{
	"id": "849a0c27-b70d-4588-957a-74b752c97004",
	"created_at": "2026-04-06T00:10:20.839542Z",
	"updated_at": "2026-04-10T13:11:41.656798Z",
	"deleted_at": null,
	"sha1_hash": "0f11b452c512baf0c39d718a8b9b47f590a5579d",
	"title": "Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021 | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 160870,
	"plain_text": "Evolving trends in Iranian threat actor activity – MSTIC\r\npresentation at CyberWarCon 2021 | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2021-11-16 · Archived: 2026-04-02 10:49:55 UTC\r\nApril 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy\r\naligned around the theme of weather. Nation-state actors from Iran are now tracked under the name\r\nSandstorm.\r\nCURIUM is now tracked as Crimson Sandstorm\r\nEUROPIUM is now tracked as Hazel Sandstorm\r\nPHOSPHORUS is now tracked as Mint Sandstorm\r\nDEV-0343 is now tracked as Gray Sandstorm.\r\nTo learn more about this evolution, how the new taxonomy represents the origin, unique traits, and\r\nimpact of threat actors, and a complete mapping of threat actor names, read this blog: Microsoft shifts\r\nto a new threat actor naming taxonomy.\r\nOver the past year, the Microsoft Threat Intelligence Center (MSTIC) has observed a gradual evolution of the\r\ntools, techniques, and procedures employed by malicious network operators based in Iran. At CyberWarCon 2021,\r\nMSTIC analysts presented their analysis of these trends in Iranian nation state actor activity during a session titled\r\n“The Iranian evolution: Observed changes in Iranian malicious network operations”. 
This blog is intended to\r\nsummarize the content of that research and the topics covered in their presentation and demonstrate MSTIC’s\r\nongoing efforts to track these actors and protect customers from the related threats.\r\nMSTIC consistently tracks threat actor activity, including the groups discussed in this blog, and works across\r\nMicrosoft Security products and services to build detections into our products that improve customer protections.\r\nWe are sharing this blog today so that others in the community can also be aware of the latest techniques we have\r\nobserved being used by Iranian actors.\r\nAs with any observed nation-state actor activity, Microsoft has directly notified customers that have been targeted\r\nor compromised, providing them with the information they need to help secure their accounts. Microsoft uses\r\nDEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat\r\nactivity, allowing MSTIC to track it as a unique set of information until we reach a high confidence about the\r\norigin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.\r\nThree notable trends in Iranian nation-state operators have emerged:\r\nThey are increasingly utilizing ransomware to either collect funds or disrupt their targets.\r\nThey are more patient and persistent while engaging with their targets.\r\nhttps://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/\r\nPage 1 of 6\n\nWhile Iranian operators are more patient and persistent with their social engineering campaigns, they\r\ncontinue to employ aggressive brute force attacks on their targets.\r\nRansomware\r\nSince September 2020, MSTIC has observed six Iranian threat groups deploying ransomware to achieve their\r\nstrategic objectives. 
These ransomware deployments were launched in waves every six to eight weeks on average.\r\nFigure 1: Timeline of ransomware attacks by Iranian threat actors\r\nIn one observed campaign, PHOSPHORUS targeted the Fortinet FortiOS SSL VPN and unpatched on-premises\r\nExchange Servers globally with the intent of deploying ransomware on vulnerable networks. A recent blog post by\r\nthe DFIR Report describes a similar intrusion in which actors leveraged vulnerabilities in on-premise Exchange\r\nServers to compromise a victim environment and encrypt systems via BitLocker. MSTIC also attributes this\r\nactivity to PHOSPHORUS. PHOSPHORUS operators conducted widespread scanning and ransomed targeted\r\nsystems through a five-step process: Scan, Exploit, Review, Stage, Ransom.\r\nScan\r\nIn the early part of 2021, PHOSPHORUS actors scanned millions of IPs on the internet for Fortinet FortiOS SSL\r\nVPN that were vulnerable to CVE-2018-13379. This vulnerability allowed the attackers to collect clear-text\r\ncredentials from the sessions file on vulnerable Fortinet VPN appliances. The actors collected credentials from\r\nover 900 Fortinet VPN servers in the United States, Europe, and Israel so far this year. In the last half of 2021,\r\nPHOSPHORUS shifted to scanning for unpatched on-premises Exchange Servers vulnerable to ProxyShell (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065).\r\nExploit\r\nWhen they identified vulnerable servers, PHOSPHORUS sought to gain persistence on the target systems. In\r\nsome instances, the actors downloaded a Plink runner named MicrosoftOutLookUpdater.exe. This file would\r\nbeacon periodically to their C2 servers via SSH, allowing the actors to issue further commands. Later, the actors\r\nwould download a custom implant via a Base64-encoded PowerShell command. 
This implant established\r\npersistence on the victim system by modifying startup registry keys and ultimately functioned as a loader to\r\ndownload additional tools.\r\nReview\r\nAfter gaining persistence, PHOSPHORUS actors triaged hundreds of victims to determine which of them were\r\nfitting for actions on objectives. On select victims, operators created local administrator accounts with a\r\nusername of “help” and password of “_AS_@1394” via the commands below. On occasion, actors dumped\r\nLSASS to acquire credentials to be used later for lateral movement.\r\nStage and Ransom\r\nFinally, MSTIC observed PHOSPHORUS employing BitLocker to encrypt data and ransom victims at several\r\ntargeted organizations. BitLocker is a full volume encryption feature meant to be used for legitimate purposes.\r\nAfter compromising the initial server (through vulnerable VPN or Exchange Server), the actors moved laterally to\r\na different system on the victim network to gain access to higher value resources. From there, they deployed a\r\nscript to encrypt the drives on multiple systems. Victims were instructed to reach out to a specific Telegram page\r\nto pay for the decryption key.\r\nPatience and persistence\r\nMSTIC has observed PHOSPHORUS threat actors employing social engineering to build rapport with their\r\nvictims before targeting them. These operations likely required significant investment in the operator’s time and\r\nresources to refine and execute. This trend indicates PHOSPHORUS is either moving away from or expanding on\r\ntheir past tactics of sending unsolicited links and attachments in spear-phishing email campaigns to attempt\r\ncredential theft.\r\nPHOSPHORUS – Patient and persistent\r\nPHOSPHORUS sends “interview requests” to target individuals through emails that contain tracking links to\r\nconfirm whether the user has opened the file. 
Once a response is received from the target user, PHOSPHORUS\r\nattackers send a link to a benign list of interview questions hosted on a cloud service provider. The attackers\r\ncontinue with several back-and-forth conversations discussing the questions with the target user before finally\r\nsending a meeting invite with a link masquerading as a Google Meeting.\r\nOnce the meeting invite is sent, the attackers continuously reach out to the target user, asking them to test the\r\nGoogle Meeting link. The attackers contact the targeted user multiple times per day, continuously pestering them\r\nto click the link. The attackers even go so far as to offer to call the target user to walk them through clicking the\r\nlink. The attackers are more than willing to troubleshoot any issues the user has signing into the fake Google\r\nMeeting link, which leads to a credential harvesting page.\r\nMSTIC has observed PHOSPHORUS operators become very aggressive in their emails after the initial lure is\r\nsent, to the point where they are almost demanding a response from the targeted user.\r\nCURIUM – In it for the long run\r\nCURIUM is another Iranian threat actor group that has shown a great deal of patience when targeting users.\r\nInstead of phishing emails, CURIUM actors leverage a network of fictitious social media accounts to build trust\r\nwith targets and deliver malware.\r\nThese attackers have followed this playbook:\r\nMasquerade as an attractive woman on social media\r\nEstablish a connection with a target user via LinkedIn, Facebook, etc.\r\nChat with the target daily\r\nSend benign videos of the woman to the target to prime them to lower their guard\r\nSend malicious files to the target similar to the benign files previously sent\r\nRequest that the target user open the malicious 
document\r\nExfiltrate data from the victim machine\r\nThe process above can take multiple months from the initial connection to the delivery of the malicious document.\r\nThe attackers build a relationship with target users over time by having constant and continuous communications\r\nwhich allows them to build trust and confidence with the target. In many of the cases we have observed, the\r\ntargets genuinely believed that they were making a human connection and not interacting with a threat actor\r\noperating from Iran.\r\nBy exercising patience, building relationships, and pestering targets continuously once a relationship has been\r\nformed, Iranian threat actors have had more success in compromising their targets.\r\nBrute force\r\nIn 2021, MSTIC observed DEV-0343 aggressively targeting Office 365 tenants via an ongoing campaign of\r\npassword spray attacks. DEV-0343 is a threat actor MSTIC assesses to be likely operating in support of Iranian\r\ninterests. MSTIC has blogged about DEV-0343 activity previously.\r\nAnalysis of Office 365 logs suggests that DEV-0343 is using a red team tool like o365spray to conduct these\r\nattacks.\r\nTargeting in this DEV-0343 activity has been observed across defense companies that support United States,\r\nEuropean Union, and Israeli government partners producing military-grade radars, drone technology, satellite\r\nsystems, and emergency response communication systems. Further activity has targeted customers in geographic\r\ninformation systems (GIS), spatial analytics, regional ports of entry in the Persian Gulf, and several maritime and\r\ncargo transportation companies with a business focus in the Middle East.\r\nAs we discussed in our previous blog, DEV-0343 operators’ ‘pattern of life’ is consistent with the working\r\nschedule of actors based in Iran. 
DEV-0343 operator activity peaked Sunday through Thursday between 04:00:00\r\nand 16:00:00 UTC.\r\nFigure 2: DEV-0343 observed operating hours in UTC\r\nFigure 3: DEV-0343 observed actor requests per day\r\nKnown DEV-0343 operators have also been observed targeting the same account on the same tenant being\r\ntargeted by other known Iranian operators. For example, EUROPIUM operators attempted to access a specific\r\naccount on June 12, 2021 and ultimately gained access to this account on June 13, 2021. DEV-0343 was then\r\nobserved targeting this same account within minutes of EUROPIUM operators gaining access to it the same day.\r\nMSTIC assesses that these observed overlapping activities suggest a coordination between different Iranian actors\r\npursuing common objectives.\r\nClosing thoughts: Increasingly capable threat actors\r\nAs Iranian operators have adapted both their strategic goals and tradecraft, over time they have evolved into more\r\ncompetent threat actors capable of conducting a full spectrum of operations including:\r\nInformation operations\r\nDisruption and destruction\r\nSupport to physical operations\r\nSpecifically, Iranian operators have proven themselves to be both willing and able to:\r\nDeploy ransomware\r\nDeploy disk wipers\r\nDeploy mobile malware\r\nConduct phishing attacks\r\nConduct password spray attacks\r\nConduct mass exploitation attacks\r\nConduct supply chain attacks\r\nCloak C2 communications behind legitimate cloud services\r\nMSTIC thanks CyberWarCon 2021 for the opportunity to present this research to the broader security community.\r\nMicrosoft will continue to monitor all this activity by Iranian actors and implement protections for our customers.\r\nSource: 
https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/"
	],
	"report_names": [
		"evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021"
	],
	"threat_actors": [
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "84a3dd71-1d65-4997-80fc-7fbe55b267f2",
			"created_at": "2023-04-26T02:03:02.969306Z",
			"updated_at": "2026-04-10T02:00:05.341127Z",
			"deleted_at": null,
			"main_name": "CURIUM",
			"aliases": [
				"CURIUM",
				"Crimson Sandstorm",
				"TA456",
				"Tortoise Shell",
				"Yellow Liderc"
			],
			"source_name": "MITRE:CURIUM",
			"tools": [
				"IMAPLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c4cd33a4-3ec0-4a21-b20f-99d3b7cc6525",
			"created_at": "2024-01-09T02:00:04.205662Z",
			"updated_at": "2026-04-10T02:00:03.511121Z",
			"deleted_at": null,
			"main_name": "Gray Sandstorm",
			"aliases": [
				"DEV-0343"
			],
			"source_name": "MISPGALAXY:Gray Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7",
			"created_at": "2023-01-06T13:46:39.054248Z",
			"updated_at": "2026-04-10T02:00:03.197801Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Yellow Liderc",
				"Imperial Kitten",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Smoke Sandstorm",
				"IMPERIAL KITTEN",
				"TA456",
				"DUSTYCAVE",
				"CURIUM"
			],
			"source_name": "MISPGALAXY:Tortoiseshell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b5b24083-7ba6-44cc-9d11-a6274e2eee00",
			"created_at": "2022-10-25T16:07:24.337332Z",
			"updated_at": "2026-04-10T02:00:04.94285Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Cobalt Fireside",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Curium",
				"Devious Serpens",
				"Houseblend",
				"Imperial Kitten",
				"Marcella Flores",
				"Operation Fata Morgana",
				"TA456",
				"Yellow Liderc"
			],
			"source_name": "ETDA:Tortoiseshell",
			"tools": [
				"IMAPLoader",
				"Infostealer",
				"IvizTech",
				"LEMPO",
				"MANGOPUNCH",
				"SysKit",
				"get-logon-history.ps1",
				"liderc",
				"stereoversioncontrol"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "591ffe81-e46b-4e3d-90c1-9bf42abeeb47",
			"created_at": "2025-08-07T02:03:24.726943Z",
			"updated_at": "2026-04-10T02:00:03.805423Z",
			"deleted_at": null,
			"main_name": "COBALT FIRESIDE",
			"aliases": [
				"CURIUM ",
				"Crimson Sandstorm ",
				"Cuboid Sandstorm ",
				"DEV-0228 ",
				"HIVE0095 ",
				"Imperial Kitten ",
				"TA456 ",
				"Tortoiseshell ",
				"UNC3890 ",
				"Yellow Liderc "
			],
			"source_name": "Secureworks:COBALT FIRESIDE",
			"tools": [
				"FireBAK",
				"LEMPO",
				"LiderBird"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434220,
	"ts_updated_at": 1775826701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0f11b452c512baf0c39d718a8b9b47f590a5579d.pdf",
		"text": "https://archive.orkl.eu/0f11b452c512baf0c39d718a8b9b47f590a5579d.txt",
		"img": "https://archive.orkl.eu/0f11b452c512baf0c39d718a8b9b47f590a5579d.jpg"
	}
}