{
	"id": "6337d40a-d635-4f9e-8374-d6384e9badab",
	"created_at": "2026-04-06T00:10:49.218591Z",
	"updated_at": "2026-04-10T03:32:21.523125Z",
	"deleted_at": null,
	"sha1_hash": "e57298055c00603d5e76069271d8721d61bbecfd",
	"title": "An inside look at NSA (Equation Group) TTPs from China’s lense",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1475840,
	"plain_text": "An inside look at NSA (Equation Group) TTPs from China’s lense\r\nBy inversecos\r\nPublished: 2025-02-19 · Archived: 2026-04-05 14:19:59 UTC\r\nSince I reside in a Five Eyes country (Australia) and have publicly presented four cases I led on China’s APT41\r\nattacking organisations in ASEAN, particularly concerning China’s cyber and political strategies, I was curious to\r\nexplore what China publishes about Five Eyes operations. This led me down a rabbit hole of research into TTPs\r\nthat Chinese cybersecurity entities have attributed to the NSA – or, as they coin “APT-C-40”.\r\nThese insights stem from extensive research I did on Weixin containing intelligence reports published by China’s\r\nQihoo 360, Pangu Lab, and the National Computer Virus Emergency Response Center (CVERC). It is important\r\nto note that the authenticity and extent of these allegations remain unverified by independent sources. My goal in\r\nwriting this blog is simply to aggregate and share what Chinese sources are publishing about NSA’s cyber\r\noperations (APT-C-40) to see if I could learn any new detection techniques or offensive techniques to research for\r\nfun. \r\nAs I did this research, I had a realisation that the Chinese methodology of Incident Response appears very\r\ndifferent to how we perform IR in the West and had me thinking more about how I could modify some of my own\r\nmethodologies to include some of the learnings. Maybe I will write a blog on this in the future. 
Ultimately, depending on the reception of this blog, I may continue this series by sharing my other findings on Chinese reports regarding CIA (APT-C-39) cyber operations and a third North American group (not NSA or CIA) that Chinese firms are tracking, named APT-C-57.\r\nhttps://www.inversecos.com/2025/02/an-inside-look-at-nsa-equation-group.html\r\nPage 1 of 11\r\nHow the NSA Allegedly Hacked China’s Northwestern Polytechnical University\r\nThis is how China’s Northwestern Polytechnical University, a leading institution specializing in aerospace and defence, allegedly became the target of a sophisticated cyberattack attributed to the NSA’s APT-C-40 group back in 2022. Reports claim that the attack was executed by Tailored Access Operations (TAO), a division within the NSA, which allegedly deployed over 40 unique malware strains to conduct data theft and espionage.\r\nAll the information regarding this breach was publicly disclosed on the internet by Qihoo 360 and the National Computer Virus Emergency Response Center (CVERC) on Weixin.\r\nThe attack was publicly announced by the University in a bulletin post in June 2022 (below), saying the University had suffered a series of phishing emails to staff and employees.\r\nHow did China perform the attribution?\r\nThrough the joint investigation and forensics at the University, CVERC and 360 identified 4 IPs that the NSA supposedly purchased through two cover companies, “Jackson Smith Consultants” and “Mueller Diversified Systems”. 
The four IPs identified are listed at the end of this report.\r\nCVERC and 360 alleged that a TAO employee using the pseudonym “Amanda Ramirez” anonymously purchased these IPs for the NSA’s FOXACID platform, which was later used in the attack on the University.\r\nCVERC and 360 also alleged that the NSA had used the registrant-privacy (anonymisation) service of a US registrar for its domain names and certificates, so that their ownership could not be queried through public channels.\r\nInvestigators from CVERC and 360 were able to trace the attack back to NSA’s TAO unit through a mix of human error, patterns in the data, and tool overlap.\r\n1. Attack Times\r\nOne of the frameworks used by TAO that was forensically uncovered during the incident, named “NOPEN”, requires human operation. As such, a lot of the attack was hands-on-keyboard, and data analysis of the incident timeline showed that 98% of all attack activity occurred between 9am and 4pm EST (US working hours).\r\nThere were zero attacks on Saturdays and Sundays, with all attacks concentrated Monday to Friday.\r\nNo attacks occurred on Memorial Day or Independence Day, which are uniquely American holidays.\r\nNo attacks occurred during Christmas.\r\n2. Keyboard Inputs\r\nThe attacker used American English.\r\nAll devices used by the attacker had an English OS and English applications.\r\nAn American keyboard layout was used.\r\n3. Human Errors\r\nDue to the length and scale of the incident, when one of the alleged NSA “attackers” tried to upload and run a Pyscript tool, they forgot to modify the parameters. 
This returned an error, and the error message exposed the working directory and file name on the attacker’s internet terminal. This was then used to identify that they were running on a Linux system, and the directory “etc/autoutils” was known to be the special name of the TAO network attack tool directory.\r\nThe error message is as follows: Quantifier follows nothing in regex; marked by \u003c-- HERE in m/* \u003c-- HERE .log/ at ../etc/autoutils line 4569\r\nThe shape of that message (the “\u003c-- HERE” marker placed inside the pattern, the m/.../ match operator, and the trailing “at FILE line N”) is the diagnostic Perl’s regex compiler emits when a pattern begins with a quantifier such as * that has nothing to repeat, and Perl appends the script path and line number to such fatal errors; that is why a forgotten parameter was enough to leak the tool’s location on disk.\r\n4. Tools Were Found Prior to the Shadow Brokers Leak\r\nThe Northwestern Polytechnical University had allegedly suffered multiple breaches over the years, and several pieces of malware uncovered in prior investigations (before the Shadow Brokers leak) were allegedly the same tools later described in the Shadow Brokers leak. They did not provide further information on this.\r\n5. Toolkits Related to NSA\r\n41 different tools and malware samples were identified in the forensic analysis.\r\n16 of these tools were consistent with the TAO weapons exposed by the Shadow Brokers leak.\r\n23 of the tools had around 97% similarity to tools in the Shadow Brokers leak.\r\n2 of the tools were not found in the Shadow Brokers leak but were seen used by TAO in other cyber-attacks (according to 360).\r\nInside the Attack: Alleged NSA TTPs\r\n1. Pre-Attack Preparation\r\nOne of the NSA’s primary strategies in breaching the university was the use of zero-days. However, before the attack proper, the attackers first conducted an extensive pre-attack preparation phase. Two zero-days were used to breach any organisation with Internet-exposed SunOS systems in countries neighbouring China. 360 and CVERC did not specify which vulnerabilities were targeted in their reports.\r\nSpecifically, the NSA would target any server with large network traffic (i.e. 
educational institutions and commercial organisations). Once an exploit succeeded, they would install NOPEN (more on this later) to establish a foothold. By deploying zero-days against these systems, they established access that would later be used as springboards for the main attack on the University.\r\nIn total, 54 jump servers and 5 proxy servers in 17 different countries, including Japan, South Korea, Sweden, Poland and Ukraine, were used to perform the attack, with 70% of the attacks coming from China’s neighbouring countries.\r\nThe proprietary tool alleged to have been run:\r\nSHAVER: This tool was used to attack the exposed SunOS servers that then served as jump servers. It was identified as an automated exploitation tool designed for x86 and SPARC architectures with RPC services enabled.\r\n2. Initial Access into the University\r\nTo gain access to the network, they leveraged MiTM and spear-phishing emails. Around April, phishing emails with references to “scientific research review” were identified, targeted at members of the University (students and teachers). These phishing emails carried embedded malware, and some were designed to steal credentials from these users.\r\nAside from this, 360 and CVERC also reported that one of the platforms used was the platform coined “FOXACID”, which was part of the Snowden leaks. This platform, according to WikiLeaks, 360 and CVERC, is a 0-day vulnerability attack platform designed by the NSA to automate the delivery of browser exploits (IE, Chrome, Firefox, Safari, Android WebKit etc.) to workstations, servers and mobile devices. When a user tries to access a website like Gmail or BiliBili (Chinese YouTube), instead of the normal server response, the response is hijacked to redirect the browser to an APT-C-40 (NSA) controlled server, which injects malware into the user’s browser. 
Below is a diagram 360 drew of how it works (I translated it into English with Google).\r\nQihoo 360 - Diagram\r\nThe question would be “how did they use FOXACID” without first having compromised systems? Based on the reports, this seems to be the logical sequence of events:\r\n1. External servers of the University were compromised, giving APT-C-40 a foothold in the environment, using a tool called ISLAND (manual exploitation of Solaris systems).\r\n2. APT-C-40 installed a framework called SECONDDATE, espionage software designed to be installed on network devices (gateways, border routers and firewalls). There is a server side and a control side to the tool. The server runs on the network edge device, and traffic is monitored and tampered with through a driver. Communication back to the controller is encrypted and the port used is randomised. SECONDDATE has network eavesdropping, MiTM and code injection capabilities, and can be used together with other malware to perform espionage. It is primarily used to hijack, tamper with and misdirect large volumes of traffic.\r\n3. SECONDDATE redirects traffic from users within the University network accessing popular sites like BiliBili to the FOXACID platform, which performs browser exploitation on the student and staff devices to gain control.\r\nUsing this MiTM platform, they allegedly hijacked internal hosts and servers of the University before deploying further tools for remote control of the systems. This gave them access to core network equipment, servers and terminals relating to the operation and maintenance of the University network. 
Of interest (and this appears to be a pattern), APT-C-40 (according to 360 and CVERC) had a keen interest in network devices like routers and switches.\r\nThe proprietary tools alleged to have been run include:\r\nISLAND: This tool was allegedly run against the University’s external servers to gain control. It is a manual exploitation tool used to breach Solaris-based systems.\r\nFOXACID: Browser exploitation framework that fingerprints the browser and deploys a 0-day.\r\nSECONDDATE: This tool was allegedly used by TAO (NSA) to hack into the office intranet of the University. Attribution of SECONDDATE was established through collaboration with other industry partners, who found thousands of network devices running this spyware, with communications going back to NSA servers located in Germany, Japan, South Korea and Taiwan. This tool was used to redirect user traffic to the FOXACID platform.\r\n3. Persistence and Lateral Movement\r\nAfter securing initial access, APT-C-40 focused on long-term persistence and lateral movement across the university’s network. To avoid detection, they allegedly deployed a combination of backdoors and credential theft techniques.\r\nSECONDDATE: Backdoor installed on network edge devices such as gateways and border routers to filter and hijack large volumes of data from a MiTM position. This was placed on the border routers of the University to redirect traffic to NSA’s FOXACID platform.\r\nNOPEN: A remote-controlled malware that provided NSA operators with ongoing access to compromised systems. It allowed file execution, process management, system command execution and privilege escalation. TAO used this to gain persistent control over core business servers and key network equipment.\r\nFLAME SPRAY: Windows-based remote-controlled malware with strong anti-analysis features. 
It can be customized to generate different types of servers and works with the \"Acid Fox\" (FOXACID) platform to control personal office network hosts. It has strong anti-analysis and anti-debug capabilities.\r\nCUNNING HERETICS: A lightweight implant that established encrypted communication channels for NSA to remotely reactivate access points even after clean-up attempts.\r\nSTOIC SURGEON: A stealthy backdoor targeting Linux, Solaris, JunOS and FreeBSD systems, enabling the NSA to maintain control while avoiding security audits.\r\n4. Lateral Movement Techniques\r\nThere was a keen focus from APT-C-40 on targeting edge network devices. From the IR perspective this makes complete sense (lack of EDR, lack of logs, lack of visibility and differing OSs make investigation at scale incredibly difficult and very manual). At this stage of the attack, they used legitimate credentials to access firewall appliances and focused a portion of the attacks on the telecom operators of the University. This was highlighted by 360 and CVERC as their method of fingerprinting and accessing personal data related to key researchers.\r\nLegitimate Credentials: NSA allegedly used legitimate credentials for the Cisco PIX firewall, Tianrongxin firewall and other equipment to scope out the intranet, monitor data, and control the SMS gateway and telecom operators. They then relied on other tools like MAGIC SCHOOL to query sensitive personnel, encrypted the information and exfiltrated it. 
The result of the queried data was saved to var/tmp/.2e434fd8aeae73e1/erf/out/f/ before being encrypted and exfiltrated.\r\nHijacking Intranet Upgrade Programs: The NSA allegedly compromised software update mechanisms to distribute malware disguised as legitimate updates.\r\nCredential Harvesting via the tool DRINKING TEA: This tool sniffed SSH, Telnet and Rlogin passwords used by university IT administrators, granting NSA full access to internal systems. NSA allegedly used it to capture command-line logs and the passwords entered by University staff during their operations and maintenance work. This data was then compressed and encrypted for exfiltration by NOPEN. These credentials then gave them further access to edge devices and business devices.\r\nHijacking Border Routers: NSA installed SECONDDATE spyware on university routers, allowing them to intercept, manipulate and reroute network traffic.\r\n5. Data Exfiltration: Stealing Critical Research and Credentials\r\nOnce inside, NSA operatives allegedly and systematically stole classified research data, network infrastructure details and sensitive operational documents.\r\nExfiltration Methods Used:\r\nOPERATION BEHIND ENEMY LINES: A suite of tools used to query, package and encrypt stolen data before transmitting it to NSA-controlled servers.\r\nSchool of Magic (MAGIC SCHOOL), Clown Food and Cursed Fire: These NSA tools were specifically designed for extracting sensitive files from telecom and defence research systems.\r\nUse of Proxy Servers \u0026 VPNs: To avoid detection, stolen data was routed through the 54 jump servers and proxy nodes in 17 countries, masking the true origin of the attackers.\r\n6. 
Evasion and Anti-Forensic Measures\r\nTo minimize the risk of detection and forensic investigation, the NSA employed several anti-forensic techniques (most of which are built into the tools and frameworks they leveraged):\r\nTOAST BREAD: A log manipulation tool that erased evidence of unauthorized access from the UTMP, WTMP and LASTLOG login-record files.\r\nEncrypted Communications: All NSA tools leveraged encryption, so that the content of traffic to their command-and-control (C2) servers could not be inspected (encryption hides what is sent, not that something is being sent).\r\nWhat did I learn from this?\r\nThere is a clear and structured collaboration amongst Chinese cybersecurity organizations during casework. While industry collaboration exists in the West through closed, invite-only groups, Chinese cyber organizations openly acknowledge and publicize their partnerships. This openness was particularly interesting to observe and may be influenced by cultural factors, such as the Confucian emphasis on shared knowledge and a political framework that encourages collective efforts. Additionally, this collaboration extends across borders, involving cybersecurity entities from multiple countries.\r\nIn the Incident Response process, Western methodologies typically focus on constructing a super timeline of an attack, detailing events in chronological order. We compile timelines, document indicators of compromise (IoCs), and hand off reports to intelligence teams, often accompanied by a verbal debrief. However, large-scale data analysis using AI across multiple cases, or even on a single case, is not a standard practice. A key observation from the Chinese case notes was the extensive use of big data analysis, particularly in tracking “hands-on keyboard” activity.\r\n
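The operator-hours analysis described here and in the Attack Times attribution section above is easy to reproduce once the hands-on-keyboard events have been pulled into one timeline, so here is an added example of it in Python. It is not code from the original post or from the 360/CVERC reports: the event timestamps, the candidate time zones and the scoring are constructed for the illustration. Timestamps are assumed to have already been normalised to UTC when evidence from many hosts was merged; the US Eastern rules are implemented by hand so the script runs offline and makes explicit that a 9am to 4pm “EST” window has to account for daylight saving (EDT) for any activity between March and November.

```python
# Added example (not from the original post or the 360/CVERC reports):
# inferring an operator's working pattern from hands-on-keyboard timestamps.
from datetime import date, datetime, timedelta, timezone, tzinfo


class USEastern(tzinfo):
    # Hand-rolled US Eastern rules (post-2007): daylight saving runs from the
    # second Sunday in March to the first Sunday in November, so a 9-to-4
    # 'EST' window is really EDT (UTC-4) for most of the year.
    def _bounds(self, year):
        start = date(year, 3, 8)
        while start.weekday() != 6:
            start += timedelta(days=1)
        end = date(year, 11, 1)
        while end.weekday() != 6:
            end += timedelta(days=1)
        return datetime(year, 3, start.day, 2), datetime(year, 11, end.day, 2)

    def dst(self, dt):
        if dt is None:
            return timedelta(0)
        start, end = self._bounds(dt.year)
        return timedelta(hours=1) if start <= dt.replace(tzinfo=None) < end else timedelta(0)

    def utcoffset(self, dt):
        return timedelta(hours=-5) + self.dst(dt)

    def tzname(self, dt):
        return 'EDT' if self.dst(dt) else 'EST'


EASTERN = USEastern()


def us_holidays(year):
    # Memorial Day is the last Monday in May; the other two are fixed dates.
    d = date(year, 5, 31)
    while d.weekday() != 0:
        d -= timedelta(days=1)
    return {d: 'Memorial Day', date(year, 7, 4): 'Independence Day',
            date(year, 12, 25): 'Christmas'}


def share_in_window(events_utc, tz, start_hour=9, end_hour=16):
    # Fraction of events whose local wall-clock hour falls in [start, end).
    local = [e.astimezone(tz) for e in events_utc]
    return sum(1 for t in local if start_hour <= t.hour < end_hour) / len(local) if local else 0.0


def weekend_share(events_utc, tz):
    local = [e.astimezone(tz) for e in events_utc]
    return sum(1 for t in local if t.weekday() >= 5) / len(local) if local else 0.0


def quiet_holidays(events_utc, tz, holidays):
    # Holidays inside the observed span on which no activity was seen at all.
    active = {e.astimezone(tz).date() for e in events_utc}
    first, last = min(active), max(active)
    return sorted(name for d, name in holidays.items()
                  if first <= d <= last and d not in active)


def rank_timezones(events_utc, candidates, start_hour=9, end_hour=17):
    # Score every candidate zone (working-day fit minus weekend activity)
    # instead of reading the clock in the zone one already suspects.
    scores = [(round(share_in_window(events_utc, tz, start_hour, end_hour)
                     - weekend_share(events_utc, tz), 3), name)
              for name, tz in candidates.items()]
    return sorted(scores, reverse=True)


def constructed_events():
    # Constructed sample: four sessions per US-Eastern working day from
    # 2022-05-16 to 2022-07-08, skipping weekends and US holidays, plus two
    # off-hours sessions so the working-hours share is realistic, not 100%.
    events, d, hol = [], date(2022, 5, 16), us_holidays(2022)
    while d <= date(2022, 7, 8):
        if d.weekday() < 5 and d not in hol:
            for hour in (9, 11, 13, 15):
                local = datetime(d.year, d.month, d.day, hour, 30, tzinfo=EASTERN)
                events.append(local.astimezone(timezone.utc))
        d += timedelta(days=1)
    events.append(datetime(2022, 6, 2, 19, 5, tzinfo=EASTERN).astimezone(timezone.utc))
    events.append(datetime(2022, 6, 21, 7, 40, tzinfo=EASTERN).astimezone(timezone.utc))
    return events


CANDIDATES = {
    'US Eastern': EASTERN,
    'UTC': timezone.utc,
    'Moscow (UTC+3)': timezone(timedelta(hours=3)),
    'China (UTC+8)': timezone(timedelta(hours=8)),
}

if __name__ == '__main__':
    ev = constructed_events()
    print('events:', len(ev))
    print('share 9am-4pm US Eastern:', round(share_in_window(ev, EASTERN), 3))
    print('weekend share:', weekend_share(ev, EASTERN))
    print('quiet US holidays:', quiet_holidays(ev, EASTERN, us_holidays(2022)))
    print('zone ranking:', rank_timezones(ev, CANDIDATES))
```

Run stand-alone it prints the working-hours share, the weekend share, the US holidays with no activity and the ranked zones. The ranking is the step worth keeping: every candidate zone is scored on how well an ordinary working week fits the data, so the hypothesis can fail, and a split-shift or follow-the-sun team shows up as a poor fit in every zone rather than a false match in the one you expected.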
This approach enabled Qihoo 360 to identify patterns, such as the alleged absence of activity on Memorial Day, and to document the attackers’ operational hours precisely, allowing 360 to isolate activity to Monday to Friday, EST working hours.\r\nAttacks on edge devices, IoT and network appliances appear to be becoming the norm. From a threat actor’s perspective, this makes complete sense. Most adversaries are aware that XDR/EDR solutions are deployed on traditional endpoints, making edge devices an attractive target for initial access and persistence. Defending against and detecting such threats is particularly challenging due to the variety of operating systems, proprietary encoding methods, and the extensive manual forensic analysis required. The focus on edge devices is not unique to the NSA; it is an emerging trend that is likely to escalate. We have already seen Chinese APTs and Russian actors adopting similar techniques, including firmware manipulation. It will be interesting to see how this space evolves.\r\nFinally, across the reports, there were sporadic mentions that most of the attack frameworks operated in-memory, with no files written to disk. This is not abnormal to see; however, it is always interesting to observe how the investigation and forensics were done.\r\n
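The anti-forensic step in section 6 above, a cleaner such as TOAST BREAD erasing UTMP, WTMP and LASTLOG entries, is one place where the investigation method matters, so here is an added example, not code from the original post or the 360/CVERC reports, of the first check a responder would run on a Linux host’s wtmp. It parses the fixed-size records (the glibc x86_64 layout of 384 bytes is assumed; other libcs and 32-bit builds differ) and looks for the three traces a sloppy cleaner leaves: a record overwritten in place with zeros, a timestamp earlier than the one before it, and a logout whose login is gone. The wtmp contents, usernames, PIDs and the 203.0.113.7 source address are constructed for the example.

```python
# Added example (not from the original post or the 360/CVERC reports):
# parsing Linux wtmp and spotting the traces of an in-place log cleaner.
import struct

# glibc x86_64 struct utmp is 384 bytes; the two pad bytes after ut_type
# align ut_pid. Other libcs and 32-bit layouts differ (assumption).
UTMP_FMT = '<hxxi32s4s32s256shhi2i4i20x'
UTMP_SIZE = struct.calcsize(UTMP_FMT)
USER_PROCESS, DEAD_PROCESS = 7, 8


def cstr(raw):
    # NUL-padded fixed-width field -> str
    return raw.split(bytes(1), 1)[0].decode('latin-1')


def parse_wtmp(blob):
    records = []
    usable = len(blob) - len(blob) % UTMP_SIZE
    for index, off in enumerate(range(0, usable, UTMP_SIZE)):
        chunk = blob[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, chunk)
        records.append({'index': index, 'type': f[0], 'pid': f[1],
                        'line': cstr(f[2]), 'id': cstr(f[3]), 'user': cstr(f[4]),
                        'host': cstr(f[5]), 'time': f[9],  # f[9] is ut_tv.tv_sec
                        'zeroed': not any(chunk)})
    return records


def find_anomalies(records):
    # Three traces a sloppy cleaner leaves behind:
    #  - a record blanked in place (every byte zero)
    #  - a timestamp earlier than the one before it (records dropped and the
    #    file rewritten carelessly, or a forged record appended late)
    #  - a DEAD_PROCESS (logout) on a tty with no preceding USER_PROCESS (login)
    findings, open_lines, last_time = [], set(), 0
    for r in records:
        if r['zeroed']:
            findings.append((r['index'], 'zero-filled record'))
            continue
        if r['time'] < last_time:
            findings.append((r['index'], 'timestamp went backwards'))
        last_time = max(last_time, r['time'])
        if r['type'] == USER_PROCESS:
            open_lines.add(r['line'])
        elif r['type'] == DEAD_PROCESS:
            if r['line'] not in open_lines:
                findings.append((r['index'], 'logout without login on ' + r['line']))
            open_lines.discard(r['line'])
    return findings


def make_record(rtype, pid, line, ut_id, user, host, tv_sec):
    # struct.pack NUL-pads the fixed-width string fields for us.
    return struct.pack(UTMP_FMT, rtype, pid, line.encode(), ut_id.encode(),
                       user.encode(), host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def constructed_wtmp():
    # Constructed sample: two admin SSH sessions from the management LAN
    # bracketing one session from an outside host (TEST-NET-3 address).
    t0 = 1654079400  # arbitrary epoch seconds (2022-06-01 10:30:00 UTC)
    return b''.join([
        make_record(USER_PROCESS, 4101, 'pts/0', 'ts/0', 'admin', '10.10.1.5', t0),
        make_record(DEAD_PROCESS, 4101, 'pts/0', 'ts/0', '', '', t0 + 1800),
        make_record(USER_PROCESS, 4388, 'pts/2', 'ts/2', 'admin', '203.0.113.7', t0 + 3600),
        make_record(DEAD_PROCESS, 4388, 'pts/2', 'ts/2', '', '', t0 + 5400),
        make_record(USER_PROCESS, 4512, 'pts/0', 'ts/0', 'admin', '10.10.1.5', t0 + 7200),
        make_record(DEAD_PROCESS, 4512, 'pts/0', 'ts/0', '', '', t0 + 9000),
    ])


def blank_record(blob, index):
    # What an in-place cleaner does: overwrite one record with zeros.
    start = index * UTMP_SIZE
    return blob[:start] + bytes(UTMP_SIZE) + blob[start + UTMP_SIZE:]


def remove_records(blob, indexes):
    # What a careful cleaner does: drop the records and close the gap.
    return b''.join(blob[i * UTMP_SIZE:(i + 1) * UTMP_SIZE]
                    for i in range(len(blob) // UTMP_SIZE) if i not in indexes)


if __name__ == '__main__':
    clean = constructed_wtmp()
    print('clean:', find_anomalies(parse_wtmp(clean)))
    print('blanked login:', find_anomalies(parse_wtmp(blank_record(clean, 2))))
    print('session removed:', find_anomalies(parse_wtmp(remove_records(clean, {2, 3}))))
```

The last function is the failure mode to keep in mind: a cleaner that removes both records of a session and closes the gap leaves wtmp internally consistent, so an empty findings list proves nothing on its own and has to be cross-checked against sources the cleaner did not touch, such as sshd entries in the auth log, shell history and network flow records.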
One area I wish had been covered in more detail was the methodology used to investigate these attacks, particularly how IR teams conducted forensic analysis on edge devices and routers.\r\nAlleged NSA IoCs\r\nThe IPs are redacted by 360 and CVERC (not me).\r\nNSA IPs (purchased through cover companies):\r\n209.59.36.xx\r\n69.165.54.xx\r\n207.195.240.xx\r\n209.118.143.xx\r\nWeapon Platform IPs (C2 Servers):\r\n192.242.xx.xx (Colombia)\r\n81.31.xx.xx (Czech Republic)\r\n80.77.xx.xx (Egypt)\r\n83.98.xx.xx (Netherlands)\r\n82.103.xx.xx (Denmark)\r\nIPs Used to Launch Attacks:\r\n211.119.xx.xx (Korea)\r\n210.143.xx.xx (Japan)\r\n211.119.xx.xx (Korea)\r\n210.143.xx.xx (Japan)\r\n211.233.xx.xx (Korea)\r\n143.248.xx.xx (Korea - Daejeon Institute of Science and Technology)\r\n210.143.xx.xx (Japan)\r\n211.233.xx.xx (Korea)\r\n210.143.xx.xx (Japan)\r\n210.143.xx.xx (Japan)\r\n210.143.xx.xx (Korea - Korea National Open University)\r\n211.233.xx.xx (Korea - KT Telecom)\r\n89.96.xx.xx (Italy - Milan)\r\n210.143.xx.xx (Japan - Tokyo)\r\n147.32.xx.xx (Czech Republic - Brno)\r\n132.248.xx.xx (Mexico - UNAM)\r\n195.162.xx.xx (Sweden)\r\n210.143.xx.xx (Japan - Tokyo)\r\n210.228.xx.xx (Japan)\r\n211.233.xx.xx (Korea)\r\n212.187.xx.xx (Germany - Nuremberg)\r\n222.187.xx.xx (Germany - Bremen)\r\n210.143.xx.xx (Japan)\r\n91.217.xx.xx (Finland)\r\n211.233.xx.xx (Korea)\r\n84.88.xx.xx (Spain - Barcelona)\r\n210.143.xx.xx (Japan - Kyoto University)\r\n132.248.xx.xx (Mexico)\r\n148.208.xx.xx (Mexico)\r\n192.162.xx.xx (Italy)\r\n211.233.xx.xx (Korea)\r\n218.232.xx.xx (Korea)\r\n148.208.xx.xx (Mexico)\r\n61.115.xx.xx (Japan)\r\n130.241.xx.xx (Sweden)\r\n210.143.xx.xx (India)\r\n210.143.xx.xx (Japan)\r\n202.30.xx.xx (Australia)\r\n220.66.xx.xx (Korea)\r\n222.122.xx.xx (Korea)\r\n141.57.xx.xx (Germany - Leipzig Institute of Economics and Culture)\r\n212.109.xx.xx (Poland)\r\n210.135.xx.xx (Japan - 
Tokyo)\r\n148.208.xx.xx (Mexico)\r\n82.148.xx.xx (Qatar)\r\n46.29.xx.xx (UAE)\r\n143.248.xx.xx (Korea - Daejeon Institute of Science and Technology)\r\nSecondDate CnC\r\nMD5: 485a83b9175b50df214519d875b2ec93\r\nSHA-1: 0a7830ff10a02c80dee8ddf1ceb13076d12b7d83\r\nSHA-256: d799ab9b616be179f24dbe8af6ff76ff9e56874f298dab9096854ea228fc0aeb\r\nSOURCES\r\nhttps://www.cverc.org.cn/head/zhaiyao/news20220905-NPU.htm\r\nhttps://mp.weixin.qq.com/s/CfkLGhqLB3hyVcDzqUQwJQ\r\nhttps://www.secrss.com/articles/54025\r\nhttps://www.cverc.org.cn/head/zhaiyao/news20220629-FoxAcid.htm\r\nhttps://www.aclu.org/documents/foxacid-sop-operational-management-foxacid-infrastructure\r\nhttps://nsarchive.gwu.edu/document/22069-document-01\r\nhttps://www.schneier.com/blog/archives/2013/10/how_the_nsa_att.html\r\nhttps://m.thepaper.cn/wifiKey_detail.jsp?contid=20362635\u0026from=wifiKey\r\nhttp://www.ce.cn/xwzx/gnsz/gdxw/202209/27/t20220927_38130496.shtml\r\nhttps://world.huanqiu.com/article/4EX89Zq6zNg\r\nSource: https://www.inversecos.com/2025/02/an-inside-look-at-nsa-equation-group.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.inversecos.com/2025/02/an-inside-look-at-nsa-equation-group.html"
	],
	"report_names": [
		"an-inside-look-at-nsa-equation-group.html"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e993faab-f941-4561-bd87-7c33d609a4fc",
			"created_at": "2022-10-25T16:07:23.460301Z",
			"updated_at": "2026-04-10T02:00:04.617715Z",
			"deleted_at": null,
			"main_name": "Longhorn",
			"aliases": [
				"APT-C-39",
				"Platinum Terminal",
				"The Lamberts"
			],
			"source_name": "ETDA:Longhorn",
			"tools": [
				"Black Lambert",
				"Blue Lambert",
				"Corentry",
				"Cyan Lambert",
				"Fluxwire",
				"Gray Lambert",
				"Green Lambert",
				"Magenta Lambert",
				"Pink Lambert",
				"Plexor",
				"Purple Lambert",
				"Silver Lambert",
				"Violet Lambert",
				"White Lambert"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70db80bd-31b7-4581-accb-914cd8252913",
			"created_at": "2023-01-06T13:46:38.57727Z",
			"updated_at": "2026-04-10T02:00:03.028845Z",
			"deleted_at": null,
			"main_name": "Longhorn",
			"aliases": [
				"the Lamberts",
				"APT-C-39",
				"PLATINUM TERMINAL"
			],
			"source_name": "MISPGALAXY:Longhorn",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "23dfc9f5-1862-4510-a6ae-53d8e51f17b1",
			"created_at": "2024-05-01T02:03:08.146025Z",
			"updated_at": "2026-04-10T02:00:03.67072Z",
			"deleted_at": null,
			"main_name": "PLATINUM TERMINAL",
			"aliases": [
				"APT-C-39 ",
				"Longhorn ",
				"The Lamberts ",
				"Vault7 "
			],
			"source_name": "Secureworks:PLATINUM TERMINAL",
			"tools": [
				"AfterMidnight",
				"Assassin",
				"Marble Framework"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434249,
	"ts_updated_at": 1775791941,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e57298055c00603d5e76069271d8721d61bbecfd.pdf",
		"text": "https://archive.orkl.eu/e57298055c00603d5e76069271d8721d61bbecfd.txt",
		"img": "https://archive.orkl.eu/e57298055c00603d5e76069271d8721d61bbecfd.jpg"
	}
}