{
	"id": "380905f1-535e-42d9-a377-da1e4c3c43ed",
	"created_at": "2026-04-06T00:07:38.009594Z",
	"updated_at": "2026-04-10T03:32:26.450812Z",
	"deleted_at": null,
	"sha1_hash": "0fd00c87a492ab822d22bd5c7140cd00f2eabdbf",
	"title": "DNS Hijacking Abuses Trust In Core Internet Service",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 569506,
	"plain_text": "DNS Hijacking Abuses Trust In Core Internet Service\r\nBy Cisco Talos\r\nPublished: 2019-04-17 · Archived: 2026-04-05 13:20:04 UTC\r\nWednesday, April 17, 2019 11:00\r\nPreface\r\nThis blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this\r\nincident is limited to targeting primarily national security organizations in the Middle East and North Africa, and\r\nwe do not want to overstate the consequences of this specific campaign, we are concerned that the success of this\r\noperation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology\r\nsupporting the Internet. Manipulating that system has the potential to undermine the trust users have on the\r\ninternet. That trust and the stability of the DNS system as a whole drives the global economy. Responsible nations\r\nshould avoid targeting this system, work together to establish an accepted global norm that this system and the\r\norganizations that control it are off-limits, and cooperate in pursuing those actors who act irresponsibly by\r\ntargeting this system.\r\nExecutive Summary\r\nCisco Talos has discovered a new cyber threat campaign that we are calling \"Sea Turtle,\" which is targeting public\r\nand private entities, including national security organizations, located primarily in the Middle East and North\r\nAfrica. The ongoing operation likely began as early as January 2017 and has continued through the first quarter of\r\n2019. Our investigation revealed that at least 40 different organizations across 13 different countries were\r\ncompromised during this campaign. 
We assess with high confidence that this activity is being carried out by an\r\nadvanced, state-sponsored actor that seeks to obtain persistent access to sensitive networks and systems.\r\nhttps://blog.talosintelligence.com/seaturtle/\r\nPage 1 of 12\n\nThe actors behind this campaign have focused on using DNS hijacking as a mechanism for achieving their\r\nultimate objectives. DNS hijacking occurs when the actor can illicitly modify DNS name records to point users to\r\nactor-controlled servers. The Department of Homeland Security (DHS) issued an alert about this activity on Jan.\r\n24, 2019, warning that an attacker could redirect user traffic and obtain valid encryption certificates for an\r\norganization's domain names.\r\nIn the Sea Turtle campaign, Talos was able to identify two distinct groups of victims. The first group, which we identify\r\nas primary victims, includes national security organizations, ministries of foreign affairs, and prominent energy\r\norganizations. The threat actor targeted third-party entities that provide services to these primary entities to obtain\r\naccess. Targets that fall into the secondary victim category include numerous DNS registrars, telecommunication\r\ncompanies, and internet service providers. One of the most notable aspects of this campaign was how they were\r\nable to perform DNS hijacking of their primary victims by first targeting these third-party entities.\r\nWe assess with high confidence that these operations are distinctly different and independent from the operations\r\nperformed by DNSpionage, which we reported on in November 2018. The Sea Turtle campaign almost certainly\r\nposes a more severe threat than DNSpionage given the actor's methodology in targeting various DNS registrars\r\nand registries. The level of access we presume necessary to engage in DNS hijacking successfully indicates an\r\nongoing, high degree of threat to organizations in the targeted regions. 
Due to the effectiveness of this approach,\r\nwe encourage all organizations, globally, to ensure they have taken steps to minimize the possibility of malicious\r\nactors duplicating this attack methodology.\r\nThe threat actors behind the Sea Turtle campaign show clear signs of being highly capable and brazen in their\r\nendeavors. The actors are responsible for the first publicly confirmed case against an organization that manages a\r\nroot server zone, highlighting the attacker's sophistication. Notably, the threat actors have continued their attacks\r\ndespite public reports documenting various aspects of their activity, suggesting they are unusually brazen and may\r\nbe difficult to deter going forward. In most cases, threat actors typically stop or slow down their activities once\r\ntheir campaigns are publicly revealed.\r\nThis post provides the technical findings you would typically see in a Talos blog. We will also offer some\r\ncommentary on the threat actor's tradecraft, including possible explanations about the actor's attack methodology\r\nand thought process. Finally, we will share the IOCs that we have observed thus far, although we are confident\r\nthere are more that we have not seen.\r\nBackground on Domain Name Services and records management\r\nThe threat actors behind the Sea Turtle campaign were successful in compromising entities by manipulating and\r\nfalsifying DNS records at various levels in the domain name space. This section provides a brief overview of\r\nwhere DNS records are managed and how they are accessed to help readers better understand how these events\r\nunfolded.\r\nThe first and most direct way to access an organization's DNS records is through the registrar with the registrant's\r\ncredentials. These credentials are used to log in to the DNS provider from the client side, which is a registrar. 
If an\r\nattacker was able to compromise an organization's network administrator credentials, the attacker would be able to\r\nchange that particular organization's DNS records at will.\r\nThe second way to access DNS records is through a DNS registrar, sometimes called a registrar operator. A\r\nregistrar sells domain names to the public and manages DNS records on behalf of the registrant through the\r\ndomain registry. Records in the domain registry are accessed through the registry application using the Extensible\r\nProvisioning Protocol (EPP). EPP was detailed in the request for comment (RFC) 5730 as \"a means of interaction\r\nbetween a registrar's applications and registry applications.\" If the attackers were able to obtain one of these EPP\r\nkeys, they would be able to modify any DNS records that were managed by that particular registrar.\r\nThe third approach to gain access to DNS records is through one of the registries. These registries manage any\r\nknown TLD, such as entire country code top-level domains (ccTLDs) and generic top-level domains (gTLDs). For\r\nexample, Verisign manages all entities associated with the top-level domain (TLD) \".com.\" All the different\r\nregistry information then converges into one of 12 different organizations that manage different parts of the domain\r\nregistry root. The domain registry root is stored on 13 \"named authorities in the delegation data for the root zone,\"\r\naccording to ICANN.\r\nFinally, actors could target root zone servers to modify the records directly. It is important to note that there is no\r\nevidence during this campaign (or any other we are aware of) that the root zone servers were attacked or\r\ncompromised. We highlight this as a potential avenue that attackers would consider. 
The root DNS servers issued\r\na joint statement that stated, \"There are no signs of lost integrity or compromise of the content of the root [server]\r\nzone…There are no signs of clients having received unexpected responses from root servers.\"\r\nAssessed Sea Turtle DNS hijacking methodology\r\nIt is important to remember that DNS hijacking is merely a means for the attackers to achieve their primary\r\nobjective. Based on observed behaviors, we believe the actor ultimately intended to steal credentials to gain access\r\nto networks and systems of interest. To achieve their goals, the actors behind Sea Turtle:\r\n1. Established a means to control the DNS records of the target.\r\n2. Modified DNS records to point legitimate users of the target to actor-controlled servers.\r\n3. Captured legitimate user credentials when users interacted with these actor-controlled servers.\r\nThe diagram below illustrates how we believe the actors behind the Sea Turtle campaign used DNS hijacking to\r\nachieve their end goals.\r\nRedirection Attack Methodology Diagram\r\nOperational tradecraft\r\nInitial access\r\nThe threat actors behind the Sea Turtle campaign gained initial access either by exploiting known vulnerabilities\r\nor by sending spear-phishing emails. Talos believes that the threat actors have exploited multiple known CVEs to\r\neither gain initial access or to move laterally within an affected organization. 
Based on our research, we know the\r\nactor utilizes the following known exploits:\r\nCVE-2009-1151: PHP code injection vulnerability affecting phpMyAdmin\r\nCVE-2014-6271: RCE affecting GNU bash system, specifically the SMTP (this was part of the Shellshock\r\nCVEs)\r\nCVE-2017-3881: RCE by unauthenticated user with elevated privileges on Cisco switches\r\nCVE-2017-6736: Remote Code Exploit (RCE) for Cisco integrated Service Router 2811\r\nCVE-2017-12617: RCE affecting Apache web servers running Tomcat\r\nCVE-2018-0296: Directory traversal allowing unauthorized access to Cisco Adaptive Security Appliances\r\n(ASAs) and firewalls\r\nCVE-2018-7600: RCE for websites built with Drupal, aka \"Drupalgeddon\"\r\nAs of early 2019, the only evidence of the spear-phishing threat vector came from a compromised organization's\r\npublic disclosure. On January 4, Packet Clearing House, which is not an Internet exchange point but rather is an\r\nNGO which provides support to Internet exchange points and the core of the domain name system, provided\r\nconfirmation of this aspect of the actors’ tactics when it publicly revealed its internal DNS had been briefly\r\nhijacked as a consequence of the compromise at its domain registrar.\r\nAs with any initial access involving a sophisticated actor, we believe this list of CVEs to be incomplete. The actor\r\nin question can leverage known vulnerabilities as they encounter a new threat surface. This list only represents the\r\nobserved behavior of the actor, not their complete capabilities.\r\nGlobalized DNS hijacking activity as an infection vector\r\nDuring a typical incident, the actor would modify the NS records for the targeted organization, pointing users to a\r\nmalicious DNS server that provided actor-controlled responses to all DNS queries. The amount of time that the\r\ntargeted DNS record was hijacked can range from a couple of minutes to a couple of days. 
This type of activity\r\ncould give an attacker the ability to redirect any victim who queried for that particular domain around the world.\r\nOther cybersecurity firms previously reported some aspects of this activity. Once the actor-controlled name server\r\nwas queried for the targeted domain, it would respond with a falsified \"A\" record that would provide the IP\r\naddress of the actor-controlled MitM node instead of the IP address of the legitimate service. In some instances,\r\nthe threat actors modified the time-to-live (TTL) value to one second. This was likely done to minimize the risk of\r\nany records remaining in the DNS cache of the victim machine.\r\nDuring 2019, we observed the following name servers being used in support of the Sea Turtle campaign:\r\nDomain Active Timeframe\r\nns1[.]intersecdns[.]com March - April 2019\r\nns2[.]intersecdns[.]com March - April 2019\r\nns1[.]lcjcomputing[.]com January 2019\r\nns2[.]lcjcomputing[.]com January 2019\r\nCredential harvesting: Man-in-the-middle servers\r\nOnce the threat actors accessed a domain's DNS records, the next step was to set up a man-in-the-middle (MitM)\r\nframework on an actor-controlled server.\r\nThe next step for the actor was to build MitM servers that impersonated legitimate services to capture user\r\ncredentials. Once these credentials were captured, the user would then be passed to the legitimate service. To evade\r\ndetection, the actors performed \"certificate impersonation,\" a technique in which the attacker obtained a certificate\r\nauthority-signed X.509 certificate from another provider for the same domain imitating the one already used by\r\nthe targeted organization. For example, if a DigiCert certificate protected a website, the threat actors would obtain\r\na certificate for the same domain but from another provider, such as Let's Encrypt or Comodo. 
This tactic would\r\nmake detecting the MitM attack more difficult, as a user's web browser would still display the expected \"SSL\r\npadlock\" in the URL bar.\r\nWhen the victim entered their password into the attacker's spoofed webpage, the actor would capture these\r\ncredentials for future use. The only indication a victim received was a brief lag between when the user entered\r\ntheir information and when they obtained access to the service. This would also leave almost no evidence for\r\nnetwork defenders to discover, as legitimate network credentials were used to access the accounts.\r\nIn addition to the MitM server IP addresses published in previous reports, Talos identified 16 additional servers\r\nleveraged by the actor during the observed attacks. The complete list of known malicious IP addresses is in the\r\nIndicators of Compromise (IOC) section below.\r\nCredential harvesting with compromised SSL certificates\r\nOnce the threat actors appeared to have access to the network, they stole the organization's SSL certificate. The\r\nattackers would then use the certificate on actor-controlled servers to perform additional MitM operations to\r\nharvest additional credentials. This allowed the actors to expand their access into the targeted organization's\r\nnetwork. The stolen certificates were typically only used for less than one day, likely as an operational security\r\nmeasure. Using stolen certificates for an extended period would increase the likelihood of detection. In some\r\ncases, the victims were redirected to these actor-controlled servers displaying the stolen certificate.\r\nOne notable aspect of the campaign was the actors' ability to impersonate VPN applications, such as Cisco\r\nAdaptive Security Appliance (ASA) products, to perform MitM attacks. At this time, we do not believe that the\r\nattackers found a new ASA exploit. 
Rather, they likely abused the trust relationship associated with the ASA's SSL\r\ncertificate to harvest VPN credentials to gain remote access to the victim's network. This MitM capability would\r\nallow the threat actors to harvest additional VPN credentials.\r\nAs an example, DNS records indicate that a targeted domain resolved to an actor-controlled MitM server. The\r\nfollowing day, Talos identified an SSL certificate with the subject common name of \"ASA Temporary Self Signed\r\nCertificate\" associated with the aforementioned IP address. This certificate was observed on both the actor-controlled IP address and on an IP address correlated with the victim organization.\r\nIn another case, the attackers were able to compromise NetNod, a non-profit, independent internet infrastructure\r\norganization based in Sweden. NetNod acknowledged the compromise in a public statement on February 5, 2019.\r\nUsing this access, the threat actors were able to manipulate the DNS records for sa1[.]dnsnode[.]net. This\r\nredirection allowed the attackers to harvest credentials of administrators who manage domains with the TLD of\r\nSaudi Arabia (.sa). It is likely that there are additional Saudi Arabia-based victims from this attack.\r\nIn one of the more recent campaigns on March 27, 2019, the threat actors targeted the Sweden-based consulting\r\nfirm Cafax. On Cafax's public webpage, the company states that one of their consultants actively manages the\r\ni[.]root-server[.]net zone. NetNod managed this particular DNS server zone. We assess with high confidence that\r\nthis organization was targeted in an attempt to re-establish access to the NetNod network, which was previously\r\ncompromised by this threat actor.\r\nPrimary and secondary victims\r\nWe identified 40 different organizations that have been targeted during this campaign. The victim organizations\r\nappear to be broadly grouped into two different categories. 
The first group of victims, which we refer to as\r\nprimary victims, was almost entirely located in the Middle East and North Africa. Some examples of\r\norganizations that were compromised include:\r\nMinistries of foreign affairs\r\nMilitary organizations\r\nIntelligence agencies\r\nProminent energy organizations\r\nThe second cluster of victim organizations were likely compromised to help enable access to these primary\r\ntargets. These organizations were located around the world; however, they were mostly concentrated in the Middle\r\nEast and North Africa. Some examples of organizations that were compromised include:\r\nTelecommunications organizations\r\nInternet service providers\r\nInformation technology firms\r\nRegistrars\r\nOne registry\r\nNotably, the threat actors were able to gain access to registrars that manage ccTLDs for Amnic, which is listed as\r\nthe technical contact on IANA for the ccTLD .am. Obtaining access to these ccTLD registrars would have allowed\r\nattackers to hijack any domain that used those ccTLDs.\r\nHow is this tradecraft different?\r\nThe threat actors behind the Sea Turtle campaign have proven to be highly capable, as they have been able to\r\nperform operations for over two years and have been undeterred by public reports documenting various aspects of\r\ntheir activity. 
This cyber threat campaign represents the first known case of a domain name registry organization\r\nthat was compromised for cyber espionage operations.\r\nIn order to distinguish this activity from the previous reporting on other attackers, such as those affiliated with\r\nDNSpionage, below is a list of traits that are unique to the threat actors behind the Sea Turtle campaign:\r\nThese actors perform DNS hijacking through the use of actor-controlled name servers.\r\nThese actors have been more aggressive in targeting DNS registries and a number of\r\nregistrars, including those that manage ccTLDs.\r\nThese actors use Let's Encrypt, Comodo, Sectigo, and self-signed certificates in their MitM servers to gain\r\nthe initial round of credentials.\r\nOnce they have access to the network, they steal the organization's legitimate SSL certificate and use it on\r\nactor-controlled servers.\r\nWhy was it so successful?\r\nWe believe that the Sea Turtle campaign continues to be highly successful for several reasons. First, the actors\r\nemploy a unique approach to gain access to the targeted networks. Most traditional security products such as IDS\r\nand IPS systems are not designed to monitor and log DNS requests. The threat actors were able to achieve this\r\nlevel of success because the DNS domain space system added security into the equation as an afterthought. Had\r\nmore ccTLDs implemented security features such as registrar locks, attackers would be unable to redirect the\r\ntargeted domains.\r\nThe threat actors also used an interesting technique called certificate impersonation. This technique was\r\nsuccessful in part because the SSL certificates were created to provide confidentiality, not integrity. 
The attackers\r\nstole organizations' SSL certificates associated with security appliances such as ASA to obtain VPN credentials,\r\nallowing the actors to gain access to the targeted network.\r\nThe threat actors were able to maintain long-term persistent access to many of these networks by utilizing\r\ncompromised credentials.\r\nWe will continue to monitor Sea Turtle and work with our partners to understand the threat as it continues to\r\nevolve to ensure that our customers remain protected and the public is informed.\r\nMitigation strategy\r\nIn order to best protect against this type of attack, we compiled a list of potential actions. Talos suggests using a\r\nregistry lock service, which will require an out-of-band message before any changes can occur to an organization's\r\nDNS record. If your registrar does not offer a registry lock service, we recommend implementing multi-factor\r\nauthentication, such as DUO, to access your organization's DNS records. If you suspect you were targeted by this\r\ntype of intrusion activity, we recommend instituting a network-wide password reset, preferably from a computer\r\non a trusted network. Lastly, we recommend applying patches, especially on internet-facing machines. 
Network\r\nadministrators can monitor passive DNS records on their domains to check for abnormalities.\r\nCoverage\r\nCVE-2009-1151: PHP code injection vulnerability affecting phpMyAdmin\r\nSID: 2281\r\nCVE-2014-6271: RCE affecting GNU bash system, specifically the SMTP (this was part of the Shellshock CVEs)\r\nSID: 31975 - 31978, 31985, 32038, 32039, 32041 - 32043, 32069, 32335, 32336\r\nCVE-2017-3881: RCE for Cisco switches\r\nSID: 41909 - 41910\r\nCVE-2017-6736: Remote Code Exploit (RCE) for Cisco integrated Service Router 2811\r\nSID: 43424 - 43432\r\nCVE-2017-12617: RCE affecting Apache web servers running Tomcat\r\nSID: 44531\r\nCVE-2018-0296: Directory traversal to gain unauthorized access to Cisco Adaptive Security Appliances (ASAs)\r\nand Firewalls\r\nSID: 46897\r\nCVE-2018-7600: RCE for websites built with Drupal aka \"Drupalgeddon\"\r\nSID: 46316\r\nIndicators of Compromise\r\nThe threat actors utilized leased IP addresses from organizations that offer virtual private server (VPS) services.\r\nThese VPS providers have since resold many of these IP addresses to various benign customers. 
To help network\r\ndefenders, we have included the IP address, as well as the month(s) that the IP address was associated with the\r\nthreat actor.\r\nThe following list contains the threat actor name server domains and their IP address.\r\nDomain Active Timeframe IP address\r\nns1[.]intersecdns[.]com March - April 2019 95.179.150.101\r\nns2[.]intersecdns[.]com March - April 2019 95.179.150.101\r\nns1[.]lcjcomputing[.]com January 2019 95.179.150.101\r\nns2[.]lcjcomputing[.]com January 2019 95.179.150.101\r\nSource: https://blog.talosintelligence.com/seaturtle/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.talosintelligence.com/seaturtle/"
	],
	"report_names": [
		"seaturtle"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8d76e350-dfb5-4733-800d-876de41f690d",
			"created_at": "2023-01-06T13:46:38.841887Z",
			"updated_at": "2026-04-10T02:00:03.119083Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [
				"COBALT EDGEWATER"
			],
			"source_name": "MISPGALAXY:DNSpionage",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4632103e-8035-4a83-9ecb-c1e12e21288c",
			"created_at": "2022-10-25T16:07:23.542255Z",
			"updated_at": "2026-04-10T02:00:04.64888Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [],
			"source_name": "ETDA:DNSpionage",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"CACTUSPIPE",
				"DNSpionage",
				"DropperBackdoor",
				"Karkoff",
				"MailDropper",
				"OILYFACE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434058,
	"ts_updated_at": 1775791946,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0fd00c87a492ab822d22bd5c7140cd00f2eabdbf.pdf",
		"text": "https://archive.orkl.eu/0fd00c87a492ab822d22bd5c7140cd00f2eabdbf.txt",
		"img": "https://archive.orkl.eu/0fd00c87a492ab822d22bd5c7140cd00f2eabdbf.jpg"
	}
}