{
	"id": "5df74ffe-0396-4347-915b-a2d566f080b8",
	"created_at": "2026-04-06T00:15:08.831906Z",
	"updated_at": "2026-04-10T13:12:54.948572Z",
	"deleted_at": null,
	"sha1_hash": "f5a39926e59bb028f7b3e1bcbfcc0a58d97c1a91",
	"title": "Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1333621,
	"plain_text": "Phantom Taurus: A New Chinese Nexus APT and the Discovery of\r\nthe NET-STAR Malware Suite\r\nBy Lior Rochberger\r\nPublished: 2025-09-30 · Archived: 2026-04-05 15:09:02 UTC\r\nExecutive Summary\r\nPhantom Taurus is a previously undocumented nation-state actor whose espionage operations align with People’s\r\nRepublic of China (PRC) state interests. Over the past two and a half years, Unit 42 researchers have observed\r\nPhantom Taurus targeting government and telecommunications organizations across Africa, the Middle East, and\r\nAsia.\r\nOur observations show that Phantom Taurus’ main focus areas include ministries of foreign affairs, embassies,\r\ngeopolitical events and military operations. The group’s primary objective is espionage. Its attacks demonstrate\r\nstealth, persistence and an ability to quickly adapt their tactics, techniques and procedures (TTPs).\r\nWhat sets Phantom Taurus apart from other actors in the Chinese advanced persistent threat (APT) nexus is its\r\ndistinctive set of TTPs. These enable the group to conduct highly covert operations and maintain long-term access\r\nto critical targets. This article sheds more light on the threat actor’s recently observed TTPs and reveals a\r\npreviously undocumented custom tool in Phantom Taurus’ arsenal called NET-STAR.\r\nWe published our first article about this activity cluster (originally tracked as CL-STA-0043) in June 2023. In May\r\n2024, we promoted the classification of this cluster to a temporary group, which we designated TGR-STA-0043\r\nand nicknamed Operation Diplomatic Specter. 
Our ongoing investigations into this group deepened our\r\nunderstanding of the threat actor’s operations and enabled us to determine its connection to the Chinese nexus.\r\nThis rare level of insight reflects the depth and duration of our investigation.\r\nAfter sustained observation and intelligence collection over the past year, we have accumulated sufficient\r\nevidence to classify the temporary group as a new threat actor. Our attribution and cluster maturation process is\r\nbased on Unit 42’s attribution framework. Figure 1 shows the process of promoting Phantom Taurus from a cluster\r\nof activity to a formally named threat actor.\r\nhttps://unit42.paloaltonetworks.com/phantom-taurus/\r\nPage 1 of 13\n\nFigure 1. The maturation process of Phantom Taurus.\r\nPalo Alto Networks customers are better protected from the threats discussed above through the following\r\nproducts and services:\r\nAdvanced WildFire\r\nAdvanced Threat Prevention\r\nCortex XDR and XSIAM\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response\r\nteam.\r\nPhantom Taurus: The Evolution of a Threat Actor\r\nPhantom Taurus is a Chinese APT group that conducts long-term intelligence collection operations against high-value targets to obtain sensitive, non-public information.\r\nThe group primarily targets government entities and government service providers across the Middle East, Africa\r\nand Asia. The targeting patterns align consistently with the People's Republic of China (PRC) economic and\r\ngeopolitical interests. We observed that the group takes an interest in diplomatic communications, defense-related\r\nintelligence and the operations of critical governmental ministries. 
The timing and scope of the group’s operations\r\nfrequently coincide with major global events and regional security affairs.\r\nOur technical analysis reveals that the group employs a unique set of custom-developed tools and implements\r\ntechniques that are rarely observed in the threat landscape. The list of TTPs is provided in Appendix A.\r\nThis group's distinctive modus operandi, combined with its advanced operational practices, sets Phantom Taurus\r\napart from other Chinese APT groups. The designation of this group as a distinct Chinese APT is supported by\r\nmultiple attribution factors, as illustrated in the Diamond Model of attribution shown in Figure 2.\r\nFigure 2. Diamond Model representation of Phantom Taurus.\r\nDiamond Model Attribution Breakdown\r\nWe established the attribution of Phantom Taurus through a comprehensive analysis of the following Diamond\r\nModel elements:\r\nInfrastructure: Phantom Taurus uses a shared Chinese APT operational infrastructure that has been\r\nexclusively used by Chinese threat actors, including Iron Taurus (aka APT27), Starchy Taurus (aka Winnti)\r\nand Stately Taurus (aka Mustang Panda). However, the specific infrastructure components used by\r\nPhantom Taurus have not been observed in operations by other threat actors, indicating operational\r\ncompartmentalization within this shared ecosystem.\r\nVictimology: The group consistently targets high-value organizations that have access to sensitive non-public information. 
Over the past several years, we have observed Phantom Taurus targeting government\r\nand telecommunications sector organizations, particularly those that provide services and infrastructure.\r\nThis group focuses its operations on the Middle East, Africa and Asia, reflecting intelligence collection\r\npriorities that align with Chinese strategic interests.\r\nCapabilities: Phantom Taurus employs a set of TTPs that differentiate it from other threat actors. Several\r\nof these techniques have not been observed in operations by other groups, while others are sufficiently rare\r\nthat only a handful of actors have been observed using similar methods. In addition to common tools such\r\nas China Chopper, the Potato suite and Impacket, the group uses customized tools, including the Specter\r\nmalware family, Ntospy and the NET-STAR malware suite described later in this article.\r\nBy using the Diamond Model of attribution with the three nodes shown in Figure 2, we mapped the group’s\r\nsimilarities and overlaps with other threat actors. As we tracked the activity for an extended period, it became\r\nclear that the activities that we observed were carried out by a new threat actor.\r\nCharting the Course From Email to Databases: Phantom Taurus’ New Data Collection Methods\r\nOur continuous monitoring of Phantom Taurus activities has revealed a tactical evolution that we first observed in\r\nearly 2025. Since 2023, Phantom Taurus has focused on stealing sensitive and specific emails of interest from\r\nemail servers, as we described in a previous article. 
However, our telemetry indicates a shift from this email-centric methodology to the direct targeting of databases.\r\nWe observed Phantom Taurus using a script named mssq.bat to connect to and collect data from a targeted\r\ndatabase.\r\nThe mssq.bat script operates in the following manner:\r\nConnects to an SQL Server database with a given server name, a user ID named sa (system administrator)\r\nand a password that the attackers previously obtained\r\nReads the SQL query provided in the command-line arguments by the group’s operators. This allows\r\ndynamic searching for tables and specific keywords\r\nExecutes the provided query and returns the results that match the operator’s search\r\nExports results to a CSV file\r\nCloses the database connection\r\nThe threat actor leveraged Windows Management Instrumentation (WMI) to execute the mssq.bat script on the\r\nremote SQL Server. Figure 3 shows that the command contains both the embedded script and the execution\r\ninstructions.\r\nFigure 3. Execution of mssq.bat as shown in Cortex XDR.\r\nThe threat actor used this method to search for documents of interest and information related to specific countries\r\nsuch as Afghanistan and Pakistan.\r\nThe New NET-STAR Malware Suite\r\nIn addition to Phantom Taurus’ shift to collecting data from databases, we observed the group using a new and\r\nundocumented malware suite in its recent operations. This new tool is a .NET malware suite designed to target\r\nInternet Information Services (IIS) web servers. We named the suite NET-STAR, based on the use of the string in\r\nthe malware’s program database (PDB) paths:\r\nC:\\Users\\Administrator\\Desktop\\tmp\\NETstarshard\\ServerCore\\obj\\Release\\ServerCore.pdb\r\nC:\\Users\\admin\\Desktop\\starshard\\NETstarshard\\ExecuteAssembly\\obj\\Debug\\ExecuteAssembly.pdb\r\nThe STAR string also appears as a delimiter in Base64-encoded data. 
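The following is an added example written for this edit; it is not code from the Unit 42 article and not code recovered from the malware. It models the result envelope that Appendix B attributes to IIServerCore’s SetContext method (gzip compression, then AES in ECB mode with PKCS7 padding, then Base64) and its reverse, so that a responder who has recovered the key string from a captured OutlookEN.aspx loader can decode w3wp.exe request and response bodies offline. The key, the sample result string and the Ruby helper names are assumptions: the article does not describe how the key is derived or the exact layout produced by ConvertToSpecialString, and the example uses AES-128 only because the demo key is 16 bytes.

```ruby
require 'openssl'
require 'zlib'

BLOCK_SIZE = 16

# Constructed 16-byte demo key (AES-128). Appendix B only says Encrypt and
# Decrypt take an encryption key string; the real key handling is not on the
# page, so nothing here reflects how IIServerCore obtains its key.
EXAMPLE_KEY = 'NETSTAR-DEMO-KEY'

# Constructed stand-in for the custom string ConvertToSpecialString emits.
# Its real format is undocumented beyond being a rendering of key/value pairs.
SAMPLE_RESULT = 'listDir=C:/inetpub/wwwroot;entries=OutlookEN.aspx,web.config'

# One AES-128-ECB pass. OpenSSL applies PKCS7 padding by default, which is
# the padding Appendix B names for the Encrypt and Decrypt methods.
def aes_ecb(raw, key, mode)
  cipher = OpenSSL::Cipher.new('aes-128-ecb')
  mode == :encrypt ? cipher.encrypt : cipher.decrypt
  cipher.key = key
  cipher.update(raw) + cipher.final
end

# Outbound envelope in the order SetContext is described: compress, encrypt,
# Base64. pack('m0') is strict Base64 with no line breaks.
def set_context(result_string, key)
  [aes_ecb(Zlib.gzip(result_string), key, :encrypt)].pack('m0')
end

# Responder-side reversal of set_context: Base64 decode, decrypt, gunzip.
# A wrong key normally fails at cipher.final (bad PKCS7) or, rarely, at
# gunzip (bad magic); both are reported as one explicit error.
def get_context(b64_blob, key)
  raw = b64_blob.unpack1('m0')
  Zlib.gunzip(aes_ecb(raw, key, :decrypt))
rescue OpenSSL::Cipher::CipherError, Zlib::Error => e
  raise ArgumentError, 'decode failed (wrong key or not a NET-STAR envelope): ' + e.message
end

# ECB has no IV: equal 16-byte plaintext blocks give equal ciphertext blocks.
# Returns how many ciphertext blocks duplicate an earlier block.
def repeated_blocks(ciphertext)
  blocks = ciphertext.bytes.each_slice(BLOCK_SIZE).map { |b| b.pack('C*') }
  blocks.size - blocks.uniq.size
end

if __FILE__ == $PROGRAM_NAME
  blob = set_context(SAMPLE_RESULT, EXAMPLE_KEY)
  puts 'envelope: ' + blob
  puts 'decoded:  ' + get_context(blob, EXAMPLE_KEY)
  puts 'repeated ECB blocks in 48 bytes of A: ' + repeated_blocks(aes_ecb('A' * 48, EXAMPLE_KEY, :encrypt)).to_s
end
```

Two points for whoever adapts this to real captures. ECB mode has no IV, so the cipher layer is deterministic and leaks block-level repetition; repeated_blocks shows that on raw ECB output, although gzip ahead of the cipher hides most repetition in genuine IIServerCore traffic. And the page reports STAR as a delimiter inside Base64 data: all four characters are in the Base64 alphabet, so a decoder cannot blindly split on that string and has to know the field layout.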
The NET-STAR malware suite demonstrates\r\nPhantom Taurus’ advanced evasion techniques and a deep understanding of .NET architecture, representing a\r\nsignificant threat to internet-facing servers. The suite consists of three distinct web-based backdoors, each serving\r\na specific role in the attack chain while maintaining persistence within the target’s IIS environment:\r\nIIServerCore: A fileless modular backdoor that supports in-memory execution of command-line\r\narguments, arbitrary commands and payloads\r\nAssemblyExecuter V1: Loads and executes additional .NET payloads in memory\r\nAssemblyExecuter V2: An enhanced version of AssemblyExecuter V1 that is also equipped with\r\nAntimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) bypass capabilities\r\nIIServerCore: A Modular Fileless IIS Backdoor\r\nIIServerCore is the main web-based backdoor component in the NET-STAR malware suite. After being loaded by\r\nthe web shell loader component, the backdoor operates entirely in memory within the w3wp.exe IIS worker\r\nprocess.\r\nThe IIServerCore backdoor has a unique modular, fileless execution flow that allows it to:\r\nReceive additional payloads and arguments\r\nExecute them in memory\r\nSend the results over an encrypted command and control (C2) communication channel\r\nFigure 4 shows the execution flow.\r\nFigure 4. IIServerCore execution flow.\r\nIIServerCore Under the Hood: From Web Shell Loader to Fileless Malware\r\nThe initial component of IIServerCore is an ASPX web shell named OutlookEN.aspx. This web shell contains an\r\nembedded, compressed and Base64-encoded binary: the IIServerCore backdoor. When the web shell executes, it loads the\r\nbackdoor into the memory of the w3wp.exe process and invokes the Run method, which is the main function of\r\nIIServerCore. Figure 5 shows the web shell.\r\nFigure 5. 
Web shell content of OutlookEN.aspx.\r\nIn an attempt to evade detection efforts, the threat actor timestomped the ASPX file to match the timestamp of\r\nanother old ASPX file found on the operating system. The threat actor timestomped not only the web shell, but\r\nalso the backdoors in the NET-STAR malware suite. The actor changed the compilation time to a random future\r\ndate to hide the malware’s real compilation timestamp.\r\nIIServerCore also supports a command called changeLastModified. This suggests that the malware has active\r\ntimestomping capabilities, designed to confuse security analysts and digital forensics tools.\r\nBreaking Down IIServerCore Method by Method\r\nThe IIServerCore backdoor consists of a class called ServerRun and 11 methods. This includes a main method\r\nnamed Run as well as several others that provide additional capabilities. The methods and their descriptions are\r\nlisted in Appendix B.\r\nThe main method, Run, receives the incoming communication and handles all malware operations. This method\r\nprocesses two types of requests:\r\nInitial handshake requests to establish a session with the C2 server\r\nSubsequent command execution requests to load and execute .NET assemblies dynamically\r\nFigure 6 shows the Run method.\r\nFigure 6. Screenshot of IIServerCore main method Run.\r\nThe Run method manages the session state using cookies. This behavior allows the method to track and maintain\r\ninformation about a user’s session across multiple web requests. 
It decrypts incoming commands and payloads,\r\nloads .NET code from Base64-encoded assemblies and supports data encryption.\r\nThe backdoor supports various built-in commands that provide a wide range of functionalities, including:\r\nFile system operations\r\nDatabase access, including running SQL commands\r\nArbitrary code execution\r\nWeb shell management to deploy and manage multiple web shells\r\nAntivirus evasion: AMSI bypass functionality\r\nEncrypted C2 communication, where all communications are AES encrypted\r\nMemory-only execution: payloads are loaded directly into memory\r\nThe full list of commands is provided in Appendix C.\r\nTwo New Variants of .NET Malware Loaders\r\nThe second component in the NET-STAR suite is another .NET IIS malware that we named AssemblyExecuter.\r\nDuring our investigation, we observed two versions of AssemblyExecuter:\r\nAn older version (v1) that we believe the threat actors initially used around 2024\r\nA newer version (v2) that we believe they used in 2025\r\nAssemblyExecuter V1\r\nThe first AssemblyExecuter version is a .NET assembly designed for a single, specific purpose of executing other\r\n.NET assemblies directly in memory without writing them to disk.\r\nThis component enables threat actors to dynamically load and execute additional functionality after a compromise.\r\nThe backdoor accepts assembly bytecode as input parameters, loads it using the .NET Assembly.Load() method\r\nand invokes the assembly’s entry point along with specified command-line arguments.\r\nThe component’s seemingly benign code structure results in minimal flagging by antivirus engines on VirusTotal,\r\nat the time of writing this article. 
This demonstrates a technique that threat actors can use to create tools that avoid\r\novert code, which detection systems might interpret as malicious.\r\nAssemblyExecuter V2\r\nThe second AssemblyExecuter version maintains the same core purpose as its predecessor, executing arbitrary\r\n.NET assemblies directly in memory. This version has enhanced evasion capabilities to operate in more heavily\r\nmonitored environments.\r\nWhile the fundamental assembly loading and execution logic remain unchanged, AssemblyExecuter v2 includes\r\ndedicated methods for bypassing two critical Windows security mechanisms, AMSI and ETW. The malware\r\ndynamically determines which bypass techniques to apply based on input parameters, allowing attackers to\r\nselectively disable security controls, depending on the target environment’s configuration.\r\nFigure 7 displays the input parameters that the attackers used to achieve bypass.\r\nFigure 7. Security bypass code inside AssemblyExecuter V2.\r\nConclusion\r\nThis article details the maturation of activity cluster CL-STA-0043 to a formally designated threat actor, Phantom\r\nTaurus. We also provide a detailed technical analysis of NET-STAR, a previously undiscovered malware suite that\r\nrepresents a significant evolution in this actor's operational capabilities.\r\nThe extensive evidence that we gathered provides crucial insights into adversary persistence, adaptability,\r\nevolution process and strategic intent that short-term analysis cannot always capture.\r\nThe formal designation of Phantom Taurus demonstrates the value of sustained threat actor tracking. 
Our multi-year investigation exemplifies how long-term monitoring enables a comprehensive understanding of threat actor\r\nevolution and operational capabilities.\r\nPalo Alto Networks Protection and Mitigation\r\nPalo Alto Networks customers are better protected from the threats discussed above through the following\r\nproducts:\r\nThe Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated\r\nin light of the indicators shared in this research.\r\nAdvanced Threat Prevention has an inbuilt machine learning-based detection that can detect exploits in real\r\ntime.\r\nCortex XDR and XSIAM.\r\nThe XDR agent is designed to protect against the initial NET-STAR malware loader, preventing the\r\nexecution of the attack chain outlined in this article.\r\nFigure 8 shows that the execution of the loader component was detected and prevented by the web\r\nshell protection module.\r\nFigure 8. Prevention alert for execution of web shell loader component.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)\r\nUK: +44.20.3743.3660\r\nEurope and Middle East: +31.20.299.3130\r\nAsia: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nAustralia: +61.2.4062.7950\r\nIndia: 000 800 050 45107\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA\r\nmembers use this intelligence to rapidly deploy protections to their customers and to systematically disrupt\r\nmalicious cyber actors. 
Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nSHA256 hash for IIServerCore\r\n(ServerCore.dll)\r\neeed5530fa1cdeb69398dc058aaa01160eab15d4dcdcd6cb841240987db284dc\r\nSHA256 hash for AssemblyExecuter V1\r\n(ExecuteAssembly.dll)\r\n3e55bf8ecaeec65871e6fca4cb2d4ff2586f83a20c12977858348492d2d0dec4\r\nSHA256 hash for AssemblyExecuter V2\r\n(ExecuteAssembly.dll)\r\nafcb6289a4ef48bf23bab16c0266f765fab8353d5e1b673bd6e39b315f83676e\r\nb76e243cf1886bd0e2357cbc7e1d2812c2c0ecc5068e61d681e0d5cff5b8e038\r\nAdditional Resources\r\nUNMASKED: Inside a New Chinese Nexus APT – Webinar, Palo Alto Networks\r\nOperation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to\r\nTarget Governmental Entities in the Middle East, Africa and Asia – Unit 42, Palo Alto Networks\r\nThrough the Cortex XDR Lens: Uncovering a New Activity Group Targeting Governments in the Middle\r\nEast and Africa – Palo Alto Networks Blog\r\nNew Tool Set Found Used Against Organizations in the Middle East, Africa and the US – Unit 42, Palo\r\nAlto Networks\r\nAppendix A – Phantom Taurus Main TTPs\r\nTools: Htran, Yasso, JuicyPotatoNG, Nbtscan, Scansql, Ladon, Samba, SMBClient, Impacket, SharpEfsPotato, iislpe, Mimikatz\r\nMalware: TunnelSpecter, SweetSpecter, Agent Racoon, IIServerCore, AssemblyExecuter, Ntospy, PlugX, Gh0st RAT, China Chopper\r\nTechniques: Running an in-memory Visual Basic script implant to act as a web shell; stealing credentials by misusing the network providers; stealing emails by misusing the Exchange Management Shell entity\r\nTable 1. Phantom Taurus main TTPs.\r\nAppendix B – IIServerCore Methods\r\nEncryptBase64: Receives a plain text string and performs basic Base64 encoding (not encryption, despite the name). This function is used throughout the malware to obfuscate data transmission.\r\nDecryptBase64: Receives a Base64-encoded string and decodes it back to plain text.\r\nEncrypt: Receives raw byte data and an encryption key string. This function then performs AES encryption using ECB mode with PKCS7 padding. It creates an AES cipher with the provided key, encrypts the input data, and returns the encrypted bytes. The malware uses this method to secure communication with the C2.\r\nDecrypt: Receives encrypted byte data and the corresponding key. The function then decrypts the data using AES decryption with the same ECB mode and PKCS7 padding settings. It reverses the encryption process to recover the original data, enabling the malware to process encrypted commands from the attacker.\r\nCompress: Receives byte array data and compresses it using Gzip. Creates a compressed version of the input data to reduce the size of data it transmits between the malware and its C2 server, making network traffic less conspicuous.\r\nDecompress: Receives Gzip-compressed byte data and decompresses it back to its original form.\r\nGetContext: Receives a string containing the full request data. This function then extracts the payload portion and returns only the Base64-encoded payload data that contains the actual malicious payload.\r\nConvertToSpecialString: Takes a list of dictionaries, each containing string key-value pairs, and converts them into a custom-formatted string. This string is used by the SetContext function to prepare command execution results.\r\nSetContext: Takes the structured output from ConvertToSpecialString and applies multi-layer encoding (compression, encryption and Base64) that is later used for secure transmission back to the C2 server.\r\nGetMd5Hash: Receives a string input and computes its MD5 hash.\r\nRun: The main execution function that receives the HTTP context and handles all malware operations.\r\nTable 2. List of IIServerCore’s methods.\r\nAppendix C – Built-In Commands\r\nThe following commands are embedded in the IIServerCore backdoor:\r\nfileExist\r\nlistDir\r\ncreateDir\r\nrenameDir\r\nfileRead\r\ndeleteFile\r\nDictionary\r\ncreateFile\r\nchangeLastModified\r\ncode_self\r\ncode_pid\r\nrun_code\r\naddshell\r\nbypassPrecompiledApp\r\nlistShell\r\nremoveShell\r\nexecuteSQLQuery\r\nExecuteNonQuery\r\nSource: https://unit42.paloaltonetworks.com/phantom-taurus/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/phantom-taurus/"
	],
	"report_names": [
		"phantom-taurus"
	],
	"threat_actors": [
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-10T02:00:04.853499Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ffc66b49-9396-46af-966f-9376c4315f32",
			"created_at": "2023-11-21T02:00:07.339061Z",
			"updated_at": "2026-04-10T02:00:03.462317Z",
			"deleted_at": null,
			"main_name": "CL-STA-0043",
			"aliases": [
				"TGR-STA-0043"
			],
			"source_name": "MISPGALAXY:CL-STA-0043",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cff2cedd-a198-4e79-ae67-19048084ae7f",
			"created_at": "2024-06-20T02:02:09.945126Z",
			"updated_at": "2026-04-10T02:00:04.79991Z",
			"deleted_at": null,
			"main_name": "Operation Diplomatic Specter",
			"aliases": [
				"CL-STA-0043",
				"TGR-STA-0043"
			],
			"source_name": "ETDA:Operation Diplomatic Specter",
			"tools": [
				"Agent Racoon",
				"Agent.dhwf",
				"AngryRebel",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTran",
				"HUC Packet Transmit Tool",
				"JuicyPotatoNG",
				"Kaba",
				"Korplug",
				"LadonGo",
				"Mimikatz",
				"Mimilite",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"Ntospy",
				"PCRat",
				"PlugX",
				"RedDelta",
				"SharpEfsPotato",
				"SinoChopper",
				"Sogu",
				"SweetSpecter",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TunnelSpecter",
				"Xamtrav",
				"Yasso",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434508,
	"ts_updated_at": 1775826774,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f5a39926e59bb028f7b3e1bcbfcc0a58d97c1a91.pdf",
		"text": "https://archive.orkl.eu/f5a39926e59bb028f7b3e1bcbfcc0a58d97c1a91.txt",
		"img": "https://archive.orkl.eu/f5a39926e59bb028f7b3e1bcbfcc0a58d97c1a91.jpg"
	}
}