{
	"id": "d635e5c8-25fb-4215-a81d-6d9b24c8fede",
	"created_at": "2026-04-06T00:06:10.903206Z",
	"updated_at": "2026-04-10T03:37:04.323319Z",
	"deleted_at": null,
	"sha1_hash": "fa0b2245a64f141c0908dd087baee7e7d9e4125e",
	"title": "The Rise of Collaborative Tactics Among China-aligned Cyber Espionage Campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 847334,
	"plain_text": "The Rise of Collaborative Tactics Among China-aligned Cyber\r\nEspionage Campaigns\r\nBy By: Daniel Lunghi, Leon M Chang Oct 22, 2025 Read time: 13 min (3590 words)\r\nPublished: 2025-10-22 · Archived: 2026-04-05 19:18:05 UTC\r\nKey takeaways\r\n“Premier Pass-as-a-Service” describes the emerging trend of advanced collaboration tactics between\r\nmultiple China-aligned APT groups, notably Earth Estries and Earth Naga, that are making modern\r\ncyberespionage campaigns even more complex.\r\nThe case study discussed in this blog entry shows the model in action between these two groups, with\r\nEarth Estries acting as an access broker to Earth Naga for continued exploitation. By sharing access, Earth\r\nEstries and Earth Naga further complicate detection and attribution efforts.\r\nEarth Estries and Earth Naga have persistently targeted critical sectors, especially government agencies and\r\ntelecommunications providers, with operations spanning multiple regions. Earth Estries and Earth Naga's\r\ncoordinated cyberespionage campaigns have recently focused on retail and government-related\r\norganizations in APAC.\r\nTrend™ Research has introduced a new four-tier framework that categorizes these different kinds of\r\ncollaborative attacks and helps security practitioners better understand such collaborations.\r\nWith contributions from Joseph C Chen, Vickie Su and Lenart Bermejo\r\nIn the domain of cyberespionage, Trend™ Research has observed an emerging development in recent years: close\r\ncollaboration between different advanced persistent threat (APT) groups of what looks like a single cyber\r\ncampaign at first sight. This report highlights instances of such cooperation, where the APT group Earth\r\nEstriesopen on a new tab handed over a compromised asset to Earth Naga, another APT group also known as Flax\r\nTyphoonopen on a new tab, RedJuliettopen on a new tab, or Ethereal Pandaopen on a new tab. 
This phenomenon,\r\nwhich we have termed \"Premier Pass,\" represents a new level of coordination in cyber campaigns, particularly\r\namong China-aligned APT actors.\r\nAttributing cyberattacks to specific threat actors is inherently complex, often relying on a blend of techniques such\r\nas malware analysis, network traffic analysis, examination of tactics, techniques, and procedures (TTPs) and\r\nvictimology. However, the rise of collaborative operations, such as those exemplified by Earth Estriesopen on a\r\nnew tab and Earth Naga, introduces additional layers of difficulty in attribution. These operations challenge\r\ntraditional methods by involving multiple intrusion sets, complicating the identification of responsible parties.\r\nThis report will delve into the intricacies of this emerging trend, focusing on:\r\nA comprehensive analysis of the Premier Pass case, where Earth Estries facilitated access for Earth Naga,\r\nshowcasing a sophisticated level of inter-group cooperation.\r\nhttps://www.trendmicro.com/en_us/research/25/j/premier-pass-as-a-service.html\r\nPage 1 of 12\n\nThe introduction of a four-tier framework to define and categorize modern collaborative attacks among\r\nChina-aligned APT groups.\r\nInsights into the attribution challenges posed by these collaborative operations, emphasizing the need for\r\ncyber threat intelligence (CTI) researchers to look beyond mere process chain overlaps.\r\nThe collaboration discussed in this case study between Earth Estries and Earth Naga marks a pivotal shift in the\r\nlandscape of cyberespionage, demanding a re-evaluation of attribution strategies and highlighting the intricate web\r\nof alliances within the cyber threat landscape.\r\nEarth Estries and Earth Naga victimology\r\nEarth Estries has primarily targeted critical sectors like telecommunications and government entities across the\r\nUS, Asia-Pacific region, and the Middle East. 
In the past two years, we have also observed the group expanding\r\nits targeting to regions such as South America and South Africa.\r\nEarth Naga has been actively targeting high-value organizations across strategic sectors since at least 2021.\r\nPrimary targets include government agencies, telecommunications, military-related manufacturers, technology\r\ncompanies, media outlets and academic institutions, with a concentrated focus on entities based in Taiwan (Table\r\n1).\r\nIn addition to its operations in Taiwan, Earth Naga has extended its reach to selected organizations in the broader\r\nAPAC region, as well as in NATO member countries and Latin America, indicating a growing interest in global\r\nintelligence collection.\r\nIntrusion set Targeted industry\r\nTargeted\r\nregion\r\nDate\r\nEarth Estries / Earth Naga (Premier\r\nPass)\r\nRetail company APAC\r\nNovember\r\n2024\r\nEarth Estries / Earth Naga (Premier\r\npass)\r\nGovernment agency\r\nSoutheast\r\nAsia\r\nMarch 2025\r\nEarth Estries and Earth Naga (separate\r\ncompromises)\r\nTelecommunications\r\nprovider\r\nAPAC April 2025\r\nEarth Naga\r\nInformation service\r\nprovider\r\nTaiwan April 2025\r\nEarth Estries and Earth Naga (separate\r\ncompromises)\r\nTelecommunications\r\nprovider\r\nNATO\r\ncountry\r\nJuly 2025\r\nTable 1. Recent campaigns involving Earth Estries and Earth Naga\r\nEvidence of access broker activities by Earth Estries\r\nhttps://www.trendmicro.com/en_us/research/25/j/premier-pass-as-a-service.html\r\nPage 2 of 12\n\nOur investigation indicates that Earth Estries operated as an access broker in some campaigns. Specifically,\r\nevidence of shared access behavior was identified in the TrillClient attack chainsopen on a new tab attributed to\r\nEarth Estries.\r\nCollaboration between multiple intrusion sets is not unheard of, but we believe there are multiple categories that\r\ncan be used to describe these types of incidents. 
Therefore, we will introduce multiple types we know about later\r\nin this report.\r\nIn two distinct organizational environments that have been persistently targeted by Earth Estries, we identified\r\nevidence suggesting that Earth Estries shared access to Earth Naga. This activity indicates a possible operational\r\nlinkage or access-sharing arrangement between the two threat groups, which may reflect strategic collaboration\r\nwithin a broader threat ecosystem.\r\nThe first instance was identified in November 2024, involving a major mobile retail company in the APAC region,\r\nwhere Earth Estries appeared to have provided access to Earth Naga. In addition, our telemetry data reveals that\r\nEarth Estries attempted to share access with Earth Naga as early as late 2023. However, Earth Naga’s toolset was\r\ndetected and blocked by our product during deployment. Therefore, we didn’t observe any network traffic with\r\nknown Earth Naga command-and-control (C\u0026C) infrastructure at that time.\r\nSubsequently, we identified a second instance of shared access in March 2025, this time involving a government\r\nagency in Southeast Asia. Further analysis and indicators related to this case are included in following section.\r\nEarth Estries and Earth Naga’s joint operation\r\nFigure 1 illustrates the attack infection chain we have constructed based on incidents observed within a Southeast\r\nAsian government entity earlier this year. These events, which bear strong ties to the activities of Earth Estries and\r\nEarth Naga, offer insights into the TTPs employed by these intrusion sets in recent campaigns.\r\nhttps://www.trendmicro.com/en_us/research/25/j/premier-pass-as-a-service.html\r\nPage 3 of 12\n\nFigure 1. The overview of infection chain observed in multiple infected machines\r\nBased on the timeline of observed events, the following key findings were derived from our in-depth analysis of\r\nactivities linked to Earth Estries and Earth Naga:\r\n1. 
Initial compromise via vulnerable internal web server (January 2025)\r\nOn January 22, 2025, Earth Estries likely leveraged an unmanaged host to compromise a vulnerable internal web\r\nserver (Vulnerable Web Server X). The attacker deployed the CrowDoor backdoor on the server, which\r\nsubsequently established communication with CrowDoor C\u0026C infrastructure:\r\nhttps://www.trendmicro.com/en_us/research/25/j/premier-pass-as-a-service.html\r\nPage 4 of 12\n\nback-trust-aurora[.]cluster-ctrjumtpbmf[.]mnl-east-2.timcorpnet[.]com\r\n2. Lateral movement and deployment of toolsets (March 2025)\r\nIn March 2025, multiple Earth Estries-related toolsets were discovered on several internal machines. Due to space\r\nlimitations, we highlight the four most significant infected hosts: In Figuer 1, these are labelled as Infected\r\nMachine A, B, C, and D.\r\n3. Deployment of ShadowPad via Multiple Vectors (March 2025)\r\nSince March 18, 2025, we have identified that Earth Estries has been deploying the ShadowPad backdoor through\r\nmultiple vectors within the compromised environment. We believe the threat actor tried all these approaches in an\r\nattempt to evade detection:\r\nDeploy malware via Cobalt Strike SMB beacon (Figure 2)\r\nDeploy malware using compromised user credentials to transfer files via SMB\r\nDeploy malware via CrowDoor (new variant of SparrowDoor)\r\nFigure 2. The ShadowPad deployment observed in Trend Vision One™\r\nOn March 27, 2025, we identified the deployment of a ShadowPad malware sample originating from a CrowDoor\r\nnetwork session. 
The session, observed on Infected Machine D, was associated with the following CrowDoor\r\nC\u0026C infrastructure:\r\nC\u0026C domain: afddd9d14453d4f9-1e185df7e4[.]ap-southeast-mnl[.]timcorpnet[.]com\r\nResolved C\u0026C IP address: 103[.]175[.]16[.]77\r\nThis activity suggests a possible linkage or operational overlap between CrowDoor and ShadowPad toolsets,\r\npotentially indicating shared infrastructure or a coordinated campaign.\r\n4. Attribution of ShadowPad to Earth Naga\r\nhttps://www.trendmicro.com/en_us/research/25/j/premier-pass-as-a-service.html\r\nPage 5 of 12\n\nThe ShadowPad C\u0026C server 45[.]92[.]158[.]50 is linked to known Earth Naga C\u0026C infrastructure. This marks\r\nthe second observed instance of Earth Estries deploying a known Earth Naga backdoor within a victim’s internal\r\nnetwork.\r\nMalware toolkit\r\nThe following malware families were involved in this incident:\r\nDraculoader - a generic shellcode loader. We observed the final decrypted payload could be CrowDoor,\r\nHEMIGATE and CobaltStrike beacon\r\nCobalt Strike - an offensive framework used by all kinds of threat actors\r\nCrowDoor - a malware family used by Earth Estries\r\nShadowPad - a malware family used by multiple advanced China-aligned threat actors\r\nThe CrowDoor infection flow is as follows:\r\nLogServer.exe -\u003e VERSION.dll -\u003e LogServer (payload)\r\nLogServer.exe - Legitimate Microsoft launcher vulnerable to DLL side-loading\r\nVERSION.dll - DRACULOADER loader. 
The payload filename is the same with the host process\r\nfilename minus the file extension\r\nLogServer - This is an encrypted shellcode payload form of a backdoor known as CrowDooropen on a\r\nnew tab\r\nC\u0026C server: back-trust-aurora[.]cluster-ctrjumtpbmf[.]mnl-east-2.timcorpnet[.]com\r\nThe ShadowPad infection flow is as follows:\r\nbdreinit.exe -\u003e wer.dll(loader) -\u003e 36EB6076.tmp/A30429D0.tmp (payload)\r\nThe ShadowPad samples were of the same variant that we described recentlyopen on a new tab, however with\r\ndifferent DLL filenames being side-loaded:\r\nBdreinit.exe - Legitimate executable signed by BitDefender vulnerable to DLL side-loading\r\nwer.dll - Malicious DLL loading the encrypted ShadowPad payload\r\n36EB6076.tmp or A30429D0.tmp - Encrypted ShadowPad payload, encrypted to the Windows registry\r\nand removed after the first launch of the malware\r\nPost-exploitation tools\r\nWe observed Earth Estries using the following post-exploitation tools (Figure 3):\r\nAnyDesk\r\nA VMProtected version of EarthWorm, a SOCK5 network tunnel\r\nBlindsight, a publicly available tool to dump LSASS memory with evasion techniques based on\r\ntransactional NTFS\r\nA custom tool dumping memory from its loading process, probably used as security support provider (SSP)\r\nto dump LSASS memory, detected as HackTool.Win64.MINIDUMP.ZALL\r\nhttps://www.trendmicro.com/en_us/research/25/j/premier-pass-as-a-service.html\r\nPage 6 of 12\n\nFigure 3. The post-exploitation activities observed in Trend Vision One\r\nRecent activities targeting a major telecommunication provider\r\nBetween late April and late July of this year, we detected attempts by Earth Estries and Earth Naga to gain access\r\nto at least two top telecommunications providers located in the APAC region and NATO member countries.\r\nBoth Earth Estries and Earth Naga have demonstrated distinct, long-term targeting of specific organizations. 
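\r\nAs an added hunting example (not code from the original report or from Trend Micro), the following Python runs three checks over constructed, Sysmon-like endpoint events: VERSION.dll or wer.dll resolved from a non-system directory (the side-loading signal generalized beyond the two launchers named above, which are still recognized and labelled with their family), connections to the CrowDoor and ShadowPad C\u0026C infrastructure listed in this report, and a second family’s loader components written to disk by a process that already hosts the first backdoor, which is the observable form of the same-session deployment described for Infected Machine D. The event field names, host names, paths and the 198.51.100.7 address are assumptions made for the example.\r\n
```python
# Added example, not code from the Trend Micro report or its authors.
# A hunting pass over endpoint events for the behaviours described above:
#   1. DLL side-loading: a DLL that Windows serves from System32 (VERSION.dll,
#      wer.dll) resolved from the host executable's own directory instead.
#   2. Network contact with the CrowDoor/ShadowPad C2 infrastructure listed.
#   3. Components of a second malware family written to disk by a process that
#      is already a known backdoor host (the report's Rule 2: the next-stage
#      malware is deployed in the same process or network session).
# The event records and their field names are constructed for this example and
# only resemble Sysmon image-load / network-connect / file-create events.
from dataclasses import dataclass

SEP = chr(92)  # the Windows path separator, built so the source holds no backslash literal


def wp(*parts):
    return SEP.join(parts)


def basename(path):
    return path.replace(SEP, '/').rsplit('/', 1)[-1].lower()


def dirname(path):
    return path.replace(SEP, '/').rsplit('/', 1)[0].lower()


# Defanged IOCs exactly as printed in the report, refanged for matching.
DEFANGED_IOCS = [
    'back-trust-aurora[.]cluster-ctrjumtpbmf[.]mnl-east-2.timcorpnet[.]com',
    'afddd9d14453d4f9-1e185df7e4[.]ap-southeast-mnl[.]timcorpnet[.]com',
    '103[.]175[.]16[.]77',
    '45[.]92[.]158[.]50',
]
IOCS = {ioc.replace('[.]', '.').lower() for ioc in DEFANGED_IOCS}

# Side-loading chains from the report: host executable -> (DLL it resolves locally, family).
CHAINS = {
    'logserver.exe': ('version.dll', 'Draculoader/CrowDoor'),
    'bdreinit.exe': ('wer.dll', 'ShadowPad'),
}
TRACKED_DLLS = {dll for dll, _ in CHAINS.values()}
SYSTEM_DIRS = {'c:/windows/system32', 'c:/windows/syswow64'}


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def check_image_load(ev):
    host_exe, dll, src = basename(ev['image']), basename(ev['loaded']), dirname(ev['loaded'])
    if dll not in TRACKED_DLLS or src in SYSTEM_DIRS:
        return None  # not a DLL we track, or the genuine copy shipped by Windows
    chain = CHAINS.get(host_exe)
    family = chain[1] if chain and chain[0] == dll else 'unknown family'
    return Finding(ev['host'], 'dll-sideload', f'{host_exe} resolved {dll} from {src} ({family})')


def check_network(ev):
    image = basename(ev['image'])
    for dest in (ev.get('dest_host', ''), ev.get('dest_ip', '')):
        if dest.lower() in IOCS:
            return Finding(ev['host'], 'c2-ioc', f'{image} -> {dest}')
    return None


def check_file_create(ev):
    writer, created = basename(ev['writer_image']), basename(ev['path'])
    if writer not in CHAINS:
        return None  # the writing process is not a known backdoor host
    writer_family = CHAINS[writer][1]
    for exe, (dll, family) in CHAINS.items():
        if created in (exe, dll) and family != writer_family:
            return Finding(ev['host'], 'cross-toolset-deployment',
                           f'{writer_family} host {writer} wrote {family} component {created}')
    return None


CHECKS = {'image_load': check_image_load, 'network_connect': check_network, 'file_create': check_file_create}


def hunt(events):
    findings = []
    for ev in events:
        finding = CHECKS.get(ev['type'], lambda _: None)(ev)
        if finding:
            findings.append(finding)
    return findings


# Constructed telemetry: the first six records replay the chain the report describes
# (a CrowDoor host stages ShadowPad's side-load pair on Infected Machine D); the last two are benign.
LOGS = wp('C:', 'ProgramData', 'Logs')
BD = wp('C:', 'ProgramData', 'BDTools')
SAMPLE_EVENTS = [
    {'type': 'image_load', 'host': 'WEBSRV-X', 'image': wp(LOGS, 'LogServer.exe'), 'loaded': wp(LOGS, 'VERSION.dll')},
    {'type': 'network_connect', 'host': 'WEBSRV-X', 'image': wp(LOGS, 'LogServer.exe'),
     'dest_host': 'back-trust-aurora.cluster-ctrjumtpbmf.mnl-east-2.timcorpnet.com', 'dest_ip': '198.51.100.7'},
    {'type': 'network_connect', 'host': 'MACHINE-D', 'image': wp(LOGS, 'LogServer.exe'),
     'dest_host': 'afddd9d14453d4f9-1e185df7e4.ap-southeast-mnl.timcorpnet.com', 'dest_ip': '103.175.16.77'},
    {'type': 'file_create', 'host': 'MACHINE-D', 'writer_image': wp(LOGS, 'LogServer.exe'), 'path': wp(BD, 'wer.dll')},
    {'type': 'image_load', 'host': 'MACHINE-D', 'image': wp(BD, 'bdreinit.exe'), 'loaded': wp(BD, 'wer.dll')},
    {'type': 'network_connect', 'host': 'MACHINE-D', 'image': wp(BD, 'bdreinit.exe'), 'dest_host': '', 'dest_ip': '45.92.158.50'},
    {'type': 'image_load', 'host': 'WS-01', 'image': wp('C:', 'Windows', 'System32', 'notepad.exe'),
     'loaded': wp('C:', 'Windows', 'System32', 'version.dll')},
    {'type': 'file_create', 'host': 'WS-01', 'writer_image': wp('C:', 'Windows', 'explorer.exe'),
     'path': wp('C:', 'Users', 'analyst', 'notes.txt')},
]

if __name__ == '__main__':
    for f in hunt(SAMPLE_EVENTS):
        print(f.host, f.rule, f.detail)
```
\r\nRun as a script it prints the six findings the constructed events produce: two side-loads, three C\u0026C contacts, and one cross-toolset deployment (the CrowDoor host writing ShadowPad’s wer.dll on Infected Machine D). Because the side-loading check keys on the DLL name and load directory rather than on the launcher, a different signed executable abused for the same DLL still surfaces, marked as an unknown family.\r\n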
In April, we observed that Earth Naga gained access to the checkpoint mail server of a leading information service provider in Taiwan. They connected to their C\u0026C server using the wget command. Subsequently, our gateway product detected that the attackers attempted to use the checkpoint mail server to establish SSH connections to other internal network hosts.\r\nStarting in July, we identified Earth Estries exploiting CVE-2025-5777 to attack Citrix devices. In the past, we observed both Earth Estries and Earth Naga targeting edge devices from Ivanti, Cisco, and others.\r\nModern APT collaborative attack definitions and types\r\nThe previous study illustrates the complexity of attribution for modern cases. In this section, we aim to set some definitions of what constitutes a modern APT collaborative attack, as observed through our analysis.\r\nIn the past, we have observed that many intrusion sets leverage multi-stage backdoor mechanisms to ensure persistent access and control. In most cases, when a connection within the process chain is identified, we attribute all stages of the backdoor to a single intrusion set.\r\nHowever, here we aim to present a scenario in which, when the following three criteria are met, a more plausible explanation is that multiple threat groups may be collaborating. Therefore, the attribution of espionage operations cannot rely solely on process chain analysis. Similar to how “ORB networks” operate as infrastructure providers, it is also plausible that a specialized access broker service exists to facilitate such collaboration.\r\nThat said, the presence of different malware sample sets should not be immediately interpreted as evidence of a collaborative relationship, as intrusion sets may deploy backdoors through various independent means without the cooperation or knowledge of the affected parties.\r\nRule 1: No traces of compromise of the first intrusion set’s own implant or infrastructure were noticed; for example, no process or network hijacking activity was identified during the operation.\r\nRule 2: The second malware is deployed in the same process or network session as the first.\r\nRule 3: The next-stage malware or its C\u0026C infrastructure cannot be attributed to the same threat group.\r\nNext, we present a categorization of collaborative attack types observed in recent years, summarized in Table 2.\r\nType | Attack type | Collaboration type | Description\r\nA | Shared infection vector | Loose coordination | Deployment of backdoors via web shells, exploitation of vulnerable public-facing servers, or similar methods. Coordination is likely incidental, not intentional.\r\nB | Coordinated supply chain attack | Strict coordination | Attacks leveraging supply chain compromise. Multiple intrusion sets collaborate to distribute backdoors via the same compromised vendor.\r\nC | Deployment of a payload attributed to a different intrusion set | Strict coordination | One group helps another deploy its malware in a target network. This is rare and highly coordinated.\r\nD | Provision of an operational box | Strict coordination | One group prepares infrastructure (an \"operational box\") for use by another, often leveraging cloud services for C\u0026C communications.\r\nTable 2. Categories of collaborative attack types\r\nType A – Shared infection vector (Loose coordination)\r\nThis type involves the deployment of backdoors through web shells, exploitation of vulnerable public-facing servers, and similar initial access techniques. In such cases, any observed coordination between intrusion sets is likely incidental rather than intentional.\r\nRecently, Cisco Talos researchers have also reported on similar activity, reinforcing the prevalence of this technique. However, due to the loose operational structure, we assess that it remains difficult to determine whether any genuine collaboration or intentional access sharing has occurred in cases involving compromised public-facing servers.\r\nType B – Coordinated supply chain attack (Strict coordination)\r\nThis type involves collaboration through supply chain attacks. As highlighted in ESET’s report, we assess that it is unlikely for unrelated intrusion sets to independently distribute backdoors via the same compromised supply chain vendor without some level of prior collaboration or shared intent.\r\nType C – Deployment of a payload attributed to a different intrusion set (Strict coordination)\r\nGroup X actively assists Group Y in deploying its backdoors within an internal network. To our knowledge, this is an unprecedented event among China-aligned APT groups. The case we detailed at the beginning of this report belongs to this category. In September 2025, ESET published a report discussing some collaboration between Gamaredon and Turla, two Russia-aligned intrusion sets. Based on the public reporting, it seems that PteroOdd and PteroPaste, two custom malware families attributed to Gamaredon, deployed Kazuar, a malware attributed to Turla. We cannot confirm those statements, but if they prove to be true, this would also fall into the Type C category.\r\nType D – Provision of an operational box (Strict coordination)\r\nAn evolution of Type C: Group X sets up an “operational box” for Group Y and abuses cloud services for C\u0026C network communications. That way, attribution cannot be based on network indicators. An example of this is the use of the VS Code remote tunnel feature as a RAT. We believe this type represents the most advanced collaboration model observed to date. This level of access sharing makes it very difficult to determine the identity of the actor behind the “operational box” if the threat actor shared access with others.\r\nThe above summarizes the types of collaborative attacks we have observed so far. In the first section of this report, we presented real-world cases belonging to the Type C category.\r\nCollaboration attack | MITRE tactic of the sharing stage\r\nType A – Shared infection vector | Initial access (TA0001)\r\nType B – Coordinated supply chain attack | Initial access (TA0001)\r\nType C – Deployment of a third-party payload | Command and Control (TA0011)\r\nType D – Provision of an operational box | Command and Control (TA0011)\r\nTable 3. MITRE tactics involved in intrusion set collaboration\r\nTable 3 shows the MITRE tactics at which the sharing between the two intrusion sets happens. As seen in this table, the sharing in Types C and D occurs in later stages of the MITRE matrix. This implies that the intrusion set responsible for the access sharing performs more steps of the kill chain in these scenarios, increasing the difficulty of drawing a clear line between its actions and those belonging to the second intrusion set.\r\nEmerging trend: The “Premier Pass-as-a-Service” model in APT operations\r\nWhile it may challenge conventional thinking, we assess that once threat actors have successfully compromised a target and maintained persistence long enough to exfiltrate valuable data, a new operational model, here tentatively referred to as “Premier Pass-as-a-Service”, may be emerging within the ecosystem of China-aligned APT operations.\r\nOur hypothesis stems from observations that diverge from typical initial access broker (IAB) behavior. Unlike IABs, who focus primarily on gaining and selling initial access to networks, the activities we have observed involve direct access to target assets. These unprecedented cases differ in scale, sophistication, and apparent purpose, prompting us to adopt the provisional term Premier Pass-as-a-Service to describe the phenomenon.\r\nThe strategic advantage of such a service lies in its efficiency. Premier Pass-as-a-Service provides direct access to critical assets, reducing the time spent on the reconnaissance, initial exploitation and lateral movement phases (Figure 4). It is analogous to a “fast pass” service at a theme park, where in this context the “facility” could represent any target asset.\r\nFigure 4. Initial access brokers vs. Premier Pass-as-a-Service\r\nIn addition, we are aware that similar activity has been documented by Unit 42 in their research on Stately Taurus. Notably, they observed both Stately Taurus and an uncategorized ShadowPad cluster operating within the same network session, suggesting potential collaboration (this would be what we defined as “Type D” in an earlier section), shared infrastructure, or operational overlap.\r\nAlthough the full extent of this model is not yet known, the limited number of observed incidents, combined with the substantial risk of exposure such a service entails, suggests that access is likely restricted to a small circle of threat actors.\r\nThe emergence of the Premier Pass model may also explain why some APT groups have seemingly gone dark in recent years. Rather than having disbanded or ceased operations, these actors may now be operating covertly through shared access infrastructure, or “operational boxes”, provided by this new service.\r\nBeyond the Diamond Model of intrusion analysis\r\nTo address the increasing complexity in attributing activity among China-aligned APT groups, primarily due to the growing overlap and sharing of TTPs, we propose an enhanced analytic approach that emphasizes identifying each threat actor’s role within specific operational services. Whereas frameworks like the Diamond Model focus on certain key aspects of a cyberthreat – the adversary, infrastructure, capability, and victim – this new approach provides a more granular view of actor behavior and relationships that may not be covered by traditional diamond models (Figure 5).\r\nFigure 5. Example of the relationship between threat groups\r\nKey service categories\r\n- “Premier Pass” or initial access broker\r\n- ORB networks\r\n- Private toolsets or exploitation frameworks\r\nOperational role classification\r\n- Developer – Responsible for creating or maintaining tools, malware, or infrastructure\r\n- Provider/Broker – Facilitates access, distributes tools, or connects operational nodes\r\n- Downstream user – Directly conducts operations using tools or infrastructure provided by others\r\nWe therefore apply this approach to better understand the relationship between the two threat groups through their respective roles:\r\n- Upstream access provider (Premier Pass): Earth Estries\r\n- Downstream access user (Premier Pass): Earth Naga\r\nSecurity recommendations\r\nThe threat landscape is increasingly shaped by sophisticated, multi-group intrusions, as demonstrated by the collaborative operations between Earth Estries and Earth Naga. Defenders must adopt vigilant and multi-layered security strategies to counter risks such as suspicious file deployments, unauthorized remote administration, and targeted attacks on edge devices. To better detect and respond to these evolving tactics, they can apply mitigation practices such as:\r\n- Staying alert to any suspicious file deployment activities, which may originate from compromised servers or lateral movement using leaked credentials.\r\n- Verifying whether any legitimate remote administration tools have been installed and ensuring they are used by authorized users only.\r\n- Carefully monitoring edge devices. A joint advisory containing general recommendations, as well as a methodology for hunting possible compromises, was published in August 2025 by multiple governmental agencies.\r\nConclusion\r\nOur research indicates that Earth Estries and Earth Naga have historically demonstrated significant differences in their TTPs. Therefore, we have tracked them as two separate intrusion sets. Although we have previously observed overlaps in the tools used by both groups, we believe the tool overlap is likely the consequence of a shared digital quartermaster rather than direct collaboration.\r\nHowever, recent evidence of shared access and operational overlap suggests a notable shift, indicating the emergence of a new era of collaborative activity among China-aligned APT groups. This development marks a significant evolution in the threat landscape. The rise of coordinated operations presents an increasing challenge to accurate attribution and effective cyber defence. It is no longer sufficient to focus solely on the activities of individual threat groups. Instead, defenders must recognize and respond to the broader, evolving ecosystem of interconnected threat alliances.\r\nIndicators of compromise (IOCs)\r\nThe indicators of compromise for this entry can be found in the IOC list linked from the original post.\r\nSource: https://www.trendmicro.com/en_us/research/25/j/premier-pass-as-a-service.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/25/j/premier-pass-as-a-service.html"
	],
	"report_names": [
		"premier-pass-as-a-service.html"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f67fb5b3-b0d4-484c-943e-ebf12251eff6",
			"created_at": "2022-10-25T16:07:23.605611Z",
			"updated_at": "2026-04-10T02:00:04.685162Z",
			"deleted_at": null,
			"main_name": "FamousSparrow",
			"aliases": [
				"Earth Estries"
			],
			"source_name": "ETDA:FamousSparrow",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-10T02:00:04.853499Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a09ade2a-6b87-4f9a-b4f8-23cf14f63633",
			"created_at": "2023-11-04T02:00:07.676869Z",
			"updated_at": "2026-04-10T02:00:03.389898Z",
			"deleted_at": null,
			"main_name": "Earth Estries",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Estries",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775433970,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fa0b2245a64f141c0908dd087baee7e7d9e4125e.pdf",
		"text": "https://archive.orkl.eu/fa0b2245a64f141c0908dd087baee7e7d9e4125e.txt",
		"img": "https://archive.orkl.eu/fa0b2245a64f141c0908dd087baee7e7d9e4125e.jpg"
	}
}