{
	"id": "3a805962-5ee5-4db1-87bc-8d4006ea4590",
	"created_at": "2026-04-06T00:19:25.323784Z",
	"updated_at": "2026-04-10T03:37:51.336926Z",
	"deleted_at": null,
	"sha1_hash": "0daf6e6c593ad8b87aa7d0dfc25d8549601b492f",
	"title": "TRACKING RANSOMWARE - FEBRUARY 2025 - CYFIRMA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 809968,
	"plain_text": "TRACKING RANSOMWARE - FEBRUARY 2025 - CYFIRMA\r\nArchived: 2026-04-05 13:24:19 UTC\r\nPublished On : 2025-03-13\r\nEXECUTIVE SUMMARY\r\nFebruary 2025 witnessed a sharp rise in ransomware incidents, with 956 reported victims globally, marking an\r\n87% increase from January. Clop and Play ransomware groups led this surge, while new actors like Anubis and\r\nLinkc Pub emerged. The Manufacturing sector faced the highest impact, and the United States remained the most\r\ntargeted region. This report analyzes key ransomware trends, highlighting the growing sophistication of attacks\r\nand the increasing overlap between financial crime and cyber espionage.\r\nINTRODUCTION\r\nThe ransomware landscape in February 2025 experienced unprecedented growth, surpassing trends from previous\r\nyears. This report presents a detailed analysis of ransomware activity, comparing it with past months. It covers the\r\nmost affected industries, geographical targets, and newly emerging ransomware groups. Additionally, the report\r\nexplores evolving threat actor tactics, including zero-day exploitation, advanced social engineering techniques,\r\nhttps://www.cyfirma.com/research/tracking-ransomware-february-2025/\r\nPage 1 of 11\n\nand espionage-linked ransomware attacks, offering valuable insights into the rapidly shifting cyber threat\r\nenvironment.\r\nKEY POINTS\r\nIn February 2025, the Clop ransomware group emerged as a significant threat, leading with a victim count\r\nof 332.\r\nThe Manufacturing sector was the primary target of ransomware attacks, experiencing 159 incidents globally\r\nin February 2025.\r\nThe USA was the most targeted geography in February 2025.\r\nAnubis, Linkc Pub and RunSomeWares emerged as new threats in the ransomware landscape.\r\nTREND COMPARISON OF FEBRUARY 2025’S TOP 5 RANSOMWARE GROUPS.\r\nThroughout February 2025, there was notable activity from several ransomware groups. 
Here are the trends\r\nregarding the top 5:\r\nRansomware activity surged in February 2025 compared to January. Clop saw a staggering 453% increase, while\r\nRansomHub rose by 135%. Play experienced a sharp 360% spike, and Qilin nearly doubled, growing by 91%.\r\nAkira showed a moderate 10% rise. The significant uptick, especially in Clop and Play ransomware, underscores\r\nthe urgent need for enhanced cybersecurity measures to counter evolving ransomware threats.\r\nINDUSTRIES TARGETED IN FEBRUARY 2025 COMPARED WITH JANUARY 2025\r\nIn February 2025, cyberattacks surged across industries compared to January 2025, with Manufacturing\r\nwitnessing the highest increase of 112% (from 75 to 159 incidents). FMCG attacks rose by 78%, while\r\nTransportation saw a 250% spike. I.T. and Services industries faced 138% and 131% increases, respectively.\r\nBanking \u0026 Finance attacks increased 138%, whereas Healthcare rose by 9.2%. Government \u0026 Law and\r\nEducation also saw 51% and 37% growth. Minimal changes were observed in energy, e-commerce, and media.\r\nThese trends indicate a sharp rise in cyber threats across critical sectors, demanding stronger security measures.\r\nTRENDS COMPARISON OF RANSOMWARE ATTACKS\r\nIn February 2025, ransomware attacks surged to 956 victims, marking an 87% increase from 510 in January 2025. This sharp\r\nrise highlights a significant escalation in ransomware operations, surpassing trends from 2023 and 2024. The\r\nunprecedented spike suggests evolving attacker tactics and increased targeting of vulnerable sectors. 
This trend\r\nhighlights the urgent need for enhanced cybersecurity defenses, proactive threat intelligence, and stronger incident\r\nresponse frameworks to mitigate the growing ransomware threat and minimize business disruptions.\r\nGEOGRAPHICAL TARGETS: TOP 5 LOCATIONS\r\nIn February 2025, the United States remained the top ransomware target, with 591 victims—significantly\r\noutpacing other regions. Canada followed with 57 attacks, while the United Kingdom (32), Germany (25), and\r\nFrance (14) saw lower but notable ransomware activity. These regions are prime targets due to their strong\r\neconomies, data-rich enterprises, critical infrastructure, and high ransom-paying potential, making them lucrative\r\nfor cybercriminals.\r\nEVOLUTION OF RANSOMWARE GROUPS IN FEBRUARY 2025\r\nChina-linked attackers exploit Check Point flaw, deploy ShadowPad and ransomware\r\nA newly identified threat activity cluster targeted European organizations, particularly in the healthcare sector,\r\ndeploying PlugX and its successor ShadowPad, before executing NailaoLocker ransomware. The attacks\r\nleveraged a recently patched vulnerability (CVE-2024-24919 – CVSS score: 7.5) in Check Point network security gateways\r\nto gain initial access.\r\nExploiting vulnerable instances enabled credential theft and VPN access using legitimate accounts. The attackers\r\nthen conducted network reconnaissance, moved laterally via RDP, and escalated privileges. They employed DLL\r\nsearch-order hijacking to sideload ShadowPad and PlugX, enabling persistent remote access. ShadowPad, an\r\nadvanced malware with obfuscation and anti-debugging techniques, was used for stealthy command-and-control\r\noperations.\r\nThe final stage involved executing NailaoLocker ransomware via DLL sideloading. The payload encrypted files,\r\nappended a “.locked” extension, and dropped a ransom note demanding bitcoin payments.\r\n
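The DLL search-order hijacking described above, and the toshdpdb.exe / toshdpapi.dll pairing in the RA World case later in this report, leave a simple trace in endpoint telemetry: a process loads a DLL from its own directory rather than from a system or install directory, and that DLL carries no valid signature. The following Python script is an added example, not CYFIRMA code or any tooling from the report; it applies that heuristic to Sysmon Event ID 7 (ImageLoad) records. The records are constructed, the trusted and staging directory lists are assumptions, and the sample paths use forward slashes so that the example contains no escape characters (real Sysmon paths use backslashes, which the script folds).

```python
# Added example (not CYFIRMA code): flag likely DLL search-order hijacking /
# sideloading in Sysmon Event ID 7 (ImageLoad) records. Field names follow the
# real Sysmon schema; the events themselves are constructed for this example.
from typing import Dict, List, Tuple

# Where properly installed software normally lives (assumption for this example).
TRUSTED_DIRS = ('c:/windows/', 'c:/program files/', 'c:/program files (x86)/')
# User-writable locations where a dropped EXE + DLL pair typically lands (assumption).
STAGING_DIRS = ('c:/users/', 'c:/programdata/', 'c:/windows/temp/', 'c:/perflogs/')

BACKSLASH = chr(92)  # a literal backslash, spelled out so this example has no escape sequences


def norm(path: str) -> str:
    # Real Sysmon paths use backslashes; fold them so the rules work on either form.
    return path.replace(BACKSLASH, '/').lower()


def split_path(path: str) -> Tuple[str, str]:
    # Returns (directory with trailing slash, file name).
    folder, name = norm(path).rsplit('/', 1)
    return folder + '/', name


def sideload_reasons(ev: Dict[str, str]) -> List[str]:
    # Empty list means the load looks benign under this heuristic.
    exe_dir, exe_name = split_path(ev['Image'])
    dll_dir, dll_name = split_path(ev['ImageLoaded'])
    if dll_dir != exe_dir:
        return []  # search-order hijacking resolves the DLL from the EXE directory
    if exe_dir.startswith(TRUSTED_DIRS) and not exe_dir.startswith(STAGING_DIRS):
        return []  # an installed application loading its own private DLLs
    if ev.get('Signed', 'false').lower() == 'true' and ev.get('SignatureStatus') == 'Valid':
        return []  # a validly signed DLL next to the binary is plausible vendor code
    reasons = [f'{exe_name} loaded unsigned {dll_name} from its own directory {exe_dir}']
    if exe_dir.startswith(STAGING_DIRS):
        reasons.append('executable runs from a user-writable staging location')
    return reasons


# Constructed records. The Toshiba file names come from the report; their location
# under Users/Public is an assumption made for the example.
EVENTS = [
    {'Image': 'C:/Users/Public/Libraries/toshdpdb.exe',
     'ImageLoaded': 'C:/Users/Public/Libraries/toshdpapi.dll',
     'Signed': 'false', 'SignatureStatus': 'Unavailable'},
    {'Image': 'C:/Windows/System32/notepad.exe',
     'ImageLoaded': 'C:/Windows/System32/kernel32.dll',
     'Signed': 'true', 'SignatureStatus': 'Valid'},
    {'Image': 'C:/Program Files/Vendor/app.exe',
     'ImageLoaded': 'C:/Program Files/Vendor/vendorlib.dll',
     'Signed': 'false', 'SignatureStatus': 'Unavailable'},
    {'Image': 'C:/ProgramData/update/svc.exe',
     'ImageLoaded': 'C:/Windows/System32/ntdll.dll',
     'Signed': 'true', 'SignatureStatus': 'Valid'},
    {'Image': 'C:/Users/alice/AppData/Local/Temp/tool.exe',
     'ImageLoaded': 'C:/Users/alice/AppData/Local/Temp/version.dll',
     'Signed': 'false', 'SignatureStatus': 'Unavailable'},
]


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    hits = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            hits.append((norm(ev['Image']), reasons))
    return hits


if __name__ == '__main__':
    for image, reasons in triage(EVENTS):
        print(image)
        for r in reasons:
            print('  - ' + r)
```

Run stand-alone it reports the two suspect loads (the Toshiba pair and the Temp directory pair) and stays silent on the installed application and the system DLL. In practice the same rule is pointed at Event ID 7 exported from a SIEM, with the directory lists tuned to the estate. The heuristic is deliberately narrow: it says nothing about a signed DLL planted beside a signed host, or about hijacks that resolve through the system directory, so treat it as a triage filter rather than a verdict.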
NailaoLocker lacked sophistication, with no capability to scan network shares, stop critical services, or evade debugging.\r\nAttribution indicators, including the use of ShadowPad, sideloading techniques, and tool overlaps with previous\r\ncampaigns, suggest involvement of a Chinese-aligned group. The attack highlights a potential trend where\r\nespionage-focused actors engage in ransomware for financial gain while maintaining long-term network access for\r\nfuture operations.\r\nETLM Assessment\r\nFuture ransomware campaigns may increasingly blur the lines between espionage and financial crime, with state-linked actors leveraging advanced implants like ShadowPad for persistent access while deploying unsophisticated\r\nransomware for quick profits. More critical sectors could be targeted, and attackers may refine techniques,\r\nexploiting zero-days and evading detection with enhanced obfuscation.\r\nXELERA Ransomware Campaign Spreads via Malicious Documents in New Attack\r\nA recent cybersecurity threat has emerged, targeting job seekers with fake employment offers from a prominent\r\nIndian public sector organization. The attack begins with a spear-phishing email containing a malicious Word\r\ndocument titled “FCEI-job-notification.doc.” This document appears legitimate, detailing vacancies and eligibility\r\ncriteria, but harbors an embedded Object Linking and Embedding (OLE) object. Extracting this object reveals a\r\ncompressed PyInstaller executable named “jobnotification2025.exe,” which serves as the initial stage of the\r\nmalware.\r\nUpon execution, this executable unpacks Python-compiled files, including “mainscript.pyc,” which contains the\r\ncore malicious logic. The malware employs libraries such as psutil, aiohttp, and asyncio for system monitoring\r\nand network operations. 
Notably, it utilizes a Discord bot as its command-and-control (C2) server, enabling\r\nremote command execution on the victim’s machine. The bot can perform various malicious activities, including\r\nprivilege escalation, system control (e.g., locking or shutting down the system), credential theft from browsers,\r\nand visual disruptions like altering wallpapers.\r\nIn its final stage, the malware deploys ransomware that demands payment in Litecoin. It includes functions to\r\nterminate Windows Explorer unless a specific executable is running and downloads an MBR (Master Boot\r\nRecord) corruption tool named “MEMZ.exe.” This tool can render the system unbootable, adding pressure on the\r\nvictim to comply with the ransom demands.\r\nGiven the sophistication of this attack and its exploitation of trusted platforms and services, it is anticipated that\r\nsimilar ransomware campaigns will increase in frequency and complexity. Attackers are likely to continue refining\r\ntheir tactics, making detection and prevention increasingly challenging.\r\nETLM Assessment\r\nGiven the sophisticated nature of this campaign, it’s anticipated that similar attacks will increase, employing\r\nadvanced social engineering tactics and multi-stage infection processes to exploit job seekers and other vulnerable\r\ngroups globally.\r\nEncryptHub infiltrates organisations, deploys infostealers and ransomware\r\nEncryptHub, also known as Larva-208, is a new, sophisticated threat actor targeting organizations globally through\r\nspear-phishing and social engineering tactics. Since June 2024, it has compromised over 600 organizations by\r\nimpersonating IT support and mimicking corporate VPN products. Victims are lured through SMS phishing, voice\r\nphishing, and fake login pages, where credentials and MFA tokens are stolen in real time. The group uses over 70\r\ndomains that resemble legitimate services to increase credibility.\r\n
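The lookalike domains are the part of the EncryptHub campaign that defenders can hunt for before the phishing call arrives: newly observed domains that embed, visually mimic, or sit a typo away from the organisation’s own brand or VPN product name. The Python script below is an added example, not CYFIRMA code or anything the report attributes to the actor; the brand names, allowlist and candidate domains are constructed, and the registrable-domain logic is deliberately naive (last two labels) where production code should consult the Public Suffix List.

```python
# Added example (not CYFIRMA code): flag domains that impersonate a protected
# brand, the pattern described for the EncryptHub campaign. Brands, allowlist
# and candidate domains are constructed for the example.
from typing import List

BRANDS = ('examplecorp', 'examplevpn')              # hypothetical names to protect
ALLOWLIST = {'examplecorp.com', 'examplevpn.net'}   # hypothetical legitimate domains
# Common character substitutions used in lookalikes; multi-character keys go last.
HOMOGLYPHS = (('0', 'o'), ('1', 'l'), ('3', 'e'), ('5', 's'), ('7', 't'), ('rn', 'm'), ('vv', 'w'))
MAX_EDITS = 2   # typo distance still treated as a lookalike (assumption)


def registrable(domain: str) -> str:
    # Naive registrable domain: last two labels. Production code should use the
    # Public Suffix List so that host.example.co.uk is handled correctly.
    labels = domain.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:])


def fold_homoglyphs(label: str) -> str:
    for glyph, plain in HOMOGLYPHS:
        label = label.replace(glyph, plain)
    return label


def edit_distance(a: str, b: str) -> int:
    # Classic Levenshtein distance with a single rolling row.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reasons(domain: str) -> List[str]:
    # Empty list means the domain is allowlisted or does not resemble any brand.
    reg = registrable(domain)
    if reg in ALLOWLIST:
        return []
    label = reg.split('.')[0]
    folded = fold_homoglyphs(label)
    reasons = []
    for brand in BRANDS:
        if brand in label:
            reasons.append(f'contains brand {brand}')
        elif brand in folded:
            reasons.append(f'homoglyph form of {brand}')
        elif len(label) >= 6 and edit_distance(label, brand) <= MAX_EDITS:
            reasons.append(f'within {MAX_EDITS} edits of {brand}')
    return reasons


# Constructed candidates, as they might arrive from passive DNS or certificate
# transparency feeds.
CANDIDATES = [
    'examplecorp.com',          # legitimate
    'sso.examplecorp.com',      # legitimate host under the allowlisted domain
    'vpn-examplecorp.com',      # brand embedded in a new label
    'examp1ecorp.net',          # digit one for letter l
    'exarnplecorp-login.com',   # r+n for m, plus a lure keyword
    'examplecrop.com',          # transposed letters
    'weather.com',              # unrelated
]


def hunt(domains: List[str]) -> List[str]:
    return [d for d in domains if lookalike_reasons(d)]


if __name__ == '__main__':
    for d in CANDIDATES:
        print(f'{d:26s} ' + (', '.join(lookalike_reasons(d)) or 'ok'))
```

Feed it newly observed domains from passive DNS or certificate transparency rather than a static list, and put the organisation’s real VPN and SSO product names into BRANDS. The edit-distance rule generates noise on short or generic labels, which is why it is gated on label length; the homoglyph table covers only ASCII substitutions, so internationalised domain names need a separate confusables check.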
Once access is gained, remote monitoring and management (RMM) tools are deployed for persistence, followed by information stealers like Stealc and Rhadamanthys to\r\nexfiltrate credentials, browser data, and cryptocurrency wallets. EncryptHub has also been linked to RansomHub\r\nand BlackSuit ransomware operations, acting either as an initial access broker or direct affiliate. While it has\r\ndeployed these ransomware variants in past attacks, it also uses a custom PowerShell-based encryptor that\r\nappends a “.crypted” extension to files before deleting originals. A ransom note demands payment in USDT via\r\nTelegram. The use of bulletproof hosting, sophisticated obfuscation, and tailored social engineering tactics allows\r\nEncryptHub to evade detection and compromise high-value targets. Its connections to established ransomware\r\ngroups further amplify the threat to global organizations.\r\nETLM Assessment\r\nEncryptHub and other threat actors are likely to evolve by refining phishing techniques, leveraging AI for\r\nautomation, and expanding partnerships with ransomware groups like RansomHub and BlackSuit. Increased use\r\nof evasive malware, cloud-based attacks, and multi-platform targeting could escalate global breaches.\r\nStrengthened defenses against social engineering and MFA bypass will be critical.\r\nChinese espionage tools deployed in RA World ransomware attack\r\nA China-based threat actor, Emperor Dragonfly, has been observed conducting ransomware attacks using a toolset\r\npreviously linked to espionage operations. The attackers deployed RA World ransomware against an Asian\r\nsoftware company, demanding a $2 million ransom. 
This activity suggests a potential overlap between cyber\r\nespionage and financially motivated cybercrime.\r\nBetween mid-2024 and early 2025, the threat actor targeted government ministries and telecom operators in\r\nSoutheast Europe and Asia, focusing on long-term persistence. A specific PlugX (Korplug) backdoor was\r\ndeployed using DLL sideloading, leveraging a legitimate Toshiba executable (toshdpdb.exe) and a malicious DLL\r\n(toshdpapi.dll). Additionally, NPS proxy, a covert network communication tool, and RC4-encrypted payloads\r\nwere used to maintain stealth.\r\nLater, in a separate attack against a South Asian software firm, RA World ransomware was executed following the\r\ndeployment of Korplug. The attackers initially compromised the network by exploiting CVE-2024-0012, an\r\nauthentication bypass in the PAN-OS management web interface of Palo Alto Networks firewalls. They then used the same sideloading techniques to establish persistence\r\nbefore encrypting systems.\r\nETLM Assessment\r\nState-backed actors will likely continue blending espionage with ransomware for financial gain. Future\r\nattacks may target critical infrastructure and major enterprises, exploiting zero-days and supply chain\r\nvulnerabilities for deeper access.\r\nOverall Trend in Ransomware Evolution\r\nBlurring Lines Between Espionage and Financial Crime – State-linked actors are increasingly engaging\r\nin ransomware attacks, not just for financial gain but also to maintain long-term network access. The\r\nChina-linked group behind the ShadowPad and NailaoLocker campaign exemplifies this hybrid approach,\r\nwhere advanced malware ensures persistence while ransomware serves as a quick monetization tool.\r\nAdvanced Social Engineering \u0026 Multi-Stage Attacks – Threat actors are refining their social\r\nengineering tactics, leveraging phishing, fake job offers, and impersonation to gain initial access. 
Groups\r\nlike EncryptHub mimic IT support teams and use real-time MFA interception to bypass security measures\r\nbefore deploying ransomware. Meanwhile, the XELERA campaign is conducted through fake job\r\nnotifications, using Discord bots for command-and-control before encrypting victims’ data.\r\nExploitation of Zero-Days \u0026 Evasive Malware – The increased use of zero-day vulnerabilities and\r\nsideloading techniques highlights the evolution of ransomware delivery methods. The exploitation of a\r\nCheck Point gateway flaw (CVE-2024-24919) allowed China-linked attackers to deploy ShadowPad and\r\nransomware payloads undetected, demonstrating how adversaries rapidly weaponize newly disclosed\r\nvulnerabilities.\r\nRansomware incidents have surged 87.45%, rising from 510 to 956 victims. This sharp increase is largely\r\nattributed to the Clop ransomware group, whose victim count skyrocketed by 453%. The group recently listed\r\nthe majority of its compromised victims, having exploited zero-day vulnerabilities (CVE-2024-50623 and CVE-2024-55956) in Cleo file transfer software to breach corporate networks.\r\nEMERGING GROUPS\r\nAnubis\r\nAnubis is a new Ransomware-as-a-Service (RaaS) group, suspected to be active since late 2024 and comprising\r\nexperienced cybercriminals with an active dark web presence. The group employs a double extortion strategy and\r\noffers three affiliate programs: classic ransomware (providing an 80% share for affiliates targeting Windows,\r\nLinux, NAS, and ESXi), data ransom (monetizing stolen data with a 60/40 revenue split), and access monetization\r\n(paying brokers 50% for exclusive access in select regions). 
Tracked through dark web actors like ‘superSonic’,\r\nAnubis launched its dedicated leak site by the end of February 2025, signaling its intent to intensify ransomware\r\noperations.\r\nAppearance of the leaksite of ransomware\r\nLinkc Pub\r\nThe Linkc Pub ransomware group recently emerged and launched its leak site in mid-February 2025. As of the\r\ntime of this report, the group has already listed one victim, indicating the beginning of its extortion activities.\r\nAppearance of the leaksite of ransomware\r\nRunSomeWares\r\nResearchers have identified a new ransomware group, RunSomeWares, which launched its leak site in late\r\nFebruary 2025. While limited information is available about this group, its emergence poses a serious global\r\nthreat, given that it had already claimed four victims at launch. Stay tuned with our reports for more details.\r\nAppearance of the leaksite of ransomware\r\nKEY RANSOMWARE EVENTS IN FEBRUARY 2025\r\n8Base dismantled\r\nAn international law enforcement operation dismantled the 8Base ransomware group, shutting down its dark web\r\ndata leak and negotiation sites. Authorities arrested four individuals in Thailand for deploying Phobos\r\nransomware, which encrypted data across 17 firms, demanding ransom payments for decryption keys. The\r\nsuspects allegedly stole approximately $16 million in cryptocurrency from around 1,000 victims worldwide.\r\nActive since 2022, 8Base targeted small and medium-sized businesses across industries such as finance,\r\nmanufacturing, and IT. In recent campaigns, Phobos ransomware was delivered via encrypted payloads instead of\r\ntraditional loaders. It executed rapid encryption by fully locking files under 1.5MB and partially encrypting larger\r\nones while storing metadata within the file.\r\n
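Partial encryption of the kind described for Phobos (full encryption below 1.5 MB, only part of each larger file, with the ransomware’s own metadata stored inside the file) shows up clearly in a per-chunk entropy profile: ciphertext sits near 8 bits per byte, documents and databases well below that, and a partially encrypted file has a high-entropy head followed by untouched content. The Python script below is an added example for incident responders, not CYFIRMA code or anything from the report; the chunk size and the entropy threshold are assumptions, and the sample files are constructed in memory (repeated text standing in for a document, seeded random bytes standing in for ciphertext) so the script runs offline.

```python
# Added example (not CYFIRMA code): tell fully encrypted, partially encrypted and
# untouched files apart by their per-chunk Shannon entropy. Sample files are
# constructed in memory; chunk size and threshold are assumptions.
import math
import random
from collections import Counter
from typing import Dict, List, Tuple

CHUNK = 64 * 1024          # analysis window in bytes (assumption)
MIN_TAIL = 4 * 1024        # fold a short final window into its predecessor
HIGH_ENTROPY = 7.2         # bits per byte; ciphertext and compressed data sit near 8.0 (assumption)
SMALL_FILE = 1536 * 1024   # the 1.5 MB boundary quoted in the report


def entropy(data: bytes) -> float:
    # Shannon entropy in bits per byte, 0.0 for empty input.
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windows(data: bytes) -> List[bytes]:
    out = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    if len(out) > 1 and len(out[-1]) < MIN_TAIL:
        out[-2:] = [out[-2] + out[-1]]  # a tiny tail cannot reach HIGH_ENTROPY on its own
    return out


def classify(data: bytes) -> Tuple[str, float]:
    # Returns (label, fraction of windows that look like ciphertext).
    profile = [entropy(w) for w in windows(data)]
    if not profile:
        return ('empty', 0.0)
    frac = sum(1 for e in profile if e >= HIGH_ENTROPY) / len(profile)
    if frac == 1.0:
        return ('fully-encrypted', frac)
    if frac == 0.0:
        return ('plaintext', frac)
    return ('partially-encrypted', frac)


def triage(files: Dict[str, bytes]) -> Dict[str, str]:
    out = {}
    for name, data in files.items():
        label, frac = classify(data)
        size_class = 'small' if len(data) < SMALL_FILE else 'large'
        out[name] = f'{label} ({size_class}, {frac:.0%} of windows high-entropy)'
    return out


def build_samples() -> Dict[str, bytes]:
    # Constructed data: repeated text stands in for a document, seeded random
    # bytes stand in for ciphertext. No encryptor is written here on purpose.
    rng = random.Random(2025)
    text = b'Quarterly production schedule, line 3, shift B, revision 7. ' * 28000
    small = text[:200 * 1024]
    partial = rng.randbytes(256 * 1024) + text[256 * 1024:] + b'[constructed footer: original size 1680000]'
    return {
        'small_plain.txt': small,
        'small_locked.txt': rng.randbytes(len(small)),
        'large_plain.bin': text,
        'large_partial.bin': partial,
    }


SAMPLES = build_samples()

if __name__ == '__main__':
    for name, verdict in triage(SAMPLES).items():
        print(f'{name:20s} {verdict}')
```

Natively compressed formats (zip and Office containers, JPEG, media, compressed PDF streams) are high-entropy before any encryption, so pair the profile with magic-byte checks and a known-good baseline of the same share. A few hundred bytes of ransomware metadata appended to a fully encrypted file, as described for Phobos, fall inside the last window and do not change the verdict here; only the head-encrypted large file is reported as partial.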
The malware scanned network shares, disabled backups, and used\r\nregistry keys for persistence. It also bypassed security controls, terminated processes holding files open, and\r\nreported infections to an external URL. These techniques enhanced stealth, encryption speed, and operational\r\nefficiency.\r\nBeware of Ghost, CISA and the FBI warn\r\nGhost ransomware has been an active threat since early 2021, compromising victims across over 70 countries,\r\nincluding critical infrastructure, healthcare, government, education, and manufacturing sectors. According to a\r\njoint advisory from CISA and the FBI, the group indiscriminately exploits outdated internet-facing services,\r\nleveraging multiple ransomware variants such as Ghost.exe, Cring.exe, and ElysiumO.exe. The attackers\r\nfrequently modify file extensions, ransom notes, and communication methods to evade detection.\r\nCISA and the FBI highlight that Ghost ransomware operators exploit unpatched vulnerabilities in Fortinet (CVE-2018-13379), ColdFusion (CVE-2010-2861, CVE-2009-3960), and Exchange (the ProxyShell chain: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). They deploy credential stealers, Cobalt Strike beacons, and ransomware payloads, using\r\nCertUtil to bypass security measures. Some of these vulnerabilities have also been exploited by state-backed\r\nthreat actors.\r\nBlack Basta ransomware attack cost Southern Water £4.5M\r\nBlack Basta ransomware targeted Southern Water, a major UK water supplier, in February 2024, leading to a data\r\nbreach and financial impact of £4.5 million ($5.7M). While the attack did not disrupt operations, the ransomware\r\nactors stole data from the company’s servers. The victim engaged cybersecurity experts and legal advisors, as well\r\nas notified affected individuals.\r\nLeaked internal communications suggest that the attackers initially demanded $3.5 million, but the victim\r\nreportedly negotiated a lower ransom offer of $950,000. 
By the end of February, the victim’s listing was removed\r\nfrom Black Basta’s extortion site, implying a possible settlement. However, no official confirmation of a ransom\r\npayment was provided.\r\nIVF giant Genea hit by Termite ransomware\r\nThe Termite ransomware group has claimed responsibility for breaching Genea, a major fertility services provider\r\nin Australia, exfiltrating 940.7GB of sensitive data. The attack began on January 31, 2025, through a Citrix server,\r\nallowing access to critical systems, including patient management, domain controllers, and backup infrastructure.\r\nTwo weeks later, the attackers transferred the stolen data to a cloud server under their control. The compromised\r\nrecords include personally identifiable information, medical histories, insurance details, and diagnostic test results.\r\nThe victim has obtained a court order to prevent further distribution of the leaked data and is working with\r\ncybersecurity authorities on the investigation. Termite operators later leaked portions of the stolen data on their\r\ndark web portal, showcasing identification documents and patient files. This ransomware group, active since\r\nOctober 2024, leverages a Babuk-based encryptor, conducts data theft, and engages in extortion. Their encryptor\r\nhas exhibited execution flaws, suggesting ongoing development. The incident underscores the growing risks to\r\nhealthcare data security.\r\nBUSINESS IMPACT ANALYSIS\r\nBased on available public reports, approximately 31% of enterprises are compelled to halt their operations, either\r\ntemporarily or permanently, in the aftermath of a ransomware onslaught. 
The ripple effects extend beyond\r\noperational disruptions, as detailed by additional metrics:\r\nA significant 40% of affected organizations are forced into downsizing their workforce due to the financial\r\nstrain caused by the attack.\r\nThe aftermath sees 35% of businesses experiencing turnover at the executive level, with C-suite members\r\nstepping down in the wake of the security breach.\r\nThe financial toll of cyber incidents is staggering, with the average cost burden to companies, irrespective\r\nof their size, estimated at around $200,000. This figure underscores the substantial economic impact of\r\ncyber threats.\r\nAlarmingly, 75% of small to medium-sized enterprises (SMEs) face an existential threat, acknowledging that\r\nthey would likely have to close if cybercriminals extorted a ransom from them.\r\nThe long-term viability of these entities is also in jeopardy, with 60% of small businesses shutting down\r\nwithin six months post-attack, highlighting the enduring impact of such security breaches.\r\nEven where no ransom is paid, organizations bear significant financial weight in\r\ntheir recovery and remediation endeavors to restore normality and secure their systems.\r\nEXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW\r\nImpact Assessment\r\nRansomware remains a severe threat to both organizations and individuals, encrypting critical data and demanding\r\npayment for decryption. Beyond financial extortion, these attacks impose heavy costs through recovery efforts,\r\noperational disruptions, and cybersecurity reinforcements. Victims often face reputational damage, regulatory\r\nfines, and market instability, eroding consumer confidence. 
To protect financial stability and public trust,\r\nbusinesses and governments must prioritize proactive cybersecurity strategies to mitigate ransomware risks\r\neffectively.\r\nVictimology\r\nCybercriminals are intensifying attacks on businesses that manage vast amounts of sensitive data, including\r\npersonal information, financial records, and intellectual property. Industries like manufacturing, real estate,\r\nhealthcare, FMCG, e-commerce, finance, and technology are prime targets due to their extensive data assets.\r\nAttackers focus on nations with strong economies and advanced digital infrastructures, exploiting vulnerabilities\r\nto encrypt critical data and demand high ransoms, aiming to maximize financial gains through calculated and\r\nsophisticated tactics.\r\nCONCLUSION\r\nThe escalation in ransomware activity in February 2025 highlights the increasing complexity and aggression of\r\ncybercriminals. The emergence of state-backed ransomware operations and the weaponization of zero-day\r\nvulnerabilities signal a critical need for stronger defenses. Organizations must adopt proactive threat intelligence,\r\nrobust incident response frameworks, and enhanced cybersecurity measures to counter evolving threats. As\r\nransomware tactics continue to evolve, staying ahead of adversaries through continuous security improvements\r\nwill be imperative.\r\nSTRATEGIC RECOMMENDATIONS:\r\n1. Strengthen cybersecurity measures: invest in robust cybersecurity solutions, including advanced threat\r\ndetection and prevention tools, to proactively defend against evolving ransomware threats.\r\n2. Employee training and awareness: conduct regular cybersecurity training for employees to educate them\r\nabout phishing, social engineering, and safe online practices to minimize the risk of ransomware infections.\r\n3. 
Incident response planning: develop and regularly update a comprehensive incident response plan to ensure\r\na swift and effective response in case of a ransomware attack, reducing the potential impact and downtime.\r\nMANAGEMENT RECOMMENDATIONS:\r\n1. Cyber Insurance: Evaluate and consider cyber insurance policies that cover ransomware incidents to\r\nmitigate financial losses and protect the organization against potential extortion demands.\r\n2. Security audits: conduct periodic security audits and assessments to identify and address potential\r\nweaknesses in the organization’s infrastructure and processes.\r\n3. Security governance: establish a strong security governance framework that ensures accountability and\r\nclear responsibilities for cybersecurity across the organization.\r\nTACTICAL RECOMMENDATIONS:\r\n1. Patch management: regularly update software and systems with the latest security patches to mitigate\r\nvulnerabilities that threat actors may exploit.\r\n2. Network segmentation: implement network segmentation to limit lateral movement of ransomware within\r\nthe network, isolating critical assets from potential infections.\r\n3. Multi-Factor authentication (MFA): enable MFA for all privileged accounts and critical systems to add an\r\nextra layer of security against unauthorized access.\r\nSource: https://www.cyfirma.com/research/tracking-ransomware-february-2025/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.cyfirma.com/research/tracking-ransomware-february-2025/"
	],
	"report_names": [
		"tracking-ransomware-february-2025"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c69bcda3-0893-4ea1-9ec1-ae016332d283",
			"created_at": "2023-01-06T13:46:39.410593Z",
			"updated_at": "2026-04-10T02:00:03.317754Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"DEV-0401",
				"Cinnamon Tempest",
				"Emperor Dragonfly",
				"SLIME34"
			],
			"source_name": "MISPGALAXY:BRONZE STARLIGHT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "af10aec6-36a8-4bdb-ba47-8f75b6a4aa4b",
			"created_at": "2025-03-07T02:00:03.797427Z",
			"updated_at": "2026-04-10T02:00:03.821929Z",
			"deleted_at": null,
			"main_name": "Larva-208",
			"aliases": [
				"EncryptHub"
			],
			"source_name": "MISPGALAXY:Larva-208",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0e370d67-4094-4c0a-894d-8c14a6a5ad39",
			"created_at": "2025-03-21T02:00:03.845864Z",
			"updated_at": "2026-04-10T02:00:03.838595Z",
			"deleted_at": null,
			"main_name": "LinkC Pub",
			"aliases": [
				"LinkC"
			],
			"source_name": "MISPGALAXY:LinkC Pub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d511e74b-96b8-4ab9-88d6-bc183351dbd8",
			"created_at": "2025-08-07T02:03:24.674685Z",
			"updated_at": "2026-04-10T02:00:03.800936Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"Cinnamon Tempest ",
				"DEV-0401 ",
				"Emperor Dragonfly "
			],
			"source_name": "Secureworks:BRONZE STARLIGHT",
			"tools": [
				"AtomSilo",
				"Cobalt Strike",
				"HUI Loader",
				"Impacket",
				"LockFile",
				"NightSky",
				"Pandora",
				"PlugX",
				"Rook"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "81e29474-63ad-4ce8-97db-b1712d5481d5",
			"created_at": "2024-04-24T02:00:49.570158Z",
			"updated_at": "2026-04-10T02:00:05.285111Z",
			"deleted_at": null,
			"main_name": "Cinnamon Tempest",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"Emperor Dragonfly",
				"BRONZE STARLIGHT"
			],
			"source_name": "MITRE:Cinnamon Tempest",
			"tools": [
				"Pandora",
				"PlugX",
				"Cheerscrypt",
				"Impacket",
				"Cobalt Strike",
				"HUI Loader",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434765,
	"ts_updated_at": 1775792271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0daf6e6c593ad8b87aa7d0dfc25d8549601b492f.pdf",
		"text": "https://archive.orkl.eu/0daf6e6c593ad8b87aa7d0dfc25d8549601b492f.txt",
		"img": "https://archive.orkl.eu/0daf6e6c593ad8b87aa7d0dfc25d8549601b492f.jpg"
	}
}