{
	"id": "b5ec56ec-a448-4e9f-b716-c4a5d8b6b325",
	"created_at": "2026-04-06T01:31:16.615319Z",
	"updated_at": "2026-04-10T13:12:23.721315Z",
	"deleted_at": null,
	"sha1_hash": "07763e9e825930e65f4527b049bb0971f875b1ce",
	"title": "LevelBlue - Open Threat Exchange",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 345729,
	"plain_text": "LevelBlue - Open Threat Exchange\r\nBy TheNewRaikage\r\nArchived: 2026-04-06 00:16:17 UTC\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:moonwind\r\nPage 1 of 5\n\nThreat Research | FireEye Inc\r\nFind out more about FireEye.com, the world's leading cyber security company, which provides security services to\r\nmore than 1.5 million customers across the globe, and offers a wide range of products and services.\r\n\r\n17 Subscribers\r\nMoonWind\r\n\r\nMoonWind is a remote access trojan (RAT) that was used with the Trochilus RAT from September 2016 through\r\nlate November 2016 by the same threat actor. It was compiled using the same compiler as BlackMoon banking\r\ntrojan.\r\n8 Subscribers\r\nTrochilus and New MoonWind RATs Used In Attack Against Thai Organizations\r\nFileHash-SHA256: 6 | IPv4: 1 | Hostname: 1\r\nFrom September 2016 through late November 2016, a threat actor group used both the Trochilus RAT and a newly\r\nidentified RAT we’ve named MoonWind to target organizations in Thailand, including a utility organization. We\r\nchose the name ‘MoonWind’ based on debugging strings we saw within the samples, as well as the compiler used\r\nto generate the samples. The attackers compromised two legitimate Thai websites to host the malware, which is a\r\ntactic this group has used in the past. Both the Trochilus and MoonWind RATs were hosted on the same\r\ncompromised sites and used to target the same organization at the same time. The attackers used different\r\ncommand and control servers (C2s) for each malware family, a tactic we believe was meant to thwart attempts to\r\ntie the attacks together using infrastructure alone. The compromised websites are the site for a group of\r\ninformation technology companies in Thailand, and all the tools were stored in the same directory.\r\n\r\n374,032 Subscribers\r\nSource: https://otx.alienvault.com/browse/pulses?q=tag:moonwind",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://otx.alienvault.com/browse/pulses?q=tag:moonwind"
	],
	"report_names": [
		"pulses?q=tag:moonwind"
	],
	"threat_actors": [],
	"ts_created_at": 1775439076,
	"ts_updated_at": 1775826743,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/07763e9e825930e65f4527b049bb0971f875b1ce.pdf",
		"text": "https://archive.orkl.eu/07763e9e825930e65f4527b049bb0971f875b1ce.txt",
		"img": "https://archive.orkl.eu/07763e9e825930e65f4527b049bb0971f875b1ce.jpg"
	}
}