{
	"id": "61623ccd-c8f9-4386-a05a-7fa0b3bc542e",
	"created_at": "2026-04-06T00:12:33.067045Z",
	"updated_at": "2026-04-10T13:12:14.37569Z",
	"deleted_at": null,
	"sha1_hash": "07af236eeda152598391db6e04a66344c17083cd",
	"title": "FAKEUPDATES (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 157306,
	"plain_text": "FAKEUPDATES (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-02 11:02:09 UTC\r\nFAKEUPDATES\r\naka: FakeUpdate, GhoLoader, SocGholish\r\nActor(s): GOLD PRELUDE\r\nFAKEUPDATES is a downloader written in JavaScript that communicates via HTTP. Supported payload types\r\ninclude executables and JavaScript. It writes the payloads to disk prior to launching them. FAKEUPDATES has\r\nled to further compromise via additional malware families that include CHTHONIC, DRIDEX, EMPIRE,\r\nKOADIC, DOPPELPAYMER, and AZORULT.\r\nFAKEUPDATES has been heavily used by UNC1543, a financially motivated group.\r\nReferences\r\n2025-11-25 ⋅ Arctic Wolf ⋅\r\nRussian RomCom Utilizing SocGholish to Deliver Mythic Agent to U.S. Companies Supporting Ukraine\r\nFAKEUPDATES\r\n2025-08-06 ⋅ Silent Push ⋅ Silent Push\r\nUnmasking SocGholish: Silent Push Untangles the Malware Web Behind the “Pioneer of Fake Updates” and\r\nIts Operator, TA569\r\nFAKEUPDATES MintsLoader Parrot TDS Parrot TDS WebShell Raspberry Robin\r\n2025-04-29 ⋅ Recorded Future ⋅ Insikt Group\r\nUncovering MintsLoader With Recorded Future Malware Intelligence Hunting\r\nFAKEUPDATES MintsLoader GhostWeaver Stealc TAG-124\r\n2025-04-29 ⋅ LinkedIn (Ethical Hackers Academy) ⋅ Ethical Hackers Academy\r\nRansomHub Ransomware Deploys Malware to Breach Corporate Networks\r\nFAKEUPDATES RansomHub\r\n2025-03-14 ⋅ Trend Micro ⋅ Adam O'Connor, Ian Kenefick, Jack Walsh, Laura Medina, Lucas Silva\r\nSocGholish’s Intrusion Techniques Facilitate Distribution of RansomHub Ransomware\r\nFAKEUPDATES RansomHub\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/js.fakeupdates\r\nPage 1 of 6\n\n2025-02-28 ⋅ KrebsOnSecurity ⋅ Brian Krebs\r\nNotorious Malware, Spam Host “Prospero” Moves to Kaspersky Lab\r\nFAKEUPDATES GootLoader\r\n2025-02-18 ⋅ Proofpoint ⋅ Proofpoint Threat Research Team\r\nAn Update on Fake Updates: Two New Actors, and New Mac Malware\r\nMarcher FAKEUPDATES FrigidStealer Lumma Stealer\r\n2025-02-15 ⋅ Medium 
TRAC Labs ⋅ TRAC Labs\r\nDon’t Ghost the SocGholish: GhostWeaver Backdoor\r\nFAKEUPDATES GhostWeaver\r\n2025-02-13 ⋅ Intel 471 ⋅ Intel 471\r\nThreat hunting case study: SocGholish\r\nFAKEUPDATES\r\n2025-01-17 ⋅ Google Cloud Security ⋅ Office of the CISO\r\nThreat Horizons - H1 2025 Threat Horizons Report\r\nFAKEUPDATES Conti Hades LockBit Phoenix Locker RansomHub TRIPLESTRENGTH\r\n2025-01-10 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update July to December 2024\r\nCoper FluBot Hook Mirai FAKEUPDATES AsyncRAT BianLian Brute Ratel C4 Cobalt Strike DanaBot\r\nDCRat Havoc Latrodectus NjRAT Quasar RAT RedLine Stealer Remcos Rhadamanthys Sliver Stealc\r\n2024-12-16 ⋅ Morphisec ⋅ Morphisec Labs, Nadav Lorber\r\nCoinLurker: The Stealer Powering the Next Generation of Fake Updates\r\nClearFake FAKEUPDATES\r\n2024-12-15 ⋅ Malwarebytes ⋅ Jérôme Segura\r\nMalicious ad distributes SocGholish malware to Kaiser Permanente employees\r\nFAKEUPDATES\r\n2024-11-21 ⋅ Intrinsec ⋅ CTI Intrinsec, Intrinsec\r\nPROSPERO \u0026 Proton66: Uncovering the links between bulletproof networks\r\nCoper SpyNote FAKEUPDATES GootLoader EugenLoader\r\n2024-11-20 ⋅ Intrinsec ⋅ Equipe CTI\r\nPROSPERO \u0026 Proton66: Tracing Uncovering the links between bulletproof networks\r\nCoper SpyNote FAKEUPDATES GootLoader EugenLoader IcedID Matanbuchus Nokoyawa Ransomware\r\nPikabot\r\n2024-09-30 ⋅ X (@GenThreatLabs) ⋅ Gen Threat Labs\r\nTweet on FAKEUPDATES pushing WARMCOOKIE backdoor via compromised websites targeting France\r\nFAKEUPDATES WarmCookie\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/js.fakeupdates\r\nPage 2 of 6\n\n2024-07-17 ⋅ Huntress Labs ⋅ Alden Schmidt, Greg Linares, Matt Anderson\r\nFake Browser Updates Lead to BOINC Volunteer Computing Software\r\nFAKEUPDATES MintsLoader AsyncRAT\r\n2024-07-09 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update January to June 2024\r\nCoper FluBot Hook Bashlite Mirai FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat 
Havoc NjRAT\r\nQakBot Quasar RAT RedLine Stealer Remcos Rhadamanthys RisePro Sliver\r\n2024-04-30 ⋅ Intrinsec ⋅ Intrinsec\r\nMatanbuchus \u0026 Co: Code Emulation and Cybercrime Infrastructure Discovery\r\nFAKEUPDATES Matanbuchus\r\n2024-01-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q4 2023\r\nFluBot Hook FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc IcedID Lumma Stealer\r\nMeterpreter NjRAT Pikabot QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys\r\nSliver\r\n2023-12-12 ⋅ Check Point Research ⋅ Check Point\r\nNovember 2023’s Most Wanted Malware: New AsyncRAT Campaign Discovered while FakeUpdates Re-Entered the Top Ten after Brief Hiatus\r\nFAKEUPDATES AsyncRAT\r\n2023-08-31 ⋅ Rapid7 Labs ⋅ Evan McCann, Natalie Zargarov, Thomas Elkins, Tyler McGraw\r\nFake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers\r\nFAKEUPDATES Amadey HijackLoader Lumma Stealer SectopRAT\r\n2023-02-26 ⋅ Proofpoint ⋅ Andrew Northern\r\nTA569: SocGholish and Beyond\r\nFAKEUPDATES RedLine Stealer solarmarker\r\n2022-11-07 ⋅ SentinelOne ⋅ Aleksandar Milenkoski\r\nSocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders\r\nFAKEUPDATES\r\n2022-10-27 ⋅ Microsoft ⋅ Microsoft Threat Intelligence\r\nRaspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity\r\nFAKEUPDATES BumbleBee Clop Fauppod Raspberry Robin Roshtyak Silence DEV-0950 Mustard Tempest\r\n2022-10-27 ⋅ Microsoft ⋅ Microsoft Security Threat Intelligence\r\nRaspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity\r\nFAKEUPDATES BumbleBee Fauppod PhotoLoader Raspberry Robin Roshtyak\r\n2022-08-19 ⋅ nccgroup ⋅ Ross Inman\r\nBack in Black: Unlocking a LockBit 3.0 Ransomware Attack\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/js.fakeupdates\r\nPage 3 of 6\n\nFAKEUPDATES Cobalt Strike LockBit\r\n2022-08-16 ⋅ SUCURI ⋅ Denis Sinegubko\r\nSocGholish: 5+ Years of Massive 
Website Infections\r\nFAKEUPDATES\r\n2022-07-30 ⋅ The Hacker News ⋅ Ravie Lakshmanan\r\nMicrosoft Links Raspberry Robin USB Worm to Russian Evil Corp Hackers\r\nFAKEUPDATES Raspberry Robin\r\n2022-06-13 ⋅ Jorge Testa ⋅ Jorge Testa\r\nKilling The Bear - Evil Corp\r\nFAKEUPDATES Babuk Blister DoppelPaymer Dridex Entropy FriedEx Hades Macaw Phoenix Locker\r\nWastedLoader WastedLocker\r\n2022-06-08 ⋅ Malwarebytes Labs ⋅ Threat Intelligence Team\r\nMakeMoney malvertising campaign adds fake update template\r\nFAKEUPDATES\r\n2022-06-02 ⋅ Mandiant ⋅ Mandiant Intelligence\r\nTo HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions\r\nFAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz\r\nPhoenix Locker WastedLocker\r\n2022-05-25 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt\r\nSocGholish Campaigns and Initial Access Kit\r\nFAKEUPDATES Blister Cobalt Strike NetSupportManager RAT\r\n2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)\r\nRansomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself\r\nAnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon\r\nATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands\r\nGozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix\r\nLocker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT\r\n2022-05-06 ⋅ Twitter (@MsftSecIntel) ⋅ Microsoft Security Intelligence\r\nTwitter Thread on initial infection of SocGholish/ FAKEUPDATES campaigns lead to BLISTER Loader,\r\nCobaltStrike, Lockbit and followed by Hands On Keyboard activity\r\nFAKEUPDATES Blister Cobalt Strike LockBit\r\n2022-04-25 ⋅ Cybereason ⋅ Aleksandar Milenkoski, Loïc Castel, Yonatan Gidnian\r\nTHREAT ANALYSIS REPORT: SocGholish and Zloader – From Fake Updates and
Installers to Owning Your\r\nSystems\r\nFAKEUPDATES Zloader\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/js.fakeupdates\r\nPage 4 of 6\n\n2022-04-10 ⋅ Digital Information World ⋅ Hura Anwar\r\nThreatening Redirect Web Service Instills Malicious Campaigns In Over 16,500 Websites\r\nFAKEUPDATES\r\n2022-04-07 ⋅ Avast Decoded ⋅ Jan Rubín, Pavel Novák\r\nParrot TDS takes over web servers and threatens millions\r\nFAKEUPDATES Parrot TDS Parrot TDS WebShell NetSupportManager RAT\r\n2022-04-05 ⋅ Trend Micro ⋅ Abdelrhman Sharshar, Earle Maui Earnshaw, Ian Kenefick, Lucas Silva, Mohamed Fahmy, Ryan\r\nMaglaque\r\nThwarting Loaders: From SocGholish to BLISTER’s LockBit Payload\r\nFAKEUPDATES Blister LockBit\r\n2022-04-05 ⋅ Trend Micro ⋅ Abdelrhman Sharshar, Earle Maui Earnshaw, Ian Kenefick, Lucas Silva, Mohamed Fahmy, Ryan\r\nMaglaque\r\nThwarting Loaders: From SocGholish to BLISTER’s LockBit Payload (IoCs)\r\nFAKEUPDATES Blister LockBit\r\n2022-04-04 ⋅ ⋅ LAC WATCH ⋅ Takehiko Takagen\r\nConfirmation of damage to domestic e-commerce sites, actual situation of Web skimming attacks and\r\nexamples of countermeasures that Rack thinks (Water Pamola)\r\nFAKEUPDATES\r\n2022-03-22 ⋅ Red Canary ⋅ Red Canary\r\n2022 Threat Detection Report\r\nFAKEUPDATES Silver Sparrow BazarBackdoor Cobalt Strike GootKit Yellow Cockatoo RAT\r\n2022-02-26 ⋅ Mandiant ⋅ Mandiant\r\nTRENDING EVIL Q1 2022\r\nKEYPLUG FAKEUPDATES GootLoader BazarBackdoor QakBot\r\n2021-07-22 ⋅ Expel ⋅ Evan Reichard, Kyle Pellett, Ryan Gott, Tyler Fornes\r\nIncident report: Spotting SocGholish WordPress injection\r\nFAKEUPDATES\r\n2020-12-17 ⋅ Menlo Security ⋅ Krishnan Subramanian\r\nIncrease In Attack: SocGholish\r\nFAKEUPDATES\r\n2020-03-16 ⋅ Mandiant ⋅ Kelli Vanderlee\r\nThey Come in the Night: Ransomware Deployment Trends\r\nFAKEUPDATES\r\n2018-04-10 ⋅ Malwarebytes Labs ⋅ Jérôme Segura\r\n‘FakeUpdates’ campaign leverages multiple website 
platforms\r\nFAKEUPDATES\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/js.fakeupdates\r\nPage 5 of 6\n\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/js.fakeupdates\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/js.fakeupdates\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/js.fakeupdates"
	],
	"report_names": [
		"js.fakeupdates"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c61fb5f8-fcd6-43e8-8b2d-4e81541589f7",
			"created_at": "2023-11-14T02:00:07.071699Z",
			"updated_at": "2026-04-10T02:00:03.440831Z",
			"deleted_at": null,
			"main_name": "DEV-0950",
			"aliases": [
				"Lace Tempest"
			],
			"source_name": "MISPGALAXY:DEV-0950",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "555e2cac-931d-4ad4-8eaa-64df6451059d",
			"created_at": "2023-01-06T13:46:39.48103Z",
			"updated_at": "2026-04-10T02:00:03.342729Z",
			"deleted_at": null,
			"main_name": "RomCom",
			"aliases": [
				"UAT-5647",
				"Storm-0978"
			],
			"source_name": "MISPGALAXY:RomCom",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2eb5ae35-e3ae-4b76-a945-5e6c2cfc1942",
			"created_at": "2024-02-02T02:00:04.028297Z",
			"updated_at": "2026-04-10T02:00:03.530787Z",
			"deleted_at": null,
			"main_name": "Mustard Tempest",
			"aliases": [
				"DEV-0206",
				"Purple Vallhund"
			],
			"source_name": "MISPGALAXY:Mustard Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ebc139d2-7450-46f5-a9e4-e7d561133fa5",
			"created_at": "2024-04-24T02:00:49.453475Z",
			"updated_at": "2026-04-10T02:00:05.321256Z",
			"deleted_at": null,
			"main_name": "Mustard Tempest",
			"aliases": [
				"Mustard Tempest",
				"DEV-0206",
				"TA569",
				"GOLD PRELUDE",
				"UNC1543"
			],
			"source_name": "MITRE:Mustard Tempest",
			"tools": [
				"SocGholish",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3bf456e4-84ee-48fd-b3ab-c10d54a48a34",
			"created_at": "2024-06-19T02:03:08.096988Z",
			"updated_at": "2026-04-10T02:00:03.82859Z",
			"deleted_at": null,
			"main_name": "GOLD PRELUDE",
			"aliases": [
				"Mustard Tempest ",
				"TA569 ",
				"UNC1543 "
			],
			"source_name": "Secureworks:GOLD PRELUDE",
			"tools": [
				"SocGholish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3fb23d29-6c6c-459b-8985-e11f125cebcf",
			"created_at": "2025-03-07T02:00:03.805635Z",
			"updated_at": "2026-04-10T02:00:03.83403Z",
			"deleted_at": null,
			"main_name": "TRIPLESTRENGTH",
			"aliases": [],
			"source_name": "MISPGALAXY:TRIPLESTRENGTH",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f63c346d-18c8-4821-a56d-fefb1ad7ed5d",
			"created_at": "2022-10-25T16:07:23.42507Z",
			"updated_at": "2026-04-10T02:00:04.593122Z",
			"deleted_at": null,
			"main_name": "Bronze Starlight",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"HighGround",
				"Operation ChattyGoblin",
				"SLIME34"
			],
			"source_name": "ETDA:Bronze Starlight",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"AtomSilo",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"HUI Loader",
				"Kaba",
				"Korplug",
				"LockFile",
				"Night Sky",
				"NightSky",
				"Pandora",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4390d8ec-605d-493a-81ee-d5ef80c07046",
			"created_at": "2025-05-29T02:00:03.223467Z",
			"updated_at": "2026-04-10T02:00:03.873701Z",
			"deleted_at": null,
			"main_name": "TAG-124",
			"aliases": [
				"LandUpdate808"
			],
			"source_name": "MISPGALAXY:TAG-124",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c69bcda3-0893-4ea1-9ec1-ae016332d283",
			"created_at": "2023-01-06T13:46:39.410593Z",
			"updated_at": "2026-04-10T02:00:03.317754Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"DEV-0401",
				"Cinnamon Tempest",
				"Emperor Dragonfly",
				"SLIME34"
			],
			"source_name": "MISPGALAXY:BRONZE STARLIGHT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d9b39228-0d9d-4c1e-8e39-2de986120060",
			"created_at": "2023-01-06T13:46:39.293127Z",
			"updated_at": "2026-04-10T02:00:03.277123Z",
			"deleted_at": null,
			"main_name": "BelialDemon",
			"aliases": [
				"Matanbuchus"
			],
			"source_name": "MISPGALAXY:BelialDemon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "544cac23-af15-4100-8f20-46c07962cbfa",
			"created_at": "2023-01-06T13:46:39.484133Z",
			"updated_at": "2026-04-10T02:00:03.34364Z",
			"deleted_at": null,
			"main_name": "GOLD PRELUDE",
			"aliases": [
				"TA569",
				"UNC1543"
			],
			"source_name": "MISPGALAXY:GOLD PRELUDE",
			"tools": [
				"FakeUpdates",
				"FakeUpdate",
				"SocGholish"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d511e74b-96b8-4ab9-88d6-bc183351dbd8",
			"created_at": "2025-08-07T02:03:24.674685Z",
			"updated_at": "2026-04-10T02:00:03.800936Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"Cinnamon Tempest ",
				"DEV-0401 ",
				"Emperor Dragonfly "
			],
			"source_name": "Secureworks:BRONZE STARLIGHT",
			"tools": [
				"AtomSilo",
				"Cobalt Strike",
				"HUI Loader",
				"Impacket",
				"LockFile",
				"NightSky",
				"Pandora",
				"PlugX",
				"Rook"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "81e29474-63ad-4ce8-97db-b1712d5481d5",
			"created_at": "2024-04-24T02:00:49.570158Z",
			"updated_at": "2026-04-10T02:00:05.285111Z",
			"deleted_at": null,
			"main_name": "Cinnamon Tempest",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"Emperor Dragonfly",
				"BRONZE STARLIGHT"
			],
			"source_name": "MITRE:Cinnamon Tempest",
			"tools": [
				"Pandora",
				"PlugX",
				"Cheerscrypt",
				"Impacket",
				"Cobalt Strike",
				"HUI Loader",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434353,
	"ts_updated_at": 1775826734,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/07af236eeda152598391db6e04a66344c17083cd.pdf",
		"text": "https://archive.orkl.eu/07af236eeda152598391db6e04a66344c17083cd.txt",
		"img": "https://archive.orkl.eu/07af236eeda152598391db6e04a66344c17083cd.jpg"
	}
}