{
	"id": "889f38bb-9e1f-4813-984c-44528f5c84ca",
	"created_at": "2026-04-06T00:13:51.972746Z",
	"updated_at": "2026-04-10T03:24:32.602962Z",
	"deleted_at": null,
	"sha1_hash": "fc5c04bd58a5484a24454f866edb816f1e301cee",
	"title": "LevelBlue - Open Threat Exchange",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 27968,
	"plain_text": "LevelBlue - Open Threat Exchange\r\nBy zer0daydan\r\nArchived: 2026-04-05 15:46:28 UTC\r\nPalo Alto observed an attack led by the APT group Wekby targeting a US-based organization in recent weeks.\r\nWekby is a group that has been active for a number of years, targeting various industries such as healthcare,\r\ntelecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits\r\nvery shortly after those exploits are available, such as in the case of HackingTeam’s Flash zero-day exploit. The\r\nmalware used by the Wekby group has ties to the HTTPBrowser malware family, and uses DNS requests as a\r\ncommand and control mechanism. Additionally, it uses various obfuscation techniques to thwart researchers\r\nduring analysis. Based on metadata seen in the discussed samples, Palo Alto has named this malware family\r\n‘pisloader’.\r\nSource: https://otx.alienvault.com/browse/pulses?q=tag:pisloader\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:pisloader\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://otx.alienvault.com/browse/pulses?q=tag:pisloader"
	],
	"report_names": [
		"pulses?q=tag:pisloader"
	],
	"threat_actors": [
		{
			"id": "17b92337-ca5f-48bb-926b-c93b5e5678a4",
			"created_at": "2022-10-25T16:07:23.333316Z",
			"updated_at": "2026-04-10T02:00:04.546474Z",
			"deleted_at": null,
			"main_name": "APT 18",
			"aliases": [
				"APT 18",
				"Dynamite Panda",
				"G0026",
				"Red Wraith",
				"SILVERVIPER",
				"Satin Typhoon",
				"Scandium",
				"TG-0416",
				"Wekby"
			],
			"source_name": "ETDA:APT 18",
			"tools": [
				"AngryRebel",
				"AtNow",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HttpBrowser RAT",
				"HttpDump",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Pisloader",
				"QUICKBALL",
				"Roseam",
				"StickyFingers",
				"Token Control",
				"TokenControl",
				"hcdLoader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c8aefee7-fb57-409b-857e-23e986cb4a56",
			"created_at": "2023-01-06T13:46:38.285223Z",
			"updated_at": "2026-04-10T02:00:02.910756Z",
			"deleted_at": null,
			"main_name": "APT18",
			"aliases": [
				"SCANDIUM",
				"PLA Navy",
				"Wekby",
				"G0026",
				"Satin Typhoon",
				"DYNAMITE PANDA",
				"TG-0416"
			],
			"source_name": "MISPGALAXY:APT18",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434431,
	"ts_updated_at": 1775791472,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fc5c04bd58a5484a24454f866edb816f1e301cee.pdf",
		"text": "https://archive.orkl.eu/fc5c04bd58a5484a24454f866edb816f1e301cee.txt",
		"img": "https://archive.orkl.eu/fc5c04bd58a5484a24454f866edb816f1e301cee.jpg"
	}
}