{
	"id": "3d991ba0-3c9d-4ae9-8860-f1cbd12cc683",
	"created_at": "2026-04-06T00:10:43.870336Z",
	"updated_at": "2026-04-10T03:33:45.91548Z",
	"deleted_at": null,
	"sha1_hash": "fd6b01e83e768a576de15304790fde3a16e894fe",
	"title": "menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1885161,
	"plain_text": "menuPass Returns with New Malware and New Attacks Against\r\nJapanese Academics and Organizations\r\nBy Jen Miller-Osborn, Josh Grunzweig\r\nPublished: 2017-02-16 · Archived: 2026-04-05 13:23:16 UTC\r\nIn 2016, from September through November, an APT campaign known as “menuPass” targeted Japanese academics\r\nworking in several areas of science, along with Japanese pharmaceutical organizations and a US-based subsidiary of a Japanese\r\nmanufacturing organization. In addition to using PlugX and Poison Ivy (PIVY), both known to be used by the group, they\r\nalso used a new Trojan, named “ChChes” by the Japan Computer Emergency Response Team Coordination Center\r\n(JPCERT). In contrast to PlugX and PIVY, which are used by multiple campaigns, ChChes appears to be unique to this\r\ngroup. An analysis of the malware family can be found later in this blog.\r\nInterestingly, the ChChes samples we observed were digitally signed using a certificate originally used by HackingTeam and\r\nlater part of the data leaked when they were themselves hacked. Wapack Labs also observed a similar sample targeting Japan\r\nin November. It’s not clear why the attackers chose to use this certificate, as it was old, had been leaked online, and had\r\nalready been revoked by the time they used it. Digital certificates are typically used because they afford an air of legitimacy,\r\nwhich this one definitely does not.\r\nThe attackers spoofed several sender email addresses to send spear phishing emails, most notably public addresses\r\nassociated with the Sasakawa Peace Foundation and The White House. All the spear phishes were socially engineered with\r\nsubjects appropriate for the target and the apparent sender. One of the more interesting subject lines was used in the White\r\nHouse attack: “[UNCLASSIFIED] The impact of Trump’s victory to Japan,” sent two days after the election. 
Most of the\r\nattacks against academics involved webmail addresses using the names of academics that are not tied to those academics openly\r\nonline. However, all the spear phish recipients used email addresses tied to them online.\r\nFigure 1. Recent menuPass activity and some ties to older infrastructure\r\nThe C2 infrastructure in these attacks is largely actor registered, with only a few Dynamic Domain Name System (DDNS)\r\ndomains. menuPass typically makes use of a mix of DDNS and actor-registered domains in their attack campaigns. All of\r\nthe related hashes and C2s are in the appendix at the end of this blog.\r\nTies to menuPass\r\nThere is not much public information about the APT campaign called menuPass (also known as Stone Panda and APT10). A\r\npaper from FireEye in 2013 on several campaigns using PIVY included menuPass as one of them. A later blog added some\r\nadditional details. The group name is derived from one of the passwords they use with PIVY in their attacks. Believed to\r\nhave started activity in 2009 and to originate from China, the group initially was known for targeting US and overseas\r\ndefense contractors but broadened their targeting as time passed. They have targeted Japanese organizations since at least\r\n2014.\r\nThe newer ChChes malware family uses an import hash (bb269704ba8647da97377440d403ae4d) shared with other tools\r\nused by menuPass, affording an initial link. However, the ties are most strongly proved through infrastructure analysis,\r\nwhich shows a number of links between the newer infrastructure used in these attacks and older infrastructure publicly\r\nassociated with the group. The three circled domains represent C2s publicly reported as tied to menuPass, linked to domains\r\nnot previously publicly reported as associated. These are only a few of multiple overlaps analysts can find while researching\r\nmenuPass infrastructure. 
The circled known domains are the first three below:\r\napple[.]cmdnetview[.]com\r\nfbi[.]sexxxy[.]biz\r\ncvnx[.]zyns[.]com\r\ncia[.]toh[.]info\r\n2014[.]zzux[.]com\r\nhttps://unit42.paloaltonetworks.com/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/\r\nPage 1 of 11\n\niphone[.]vizvaz[.]com\r\nFigure 2. menuPass infrastructure overlaps\r\nTwo of these domains can further be tied into the newer C2 infrastructure. Again, these are only a few of the overlaps that\r\ncan be uncovered by analyzing the infrastructure used by menuPass. The domains in the below figure are:\r\ncia[.]toh[.]info\r\n2014[.]zzux[.]com\r\nwchildress[.]com\r\nlion[.]wchildress[.]com\r\nkawasaki[.]unhamj[.]com\r\nsakai[.]unhamj[.]com\r\nkawasaki[.]cloud-maste[.]com\r\nfukuoka[.]cloud-maste[.]com\r\nyahoo[.]incloud-go[.]com\r\nmsn[.]incloud-go[.]com\r\nwww[.]mseupdate[.]ourhobby[.]com\r\ncontractus[.]qpoe[.]com\r\nFigure 3. Ties between new and older infrastructure.\r\nAdditionally, the passwords in the PIVY samples also fit known passwords used by the group – three samples use\r\n“menuPass” and the other uses “keaidestone.” With these data points, we assess with high confidence the recent attacks\r\nwere conducted by the menuPass group.\r\nFollowing is our analysis of the ChChes malware family.\r\nMalware Analysis\r\nFor this analysis, Unit 42 looked at the following file:\r\nMD5 c0c8dcc9dad39da8278bf8956e30a3fc\r\nSHA1 009b639441ad5c1260f55afde2d5d21fc5b4f96c\r\nSHA256 6605b27e95f5c3c8012e4a75d1861786fb749b9a712a5f4871adbad81addb59e\r\nCompile Time 2016-11-24 01:31:37 UTC\r\nThis malware is provided with an icon that appears to be that of a Microsoft Word document, as we can see in the image\r\nbelow.\r\nFigure 4. 
Icon used for ChChes\r\nAdditionally, we discovered that the samples identified in attacks against Japanese organizations were digitally signed using\r\nthe certificate originally used by the Italy-based company HackingTeam. Readers may recall that HackingTeam was\r\ncompromised and subsequently had a large amount of internal data exposed in July 2015. This data included a wealth of\r\ncode used by the organization, including certificates. The certificate in question was fairly old, and expired on August 4th,\r\n2012. On July 10th, 2015, the certificate was revoked.\r\nFigure 5. Digital signing of ChChes\r\nFigure 6. Certificate revocation\r\nMultiple instances of malware have been discovered using this certificate since it was originally leaked in 2015. It is unclear\r\nwhy the actors decided to use this certificate that is tied to known malicious samples for their own samples. One possibility\r\nmay be to make attribution more difficult for analysts researching these threats.\r\nWhen the malware is initially run, it will first decrypt an embedded stub of code within the malware prior to executing it.\r\nThis stub has many characteristics seen in shellcode, and begins by creating a new Import Address Table (IAT). This new\r\nIAT is then referenced throughout the remainder of the code when calling Windows APIs. The following snippet of assembly\r\nshows the newly created IAT being referenced to call various functions, such as GetProcessHeap, RtlAllocateHeap,\r\nRtlReAllocateHeap, and InternetReadFile.\r\nFigure 7. 
Newly created IAT being used to call Windows API functions\r\nAfter the IAT has been generated, the malware will determine the path of %TEMP% and set its current working directory to\r\nthis value. ChChes proceeds to collect the following information about the victim:\r\nHostname\r\nProcess Identifier (PID)\r\nCurrent working directory (%TEMP%)\r\nWindow resolution\r\nMicrosoft Windows version\r\nThis information is aggregated into a string such as the following:\r\nWBQTLJRH9553618*2564?3618468394?C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp?1.4.1\r\n(1024x768)*6.1.7601.17514\r\nNote that in the string above, the ‘3618468394’ and ‘1.4.1’ strings are hardcoded within the malware itself. These may\r\nindicate versions of the malware or campaign identifiers; however, this has not been confirmed.\r\nAfter this data has been aggregated, it is uploaded to a hardcoded command and control (C2) server via HTTP. The data is\r\nembedded within the ‘Cookie’ HTTP header, as seen below.\r\nFigure 8. Initial HTTP beacon for ChChes\r\nThe URI used above is randomly generated for each HTTP request made by ChChes. The data embedded within the Cookie\r\nheader is encrypted using a unique technique. For each key/value pair, separated by a ‘;’, the malware will first perform a\r\nMD5 hash of the key, and extract the middle 16 bytes. The value is base64-decoded after the string is URL-unquoted. Finally, the\r\nbase64-decoded data is decrypted using RC4 with the previously obtained 16 bytes. 
All of the data is concatenated to form\r\nthe final, decrypted data.\r\nThe following Python code shows an example of decoding the supplied Cookie field:\r\nimport urllib.parse\r\nimport base64\r\nimport hashlib\r\ndef md5_get_middle(data):\r\n  # Middle 16 hex characters of the MD5 digest, used as the RC4 key\r\n  return hashlib.md5(data).hexdigest()[8:24].encode()\r\ndef rc4_crypt(data, key):\r\n  # Plain RC4: key scheduling, then XOR of the data with the keystream\r\n  S = list(range(256))\r\n  j = 0\r\n  out = bytearray()\r\n  for i in range(256):\r\n    j = (j + S[i] + key[i % len(key)]) % 256\r\n    S[i], S[j] = S[j], S[i]\r\n  i = j = 0\r\n  for byte in data:\r\n    i = (i + 1) % 256\r\n    j = (j + S[i]) % 256\r\n    S[i], S[j] = S[j], S[i]\r\n    out.append(byte ^ S[(S[i] + S[j]) % 256])\r\n  return bytes(out)\r\ncookie_string = 'OtKoVg=jlIt2Eh55%2F%2F38%2FJbKlZpYFNNFhXgOgc0zzNqAxvls8edznJy4k%2BpxKUl1GG15OTRuC%2Blc5R6WGCmOHyPNObeV2O\r\nall_decrypted = ''\r\nsub_strings = cookie_string.split(';')\r\nfor s in sub_strings:\r\n  key, data = s.split('=')\r\n  new_key = md5_get_middle(key.encode())\r\n  new_data = base64.b64decode(urllib.parse.unquote(data))\r\n  decrypted = rc4_crypt(new_data, new_key)\r\n  # The plaintext repeats the cookie key as a delimiter; keep what follows it\r\n  decrypted_data = decrypted.split(key.encode())[1]\r\n  all_decrypted += decrypted_data.decode('latin-1')\r\nprint('Decrypted String:')\r\nprint(repr(all_decrypted))\r\nThe script above produces the following output:\r\nDecrypted String:\r\n'AWBQTLJRH9553618*2564?3618468394?C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp?1.4.1\r\n(1024x768)*6.1.7601.17514'\r\nThe initial ‘A’ character witnessed in the output above instructs the remote server that this is an initial beacon, or 
the first\r\nexpected request sent by ChChes.\r\nThe C2 will respond with a ‘Set-Cookie’ header that contains the middle 16 bytes of the MD5 hash performed against the\r\nhostname and PID. Using the above example, the C2 would perform the MD5 against ‘WBQTLJRH9553618*2564’.\r\njgrunzweig$ echo -n WBQTLJRH9553618*2564 | md5\r\n7fc27808b331106210b6364c326569fd\r\nThe resulting middle 16 characters are ‘b331106210b6364c’.\r\nThe subsequent request made by ChChes looks like the following:\r\nFigure 9. Second network request made by ChChes\r\nDecrypted, we see the following contents stored within the Cookie field:\r\nBb331106210b6364c\r\nThe first character of ‘B’ signifies that this is the second request, and the remaining data is the 16 bytes previously seen in\r\nthe C2 response within the Set-Cookie header.\r\nAt this stage, the C2 server is expected to return content in the following format:\r\n[Middle MD5][Base64-Encoded Data][Middle MD5]\r\nThe ‘Middle MD5’ field contains the middle 16 bytes of the MD5 hash of the ‘b331106210b6364c’ string. This would result\r\nin a string of ‘500089dadf52ae0b’ in this particular example. The ‘Base64-Encoded Data’ field contains a fairly complex\r\nstructure that will store a module that is to be loaded and subsequently run by ChChes.\r\nA visualization of this network communication can be seen in the following figure:\r\nFigure 10. Network flow of ChChes\r\nChChes acts as an initial infiltration point on a victim machine. It has the ability to load additional code that in turn may\r\naccomplish any number of tasks. During analysis, no C2 servers were found to be active, and Unit 42 was unable to identify\r\nany modules being loaded by ChChes. 
However, JPCERT also recently analyzed this family and was able to collect\r\nmodules that give ChChes the following functions:\r\nEncryption of communication by AES\r\nExecute shell command\r\nUploading and downloading files\r\nLoading and executing the DLL\r\nTask list of bot command\r\nHowever, the lack of persistence built into ChChes suggests that it by itself is not intended to run on a victim’s machine for\r\nlong periods of time. In a successful intrusion, it may be only a first stage tool used by the attackers to orient where they\r\nlanded in a network, and other malware will be deployed as a second stage layering for persistence and additional access as\r\nthe attackers move laterally through a network.\r\nConclusion\r\nThese attacks show Japan continues to be a target of interest to APT campaigns. menuPass has targeted individuals and\r\norganizations in Japan since at least 2014, and as the same organizations and academics were largely targeted each month in\r\nthese attacks, it further shows menuPass is persistent in attempts to compromise their targets. menuPass also heavily favors\r\nspear phishing, and so takes steps to socially engineer their spear phishes for maximum appearance of legitimacy. This, and\r\ntheir persistence, highlights the need for training and awareness of spear phishing on the part of both individuals and\r\norganizations likely to be targeted. menuPass is an ongoing APT campaign with a broad range of targets and will likely\r\ncontinue to target Japan in the future.\r\nPalo Alto Networks customers are protected from these malware families and C2 infrastructure by:\r\nAll C2 domains are flagged as malicious in Threat Prevention and PAN-DB\r\nAll three families are properly tagged malware by WildFire. 
Autofocus subscribers can learn more about each family\r\nvia their tags:\r\nChChes\r\nPoison Ivy\r\nPlugX\r\nAdditionally, Autofocus subscribers can learn more about menuPass by exploring tied activity with the menuPass tag.\r\nIndicators of Compromise\r\nThe SHA256 hashes of the ChChes, PlugX and PIVY samples and the list of C2 domains are in the source report linked below.\r\nSource: https://unit42.paloaltonetworks.com/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/"
	],
	"report_names": [
		"unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434243,
	"ts_updated_at": 1775792025,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fd6b01e83e768a576de15304790fde3a16e894fe.pdf",
		"text": "https://archive.orkl.eu/fd6b01e83e768a576de15304790fde3a16e894fe.txt",
		"img": "https://archive.orkl.eu/fd6b01e83e768a576de15304790fde3a16e894fe.jpg"
	}
}