{
	"id": "84cabb35-cb54-4dfd-b9ac-e8408e49b1d8",
	"created_at": "2026-04-06T00:21:19.665115Z",
	"updated_at": "2026-04-10T03:36:47.961521Z",
	"deleted_at": null,
	"sha1_hash": "106f7d512f587c56cc68c378918113454fbc6fce",
	"title": "DNSpionage Campaign Targets Middle East",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 574238,
	"plain_text": "DNSpionage Campaign Targets Middle East\r\nBy Warren Mercer\r\nPublished: 2018-11-27 · Archived: 2026-04-05 14:50:26 UTC\r\nTuesday, November 27, 2018 10:02\r\nUpdate 2018-11-27 15:30:00 EDT: A Russian-language document has been removed. Subsequent analysis leads us to believe it is unrelated to this investigation.\r\nExecutive Summary\r\nCisco Talos recently discovered a new campaign targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains, as well as a private Lebanese airline company. Based on our research, it's clear that this adversary spent time understanding the victims' network infrastructure in order to remain under the radar and act as inconspicuously as possible during their attacks.\r\nBased on this actor's infrastructure and TTPs, we haven't been able to connect them with any other campaign or actor that's been observed recently. This particular campaign utilizes two fake, malicious websites containing job postings that are used to compromise targets via malicious Microsoft Office documents with embedded macros. The malware utilized by this actor, which we are calling \"DNSpionage,\" supports HTTP and DNS communication with the attackers.\r\nIn a separate campaign, the attackers used the same IP to redirect the DNS of legitimate .gov and private company domains. During each DNS compromise, the actor carefully generated Let's Encrypt certificates for the redirected domains. Let's Encrypt provides X.509 certificates for TLS free of charge to the user. 
We don't know at this time if the DNS redirections were successful.\r\nIn this post, we will break down the attackers' methods and show how they used malicious documents to attempt to trick users into opening malicious websites that are disguised as \"help wanted\" sites for job seekers. Additionally, we will describe the malicious DNS redirection and the timeline of the events.\r\nInfection Vectors\r\nFake job websites\r\nThe attackers' first attempt to compromise the user involved two malicious websites that mimicked legitimate sites that host job listings:\r\nhr-wipro[.]com (with a redirection to wipro.com)\r\nhr-suncor[.]com (with a redirection to suncor.com)\r\nThese sites hosted a malicious Microsoft Office document: hxxp://hr-suncor[.]com/Suncor_employment_form[.]doc. The document is a copy of a legitimate file available on the website for Suncor Energy, a Canadian sustainable energy company, and contains a malicious macro.\r\nAt this time, we don't know how the target received these links. The attackers most likely sent the malicious document via email as part of a spear-phishing campaign, but it also could have circulated via social media platforms, such as LinkedIn, in an attempt to legitimize the opportunity for a new job.\r\nMalicious Office document\r\nUpon opening the first Office document, the user receives a message that says \"Content Mode Available:\"\r\nMacros used\r\nThe macros of the analysed samples can be divided into two steps:\r\n1. When the document is opened, the macro will decode a PE file encoded with base64 and will drop it in %UserProfile%\\.oracleServices\\svshost_serv.doc\r\n2. When the document is closed, the macro will rename the file \"svshost_serv.doc\" to \"svshost_serv.exe.\" Then, the macro creates a scheduled task named \"chromium updater v 37.5.0\" in order to execute the binary. 
The scheduled task is executed immediately and repeatedly every minute. The purpose of these two steps is to avoid sandbox detection.\r\nThe payload is executed when Microsoft Office is closed, meaning it requires human interaction to deploy it. The macros, while available through analysis, are also password-protected in Microsoft Word to stop the victim from exploring the macro code via Microsoft Office.\r\nAdditionally, the macro uses classical string obfuscation in order to avoid string detection:\r\nThe \"schedule.service\" string is created by concatenation. The final payload is a remote administration tool that we named \"DNSpionage.\"\r\nDNSpionage Malware\r\nMalware analysis\r\nThe malware dropped by the malicious document is an undocumented remote administration tool. We are naming it DNSpionage due to the fact that it supports DNS tunneling as a covert channel to communicate with the attackers' infrastructure.\r\nDNSpionage creates its own data in the running directory:\r\n%UserProfile%\\.oracleServices/\r\n%UserProfile%\\.oracleServices/Apps/\r\n%UserProfile%\\.oracleServices/Configure.txt\r\n%UserProfile%\\.oracleServices/Downloads/\r\n%UserProfile%\\.oracleServices/log.txt\r\n%UserProfile%\\.oracleServices/svshost_serv.exe\r\n%UserProfile%\\.oracleServices/Uploads/\r\nThe Downloads directory is used by the attackers to store additional scripts and tools downloaded from the C2 server.\r\nThe Uploads directory is used by the attacker to temporarily store files before exfiltrating them to the C2 server.\r\nThe log.txt file contains logs in plain text. All the executed commands can be logged in this file, which also contains the results of the commands.\r\nThe last file is Configure.txt. As expected, this file contains the malware configuration. 
The attackers can specify a custom command and control (C2) server URL, a URI and a domain that serves as a DNS covert channel. Additionally, the attackers can specify a custom base64 alphabet for obfuscation. We discovered that the attackers used a custom alphabet for each target.\r\nAll the data is transferred in JSON, which is why a large part of the malware's code is the JSON library.\r\nCommunication Channels\r\nThe malware uses HTTP and DNS in order to communicate with the C2 server.\r\nHTTP Mode\r\nA DNS request (to 0ffice36o[.]com) is performed with random data encoded with base64. This request registers the infected system and receives the IP of an HTTP server (185.20.184.138 during the investigation). An example of a DNS request:\r\nyyqagfzvwmd4j5ddiscdgjbe6uccgjaq[.]0ffice36o[.]com\r\nThe malware is able to craft DNS requests used to provide the attacker with further information. Here is an example of such a request:\r\noGjBGFDHSMRQGQ4HY000[.]0ffice36o[.]com\r\nIn this context, the first four characters are randomly generated by the malware using rand(). The rest of the subdomain is encoded in base32; once decoded, the value is 1Fy2048. \"Fy\" is the target ID and \"2048\" (0x800) means \"Config file not found\". The request is performed if the configuration file was not retrieved on the infected machine. This message is used to inform the attacker.\r\nThe malware performs an initial HTTP request to retrieve its configuration at hxxp://IP/Client/Login?id=Fy. This request will be used to create the configuration file, particularly to set the custom base64 dictionary.\r\nThe second HTTP request is hxxp://IP/index.html?id=XX (where \"XX\" is the ID for the infected system). The purpose of this request is to retrieve the orders. 
The site is a fake Wikipedia page:\r\nThe commands are included in the source code of the page:\r\nIn this example, the commands are encoded with a standard base64 algorithm because we did not receive a custom alphabet. Here is another example with a custom alphabet in the configuration file:\r\nHere are the three commands automatically sent to the compromised system:\r\n{\"c\": \"echo %username%\", \"i\": \"-4000\", \"t\": -1, \"k\": 0}\r\n{\"c\": \"hostname\", \"i\": \"-5000\", \"t\": -1, \"k\": 0}\r\n{\"c\": \"systeminfo | findstr /B /C:\\\"Domain\\\"\", \"i\": \"-6000\", \"t\": -1, \"k\": 0}\r\nThe malware generates the following snippet of code after executing those commands:\r\nThe attackers ask for the username and hostname to retrieve the infected user's domains. The first step is clearly a reconnaissance phase. The data is eventually sent to hxxp://IP/Client/Upload.\r\nFinally, CreateProcess() executes the commands, and the output is redirected to the malware through a pipe created with CreatePipe().\r\nDNS Mode\r\nThe malware also supports a DNS-only mode. In this mode, the orders and answers are handled via DNS. This option is dictated within the configure.txt file on the infected machine. Using DNS can sometimes be easier to allow for information to be sent back to the attacker, as it will generally avoid proxies or web filtering in place by leveraging the DNS protocol.\r\nFirst, the malware initiates a DNS query to ask for orders, for example:\r\nRoyNGBDVIAA0[.]0ffice36o[.]com\r\nThe first four characters must be ignored; as mentioned earlier in the article, they are randomly generated, and the relevant data is GBDVIAA0. The decoded value (base32) is \"0GT\\x00\". GT is the target ID and \\x00 the request number. 
The C2 server replies to the DNS request with an IP address; whilst not always a valid IP, it is perfectly acceptable for the DNS protocol, for example 0.1.0.3. We believe the first value (0x0001) is the command ID for the next DNS request and 0x0003 is the size of the command.\r\nSecondly, the malware performs a DNS query with the command ID:\r\nt0qIGBDVIAI0[.]0ffice36o[.]com (GBDVIAI0 =\u003e \"0GT\\x01\")\r\nThe C2 server will return a new IP: 100.105.114.0. If we convert the value to ASCII we have \"dir\\x00\", the command to be executed.\r\nFinally, the result of the executed command will be sent by multiple DNS requests:\r\ngLtAGJDVIAJAKZXWY000.0ffice36o[.]com -\u003e GJDVIAJAKZXWY000 -\u003e \"2GT\\x01 Vol\" TwGHGJDVIATVNVSSA000.0ffice\r\nVictimology\r\nThanks to the DNS exfiltration and Cisco Umbrella, we are able to identify the origin of some of the victims and the period of activity in October and November. Here is the graph for 0ffice36o[.]com, the C2 domain we mentioned above:\r\nThe queries were performed from Lebanon and UAE. This information is confirmed by the DNS redirection described in the next section.\r\nDNS Redirection\r\nIntroduction\r\nTalos discovered three IPs linked to the DNSpionage domain:\r\n185.20.184.138\r\n185.161.211.72\r\n185.20.187.8\r\nThe three IPs are hosted by DeltaHost.\r\nThe last one was used in a DNS redirection attack between September and November. Multiple nameservers belonging to the public sector in Lebanon and UAE, as well as some companies in Lebanon, were apparently compromised, and hostnames under their control were pointed to attacker-controlled IP addresses. The attackers redirected the hostnames to the IP 185.20.187.8 for a short time. 
Just before redirecting the IP, the attackers created a certificate matching the domain name with the Let's Encrypt service.\r\nIn this section, we will present all the DNS redirection instances we identified and the attacker-generated certificates associated with each. We don't know if the redirection attack was ultimately successful, or what exact purpose the DNS redirection served. However, the impact could be significant, as the attackers were able to intercept all traffic destined for these hostnames during this time. Because the attackers targeted email and VPN traffic specifically, the redirections may have been used to harvest additional information, such as email and/or VPN credentials.\r\nAs incoming email would also be arriving at the attackers' IP address, if multi-factor authentication was in use, it would allow the attackers to obtain MFA codes to abuse. Since the attackers were able to access email, they could carry out additional attacks or even blackmail the target.\r\nThe DNS redirection we identified occurs in multiple locations where there is no direct correlation of infrastructure, staff, or job routines. It also occurs in both the public and private sectors. Therefore, we believe it was not human error, nor a mistake by an administrative user within any of the impacted organisations. This was a deliberate, malicious attempt by the attackers to redirect DNS.\r\nLebanon government redirection\r\nTalos identified that the Finance Ministry of Lebanon's email domain was the victim of a malicious DNS redirection.\r\nwebmail.finance.gov.lb was redirected to 185.20.187.8 on Nov. 6 at 06:19:13 GMT. On the same date at 05:07:25 a Let's Encrypt certificate was created.\r\nUAE government redirection\r\nUAE public domains were targeted, as well. We identified law enforcement domains below (VPN and College) and the Telecommunication Regulatory Authority.\r\nadpvpn.adpolice.gov.ae redirected to 185.20.187.8 on Sept. 13 at 06:39:39 GMT. On the same date at 05:37:54 a Let's Encrypt certificate was created.\r\nmail.mgov.ae redirected to 185.20.187.8 on Sept. 15 at 07:17:51 GMT. A Let's Encrypt certificate was also created at 06:15:51 GMT.\r\nmail.apc.gov.ae redirected to 185.20.187.8 on Sept. 24. A Let's Encrypt certificate was also created at 05:41:49 GMT.\r\nMiddle East Airline redirection\r\nTalos discovered that Middle East Airlines (MEA), a Lebanese airline, was also the victim of DNS redirection.\r\nmemail.mea.com.lb redirected to 185.20.187.8 on Nov. 14 at 11:58:36 GMT.\r\nOn Nov. 6, at 10:35:10 GMT, a Let's Encrypt certificate was created.\r\nThis certificate contains subject alternative names (SAN DNS entries), an X.509 feature that allows multiple domains to be covered by one certificate for SSL/TLS:\r\nmemail.mea.com.lb\r\nautodiscover.mea.com.lb\r\nowa.mea.com.lb\r\nwww.mea.com.lb\r\nautodiscover.mea.aero\r\nautodiscover.meacorp.com.lb\r\nmea.aero\r\nmeacorp.com.lb\r\nmemailfr.meacorp.com.lb\r\nmeoutlook.meacorp.com.lb\r\ntmec.mea.com.lb\r\nThese domains show a clear understanding of the victims' environments, which leads us to believe the attacker was active in these environments to understand the specific domains and certificates they would be required to produce.\r\nConclusion\r\nOur investigation discovered two events: the DNSpionage malware and a DNS redirection campaign. In the case of the malware campaign, we don't know the exact target, but we do know the attackers went after users in Lebanon and the UAE. 
However, as outlined above, we were able to uncover the targets of the redirect campaign. We are highly confident that both of these campaigns came from the same actor. However, we do not know much about the location of the actors and their exact motivations. It is clear that this threat actor was able to redirect DNS from government-owned domains in two different countries over the course of two months, as well as a national Lebanese airline. They were able to operate at the system level, using Windows malware, as well as at the network level, using DNS exfiltration and redirection. It is unclear if these DNS redirection attacks were successful, but the attackers have kept up their efforts, launching five attacks so far this year, including one in the past two weeks.\r\nUsers should use these campaigns as proof that their endpoint protection as well as their network protection need to be as strong as possible. This is an advanced actor who obviously has their sights set on some important targets, and they don't appear to be letting up any time soon.\r\nCOVERAGE\r\nSnort rules 48444 and 48445 will prevent DNSpionage from making an outbound connection.\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.\r\nOpen Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\n
INDICATORS OF COMPROMISE (IOCS)\r\nThe following IOCs are associated with various malware distribution campaigns that were observed during the analysis of associated malicious activity.\r\nFake job websites:\r\nhr-wipro[.]com\r\nhr-suncor[.]com\r\nMalicious documents:\r\n9ea577a4b3faaf04a3bddbfcb934c9752bed0d0fc579f2152751c5f6923f7e14 (LB submit)\r\n15fe5dbcd31be15f98aa9ba18755ee6264a26f5ea0877730b00ca0646d0f25fa (LB submit)\r\nDNSpionage samples:\r\n2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec\r\n82285b6743cc5e3545d8e67740a4d04c5aed138d9f31d7c16bd11188a2042969\r\n45a9edb24d4174592c69d9d37a534a518fbe2a88d3817fc0cc739e455883b8ff\r\nC2 Server IPs:\r\n185.20.184.138\r\n185.20.187.8\r\n185.161.211.72\r\nC2 Server Domains:\r\n0ffice36o[.]com\r\nDNS Hijack Domains (pointed to 185.20.187.8):\r\n2018-11-14 : memail.mea.com.lb\r\n2018-11-06 : webmail.finance.gov.lb\r\n2018-09-24 : mail.apc.gov.ae\r\n2018-09-15 : mail.mgov.ae\r\n2018-09-13 : adpvpn.adpolice.gov.ae\r\nDomains in the MEA certificate (on 185.20.187.8):\r\nmemail.mea.com.lb\r\nautodiscover.mea.com.lb\r\nowa.mea.com.lb\r\nwww.mea.com.lb\r\nautodiscover.mea.aero\r\nautodiscover.meacorp.com.lb\r\nmea.aero\r\nmeacorp.com.lb\r\nmemailr.meacorp.com.lb\r\nmeoutlook.meacorp.com.lb\r\ntmec.mea.com.lb\r\nSource: https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html"
	],
	"report_names": [
		"dnspionage-campaign-targets-middle-east.html"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8d76e350-dfb5-4733-800d-876de41f690d",
			"created_at": "2023-01-06T13:46:38.841887Z",
			"updated_at": "2026-04-10T02:00:03.119083Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [
				"COBALT EDGEWATER"
			],
			"source_name": "MISPGALAXY:DNSpionage",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4632103e-8035-4a83-9ecb-c1e12e21288c",
			"created_at": "2022-10-25T16:07:23.542255Z",
			"updated_at": "2026-04-10T02:00:04.64888Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [],
			"source_name": "ETDA:DNSpionage",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"CACTUSPIPE",
				"DNSpionage",
				"DropperBackdoor",
				"Karkoff",
				"MailDropper",
				"OILYFACE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434879,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/106f7d512f587c56cc68c378918113454fbc6fce.pdf",
		"text": "https://archive.orkl.eu/106f7d512f587c56cc68c378918113454fbc6fce.txt",
		"img": "https://archive.orkl.eu/106f7d512f587c56cc68c378918113454fbc6fce.jpg"
	}
}