{
	"id": "5a200e81-d0be-46a7-a0d3-b202ba9a1925",
	"created_at": "2026-04-06T00:21:57.731529Z",
	"updated_at": "2026-04-10T03:37:17.23159Z",
	"deleted_at": null,
	"sha1_hash": "00c710ce8db792c6b569db1d8f4ecd6718b5ec06",
	"title": "Getting the Story Right, and Why It Matters",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 397580,
	"plain_text": "Getting the Story Right, and Why It Matters\r\nPublished: 2020-01-28 · Archived: 2026-04-05 18:08:38 UTC\r\nThe realm of computer security incidents and events draws increasing amounts of attention, not only from\r\nspecialists and key decision-makers within the field but also “lay” (or non-technical) audiences. As a result of\r\nsuch increasing desire to know about and understand events in this field, researchers as well as journalists\r\npublishing public material must take care to ensure accuracy in communication while at the same time balancing\r\nthis with accessibility. Getting lost in technical jargon or very precise conditional phrasing may be most accurate,\r\nbut will likely lose a “general” audience resulting in a failure to communicate a story. However, moving too far in\r\nthe other direction may mean the nature of an event is obscured or distorted. Finally, the desire to either “be first”\r\nor ensure maximal engagement provides a temptation to “sex up” wording and inflate claims (such as my personal\r\nfavorite, equating “phishing” or “scanning” with a “cyber attack”). Overall there are many pressures, competing\r\ninterests, and at times limited sourcing to develop public communication that meets the criteria of technical\r\naccuracy, general accessibility, and measured language – yet if the overall community of “communicators” in\r\ninformation security doesn’t try, we are all the worse for it.\r\nThis morning, I read an article about a “new” strain of ransomware which includes industrial control system (ICS)\r\nspecific capabilities. Yet from the start, the article errs as the ransomware is not new – it was previously reported\r\nin several other outlets and social media.\r\nhttps://pylos.co/2020/01/28/getting-the-story-right-and-why-it-matters/\r\nPage 1 of 6\n\nIt is worth noting that public reporting did not capture the ICS-specific angle at the time of discovery outside of\r\neasily-lost Twitter conversation. 
However, this omission of prior, publicly-available work 20 days before the new\r\narticle is interesting – and reveals an issue that will come up throughout this analysis. Namely, the reporter in\r\nquestion appears completely dependent upon the single source cited in the article, the firm Otorio.\r\nIn any event, identifying and publicly reporting on the ICS-specific aspects of this ransomware variant (which I’ll\r\nrefer to as EKANS given “Snake” conjures up images of Turla for much of my audience) is nonetheless important.\r\nPreviously, the only publicly-known connections between ransomware and industrial environments were IT-centric\r\ninfections spreading into control system environments, or potentially misguided proof-of-concepts designed for\r\neither academic or marketing purposes. So – there is an important story here, yet further reading indicates\r\ncontinued issues of accuracy and identifying implications.\r\nFirst, and addressing the delicate issue of balancing technical accuracy with general accessibility, there is the\r\nquestion of precise impact. The following is reported in the article, largely relying on single-source statements\r\nfrom the security firm mentioned earlier:\r\nThe above is roughly correct, but not quite. Again, publicly-available work from a few weeks prior exists\r\nproviding a list of the specific processes targeted. From this list (or contacting an independent analyst to verify\r\nfindings), interesting observations appear. First, it is true that specific programs are searched for – but only 64\r\ninstead of hundreds. Second, while GE is prevalent, the specific types of processes targeted (including beyond\r\nGE) are interesting and have implications beyond the alleged loss of operational control. 
When looked at in detail,\r\nthe list of processes and descriptions shows a particular focus:\r\nGE Processes: focus on client and server processes related to the GE Proficy data historian; Proficy licensing server targeting; additional targeting of the GE-owned Fanuc (CNC and related robot platforms for manufacturing) licensing system\r\nThingWorx Industrial Connectivity Suite: remote data collection and centralized display for industrial processes; focus on visibility and monitoring, not control\r\nFLEXNET Licensing Service: license management and activation service; focus on ICS/IoT markets\r\nHoneywell HMIWeb: web-based HMI software; used for management and control of systems\r\nSentinel HASP Licensing Manager: software protection and licensing service; includes security modules like hardware tokens\r\nVMWare Processes: VMWare activation services; VMWare guest processes/services\r\nVarious Remote Data Collection or Monitoring Services: BlueStripe Data Collector; Tivoli; RabbitMQ Server; Microsoft SQL Server and SCCM services\r\nOverall, the focus on ICS-related technologies is clear, but the specific focus reveals potential attacker intentions.\r\nThe processes identified largely relate to licensing and data transfer services for centralized monitoring (whether\r\nin ICS-specific applications like data historians or more general applications like Microsoft SQL or IBM Tivoli).\r\nThe only real exception is the Honeywell HMIWeb process; killing it removes the ability of a human to\r\ninteract via the HMI with the underlying process.\r\nThus what emerges is not so much a disruption of the process or elimination of process control (outside of the\r\nHoneywell HMIWeb item). 
Instead, the attacker appears to focus on the elimination of process (and plant) view.\r\nEven licensing server attacks can induce a “mission kill” on operational view and remote management via a\r\npseudo “denial of service” attack by preventing the licensing check from completing within the environment.\r\nOverall, these actions inhibit operations and make them more expensive, but should not (deliberately) induce\r\nphysical plant disruption. Manual operations would be the obvious and predictable response to such an event, and\r\nwhile expensive and inconvenient they are nonetheless planned for and possible within industrial environments.\r\nEssentially, the ICS-specific process elimination appears designed to increase the pain inflicted through a\r\nransomware event in certain types of industrial environments.\r\nBut just what sort of environment, and what sort of actor? The next section attempts to answer these questions, but\r\nin a way that leaves much to be desired:\r\nThe connection to the Bahrain Petroleum Company (Bapco) is based almost entirely on the email address included\r\nin the ransom note delivered following EKANS execution:\r\nThe email address, bapcocryp[AT]ctemplar[.]com, would, under this interpretation, denote the campaign’s victim.\r\nThis is not an outlandish conclusion to draw, but one that can only be made at low levels of confidence using\r\nproper estimative language. To support this initial conclusion, the security company providing all information for\r\nthe report points to an event previously reported on at Bapco, but associated with the Dustman wiper. 
\r\nThis connection leads to a host of follow-on questions concerning assumptions and potentially faulty logic – all of\r\nwhich lie with the sources of the article, but which would ideally be explored by the reporting journalist. Among\r\nother items, the connectivity between Dustman and Bapco could be called into question now, rather than looking\r\nat these as mutually reinforcing claims linked to a single actor or entity. For one, the Dustman report was provided\r\nby the Saudi National Cybersecurity Authority, which would imply the victims were in Saudi Arabia and not\r\nBahrain. Second, the timing indicates separation in events, from mid-December (EKANS) to late-December\r\n(Dustman). All of this could be explored or questioned, but instead the connectivity is simply left in place making\r\na highly circumstantial claim (that EKANS is the work of Iran and conducted against a Gulf state-owned oil\r\ncompany) seem far stronger than what little evidence supports it.\r\nThe above is further muddied by the closing quotes such as it is “highly unreasonable that [EKANS] was carried\r\nout by a different actor other than Iran” and “it is highly unlikely that a Gulf-area company will be attacked by\r\ntwo different potent actors…at the same time”. These two quotes are, quite simply, bonkers and don’t stand up to\r\neven minimal exploration or investigation. For one, we have numerous examples of networks breached by\r\nmultiple adversaries at the same time – even different groups aligned to the same state sponsor, such as the\r\nDemocratic National Committee intrusion where APT28 and APT29 lived concurrently and independently during\r\nthe course of the breach. \r\nBut even aside from this example, EKANS itself shows no signs of overlap or relation to any known Iranian state-sponsored activity. 
First, the authors claim that the ransomware is positioned as a disruptive wiper (similar in\r\nintention to NotPetya), and thus it is meant for recovery to be either not possible or not intended. While the idea is\r\nnot far-fetched (and I will be presenting on just this at TROOPERS in March 2020), no evidence exists within\r\nEKANS’ execution or code indicating such is the case. Instead, the malware appears as another piece of\r\nransomware, programmed using the Go language and using the relevant libraries for functionality. This stands\r\napart from known Iran-nexus IT disruption activity, which has previously leveraged Distrack wiper variants and\r\nthe EldoS RawDisk driver to produce direct disruption. Technical observables do not mesh with known Iran-nexus\r\nactivity. Furthermore, Iran-related entities have not previously demonstrated much desire or need to mask activity\r\nfor disruption by hiding behind a fig leaf of criminal activity. Aside from blatant attacks such as ZeroCleare and\r\nShamoon3 within the past year or so, Iranian-linked entities were happy to launch missiles and drones at Saudi\r\nArabia in 2019 to produce a disruption in oil and gas facilities. Thus the need for ransomware-as-wiper seems\r\nhighly unlikely, and outside of all past experience.\r\nOverall, Otorio appears to use some strange transitive property of attribution, relying on the following sequence of\r\nreasoning:\r\n1. EKANS is specifically targeted at Bapco.\r\n2. Bapco was targeted by Iranian entities via Dustman roughly concurrently with EKANS.\r\n3. Assume that it is highly unlikely for different entities to be engaged in the same environment with\r\ndisruptive purposes simultaneously.\r\n4. Therefore, Dustman and EKANS are linked.\r\n5. 
Since Dustman is assessed to be Iranian in origin, then EKANS must be as well.\r\nThe logical progression here leaves much to be desired, and should have been examined in greater depth instead\r\nof simply being reported as unquestioned truth.\r\nFinally, there is an issue with EKANS’ very uniqueness. An analysis of the ICS-related processes targeted in the\r\nmalware shows that they are also included in a MEGACORTEX ransomware sample (SHA256:\r\n873aa376573288fcf56711b5689f9d2cf457b76bbc93d4e40ef9d7a27b7be466) identified “in the wild” in August\r\n2019, possibly in the United States. The list of processes in this case encompasses thousands of items, almost all\r\nrelated to security products, with the only ICS-related items being the exact same list as in EKANS. Furthermore,\r\nthis sample was publicly reported by Accenture after discovery, including a list of processes identified. So\r\nEKANS itself seems novel only for adding layers of obfuscation to the process list, but any targeting specificity in\r\nterms of ICS functionality would appear to map back to the MEGACORTEX event earlier in the year. Unless\r\nBapco was targeted by this MEGACORTEX sample, the direct link to Bapco based on specific ICS technologies\r\ntherefore seems weak or nonexistent. Overall, these observed samples align with well-documented, criminal\r\nactivities designed to harvest money from victim environments, and not state-sponsored disruption operations\r\nmasquerading as ransomware.\r\nThe article in question taken without criticism would appear to indicate a new type of state-sponsored disruption\r\ncampaign in the Middle East, tied to Iranian aggression in the Gulf. Yet under moderate scrutiny many (if not all)\r\nof these claims fall apart. 
Unfortunately, the article does an insufficient job in attempting to validate or otherwise\r\nenrich any of the claims provided by the reporting security company, thus producing an inflammatory article\r\nwhere such concern is unwarranted.\r\nThe above is not meant to shame the journalist in question* (or even the reporting company, although I do think\r\nthe lion’s share of any blame for the errors and misconceptions resides with them). However, given the attention\r\nitems such as this can draw in an increasingly tense environment – both in cybersecurity more generally and\r\npotential Iranian actions specifically – an inability to vet or explore the claims made produces substandard\r\nreporting. If (or more likely when) some entity picks this up and uses it as evidence of increasing Iranian\r\naggression, not only has the report misled audiences on the activity in question, but it may even help influence\r\ndefensive and policy choices in ways which are simply not supported by evidence.\r\nTo conclude, we must all strive to do our best when reporting items of significance, such as alleged Iranian cyber\r\ndisruptive activity in the Gulf. The above criticism is not meant to insult or otherwise “blast” any of the parties in\r\nquestion, but it is definitely intended to provide a thorough example for all parties on how we can (and should)\r\nstrive to do better in this field.\r\n*Note: I looked for a means to contact the journalist privately on this matter, but was unable to identify any means\r\nto do so other than a public Twitter stream, which seemed a poor way to communicate some of the detailed and\r\nnuanced points above.\r\nSource: https://pylos.co/2020/01/28/getting-the-story-right-and-why-it-matters/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://pylos.co/2020/01/28/getting-the-story-right-and-why-it-matters/"
	],
	"report_names": [
		"getting-the-story-right-and-why-it-matters"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434917,
	"ts_updated_at": 1775792237,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/00c710ce8db792c6b569db1d8f4ecd6718b5ec06.pdf",
		"text": "https://archive.orkl.eu/00c710ce8db792c6b569db1d8f4ecd6718b5ec06.txt",
		"img": "https://archive.orkl.eu/00c710ce8db792c6b569db1d8f4ecd6718b5ec06.jpg"
	}
}