{"id":3739,"date":"2018-06-19T21:58:38","date_gmt":"2018-06-19T21:58:38","guid":{"rendered":"https:\/\/kasperskycontenthub.com\/threatpost\/?p=132943"},"modified":"2018-06-19T21:58:38","modified_gmt":"2018-06-19T21:58:38","slug":"apt15-pokes-its-head-out-with-upgraded-miragefox-rat","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/apt15-pokes-its-head-out-with-upgraded-miragefox-rat\/","title":{"rendered":"APT15 Pokes Its Head Out With Upgraded MirageFox RAT"},"content":{"rendered":"<p>The elusive APT15 cyber-espionage group, believed to be affiliated with the Chinese government, has been spotted for the first time in many months, mounting a highly targeted spy campaign using an upgraded version of the Mirage remote access trojan.<\/p>\n<p>This is the first evidence of the China-linked actor\u2019s activity since hacking the U.K. government and military in 2017 (which wasn\u2019t made public until 2018).<\/p>\n<p>The effort follows the known APT15 pattern of infiltrating specific targets with basic tools that are then customized to carry out tailored data exfiltration once the victim has been breached. 
The victim organization in this instance has not been made public, according to a technical <a href=\"https:\/\/www.intezer.com\/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones\/\" target=\"_blank\" rel=\"noopener\">analysis<\/a> of APT15 published by researchers at Intezer last Thursday.<\/p>\n<p><strong>A New and Improved RAT<\/strong><\/p>\n<p>The updated version of the Mirage RAT is called MirageFox. This new version of the RAT was discovered in early June by Intezer, which recognized a specific signature based on code found only in the earlier version of Mirage and in loosely related malware called <a href=\"https:\/\/researchcenter.paloaltonetworks.com\/2017\/11\/unit42-new-malware-with-ties-to-sunorcal-discovered\/\" target=\"_blank\" rel=\"noopener\">Reaver<\/a>. The MirageFox signature was a new upload to VirusTotal, with very few detections.<\/p>\n<p>\u201cMirageFox is very similar to APT15\u2019s old RAT, Mirage, but was upgraded to be undetected by most antivirus, and was tailor-made for their target (meaning they had already breached their target, done reconnaissance work and made this version of the RAT to work specifically in that environment),\u201d Jay Rosenberg, senior researcher at Intezer, explained to Threatpost in an interview. \u201cThe RAT uses a hard-coded, internal network IP address as the C&amp;C. 
This means they already have a node inside the internal network to exfiltrate the stolen data.\u201d<\/p>\n<p>Mirage is an aging RAT at this point, Rosenberg noted.<\/p>\n<p>\u201cOver the weekend, I discovered that the first version of the RAT Mirage was uploaded to VirusTotal in 2009, meaning that the previously believed information that the APT15 was active since 2010 and Mirage originated in 2012 is wrong,\u201d he said.<\/p>\n<p><strong>Malware Code Retread<\/strong><\/p>\n<p>The upgraded version of the malware is an example of code reuse with a few new bells and whistles, researchers said.<\/p>\n<p>The remote shell function used for executing commands and the function for decrypting the data containing the C&amp;C configuration are recycled from the previous version of Mirage, for instance. It also performs the same functions: collecting information about the computer, such as the username, CPU information and architecture, before opening a backdoor and awaiting orders to modify files, gather data, launch processes and terminate itself, among other things. The C&amp;C commands are sent manually, the analysis found.<\/p>\n<p>As for fresh functionality, an unusual export feature suggests there is \u201csome type of DLL hijacking going on,\u201d carried out by distributing a legitimate McAfee binary in a bid to look trustworthy. 
DLL hijacking techniques have been seen in the past with the APT15 group, Rosenberg said.<\/p>\n<p>Curiously, there\u2019s no persistence in the module. It renames itself so that future executions of the RAT will not be through a McAfee binary, perhaps because APT15 has already taken root in the target networks, making re-execution moot.<\/p>\n<p>\u201cThe future persistence could be set up through another component of the malware or even a command sent by the C&amp;C to the infected computer,\u201d Rosenberg said in the analysis.<\/p>\n<p>The decrypted C&amp;C configuration in MirageFox is notable too, he added; the IP address being used for the C&amp;C is actually an internal IP address on the victim company\u2019s network. Rosenberg said this likely indicates that the malefactors stole a VPN private key in order to breach the organization. Other details on the threat vector are not known.<\/p>\n<p><strong>A Rarely-Seen Threat Group<\/strong><\/p>\n<p>The China-linked APT15 (a.k.a. Vixen Panda, Ke3chang, Royal APT or Playful Dragon) is a seldom-seen threat actor, although Rosenberg believes the group is always busy without coming to the attention of researchers.<\/p>\n<p>\u201cI believe APT15\u2019s campaigns are ongoing all the time,\u201d he told Threatpost. \u201cIt\u2019s only from time to time that an incident comes out to the public, because [victim] organizations or companies do not want the public to know that they were breached.\u201d<\/p>\n<p>As for companies and organizations protecting themselves, \u201cit is very difficult because the tools used are very basic and customized once the target has been infiltrated,\u201d Rosenberg said in the interview. 
\u201cFor example, once they have infiltrated an organization, they can see if an AV product is installed, and test to make sure everything is undetected by that AV in their own environment before deploying another part of their toolset.\u201d<\/p>\n<p>The types of companies and organizations they go after are typical nation-state targets, including government, military, contractors, the oil industry and others.<\/p>\n<p>\u201cBasically, [they attack] anyone they could target that would gather some type of intelligence,\u201d Rosenberg told us. \u201cThis is the first evidence of their activity since they <a href=\"https:\/\/threatpost.com\/china-linked-apt15-used-myriad-of-new-tools-to-hack-uk-government-contractor\/130376\/\" target=\"_blank\" rel=\"noopener\">hacked the U.K. government and military<\/a> in 2017.\u201d That effort used multiple customized backdoors installed on a UK government contractor\u2019s computer systems; however, information about the hack was <a href=\"https:\/\/threatpost.com\/china-linked-apt15-used-myriad-of-new-tools-to-hack-uk-government-contractor\/130376\/\" target=\"_blank\" rel=\"noopener\">not made public<\/a> by NCC Group until March 2018.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is the first evidence of the China-linked threat actor&#8217;s activity since it hacked the U.K. government and military in 2017 (which wasn&#8217;t made public until 2018). 
<\/p>\n","protected":false},"author":2,"featured_media":3740,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[3],"tags":[1434,1435,18,1436,28,260,1437,1420,331],"class_list":["post-3739","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-threatpost","tag-apt15","tag-chinese-government","tag-hacks","tag-intezer","tag-malware","tag-malware-analysis","tag-miragefox","tag-new-campaign","tag-rat"],"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/3739","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=3739"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/3739\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/3740"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=3739"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=3739"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=3739"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}