{ "id": "28005a68-2260-41c0-8f61-2dae54bfc74f", "created_at": "2026-04-06T00:18:57.668769Z", "updated_at": "2026-04-10T03:37:21.707577Z", "deleted_at": null, "sha1_hash": "ef0d3a0f2cd3f5367d4e964f6b0f08381a34d8bd", "title": "HyperSSL (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 57140, "plain_text": "HyperSSL (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 19:47:34 UTC\r\n2025-06-13 ⋅ Twitter (@Unit42_Intel) ⋅\r\nTweet about APT27 SysUpdate activity\r\nHyperSSL HyperSSL 2023-07-18 ⋅ Mandiant ⋅ Mandiant Intelligence\r\nStealth Mode: Chinese Cyber Espionage Actors Continue to Evolve Tactics to Avoid Detection\r\nBPFDoor SALTWATER SEASPY SideWalk ZuoRAT Daxin HyperBro HyperSSL Waterbear 2023-03-01 ⋅ Trend\r\nMicro ⋅ Daniel Lunghi\r\nIron Tiger’s SysUpdate Reappears, Adds Linux Targeting\r\nHyperSSL HyperSSL 2022-11-22 ⋅ Twitter (@ESETresearch) ⋅ ESET Research\r\nTweets on SysUpdate / Soldier / HyperSSL\r\nHyperSSL 2021-08-10 ⋅ FireEye ⋅ Israel Research Team, U.S. Threat Intel Team\r\nUNC215: Spotlight on a Chinese Espionage Campaign in Israel\r\nHyperBro HyperSSL MimiKatz 2021-06-02 ⋅ Trend Micro ⋅ Daniel Lunghi\r\nTaking Advantage of PE Metadata, or How To Complete Your Favorite Threat Actor’s Sample Collection\r\nHyperSSL 2021-06-02 ⋅ Trend Micro ⋅ Daniel Lunghi\r\nTaking Advantage of PE Metadata,or How To Complete your Favorite ThreatActor’s Sample Collection (Paper)\r\nHyperSSL 2021-04-29 ⋅ ESET Research ⋅ Andy Garth, Daniel Chromek, Matthieu Faou, Robert Lipovsky, Tony Anscombe\r\nESET Industry Report on Government: Targeted but not alone\r\nExaramel Crutch Exaramel HyperBro HyperSSL InvisiMole XDSpy 2021-04-09 ⋅ Trend Micro ⋅ Daniel Lunghi, Kenney\r\nLu\r\nIron Tiger APT Updates Toolkit With Evolved SysUpdate Malware\r\nHyperBro HyperSSL APT27 2020-09-30 ⋅ Team Cymru ⋅ Jacomo Piccolini, James Shank\r\nPandamic: Emissary Pandas in the Middle East\r\nHyperBro HyperSSL 2020-01-01 ⋅ FireEye ⋅ Mandiant, Mitchell Clarke, Tom Hall\r\nMandiant IR Grab Bag of Attacker Activity\r\nTwoFace CHINACHOPPER HyperBro HyperSSL 2019-07-21 ⋅ One Night in Norfolk ⋅ Kevin Perlow\r\nEmissary Panda DLL Backdoor\r\nHyperSSL 2019-06-13 ⋅ ae CERT ⋅ ae CERT\r\nAdvanced Notification of Cyber Threats against Family of Malware Giving Remote Access to Computers\r\nHyperBro HyperSSL 2019-05-28 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone, Tom Lancaster\r\nEmissary Panda Attacks Middle East Government Sharepoint Servers\r\nCHINACHOPPER HyperSSL\r\n[TLP:WHITE] win_hyperssl_auto (20251219 | Detects win.hyperssl.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperssl\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.hyperssl\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperssl" ], "report_names": [ "win.hyperssl" ], "threat_actors": [ { "id": "11f52079-26d3-4e06-8665-6a0b3efdc41c", "created_at": "2022-10-25T16:07:23.736987Z", "updated_at": "2026-04-10T02:00:04.732021Z", "deleted_at": null, "main_name": "InvisiMole", "aliases": [ "UAC-0035" ], "source_name": "ETDA:InvisiMole", "tools": [ "InvisiMole" ], "source_id": "ETDA", "reports": null }, { "id": "69cba9ab-de35-4103-a699-7d243bcfd196", "created_at": "2023-01-06T13:46:39.159472Z", "updated_at": "2026-04-10T02:00:03.233731Z", "deleted_at": null, "main_name": "XDSpy", "aliases": [], "source_name": "MISPGALAXY:XDSpy", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "274f04ff-fae8-4e90-bcf5-3e391a860cd5", "created_at": "2023-12-08T02:00:05.75114Z", "updated_at": "2026-04-10T02:00:03.493837Z", "deleted_at": null, "main_name": "UNC215", "aliases": [], "source_name": "MISPGALAXY:UNC215", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "12b5d602-4017-4a6f-a2a3-387a6e07a27b", "created_at": "2023-01-06T13:46:39.095233Z", "updated_at": "2026-04-10T02:00:03.21157Z", "deleted_at": null, "main_name": "InvisiMole", "aliases": [], "source_name": "MISPGALAXY:InvisiMole", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c", "created_at": "2022-10-25T15:50:23.819113Z", "updated_at": "2026-04-10T02:00:05.354598Z", "deleted_at": null, "main_name": "Threat Group-3390", "aliases": [ "Threat Group-3390", "Earth Smilodon", "TG-3390", "Emissary Panda", "BRONZE UNION", "APT27", "Iron Tiger", "LuckyMouse", "Linen Typhoon" ], "source_name": "MITRE:Threat Group-3390", "tools": [ "Systeminfo", "gsecdump", "PlugX", "ASPXSpy", "Cobalt Strike", "Mimikatz", "Impacket", "gh0st RAT", "certutil", "China Chopper", "HTTPBrowser", "Tasklist", "netstat", "SysUpdate", "HyperBro", "ZxShell", "RCSession", "ipconfig", "Clambling", "pwdump", "NBTscan", "Pandora", "Windows Credential Editor" ], "source_id": "MITRE", "reports": null }, { "id": "d69b3831-de95-42c9-b4b6-26232627206f", "created_at": "2022-10-25T16:07:24.429466Z", "updated_at": "2026-04-10T02:00:04.985102Z", "deleted_at": null, "main_name": "XDSpy", "aliases": [], "source_name": "ETDA:XDSpy", "tools": [ "ChromePass", "IE PassView", "MailPassView", "Network Password Recovery", "OperaPassView", "PasswordFox", "Protected Storage PassView", "XDDown", "XDList", "XDLoc", "XDMonitor", "XDPass", "XDRecon", "XDUpload" ], "source_id": "ETDA", "reports": null }, { "id": "c63ab035-f9f2-4723-959b-97a7b98b5942", "created_at": "2023-01-06T13:46:38.298354Z", "updated_at": "2026-04-10T02:00:02.917311Z", "deleted_at": null, "main_name": "APT27", "aliases": [ "BRONZE UNION", "Circle Typhoon", "Linen Typhoon", "TEMP.Hippo", "Budworm", "Lucky Mouse", "G0027", "GreedyTaotie", "Red Phoenix", "Iron Tiger", "Iron Taurus", "Earth Smilodon", "TG-3390", "EMISSARY PANDA", "Group 35", "ZipToken" ], "source_name": "MISPGALAXY:APT27", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43", "created_at": "2025-08-07T02:03:24.68371Z", "updated_at": "2026-04-10T02:00:03.64323Z", "deleted_at": null, "main_name": "BRONZE UNION", "aliases": [ "APT27 ", "Bowser", "Budworm ", "Circle Typhoon ", "Emissary Panda ", "Group35", "Iron Tiger ", "Linen Typhoon ", "Lucky Mouse ", "TG-3390 ", "Temp.Hippo " ], "source_name": "Secureworks:BRONZE UNION", "tools": [ "AbcShell", "China Chopper", "EAGERBEE", "Gh0st RAT", "OwaAuth", "PhantomNet", "PoisonIvy", "Sysupdate", "Wonknu", "Wrapikatz", "ZxShell", "reGeorg" ], "source_id": "Secureworks", "reports": null }, { "id": "ea34919f-9093-4e34-b9de-a37ab9b4d5c4", "created_at": "2022-10-25T16:07:24.35727Z", "updated_at": "2026-04-10T02:00:04.952883Z", "deleted_at": null, "main_name": "UNC215", "aliases": [], "source_name": "ETDA:UNC215", "tools": [ "AdFind", "CHINACHOPPER", "China Chopper", "FOCUSFJORD", "HighShell", "HyperBro", "HyperSSL", "HyperShell", "Mimikatz", "NBTscan", "ProcDump", "PsExec", "SEASHARPEE", "SinoChopper", "SysUpdate", "TwoFace", "WHEATSCAN", "WinRAR", "certutil", "certutil.exe", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "5c13338b-eaed-429a-9437-f5015aa98276", "created_at": "2022-10-25T16:07:23.582715Z", "updated_at": "2026-04-10T02:00:04.675765Z", "deleted_at": null, "main_name": "Emissary Panda", "aliases": [ "APT 27", "ATK 15", "Bronze Union", "Budworm", "Circle Typhoon", "Earth Smilodon", "Emissary Panda", "G0027", "Group 35", "Iron Taurus", "Iron Tiger", "Linen Typhoon", "LuckyMouse", "Operation DRBControl", "Operation Iron Tiger", "Operation PZChao", "Operation SpoiledLegacy", "Operation StealthyTrident", "Red Phoenix", "TEMP.Hippo", "TG-3390", "ZipToken" ], "source_name": "ETDA:Emissary Panda", "tools": [ "ASPXSpy", "ASPXTool", "Agent.dhwf", "AngryRebel", "Antak", "CHINACHOPPER", "China Chopper", "Destroy RAT", "DestroyRAT", "FOCUSFJORD", "Farfli", "Gh0st RAT", "Ghost RAT", "HTTPBrowser", "HTran", "HUC Packet Transmit Tool", "HighShell", "HttpBrowser RAT", "HttpDump", "HyperBro", "HyperSSL", "HyperShell", "Kaba", "Korplug", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "Moudour", "Mydoor", "Nishang", "OwaAuth", "PCRat", "PlugX", "ProcDump", "PsExec", "RedDelta", "SEASHARPEE", "Sensocode", "SinoChopper", "Sogu", "SysUpdate", "TIGERPLUG", "TVT", "Thoper", "Token Control", "TokenControl", "TwoFace", "WCE", "Windows Credential Editor", "Windows Credentials Editor", "Xamtrav", "ZXShell", "gsecdump", "luckyowa" ], "source_id": "ETDA", "reports": null }, { "id": "236429ce-6355-43f6-9b58-e6803a1df3f4", "created_at": "2026-03-16T02:02:50.60344Z", "updated_at": "2026-04-10T02:00:03.641587Z", "deleted_at": null, "main_name": "Bronze Union", "aliases": [ "Circle Typhoon ", "Emissary Panda " ], "source_name": "Secureworks:Bronze Union", "tools": [ "China Chopper", "OwaAuth", "Sysupdate" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434737, "ts_updated_at": 1775792241, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ef0d3a0f2cd3f5367d4e964f6b0f08381a34d8bd.pdf", "text": "https://archive.orkl.eu/ef0d3a0f2cd3f5367d4e964f6b0f08381a34d8bd.txt", "img": "https://archive.orkl.eu/ef0d3a0f2cd3f5367d4e964f6b0f08381a34d8bd.jpg" } }