{
	"id": "7af815aa-7b0d-43f8-a545-1468d52e8708",
	"created_at": "2026-04-06T00:17:50.186015Z",
	"updated_at": "2026-04-10T03:32:15.003289Z",
	"deleted_at": null,
	"sha1_hash": "d5e526ec916e516c4a9ecee9367a3d41d5165b22",
	"title": "CCleaner Backdoor: Analysis \u0026 Recommendations - CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1006909,
	"plain_text": "CCleaner Backdoor: Analysis \u0026 Recommendations - CrowdStrike\r\nBy karansood\r\nArchived: 2026-04-05 17:00:50 UTC\r\nThe term “supply chain attacks” means different things to different people. To the general business community, it\r\nrefers to attacks targeting vulnerable third parties in a larger organization’s supply chain. A well-known retail\r\nchain’s massive breach in 2013 is a classic example: adversaries used a poorly protected HVAC vendor as their\r\ngateway into the retailer’s enterprise network. Threat researchers, however, have another definition: to them,\r\nsupply chain attacks also denote the growing phenomenon in which malicious code is injected into new releases and\r\nupdates of legitimate software packages, effectively turning an organization’s own software supply infrastructure\r\ninto a potent and hard-to-prevent attack vector. The recent backdoor discovered embedded in the legitimate, signed\r\nversion of CCleaner 5.33 is just such an attack. To help inform the user community and empower them to better\r\ndefend against software supply chain attacks, the CrowdStrike® Security Response Team (SRT) conducted a thorough\r\nanalysis of the CCleaner backdoor. CCleaner is a popular PC optimization tool, and version 5.33 has had widespread\r\ndistribution across multiple industries, but the embedded code appeared to be targeted at specific groups in the\r\ntechnology sector. (More information on targeted industries is available for CrowdStrike customers in our Falcon\r\nIntelligence™ portal.) CrowdStrike's threat intelligence team had also previously reported on the malware’s C2\r\n(command and control) infrastructure in a recent alert for CrowdStrike customers identifying possible links to\r\nAurora Panda. 
The report also outlines the\r\npotential for additional adversary tactics, techniques and procedures (TTPs).\r\nTechnical Analysis\r\nCCleaner\r\nCCleaner is a PC cleaning utility developed by Piriform, which was acquired by antivirus (AV) provider Avast in\r\nJune 2017. The affected version of the utility contains a modified __scrt_common_main_seh function that routes\r\nthe execution flow to a custom function meant to decode and load the malware. This takes place even before the\r\nentry point (EP) of the utility is reached. The new execution flow leads to a function that decodes a blob of\r\ndata, as reproduced in Python below (the multiply-and-shift key schedule yields one keystream byte per input byte):\r\ndef decode(indata):\r\n    key = 0x2547383\r\n    dec = []\r\n    for i in range(0, len(indata)):\r\n        key = (key * 0x47a6547) \u0026 0xFFFFFFFF   # 32-bit multiply\r\n        k = key \u0026 0xFF                          # keystream byte for this position\r\n        dec.append(indata[i] ^ k)\r\n        key = key \u003e\u003e 0x8\r\n    return dec\r\nThe result of the decoding subroutine is shellcode followed by the payload, a PE image whose IMAGE_DOS_HEADER has\r\nbeen blanked: as the dump below shows, the first 0xd0 bytes are zero except for e_lfanew at offset 0x3c, which\r\nstill points to the PE signature at offset 0xd0. Removing the MZ signature is likely meant to evade AV solutions\r\nthat scan memory for MZ (0x4d5a) headers. Next, the program creates a heap with the flag\r\nHEAP_CREATE_ENABLE_EXECUTE so that memory allocated from it is executable, copies the shellcode onto the heap,\r\nand executes it.\r\nShellCode\r\nhttps://www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/\r\nPage 1 of 10\n\nThe shellcode is responsible for loading the payload in memory. It walks the PEB (Process Environment Block)\r\nof the current process to locate kernel32.dll and the address of GetProcAddress, which it then uses to resolve\r\nVirtualAlloc, memcpy and LoadLibrary. It allocates PAGE_EXECUTE_READWRITE memory and copies the previously\r\ndecoded payload (without the IMAGE_DOS_HEADER) into it, as shown below.\r\n0000000: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n0000010: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n0000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n0000030: 0000 0000 0000 0000 0000 0000 d000 0000 ................\r\n0000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n0000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n0000060: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n0000070: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n0000080: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n0000090: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000d0: 5045 0000 4c01 0200 c23a 8059 0000 0000 PE..L....:.Y....\r\n00000e0: 0000 0000 e000 0e21 0b01 0600 0020 0000 .......!..... ..\r\n00000f0: 0002 0000 0000 0000 0011 0000 0010 0000 ................\r\n0000100: 0030 0000 0000 0010 0010 0000 0002 0000 .0..............\r\n0000110: 0400 0000 0000 0000 0400 0000 0000 0000 ................\r\n0000120: 0040 0000 0004 0000 0000 0000 0200 0000 .@..............\r\n0000130: 0000 1000 0010 0000 0000 1000 0010 0000 ................\r\n0000140: 0000 0000 1000 0000 0000 0000 0000 0000 ................\r\n0000150: 4c28 0000 dc00 0000 0000 0000 0000 0000 L(..............\r\n0000160: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n0000170: 0030 0000 c000 0000 0000 0000 0000 0000 .0..............\r\n0000180: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n0000190: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00001a0: 0000 0000 0000 0000 0010 0000 0001 0000 ................\r\n00001b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00001c0: 0000 0000 0000 0000 2e74 6578 7400 0000 .........text...\r\n00001d0: 041e 0000 0010 0000 0020 0000 0004 0000 ......... ......\r\n00001e0: 0000 0000 0000 0000 0000 0000 2000 00e0 ............ ...\r\n00001f0: 2e72 656c 6f63 0000 1a01 0000 0030 0000 .reloc.......0..\r\n0000200: 0002 0000 0024 0000 0000 0000 0000 0000 .....$..........\r\n0000210: 0000 0000 4000 0042 0000 0000 0000 0000 ....@..B........\r\nOnce the payload is copied to the newly allocated memory, the shellcode resolves the needed APIs and calls the\r\nOEP (original entry point) of the payload in memory.\r\nPayload\r\nEnvironment Checks\r\nOnce it’s loaded, the payload creates a thread that performs the core functionality of the malware. At the\r\noutset, this thread runs a few checks on the environment and on the user’s privileges. The malware calls\r\nmsvcrt.time to record the current time. It then uses IcmpCreateFile and IcmpSendEcho to send an IPv4 ICMP echo\r\nto an invalid IP address with a timeout of 601 seconds. This is meant to delay execution by 601 seconds; the\r\ndelay is then measured by calling msvcrt.time again and checking that more than 600 seconds have elapsed between\r\nthe two calls. If the call to IcmpCreateFile fails, the malware simply sleeps for 600 seconds. These steps are\r\nmeasures against debugging and/or sandboxing: sandboxes commonly short-circuit Sleep, an ICMP timeout is harder to\r\nskip, and the second time check catches an environment that cut the wait short without also advancing the clock.\r\nIt also invokes IsUserAnAdmin to ensure that the current user is a member of the administrators group. If either\r\nof these checks fails, the malware exits immediately. It uses the same decoding scheme described above to decode\r\nstrings at runtime in memory. It is important to note that these dynamically decoded strings are zeroed out in\r\nmemory before each function using them returns. The strings dynamically decoded throughout the execution of the\r\nmalware are listed in the Appendix section of this blog. 
The\r\nmalware also checks the privilege level of its own process; if the process is not running with administrative\r\nprivileges, it uses AdjustTokenPrivileges to enable SeDebugPrivilege for the process. This privilege allows the\r\nprocess to debug or modify the memory of processes owned by other accounts.\r\nRegistry Checks\r\nThe malware checks for the following registry value: HKLM\\SOFTWARE\\Piriform\\Agomo\\TCID. The value is supposed\r\nto hold a system time; if the stored value is greater than the current time, the malware terminates. It also\r\nchecks the value HKLM\\SOFTWARE\\Piriform\\Agomo\\MUID. If the value does not exist, the malware sets it using a\r\npseudo-random number derived in the following manner:\r\n// Pseudocode to calculate the MUID value\r\nDWORD MUID;\r\nunsigned int seed, rand1, rand2;\r\nseed = GetTickCount();\r\nsrand(seed);\r\nrand1 = rand();\r\nrand2 = rand() * rand1;\r\nMUID = GetTickCount() ^ rand2;\r\nGathering Victim Information\r\nOnce the checks are completed, the malware gathers the following information about the victim machine:\r\nOS major version\r\nOS minor version\r\nOS architecture\r\nComputer name\r\nComputer DNS domain\r\nIPv4 addresses associated with the machine. This information is gathered by calling GetAdaptersInfo and then\r\nwalking the returned adapter list to read the IP_ADAPTER_INFO → IpAddressList → IpAddress field of each\r\nadapter.\r\nInstalled applications. The malware opens the registry key\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall, enumerates its subkeys, and compares each\r\nPublisher value with \"Microsoft Corporation\". If there is a match, it moves on to the next subkey. If not, it\r\nreads the DisplayName value using SHGetValueA and stores it in memory, prepended with an \"S\".\r\nFull name of the executable image of each running process. 
The malware calls WTSEnumerateProcessesA\r\nto get a pointer to an array of WTS_PROCESS_INFO structures and reads the pProcessName field of each entry.\r\nEach process name is prepended with a \"P\" in memory.\r\nThis information is stored in a data structure in memory in the following manner:\r\nThe MUID_Val is used as a unique identifier for the victim machine. Next, the structure is encoded in memory in\r\ntwo steps:\r\nStep 1: The decoding scheme described above (XOR against the same keystream; the routine is its own inverse)\r\nStep 2: A modified version of Base64\r\nThe image below displays the data structure as it goes through each encoding step.\r\nThe custom Base64 encoding uses a modified index table. Rather than the standard table,\r\nABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ (with = as the padding character), its table\r\nhas the following 65 symbols:\r\nabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!*.\r\nThat is, the case of the letters is swapped, ! and * take the place of + and /, and . occupies the position of\r\nthe = padding character.\r\nC2 Communication\r\nOnce the victim machine information has been encoded, the malware queries the registry value\r\nHKLM\\SOFTWARE\\Piriform\\Agomo\\NID. On the initial run, the value does not exist; the malware eventually stores\r\nan IP address computed via a DGA (domain generation algorithm) there later in the execution flow. It is\r\ninteresting to note that even if the value exists, the malware extracts the IP address from it but does nothing\r\nwith it. After the registry check, it decodes the hard-coded IP address 216.126.225\u003c.\u003e148 and attempts to send\r\nthe encoded data structure to it via an HTTP POST request on port 443. 
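The two-step encoding of the posted structure, as an added Python example that is not code from the CrowdStrike post or from the backdoor itself: step 1 is the XOR keystream of the decode routine reproduced earlier (seed 0x2547383, multiplier 0x47a6547, low byte, shift by 8), which is its own inverse, and step 2 is Base64 over the custom table. The helper names, the constructed sample structure and the treatment of the dot as the padding symbol are assumptions of this example; the post shows the real field layout only as an image that is not reproduced here.

```python
import base64

# Key schedule parameters of the decode routine reproduced earlier in the post
SEED = 0x2547383
MULT = 0x47a6547

# Standard base64 alphabet (with = padding) and the backdoor's replacement table
STD_TABLE = b'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='
AGOMO_TABLE = b'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!*.'
TO_AGOMO = bytes.maketrans(STD_TABLE, AGOMO_TABLE)
FROM_AGOMO = bytes.maketrans(AGOMO_TABLE, STD_TABLE)


def keystream(length):
    # One keystream byte per input byte: 32-bit multiply, take the low byte,
    # then shift the key right by 8 (same schedule as the decode routine).
    key = SEED
    out = bytearray()
    for _ in range(length):
        key = (key * MULT) & 0xFFFFFFFF
        out.append(key & 0xFF)
        key >>= 8
    return bytes(out)


def xor_layer(data):
    # Step 1. XOR with a fixed keystream is an involution, so this single
    # function both encodes the beacon and decodes a received stage 2.
    return bytes(b ^ k for b, k in zip(data, keystream(len(data))))


def custom_b64_encode(data):
    # Step 2: ordinary base64, then remap each output symbol. The 65th symbol
    # of the custom table, the dot, is assumed here to replace = padding.
    return base64.b64encode(data).translate(TO_AGOMO)


def custom_b64_decode(text):
    return base64.b64decode(text.translate(FROM_AGOMO))


def encode_beacon(struct_bytes):
    return custom_b64_encode(xor_layer(struct_bytes))


def decode_beacon(blob):
    return xor_layer(custom_b64_decode(blob))


# Constructed stand-in for the victim-information structure (not a real
# capture): version bytes, computer name, domain, one S-prefixed application
# name and one P-prefixed process name, NUL separated.
NUL = bytes(1)
SAMPLE_STRUCT = (bytes([6, 1, 0]) + b'WORKSTATION-01' + NUL + b'corp.example' + NUL
                 + b'S' + b'Google Chrome' + NUL + b'P' + b'explorer.exe' + NUL)

if __name__ == '__main__':
    blob = encode_beacon(SAMPLE_STRUCT)
    print(blob.decode())
    assert decode_beacon(blob) == SAMPLE_STRUCT
```

Because the dot doubles as padding, a captured blob ending in one or two dots is the usual sign of this scheme; decode_beacon reverses the Base64 layer first and then the XOR layer, which is also the order the post describes for stage 2.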
The malware\r\nuses InternetSetOptionA to set the following option flags on the HTTP handle, disabling every certificate check\r\nthat would otherwise reject the C2 server’s TLS certificate:\r\nSECURITY_FLAG_IGNORE_CERT_DATE_INVALID → Ignores bad or expired SSL certificates from the server\r\nSECURITY_FLAG_IGNORE_CERT_CN_INVALID → Ignores incorrect SSL certificate common names\r\nSECURITY_FLAG_IGNORE_WRONG_USAGE → Ignores incorrect certificate usage problems\r\nSECURITY_FLAG_IGNORE_UNKNOWN_CA → Ignores unknown certificate authority problems\r\nSECURITY_FLAG_IGNORE_REVOCATION → Ignores certificate revocation problems\r\nThe malware also calls HttpAddRequestHeadersA to add the domain speccy.piriform\u003c.\u003ecom to the POST request\r\nheaders, while the connection itself goes to the hard-coded IP address. This is done to appear inconspicuous and\r\nmake the traffic harder to spot; it is also likely an attempt to confuse an analyst performing dynamic analysis.\r\nOnce the information is sent to the C2, the malware expects to receive a stage 2, which it reads into a locally\r\nallocated memory block. Analysis shows that once stage 2 is received, it is decoded using the same custom Base64\r\nand the decoding algorithm. Once decoded, the addresses of GetProcAddress and LoadLibraryA are pushed onto the\r\nstack as arguments, and the EP of stage 2 is called. At the time of analysis, stage 2 was not available.\r\nDGA\r\nIf the malware cannot connect to the C2, it employs a domain generation algorithm (DGA) to generate a fallback\r\ndomain. The DGA is seeded from the current year and month; therefore, it generates a new domain each month. 
Below is the code, reproduced in C, displaying the DGA utilized by the malware. The generated domains depend on\r\nthe Microsoft C runtime’s rand() implementation, so the program must be built against the MSVC CRT to reproduce\r\nthem.\r\n#include <Windows.h>\r\n#include <stdio.h>\r\n\r\nint main(void)\r\n{\r\n    SYSTEMTIME st;\r\n    DWORD r1, r2, r3, seed;\r\n    char buf[100];\r\n    const char *format = \"ab%x%x.com\";\r\n\r\n    GetLocalTime(&st);\r\n    seed = st.wYear * 10000 + st.wMonth;   // e.g. September 2017 -> 20170009\r\n    srand(seed);\r\n    r1 = rand();\r\n    r2 = rand();\r\n    r3 = rand() * r2;                       // unsigned 32-bit multiply\r\n    sprintf_s(buf, sizeof(buf), format, r3, r1);\r\n    printf(\"%s\\n\", buf);\r\n    return 0;\r\n}\r\nThe list of domains calculated for all months in the years 2017 and 2018 is given in the Appendix. Once the DGA\r\ndomain for the current month and year has been calculated, the malware derives an IP address from that domain in\r\nthe following steps:\r\nGet a hostent structure by calling gethostbyname on the generated domain\r\nGet the h_addr_list, which is a NULL-terminated list of IP addresses associated with the domain\r\nThe A records for the domain ab1145b758c30\u003c.\u003ecom (127.100.183\u003c.\u003e225 and 10.158.168\u003c.\u003e171), as\r\nhighlighted in the PCAP screenshot below, are used to calculate a new C2 IP address. 
If there are more than\r\ntwo A records, the malware only uses the first two on the list.\r\nThe Python code below reproduces the algorithm to calculate the new C2 IP address from the A records of the\r\nnewly generated domain.\r\nimport socket\r\nimport struct\r\n\r\n# The A records as they sit in memory (network byte order), read as little-endian DWORDs\r\na1 = 0xE1B7647F   # 127.100.183.225\r\na2 = 0xABA89E0A   # 10.158.168.171\r\n\r\ndef mod_record(rr):\r\n    rr1 = ((rr >> 24) ^ (rr & 0xff)) << 24\r\n    rr2 = (((rr >> 16) & 0xff) ^ ((rr >> 8) & 0xff)) << 16\r\n    rr3 = rr & 0xff00\r\n    rr4 = rr & 0xff\r\n    return rr1 | rr2 | rr3 | rr4\r\n\r\nnewa1 = mod_record(a1)\r\nnewa2 = mod_record(a2)\r\nnewIP = (newa2 & 0xffff0000) | (newa1 >> 0x10)   # newIP = 0xA1369ED3\r\nprint(socket.inet_ntoa(struct.pack('<L', newIP)))   # Output is 211.158.54.161\r\nThe new C2 IP address derived from the records of the domain ab1145b758c30\u003c.\u003ecom is 211.158.54\u003c.\u003e161. The\r\nmalware will attempt to connect to this C2 as shown below. If the connection is successful, it will subsequently\r\nsend the encoded data structure and await stage 2.\r\nInitial (Buggy) Registry Modifications\r\nOnce the C2 communication subroutine has ended, the malware makes two registry modifications:\r\nEncodes the newly calculated C2 IP address and attempts to save it in\r\nHKLM\\SOFTWARE\\Piriform\\Agomo\\NID. The encoding scheme is the same as the one mentioned before. Analysis\r\nshows that before the registry value name is built, a function is called to change the endianness of 0x44494E\r\n(DIN) to 0x4E4944 (NID). However, due to a bug in the code the function incorrectly produces 0x004E4944\r\n(prepended with a NULL byte). 
Subsequently, the function\r\nSHSetValueA is called with the following parameters:\r\nhKey = HKEY_LOCAL_MACHINE\r\nSubkey = \"SOFTWARE\\Piriform\\Agomo\"\r\nValue = \"\"\r\nValueType = REG_DWORD\r\nData = ...\r\nDataLength = 0x4\r\nThe Value parameter should be \"NID\"; however, since the string now starts with a NULL byte, the function\r\nreads it as an empty string. The C2 IP address is therefore saved in the default value of\r\nHKLM\\SOFTWARE\\Piriform\\Agomo (shown as (Default) in the Registry Editor), as shown below.\r\nTakes the current time value as determined by the earlier call to msvcrt.time and adds 172,800 seconds (2\r\ndays) to it. Saves the new value in HKLM\\SOFTWARE\\Piriform\\Agomo\\TCID; because of the TCID check described\r\nabove, the backdoor therefore does not beacon again from that host for two days.\r\nRecommendations\r\nFalcon Endpoint will notify you of any additional activity through our Falcon Intelligence detections. The intent\r\nbehind the malicious packages was to collect an initial set of reconnaissance data; we urge you to block the\r\nknown IP address and domains at your network perimeter to prevent any communication to the collection server.\r\nIn addition, we recommend you update to the latest version of the Avast CCleaner software to ensure the\r\nembedded malicious code is removed. 
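The DGA, the A-record derivation and the perimeter blocking recommended above, as one added Python example that is not code from the CrowdStrike post or from the backdoor: it reproduces the monthly DGA with Microsoft's CRT rand() generator (the C reproduction above depends on that generator), derives the C2 address from a domain's first two A records exactly as the post's algorithm does, and checks both against a few constructed DNS and connection log lines. The MsvcRand and match_iocs helpers, the log format and the host names are assumptions of this example; the LCG constants are those of the MSVC C runtime, and the addresses and the September 2017 domain are the ones the post reports.

```python
import socket
import struct


class MsvcRand:
    # Microsoft C runtime rand(): 32-bit LCG with 15-bit output. The backdoor
    # calls the MSVC CRT, so a reimplementation must use these constants;
    # glibc's rand() would produce different domains from the same seed.
    def __init__(self, seed):
        self.state = seed & 0xFFFFFFFF

    def rand(self):
        self.state = (self.state * 214013 + 2531011) & 0xFFFFFFFF
        return (self.state >> 16) & 0x7FFF


def dga_domain(year, month):
    # Same seed, call order and format string as the C reproduction above.
    rng = MsvcRand(year * 10000 + month)
    r1 = rng.rand()
    r2 = rng.rand()
    r3 = (rng.rand() * r2) & 0xFFFFFFFF   # DWORD multiply wraps at 32 bits
    return 'ab%x%x.com' % (r3, r1)


def dga_domains(years):
    # Every domain the DGA can produce in the given years (12 per year).
    return {dga_domain(y, m) for y in years for m in range(1, 13)}


def ip_to_dword(ip):
    # The 4 bytes of an A record in network order, read as a little-endian
    # DWORD, which is how the malware sees h_addr_list entries on x86.
    return struct.unpack('<L', socket.inet_aton(ip))[0]


def mod_record(rr):
    # Per-record transform from the post's Python reproduction.
    rr1 = ((rr >> 24) ^ (rr & 0xFF)) << 24
    rr2 = (((rr >> 16) & 0xFF) ^ ((rr >> 8) & 0xFF)) << 16
    return rr1 | rr2 | (rr & 0xFF00) | (rr & 0xFF)


def derive_c2(a_records):
    # Combine the first two A records into the real C2 address; any further
    # records are ignored, as the post notes.
    if len(a_records) < 2:
        raise ValueError('need at least two A records')
    new1 = mod_record(ip_to_dword(a_records[0]))
    new2 = mod_record(ip_to_dword(a_records[1]))
    new_ip = (new2 & 0xFFFF0000) | (new1 >> 16)
    return socket.inet_ntoa(struct.pack('<L', new_ip))


def match_iocs(log_lines, c2_ips, domains):
    # Flag DNS lookups of DGA domains and connections to known C2 addresses.
    # Line format is constructed for this example: '<ts> <host> <kind> <value>'
    # with kind 'dns' (queried name) or 'conn' (destination ip:port).
    hits = []
    for line in log_lines:
        ts, host, kind, value = line.split(maxsplit=3)
        if kind == 'dns' and value.lower().rstrip('.') in domains:
            hits.append((host, 'dga-domain', value))
        elif kind == 'conn' and value.split(':')[0] in c2_ips:
            hits.append((host, 'c2-ip', value))
    return hits


# Hard-coded first-stage C2 from the post, plus the A records it observed for
# the September 2017 DGA domain.
HARDCODED_C2 = '216.126.225.148'
OBSERVED_A_RECORDS = ['127.100.183.225', '10.158.168.171']

# Constructed sample log lines (not real traffic).
SAMPLE_LOGS = [
    '2017-09-18T10:00:01Z ws01 dns speccy.piriform.com',
    '2017-09-18T10:10:02Z ws01 dns ab1145b758c30.com',
    '2017-09-18T10:10:03Z ws01 conn 211.158.54.161:443',
    '2017-09-18T11:00:00Z ws02 conn 216.126.225.148:443',
    '2017-09-18T11:05:00Z ws03 dns www.example.com',
]


def run_example():
    c2_ips = {HARDCODED_C2, derive_c2(OBSERVED_A_RECORDS)}
    return match_iocs(SAMPLE_LOGS, c2_ips, dga_domains([2017, 2018]))


if __name__ == '__main__':
    for hit in run_example():
        print(hit)
```

The domains can be precomputed for any month, so a block list built from dga_domains covers the fallback channel in advance; the derived C2 address, by contrast, depends on whatever A records the domain returns at query time, so it can only be blocked once the records have been observed (or the domain itself is blocked, which makes the derivation moot).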
For additional information on CrowdStrike’s threat intelligence offerings,\r\nvisit the Falcon Intelligence product page.\r\nAppendix\r\nHashes\r\nInformation regarding the CCleaner binaries that were affected:\r\nSize: 9791816\r\nSHA256: 1A4A5123D7B2C534CB3E3168F7032CF9EBF38B9A2A97226D0FDB7933CF6030FF\r\nCompiled: Tue, Dec 29 2015, 21:34:49 UTC - 32 Bit EXE\r\nVersion: 5.33.00.6162\r\nSignature: Valid, Subject: Piriform Ltd, Issuer: Symantec Class 3 SHA256 Code Signing CA\r\n\r\nSize: 7680216\r\nSHA256: 6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9\r\nCompiled: Thu, Aug 3 2017, 9:25:13 UTC - 32 Bit EXE\r\nVersion: 5, 33, 00, 6162\r\nSignature: Valid, Subject: Piriform Ltd, Issuer: Symantec Class 3 SHA256 Code Signing CA\r\n\r\nSize: 7781592\r\nSHA256: 36B36EE9515E0A60629D2C722B006B33E543DCE1C8C2611053E0651A0BFDB2E9\r\nCompiled: Thu, Aug 3 2017, 9:37:49 UTC - 32 Bit EXE\r\nVersion: 5, 33, 00, 6162\r\nSignature: Valid, Subject: Piriform Ltd, Issuer: Symantec Class 3 SHA256 Code Signing CA\r\n\r\nThe following is the information about the decoded payload in memory:\r\nSize: 16384\r\nSHA256: FA8A55A05CA9E6587C941354628A0E818DCBF42ED3D98C40689F28564F0BFA19\r\nCompiled: Tue, Aug 1 2017, 8:24:34 UTC - 32 Bit DLL\r\nNetwork Artifacts\r\nThe following is the infrastructure associated with the CCleaner backdoor:\r\nInfrastructure         Connection Type   Description\r\n216.126.225\u003c.\u003e148      Port 443 / TCP    C2\r\nDGA Domains\r\nMonth, Year       Domain\r\nJanuary, 2017     abde911dcc16\u003c.\u003ecom\r\nFebruary, 2017    ab6d54340c1a\u003c.\u003ecom\r\nMarch, 2017       aba9a949bc1d\u003c.\u003ecom\r\nApril, 2017       ab2da3d400c20\u003c.\u003ecom\r\nMay, 2017         ab3520430c23\u003c.\u003ecom\r\nJune, 2017        ab1c403220c27\u003c.\u003ecom\r\nJuly, 2017        ab1abad1d0c2a\u003c.\u003ecom\r\nAugust, 2017      ab8cee60c2d\u003c.\u003ecom\r\nSeptember, 2017   ab1145b758c30\u003c.\u003ecom\r\nOctober, 2017     ab890e964c34\u003c.\u003ecom\r\nNovember, 2017    ab3d685a0c37\u003c.\u003ecom\r\nDecember, 2017    ab70a139cc3a\u003c.\u003ecom\r\nJanuary, 2018     ab3c2b0d28ba6\u003c.\u003ecom\r\nFebruary, 2018    ab99c24c0ba9\u003c.\u003ecom\r\nMarch, 2018       ab2e1b782bad\u003c.\u003ecom\r\nApril, 2018       ab253af862bb0\u003c.\u003ecom\r\nMay, 2018         ab2d02b02bb3\u003c.\u003ecom\r\nJune, 2018        ab1b0eaa24bb6\u003c.\u003ecom\r\nJuly, 2018        abf09fc5abba\u003c.\u003ecom\r\nAugust, 2018      abce85a51bbd\u003c.\u003ecom\r\nSeptember, 2018   abccc097dbc0\u003c.\u003ecom\r\nOctober, 2018     ab33b8aa69bc4\u003c.\u003ecom\r\nNovember, 2018    ab693f4c0bc7\u003c.\u003ecom\r\nDecember, 2018    ab23660730bca\u003c.\u003ecom\r\nDynamically Decoded Strings\r\nThe following are the strings that are dynamically decoded during the malware’s execution. It should be noted that\r\neach string is promptly zeroed out in memory after use.\r\nSOFTWARE\\Piriform\\Agomo\r\nkernel32.dll\r\nIsWow64Process\r\nSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\r\nPublisher\r\nMicrosoft Corporation\r\nDisplayName\r\nQueryFullProcessImageFileNameA\r\nSeDebugPrivilege\r\n%u.%u.%u.%u\r\nab%x%x.com\r\nspeccy.piriform.com\r\nSource: https://www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/"
	],
	"report_names": [
		"protecting-software-supply-chain-deep-insights-ccleaner-backdoor"
	],
	"threat_actors": [
		{
			"id": "4b076dcb-516e-42fb-9c8f-f153902cd5e9",
			"created_at": "2022-10-25T16:07:23.708745Z",
			"updated_at": "2026-04-10T02:00:04.720108Z",
			"deleted_at": null,
			"main_name": "Hidden Lynx",
			"aliases": [
				"Aurora Panda",
				"Group 8",
				"Heart Typhoon",
				"Hidden Lynx",
				"Operation SMN"
			],
			"source_name": "ETDA:Hidden Lynx",
			"tools": [
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"BlackCoffee",
				"HiKit",
				"MCRAT.A",
				"Mdmbot.E",
				"Moudoor",
				"Naid",
				"PNGRAT",
				"Trojan.Naid",
				"ZoxPNG",
				"gresim"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a7aefdda-98f1-4790-a32d-14cc99de2d60",
			"created_at": "2023-01-06T13:46:38.281844Z",
			"updated_at": "2026-04-10T02:00:02.909711Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"BRONZE KEYSTONE",
				"G0025",
				"Group 72",
				"G0001",
				"HELIUM",
				"Heart Typhoon",
				"Group 8",
				"AURORA PANDA",
				"Hidden Lynx",
				"Tailgater Team"
			],
			"source_name": "MISPGALAXY:APT17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def",
			"created_at": "2025-08-07T02:03:24.626625Z",
			"updated_at": "2026-04-10T02:00:03.605175Z",
			"deleted_at": null,
			"main_name": "BRONZE KEYSTONE",
			"aliases": [
				"APT17 ",
				"Aurora Panda ",
				"DeputyDog ",
				"Group 72 ",
				"Hidden Lynx ",
				"TG-8153 ",
				"Tailgater Team"
			],
			"source_name": "Secureworks:BRONZE KEYSTONE",
			"tools": [
				"9002",
				"BlackCoffee",
				"DeputyDog",
				"Derusbi",
				"Gh0stHTTPSDropper",
				"HiKit",
				"InternalCMD",
				"PlugX",
				"PoisonIvy",
				"ZxShell"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434670,
	"ts_updated_at": 1775791935,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d5e526ec916e516c4a9ecee9367a3d41d5165b22.pdf",
		"text": "https://archive.orkl.eu/d5e526ec916e516c4a9ecee9367a3d41d5165b22.txt",
		"img": "https://archive.orkl.eu/d5e526ec916e516c4a9ecee9367a3d41d5165b22.jpg"
	}
}