{ "id": "3859c067-0fab-4a3b-a8be-cb2e8e807b91", "created_at": "2026-04-06T00:07:29.654156Z", "updated_at": "2026-04-10T03:37:51.3589Z", "deleted_at": null, "sha1_hash": "0e4caecb0c32c66e4af751b48bfe683e951501d6", "title": "BlackCat (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 208314, "plain_text": "BlackCat (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 15:06:02 UTC\r\nBlackCat\r\naka: ALPHV, Noberus\r\nActor(s): Alpha Spider, RansomHub, Vanilla Tempest\r\nVTCollection    \r\nALPHV, also known as BlackCat or Noberus, is a ransomware family that is deployed as part of Ransomware as a\r\nService (RaaS) operations. ALPHV is written in the Rust programming language and supports execution on\r\nWindows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMWare ESXi. ALPHV\r\nis marketed as ALPHV on cybercrime forums, but is commonly called BlackCat by security researchers due to an\r\nicon of a black cat appearing on its leak site. ALPHV has been observed being deployed in ransomware attacks\r\nsince November 18, 2021.\r\nALPHV can be configured to encrypt files using either the AES or ChaCha20 algorithms. In order to maximize\r\nthe amount of ransomed data, ALPHV can delete volume shadow copies, stop processes and services, and stop\r\nvirtual machines on ESXi servers. ALPHV can self-propagate by using PsExec to remote execute itself on other\r\nhosts on the local network.\r\nReferences\r\n2025-12-30 ⋅ US Department of Justice ⋅\r\nTwo Americans Plead Guilty to Targeting Multiple U.S. Victims Using ALPHV BlackCat Ransomware\r\nBlackCat BlackCat\r\n2025-11-03 ⋅ Breached Company ⋅ Breached Company\r\nWhen the Defenders Become the Attackers: Cybersecurity Experts Indicted for BlackCat Ransomware\r\nOperations\r\nBlackCat BlackCat\r\n2025-07-31 ⋅ Intrinsec ⋅ CTI Intrinsec\r\nShadow syndicate infrastructure illumination\r\nAMOS BlackCat Cactus Cicada3301 Clop LockBit PLAY RansomHub Royal Ransom Silence\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat\r\nPage 1 of 9\n\n2025-05-06 ⋅ Mandiant ⋅ Mandiant\r\nDefending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines\r\nBlackCat DragonForce RansomHub\r\n2025-05-06 ⋅ Mandiant ⋅ Mandiant\r\nDefending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines\r\nBlackCat DragonForce RansomHub\r\n2024-10-30 ⋅ EclecticIQ ⋅ EclecticIQ Threat Research Team\r\nInside Intelligence Center: LUNAR SPIDER Enabling Ransomware Attacks on Financial Sector with Brute\r\nRatel C4 and Latrodectus\r\nBlackCat Brute Ratel C4 Latrodectus\r\n2024-09-30 ⋅ The DFIR Report ⋅ The DFIR Report\r\nNitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware\r\nBlackCat Nitrogen Loader Sliver\r\n2024-06-05 ⋅ S-RM ⋅ David Broom, Gavin Hull\r\nExmatter malware levels up: S-RM observes new variant with simultaneous remote code execution and data\r\ntargeting\r\nBlackCat BlackMatter Conti ExMatter LockBit REvil Ryuk\r\n2024-04-24 ⋅ SentinelOne ⋅ Jim Walter\r\nRansomware Evolution | How Cheated Affiliates Are Recycling Victim Data for Profit\r\nBlackCat RansomHub RansomHub\r\n2024-02-29 ⋅ CrowdStrike ⋅ Jean-Philippe Teissier\r\nThe Anatomy of an ALPHA SPIDER Ransomware Attack\r\nBlackCat Alpha Spider\r\n2024-02-22 ⋅ Sekoia ⋅ Livia Tibirna, Pierre-Antoine D., Quentin Bourgue, Threat \u0026 Detection Research Team\r\nScattered Spider laying new eggs\r\nBlackCat\r\n2023-12-13 ⋅ cocomelonc ⋅ cocomelonc\r\nMalware in the wild book\r\nAsyncRAT Babuk BlackCat BlackLotus Carbanak HelloKitty Paradise Stealc WinDealer\r\n2023-12-03 ⋅ Twitter (@vxunderground) ⋅ VX-Underground\r\nTweet about ALPHV group compromising Tipalti to pressure its clients.\r\nBlackCat BlackCat\r\n2023-11-16 ⋅ The Register ⋅ Connor Jones\r\nBlackCat plays with malvertising traps to lure corporate victims\r\nBlackCat\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat\r\nPage 2 of 9\n\n2023-11-16 ⋅ CISA ⋅ CISA\r\nScattered Spider\r\nAve Maria BlackCat Raccoon Vidar\r\n2023-10-30 ⋅ eSentire ⋅ eSentire\r\nNitrogen Campaign 2.0: Reloads with Enhanced Capabilities Leading to ALPHV/BlackCat Ransomware\r\nBlackCat Nitrogen Loader\r\n2023-10-25 ⋅ Microsoft ⋅ Microsoft Incident Response, Microsoft Threat Intelligence\r\nOcto Tempest crosses boundaries to facilitate extortion, encryption, and destruction\r\nBlackCat BlackCat Lumma Stealer\r\n2023-09-12 ⋅ ⋅ ANSSI ⋅ ANSSI\r\nFIN12: A Cybercriminal Group with Multiple Ransomware\r\nBlackCat Cobalt Strike Conti Hive MimiKatz Nokoyawa Ransomware PLAY Royal Ransom Ryuk SystemBC\r\n2023-08-17 ⋅ Trellix ⋅ Phelix Oluoch\r\nScattered Spider: The Modus Operandi\r\nBlackCat POORTRY\r\n2023-07-18 ⋅ Symantec ⋅ Threat Hunter Team\r\nFIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware\r\nBlackCat Unidentified 103 (FIN8)\r\n2023-07-13 ⋅ MSSP Lab ⋅ cocomelonc\r\nMalware analysis report: BlackCat ransomware\r\nBlackCat BlackCat\r\n2023-06-10 ⋅ The DFIR Report ⋅ The DFIR Report\r\nIcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment\r\nBlackCat Cobalt Strike IcedID\r\n2023-06-01 ⋅ Infinitum IT ⋅ Kerime Gencay\r\nBlackCat Ransomware Analysis Report (Paywall)\r\nBlackCat\r\n2023-05-30 ⋅ IBM Security ⋅ IBM Security X-Force Team\r\nBlackCat (ALPHV) ransomware levels up for stealth, speed and exfiltration\r\nBlackCat BlackCat\r\n2023-05-22 ⋅ Trend Micro ⋅ Bahaa Yamany, Mahmoud Zohdy, Mohamed Fahmy, Sherif Magdy\r\nBlackCat Ransomware Deploys New Signed Kernel Driver\r\nBlackCat\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat\r\nPage 3 of 9\n\n2023-04-19 ⋅ Bleeping Computer ⋅ Bill Toulas\r\nMarch 2023 broke ransomware attack records with 459 incidents\r\nClop WhiteRabbit BianLian Black Basta BlackCat LockBit Medusa PLAY Royal Ransom\r\n2023-04-18 ⋅ Mandiant ⋅ Mandiant\r\nM-Trends 2023\r\nQUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive\r\nINDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC\r\nWhisperGate\r\n2023-04-03 ⋅ Mandiant ⋅ Eduardo Mattos, JASON DEYALSINGH, Nick Richard, NICK SMITH, Tyler McLellan\r\nALPHV Ransomware Affiliate Targets Vulnerable Backup Installations to Gain Initial Access\r\nLaZagne BlackCat MimiKatz\r\n2023-03-30 ⋅ United States District Court (Eastern District of New York) ⋅ Fortra, HEALTH-ISAC, Microsoft\r\nCracked Cobalt Strike (1:23-cv-02447)\r\nBlack Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet\r\nLockBit Mount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader\r\n2023-03-21 ⋅ Github (rivitna) ⋅ Andrey Zhdanov\r\nBlackCat v3 Decryptor Scripts\r\nBlackCat BlackCat\r\n2022-11-09 ⋅ Netskope ⋅ Gustavo Palazolo\r\nBlackCat Ransomware: Tactics and Techniques From a Targeted Attack\r\nBlackCat ExMatter\r\n2022-10-25 ⋅ Microsoft ⋅ Microsoft Security Threat Intelligence\r\nDEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector\r\nBlackCat Mount Locker PortStarter Zeppelin Vanilla Tempest\r\n2022-10-10 ⋅ RiskIQ ⋅ Microsoft Threat Intelligence Center (MSTIC)\r\nDEV-0832 Leverages Commodity Tools in Opportunistic Ransomware Campaigns\r\nBlackCat Mount Locker SystemBC Zeppelin\r\n2022-09-22 ⋅ ComputerWeekly ⋅ Alex Scroxton\r\nALPHV/BlackCat ransomware family becoming more dangerous\r\nBlackCat BlackCat FIN7\r\n2022-09-22 ⋅ Broadcom ⋅ Symantec Threat Hunter Team\r\nNoberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics\r\nBlackCat BlackMatter DarkSide\r\n2022-09-08 ⋅ Sentinel LABS ⋅ Aleksandar Milenkoski, Jim Walter\r\nCrimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection\r\nAgendaCrypt Black Basta BlackCat PLAY\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat\r\nPage 4 of 9\n\n2022-09-06 ⋅ SecurityScorecard ⋅ Vlad Pasca\r\nTTPs Associated With a New Version of the BlackCat Ransomware\r\nBlackCat\r\n2022-08-22 ⋅ Microsoft ⋅ Microsoft\r\nExtortion Economics - Ransomware’s new business model\r\nBlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive\r\nMount Locker Nokoyawa Ransomware REvil Ryuk\r\n2022-08-11 ⋅ SecurityScorecard ⋅ Robert Ames\r\nThe Increase in Ransomware Attacks on Local Governments\r\nBlackCat BlackCat Cobalt Strike LockBit\r\n2022-07-18 ⋅ SecurityScorecard ⋅ Vlad Pasca\r\nA Deep Dive Into ALPHV/BlackCat Ransomware\r\nBlackCat\r\n2022-07-14 ⋅ Sophos ⋅ Andrew Brandt, Andy French, Bill Kearney, Elida Leite, Harinder Bhathal, Lee Kirkpatrick, Peter\r\nMackenzie, Robert Weiland, Sergio Bestulic\r\nBlackCat ransomware attacks not merely a byproduct of bad luck\r\nBlackCat BlackCat\r\n2022-06-29 ⋅ Group-IB ⋅ Andrey Zhdanov, Oleg Skulkin\r\nFat Cats - An analysis of the BlackCat ransomware affiliate program\r\nBlackCat BlackCat\r\n2022-06-23 ⋅ Kaspersky ⋅ Danila Nasonov, Natalya Shornikova, Nikita Nazarov, Vasily Davydov, Vladislav Burtsev\r\nThe hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)\r\nBlackByte BlackCat Clop Conti Hive LockBit Mespinoza RagnarLocker\r\n2022-06-23 ⋅ Kaspersky ⋅ Danila Nasonov, Natalya Shornikova, Nikita Nazarov, Vasily Davydov, Vladislav Burtsev\r\nThe hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs\r\nConti Hive BlackByte BlackCat Clop LockBit Mespinoza Ragnarok\r\n2022-06-13 ⋅ Microsoft ⋅ Microsoft Threat Intelligence\r\nThe many lives of BlackCat ransomware\r\nBlackCat Velvet Tempest\r\n2022-06-13 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team\r\nThe many lives of BlackCat ransomware\r\nBlackCat\r\n2022-06-07 ⋅ AdvIntel ⋅ Marley Smith, Vitali Kremez, Yelisey Boguslavskiy\r\nBlackCat — In a Shifting Threat Landscape, It Helps to Land on Your Feet: Tech Dive\r\nBlackCat BlackCat Cobalt Strike\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat\r\nPage 5 of 9\n\n2022-06-01 ⋅ Jorge Testa ⋅ Jorge Testa\r\nKilling The Bear - Alphv\r\nBlackCat BlackCat\r\n2022-05-23 ⋅ Trend Micro ⋅ Trend Micro Research\r\nLockBit, Conti, and BlackCat Lead Pack Amid Rise in Active RaaS and Extortion Groups: Ransomware in Q1\r\n2022 (PDF)\r\nBlackCat Conti LockBit\r\n2022-05-23 ⋅ Trend Micro ⋅ Matsugaya Shingo\r\nLockBit, Conti, and BlackCat Lead Pack Amid Rise in Active RaaS and Extortion Groups: Ransomware in Q1\r\n2022\r\nBlackCat Conti LockBit\r\n2022-05-20 ⋅ AdvIntel ⋅ Marley Smith, Vitali Kremez, Yelisey Boguslavskiy\r\nDisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape\r\nAvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive\r\n2022-05-09 ⋅ Microsoft Security ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center\r\nRansomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself\r\nGriffon BazarBackdoor BlackCat BlackMatter Blister Gozi LockBit Pandora Rook SystemBC TrickBot\r\n2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)\r\nRansomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself\r\nAnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon\r\nATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands\r\nGozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix\r\nLocker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT\r\n2022-04-29 ⋅ The Record ⋅ Jonathan Greig\r\nGerman wind farm operator confirms cybersecurity incident\r\nBlack Basta BlackCat\r\n2022-04-27 ⋅ ⋅ ANSSI ⋅ ANSSI\r\nLE GROUPE CYBERCRIMINEL FIN7\r\nBateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter\r\nBOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz\r\nMurofet Qadars Ranbyus SocksBot\r\n2022-04-19 ⋅ FBI ⋅ FBI\r\nFBI Flash CU-000167-MW: BlackCat/ALPHV Ransomware Indicators of Compromise\r\nBlackCat\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat\r\nPage 6 of 9\n\n2022-04-18 ⋅ AdvIntel ⋅ Vitali Kremez, Yelisey Boguslavskiy\r\nEnter KaraKurt: Data Extortion Arm of Prolific Ransomware Group\r\nAvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive Karakurt\r\n2022-04-18 ⋅ Trend Micro ⋅ Leandro Froes, Lucas Silva\r\nAn Investigation of the BlackCat Ransomware via Trend Micro Vision One\r\nBlackCat\r\n2022-04-08 ⋅ The Hacker News ⋅ Ravie Lakshmanan\r\nResearchers Connect BlackCat Ransomware with Past BlackMatter Malware Activity\r\nBlackCat BlackMatter BlackCat BlackMatter\r\n2022-04-07 ⋅ Kaspersky ⋅ GReAT\r\nA Bad Luck BlackCat\r\nBlackCat\r\n2022-04-07 ⋅ Kaspersky ⋅ GReAT\r\nA Bad Luck BlackCat\r\nBlackCat BlackCat\r\n2022-03-23 ⋅ CrowdStrike ⋅ Falcon OverWatch Team\r\nFalcon OverWatch Threat Hunting Contributes to Seamless Protection Against Novel BlackCat Attack\r\nBlackCat\r\n2022-03-17 ⋅ Cisco ⋅ Caitlin Huey, Tiago Pereira\r\nFrom BlackMatter to BlackCat: Analyzing two attacks from one affiliate\r\nBlackCat BlackMatter BlackCat BlackMatter\r\n2022-03-16 ⋅ Symantec ⋅ Symantec Threat Hunter Team\r\nThe Ransomware Threat Landscape: What to Expect in 2022\r\nAvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty\r\nSquirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin\r\n2022-03-01 ⋅ Cybereason ⋅ Ohav Peri, Tom Fakterman\r\nCybereason vs. BlackCat Ransomware\r\nBlackCat\r\n2022-02-08 ⋅ Trellix ⋅ Arnab Roy\r\nBlackCat Ransomware as a Service - The Cat is certainly out of the bag!\r\nBlackCat BlackCat\r\n2022-02-02 ⋅ ZDNet ⋅ Jonathan Greig\r\nBlackCat ransomware implicated in attack on German oil companies\r\nBlackCat BlackCat\r\n2022-01-28 ⋅ KrebsOnSecurity ⋅ Brian Krebs\r\nWho Wrote the ALPHV/BlackCat Ransomware Strain?\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat\r\nPage 7 of 9\n\nBlackCat BlackCat\r\n2022-01-27 ⋅ Palo Alto Networks Unit 42 ⋅ Alex Hinchliffe, Amanda Tanner, Doel Santos\r\nThreat Assessment: BlackCat Ransomware\r\nBlackCat\r\n2022-01-26 ⋅ Intrinsec ⋅ Intrinsec\r\nALPHV ransomware gang analysis\r\nBlackCat BlackCat\r\n2022-01-26 ⋅ Intrinsec ⋅ Intrinsec\r\nALPHV ransomware gang analysis\r\nBlackCat LockBit\r\n2022-01-26 ⋅ Varonis ⋅ Jason Hill\r\nALPHV (BlackCat) Ransomware\r\nBlackCat\r\n2022-01-18 ⋅ SentinelOne ⋅ Jim Walter\r\nBlackCat Ransomware | Highly-Configurable, Rust-Driven RaaS On The Prowl For Victims\r\nBlackCat\r\n2021-12-16 ⋅ Symantec ⋅ Threat Hunter Team\r\nNoberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware\r\nBlackCat\r\n2021-12-10 ⋅ Medium s2wlab ⋅ S2W TALON\r\nBlackCat: New Rust based ransomware borrowing BlackMatter’s configuration\r\nBlackCat BlackMatter\r\n2021-12-10 ⋅ Dissecting Malware ⋅ Marius Genheimer\r\nBlackCatConf - Static Configuration Extractor for BlackCat Ransomware\r\nBlackCat\r\n2021-12-01 ⋅ ⋅ ID Ransomware ⋅ Andrew Ivanov\r\nBlackCat Ransomware\r\nBlackCat\r\nYara Rules\r\n[TLP:WHITE] win_blackcat_auto (20251219 | Detects win.blackcat.)\r\nDownload all Yara Rules\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat\r\nPage 8 of 9\n\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat\r\nPage 9 of 9", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat" ], "report_names": [ "win.blackcat" ], "threat_actors": [ { "id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312", "created_at": "2024-06-07T02:00:03.998431Z", "updated_at": "2026-04-10T02:00:03.64336Z", "deleted_at": null, "main_name": "RansomHub", "aliases": [], "source_name": "MISPGALAXY:RansomHub", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0", "created_at": "2022-10-25T15:50:23.710403Z", "updated_at": "2026-04-10T02:00:05.281246Z", "deleted_at": null, "main_name": "Silence", "aliases": [ "Whisper Spider" ], "source_name": "MITRE:Silence", "tools": [ "Winexe", "SDelete" ], "source_id": "MITRE", "reports": null }, { "id": "c9617bb6-45c8-495e-9759-2177e61a8e91", "created_at": "2022-10-25T15:50:23.405039Z", "updated_at": "2026-04-10T02:00:05.387643Z", "deleted_at": null, "main_name": "Carbanak", "aliases": [ "Carbanak", "Anunak" ], "source_name": "MITRE:Carbanak", "tools": [ "Carbanak", "Mimikatz", "PsExec", "netsh" ], "source_id": "MITRE", "reports": null }, { "id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8", "created_at": "2023-06-23T02:04:34.386651Z", "updated_at": "2026-04-10T02:00:04.772256Z", "deleted_at": null, "main_name": "Muddled Libra", "aliases": [ "0ktapus", "Scatter Swine", "Scattered Spider" ], "source_name": "ETDA:Muddled Libra", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "3150bf4f-288a-44b8-ab48-0ced9b052a0c", "created_at": "2025-08-07T02:03:24.910023Z", "updated_at": "2026-04-10T02:00:03.713077Z", "deleted_at": null, "main_name": "GOLD HUXLEY", "aliases": [ "CTG-6969 ", "FIN8 " ], "source_name": "Secureworks:GOLD HUXLEY", "tools": [ "Gozi ISFB", "Powersniff" ], "source_id": "Secureworks", "reports": null }, { "id": "9de1979b-40fc-44dc-855d-193edda4f3b8", "created_at": "2025-08-07T02:03:24.92723Z", "updated_at": "2026-04-10T02:00:03.755516Z", "deleted_at": null, "main_name": "GOLD LOCUST", "aliases": [ "Anunak", "Carbanak", "Carbon Spider ", "FIN7 ", "Silicon " ], "source_name": "Secureworks:GOLD LOCUST", "tools": [ "Carbanak" ], "source_id": "Secureworks", "reports": null }, { "id": "6ad410c7-e291-4327-a54b-281c23f0d4fa", "created_at": "2022-10-25T16:07:24.501468Z", "updated_at": "2026-04-10T02:00:05.013427Z", "deleted_at": null, "main_name": "Karakurt", "aliases": [ "Mushy Scorpius" ], "source_name": "ETDA:Karakurt", "tools": [ "7-Zip", "Agentemis", "AnyDesk", "Cobalt Strike", "CobaltStrike", "FileZilla", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "WinZip", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24", "created_at": "2022-10-25T16:47:55.853415Z", "updated_at": "2026-04-10T02:00:03.856263Z", "deleted_at": null, "main_name": "GOLD TOMAHAWK", "aliases": [ "Karakurt", "Karakurt Lair", "Karakurt Team" ], "source_name": "Secureworks:GOLD TOMAHAWK", "tools": [ "7-Zip", "AnyDesk", "Mega", "QuickPacket", "Rclone", "SendGB" ], "source_id": "Secureworks", "reports": null }, { "id": "5bdde906-0416-42ee-9100-5ebd95dda77a", "created_at": "2023-01-06T13:46:38.601977Z", "updated_at": "2026-04-10T02:00:03.035842Z", "deleted_at": null, "main_name": "FIN8", "aliases": [ "ATK113", "G0061" ], "source_name": "MISPGALAXY:FIN8", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c2385aea-d30b-4dbc-844d-fef465cf3ea9", "created_at": "2023-01-06T13:46:38.916521Z", "updated_at": "2026-04-10T02:00:03.144667Z", "deleted_at": null, "main_name": "LUNAR SPIDER", "aliases": [ "GOLD SWATHMORE" ], "source_name": "MISPGALAXY:LUNAR SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c", "created_at": "2023-11-01T02:01:06.643737Z", "updated_at": "2026-04-10T02:00:05.340198Z", "deleted_at": null, "main_name": "Scattered Spider", "aliases": [ "Scattered Spider", "Roasted 0ktapus", "Octo Tempest", "Storm-0875", "UNC3944" ], "source_name": "MITRE:Scattered Spider", "tools": [ "WarzoneRAT", "Rclone", "LaZagne", "Mimikatz", "Raccoon Stealer", "ngrok", "BlackCat", "ConnectWise" ], "source_id": "MITRE", "reports": null }, { "id": "6608b798-f92b-42af-a93f-d72800eeb3a3", "created_at": "2023-11-30T02:00:07.292Z", "updated_at": "2026-04-10T02:00:03.482199Z", "deleted_at": null, "main_name": "DragonForce", "aliases": [], "source_name": "MISPGALAXY:DragonForce", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "079e3d6e-24ef-42b0-b555-75c288f9efd8", "created_at": "2023-03-04T02:01:54.105946Z", "updated_at": "2026-04-10T02:00:03.359009Z", "deleted_at": null, "main_name": "Karakurt", "aliases": [ "Karakurt Lair" ], "source_name": "MISPGALAXY:Karakurt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "76e1fb02-1ceb-4fe5-8a68-456f0d4c62a4", "created_at": "2024-02-02T02:00:04.037062Z", "updated_at": "2026-04-10T02:00:03.535409Z", "deleted_at": null, "main_name": "Velvet Tempest", "aliases": [ "DEV-0504" ], "source_name": "MISPGALAXY:Velvet Tempest", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758", "created_at": "2025-07-24T02:05:00.538379Z", "updated_at": "2026-04-10T02:00:03.657424Z", "deleted_at": null, "main_name": "GOLD FLAME", "aliases": [ "DragonForce" ], "source_name": "Secureworks:GOLD FLAME", "tools": [ "ADFind", "AnyDesk", "Cobalt Strike", "FileSeek", "Mimikatz", "SoftPerfect Network Scanner", "SystemBC", "socks.exe" ], "source_id": "Secureworks", "reports": null }, { "id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0", "created_at": "2023-10-03T02:00:08.510742Z", "updated_at": "2026-04-10T02:00:03.374705Z", "deleted_at": null, "main_name": "Scattered Spider", "aliases": [ "UNC3944", "Scattered Swine", "Octo Tempest", "DEV-0971", "Starfraud", "Muddled Libra", "Oktapus", "Scatter Swine", "0ktapus", "Storm-0971" ], "source_name": "MISPGALAXY:Scattered Spider", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f6f91e1c-9202-4497-bf22-9cd5ef477600", "created_at": "2023-01-06T13:46:38.86765Z", "updated_at": "2026-04-10T02:00:03.12735Z", "deleted_at": null, "main_name": "WIZARD SPIDER", "aliases": [ "TEMP.MixMaster", "GOLD BLACKBURN", "DEV-0193", "UNC2053", "Pistachio Tempest", "DEV-0237", "Storm-0230", "FIN12", "Periwinkle Tempest", "Storm-0193", "Trickbot LLC" ], "source_name": "MISPGALAXY:WIZARD SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a6814184-2133-4520-b7b3-63e6b7be2f64", "created_at": "2025-08-07T02:03:25.019385Z", "updated_at": "2026-04-10T02:00:03.859468Z", "deleted_at": null, "main_name": "GOLD VICTOR", "aliases": [ "DEV-0832 ", "STAC5279 ", "Vanilla Tempest ", "Vice Society", "Vice Spider " ], "source_name": "Secureworks:GOLD VICTOR", "tools": [ "Advanced IP Scanner", "Advanced Port Scanner", "HelloKitty ransomware", "INC ransomware", "MEGAsync", "Neshta", "PAExec", "PolyVice ransomware", "PortStarter", "PsExec", "QuantumLocker ransomware", "Rhysida ransomware", "Supper", "SystemBC", "Zeppelin ransomware" ], "source_id": "Secureworks", "reports": null }, { "id": "7cfe3bc9-7a6c-4ee1-a635-5ea7b947147f", "created_at": "2024-06-19T02:03:08.122318Z", "updated_at": "2026-04-10T02:00:03.652418Z", "deleted_at": null, "main_name": "GOLD SWATHMORE", "aliases": [ "Lunar Spider " ], "source_name": "Secureworks:GOLD SWATHMORE", "tools": [ "Cobalt Strike", "GlobeImposter", "Gozi", "Gozi Trojan", "IcedID", "Latrodectus", "TrickBot" ], "source_id": "Secureworks", "reports": null }, { "id": "544ecd2c-82c9-417c-9d98-d1ae395df964", "created_at": "2025-10-29T02:00:52.035025Z", "updated_at": "2026-04-10T02:00:05.408558Z", "deleted_at": null, "main_name": "AppleJeus", "aliases": [ "AppleJeus", "Gleaming Pisces", "Citrine Sleet", "UNC1720", "UNC4736" ], "source_name": "MITRE:AppleJeus", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "4e453d66-9ecd-47d9-b63a-32fa5450f071", "created_at": "2024-06-19T02:03:08.077075Z", "updated_at": "2026-04-10T02:00:03.830523Z", "deleted_at": null, "main_name": "GOLD LOTUS", "aliases": [ "BlackByte", "Hecamede " ], "source_name": "Secureworks:GOLD LOTUS", "tools": [ "BlackByte", "Cobalt Strike", "ExByte", "Mega", "RDP", "SoftPerfect Network Scanner" ], "source_id": "Secureworks", "reports": null }, { "id": "475ea823-9e47-4098-b235-0900bc1a5362", "created_at": "2022-10-25T16:07:24.506596Z", "updated_at": "2026-04-10T02:00:05.015497Z", "deleted_at": null, "main_name": "Lunar Spider", "aliases": [ "Gold SwathMore" ], "source_name": "ETDA:Lunar Spider", "tools": [ "BokBot", "IceID", "IcedID", "NeverQuest", "Vawtrak", "grabnew" ], "source_id": "ETDA", "reports": null }, { "id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf", "created_at": "2023-01-06T13:46:38.405479Z", "updated_at": "2026-04-10T02:00:02.961112Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "ATK32", "G0046", "G0008", "Sangria Tempest", "ELBRUS", "GOLD NIAGARA", "Coreid", "Carbanak", "Carbon Spider", "JokerStash", "CARBON SPIDER" ], "source_name": "MISPGALAXY:FIN7", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "86ab9be8-ce67-4866-9f66-1df471e9d251", "created_at": "2024-05-29T02:00:03.942487Z", "updated_at": "2026-04-10T02:00:03.641939Z", "deleted_at": null, "main_name": "Alpha Spider", "aliases": [ "ALPHV Ransomware Group" ], "source_name": "MISPGALAXY:Alpha Spider", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b", "created_at": "2022-10-25T16:07:23.303713Z", "updated_at": "2026-04-10T02:00:04.530417Z", "deleted_at": null, "main_name": "ALPHV", "aliases": [ "ALPHV", "ALPHVM", "Ambitious Scorpius", "BlackCat Gang", "UNC4466" ], "source_name": "ETDA:ALPHV", "tools": [ "ALPHV", "ALPHVM", "BlackCat", "GO Simple Tunnel", "GOST", "Impacket", "LaZagne", "MEGAsync", "Mimikatz", "Munchkin", "Noberus", "PsExec", "Remcom", "RemoteCommandExecution", "WebBrowserPassView" ], "source_id": "ETDA", "reports": null }, { "id": "75108fc1-7f6a-450e-b024-10284f3f62bb", "created_at": "2024-11-01T02:00:52.756877Z", "updated_at": "2026-04-10T02:00:05.273746Z", "deleted_at": null, "main_name": "Play", "aliases": null, "source_name": "MITRE:Play", "tools": [ "Nltest", "AdFind", "PsExec", "Wevtutil", "Cobalt Strike", "Playcrypt", "Mimikatz" ], "source_id": "MITRE", "reports": null }, { "id": "f63c346d-18c8-4821-a56d-fefb1ad7ed5d", "created_at": "2022-10-25T16:07:23.42507Z", "updated_at": "2026-04-10T02:00:04.593122Z", "deleted_at": null, "main_name": "Bronze Starlight", "aliases": [ "Cinnamon Tempest", "DEV-0401", "HighGround", "Operation ChattyGoblin", "SLIME34" ], "source_name": "ETDA:Bronze Starlight", "tools": [ "Agent.dhwf", "Agentemis", "AtomSilo", "Cobalt Strike", "CobaltStrike", "Destroy RAT", "DestroyRAT", "HUI Loader", "Kaba", "Korplug", "LockFile", "Night Sky", "NightSky", "Pandora", "PlugX", "RedDelta", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Xamtrav", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9", "created_at": "2023-10-14T02:03:13.99057Z", "updated_at": "2026-04-10T02:00:04.531987Z", "deleted_at": null, "main_name": "Scattered Spider", "aliases": [ "0ktapus", "LUCR-3", "Muddled Libra", "Octo Tempest", "Scatter Swine", "Scattered Spider", "Star Fraud", "Storm-0875", "UNC3944" ], "source_name": "ETDA:Scattered Spider", "tools": [ "ADRecon", "AnyDesk", "ConnectWise", "DCSync", "FiveTran", "FleetDeck", "Govmomi", "Hekatomb", "Impacket", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "Lumma Stealer", "LummaC2", "Mimikatz", "Ngrok", "PingCastle", "ProcDump", "PsExec", "Pulseway", "Pure Storage FlashArray", "Pure Storage FlashArray PowerShell SDK", "RedLine Stealer", "Rsocx", "RustDesk", "ScreenConnect", "SharpHound", "Socat", "Spidey Bot", "Splashtop", "Stealc", "TacticalRMM", "Tailscale", "TightVNC", "VIDAR", "Vidar Stealer", "WinRAR", "WsTunnel", "gosecretsdump" ], "source_id": "ETDA", "reports": null }, { "id": "ed3810b7-141a-4ed0-8a01-6a972b80458d", "created_at": "2022-10-25T16:07:23.443259Z", "updated_at": "2026-04-10T02:00:04.602946Z", "deleted_at": null, "main_name": "Carbanak", "aliases": [ "Anunak", "Carbanak", "Carbon Spider", "ELBRUS", "G0008", "Gold Waterfall", "Sangria Tempest" ], "source_name": "ETDA:Carbanak", "tools": [ "AVE_MARIA", "Agentemis", "AmmyyRAT", "Antak", "Anunak", "Ave Maria", "AveMariaRAT", "BABYMETAL", "BIRDDOG", "Backdoor Batel", "Batel", "Bateleur", "BlackMatter", "Boostwrite", "Cain \u0026 Abel", "Carbanak", "Cl0p", "Cobalt Strike", "CobaltStrike", "DNSMessenger", "DNSRat", "DNSbot", "DRIFTPIN", "DarkSide", "FOXGRABBER", "FlawedAmmyy", "HALFBAKED", "JS Flash", "KLRD", "MBR Eraser", "Mimikatz", "Nadrac", "Odinaff", "POWERPIPE", "POWERSOURCE", "PsExec", "SQLRAT", "Sekur", "Sekur RAT", "SocksBot", "SoftPerfect Network Scanner", "Spy.Agent.ORM", "TEXTMATE", "TeamViewer", "TiniMet", "TinyMet", "Toshliph", "VB Flash", "WARPRISM", "avemaria", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "c69bcda3-0893-4ea1-9ec1-ae016332d283", "created_at": "2023-01-06T13:46:39.410593Z", "updated_at": "2026-04-10T02:00:03.317754Z", "deleted_at": null, "main_name": "BRONZE STARLIGHT", "aliases": [ "DEV-0401", "Cinnamon Tempest", "Emperor Dragonfly", "SLIME34" ], "source_name": "MISPGALAXY:BRONZE STARLIGHT", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f4f16213-7a22-4527-aecb-b964c64c2c46", "created_at": "2024-06-19T02:03:08.090932Z", "updated_at": "2026-04-10T02:00:03.6289Z", "deleted_at": null, "main_name": "GOLD NIAGARA", "aliases": [ "Calcium ", "Carbanak", "Carbon Spider ", "FIN7 ", "Navigator ", "Sangria Tempest ", "TelePort Crew " ], "source_name": "Secureworks:GOLD NIAGARA", "tools": [ "Bateleur", "Carbanak", "Cobalt Strike", "DICELOADER", "DRIFTPIN", "GGLDR", "GRIFFON", "JSSLoader", "Meterpreter", "OFFTRACK", "PILLOWMINT", "POWERTRASH", "SUPERSOFT", "TAKEOUT", "TinyMet" ], "source_id": "Secureworks", "reports": null }, { "id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf", "created_at": "2024-01-18T02:02:34.189827Z", "updated_at": "2026-04-10T02:00:04.721082Z", "deleted_at": null, "main_name": "HomeLand Justice", "aliases": [ "Banished Kitten", "Karma", "Red Sandstorm", "Storm-0842", "Void Manticore" ], "source_name": "ETDA:HomeLand Justice", "tools": [ "BABYWIPER", "BiBi Wiper", "BiBi-Linux Wiper", "BiBi-Windows Wiper", "Cl Wiper", "LowEraser", "No-Justice Wiper", "Plink", "PuTTY Link", "RevSocks", "W2K Res Kit" ], "source_id": "ETDA", "reports": null }, { "id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7", "created_at": "2025-03-29T02:05:20.764715Z", "updated_at": "2026-04-10T02:00:03.851829Z", "deleted_at": null, "main_name": "GOLD WYMAN", "aliases": [ "Silence " ], "source_name": "Secureworks:GOLD WYMAN", "tools": [ "Silence" ], "source_id": "Secureworks", "reports": null }, { "id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824", "created_at": "2024-06-19T02:03:08.062614Z", "updated_at": "2026-04-10T02:00:03.655475Z", "deleted_at": null, "main_name": "GOLD HARVEST", "aliases": [ "Octo Tempest ", "Roasted 0ktapus ", "Scatter Swine ", "Scattered Spider ", "UNC3944 " ], "source_name": "Secureworks:GOLD HARVEST", "tools": [ "AnyDesk", "ConnectWise Control", "Logmein" ], "source_id": "Secureworks", "reports": null }, { "id": "4e7fd07d-fcc5-459b-b678-45a7d9cda751", "created_at": "2025-04-23T02:00:55.174827Z", "updated_at": "2026-04-10T02:00:05.353712Z", "deleted_at": null, "main_name": "BlackByte", "aliases": [ "BlackByte", "Hecamede" ], "source_name": "MITRE:BlackByte", "tools": [ "AdFind", "BlackByte Ransomware", "Exbyte", "Arp", "BlackByte 2.0 Ransomware", "PsExec", "Cobalt Strike", "Mimikatz" ], "source_id": "MITRE", "reports": null }, { "id": "63061658-5810-4f01-9620-7eada7e9ae2e", "created_at": "2022-10-25T15:50:23.752974Z", "updated_at": "2026-04-10T02:00:05.244531Z", "deleted_at": null, "main_name": "Wizard Spider", "aliases": [ "Wizard Spider", "UNC1878", "TEMP.MixMaster", "Grim Spider", "FIN12", "GOLD BLACKBURN", "ITG23", "Periwinkle Tempest", "DEV-0193" ], "source_name": "MITRE:Wizard Spider", "tools": [ "TrickBot", "AdFind", "BITSAdmin", "Bazar", "LaZagne", "Nltest", "GrimAgent", "Dyre", "Ryuk", "Conti", "Emotet", "Rubeus", "Mimikatz", "Diavol", "PsExec", "Cobalt Strike" ], "source_id": "MITRE", "reports": null }, { "id": "72d09c17-e33e-4c2f-95db-f204848cc797", "created_at": "2022-10-25T15:50:23.832551Z", "updated_at": "2026-04-10T02:00:05.336787Z", "deleted_at": null, "main_name": "FIN8", "aliases": [ "FIN8", "Syssphinx" ], "source_name": "MITRE:FIN8", "tools": [ "BADHATCH", "PUNCHBUGGY", "Ragnar Locker", "PUNCHTRACK", "dsquery", "Nltest", "Sardonic", "PsExec", "Impacket" ], "source_id": "MITRE", "reports": null }, { "id": "fc80a724-e567-457c-82bb-70147435e129", "created_at": "2022-10-25T16:07:23.624289Z", "updated_at": "2026-04-10T02:00:04.691643Z", "deleted_at": null, "main_name": "FIN8", "aliases": [ "ATK 113", "G0061", "Storm-0288", "Syssphinx" ], "source_name": "ETDA:FIN8", "tools": [ "ALPHV", "ALPHVM", "BadHatch", "BlackCat", "Noberus", "PSVC", "PUNCHTRACK", "PoSlurp", "Powersniff", "PunchBuggy", "Ragnar Loader", "Ragnar Locker", "RagnarLocker", "Sardonic", "ShellTea" ], "source_id": "ETDA", "reports": null }, { "id": "a2d3f35f-3b29-4509-bff5-af2638140d39", "created_at": "2022-10-25T16:07:23.633982Z", "updated_at": "2026-04-10T02:00:04.695802Z", "deleted_at": null, "main_name": "FIN12", "aliases": [], "source_name": "ETDA:FIN12", "tools": [ "Agentemis", "BEERBOT", "BazarBackdoor", "BazarCall", "BazarLoader", "Cobalt Strike", "CobaltStrike", "KEGTAP", "TSPY_TRICKLOAD", "Team9Backdoor", "The Trick", "TheTrick", "Totbrick", "TrickBot", "TrickLoader", "bazaloader", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "84aa9dbe-e992-4dce-9d80-af3b2de058c0", "created_at": "2024-02-02T02:00:04.041676Z", "updated_at": "2026-04-10T02:00:03.537352Z", "deleted_at": null, "main_name": "Vanilla Tempest", "aliases": [ "DEV-0832", "Vice Society" ], "source_name": "MISPGALAXY:Vanilla Tempest", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bfded1cf-be73-44f9-a391-0751c9996f9a", "created_at": "2022-10-25T15:50:23.337107Z", "updated_at": "2026-04-10T02:00:05.252413Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "FIN7", "GOLD NIAGARA", "ITG14", "Carbon Spider", "ELBRUS", "Sangria Tempest" ], "source_name": "MITRE:FIN7", "tools": [ "Mimikatz", "AdFind", "JSS Loader", "HALFBAKED", "REvil", "PowerSploit", "CrackMapExec", "Carbanak", "Pillowmint", "Cobalt Strike", "POWERSOURCE", "RDFSNIFFER", "SQLRat", "Lizar", "TEXTMATE", "BOOSTWRITE" ], "source_id": "MITRE", "reports": null }, { "id": "88e53203-891a-46f8-9ced-81d874a271c4", "created_at": "2022-10-25T16:07:24.191982Z", "updated_at": "2026-04-10T02:00:04.895327Z", "deleted_at": null, "main_name": "Silence", "aliases": [ "ATK 86", "Contract Crew", "G0091", "TAG-CR8", "TEMP.TruthTeller", "Whisper Spider" ], "source_name": "ETDA:Silence", "tools": [ "EDA", "EmpireDNSAgent", "Farse", "Ivoke", "Kikothac", "LOLBAS", "LOLBins", "Living off the Land", "Meterpreter", "ProxyBot", "ReconModule", "Silence.Downloader", "TiniMet", "TinyMet", "TrueBot", "xfs-disp.exe" ], "source_id": "ETDA", "reports": null }, { "id": "d511e74b-96b8-4ab9-88d6-bc183351dbd8", "created_at": "2025-08-07T02:03:24.674685Z", "updated_at": "2026-04-10T02:00:03.800936Z", "deleted_at": null, "main_name": "BRONZE STARLIGHT", "aliases": [ "Cinnamon Tempest ", "DEV-0401 ", "Emperor Dragonfly " ], "source_name": "Secureworks:BRONZE STARLIGHT", "tools": [ "AtomSilo", "Cobalt Strike", "HUI Loader", "Impacket", "LockFile", "NightSky", "Pandora", "PlugX", "Rook" ], "source_id": "Secureworks", "reports": null }, { "id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82", "created_at": "2022-10-25T16:07:23.619566Z", "updated_at": "2026-04-10T02:00:04.690061Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "APT-C-11", "ATK 32", "G0046", "Gold Niagara", "GrayAlpha", "ITG14", "TAG-CR1" ], "source_name": "ETDA:FIN7", "tools": [ "7Logger", "Agentemis", "Anubis Backdoor", "Anunak", "Astra", "BIOLOAD", "BIRDWATCH", "Bateleur", "Boostwrite", "CROWVIEW", "Carbanak", "Cobalt Strike", "CobaltStrike", "DICELOADER", "DNSMessenger", "FOWLGAZE", "HALFBAKED", "JSSLoader", "KillACK", "LOADOUT", "Lizar", "Meterpreter", "Mimikatz", "NetSupport", "NetSupport Manager", "NetSupport Manager RAT", "NetSupport RAT", "NetSupportManager RAT", "POWERPLANT", "POWERSOURCE", "RDFSNIFFER", "Ragnar Loader", "SQLRAT", "Sardonic", "Sekur", "Sekur RAT", "TEXTMATE", "Tirion", "VB Flash", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "81e29474-63ad-4ce8-97db-b1712d5481d5", "created_at": "2024-04-24T02:00:49.570158Z", "updated_at": "2026-04-10T02:00:05.285111Z", "deleted_at": null, "main_name": "Cinnamon Tempest", "aliases": [ "Cinnamon Tempest", "DEV-0401", "Emperor Dragonfly", "BRONZE STARLIGHT" ], "source_name": "MITRE:Cinnamon Tempest", "tools": [ "Pandora", "PlugX", "Cheerscrypt", "Impacket", "Cobalt Strike", "HUI Loader", "Rclone" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434049, "ts_updated_at": 1775792271, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/0e4caecb0c32c66e4af751b48bfe683e951501d6.pdf", "text": "https://archive.orkl.eu/0e4caecb0c32c66e4af751b48bfe683e951501d6.txt", "img": "https://archive.orkl.eu/0e4caecb0c32c66e4af751b48bfe683e951501d6.jpg" } }