{
	"id": "0e4e63da-3e12-4d78-a7ad-273ca404d00e",
	"created_at": "2026-04-06T00:13:01.626703Z",
	"updated_at": "2026-04-10T13:12:55.637001Z",
	"deleted_at": null,
	"sha1_hash": "db14ce81f2d9b9d6dc5a21217b8179375edae589",
	"title": "Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack | 360 Total Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2080066,
	"plain_text": "Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack | 360 Total Security Blog\r\nPublished: 2018-05-25 · Archived: 2026-04-05 13:11:09 UTC\r\nI Overview\r\nRecently, the Advanced Threat Response Team of 360 Core Security Division detected an APT attack exploiting a 0-day vulnerability and captured the world’s first malicious sample that uses a browser 0-day vulnerability. We code-named the vulnerability the “double kill” exploit. This vulnerability affects the latest version of Internet Explorer and applications that use the IE kernel. Users who browse the web or open Office documents are potential targets. Eventually the attackers implant a backdoor Trojan to take complete control of the computer. In response, we shared the relevant details of the 0day vulnerability with Microsoft in a timely manner. This APT attack was analyzed and attributed upon detection, and we have now confirmed its association with the APT-C-06 group.\r\nOn April 18, 2018, as soon as 360 Core Security detected the malicious activity, we contacted Microsoft without delay and submitted the relevant details. Microsoft confirmed the vulnerability on the morning of April 20th and released an official security patch on May 8th. Microsoft has fixed the vulnerability and named it CVE-2018-8174. 
After the vulnerability was properly resolved, we published this report on May 9th, along with further technical disclosure of the attack and the 0day.\r\nII Affected Regions in China\r\nAccording to the sample data analysis, the regions of China affected by the attack are mainly provinces actively involved in foreign trade. Victims include trade agencies and related organizations.\r\nIII Attack Procedure Analysis\r\nThe lure documents captured in this attack are in Yiddish[1]. The attackers exploit Office with OLE autolink objects (CVE-2017-0199) to embed links to malicious websites in the documents. All the exploits and malicious payloads were delivered from remote servers.\r\n[1] The language was automatically identified by Google Translate.\r\nNotification in the pop-up window:\r\nLinks to this document may reference other files. Do you want to update this document with the data in the linked file?\r\nOnce a victim opens the lure document, Word first visits a remote website hosting the IE VBScript 0day (CVE-2018-8174) to trigger the exploit. Afterwards, shellcode runs and sends several requests to fetch the payload from remote servers. The payload is then decrypted for the next stage of the attack.\r\nWhile the payload is running, Word drops three DLL backdoors locally. The backdoors are installed and executed through PowerShell and rundll32. 
UAC bypass was used in this process, as well as file steganography and in-memory reflective loading, in order to evade traffic detection and complete loading without writing files to disk.\r\nThe main process of the attack is shown in the following figure:\r\nIV IE VBScript 0day (CVE-2018-8174)\r\n1. Timeline\r\nOn April 18, 2018, the Advanced Threat Response Team of 360 Core Security Division detected a high-risk 0day vulnerability. The vulnerability affects the latest version of Internet Explorer and applications that use the IE kernel, and had been found in use for targeted APT attacks. On the same day, 360 immediately communicated with Microsoft and submitted details of the vulnerability. Microsoft confirmed this vulnerability on the morning of April 20th and released an official security patch on May 8th. The 0day vulnerability was fixed and named CVE-2018-8174.\r\nCVE-2018-8174 is a remote code execution vulnerability in the Windows VBScript engine. Attackers can embed malicious VBScript in an Office document or website; when the user opens it, the script executes arbitrary code with the privileges of the current user.\r\n2. 
Vulnerability Principles\r\nStatistical analysis of the vulnerability samples showed that obfuscation was used heavily. We therefore stripped the redundant obfuscation and renamed all the identifiers.\r\nFrom the POC built out of the exploit samples we captured, the principle of the exploit is clear. The POC sample is as follows:\r\nDetailed procedure:\r\n1) First create a cla1 instance and assign it to b, then assign the value 0 to b. Because b’s reference count is 1 at this point, cla1’s Class_Terminate function is called.\r\n2) In the Class_Terminate function, assign b to c and then assign 0 to b again, which rebalances the reference count.\r\n3) After Class_Terminate returns, the memory pointed to by the b object is released, so c now holds a pointer to the memory of the freed object b.\r\n4) If another object is made to occupy the freed memory, this leads to a typical UAF or type confusion problem.\r\n3. Exploitation\r\nThe 0-day exploit triggers the UAF multiple times to accomplish type confusion. It fakes and overwrites an array object to perform arbitrary address reading and writing. Finally, it executes code after constructing an object. 
Code execution does not use traditional ROP or GodMode, but stabilizes the exploit by laying out the shellcode from the script.\r\nFake array to perform arbitrary address reading and writing\r\nThe mem members of the two classes created via the UAF are offset by 0x0c bytes, and an array of size 0x7fffffff is forged by reading and writing through the two mem members.\r\ntypedef struct tagSAFEARRAY {\r\n    USHORT cDims;                 // cDims = 0x0001 (one dimension)\r\n    USHORT fFeatures;             // fFeatures = 0x0880\r\n    ULONG cbElements;             // bytes occupied by one element (1 byte)\r\n    ULONG cLocks;\r\n    PVOID pvData;                 // data buffer starts at address 0x0\r\n    SAFEARRAYBOUND rgsabound[1];\r\n} SAFEARRAY, *LPSAFEARRAY;\r\ntypedef struct tagSAFEARRAYBOUND {\r\n    ULONG cElements;              // number of elements (0x7fffffff, the whole user space)\r\n    LONG lLbound;                 // lower bound of the index (starting from 0)\r\n} SAFEARRAYBOUND, *LPSAFEARRAYBOUND;\r\nThe forged array is one-dimensional, with 0x7fffffff elements, each element occupying 1 byte, and a data pointer of 0. The accessible memory range of the array is therefore 0x00000000 to 0x7fffffff*1, so the array can read and write at any user-space address. However, the storage type of lIlIIl is string, so the attackers only achieve their purpose by changing the data type to 0x200C, i.e. VT_VARIANT|VT_ARRAY (array type).\r\nRead the storage data of the specified parameter\r\nIn the malicious code, the function above is mainly used to read the data at the memory address specified by its parameter. The idea is to gain an arbitrary memory read through the behaviour of lenb(bstr xx) in VBScript, which reads the 4 bytes immediately preceding the string address (the BSTR’s length field), since the data type in VBS is BSTR.\r\nThis is shown in the code above. 
If the input argument is addr (0x11223344), first add 4 to get 0x11223348, and then set the variant type to 8 (string type). Next, call the len function: on finding a BSTR type, VBScript assumes the 4 bytes before the string (at 0x11223344) hold the length. The len function therefore executes and returns the value stored at the specified memory address.\r\nObtain Key DLL Base Address\r\n1. The attacker leaks the virtual function table address of the CScriptEntryPoint object, which belongs to vbscript.dll, in the following way.\r\n2. The vbscript.dll base address is obtained in the following way.\r\n3. Because vbscript.dll imports msvcrt.dll, the msvcrt.dll base address is obtained by walking the vbscript.dll import table; msvcrt.dll in turn imports kernelbase.dll and ntdll.dll, from which the addresses of NtContinue and VirtualProtect are finally obtained.\r\nBypass DEP to execute shellcode\r\n1. Use the arbitrary read and write primitive to change a VAR’s type to 0x4d, then assign it the value 0 so that the virtual machine calls the VAR::Clear function.\r\n2. Carefully control execution so that the code calls ntdll!ZwContinue. Its first parameter, the CONTEXT structure, is also constructed by the attacker.\r\n3. The first parameter of ZwContinue is a pointer to the CONTEXT structure. The CONTEXT structure is shown in the following figure, and the offsets of EIP and ESP within CONTEXT can be calculated from it.\r\n4. The values of Eip and Esp in the CONTEXT at actual runtime, and the attacker’s intention, are shown in the figure below.\r\nV Powershell Payload\r\nAfter the bait DOC file is opened, it executes a PowerShell command to fetch the next-stage payload.\r\nFirst, PowerShell fuzzy-matches incoming parameter names, and the matching is case-insensitive.\r\nSecond, the script decrypts the obfuscated command.\r\nNext, the script requests the next stage from a URL using a special User-Agent, then executes it.\r\nThe size of the requested payload file is approximately 199K. The code fragment is as follows.\r\nWe found that this code was modified from Invoke-ReflectivePEInjection.ps1[2]. buffer_x86 and buffer_x64 in the code are the same function from different versions of the DLL file. File export module name: ReverseMet.dll.\r\n[2] https://github.com/EmpireProject/Empire/blob/master/data/module_source/code_execution/Invoke-ReflectivePEInjection.ps1\r\nThe DLL file decrypts the IP address, port and sleep time from its configuration. 
The decryption algorithm XORs each byte with 0xA4 and then subtracts 0x34; the code is as follows.\r\nThe decrypted configuration points to IP address 185.183.97.28, port 1021, from which the next stage is fetched and executed. After connecting to the TCP port, it reads 4 bytes and uses that value as the size of a memory allocation. The data received afterwards is written into that memory, and the acquired shellcode payload is executed in a new thread.\r\nSince the port of the sample’s CC server is closed, we could not obtain the next stage for analysis.\r\nVI UAC Bypass Payload\r\nIn addition to using PowerShell to load the payload, the bait DOC file also runs rundll32.exe to execute another backdoor locally. The backdoor program it uses has several notable features: it uses a COM interface to copy files, achieving UAC bypass and two system DLL hijacks; it abuses the default DLL loading of cliconfg.exe and SearchProtocolHost.exe to take advantage of whitelisted binaries; and during component delivery it uses file steganography and in-memory reflective loading to evade traffic monitoring and load without touching disk.\r\n1. Retro backdoor execution\r\nThe backdoor program used in this attack is actually the Retro series backdoor known to be used by the APT-C-06 organization. 
The following is a detailed analysis of how the backdoor program is installed.\r\nFirst, the DLL disguised as the zlib library is executed with rundll32, which runs the backdoor installation functions uncompress2 and uncompress3.\r\nIt uses a COM interface for UAC bypass, copying its own DLL into the System32 path for DLL hijacking; the hijacked targets are cliconfg.exe and SearchProtocolHost.exe.\r\nThe DLL file in the AppData directory is copied to the System32 directory through the COM interface under the names msfte.dll and NTWDBLIB.dll.\r\nNTWDBLIB.dll is then copied into the System directory and the system’s own cliconfg is executed to achieve DLL hijacking and load NTWDBLIB.dll.\r\nThe role of NTWDBLIB.dll is to restart the system service WSearch, which then starts msfte.dll.\r\nThe script then generates and executes the MO4TH2H0.bat file in the TEMP directory, which deletes NTWDBLIB.DLL from the system directory and the BAT file itself.\r\nMsfte.dll is the final backdoor program, with exports disguised as zlib. The core export functions are AccessDebugTracer and AccessRetailTracer. 
Its main function is to communicate with the CC server and download and execute further DLL programs.\r\nLike the previously analyzed sample, it also uses image steganography and in-memory reflective loading.\r\nThe decrypted CC communication information is as follows:\r\nThe format of the request is:\r\nHxxp://CC_Address/s7/config.php?p=M\u0026inst=7917\u0026name=\r\nHere the parameter p is the privilege level of the current process, with two possible values, M and H; inst is the current installation id; and name is the CC_name obtained by decryption, which in this case is pphp.\r\nAfter the download is decrypted, the process is exactly the same as the format of the earlier image steganography transmission. The decryption process in this case is shown in the figure below:\r\nThe decryption process of the previously analyzed test sample is shown below:\r\nFor the CC URL corresponding to the test request, we did not obtain the corresponding image during the analysis, so the CC is suspected to be down.\r\nIn its implementation, Retro disguises itself as fake SSH and fake zlib components, intended to obfuscate and mislead users and analysts. Retro’s attack method has been in use since 2016.\r\n2. Retro backdoor evolution\r\nThe backdoor program used in the APT-C-06 organization’s early APT operations was Lucker. It is a set of self-developed, customized modular Trojans. The toolset is powerful, with keylogging, voice recording, screen capture, file capture and USB disk operation functions, among others. 
The name Lucker comes from the PDB path of this type of Trojan, and most of the backdoor’s functions use the abbreviation LK.\r\nIn the middle to late period we discovered its evolution into two different types of backdoor program, which we named Retro and Collector after the PDB paths extracted from the programs. The Retro backdoor is an evolution of the Lucker backdoor and has been active in a series of attacks from 2016 until now. The name comes from the label Retro in the PDB path of this type of Trojan; the word Retro also appears in the initial installer.\r\nC:\\workspace\\Retro\\DLL-injected-explorer\\zlib1.pdb\r\nC:\\workspace\\Retro\\RetroDLL\\zlib1.pdb\r\nThe evolution of the reflective DLL injection technique can be traced through the relevant PDB paths, and there are many variants of this series of backdoors.\r\nVII Attribution\r\n1. Decryption Algorithm\r\nDuring the analysis, we found that the decryption algorithm the malware used is identical to APT-C-06’s decryption algorithm.\r\nThe decryption algorithm of this attack is as follows:\r\nThe decryption algorithm APT-C-06 used is as follows:\r\nIn further analysis, we found the same decryption algorithm was used in the 64-bit version of the related malware.\r\n2. PDB Path\r\nThe PDB path of the malware used in this attack contains the string “Retro”, a specific feature of the Retro Trojan family.\r\n3. Victims\r\nIn the process of tracing victims, we found one particularly interesting compromised machine. It holds a large amount of malware related to APT-C-06. 
By looking at these samples in chronological order, the evolution of the malicious program can be clearly seen. The victim has been under constant attack by APT-C-06 since 2015. The early samples on the compromised machine could be associated with DarkHotel. It was then attacked with the Lucker Trojan, and most recently with the attack exploiting the 0-day vulnerability CVE-2018-8174.\r\nVIII Conclusion\r\nAPT-C-06 is an overseas APT organization that has been active for a long time. Its main targets are China and some other countries. Its main purpose is to steal sensitive data and conduct cyber-espionage. DarkHotel can be regarded as one of its series of attack activities.\r\nThe attacks against China specifically targeted government, scientific research institutions and some particular fields. The attacks can be dated back to 2007 and are still very active. Based on the evidence we have, the organization may be a hacker group or an intelligence agency supported by a foreign government.\r\nThe attacks against China have never stopped over the past 10 years, and the techniques the group uses keep evolving over time. Based on the data we captured in 2017, targets in China are trade-related institutions concentrated in provinces with frequent trading activity. The group has been conducting long-term monitoring of the targets to steal confidential data.\r\nOver the decades of cyber attacks, APT-C-06 has exploited several 0-day vulnerabilities and used complex malware. 
It has dozens of function modules and over 200 malicious code samples.\r\nIn April 2018, the Advanced Threat Response Team of 360 Core Security Division took the lead in capturing the group’s new APT attack using the 0-day vulnerability CVE-2018-8174 in the wild, and discovered a new type of attack: Office-related attacks exploiting 0-day VBScript vulnerabilities.\r\nAfter capturing the new activity, we contacted Microsoft immediately and shared detailed information with them. Microsoft’s official security patch was released on 8th May. We are now publishing this detailed report to disclose and analyze the attack.\r\nAppendix IOC\r\nReferences\r\nhttps://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8174\r\nAbout\r\n360 Helios Team is the APT (Advanced Persistent Threat) research and analysis team in Qihoo 360. The team is dedicated to APT attack investigation, threat incident response and studies of the underground economy’s industrial chain. Since its establishment in December 2014, the team has successfully integrated 360’s big data base and built up a quick reversing and correlation procedure. So far, more than 30 APT and underground economy groups have been discovered and revealed.\r\n360 Helios also provides threat intelligence assessment and response solutions for enterprises.\r\nSource: https://blog.360totalsecurity.com/en/analysis-cve-2018-8174-vbscript-0day-apt-actor-related-office-targeted-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.360totalsecurity.com/en/analysis-cve-2018-8174-vbscript-0day-apt-actor-related-office-targeted-attack/"
	],
	"report_names": [
		"analysis-cve-2018-8174-vbscript-0day-apt-actor-related-office-targeted-attack"
	],
	"threat_actors": [
		{
			"id": "1dadf04e-d725-426f-9f6c-08c5be7da159",
			"created_at": "2022-10-25T15:50:23.624538Z",
			"updated_at": "2026-04-10T02:00:05.286895Z",
			"deleted_at": null,
			"main_name": "Darkhotel",
			"aliases": [
				"Darkhotel",
				"DUBNIUM",
				"Zigzag Hail"
			],
			"source_name": "MITRE:Darkhotel",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b13c19d6-247d-47ba-86ba-15a94accc179",
			"created_at": "2024-05-01T02:03:08.149923Z",
			"updated_at": "2026-04-10T02:00:03.763147Z",
			"deleted_at": null,
			"main_name": "TUNGSTEN BRIDGE",
			"aliases": [
				"APT-C-06 ",
				"ATK52 ",
				"CTG-1948 ",
				"DUBNIUM ",
				"DarkHotel ",
				"Fallout Team ",
				"Shadow Crane ",
				"Zigzag Hail "
			],
			"source_name": "Secureworks:TUNGSTEN BRIDGE",
			"tools": [
				"Nemim",
				"Tapaoux"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2b4eec94-7672-4bee-acb2-b857d0d26d12",
			"created_at": "2023-01-06T13:46:38.272109Z",
			"updated_at": "2026-04-10T02:00:02.906089Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"T-APT-02",
				"Nemim",
				"Nemin",
				"Shadow Crane",
				"G0012",
				"DUBNIUM",
				"Karba",
				"APT-C-06",
				"SIG25",
				"TUNGSTEN BRIDGE",
				"Zigzag Hail",
				"Fallout Team",
				"Luder",
				"Tapaoux",
				"ATK52"
			],
			"source_name": "MISPGALAXY:DarkHotel",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434381,
	"ts_updated_at": 1775826775,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/db14ce81f2d9b9d6dc5a21217b8179375edae589.pdf",
		"text": "https://archive.orkl.eu/db14ce81f2d9b9d6dc5a21217b8179375edae589.txt",
		"img": "https://archive.orkl.eu/db14ce81f2d9b9d6dc5a21217b8179375edae589.jpg"
	}
}