{ "id": "7dba5594-2e16-4ab8-aa6f-1a6259eaffc1", "created_at": "2026-04-06T00:19:31.986071Z", "updated_at": "2026-04-10T13:11:21.749709Z", "deleted_at": null, "sha1_hash": "e77b297b2ecccec54516ba2538bd4f30bb528cb7", "title": "nao-sec.org", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 5440746, "plain_text": "nao-sec.org\r\nBy nao_sec\r\nPublished: 2021-01-04 · Archived: 2026-04-05 16:53:27 UTC\r\nRoyal Road! Re:Dive\r\n2021-01-04\r\nAbstract\r\nWe introduced the “Royal Road RTF Weaponizer” in our previous blog [1] (and presented at Japan Security\r\nAnalyst Conference 2020 and CPX 360 CPRCon 2020). Royal Road is a tool shared by many targeted attack\r\ngroups believed to belong to China. It’s been a year since our previous blog, and Royal Road is still in use. Here,\r\nwe will introduce the Royal Road-related attacks observed during 2020.\r\nPrevious Blog\r\nLet’s briefly review the previous blog. Royal Road is a tool that generates RTF files that exploit the Microsoft\r\nOffice Equation Editor vulnerabilities (CVE-2017-11882, CVE-2018-0798, CVE-2018-0802). The details of the\r\ntool are unknown, but the RTF file generated by it has various characteristics. The definition of “RTF file\r\ngenerated by Royal Road” may vary from researcher to researcher. Therefore, we define a file that meets the\r\nfollowing conditions as an “RTF file generated by Royal Road”.\r\nhttps://nao-sec.org/2021/01/royal-road-redive.html\r\nPage 1 of 16\n\n1. Exploiting a vulnerability in Microsoft Office Equation Editor\r\n2. Containing an object named “8.t”\r\nHowever, some RTF files are likely to be related to Royal Road, even though they don’t meet the second\r\ncondition. For classification purposes, we refer to this as “Related Samples”. In reality, this may also be an RTF\r\nfile generated by Royal Road, but the truth is only known to the attacker. Due to the our research, we have divided\r\nthese into “Royal Road Samples” and “Related Samples”. However, they are treated the same in the specific case\r\nstudies below.\r\nAnd Royal Road is shared among various attack groups believed to belong to China. Specifically, it is believed to\r\nbe used by the following attack groups. The attack group alias is written for reference. Strictly speaking, these can\r\nbe different. For example, TA428 and Pirate Panda are not exactly equivalent.\r\n1. Temp.Tick (BRONZE BUTLER, RedBaldKnight)\r\n2. Temp.Conimes (Goblin Panda, Cycldek)\r\n3. Temp.Periscope (Leviathan, APT40)\r\n4. Temp.Trident (Dagger Panda, IceFog)\r\n5. Tonto (Karma Panda, CactusPete, LoneRanger)\r\n6. TA428 (Pirate Panda)\r\n7. Rancor\r\nAlso, we categorized the various characteristics of the RTF files used by these groups and showed what they have\r\nin common.\r\nUpdates\r\nIt’s been a year since we introduced Royal Road. In the meantime, the RTF file, believed to have been generated\r\nby Royal Road, has been used many times in targeted attacks, and several updates have been observed. First of all,\r\nhttps://nao-sec.org/2021/01/royal-road-redive.html\r\nPage 2 of 16\n\nwe will introduce the updates.\r\nThe RTF file generated by Royal Road contains encoded malware. It is decoded by Shellcode after exploit. In our\r\nprevious blog, we introduced the following 5 encodings.\r\n1. 4D 5A 90 00 (not encoded)\r\n2. F2 A3 20 72\r\n3. B2 A6 6D FF\r\n4. B0 74 77 46\r\n5. B2 5A 6F 00\r\nMany of the RTF files we observed in 2020 used the 3rd and 4th encodings. However, a few samples used the new\r\nencodings. The following 2 encodings.\r\n1. A9 A4 6E FE\r\nThis encoding can be decoded with code like the following:\r\nhttps://nao-sec.org/2021/01/royal-road-redive.html\r\nPage 3 of 16\n\ndec_data = []\r\nfor i in range(len(enc_data)):\r\n dec_data.append(((int.from_bytes(enc_data[i], \"little\") ^ 0x7b) + 0x7b) % 256)\r\n1. 94 5F DA D8\r\nThis encoding can be decoded with code like the following:\r\ndec_data = []\r\nxor_key = 1387678300\r\nfor i in range(len(enc_data)):\r\n for _ in range(7):\r\n x0 = (xor_key \u0026 0x20000000) == 0x20000000\r\n x1 = (xor_key \u0026 8) == 8\r\nhttps://nao-sec.org/2021/01/royal-road-redive.html\r\nPage 4 of 16\n\nx2 = xor_key \u0026 1\r\n x3 = 1 + (x0 ^ x1 ^ x2)\r\n xor_key = (xor_key + xor_key) + x3\r\n dec_data.append(int.from_bytes(enc_data[i], \"little\") ^ (xor_key % 256))\r\nOur tool for decrypting Royal Road encoded object is already available on GitHub. It also supports the above new\r\nencodings.\r\nhttps://github.com/nao-sec/rr_decoder\r\nNew Attack Groups\r\nAs we mentioned earlier, several attack groups use Royal Road. The following eight attack groups have been\r\nobserved to use Royal Road (including both Royal Road Samples and Related Samples) during 2020.\r\n1. Temp.Conimes\r\n2. Tonto\r\n3. TA428\r\n4. Naikon\r\n5. Higaisa\r\n6. Vicious Panda\r\n7. FunnyDream\r\n8. TA410\r\nOf these, we have already reported on 1-3 attack groups in our previous blog. Temp.Conimes used NewCore RAT\r\nto attack Vietnamese organizations. Tonto used Bisonal to attack organizations in East Asia such as Russia.\r\nAnd the TA428 was also particularly active, using PoisonIvy, Cotx RAT, Tmanger, and nccTrojan to attack East\r\nAsian organizations such as Mongolia. We will not cover these individual cases here, but if you are interested, see\r\nthe IOC chapter. For TA428, the paper [2] and blogs [3][4][5] are available from NSJ (NTT Security Japan).\r\nPlease refer to that.\r\nFor Naikon, CheckPoint Research reported [6], but unfortunately, we could not observe this. Therefore, in the\r\nfollowing, we will introduce attack cases related to Royal Road for four groups (5-8).\r\nHigaisa\r\nHigaisa is an attack group that seems to have been active since at least around 2016. It is primarily targeted at\r\nNorth Korean-related organizations and is believed to be aimed at stealing information using AttackBot, PIZ\r\nStealer, and Gh0st RAT.\r\nThe blogs have been written by Tencent and Positive Technologies so far [7][8][9], and are attributed to (South)\r\nKorea. However, NSJ’s paper [10] showed a connection with Ghost Dragon [11] and PKPLUG [12], and it was\r\nreported that it might belong to China.\r\nWe observed an attack by Higaisa on Royal Road in March 2020.\r\nhttps://nao-sec.org/2021/01/royal-road-redive.html\r\nPage 5 of 16\n\nhttps://nao-sec.org/2021/01/royal-road-redive.html\r\nPage 6 of 16\n\nThe malware executed by the Royal Road RTF was AttackBot. AttackBot is a downloader that has been used by\r\nHigaisa since at least April 2018.\r\nVicious Panda\r\nVicious Panda is an attack group reported by CheckPoint Research in March 2020 [13]. It is said to belong to\r\nChina and targets East Asia such as Russia, Mongolia, and Ukraine.\r\nWe observed an attack on the Royal Road by Vicious Panda in March 2020.\r\nhttps://nao-sec.org/2021/01/royal-road-redive.html\r\nPage 7 of 16\n\nIt has been reported to execute malware similar to Enfal and BYEBY.\r\nhttps://nao-sec.org/2021/01/royal-road-redive.html\r\nPage 8 of 16\n\nFunnyDream\r\nFunnyDream is an attack group that is said to have been active since around 2018. It is said to belong to China and\r\ntargets Southeast Asia such as Vietnam and Malaysia. FunnyDream uses Chinoxy and FunnyDream Backdoor.\r\nBitDefender has published a detailed report [14] on FunnyDream.\r\nWe observed an attack by FunnyDream from March to May 2020.\r\nhttps://nao-sec.org/2021/01/royal-road-redive.html\r\nPage 9 of 16\n\nChinoxy is a RAT that has been used by FunnyDream since around 2018. It decoded the config using two numeric\r\ndata and communicates with the C\u0026C server using its original protocol using Blowfish.\r\nTA410\r\nTA410 is an attack group that is said to have been active since around 2016. It is said to belong to China and is\r\nsuspected to be related to APT10. The report has been published by Proofpoint [15][16][17] and is mainly targeted\r\nat public sector in the US. It uses malware called LockBack and FlowCloud.\r\nWe observed an attack by TA410 in October 2020.\r\nhttps://nao-sec.org/2021/01/royal-road-redive.html\r\nPage 10 of 16\n\nFlowCloud is a RAT reported by Proofpoint in June 2020. FlowCloud has been reported to be v4 and v5, but the\r\nFlowCloud we observed at this time was similar to v4.\r\nAttack case against Japan\r\nIn addition to the four attack groups shown so far (Higaisa, Vicious Panda, FunnyDream, TA410), attacks that\r\nappear to be related to Royal Road have been observed. Among them, we will introduce an example of attacks on\r\nJapan. We are not able to identify which attack group made this attack. If you have any knowledge about it, please\r\nshare it with us…\r\nThe attack on Japan took place in November 2020. The attack began with 2 RTF files attached to the email.\r\nhttps://nao-sec.org/2021/01/royal-road-redive.html\r\nPage 11 of 16\n\nThese RTF files did not contain an 8.t object, however did contain an associated object. This is the malware\r\nencoded by the 4th (B0 74 77 46) encoding shown above.\r\nhttps://nao-sec.org/2021/01/royal-road-redive.html\r\nPage 12 of 16\n\nThe overall picture of the attack is as follows.\r\nThe malware executed was an unknown RAT. We call this XLBug RAT because of the characteristics left in this\r\nRAT. The RAT held information such as C\u0026C server encoded by Base64 and XOR.\r\nhttps://nao-sec.org/2021/01/royal-road-redive.html\r\nPage 13 of 16\n\nThe following commands are implemented in XLBug RAT.\r\nGet directory information\r\nGet file information\r\nGet computer information\r\nExecute file\r\nUpload file\r\nDownload file\r\nRename file\r\nDelete file\r\nDelete itself\r\nhttps://nao-sec.org/2021/01/royal-road-redive.html\r\nPage 14 of 16\n\nThe naming convention and encoding of the encoded object contained in the RTF are similar to those of the\r\nTA428. However, we could not say that this was a TA428 attack.\r\nRelationship\r\nIn the previous blog, we summarized the characteristics of attack groups that use Royal Road. We used it to divide\r\nthe attack groups into two groups. However, by 2020, those characteristics are almost meaningless. It has been\r\nstandardized or deleted. It’s not as easy to group as it used to be. In the first place, the groups sharing Royal Road\r\nshould be close. We do not classify further, but if you have any comments please let us know.\r\nYara Rule\r\nThe GitHub repository we shared in the previous blog is still being updated.\r\nhttps://github.com/nao-sec/yara_rules\r\nIOC\r\nThe IOC sheet shared in the previous blog is still being updated.\r\nhttps://nao-sec.org/jsac2020_ioc.html\r\nThe tool used by Royal Road to decrypt encoded object is still being updated.\r\nhttps://github.com/nao-sec/rr_decoder\r\nWrap-Up\r\nThe attacks using Royal Road have decreased compared to 2019, but are still ongoing. There are many cases of\r\nattacks by TA428 and Tonto, but other attacks by different attack groups (Higaisa, Vicious Panda, FunnyDream,\r\nTA410) have also been observed.\r\nThe attacks on Japan have also been observed and we were unable to identify this with a known attack group. The\r\nuse of Royal Road by these unknown attack groups is expected to continue.\r\nIn addition to Royal Road, there are other cases, such as the Tmanger family, that appear to share tools among\r\nmultiple targeted attack groups. We should continue to pay close attention to these tool sharing cases.\r\nAcknowledgments\r\n“nao_sec” is an independent research team that does not belong to any company. Individuals belong to each\r\ncompany and engage in research, but the activities of nao_sec still maintain their independence from each\r\ncompany. We are grateful to all of you who cooperated with our research activities every day.\r\nReferences\r\nhttps://nao-sec.org/2021/01/royal-road-redive.html\r\nPage 15 of 16\n\n[1] nao_sec, “An Overhead View of the Royal Road”, https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html\r\n[2] NTT Security Japan, “Operation LagTime IT: colourful Panda footprint”,\r\nhttps://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf\r\n[3] NTT Security Japan, “Panda’s New Arsenal: Part 1 Tmanger”, https://insight-jp.nttsecurity.com/post/102gi9b/pandas-new-arsenal-part-1-tmanger\r\n[4] NTT Security Japan, “Panda’s New Arsenal: Part 2 Albaniiutas”, https://insight-jp.nttsecurity.com/post/102gkfp/pandas-new-arsenal-part-2-albaniiutas\r\n[5] NTT Security Japan, “Panda’s New Arsenal: Part 3 Smanager”, https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager\r\n[6] CheckPoint Research, “Naikon APT: Cyber Espionage Reloaded”,\r\nhttps://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/\r\n[7] Tencent, “APT攻击组织”黑格莎(Higaisa)”攻击活动披露”, https://s.tencent.com/research/report/836.html\r\n[8] Tencent, ““Higaisa(黑格莎)”组织近期攻击活动报告”, https://s.tencent.com/research/report/895.html\r\n[9] Positive Technologies, “COVID-19 и новогодние поздравления: исследуем инструменты группировки\r\nHigaisa”, https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/covid-19-i-novogodnie-pozdravleniya-issleduem-instrumenty-gruppirovki-higaisa/\r\n[10] NTT Security Japan, “Crafty Panda 標的型攻撃解析レポート”,\r\nhttps://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report\r\n[11] Cylance (BlackBerry), “The Ghost Dragon”, https://blogs.blackberry.com/en/2016/04/the-ghost-dragon\r\n[12] Palo Alto Networks, “PKPLUG: Chinese Cyber Espionage Group Attacking Southeast Asia”,\r\nhttps://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/\r\n[13] CheckPoint Research, “Vicious Panda: The COVID Campaign”,\r\nhttps://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/\r\n[14] BitDefender, “A Detailed Timeline of a Chinese APT Espionage Attack Targeting South Eastern Asian\r\nGovernment Institutions”, https://labs.bitdefender.com/2020/11/a-detailed-timeline-of-a-chinese-apt-espionage-attack-targeting-south-eastern-asian-government-institutions/\r\n[15] Proofpoint, “LookBack Malware Targets the United States Utilities Sector with Phishing Attacks\r\nImpersonating Engineering Licensing Boards”, https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks\r\n[16] Proofpoint, “LookBack Forges Ahead: Continued Targeting of the United States’ Utilities Sector Reveals\r\nAdditional Adversary TTPs”, https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals\r\n[17] Proofpoint, “TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New\r\nMalware”, https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new\r\nSource: https://nao-sec.org/2021/01/royal-road-redive.html\r\nhttps://nao-sec.org/2021/01/royal-road-redive.html\r\nPage 16 of 16\n\nfor i in range(len(enc_data)): for _ in range(7): \nx0 = (xor_key \u0026 0x20000000) == 0x20000000 \nx1 = (xor_key \u0026 8) == 8 \n Page 4 of 16", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA", "Malpedia" ], "origins": [ "web" ], "references": [ "https://nao-sec.org/2021/01/royal-road-redive.html" ], "report_names": [ "royal-road-redive.html" ], "threat_actors": [ { "id": "b740943a-da51-4133-855b-df29822531ea", "created_at": "2022-10-25T15:50:23.604126Z", "updated_at": "2026-04-10T02:00:05.259593Z", "deleted_at": null, "main_name": "Equation", "aliases": [ "Equation" ], "source_name": "MITRE:Equation", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "ec14074c-8517-40e1-b4d7-3897f1254487", "created_at": "2023-01-06T13:46:38.300905Z", "updated_at": "2026-04-10T02:00:02.918468Z", "deleted_at": null, "main_name": "APT10", "aliases": [ "Red Apollo", "HOGFISH", "BRONZE RIVERSIDE", "G0045", "TA429", "Purple Typhoon", "STONE PANDA", "Menupass Team", "happyyongzi", "CVNX", "Cloud Hopper", "ATK41", "Granite Taurus", "POTASSIUM" ], "source_name": "MISPGALAXY:APT10", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "1aead86d-0c57-4e3b-b464-a69f6de20cde", "created_at": "2023-01-06T13:46:38.318176Z", "updated_at": "2026-04-10T02:00:02.925424Z", "deleted_at": null, "main_name": "DAGGER PANDA", "aliases": [ "UAT-7290", "Red Foxtrot", "IceFog", "RedFoxtrot", "Red Wendigo", "PLA Unit 69010" ], "source_name": "MISPGALAXY:DAGGER PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "faa4a29b-254a-45bd-b412-9a1cbddbd5e3", "created_at": "2022-10-25T16:07:23.80111Z", "updated_at": "2026-04-10T02:00:04.753677Z", "deleted_at": null, "main_name": "LookBack", "aliases": [ "FlowingFrog", "LookBack", "LookingFrog", "TA410", "Witchetty" ], "source_name": "ETDA:LookBack", "tools": [ "FlowCloud", "GUP Proxy Tool", "SodomMain", "SodomMain RAT", "SodomNormal" ], "source_id": "ETDA", "reports": null }, { "id": "93542ae8-73cb-482b-90a3-445a20663f15", "created_at": "2022-10-25T16:07:24.058412Z", "updated_at": "2026-04-10T02:00:04.853499Z", "deleted_at": null, "main_name": "PKPLUG", "aliases": [ "Stately Taurus" ], "source_name": "ETDA:PKPLUG", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "9ffcbb0c-7a0f-419f-a174-f18a02ce47f1", "created_at": "2023-01-06T13:46:39.059774Z", "updated_at": "2026-04-10T02:00:03.199867Z", "deleted_at": null, "main_name": "TA410", "aliases": [], "source_name": "MISPGALAXY:TA410", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bbefc37d-475c-4d4d-b80b-7a55f896de82", "created_at": "2022-10-25T15:50:23.571783Z", "updated_at": "2026-04-10T02:00:05.302196Z", "deleted_at": null, "main_name": "BRONZE BUTLER", "aliases": [ "BRONZE BUTLER", "REDBALDKNIGHT" ], "source_name": "MITRE:BRONZE BUTLER", "tools": [ "Mimikatz", "build_downer", "cmd", "ABK", "at", "BBK", "schtasks", "down_new", "Daserf", "ShadowPad", "Windows Credential Editor", "gsecdump" ], "source_id": "MITRE", "reports": null }, { "id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf", "created_at": "2023-01-06T13:46:38.626906Z", "updated_at": "2026-04-10T02:00:03.043681Z", "deleted_at": null, "main_name": "Tick", "aliases": [ "G0060", "Stalker Taurus", "PLA Unit 61419", "Swirl Typhoon", "Nian", "BRONZE BUTLER", "REDBALDKNIGHT", "STALKER PANDA" ], "source_name": "MISPGALAXY:Tick", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "873919c0-bc6a-4c19-b18d-c107e4aa3d20", "created_at": "2023-01-06T13:46:39.138138Z", "updated_at": "2026-04-10T02:00:03.227223Z", "deleted_at": null, "main_name": "Higaisa", "aliases": [], "source_name": "MISPGALAXY:Higaisa", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b98eb1ec-dc8b-4aea-b112-9e485408dd14", "created_at": "2022-10-25T16:07:23.649308Z", "updated_at": "2026-04-10T02:00:04.701157Z", "deleted_at": null, "main_name": "FunnyDream", "aliases": [ "Bronze Edgewood", "Red Hariasa", "TAG-16" ], "source_name": "ETDA:FunnyDream", "tools": [ "Chinoxy", "Filepak", "FilepakMonitor", "FunnyDream", "Keyrecord", "LOLBAS", "LOLBins", "Living off the Land", "Md_client", "PCShare", "ScreenCap", "TcpBridge", "Tcp_transfer", "ccf32" ], "source_id": "ETDA", "reports": null }, { "id": "58db0213-4872-41fe-8a76-a7014d816c73", "created_at": "2023-01-06T13:46:38.61757Z", "updated_at": "2026-04-10T02:00:03.040816Z", "deleted_at": null, "main_name": "Tonto Team", "aliases": [ "G0131", "PLA Unit 65017", "Earth Akhlut", "TAG-74", "CactusPete", "KARMA PANDA", "BRONZE HUNTLEY", "Red Beifang" ], "source_name": "MISPGALAXY:Tonto Team", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f5c5d5d4-3969-4e34-9982-55144c3908eb", "created_at": "2022-10-25T16:07:24.37846Z", "updated_at": "2026-04-10T02:00:04.965506Z", "deleted_at": null, "main_name": "Vicious Panda", "aliases": [ "Bronze Dudley" ], "source_name": "ETDA:Vicious Panda", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "BBSRAT", "Byeby", "Cmstar", "Enfal", "Lurid", "Pylot", "RoyalRoad", "Travle", "meciv" ], "source_id": "ETDA", "reports": null }, { "id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea", "created_at": "2023-01-06T13:46:38.745572Z", "updated_at": "2026-04-10T02:00:03.086207Z", "deleted_at": null, "main_name": "APT40", "aliases": [ "ATK29", "Red Ladon", "MUDCARP", "ISLANDDREAMS", "TEMP.Periscope", "KRYPTONITE PANDA", "G0065", "TA423", "ITG09", "Gingham Typhoon", "TEMP.Jumper", "BRONZE MOHAWK", "GADOLINIUM" ], "source_name": "MISPGALAXY:APT40", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "da483338-e479-4d74-a6dd-1fb09343fd07", "created_at": "2022-10-25T15:50:23.698197Z", "updated_at": "2026-04-10T02:00:05.355597Z", "deleted_at": null, "main_name": "Tonto Team", "aliases": [ "Tonto Team", "Earth Akhlut", "BRONZE HUNTLEY", "CactusPete", "Karma Panda" ], "source_name": "MITRE:Tonto Team", "tools": [ "Mimikatz", "Bisonal", "ShadowPad", "LaZagne", "NBTscan", "gsecdump" ], "source_id": "MITRE", "reports": null }, { "id": "e8aee970-e31e-489f-81c2-c23cd52e255c", "created_at": "2023-01-06T13:46:38.763687Z", "updated_at": "2026-04-10T02:00:03.092181Z", "deleted_at": null, "main_name": "RANCOR", "aliases": [ "Rancor Group", "G0075", "Rancor Taurus", "Rancor group", "Rancor" ], "source_name": "MISPGALAXY:RANCOR", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2f07a03f-eb1f-47c8-a8e9-a1a00f2ec253", "created_at": "2022-10-25T16:07:24.277669Z", "updated_at": "2026-04-10T02:00:04.919609Z", "deleted_at": null, "main_name": "TA428", "aliases": [ "Operation LagTime IT", "Operation StealthyTrident", "ThunderCats" ], "source_name": "ETDA:TA428", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "Agent.dhwf", "Albaniiutas", "BlueTraveller", "Chymine", "Cotx RAT", "CoughingDown", "Darkmoon", "Destroy RAT", "DestroyRAT", "Gen:Trojan.Heur.PT", "Kaba", "Korplug", "LuckyBack", "PhantomNet", "PlugX", "Poison Ivy", "RedDelta", "RoyalRoad", "SManager", "SPIVY", "Sogu", "TIGERPLUG", "TManger", "TVT", "Thoper", "Xamtrav", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "b69484be-98d1-49e6-aed1-a28dbf65176a", "created_at": "2022-10-25T16:07:23.886782Z", "updated_at": "2026-04-10T02:00:04.779029Z", "deleted_at": null, "main_name": "Naikon", "aliases": [ "G0019", "Hellsing", "ITG06", "Lotus Panda", "Naikon", "Operation CameraShy" ], "source_name": "ETDA:Naikon", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "AR", "ARL", "Agent.dhwf", "Aria-body", "Aria-body loader", "Asset Reconnaissance Lighthouse", "BackBend", "Creamsicle", "Custom HDoor", "Destroy RAT", "DestroyRAT", "Flashflood", "FoundCore", "Gemcutter", "HDoor", "JadeRAT", "Kaba", "Korplug", "LOLBAS", "LOLBins", "LadonGo", "Lecna", "Living off the Land", "NBTscan", "Naikon", "NetEagle", "Neteagle_Scout", "NewCore RAT", "Orangeade", "PlugX", "Quarks PwDump", "RARSTONE", "RainyDay", "RedDelta", "RoyalRoad", "Sacto", "Sandboxie", "ScoutEagle", "Shipshape", "Sisfader", "Sisfader RAT", "Sogu", "SslMM", "Sys10", "TIGERPLUG", "TVT", "TeamViewer", "Thoper", "WinMM", "Xamtrav", "XsFunction", "ZRLnk", "nbtscan", "nokian", "norton", "xsControl", "xsPlus" ], "source_id": "ETDA", "reports": null }, { "id": "ba9fa308-a29a-4928-9c06-73aafec7624c", "created_at": "2024-05-01T02:03:07.981061Z", "updated_at": "2026-04-10T02:00:03.750803Z", "deleted_at": null, "main_name": "BRONZE RIVERSIDE", "aliases": [ "APT10 ", "CTG-5938 ", "CVNX ", "Hogfish ", "MenuPass ", "MirrorFace ", "POTASSIUM ", "Purple Typhoon ", "Red Apollo ", "Stone Panda " ], "source_name": "Secureworks:BRONZE RIVERSIDE", "tools": [ "ANEL", "AsyncRAT", "ChChes", "Cobalt Strike", "HiddenFace", "LODEINFO", "PlugX", "PoisonIvy", "QuasarRAT", "QuasarRAT Loader", "RedLeaves" ], "source_id": "Secureworks", "reports": null }, { "id": "a2912fc0-c34e-4e4b-82e9-665416c8fe32", "created_at": "2023-04-20T02:01:50.979595Z", "updated_at": "2026-04-10T02:00:02.913011Z", "deleted_at": null, "main_name": "Naikon", "aliases": [ "BRONZE STERLING", "G0013", "PLA Unit 78020", "OVERRIDE PANDA", "Camerashy", "BRONZE GENEVA", "G0019", "Naikon" ], "source_name": "MISPGALAXY:Naikon", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6d11e45c-4e31-4997-88f5-295b2564cfc6", "created_at": "2022-10-25T15:50:23.794721Z", "updated_at": "2026-04-10T02:00:05.358892Z", "deleted_at": null, "main_name": "Rancor", "aliases": [ "Rancor" ], "source_name": "MITRE:Rancor", "tools": [ "DDKONG", "PLAINTEE", "certutil" ], "source_id": "MITRE", "reports": null }, { "id": "30c9c492-afc6-4aa1-8fe6-cecffed946e0", "created_at": "2022-10-25T15:50:23.400822Z", "updated_at": "2026-04-10T02:00:05.350302Z", "deleted_at": null, "main_name": "Higaisa", "aliases": [ "Higaisa" ], "source_name": "MITRE:Higaisa", "tools": [ "PlugX", "certutil", "gh0st RAT" ], "source_id": "MITRE", "reports": null }, { "id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc", "created_at": "2023-01-06T13:46:38.354607Z", "updated_at": "2026-04-10T02:00:02.939761Z", "deleted_at": null, "main_name": "APT23", "aliases": [ "BRONZE HOBART", "G0081", "Red Orthrus", "Earth Centaur", "PIRATE PANDA", "KeyBoy", "Tropic Trooper" ], "source_name": "MISPGALAXY:APT23", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "17d16126-35d7-4c59-88a5-0b48e755e80f", "created_at": "2025-08-07T02:03:24.622109Z", "updated_at": "2026-04-10T02:00:03.726126Z", "deleted_at": null, "main_name": "BRONZE HUNTLEY", "aliases": [ "CactusPete ", "Earth Akhlut ", "Karma Panda ", "Red Beifang", "Tonto Team" ], "source_name": "Secureworks:BRONZE HUNTLEY", "tools": [ "Bisonal", "RatN", "Royal Road", "ShadowPad" ], "source_id": "Secureworks", "reports": null }, { "id": "bef7800a-a08f-4e21-b65c-4279c851e572", "created_at": "2022-10-25T15:50:23.409336Z", "updated_at": "2026-04-10T02:00:05.319608Z", "deleted_at": null, "main_name": "Tropic Trooper", "aliases": [ "Tropic Trooper", "Pirate Panda", "KeyBoy" ], "source_name": "MITRE:Tropic Trooper", "tools": [ "USBferry", "ShadowPad", "PoisonIvy", "BITSAdmin", "YAHOYAH", "KeyBoy" ], "source_id": "MITRE", "reports": null }, { "id": "c0cedde3-5a9b-430f-9b77-e6568307205e", "created_at": "2022-10-25T16:07:23.528994Z", "updated_at": "2026-04-10T02:00:04.642473Z", "deleted_at": null, "main_name": "DarkHotel", "aliases": [ "APT-C-06", "ATK 52", "CTG-1948", "Dubnium", "Fallout Team", "G0012", "G0126", "Higaisa", "Luder", "Operation DarkHotel", "Operation Daybreak", "Operation Inexsmar", "Operation PowerFall", "Operation The Gh0st Remains the Same", "Purple Pygmy", "SIG25", "Shadow Crane", "T-APT-02", "TieOnJoe", "Tungsten Bridge", "Zigzag Hail" ], "source_name": "ETDA:DarkHotel", "tools": [ "Asruex", "DarkHotel", "DmaUp3.exe", "GreezeBackdoor", "Karba", "Nemain", "Nemim", "Ramsay", "Retro", "Tapaoux", "Trojan.Win32.Karba.e", "Virus.Win32.Pioneer.dx", "igfxext.exe", "msieckc.exe" ], "source_id": "ETDA", "reports": null }, { "id": "5d9dfc61-6138-497a-b9da-33885539f19c", "created_at": "2022-10-25T16:07:23.720008Z", "updated_at": "2026-04-10T02:00:04.726002Z", "deleted_at": null, "main_name": "Icefog", "aliases": [ "ATK 23", "Dagger Panda", "Icefog", "Red Wendigo" ], "source_name": "ETDA:Icefog", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "Dagger Three", "Fucobha", "Icefog", "Javafog", "POISONPLUG.SHADOW", "RoyalRoad", "ShadowPad Winnti", "XShellGhost" ], "source_id": "ETDA", "reports": null }, { "id": "6e79c98d-c678-4f28-b869-5723a78e71f4", "created_at": "2023-01-06T13:46:39.422441Z", "updated_at": "2026-04-10T02:00:03.322083Z", "deleted_at": null, "main_name": "Vicious Panda", "aliases": [ "SixLittleMonkeys" ], "source_name": "MISPGALAXY:Vicious Panda", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf", "created_at": "2024-01-18T02:02:34.189827Z", "updated_at": "2026-04-10T02:00:04.721082Z", "deleted_at": null, "main_name": "HomeLand Justice", "aliases": [ "Banished Kitten", "Karma", "Red Sandstorm", "Storm-0842", "Void Manticore" ], "source_name": "ETDA:HomeLand Justice", "tools": [ "BABYWIPER", "BiBi Wiper", "BiBi-Linux Wiper", "BiBi-Windows Wiper", "Cl Wiper", "LowEraser", "No-Justice Wiper", "Plink", "PuTTY Link", "RevSocks", "W2K Res Kit" ], "source_id": "ETDA", "reports": null }, { "id": "83025f5e-302e-46b0-baf6-650a4d313dfc", "created_at": "2024-05-01T02:03:07.971863Z", "updated_at": "2026-04-10T02:00:03.743131Z", "deleted_at": null, "main_name": "BRONZE MOHAWK", "aliases": [ "APT40 ", "GADOLINIUM ", "Gingham Typhoon ", "Kryptonite Panda ", "Leviathan ", "Nanhaishu ", "Pickleworm ", "Red Ladon ", "TA423 ", "Temp.Jumper ", "Temp.Periscope " ], "source_name": "Secureworks:BRONZE MOHAWK", "tools": [ "AIRBREAK", "BlackCoffee", "China Chopper", "Cobalt Strike", "DadJoke", "Donut", "FUSIONBLAZE", "GreenCrash", "Meterpreter", "Nanhaishu", "Orz", "SeDll" ], "source_id": "Secureworks", "reports": null }, { "id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a", "created_at": "2022-10-25T16:07:24.332084Z", "updated_at": "2026-04-10T02:00:04.940672Z", "deleted_at": null, "main_name": "Tonto Team", "aliases": [ "Bronze Huntley", "CactusPete", "Earth Akhlut", "G0131", "HartBeat", "Karma Panda", "LoneRanger", "Operation Bitter Biscuit", "TAG-74", "Tonto Team" ], "source_name": "ETDA:Tonto Team", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "Bioazih", "Bisonal", "CONIME", "Dexbia", "Korlia", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "POISONPLUG.SHADOW", "RoyalRoad", "ShadowPad Winnti", "XShellGhost" ], "source_id": "ETDA", "reports": null }, { "id": "9f1ce7e3-77cd-4af0-bedb-1643f55c9baf", "created_at": "2022-10-25T15:50:23.31611Z", "updated_at": "2026-04-10T02:00:05.370146Z", "deleted_at": null, "main_name": "Naikon", "aliases": [ "Naikon" ], "source_name": "MITRE:Naikon", "tools": [ "ftp", "netsh", "WinMM", "Systeminfo", "RainyDay", "RARSTONE", "HDoor", "Sys10", "SslMM", "PsExec", "Tasklist", "Aria-body" ], "source_id": "MITRE", "reports": null }, { "id": "54e55585-1025-49d2-9de8-90fc7a631f45", "created_at": "2025-08-07T02:03:24.563488Z", "updated_at": "2026-04-10T02:00:03.715427Z", "deleted_at": null, "main_name": "BRONZE BUTLER", "aliases": [ "CTG-2006 ", "Daserf", "Stalker Panda ", "Swirl Typhoon ", "Tick " ], "source_name": "Secureworks:BRONZE BUTLER", "tools": [ "ABK", "BBK", "Casper", "DGet", "Daserf", "Datper", "Ghostdown", "Gofarer", "MSGet", "Mimikatz", "Netboy", "RarStar", "Screen Capture Tool", "ShadowPad", "ShadowPy", "T-SMB", "down_new", "gsecdump" ], "source_id": "Secureworks", "reports": null }, { "id": "20b5fa2f-2ef1-4e69-8275-25927a762f72", "created_at": "2025-08-07T02:03:24.573647Z", "updated_at": "2026-04-10T02:00:03.765721Z", "deleted_at": null, "main_name": "BRONZE DUDLEY", "aliases": [ "TA428 ", "Temp.Hex ", "Vicious Panda " ], "source_name": "Secureworks:BRONZE DUDLEY", "tools": [ "NCCTrojan", "PhantomNet", "PoisonIvy", "Royal Road" ], "source_id": "Secureworks", "reports": null }, { "id": "bbb1ee4e-bbe9-44de-8f46-8e7fec09f695", "created_at": "2022-10-25T16:07:24.120424Z", "updated_at": "2026-04-10T02:00:04.871598Z", "deleted_at": null, "main_name": "RedFoxtrot", "aliases": [ "Moshen Dragon", "Nomad Panda", "TEMP.Trident" ], "source_name": "ETDA:RedFoxtrot", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "Agent.dhwf", "Chymine", "Darkmoon", "Destroy RAT", "DestroyRAT", "Fucobha", "GUNTERS", "Gen:Trojan.Heur.PT", "Icefog", "Impacket", "Kaba", "Korplug", "PCShare", "POISONPLUG.SHADOW", "PlugX", "Poison Ivy", "RedDelta", "RoyalRoad", "SPIVY", "ShadowPad Winnti", "Sogu", "TIGERPLUG", "TVT", "Thoper", "XShellGhost", "Xamtrav", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "578f8e62-2bb4-4ce4-a8b7-6c868fa29724", "created_at": "2022-10-25T16:07:24.344358Z", "updated_at": "2026-04-10T02:00:04.947834Z", "deleted_at": null, "main_name": "Tropic Trooper", "aliases": [ "APT 23", "Bronze Hobart", "Earth Centaur", "G0081", "KeyBoy", "Operation Tropic Trooper", "Pirate Panda", "Tropic Trooper" ], "source_name": "ETDA:Tropic Trooper", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "ByPassGodzilla", "CHINACHOPPER", "CREDRIVER", "China Chopper", "Chymine", "Darkmoon", "Gen:Trojan.Heur.PT", "KeyBoy", "Neo-reGeorg", "PCShare", "POISONPLUG.SHADOW", "Poison Ivy", "RoyalRoad", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Swor", "TSSL", "USBferry", "W32/Seeav", "Winsloader", "XShellGhost", "Yahoyah", "fscan", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "a4aca3ca-9e04-42d1-b037-f7fb3fbab0b1", "created_at": "2023-01-06T13:46:39.042499Z", "updated_at": "2026-04-10T02:00:03.194713Z", "deleted_at": null, "main_name": "TA428", "aliases": [ "BRONZE DUDLEY", "Colourful Panda" ], "source_name": "MISPGALAXY:TA428", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "86182dd7-646c-49c5-91a6-4b62fd2119a7", "created_at": "2025-08-07T02:03:24.617638Z", "updated_at": "2026-04-10T02:00:03.738499Z", "deleted_at": null, "main_name": "BRONZE HOBART", "aliases": [ "APT23", "Earth Centaur ", "KeyBoy ", "Pirate Panda ", "Red Orthrus ", "TA413 ", "Tropic Trooper " ], "source_name": "Secureworks:BRONZE HOBART", "tools": [ "Crowdoor", "DSNGInstaller", "KeyBoy", "LOWZERO", "Mofu", "Pfine", "Sepulcher", "Xiangoop Loader", "Yahaoyah" ], "source_id": "Secureworks", "reports": null }, { "id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a", "created_at": "2022-10-25T15:50:23.481057Z", "updated_at": "2026-04-10T02:00:05.306469Z", "deleted_at": null, "main_name": "Leviathan", "aliases": [ "MUDCARP", "Kryptonite Panda", "Gadolinium", "BRONZE MOHAWK", "TEMP.Jumper", "APT40", "TEMP.Periscope", "Gingham Typhoon" ], "source_name": "MITRE:Leviathan", "tools": [ "Windows Credential Editor", "BITSAdmin", "HOMEFRY", "Derusbi", "at", "BLACKCOFFEE", "BADFLICK", "gh0st RAT", "PowerSploit", "MURKYTOP", "NanHaiShu", "Orz", "Cobalt Strike", "China Chopper" ], "source_id": "MITRE", "reports": null }, { "id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a", "created_at": "2022-10-25T15:50:23.298889Z", "updated_at": "2026-04-10T02:00:05.316886Z", "deleted_at": null, "main_name": "menuPass", "aliases": [ "menuPass", "POTASSIUM", "Stone Panda", "APT10", "Red Apollo", "CVNX", "HOGFISH", "BRONZE RIVERSIDE" ], "source_name": "MITRE:menuPass", "tools": [ "certutil", "FYAnti", "UPPERCUT", "SNUGRIDE", "P8RAT", "RedLeaves", "SodaMaster", "pwdump", "Mimikatz", "PlugX", "PowerSploit", "ChChes", "cmd", "QuasarRAT", "AdFind", "Cobalt Strike", "PoisonIvy", "EvilGrab", "esentutl", "Impacket", "Ecipekac", "PsExec", "HUI Loader" ], "source_id": "MITRE", "reports": null }, { "id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea", "created_at": "2023-01-06T13:46:39.444946Z", "updated_at": "2026-04-10T02:00:03.331753Z", "deleted_at": null, "main_name": "GOBLIN PANDA", "aliases": [ "Conimes", "Cycldek" ], "source_name": "MISPGALAXY:GOBLIN PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "578e92ed-3eda-45ef-b4bb-b882ec3dbb62", "created_at": "2025-08-07T02:03:24.604463Z", "updated_at": "2026-04-10T02:00:03.798481Z", "deleted_at": null, "main_name": "BRONZE GENEVA", "aliases": [ "APT30 ", "BRONZE STERLING ", "CTG-5326 ", "Naikon ", "Override Panda ", "RADIUM ", "Raspberry Typhoon" ], "source_name": "Secureworks:BRONZE GENEVA", "tools": [ "Lecna Downloader", "Nebulae", "ShadowPad" ], "source_id": "Secureworks", "reports": null }, { "id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b", "created_at": "2022-10-25T16:07:23.419513Z", "updated_at": "2026-04-10T02:00:04.591062Z", "deleted_at": null, "main_name": "Bronze Butler", "aliases": [ "Bronze Butler", "CTG-2006", "G0060", "Operation ENDTRADE", "RedBaldNight", "Stalker Panda", "Stalker Taurus", "Swirl Typhoon", "TEMP.Tick", "Tick" ], "source_name": "ETDA:Bronze Butler", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "9002 RAT", "AngryRebel", "Blogspot", "Daserf", "Datper", "Elirks", "Farfli", "Gh0st RAT", "Ghost RAT", "HOMEUNIX", "HidraQ", "HomamDownloader", "Homux", "Hydraq", "Lilith", "Lilith RAT", "McRAT", "MdmBot", "Mimikatz", "Minzen", "Moudour", "Muirim", "Mydoor", "Nioupale", "PCRat", "POISONPLUG.SHADOW", "Roarur", "RoyalRoad", "ShadowPad Winnti", "ShadowWali", "ShadowWalker", "SymonLoader", "WCE", "Wali", "Windows Credential Editor", "Windows Credentials Editor", "XShellGhost", "XXMM", "gsecdump", "rarstar" ], "source_id": "ETDA", "reports": null }, { "id": "416f8374-2b06-47e4-ba91-929b3f85d9bf", "created_at": "2022-10-25T16:07:24.093951Z", "updated_at": "2026-04-10T02:00:04.864244Z", "deleted_at": null, "main_name": "Rancor", "aliases": [ "G0075", "Rancor Group", "Rancor Taurus" ], "source_name": "ETDA:Rancor", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "Agentemis", "Cobalt Strike", "CobaltStrike", "DDKONG", "Derusbi", "Dudell", "ExDudell", "KHRAT", "PLAINTEE", "RoyalRoad", "certutil", "certutil.exe", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "2ee03999-5432-4a65-a850-c543b4fefc3d", "created_at": "2022-10-25T16:07:23.882813Z", "updated_at": "2026-04-10T02:00:04.776949Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Bronze President", "Camaro Dragon", "Earth Preta", "G0129", "Hive0154", "HoneyMyte", "Mustang Panda", "Operation SMUGX", "Operation SmugX", "PKPLUG", "Red Lich", "Stately Taurus", "TEMP.Hex", "Twill Typhoon" ], "source_name": "ETDA:Mustang Panda", "tools": [ "9002 RAT", "AdFind", "Agent.dhwf", "Agentemis", "CHINACHOPPER", "China Chopper", "Chymine", "ClaimLoader", "Cobalt Strike", "CobaltStrike", "DCSync", "DOPLUGS", "Darkmoon", "Destroy RAT", "DestroyRAT", "Farseer", "Gen:Trojan.Heur.PT", "HOMEUNIX", "Hdump", "HenBox", "HidraQ", "Hodur", "Homux", "HopperTick", "Hydraq", "Impacket", "Kaba", "Korplug", "LadonGo", "MQsTTang", "McRAT", "MdmBot", "Mimikatz", "NBTscan", "NetSess", "Netview", "Orat", "POISONPLUG.SHADOW", "PUBLOAD", "PVE Find AD Users", "PlugX", "Poison Ivy", "PowerView", "QMAGENT", "RCSession", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Sogu", "TIGERPLUG", "TONEINS", "TONESHELL", "TVT", "TeamViewer", "Thoper", "TinyNote", "WispRider", "WmiExec", "XShellGhost", "Xamtrav", "Zupdax", "cobeacon", "nbtscan", "nmap", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39", "created_at": "2022-10-25T16:07:23.690871Z", "updated_at": "2026-04-10T02:00:04.709966Z", "deleted_at": null, "main_name": "Goblin Panda", "aliases": [ "1937CN", "Conimes", "Cycldek", "Goblin Panda" ], "source_name": "ETDA:Goblin Panda", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "Agent.dhwf", "BackDoor-FBZT!52D84425CDF2", "BlueCore", "BrowsingHistoryView", "ChromePass", "CoreLoader", "Custom HDoor", "Destroy RAT", "DestroyRAT", "DropPhone", "FoundCore", "HDoor", "HTTPTunnel", "JsonCookies", "Kaba", "Korplug", "LOLBAS", "LOLBins", "Living off the Land", "NBTscan", "NewCore RAT", "PlugX", "ProcDump", "PsExec", "QCRat", "RainyDay", "RedCore", "RedDelta", "RoyalRoad", "Sisfader", "Sisfader RAT", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trojan.Win32.Staser.ytq", "USBCulprit", "Win32/Zegost.BW", "Xamtrav", "ZeGhost", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "b9806584-4d82-4f32-ae97-18a2583e8d11", "created_at": "2022-10-25T16:07:23.787833Z", "updated_at": "2026-04-10T02:00:04.749709Z", "deleted_at": null, "main_name": "Leviathan", "aliases": [ "APT 40", "ATK 29", "Bronze Mohawk", "G0065", "Gadolinium", "Gingham Typhoon", "ISLANDDREAMS", "ITG09", "Jumper Taurus", "Kryptonite Panda", "Mudcarp", "Red Ladon", "TA423", "TEMP.Jumper", "TEMP.Periscope" ], "source_name": "ETDA:Leviathan", "tools": [ "AIRBREAK", "Agent.dhwf", "Agentemis", "AngryRebel", "BADFLICK", "BlackCoffee", "CHINACHOPPER", "China Chopper", "Cobalt Strike", "CobaltStrike", "DADJOKE", "Dadstache", "Derusbi", "Destroy RAT", "DestroyRAT", "Farfli", "GRILLMARK", "Gh0st RAT", "Ghost RAT", "HOMEFRY", "Hellsing Backdoor", "Kaba", "Korplug", "LOLBAS", "LOLBins", "LUNCHMONEY", "Living off the Land", "MURKYTOP", "Moudour", "Mydoor", "NanHaiShu", "Orz", "PCRat", "PNGRAT", "PlugX", "RedDelta", "SeDLL", "Sensocode", "SinoChopper", "Sogu", "TIGERPLUG", "TVT", "Thoper", "WCE", "Windows Credential Editor", "Windows Credentials Editor", "Xamtrav", "ZXShell", "ZoxPNG", "cobeacon", "gresim", "scanbox" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434771, "ts_updated_at": 1775826681, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/e77b297b2ecccec54516ba2538bd4f30bb528cb7.pdf", "text": "https://archive.orkl.eu/e77b297b2ecccec54516ba2538bd4f30bb528cb7.txt", "img": "https://archive.orkl.eu/e77b297b2ecccec54516ba2538bd4f30bb528cb7.jpg" } }