{
	"id": "88680932-ffd5-426e-a710-7574902859f6",
	"created_at": "2026-04-06T00:10:14.830017Z",
	"updated_at": "2026-04-10T03:38:19.932493Z",
	"deleted_at": null,
	"sha1_hash": "06fe3d3992d1fb252bb8cbc53493233d5c7adabe",
	"title": "Stealing the LIGHTSHOW (Part Two) — LIGHTSHIFT and LIGHTSHOW | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2001101,
	"plain_text": "Stealing the LIGHTSHOW (Part Two) — LIGHTSHIFT and LIGHTSHOW | Mandiant\r\nBy Mandiant\r\nPublished: 2023-03-09 · Archived: 2026-04-02 11:52:25 UTC\r\nWritten by: Mandiant Intelligence and Consulting\r\nIn part one on North Korea's UNC2970, we covered UNC2970’s tactics, techniques and procedures (TTPs) and the tooling they used over the course of multiple intrusions. In this installment, we will focus on how UNC2970 utilized Bring Your Own Vulnerable Device (BYOVD) to further enable their operations.\r\nDuring our investigation, Mandiant consultants identified that most of the originally compromised hosts targeted by UNC2970 contained the file %temp%\\_SB_SMBUS_SDK.dll and suspicious drivers, created on disk at around the same time.\r\nAt the time Mandiant initially identified these files, we were unable to determine how they were dropped or their exact purpose. It wasn't until later in the investigation, during analysis of a forensic image, that the pieces started falling into place. A consultant noticed multiple keyword references to the file C:\\ProgramData\\USOShared\\Share.DAT (MD5: def6f91614cb47888f03658b28a1bda6). On initial inspection of the forensic image, this file was no longer on disk. However, Mandiant was able to recover the original file, and initial analysis of the sample found that Share.DAT was an XORed data blob, encoded with the XOR key 0x59.\r\nThe decoded payload (MD5: 9176f177bd88686c6beb29d8bb05f20c), referred to by Mandiant as LIGHTSHIFT, is an in-memory-only dropper. The LIGHTSHIFT dropper delivers a payload (MD5: ad452d161782290ad5004b2c9497074f) that Mandiant refers to as LIGHTSHOW. Once LIGHTSHOW is loaded into memory, LIGHTSHIFT invokes its exports Create and then Close, in that order. The return value of Close is written as a hex-formatted address to the file C:\\Windows\\windows.ini.\r\nhttps://www.mandiant.com/resources/blog/lightshift-and-lightshow\r\nPage 1 of 7\n\nFigure 1: LIGHTSHIFT preparing to load LIGHTSHOW\r\nLIGHTSHOW is a utility that makes use of two primary anti-analysis techniques to hinder both dynamic and static analysis. To deter static analysis, LIGHTSHOW was observed packed with VMProtect. To thwart dynamic analysis, LIGHTSHOW is targeted to a specific host and requires a specific SHA256 hash corresponding to a specific computer name, or the sample will not fully execute. Once FLARE completed the analysis of LIGHTSHOW, we were able to understand how the files %temp%\\_SB_SMBUS_SDK.dll and the drivers were created on disk.\r\nLIGHTSHOW is a utility that was used by UNC2970 to manipulate kernel data structures and represents an advancement in DPRK’s capabilities to evade detection. To accomplish this, LIGHTSHOW drops a legitimate version of a driver with known vulnerabilities (SHA256: 175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347) to C:\\Windows\\System32\\Drivers with one of the following names chosen at random and appended with mgr:\r\ncirclass\r\ndmvsc\r\nhidir\r\nisapnp\r\numpass\r\nLIGHTSHOW then creates a registry key under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\ named after the chosen filename without the appended mgr. Under that key it creates a registry value named ImagePath, which points to the path of the driver. The sample then loads the driver using NtLoadDriver. LIGHTSHOW drops and loads a dummy DLL, %temp%\\_SB_SMBUS_SDK.dll, to register itself with the driver as a legitimate caller.\r\nUsing the vulnerable driver, LIGHTSHOW can perform arbitrary read and write operations on kernel memory. LIGHTSHOW uses this read/write primitive to patch kernel routines related to the facilities that Endpoint Detection and Response (EDR) software may rely on, enabling evasion of that EDR software. After the read and write operations to kernel memory, the sample unloads and deletes %temp%\\\u003crandom\u003e_SB_SMBUS_SDK.dll.\r\nExamining the chain of execution, we see further obfuscation techniques being employed in LIGHTSHOW. UNC2970 makes a concerted effort towards obfuscation and employs multiple methods to do this throughout the entire chain of delivery and execution.\r\nFigure 2: LIGHTSHOW Obfuscation\r\nLIGHTSHOW is another example of tooling that looks to capitalize on the BYOVD technique. BYOVD is a technique that abuses legitimate and trusted, but vulnerable, drivers to bypass kernel-level protections. This technique has been utilized by adversaries ranging from financially motivated actors, such as UNC3944, to espionage actors like UNC2970, which shows its usefulness during intrusion operations. AhnLab recently released a report on activity tracked as Lazarus Group that focused largely on the use of BYOVD. While Mandiant did not observe the hashes included in the AhnLab report, the use of SB_SMBUS_SDK.dll as well as other similarities, such as the exported functions Create and Close, indicate an overlap between the activity detailed in this blog post and that detailed by AhnLab.\r\nThroughout several incidents we responded to in 2022 that involved UNC2970, we observed them utilizing a small set of vulnerable drivers, including the Dell DBUtil 2.3 and the ENE Technology device drivers. UNC2970 utilized both of these drivers in an attempt to evade detection. These two drivers, and many more, are found in the Kernel Driver Utility (KDU) toolkit. With this in mind, it is likely that we will continue to see UNC2970 abuse vulnerable drivers from other vendors.\r\nMandiant has worked to detect and mitigate BYOVD techniques for a number of years and has worked closely with industry allies to report vulnerabilities when discovered. During research being carried out on UNC2970, we discovered a vulnerable driver that the actor had access to but did not know was vulnerable, essentially making it a 0-day in the wild that was not being actively exploited. This was verified through our Offensive Task Force, who subsequently notified the affected organization and reported the vulnerability to MITRE, which assigned it CVE-2022-42455.\r\nOutlook and Implications\r\nMandiant continues to observe multiple threat actors utilizing BYOVD during intrusion operations. Because this TTP provides adversaries an effective means to bypass and neutralize EDR, we assess that it will continue to be utilized and adapted into actor tooling. The continued targeting of security researchers by UNC2970 also provides an interesting way for the group to potentially continue expanding their toolset to gain an upper hand with BYOVD.\r\nMitigations\r\nBecause attestation signing is a legitimate Microsoft program and the resulting drivers are signed with Microsoft certificates, execution-time detection is much more difficult, as most EDR tools and anti-virus products will allow binaries signed with Microsoft certificates to load. The recent blog post released by Mandiant on UNC3944 driver operations details multiple techniques that organizations can use to hunt for the abuse of attestation signing. If you haven't already, don't forget to read part one on North Korea's UNC2970. Additionally, Microsoft recently released a report detailing how organizations can harden their environment against potentially vulnerable third-party drivers.\r\nIndicators of Compromise\r\nIndicator | Description\r\ndef6f91614cb47888f03658b28a1bda6 (MD5) | XOR’d LIGHTSHIFT\r\n9176f177bd88686c6beb29d8bb05f20c (MD5) | LIGHTSHIFT\r\nad452d161782290ad5004b2c9497074f (MD5) | LIGHTSHOW\r\n7e6e2ed880c7ab115fca68136051f9ce (MD5) | ENE Driver\r\nSB_SMBUS_SDK.dll | LIGHTSHOW Dummy DLL\r\nC:\\Windows\\windows.ini | LIGHTSHIFT Output\r\nSignatures\r\nLIGHTSHIFT\r\nrule M_Code_LIGHTSHIFT\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Hunting rule for LIGHTSHIFT\"\r\n        sha256 = \"ce501fd5c96223fb17d3fed0da310ea121ad83c463849059418639d211933aa4\"\r\n    strings:\r\n        $p00_0 = {488b7c24??448d40??48037c24??488bcfff15[4]817c24[5]74??488b4b??33d2}\r\n        $p00_1 = {498d7c01??8b47??85c075??496345??85c07e??8b0f41b9}\r\n    condition:\r\n        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and\r\n        (\r\n            ($p00_0 in (750..11000) and $p00_1 in (0..8200))\r\n        )\r\n}\r\nLIGHTSHOW\r\nrule M_Code_LIGHTSHOW\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        description = \"Hunting rule for LIGHTSHOW.\"\r\n        md5 = \"ee5057da3e38b934dae15644c6eb24507fb5a187630c75725075b24a70065452\"\r\n    strings:\r\n        $E01 = { 46 75 64 4d 6f 64 75 6c 65 2e 64 6c 6c }\r\n        $I01 = { 62 63 72 79 70 74 2e 64 6c 6c }\r\n        $I02 = { 4b 45 52 4e 45 4c 33 32 2e 64 6c 6c }\r\n        $I03 = { 75 73 65 72 33 32 2e 64 6c 6c 00 }\r\n        $H1 = { 4D 5A 90 00 }\r\n        $H2 = { 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F }\r\n        $F01 = { 47 65 74 4d 6f 64 75 6c 65 46 69 6c 65 4e 61 6d 65 57 }\r\n        $F02 = { 47 65 74 4d 6f 64 75 6c 65 48 61 6e 64 6c 65 41 }\r\n        $F03 = { 47 65 74 46 69 6c 65 54 79 70 65 }\r\n        $F04 = { 47 65 74 56 65 72 73 69 6f 6e }\r\n        $F05 = { 51 75 65 72 79 53 65 72 76 69 63 65 53 74 61 74 75 73 }\r\n        $F06 = { 42 43 72 79 70 74 4f 70 65 6e 41 6c 67 6f 72 69 74 68 6d 50 72 6f 76 69 64 65 72 }\r\n        $M01 = { 68 2d 79 6e b1 }\r\n        $M02 = { 68 ea 71 c2 55 }\r\n        $M03 = { 66 b8 ad eb }\r\n        $M04 = { 4c 8d 2c 6d b3 6c 05 39 }\r\n        $M05 = { 48 8d 2c 95 08 9d ec 9a }\r\n        $S01 = { 48 8d 0c f5 a3 cd 0a eb}\r\n        $S02 = { 81 f9 7f 56 e6 0a}\r\n    condition:\r\n        // the condition is cut short in the archived text; the terms following the final \"and\" were not recovered\r\n        ($H1 in (0..2048)) and ($H2 in (0..2048)) and filesize \u003c 100MB and filesize \u003e 5KB and all of ($M0*) and\r\n}\r\nSource: https://www.mandiant.com/resources/blog/lightshift-and-lightshow",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/lightshift-and-lightshow"
	],
	"report_names": [
		"lightshift-and-lightshow"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7a2dd0e8-beea-415c-b90d-4df9da8358ae",
			"created_at": "2024-09-20T02:00:04.575485Z",
			"updated_at": "2026-04-10T02:00:03.695726Z",
			"deleted_at": null,
			"main_name": "UNC2970",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC2970",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434214,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/06fe3d3992d1fb252bb8cbc53493233d5c7adabe.pdf",
		"text": "https://archive.orkl.eu/06fe3d3992d1fb252bb8cbc53493233d5c7adabe.txt",
		"img": "https://archive.orkl.eu/06fe3d3992d1fb252bb8cbc53493233d5c7adabe.jpg"
	}
}