{
	"id": "41d9dbab-ca1f-4772-bef8-1085e057bc74",
	"created_at": "2026-04-06T00:17:32.534408Z",
	"updated_at": "2026-04-10T13:11:44.824805Z",
	"deleted_at": null,
	"sha1_hash": "0c04ec550a2aacc5835fe85491e5aa3b74e48598",
	"title": "Chisel (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 33999,
	"plain_text": "Chisel (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 18:48:40 UTC\r\nelf.chisel (Back to overview)\r\nChisel\r\nChisel is an open-source project by Jaime Pillora (jpillora) that allows tunneling TCP and UDP connections via\r\nHTTP. It is available across platforms and written in Go. While benign in itself, Chisel has been utilized by\r\nmultiple threat actors. It was for example observed by SentinelOne during a PYSA ransomware campaign to\r\nachieve persistence and used as backdoor.\r\nGithub: https://github.com/jpillora/chisel\r\nReferences\r\n2022-04-18 ⋅ SentinelOne ⋅ James Haughom\r\nFrom the Front Lines | Peering into A PYSA Ransomware Attack\r\nChisel Chisel Cobalt Strike Mespinoza\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/elf.chisel\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/elf.chisel\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/elf.chisel"
	],
	"report_names": [
		"elf.chisel"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434652,
	"ts_updated_at": 1775826704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0c04ec550a2aacc5835fe85491e5aa3b74e48598.pdf",
		"text": "https://archive.orkl.eu/0c04ec550a2aacc5835fe85491e5aa3b74e48598.txt",
		"img": "https://archive.orkl.eu/0c04ec550a2aacc5835fe85491e5aa3b74e48598.jpg"
	}
}