{ "id": "ccc11c04-5fdc-44d8-8a38-f4df17902892", "created_at": "2026-04-06T01:31:27.581861Z", "updated_at": "2026-04-10T03:37:23.932023Z", "deleted_at": null, "sha1_hash": "0abbe3a5e07241fb6f26cafbb7b6f14e05ded38d", "title": "Spam trends campaigns senior superlatives 2023", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2980832, "plain_text": "Spam trends campaigns senior superlatives 2023\r\nBy Ole Villadsen, Golo Mühr\r\nPublished: 2024-02-28 · Archived: 2026-04-06 00:46:36 UTC\r\nAuthors\r\nOle Villadsen\r\nCyber Threat Hunt Analyst\r\nIBM Security\r\nThe 2024 IBM X-Force Threat Intelligence Index revealed attackers continued to pivot to evade detection to\r\ndeliver their malware in 2023. The good news? Security improvements, such as Microsoft blocking macro\r\nexecution by default starting in 2022 and OneNote embedded files with potentially dangerous extensions by mid-2023, have changed the threat landscape for the better. Improved endpoint detection also likely forced attackers to\r\nshift away from other techniques prominent in 2022, such as using disk image files (e.g. ISO) and HTML\r\nsmuggling.\r\nOf course, with these security improvements, attackers are forced to find successful entry points into\r\norganizations, and in 2023, X-Force observed attackers—in particular, initial access brokers—increasingly shift to\r\nplacing malicious links within emails to download subsequent payloads or attach PDF files containing malicious\r\nlinks. Other key observations for 2023 include:\r\nAn increase in the use of Nullsoft Scriptable Install System (NSIS) executables and .NET-based\r\nobfuscators and packers in executable files used to deliver commodity malware.\r\nThe continued prominence of ZIP files as the most observed archive. More advanced threat actors\r\nintroduced new file types within archives such as Internet shortcut (.URL) files, whose overall use\r\nincreased significantly in 2023.\r\nAn increase in the exploitation of older vulnerabilities such as CVE-2017-11882, the most prolific exploit\r\nin email campaigns.\r\nThe adoption of increasingly complex execution chains likely designed to reduce detection rates and filter\r\nout security researchers and automated sandboxes.\r\nThis article describes high-level shifts X-Force observed in threat actors’ email campaigns in 2023 and leverages\r\nthe tradition of United States High School “Senior Superlatives” to highlight noteworthy campaigns and trends\r\nthat X-Force observed last year along with examples. The article concludes with a look at what to expect in 2024\r\nand what organizations can do to detect and improve their defenses.\r\nBye bye malicious macros?\r\nhttps://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/\r\nPage 1 of 16\n\nThe 2023 X-Force Threat Intelligence Index highlighted how threat actors were forced to change tactics in 2022\r\nwhen Microsoft began to block macro execution by default in documents received through email or from the\r\ninternet. The move away from malicious macros became even more apparent with Office documents containing\r\nmalicious Visual Basic Application (VBA) macros and Excel Macro (XLM) files observed in a few campaigns\r\nearly in 2023. Year over year X-Force saw a 93% reduction in email spam containing maldocs leveraging VBA\r\nmacros with close to no activity since late March, when X-Force observed their use with Emotet and Hive0133\r\ncampaigns.\r\nFigure 1: Volume of emails with VBA and XLM documents in 2023. Source: X-Force\r\nThis dramatic reduction in attackers’ use of malicious macros is a positive reflection of how implementing certain\r\nchanges to an environment can practically shut down what would have otherwise been fruitful opportunities for\r\nhttps://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/\r\nPage 2 of 16\n\nmalicious actors. However, as discussed later in this article, when one door closes for an attacker, they attempt to\r\nfind their way in through another door.\r\nShort-lived campaigns: HTML smuggling and OneNote\r\nAs in 2022, X-Force identified Qakbot and other activities last year that used HTML smuggling to compromise\r\nvictims. This evasive technique allows the attacker to use HTML 5 and JavaScript running in the browser to\r\ndynamically decode or decrypt a payload embedded within the HTML and drop it to the victim’s system. While\r\nthe majority of HTML smuggling activity took place in March, activity was also observed in January, April, and\r\nMay. Year-over-year HTML smuggling activity is down 96%. X-Force assesses this is the case because endpoint\r\ndetection continues to improve. A local HTML file triggering the browser to “download” something without web\r\ntraffic is suspicious. Additionally, HTML files are very large if they bear an encoded payload – another\r\nopportunity to detect this activity.\r\nIn early 2023, X-Force also observed multiple groups leveraging OneNote attachments in their campaigns to\r\ninclude the initial access brokers TA570 and TA577—known for delivering Qakbot, and TA551, whose campaigns\r\nprimarily delivered IcedID. Other groups using OneNote attachments included Emotet and Hive0126 (which\r\noverlaps with TA581), with the latter attempting to deliver IcedID and Bumblebee malware.\r\nhttps://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/\r\nPage 3 of 16\n\nFigure 2: Volume of OneNote emails in 2023. Source: X-Force\r\nThe short-lived but large OneNote campaigns by these threat actors occurred in the first three months of the year.\r\nNotably, X-Force has observed very little activity using OneNote attachments since March 2023. This is likely\r\nbecause Microsoft took steps to block embedded files with “dangerous extensions” in April.\r\nContainers/Archives: Disk images down; NSIS and .URL up\r\nIn 2022, X-Force observed an increase in the use of malicious disk images (ISO, IMG) with Windows shortcut\r\nfiles (LNK) to deliver malware. This landscape shifted in 2023, with the use of ISO files dropping to only 3% of\r\ncontainer/archive deliveries and IMG files similarly down to 1.39%. This is likely due to email detections\r\nadjusting to the previous year’s threats. There is minimal legitimate use of disk images in emails, making it easy to\r\nidentify as suspicious.\r\nhttps://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/\r\nPage 4 of 16\n\nIn 2023, ZIP files were again by far the most common delivery mechanism among archives (54.07%), followed by\r\nRAR files (20.13%).\r\nFigure 3: 2023 top archive extensions. Source: X-Force\r\nThe majority of file types contained within container or archive attachments – greater than 80% – were Windows\r\nexecutables, which are mainly used to deliver commodity Stealers and RATs such as Agent Tesla, the “Most\r\nCommon Malware” X-Force observed in 2023. Attackers pivot though, where they can, to evade detection: X-Force saw a notable increase in Nullsoft Scriptable Install System (NSIS) executables—likely because NSIS is\r\nmore difficult to scan since it works as a self-extracting archive. These installers were found mostly in 7z, RAR,\r\nand ZIP files and make up more than 25% of executables observed in 2023 spam emails. Another common\r\ntechnique is the use of . NET-based obfuscators and packers such as Eazfuscator, .NET-Reactor, Crypto-Obfuscator and the Roboski packer – which were used in more than 60% of the executables X-Force observed.\r\nhttps://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/\r\nPage 5 of 16\n\nMore advanced threat actors have also switched to less common filetypes within archives such as Internet\r\nshortcut (.URL) files, which were used in several large campaigns, as seen in Figure 4 below, including from\r\nHive0126. The use of .URL files in general—whether within an archive, directly attached to emails, or as part of\r\ncomplex execution chains—increased dramatically in 2023.\r\nOther examples of file types used for malspam include various script files such as Batch, JavaScript, Windows\r\nScript Files or Visual Basic. X-Force also observed the use of .PIF and .COM extensions on Windows\r\nexecutables, which are less common but also result in automatic execution if opened by a Windows user.\r\nFigure 4: Volume of emails leveraging less common file types within archives in 2023. Source: X-Force\r\nURLs and PDF files take the stage\r\nhttps://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/\r\nPage 6 of 16\n\nCoinciding with the decline in Macros, disk images and HTML smuggling files, X-Force has observed threat\r\nactors—including initial access brokers such as TA570, TA577, and Hive0133—shift increasingly to using URLs\r\nplaced directly within emails or within attached PDF files to download malicious payloads. X-Force also has\r\nobserved Latin American distributors regularly employ these techniques to deliver banking trojans such as\r\nOusaban and Grandoreiro. Threat actors likely have adopted these techniques because it would not be feasible for\r\nnetwork defenders or security solutions to block emails wholesale with URLs or PDF attachments given their\r\nprevalent use with legitimate communication. Other security researchers have also identified the trend towards\r\nincreased use of PDFs early last year.\r\nThis dynamic forces network defenders into a game of “whac-a-mole” to identify and either flag or block\r\npotentially malicious URLs and PDF attachments before they can lead to dangerous infections, including\r\nransomware attacks. X-Force has also observed threat actors require passwords provided within the email to open\r\nencrypted PDFs, impeding the ability to scan these PDFs for malicious URLs or other content. In other cases,\r\nthreat actors have adopted several evasion techniques unique to PDF files to obfuscate or otherwise conceal\r\nURLs, making it more difficult to identify and extract embedded links for review and enabling them to pass\r\nthrough security solutions. The “Senior Superlatives” section below for “Most Dangerous Campaigns” provides\r\nan example of a TA577 campaign using a malicious PDF attachment.\r\nThe latest tech news, backed by expert insights\r\nStay up to date on the most important—and intriguing—industry trends on AI, automation, data and beyond with\r\nthe Think Newsletter, delivered twice weekly. See the IBM Privacy Statement.\r\nHigh schools in the United States practice a tradition in which graduating seniors are awarded “superlatives” for\r\nbeing the best example of a given category, such as “Most Likely to Succeed”, “Most Outspoken”, or “Most\r\nPopular”. Leveraging such superlatives provides an effective way to highlight interesting campaigns, trends, and\r\nstatistics for 2023 from X-Force telemetry, as detailed below.\r\nMost Common Malware\r\nThe winner of 2023’s “Most Common Malware” goes to Agent Tesla, a popular information stealer active since\r\n2014 and available for sale on underground markets. Rounding out the top five most common malware are the\r\ninformation stealers Formbook and Lokibot, the remote access tool Remcos, and Snake Keylogger. These\r\nmalware were typically delivered within archives or downloaded by malicious office documents, including those\r\nexploiting CVE-2017-11882 (see below).\r\nhttps://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/\r\nPage 7 of 16\n\nFigure 5: Most common malware observed in email spam for 2023. Source: X-Force\r\nFigure 6 provides an example of an email campaign delivering Agent Telsa using an NSIS installer delivered\r\nwithin a ZIP archive. As mentioned above, X-Force has also observed an increase in the use of NSIS installers to\r\ndeliver commodity malware.\r\nhttps://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/\r\nPage 8 of 16\n\nFigure 6: Email delivering Agent Tesla infostealer using an NSIS installer. Source: X-Force\r\nMost observed exploit\r\nThe winner of the “Most observed exploit” category goes to CVE-2017-11882. Now that the easy way in through\r\nthe use of macros has been mitigated, many threat actors are focusing on creating and weaponizing exploits for\r\nolder and potentially vulnerable versions of MS Office. Notably, X-Force observed a significant increase in the\r\nuse of files exploiting the vulnerability CVE-2017-11882 – a remote code execution vulnerability in the Microsoft\r\nOffice Equation Editor tool. Campaigns exploiting this vulnerability to deliver commodity malware such as Agent\r\nTesla, Remcos, Formbook, Lokibot, Xworm and AsyncRAT (to name a few) came in large waves in 2023, with\r\nspikes in activity observed in March, May, and July, resulting in this exploit being the most observed in spam\r\ndocuments in 2023.\r\nhttps://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/\r\nPage 9 of 16\n\nFigure 7: Volume of emails exploiting CVE-2017-11882 in 2023. Source: X-Force\r\nAlthough a patch has been available since November 2017, attackers bank on organizations not having applied the\r\nsecurity update and are therefore potentially vulnerable to their exploit. In fact, attackers often take advantage of\r\norganizations overwhelmed by the task of identifying, prioritizing and remediating vulnerabilities. Vulnerability\r\nmanagement services can help organizations handle this task effectively ensuring high-risk vulnerabilities, like\r\nCVE-2017-11882, are found and remediated.\r\nhttps://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/\r\nPage 10 of 16\n\nFigure 8: Malicious email leveraging CVE-2017-11882 to download Formbook. Source: X-Force\r\nMost dangerous campaigns\r\nThe “Most dangerous campaigns” category goes to the initial access broker TA577, also known as “TR” and\r\ntracked by X-Force as Hive0118. TA577 campaigns in 2023 delivered Qakbot until it was disrupted in August,\r\nafter which they switched to DarkGate, IcedID, and Pikabot. X-Force observed several TA577 email campaigns\r\nlast year result in successful Qakbot infections, which have been observed leading to BlackBasta ransomware\r\nattacks. TA577 combines high-volume campaigns with email “thread hijacking”, in which attackers add malicious\r\nURLs or attachments to a stolen email to make it appear more legitimate. The majority of TA577 campaigns since\r\nlast spring have leveraged malicious URLs or PDFs containing a malicious URL. The example below took place\r\non 22 December and delivered Pikabot.\r\nhttps://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/\r\nPage 11 of 16\n\nFigure 9: TA577 Thread-hijacking email delivering a malicious PDF attachment. Source: X-Force\r\nhttps://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/\r\nPage 12 of 16\n\nFigure 10: PDF containing a malicious URL, delivered by the TA577 campaign in Figure 9. Source: X-Force\r\nMost complex infection chain\r\nThe “Most complex infection chain” goes to a campaign from mid-December 2023 delivered by a distributor\r\ntracked as Hive0137. Over the past year, threat actors have increasingly employed complex execution chains. The\r\nuse of several consecutive stages makes individual components and their behavior less prone to detection and\r\nallows attackers to implement checks at several different points throughout the infection to filter out security\r\nresearchers and automated sandboxes.\r\nHive0137 has been active since at least October delivering emails containing malicious PDF attachments or URLs\r\nwhich have led to DarkGate, NetSupport and a new loader dubbed “T34 Loader.” Hive0137 campaigns overlap\r\nwith Proofpoint’s BattleRoyal cluster, which also noted the complexity of their email campaigns. During a\r\nhttps://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/\r\nPage 13 of 16\n\nHive0137 campaign taking place on 19 December 2023, X-Force identified an extraordinarily complex infection\r\nchain delivering the T34 Loader. X-Force has previously observed the T34 Loader downloading the\r\nRhadamanthys stealer.\r\nTo download and install the T34 loader, this campaign leveraged an Open Redirect URL, the Keitaro traffic\r\ndistribution system (TDS), remote configuration data and four distinct files, including two .URL files, a\r\ndownloader PE file, the Snow crypter, and the T34 Loader DLL. Of note, the Snow crypter was developed by\r\nformer members of the Trickbot/Conti syndicate (aka ITG23), suggesting a relationship between threat actors\r\ndeveloping or using T34 Loader and ITG23.\r\nFigure 11: Hive0137 email with a malicious URL commencing an elaborate execution chain. Source: X-Force\r\nhttps://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/\r\nPage 14 of 16\n\nFigure 12: Hive0137 campaign using a complex execution chain to deliver the final payload.\r\nMoving forward in 2024, X-Force anticipates email spam distributors will continue to adopt new tactics,\r\ntechniques, and procedures (TTPs) to bypass security solutions and network defenses and convince users to\r\nexecute email attachments and links. In particular:\r\nThreat actors will continue to use URLs within emails and PDF attachments to commence execution\r\nchains. An email with a PDF attachment looks far less suspicious than an email with a disk image. Threat\r\nactors understand this and will use these methods to get past the first line of defense.\r\nEmail distributors will increasingly embrace artificial intelligence and Large Language Models (LLMs) to\r\ncreate more convincing email content that pushes users to click on links or execute attachments. Spam\r\nemails can often be spotted quickly if they use poor grammar, broken English, or simplistic messages. This\r\nwill change as actors leverage AI to help them create professional and polished emails.\r\nhttps://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/\r\nPage 15 of 16\n\nIncreasingly complex infection chains with multiple stages will also likely increase. Already there are\r\nregular email campaigns that make use of multiple stages before delivering the final payload, with the goal\r\nof deflecting security researchers and sandboxes and minimizing behavior to pass through security\r\ndefenses. Attackers will likely turn to unusual file types to support these execution chains, such as .URL\r\nattachments or script files e.g. Javascript or batch files.\r\nGood cyber-hygiene will continue to play a critical role in preventing the success of email-based attacks e.g.,\r\nregularly updating and patching applications, ensuring anti-virus software and associated files are working and up\r\nto date, and maintaining vigilance for any suspicious activity.\r\nOrganizations should also train users to exercise extreme caution with email links and PDF attachments and to\r\nrefrain from executing unusual file types that they may have never seen before or trigger their sixth sense that\r\nsomething is wrong, e.g. .URL attachments or script files. To limit the danger from script files, organizations\r\nshould also consider changing the default application for Javascript/JScript/VBScript files to Notepad.\r\nPolicy and procedure changes in the form of multi-factor authentication implementation, monitoring for leaked\r\nenterprise credentials and review of policies for disk image auto-mounting can also help mitigate the risk of email\r\nspam attacks.\r\nSource: https://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/\r\nhttps://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/\r\nPage 16 of 16", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://securityintelligence.com/x-force/spam-trends-campaigns-senior-superlatives-2023/" ], "report_names": [ "spam-trends-campaigns-senior-superlatives-2023" ], "threat_actors": [ { "id": "b740943a-da51-4133-855b-df29822531ea", "created_at": "2022-10-25T15:50:23.604126Z", "updated_at": "2026-04-10T02:00:05.259593Z", "deleted_at": null, "main_name": "Equation", "aliases": [ "Equation" ], "source_name": "MITRE:Equation", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f", "created_at": "2022-10-25T15:50:23.579601Z", "updated_at": "2026-04-10T02:00:05.360509Z", "deleted_at": null, "main_name": "TA551", "aliases": [ "TA551", "GOLD CABIN", "Shathak" ], "source_name": "MITRE:TA551", "tools": [ "QakBot", "IcedID", "Valak", "Ursnif" ], "source_id": "MITRE", "reports": null }, { "id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e", "created_at": "2024-06-04T02:03:07.799286Z", "updated_at": "2026-04-10T02:00:03.606456Z", "deleted_at": null, "main_name": "GOLD BLACKBURN", "aliases": [ "ITG23 ", "Periwinkle Tempest ", "Wizard Spider " ], "source_name": "Secureworks:GOLD BLACKBURN", "tools": [ "BazarLoader", "Buer Loader", "Bumblebee", "Dyre", "Team9", "TrickBot" ], "source_id": "Secureworks", "reports": null }, { "id": "67ad7d52-d75e-43cb-9c57-8864949984e9", "created_at": "2024-08-20T02:00:04.546933Z", "updated_at": "2026-04-10T02:00:03.68954Z", "deleted_at": null, "main_name": "Hive0137", "aliases": [], "source_name": "MISPGALAXY:Hive0137", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "40b623c7-b621-48db-b55b-dd4f6746fbc6", "created_at": "2024-06-19T02:03:08.017681Z", "updated_at": "2026-04-10T02:00:03.665818Z", "deleted_at": null, "main_name": "GOLD CABIN", "aliases": [ "Shathak", "TA551 " ], "source_name": "Secureworks:GOLD CABIN", "tools": [], "source_id": "Secureworks", "reports": null }, { "id": "90f216f2-4897-46fc-bb76-3acae9d112ca", "created_at": "2023-01-06T13:46:39.248936Z", "updated_at": "2026-04-10T02:00:03.260122Z", "deleted_at": null, "main_name": "GOLD CABIN", "aliases": [ "Shakthak", "TA551", "ATK236", "G0127", "Monster Libra" ], "source_name": "MISPGALAXY:GOLD CABIN", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "96d5b301-0872-444c-ba32-eecf7a9241c0", "created_at": "2023-02-15T02:01:49.560566Z", "updated_at": "2026-04-10T02:00:03.347926Z", "deleted_at": null, "main_name": "TA570", "aliases": [ "DEV-0450" ], "source_name": "MISPGALAXY:TA570", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b4f83fef-38ee-4228-9d27-dde8afece1cb", "created_at": "2023-02-15T02:01:49.569611Z", "updated_at": "2026-04-10T02:00:03.351659Z", "deleted_at": null, "main_name": "TA577", "aliases": [ "Hive0118" ], "source_name": "MISPGALAXY:TA577", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "63061658-5810-4f01-9620-7eada7e9ae2e", "created_at": "2022-10-25T15:50:23.752974Z", "updated_at": "2026-04-10T02:00:05.244531Z", "deleted_at": null, "main_name": "Wizard Spider", "aliases": [ "Wizard Spider", "UNC1878", "TEMP.MixMaster", "Grim Spider", "FIN12", "GOLD BLACKBURN", "ITG23", "Periwinkle Tempest", "DEV-0193" ], "source_name": "MITRE:Wizard Spider", "tools": [ "TrickBot", "AdFind", "BITSAdmin", "Bazar", "LaZagne", "Nltest", "GrimAgent", "Dyre", "Ryuk", "Conti", "Emotet", "Rubeus", "Mimikatz", "Diavol", "PsExec", "Cobalt Strike" ], "source_id": "MITRE", "reports": null }, { "id": "22d450bb-fc7a-42af-9430-08887f0abf9f", "created_at": "2024-11-01T02:00:52.560354Z", "updated_at": "2026-04-10T02:00:05.276856Z", "deleted_at": null, "main_name": "TA577", "aliases": [ "TA577" ], "source_name": "MITRE:TA577", "tools": [ "Pikabot", "QakBot", "Latrodectus" ], "source_id": "MITRE", "reports": null }, { "id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3", "created_at": "2022-10-25T16:07:24.422115Z", "updated_at": "2026-04-10T02:00:04.983298Z", "deleted_at": null, "main_name": "Wizard Spider", "aliases": [ "DEV-0193", "G0102", "Gold Blackburn", "Gold Ulrick", "Grim Spider", "ITG23", "Operation BazaFlix", "Periwinkle Tempest", "Storm-0230", "TEMP.MixMaster", "Wizard Spider" ], "source_name": "ETDA:Wizard Spider", "tools": [ "AdFind", "Agentemis", "Anchor_DNS", "BEERBOT", "BazarBackdoor", "BazarCall", "BazarLoader", "Cobalt Strike", "CobaltStrike", "Conti", "Diavol", "Dyranges", "Dyre", "Dyreza", "Dyzap", "Gophe", "Invoke-SMBAutoBrute", "KEGTAP", "LaZagne", "LightBot", "PowerSploit", "PowerTrick", "PsExec", "Ryuk", "SessionGopher", "TSPY_TRICKLOAD", "Team9Backdoor", "The Trick", "TheTrick", "Totbrick", "TrickBot", "TrickLoader", "TrickMo", "Upatre", "bazaloader", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68", "created_at": "2022-10-25T16:07:24.578896Z", "updated_at": "2026-04-10T02:00:05.039955Z", "deleted_at": null, "main_name": "TA551", "aliases": [ "G0127", "Gold Cabin", "Monster Libra", "Shathak", "TA551" ], "source_name": "ETDA:TA551", "tools": [ "BokBot", "CRM", "Gozi", "Gozi CRM", "IceID", "IcedID", "Papras", "Snifula", "Ursnif", "Valak", "Valek" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775439087, "ts_updated_at": 1775792243, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/0abbe3a5e07241fb6f26cafbb7b6f14e05ded38d.pdf", "text": "https://archive.orkl.eu/0abbe3a5e07241fb6f26cafbb7b6f14e05ded38d.txt", "img": "https://archive.orkl.eu/0abbe3a5e07241fb6f26cafbb7b6f14e05ded38d.jpg" } }