{
	"id": "12328a8d-c9a6-4912-8495-7f93d4cf57e5",
	"created_at": "2026-04-06T00:16:35.371675Z",
	"updated_at": "2026-04-10T03:37:36.728718Z",
	"deleted_at": null,
	"sha1_hash": "10bf7d6ab1bc2980d53a01daadd5bb0df8b7911f",
	"title": "Attack Graph Response to US-CERT Alert (AA22-264A)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1274052,
	"plain_text": "Attack Graph Response to US-CERT Alert (AA22-264A)\r\nBy Francis Guibernau\r\nPublished: 2022-09-23 · Archived: 2026-04-05 17:41:13 UTC\r\nOn September 21, 2022, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure\r\nSecurity Agency (CISA) released a joint Cybersecurity Advisory (CSA) that provides insight into\r\nrecent cyber operations against the Government of Albania in July and September 2022.\r\nIn July 2022, Iranian actors identifying as “HomeLand Justice” launched a destructive cyber-attack against the\r\nGovernment of Albania which rendered websites and services unavailable. An FBI investigation indicates Iranian\r\nstate cyber actors acquired initial access to the victim’s network approximately 14 months before launching the\r\ndestructive attack, which included both a ransomware-style file encryptor and disk wiping malware. The actors\r\nmaintained continuous network access for approximately a year, periodically accessing and exfiltrating e-mail\r\ncontent.\r\nBetween May and June 2022, Iranian state cyber actors conducted lateral movements, network reconnaissance,\r\nand credential harvesting from Albanian government networks. In July 2022, the actors launched ransomware on\r\nthe networks, leaving an anti-Mujahideen E-Khalq (MEK) message on desktops. When network defenders\r\nidentified and began to respond to the ransomware activity, the cyber actors deployed a version of ZeroCleare\r\ndestructive malware.\r\nOn July 18, 2022, HomeLand Justice claimed credit for the attack on the Albanian government infrastructure. On\r\nJuly 23, 2022, Homeland Justice posted videos of the cyber-attack on their website. 
From July to August 2022,\r\nHomeland Justice posted videos of the cyber-attack on their website and promoted Albanian Government\r\ninformation for release on social media accounts.\r\nIn September 2022, Iranian cyber actors launched another wave of cyber-attacks against the Government of\r\nAlbania, using similar TTPs and malware as the cyber-attacks in July. These were likely done in retaliation for\r\npublic attribution of the cyber-attacks in July and severed diplomatic ties between Albania and Iran.\r\nAccording to a report from Microsoft released on September 8, 2022, the adversary responsible for\r\nthe initial access and exfiltration of information is linked to OilRig, also known as APT34. This adversary is\r\nclosely linked to Iran’s Ministry of Intelligence and Security (MOIS). Additionally, the Microsoft Detection and\r\nResponse Team (DART) details that the DEV-0133 adversary, publicly known as Lyceum, was responsible for\r\ntesting the victim’s infrastructure.\r\nLyceum is an adversary previously reported by SecureWorks in August 2019. The adversary is suspected of being\r\nclosely linked to APT33 and OilRig.\r\nOn July 11, 2022, AttackIQ released two attack graphs that seek to emulate different aspects of OilRig’s\r\noperations against multiple sectors around the globe.\r\nhttps://www.attackiq.com/2022/09/23/attack-graph-response-to-us-cert-alert-aa22-264a-iranian-state-actors-conduct-cyber-operations-against-the-government-of-albania/\r\nPage 1 of 8\n\nAttackIQ has released a new fully featured attack graph that emulates the tactics, techniques, and procedures\r\n(TTPs) used by Iranian nation-state adversaries against the government of Albania.\r\nTesting previously released attack graphs pertaining to this kind of threat in conjunction with this newly released\r\nattack graph can help validate your security program performance in reducing risk. 
By using the AttackIQ\r\nSecurity Optimization Platform, security teams will be able to:\r\nEvaluate security control performance against malicious techniques that lead to the mass encryption of\r\ncritical services.\r\nAssess their security posture against an actor that doesn’t need to bring down additional backdoors to\r\nsuccessfully infiltrate your network.\r\nContinuously validate detection and prevention pipelines beyond the initial access exploits as new zero-days are discovered.\r\n[US-CERT AA22-264A] Iranian Ransomware and Disk Wiping Attack against\r\nGovernment of Albania\r\nThe Iranian actors first exploited a common vulnerability in SharePoint and dropped a series of webshells to begin\r\ntheir attack. Our attack graph begins after their initial access has been established and the threat actor needs to\r\ngain access to additional credentials to move laterally and expand the scope of their attack.\r\nOS Credential Dumping: LSASS Memory (T1003.001): LSASS memory is dumped to disk by creating a\r\nminidump of the lsass.exe process. This process is used for enforcing security policy on the system and\r\ncontains many privileged tokens and accounts that are targeted by threat actors. Mimikatz is then used to dump\r\nthe credentials from that minidump file.\r\nOS Credential Dumping: Security Account Manager (T1003.002): A Volume Shadow Copy is used to dump\r\nthe SAM registry hive that is typically locked for access when Windows is running. Mimikatz is again\r\nused to dump the credentials from this registry hive.\r\nWith the dumped credentials the actors can now begin to move about the network. 
They first leveraged a network\r\nscanner to identify other hosts of interest based on their remote services. Then they moved laterally using Remote\r\nDesktop Protocol (RDP) and File Transfer Protocol (FTP). Finally, they exfiltrated gigabytes of data using HTTP\r\nrequests to the Exchange server.\r\nNetwork Service Discovery (T1046): This scenario uses nmap to scan for hosts with open ports that\r\nwould identify remotely accessible hosts to the attacker.\r\nRemote Services: Remote Desktop Protocol (T1021.001): Remote Desktop is the built-in remote access utility\r\nused by Windows. This scenario attempts to remotely connect to another accessible asset with stolen credentials.\r\nRemote Services (T1021): This scenario can be configured with the IP address of a remote FTP server and\r\ncredentials to simulate the network traffic observed in the authentication of an internal FTP server.\r\nExfiltration Over C2 Channel (T1041): A large amount of data is exfiltrated over HTTP requests mimicking the\r\ndata exfiltration method used by the Iranian actors when they stole a large amount of email data using their\r\nwebshells.\r\nThe actors wanted to impair the defenses of their compromised systems to limit the victim’s ability to detect\r\ntheir activity or recover from the subsequent destructive actions. They first brought their own custom utility that would\r\ndisable Windows Defender in order to reduce the likelihood that their follow-up actions would be detected or\r\nprevented. 
The tool would elevate their privileges before checking if Windows Defender was enabled using a\r\nWMI command, and then stop the service before modifying registry keys to prevent it from being re-enabled\r\nat reboot.\r\nIngress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in two separate scenarios\r\nto test network and endpoint controls and their ability to prevent the delivery of the disable-defender.exe\r\nbinary.\r\nAccess Token Manipulation (T1134): This scenario lists active access tokens that could be impersonated by\r\nanother process. This method is commonly used to escalate privileges.\r\nWindows Management Instrumentation (WMI) (T1047): WMI is a native Windows administration feature that\r\nprovides a method for accessing Windows system components. This scenario gets the status of Windows Defender\r\nby calling “MSFT_MpPreference Get DisableRealtimeMonitoring”.\r\nService Stop (T1489): The Windows Defender service is stopped with a “net stop” command.\r\nImpair Defenses: Disable or Modify Tools (T1562.001): The registry key\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware is set to 1, which prevents\r\nWindows Defender from being enabled at next reboot.\r\nWith the system defenses degraded, the actor moved on to launching a ransomware attack. The file cryptor was\r\nbrought down to the system and persistence established using the Startup folder. A batch script would be executed\r\nthat disabled System Recovery for all the drives and deleted their Recycle Bin directories. Volume Shadow Copies\r\nwould then be removed before finally executing the ransomware binary. The desktop background is changed to a\r\nransomware calling card picture. 
RunDll32 is used to force the background to update, and then ping is used to\r\nintroduce a delay in the batch script before it kills itself and removes its artifacts.\r\nLogon Autostart Execution: Startup Folder (T1547.001): The Startup folder is a directory associated with the\r\nWindows Start Menu that can be used to launch a process at Windows logon. This scenario creates a binary file in\r\nthis directory that would execute at next logon for users.\r\nWindows Management Instrumentation (WMI) (T1047): This scenario executes the logicaldisk command\r\nto retrieve details on the system’s disks.\r\nInhibit System Recovery (T1490): Runs vssadmin.exe to delete a recent Volume Shadow Copy created by the\r\nattack graph.\r\nModify Registry (T1112): The “HKEY_CURRENT_USER\\Control Panel\\Desktop” registry key is modified to\r\nchange the background image for the current user.\r\nSystem Binary Proxy Execution: Rundll32 (T1218.011): RunDll32 is another native system utility that can be\r\nused to execute DLL files and a specific export inside the file. This scenario executes RunDll32 and passes\r\n“user32.dll,UpdatePerUserSystemParameters”, which forces the system to refresh a user’s settings, including\r\nthe desktop background.\r\nIn response to the victim’s efforts to remediate their incident, the actors moved on to deploying disk wiping\r\nmalware in retaliation. This was a modified version of their ZeroCleare wiper that uses the EldoS Raw Disk\r\nDriver to wipe drives at the lowest level.\r\nCreate or Modify System Process: Windows Service (T1543.003): Creates a new service called “RawDisk3”\r\nusing the native sc.exe utility. 
This is the service name used when the driver starts.\r\nOpportunities for Extending the Attack Graph\r\nWhile we did not include one of the many different ransomware file encryption scenarios in this attack graph,\r\ncustomers can add one of the many different Collect and Encrypt File scenarios to the graph or run it individually in\r\na separate assessment to test similar ransomware tools like Locky and Ryuk.\r\nDetection and Mitigation Opportunities\r\nWith so many different techniques being used by threat actors, it can be difficult to know which to prioritize for\r\nprevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated\r\nin our scenarios before moving on to the remaining techniques.\r\n1. OS Credential Dumping: Security Account Manager (T1003.002)\r\nDescription:\r\nAdversaries may attempt to extract credential material from the Security Account Manager (SAM) database either\r\nthrough in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a\r\ndatabase file that contains local accounts for the host, typically those found with the net user command.\r\nEnumerating the SAM database requires SYSTEM level access.\r\n1a. 
Detection:\r\nUsing an EDR or SIEM product, you can detect when suspicious creations of shadow copies are observed as well\r\nas Mimikatz usage with the created shadow copy.\r\nNote: it is advisable to correlate these two rules together in a SIEM product to create an alert when creation\r\nof shadow volumes is observed alongside Mimikatz usage.\r\nDetecting Suspicious Shadow Copy creations:\r\nProcess Name = “powershell.exe”\r\nCommand Line CONTAINS (“Get-WMIObject Win32_ShadowCopy” AND “Create”)\r\nDetecting Mimikatz usage:\r\nProcess Name = (“powershell.exe” OR “cmd.exe”)\r\nCommand Line CONTAINS (“lsadump::sam”)\r\n1b. Mitigations:\r\nMITRE ATT\u0026CK recommends the following mitigations for OS Credential Dumping: Security Account\r\nManager (T1003.002):\r\nM1028 – Operating System Configuration\r\nM1027 – Password Policies\r\nM1026 – Privileged Account Management\r\nM1017 – User Training\r\n2. Impair Defenses: Disable or Modify Tools (T1562.001)\r\nDescription:\r\nAdversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and\r\nactivities. This may take many forms, such as killing security software processes or services, modifying /\r\ndeleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere\r\nwith security tools scanning or reporting information.\r\n2a. Detection:\r\nUsing an EDR or SIEM product, you can detect when the Microsoft Defender registry value\r\n“DisableAntiSpyware” has been set to 1, disabling the security control:\r\nProcess Name = “reg.exe”\r\nCommand Line CONTAINS (“HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender” AND “DisableAntiSpyware”\r\nAND “REG_DWORD /d 1”)\r\n2b. 
Mitigations:\r\nMITRE ATT\u0026CK recommends the following mitigations for Impair Defenses: Disable or Modify Tools\r\n(T1562.001):\r\nM1022 – Restrict File and Directory Permissions\r\nM1024 – Restrict Registry Permissions\r\nM1018 – User Account Management\r\n3. Create or Modify System Process: Windows Service (T1543.003)\r\nDescription:\r\nAdversaries may create or modify Windows services to repeatedly execute malicious payloads as part of\r\npersistence. When Windows boots up, it starts programs or applications called services that perform background\r\nsystem functions.\r\n3a. Detection:\r\nUsing an EDR or SIEM product, you can detect when sc.exe is being used to create possibly suspicious services.\r\nIn this case, the service the threat actor has been seen creating is named “RawDisk3”.\r\nProcess Name = (“cmd.exe” OR “powershell.exe”)\r\nCommand Line CONTAINS (“sc create” AND “RawDisk3” AND start=“demand”)\r\n3b. Mitigations:\r\nMITRE ATT\u0026CK recommends the following mitigations for Create or Modify System Process: Windows\r\nService (T1543.003):\r\nM1018 – User Account Management\r\nM1028 – Operating System Configuration\r\nM1047 – Audit\r\nM1040 – Behavior Prevention on Endpoint\r\nM1045 – Code Signing\r\nWrap-up\r\nIn summary, this attack graph will evaluate security and incident response processes and support the improvement\r\nof your security control posture against an actor who intends to destroy their target. 
With data generated from\r\ncontinuous testing and use of this attack graph, you can focus your teams on achieving key security outcomes,\r\nadjust your security controls, and work to elevate your total security program effectiveness against a known and\r\ndangerous threat.\r\nAttackIQ stands at the ready to help security teams implement this attack graph and other aspects of the AttackIQ\r\nSecurity Optimization Platform, including through our co-managed security service, AttackIQ Vanguard.\r\nSource: https://www.attackiq.com/2022/09/23/attack-graph-response-to-us-cert-alert-aa22-264a-iranian-state-actors-conduct-cyber-operations-against-the-government-of-albania/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.attackiq.com/2022/09/23/attack-graph-response-to-us-cert-alert-aa22-264a-iranian-state-actors-conduct-cyber-operations-against-the-government-of-albania/"
	],
	"report_names": [
		"attack-graph-response-to-us-cert-alert-aa22-264a-iranian-state-actors-conduct-cyber-operations-against-the-government-of-albania"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cde987a8-c71f-49e2-b761-5b7fa2b4ada6",
			"created_at": "2022-10-25T16:07:23.706646Z",
			"updated_at": "2026-04-10T02:00:04.719127Z",
			"deleted_at": null,
			"main_name": "Hexane",
			"aliases": [
				"ATK 120",
				"Cobalt Lyceum",
				"G1001",
				"Lyceum",
				"Operation Out to Sea",
				"Siamesekitten",
				"Yellow Dev 9"
			],
			"source_name": "ETDA:Hexane",
			"tools": [
				"DanBot",
				"DanDrop",
				"Decrypt-RDCMan.ps1",
				"Get-LAPSP.ps1",
				"James",
				"Milan",
				"kl.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a7df240e-6750-4b71-99de-85831b92faa2",
			"created_at": "2022-10-25T15:50:23.859253Z",
			"updated_at": "2026-04-10T02:00:05.285965Z",
			"deleted_at": null,
			"main_name": "HEXANE",
			"aliases": [
				"Lyceum",
				"Siamesekitten",
				"Spirlin"
			],
			"source_name": "MITRE:HEXANE",
			"tools": [
				"Milan",
				"netstat",
				"BITSAdmin",
				"DnsSystem",
				"DanBot",
				"ipconfig",
				"Mimikatz",
				"Kevin",
				"PoshC2"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fb8f3a5f-01a9-498e-9396-52f844424c33",
			"created_at": "2023-01-06T13:46:39.045338Z",
			"updated_at": "2026-04-10T02:00:03.195743Z",
			"deleted_at": null,
			"main_name": "LYCEUM",
			"aliases": [
				"Spirlin",
				"MYSTICDOME",
				"siamesekitten",
				"Chrono Kitten",
				"Storm-0133",
				"COBALT LYCEUM",
				"UNC1530"
			],
			"source_name": "MISPGALAXY:LYCEUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7f25e108-e694-49b6-a494-c8458b33eb3f",
			"created_at": "2024-01-09T02:00:04.199217Z",
			"updated_at": "2026-04-10T02:00:03.509338Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [],
			"source_name": "MISPGALAXY:HomeLand Justice",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "386b1b0a-9217-46d4-a0d6-73d6286154e0",
			"created_at": "2025-08-07T02:03:24.760429Z",
			"updated_at": "2026-04-10T02:00:03.619131Z",
			"deleted_at": null,
			"main_name": "COBALT LYCEUM",
			"aliases": [
				"DEV-0133 ",
				"HEXANE ",
				"ScorchedEpoch "
			],
			"source_name": "Secureworks:COBALT LYCEUM",
			"tools": [
				"DanBot",
				"MilanRAT",
				"RGDoor",
				"SharkWork RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3ebf51d-8f64-48a9-bbfb-674db872cccb",
			"created_at": "2025-08-07T02:03:24.769383Z",
			"updated_at": "2026-04-10T02:00:03.860954Z",
			"deleted_at": null,
			"main_name": "COBALT MYSTIQUE",
			"aliases": [
				"Banished Kitten ",
				"DEV-0842 ",
				"Druidfly ",
				"Handala Hack Team",
				"Homeland Justice",
				"Karmabelow80",
				"Red Sandstorm ",
				"Storm-0842 ",
				"Void Manticore "
			],
			"source_name": "Secureworks:COBALT MYSTIQUE",
			"tools": [
				"AllinOneNeo",
				"Bibi",
				"GramPy",
				"GramPyLoader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434595,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/10bf7d6ab1bc2980d53a01daadd5bb0df8b7911f.pdf",
		"text": "https://archive.orkl.eu/10bf7d6ab1bc2980d53a01daadd5bb0df8b7911f.txt",
		"img": "https://archive.orkl.eu/10bf7d6ab1bc2980d53a01daadd5bb0df8b7911f.jpg"
	}
}