{
	"id": "b6259c51-9fb0-4c81-9c60-f38291586553",
	"created_at": "2026-04-06T00:06:26.986191Z",
	"updated_at": "2026-04-10T03:33:38.093779Z",
	"deleted_at": null,
	"sha1_hash": "f1937f6c2c56b7e0b0d408a047fb05ff172626fc",
	"title": "LevelBlue - Open Threat Exchange",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 31422,
	"plain_text": "LevelBlue - Open Threat Exchange\r\nBy AlienVault\r\nArchived: 2026-04-05 19:05:19 UTC\r\nFileHash-SHA256: 11 | URL: 4 | YARA: 1 | Domain: 1 | Hostname: 1\r\nIn recent weeks, Unit 42 has discovered three documents crafted to exploit the InPage program. InPage is a word\r\nprocessor program that supports languages such as Urdu, Persian, Pashto, and Arabic. The three InPage exploit\r\nfiles are linked through their use of very similar shellcode, which suggests that either the same actor is behind\r\nthese attacks, or the attackers have access to a shared builder. The documents were found to drop the following\r\nmalware families: The previously discussed CONFUCIUS_B malware family A backdoor previously not\r\ndiscussed in the public domain, commonly detected by some antivirus solutions as “BioData” A previously\r\nunknown backdoor that we have named MY24\r\nSource: https://otx.alienvault.com/browse/pulses?q=tag:MY24\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:MY24\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://otx.alienvault.com/browse/pulses?q=tag:MY24"
	],
	"report_names": [
		"pulses?q=tag:MY24"
	],
	"threat_actors": [
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7a8dbc5e-51a8-437a-8540-7dcb1cc110b8",
			"created_at": "2022-10-25T16:07:23.482856Z",
			"updated_at": "2026-04-10T02:00:04.627414Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"G0142"
			],
			"source_name": "ETDA:Confucius",
			"tools": [
				"ApacheStealer",
				"ByeByeShell",
				"ChatSpy",
				"Confucius",
				"MY24",
				"Sneepy",
				"remote-access-c3",
				"sctrls",
				"sip_telephone",
				"swissknife2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "caf95a6f-2705-4293-9ee1-6b7ed9d9eb4c",
			"created_at": "2022-10-25T15:50:23.472432Z",
			"updated_at": "2026-04-10T02:00:05.352882Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"Confucius",
				"Confucius APT"
			],
			"source_name": "MITRE:Confucius",
			"tools": [
				"WarzoneRAT"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775433986,
	"ts_updated_at": 1775792018,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f1937f6c2c56b7e0b0d408a047fb05ff172626fc.pdf",
		"text": "https://archive.orkl.eu/f1937f6c2c56b7e0b0d408a047fb05ff172626fc.txt",
		"img": "https://archive.orkl.eu/f1937f6c2c56b7e0b0d408a047fb05ff172626fc.jpg"
	}
}