{
	"id": "4c135927-8e8c-4de6-83b3-993e50ff5541",
	"created_at": "2026-04-06T00:08:07.063353Z",
	"updated_at": "2026-04-10T13:12:27.090877Z",
	"deleted_at": null,
	"sha1_hash": "e044518cd9650a70a955286615359512ad1e1a0b",
	"title": "LevelBlue - Open Threat Exchange",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 347861,
	"plain_text": "LevelBlue - Open Threat Exchange\r\nBy PetrP.73\r\nArchived: 2026-04-05 13:38:40 UTC\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:RoyalCli\n\nAPT15 Cyber Espionage: Campaigns and TTPs Analysis\r\nCVE: 5 | URL: 1 | Hostname: 2\r\nAPT15, a cyber espionage group with origins in China, has been active since approximately 2010 and has\r\nconducted numerous high-profile campaigns targeting government, diplomatic, and military sectors across North\r\nAmerica, Europe, and the Middle East. Their operations include notable incidents such as the 2013 \"moviestar\"\r\noperation against European Ministries of Foreign Affairs, attacks on Indian embassy personnel in 2016, and the\r\nhacking of a US Navy contractor in 2018. Even after significant disruptions like the 2021 crackdown by\r\nMicrosoft, APT15 adapted and continued its activities, notably deploying a new backdoor called Graphican in\r\n2022 and using the ORB3 network for operations in 2023.\r\n161 Subscribers\n\nThreat Research | FireEye Inc\r\nFind out more about FireEye.com, the world's leading cyber security company, which provides security services to\r\nmore than 1.5 million customers across the globe, and offers a wide range of products and services.\r\n17 Subscribers\r\n354 Subscribers\n\nAPT15 is alive and strong: An analysis of RoyalCli and RoyalDNS\r\nFileHash-MD5: 2 | FileHash-SHA256: 6 | YARA: 6 | Domain: 4 | Hostname: 6\r\nIn May 2017, NCC Group's Incident Response team reacted to an ongoing incident where our client, which\r\nprovides a range of services to UK Government, suffered a network compromise involving the advanced\r\npersistent threat group APT15. APT15 is also known as Ke3chang, Mirage, Vixen Panda, GREF and Playful\r\nDragon. A number of sensitive documents were stolen by the attackers during the incident and we believe APT15\r\nwas targeting information related to UK government departments and military technology.\r\n373,906 Subscribers\r\nSource: https://otx.alienvault.com/browse/pulses?q=tag:RoyalCli",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://otx.alienvault.com/browse/pulses?q=tag:RoyalCli"
	],
	"report_names": [
		"pulses?q=tag:RoyalCli"
	],
	"threat_actors": [
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "adfbe698-24b2-41fc-a701-781fef330b16",
			"created_at": "2024-01-09T02:00:04.17648Z",
			"updated_at": "2026-04-10T02:00:03.504826Z",
			"deleted_at": null,
			"main_name": "GREF",
			"aliases": [],
			"source_name": "MISPGALAXY:GREF",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434087,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e044518cd9650a70a955286615359512ad1e1a0b.pdf",
		"text": "https://archive.orkl.eu/e044518cd9650a70a955286615359512ad1e1a0b.txt",
		"img": "https://archive.orkl.eu/e044518cd9650a70a955286615359512ad1e1a0b.jpg"
	}
}