alphatronBot is a backdoor based on a p2p protocol. It has remote control functionality and delivers specific payloads. The malware is controlled through a Pubsub chat room, and the backdoor has more than 700 infected p2p C2 nodes built in, affecting both Linux and Windows platforms.
Recently, the Qi'anxin Threat Intelligence Center discovered a suspicious compressed archive originating from a site disguised as a job search website. Through an intelligence-based comprehensive assessment of malicious behavior, the Qi'anxin Intelligence Sandbox identified the file as suspicious and assigned it a malicious score of 10. The RAS detection results indicated that the sample may use DLL side-loading. Combined with manual analysis, this malicious activity is assessed to be a continuation of the UNC1549 attacks.
Recent activity tracking of APT-Q-27 (the Golden Eye Dog group, 金眼狗) is based on mapping analysis by Qi'anxin Threat Radar. Since 2022, APT-Q-27 has been one of the groups with the highest frequency of attacks against domestic targets. This article introduces the APT-Q-27 samples and attack techniques captured in recent years, and discusses the group's common attack methods and the evolution of its samples.
The Qi'anxin Threat Intelligence Center has found that the new OceanLotus group (APT-Q-31) has recently become active again and is employing a new technique of MSI file abuse; this is the first time the use of this technique has been captured in domestic APT campaigns targeting government and enterprises. The two OceanLotus attack sets share attack resources but have completely different TTPs. The new OceanLotus group was last active in late 2023.
The Qi'anxin Threat Intelligence Center has recently discovered a batch of unusual CHM files in which the embedded HTML is very simple and only executes an external file, which results in a very low number of VT detections. Based on the similarity of the malicious samples, this article assesses that these unusual CHM attack samples and the associated C# backdoor most likely come from the Mysterious Elephant group.
Qi'anxin Threat Intelligence Center