{
	"id": "c690e721-a487-4cca-96b2-37d68d60844c",
	"created_at": "2026-04-06T00:10:07.087611Z",
	"updated_at": "2026-04-10T03:33:45.81975Z",
	"deleted_at": null,
	"sha1_hash": "e0e37eb0ab7e925d6c5af6b7d5f662cbdc0df7f6",
	"title": "JSAC 2022 -Day 1- - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1883218,
	"plain_text": "JSAC 2022 -Day 1- - JPCERT/CC Eyes\r\nBy JPCERT/CC\r\nPublished: 2022-03-21 · Archived: 2026-04-05 17:52:34 UTC\r\nJSAC\r\nJPCERT/CC held JSAC2022 online on January 27, 2022. The purpose of this conference is to raise the knowledge and technical level of security analysts in Japan, and we aimed to bring them together in one place where they can share technical knowledge related to incident analysis and response. This year was the fifth time the conference was held. Nine presentations and two workshops, selected from 18 CFP and CFW submissions, were presented.\r\nUnlike last year, the event had a single track. Day 1 was Conference Day, and Day 2 was Workshop Day. The question-and-answer session was held on Slack, and speakers and the audience actively exchanged their opinions. Most of the presentation slides are available on the JPCERT/CC website. This article reports on Day 1, and Day 2 will be covered by our next blog post.\r\nOpening Talk: Looking Back on the Incidents in 2021\r\nSpeaker: Takayoshi Shiigi (JPCERT/CC)\r\nSlides (English)\r\nVideo\r\nIn the opening talk, Takayoshi discussed some incidents that JPCERT/CC confirmed in 2021 as well as its repositories published on GitHub.\r\nLODEINFO and Gh0stTimes were used in targeted attacks. LODEINFO was updated frequently, even in 2021. Since version 0.4.x, the launch method has been changed to LOLBAS (Living Off The Land Binaries And Scripts). Gh0stTimes is used by an attack group called BlackTech and is equipped with a panel called Times. Its code and functions are similar to those of the malware Gh0stRAT, which is also used by BlackTech.\r\nReferring to information published by JPCERT/CC, the speaker mentioned the restarted Emotet campaign and human-operated ransomware attacks as the notable features of widespread attacks in 2021.\r\nSome of JPCERT/CC’s public projects on GitHub were introduced at the end of the talk. 
YARA rules and the IoC list of the redirected domains used for the lucky visitor scam are available on the websites below.\r\nJPCERT/CC YARA rules\r\nhttps://github.com/JPCERTCC/jpcert-yara\r\nLucky Visitor Scam IoCs\r\nhttps://github.com/JPCERTCC/lucky-visitor-scam-ioc\r\nhttps://blogs.jpcert.or.jp/en/2022/03/jsac2022report1.html\r\nPage 1 of 12\n\nResearch on Unique Adversaries and its Attack Tools Targeting Widespread CMS in Japan\r\nSpeakers: Ryosuke Tsuji, Naoaki Nishibe (LAC Co., Ltd.)\r\nSlides (Japanese)\r\nVideo\r\nRyosuke and Naoaki described some features of the attack exploiting CVE-2021-20837, a vulnerability in Movable Type (a Content Management System) published in October 2021, and the functions of the tools used in the attack.\r\nAccording to the presentation, there was about a week between the release of the PoC for the vulnerability and the launch of the attack. Another aspect of the attack was that Movable Type is used much more heavily in Japan than in other regions, which resulted in a delay in the response by foreign security vendors. Japanese local vendors therefore proactively collected and verified information, alerted users and provided countermeasures.\r\nNext, the analysis of the following tools used in the vulnerability exploit was presented.\r\nFoxEx-Shell\r\nFoxWSO\r\nFoxWSO, downloaded by FoxEx-Shell, is a modified WSO (WebShell by Orb) which has features specific to FoxWSO compared to known WSOs. 
The speakers also added that AnonymousFox, an organisation allegedly selling FoxWSO, may have been involved in the attack, as there were several posts from them offering the tool on Telegram.\r\nma2tl: macOS Forensics Timeline Generator Using mac_apt Analysis Results\r\nSpeaker: Minoru Kobayashi (Internet Initiative Japan Inc.)\r\nSlides (English)\r\nVideo\r\nMinoru presented a tool called ma2tl (mac_apt to timeline), which he has developed. It automates the creation of a forensic timeline based on the results of mac_apt, an open source software for forensic analysis of macOS devices.\r\nIn order to perform forensic analysis of macOS devices, it is necessary to create a timeline that provides clues for the investigation. The background of developing the tool was the fact that there was no tool available with sufficient functionality. The speaker also added that mac_apt is a suitable tool for creating macOS timelines because it is constantly maintained to keep up with macOS updates, which frequently change file names and paths.\r\nma2tl helps to create a timeline of the following activities from databases such as mac_apt.db and UnifiedLogs.db, where the analysis results of mac_apt are stored.\r\nPersistence setting status\r\nProgram execution history\r\nVolume mounts (USB thumb drives or disk images)\r\nFile downloads\r\nTo conclude, the speaker demonstrated ma2tl facilitating forensic analysis of a device infected by malware.\r\nma2tl\r\nhttps://github.com/mnrkbys/ma2tl\r\nThe Struggle Against Domestic Malicious Proxy Services\r\nSpeaker: Yuji Ino (Recruit Holdings Co.,Ltd.)\r\nSlides (Japanese)\r\nYuji presented his analysis of the IP addresses of Japanese Residential IP Proxies (RESIPs), which are exploited in cyber attacks.\r\nHe first mentioned that if an 
attacker abuses RESIPs, which are proxies that relay traffic through residential network hosts, they can avoid detection of unauthorized access by making the access appear to originate from Japan when conducting a cyber attack from outside Japan via Japanese RESIPs. Next, he shared and explained the trend of abused Japanese RESIPs, mainly from the following perspectives:\r\nPercentage of survival period for each IP address\r\nActive rate (number of days with suspicious activity / survival period) of IP addresses with long-term activity observed\r\nRatio of IP addresses per carrier\r\nTrends in access by unique users to each IP address\r\nFinally, he explained the verification results of fraud detection (spoofed login, unauthorized use of stolen cards, fraud). He compared the data collected in this research with those of fraud cases, and as a result he found the following:\r\nSimple IP address matching causes many false positives.\r\nFalse positives can be reduced to some extent by comparing the data with the time of malicious activities.\r\nIt is useful for determining whether an attacker uses a Residential IP Proxy.\r\nAn Order of Magnitude Update\r\nSpeakers: Rintaro Koike, Hajime Takai, Nobuyuki Amakasu (NTT Security Japan)\r\nSlides (Japanese)\r\nRintaro and Hajime gave an update on an exploit kit called Magnitude Exploit Kit observed in 2021 and the analysis results of ransomware called Magniber, which is executed by this kit.\r\nThe kit has been frequently observed since around October 2021 in Japan. 
The speakers remarked that the exploitation of new vulnerabilities (e.g., CVE-2021-40444) and the distribution of Magniber through social engineering were the features of 2021.\r\nNext, a case study of Magniber infection using Magnitude Exploit Kit and social engineering was described. When the kit was executed, a window asking for an update appeared in Microsoft Edge. The malware was delivered by downloading and installing an AppX file (Windows Application Package) with a valid digital signature. The speakers also noted that Magniber has been updated to remove unnecessary features.\r\nIn the end, a few methods for investigating and detecting the Magnitude Exploit Kit and Magniber were presented based on their distinctive features.\r\nEmotet vs EmoCheck: The Battle Against Emotet Developers\r\nSpeakers: Tomoaki Tani (NTT Social Information Laboratories), Kota Kino, Ken Sajo (JPCERT/CC Incident Response Group)\r\nSlides (Japanese)\r\nVideo\r\nTomoaki and Kota presented on the changes after Emotet restarted its activity and on EmoCheck, a tool to detect Emotet processes.\r\nOne of the changes after Emotet restarted its activity is that the malware now directly distributes Cobalt Strike Beacon. Attention is required because this tool can lead to ransomware infection just as before.\r\nRegarding EmoCheck, they said that the main purpose of developing it was to provide users with a tool to easily check for Emotet infection. They also explained the changes in the detection logic of EmoCheck. The first detection logic reproduced Emotet’s process, which selects multiple keywords based on the drive serial and sets file names. The logic was then repeatedly updated as Emotet renewed its version and changed its processing logic.\r\nThey also explained the obfuscation process implemented in EmoCheck to prevent Emotet developers from bypassing the detection logic of EmoCheck. 
They said that the latest version of EmoCheck (version 2.0) uses obfuscation methods the same as or equivalent to those Emotet uses, as follows.\r\nString Obfuscation\r\nMixed Boolean Arithmetic\r\nControl Flow Flattening\r\nWin32API Hashing Obfuscation\r\nFunction Argument Randomization\r\nEmoCheck\r\nhttps://github.com/JPCERTCC/EmoCheck\r\nCrazy Journey: Evolution of Smoky Camouflage\r\nSpeakers: Ryuichi Tanabe, Yuta Sawabe (NTT Security Japan)\r\nSlides (Japanese)\r\nVideo\r\nRyuichi and Yuta presented on an attack campaign called Malsmoke and the investigation and detection methods for the campaign.\r\nThey said that Japanese users are one of the main targets of Malsmoke. The campaign has features such as using malvertising to eventually infect them with the Zloader malware, and its attack methods have been frequently updated with new attack techniques.\r\nThe malvertising used in this campaign is characterized by a landing page, shown after the advertisement page, that displays a fake Java plug-in installation screen in the language of the target’s country based on the geographic information of the IP address.\r\nIn addition, they said that the following campaigns are probably conducted by the same attack group, since they are similar to Malsmoke in that they use malvertising and the geographic information of IP addresses, etc.\r\nSeamless\r\nPseudoGate\r\nThey also explained the detection method for Malsmoke. They focused on the fact that Zloader’s C2 server domains are generated by a DGA (Domain Generation Algorithm) that does not change. 
They first collected Zloader samples from VirusTotal and other sources and then extracted Zloader configuration files with Triage, an online sandbox.\r\nBased on that information, they explained how the DGA calculates the C2 server domains.\r\nLuoYu: espionage in 2021 targeting Japan with new WinDealer\r\nSpeakers: Leon Chang (TeamT5), Yusuke Niwa (Itochu), Suguru Ishimaru (Kaspersky)\r\nSlides (English)\r\nVideo\r\nLeon and Yusuke presented updated information on LuoYu, a Chinese APT group on which Leon presented at JSAC2021.\r\nThey said LuoYu has newly used the following malware since JSAC2021:\r\nMalware: XDealer, ShadowPad, PlugX\r\nIn addition, the following industries and areas have been newly targeted:\r\nIndustries: Finance, Foreign Affairs, Military, Communications, Logistics\r\nAreas: Russia, United States, Czech Republic, Australia, Germany\r\nThey also explained the features of WinDealer, a type of malware LuoYu uses. WinDealer converts information for identifying each device, such as the user name, into a format similar to an IP address before saving it in the registry. When communicating with the C2 server, the malware accesses a domain or URL that does not exist, and a part of the response data (NXDOMAIN) is used for a label that identifies WinDealer-infected devices. The label is used in a custom header when sending data to the C2 server. In addition, WinDealer uses an IPGA (IP Generation Algorithm) to generate a random IP address from a specified range for the C2 server to avoid tracking.\r\nThey also introduced an incident case involving LuoYu. In this case, a legitimate application such as TIM (a communication tool) downloaded WinDealer, and the device was then infected with it. 
Finally, they described the results of threat analysis of the campaign using frameworks such as the Diamond Model and MITRE ATT\u0026CK.\r\nAmbiguously Black: The Current State of Earth Hundun's Arsenal\r\nSpeaker: Hiroaki Hara (TrendMicro)\r\nSlides (English)\r\nVideo\r\nHiroaki presented on the attack operations observed in 2021 which were conducted by an attack group called Earth Hundun.\r\nHe explained the attack campaigns which used the following malware. The features, attack methods, and attack infrastructure of each type of malware were covered.\r\nCampaign 1: LAMICE, BUSYICE (a.k.a. Flagpro), etc.\r\nCampaign 2: SELFMAKE, SPIDERPIG\r\nHe first presented Campaign 1. The attack starts with a phishing email with the malware LAMICE attached. LAMICE drops BUSYICE and other types of malware, which then download new backdoors. He found that the way LAMICE generates a file name for the malware it drops is identical to a known Earth Hundun TTP. In addition, he found connections and overlaps between the attack infrastructure of malware used by Earth Hundun, such as Gh0stTimes, and that of BUSYICE. For these reasons, he associated Campaign 1 with Earth Hundun.\r\nHe next presented Campaign 2. This campaign drops SELFMAKE through ProxyLogon, a vulnerability in Microsoft Exchange Server, or via a malware-bundled installer. It eventually executes SPIDERPIG in memory. He found that the format of the Mutex strings created by SPIDERPIG and BUSYICE is similar, and he also observed a case where SPIDERPIG was dropped by LAMICE in November 2021. 
For these reasons, he concluded that the attack groups behind Campaign 1 and 2 are probably the same and therefore that Campaign 2 is also Earth Hundun.\r\nFinally, he explained that in the future, it will be important to continuously disclose the process of attribution and redefine attack groups in order to keep up with attacker groups, which keep changing by sharing attack tools with other groups.\r\nWhat we can do to the chaotic A41APT campaign\r\nSpeakers: Gen Yanagishita (Macnica Networks Corp), Kiyotaka Tamada, Yu Nakatsuru (SecureWorks), Suguru Ishimaru (Kaspersky)\r\nSlides (English)\r\nVideo\r\nKiyotaka and Gen presented updates on A41APT, which they presented at JSAC2021.\r\nThey first explained that the decryption process and commands of SigLoader and SodaMaster, the malware A41APT has long used, were updated. The following new attack methods, which they confirmed after JSAC2021, were also introduced:\r\nUse of the Jackpot webshell\r\nIntrusion by exploiting ProxyShell (a Microsoft Exchange Server vulnerability)\r\nUse of HUI Loader\r\nNext, they explained HUI Loader. It loads SodaMaster by using an attack technique called DLL side-loading against legitimate files. HUI Loader and SodaMaster store the DLL files they load in a different folder.\r\nRegarding the connection between the A41APT campaign and attack groups, they discussed the possibility that multiple attack groups are involved, based on the fact that security researchers overseas identified HUI Loader in LockFile ransomware and BRONZE RIVERSIDE (a.k.a. 
APT10) incidents.\r\nFinally, he said that it is important to understand the status of security measures in one’s own and related organizations because, since 2020, incidents have been more likely to occur in places with weak security measures.\r\nIn closing\r\nIn this article, we reported on the 9 presentations on Day 1 of JSAC 2022. In our next blog post, we will cover the workshops on Day 2.\r\nShohei Iwasaki\r\n(Translated by Takumi Nakano and Masa Toyama)\r\nJPCERT/CC\r\nSource: https://blogs.jpcert.or.jp/en/2022/03/jsac2022report1.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2022/03/jsac2022report1.html"
	],
	"report_names": [
		"jsac2022report1.html"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8143b0d6-bfa0-43cc-b45f-dbcf4728741c",
			"created_at": "2025-05-29T02:00:03.230052Z",
			"updated_at": "2026-04-10T02:00:03.880481Z",
			"deleted_at": null,
			"main_name": "Malsmoke",
			"aliases": [],
			"source_name": "MISPGALAXY:Malsmoke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b72c2616-cc7c-4c47-a83d-6b7866b94746",
			"created_at": "2023-01-06T13:46:39.425297Z",
			"updated_at": "2026-04-10T02:00:03.323082Z",
			"deleted_at": null,
			"main_name": "Red Nue",
			"aliases": [
				"LuoYu"
			],
			"source_name": "MISPGALAXY:Red Nue",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434207,
	"ts_updated_at": 1775792025,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e0e37eb0ab7e925d6c5af6b7d5f662cbdc0df7f6.pdf",
		"text": "https://archive.orkl.eu/e0e37eb0ab7e925d6c5af6b7d5f662cbdc0df7f6.txt",
		"img": "https://archive.orkl.eu/e0e37eb0ab7e925d6c5af6b7d5f662cbdc0df7f6.jpg"
	}
}