{
	"id": "cc26da0b-9278-40d7-b49e-72422bbe1b7e",
	"created_at": "2026-04-06T00:16:46.649354Z",
	"updated_at": "2026-04-10T03:21:27.415239Z",
	"deleted_at": null,
	"sha1_hash": "0ec8b940b7112d14cf6359300dcbab31bf6b68e0",
	"title": "NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1361909,
	"plain_text": "NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails\r\nBy Anthony Kasza\r\nPublished: 2016-02-09 · Archived: 2026-04-05 17:16:14 UTC\r\nIt seems every mainstream news event or holiday has an accompanying phishing campaign. Opportunistic actors\r\nhoping to capitalize on the public's attention are often seen sending phishing e-mails with themes related to the\r\nnews or the season..\r\nIt happened this last holiday season and will likely continue to occur as long as email is around.\r\nUnsurprisingly, as we near the U.S. deadline for filing our income taxes, Palo Alto Networks researchers have\r\nseen an increase in phishing emails specifically related to taxes. This blog details some recent trends we have been\r\nable to identify. Palo Alto Networks noticed both executable attachments and Microsoft Word documents with\r\nmacros designed to download and execute files.\r\nTax-Themed Phishing\r\nLooking through recent email attachments determined to be malicious by WildFire, we noticed a trend in subject\r\nlines involving tax forms using the keywords ‘report’, ‘tax’, ‘secure’ and ‘pin’. Pivoting from subject lines to the\r\nhash values and filenames of attachments included in the emails allowed us to expand our initial sample set.\r\nFinally, using the AutoFocus API and a bit of Python we were able to collect data about the samples included in\r\nthe tax-themed phishing and build a data frame for further analysis.\r\nWithin the final sample set, we were able to identify 70 unique malware samples distributed through 2,062 email\r\nsessions between September 2, 2015 and January 28, 2016. 
As expected, email sender addresses were often\r\nspoofed to provide a sense of legitimacy.\r\nSome examples of email sender addresses:\r\n2015-autax-return@ato.gov.au\r\n2015Refund@cra-arc.gc.ca\r\n2015autaxreturn@ato.gov.au\r\n2015tax-return@irs.gov\r\n2015taxreturn-noreply@irs.gov\r\n2015taxreturn@iras.gov.sg\r\nWe also noticed the source IP address of the emails primarily came from a free mail service called mail2world.\r\nThe top 5 source IP addresses by session count were:\r\n209.67.128.221  934 sessions\r\n117.120.5.194     214 sessions\r\nhttps://researchcenter.paloaltonetworks.com/2016/02/nanocorerat-behind-an-increase-in-tax-themed-phishing-e-mails/\r\nPage 1 of 13\n\n209.67.128.182  213 sessions\r\n23.235.221.158  63 sessions\r\n130.194.13.86     53 sessions\r\nWhile some of the phishing email attachments were PE files, others were MS Word documents with malicious\r\nmacros. One sample (119f3dd48e316f77974a7ec84c0fdecd943ceed77c30db9a6df0c1b0615b0ac0) included\r\ninstructions on how to enable macros.\r\nUsing open source tools, the obfuscated file download functionality is easily located in the Word macro.\r\nLooking at the malware contained in each email attachment, the payloads consisted predominantly of\r\nNanoCoreRAT or a generic macro downloader that would then download and execute NanoCoreRAT. 
The\r\ncountries receiving these phishing messages align with what are believed to be country code indicators in\r\nmalicious URLs and email attachment names.\r\nRecipients of Tax-Based Phishing E-mails\r\nAnalyzing the malicious macro documents we observed for these tax-themed phishing attacks revealed that\r\nalthough there were a large number of unique samples, their behavior and infrastructure contained significant\r\noverlap.\r\nIn the above figure, we can easily see that six domains were in heavy use by most samples.\r\nSecond-stage download:\r\nwww.cnw-inc[.]com\r\nwww.iphonetechie[.]com\r\nNanoCoreRAT Command and Control:\r\ndawood01.ddns[.]net\r\ndawood02.no-ip[.]org\r\ndawood00.no-ip[.]org\r\nNanoCore\r\nNanoCore is a commodity trojan developed in the .NET framework. According to Symantec, a fully cracked\r\nversion of NanoCore 1.2.2.0 with premium plugins was released around March 2015 and has been seen targeting\r\nthe energy sector. This release caused NanoCore to become increasingly popular with adversaries, especially the\r\nmore frugal ones. Around April 2015 we observed a rise in activity involving NanoCore. We have observed its\r\nincorporation into tax-themed phishing since June 2015 and are continuing to see a general increase in activity\r\nsince then. Below shows the upward trend Palo Alto Networks has seen in NanoCoreRAT being distributed since\r\nSeptember 2014.\r\nNanoCore is a modular RAT with many of its capabilities provided through plugins. 
Capabilities provided by the\r\npremium plugins we could identify include:\r\nkeylogging and password \"recovery\"\r\n\"stress testing\" or DoS\r\ndownload, execute, or install other software\r\nremote CLI and UI\r\nregistry editing\r\nsocks proxy\r\nfirewall modification\r\nwebcam and audio controls\r\nThe plugins available to a NanoCoreRAT sample are encrypted and stored in the resource section of the PE file.\r\nUsing dnSpy as a debugger, we extracted the plugins included in sample\r\n758f255abc102d53b7a4e8a8902da57076db9889cb80e81e8f1a344056f00c59 by setting breakpoints on all\r\nAssembly.Load calls, running the sample, and manually dumping the raw assembly bytes passed to those\r\nfunctions to disk as DLLs.\r\nMost of the plugins included in this sample were obfuscated with Eazfuscator.NET 3.3 and easily deobfuscated\r\nusing de4dot.\r\nNanoCoreRAT uses a custom TCP protocol to connect to a server specified by the attacker on the port of their\r\nchoosing. Below is the encrypted traffic sent by one sample to 54.152.254.8 on TCP port 4782:\r\n00000000 40 00 00 00 52 5a 31 be 44 a9 01 f5 65 18 54 8e @...RZ1. D...e.T.\r\n00000010 75 be e4 66 6a a4 0f e1 d0 4b 4e 6d 27 b6 19 a1 u..fj... .KNm'...\r\n00000020 0b 21 07 b8 1a 57 60 42 0d 54 d8 4e 1b 04 54 6b .!...W`B .T.N..Tk\r\n00000030 d5 8c 94 a0 76 88 6f 8a 05 88 dc ca 65 62 54 2b ....v.o. ....ebT+\r\n00000040 fe d4 ab 7c\r\nThis sample uses DES to encrypt the traffic. 
It creates a DESCryptoServiceProvider with a key from the assembly's\r\nGUID attribute and bytes from the resource section.\r\nprivate static bool smethod_13()\r\n{\r\n    byte[] array = Class8.smethod_16();\r\n    if (array != null)\r\n    {\r\n        ...\r\n        // GUID taken from the executing assembly's GuidAttribute\r\n        Guid guid_ = Class8.smethod_18(Assembly.GetExecutingAssembly());\r\n        // Decrypt the embedded bytes with a key and IV derived from that GUID\r\n        Class8.byte_2 = Class8.smethod_19(byte_, guid_);\r\n        Class13.smethod_0(Class8.byte_2);\r\n        ...\r\n}\r\nprivate static Guid smethod_18(Assembly assembly_1)\r\n{\r\n    Guid result = new Guid(((GuidAttribute)assembly_1.GetCustomAttributes(typeof(GuidAttribute), false)[0]).Value);\r\n    return result;\r\n}\r\nprivate static byte[] smethod_19(byte[] byte_3, Guid guid_0)\r\n{\r\n    // PBKDF2 with the GUID bytes as both password and salt, 8 iterations\r\n    Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(guid_0.ToByteArray(), guid_0.ToByteArray(), 8);\r\n    return new RijndaelManaged\r\n    {\r\n        IV = rfc2898DeriveBytes.GetBytes(16),\r\n        Key = rfc2898DeriveBytes.GetBytes(16)\r\n    }.CreateDecryptor().TransformFinalBlock(byte_3, 0, byte_3.Length);\r\n}\r\nThe DES key for this sample is 72 20 18 78 8C 29 48 97; we can use it to decrypt the traffic into the following:\r\n00 00 00 00 12 DD DF 82 E7 AE 59 ED 45 B3 F4 E2 B5 7D 53 A5 EE 0C 14 57 49 4E 2D 48 55 46 44 39 33 41\r\n52 36 32 32 5C 6A 6F 68 6E 0C 07 44 65 66 61 75 6C 74 0C 07 31 2E 32 2E 32 2E 30\r\n.....Ýß‚ç®YíE³ôâµ}S¥î..WIN-HUFD93AR622\\john..Default..1.2.2.0\r\nSystem Guid ComputerName\\Username RAT Group Version\r\nThe bytes are stored in array2 and are encrypted with the following code and stored in the byte array 
named\r\nbuffer.\r\nbyte[] buffer = Class13.icryptoTransform_0.TransformFinalBlock(array2, 0, array2.Length);\r\nNanoCore can output messages to a console if the EnableDebugMode parameter is enabled in the RAT's\r\nconfiguration.\r\nConclusion\r\nPhishing is often how attackers gain access to targeted systems, and user awareness is the first line of\r\ndefense. Phishing isn't new, but the increased distribution of the full-featured NanoCoreRAT implants is. Users\r\nshould be made aware of the dangers that enabling macros poses. We have observed macro-based attacks on the\r\nrise in October of 2014\r\nPalo Alto Networks customers with WildFire turned on would have been alerted to the presence of this threat on\r\ntheir networks. 
AutoFocus customers are able to further research both tax-themed phishing and NanoCoreRAT\r\nsamples and trends.\r\nIndicators\r\nEmail Subject Lines\r\n[Attention] Your 2014 Tax Report\r\n[Urgent Attention] Your 2015 Secure IP PIN\r\n[ATO: URGENT] Your 2014 Tax Return Report!\r\n[URGENT ATTENTION] Your 2014 Tax Return!\r\n[ATO: ATTENTION] Your 2015 Tax Return PIN!\r\n[IRS ATTENTION] Your 2015 Secure IP PIN!!!\r\n[HMRC ATTENTION] Your 2015 Tax Report PIN!\r\n[ATTENTION] Your 2015 Tax Return PIN!!!\r\nEmail Attachment Filenames\r\nIRSReport.doc\r\nCATAXREPORT.doc\r\n2015TaxPIN.pdf.exe\r\n[CRA]Report.pdf.exe\r\nSGTAXREPORT.doc\r\n[CRA]TaxReport.doc\r\n[IRS]TaxReport.doc\r\n[HMRC]TaxReport.doc\r\nTaxReport!!.doc\r\nSGTAXREPORT.pdf.exe\r\n[CRA]ReadReport.doc\r\nUKTaxReturnReport.pdf.exe\r\nCATaxReturnReport.pdf.exe\r\n[CA]Report.pdf.exe\r\n[BE]TaxReport.pdf.exe\r\nUS2015TaxPIN.doc\r\nAUTaxReport.pdf.exe\r\nAU2015TaxPIN.doc\r\n2015TaxPIN.doc\r\nCRA-Report.doc.exe\r\nTaxReport.doc\r\nUKTAXREPORT.doc\r\nAUTAXREPORT.doc\r\nCATaxreturn.doc\r\n[CRA]Report!.pdf.exe\r\nFRTaxReport.pdf.exe\r\nEmail Attachment 
SHA256s\r\nEmail Attachment Resolved Domains\r\nagor0020.gotdns.ch\r\nbtint.net16.net\r\ndawood00.no-ip.org\r\ndawood01.ddns.net\r\ndawood02.no-ip.org\r\nwww.cnw-inc.com\r\nwww.iphonetechie.com\r\nwww.pantech224.firstcom.com.sg\r\nwww.secretchamber.sg\r\nNanoCore Deobfuscated Plugin SHA256s\r\nClientPlugin.dll 277f74d0ce633645c1a3a91b45f800f16385496d50c511084ccbd19c33a39b23\r\nCoreClientPlugin.dll 8c18712257e04e0554a4fa8414906489bc4300ee71405719d43ce949decddf18\r\nFileBrowserClient.dll 98b70d6b88b8fdf05d8da676fa7a48622c2d415cd5cf8e8a1f193dc6c65dc101\r\nLzma#.dll ee05e8bd662e8e59c851b4053d2b34e8524cbe5356ee6c385b07d028a9dfb28d\r\nManagementClientPlugin.dll 3ad61e99f7a09c524121981f536b625fadcb27481d99ffe75938bb550be8883e\r\nMyClientPlugin.dll 1e6cc9c0ee28a352611fd1a6b41f4a5e66019729b529d9177b14b25624533cad\r\nMyClientPluginNew.dll c986b9e146cb4f88dc68bea7927c76e0056e181b7b0de45fe4a221ce5e900d08\r\nNanoCoreBase.dll 
ea8ddf633460353ab0e641b97a370873b16ac4aef3e6ef6bffc2c4618256ab64\r\nNanoCoreStressTester.dll edd0e15cdf75f8158c5aae90db3e8c7d7705a247c5d807bc74c027c36ef6dc3d\r\nNetworkClientPlugin.dll 6995887a9827808ca41ffbfddbeb93b8de9468387ec8958207a3eb9951d286f6\r\nSecurityClientPlugin.dll ee5cb353a3e4bdce3ac3b514e2e17e0dd0b04d787b4705c7cf1a681c0b422d85\r\nSurveillanceClientPlugin.dll beaf550d664abe4653fd0ddbdd1783894141b51272d8ac565556aa28e2ac847d\r\nSurveillanceExClientPlugin.dll 5db139678bcfda1b46ddab1e2956b599da89a364230d16703a4ac0b02325a13a\r\nToolsClientPlugin.dll a4f7a7dddbef1930d11609e4cd7604d1c3a75646db051499b1247b3b03b48692\r\nMyClientPlugin.dll_2 7c1d77c3b41af227c5f6ae49000134420ce9fdd8d3050eceb5aa2358a31a4724\r\nAdditional Resources\r\nNanoCore and Unpacking the AutoIT Cryptor\r\nNanoCore: Another RAT tries to make it out of the gutter\r\nSource: https://researchcenter.paloaltonetworks.com/2016/02/nanocorerat-behind-an-increase-in-tax-themed-phishing-e-mails/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2016/02/nanocorerat-behind-an-increase-in-tax-themed-phishing-e-mails/"
	],
	"report_names": [
		"nanocorerat-behind-an-increase-in-tax-themed-phishing-e-mails"
	],
	"threat_actors": [],
	"ts_created_at": 1775434606,
	"ts_updated_at": 1775791287,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0ec8b940b7112d14cf6359300dcbab31bf6b68e0.pdf",
		"text": "https://archive.orkl.eu/0ec8b940b7112d14cf6359300dcbab31bf6b68e0.txt",
		"img": "https://archive.orkl.eu/0ec8b940b7112d14cf6359300dcbab31bf6b68e0.jpg"
	}
}