{
	"id": "74e6b588-4613-4f5a-b864-662b2bfb2240",
	"created_at": "2026-04-06T00:16:51.218015Z",
	"updated_at": "2026-04-10T13:11:21.211906Z",
	"deleted_at": null,
	"sha1_hash": "04148fd40e3fd0c9adc69b4dd2adc12a76c4a716",
	"title": "Picus Cyber Threat Intelligence Report May 2023: Top 10 MITRE ATT\u0026CK Techniques",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 241449,
	"plain_text": "Picus Cyber Threat Intelligence Report May 2023: Top 10 MITRE ATT\u0026CK Techniques\r\nBy Sıla Özeren Hacıoğlu\r\nPublished: 2023-06-14 · Archived: 2026-04-02 10:58:04 UTC\r\nWelcome to Picus Security's monthly cyber threat intelligence blog, where we list and examine the most frequently employed MITRE ATT\u0026CK techniques observed in the wild.\r\nEach month, we gather data from a diverse range of sources, including threat intelligence and malware dump platforms, CTI blogs, exploit databases, sandboxes, and network data query results. This data is used for an in-depth analysis of malware samples, as well as threat actor and Advanced Persistent Threat (APT) campaigns.\r\nOur main goal is to identify the tactics, techniques, and procedures (TTPs) used by cybercriminals and map them onto the MITRE ATT\u0026CK framework. This focus facilitates a comprehensive understanding of the prevalent attack paths, helping to shape more effective mitigation strategies.\r\nIn this blog, you'll come across a thorough list of ATT\u0026CK techniques adopted by threat actors, APT groups, and malware campaigns. 
As you progress further into the blog, you'll find detailed explanations of these techniques, coupled with relevant procedures for a better understanding of them.\r\n \r\n# | ATT\u0026CK Technique | Threat Groups | Malware and Tools\r\n1 | Phishing (ATT\u0026CK T1566) | SideWinder, APT28, BianLian Ransomware Gang, IcedID, Water Orthrus [1] | Greatness “Phishing-as-a-Service” tool, CopperStealer\r\n2 | Command and Scripting Interpreter (ATT\u0026CK T1059) | Volt Typhoon APT, Cactus Ransomware Gang, BlackByte Ransomware Gang, Rancoz Ransomware Gang, BlackSuit Ransomware Gang, 8220 Gang [2] | COSMICENERGY OT malware, Cobalt Strike, BlackByte NT, CloudWizard APT framework, IcedID banking trojan\r\n3 | System Information Discovery (ATT\u0026CK T1082) | SharpPanda APT, Volt Typhoon APT, GoldenJackal APT, BlackByte Ransomware Gang, Rancoz Ransomware Gang, BlackSuit Ransomware Gang | DarkWatchman RAT, SeroXen RAT, Mélofée and AlienReverse implants [3]\r\n4 | Obfuscated Files or Information (ATT\u0026CK T1027) | SideWinder APT, Void Rabisu APT, SharpPanda APT, Lancefly APT, ALPHV Ransomware Gang | COSMICENERGY OT malware, VMProtect tool [4], RomCom RAT, HackTool webshell encoder (tool.exe) [5], Safengine Protector v2.4.0.0\r\n5 | Process Injection (ATT\u0026CK T1055) | RedStinger APT, MEME#4CHAN Campaign Actors, Minas cryptocurrency miner [6] | Genesis Market malware, XWorm\r\n6 | Ingress Tool Transfer (ATT\u0026CK T1105) | BlackCat Ransomware Gang, BianLian Ransomware Gang, Royal Ransomware Gang | Cobalt Strike, Chisel hacking tool, Ursnif/Gozi, PowerShell toolkit downloader, Advanced Port Scanner, SoftPerfect Network Scanner (netscan.exe), SharpShares, PingCastle, Rclone, Mega, Safengine Protector v2.4.0.0\r\n7 | Scheduled Task/Job (ATT\u0026CK T1053) | GoldenJackal APT, Earth Longzhi APT | IcedID banking trojan\r\n8 | Application Layer Protocols (ATT\u0026CK T1071) | Void Rabisu APT, 8220 Gang | \r\n9 | Impair Defenses (ATT\u0026CK T1562) | Earth Longzhi APT, Volt Typhoon APT | AuKill EDR bypass tool, SPHijacker [7]\r\n10 | OS Credential Dumping (ATT\u0026CK T1003) | Volt Typhoon APT, Unidentified China State-Sponsored Threat Actors [8], Cactus Ransomware Gang | LaZagne tool, HackBrowserData tool, IcedID banking trojan\r\nhttps://www.picussecurity.com/resource/blog/cyber-threat-intelligence-report-may-2023\r\nPage 1 of 13\r\n
Phishing (ATT\u0026CK T1566)\r\nThroughout May 2023, a wide range of threat actors ramped up their use of phishing and spear-phishing techniques in their attack campaigns.\r\nThreat actors such as SideWinder APT [9], APT28 [10], and the BianLian Ransomware Gang [11] used these techniques, targeting various sectors with mimicked domains and decoy emails. The APT28 group, associated with the Russian GRU, notably employed diverse phishing methods against Ukrainian civil society. Meanwhile, threat actors infected their targets with the IcedID banking trojan using macro-embedded Office documents, underscoring the continued effectiveness of the phishing ATT\u0026CK technique.\r\nAdditionally, a new “Phishing-as-a-Service” (PaaS) tool, \"Greatness\" [12], targeted Microsoft 365 users, and Water Orthrus unveiled its CopperPhish [13] campaign, leveraging phishing to distribute malware and steal credit card information.\r\nThese cases emphasize the adaptability of threat actors and the importance of proactive defense strategies against evolving phishing techniques.\r\n
Command and Scripting Interpreter (ATT\u0026CK T1059)\r\nCommand and scripting tools were extensively used in May, enabling attackers to carry out their malicious activities swiftly.\r\nFor instance, Volt Typhoon APT [14] used various tools and commands in its attack campaign, such as WMI/WMIC for gathering local drive information, PowerShell for identifying logons, portproxy commands for port forwarding, and ntdsutil.exe for copying ntds.dit files and SYSTEM registry hives.\r\nIn addition, COSMICENERGY, a novel OT malware, was observed using a command-line interface and Python scripting to interact with IEC 60870-5-104 devices, causing electric power disruption in electric transmission and distribution operations in Europe, the Middle East, and Asia [15].\r\nThe BlackByte Ransomware Gang has launched a new version of its ransomware, BlackByte NT [16], which uses Windows commands both for anti-debugging measures that delete its own executable and for encrypting files, posing a significant threat to organizations’ systems and data.\r\nIcedID operators used tools like Cobalt Strike for privilege escalation, AdFind and adget.exe for domain discovery, and utilities like rundll32.exe and PsExec for remote execution and lateral movement [17]. These tools, while legitimate, can be abused by threat actors such as the IcedID operators for nefarious activities, presenting a significant risk to network security.\r\nLastly, and not surprisingly, ransomware actors such as the BianLian [11], Rancoz [18] and BlackSuit [19] Ransomware Gangs also leveraged command and scripting tools. For instance, the new Cactus ransomware variant [20] notably demonstrates an advanced use of command and scripting techniques, particularly through PowerShell and batch scripting, to execute multi-stage encryption and obfuscation processes, raising serious concerns about the potential for this ransomware to evade traditional detection mechanisms and escalate its impact on unprepared systems.\r\n
System Information Discovery (ATT\u0026CK T1082)\r\nThreat actors showed a consistent trend in May: they harness system information discovery to increase the efficacy and stealthiness of their malicious campaigns.\r\nThe SharpPanda APT, known for its emphasis on system information discovery, performs comprehensive network reconnaissance prior to launching targeted attacks. The Volt Typhoon APT, another adept at system information discovery, leverages this intelligence to mount customized attacks on its targets. GoldenJackal APT, on the other hand, exploits this technique not only for system profiling but also to prepare for its intricate cyber-espionage operations.\r\nIn the ransomware realm, the BlackByte NT ransomware employs techniques such as dynamic API import, PEB structure examination, execution argument checks, and DLL retrieval to give the ransomware access to system functionality, showcasing its active system information discovery capabilities.\r\nSimilarly, Rancoz ransomware employs drive enumeration to identify and traverse available local and remote drives, including network shares, in order to locate and target files for encryption [16]. DarkWatchman RAT operators, another significant threat, rely on system information discovery to maintain persistence and avoid detection, showing a trend of cyber threats exploiting this attack technique for a variety of malicious objectives.\r\nThreat Actors and Malware | Commands, Tools and Files Used for Information Discovery\r\nSharpPanda APT | DLL Downloader (“c6gt.b”): when the loader is executed through rundll32.exe, it collects various data from the target’s system [21].\r\nVolt Typhoon APT | netstat -ano; reg query hklm\\software\\; systeminfo; tasklist /v; whoami; net group \"Domain Admins\" /dom; netsh interface firewall show all; netsh interface portproxy show all [14]\r\nGoldenJackal APT | netstat -aon; ipconfig /displaydns; reg query \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" /v; tasklist; netsh winhttp show proxy [22]\r\nBlackByte Ransomware Gang | Anti-debug check by examining the \"BeingDebugged\" flag within the PEB structure; checking the arguments passed during execution for the following flags: -a, -s, -w, -q; retrieving functions from various DLLs, such as kernel32.dll, ntdll.dll, advapi32.dll [16]\r\nRancoz Ransomware Gang | The main thread of the ransomware evaluates the drive types, which can be categorized as DRIVE_UNKNOWN, DRIVE_NO_ROOT_DIR, DRIVE_REMOVABLE, DRIVE_FIXED, and DRIVE_REMOTE [16].\r\nBlackSuit Ransomware Gang | NetShareEnum() API to obtain information about the available network shares, such as administrative (ADMIN$) and interprocess communication (IPC$) shares, on the local system [17].\r\nDarkWatchman RAT Operators | The start_instance() function within the DarkWatchman RAT collects the victim's system information, including the operating system version, domain role, and antivirus software.\r\n
Obfuscated Files or Information (ATT\u0026CK T1027)\r\nMay was another month that demonstrated the malicious use of advanced obfuscation techniques to evade detection by security software.\r\nFor instance, SideWinder APT uses obfuscation and decoding techniques in its recent campaign, which targets Pakistani government organizations and now Turkey, delivering the next-stage payload through server-based polymorphism to evade detection by signature-based antivirus [23].\r\nIn another case, Void Rabisu APT has employed binary padding as an obfuscation technique in its attacks [7]. Binary padding involves adding a significant amount of overlay bytes to the payload files, thereby increasing the size of the malicious payload. This method aims to evade detection by security scanners and make analysis more challenging.\r\nCOSMICENERGY, assumed to be related to Russian emergency response exercises, uses the certutil utility to decode Base64-encoded malicious executables. This is a sign that classical obfuscation techniques such as file encoding are still used by adversaries, as they can bypass security controls that rely on detecting specific file formats or signatures.\r\nThreat Actors and Malware | Commands, Tools and Files Used\r\nSideWinder APT | In their attack campaign, the \"1.a\" object extracted from the RTF file is a highly obfuscated JavaScript that is decoded to reveal a base64-encoded data blob, two communication URLs, and other important information used to communicate with the command and control server [23].\r\nLancefly APT | In their attack campaign, Lancefly encoded the MerDoor backdoor malware for obfuscation [5].\r\nEarth Longzhi APT | In the course of their attack campaigns, Earth Longzhi APT conceals their malicious payloads through encryption. Disguised under the name \"MPClient.dll,\" the newly introduced Croxloader variant accesses the encrypted payload \"MpClient.bin\" and proceeds to decrypt its hidden content [7].\r\n
Process Injection (ATT\u0026CK T1055)\r\nIn May, we witnessed a surge in sophisticated process injection methods designed to impair defense controls.\r\nThe RedStinger APT utilized a DLL with Process Doppelgänging (ATT\u0026CK T1055.013) capabilities for stealthy operations and for bypassing security controls like whitelisting [24].\r\nThe MEME#4CHAN campaign employed the Proc Memory (ATT\u0026CK T1055.009) technique, using .NET reflection for in-memory execution of malicious code and making it challenging for security professionals to predict and counter the attack's behavior [25].\r\nGenesis Market's tactics involved Process Hollowing (ATT\u0026CK T1055.012), replacing the Portable Executable (PE) of its host process with a new PE to bypass routine security measures [26].\r\nThe level of sophistication in these process injection techniques highlights the need for enhanced detection and response strategies, as it becomes more and more difficult for security professionals to detect the presence of an adversary.\r\nThreat Actors and Malware | Commands, Tools and Files Used\r\nRedStinger APT | In the case of RedStinger, the DLL file named InjectorTransactedHollow.dll is used to perform the injection technique. The injected code runs in the memory space of a legitimate process, mobisync.exe, which makes it difficult for security software to detect.\r\nMEME#4CHAN | The MEME#4CHAN attack campaign leverages process memory injection by embedding binary data within a PowerShell script which is then loaded into the memory of system processes like RegSvcs.exe or Msbuild.exe, using .NET assemblies via reflection.\r\nGenesis Market | The malware decrypts nested encrypted shellcode stages via a legitimate svchost.exe process, ultimately using process hollowing to replace svchost.exe's own Portable Executable (PE) with the final decrypted shellcode stage's PE.\r\n
Ingress Tool Transfer (ATT\u0026CK T1105)\r\nIn May 2021, there was an alarming increase in the use of third-party and ingress tools by cyber adversaries.\r\nThe BianLian Ransomware Gang, in particular, has made use of Advanced Port Scanner and the SoftPerfect Network Scanner for reconnaissance, while relying on PingCastle for AD enumeration. Additionally, Rclone and Mega have been used for data exfiltration purposes.\r\nIn its attack campaign, the Royal Ransomware Gang has also been observed using a wide array of tools, including Chisel and Cobalt Strike for covert communication and lateral movement within targeted systems. Legitimate remote access tools like AnyDesk and LogMeIn have also been repurposed by attackers for long-term persistence.\r\nFinally, the BlackCat Ransomware Gang has used a custom kernel driver for evasion, while using the Safengine Protector tool for obfuscation purposes [27].\r\nThis increased use of third-party tools highlights the growing sophistication of ransomware attacks and the need for organizations to prioritize proactive defense strategies.\r\nThreat Actors and Malware | Tools and Software Used\r\nBlackCat Ransomware Gang | Safengine Protector v2.4.0.0\r\nBianLian Ransomware Gang | Advanced Port Scanner, SoftPerfect Network Scanner (netscan.exe), SharpShares, PingCastle, Rclone, Mega\r\nRoyal Ransomware Gang | Chisel (TCP/UDP tunnel over HTTP), Cobalt Strike, AnyDesk, LogMeIn, Atera, Exfil, Ursnif/Gozi, PowerShell Toolkit Downloader\r\n
Scheduled Task/Job (ATT\u0026CK T1053)\r\nMay spotlighted advanced task scheduling tactics by cyber threat groups.\r\nGoldenJackal APT utilized 'schtasks.exe', ensuring malware persistence post-infiltration [20].\r\nEarth Longzhi APT exploited Windows COM objects for privilege escalation, bypassing Windows User Account Control (UAC), and hiding payloads effectively [1].\r\nThe IcedID banking trojan harnessed task scheduling to keep a malicious DLL active on the system [28]. This intricate layering of techniques signifies an alarming evolution in threat actor capabilities.\r\nFor IT security, it underscores the necessity of continuous system monitoring, cutting-edge detection systems, and thorough audits to safeguard against these progressively sophisticated attacks.\r\nThreat Actors and Malware | Tools and Commands Used\r\nGoldenJackal APT | GoldenJackal APT uses its JackalWorm malware to create a Windows Task Scheduler job, typically by calling the 'schtasks.exe' utility with parameters like '/create /tn \"taskname\" /tr \"tasklocation\\malware.exe\" /sc minute /mo 1'.\r\nEarth Longzhi (a subgroup of APT41) | Earth Longzhi employs a tool called dwm.exe, which modifies image paths and command-line information for obfuscation, leverages the COM object 'IElevatedFactoryServer' to bypass Windows UAC, and establishes a high-privilege scheduled task disguised as a legitimate Google Update task, which also deploys a payload downloader named 'dllhost.exe'.\r\nIcedID | After the initial execution of the IcedID malware, it creates a DLL file named Utucka.dll. A new scheduled task is then created to execute this DLL file at specific intervals. This task is executed in the background by the Task Scheduler service (svchost.exe -k netsvcs -p -s Schedule).\r\n
Application Layer Protocols (ATT\u0026CK T1071)\r\nIn May, our observations pointed to the \"Web Protocols\" sub-technique as the predominant method used in Application Layer Protocols attacks. Attackers exploit this technique to establish and maintain an encrypted command and control (C2) channel over HTTPS. This channel serves a dual purpose: facilitating communication with the target system and enabling the extraction of sensitive data to a server under the control of the attacker.\r\nFor instance, the Russian-originated Void Rabisu APT group is using a remote access trojan called RomCom that uses HTTPS for C\u0026C communications [29].\r\nIn addition, the 8220 Gang has been found to cunningly use HTTP requests for malicious purposes, most notably exploiting the Oracle WebLogic vulnerability CVE-2017-3506 [2]. By executing arbitrary commands via a specifically crafted XML document embedded in an HTTP request, they are able to gain unauthorized access to sensitive data and even compromise entire systems.\r\n
Impair Defenses (ATT\u0026CK T1562)\r\nUpon gaining access to a target system, adversaries consistently aim to employ the stealthiest attack techniques to evade detection by defense controls. This is precisely why “Impair Defenses” has positioned itself among the top ten techniques.\r\nEarth Longzhi APT performed a sophisticated defense evasion attack called “Stack Rumbling” to disable security defenses [30], impairing running security products via a vulnerable driver in a “Bring Your Own Vulnerable Driver” (BYOVD) attack [7]. Volt Typhoon APT, on the other hand, selectively cleared Windows Event Logs, system logs, and other technical artifacts to remove evidence of its intrusion activity [31].\r\nMeanwhile, an emerging defense evasion tool called AuKill uses an old Windows driver to bypass EDR software and prepare for malware installation, leveraging a BYOVD attack like Earth Longzhi [32]. This technique, bypassing critical security measures using an authorized yet outdated driver, presents significant concern for potential widespread cyberattacks across crucial sectors.\r\n
OS Credential Dumping (ATT\u0026CK T1003)\r\nCredential dumping remains a persistent and powerful tool in the top ten most deployed tactics, techniques, and procedures (TTPs), as demonstrated by Chinese threat actors in their sophisticated cyber attack on Taiwan's critical infrastructure. Using tools like LaZagne and HackBrowserData, they extracted NTLM password hashes, enabling an alarming level of privilege escalation and underscoring the pressing need for robust cybersecurity measures [8]. This tactic was also seen in the deployment of Cactus ransomware, which dumped browser credentials and manually scanned for password files [20].\r\nThe Volt Typhoon APT further escalated this approach, specifically targeting the Local Security Authority Subsystem Service (LSASS) to acquire OS credential hashes and increase its privileges. It also used the command-line tool Ntdsutil.exe to create installation media containing usernames and password hashes from domain controllers, which could be cracked offline, ensuring persistent system access. Similarly, IcedID conducted credential dumping [33] and ran Windows discovery commands to survey RDP access across the environment, further showcasing the evolving complexity of these threat strategies.\r\n
References\r\n[1] “Water Orthrus New Campaigns Deliver Rootkit and Phishing Modules,” Trend Micro, May 15, 2023. [Online]. Available: https://www.trendmicro.com/en_us/research/23/e/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules.html. [Accessed: Jun. 09, 2023]\r\n[2] “8220 Gang Evolves With New Strategies,” Trend Micro, May 16, 2023. [Online]. Available: https://www.trendmicro.com/en_us/research/23/e/8220-gang-evolution-new-strategies-adapted.html. [Accessed: Jun. 09, 2023]\r\n[3] “Mélofée: a new alien malware in the Panda’s toolset targeting Linux hosts.” [Online]. Available: https://blog.exatrack.com/melofee/. [Accessed: Jun. 09, 2023]\r\n[4] “Void Rabisu’s Use of RomCom Backdoor Shows a Growing Shift in Threat Actors’ Goals,” Trend Micro, May 30, 2023. [Online]. Available: https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html. [Accessed: Jun. 09, 2023]\r\n[5] “Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors.” [Online]. Available: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor. [Accessed: Jun. 09, 2023]\r\n[6] I. Borisov, “Minas – on the way to complexity,” Kaspersky, May 17, 2023. [Online]. Available: https://securelist.com/minas-miner-on-the-way-to-complexity/109692/. [Accessed: Jun. 09, 2023]\r\n[7] “Attack on Security Titans: Earth Longzhi Returns With New Tricks,” Trend Micro, May 02, 2023. [Online]. Available: https://www.trendmicro.com/en_us/research/23/e/attack-on-security-titans-earth-longzhi-returns-with-new-tricks.html. [Accessed: Jun. 02, 2023]\r\n[8] “Chinese Threat Actor Used Modified Cobalt Strike Variant to Attack Taiwanese Critical Infrastructure.” [Online]. Available: https://blog.eclecticiq.com/chinese-threat-actor-used-modified-cobalt-strike-variant-to-attack-taiwanese-critical-infrastructure. [Accessed: Jun. 09, 2023]\r\n[9] “The distinctive rattle of APT SideWinder.” [Online]. Available: https://www.group-ib.com/blog/hunting-sidewinder/\r\n[10] F. Aimé, “APT28 leverages multiple phishing techniques to target Ukrainian civil society,” Sekoia.io Blog, May 17, 2023. [Online]. Available: https://blog.sekoia.io/apt28-leverages-multiple-phishing-techniques-to-target-ukrainian-civil-society/. [Accessed: Jun. 02, 2023]\r\n[11] “#StopRansomware: BianLian Ransomware Group,” Cybersecurity and Infrastructure Security Agency (CISA). [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a. [Accessed: Jun. 02, 2023]\r\n[12] T. Pereira, “New phishing-as-a-service tool ‘Greatness’ already seen in the wild,” Cisco Talos Blog, May 10, 2023. [Online]. Available: https://blog.talosintelligence.com/new-phishing-as-a-service-tool-greatness-already-seen-in-the-wild/. [Accessed: Jun. 06, 2023]\r\n[13] “Water Orthrus New Campaigns Deliver Rootkit and Phishing Modules,” Trend Micro, May 15, 2023. [Online]. Available: https://www.trendmicro.com/en_us/research/23/e/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules.html. [Accessed: Jun. 06, 2023]\r\n[14] Microsoft Threat Intelligence, “Volt Typhoon targets US critical infrastructure with living-off-the-land techniques,” Microsoft Security Blog, May 24, 2023. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/. [Accessed: Jun. 02, 2023]\r\n[15] “New COSMICENERGY Malware Exploits ICS Protocol to Sabotage Power Grids,” The Hacker News, May 26, 2023. [Online]. Available: https://thehackernews.com/2023/05/new-cosmicenergy-malware-exploits-ics.html. [Accessed: Jun. 06, 2023]\r\n[16] “Back in Black: BlackByte Ransomware returns with its New Technology (NT) version,” May 22, 2023. [Online]. Available: https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt. [Accessed: Jun. 06, 2023]\r\n[17] “IcedID Macro Ends in Nokoyawa Ransomware,” The DFIR Report, May 22, 2023. [Online]. Available: https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/. [Accessed: Jun. 06, 2023]\r\n[18] “Dissecting Rancoz Ransomware,” Cyble, May 11, 2023. [Online]. Available: https://blog.cyble.com/2023/05/11/dissecting-rancoz-ransomware/. [Accessed: Jun. 06, 2023]\r\n[19] “BlackSuit Ransomware Strikes Windows and Linux Users,” Cyble, May 12, 2023. [Online]. Available: https://blog.cyble.com/2023/05/12/blacksuit-ransomware-strikes-windows-and-linux-users/. [Accessed: Jun. 06, 2023]\r\n[20] L. Iacono, S. Green, and D. Truman, “CACTUS Ransomware: Prickly New Variant Evades Detection,” Kroll, May 10, 2023. [Online]. Available: https://www.kroll.com/en/insights/publications/cyber/cactus-ransomware-prickly-new-variant-evades-detection. [Accessed: Jun. 06, 2023]\r\n[21] “SharpPanda APT Campaign Expands its Arsenal Targeting G20 Nations,” Cyble, Jun. 01, 2023. [Online]. Available: https://blog.cyble.com/2023/06/01/sharppanda-apt-campaign-expands-its-arsenal-targeting-g20-nations/. [Accessed: Jun. 06, 2023]\r\n[22] G. Dedola, “Meet the GoldenJackal APT group. Don’t expect any howls,” Kaspersky, May 23, 2023. [Online]. Available: https://securelist.com/goldenjackal-apt-group/109677/. [Accessed: Jun. 06, 2023]\r\n[23] “SideWinder Uses Server-side Polymorphism to Attack Pakistan Government Officials — and Is Now Targeting Turkey,” BlackBerry, May 08, 2023. [Online]. Available: https://blogs.blackberry.com/en/2023/05/sidewinder-uses-server-side-polymorphism-to-target-pakistan. [Accessed: Jun. 06, 2023]\r\n[24] “Uncovering RedStinger - Undetected APT cyber operations in Eastern Europe since 2020,” Malwarebytes, May 10, 2023. [Online]. Available: https://www.malwarebytes.com/blog/threat-intelligence/2023/05/redstinger. [Accessed: Jun. 06, 2023]\r\n[25] “Securonix Threat Labs Security Advisory: Latest Update: Ongoing MEME#4CHAN Attack/Phishing Campaign uses Meme-Filled Code to Drop XWorm Payloads,” Securonix, May 12, 2023. [Online]. Available: https://www.securonix.com/blog/securonix-threat-labs-security-meme4chan-advisory/. [Accessed: Jun. 07, 2023]\r\n[26] “Technical analysis of the Genesis Market,” Apr. 05, 2023. [Online]. Available: https://sector7.computest.nl/post/2023-04-technical-analysis-genesis-market/. [Accessed: Jun. 07, 2023]\r\n[27] “BlackCat Ransomware Deploys New Signed Kernel Driver,” Trend Micro, May 22, 2023. [Online]. Available: https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html. [Accessed: Jun. 07, 2023]\r\n[28] “Malicious ISO File Leads to Domain Wide Ransomware,” The DFIR Report, Apr. 03, 2023. [Online]. Available: https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/. [Accessed: Jun. 07, 2023]\r\n[29] “Void Rabisu’s Use of RomCom Backdoor Shows a Growing Shift in Threat Actors’ Goals,” Trend Micro, May 30, 2023. [Online]. Available: https://www.trendmicro.com/en_id/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html. [Accessed: Jun. 09, 2023]\r\n[30] A. Mascellino, “Earth Longzhi Uses ‘Stack Rumbling’ to Disable Security Software,” Infosecurity Magazine, May 03, 2023. [Online]. Available: https://www.infosecurity-magazine.com/news/earth-longzhi-disable-security/. [Accessed: Jun. 02, 2023]\r\n[31] “People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection,” Cybersecurity and Infrastructure Security Agency (CISA). [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a. [Accessed: Jun. 09, 2023]\r\n[32] “AuKill: A ‘defense evasion tool’ disables EDR software via BYOVD attack,” SISA, May 19, 2023. [Online]. Available: https://www.sisainfosec.com/threat-a-licious/aukill-defense-evasion-tool-disables-edr-software-via-byovd-attack/. [Accessed: Jun. 09, 2023]\r\n[33] Y. Ernalbant, “IcedID Macro Attacks Deploy Nokoyawa Ransomware,” SOCRadar® Cyber Intelligence Inc., May 22, 2023. [Online]. Available: https://socradar.io/icedid-macro-attacks-deploy-nokoyawa-ransomware/. [Accessed: Jun. 09, 2023]\r\nSource: https://www.picussecurity.com/resource/blog/cyber-threat-intelligence-report-may-2023",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.picussecurity.com/resource/blog/cyber-threat-intelligence-report-may-2023"
	],
	"report_names": [
		"cyber-threat-intelligence-report-may-2023"
	],
	"threat_actors": [
		{
			"id": "a8356cf9-e9d6-4585-8ccf-d30d3efe142b",
			"created_at": "2023-06-23T02:04:34.262059Z",
			"updated_at": "2026-04-10T02:00:04.711064Z",
			"deleted_at": null,
			"main_name": "GoldenJackal",
			"aliases": [],
			"source_name": "ETDA:GoldenJackal",
			"tools": [
				"JackalControl",
				"JackalPerInfo",
				"JackalScreenWatcher",
				"JackalSteal",
				"JackalWorm"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ef8ed28b-6afb-4447-b560-0df2892b8f1c",
			"created_at": "2023-06-23T02:04:34.315779Z",
			"updated_at": "2026-04-10T02:00:04.738599Z",
			"deleted_at": null,
			"main_name": "Lancefly",
			"aliases": [],
			"source_name": "ETDA:Lancefly",
			"tools": [
				"Merdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3f918a1b-2f20-4f3f-ae16-31e83d9d91d9",
			"created_at": "2023-06-23T02:04:34.088425Z",
			"updated_at": "2026-04-10T02:00:04.573175Z",
			"deleted_at": null,
			"main_name": "Bad Magic",
			"aliases": [
				"Bad Magic",
				"CloudWizard",
				"RedStinger"
			],
			"source_name": "ETDA:Bad Magic",
			"tools": [
				"CommonMagic",
				"PowerMagic"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0b8ea9bb-b729-438a-ae1f-4240db936fd7",
			"created_at": "2023-06-23T02:04:34.839947Z",
			"updated_at": "2026-04-10T02:00:04.99239Z",
			"deleted_at": null,
			"main_name": "8220 Gang",
			"aliases": [
				"8220 Mining Group",
				"Returned Libra",
				"Water Sigbin"
			],
			"source_name": "ETDA:8220 Gang",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8a3bd03a-f69b-455b-b88b-3842a3528bfd",
			"created_at": "2022-10-25T16:07:24.178007Z",
			"updated_at": "2026-04-10T02:00:04.89066Z",
			"deleted_at": null,
			"main_name": "SharpPanda",
			"aliases": [
				"Sharp Dragon",
				"SharpPanda"
			],
			"source_name": "ETDA:SharpPanda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"RoyalRoad",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5b317799-01c0-48fa-aee2-31a738116771",
			"created_at": "2022-11-20T02:02:37.746719Z",
			"updated_at": "2026-04-10T02:00:04.561617Z",
			"deleted_at": null,
			"main_name": "Earth Longzhi",
			"aliases": [
				"Earth Longzhi"
			],
			"source_name": "ETDA:Earth Longzhi",
			"tools": [
				"Agentemis",
				"BigpipeLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"CroxLoader",
				"MultiPipeLoader",
				"OutLoader",
				"Symatic Loader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fecc0d5a-3654-425d-9290-b6d0b4105463",
			"created_at": "2023-10-17T02:00:08.330061Z",
			"updated_at": "2026-04-10T02:00:03.37711Z",
			"deleted_at": null,
			"main_name": "Void Rabisu",
			"aliases": [
				"Tropical Scorpius"
			],
			"source_name": "MISPGALAXY:Void Rabisu",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "81a3e326-a23a-4b8b-ae07-2e6679b3f2b3",
			"created_at": "2023-11-04T02:00:07.682997Z",
			"updated_at": "2026-04-10T02:00:03.391958Z",
			"deleted_at": null,
			"main_name": "Lancefly",
			"aliases": [],
			"source_name": "MISPGALAXY:Lancefly",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ff5a7bd9-75a5-43fe-ba4c-27dab43e1f61",
			"created_at": "2023-11-07T02:00:07.086058Z",
			"updated_at": "2026-04-10T02:00:03.403516Z",
			"deleted_at": null,
			"main_name": "RedStinger",
			"aliases": [
				"Bad Magic"
			],
			"source_name": "MISPGALAXY:RedStinger",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "555e2cac-931d-4ad4-8eaa-64df6451059d",
			"created_at": "2023-01-06T13:46:39.48103Z",
			"updated_at": "2026-04-10T02:00:03.342729Z",
			"deleted_at": null,
			"main_name": "RomCom",
			"aliases": [
				"UAT-5647",
				"Storm-0978"
			],
			"source_name": "MISPGALAXY:RomCom",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dc1a1006-34fc-4491-b982-f0f0b5362ac2",
			"created_at": "2024-05-03T02:00:04.196123Z",
			"updated_at": "2026-04-10T02:00:03.638185Z",
			"deleted_at": null,
			"main_name": "Water Orthrus",
			"aliases": [],
			"source_name": "MISPGALAXY:Water Orthrus",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "942c5fbc-31df-4aef-8268-e3ccf6692ec8",
			"created_at": "2024-07-09T02:00:04.434476Z",
			"updated_at": "2026-04-10T02:00:03.671196Z",
			"deleted_at": null,
			"main_name": "Water Sigbin",
			"aliases": [
				"8220 Gang"
			],
			"source_name": "MISPGALAXY:Water Sigbin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4f56bb34-098d-43f6-a0e8-99616116c3ea",
			"created_at": "2024-06-19T02:03:08.048835Z",
			"updated_at": "2026-04-10T02:00:03.870819Z",
			"deleted_at": null,
			"main_name": "GOLD FLAMINGO",
			"aliases": [
				"REF9019 ",
				"Tropical Scorpius ",
				"UAC-0132 ",
				"UAC0132 ",
				"UNC2596 ",
				"Void Rabisu "
			],
			"source_name": "Secureworks:GOLD FLAMINGO",
			"tools": [
				"Chanitor",
				"Cobalt Strike",
				"Cuba",
				"Meterpreter",
				"Mimikatz",
				"ROMCOM RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4e453d66-9ecd-47d9-b63a-32fa5450f071",
			"created_at": "2024-06-19T02:03:08.077075Z",
			"updated_at": "2026-04-10T02:00:03.830523Z",
			"deleted_at": null,
			"main_name": "GOLD LOTUS",
			"aliases": [
				"BlackByte",
				"Hecamede "
			],
			"source_name": "Secureworks:GOLD LOTUS",
			"tools": [
				"BlackByte",
				"Cobalt Strike",
				"ExByte",
				"Mega",
				"RDP",
				"SoftPerfect Network Scanner"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d196cb29-a861-4838-b157-a31ac92c6fb1",
			"created_at": "2023-11-04T02:00:07.66699Z",
			"updated_at": "2026-04-10T02:00:03.386945Z",
			"deleted_at": null,
			"main_name": "Earth Longzhi",
			"aliases": [
				"SnakeCharmer"
			],
			"source_name": "MISPGALAXY:Earth Longzhi",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bacb81f4-18d1-4dcd-b277-65a9dac41b61",
			"created_at": "2023-11-04T02:00:07.680044Z",
			"updated_at": "2026-04-10T02:00:03.390891Z",
			"deleted_at": null,
			"main_name": "GoldenJackal",
			"aliases": [],
			"source_name": "MISPGALAXY:GoldenJackal",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e79324a2-bdae-4dc5-9421-578a59045288",
			"created_at": "2022-10-25T16:07:23.906087Z",
			"updated_at": "2026-04-10T02:00:04.784657Z",
			"deleted_at": null,
			"main_name": "Nightshade Panda",
			"aliases": [
				"APT 9",
				"FlowerLady",
				"FlowerShow",
				"Group 27",
				"Nightshade Panda",
				"Operation Seven Pointed Dagger"
			],
			"source_name": "ETDA:Nightshade Panda",
			"tools": [
				"3102 RAT",
				"9002 RAT",
				"Agent.dhwf",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"EvilGrab",
				"EvilGrab RAT",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"MoonWind",
				"MoonWind RAT",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Vidgrab",
				"Wmonder",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4e7fd07d-fcc5-459b-b678-45a7d9cda751",
			"created_at": "2025-04-23T02:00:55.174827Z",
			"updated_at": "2026-04-10T02:00:05.353712Z",
			"deleted_at": null,
			"main_name": "BlackByte",
			"aliases": [
				"BlackByte",
				"Hecamede"
			],
			"source_name": "MITRE:BlackByte",
			"tools": [
				"AdFind",
				"BlackByte Ransomware",
				"Exbyte",
				"Arp",
				"BlackByte 2.0 Ransomware",
				"PsExec",
				"Cobalt Strike",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e7ef34b6-e7b6-46f3-8dd8-2708c1659cd6",
			"created_at": "2023-11-08T02:00:07.107758Z",
			"updated_at": "2026-04-10T02:00:03.415268Z",
			"deleted_at": null,
			"main_name": "SharpPanda",
			"aliases": [
				"Sharp Dragon"
			],
			"source_name": "MISPGALAXY:SharpPanda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434611,
	"ts_updated_at": 1775826681,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/04148fd40e3fd0c9adc69b4dd2adc12a76c4a716.pdf",
		"text": "https://archive.orkl.eu/04148fd40e3fd0c9adc69b4dd2adc12a76c4a716.txt",
		"img": "https://archive.orkl.eu/04148fd40e3fd0c9adc69b4dd2adc12a76c4a716.jpg"
	}
}