{
	"id": "84529172-546f-45af-8000-cd1406c0a314",
	"created_at": "2026-04-06T00:12:07.252409Z",
	"updated_at": "2026-04-10T03:37:49.779203Z",
	"deleted_at": null,
	"sha1_hash": "0256b0bc4f12bb03ebdbcfe025b1841f4ebefa05",
	"title": "Cloud Cover: How Malicious Actors Are Leveraging Cloud Services",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 69228,
	"plain_text": "Cloud Cover: How Malicious Actors Are Leveraging Cloud Services\r\nArchived: 2026-04-05 17:43:29 UTC\r\nThe number of threat actors leveraging legitimate cloud services in their attacks has grown this year as attackers\r\nhave begun to realize their potential to provide low-key and low-cost infrastructure. Traffic to and from well-known,\r\ntrusted services such as Microsoft OneDrive or Google Drive may be less likely to raise red flags than\r\ncommunications with attacker-controlled infrastructure.\r\nIn the past few weeks alone, Symantec’s Threat Hunter Team has identified three further espionage operations\r\nusing cloud services and found evidence of further tools in development. Marc Elias, an investigator with the\r\nThreat Hunter Team, will be presenting these findings today (August 7) at the Black Hat Conference in Las Vegas.\r\nGoGra\r\nA previously unseen backdoor which Symantec has named GoGra (Trojan.Gogra) was deployed against a media\r\norganization in South Asia in November 2023. GoGra is written in Go and uses the Microsoft Graph API to\r\ninteract with a command-and-control (C\u0026C) server hosted on Microsoft mail services.\r\nGraph is a Microsoft API designed to facilitate access to resources hosted on Microsoft cloud services, such as\r\nMicrosoft 365. Authentication is carried out using OAuth access tokens.\r\nGoGra is configured to read messages from an Outlook username \"FNU LNU\" whose subject line starts with the\r\nword \"Input\". It decrypts the message contents using the AES-256 algorithm in Cipher Block Chaining (CBC)\r\nmode, using the following key: b14ca5898a4e4133bbce2ea2315a1916.\r\nGoGra executes commands via the cmd.exe input stream and supports an additional command named \"cd\" which\r\nchanges the active directory. 
After the execution of a command, it encrypts the output and sends it to the same user\r\nwith the subject \"Output\".\r\nAnalysis of the backdoor revealed that it is highly likely it was developed by Harvester, a nation-state-backed\r\ngroup uncovered by Symantec in 2021 that specializes in targeting organizations in South Asia.\r\nGoGra is functionally similar to a known Harvester tool called Graphon, which was written in .NET. Aside from\r\nthe different programming languages used, Graphon used a different AES key (juBvYU7}33Xq}ghO), did not\r\ncontain the extra “cd” command, and did not have a hardcoded Outlook username to communicate with. The\r\nusername was instead received from the C\u0026C server.\r\nhttps://www.security.com/threat-intelligence/cloud-espionage-attacks\r\nPage 1 of 6\r\nGoogle Drive exfiltration\r\nA previously unseen exfiltration tool was deployed by the Firefly espionage group in an attack against a military\r\norganization in South East Asia. Analysis of the tool revealed that it was a publicly available Google Drive client\r\nin a Python wrapper.\r\nThe tool was configured to search for all .jpg files in the System32 directory and upload them to Google Drive\r\nusing a hardcoded refresh token.\r\nMany of the exfiltrated files were not actual .jpg images but were instead encrypted RAR files, which were likely\r\ncreated either by hands-on-keyboard activity by the attackers or by another attacker-deployed tool that copied and\r\nprepared data for exfiltration. Exfiltrated data included documents, meeting notes, call transcripts, building plans,\r\nemail folders, and accounting data.\r\nGrager\r\nA previously unseen backdoor named Trojan.Grager was deployed against three organizations in Taiwan, Hong\r\nKong, and Vietnam in April 2024. Analysis of the backdoor revealed that it used the Graph API to communicate\r\nwith a C\u0026C server hosted on Microsoft OneDrive. 
Grager was downloaded from a typosquatted URL mimicking\r\nthe open-source file archiver 7-Zip (hxxp://7-zip.tw/a/7z2301-x64[.]msi).\r\nThe aforementioned MSI file, which acts as a dropper, is a Trojanized 7-Zip installer that installs the real 7-Zip\r\nsoftware into the folder “C:\\Program Files (x86)\\7-Zip” along with a malicious DLL named “epdevmgr.dll”\r\n(SHA2: ab6a684146cec59ec3a906d9e018b318fb6452586e8ec8b4e37160bcb4adc985), a copy of the Tonerjam\r\nmalware, and the encrypted Grager backdoor in a file named “data.dat” (SHA2:\r\n45a5dd715dc5f08f3b987a0415c2e500c549508aadf4183fdb94f749af8f1d67).\r\nThe Tonerjam malware was described by Mandiant as a launcher that decrypts and executes a shellcode payload,\r\nwhich in this case was the new backdoor Grager. The backdoor decrypts a client_id and refresh token for\r\nOneDrive from a blob within the file’s body. The backdoor supports the following commands:\r\nRetrieve machine info including machine name, user, IP address, and machine architecture\r\nDownload/upload a file\r\nExecute a file\r\nGather file system info including available drives, size of drives, and type of drives\r\nThere are tentative links between this tool and a group known as UNC5330. Symantec observed the Tonerjam\r\nmalware described in this blog being dropped under the same file name (epdevmgr.dll) by a benign sample named\r\nEpDevMgr.exe, which Mandiant also attributes to UNC5330. UNC5330 was described as a “suspected China-nexus espionage actor” that exploited Ivanti Connect Secure VPN vulnerabilities (CVE-2024-21893 and CVE-2024-21887) to compromise appliances in early 2024.\r\nMoonTag\r\nSymantec also found evidence of another backdoor called MoonTag (Trojan.Moontag) that appears to be currently\r\nin development. Several variants of the backdoor have been uploaded to VirusTotal in recent weeks, although\r\nnone appeared complete. 
The malware, which may be named “Moon_Tag” by its developer given references in its\r\nstrings, is based on code published in a Google Group post. All the variants found contain functionality for\r\ncommunicating with the Graph API.\r\nMoonTag samples match a YARA rule named “MAL_APT_9002_SabrePanda” that detects samples from the\r\n9002 RAT malware family used by the Sabre Panda threat actor. We did not find strong links to attribute MoonTag\r\nto Sabre Panda, but we can attribute the MoonTag backdoor with high confidence to a Chinese-speaking threat\r\nactor based on the Chinese language used in the Google Group post and the infrastructure used by the attackers.\r\nOnedrivetools\r\nAnother backdoor (Trojan.Ondritols), which appears to be called Onedrivetools by its authors, has been deployed\r\nagainst IT services companies in the U.S. and Europe. It is a multi-stage backdoor: the first stage is a downloader that\r\nauthenticates to the Microsoft Graph API, downloads the second-stage payload from OneDrive and executes it.\r\nThe main payload downloads a publicly available file from GitHub. It then creates a folder in OneDrive\r\nnamed deviceId_n_\u003cip address\u003e for each infected machine and uploads the following file to OneDrive to signal the\r\nstatus of a new infection to the attackers:\r\n/v1.0/me/drive/root:/deviceId_n_\u003cip address\u003e/status\r\nIt then continues in a loop, authenticating itself using the Graph API, creating a file called heartbeat with the\r\ncontent “1” and fetching new commands to execute from a file called cmd, both files located in the victim\r\nfolder. The output of the executed command is saved to the same cmd file. The backdoor can also download\r\nfiles to its victims and upload files from the infected machine to OneDrive.\r\nThe attackers used a tunneling tool known as Whipweave (SHA256:\r\n30093c2502fed7b2b74597d06b91f57772f2ae50ac420bcaa627038af33a6982), likely derived from the open-source\r\nChinese VPN Free Connect (FCN) project, to connect to an Operational Relay Box (ORB) network known as\r\nOrbweaver, which is designed to obfuscate the origin of attacks.\r\nRapidly developing trend\r\nIn May 2024, Symantec uncovered BirdyClient, new malware that used the Graph API to communicate with a\r\nOneDrive C\u0026C server. The malware was used in an attack against an organization in Ukraine.\r\nAlthough leveraging cloud services for command and control is not a new technique, more and more attackers\r\nhave started to use it recently. Three years ago, Volexity published about BlueLight, malware developed by the\r\nNorth Korea-linked Vedalia espionage group (aka APT37). This was followed by Symantec’s discovery of the\r\nGraphon backdoor in October 2021.\r\nThe Russian Swallowtail espionage group (aka APT28, Fancy Bear) was found to have adopted the tactic\r\nfollowing the discovery of Graphite, malware that used the Graph API to communicate with a OneDrive account\r\nthat was acting as a C\u0026C server. In June 2023, Symantec discovered Backdoor.Graphican, which was being used\r\nby the Flea (aka APT15, Nickel) group in a campaign against foreign affairs ministries in the Americas. 
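As an added example (not Symantec's code and not part of the original article), the following Python turns the cloud-API indicators described above into checks a SOC can run over proxy logs: the Onedrivetools per-victim OneDrive path deviceId_n_<ip address>/{status,heartbeat,cmd}, the GoGra Input/Output mail subjects exchanged through Graph mail endpoints, and two of the Best Practices listed later in the report (non-browser processes connecting to cloud services, and large uploads to a cloud service). The key=value log format, the host list, the 50 MB upload threshold and the sample events are assumptions constructed for the example.

```python
import re

# Hosts the Graph API / Google Drive tooling in the report talks to. The
# list is an assumption for this example; extend it to what your proxy sees.
CLOUD_API_HOSTS = {
    'graph.microsoft.com',        # Microsoft Graph: OneDrive and Outlook mail C2
    'login.microsoftonline.com',  # OAuth token refresh used with Graph
    'www.googleapis.com',         # Google Drive API (Firefly exfiltration tool)
    'oauth2.googleapis.com',
}
BROWSERS = {'chrome.exe', 'msedge.exe', 'firefox.exe', 'iexplore.exe'}
LARGE_UPLOAD_BYTES = 50 * 1024 * 1024   # threshold is a tuning assumption

# Onedrivetools: per-victim OneDrive folder deviceId_n_<ip> holding the
# status, heartbeat and cmd files, addressed through /drive/root:/<path>
ONEDRIVETOOLS_PATH = re.compile(
    r'/drive/root:/deviceId_n_(?P<ip>[0-9]{1,3}(?:[.][0-9]{1,3}){3})'
    r'/(?P<file>status|heartbeat|cmd)(?=[:/?]|$)'
)
# GoGra/Graphon: Outlook messages whose subject starts with Input (tasking)
# or Output (results), read and sent through Graph mail endpoints
GOGRA_SUBJECT = re.compile(r'^(Input|Output)(?=[^A-Za-z0-9]|$)')


def parse_kv_line(line):
    """Parse one key=value proxy log line (constructed format; values carry
    no spaces) into a dict, or return None for a line that is not parseable."""
    ev = {}
    for token in line.split():
        if '=' not in token:
            return None
        key, value = token.split('=', 1)
        ev[key] = value
    return ev or None


def analyze_event(ev):
    """Return the findings for one event dict (keys: process, host, path,
    bytes_sent and, for Graph mail requests, subject)."""
    findings = []
    host = ev.get('host', '').lower()
    proc = ev.get('process', '').lower()
    path = ev.get('path', '')
    try:
        sent = int(ev.get('bytes_sent', 0))
    except ValueError:
        sent = 0
    if host in CLOUD_API_HOSTS:
        if proc not in BROWSERS:
            findings.append(f'non-browser process {proc} -> {host}')
        if sent >= LARGE_UPLOAD_BYTES:
            findings.append(f'large upload of {sent} bytes to {host}')
    m = ONEDRIVETOOLS_PATH.search(path)
    if m:
        name, ip = m.group('file'), m.group('ip')
        findings.append(f'Onedrivetools beacon file {name} for victim {ip}')
    subject = ev.get('subject', '')
    if ('/messages' in path or '/sendMail' in path) and GOGRA_SUBJECT.match(subject):
        findings.append(f'GoGra-style tasking mail with subject {subject}')
    return findings


def analyze_log(lines):
    """Return {line index: findings} for every parseable line that triggered
    at least one finding."""
    hits = {}
    for i, line in enumerate(lines):
        ev = parse_kv_line(line.strip()) if line.strip() else None
        if ev is None:
            continue   # skip blank or malformed lines rather than abort
        found = analyze_event(ev)
        if found:
            hits[i] = found
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    'process=msedge.exe host=graph.microsoft.com path=/v1.0/me/drive/root/children bytes_sent=1200',
    'process=svchost.exe host=graph.microsoft.com path=/v1.0/me/drive/root:/deviceId_n_10.1.2.3/heartbeat:/content bytes_sent=1',
    'process=updater.exe host=graph.microsoft.com path=/v1.0/me/messages bytes_sent=300 subject=Input',
    'process=python.exe host=www.googleapis.com path=/upload/drive/v3/files bytes_sent=734003200',
    'process=chrome.exe host=example.com path=/ bytes_sent=10',
]

if __name__ == '__main__':
    for idx, findings in analyze_log(SAMPLE_LOG).items():
        print(SAMPLE_LOG[idx])
        for item in findings:
            print('  ->', item)
```

Run as-is to see the three sample hits; in production feed the proxy export line by line and forward non-empty findings to the SIEM. The GoGra check keys on message subjects, which a proxy only sees if it inspects Graph request bodies, so that rule is better driven from mailbox audit logs than from network telemetry; the browser allow-list and the byte threshold are the two knobs that need tuning per environment.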
The number of actors now deploying threats that leverage cloud services suggests that espionage actors are clearly\r\nstudying threats created by other groups and mimicking what they perceive to be successful techniques.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.\r\nd728cdcf62b497362a1ba9dbaac5e442cebe86145734410212d323a6c2959f0f – Trojan.Gogra\r\nf1ccd604fcdc0034d94e575b3709cd124e13389bbee55c59cbbf7d4f3476e214 – Trojan.Gogra\r\n9f61ed14660d8f85d606605d1c4c23849bd7a05afd02444c3b33e3af591cfdc9 – Trojan.Grager\r\nab6a684146cec59ec3a906d9e018b318fb6452586e8ec8b4e37160bcb4adc985 – Trojan.Grager\r\n97551bd3ff8357831dc2b6d9e152c8968d9ce1cd0090b9683c38ea52c2457824 – Trojan.Grager\r\nf69fb19604362c5e945d8671ce1f63bb1b819256f51568daff6fed6b5cc2f274 – Trojan.Ondritols\r\n582b21409ee32ffca853064598c5f72309247ad58640e96287bb806af3e7bede – Trojan.Ondritols\r\n79e56dc69ca59b99f7ebf90a863f5351570e3709ead07fe250f31349d43391e6 – Trojan.Ondritols\r\n4057534799993a63f41502ec98181db0898d1d82df0d7902424a1899f8f7f9d2 – Trojan.Ondritols\r\na76507b51d84708c02ca2bd5a5775c47096bc740c9f7989afd6f34825edfcba6 – Trojan.Moontag\r\n527fada7052b955ffa91df3b376cc58d387b39f2f44ebdcb54bc134e112a1c14 – Trojan.Moontag\r\nfd9fc13dbd39f920c52fbc917d6c9ce0a28e0d049812189f1bb887486caedbeb – Trojan.Moontag\r\n30093c2502fed7b2b74597d06b91f57772f2ae50ac420bcaa627038af33a6982 – Whipweave\r\nhxxp://7-zip.tw/a/7z2301-x64[.]msi – Trojan.Grager download URL\r\nhxxp://7-zip.tw/a/7z2301[.]msi – Trojan.Grager download URL\r\n7-zip[.]tw – 7-Zip typosquatted domain\r\n103.255.178[.]200 – MoonTag C\u0026C\r\n157.245.159[.]135 – Whipweave C\u0026C\r\n89.42.178[.]13 – Whipweave C\u0026C\r\n30sof.onedumb[.]com – Whipweave C\u0026C\r\nBest Practices\r\nBlock cloud services not used by your organization\r\nProfile network traffic and monitor for network anomalies, e.g. a large file being uploaded to a cloud service\r\nUse application whitelisting where applicable\r\nBlock non-browser processes connecting to cloud services\r\nIdentify critical assets in your organization and monitor them for exfiltration of data\r\nActivate host-based and cloud audit logs\r\nMITRE TTPs\r\nEstablish Accounts: Cloud Accounts\r\nID: T1585.003\r\nSub-technique of: T1585 - Establish Accounts\r\nTactic: Resource Development\r\nDescription: Adversaries may create accounts with cloud providers that can be used during\r\ntargeting. Adversaries can use cloud accounts to further their operations, including leveraging cloud\r\nstorage services such as Dropbox, MEGA, Microsoft OneDrive, or AWS S3 buckets for Exfiltration\r\nto Cloud Storage or to Upload Tools.\r\nStage Capabilities: Upload Malware\r\nID: T1608.001\r\nSub-technique of: T1608 - Stage Capabilities\r\nTactic: Resource Development\r\nDescription: Adversaries may upload malware to third-party or adversary controlled infrastructure\r\nto make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content.\r\nStage Capabilities: Upload Tool\r\nID: T1608.002\r\nSub-technique of: T1608 - Stage Capabilities\r\nTactic: Resource Development\r\nDescription: Adversaries may upload tools to third-party or adversary controlled infrastructure to\r\nmake it accessible during targeting. Tools can be open or closed source, free or\r\ncommercial. Adversaries may upload tools to support their operations, such as making a tool\r\navailable to a victim network to enable Ingress Tool Transfer (i.e. PowerShell, Certutil) by placing it\r\non an Internet-accessible web server.\r\nCommand and Scripting Interpreter: Cloud API\r\nID: T1059.009\r\nSub-technique of: T1059 - Command and Scripting Interpreter\r\nTactic: Execution\r\nDescription: Adversaries may abuse cloud APIs to execute malicious commands.\r\nExfiltration Over Web Service: Exfiltration to Cloud Storage\r\nID: T1567.002\r\nSub-technique of: T1567 - Exfiltration Over Web Service\r\nTactic: Exfiltration\r\nDescription: Adversaries may exfiltrate data to a cloud storage service rather than over their primary\r\ncommand and control channel. Cloud storage services allow for the storage, edit, and retrieval of\r\ndata from a remote cloud storage server over the internet.\r\nSource: https://www.security.com/threat-intelligence/cloud-espionage-attacks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.security.com/threat-intelligence/cloud-espionage-attacks"
	],
	"report_names": [
		"cloud-espionage-attacks"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8306123b-72e8-47b5-8103-17e2d9095b95",
			"created_at": "2024-04-20T02:00:03.573036Z",
			"updated_at": "2026-04-10T02:00:03.623348Z",
			"deleted_at": null,
			"main_name": "UNC5330",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC5330",
			"tools": [
				"GOST",
				"GO Simple Tunnel"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "81dde5cc-c29f-430d-8c6e-e5e92d5015e7",
			"created_at": "2022-10-25T16:07:23.704358Z",
			"updated_at": "2026-04-10T02:00:04.718034Z",
			"deleted_at": null,
			"main_name": "Harvester",
			"aliases": [],
			"source_name": "ETDA:Harvester",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Graphon",
				"Metasploit",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d4fa3dd1-7c2b-46c0-b90f-2741410572b5",
			"created_at": "2023-01-06T13:46:38.633201Z",
			"updated_at": "2026-04-10T02:00:03.045529Z",
			"deleted_at": null,
			"main_name": "SABRE PANDA",
			"aliases": [],
			"source_name": "MISPGALAXY:SABRE PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a6d9dd5d-b19c-4d48-b842-e34893e72a06",
			"created_at": "2022-10-25T16:07:23.273213Z",
			"updated_at": "2026-04-10T02:00:04.512532Z",
			"deleted_at": null,
			"main_name": "Sabre Panda",
			"aliases": [],
			"source_name": "ETDA:Sabre Panda",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434327,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0256b0bc4f12bb03ebdbcfe025b1841f4ebefa05.pdf",
		"text": "https://archive.orkl.eu/0256b0bc4f12bb03ebdbcfe025b1841f4ebefa05.txt",
		"img": "https://archive.orkl.eu/0256b0bc4f12bb03ebdbcfe025b1841f4ebefa05.jpg"
	}
}