{ "id": "722a4038-ec25-442e-a94b-126982d2e363", "created_at": "2026-04-06T00:18:26.866401Z", "updated_at": "2026-04-10T03:36:06.912701Z", "deleted_at": null, "sha1_hash": "db0fd986406b396c00c7efb0cd942945db5d7c70", "title": "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/iron-tiger-compromises-chat-application-mimi,-targets-windows,-mac,-and-linux-users/IOCs-IronTiger-compromises-chat-application-mimi-targets-windows-mac-linux-users.txt", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 35129, "plain_text": "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ir\r\ntiger-compromises-chat-application-mimi,-targets-windows,-mac,-and-linux-users/IOCs-IronTiger-compromises-chat-application-mimi-targets-windows-mac-linux-users.txt\r\nArchived: 2026-04-05 14:45:24 UTC\r\nIron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users\r\nSHA256\r\n56b55e3587dc8e40e36c2eadba62dd2b39890dc0df313620f3b42ab0f0b92a3d HyperBro DLL (Windows)\r\n22c3c2bf77a94ed5f207c00e240f558d6411308d237779ffb12e04bbe2c90356 HyperBro DLL (Windows)\r\nef2f20d1016cd39ff44f1399c8aa5c1ff5bfd4850d611ba375fbeff7f7e3eaf6 HyperBro packed payload (Windows)\r\nd0fec5c5e2687e76af07a4a3c6e2e2b02789838c0b802f5041443ab482bc3498 Rshell (Linux)\r\n07aa739fa4942cfd68d4a075568456797f11ae34db5cd56f88d80185bc1d7a29 Rshell (Linux)\r\nd67aebfafa347a21805dbded3fa310e2268a5d2255fcb7f1c8004502a95e7538 Rshell (Linux)\r\ne909c4dac832e9d1ecd1673c5bff6e1939d9c832a2509cb64931e4aa1e334077 Rshell (Linux)\r\nc10a3a78cdf1e48189ac270767f7f718bd15a9d4e48e580a9ef6ceff5f4abf46 Rshell (Linux)\r\n8019b7deaf41b48c38b8b48e016f208a28e0909d437d4e35e3e35f7995758564 Rshell (Linux)\r\n3a9e72b3810b320fa6826a1273732fee7a8e2b2e5c0fd95b8c36bbab970e830a Rshell (Mac OS)\r\n8c3be245cbbe9206a5d146017c14b8f965ab7045268033d70811d5bcc4b796ec Rshell (Mac OS)\r\nURLs\r\ntime.ntp-server.asia C\u0026C\r\n45.142.214.193 C\u0026C\r\nlinux.updatelive-oline.com C\u0026C\r\ncenter.veryssl.org C\u0026C\r\nhttps://139.180.216.65:443/api/v2/ajax C\u0026C\r\nhttps://104.168.211.246:443/api/v2/ajax C\u0026C\r\nhttps://80.92.206.158:443/api/v2/ajax C\u0026C\r\nhttps://45.77.250.141:443/api/v2/ajax C\u0026C\r\nhttp://139.180.216.65/dlpprem32.dll Disease Vector\r\nhttp://139.180.216.65/dlpprem32.bin Disease Vector\r\nhttp://139.180.216.65/rshell Disease Vector\r\nhttp://45.77.250.141/dlpprem32.dll Disease Vector\r\nhttp://45.77.250.141/dlpprem32.bin Disease Vector\r\nSource: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/iron-tiger-compromises-chat-application-mimi,-targets-windows,-ma\r\nc,-and-linux-users/IOCs-IronTiger-compromises-chat-application-mimi-targets-windows-mac-linux-users.txt\r\nhttps://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/iron-tiger-compromises-chat-application-mimi,-targets-windows,-mac,-and-linux-users/IOCs-IronTiger-compromises-chat-application-mimi-targets-windows-mac-linux-users.txt\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/iron-tiger-compromises-chat-application-mimi,-targets-windows,-mac,-and-linux-users/IOCs-IronTiger-compromises-chat-application-mimi-targets-windows-mac-linux-users.txt" ], "report_names": [ "IOCs-IronTiger-compromises-chat-application-mimi-targets-windows-mac-linux-users.txt" ], "threat_actors": [ { "id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c", "created_at": "2022-10-25T15:50:23.819113Z", "updated_at": "2026-04-10T02:00:05.354598Z", "deleted_at": null, "main_name": "Threat Group-3390", "aliases": [ "Threat Group-3390", "Earth Smilodon", "TG-3390", "Emissary Panda", "BRONZE UNION", "APT27", "Iron Tiger", "LuckyMouse", "Linen Typhoon" ], "source_name": "MITRE:Threat Group-3390", "tools": [ "Systeminfo", "gsecdump", "PlugX", "ASPXSpy", "Cobalt Strike", "Mimikatz", "Impacket", "gh0st RAT", "certutil", "China Chopper", "HTTPBrowser", "Tasklist", "netstat", "SysUpdate", "HyperBro", "ZxShell", "RCSession", "ipconfig", "Clambling", "pwdump", "NBTscan", "Pandora", "Windows Credential Editor" ], "source_id": "MITRE", "reports": null }, { "id": "c63ab035-f9f2-4723-959b-97a7b98b5942", "created_at": "2023-01-06T13:46:38.298354Z", "updated_at": "2026-04-10T02:00:02.917311Z", "deleted_at": null, "main_name": "APT27", "aliases": [ "BRONZE UNION", "Circle Typhoon", "Linen Typhoon", "TEMP.Hippo", "Budworm", "Lucky Mouse", "G0027", "GreedyTaotie", "Red Phoenix", "Iron Tiger", "Iron Taurus", "Earth Smilodon", "TG-3390", "EMISSARY PANDA", "Group 35", "ZipToken" ], "source_name": "MISPGALAXY:APT27", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43", "created_at": "2025-08-07T02:03:24.68371Z", "updated_at": "2026-04-10T02:00:03.64323Z", "deleted_at": null, "main_name": "BRONZE UNION", "aliases": [ "APT27 ", "Bowser", "Budworm ", "Circle Typhoon ", "Emissary Panda ", "Group35", "Iron Tiger ", "Linen Typhoon ", "Lucky Mouse ", "TG-3390 ", "Temp.Hippo " ], "source_name": "Secureworks:BRONZE UNION", "tools": [ "AbcShell", "China Chopper", "EAGERBEE", "Gh0st RAT", "OwaAuth", "PhantomNet", "PoisonIvy", "Sysupdate", "Wonknu", "Wrapikatz", "ZxShell", "reGeorg" ], "source_id": "Secureworks", "reports": null }, { "id": "5c13338b-eaed-429a-9437-f5015aa98276", "created_at": "2022-10-25T16:07:23.582715Z", "updated_at": "2026-04-10T02:00:04.675765Z", "deleted_at": null, "main_name": "Emissary Panda", "aliases": [ "APT 27", "ATK 15", "Bronze Union", "Budworm", "Circle Typhoon", "Earth Smilodon", "Emissary Panda", "G0027", "Group 35", "Iron Taurus", "Iron Tiger", "Linen Typhoon", "LuckyMouse", "Operation DRBControl", "Operation Iron Tiger", "Operation PZChao", "Operation SpoiledLegacy", "Operation StealthyTrident", "Red Phoenix", "TEMP.Hippo", "TG-3390", "ZipToken" ], "source_name": "ETDA:Emissary Panda", "tools": [ "ASPXSpy", "ASPXTool", "Agent.dhwf", "AngryRebel", "Antak", "CHINACHOPPER", "China Chopper", "Destroy RAT", "DestroyRAT", "FOCUSFJORD", "Farfli", "Gh0st RAT", "Ghost RAT", "HTTPBrowser", "HTran", "HUC Packet Transmit Tool", "HighShell", "HttpBrowser RAT", "HttpDump", "HyperBro", "HyperSSL", "HyperShell", "Kaba", "Korplug", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "Moudour", "Mydoor", "Nishang", "OwaAuth", "PCRat", "PlugX", "ProcDump", "PsExec", "RedDelta", "SEASHARPEE", "Sensocode", "SinoChopper", "Sogu", "SysUpdate", "TIGERPLUG", "TVT", "Thoper", "Token Control", "TokenControl", "TwoFace", "WCE", "Windows Credential Editor", "Windows Credentials Editor", "Xamtrav", "ZXShell", "gsecdump", "luckyowa" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434706, "ts_updated_at": 1775792166, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/db0fd986406b396c00c7efb0cd942945db5d7c70.pdf", "text": "https://archive.orkl.eu/db0fd986406b396c00c7efb0cd942945db5d7c70.txt", "img": "https://archive.orkl.eu/db0fd986406b396c00c7efb0cd942945db5d7c70.jpg" } }