{
    "type": "bundle",
    "id": "bundle--644781a8-38e7-4df6-be90-2cb5562eb019",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--2b96b5d7-2075-4d96-9706-4b67d615e67c",
            "created": "2023-03-08T12:51:44.657627Z",
            "modified": "2024-09-04T07:23:22.792387Z",
            "name": "Mandiant",
            "identity_class": "organization"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--cee438b5-8e1b-43cc-8d77-953839c5b8b7",
            "created": "2026-06-24T18:10:22.574199Z",
            "modified": "2026-06-24T18:10:22.574199Z",
            "name": "YARA Rule",
            "pattern": "rule M_APT_Launcher_TEARPAGE_1 {\r\nmeta:\r\nauthor = \"Mandiant\"\r\ndate_created = \"2024-08-13\"\r\ndate_modified = \"2024-08-13\"\r\nmd5 = \"006cbff5d248ab4a1d756bce989830b9\"\r\nrev = 1\r\nstrings:\r\n$load_encrypted_payload = { FF 15 [4-8] 83 F8 2C\r\n0F 8? [4-32] 41 B8 20 00 00 00 [4-12] FF 15 [4] 85 C0 0F 8?\r\n[4-32] 41 B8 0C 00 00 00 [4-12] FF 15 [4] 85 C0 0F 8? [4-32]\r\n83 C6 D4 B9 40 00 00 00 [2-16] FF 15 }\r\n$chacha_marker = { 65 78 70 61 [0-12] 6E 64 20\r\n33 [0-12] 32 2D 62 79 [0-12] 74 65 20 6B }\r\n$load_pe = { 81 3C [1-3] 50 45 00 00 [1-8] 8B [1-3]\r\n50 [4-32] B9 FF FF 1F 00 [2-16] FF 15 [4-64] C7 44 24 [1-8] 40\r\n00 00 00 C7 44 24 [1-8] 00 30 00 00 41 FF D? 85 C0 0F 8? }\r\ncondition:\r\nall of them\r\n}",
            "pattern_type": "yara",
            "valid_from": "2024-09-17T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--ff017974-4ff6-43b7-b018-d713de1e35b6",
            "created": "2026-06-24T18:10:22.575019Z",
            "modified": "2026-06-24T18:10:22.575019Z",
            "name": "YARA Rule",
            "pattern": "rule M_APT_Backdoor_MISTPEN_2 {\r\nmeta:\r\nauthor = \"Mandiant\"\r\ndate_created = \"2024-08-13\"\r\ndate_modified = \"2024-08-13\"\r\nmd5 = \"eca8eb8871c7d8f0c6b9c3ce581416ed\"\r\nrev = 1\r\nstrings:\r\n$s1 = \"Cookie: _PHPSESSIONID=\"\r\n$s2 = \"%d_%s_%d\"\r\n$s3 = \"DEAD\" fullword\r\n$s4_sleep_succcess = { 53 6C 65 65 [1-16] 70 20\r\n53 75 [1-16] 63 63 65 73 [1-16] 73 00 }\r\n$s5_hiber_success = { 48 69 62 65 [1-16] 72 20 53\r\n75 [1-16] 63 63 65 73 [1-16] 73 00 }\r\n$s6 = \"Loaded at %p\"\r\n$s7 = \"setup.bin\" wide\r\n$send_DEAD_signal = { 8B 05 [4] 48 C7 ?? FF FF FF\r\nFF 89 45 ?? 0F B6 05 [4] 88 45 ?? 4? 8D [2-64] B9 40 00 00 00\r\nFF 15 [4-8] 8? ?? 01 [1-32] 48 8D 48 08 E8 }\r\n$const_marker = { 83 E3 09 81 C3 11 27 00 00 }\r\ncondition:\r\n(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) ==\r\n0x00004550) and (6 of them or ($s1 and $s2 and $s3 and $s6))\r\n}",
            "pattern_type": "yara",
            "valid_from": "2024-09-17T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--65a46015-91ba-4d1a-9fa1-520d4b11ca4a",
            "created": "2026-06-24T18:10:22.575626Z",
            "modified": "2026-06-24T18:10:22.575626Z",
            "name": "YARA Rule",
            "pattern": "rule M_Launcher_BURNBOOK_2 {\r\nmeta:\r\nauthor = \"Mandiant\"\r\ndate_created = \"2024-08-12\"\r\ndate_modified = \"2024-08-12\"\r\nmd5 = \"57e8a7ef21e7586d008d4116d70062a6\"\r\nrev = 1\r\nstrings:\r\n$parse_decoy_document = { FF 15 [4-32] 41 B8 08\r\n00 00 00 [4-32] FF 15 [4] 85 C0 0F 8? [4-32] 48 83 ?? 08 48 3B\r\n?? 0F 8? [4-32] 41 B8 20 00 00 00 [4-32] FF 15 [4] 85 C0 0F 8?\r\n[4-32] 41 B8 0C 00 00 00 [4-32] FF 15 [4] 85 C0 0F 8? }\r\n$chacha_marker = { 65 78 70 61 [0-12] 6E 64 20 33\r\n[0-12] 32 2D 62 79 [0-12] 74 65 20 6B }\r\ncondition:\r\nall of them\r\n}",
            "pattern_type": "yara",
            "valid_from": "2024-09-17T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--e65cf5d6-4414-41c4-8200-73ba8dc5672b",
            "created": "2026-06-24T18:10:22.576209Z",
            "modified": "2026-06-24T18:10:22.576209Z",
            "name": "YARA Rule",
            "pattern": "rule M_Launcher_BURNBOOK_1 {\r\nmeta:\r\nauthor = \"Mandiant\"\r\ndate_created = \"2024-08-12\"\r\ndate_modified = \"2024-08-12\"\r\nmd5 = \"8c2302c2d43ebe5dda18b8d943436580\"\r\nrev = 1\r\nstrings:\r\n$pk_magic = { 50 4B 03 04 }\r\n$cd_magic = { 50 4B 01 02 }\r\n$n1 = \"libmupdf.dll\"\r\n$n2 = \".pdf\"\r\n$n3 = \"PdfFilter.dll\"\r\n$n4 = \"PdfPreview.dll\"\r\n$n5 = \"SumatraPDF.exe\"\r\ncondition:\r\nuint32(0) == 0x04034b50 and for any i in (2 .. #pk_magic) :\r\n( ($n1 in (@pk_magic[i] + 30 .. @pk_magic[i] + 30 +\r\nuint16(@pk_magic[i] + 26))) and ($n1 in (@cd_magic[i] + 46 ..\r\n@cd_magic[i] + 46 + uint16(@cd_magic[i] + 28))) ) and for any i in\r\n(2 .. #pk_magic) : ( ($n2 in (@pk_magic[i] + 30 .. @pk_magic[i] + 30 +\r\nuint16(@pk_magic[i] + 26))) and ($n2 in (@cd_magic[i] + 46 ..\r\n@cd_magic[i] + 46 + uint16(@cd_magic[i] + 28))) ) and for any i in\r\n(2 .. #pk_magic) : ( ($n3 in (@pk_magic[i] + 30 .. @pk_magic[i] + 30 +\r\nuint16(@pk_magic[i] + 26))) and ($n3 in (@cd_magic[i] + 46 ..\r\n@cd_magic[i] + 46 + uint16(@cd_magic[i] + 28))) ) and for any i in\r\n(2 .. #pk_magic) : ( ($n4 in (@pk_magic[i] + 30 .. @pk_magic[i] + 30 +\r\nuint16(@pk_magic[i] + 26))) and ($n4 in (@cd_magic[i] + 46 ..\r\n@cd_magic[i] + 46 + uint16(@cd_magic[i] + 28))) ) and for any i in\r\n(2 .. #pk_magic) : ( ($n5 in (@pk_magic[i] + 30 .. @pk_magic[i] + 30 +\r\nuint16(@pk_magic[i] + 26))) and ($n5 in (@cd_magic[i] + 46 ..\r\n@cd_magic[i] + 46 + uint16(@cd_magic[i] + 28))) )\r\n}",
            "pattern_type": "yara",
            "valid_from": "2024-09-17T00:00:00Z"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--28875bbe-74d7-45e8-afae-c80df5dc826b",
            "hashes": {
                "MD5": "006cbff5d248ab4a1d756bce989830b9"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--6e6fc049-feb3-4a20-a2ff-2cdede4d714f",
            "hashes": {
                "MD5": "8c2302c2d43ebe5dda18b8d943436580"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--e5139a6b-5c96-455c-886f-910eb3ff5dab",
            "hashes": {
                "MD5": "eca8eb8871c7d8f0c6b9c3ce581416ed"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--bc9696f2-ae8e-4af2-8b85-c71042d0a9bd",
            "hashes": {
                "MD5": "57e8a7ef21e7586d008d4116d70062a6"
            }
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--beeac24b-ca38-4cfb-aac0-b4c3f0568487",
            "value": "https://dstvdtt.co.za/wp-content/plugins/social-pug/assets/lib.php"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--3b8b7354-373f-42e6-87cc-22862902a95c",
            "value": "https://cmasedu.com/wp-content/plugins/kirki/inc/script.php"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--7d4250ce-2c24-4f24-80e6-af1228a49251",
            "value": "https://bmtpakistan.com/solution/wp-content/plugins/one-click-demo-import/assets/asset.php"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--15511121-77d7-4d79-a138-c2fdd3565b1f",
            "value": "cmasedu.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--834ffff2-f904-41d5-b894-cbf98e949124",
            "value": "bmtpakistan.com"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--0899c786-bc2a-4c36-b58d-78994c155924",
            "value": "dstvdtt.co.za"
        },
        {
            "type": "threat-actor",
            "spec_version": "2.1",
            "id": "threat-actor--049cf601-7a61-5344-a195-591661b1b2ec",
            "created": "2026-06-24T18:10:22.583295Z",
            "modified": "2026-06-24T18:10:22.583295Z",
            "name": "UNC2970"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--ac146760-0743-44d8-90cd-5a4a8fdc6075",
            "created_by_ref": "identity--2b96b5d7-2075-4d96-9706-4b67d615e67c",
            "created": "2026-06-24T18:10:22.587925Z",
            "modified": "2026-06-24T18:10:22.587925Z",
            "name": "An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader",
            "published": "2024-09-17T00:00:00Z",
            "object_refs": [
                "identity--2b96b5d7-2075-4d96-9706-4b67d615e67c",
                "indicator--cee438b5-8e1b-43cc-8d77-953839c5b8b7",
                "indicator--ff017974-4ff6-43b7-b018-d713de1e35b6",
                "indicator--65a46015-91ba-4d1a-9fa1-520d4b11ca4a",
                "indicator--e65cf5d6-4414-41c4-8200-73ba8dc5672b",
                "file--28875bbe-74d7-45e8-afae-c80df5dc826b",
                "file--6e6fc049-feb3-4a20-a2ff-2cdede4d714f",
                "file--e5139a6b-5c96-455c-886f-910eb3ff5dab",
                "file--bc9696f2-ae8e-4af2-8b85-c71042d0a9bd",
                "url--beeac24b-ca38-4cfb-aac0-b4c3f0568487",
                "url--3b8b7354-373f-42e6-87cc-22862902a95c",
                "url--7d4250ce-2c24-4f24-80e6-af1228a49251",
                "domain-name--15511121-77d7-4d79-a138-c2fdd3565b1f",
                "domain-name--834ffff2-f904-41d5-b894-cbf98e949124",
                "domain-name--0899c786-bc2a-4c36-b58d-78994c155924",
                "threat-actor--049cf601-7a61-5344-a195-591661b1b2ec"
            ],
            "external_references": [
                {
                    "source_name": "source",
                    "url": "https://cloud.google.com/blog/topics/threat-intelligence/unc2970-backdoor-trojanized-pdf-reader/"
                }
            ]
        }
    ]
}