{
	"id": "11e38873-afbc-4a11-84e4-48d82b42b8eb",
	"created_at": "2026-04-06T00:10:35.891236Z",
	"updated_at": "2026-04-10T13:12:52.531435Z",
	"deleted_at": null,
	"sha1_hash": "e169dc0c4f11806903a0914f6cc79f30571ac06d",
	"title": "Redfly: Espionage Actors Continue to Target Critical Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51951,
	"plain_text": "Redfly: Espionage Actors Continue to Target Critical Infrastructure\r\nArchived: 2026-04-05 16:30:13 UTC\r\nEspionage actors are continuing to mount attacks on critical national infrastructure (CNI) targets, a trend that has become a\r\nsource of concern for governments and CNI organizations worldwide. Symantec’s Threat Hunter Team has found evidence\r\nthat a threat actor group Symantec calls Redfly used the ShadowPad Trojan to compromise a national grid in an Asian\r\ncountry for as long as six months earlier this year. The attackers managed to steal credentials and compromise multiple\r\ncomputers on the organization’s network. \r\nThe attack is the latest in a series of espionage intrusions against CNI targets. In May 2023, the U.S., UK, Australian,\r\nCanadian, and New Zealand governments issued a joint alert about threat actors targeting CNI organizations in the U.S.\r\nusing techniques that could potentially be replicated against targets in other countries. The alert followed Microsoft’s report\r\non Volt Typhoon, an espionage actor that compromised several critical infrastructure organizations in the U.S.\r\nLinks to earlier attacks\r\nShadowPad is a modular remote access Trojan (RAT) that was designed as a successor to the Korplug/PlugX Trojan, and\r\nwas, for a period of time, sold in underground forums. However, despite its origins as a publicly available tool, it was only\r\nsold publicly for a very short time, reportedly to a handful of buyers. It has since been closely linked to espionage actors. \r\nWhile ShadowPad is known to be used by multiple advanced persistent threat (APT) actors, identified tools and\r\ninfrastructure used in the recent campaign targeting a national power grid overlap with previously reported attacks\r\nattributed to a cluster of APT41 activity (aka Brass Typhoon, Wicked Panda, Winnti, and Red Echo). 
Symantec tracks this\r\ngroup as multiple distinct actors, such as Blackfly and Grayfly; links between these groups have been discussed\r\nbefore. The activities identified in this campaign are currently being tracked under a separate group that Symantec has\r\ndubbed Redfly, which appears to exclusively focus on targeting CNI. \r\nTools used: ShadowPad\r\nA distinct variant of the ShadowPad Trojan was used in this attack. It utilized the domain websencl[.]com for command-and-control (C\u0026C) purposes. \r\nIt copied itself to disk in the following locations, masquerading as VMware files and directories to mask its purpose (there is\r\nno other evident association with VMware products):\r\nC:\\ProgramData\\VMware\\RawdskCompatibility\\virtual\\vmrawdsk.exe\r\nC:\\ProgramData\\VMware\\RawdskCompatibility\\virtual\\mscoree.dll\r\nPersistence is achieved by creating the following service, which is configured to start with Windows on boot-up:\r\nServiceName: VMware Snapshot Provider Service\r\nDisplayName: VMware Snapshot Provider Service\r\nServiceType: SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS\r\nStartType: SERVICE_AUTO_START\r\nBinaryPathName: C:\\ProgramData\\VMware\\RawdskCompatibility\\virtual\\vmrawdsk.exe\r\nTools used: Packerloader\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/critical-infrastructure-attacks\r\nPage 1 of 4\n\nThis is a tool used to load and execute shellcode. The shellcode is stored in a file in an encrypted form. It allows the\r\nattackers to deliver and execute arbitrary files or commands on an infected computer.\r\nThe tool is a 64-bit dynamic link library (DLL) that has one export, called WorkProc, which accepts an additional command-line argument. This argument is interpreted as a string and can be used as a decryption key. 
If no key is passed on the\r\ncommand line, the malware attempts to retrieve a key from the following registry location instead:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\HomeGroup\\PublishedMessageOfflineCache\\\"A\r\nIn all cases, the malware checks that the string length of the decryption secret is 0x20 characters.\r\nThe malware then loads its payload. It will first check if the following file exists:\r\n[FILE_DIRECTORY_OF_SAMPLE_BINARY]\\tmp.bin\r\nIf the file exists, its contents are used as the encrypted payload. Otherwise, the malware attempts to retrieve a payload from\r\nthe registry at the following location: \r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\HomeGroup\\PublishedMessageOfflineCache\\\"S\r\nThe malware will then decrypt the loaded payload with the Advanced Encryption Standard (AES) algorithm in Electronic\r\nCode Book (ECB) mode using the first 0x10 bytes of the decryption key as the AES key. Finally, it creates a new thread to\r\nexecute the decrypted payload as shellcode. \r\nTools used: Keylogger\r\nThe attackers also employed a keylogger, which was installed under various file names on different computers, including\r\nwinlogon.exe and hphelper.exe.\r\nThe keylogger was configured to store captured keystrokes in the following location:\r\n%SYSTEMROOT%\\Intel\\record.log\r\nAttack outline\r\nThe first evidence of intrusion on the targeted network dated from February 28, 2023, when ShadowPad was executed on a\r\nsingle computer. It was executed again on May 17, 2023, suggesting that the attackers had maintained a presence in the\r\nintervening three months. \r\nA day earlier (May 16), a suspicious Windows batch file (file name: 1.bat) was executed. 
Shortly afterwards, PackerLoader\r\nwas executed via rundll32 from the %TEMP% directory with some command-line arguments:\r\nrundll32 %TEMP\\%packerloader.dll WorkProc E10ADC3949BA59ABBE56E057F20F883E\r\nImmediately afterwards, permissions were modified for a driver file called dump_diskfs.sys to grant access to all users. It is\r\npossible the attackers used this driver to create dumps of the file system for later exfiltration. Four minutes later, credentials\r\nwere dumped from the Windows registry:\r\nreg save HKLM\\SYSTEM system.save\r\nreg save HKLM\\SAM sam.sav\r\nreg save HKLM\\SECURITY security.save\r\nOn May 19, the attackers returned, running PackerLoader and the 1.bat batch file again. Shortly afterwards, a legitimate\r\nbinary named displayswitch.exe was executed. It was likely being used to perform DLL side-loading. This involves the\r\nattackers placing a malicious DLL in a directory where a legitimate DLL is expected to be found. The attacker then runs the\r\nlegitimate application (having installed it themselves). The legitimate application then loads and executes the payload.\r\nSeveral hours later, a suspicious PowerShell command was executed and used to gather information on the storage devices\r\nattached to the system. Specifically, it was designed to look for DriveType=3 (Read/Write Supported) and gather details on\r\navailable space. \r\npowershell -executionpolicy ByPass -command \"$disks = Get-WmiObject Win32_LogicalDisk -Filter \\\" DriveType = 3\\\" ;\r\nforeach ($disk in $disks) { $freeSpace = \\\"{0:N2}\\\" -f ($disk.FreeSpace/1GB) ; Write-Host \\\"Drive Free Space:\r\n$($disk.DeviceID) $freeSpace\\\"; }\"\r\nSeveral hours later, a similar set of activity occurred again.\r\nOn May 26, displayswitch.exe was executed from the %TEMP% directory via the command prompt. 
Less than an hour\r\nlater, several commands were executed via displayswitch.exe to dump credentials from the registry and clear the Windows\r\nsecurity event logs:\r\nCSIDL_SYSTEM\\cmd.exe\r\nreg save HKLM\\SAM sam.save\r\nreg save HKLM\\SYSTEM system.save\r\nreg save HKLM\\SYSTEM system.save\r\nreg save HKLM\\SYSTEM system.save\r\nreg save HKLM\\SECURITY security.save\r\nreg save HKLM\\SAM sam.save\r\nreg save HKLM\\SECURITY security.save\r\nwevtutil cl security\r\nOn May 29, the attackers returned and used a renamed version of ProcDump (file name: alg.exe) to dump credentials from\r\nLSASS.\r\nalg.exe -accepteula -ma lsass.exe z1.dmp\r\nOn May 31, a scheduled task was used to execute oleview.exe, most likely to perform side-loading and lateral movement.\r\nUse of Oleview by ShadowPad has been previously documented by Dell Secureworks and was also reported to have been\r\nused in attacks against industrial control systems. The command specified that Oleview was to be executed on a remote\r\nmachine using the task name (TrendView) at 07:30 a.m. 
It appears the attackers used stolen credentials in order to\r\nspread their malware onto other machines within the network.\r\nschtasks /create /s \\\\[REMOVED] /u [REMOVED] /P [REMOVED] /tr \"CSIDL_PROFILE\\\r\n[REMOVED]\\appdata\\local\\temp\\oleview.exe\" /tn TrendView /st 07:30 /sc once /ru \" \" /f\r\nMalicious activity appeared to cease until July 27, when a keylogger (file name: winlogon.exe) was installed on a machine.\r\nThe final evidence of malicious activity came on August 3, when the attackers returned and attempted to dump credentials\r\nagain using a renamed version of ProcDump (file name: yara32.exe):\r\nyara32.exe -accepteula -ma lsass.exe z1.dmp\r\nMinutes later, the attackers also attempted to dump credentials from the Windows registry:\r\nreg save HKLM\\SAM sam.save\r\nreg save HKLM\\SAM sam.save\r\nreg save HKLM\\SYSTEM system.save\r\nreg save HKLM\\SYSTEM system.save\r\nreg save HKLM\\SYSTEM system.save\r\nreg save HKLM\\SECURITY security.save\r\nreg save HKLM\\SECURITY security.save\r\nSource of concern\r\nAttacks against CNI targets are not unprecedented. Almost a decade ago, Symantec uncovered the Russian-sponsored\r\nDragonfly group’s attacks against the energy sectors in the U.S. and Europe. More recently, the Russian Sandworm group\r\nmounted attacks against the electricity distribution network in Ukraine, which were directed at disrupting electricity\r\nsupplies. \r\nHowever, the frequency at which CNI organizations are being attacked appears to have increased over the past year and is\r\nnow a source of concern. Threat actors maintaining a long-term, persistent presence on a national grid presents a clear risk\r\nof attacks designed to disrupt power supplies and other vital services in nation-states during times of increased political\r\ntension. 
While Symantec has not seen any disruptive activity by Redfly, the fact that such attacks have occurred in other\r\nregions means they are not outside the bounds of possibility. \r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/critical-infrastructure-attacks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/critical-infrastructure-attacks"
	],
	"report_names": [
		"critical-infrastructure-attacks"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3ec9542a-2245-466b-86e3-cd345819b09b",
			"created_at": "2023-11-04T02:00:07.67045Z",
			"updated_at": "2026-04-10T02:00:03.388063Z",
			"deleted_at": null,
			"main_name": "Redfly",
			"aliases": [],
			"source_name": "MISPGALAXY:Redfly",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434235,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e169dc0c4f11806903a0914f6cc79f30571ac06d.pdf",
		"text": "https://archive.orkl.eu/e169dc0c4f11806903a0914f6cc79f30571ac06d.txt",
		"img": "https://archive.orkl.eu/e169dc0c4f11806903a0914f6cc79f30571ac06d.jpg"
	}
}