{ "id": "4837080a-6ce0-43d1-9af4-ef4df5238081", "created_at": "2026-04-06T03:37:31.782258Z", "updated_at": "2026-04-10T13:12:32.612338Z", "deleted_at": null, "sha1_hash": "10203915a66fac3a506a778baf1a9241927b7002", "title": "SysKit (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 43986, "plain_text": "SysKit (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-06 03:15:11 UTC\r\nwin.syskit (Back to overview)\r\nSysKit\r\naka: IvizTech, MANGOPUNCH\r\nActor(s): APT35, Tortoiseshell\r\nThere is no description at this point.\r\nReferences\r\n2021-07-28 ⋅ Proofpoint ⋅ Crista Giering, Joshua Miller, Michael Raggi\r\nI Knew You Were Trouble: TA456 Targets Defense Contractor with Alluring Social Media Persona\r\nLiderc SysKit\r\n2021-07-15 ⋅ Facebook ⋅ David Agranovich, Mike Dvilyanski\r\nTaking Action Against Hackers in Iran\r\nLiderc SysKit\r\n2019-09-25 ⋅ Twitter (@QW5kcmV3) ⋅ Andrew Thompson\r\nTweet on APT35 activity\r\nSysKit\r\n2019-09-24 ⋅ Cisco Talos ⋅ Jungsoo An, Paul Rascagnères, Warren Mercer\r\nHow Tortoiseshell created a fake veteran hiring website to host malware\r\nLiderc SysKit\r\n2019-09-24 ⋅ DARKReading ⋅ Kelly Jackson Higgins\r\nIranian Government Hackers Target US Veterans\r\nSysKit Tortoiseshell\r\n2019-09-18 ⋅ Symantec ⋅ Security Response Attack Investigation Team\r\nTortoiseshell Group Targets IT Providers in Saudi Arabia in Probable Supply Chain Attacks\r\nSysKit Tortoiseshell\r\nThere is no Yara-Signature yet.\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.syskit\r\nPage 1 of 2\n\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.syskit\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.syskit\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.syskit" ], "report_names": [ "win.syskit" ], "threat_actors": [ { "id": "d8af157e-741b-4933-bb4a-b78490951d97", "created_at": "2023-01-06T13:46:38.748929Z", "updated_at": "2026-04-10T02:00:03.087356Z", "deleted_at": null, "main_name": "APT35", "aliases": [ "COBALT MIRAGE", "Agent Serpens", "Newscaster Team", "Magic Hound", "G0059", "Phosphorus", "Mint Sandstorm", "TunnelVision" ], "source_name": "MISPGALAXY:APT35", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "84a3dd71-1d65-4997-80fc-7fbe55b267f2", "created_at": "2023-04-26T02:03:02.969306Z", "updated_at": "2026-04-10T02:00:05.341127Z", "deleted_at": null, "main_name": "CURIUM", "aliases": [ "CURIUM", "Crimson Sandstorm", "TA456", "Tortoise Shell", "Yellow Liderc" ], "source_name": "MITRE:CURIUM", "tools": [ "IMAPLoader" ], "source_id": "MITRE", "reports": null }, { "id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7", "created_at": "2023-01-06T13:46:39.054248Z", "updated_at": "2026-04-10T02:00:03.197801Z", "deleted_at": null, "main_name": "Tortoiseshell", "aliases": [ "Yellow Liderc", "Imperial Kitten", "Crimson Sandstorm", "Cuboid Sandstorm", "Smoke Sandstorm", "IMPERIAL KITTEN", "TA456", "DUSTYCAVE", "CURIUM" ], "source_name": "MISPGALAXY:Tortoiseshell", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4", "created_at": "2022-10-25T15:50:23.808974Z", "updated_at": "2026-04-10T02:00:05.291959Z", "deleted_at": null, "main_name": "Magic Hound", "aliases": [ "Magic Hound", "TA453", "COBALT ILLUSION", "Charming Kitten", "ITG18", "Phosphorus", "APT35", "Mint Sandstorm" ], "source_name": "MITRE:Magic Hound", "tools": [ "Impacket", "CharmPower", "FRP", "Mimikatz", "Systeminfo", "ipconfig", "netsh", "PowerLess", "Pupy", "DownPaper", "PsExec" ], "source_id": "MITRE", "reports": null }, { "id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03", "created_at": "2025-08-07T02:03:24.746965Z", "updated_at": "2026-04-10T02:00:03.640335Z", "deleted_at": null, "main_name": "COBALT ILLUSION", "aliases": [ "APT35 ", "APT42 ", "Agent Serpens Palo Alto", "Charming Kitten ", "CharmingCypress ", "Educated Manticore Checkpoint", "ITG18 ", "Magic Hound ", "Mint Sandstorm sub-group ", "NewsBeef ", "Newscaster ", "PHOSPHORUS sub-group ", "TA453 ", "UNC788 ", "Yellow Garuda " ], "source_name": "Secureworks:COBALT ILLUSION", "tools": [ "Browser Exploitation Framework (BeEF)", "MagicHound Toolset", "PupyRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "b5b24083-7ba6-44cc-9d11-a6274e2eee00", "created_at": "2022-10-25T16:07:24.337332Z", "updated_at": "2026-04-10T02:00:04.94285Z", "deleted_at": null, "main_name": "Tortoiseshell", "aliases": [ "Cobalt Fireside", "Crimson Sandstorm", "Cuboid Sandstorm", "Curium", "Devious Serpens", "Houseblend", "Imperial Kitten", "Marcella Flores", "Operation Fata Morgana", "TA456", "Yellow Liderc" ], "source_name": "ETDA:Tortoiseshell", "tools": [ "IMAPLoader", "Infostealer", "IvizTech", "LEMPO", "MANGOPUNCH", "SysKit", "get-logon-history.ps1", "liderc", "stereoversioncontrol" ], "source_id": "ETDA", "reports": null }, { "id": "591ffe81-e46b-4e3d-90c1-9bf42abeeb47", "created_at": "2025-08-07T02:03:24.726943Z", "updated_at": "2026-04-10T02:00:03.805423Z", "deleted_at": null, "main_name": "COBALT FIRESIDE", "aliases": [ "CURIUM ", "Crimson Sandstorm ", "Cuboid Sandstorm ", "DEV-0228 ", "HIVE0095 ", "Imperial Kitten ", "TA456 ", "Tortoiseshell ", "UNC3890 ", "Yellow Liderc " ], "source_name": "Secureworks:COBALT FIRESIDE", "tools": [ "FireBAK", "LEMPO", "LiderBird" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775446651, "ts_updated_at": 1775826752, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/10203915a66fac3a506a778baf1a9241927b7002.pdf", "text": "https://archive.orkl.eu/10203915a66fac3a506a778baf1a9241927b7002.txt", "img": "https://archive.orkl.eu/10203915a66fac3a506a778baf1a9241927b7002.jpg" } }