{
	"id": "341b377d-4e6d-4b0c-8d43-8776accb8791",
	"created_at": "2026-04-06T00:10:54.316205Z",
	"updated_at": "2026-04-10T03:37:04.382382Z",
	"deleted_at": null,
	"sha1_hash": "13284d0cd27ac906600ae25b16ab899f3ccf70c5",
	"title": "The Transportation sector cyber threat overview",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1313053,
	"plain_text": "The Transportation sector cyber threat overview\r\nBy Maxime A., Livia Tibirna and Sekoia TDR\r\nPublished: 2023-09-12 · Archived: 2026-04-02 11:27:03 UTC\r\nThis report aims at contextualising cyber activities targeting the transportation sector worldwide over the 2022-2023 period. It is based on open source reporting and Sekoia.io observations of campaigns mostly impacting road, air and rail transportation.\r\nIntroduction\r\nThe increasingly digitised and connected transportation sector faces a broad range of threats, including in cyberspace. Organisations operating in the transportation sector are a prime target for cyberattacks, due to the critical role of the transportation infrastructure in the physical connectivity and in the functioning of the economic systems within a territory. Indeed, interrupted transportation operations may have a significant impact on other verticals, e.g. on supply chain management. In addition, transportation operators process personally identifiable information (PII), exposing them to the risk of surveillance. Additionally, some actors, such as national air and rail companies, are perceived as symbols by politically-motivated attackers aiming at tarnishing the image of the originating state.\r\nOver the past years, the transportation sector was subject to evolving security regulations intended to improve the overall level of security, including cybersecurity. One of the latest evolutions was the adoption, in late 2022, of the NIS2 Directive aiming at strengthening the cybersecurity level across the European Union, including in the transportation and other essential sectors. 
\r\nA sector highly impacted by lucrative-oriented cyber criminal threat\r\nLucrative-oriented cybercrime is a major threat increasingly impacting companies worldwide, including the transportation sector. Over the last two years, the sector faced an ever-evolving and progressively more advanced cybercrime ecosystem, dominated by the ransomware threat (38% of all the threats identified by ENISA within the EU). Sekoia.io assesses that most financially-motivated campaigns impacting the transportation sector are opportunistic and primarily intended to maximise the attackers’ gain by compromising victims’ data integrity.\r\nRansomware and extortion campaigns\r\nBased on Sekoia.io observations, the ransomware-related threat steadily intensified over the past years, measured both in the number of reported incidents and their estimated impact, and in the diversification of intrusion sets’ nature and techniques. The transportation sector was increasingly impacted by ransomware and extortion campaigns (hitting a 186% increase between January and June 2021 according to CheckPoint and remaining in the Top 5 impacted sectors as reported by NTT Security in May 2023), reflecting similar trends observed across many sectors.\r\nhttps://blog.sekoia.io/the-transportation-sector-cyber-threat-overview/\r\nPage 1 of 9\r\nIn recent years, the large majority of ransomware groups known to target corporate assets were reported conducting campaigns against the transportation sector. Reported victimology notably includes a double extortion campaign targeting Wabtec, a U.S. product and services provider for the rail and transit industry, claimed by the LockBit intrusion set in mid-2022. The same group claimed a ransomware operation against the Port of Lisbon in early 2023, as well as an attack against the Romanian Association for International Road Transport (ARTRI) in April 2023. 
A campaign impacting Japan’s biggest port, the Port of Nagoya, was also reported in July 2023. The ransomware attack, claimed by the LockBit ransomware group, targeted Nagoya Port’s central container operations handling system and resulted in disrupted container operations across all terminals within the port for two days. The attack also raised concerns over its potential impact on the local economy, as the port handles 10% of Japan’s total trade volume, and on global supply chains including the auto industry. Sekoia.io did not observe specific country-level targeting and assesses that the geography of reported ransomware attacks against the transportation sector is mostly arbitrary.\r\nBased on open source reporting, a significant number of successful ransomware attacks resulted in data compromise (encryption, theft, exposure to unauthorised users, leakage, unavailability and loss). Other impacts were reported, such as financial loss, loss of operational continuity (cancelled and delayed operations), reputation damage and web services unavailability.\r\nSekoia.io assesses that the most immediate ransomware threat impacting the transportation sector in the 2022-early 2023 period was Ransomware-as-a-Service (RaaS) leveraging the double extortion technique. Most of the known RaaS operators, such as LockBit, BlackCat, BlackByte and Black Basta, were reported targeting the transportation sector over the last two years. Reported lucrative campaigns involved urging the victims to pay a ransom, selling the exfiltrated data, or exploiting it for further lucrative operations such as fraud.\r\nDuring the first half of 2023, the transportation sector faced the growing trend of multiple opportunistic intrusion sets actively exploiting 0-day vulnerabilities to deploy ransomware and/or exfiltrate data. 
One such example is the massive exploitation of the CVE-2023-34362 zero-day vulnerability found in the MOVEit file transfer solution in late May 2023. In early June 2023, British Airways, the largest airline based in the United Kingdom, and Transport for London, the London public transport operator, reported incidents involving the MOVEit vulnerability. The exploitation was subsequently attributed to intrusion sets associated with the TA505 group, resulting in extortion campaigns and confidential data exposure.\r\nThe MOVEit campaign mirrors a common trend among ransomware intrusion sets observed by Sekoia.io: the mass adoption of the exfiltration-based extortion technique, increasingly avoiding encryption. One such example is the BianLian intrusion set, reported in January 2023 to have shifted from the double-extortion model to a primarily exfiltration-based extortion technique, which continuously claims data extortion attacks impacting most verticals, including the transportation sector ([1], [2], [3]). Sekoia.io assesses with high confidence that lucrative intrusion sets will increasingly adopt the data extortion technique, mainly resulting in reputation damage and data integrity compromise.\r\nCredential theft campaigns\r\nPhishing campaigns are a common attack vector for initial access in reported campaigns impacting the transportation sector. Phishing attacks are regularly followed by further compromises such as ransomware attacks, fraud, data theft and extortion campaigns. While most of the observed mass phishing campaigns are opportunistic, they are commonly tailored to the particular context of the victim’s activities, as well as to major events related to the victim’s industry. 
\r\nFor instance, based on Kaspersky observations, from early 2022 the transportation sector was subject to spam mailing campaigns leveraging the economic sanctions related to the Russo-Ukrainian conflict, highly likely to conduct fraud campaigns via spear phishing links. In May 2023, an emerging malware called FluHorse was leveraged in phishing campaigns impacting Android users of a major transportation application in Eastern Asia and of an Electronic Toll Collection (ETC) application in Taiwan. In reported campaigns, FluHorse mimics legitimate transportation applications and aims at gathering the victims’ credentials, credit card data and Two-Factor Authentication (2FA) codes.\r\nCredentials and other sensitive information obtained from phishing campaigns are either directly leveraged by the same attackers or sold to other financially-motivated threat actors. During our cybercrime forum monitoring routine, Sekoia.io observes a significant number of publications leaking sensitive data or selling credentials for remote access services to corporate networks within the transportation vertical. While this illicit market evolves towards specialisation and professionalisation, most threat actors observed by Sekoia.io persist in opportunistic targeting.\r\nFigure 1. A threat actor selling unauthorized VPN access to a French boat manufacturer’s internal networks (Source: RAMP cybercrime forum)\r\nOpportunistic disruption operations led by nationalist hacktivist groups\r\nSince the beginning of the Russian invasion of Ukraine in February 2022, Sekoia.io observed a significant increase in the activity of nationalist hacktivist groups. Those groups usually use cybercriminal tactics, techniques and procedures (TTPs) but differ from cybercrime activities in their motivations, responding to geopolitical rather than lucrative goals. 
Hacktivist groups are known to carry out Distributed Denial of Service (DDoS) attacks and DDoS-related activities, defacement, hack-and-leak operations and extortion campaigns that hide a disruption goal. Such targeting often impacts the transportation sector, as many entities such as airlines or national rail services represent an opportunistic and symbolic objective to undermine foreign states. Since February 2022, multiple nationalist hacktivist groups (NHG) claimed cyber operations which aimed at contributing to the narrative of the side they belong to. On the Russian side, mainly targeting Ukraine and NATO entities, Killnet, NoName057 and Anonymous Sudan, an assessed false flag hacktivist group directly related to Killnet, were the most active.\r\nCyber and kinetic disruption\r\nIn the 2022-2023 period, the transportation sector was particularly impacted by DDoS operations claimed by the aforementioned groups. In March 2023, Sekoia.io observed Anonymous Sudan carrying out successive DDoS campaigns against French entities, including airports and the French airlines AirFrance, Transavia and FlyingBlue. Over the same period, NoName057 leveraged their participative DDoS tool named DDOSIA to impact websites of entities in NATO countries; among them, French rail transportation companies were particularly targeted (Paris transport operator RATP, national rail service SNCF). In June 2023, shortly after French president Macron announced the upcoming delivery of an air defense system to Kiev, Sekoia.io detected multiple targets related to the French transport group RATP. Sekoia.io assesses with high confidence that those targets represent an opportunistic way for the attackers to mediatise cyber operations impacting countries supporting Ukraine against the Russian invasion.\r\nSimilar operations were observed to be conducted by hacktivist groups supporting Ukraine. 
For instance, in January 2022, the Belarusian Cyber Partisans, a group opposed to the Moscow-aligned Belarus government, conducted a ransomware attack on Belarusian Railway information systems. The campaign aimed at denouncing the involvement of the Belarusian President in the Russian military operation against Ukraine, and at delaying the deployment of Russian military troops near Ukraine using the Belarusian Railways’ system. The ransom asked by the Belarusian Cyber Partisans was the release of 50 political prisoners and the withdrawal of Russian troops, instead of money. No open source information is available on whether that operation impacted Belarusian military troop transportation.\r\nRansom DDoS attacks (RDDoS)\r\nRansom Distributed Denial of Service (RDDoS) attacks are a form of malicious cyber campaign aiming at performing distributed denial of service until a ransom fee is paid. This extortion-based technique is mostly leveraged to escalate the impact of an ongoing campaign and force the victim to pay the ransom.\r\nWhile the transportation sector was impacted by denial of service attacks over the last years, a less widespread RDDoS attack was reported targeting the Swedish aviation industry in early 2023. In February 2023, the Russia-aligned hacktivist group Anonymous Sudan announced a massive politically-motivated DDoS campaign against the Swedish airport infrastructure, an initiative later joined by the UserSec group. Later, Anonymous Sudan expanded this DDoS campaign to other Scandinavian air transportation entities, leveraging the RDDoS technique against Scandinavian Airlines, Northern Europe’s leading airline, asking for a $3,500, then $3M and later $10M ransom. Impacts such as website and application unavailability, as well as passengers’ data exposure, were reported by the victim, which is a relatively unusual behaviour for a hacktivist group usually focused on website accessibility disruption. 
\r\nSekoia.io assesses it is likely that Anonymous Sudan, alongside other Russia-aligned nationalist hacktivist groups, conducted a fake extortion campaign with an overstated ransom demand to amplify their operation aiming at undermining Sweden, currently awaiting NATO integration.\r\nAnonymous Sudan ties with Russia-aligned hacktivist groups\r\nAnonymous Sudan emerged in January 2023 with “OpSweden”, a DDoS campaign against Sweden in reaction to a mediatised anti-Muslim act conducted by a Swedish right-wing activist. However, evidence shows a strong possibility that Anonymous Sudan is a sub-group of the pro-Russian hacktivist group Killnet, a group with which Anonymous Sudan has publicly aligned itself since March 2023.\r\nA bit of context is needed to understand the self-designated Anonymous Sudan group. In May 2022, following the Russian invasion of Ukraine, Finland and Sweden applied to join NATO. Turkey, as a NATO member, voiced its opposition to including Sweden, arguing Stockholm was helping Kurdish organizations Ankara considers terrorist. Diplomatic negotiations followed to find a consensus.\r\nSekoia.io assesses with confidence that in January 2023, when the Swedish right-wing activist committed the mediatised anti-Muslim act, Russian nationalist hacktivist groups such as Killnet identified an opportunity to undermine the Swedish-Turkish negotiation on an islamophobic pretext, as Turkish president Erdogan often reacts on this subject. Killnet either created Anonymous Sudan or helped a preexisting unskilled group to conduct and mediatise proxy DDoS operations against Sweden and later other NATO countries, to impact states that support Ukraine.\r\nFigure 2. 
Anonymous Sudan announcement of DDoS campaign targeting the Swedish aviation industry (Source: Anonymous Sudan Telegram channel) – 07/02/2023\r\nFigure 3. Anonymous Sudan announcement of RDDoS campaign targeting Scandinavian Airlines (Source: Anonymous Sudan Telegram channel) – 02/06/2023\r\nA transportation sector less reported as impacted by State-nexus intrusion sets\r\nThe transportation sector is also a target for state-aligned cyber offensive operations, both as a final target for industrial espionage and as a medium to conduct espionage operations and kinetic disruption. However, as few details (detailed victimology, assessed impact) are usually available in open-source reporting on state-nexus cyber operations against the transportation sector, it is difficult to be exhaustive on this aspect of the cyber threat.\r\nGiven the criticality of the transportation sector, like the energy sector, in high intensity conflicts, most examples in this section are related to the Russia-Ukraine war. This is due to the overrepresentation of cyber operations related to the conflict in open source reporting. Of note, transportation entities unrelated to the Russia-Ukraine conflict can still be targeted by state-nexus cyber threats.\r\nRoad and rail logistics disruption\r\nVarious entities (private companies, operators, NGOs and state administrations) operating in the transportation vertical can be targeted by cyber operations in order to disrupt the provided service and, potentially, conduct strategic espionage on the transported assets.\r\nSince the beginning of the Russian invasion of Ukraine in February 2022, multiple Russian-nexus intrusion sets (Calisto, Gamaredon, Sandworm) were reported to target Ukraine-based and NATO transportation and logistics companies. 
For instance, in March 2023, the Russian military GRU-associated Sandworm was observed by Microsoft conducting a destructive attack on the network of an undisclosed logistics provider headquartered in Western Ukraine. Technical investigation allowed Sekoia.io to detect similar targeting conducted by the FSB-associated Calisto intrusion set, which carried out phishing campaigns aiming at credential theft against logistics companies such as DTGruelle and Emcompass, both involved in Ukraine war support.\r\nOther operations impacting national transportation sectors were reported in open source. In July 2021, Iranian authorities reported cyber attacks impacting the information systems of Iranian Railways and the Ministry of Roads and Urban Development. The operation was claimed by the anti-Iranian regime hacktivist group Indra, a group that Tehran accuses of being helped by Israel, likely to undermine the government and favour a popular uprising.\r\nPlausible prepositioning operations\r\nOther state-nexus operations were reported impacting transportation and logistics companies, such as Israeli maritime and road shipping firms targeted by Iran-associated TortoiseShell, an intrusion set observed by ClearSky setting up watering hole attacks on at least eight Israeli companies in May 2023. Although it is difficult to assess the intention of such operations due to the absence of intrusion details in open source reporting, the transportation sector, as a strategic asset for a state’s security and economic stability, is likely a target for prepositioning operations, where the intrusion is conducted as covertly as possible, allowing future actions on objective (espionage, sabotage or both). 
Another example is the China-associated TIANWU intrusion set, observed in December 2021 by TeamT5 leveraging the malware Pangolin8Rat to target a Taiwanese rail transportation company, an operation we can assess as plausibly linked to Chinese efforts to preposition in the event of a conflict over the annexation of Taiwan. Aerospace companies can be targeted as well for alleged prepositioning operations. In February 2022, the KA-SAT satellite communication modems, operated by the Viasat company, were impacted by Russia-nexus Sandworm, launching a destructive command on a likely prepositioned compromise to disrupt Ukrainian army communications.\r\nTechnology and industrial espionage\r\nThe transportation sector, involving high technology, is a target for industrial cyber espionage. The threat is particularly relevant to the civil aerospace industry, especially airliner manufacturers, due to their research and development investments. China-associated intrusion sets such as LanceFly, APT41, Winnti and Mustang Panda are often reported by different cybersecurity vendors as groups involved in industrial cyber espionage, notably focusing on aerospace companies. APT41, an intrusion set associated with the Chinese Ministry of State Security, was indeed observed by TrendMicro in March 2022 using a custom Cobalt Strike loader to target a Taiwanese aviation company, a focus coherent with Symantec and Recorded Future analysis of the victimology of LanceFly, an intrusion set which technically overlaps [1] with APT41.\r\nSurveillance and individuals espionage\r\nWhen operated by intelligence services, State-nexus intrusion sets can target transportation companies to gather information about individuals. Such an operation was observed by IBM Security in March 2021, documenting the Iran-nexus MuddyWater group, associated with the Ministry of Intelligence of the Islamic Republic of Iran (MOIS), conducting an espionage operation against an Asian airline. 
The files found on the MuddyWater command and control (C2) server suggested possible access to reservation data. Similar indirect targeting for individual espionage was later used by another Iran-nexus intrusion set, Cuboid Sandstorm. The group, assessed to be associated with the intelligence service of the Islamic Revolutionary Guard Corps (IRGC), was observed by Microsoft in May 2023 impacting Albanian hotels, likely to gather information on individuals linked to an Iranian dissident organization.\r\nConclusion\r\nThe transportation sector is a regular target for financially-motivated actors, notably ransomware groups conducting double extortion campaigns. While cybercrime intrusion sets can leverage the criticality of the transportation infrastructure to extort victims, Sekoia.io assesses with high confidence that most lucrative campaigns impacting the transportation sector are opportunistic.\r\nSekoia.io assesses that the Russia-aligned hacktivist threat impacting transportation entities located in Europe will likely continue, exploiting political opportunities to conduct mainly DDoS operations against any country involved in Ukraine support. To a lesser extent, targeting airline companies could be interpreted as a retaliation for abandoning their operations in Russia in response to the Russo-Ukrainian war.\r\nSekoia.io assesses it is likely that entities associated with the transportation sector will continue to be a target for State-nexus intrusion sets aiming at disrupting logistics (especially those involved in Ukraine war support), performing industrial espionage and conducting individuals’ surveillance.\r\nExternal references:\r\n[1] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor, accessed September 12, 2023\r\nThank you for reading this blogpost. 
We welcome any reaction, feedback or criticism about this analysis. Please contact us at tdr[at]sekoia.io\r\nSource: https://blog.sekoia.io/the-transportation-sector-cyber-threat-overview/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.sekoia.io/the-transportation-sector-cyber-threat-overview/"
	],
	"report_names": [
		"the-transportation-sector-cyber-threat-overview"
	],
	"threat_actors": [
		{
			"id": "ef8ed28b-6afb-4447-b560-0df2892b8f1c",
			"created_at": "2023-06-23T02:04:34.315779Z",
			"updated_at": "2026-04-10T02:00:04.738599Z",
			"deleted_at": null,
			"main_name": "Lancefly",
			"aliases": [],
			"source_name": "ETDA:Lancefly",
			"tools": [
				"Merdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e53fc09e-24cc-40d4-b38d-7e2d6dbe81d8",
			"created_at": "2023-03-17T02:01:50.851615Z",
			"updated_at": "2026-04-10T02:00:03.362605Z",
			"deleted_at": null,
			"main_name": "Anonymous Sudan",
			"aliases": [],
			"source_name": "MISPGALAXY:Anonymous Sudan",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4f472ea8-b147-486d-8533-88f8036343a6",
			"created_at": "2024-01-23T13:22:35.081084Z",
			"updated_at": "2026-04-10T02:00:03.520098Z",
			"deleted_at": null,
			"main_name": "Cyber Partisans",
			"aliases": [],
			"source_name": "MISPGALAXY:Cyber Partisans",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "81a3e326-a23a-4b8b-ae07-2e6679b3f2b3",
			"created_at": "2023-11-04T02:00:07.682997Z",
			"updated_at": "2026-04-10T02:00:03.391958Z",
			"deleted_at": null,
			"main_name": "Lancefly",
			"aliases": [],
			"source_name": "MISPGALAXY:Lancefly",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d027fba8-ffe7-4093-aa0d-833b52ce4427",
			"created_at": "2023-01-06T13:46:39.438394Z",
			"updated_at": "2026-04-10T02:00:03.326914Z",
			"deleted_at": null,
			"main_name": "TianWu",
			"aliases": [],
			"source_name": "MISPGALAXY:TianWu",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a3917c91-ec7d-485f-8784-bfb1b1a78359",
			"created_at": "2023-11-08T02:00:07.13872Z",
			"updated_at": "2026-04-10T02:00:03.424164Z",
			"deleted_at": null,
			"main_name": "UserSec",
			"aliases": [],
			"source_name": "MISPGALAXY:UserSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cd118f78-11b5-4b51-ad97-2f7562905bdb",
			"created_at": "2024-02-02T02:00:04.021391Z",
			"updated_at": "2026-04-10T02:00:03.525833Z",
			"deleted_at": null,
			"main_name": "Cuboid Sandstorm",
			"aliases": [
				"DEV-0228"
			],
			"source_name": "MISPGALAXY:Cuboid Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7",
			"created_at": "2023-01-06T13:46:39.054248Z",
			"updated_at": "2026-04-10T02:00:03.197801Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Yellow Liderc",
				"Imperial Kitten",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Smoke Sandstorm",
				"IMPERIAL KITTEN",
				"TA456",
				"DUSTYCAVE",
				"CURIUM"
			],
			"source_name": "MISPGALAXY:Tortoiseshell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4e453d66-9ecd-47d9-b63a-32fa5450f071",
			"created_at": "2024-06-19T02:03:08.077075Z",
			"updated_at": "2026-04-10T02:00:03.830523Z",
			"deleted_at": null,
			"main_name": "GOLD LOTUS",
			"aliases": [
				"BlackByte",
				"Hecamede "
			],
			"source_name": "Secureworks:GOLD LOTUS",
			"tools": [
				"BlackByte",
				"Cobalt Strike",
				"ExByte",
				"Mega",
				"RDP",
				"SoftPerfect Network Scanner"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8309f9cf-9abb-4ce3-aa1e-cda7d7f5c1b3",
			"created_at": "2022-10-25T16:07:23.729215Z",
			"updated_at": "2026-04-10T02:00:04.729076Z",
			"deleted_at": null,
			"main_name": "Indra",
			"aliases": [],
			"source_name": "ETDA:Indra",
			"tools": [
				"Stardust"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8d28f58b-5ea2-4450-a74a-4a1e39caba6e",
			"created_at": "2026-03-16T02:02:50.582318Z",
			"updated_at": "2026-04-10T02:00:03.777263Z",
			"deleted_at": null,
			"main_name": "COASTLIGHT",
			"aliases": [
				"Gonjeshke Darande",
				"Indra",
				"Predatory Sparrow"
			],
			"source_name": "Secureworks:COASTLIGHT",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b4a6d558-3cba-499c-b58a-f15d65b7a604",
			"created_at": "2023-01-06T13:46:39.346924Z",
			"updated_at": "2026-04-10T02:00:03.295317Z",
			"deleted_at": null,
			"main_name": "Killnet",
			"aliases": [],
			"source_name": "MISPGALAXY:Killnet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4e7fd07d-fcc5-459b-b678-45a7d9cda751",
			"created_at": "2025-04-23T02:00:55.174827Z",
			"updated_at": "2026-04-10T02:00:05.353712Z",
			"deleted_at": null,
			"main_name": "BlackByte",
			"aliases": [
				"BlackByte",
				"Hecamede"
			],
			"source_name": "MITRE:BlackByte",
			"tools": [
				"AdFind",
				"BlackByte Ransomware",
				"Exbyte",
				"Arp",
				"BlackByte 2.0 Ransomware",
				"PsExec",
				"Cobalt Strike",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b5b24083-7ba6-44cc-9d11-a6274e2eee00",
			"created_at": "2022-10-25T16:07:24.337332Z",
			"updated_at": "2026-04-10T02:00:04.94285Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Cobalt Fireside",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Curium",
				"Devious Serpens",
				"Houseblend",
				"Imperial Kitten",
				"Marcella Flores",
				"Operation Fata Morgana",
				"TA456",
				"Yellow Liderc"
			],
			"source_name": "ETDA:Tortoiseshell",
			"tools": [
				"IMAPLoader",
				"Infostealer",
				"IvizTech",
				"LEMPO",
				"MANGOPUNCH",
				"SysKit",
				"get-logon-history.ps1",
				"liderc",
				"stereoversioncontrol"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "591ffe81-e46b-4e3d-90c1-9bf42abeeb47",
			"created_at": "2025-08-07T02:03:24.726943Z",
			"updated_at": "2026-04-10T02:00:03.805423Z",
			"deleted_at": null,
			"main_name": "COBALT FIRESIDE",
			"aliases": [
				"CURIUM ",
				"Crimson Sandstorm ",
				"Cuboid Sandstorm ",
				"DEV-0228 ",
				"HIVE0095 ",
				"Imperial Kitten ",
				"TA456 ",
				"Tortoiseshell ",
				"UNC3890 ",
				"Yellow Liderc "
			],
			"source_name": "Secureworks:COBALT FIRESIDE",
			"tools": [
				"FireBAK",
				"LEMPO",
				"LiderBird"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b05a0147-3a98-44d3-9b42-90d43f626a8b",
			"created_at": "2023-01-06T13:46:39.467088Z",
			"updated_at": "2026-04-10T02:00:03.33882Z",
			"deleted_at": null,
			"main_name": "NoName057(16)",
			"aliases": [
				"NoName057",
				"NoName05716",
				"05716nnm",
				"Nnm05716"
			],
			"source_name": "MISPGALAXY:NoName057(16)",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "219ddb41-2ea8-4121-8b63-8c762f7e15df",
			"created_at": "2023-01-06T13:46:39.384442Z",
			"updated_at": "2026-04-10T02:00:03.309654Z",
			"deleted_at": null,
			"main_name": "Predatory Sparrow",
			"aliases": [
				"Indra",
				"Gonjeshke Darande"
			],
			"source_name": "MISPGALAXY:Predatory Sparrow",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434254,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/13284d0cd27ac906600ae25b16ab899f3ccf70c5.pdf",
		"text": "https://archive.orkl.eu/13284d0cd27ac906600ae25b16ab899f3ccf70c5.txt",
		"img": "https://archive.orkl.eu/13284d0cd27ac906600ae25b16ab899f3ccf70c5.jpg"
	}
}