{
	"id": "97b8e90c-4f71-45c7-909c-5b887e6fcddf",
	"created_at": "2026-04-06T00:12:56.85076Z",
	"updated_at": "2026-04-10T03:37:01.093545Z",
	"deleted_at": null,
	"sha1_hash": "f0487f5496a4edf0b00f792aab65d938674ca196",
	"title": "Rare Backdoors Suspected to be Tied to Gelsemium APT Found in Targeted Attack in Southeast Asian Government",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 515489,
	"plain_text": "Rare Backdoors Suspected to be Tied to Gelsemium APT Found in\r\nTargeted Attack in Southeast Asian Government\r\nBy Lior Rochberger, Tom Fakterman, Robert Falcone\r\nPublished: 2023-09-22 · Archived: 2026-04-05 16:58:45 UTC\r\nExecutive Summary\r\nA cluster of threat actor activity that Unit 42 observed attacking a Southeast Asian government target could\r\nprovide insight into a rarely seen, stealthy APT group known as Gelsemium.\r\nWe found this activity as part of an investigation into compromised environments within a Southeast Asian\r\ngovernment. We identified the cluster as CL-STA-0046.\r\nThis unique cluster had activity spanning over six months between 2022-2023. It featured a combination of rare\r\ntools and techniques that the threat actor leveraged to gain a clandestine foothold and collect intelligence from\r\nsensitive IIS servers belonging to a government entity in Southeast Asia.\r\nIn addition to an array of web shells, the main backdoors used by the threat actor were OwlProxy and\r\nSessionManager. This combination, which was publicly documented once before in 2020, is rare and was\r\npreviously used to target several entities in Laos.\r\nBased on our analysis and available threat intelligence, we attribute CL-STA-0046 to the Gelsemium APT group,\r\nwith a moderate level of confidence. The observations we describe here could provide a view into a threat group\r\nabout which only a handful of public reports have been published to date.\r\nAccording to research published by ESET, the Gelsemium APT group has been operational since at least 2014. It\r\nis recognized for its tendency to target a diverse range of entities, including governments, universities, electronics\r\nmanufacturers and religious organizations, predominantly in East Asia and the Middle East.\r\nDespite Gelsemium's long-standing presence in the threat landscape, limited information has been available about\r\ntheir tactics, techniques, and procedures (TTPs). 
Our analysis and description of this cluster of activities provides\r\ndeep technical insights into the tools and strategies that this APT group might employ.\r\nAdditionally, we provide a documented timeline of the operations we observed, presenting a repository of\r\nindicators for defenders.\r\nPalo Alto Networks customers receive protections against the threats discussed in this article through Advanced\r\nWildFire, Advanced URL Filtering, DNS Security, Cortex XDR and Cortex XSIAM, as detailed in the conclusion.\r\nOrganizations can engage the Unit 42 Incident Response team for specific assistance with this threat and others.\r\nTimeline of Activity\r\nhttps://unit42.paloaltonetworks.com/rare-possible-gelsemium-attack-targets-se-asia/\r\nPage 1 of 9\n\nFigure 1. Timeline of CL-STA-0046.\r\nCL-STA-0046 Details\r\nInfection Vector\r\nThe threat actor behind CL-STA-0046 gained access to the environment after installing several web shells on a\r\ncompromised web server. Among the types of web shells observed are the following:\r\nreGeorg\r\nChina Chopper\r\nAspxSpy web shell\r\nOne of the AspxSpy web shells that we saw the threat actor behind CL-STA-0046 use was reportedly used by Iron\r\nTaurus (aka APT 27) for operation Iron Tiger in 2015 (according to Trend Micro). However, this particular web\r\nshell is publicly available and could be used by any threat actor (and was therefore not included in our attribution\r\nconsideration).\r\nThe attackers conducted additional activities using the web shells. They moved laterally via SMB and downloaded\r\nadditional tools. Initially, the attackers performed basic reconnaissance commands such as ipconfig and whoami.\r\nLater, they used netscan and nbtscan to gather further information about the victim.\r\nIn some instances, we observed that the attackers started to deliver tools to the compromised server. 
The attackers\r\nused a “shell-like” tool named demo.exe to run additional commands, and they used the Potato Suite (JuicyPotato\r\n– j.exe, BadPotato and SweetPotato – ev.exe) to try to perform privilege escalation.\r\nInstalling Additional Tools and Malware\r\nTo gain a foothold in the environment, the attackers behind CL-STA-0046 downloaded several different tools.\r\nAttackers rarely use some of these tools, and when other researchers have observed them in use in the\r\npast, it was by sophisticated APT groups.\r\nWe will describe the following tools we observed in further sections:\r\nOwlProxy\r\nSessionManager\r\nCobalt Strike\r\nSpoolFool\r\nEarthWorm\r\nThe attackers checked connectivity to the internet, as shown in Figure 2, by pinging www.qq[.]com. This site is a\r\nwell-known Chinese web portal.\r\nFigure 2. Process tree of Cobalt Strike, the Potato Suite, SpoolFool and EarthWorm.\r\nSessionManager\r\nDuring our investigation, there were several unsuccessful attempts to install a variant of the SessionManager IIS\r\nbackdoor on a compromised web server. Cortex XDR blocked these attempts automatically.\r\nSessionManager is a unique custom backdoor that allows its operators to run commands, as well as upload files\r\nto and download files from the web server. This threat also allows attackers to use the web server as a proxy to\r\ncommunicate with additional systems on the network.\r\nAccording to a Kaspersky blog published in June 2022, the Gelsemium APT group used SessionManager in\r\ncompromises dating back to at least March 2021. 
Attackers specifically used it in government, nongovernment,\r\nmilitary and industrial organizations.\r\nThe SessionManager sample we observed in CL-STA-0046 was designed to inspect all inbound HTTP requests\r\nand look for requests containing a specifically crafted Cookie field within the HTTP request.\r\nThe Cookie field would contain the actor’s desired command. SessionManager supports the following commands:\r\nUploading files to the server\r\nDownloading files from the server\r\nRunning commands and applications\r\nProxying connections to additional systems\r\nThe proxy functionality offered by SessionManager suggests the actors wanted to use the server as an ingress\r\npoint to communicate with other systems on the network.\r\nOwlProxy Malware\r\nAnother unique and custom tool that attackers used was OwlProxy. OwlProxy is an HTTP proxy with backdoor\r\nfunctionality that was first discovered in April 2020 in an attack targeting the Taiwanese government. The attack,\r\nwhich was part of a campaign targeting governmental entities in East Asia and the Middle East, was attributed to\r\nGelsemium.\r\nThe threat actor deployed an executable that saved an embedded DLL to c:\\windows\\system32\\wmipd.dll and\r\ncreated a service named WMI Provider to run the DLL.\r\nThe wmipd.dll DLL is a variant of OwlProxy that differs slightly from those discussed in the April 2020 attacks in\r\nTaiwan. This variant of OwlProxy creates an HTTP service that will handle inbound HTTP requests to URLs\r\nbased on the following UrlPrefix formats:\r\nHTTPS://+:443/topics/\r\nHTTPS://+:443/topics/pp/\r\nThe DLL checks incoming requests that match these URLs for s?pa= and s?pp= to run commands or to set up a\r\nproxy, respectively. 
Like the SessionManager tool, the proxy functionality within OwlProxy furthers the theme of\r\nthe actors planning to use the server as a gateway to other systems on the network.\r\nAs part of CL-STA-0046 activities, the attackers tried to execute the OwlProxy malware (named client.exe) but\r\nCortex XDR prevented the execution. After being thwarted, the attackers tried using a replacement for the tool\r\nthat is not necessarily malicious on its own, called EarthWorm.\r\nCobalt Strike\r\nThe attackers attempted to execute Artifactd.exe, as shown in Figure 2 above, which is a Cobalt Strike beacon\r\nconfigured to communicate with the command and control (C2) server 27.124.26[.]83.\r\nEarthWorm\r\nEarthWorm is a publicly available SOCKS tunneler that, although initially created for research purposes, gained\r\npopularity among Chinese-speaking actors. For example, Kaspersky reported that APT 27 used EarthWorm in a\r\ncampaign targeting Asian government entities.\r\nThe use of EarthWorm by the threat actor behind CL-STA-0046 occurred after the attackers failed to execute\r\nOwlProxy, and we assess that they delivered EarthWorm as a replacement.\r\nAs shown in Figure 2 above, the attackers used EarthWorm (ew.exe) to create a tunnel for their C2 traffic to a\r\nserver hosted on 27.124.26[.]86. This tunnel allowed the attackers to connect the infected network's local area\r\nnetwork (LAN) to their external C2. Figure 3 shows a screenshot of the EarthWorm website.\r\nFigure 3. Screenshot from the EarthWorm website.\r\nUsing EarthWorm, the attackers sent and received data to and from their C2 server.\r\nSpoolFool\r\nIn addition to using the Potato Suite mentioned above, the attackers also used another local privilege escalation\r\n(LPE) proof of concept (PoC) published on GitHub called SpoolFool, as shown in Figure 2 above. 
This tool\r\nexploits CVE-2022-21999 (Windows Print Spooler Elevation of Privilege Vulnerability).\r\nThe attackers used this tool to attempt to create a local administrator user (username admin with the default\r\npassword Passw0rd!) using the following command.\r\nAttribution\r\nUnit 42 assesses with moderate confidence that the activity observed in CL-STA-0046 is associated with the\r\nGelsemium APT group.\r\nThis assessment is based on the unique combination of malware that attackers used in CL-STA-0046, namely the\r\nSessionManager IIS backdoor and OwlProxy. At the time of writing this report, the only publicly available report\r\nabout attackers using SessionManager and OwlProxy in conjunction is a report about the Gelsemium APT group.\r\nIn addition, there is a victimology overlap between CL-STA-0046 and Gelsemium. Researchers from ESET have\r\nreported that this threat group has targeted the government sector in Southeast Asia in the past.\r\nGelsemium has been in operation since 2014. Publicly available research reports that this group targets\r\ngovernments, and that they have been operating in Southeast Asia in the past. Although the researchers who first\r\ndiscovered Gelsemium did not attribute it to any specific state, the security firm Telsy and the Thai CERT consider\r\nthis group to be operating from China. At the time of writing this report, Unit 42 cannot confirm these attribution\r\nclaims.\r\nConclusion\r\nCL-STA-0046 is one of three clusters that we observed targeting the government sector in a country in Southeast\r\nAsia. 
Unit 42 associates the activity of the threat actor behind CL-STA-0046 with the Gelsemium APT\r\ngroup with a moderate level of confidence.\r\nAs part of the activity we observed, the threat actor gained access through the use of several web shells,\r\nfollowed by the attempted installation of multiple types of proxy malware and an IIS backdoor. As some of the threat\r\nactor's attempts to install malware were unsuccessful, they kept delivering new tools, showing their ability to\r\nadapt to the mitigation process.\r\nThe findings of this investigation highlight the urgent need for enhanced security measures, vigilant monitoring\r\nand proactive threat intelligence sharing among government entities and affected industries in Southeast Asia. By\r\nadopting a multilayered defense approach and staying informed about emerging threats, organizations can better\r\nprotect themselves against the persistent and evolving tactics employed by threat actors such as Gelsemium.\r\nProtections and Mitigations\r\nFor Palo Alto Networks customers, our products and services provide the following coverage associated with the\r\nthreats described above:\r\nWildFire cloud-based threat analysis service accurately identifies the known samples as malicious.\r\nAdvanced URL Filtering and DNS Security identify domains associated with this group as malicious.\r\nCortex XDR and XSIAM\r\nPrevents the execution of known malware\r\nPrevents the execution of unknown malware using Behavioral Threat Protection and machine\r\nlearning based on the Local Analysis module\r\nProtects against credential gathering tools and techniques using the new Credential Gathering\r\nProtection available from Cortex XDR 3.4\r\nProtects from threat actors dropping and executing commands from web shells using Anti-Webshell\r\nProtection, newly released in Cortex XDR 3.4\r\nProtects against 
exploitation of different vulnerabilities including ProxyShell and ProxyLogon using\r\nthe Anti-Exploitation modules as well as Behavioral Threat Protection\r\nCortex XDR Pro detects postexploit activity, including credential-based attacks, with behavioral\r\nanalytics\r\nIf you think you may have been impacted or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our\r\nfellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to\r\ntheir customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nInfrastructure\r\n27.124.26[.]83\r\n27.124.26[.]86\r\nAdditional Resources\r\nRead the rest of the related posts: Unit 42 Researchers Discover Multiple Espionage Operations\r\nTargeting Southeast Asian Government Sector – Unit 42, Palo Alto Networks\r\nCyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka\r\nMustang Panda – Unit 42, Palo Alto Networks\r\nPersistent Attempts at Cyberespionage Against Southeast Asian Government Target Has Links to\r\nAlloy Taurus – Unit 42, Palo Alto Networks\r\nDeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos – Malicious Life, Cybereason\r\nTaiwan Government Targeted by Multiple Cyberattacks in April 2020 – CryCraft Technology Corp,\r\nMedium\r\nNew Wave of Espionage Activity Targets Asian Governments – Threat Intelligence, Symantec\r\nOperation Iron Tiger: Exploring Chinese Cyber-Espionage Attacks on United States Defense Contractors\r\n[PDF] – TrendLabs Research Paper, Trend Micro Cybersafety Solutions Team\r\nShadowPad | A Masterpiece of Privately Sold Malware in Chinese Espionage – SentinelLabs\r\nEarth Lusca: Revealing a Worldwide Cyberespionage Operation [PDF] – Joseph Chen, Trend Micro\r\nEarth Preta Spear-Phishing Governments Worldwide – Trend Micro\r\nChina Is Relentlessly Hacking Its Neighbors – WIRED UK\r\nSource: https://unit42.paloaltonetworks.com/rare-possible-gelsemium-attack-targets-se-asia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/rare-possible-gelsemium-attack-targets-se-asia/"
	],
	"report_names": [
		"rare-possible-gelsemium-attack-targets-se-asia"
	],
	"threat_actors": [
		{
			"id": "2d4d2356-8f9e-464d-afc6-2403ce8cf424",
			"created_at": "2023-01-06T13:46:39.290101Z",
			"updated_at": "2026-04-10T02:00:03.275981Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"狼毒草"
			],
			"source_name": "MISPGALAXY:Gelsemium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "77874718-7ad2-4d15-9831-10935ab9bcbe",
			"created_at": "2022-10-25T15:50:23.619911Z",
			"updated_at": "2026-04-10T02:00:05.349462Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Gelsemium"
			],
			"source_name": "MITRE:Gelsemium",
			"tools": [
				"Gelsemium",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-10T02:00:04.853499Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b5550c4e-943a-45ea-bf67-875b989ee4c4",
			"created_at": "2022-10-25T16:07:23.675771Z",
			"updated_at": "2026-04-10T02:00:04.707782Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Operation NightScout",
				"Operation TooHash"
			],
			"source_name": "ETDA:Gelsemium",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"Chrommme",
				"Cobalt Strike",
				"CobaltStrike",
				"FireWood",
				"Gelsemine",
				"Gelsenicine",
				"Gelsevirine",
				"JuicyPotato",
				"OwlProxy",
				"Owowa",
				"SAMRID",
				"SessionManager",
				"SinoChopper",
				"SpoolFool",
				"SweetPotato",
				"WolfsBane",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9faf32b7-0221-46ac-a716-c330c1f10c95",
			"created_at": "2022-10-25T16:07:23.652281Z",
			"updated_at": "2026-04-10T02:00:04.702108Z",
			"deleted_at": null,
			"main_name": "Gallium",
			"aliases": [
				"Alloy Taurus",
				"G0093",
				"Granite Typhoon",
				"Phantom Panda"
			],
			"source_name": "ETDA:Gallium",
			"tools": [
				"Agentemis",
				"BlackMould",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"Gh0stCringe RAT",
				"HTran",
				"HUC Packet Transmit Tool",
				"LaZagne",
				"Mimikatz",
				"NBTscan",
				"PingPull",
				"Plink",
				"Poison Ivy",
				"PsExec",
				"PuTTY Link",
				"QuarkBandit",
				"Quasar RAT",
				"QuasarRAT",
				"Reshell",
				"SPIVY",
				"SinoChopper",
				"SoftEther VPN",
				"Sword2033",
				"WCE",
				"WinRAR",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Yggdrasil",
				"cobeacon",
				"nbtscan",
				"netcat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c87ee2df-e528-4fa0-bed6-6ed29e390688",
			"created_at": "2023-01-06T13:46:39.150432Z",
			"updated_at": "2026-04-10T02:00:03.231072Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"Red Dev 4",
				"Alloy Taurus",
				"Granite Typhoon",
				"PHANTOM PANDA"
			],
			"source_name": "MISPGALAXY:GALLIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434376,
	"ts_updated_at": 1775792221,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f0487f5496a4edf0b00f792aab65d938674ca196.pdf",
		"text": "https://archive.orkl.eu/f0487f5496a4edf0b00f792aab65d938674ca196.txt",
		"img": "https://archive.orkl.eu/f0487f5496a4edf0b00f792aab65d938674ca196.jpg"
	}
}