{ "id": "db1dd5ff-53a9-448a-bd21-ebd7fb9393a3", "created_at": "2026-04-06T00:11:45.646401Z", "updated_at": "2026-04-10T13:12:58.846021Z", "deleted_at": null, "sha1_hash": "04c3f2e39a53a15e6d9ac0f7af5ae212e3fe42fa", "title": "TEARDROP (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 114560, "plain_text": "TEARDROP (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 17:03:15 UTC\r\nTEARDROP is a memory only dropper that runs as a service, spawns a thread and reads from the file\r\n“gracious_truth.jpg”, which likely has a fake JPG header. Next it checks that HKU\\SOFTWARE\\Microsoft\\CTF\r\nexists, decodes an embedded payload using a custom rolling XOR algorithm and manually loads into memory an\r\nembedded payload using a custom PE-like file format. TEARDROP does not have code overlap with any\r\npreviously seen malware. FireEye believe that this was used to execute a customized Cobalt Strike BEACON.\r\n2022-07-31 ⋅ BushidoToken Blog ⋅\r\nSpace Invaders: Cyber Threats That Are Out Of This World\r\nPoison Ivy Raindrop SUNBURST TEARDROP WastedLocker 2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42\r\nSolar Phoenix\r\nSUNBURST TEARDROP UNC2452 2022-04-27 ⋅ Mandiant ⋅ Mandiant\r\nAssembling the Russian Nesting Doll: UNC2452 Merged into APT29\r\nCobalt Strike Raindrop SUNBURST TEARDROP 2021-07-13 ⋅ YouTube ( Matt Soseman) ⋅ Matt Soseman\r\nSolarwinds and SUNBURST attacks compromised my lab!\r\nCobalt Strike Raindrop SUNBURST TEARDROP 2021-07-13 ⋅ Symantec ⋅ Threat Hunter Team\r\nAttacks Against the Government Sector\r\nRaindrop TEARDROP 2021-06-01 ⋅ SANS ⋅ Jake Williams, Kevin Haley\r\nA Contrarian View on SolarWinds\r\nCobalt Strike Raindrop SUNBURST TEARDROP 2021-03-08 ⋅ Youtube (SANS Digital Forensics and Incident Response) ⋅\r\nAdam Pennington, Jen Burns, Katie Nickels\r\nSTAR Webcast: Making sense of SolarWinds through the lens of MITRE ATT\u0026CK(R)\r\nCobalt Strike SUNBURST TEARDROP 2021-03-04 ⋅ Microsoft ⋅ Andrea Lelli, Microsoft 365 Defender Threat Intelligence\r\nTeam, Microsoft Threat Intelligence Center (MSTIC), Ramin Nafisi\r\nGoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence\r\nSUNBURST TEARDROP UNC2452 2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike\r\n2021 Global Threat Report\r\nRansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide\r\nDoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker\r\nMespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT\r\nRagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST\r\nSunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER\r\nSOLAR SPIDER VIKING SPIDER 2021-02-16 ⋅ Accenture ⋅ Alexandrea Berninger\r\nHard lessons learned: Threat intel takeaways from the community response to Solarigate\r\nSUNBURST TEARDROP 2021-02-09 ⋅ Securehat ⋅ Securehat\r\nExtracting the Cobalt Strike Config from a TEARDROP Loader\r\nCobalt Strike TEARDROP 2021-02-08 ⋅ US-CERT ⋅ US-CERT\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.teardrop\r\nPage 1 of 3\n\nMalware Analysis Report (AR21-039B): MAR-10320115-1.v1 - TEARDROP\r\nTEARDROP 2021-01-20 ⋅ Microsoft ⋅ Microsoft 365 Defender Research Team, Microsoft Cyber Defense Operations Center (CDOC),\r\nMicrosoft Threat Intelligence Center (MSTIC)\r\nDeep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop\r\nCobalt Strike SUNBURST TEARDROP 2021-01-18 ⋅ Symantec ⋅ Threat Hunter Team\r\nRaindrop: New Malware Discovered in SolarWinds Investigation\r\nCobalt Strike Raindrop SUNBURST TEARDROP 2021-01-12 ⋅ BrightTALK (FireEye) ⋅ Ben Read, John Hultquist\r\nUNC2452: What We Know So Far\r\nCobalt Strike SUNBURST TEARDROP 2021-01-11 ⋅ SolarWinds ⋅ Sudhakar Ramakrishna\r\nNew Findings From Our Investigation of SUNBURST\r\nCobalt Strike SUNBURST TEARDROP 2021-01-04 ⋅ Twitter (@TheEnergyStory) ⋅ Dominik Reichel\r\nSome small detail on compiler used for TEARDROP\r\nTEARDROP 2021-01-01 ⋅ Symantec ⋅ Symantec Threat Hunter Team\r\nSupply Chain Attacks:Cyber Criminals Target the Weakest Link\r\nCobalt Strike Raindrop SUNBURST TEARDROP 2020-12-28 ⋅ Microsoft ⋅ Microsoft 365 Defender Team\r\nUsing Microsoft 365 Defender to protect against Solorigate\r\nSUNBURST TEARDROP 2020-12-24 ⋅ Twitter (@TheEnergyStory) ⋅ Dominik Reichel\r\nTweet on TEARDROP sample\r\nTEARDROP 2020-12-23 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42\r\nA Timeline Perspective of the SolarStorm Supply-Chain Attack\r\nSUNBURST TEARDROP 2020-12-22 ⋅ Checkpoint ⋅ Check Point Research\r\nSUNBURST, TEARDROP and the NetSec New Normal\r\nSUNBURST TEARDROP 2020-12-22 ⋅ Medium mitre-attack ⋅ Adam Pennington, Matt Malone\r\nIdentifying UNC2452-Related Techniques for ATT\u0026CK\r\nSUNBURST TEARDROP UNC2452 2020-12-21 ⋅ Microsoft ⋅ MSRC Team\r\nSolorigate Resource Center\r\nSUNBURST TEARDROP 2020-12-21 ⋅ Fortinet ⋅ Udi Yavo\r\nWhat We Have Learned So Far about the “Sunburst”/SolarWinds Hack\r\nCobalt Strike SUNBURST TEARDROP 2020-12-18 ⋅ Costin Raiu\r\nTweet from Costin Raiu about confirmed TEARDROP sample\r\nTEARDROP 2020-12-18 ⋅ Microsoft ⋅ Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Center (MSTIC)\r\nAnalyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft\r\nDefender helps protect customers\r\nSUNBURST SUPERNOVA TEARDROP UNC2452 2020-12-14 ⋅ Symantec ⋅ Threat Hunter Team\r\nSunburst: Supply Chain Attack Targets SolarWinds Users\r\nSUNBURST TEARDROP 2020-12-14 ⋅ Cisco Talos ⋅ Nick Biasini\r\nThreat Advisory: SolarWinds supply chain attack\r\nSUNBURST TEARDROP 2020-12-13 ⋅ FireEye ⋅ Alex Berry, Alex Pennino, Alyssa Rahman, Andrew Archer, Andrew Rector,\r\nAndrew Thompson, Barry Vengerik, Ben Read, Ben Withnell, Chris DiGiamo, Christopher Glyer, Dan Perez, Dileep Jallepalli, Doug\r\nBienstock, Eric Scales, Evan Reese, Fred House, Glenn Edwards, Ian Ahl, Isif Ibrahima, Jay Smith, John Gorman, John Hultquist, Jon\r\nLeathery, Lennard Galang, Marcin Siedlarz, Matt Dunwoody, Matthew McWhirt, Michael Sikorski, Microsoft, Mike Burns, Nalani\r\nFraiser, Nick Bennett, Nick Carr, Nick Hornick, Nick Richard, Nicole Oppenheim, Omer Baig, Ramin Nafisi, Sarah Jones, Scott\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.teardrop\r\nPage 2 of 3\n\nRunnels, Stephen Eckels, Steve Miller, Steve Stone, William Ballenthin\r\nHighly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With\r\nSUNBURST Backdoor\r\nSUNBURST SUPERNOVA TEARDROP UNC2452 2020-12-13 ⋅ Github (fireeye) ⋅ FireEye\r\nSUNBURST Countermeasures\r\nSUNBURST SUPERNOVA TEARDROP UNC2452 2020-01-22 ⋅ Thomas Barabosch\r\nThe malware analyst’s guide to PE timestamps\r\nAzorult Gozi IcedID ISFB LOLSnif SUNBURST TEARDROP\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.teardrop\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.teardrop\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.teardrop" ], "report_names": [ "win.teardrop" ], "threat_actors": [ { "id": "059b16f8-d4e0-4399-9add-18101a2fd298", "created_at": "2022-10-25T15:50:23.29434Z", "updated_at": "2026-04-10T02:00:05.380938Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "Evilnum" ], "source_name": "MITRE:Evilnum", "tools": [ "More_eggs", "EVILNUM", "LaZagne" ], "source_id": "MITRE", "reports": null }, { "id": "99d9dd87-91c3-4371-9943-0a1c9c3cd99c", "created_at": "2022-10-25T16:07:23.277763Z", "updated_at": "2026-04-10T02:00:04.514755Z", "deleted_at": null, "main_name": "Solar Spider", "aliases": [], "source_name": "ETDA:Solar Spider", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "6f37e16f-64b2-4b9c-b5b4-08d0884660eb", "created_at": "2022-10-25T16:07:24.380872Z", "updated_at": "2026-04-10T02:00:04.966462Z", "deleted_at": null, "main_name": "Viking Spider", "aliases": [], "source_name": "ETDA:Viking Spider", "tools": [ "Ragnar Locker", "RagnarLocker" ], "source_id": "ETDA", "reports": null }, { "id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba", "created_at": "2022-10-25T16:07:24.36191Z", "updated_at": "2026-04-10T02:00:04.954902Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "Dark Halo", "Nobelium", "SolarStorm", "StellarParticle", "UNC2452" ], "source_name": "ETDA:UNC2452", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "25758a84-d695-44e7-9cd5-3c6e999ce6c0", "created_at": "2023-01-06T13:46:39.237624Z", "updated_at": "2026-04-10T02:00:03.255835Z", "deleted_at": null, "main_name": "OUTLAW SPIDER", "aliases": [], "source_name": "MISPGALAXY:OUTLAW SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89", "created_at": "2022-10-25T15:50:23.739197Z", "updated_at": "2026-04-10T02:00:05.275809Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "UNC2452", "NOBELIUM", "StellarParticle", "Dark Halo" ], "source_name": "MITRE:UNC2452", "tools": [ "Sibot", "Mimikatz", "Cobalt Strike", "AdFind", "GoldMax" ], "source_id": "MITRE", "reports": null }, { "id": "80edca9f-dcd6-491e-92f3-87ad1f575631", "created_at": "2023-10-14T02:03:14.694988Z", "updated_at": "2026-04-10T02:00:05.021046Z", "deleted_at": null, "main_name": "NetSec", "aliases": [ "NetSec", "Operation Data Breach", "ScarFace_TheOne", "USDoD" ], "source_name": "ETDA:NetSec", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "38e9c8e3-38f8-4500-8c5c-8349b3e9a998", "created_at": "2023-01-06T13:46:39.207556Z", "updated_at": "2026-04-10T02:00:03.246557Z", "deleted_at": null, "main_name": "RIDDLE SPIDER", "aliases": [], "source_name": "MISPGALAXY:RIDDLE SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e227b757-7032-4a99-b119-1bfda2ebd543", "created_at": "2023-01-06T13:46:39.21663Z", "updated_at": "2026-04-10T02:00:03.248543Z", "deleted_at": null, "main_name": "SOLAR SPIDER", "aliases": [], "source_name": "MISPGALAXY:SOLAR SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e", "created_at": "2024-06-04T02:03:07.956135Z", "updated_at": "2026-04-10T02:00:03.689959Z", "deleted_at": null, "main_name": "IRON HEMLOCK", "aliases": [ "APT29 ", "ATK7 ", "Blue Kitsune ", "Cozy Bear ", "The Dukes", "UNC2452 ", "YTTRIUM " ], "source_name": "Secureworks:IRON HEMLOCK", "tools": [ "CosmicDuke", "CozyCar", "CozyDuke", "DiefenDuke", "FatDuke", "HAMMERTOSS", "LiteDuke", "MiniDuke", "OnionDuke", "PolyglotDuke", "RegDuke", "RegDuke Loader", "SeaDuke", "Sliver" ], "source_id": "Secureworks", "reports": null }, { "id": "b4ec06e5-60c9-4796-9f85-129c77d1652b", "created_at": "2023-01-06T13:46:39.21956Z", "updated_at": "2026-04-10T02:00:03.249407Z", "deleted_at": null, "main_name": "VIKING SPIDER", "aliases": [], "source_name": "MISPGALAXY:VIKING SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a241a1ca-2bc9-450b-a07b-aae747ee2710", "created_at": "2024-06-19T02:03:08.150052Z", "updated_at": "2026-04-10T02:00:03.737173Z", "deleted_at": null, "main_name": "IRON RITUAL", "aliases": [ "APT29", "Blue Dev 5 ", "BlueBravo ", "Cloaked Ursa ", "CozyLarch ", "Dark Halo ", "Midnight Blizzard ", "NOBELIUM ", "StellarParticle ", "UNC2452 " ], "source_name": "Secureworks:IRON RITUAL", "tools": [ "Brute Ratel C4", "Cobalt Strike", "EnvyScout", "GoldFinder", "GoldMax", "NativeZone", "RAINDROP", "SUNBURST", "Sibot", "TEARDROP", "VaporRage" ], "source_id": "Secureworks", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb", "created_at": "2023-01-06T13:46:38.393409Z", "updated_at": "2026-04-10T02:00:02.955738Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "Cloaked Ursa", "TA421", "Blue Kitsune", "BlueBravo", "IRON HEMLOCK", "G0016", "Nobelium", "Group 100", "YTTRIUM", "Grizzly Steppe", "ATK7", "ITG11", "COZY BEAR", "The Dukes", "Minidionis", "UAC-0029", "SeaDuke" ], "source_name": "MISPGALAXY:APT29", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd", "created_at": "2023-01-06T13:46:39.153487Z", "updated_at": "2026-04-10T02:00:03.232006Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "EvilNum", "Jointworm", "KNOCKOUT SPIDER", "DeathStalker", "TA4563" ], "source_name": "MISPGALAXY:Evilnum", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c240435e-8863-4e5b-9f47-20c6f5c52131", "created_at": "2022-10-25T16:07:23.253019Z", "updated_at": "2026-04-10T02:00:04.505012Z", "deleted_at": null, "main_name": "Outlaw Spider", "aliases": [], "source_name": "ETDA:Outlaw Spider", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "39ea99fb-1704-445d-b5cd-81e7c99d6012", "created_at": "2022-10-25T16:07:23.601894Z", "updated_at": "2026-04-10T02:00:04.684134Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "G0120", "Jointworm", "Operation Phantom in the [Command] Shell", "TA4563" ], "source_name": "ETDA:Evilnum", "tools": [ "Bypass-UAC", "Cardinal RAT", "ChromeCookiesView", "EVILNUM", "Evilnum", "IronPython", "LaZagne", "MailPassView", "More_eggs", "ProduKey", "PyVil", "PyVil RAT", "SONE", "SpicyOmelette", "StealerOne", "Taurus Loader Stealer Module", "Taurus Loader TeamViewer Module", "Terra Loader", "TerraPreter", "TerraStealer", "TerraTV" ], "source_id": "ETDA", "reports": null }, { "id": "70872c3a-e788-4b55-a7d6-b2df52001ad0", "created_at": "2023-01-06T13:46:39.18401Z", "updated_at": "2026-04-10T02:00:03.239111Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "DarkHalo", "StellarParticle", "NOBELIUM", "Solar Phoenix", "Midnight Blizzard" ], "source_name": "MISPGALAXY:UNC2452", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "e6148aa7-4347-4444-a2a0-dbbf7c0f121c", "created_at": "2022-10-25T16:07:24.12696Z", "updated_at": "2026-04-10T02:00:04.875073Z", "deleted_at": null, "main_name": "Riddle Spider", "aliases": [ "Avaddon Team" ], "source_name": "ETDA:Riddle Spider", "tools": [ "Avaddon" ], "source_id": "ETDA", "reports": null }, { "id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a", "created_at": "2022-10-25T15:50:23.548494Z", "updated_at": "2026-04-10T02:00:05.292748Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "APT29", "IRON RITUAL", "IRON HEMLOCK", "NobleBaron", "Dark Halo", "NOBELIUM", "UNC2452", "YTTRIUM", "The Dukes", "Cozy Bear", "CozyDuke", "SolarStorm", "Blue Kitsune", "UNC3524", "Midnight Blizzard" ], "source_name": "MITRE:APT29", "tools": [ "PinchDuke", "ROADTools", "WellMail", "CozyCar", "Mimikatz", "Tasklist", "OnionDuke", "FatDuke", "POSHSPY", "EnvyScout", "SoreFang", "GeminiDuke", "reGeorg", "GoldMax", "FoggyWeb", "SDelete", "PolyglotDuke", "AADInternals", "MiniDuke", "SeaDuke", "Sibot", "RegDuke", "CloudDuke", "GoldFinder", "AdFind", "PsExec", "NativeZone", "Systeminfo", "ipconfig", "Impacket", "Cobalt Strike", "PowerDuke", "QUIETEXIT", "HAMMERTOSS", "BoomBox", "CosmicDuke", "WellMess", "VaporRage", "LiteDuke" ], "source_id": "MITRE", "reports": null }, { "id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270", "created_at": "2022-10-25T16:07:23.341684Z", "updated_at": "2026-04-10T02:00:04.549917Z", "deleted_at": null, "main_name": "APT 29", "aliases": [ "APT 29", "ATK 7", "Blue Dev 5", "BlueBravo", "Cloaked Ursa", "CloudLook", "Cozy Bear", "Dark Halo", "Earth Koshchei", "G0016", "Grizzly Steppe", "Group 100", "ITG11", "Iron Hemlock", "Iron Ritual", "Midnight Blizzard", "Minidionis", "Nobelium", "NobleBaron", "Operation Ghost", "Operation Office monkeys", "Operation StellarParticle", "SilverFish", "Solar Phoenix", "SolarStorm", "StellarParticle", "TEMP.Monkeys", "The Dukes", "UNC2452", "UNC3524", "Yttrium" ], "source_name": "ETDA:APT 29", "tools": [ "7-Zip", "ATI-Agent", "AdFind", "Agentemis", "AtNow", "BEATDROP", "BotgenStudios", "CEELOADER", "Cloud Duke", "CloudDuke", "CloudLook", "Cobalt Strike", "CobaltStrike", "CosmicDuke", "Cozer", "CozyBear", "CozyCar", "CozyDuke", "Danfuan", "EnvyScout", "EuroAPT", "FatDuke", "FoggyWeb", "GeminiDuke", "Geppei", "GoldFinder", "GoldMax", "GraphDrop", "GraphicalNeutrino", "GraphicalProton", "HAMMERTOSS", "HammerDuke", "LOLBAS", "LOLBins", "LiteDuke", "Living off the Land", "MagicWeb", "Mimikatz", "MiniDionis", "MiniDuke", "NemesisGemina", "NetDuke", "OnionDuke", "POSHSPY", "PinchDuke", "PolyglotDuke", "PowerDuke", "QUIETEXIT", "ROOTSAW", "RegDuke", "Rubeus", "SNOWYAMBER", "SPICYBEAT", "SUNSHUTTLE", "SeaDaddy", "SeaDask", "SeaDesk", "SeaDuke", "Sharp-SMBExec", "SharpView", "Sibot", "Solorigate", "SoreFang", "TinyBaron", "WINELOADER", "WellMail", "WellMess", "cobeacon", "elf.wellmess", "reGeorg", "tDiscoverer" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434305, "ts_updated_at": 1775826778, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/04c3f2e39a53a15e6d9ac0f7af5ae212e3fe42fa.pdf", "text": "https://archive.orkl.eu/04c3f2e39a53a15e6d9ac0f7af5ae212e3fe42fa.txt", "img": "https://archive.orkl.eu/04c3f2e39a53a15e6d9ac0f7af5ae212e3fe42fa.jpg" } }