{
	"id": "acc90dd7-deb6-4876-b4a3-680051fa4416",
	"created_at": "2026-04-06T00:13:00.977613Z",
	"updated_at": "2026-04-10T03:38:20.50976Z",
	"deleted_at": null,
	"sha1_hash": "0dd88c4d988fa9a583d6265388c0375ee1c93131",
	"title": "DPRK Hidden Cobra Update: North Korean Malicious Cyber Activity - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62322,
	"plain_text": "DPRK Hidden Cobra Update: North Korean Malicious Cyber\r\nActivity - SentinelLabs\r\nBy Jim Walter\r\nPublished: 2020-02-25 · Archived: 2026-04-05 21:55:29 UTC\r\nNorth Korea (specifically the Lazarus group) has a long and storied history of destructive cyber-attacks. Some\r\nmore notable examples are the 2013 “Dark Seoul” attacks, the 2014 attack on Sony Pictures, a series of SWIFT-targeted campaigns in 2015-2016, and more recently their foray into commercial cybercrime operations with\r\nTrickbot and Anchor.  \r\nThe US-CERT recently released a new set of MARs (Malware Analysis Reports) covering newly\r\nuncovered/updated malware/implants attributed to North Korea. More specifically, these are tools attributed to the\r\nLazarus Group / Hidden Cobra. These updates provide a sizeable glimpse into the ever expanding DPRK toolset.\r\nAs we have seen in the past, the complexity and sophistication of these tools varies widely. Most of the families\r\ncovered in this update are meant to function as RATs or Cobalt-Strike-like (beacon) tools meant to enable\r\npersistence and manipulation of infected hosts.\r\nBISTROMATH\r\nFull Featured RAT (Remote Access Trojan) payloads and associated CAgent11 implant builder/controller. This\r\nimplant is used for standard system management, control and recon. Initial infection is carried out via a malicious\r\nexecutable. An embedded bitmap image (contained in the trojan) is decoded into shellcode upon execution, thus\r\nloading the implant. Network communications are encrypted via XOR. 
The analyzed BISTROMATH samples,\r\nalong with the other families all attempt to evade analysis via common sandboxes (VIRTUALBOX, QEMU,\r\nVMware) via multiple artifact checks (presence of specific devices, registry entries, processes, files).\r\nCore functionality includes:\r\n· File and Process manipulation\r\n· File/Data upload/exfiltration\r\n· Timestamp modification/masquerading\r\n· Service start/stop\r\n· CMD shell access / use\r\n· Screenshot Capture\r\n· Microphone Capture\r\n· Webcam Control\r\n· Keylogging\r\n· Browser hijacking/form grabbing\r\n· Exfiltration of cached credentials\r\n· Self-management (update/uninstall)\r\nhttps://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/\r\nPage 1 of 6\n\nHOPLIGHT\r\nProxy payload to obfuscate and/or re-route traffic between infected hosts and C2. Traffic is encrypted over SSL,\r\nand the individual payloads are capable of generating fake SSL Certificates. Analyzed samples are Themida\r\npacked. One of the examples (SHA256:\r\nd77fdabe17cdba62a8e728cbe6c740e2c2e541072501f77988674e07a05dfb39) provided by CISA contained a\r\npublic SSL certificate and encrypted payload.\r\nSLICKSHOES\r\nSLICKSHOES is typically utilized as a loader/Dropper. The malware writes itself to\r\n“C:WindowsWebtaskenc.exe”. Separate processes are responsible for the manipulation and execution of the\r\ndropped executable. SLICKSHOES is a full beacon-style implant (similar to Cobalt Strike).  \r\nMakes use of bespoke encoding methods and is capable of RAT-like functionality.\r\n· File and Process manipulation\r\n· System recon and exfiltration\r\n· Input capture\r\n· Command/process execution and manipulation\r\nSLICKSHOES communicates to a hardcoded C2 address (188[.]165[.]37[.]168) on TCP port 80. Communication\r\noccurs in 60-second intervals.\r\nCROWDEDFLOUNDER\r\nCROWDEDFLOUNDER functions as a memory-resident RAT (32-bit and Themida packed). 
The malware\r\naccepts arguments at runtime, and can be installed as a service.\r\nCROWDEDFLOUNDER implants can perform full two-way comms with C2, however in context the primary\r\nfunction appears to be a proxy for inbound connections from the C2. Upon execution the malware will manipulate\r\nlocal firewall settings to allow for flow of its traffic. C2 traffic and data transfers are encrypted via rotating XOR.\r\nFunctionality includes:\r\n· File and Process manipulation\r\n· System recon and exfiltration\r\n· Input capture\r\n· Command/process execution and manipulation\r\nHOTCROISSANT\r\nHOTCROISSANT is a full beacon-style (Cobalt Strike style) implant with RAT-like functionality. Network traffic\r\nis encoded via XOR. C2 communications are limited to a hard-coded IP (94.177.123.138:8088). Upon infection,\r\nvictim information is transferred to the C2. After this point, the malware listens and responds to commands from\r\nthe C2.\r\nARTFULPIE\r\nARTFULPIE is responsible for retrieval and injection of a DLL-based payload. The malware contains a hard-coded URL from which to download the additional code (193[.]56[.]28[.]103). \r\nBUFFETLINE\r\nBUFFETLINE is a full, beacon-style, implant with RAT-like functionality.\r\nFeatures include:\r\n· File and Process manipulation\r\n· System recon and exfiltration\r\n· CLI status manipulation\r\n· Lateral targeting \u0026 enumeration\r\n· Command/process execution and manipulation\r\nAnalyzed samples utilize a combination of RC4 encoding and PolarSSL (auth) to obfuscate network\r\ncommunications. 
Once authenticated to the C2, the trojan will send a collection of victim information and then\r\nawait further interaction.\r\nData transferred includes:\r\n· Victim “ID”\r\n· Implant Version\r\n· System directory location\r\n· Hardware details (network adapters, CPU revision)\r\n· OS Version / Software environment data\r\n· Computer Name\r\n· Victim IP Address\r\nConclusion\r\nAdversarial toolsets are constantly evolving. The upper tier of sophisticated or state-backed threats has rapid\r\nand agile development/release cycles, mirroring the world of legitimate software development. Staying on top of\r\nthese trends is a critical piece of protecting our environments against these threats. A powerful and modern security\r\nplatform (e.g. SentinelOne Singularity) is required to tackle these evolving threats from both static and behavioral\r\nangles.\r\nIOCs\r\nMITRE ATT\u0026CK\r\nLazarus Group – G0032\r\nCommonly Used Port – T1043\r\nConnection Proxy – T1090\r\nCredential Dumping – T1003\r\nCustom Cryptographic Protocol – T1024\r\nData Encoding – T1132\r\nData from Local System – T1005\r\nData Staged – T1074\r\nExfiltration Over Alternative Protocol – T1048\r\nExfiltration Over Command and Control Channel – T1041\r\nFile and Directory Discovery – T1083\r\nInput Capture – T1056\r\nNew Service – T1050\r\nObfuscated Files or Information – T1027\r\nProcess Discovery – T1057\r\nProcess Injection – T1055\r\nQuery Registry – T1012\r\nRegistry Run Keys / Startup Folder – T1060\r\nRemote File Copy – T1105\r\nScripting – T1064\r\nSpearphishing Attachment – T1193\r\nSystem Information Discovery – T1082\r\nSystem Network Configuration Discovery – T1016\r\nSystem Owner/User Discovery – T1033\r\nSystem Time Discovery – T1124\r\nUncommonly Used Port – T1065\r\nUser Execution – T1204\r\nSoftware: HOPLIGHT – S0376\r\nSource: https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/"
	],
	"report_names": [
		"dprk-hidden-cobra-update-north-korean-malicious-cyber-activity"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434380,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0dd88c4d988fa9a583d6265388c0375ee1c93131.pdf",
		"text": "https://archive.orkl.eu/0dd88c4d988fa9a583d6265388c0375ee1c93131.txt",
		"img": "https://archive.orkl.eu/0dd88c4d988fa9a583d6265388c0375ee1c93131.jpg"
	}
}