{
	"id": "3c2f2b95-862f-4a35-a6f8-e9457cd28854",
	"created_at": "2026-04-06T00:06:27.633325Z",
	"updated_at": "2026-04-10T03:36:33.995989Z",
	"deleted_at": null,
	"sha1_hash": "0bf6a5f2cf8bcf27684b4419597baffa11998d21",
	"title": "Dissecting TriangleDB, a Triangulation spyware implant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 485316,
	"plain_text": "Dissecting TriangleDB, a Triangulation spyware implant\r\nBy Georgy Kucherin\r\nPublished: 2023-06-21 · Archived: 2026-04-05 13:17:32 UTC\r\nMalware descriptions\r\n21 Jun 2023\r\n6 minute read\r\nhttps://securelist.com/triangledb-triangulation-implant/110050/\r\nPage 1 of 10\n\nUPD 23.04.2025: MITRE created a page for Operation Triangulation as part of its ATT\u0026CK framework.\r\nOver the years, there have been multiple cases when iOS devices were infected with targeted spyware such as Pegasus, Predator, Reign and others. Often, the process of infecting a device involves launching a chain of different exploits, e.g. for escaping the iMessage sandbox while processing a malicious attachment, and for getting root privileges through a vulnerability in the kernel. Due to this granularity, discovering one exploit in the chain often does not result in retrieving the rest of the chain and obtaining the final spyware payload. For example, in 2021, analysis of iTunes backups helped to discover an attachment containing the FORCEDENTRY exploit. However, during post-exploitation, the malicious code downloaded a payload from a remote server that was not accessible at the time of analysis. Consequently, the analysts lost “the ability to follow the exploit.”\r\nIn researching Operation Triangulation, we set ourselves the goal to retrieve as many parts of the exploitation chain as possible. It took about half a year to accomplish that goal, and, after the collection of the chain had been completed, we started an in-depth analysis of the discovered stages. 
As of now, we have finished analyzing the spyware implant and are ready to share the details.\r\nThe Operation Triangulation infection chain\r\nThe implant, which we dubbed TriangleDB, is deployed after the attackers obtain root privileges on the target iOS device by exploiting a kernel vulnerability. It is deployed in memory, meaning that all traces of the implant are lost when the device gets rebooted. Therefore, if the victim reboots their device, the attackers have to reinfect it by sending an iMessage with a malicious attachment, thus launching the whole exploitation chain again. In case no reboot occurs, the implant uninstalls itself after 30 days, unless this period is extended by the attackers.\r\nMeet TriangleDB\r\nThe TriangleDB implant is coded using Objective-C, a programming language that preserves names of members and methods assigned by the developer. In the implant’s binary, method names are not obfuscated; however, names of class members are uninformative acronyms, which makes it difficult to guess their meaning:\r\nClass method examples:\r\n-[CRConfig populateWithFieldsMacOSOnly]\r\n-[CRConfig populateWithSysInfo]\r\n-[CRConfig extendFor:]\r\n-[CRConfig getCInfoForDump]\r\n+[CRConfig sharedInstance]\r\n+[CRConfig unmungeHexString:]\r\n-[CRConfig init]\r\n-[CRConfig getBuildArchitecture]\r\n-[CRConfig cLS]\r\n-[CRConfig setVersion]\r\n-[CRConfig swapLpServerType]\r\n-[CRConfig setLpServerType:]\r\nClass member examples:\r\nNSString *pubKI;\r\nNSData *pubK;\r\nsigned __int64 iDa;\r\nsigned __int64 uD;\r\nNSString *deN;\r\nNSString *prT;\r\nNSString *seN;\r\nNSString *uDI;\r\nNSString *iME;\r\nNSString *meI;\r\nNSString *osV;\r\nCRPwrInfo *pwI;\r\nIn some cases, it is possible to guess what the acronyms mean. 
For example, osV is the iOS version, and iME contains the device’s IMEI.\r\nThe strings in the implant are HEX-encoded and encrypted with rolling XOR:\r\nid +[CRConfig unmungeHexString:](id a1, SEL a2, id stringToDecrypt) {\r\n  // code omitted\r\n  while (1) {\r\n    // read the next two hex characters and parse them as one byte\r\n    hexByte[0] = stringBytes[i];\r\n    hexByte[1] = stringBytes[i + 1];\r\n    encryptedByte = strtoul(hexByte, \u0026__endptr, 16);\r\n    if (__endptr == hexByte)\r\n      break; // not a hex digit: end of the encoded string\r\n    i += 2LL;\r\n    // rolling XOR: each byte after the first is XORed with the previous encrypted byte\r\n    if (j)\r\n      decryptedString[j] = encryptedByte ^ previousByte;\r\n    else\r\n      decryptedString[0] = encryptedByte;\r\n    ++j;\r\n    previousByte = encryptedByte;\r\n    if (i \u003e= stringLength)\r\n      break;\r\n  }\r\n  decryptedString[j] = 0; // NUL-terminate the result\r\n  // code omitted\r\n}\r\nThe rolling XOR algorithm implemented in the implant for string decryption\r\nC2 communications\r\nOnce the implant launches, it starts communicating with the C2 server, using the Protobuf library for exchanging data. The configuration of the implant contains two servers: the primary and the fallback (contained in the lS and lSf configuration fields). Normally, the implant uses the primary server, and, in case of an error, it switches to the fallback server by invoking the -[CRConfig swapLpServerType:] method.\r\nAdditionally, the sent and received messages are encrypted with symmetric (3DES) and asymmetric (RSA) cryptography. All messages are exchanged via the HTTPS protocol in POST requests, with the cookie having the key g and a value that is a digit string from the pubKI configuration parameter.\r\nThe implant periodically sends heartbeat beacons that contain system information, including the implant version, device identifiers (IMEI, MEID, serial number, etc.) 
and the configuration of the update daemon (whether automatic downloads and installations of updates are enabled).\r\nHeartbeat beacon snippet, implant v1.7.0.5 running on iOS 15.3.1\r\nTriangleDB commands\r\nThe C2 server responds to heartbeat messages with commands. Commands are transferred as Protobuf messages that have type names starting with CRX. The meaning of these names is obscure: for example, the command listing directories is called CRXShowTables, and changing C2 server addresses is handled by the command CRXConfigureDBServer. In total, the implant we analyzed has 24 commands designed for:\r\nInteracting with the filesystem (creation, modification, exfiltration and removal of files);\r\nInteracting with processes (listing and terminating them);\r\nDumping the victim’s keychain items, which can be useful for harvesting victim credentials;\r\nMonitoring the victim’s geolocation;\r\nRunning additional modules, which are Mach-O executables loaded by the implant. These executables are reflectively loaded, with their binaries stored only in memory.\r\nOne of the interesting commands we discovered is called CRXPollRecords. It monitors changes in folders, looking for modified files that have names matching specified regular expressions. Change monitoring is handled by obtaining a Unix file descriptor of the directory and assigning a vnode event handler to it. Whenever the implant gets notified of a change, the event handler searches for modified files that match the regex provided by the attacker. 
Such files are then scheduled for uploading to the C2 server.\r\nThe parameters of this command are as follows:\r\nParameter name | Parameter description\r\np | Directory path\r\nm | Filename regex\r\nsDC | Specifies whether the command should exfiltrate files that were modified before monitoring started.\r\neWo | Specifies whether file contents should be exfiltrated only via Wi-Fi.\r\nBelow, we describe the implant’s commands, specifying the developer-assigned command names along with their numerical identifiers when possible.\r\nCommand ID | Developer-assigned name | Description\r\n0xFEED | CRXBlank | No operation\r\n0xF001 | N/A | Uninstalls the implant by terminating its process.\r\n0xF301 | CRXPause | Makes the implant sleep for a specified number of seconds.\r\n0xFE01 | N/A | Sleeps for a pseudorandom time defined by the configuration parameters caS and caP. The sleeping time is chosen between caP – caS and caP + caS.\r\n0xFB01 | CRXForward | Changes the caP configuration value for the 0xFE01 command.\r\n0xFB02 | CRXFastForward | Changes the caS configuration value for the 0xFE01 command.\r\n0xF201 | CRXConfigureDBServer | Changes the addresses of the primary and fallback C2 servers.\r\n0xF403 | CRXUpdateConfigInfo | Changes the implant’s configuration parameters. The arguments of this command contain the identifier of the parameter to be changed and its new value. 
Note that the parameter identifiers are number strings, such as “nineteen” or “twentyone”.\r\n0xF101 | CRXExtendTimeout | Extends the implant lifetime by a specified number of seconds (the default implant lifetime is 30 days).\r\n0xF601 | CRXQueryShowTables | Obtains a listing of a specified directory with the fts API.\r\n0xF801 | CRXFetchRecordInfo | Retrieves metadata (attributes, permissions, size, creation, modification and access timestamps) of a given file.\r\n0xF501 | CRXFetchRecord | Retrieves contents of a specified file.\r\n0xFC10 | CRXPollRecords | Starts monitoring a directory for files whose names match a specified regex.\r\n0xFC11 | CRXStopPollingRecords | Stops execution of the CRXPollRecords command.\r\n0xFC01 | CRXFetchMatchingRecords | Retrieves files that match a specified regex.\r\n0xF901 | CRXUpdateRecord | Depending on the command’s iM argument, either writes data to a file or adds a new module to the implant.\r\n0xFA02 | CRXRunRecord | Launches a module with a specified name by reflectively loading its Mach-O executable.\r\n0xF902 | CRXUpdateRunRecord | Adds a new module to the implant and launches it.\r\n0xFA01 | CRXDeleteRecord | Depending on the command’s arguments, either removes an implant module or deletes a file with a specified name.\r\n0xF402 | CRXGetSchemas | Retrieves a list of running processes.\r\n0xFB44 | CRXPurgeRecord | Kills a process with a specified PID, either with SIGKILL or SIGSTOP, depending on the command’s arguments.\r\n0xFD01 | N/A | Retrieves information about installed iOS applications.\r\n0xFB03 | CRXGetIndexesV2 | Retrieves keychain entries of the infected device. 
It starts monitoring the screen lock state, and, when the device is unlocked, dumps keychain items from the genp (generic passwords), inet (Internet passwords), keys and cert tables (certificates, keys and digital identity) from the /private/var/Keychains/keychain-2.db database. Note here that the implant’s code can work with different keychain versions, starting from the ones used in iOS 4.\r\n0xF401 | N/A | Retrieves the victim’s location information: coordinates, altitude, bearing (the direction in which the device is moving) and speed. By default, this command works only if the device screen is off. However, the implant operator can override this restriction with a configuration flag.\r\nOdd findings\r\nWhile researching the TriangleDB implant, we found a lot of curious details:\r\nThe developers refer to string decryption as “unmunging” (as the method performing string decryption is named +[CRConfig unmungeHexString:]);\r\nThroughout the code, we observed that different entities were given names from database terminology, which is the reason why we dubbed the implant TriangleDB:\r\nEntity | Developer-used terminology for the entity\r\nDirectory | Table\r\nFile | Record\r\nImplant module | Record\r\nProcess | Schema\r\nKeychain entry | Index, row\r\nC2 server | DB Server\r\nGeolocation information | DB Status\r\nHeartbeat | Diagnostic data\r\nProcess of exchanging data with C2 server | Transaction\r\nRequest to C2 server | Query\r\niOS application | Operation\r\nWhile analyzing TriangleDB, we found that the class CRConfig (used to store the implant’s configuration) has a method named populateWithFieldsMacOSOnly. This method is not called anywhere in the iOS implant; however, its existence means that macOS devices can also be targeted with a similar implant;\r\nThe implant requests multiple entitlements (permissions) from the operating system. 
Some of them are not used in the code, such as access to camera, microphone and address book, or interaction with devices via Bluetooth. Thus, functionalities granted by these entitlements may be implemented in modules.\r\nTo be continued\r\nThat’s it for TriangleDB, a sophisticated implant for iOS containing multiple oddities. We are continuing to analyze the campaign, and will keep you updated with all details about this sophisticated attack.\r\nTriangleDB indicators of compromise\r\nMD5      063db86f015fe99fdd821b251f14446d\r\nSHA-1    1a321b77be6a523ddde4661a5725043aba0f037f\r\nSHA-256  fd9e97cfb55f9cfb5d3e1388f712edd952d902f23a583826ebe55e9e322f730f\r\nSource: https://securelist.com/triangledb-triangulation-implant/110050/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/triangledb-triangulation-implant/110050/"
	],
	"report_names": [
		"110050"
	],
	"threat_actors": [
		{
			"id": "ad08bd3d-e65c-4cfd-874a-9944380573fd",
			"created_at": "2023-06-23T02:04:34.517668Z",
			"updated_at": "2026-04-10T02:00:04.842233Z",
			"deleted_at": null,
			"main_name": "Operation Triangulation",
			"aliases": [],
			"source_name": "ETDA:Operation Triangulation",
			"tools": [
				"TriangleDB"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "113b8930-4626-4fa0-9a3a-bcf3ef86f595",
			"created_at": "2024-02-06T02:00:04.14393Z",
			"updated_at": "2026-04-10T02:00:03.578394Z",
			"deleted_at": null,
			"main_name": "Operation Triangulation",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Triangulation",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "04a7ebaa-ebb1-4971-b513-a0c86886d932",
			"created_at": "2023-01-06T13:46:38.784965Z",
			"updated_at": "2026-04-10T02:00:03.099088Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"ATK116",
				"Blue Odin"
			],
			"source_name": "MISPGALAXY:Inception Framework",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f35997d9-ca1e-453f-b968-0e675cc16d97",
			"created_at": "2023-01-06T13:46:39.490819Z",
			"updated_at": "2026-04-10T02:00:03.345364Z",
			"deleted_at": null,
			"main_name": "Evasive Panda",
			"aliases": [
				"BRONZE HIGHLAND"
			],
			"source_name": "MISPGALAXY:Evasive Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a",
			"created_at": "2024-11-01T02:00:52.763555Z",
			"updated_at": "2026-04-10T02:00:05.263997Z",
			"deleted_at": null,
			"main_name": "Daggerfly",
			"aliases": [
				"Daggerfly",
				"Evasive Panda",
				"BRONZE HIGHLAND"
			],
			"source_name": "MITRE:Daggerfly",
			"tools": [
				"PlugX",
				"MgBot",
				"BITSAdmin",
				"MacMa",
				"Nightdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7",
			"created_at": "2023-01-06T13:46:39.413725Z",
			"updated_at": "2026-04-10T02:00:03.31882Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Evasive Panda",
				"Daggerfly"
			],
			"source_name": "MISPGALAXY:BRONZE HIGHLAND",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4f7d2815-7504-4818-bf8d-bba18161b111",
			"created_at": "2025-08-07T02:03:24.613342Z",
			"updated_at": "2026-04-10T02:00:03.732192Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Daggerfly",
				"Daggerfly ",
				"Evasive Panda ",
				"Evasive Panda ",
				"Storm Bamboo "
			],
			"source_name": "Secureworks:BRONZE HIGHLAND",
			"tools": [
				"Cobalt Strike",
				"KsRemote",
				"Macma",
				"MgBot",
				"Nightdoor",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "02c9f3f6-5d10-456b-9e63-750286048149",
			"created_at": "2022-10-25T16:07:23.722884Z",
			"updated_at": "2026-04-10T02:00:04.72726Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"ATK 116",
				"Blue Odin",
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"Inception Framework",
				"Operation Cloud Atlas",
				"Operation RedOctober",
				"The Rocra"
			],
			"source_name": "ETDA:Inception Framework",
			"tools": [
				"Lastacloud",
				"PowerShower",
				"VBShower"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433987,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0bf6a5f2cf8bcf27684b4419597baffa11998d21.pdf",
		"text": "https://archive.orkl.eu/0bf6a5f2cf8bcf27684b4419597baffa11998d21.txt",
		"img": "https://archive.orkl.eu/0bf6a5f2cf8bcf27684b4419597baffa11998d21.jpg"
	}
}