{
	"id": "60e12a77-41b6-40dd-b0c1-9b1c78a6b4c8",
	"created_at": "2026-04-06T00:15:16.206957Z",
	"updated_at": "2026-04-10T03:38:20.66592Z",
	"deleted_at": null,
	"sha1_hash": "101d6e4515e730e85c9751f702244cd46b45cb61",
	"title": "Looking at Big Threats Using Code Similarity. Part 1",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7652454,
	"plain_text": "Looking at Big Threats Using Code Similarity. Part 1\r\nBy Costin Raiu\r\nPublished: 2020-06-09 · Archived: 2026-04-05 21:42:56 UTC\r\nToday, we are announcing the release of KTAE, the Kaspersky Threat Attribution Engine. This code attribution technology,\r\ndeveloped initially for internal use by the Kaspersky Global Research and Analysis Team, is now being made available to a\r\nwider audience. You can read more about KTAE in our official press release, or go directly to its info page on the Kaspersky\r\nEnterprise site. From an internal tool, to prototype and product, this is a road which took about 3 years. We tell the story of\r\nthis trip below, while throwing in a few code examples as well. However, before diving into KTAE, it’s important to talk\r\nabout how it all started, on a sunny day, approximately three years ago.\r\nMay 12, 2017, a Friday, started in a very similar fashion to many other Fridays: I woke up, made coffee, showered and drove\r\nto work. As I was reading e-mails, one message from a colleague in Spain caught my attention. Its subject said “Crisis …\r\n(and more)”. Now, crisis (and more!) is not something that people appreciate on a Friday, and it wasn’t April 1st either.\r\nGoing through the e-mail from my colleague, it became obvious something was going on in several companies around the\r\nworld. The e-mail even had an attachment with a photo, which is now world famous:\r\nSoon after that, Spain’s Computer Emergency Response Team CCN-CERT, posted an alert on their site about a massive\r\nransomware attack affecting several Spanish organizations. The alert recommended the installation of updates in the\r\nMicrosoft March 2017 Security Bulletin as a means of stopping the spread of the attack. Meanwhile, the National Health\r\nService (NHS) in the U.K. 
also issued an alert and confirmed infections at 16 medical institutions.\r\nAs we dug into the attack, we confirmed additional infections in several other countries, including Russia, Ukraine, and\r\nIndia.\r\nQuite essential in stopping these attacks was the Kaspersky System Watcher component. The System Watcher component\r\nhas the ability to roll back the changes done by ransomware in the event that a malicious sample manages to bypass other\r\ndefenses. This is extremely useful in case a ransomware sample slips past defenses and attempts to encrypt the data on the\r\ndisk.\r\nAs we kept analysing the attack, we started learning more things; for instance, the infection relied on a famous exploit\r\n(codenamed “EternalBlue”), that had been made available on the internet through the Shadowbrokers dump on April 14th,\r\n2017 and patched by Microsoft on March 14. Despite the fact the patch had been available for two months, it appeared that\r\nhttps://securelist.com/big-threats-using-code-similarity-part-1/97239/\r\nPage 1 of 13\n\nmany companies didn’t patch. We put together a couple of blogs, updated our technical support pages and made sure all\r\nsamples were detected and blocked even on systems that were vulnerable to the EternalBlue exploit.\r\nWannaCry ransomware used in widespread attacks all over the world\r\nWannaCry FAQ: What you need to know today\r\nMeanwhile, as everyone was trying to research the samples, we were scouting for any possible links to known criminal or\r\nAPT groups, trying to determine how a newcomer malware was able to cause such a pandemic in just a few days. The\r\nexplanation here is simple – for ransomware, it is not very often that we get to see completely new, built from scratch,\r\npandemic-level samples. In most cases, ransomware attacks make use of some popular malware that is sold by criminals on\r\nunderground forums or “as a service”.\r\nAnd yet, we couldn’t spot any links with known ransomware variants. 
Things became a bit clearer on Monday evening,\r\nwhen Neel Mehta, a researcher at Google, posted a mysterious message on Twitter with the #WannaCryptAttribution\r\nhashtag:\r\nThe cryptic message in fact referred to a similarity between two samples that share code. The two samples Neel refers\r\nto in the post were:\r\nA WannaCry sample from February 2017 which looks like a very early variant\r\nA Lazarus APT group sample from February 2015\r\nThe similarity can be observed in the screenshot below, comparing the two samples, with the shared code highlighted:\r\nAlthough some people doubted the link, we immediately realized that Neel Mehta was right. We put together a blog diving\r\ninto this similarity, “WannaCry and Lazarus Group – the missing link?”. The discovery of this code overlap was obviously\r\nnot a random hit. For years, Google integrated the technology they acquired from Zynamics into their analysis tools, making\r\nit possible to cluster together malware samples based on shared code. Obviously, the technology seemed to work rather\r\nnicely. Interestingly, one month later, an article was published suggesting the NSA also reportedly believed in this link.\r\nThinking about the story, the overlap between WannaCry and Lazarus, we put a plan together – what if we built a\r\ntechnology that can quickly identify code reuse between malware attacks and pinpoint the likely culprits in future cases?\r\nThe goal would be to make this technology more widely available, to help threat hunters, SOCs and CERTs speed up\r\nincident response or malware triage. The first prototype for this new technology was available internally in June 2017, and we\r\ncontinued to work on it, fine-tuning it, over the next months.\r\nIn principle, the problem of code similarity is relatively easy. 
Several approaches have been tested and discussed in the past,\r\nincluding:\r\nCalculating checksums for subroutines and comparing them against a database\r\nReconstructing the code flow and creating a graph from it; comparing graphs for similar structures\r\nExtracting n-grams and comparing them against a database\r\nUsing fuzzy hashes on the whole file or parts of it\r\nUsing metadata, such as the rich header, exports or other parts of the file; although this isn’t code similarity, it can\r\nstill yield some very good results\r\nTo find the common code between two malware samples, one can, for instance, extract all 8-16 byte strings, then check for\r\noverlaps. There are two main problems with that, though:\r\nOur malware collection is too big; if we want to do this for all the files we have, we’d need a large computing cluster\r\n(read: thousands of machines) and lots of storage (read: Petabytes)\r\nCapex too small\r\nAdditionally, doing this massive code extraction, profiling and storage, not to mention searching, in an efficient way that we\r\ncan provide as a stand-alone box, VM or appliance is another level of complexity.\r\nTo refine the approach, we started experimenting with code-based Yara rules. The idea was also simple and beautiful: create a Yara rule\r\nfrom the unique code found in a sample, then use our existing systems to scan the malware collection with that Yara rule.\r\nHere’s one such example, inspired by WannaCry:\r\nThis innocent-looking Yara rule above catches BlueNoroff (malware used in the Bangladesh Bank Heist), ManusCrypt (a\r\nmore complex malware used by the Lazarus APT, also known as FALLCHILL) and Decafett, a keylogger that we previously\r\ncouldn’t associate with any known APT.\r\nA breakthrough in terms of identifying shared code came in Sep 2017, when for the first time we were able to associate a\r\nnew, “unknown” malware with a known entity or set of tools. 
This happened during the #CCleaner incident, which was\r\ninitially spotted by Morphisec and Cisco Talos.\r\nIn particular, our technology spotted a fragment of code, part of a custom base64 encoding subroutine, in the Cbkrdr\r\nshellcode loader that was identical to one seen in a previous malware sample named Missl, allegedly used by APT17:\r\nDigging deeper, we identified at least three malware families that shared this code: Missl, Zoxpng/Gresim and Hikit, as\r\nshown below in the Yara hits:\r\nIn particular, the hits above are the results of running a custom Yara rule, based on what we call “genotypes” – unique\r\nfragments of code, extracted from a malware sample, that do not appear in any clean sample and are specific to that malware\r\nfamily (as opposed to being a known piece of library code, such as zlib for instance).\r\nAs a side note, Kris McConkey from PwC delivered a wonderful dive into Axiom’s tools during his talk “Following APT\r\nOpSec failures” at SAS 2015 – highly recommended if you’re interested in learning more about this APT super-group.\r\nSoon, the Kaspersky Threat Attribution Engine – “KTAE” – also nicknamed internally “Yana”, became one of the most\r\nimportant tools in our analysis cycle.\r\nDigging deeper, or more case studies\r\nThe United States Cyber Command, or in short, “USCYBERCOM”, began posting samples to VirusTotal in November\r\n2018, an excellent move in our opinion. The only drawback for these uploads was the lack of any context, such as the\r\nmalware family, if it’s APT or criminal, which group uses them and whether they were found in the wild, or scooped from\r\ncertain places. 
Although the first upload, a repurposed Absolute Computrace loader, wasn’t much of an issue to recognize,\r\nan upload from May 2019 was a bit trickier to identify. This was immediately flagged as Sofacy by our technology, in\r\nparticular, as similar to known XTunnel samples, a backdoor used by the group. Here’s how the KTAE report looks for\r\nthe sample in question:\r\nAnalysis for d51d485f98810ab1278df4e41b692761\r\nIn February 2020, USCYBERCOM posted another batch of samples that we quickly checked with KTAE. The results\r\nindicated a pack of different malware families, used by several APT groups, including Lazarus, with their BlueNoroff\r\nsubgroup, Andariel, HollyCheng, with shared code fragments stretching back to the DarkSeoul attack, Operation\r\nBlockbuster and the SPE Hack.\r\nGoing further, USCYBERCOM posted another batch of samples in May 2020, for which KTAE revealed a similar pattern.\r\nOf course, one might wonder, what else can KTAE do besides helping with the identification of VT dumps from\r\nUSCYBERCOM?\r\nFor a more practical check, we looked at the samples from the 2018 SingHealth data breach that, according to Wikipedia,\r\nwas initiated by unidentified state actors. Although most samples used in the attack are rather custom and do not show any\r\nsimilarity with previous attacks, two of them have rather interesting links:\r\nKTAE analysis for two samples used in the SingHealth data breach\r\nMofang, a suspected Chinese-speaking threat actor, was described in more detail in 2016 by this FOX-IT research paper,\r\nwritten by Yonathan Klijnsma and his colleagues. Interestingly, the paper also mentioned Singapore as a suspected country\r\nwhere this actor is active. 
Although the similarity is extremely weak, 4% and 1% respectively, these hits can easily point the\r\ninvestigator in the right direction for further investigation.\r\nAnother interesting case is the discovery and publication (“DEADLYKISS: HIT ONE TO RULE THEM ALL. TELSY\r\nDISCOVERED A PROBABLE STILL UNKNOWN AND UNTREATED APT MALWARE AIMED AT COMPROMISING\r\nINTERNET SERVICE PROVIDERS“) from our colleagues at Telsy of a new, previously unknown malware deemed\r\n“DeadlyKiss”. A quick check with KTAE on the artifact with sha256\r\nc0d70c678fcf073e6b5ad0bce14d8904b56d73595a6dde764f95d043607e639b (md5: 608f3f7f117daf1dc9378c4f56d5946f)\r\nreveals a couple of interesting similarities with other Platinum APT samples, both in terms of code and unique strings.\r\nAnalysis for 608f3f7f117daf1dc9378c4f56d5946f\r\nAnother interesting case presented itself when we were analysing a set of files included in one of the Shadowbrokers dumps.\r\nAnalysis for 07cc65907642abdc8972e62c1467e83b\r\nIn the case above, “cnli-1.dll” (md5: 07cc65907642abdc8972e62c1467e83b) is flagged as being up to 8% similar to Regin.\r\nLooking into the file, we spot this as a DLL, with a number of custom-looking exports:\r\nLooking into these exports, for instance, fileWriteEx, shows the library has actually been created to act as a wrapper for\r\npopular IO functions, most likely for portability purposes, enabling the code to be compiled for different platforms:\r\nSpeaking of multiplatform malware, recently, our colleagues from Leonardo published their awesome analysis of a new set\r\nof Turla samples, targeting Linux systems. Originally, we published about those in 2014, when we discovered Turla\r\nPenquin, which is one of this group’s backdoors for Linux. 
One of these samples (sha256:\r\n67d9556c695ef6c51abf6fbab17acb3466e3149cf4d20cb64d6d34dc969b6502) was uploaded to VirusTotal in April 2020. A\r\nquick check in KTAE for this sample reveals the following:\r\nAnalysis for b4587870ecf51e8ef67d98bb83bc4be7 – Turla 64 bit Penquin sample\r\nWe can see a very high degree of similarity with two other samples (99% and 99% respectively) as well as other lower\r\nsimilarity hits to other known Turla Penquin samples. Looking at the strings they have in common, we immediately spot a\r\nfew very good candidates for Yara rules—quite notably, some of them were already included in the Yara rules that Leonardo\r\nprovided with their paper.\r\nWhen code similarity fails\r\nWhen looking at an exciting, brand new technology, sometimes it’s easy to overlook any drawbacks and limitations.\r\nHowever, it’s important to understand that code similarity technologies can only point in a certain direction, while it’s still\r\nthe analyst’s duty to verify and confirm the leads. As one of my friends used to say, “the best malware similarity technology\r\nis still not a replacement for your brain” (apologies, dear friend, if the quote is not 100% exact, that was some time ago).\r\nThis leads us to the case of OlympicDestroyer, a very interesting attack, originally described and named by Cisco Talos.\r\nIn their blog, the Cisco Talos researchers also pointed out that OlympicDestroyer used similar techniques to Badrabbit and\r\nNotPetya to reset the event log and delete backups. Although the intention and purpose of both implementations of the\r\ntechniques are similar, there are many differences in the code semantics. 
It’s definitely not copy-pasted code, and because\r\nthe command lines were publicly discussed on security blogs, these simple techniques became available to anyone who\r\nwants to use them.\r\nIn addition, Talos researchers noted that the evtchk.txt filename, which the malware used as a potential false flag during its\r\noperation, was very similar to the filenames (evtdiag.exe, evtsys.exe and evtchk.bat) used by BlueNoroff/Lazarus in the\r\nBangladesh SWIFT cyberheist in 2016.\r\nSoon after the Talos publication, the Israeli company IntezerLabs tweeted that they had found links to Chinese APT groups.\r\nAs a side note, IntezerLabs have an exceptional code similarity technology themselves that you can check out by visiting\r\ntheir site at analyze.intezer.com.\r\nIntezerLabs further released a blog post with an analysis of features found using their in-house malware similarity\r\ntechnology.\r\nA few days later, media outlets started publishing articles suggesting potential motives and activities by Russian APT\r\ngroups: “Crowdstrike Intelligence said that in November and December of 2017 it had observed a credential harvesting\r\noperation operating in the international sporting sector. 
At the time it attributed this operation to Russian hacking group\r\nFancy Bear”…\r\nOn the other hand, Crowdstrike’s own VP of Intelligence, Adam Meyers, in an interview with the media, said: “There is no\r\nevidence connecting Fancy Bear to the Olympic attack”.\r\nAnother company, Recorded Future, decided not to attribute this attack to any actor; however, they claimed that they found\r\nsimilarities to the LimaCharlie malware loaders of BlueNoroff/Lazarus, actors widely believed to be North Korean.\r\nDuring this “attribution hell”, we also used KTAE to check the samples for any possible links to previously known campaigns.\r\nAnd amazingly, KTAE discovered a unique pattern that also linked Olympic Destroyer to Lazarus. A combination of certain\r\ncode development environment features stored in executable files, known as a Rich header, may be used as a fingerprint\r\nidentifying the malware authors and their projects in some cases. In the case of the Olympic Destroyer wiper sample\r\nanalyzed by Kaspersky, this “fingerprint” produced a match with a previously known Lazarus malware sample. Here’s how\r\ntoday’s KTAE reports it:\r\nAnalysis for 3c0d740347b0362331c882c2dee96dbf\r\nThe 4% similarity shown above comes from the matches in the sample’s Rich header. Initially, we were surprised to find the\r\nlink, even though it made sense; other companies also spotted the similarities and Lazarus was already known for many\r\ndestructive attacks. Something seemed odd though. The possibility of North Korean involvement looked way off mark,\r\nespecially since Kim Jong-un’s own sister attended the opening ceremony in Pyeongchang. According to our forensic\r\nfindings, the attack was started immediately before the official opening ceremony on 9 February, 2018. 
As we dug deeper\r\ninto this case, we concluded it was an elaborate false flag; further research allowed us to associate the attack with the Hades\r\nAPT group (make sure you also read our analysis: “Olympic destroyer is here to trick the industry“).\r\nThis proves that even the best attribution or code similarity technology can be influenced by a sophisticated attacker, and the\r\ntools shouldn’t be relied upon blindly. Of course, in 9 out of 10 cases, the hints work very well. As actors become more and\r\nmore skilled and attribution becomes a sensitive geopolitical topic, we might experience more false flags such as the ones\r\nfound in OlympicDestroyer.\r\nIf you liked this blog, then you can hear more about KTAE and using it to generate effective Yara rules during the upcoming\r\n“GReAT Ideas, powered by SAS” webinar, where, together with my colleague Kurt Baumgartner, we will be discussing\r\npractical threat hunting and how KTAE can boost your research. Make sure to register for GReAT Ideas, powered by SAS,\r\nby clicking here.\r\nRegister: https://www.brighttalk.com/webcast/15591/414427\r\nNote: more information about the APTs discussed here, as well as KTAE, is available to customers of Kaspersky\r\nIntelligence Reporting. Contact: intelreports@kaspersky.com\r\nSource: https://securelist.com/big-threats-using-code-similarity-part-1/97239/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/big-threats-using-code-similarity-part-1/97239/"
	],
	"report_names": [
		"97239"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cea5ceec-0f14-4e34-bd0e-4074bc1a707d",
			"created_at": "2022-10-25T15:50:23.629983Z",
			"updated_at": "2026-04-10T02:00:05.362084Z",
			"deleted_at": null,
			"main_name": "Axiom",
			"aliases": [
				"Group 72"
			],
			"source_name": "MITRE:Axiom",
			"tools": [
				"ZxShell",
				"gh0st RAT",
				"Zox",
				"PlugX",
				"Hikit",
				"PoisonIvy",
				"Derusbi",
				"Hydraq"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2150d1ac-edf0-46d4-a78a-a8899e45b2b5",
			"created_at": "2022-10-25T15:50:23.269339Z",
			"updated_at": "2026-04-10T02:00:05.402835Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"APT17",
				"Deputy Dog"
			],
			"source_name": "MITRE:APT17",
			"tools": [
				"BLACKCOFFEE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2939cf7-76f8-4080-9ba1-42ccb4016b3b",
			"created_at": "2022-10-25T15:50:23.53328Z",
			"updated_at": "2026-04-10T02:00:05.372938Z",
			"deleted_at": null,
			"main_name": "Mofang",
			"aliases": [
				"Mofang"
			],
			"source_name": "MITRE:Mofang",
			"tools": [
				"ShimRatReporter",
				"ShimRat"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7d8ef10e-1d7b-49a0-ab6e-f1dae465a1a4",
			"created_at": "2023-01-06T13:46:38.595679Z",
			"updated_at": "2026-04-10T02:00:03.033762Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"TwoForOne",
				"G0068",
				"ATK33"
			],
			"source_name": "MISPGALAXY:PLATINUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "db318f04-09e6-4c57-b0e9-3f71f0b2de94",
			"created_at": "2023-01-06T13:46:38.648954Z",
			"updated_at": "2026-04-10T02:00:03.054266Z",
			"deleted_at": null,
			"main_name": "Mofang",
			"aliases": [
				"BRONZE WALKER"
			],
			"source_name": "MISPGALAXY:Mofang",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "df9bfbf1-bb9d-492f-b381-95b9e1482267",
			"created_at": "2022-10-25T16:07:24.394491Z",
			"updated_at": "2026-04-10T02:00:04.973663Z",
			"deleted_at": null,
			"main_name": "Whitefly",
			"aliases": [
				"ATK 83",
				"Bronze Walker",
				"G0103",
				"G0107",
				"Mofang",
				"SectorM04",
				"TEMP.Mimic"
			],
			"source_name": "ETDA:Whitefly",
			"tools": [
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Nibatad",
				"Shim RAT",
				"ShimRAT",
				"Vcrodat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e61c46f7-88a1-421a-9fed-0cfe2eeb820a",
			"created_at": "2022-10-25T16:07:24.061767Z",
			"updated_at": "2026-04-10T02:00:04.854503Z",
			"deleted_at": null,
			"main_name": "Platinum",
			"aliases": [
				"ATK 33",
				"G0068",
				"Operation EasternRoppels",
				"TwoForOne"
			],
			"source_name": "ETDA:Platinum",
			"tools": [
				"AMTsol",
				"Adupib",
				"Adupihan",
				"Dipsind",
				"DvDupdate.dll",
				"JPIN",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"RedPepper",
				"RedSalt",
				"Titanium",
				"adbupd",
				"psinstrc.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "68cc6e37-f16d-4995-a75b-5e8e2a6cbb3d",
			"created_at": "2024-05-01T02:03:07.943593Z",
			"updated_at": "2026-04-10T02:00:03.795229Z",
			"deleted_at": null,
			"main_name": "BRONZE EDISON",
			"aliases": [
				"APT4 ",
				"DarkSeoul",
				"Maverick Panda ",
				"Salmon Typhoon ",
				"Sodium ",
				"Sykipot ",
				"TG-0623 ",
				"getkys"
			],
			"source_name": "Secureworks:BRONZE EDISON",
			"tools": [
				"Gh0st RAT",
				"Wkysol",
				"ZxPortMap"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a7aefdda-98f1-4790-a32d-14cc99de2d60",
			"created_at": "2023-01-06T13:46:38.281844Z",
			"updated_at": "2026-04-10T02:00:02.909711Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"BRONZE KEYSTONE",
				"G0025",
				"Group 72",
				"G0001",
				"HELIUM",
				"Heart Typhoon",
				"Group 8",
				"AURORA PANDA",
				"Hidden Lynx",
				"Tailgater Team"
			],
			"source_name": "MISPGALAXY:APT17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def",
			"created_at": "2025-08-07T02:03:24.626625Z",
			"updated_at": "2026-04-10T02:00:03.605175Z",
			"deleted_at": null,
			"main_name": "BRONZE KEYSTONE",
			"aliases": [
				"APT17 ",
				"Aurora Panda ",
				"DeputyDog ",
				"Group 72 ",
				"Hidden Lynx ",
				"TG-8153 ",
				"Tailgater Team"
			],
			"source_name": "Secureworks:BRONZE KEYSTONE",
			"tools": [
				"9002",
				"BlackCoffee",
				"DeputyDog",
				"Derusbi",
				"Gh0stHTTPSDropper",
				"HiKit",
				"InternalCMD",
				"PlugX",
				"PoisonIvy",
				"ZxShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5c74936a-79d1-41b8-81eb-01d03c90a26b",
			"created_at": "2022-10-25T16:07:23.371052Z",
			"updated_at": "2026-04-10T02:00:04.570621Z",
			"deleted_at": null,
			"main_name": "Axiom",
			"aliases": [
				"G0001",
				"Group 72",
				"Operation SMN"
			],
			"source_name": "ETDA:Axiom",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"BleDoor",
				"Chymine",
				"Darkmoon",
				"DeputyDog",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"Poison Ivy",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Roarur",
				"SPIVY",
				"Sensocode",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"ZXShell",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "33f527a5-a5da-496a-a48c-7807cc858c3e",
			"created_at": "2022-10-25T15:50:23.803657Z",
			"updated_at": "2026-04-10T02:00:05.333523Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"PLATINUM"
			],
			"source_name": "MITRE:PLATINUM",
			"tools": [
				"JPIN",
				"Dipsind",
				"adbupd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "728d2c2c-c4af-4cdc-8723-5d3aa97924a8",
			"created_at": "2024-05-01T02:03:08.002557Z",
			"updated_at": "2026-04-10T02:00:03.669852Z",
			"deleted_at": null,
			"main_name": "BRONZE WALKER",
			"aliases": [
				"CTG-2810 ",
				"Mofang "
			],
			"source_name": "Secureworks:BRONZE WALKER",
			"tools": [
				"ShimRat",
				"Superman"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434516,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/101d6e4515e730e85c9751f702244cd46b45cb61.pdf",
		"text": "https://archive.orkl.eu/101d6e4515e730e85c9751f702244cd46b45cb61.txt",
		"img": "https://archive.orkl.eu/101d6e4515e730e85c9751f702244cd46b45cb61.jpg"
	}
}