{
	"id": "90a0149d-2a3f-4f7f-affd-5eced1641042",
	"created_at": "2026-04-06T00:16:42.52315Z",
	"updated_at": "2026-04-10T03:37:26.392002Z",
	"deleted_at": null,
	"sha1_hash": "d920d18f5f0097fde995ebb847f099d605b74f8c",
	"title": "UPS: Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 598985,
	"plain_text": "UPS: Observations on CVE-2015-3113, Prior Zero-Days and the\r\nPirpi Payload\r\nBy Robert Falcone, Richard Wartell\r\nPublished: 2015-07-27 · Archived: 2026-04-05 19:59:26 UTC\r\nA June 23 FireEye blog post titled “Operation Clandestine Wolf” discussed a cyber espionage group, known as\r\nAPT3, that had been exploiting a zero-day vulnerability in Adobe Flash. Unit 42 also tracks the APT3 group using\r\nthe name UPS, which is an intrusion set with Chinese origins that is known for having early access to zero-day\r\nvulnerabilities and delivering a backdoor called Pirpi.\r\nThe UPS group has exploited several zero-day vulnerabilities, most recently using the zero-days released in the\r\nHacking Team breach that we discussed in our July 10 blog post, “APT Group UPS Targets US Government with\r\nHacking Team Flash Exploit”. However, the most recent original zero-day released by this group is tracked by\r\nCVE-2015-3113, which has similarities to the former zero-day vulnerabilities CVE-2014-1776 and CVE-2014-6332\r\nexploited by UPS in May and November 2014, respectively. We’ll discuss here the similarities observed between\r\nthe various components used to exploit these vulnerabilities, specifically focusing on the malicious Flash files\r\nand the payloads delivered.\r\nMalicious Flash Files\r\nRecent zero-days exploited by UPS either target Adobe Flash directly or use Flash to exploit other applications on\r\nthe system. Unit 42 recently analyzed malicious Flash files that exploited CVE-2015-3113, which was a zero-day\r\nvulnerability in Adobe Flash that was patched on June 23, 2015. 
During the analysis, we noticed similarities\r\nbetween this malicious Flash file, those that UPS used to exploit CVE-2014-1776, and the proof-of-concept code\r\nfor CVE-2014-6332, although those two Flash files were used to exploit zero-day vulnerabilities in Internet Explorer.\r\nOverlaps within ActionScript\r\nUnit 42 analyzed the ActionScript within malicious Flash files created by UPS that exploited CVE-2014-1776 and\r\nCVE-2015-3113 and discovered shared code between the two. First, both ActionScripts contain a function named\r\n“hexToIntArray”, which Figure 1 displays side-by-side for comparison. Not only do these files contain the same\r\nfunction name, but they also share exactly the same operation codes (opcodes) to carry out that functionality. The\r\nexistence of the hexToIntArray function in the CVE-2015-3113 sample is rather interesting, as it is never called or\r\nused within the ActionScript. We believe that the threat actor used the CVE-2014-1776 ActionScript as the basis\r\nfor the CVE-2015-3113 file and forgot to remove the unused hexToIntArray function.\r\nhttps://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/\r\nPage 1 of 11\n\nCVE-2014-1776 and CVE-2015-3113 (the two listings are identical, so the function is shown once)\r\nfunction private::hexToIntArray(String):__AS3__.vec::Vector.\u003cint\u003e\r\n{\r\n0    getlocal0\r\n1    pushscope\r\n2    pushnull\r\n3    coerce_a\r\n4    setlocal2\r\n5    getlocal1\r\n6    getproperty     length\r\n8    coerce_a\r\n9    setlocal3\r\n10   pushbyte        0\r\n12   coerce_a\r\n13   setlocal        4\r\n15   getlex          Vector\r\n17   getlex          int\r\n19   applytype       (1)\r\n21   getlocal3\r\n22   pushbyte        2\r\n24   divide\r\n25   construct       (1)\r\n27   coerce          __AS3__.vec::Vector.\u003cint\u003e\r\n29   setlocal        5\r\n31   pushbyte        0\r\n33   coerce_a\r\n34   setlocal        6\r\n36   jump            L1\r\nL2:\r\n40   label\r\n41   getlocal1\r\n42   getlocal        4\r\n44   callproperty    http://adobe.com/AS3/2006/builtin::charAt (1)\r\n47   getlocal1\r\n48   getlocal        4\r\n50   pushbyte        1\r\n52   add\r\n53   callproperty    http://adobe.com/AS3/2006/builtin::charAt (1)\r\n56   add\r\n57   coerce_a\r\n58   setlocal2\r\n59   getlocal        5\r\n61   getlocal        6\r\n63   findpropstrict  parseInt\r\n65   getlocal2\r\n66   pushbyte        16\r\n68   callproperty    parseInt (2)\r\n71   setproperty     null\r\n73   getlocal        4\r\n75   pushbyte        2\r\n77   add\r\n78   coerce_a\r\n79   setlocal        4\r\n81   getlocal        6\r\n83   pushbyte        1\r\n85   add\r\n86   coerce_a\r\n87   setlocal        6\r\nL1:\r\n89   getlocal        4\r\n91   getlocal3\r\n92   iflt            L2\r\n96   getlocal        5\r\n98   returnvalue\r\n}\r\nFigure 1. Side-by-side comparison of opcodes in hexToIntArray functions\r\nAlso, the Flash file exploiting CVE-2015-3113 had a main class named \"flappyMan\". This class name was also\r\nused in the Flash file that Unit 42 analyzed and discussed in its November 26, 2014 blog titled “Addressing CVE-2014-6332 SWF Exploit”, as well as the proof-of-concept (PoC) for CVE-2014-6332 that is now publicly\r\navailable in exploit-related forums. According to FireEye's \"Operation Double Tap\", UPS exploited CVE-2014-6332\r\nin its November 2014 attacks; however, UPS used a VBScript to exploit the vulnerability instead of a Flash\r\nfile. While purely speculation, this overlap in class names between the CVE-2014-6332 PoC and the Flash file\r\nexploiting CVE-2015-3113 may suggest that UPS also used Flash files to exploit CVE-2014-6332.\r\nShellcode Similarities\r\nAs with most remote code execution vulnerabilities, UPS’ malicious documents execute shellcode in the event of\r\nsuccessful exploitation of either CVE-2014-1776 or CVE-2015-3113. 
The shellcode found in the UPS delivery\r\ndocuments exploiting these two vulnerabilities is not identical, but it has similarities worth noting.\r\nFirst, the delivery documents share the same technique of locating API functions, which involves applying the rotate\r\nright (ror 7, to be specific) instruction to the function names in kernel32.dll and comparing the result with a specific value.\r\nThe use of the same rotate right algorithm results in several common constants, such as 0xC917432, that both\r\nshellcodes use to locate LoadLibraryA. Second, both shellcodes use a similar method of creating the Unicode\r\nstring “kernel32.dll”, seen in Figure 2. The shellcodes use the Unicode string and the same method to find the base\r\naddress of the loaded kernel32.dll module from the LDR structures obtained from the process environment block\r\n(PEB). Third, both shellcodes have similar single-byte XOR algorithms used to decrypt and later execute the\r\nfunctional payload.\r\nFigure 2. Comparison of Instructions in UPS Shellcodes that Build the Kernel32.dll Unicode String\r\nSteganography to Conceal Payloads\r\nWhile analyzing the malicious Flash file exploiting CVE-2015-3113, Unit 42 discovered that the ActionScript\r\nloaded an animated GIF image. The malware author used steganography to embed an encrypted payload within\r\nthis animated GIF image. The CVE-2014-1776 payload was also embedded within an animated GIF.\r\nUltimately, the shellcode executed in the event of successful exploitation of either of these vulnerabilities decrypts\r\nand executes the embedded payload, as mentioned in the previous section. 
While the animated GIFs themselves are\r\nvastly different, as seen in Figures 3 and 4 (payloads removed), the use of steganography and animated images as\r\nthe carrier of the payload is common between the two campaigns.\r\nFigure 3. Animated GIF “v.gif” from UPS Campaign Exploiting CVE-2015-3113\r\nFigure 4. Animated GIF “anyway.gif” from UPS Campaign Exploiting CVE-2014-1776\r\nPayload Comparison\r\nWith the amount of overlap between the other components in these separate campaigns, we decided to compare\r\nthe Pirpi payloads delivered by the UPS group using CVE-2014-1776 and CVE-2015-3113. From here on, we will\r\nrefer to these two payloads as Pirpi.2014 (CVE-2014-1776) and Pirpi.2015 (CVE-2015-3113), whose details are\r\nlisted in Table 1. Unit 42 discovered several similarities between the two Pirpi variants, as well as a few equally\r\nimportant differences, both of which are worth discussing. We also compared the Pirpi.2014 and Pirpi.2015\r\npayloads to other known Pirpi samples in an attempt to determine which variant they most closely resemble.\r\nFile Name | File Type | Architecture | Size | MD5 | Compile Time | SHA256\r\nIePorxyv.dll (Pirpi.2014) | PE.DLL | X86 | 86016 | B48E578F030A7B5BB93A3E9D6D1E2A83 | 04:29:14 00:44:04 | 81BD203EF3924BF497E8824ED5F224561487258FF3D8EE55F1E0907155FD5333\r\n{CVE-2015-3113 payload} (Pirpi.2015) | PE.DLL | X86 | 150528 | 1B0E6BA299A522A3B3B02015A3536F6F | 06:07:15 01:51:27 | 0649A3DD632CDE57BC2E97B814BE81A7F45454FED2A73800DE476AA75CDBE8CD\r\nTable 1. 
File Details of Pirpi.2014 and Pirpi.2015 Samples\r\nSimilarities in C2 Communications\r\nBoth Pirpi variants perform an initial check to see if a configuration file exists at %APPDATA%\\vcl.tmp or\r\n%TEMP%\\vcl.tmp depending on the operating system. If it finds one, it decodes it and uses the configuration data\r\nit finds inside for C2 communication; otherwise it uses hardcoded C2 domains encoded inside the binary. The\r\nmalware then creates threads to begin C2 communication.\r\nThe Pirpi.2014 and Pirpi.2015 payloads communicate with their C2 by issuing HTTP GET requests to the C2\r\ndomain hardcoded inside the payload or within its “vcl.tmp” configuration file. While the structure of the C2 URL\r\ndiffers between the two variants, both use the HTTP Cookie field to transmit data in encrypted form to the C2\r\ndomain. Figure 5 shows examples of C2 communications from Pirpi.2014 and Figure 6 shows communication\r\nwith the C2 of the Pirpi.2015 malware variant, both containing data within the Cookie field.\r\nFigure 5. Pirpi.2014 C2 Communication using Cookie Field for Exfiltration\r\nFigure 6. Pirpi.2015 C2 Communication using Cookie Field for Exfiltration\r\nThe GET request will return a web page that the malware will parse, specifically looking for encoded commands\r\nwithin two of the HTML tags.\r\nCommand Loop Overlap\r\nOnce the two Pirpi variants successfully communicate with their C2 server and parse the returned HTML for\r\ncommands, Pirpi enters a command loop that processes the commands and carries out the respective activities.\r\nThe command loop for the backdoor remains largely unchanged between Pirpi.2014 and Pirpi.2015 with only two\r\nof the commands differing between the two. 
Table 2 shows the commands that each malware can accept, with only\r\ncommands 35 and 36 differing between the two Pirpi variants.\r\nValue | Pirpi.2014 Command | Pirpi.2015 Command\r\n1 | Launch Process | same\r\n2 | Process Listing | same\r\n3 | Terminate Process | same\r\n4 | Download a file from the C2, launch it, and then delete it | same\r\n5 | Exit the malware | same\r\n6 | Sleep | same\r\n7 | Update C2 configuration and save it to %APPDATA%\\vcl.tmp | same\r\n8 | Download a file, load it into memory, then delete the file | same\r\n9 | Load a DLL from %APPDATA% and execute one of its exported functions | same\r\n10 | Do nothing | same\r\n11 | Do nothing | same\r\n12 | List all servers in the domain | same\r\n13 | Get network adaptor information | same\r\n14 | List TCP connection status (netstat) | same\r\n15 | Retrieve information about connected users | same\r\n16 | List servers in the primary domain | same\r\n17 | Locate DCs on a domain | same\r\n32 | Directory listing | same\r\n33 | Upload a file to the C2 | same\r\n34 | Delete file | same\r\n35 | Copy file and delete original | Copy file\r\n36 | Download and save file | Do nothing\r\n37 | Echo | same\r\n38 | Execute Process | same\r\n49 | Get location of configuration file and set as current working directory | same\r\nTable 2. Commands Available within Pirpi.2014 and Pirpi.2015\r\nAnti-Disassembly\r\nThe UPS threat group is a fan of one anti-disassembly trick that can be seen in both Pirpi.2014 and Pirpi.2015. It\r\nplays upon the order in which IDA Pro disassembles instructions. As you can see in the code sample in Figure 7 from\r\nPirpi.2014, there is a “jump above” instruction, followed by a “jump below or equal” instruction which just falls\r\nthrough to the next instruction. This fall-through code path will never get executed since the jump occurs if\r\n0x58693C96 \u003e 0x0D7F31B4.\r\nFigure 7. 
Code Showing Anti-Disassembly Technique used in Pirpi Tool\r\nIDA Pro’s disassembly sequence follows the fall-through branch of conditional jumps first, and thus in the\r\nprevious instruction sequence, IDA keeps disassembling one instruction after another. When IDA goes back to\r\ndisassemble the jump target for 0x10009133, it finds it pointing to the middle of an instruction. This stops IDA\r\nfrom being able to draw function borders, view a function in graph mode, or decompile with Hex-Rays. To solve\r\nthis, undefine all of the code that will not be executed, and define code starting from the target of the conditional\r\nbranch (in this case 0x1000913E), as seen in Figure 8.\r\nFigure 8. Fixing Anti-Disassembly Trick used by Pirpi Tool by Undefining Errant Instructions\r\nYou will now be able to create a function to improve your ability to do analysis. To make this easier, use an IDA\r\nPro script to fix these anti-disassembly tricks. Please note that this script specifically targets the anti-disassembly\r\nused in Pirpi and other UPS samples. It may cause issues with malware that uses other anti-disassembly tricks.\r\nUse with caution.\r\nNotable Differences\r\nThe first major difference between the Pirpi.2014 and Pirpi.2015 variants is in the way the command loop is\r\nexecuted in each backdoor. In Pirpi.2014, the malware uses a simple state machine that executes code blocks that\r\ncorrespond to a state value, which the malware updates at the end of each code block. Many of these code blocks\r\ninclude sleep functions; however, once the state value reaches the correct value, the malware executes a code block\r\nthat contains the command loop. 
The purpose of this state machine is to intentionally delay the malware’s\r\nexecution of the command loop.\r\nIn Pirpi.2015, the malware implements a second state machine that executes the Pirpi.2014 state machine as one\r\nof its code blocks. The second state machine introduces a large number of randomized sleep functions, causing the\r\nmalware to take much longer to execute its command loop. The majority of code blocks in the second state\r\nmachine either sleep, or create threads and wait for them to finish. The malware author likely implemented these\r\nstate machines as an anti-debugging technique and to defeat most modern sandbox solutions.\r\nThe second difference between the two Pirpi variants involves the encoding algorithm, which has improved\r\ngreatly in the past year. Contained in the binary is an invertible math function for encoding and decoding of data.\r\nIn Pirpi.2014 this function is rather simple, involving a few mathematical operations. However, in Pirpi.2015, the\r\nalgorithm when decompiled is more than 300 source code lines of mathematical operations.\r\nOther Pirpi Samples\r\nFireEye released two reports in 2014 about APT3 phishing campaigns, Operation Double Tap and Operation\r\nClandestine Fox. Each report contains MD5s of other Pirpi samples that were available on VirusTotal. 
In\r\naddition, simple VirusTotal searches resulted in a few more Pirpi samples that came from the same code base.\r\nTable 3 contains the file information for each of these Pirpi samples.\r\nFile Name | File Type | Architecture | Size | MD5 | Compile Time | SHA256\r\n{FireEye Report Sample} | PE.EXE | X86 | 102400 | 8849538EF1C3471640230605C2623C67 | 09:25:14 09:09:59 | 854C6BA97B4BD01246AC6EF9258135D2337E6938676421131B6793ABF339FA94\r\nmsupd.dll | PE.DLL | X86 | 81920 | FA3578C2ABE3F37DDDA76EE40C5A1608 | 09:10:14 04:54:09 | CE7ACAE4CDB53C2FB526624855FC8E008608343B177DF348657295578312EB49\r\nieupd.dll | PE.DLL | X86 | 86016 | 1A4B710621EF2E69B1F7790AE9B7A288 | 05:27:14 08:48:13 | 12AE4A7072C95EAE0E433570B1D563C3D39FE3239816C04426C8E64A49BBE7D7\r\nIePorxyv.dll | PE.DLL | X86 | 86016 | F4884C0458176AAC848A911683D3DEF5 | 04:29:14 00:45:45 | 8C64D673CB84F76124FDBDC76941396647FF03725BDDD1D59D0CD32D8EBAD81F\r\nIePorxyv.dll | PE.DLL | X86 | 81920 | 4CA97FF9D72B422589266AA7B532D6E6 | 04:29:14 00:32:43 | 4F677060D25A5E448BE986759FED5A325CD83F64D9FEF13FB51B18D1D0EB0F52\r\nTable 3. Details of Pirpi Samples from FireEye Reports and Samples that Share the Same Code Base\r\nThe sample listed as “{FireEye Report Sample}” in Table 3 is simply a dropper and loader for the msupd.dll sample.\r\nUnit 42 compared all of the DLL samples listed in the table above and found that they are most closely related to\r\nPirpi.2014. 
Table 4 below shows the statistics from Zynamics BinDiff from comparing each of the DLLs with\r\nPirpi.2014 and Pirpi.2015.\r\nSample MD5 | Pirpi.2014 BinDiff Similarity | Pirpi.2014 BinDiff Confidence | Pirpi.2015 BinDiff Similarity | Pirpi.2015 BinDiff Confidence\r\nFA3578C2ABE3F37DDDA76EE40C5A1608 | 89.5% | 98.6% | 29.8% | 69.5%\r\n1A4B710621EF2E69B1F7790AE9B7A288 | 92.7% | 98.8% | 29.4% | 69.5%\r\nF4884C0458176AAC848A911683D3DEF5 | 91.4% | 98.7% | 29.6% | 71.6%\r\n4CA97FF9D72B422589266AA7B532D6E6 | 93.7% | 98.7% | 30.7% | 71.6%\r\nB48E578F030A7B5BB93A3E9D6D1E2A83 | 100% | 100% | 34.3% | 73.0%\r\n1B0E6BA299A522A3B3B02015A3536F6F | 34.3% | 73.0% | 100% | 100%\r\nTable 4. Resulting Similarity and Confidence Rates of Pirpi Samples\r\nConclusion\r\nThe UPS threat group continues to exploit zero-day vulnerabilities in their campaigns, which shows that this\r\ngroup is quite sophisticated and has access to significant resources. Within their attack campaigns involving zero-days, UPS has consistently reused delivery techniques and code within various components of the attack. UPS has\r\nrelied on steganography to conceal the payloads delivered after exploitation of zero-days by embedding payloads,\r\nspecifically the Pirpi backdoor, within animated GIFs. This group also reuses portions of their ActionScript within\r\ntheir malicious Flash files used to exploit vulnerabilities, as well as sharing portions of shellcode that executes\r\nafter exploitation.\r\nWith regard to similarities amongst payloads, UPS delivers variants of the Pirpi backdoor that are typically very\r\nsimilar to each other. The Pirpi backdoors we analyzed use the same configuration file, a common C2\r\ncommunications channel and a similar command handler. 
Also, the author of Pirpi includes several notable\r\nfingerprints within the code, specifically using a unique state machine and anti-disassembly techniques.\r\nOrganizations can use all of these overlaps and similarities to track and hopefully protect themselves from this\r\nadvanced adversary. AutoFocus users can identify Pirpi payloads with the Pirpi tag (Figure 9). WildFire\r\nautomatically classifies Pirpi samples as malicious and we have released IPS signature 14643 to detect Pirpi C2\r\ncommunications.\r\nFigure 9. Pirpi tag\r\nSource: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/"
	],
	"report_names": [
		"ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "13354d3f-3f40-44ec-b42a-3cda18809005",
			"created_at": "2022-10-25T15:50:23.275272Z",
			"updated_at": "2026-04-10T02:00:05.36519Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"APT3",
				"Gothic Panda",
				"Pirpi",
				"UPS Team",
				"Buckeye",
				"Threat Group-0110",
				"TG-0110"
			],
			"source_name": "MITRE:APT3",
			"tools": [
				"OSInfo",
				"schtasks",
				"PlugX",
				"LaZagne",
				"SHOTPUT",
				"RemoteCMD"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4",
			"created_at": "2023-01-06T13:46:38.269054Z",
			"updated_at": "2026-04-10T02:00:02.90356Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"GOTHIC PANDA",
				"TG-0110",
				"Buckeye",
				"Group 6",
				"Boyusec",
				"BORON",
				"BRONZE MAYFAIR",
				"Red Sylvan",
				"Brocade Typhoon"
			],
			"source_name": "MISPGALAXY:APT3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cf826655-5fcb-4331-bdc5-5ef267db9d3c",
			"created_at": "2025-08-07T02:03:24.631402Z",
			"updated_at": "2026-04-10T02:00:03.608938Z",
			"deleted_at": null,
			"main_name": "BRONZE MAYFAIR",
			"aliases": [
				"APT3 ",
				"Gothic Panda ",
				"Pirpi",
				"TG-0110 ",
				"UPSTeam"
			],
			"source_name": "Secureworks:BRONZE MAYFAIR",
			"tools": [
				"Cookiecutter",
				"HUC Proxy Malware (Htran)",
				"Pirpi",
				"PlugX",
				"SplitVPN",
				"UPS",
				"ctt",
				"ctx"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "06f622cb-3a78-49cf-9a4c-a6007a69325f",
			"created_at": "2022-10-25T16:07:23.315239Z",
			"updated_at": "2026-04-10T02:00:04.537826Z",
			"deleted_at": null,
			"main_name": "APT 3",
			"aliases": [
				"APT 3",
				"Boron",
				"Brocade Typhoon",
				"Bronze Mayfair",
				"Buckeye",
				"G0022",
				"Gothic Panda",
				"Group 6",
				"Operation Clandestine Fox",
				"Operation Clandestine Fox, Part Deux",
				"Operation Clandestine Wolf",
				"Operation Double Tap",
				"Red Sylvan",
				"TG-0110",
				"UPS Team"
			],
			"source_name": "ETDA:APT 3",
			"tools": [
				"APT3 Keylogger",
				"Agent.dhwf",
				"BKDR_HUPIGON",
				"Backdoor.APT.CookieCutter",
				"Badey",
				"Bemstour",
				"CookieCutter",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EXL",
				"EternalBlue",
				"HTran",
				"HUC Packet Transmit Tool",
				"Hupigon",
				"Hupigon RAT",
				"Kaba",
				"Korplug",
				"LaZagne",
				"MFC Huner",
				"OSInfo",
				"Pirpi",
				"PlugX",
				"RedDelta",
				"RemoteCMD",
				"SHOTPUT",
				"Sogu",
				"TIGERPLUG",
				"TTCalc",
				"TVT",
				"Thoper",
				"Xamtrav",
				"remotecmd",
				"shareip",
				"w32times"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434602,
	"ts_updated_at": 1775792246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d920d18f5f0097fde995ebb847f099d605b74f8c.pdf",
		"text": "https://archive.orkl.eu/d920d18f5f0097fde995ebb847f099d605b74f8c.txt",
		"img": "https://archive.orkl.eu/d920d18f5f0097fde995ebb847f099d605b74f8c.jpg"
	}
}