{
	"id": "fb65332e-5c25-4e69-b472-85ef88871c86",
	"created_at": "2026-04-06T00:21:42.302294Z",
	"updated_at": "2026-04-10T03:37:36.669801Z",
	"deleted_at": null,
	"sha1_hash": "0115fd88969fa6f95d6f1574b518d51ab1714562",
	"title": "APT trends report Q3 2019",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57625,
	"plain_text": "APT trends report Q3 2019\r\nBy GReAT\r\nPublished: 2019-10-16 · Archived: 2026-04-05 14:09:21 UTC\r\nFor more than two years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing\r\nquarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat\r\nintelligence research and provide a representative snapshot of what we have published and discussed in greater\r\ndetail in our private APT reports. They are designed to highlight the significant events and findings that we feel\r\npeople should be aware of.\r\nThis is our latest installment, focusing on activities that we observed during Q3 2019.\r\nReaders who would like to learn more about our intelligence reports or request more information on a specific\r\nreport are encouraged to contact intelreports@kaspersky.com.\r\nOn August 30, Ian Beer from Google’s Project Zero team published an extensive analysis of at least 14 iOS zero-days found in the wild and used in five exploitation chains to escalate privileges by an unknown threat actor.\r\nAlthough the use of watering-hole attacks was popular in the early 2010s, it has now become less common.\r\nAccording to Google, a number of waterholed websites were delivering the exploits, possibly as far back as three\r\nyears ago (based on September 2016 usage of the first exploit chain). While the blog contains no details about the\r\ncompromised sites or if they are still active, it claims that these websites receive “thousands of visitors per week”.\r\nThe first stage Webkit exploit used to infect visitors makes no discrimination other than that the victim uses an\r\niPhone and browses the website with Safari, although the vulnerability would also have worked in other browsers\r\nsuch as Chrome. 
The lack of victim discrimination would point to a relatively non-targeted attack, but the not-so-high estimate of the number of visitors to the waterholed sites seems to indicate that the attack was targeted at\r\nsome communities: it is likely that these waterholed sites were all dedicated to some common topic. The blog does\r\nnot contain many details regarding who the actor behind this attack is, but the high technical capabilities needed\r\nto deliver and install this malware, and keep the exploitation chains up-to-date for more than two years, show a\r\nhigh level of resources and dedication. Upon infection, the malware itself will be invisible to the victim. It pings\r\nits C2 every 60 seconds for new commands. It is able to get access to all kinds of files in the system, as well as\r\ntracking GPS position. There is no mechanism to survive a reboot, but the capability to steal signing-in cookies\r\nfrom a victim’s account can keep providing the attackers with access to this data.\r\nShortly after the Google blogpost, Volexity published more details about the waterholing websites used in the\r\nattack to distribute the malware, pointing to a “strategic web compromise targeting Uyghurs”. Citizen Lab\r\npublished the Android counterpart for this story, stating that between November 2018 and May 2019, senior\r\nmembers of Tibetan groups were targeted by the same actor (this time dubbed POISON CARP by Citizen Lab)\r\nusing malicious links in WhatsApp text exchanges, with the attackers posing as NGO workers, journalists and\r\nother fake personas. 
The links led to code designed to exploit web browser vulnerabilities to install spyware on\r\niOS and Android devices, and in some cases to OAuth phishing pages.\r\nhttps://securelist.com/apt-trends-report-q3-2019/94530/\r\nPage 1 of 6\n\nAt the beginning of September 2019, Zerodium, a zero-day brokerage firm, indicated that a zero-day for Android\r\nwas now worth more than one for iOS: the exploit broker is now willing to pay $2.5 million for a zero-click\r\nAndroid zero-day with persistence. This is a significant increase on the company’s previous payout ceiling of $2\r\nmillion for remote iOS jailbreaks. By contrast, Zerodium has also reduced payouts for Apple one-click exploits.\r\nOn the same day, a high-severity zero-day was found in the v4l2 (Video4Linux) driver, the Android media driver.\r\nThis vulnerability, which could enable privilege escalation, was not included in Google’s September security\r\nupdate. A few days later, an Android flaw was identified that left more than a billion Samsung, Huawei, LG and\r\nSony smartphones vulnerable to an attack that would allow an attacker to gain full access to emails on a\r\ncompromised device using an SMS message.\r\nRussian-speaking activity\r\nTurla (aka Venomous Bear, Uroburos and Waterbug) has made significant changes to its toolset. While\r\ninvestigating malicious activity in Central Asia, we identified a new backdoor that we attribute with medium\r\nconfidence to this APT group. The malware, named Tunnus, is a .NET-based backdoor with the ability to run\r\ncommands or perform file actions on an infected system and send the results to its C2. So far, the C2 infrastructure\r\nhas been built using compromised sites with vulnerable WordPress installations. 
According to our telemetry,\r\nTunnus activity started in March and was still active when we published our private report in July.\r\nTurla has also wrapped its notorious JavaScript KopiLuwak malware in a dropper called Topinambour, a new .NET\r\nfile that the group is using to distribute and drop KopiLuwak through infected installation packages for legitimate\r\nsoftware programs such as VPNs. Some of the changes are to help Turla evade detection. For example, the C2\r\ninfrastructure uses IP addresses that appear to mimic ordinary LAN addresses. The malware is almost completely\r\n‘fileless’: the final stage of infection, an encrypted Trojan for remote administration, is embedded into the\r\ncomputer’s registry for the malware to access when ready. Two KopiLuwak analogues – the .NET RocketMan\r\nTrojan and the PowerShell MiamiBeach Trojan – are used for cyber-espionage. We think that the threat actor\r\ndeploys these versions where their targets are protected with security software capable of detecting KopiLuwak.\r\nAll three implants can fingerprint targets, gather information on system and network adapters, steal files and\r\ndownload and execute additional malware. MiamiBeach is also able to take screenshots.\r\nIn September, Zebrocy spear-phished multiple NATO and alliance partners throughout Europe, attempting to gain\r\naccess to email communications, credentials and sensitive documents. This campaign is similar to past Zebrocy\r\nactivity, with target-relevant content used within emails, and ZIP attachments containing harmless documents\r\nalongside executables with altered icons and identical filenames. The group also makes use of remote Word\r\ntemplates pulling contents from the legitimate Dropbox file sharing site. 
In this campaign, Zebrocy targeted\r\ndefense and diplomatic targets located throughout Europe and Asia with its Go backdoor and Nimcy variants.\r\nChinese-speaking activity\r\nHoneyMyte (aka Temp.Hex and Mustang Panda), which has been active for several years, has adopted different\r\ntechniques to perform its attacks over the past couple of years, and has focused on various targeting profiles. In\r\nprevious attacks, conducted from mid-2018, this threat actor deployed PlugX implants, as well as multi-stage\r\nPowerShell scripts resembling CobaltStrike. That campaign targeted government entities in Myanmar, Mongolia,\r\nEthiopia, Vietnam and Bangladesh. We recently described a new set of activities from HoneyMyte involving\r\nattacks that relied on several types of tools. They include: (a) PlugX implants; (b) a multi-stage package\r\nresembling the CobaltStrike stager and stageless droppers with PowerShell and VB scripts, .NET executables,\r\ncookie-stealers and more; (c) ARP poisoning with DNS hijacking malware, to deliver poisoned Flash and\r\nMicrosoft updates over http for lateral movement; (d) various system and network utilities. Based on the targeting\r\nof government organizations related to natural resource management in Myanmar and a major continental\r\norganization in Africa, we assess that one of the main motivations of HoneyMyte is gathering geo-political and\r\neconomic intelligence. While a military organization was targeted in\r\nBangladesh, it’s possible that the individual targets were related to geopolitical activity in the region.\r\nSince the beginning of 2019, we have observed a spike in LuckyMouse activity, both in Central Asia and the\r\nMiddle East. For these new campaigns, the attackers seem to focus on telecommunications operators, universities\r\nand governments. 
The infection vectors are direct compromise, spear phishing and, possibly, watering holes.\r\nLuckyMouse hasn’t changed any of its TTPs (Tactics, Techniques and Procedures), continuing to rely on its own\r\ntools to get a foothold in the victim’s network. The new campaigns consist of HTTPBrowser as a first stage,\r\nfollowed by the Soldier Trojan as a second-stage implant. The attackers made a change to their infrastructure, as\r\nthey seem to solely rely on IPv4 addresses instead of domain names for their C2s, which can be seen as an attempt\r\nby them to limit correlation. The campaigns from this actor were still active at the time we published our latest\r\nprivate report on LuckyMouse in September.\r\nOur January 2018 private report ‘ShaggyPanther – Chinese-speaking cluster of activity in APAC’ introduced\r\nShaggyPanther, a previously unseen malware and intrusion set targeting Taiwan and Malaysia. Related\r\ncomponents and activity span back over a decade, with similar code maintaining compilation timestamps as far\r\nback as 2004. Since then ShaggyPanther activity has been detected in several more locations: the most recent\r\ndetections occurred on servers in Indonesia in July, and, somewhat surprisingly, in Syria in March. The newer\r\n2018 and 2019 backdoor code maintains a new layer of obfuscation and no longer maintains clear-text C2 strings.\r\nSince our original release, we have identified an initial server-side infection vector from this actor, using\r\nSinoChopper/ChinaChopper, a commonly used webshell shared across multiple Chinese-speaking actors.\r\nSinoChopper is not only used to perform host identification and backdoor delivery but also email archive theft and\r\nadditional activity. Though not all incidents can be traced back to server-side exploitation, we did detect a couple\r\nof cases and obtained information about their staged install process. 
In 2019 we observed ShaggyPanther targeting\r\nWindows servers.\r\nMiddle East\r\nOn August 1, Dragos published an overview of attacks called ‘Oil and Gas Threat Perspective Summary’, which\r\nreferences an alleged new threat actor they call Hexane. According to the report, “HEXANE targets oil and gas\r\nand telecommunications in Africa, the Middle East, and Southwest Asia”. Dragos claims to have identified the\r\ngroup in May 2019, associating it with OilRig and CHRYSENE. Although no IoCs have been made publicly\r\navailable, some researchers have shared hashes in a Twitter thread in response to the Dragos announcement. Our\r\nanalysis reveals some low-confidence similarities with OilRig based on TTPs, which is something that Dragos\r\nalso mentions in its research. If this is indeed the case, the recent leaks from Lab Dookhtegan and GreenLeakers\r\noffer several hypotheses about this group’s emergence. Due to exposure and leaks, OilRig may simply have\r\nchanged its toolset and continued to operate as usual: this would imply a quick and flexible response to the leaks\r\nfrom this actor. Or perhaps some of the OilRig TTPs were adopted by a new group that seems to have similar\r\ninterests. Hexane’s activity appears to have started around September 2018 with a second wave of activity starting\r\nin May 2019. In all cases, the artefacts used in the attacks are relatively unsophisticated. The constant evolution of\r\nthe droppers seems to indicate a trial-and-error period where attackers were testing how best to evade detection.\r\nThe TTPs we can link to previous OilRig activity include the described trial-and-error process, the use of\r\nsimplistic unsophisticated droppers distributed through spear phishing and DNS-based C2 exfiltration.\r\nTortoiseShell is a new cluster of activities associated with an unknown APT actor, revealed by Symantec on\r\nSeptember 18, 2019. 
Symantec claims that the first signs of activity were seen in July 2018, and are still active\r\none year later; Kaspersky has seen different TortoiseShell artifacts dating back to January 2018. To date, all\r\nregistered attacks, according to our telemetry, are in Saudi Arabia. Symantec’s report also confirms that the\r\nmajority of the infections they found were in the same location. The attackers deploy their Syskit backdoor and\r\nthen use it for reconnaissance. Other tools deployed on the victim machines are designed to collect files and pack\r\nthem using RAR, gathering further system information. In one case, the attackers deployed the TightVNC remote\r\nadministration tool to obtain full access to a machine. Symantec mentions traces of OilRig tools in some of the\r\nvictims, something which we cannot confirm. Also, they mention in their blogpost the possibility that this was\r\ndistributed through a supply chain attack. We were able to see the malware being distributed through a fake\r\napplication distributed from a specifically created website for war veterans around two months before the\r\npublication of our report. The website was activated shortly after we published our report during a national\r\nholiday period in Saudi Arabia. However, we didn’t find any compromised application that could suggest a supply\r\nchain attack.\r\nSoutheast Asia and the Korean Peninsula\r\nRecently we discovered new Android malware disguised as a mobile messenger or as cryptocurrency-related\r\napplications. The new malware has several connections with KONNI, a Windows malware strain that has been\r\nused in the past to target a human rights organization and an individual/organization with an interest in Korean\r\nPeninsula affairs. KONNI has also previously targeted cryptocurrencies. 
The infected apps don’t steal\r\ncryptocurrencies from a specific trading application or switch wallet addresses; they implement full-featured\r\nfunctionalities to control an infected Android device and steal personal cryptocurrency using these features. We\r\nworked closely with a local CERT in order to take down the attacker’s server, giving us a chance to investigate it.\r\nWe recently tracked new BlueNoroff activity. In particular, we identified a bank in Myanmar that was\r\ncompromised by this actor and promptly contacted it to share the IoCs we had found. This collaboration allowed\r\nus to obtain valuable information on how the attackers move laterally to access high value hosts, such as those\r\nowned by the bank’s system engineers interacting with SWIFT. They use a public login credential dumper and\r\nhomemade PowerShell scripts for lateral movement. BlueNoroff also employs new malware with an uncommon\r\nstructure, probably to slow down analysis. Depending on the command line parameters, this malware can run as a\r\npassive backdoor, an active backdoor or a tunneling tool; we believe the group runs this tool in different modes\r\ndepending on the situation. Moreover, we found another type of PowerShell script used by this threat actor when it\r\nattacked a target in Turkey. This PowerShell script has similar functionality to those used previously, but\r\nBlueNoroff keeps changing it to evade detection.\r\nKaspersky observed a recent campaign utilizing a piece of malware referred to by FireEye as DADJOKE. This\r\nmalware was first used in the wild in January 2019 and has undergone constant development since then. We have\r\nonly observed this malware being used in a small number of active campaigns since January, all targeting\r\ngovernment, military, and diplomatic entities in the Southeast Asia region. 
The latest campaign was conducted on\r\nAugust 29 and seems to have targeted only a select few individuals working for a military organization.\r\nThe Andariel APT group, considered to be a sub-group of Lazarus, was initially described by the South Korean\r\nFinancial Security Institute (FSI) in 2017. This threat actor has traditionally focused on geopolitical espionage and\r\nfinancial intelligence in South Korea. We have released several private intelligence reports on the group. We\r\nrecently observed new efforts by this actor to build a new C2 infrastructure targeting vulnerable Weblogic servers,\r\nin this case exploiting CVE-2017-10271. Following a successful breach, the attackers implanted malware signed\r\nwith a legitimate signature belonging to a South Korean security software vendor. Thanks to the quick response of\r\nthe South Korean CERT, this signature was soon revoked. The malware is a brand new type of backdoor, called\r\nApolloZeus, started by a shellcode wrapper with complex configuration data. This backdoor uses a relatively large\r\nshellcode in order to make analysis difficult. In addition, it implements a set of features to execute the final\r\npayload discreetly. The discovery of this malware allowed us to find several related samples, as well as documents\r\nused by the attackers to distribute it, providing us with a better understanding of the campaign. Indeed, we believe\r\nthis attack is an early preparation stage for a new campaign, which also points to the attacker’s intentions to\r\nreplace their malware framework with the newly discovered artifacts.\r\nOther interesting discoveries\r\nThe well-known Shadow Brokers leak Lost in Translation included an interesting Python script – sigs.py – that\r\ncontained lots of functions to check if a system had already been compromised by another threat actor. 
Each check\r\nis implemented as a function that looks for a unique signature in the system, for example, a file with a unique\r\nname or registry path. Although some checks are empty, 44 entries are listed in sigs.py, many of them related to\r\nunknown APTs that have not yet been publicly described. In 2018, we identified the APT described as the 27th\r\nfunction of the sigs.py file, which we call DarkUniverse. We assess with medium confidence that DarkUniverse is\r\nconnected with the ItaDuke set of activity due to unique code overlaps. The main component is a rather simple\r\nDLL with only one exported function that implements persistence, malware integrity, communication with the C2\r\nand control over other modules. We found about 20 victims in Western Asia and Northeastern Africa, including\r\nmedical institutions, atomic energy bodies, military organizations and telecommunications companies.\r\nSince the beginning of 2019, we have observed the operation of new RCS (Remote Control System) implants for\r\nAndroid. RCS uses watermarks for different customers, which allowed us to correlate post-leak activity in the\r\nwild to obtain a global picture of how this malware is still being used, including the most recent cases. We\r\ndetected RCS being used in Ethiopia in February, while additional samples with the same watermark were also\r\ndetected in Morocco. The deployment method used depends on the actor, but the most common method consists\r\nof sending a legitimate backdoored application with RCS directly to the target using IM services (Telegram and\r\nWhatsApp).\r\nFinal thoughts\r\nIn seeking to evade detection, threat actors are refreshing their toolsets. 
This quarter, we have seen this clearly in\r\nTurla’s development of its Tunnus backdoor and Topinambour dropper.\r\nHowever, when a new campaign is observed, it’s not always immediately clear whether the tools used are the\r\nresult of an established threat actor revamping its tools or a completely new threat actor making use of the tools\r\ndeveloped by an existing APT group. In the case of Hexane, for example, it’s unclear if this is a new development\r\nby OilRig, or the use of OilRig TTPs by a new group with similar interests in the Middle East, Africa and\r\nSouthwest Asia.\r\nKorean-focused APT campaigns continue to dominate activities in Southeast Asia, a trend we first noted in our Q2\r\nreport.\r\nDespite the lower payouts by Zerodium for iOS exploits relative to those for Android, it’s clear that mobile\r\nexploits continue to fetch very high prices. Our research into the ongoing use of RCS implants for Android and the\r\nrevelations about the use of multiple iOS zero-days as described by Google and Citizen Lab underline the fact that\r\nmobile platforms have now become a standard aspect of APT attacks.\r\nAs always, we would note that our reports are the product of our visibility into the threat landscape. However, it\r\nneeds to be borne in mind that, while we strive to continually improve, there is always the possibility that other\r\nsophisticated attacks may fly under our radar.\r\nSource: https://securelist.com/apt-trends-report-q3-2019/94530/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://securelist.com/apt-trends-report-q3-2019/94530/"
	],
	"report_names": [
		"94530"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cde987a8-c71f-49e2-b761-5b7fa2b4ada6",
			"created_at": "2022-10-25T16:07:23.706646Z",
			"updated_at": "2026-04-10T02:00:04.719127Z",
			"deleted_at": null,
			"main_name": "Hexane",
			"aliases": [
				"ATK 120",
				"Cobalt Lyceum",
				"G1001",
				"Lyceum",
				"Operation Out to Sea",
				"Siamesekitten",
				"Yellow Dev 9"
			],
			"source_name": "ETDA:Hexane",
			"tools": [
				"DanBot",
				"DanDrop",
				"Decrypt-RDCMan.ps1",
				"Get-LAPSP.ps1",
				"James",
				"Milan",
				"kl.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9443573a-7ebc-4fd3-869f-b9c820c152d8",
			"created_at": "2022-10-25T16:07:24.175377Z",
			"updated_at": "2026-04-10T02:00:04.889801Z",
			"deleted_at": null,
			"main_name": "ShaggyPanther",
			"aliases": [],
			"source_name": "ETDA:ShaggyPanther",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"SinoChopper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7",
			"created_at": "2023-01-06T13:46:39.054248Z",
			"updated_at": "2026-04-10T02:00:03.197801Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Yellow Liderc",
				"Imperial Kitten",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Smoke Sandstorm",
				"IMPERIAL KITTEN",
				"TA456",
				"DUSTYCAVE",
				"CURIUM"
			],
			"source_name": "MISPGALAXY:Tortoiseshell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9a58d7bb-dd32-41bc-804e-500ef7550cf8",
			"created_at": "2023-01-06T13:46:39.131811Z",
			"updated_at": "2026-04-10T02:00:03.2252Z",
			"deleted_at": null,
			"main_name": "ItaDuke",
			"aliases": [
				"DarkUniverse",
				"SIG27"
			],
			"source_name": "MISPGALAXY:ItaDuke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a7df240e-6750-4b71-99de-85831b92faa2",
			"created_at": "2022-10-25T15:50:23.859253Z",
			"updated_at": "2026-04-10T02:00:05.285965Z",
			"deleted_at": null,
			"main_name": "HEXANE",
			"aliases": [
				"Lyceum",
				"Siamesekitten",
				"Spirlin"
			],
			"source_name": "MITRE:HEXANE",
			"tools": [
				"Milan",
				"netstat",
				"BITSAdmin",
				"DnsSystem",
				"DanBot",
				"ipconfig",
				"Mimikatz",
				"Kevin",
				"PoshC2"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "dcf74886-fda8-4268-905a-3515ead0ab42",
			"created_at": "2024-02-06T02:00:04.127333Z",
			"updated_at": "2026-04-10T02:00:03.574562Z",
			"deleted_at": null,
			"main_name": "ShaggyPanther",
			"aliases": [],
			"source_name": "MISPGALAXY:ShaggyPanther",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "25896473-161f-411f-b76a-f11bb26c96bd",
			"created_at": "2023-01-06T13:46:38.75749Z",
			"updated_at": "2026-04-10T02:00:03.090307Z",
			"deleted_at": null,
			"main_name": "CHRYSENE",
			"aliases": [
				"Greenbug"
			],
			"source_name": "MISPGALAXY:CHRYSENE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "52973e5f-9656-4b60-b7f8-457e32ac4bbe",
			"created_at": "2023-01-06T13:46:39.056888Z",
			"updated_at": "2026-04-10T02:00:03.198866Z",
			"deleted_at": null,
			"main_name": "POISON CARP",
			"aliases": [
				"Evil Eye",
				"Red Dev 16",
				"Earth Empusa"
			],
			"source_name": "MISPGALAXY:POISON CARP",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "386b1b0a-9217-46d4-a0d6-73d6286154e0",
			"created_at": "2025-08-07T02:03:24.760429Z",
			"updated_at": "2026-04-10T02:00:03.619131Z",
			"deleted_at": null,
			"main_name": "COBALT LYCEUM",
			"aliases": [
				"DEV-0133 ",
				"HEXANE ",
				"ScorchedEpoch "
			],
			"source_name": "Secureworks:COBALT LYCEUM",
			"tools": [
				"DanBot",
				"MilanRAT",
				"RGDoor",
				"SharkWork RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b5b24083-7ba6-44cc-9d11-a6274e2eee00",
			"created_at": "2022-10-25T16:07:24.337332Z",
			"updated_at": "2026-04-10T02:00:04.94285Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Cobalt Fireside",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Curium",
				"Devious Serpens",
				"Houseblend",
				"Imperial Kitten",
				"Marcella Flores",
				"Operation Fata Morgana",
				"TA456",
				"Yellow Liderc"
			],
			"source_name": "ETDA:Tortoiseshell",
			"tools": [
				"IMAPLoader",
				"Infostealer",
				"IvizTech",
				"LEMPO",
				"MANGOPUNCH",
				"SysKit",
				"get-logon-history.ps1",
				"liderc",
				"stereoversioncontrol"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "591ffe81-e46b-4e3d-90c1-9bf42abeeb47",
			"created_at": "2025-08-07T02:03:24.726943Z",
			"updated_at": "2026-04-10T02:00:03.805423Z",
			"deleted_at": null,
			"main_name": "COBALT FIRESIDE",
			"aliases": [
				"CURIUM ",
				"Crimson Sandstorm ",
				"Cuboid Sandstorm ",
				"DEV-0228 ",
				"HIVE0095 ",
				"Imperial Kitten ",
				"TA456 ",
				"Tortoiseshell ",
				"UNC3890 ",
				"Yellow Liderc "
			],
			"source_name": "Secureworks:COBALT FIRESIDE",
			"tools": [
				"FireBAK",
				"LEMPO",
				"LiderBird"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2a5c949-7ae0-4610-8bb8-047ab03b1574",
			"created_at": "2022-10-25T16:07:24.064197Z",
			"updated_at": "2026-04-10T02:00:04.856578Z",
			"deleted_at": null,
			"main_name": "Poison Carp",
			"aliases": [
				"Earth Empusa",
				"Evil Eye",
				"EvilBamboo",
				"Poison Carp",
				"Red Dev 16",
				"Sentinel Taurus"
			],
			"source_name": "ETDA:Poison Carp",
			"tools": [
				"ActionSpy",
				"AxeSpy",
				"BADSIGNAL",
				"BADSOLAR",
				"BadBazaar",
				"IRONSQUIRREL",
				"IceCube",
				"MOONSHINE",
				"PoisonCarp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "59ce37c7-ce10-4cc3-ab27-c784a8a0898a",
			"created_at": "2022-10-25T16:07:23.534403Z",
			"updated_at": "2026-04-10T02:00:04.645423Z",
			"deleted_at": null,
			"main_name": "DarkUniverse",
			"aliases": [],
			"source_name": "ETDA:DarkUniverse",
			"tools": [
				"dfrgntfs5.sqt",
				"glue30.dll",
				"msvcrt58.sqt",
				"updater.mod",
				"zl4vq.sqt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434902,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0115fd88969fa6f95d6f1574b518d51ab1714562.pdf",
		"text": "https://archive.orkl.eu/0115fd88969fa6f95d6f1574b518d51ab1714562.txt",
		"img": "https://archive.orkl.eu/0115fd88969fa6f95d6f1574b518d51ab1714562.jpg"
	}
}