{
	"id": "670cdcf9-e893-4fbb-bba9-7df55c3b3267",
	"created_at": "2026-04-06T00:14:58.560443Z",
	"updated_at": "2026-04-10T03:38:03.332862Z",
	"deleted_at": null,
	"sha1_hash": "13664c900bb06b88df95238c97d4cb3951cd0de0",
	"title": "New TA402 Molerats Malware Targets Governments in the Middle East | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2230222,
	"plain_text": "New TA402 Molerats Malware Targets Governments in the Middle East |\r\nProofpoint US\r\nBy Konstantin Klinger, Dennis Schwarz, and Selena Larson, June 17, 2021\r\nPublished: 2021-06-16 · Archived: 2026-04-05 12:38:39 UTC\r\nKey Findings \r\nTA402 leverages political and military themes, including the ongoing conflict in the Gaza Strip, to entice users\r\nto open attachments and click on malicious links. \r\nTA402 activity is largely focused on entities operating in the Middle East, especially government or government-adjacent organizations. \r\nTA402’s custom malware, called LastConn, is used to gain access and conduct information-gathering activities. \r\nLastConn uses a number of unique features to deter automated threat analysis and make manual analysis difficult. \r\nOverview \r\nProofpoint researchers identified malware called LastConn distributed by TA402, a threat actor also known as Molerats.\r\nThe malware targeted government institutions in the Middle East and global government organizations associated with\r\ngeopolitics in the region.  \r\nTA402 is a Middle Eastern advanced persistent threat (APT) group that often targets entities in Israel and Palestine, in\r\naddition to other regions in the Middle East. In campaigns identified throughout 2021, TA402 leveraged Middle Eastern\r\ngeopolitical themes including the ongoing conflict in the Gaza Strip. The custom malware implant identified by Proofpoint\r\nenables the threat actor to conduct reconnaissance on the target host and exfiltrate data. TA402 leveraged multiple\r\nmechanisms to avoid automated threat analysis, including geofencing based on IP addresses, only targeting computers with\r\nArabic language packs installed, and password-protected archive files to distribute malware. 
\r\nCampaign Details \r\nFollowing a busy 2020 for TA402, Proofpoint researchers identified new and highly targeted email threat\r\ncampaigns impacting government organizations in the Middle East and entities with diplomatic relationships in the region.  \r\nBased on Proofpoint visibility, the campaigns occurred on a weekly basis throughout early 2021 before abruptly stopping in\r\nMarch for a two-month hiatus. TA402, also known as Molerats and GazaHackerTeam, resumed email threat campaigns in\r\nearly June 2021 with continued use of malware Proofpoint dubbed LastConn. Researchers assess with high\r\nconfidence LastConn is an updated version of SharpStage malware first reported by Cybereason in December 2020. \r\nThe temporary disruption to email threat operations in March 2021 is interesting and may be due to current tensions in the\r\nMiddle East region including ongoing violence in the Gaza Strip between Israeli and Palestinian militants or the observation\r\nof Ramadan in April through early May 2021, one of the most important religious holidays for\r\nMuslims. However, Proofpoint cannot confirm either hypothesis with high confidence.  \r\nTA402 Background \u0026 Attribution \r\nTA402 has been active since at least 2011 and is believed to be operating out of the Middle East. The group’s\r\ntargeting includes, but is not limited to, entities in Israel and Palestine. [3,4] TA402 is known to target multiple industry\r\nverticals such as technology, telecommunications, financial institutions, academic institutions, military installations, media\r\noutlets, and government offices. The primary motivation of this group is to collect sensitive information and documents\r\nhttps://www.proofpoint.com/us/blog/threat-insight/new-ta402-molerats-malware-targets-governments-middle-east\r\nPage 1 of 12\n\nfrom high-value targets to gather intelligence. 
Proofpoint assesses with moderate confidence, based on lure topics, targeting,\r\nand historic campaigns, that the activity likely supports military or Palestinian state objectives. \r\nAttack Paths \r\nTA402 used spear-phishing emails containing either malicious links or attachments in the recently observed campaigns. \r\nIn June campaigns, TA402 leveraged a PDF attachment with one or multiple geofenced URLs leading to password-protected\r\narchives that contained the malware.  \r\n Figure 1: TA402 attack chain leveraging PDF attachments \r\nThe email and the PDF are typically both written in Arabic, and the lure is usually based on a geopolitical topic impacting\r\nthe Middle East, especially the Gaza conflict. Proofpoint observed lure themes including “A delegation from Hamas meets\r\nwith the Syrian regime” and “Hamas member list”. The password of the RAR file can be found inside the text of the\r\nPDF. Extracting the archive reveals a custom TA402 implant. In recent campaigns, the archive\r\ndropped LastConn malware. Other observed malware distributed by this attack path\r\ninclude SharpStage, Loda, and MiraiEye RAT. \r\nFigure 2: Example PDF from 02 June 2021 campaign. The filename is “hamas - syria.pdf” with the content purporting to\r\nbe details regarding a delegation of Hamas militants meeting with Syrian regime representatives. (SHA256:\r\n557c60ae9c613164fda3189720eaf78fe60b6bd8191f4d208ca3bbbdceffee36) \r\nThe PDF link drops the following files. \r\nDownloaded RAR: \r\nHamas-Syria.rar|0db46fea5a0be8624069f978f115e4270833df29ed776c712182327a758fd639 \r\nExe file inside RAR: \r\nإجتماع وفد من حماس مع النظام السوري.exe|f55e2050733576fa16452e2589a187f4bf202ca3b54b1497ba2c006e8d3bdd45 \r\nTranslation: “A delegation from Hamas meets with the Syrian regime” \r\nA payload is not immediately downloaded. 
Proofpoint researchers were unable to determine the exact mechanisms for\r\ninitiating links to the hosted malware, but the PDF may only direct the victim to the files if the source IP address belongs to\r\nthe targeted countries in the Middle East. If the source IP address does not align with the target group, the URL may redirect\r\nthe recipient to a benign decoy website, typically an Arabic language news website. \r\nFigure 3: Example Benign Decoy Redirect from 02 June 2021 PDF campaign \r\nThe password protection of the malicious archive and the geofenced delivery method are two easy anti-detection\r\nmechanisms threat actors can use to bypass automatic analysis products. \r\nAnother initial access vector inside TA402’s 2021 arsenal observed in February is the use of Google Apps Script\r\nURLs directly inside the spear-phishing email. Google Apps Script is a development platform based on JavaScript that\r\nallows both the creation of standalone web apps and powerful extensions to various elements of the Google Apps software-as-a-service ecosystem. Proofpoint has previously observed multiple threat actors leveraging this method of malware\r\ndistribution via URLs. \r\n Figure 4: TA402 attack chain leveraging Google Apps Script URLs \r\nIn the identified TA402 campaign, the script also redirects to a password-protected archive or to a benign decoy\r\nwebsite based on the geofencing mechanism. Some Google Apps Script URLs Proofpoint observed in this campaign also\r\nrequire a legitimate login to a Google account before they can be accessed.  
\r\nExample URL from 16 February 2021 URL campaign: \r\nhxxps://script[.]google[.]com/macros/s/AKfycbxhRyJqO682mzT4C3-aNwSULjNPuHvhqpGYElJedUBPfaG60fZSOEQ/exec \r\n \r\nFigure 5: Example benign decoy redirect from 16 February 2021 URL campaign \r\nExtracting the archive leads to a custom TA402 implant, in this case LastConn. \r\n \r\nFigure 6: Example Successful Download of RAR archive from 16 February 2021 URL campaign \r\nMalware Analysis \r\nTA402 has been using malware that Proofpoint tracks as LastConn in recent email-based campaigns. It is an\r\nupdated version or new variant of the malware that Cybereason calls “SharpStage” and analyzed in December 2020. \r\nLastConn malware is specifically targeted at computers with an Arabic language pack installed to ensure it only infects\r\nspecific targets. It uses Dropbox for all command and control (C2) capabilities and infrastructure. Proofpoint researchers\r\nassess LastConn is very actively developed and maintained malware. It features multiple capabilities that attempt to prevent\r\nboth automated and manual malware analysis.  
\r\nSamples \r\nFor this malware analysis Proofpoint researchers analyzed the following two samples: \r\nSHA256: 6d65804ca8f71e21b18de08176a53d8f203bc23629dd822ef3c0da217f95f119  \r\nCompile time: 2021-02-16 06:55:44 \r\nUsed in an email-based campaign on 16 February 2021 \r\nand \r\nSHA256: f55e2050733576fa16452e2589a187f4bf202ca3b54b1497ba2c006e8d3bdd45  \r\nCompile time: 2021-05-27 04:58:05 \r\nUsed in email-based campaigns in June 2021 \r\nNaming \r\nThe name “LastConn” is based on a file “LastConn.txt” that is maintained on the malware’s Dropbox account and used to\r\ndocument when the malware was active: \r\n \r\nFigure 7: Origin of “LastConn” name \r\nAnti-Analysis \r\nBoth samples use third-party .NET code obfuscators. The sample in February used an unknown obfuscator that\r\nthe de4dot deobfuscator was unable to deobfuscate.  \r\nBased on a string, the sample in June used an obfuscator called “Eziriz's .NET Reactor”. It added obfuscations such as: \r\nObfuscated names \r\nJunk code \r\nControl flow obfuscation \r\nDate check – e.g., not runnable 14 days after 2021-06-16 \r\nEncrypted strings – see below \r\nWhile de4dot could not fully deobfuscate this one either, it was able to clean up some of the obfuscations. \r\nStrings in the malware and its included components were stored encrypted inside a .NET resource. A 32-byte key was stored\r\nas a stack string with multiple character replacements and is used with an unknown decryption algorithm. Once the resource\r\nis decrypted, strings are referenced by an index. We have included a list of decrypted strings and their index values on our\r\nProofpoint Threat Research GitHub. 
\r\nIn addition to the code obfuscator anti-analysis mechanisms, the LastConn malware requires mouse clicks and an Arabic\r\nlanguage pack to be installed on the victim’s computer before it will continue executing its malicious functionality: \r\n Figure 8: Arabic language check \r\nConfiguration \r\nLastConn’s configuration is stored as an unnamed encrypted PE resource: \r\n \r\nFigure 9: Encrypted configuration \r\nIt can be decrypted by: \r\nSplitting on “#” and finding the piece with data \r\nReversing the data, but keeping any trailing “=”s \r\nBase64 decoding \r\nSplitting on “@” \r\nThe configuration for the February sample looks like: \r\ntxt_Totime=25 \r\ntxt_Ftime=20 \r\ntxt_FristTimeConn=20 \r\ntxt_PathDir=C:\\Users\\Public\\Downloads \r\ntxt_PassRar=YOV76B95S6 \r\ntxt_Mutex=95DTUJMONY4LMDLYZZBQFSSGG \r\ntxt_KeyPath=SOFTWARE\\MicroFile \r\ntxt_LastConn=LastConn.txt \r\ntxt_ShellCode=ShellCode.txt \r\ntxt_ListFile=ListFile.txt \r\ntxt_isdownload=isdownload.txt \r\ntxt_FileToDown=FileToDown.txt \r\ntxt_TokenRunOne=2AQ... \r\ntxt_FileName=Local \r\ntxt_MyToken=2AQ... \r\ntxt_FileOpen=hamas.docx \r\ntxt_Setting=Setting \r\nThe configuration for the June sample looks like: \r\ntxt_Totime=60 \r\ntxt_Ftime=50 \r\ntxt_FristTimeConn=45 \r\ntxt_PathDir=C:\\Users\\Public\\Downloads \r\ntxt_PassRar=1D1VQB4G8Q \r\ntxt_Mutex=NVQAGGMV22CY37LNUO9T5CZVS \r\ntxt_KeyPath=SOFTWARE\\Box \r\ntxt_LastConn=LastConn.txt \r\ntxt_ShellCode=ShellCode.txt \r\ntxt_ListFile=ListFile.txt \r\ntxt_isdownload=isdownload.txt \r\ntxt_FileToDown=FileToDown.txt \r\ntxt_TokenRunOne=O1P... \r\ntxt_FileName=Viewfile \r\ntxt_MyToken=O1P... 
\r\ntxt_FileOpen=news.doc \r\ntxt_Setting=Setting \r\n“txt_TokenRunOne” and “txt_MyToken” are Dropbox authentication tokens and have been redacted in this report. The\r\nmalware trims the first three characters off the token before using them. \r\nMost of these config options will be discussed below, but the ones that are not include: \r\ntxt_Totime, txt_Ftime, and txt_FristTimeConn – used to control timing of the malware \r\ntxt_Mutex – used as a mutex name \r\ntxt_KeyPath – used as a registry subkey to track some malware status \r\ntxt_isdownload – a status/debug file that is maintained on the malware’s Dropbox \r\nFunctionality \r\nThe first time LastConn runs, a “RunFileOnes” function is executed. This function uses the legitimate Dropbox API and\r\nthe “txt_TokenRunOne” authentication token to download the “txt_FileOpen” file to “txt_PathDir”. This file is\r\nthen opened, and Proofpoint researchers believe it is used to display a decoy document. The February decoy document was\r\nnamed “hamas.docx” and looked like: \r\nFigure 10: Example of LastConn decoy document \r\nThe decoy document for the June campaigns, “news.doc”, was not available at the time of research. \r\nAfter the decoy document functionality, a “StartFolder” function is executed. Using the Dropbox API and the\r\n“txt_MyToken” authentication token a working directory is created on the malware’s Dropbox named “\u003ccomputer_name\u003e\r\n\u003cusername\u003e”. An empty “txt_FileToDown” file is then uploaded to the working directory. Proofpoint researchers believe\r\nthis empty file is used to signal that the malware has been initialized and is ready to execute commands. \r\nThe final broad function is called “GetUpload” and is used to do several things. First, it maintains the “txt_LastConn”\r\nmalware activity log mentioned in the “Naming” section above.  
\r\nSecond, it downloads the “txt_Setting” file which contains a third Dropbox authentication token used for\r\ncommand handling. If this file cannot be downloaded, a new “txt_MyToken” is fetched from Pastebin sites and the\r\ndownload is tried again. At the time of research, the content of the configured Pastebin URLs was unavailable: \r\nhxxps://pastebin\\.com/raw/q81XevX2 \r\nhxxps://justpaste\\.it/ONE_ME_OR18 \r\nThird, it downloads the legitimate RAR utility file Rar.exe and the “txt_FileName”.rar file. The RAR archive is decompressed\r\nusing the downloaded RAR utility and the “txt_PassRar” password. The June campaign’s “Viewfile.rar” contained: \r\nViewfile.exe - a copy of the LastConn malware  \r\nSHA256: f55e2050733576fa16452e2589a187f4bf202ca3b54b1497ba2c006e8d3bdd45 \r\nViewfileQA.exe - a program that sets up registry “Shell Folders” and “User Shell Folders” persistence for LastConn \r\nSHA256: 0f36088ed9f5ffd4b42d35789113e99d8839edc52e554dbee0969bcad0200cfb \r\nThe fourth and final capability is command handling. The “txt_FileToDown” file is downloaded from Dropbox using the\r\nauthentication token received in the “txt_Setting” file. If there are any commands to execute, this file will contain\r\nnewline-delimited “\u003ccommand\u003e=\u003ccommand arguments\u003e” entries. 
Commands include: \r\nDFileDrop – download and execute file hosted on the malware’s Dropbox \r\nDFromUrl – download and execute file hosted at a URL \r\nCmd – execute cmd.exe command and send results back to the malware’s Dropbox via the “txt_ShellCode” file \r\nPowershell – similar to “Cmd”, but for PowerShell \r\nWMIC – similar to “Cmd”, but for WMIC \r\nListFile – get specified file listing and send results back to the malware’s Dropbox via the “txt_ListFile” file \r\nUploadFiles – create folder on the malware’s Dropbox and upload specified files to it \r\nScreenshot – take a screenshot and upload to the malware’s Dropbox \r\nGetIP – get IP address via hxxps://api.ipify\\.org and upload to the malware’s Dropbox \r\nOnce a command is executed, its entry is removed from the “txt_FileToDown” file and the file is re-uploaded to the\r\nmalware’s Dropbox. \r\nConclusion \r\nTA402 is a highly effective and capable threat actor that remains a serious threat, especially to entities operating in and\r\nworking with government or other geopolitical entities in the Middle East. Researchers anticipate TA402 will remain very\r\nactive, based on its return to weekly threat activity as of June 2021. It is likely TA402 will continue its targeting, largely\r\nfocused on the Middle East region. Proofpoint assesses TA402 will continue to develop and modify customized\r\nmalware implants and include features to evade detection and automated analysis.  \r\nTo defend against exploitation, Proofpoint recommends recipients pay close attention when downloading and opening\r\npassword-protected archives, and only open them from trusted sources. Proofpoint’s Threat Research team developed\r\nEmerging Threat rules to detect post-infection network traffic.  
\r\nIndicators of Compromise (IOCs) \r\nIOC | IOC Type | Description \r\nf55e2050733576fa16452e2589a187f4bf202ca3b54b1497ba2c006e8d3bdd45 | SHA256 | “إجتماع وفد من حماس مع النظام السوري.exe” - LastConn sample June 2021 \r\n0db46fea5a0be8624069f978f115e4270833df29ed776c712182327a758fd639 | SHA256 | “Hamas-Syria.rar” - Password protected RAR archive containing LastConn exe June 2021 \r\nhxxp[:]//192[.]210[.]151[.]43/CVDWwr42525[.]php | URL | URL that leads to “Hamas-Syria.rar” June 2021 \r\n557c60ae9c613164fda3189720eaf78fe60b6bd8191f4d208ca3bbbdceffee36 | SHA256 | “hamas - syria.pdf” - PDF as seen in email June 2021 \r\n0f36088ed9f5ffd4b42d35789113e99d8839edc52e554dbee0969bcad0200cfb | SHA256 | Sets up persistence for LastConn sample June 2021 \r\n1cf18ce4becf2244fb715aa52eb4d56b569a95f2a1e7a835d217a20a2757a2d8 | SHA256 | “Hammas.exe” - LastConn sample 16th February 2021 \r\n6d65804ca8f71e21b18de08176a53d8f203bc23629dd822ef3c0da217f95f119 | SHA256 | “Hammas.exe” - LastConn dropper 16th February 2021 \r\ncd60488acc0cc596c0de63eb0a7bca4ada4748fc4e76a86ca0fab42f15050347 | SHA256 | “Hammas.rar” - Password protected RAR archive containing “Hamas.exe” 16th February 2021 \r\nhxxps://script[.]google[.]com/macros/s/AKfycbxhRyJqO682mzT4C3-aNwSULjNPuHvhqpGYElJedUBPfaG60fZSOEQ/exec | URL | URL that leads to “Hammas.rar” 16th February 2021 \r\nET Signatures \r\n2848195 - ETPRO MALWARE Molerats LastConn Dropbox Activity \r\nSource: https://www.proofpoint.com/us/blog/threat-insight/new-ta402-molerats-malware-targets-governments-middle-east",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/new-ta402-molerats-malware-targets-governments-middle-east"
	],
	"report_names": [
		"new-ta402-molerats-malware-targets-governments-middle-east"
	],
	"threat_actors": [
		{
			"id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f",
			"created_at": "2022-10-25T15:50:23.756782Z",
			"updated_at": "2026-04-10T02:00:05.324924Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Molerats",
				"Operation Molerats",
				"Gaza Cybergang"
			],
			"source_name": "MITRE:Molerats",
			"tools": [
				"MoleNet",
				"DustySky",
				"DropBook",
				"SharpStage",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c",
			"created_at": "2023-01-06T13:46:38.508262Z",
			"updated_at": "2026-04-10T02:00:03.006018Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Gaza Cybergang",
				"Operation Molerats",
				"Extreme Jackal",
				"ALUMINUM SARATOGA",
				"G0021",
				"BLACKSTEM",
				"Gaza Hackers Team",
				"Gaza cybergang"
			],
			"source_name": "MISPGALAXY:Molerats",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0ad97d64-7970-48ca-83f6-3635c66e315c",
			"created_at": "2023-11-21T02:00:07.400003Z",
			"updated_at": "2026-04-10T02:00:03.479189Z",
			"deleted_at": null,
			"main_name": "TA402",
			"aliases": [],
			"source_name": "MISPGALAXY:TA402",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-10T02:00:04.768142Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434498,
	"ts_updated_at": 1775792283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/13664c900bb06b88df95238c97d4cb3951cd0de0.pdf",
		"text": "https://archive.orkl.eu/13664c900bb06b88df95238c97d4cb3951cd0de0.txt",
		"img": "https://archive.orkl.eu/13664c900bb06b88df95238c97d4cb3951cd0de0.jpg"
	}
}