{
	"id": "2346931b-ef16-4fc2-aafc-c0920478de1e",
	"created_at": "2026-04-06T00:15:27.725774Z",
	"updated_at": "2026-04-10T13:12:54.28939Z",
	"deleted_at": null,
	"sha1_hash": "04d51843e390c18fd41214130931ce897aa16a3f",
	"title": "StrongPity espionage campaign targeting Android users",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 988007,
	"plain_text": "StrongPity espionage campaign targeting Android users\r\nBy Lukas Stefanko\r\nArchived: 2026-04-05 21:18:37 UTC\r\nESET researchers identified an active campaign that we have attributed to the StrongPity APT group. Active since\r\nNovember 2021, the campaign has distributed a malicious app through a website impersonating Shagle – a random-video-chat service that provides encrypted communications between strangers. Unlike the entirely web-based, genuine Shagle site\r\nthat doesn’t offer an official mobile app to access its services, the copycat site only provides an Android app to download\r\nand no web-based streaming is possible.\r\nKey points of the blogpost:\r\nOnly one other Android campaign has been previously attributed to StrongPity.\r\nThis is the first time that the described modules and their functionality have been documented publicly.\r\nA copycat website, mimicking the Shagle service, is used to distribute StrongPity’s mobile backdoor app.\r\nThe app is a modified version of the open-source Telegram app, repackaged with StrongPity backdoor code.\r\nBased on similarities with previous StrongPity backdoor code and the app being signed with a certificate from an\r\nearlier StrongPity campaign, we attribute this threat to the StrongPity APT group.\r\nStrongPity’s backdoor is modular, where all necessary binary modules are encrypted using AES and downloaded\r\nfrom its C\u0026C server, and has various spying features.\r\nThe malicious app is, in fact, a fully functional but trojanized version of the legitimate Telegram app, however, presented as\r\nthe non-existent Shagle app. We will refer to it as the fake Shagle app, the trojanized Telegram app, or the StrongPity\r\nbackdoor in the rest of this blogpost. 
ESET products detect this threat as Android/StrongPity.A.\r\nThis StrongPity backdoor has various spying features: its 11 dynamically triggered modules are responsible for recording\r\nphone calls, collecting SMS messages, lists of call logs, contact lists, and much more. These modules are being documented\r\nfor the very first time. If the victim grants the malicious StrongPity app accessibility services, one of its modules will also\r\nhave access to incoming notifications and will be able to exfiltrate communication from 17 apps such as Viber, Skype,\r\nGmail, Messenger as well as Tinder.\r\nThe campaign is likely very narrowly targeted, since ESET telemetry still doesn’t identify any victims. During our research,\r\nthe analyzed version of malware available from the copycat website was not active anymore and it was no longer possible to\r\nsuccessfully install it and trigger its backdoor functionality because StrongPity hasn’t obtained its own API ID for its\r\ntrojanized Telegram app. But that might change at any time should the threat actor decide to update the malicious app.\r\nOverview\r\nThis StrongPity campaign centers around an Android backdoor delivered from a domain containing the word “dutch”. This\r\nwebsite impersonates the legitimate service named Shagle at shagle.com. In Figure 1 you can see the home pages of both\r\nwebsites. The malicious app is provided directly from the impersonating website and has never been made available from\r\nthe Google Play store. It is a trojanized version of the legitimate Telegram app, presented as if it were the Shagle app,\r\nalthough there is currently no official Shagle Android app.\r\nhttps://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/\r\nPage 1 of 14\n\nFigure 1. 
Comparing the legitimate website on the left and the copycat on the right\r\nAs you can see in Figure 2, the HTML code of the fake site includes evidence that it was copied from the legitimate\r\nshagle.com site on November 1st, 2021, using the automated tool HTTrack. The malicious domain was registered on the\r\nsame day, so the copycat site and the fake Shagle app may have been available for download since that date.\r\nFigure 2. Logs generated by the HTTrack tool recorded in the fake website’s HTML code\r\nVictimology\r\nOn July 18th, 2022, one of our YARA rules at VirusTotal was triggered when a malicious app and a link to a website\r\nmimicking shagle.com were uploaded. At the same time, we were notified on Twitter about that sample, although it was\r\nmistakenly attributed to Bahamut. ESET telemetry data still does not identify any victims, suggesting the campaign is likely\r\nto have been narrowly targeted.\r\nAttribution\r\nThe APK distributed by the copycat Shagle website is signed with the same code-signing certificate (see Figure 3) as a\r\ntrojanized Syrian e-gov app discovered in 2021 by Trend Micro, which was also attributed to StrongPity.\r\nFigure 3. This certificate signed the fake Shagle app and the trojanized Syrian e-gov app\r\nMalicious code in the fake Shagle app was seen in the previous mobile campaign by StrongPity, and implements a simple,\r\nbut functional, backdoor. We have seen this code being used only in campaigns conducted by StrongPity. In Figure 4 you\r\ncan see some of the added malicious classes with many of the obfuscated names even being the same in the code from both\r\ncampaigns.\r\nFigure 4. 
Class name comparison of the trojanized Syrian e-gov app (left) and the trojanized Telegram app (right)\r\nComparing the backdoor code from this campaign to that from the trojanized Syrian e-gov app (SHA-1:\r\n5A5910C2C9180382FCF7A939E9909044F0E8918B), it has extended functionality but with the same code being used to\r\nprovide similar functions. In Figure 5 and Figure 6 you can compare the code from both samples that is responsible for\r\nsending messages between components. These messages are responsible for triggering the backdoor’s malicious behavior.\r\nHence, we strongly believe that the fake Shagle app is linked to the StrongPity group.\r\nFigure 5. Message dispatcher responsible for triggering malicious functionality in the trojanized Syrian e-gov app\r\nFigure 6. Message dispatcher responsible for triggering malicious functionality in the fake Shagle app\r\nTechnical analysis\r\nInitial access\r\nAs described in the Overview section of this blogpost, the fake Shagle app has been hosted at the Shagle copycat website,\r\nfrom which victims had to choose to download and install the app. There was no subterfuge suggesting the app was\r\navailable from Google Play and we do not know how potential victims were lured to, or otherwise discovered, the fake\r\nwebsite.\r\nToolset\r\nAccording to the description on the copycat website, the app is free and intended to be used to meet and chat with new\r\npeople. However, the downloaded app is a maliciously patched Telegram app, specifically Telegram version 7.5.0 (22467),\r\nwhich was available for download around February 25th, 2022.\r\nThe repackaged version of Telegram uses the same package name as the legitimate Telegram app. Package names are\r\nsupposed to be unique IDs for each Android app and must be unique on any given device. 
This means that if the official\r\nTelegram app is already installed on the device of a potential victim, then this backdoored version can’t be installed; see\r\nFigure 7. This might mean one of two things – either the threat actor first communicates with potential victims and pushes\r\nthem to uninstall Telegram from their devices if it is installed, or the campaign focuses on countries where Telegram usage is\r\nrare for communication.\r\nFigure 7. If the official Telegram app is already installed on the device, the trojanized version cannot be successfully\r\ninstalled\r\nStrongPity’s trojanized Telegram app should have worked just as the official version does for communication, using\r\nstandard APIs that are well documented on the Telegram website – but the app doesn’t work anymore, so we're unable to\r\ncheck.\r\nDuring our research, the current version of malware available from the copycat website was not active anymore and it was\r\nno longer possible to successfully install it and trigger its backdoor functionality. When we tried to sign up using our phone\r\nnumber, the repackaged Telegram app couldn’t obtain the API ID from the server, and hence did not work properly. As seen\r\nin Figure 8, the app displayed an API_ID_PUBLISHED_FLOOD error.\r\nFigure 8. Error displayed during sign-up using phone number\r\nBased on Telegram’s error documentation, it seems that StrongPity hasn’t obtained its own API ID. Instead, it has used the\r\nsample API ID included in Telegram’s open-source code for initial testing purposes. Telegram monitors API ID usage and\r\nlimits the sample API ID, so its use in a released app results in the error seen in Figure 8. 
Because of the error, it is not\r\npossible to sign up and use the app or trigger its malicious functionality anymore. This might mean that StrongPity operators\r\ndidn’t think this through, or perhaps there was enough time to spy on victims between publishing the app and it being\r\ndeactivated by Telegram for API ID overuse. Since no new and working version of the app was ever made available through\r\nthe website, it might suggest that StrongPity successfully deployed the malware to its desired targets.\r\nAs a result, the fake Shagle app available on the fake website at the time of our research was not active anymore. However,\r\nthis might change anytime should the threat actors decide to update the malicious app.\r\nComponents of, and permissions required by, the StrongPity backdoor code are appended to the Telegram app’s\r\nAndroidManifest.xml file. As can be seen in Figure 9, this makes it easy to see what permissions are necessary for the\r\nmalware.\r\nFigure 9. AndroidManifest.xml with components and permissions of the StrongPity backdoor highlighted\r\nFrom the Android manifest we can see that malicious classes were added in the org.telegram.messenger package to appear\r\nas part of the original app.\r\nThe initial malicious functionality is triggered by one of three broadcast receivers that are executed after defined actions –\r\nBOOT_COMPLETED, BATTERY_LOW, or USER_PRESENT. After the first start, it dynamically registers additional\r\nbroadcast receivers to monitor SCREEN_ON, SCREEN_OFF, and CONNECTIVITY_CHANGE events. The fake Shagle\r\napp then uses IPC (interprocess communication) to communicate between its components to trigger various actions. 
It\r\ncontacts the C\u0026C server using HTTPS to send basic information about the compromised device and receives an AES-encrypted file containing 11 binary modules that will be dynamically executed by the parent app; see Figure 10. As seen in\r\nFigure 11, these modules are stored in the app’s internal storage, /data/user/0/org.telegram.messenger/files/.li/.\r\nFigure 10. StrongPity backdoor receives an encrypted file that contains executable modules\r\nFigure 11. Modules received from the server stored in the StrongPity backdoor’s internal storage\r\nEach module is responsible for different functionality. The list of the module names is stored in local shared preferences in\r\nthe sharedconfig.xml file; see Figure 12.\r\nModules are dynamically triggered by the parent app whenever necessary. Each module has its own module name and is\r\nresponsible for different functionality such as:\r\nlibarm.jar (cm module) – records phone calls\r\nlibmpeg4.jar (nt module) – collects text of incoming notification messages from 17 apps\r\nlocal.jar (fm/fp module) – collects file list (file tree) on the device\r\nphone.jar (ms module) – misuses accessibility services to spy on messaging apps by exfiltrating contact name, chat\r\nmessage, and date\r\nresources.jar (sm module) – collects SMS messages stored on the device\r\nservices.jar (lo module) – obtains device location\r\nsystemui.jar (sy module) – collects device and system information\r\ntimer.jar (ia module) – collects a list of installed apps\r\ntoolkit.jar (cn module) – collects contact list\r\nwatchkit.jar (ac module) – collects a list of device accounts\r\nwearkit.jar (cl module) – collects a list of call logs\r\nFigure 12. 
List of modules used by the StrongPity backdoor\r\nAll obtained data is stored in the clear in /data/user/0/org.telegram.messenger/databases/outdata, before being encrypted\r\nusing AES and sent to the C\u0026C server, as you can see in Figure 13.\r\nFigure 13. Encrypted user data exfiltrated to the C\u0026C server\r\nThis StrongPity backdoor has extended spying features compared to the first StrongPity version discovered for mobile. It\r\ncan request the victim to activate accessibility services and gain notification access; see Figure 14. If the victim enables\r\nthem, the malware will spy on incoming notifications and misuse accessibility services to exfiltrate chat communication\r\nfrom other apps.\r\nFigure 14. Malware requests, from the victim, notification access and accessibility services\r\nWith notification access, the malware can read received notification messages coming from 17 targeted apps. 
Here is a list\r\nof their package names:\r\nMessenger (com.facebook.orca)\r\nMessenger Lite (com.facebook.mlite)\r\nViber - Safe Chats And Calls (com.viber.voip)\r\nSkype (com.skype.raider)\r\nLINE: Calls \u0026 Messages (jp.naver.line.android)\r\nKik — Messaging \u0026 Chat App (kik.android)\r\ntango-live stream \u0026 video chat (com.sgiggle.production)\r\nHangouts (com.google.android.talk)\r\nTelegram (org.telegram.messenger)\r\nWeChat (com.tencent.mm)\r\nSnapchat (com.snapchat.android)\r\nTinder (com.tinder)\r\nHike News \u0026 Content (com.bsb.hike)\r\nInstagram (com.instagram.android)\r\nTwitter (com.twitter.android)\r\nGmail (com.google.android.gm)\r\nimo-International Calls \u0026 Chat (com.imo.android.imoim)\r\nIf the device is already rooted, the malware silently tries to grant permissions to WRITE_SETTINGS,\r\nWRITE_SECURE_SETTINGS, REBOOT, MOUNT_FORMAT_FILESYSTEMS, MODIFY_PHONE_STATE,\r\nPACKAGE_USAGE_STATS, READ_PRIVILEGED_PHONE_STATE, to enable accessibility services, and to grant\r\nnotification access. The StrongPity backdoor then tries to disable the SecurityLogAgent app\r\n(com.samsung.android.securitylogagent), which is an official system app that helps protect the security of Samsung devices,\r\nand disables all app notifications coming from the malware itself that might be displayed to the victim in the future in case\r\nof app errors, crashes, or warnings. The StrongPity backdoor does not itself try to root a device.\r\nThe AES algorithm uses CBC mode and hardcoded keys to decrypt the downloaded modules:\r\nAES key – aaaanothingimpossiblebbb\r\nAES IV – aaaanothingimpos\r\nConclusion\r\nThe mobile campaign operated by the StrongPity APT group impersonated a legitimate service to distribute its Android\r\nbackdoor. 
StrongPity repackaged the official Telegram app to include a variant of the group’s backdoor code.\r\nThat malicious code, its functionality, class names, and the certificate used to sign the APK file, are the same as from the\r\nprevious campaign; thus we believe with high confidence that this operation belongs to the StrongPity group.\r\nAt the time of our research, the sample that was available on the copycat website was disabled due to the\r\nAPI_ID_PUBLISHED_FLOOD error, which results in malicious code not being triggered and potential victims possibly\r\nremoving the non-working app from their devices.\r\nCode analysis reveals that the backdoor is modular and additional binary modules are downloaded from the C\u0026C server.\r\nThis means that the number and type of modules used can be changed at any time to fit the campaign requests when\r\noperated by the StrongPity group.\r\nBased on our analysis, this appears to be the second version of StrongPity’s Android malware; compared to its first version,\r\nit also misuses accessibility services and notification access, stores collected data in a local database, tries to execute su\r\ncommands, and for most of the data collection uses downloaded modules.\r\nESET Research also offers private APT intelligence reports and data feeds. 
For any inquiries about this service, visit\r\nthe ESET Threat Intelligence page.\r\nIoCs\r\nFiles\r\nSHA-1 | File name | ESET detection name | Description\r\n50F79C7DFABECF04522AEB2AC987A800AB5EC6D7 | video.apk | Android/StrongPity.A | StrongPity backdoor (legitimate Telegram app repackaged with malicious code).\r\n77D6FE30DAC41E1C90BDFAE3F1CFE7091513FB91 | libarm.jar | Android/StrongPity.A | StrongPity mobile module responsible for recording phone calls.\r\n5A15F516D5C58B23E19D6A39325B4B5C5590BDE0 | libmpeg4.jar | Android/StrongPity.A | StrongPity mobile module responsible for collecting text of received notifications.\r\nD44818C061269930E50868445A3418A0780903FE | local.jar | Android/StrongPity.A | StrongPity mobile module responsible for collecting a file list on the device.\r\nF1A14070D5D50D5A9952F9A0B4F7CA7FED2199EE | phone.jar | Android/StrongPity.A | StrongPity mobile module responsible for misusing accessibility services on other apps.\r\n3BFAD08B9AC63AF5ECF9AA59265ED24D0C76D91E | resources.jar | Android/StrongPity.A | StrongPity mobile module responsible for collecting SMS messages stored on the device.\r\n5127E75A8FAF1A92D5BD0029AF21548AFA06C1B7 | services.jar | Android/StrongPity.A | StrongPity mobile module responsible for obtaining device location.\r\nBD40DF3AD0CE0E91ACCA9488A2FE5FEEFE6648A0 | systemui.jar | Android/StrongPity.A | StrongPity mobile module responsible for collecting device and system information.\r\nED02E16F0D57E4AD2D58F95E88356C17D6396658 | timer.jar | Android/StrongPity.A | StrongPity mobile module responsible for collecting a list of installed apps.\r\nF754874A76E3B75A5A5C7FE849DDAE318946973B | toolkit.jar | Android/StrongPity.A | StrongPity mobile module responsible for collecting the contacts list.\r\nE46B76CADBD7261FE750DBB9B0A82F262AFEB298 | watchkit.jar | Android/StrongPity.A | StrongPity mobile module responsible for collecting a list of device accounts.\r\nD9A71B13D3061BE12EE4905647DDC2F1189F00DE | wearkit.jar | Android/StrongPity.A | StrongPity mobile module responsible for collecting a list of call logs.\r\nNetwork\r\nIP | Provider | First seen | Details\r\n141.255.161[.]185 | NameCheap | 2022-07-28 | intagrefedcircuitchip[.]com C\u0026C\r\n185.12.46[.]138 | Porkbun | 2020-04-21 | networksoftwaresegment[.]com C\u0026C\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 12 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nPersistence | T1398 | Boot or Logon Initialization Scripts | The StrongPity backdoor receives the BOOT_COMPLETED broadcast intent to activate at device startup.\r\nPersistence | T1624.001 | Event Triggered Execution: Broadcast Receivers | The StrongPity backdoor functionality is triggered if one of these events occurs: BATTERY_LOW, USER_PRESENT, SCREEN_ON, SCREEN_OFF, or CONNECTIVITY_CHANGE.\r\nDefense Evasion | T1407 | Download New Code at Runtime | The StrongPity backdoor can download and execute additional binary modules.\r\nDefense Evasion | T1406 | Obfuscated Files or Information | The StrongPity backdoor uses AES encryption to obfuscate downloaded modules and to hide strings in its APK.\r\nDefense Evasion | T1628.002 | Hide Artifacts: User Evasion | The StrongPity backdoor can disable all app notifications coming from the malware itself to hide its presence.\r\nDefense Evasion | T1629.003 | Impair Defenses: Disable or Modify Tools | If the StrongPity backdoor has root it disables SecurityLogAgent (com.samsung.android.securitylogagent) if present.\r\nDiscovery | T1420 | File and Directory Discovery | The StrongPity backdoor can list available files on external storage.\r\nDiscovery | T1418 | Software Discovery | The StrongPity backdoor can obtain a list of installed applications.\r\nDiscovery | T1422 | System Network Configuration Discovery | The StrongPity backdoor can extract IMEI, IMSI, IP address, phone number, and country.\r\nDiscovery | T1426 | System Information Discovery | The StrongPity backdoor can extract information about the device including type of internet connection, SIM serial number, device ID, and common system information.\r\nCollection | T1417.001 | Input Capture: Keylogging | The StrongPity backdoor logs keystrokes in chat messages and call data from targeted apps.\r\nCollection | T1517 | Access Notifications | The StrongPity backdoor can collect notification messages from 17 targeted apps.\r\nCollection | T1532 | Archive Collected Data | The StrongPity backdoor encrypts exfiltrated data using AES.\r\nCollection | T1430 | Location Tracking | The StrongPity backdoor tracks device location.\r\nCollection | T1429 | Audio Capture | The StrongPity backdoor can record phone calls.\r\nCollection | T1513 | Screen Capture | The StrongPity backdoor can record device screen using the MediaProjectionManager API.\r\nCollection | T1636.002 | Protected User Data: Call Logs | The StrongPity backdoor can extract call logs.\r\nCollection | T1636.003 | Protected User Data: Contact List | The StrongPity backdoor can extract the device’s contact list.\r\nCollection | T1636.004 | Protected User Data: SMS Messages | The StrongPity backdoor can extract SMS messages.\r\nCommand and Control | T1437.001 | Application Layer Protocol: Web Protocols | The StrongPity backdoor uses HTTPS to communicate with its C\u0026C server.\r\nCommand and Control | T1521.001 | Encrypted Channel: Symmetric Cryptography | The StrongPity backdoor uses AES to encrypt its communication.\r\nExfiltration | T1646 | Exfiltration Over C2 Channel | The StrongPity backdoor exfiltrates data using HTTPS.\r\nSource: https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"
	],
	"report_names": [
		"strongpity-espionage-campaign-targeting-android-users"
	],
	"threat_actors": [
		{
			"id": "732bfd4b-8c15-42a5-ac4b-14a9a4b902e9",
			"created_at": "2022-10-25T16:07:23.38079Z",
			"updated_at": "2026-04-10T02:00:04.574399Z",
			"deleted_at": null,
			"main_name": "Bahamut",
			"aliases": [],
			"source_name": "ETDA:Bahamut",
			"tools": [
				"Bahamut",
				"DownPaper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67fbc7d7-ba8e-4258-b53c-9a5d755e1960",
			"created_at": "2022-10-25T16:07:24.077859Z",
			"updated_at": "2026-04-10T02:00:04.860725Z",
			"deleted_at": null,
			"main_name": "Promethium",
			"aliases": [
				"APT-C-41",
				"G0056",
				"Magenta Dust",
				"Promethium",
				"StrongPity"
			],
			"source_name": "ETDA:Promethium",
			"tools": [
				"StrongPity",
				"StrongPity2",
				"StrongPity3",
				"Truvasys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f99641e0-2688-47b0-97bc-7410659d49a0",
			"created_at": "2023-01-06T13:46:38.802141Z",
			"updated_at": "2026-04-10T02:00:03.106084Z",
			"deleted_at": null,
			"main_name": "Bahamut",
			"aliases": [],
			"source_name": "MISPGALAXY:Bahamut",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cbede712-4cc3-47c6-bf78-92fd9f1beac6",
			"created_at": "2022-10-25T15:50:23.777222Z",
			"updated_at": "2026-04-10T02:00:05.399303Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"PROMETHIUM",
				"StrongPity"
			],
			"source_name": "MITRE:PROMETHIUM",
			"tools": [
				"Truvasys",
				"StrongPity"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4660477f-333f-4a18-b49b-0b4d7c66d482",
			"created_at": "2023-01-06T13:46:38.511962Z",
			"updated_at": "2026-04-10T02:00:03.007466Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"StrongPity",
				"G0056"
			],
			"source_name": "MISPGALAXY:PROMETHIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ada9e5d3-1cb2-4b70-a3c8-96808c304ac8",
			"created_at": "2022-10-25T15:50:23.6515Z",
			"updated_at": "2026-04-10T02:00:05.352078Z",
			"deleted_at": null,
			"main_name": "Windshift",
			"aliases": [
				"Windshift",
				"Bahamut"
			],
			"source_name": "MITRE:Windshift",
			"tools": [
				"WindTail"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434527,
	"ts_updated_at": 1775826774,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/04d51843e390c18fd41214130931ce897aa16a3f.pdf",
		"text": "https://archive.orkl.eu/04d51843e390c18fd41214130931ce897aa16a3f.txt",
		"img": "https://archive.orkl.eu/04d51843e390c18fd41214130931ce897aa16a3f.jpg"
	}
}