{
	"id": "97271a6a-85e2-4e34-afd8-4ef4fcea8001",
	"created_at": "2026-04-06T00:14:25.99503Z",
	"updated_at": "2026-04-10T03:36:36.983939Z",
	"deleted_at": null,
	"sha1_hash": "141b4e143958399b55532eca5ef036e16785f0e3",
	"title": "Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4875523,
	"plain_text": "Probable Iranian Cyber Actors, Static Kitten, Conducting\r\nCyberespionage Campaign Targeting UAE and Kuwait Government\r\nAgencies\r\nBy Anomali Threat Research\r\nPublished: 2025-12-18 · Archived: 2026-04-02 10:42:39 UTC\r\nScreenConnect Remote Access Tool Utilizing Ministry of Foreign Affairs-Themed EXEs and URLs: Static Kitten is likely\r\nusing features of ScreenConnect to steal sensitive information or download malware for additional cyber operations\r\ntargeting government agency employees.\r\nKey Findings\r\nAnomali Threat Research identified a campaign targeting government agencies in the United Arab Emirates (UAE)\r\nand likely the broader Middle East.\r\nWe assess with medium confidence that the activity is being conducted by the Iran-nexus cyberespionage group Static\r\nKitten, due to Israeli geopolitical-themed lures, Ministry of Foreign Affairs (MOFA) references, and the use of the file-storage service Onehub, which was attributed to their previous campaign known as Operation Quicksand.[1]\r\nThe objective of this activity is to install a remote management tool called ScreenConnect (acquired by ConnectWise in\r\n2015) with unique launch parameters that have custom properties.\r\nhttps://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies\r\nPage 1 of 8\n\nMalicious executables and URLs used in this campaign are masquerading as the Ministry of Foreign Affairs (MOFA)\r\nof Kuwait (mofa.gov[.]kw).\r\nAnother sample, including only MOFA (mfa.gov), could be used for broader government targeting.\r\nOverview\r\nAnomali Threat Research has uncovered malicious activity very likely attributed to the Iran-nexus cyberespionage group\r\nStatic Kitten (Seedworm, MERCURY, Temp.Zagros, POWERSTATS, NTSTATS, MuddyWater), which is known to target\r\nnumerous sectors primarily located in the Middle East.[2] 
This new campaign, whose tactics, techniques, and\r\nprocedures (TTPs) are consistent with previous Static Kitten activity, uses ScreenConnect launch parameters designed to target\r\nany MOFA with mfa[.]gov as part of the custom field. We found samples specifically masquerading as the Kuwaiti\r\ngovernment and the UAE National Council respectively, based on references in the malicious samples.\r\nIn mid-2020, the UAE and Israel began the process of normalizing relations. Since then, tensions have further escalated in\r\nthe region, as reported by numerous sources. The targeting of Kuwait could be tied to multiple factors, including Kuwait’s\r\nMOFA making a public statement that they were willing to lead mediation between Iran and Saudi Arabia.[3] Furthermore,\r\nin October 2020, trade numbers for a peace deal between Israel and the UAE included an estimate for the creation of 15,000\r\njobs and $2 billion in revenue on each side.[4] In that same month, Static Kitten reportedly conducted Operation Quicksand,\r\nwhich targeted prominent Israeli organizations and included the use of the file-storage service OneHub.[5]\r\nDetails\r\nWe identified two lure ZIP files being used by Static Kitten designed to trick users into downloading a purported report on\r\nrelations between Arab countries and Israel, or a file relating to scholarships. 
The URLs distributed through these phishing\r\nemails direct recipients to the intended file storage location on Onehub, a legitimate service known to be used by Static\r\nKitten for nefarious purposes.[6] Anomali Threat Research has identified that Static Kitten is continuing to use Onehub to\r\nhost a file containing ScreenConnect.\r\nThe delivery URLs found to be part of this campaign are:\r\nws.onehub[.]com/files/7w1372el\r\nws.onehub[.]com/files/94otjyvd\r\nFile names in this campaign include:\r\nتحليل ودراسة تطبيع العلاقات الدول العربية واسرائيل httpsmod[.]gov.kw.zip\r\nتحليل ودراسة تطبيع العلاقات الدول العربية واسرائيل httpsmod[.]gov.kw.exe\r\nالدراسیة.zip\r\nالدراسیة.exe\r\nمشروع.docx\r\nTranslated file names:\r\nAnalysis and study of the normalization of relations between the Arab countries and Israel httpsmod.gov.kw.zip\r\nAnalysis and study of the normalization of relations between the Arab countries and Israel httpsmod.gov.kw.exe\r\nScholarships.zip\r\nScholarships.exe\r\nProject.docx\r\nStatic Kitten’s objective is to direct users, via a phishing email, to a downloader URL (ws.onehub[.]com/files/7w1372el) that downloads a ZIP\r\nfile containing an EXE (تحليل ودراسة تطبيع العلاقات الدول العربية واسرائيل httpsmod[.]gov.kw.exe).\r\nThis EXE purports to be a report on relations between Arab countries and Israel but, when executed, actually launches the\r\ninstallation process for ScreenConnect.\r\nA similar second sample uses a .docx file that tries to direct users to ws.onehub[.]com/files/94otjyvd, which downloads a ZIP\r\nfile called الدراسیة.zip. An EXE inside the ZIP with the same name will also begin the ScreenConnect installation process when\r\nexecuted. 
An overview of the infection chain is shown in Figure 1 below.\r\nFigure 1 - Static Kitten Campaign Infection Chain\r\nLure Document Analysis\r\nStatic Kitten is distributing at least two URLs that deliver two different ZIP files that are themed to be relevant to\r\ngovernment agency employees. The URLs are distributed through phishing emails with lure and decoy documents. An\r\nexample lure is shown in Figure 2 below.\r\nFigure 2 – Static Kitten Lure Document .docx\r\nThe .docx file shown in Figure 2 directly refers to government agency recipients while highlighting concerns about recent\r\nIranian actions, the impact of the US elections, and joint studies by government entities on relations between Arab\r\ncountries and Israel. The actors reference multiple official agencies, including the General Secretariat of the Cooperation\r\nCouncil for the Arab States of the Gulf and the UAE National Media Council, likely in an effort to add the appearance of\r\nlegitimacy. A full translation of this document can be viewed in Appendix A. The hyperlink in the .docx file impersonates\r\nthe UAE National Media Council; however, the actual link directs to ws.onehub.com/files/7w1372el.\r\nThe second file is a ZIP called الدراسیة.zip (see Figure 3). We cannot determine the delivery method for this ZIP, but it is\r\nlikely similar to the .docx email delivery method of the first download URL. 
The geopolitical-themed ZIP contains an EXE\r\nfile with the same name that begins the installation process for ScreenConnect when executed (see Figure 4).\r\nFigure 3 – Download URL ws.onehub.com/files/94otjyvd for Malicious ZIP الدراسیة.zip\r\nFigure 4 - ScreenConnect Installation\r\nTechnical Analysis\r\nScreenConnect and OneHub Context\r\nBetween 2016 and 2020, we have seen ScreenConnect and Onehub used in malicious cyber activity by different,\r\nunassociated threat actors. For example, between 2016 and 2019, unknown threat actors targeted IT outsourcing firms,\r\nincluding compromising US-based Cognizant and India-based Wipro.[7] The actors responsible for these attacks used\r\nScreenConnect to connect to endpoints on client networks, enabling them to conduct further lateral movement and\r\nautomated actions on objectives. During an incident impacting Cognizant and their client Maritz Holdings, actors used\r\nScreenConnect to propagate to other connected systems and caused over $1.8 million (USD) in losses through a gift card\r\nfraud scheme.[6] In 2019, another threat group used ConnectWise to execute PowerShell commands in their target\r\nenvironments. This led to the delivery of Zeppelin and other VegaLocker ransomware variants, the Vidar information stealer,\r\nCobalt Strike beacons, PS2EXE tools, and banking Trojans.[7] In 2020, ScreenConnect/ConnectWise was utilized by the\r\ncybercriminal group Pinchy Spider (GOLD SOUTHFIELD, GOLD GARDEN, Sodinokibi, REvil, GandCrab) to distribute\r\nSodinokibi ransomware.[8]\r\nRemote desktop management software is a common target and tool for threat actors because of the wide variety of\r\nfunctionality it offers. ScreenConnect offers three primary functions, each containing different features that are valuable to\r\nthreat actors. 
ScreenConnect’s capabilities are shown in Table 1 below.\r\nTable 1 - ScreenConnect Capabilities[9]\r\nFeature | Functions\r\nRemote Support | Remote control and viewing of any internet-connected device.\r\nUnattended Access | Persistent connection allows behind-the-scenes, remote control of any machine or server.\r\nMeetings | Standard screen-sharing meetings with chat and voice communication, record video, and take\r\nscreenshots.\r\nThe cybercriminal group Graceful Spider (TA505, Gold Evergreen, TEMP.Warlock, Hive0065, Chimborazo, FIN11)\r\ndistributed spearphishing emails impersonating Onehub in 2019 in attempts to trick users into downloading the SDBbot\r\nremote access trojan (RAT).[10] Onehub’s file-storage services are also utilized in malspam emails to host various malware,\r\nas is common with other file storage locations abused by multiple threat actors.\r\nFirst Executable\r\nتحليل ودراسة تطبيع العلاقات الدول العربية واسرائيل httpsmod.gov.kw.exe\r\nWhen a user double-clicks the executable تحليل ودراسة تطبيع العلاقات الدول العربية واسرائيل httpsmod.gov.kw.exe\r\n(the ScreenConnect payload), it drops a Microsoft Installer file. This begins the installation of the client payload onto victim\r\nmachines. While the actors attempted to make the installation appear legitimate, closer inspection of the client launch\r\nparameters reveals the potential for broader MOFA targeting. 
The client service launch parameters are:\r\n\"C:\\Program Files (x86)\\ScreenConnect Client (a97eeae2330a1851)\\ScreenConnect.ClientService.exe\" \"?\r\ne=Access\u0026y=Guest\u0026h=instance-uwct38-relay.screenconnect.com\u0026p=443\u0026s=defc756e-8027-47b6-b67f-400b5152b0f9\u0026k=BgIAAACkAABSU0ExAAgAAAEAAQAtuFTxmBL02KmPrJD46iRMPemIxmEf5ugjlUMfa193CjLMeH9pna2eM0ZGHYhe3MZH\r\nWhile the ScreenConnect client agent is being installed, the server component expects a connection, and the server can\r\nidentify the client agent through a public key thumbprint. The thumbprint is a 16-character string located at \"C:\\Program\r\nFiles (x86)\\ScreenConnect Client (a97eeae2330a1851)\".\r\nAnalysis of the authentic launch parameters passed back to the server as part of ScreenConnect functionality is shown in\r\nTable 2 below.\r\nTable 2 - ScreenConnect Launch Parameters\r\nLaunch Parameter\r\ne=Access\r\ny=Guest\r\nh=instance-sy9at2-relay.screenconnect.com\r\np=443\r\ns=6a1e6739-ad4f-4759-8c69-dfe896b9a817\r\nk=BgIAAACkAABSU0ExAAgAAAEAAQCVzMmjXhdfu5xyqTHPWDSj9Qjbq%2bQlIQursvinhHWO9UWKiTPrrR7quzVCpids4AagFWBCbS6cfo\r\n\u0026t\r\nThe launch parameters that indicate this EXE is designed to target MOFAs are the custom c parameters:\r\n\u0026c=mofa\r\n\u0026c=mofa.gov.kw\r\nThese parameters contain predefined properties that can allow an actor to know which target, or which location, has been\r\ninfected. In this example the infected target is MOFA.\r\nSecond Executable\r\nالمنح الدراسیة.exe\r\nThe ScreenConnect launch parameters from المنح الدراسیة.exe are shown below:\r\n\"C:\\Program Files (x86)\\ScreenConnect Client (03b9d0ec9210f109)\\ScreenConnect.ClientService.exe\" \"?\r\ne=Access\u0026y=Guest\u0026h=instance-sy9at2-relay.screenconnect.com\u0026p=443\u0026s=6a1e6739-ad4f-4759-8c69-dfe896b9a817\u0026k=BgIAAACkAABSU0ExAAgAAAEAAQCVzMmjXhdfu5xyqTHPWDSj9Qjbq%2bQlIQursvinhHWO9UWKiTPrrR7quzVCpids4Aag\r\nThe actors again created a custom field parameter; however, this one is kept to generic MOFA targeting that appears as\r\nMFA:\r\n\u0026c=mfa\u0026c=mfa.gov\r\nConclusion\r\nUtilizing legitimate software for malicious purposes can be an effective way for threat actors to obfuscate their operations.\r\nIn this latest example, Static Kitten is very likely using features of ScreenConnect to steal sensitive information or download\r\nmalware for additional cyber operations. As Static Kitten is assessed to be primarily focused on cyberespionage, it is very\r\nlikely that data theft is the primary objective behind propagating ScreenConnect to government agency employees. 
We will\r\ncontinue monitoring this group for additional malicious activity and provide details when appropriate.\r\nMITRE TTPs\r\nMasquerading - T1036\r\nPhishing - T1566\r\nRemote Access Software - T1219\r\nSpearphishing Attachment - T1566.001\r\nSpearphishing Link - T1566.002\r\nUser Execution - T1204\r\nUser Execution: Malicious File - T1204.002\r\nEndnotes\r\n[1] ClearSky Cyber Security, “Operation Quicksand: Muddywater’s Offensive Attack Against Israeli Organizations,”\r\nClearSky, accessed February 8, 2021, published October 2020, https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf, 3.\r\n[2] “MuddyWater,” MITRE, accessed February 8, 2021, https://attack.mitre.org/groups/G0069/.\r\n[3] “Kuwait willing to mediate between Iran and Saudi,” Middle East Monitor, accessed February 8, 2021, published\r\nFebruary 4, 2021, https://www.middleeastmonitor.com/20210204-kuwait-willing-to-mediate-between-iran-and-saudi/.\r\n[4] Attila Shumelby, “Intelligence Minister Eli Cohen: Netanyahu secretly visited other countries besides the Emirates,”\r\nYnet, accessed February 8, 2021, published September 9, 2020, https://www.ynet.co.il/news/article/S1v00IFsXP; Jonathan\r\nJosephs, “Israel-UAE peace deal ‘big’ for trade in Middle East,” BBC News, accessed February 8, 2021, published October\r\n16, 2020, https://www.bbc.com/news/business-54574022.\r\n[5] ClearSky Cyber Security, “Operation Quicksand: Muddywater’s Offensive Attack Against Israeli Organizations,”\r\nClearSky, 23.\r\n[6] Ibid.\r\n[7] “Wipro Intruders Targeted Other Major IT Firms,” KrebsOnSecurity, accessed February 8, 2021, published April 18,\r\n2019, https://krebsonsecurity.com/2019/04/wipro-intruders-targeted-other-major-it-firms/#more-47453.\r\n[8] Ibid.\r\n[8] Alon Groisman, “Connectwise Control Abused Again to Deliver Zeppelin Ransomware,” Morphisec Blog, accessed\r\nFebruary 8, 2021, published December 18, 2019, 
https://blog.morphisec.com/connectwise-control-abused-again-to-deliver-zeppelin-ransomware.\r\n[9] “CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS,” Tetra Defense, accessed February 8, 2021,\r\nhttps://www.tetradefense.com/incident-response-services/cause-and-effect-sodinokibi-ransomware-analysis/.\r\n[9] “Now Let’s Get Tech-y: ScreenConnect’s three main product components create a trio of powerful remote functionality,”\r\nConnectWise Control, accessed February 8, 2021, https://www.screenconnect.com/Remote-Support?\r\nt=2\u0026t=2#:~:text=ScreenConnect%20is%20a%20fully%20functional,remote%20support%20on%20the%20fly.\r\n[10] Dennis Schwarz, et al., “TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader,” Proofpoint,\r\naccessed February 8, 2021, published October 16, 2019, https://www.proofpoint.com/us/threat-insight/post/ta505-\r\ndistributes-new-sdbbot-remote-access-trojan-get2-downloader.\r\nIOCs\r\nAppendix A\r\nGentlemen / employees of government agencies\r\nHappy New Year\r\nAfter a kind greeting ,,,\r\nIn view of the situation in the region, especially after the US elections, and concerns about Iran's actions, joint studies have\r\nbeen conducted between the National Media Council and the General Secretariat of 
the Cooperation Council for the Arab\r\nStates of the Gulf on counting the political, security and economic consequences of the normalization of relations between\r\nArab countries and Israel. Consequently, the draft studies on negotiations on the normalization of relations between Arab\r\ncountries and Israel were presented by experts of the member states of the General Secretariat of the Cooperation Council\r\nfor the Arab States of the Gulf, and in this regard, the National Media Council seeks to conduct a comprehensive survey by\r\nthe member states.\r\nDownload the relevant content via the link below.\r\nAnalysis and study / normalization of relations / Arab countries and Israel / https://nmc.gov.ae\r\nYours sincerely",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies"
	],
	"report_names": [
		"probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "91ff2504-6c1a-4eaa-832b-2c5e297426c5",
			"created_at": "2022-10-25T16:47:55.740817Z",
			"updated_at": "2026-04-10T02:00:03.678203Z",
			"deleted_at": null,
			"main_name": "GOLD EVERGREEN",
			"aliases": [
				"The Business Club"
			],
			"source_name": "Secureworks:GOLD EVERGREEN",
			"tools": [
				"CryptoLocker",
				"JabberZeus",
				"Pony",
				"Zeus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6728f306-6259-4e7d-a4ea-59586d90a47d",
			"created_at": "2023-01-06T13:46:39.175292Z",
			"updated_at": "2026-04-10T02:00:03.236282Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"TEMP.Warlock",
				"UNC902"
			],
			"source_name": "MISPGALAXY:FIN11",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8610b0d9-a6af-4010-818f-28671efc5d5e",
			"created_at": "2023-01-06T13:46:38.897477Z",
			"updated_at": "2026-04-10T02:00:03.138459Z",
			"deleted_at": null,
			"main_name": "PINCHY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:PINCHY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c84bbd2e-003d-4c43-8a46-d777455db2c7",
			"created_at": "2022-10-25T15:50:23.701006Z",
			"updated_at": "2026-04-10T02:00:05.378962Z",
			"deleted_at": null,
			"main_name": "GOLD SOUTHFIELD",
			"aliases": [
				"GOLD SOUTHFIELD",
				"Pinchy Spider"
			],
			"source_name": "MITRE:GOLD SOUTHFIELD",
			"tools": [
				"ConnectWise",
				"REvil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8ada819f-dec0-4de4-97eb-0a8aff899c56",
			"created_at": "2023-01-06T13:46:39.225531Z",
			"updated_at": "2026-04-10T02:00:03.251546Z",
			"deleted_at": null,
			"main_name": "GOLD EVERGREEN",
			"aliases": [],
			"source_name": "MISPGALAXY:GOLD EVERGREEN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "404bb014-d051-447e-90d8-1a4adc3409b0",
			"created_at": "2024-06-19T02:03:08.058292Z",
			"updated_at": "2026-04-10T02:00:03.679333Z",
			"deleted_at": null,
			"main_name": "GOLD GARDEN",
			"aliases": [
				""
			],
			"source_name": "Secureworks:GOLD GARDEN",
			"tools": [
				"GandCrab"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7961bf6e-e429-484c-93e2-bd1d36fa5588",
			"created_at": "2023-01-06T13:46:39.275053Z",
			"updated_at": "2026-04-10T02:00:03.270128Z",
			"deleted_at": null,
			"main_name": "GOLD SOUTHFIELD",
			"aliases": [],
			"source_name": "MISPGALAXY:GOLD SOUTHFIELD",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "02ef8063-7ad4-42ba-a646-97210000f6b5",
			"created_at": "2024-06-19T02:03:08.117993Z",
			"updated_at": "2026-04-10T02:00:03.614663Z",
			"deleted_at": null,
			"main_name": "GOLD SOUTHFIELD",
			"aliases": [
				""
			],
			"source_name": "Secureworks:GOLD SOUTHFIELD",
			"tools": [
				"REvil"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9df68733-9bcd-43b1-88f1-24b110fa3d56",
			"created_at": "2022-10-25T16:07:24.051993Z",
			"updated_at": "2026-04-10T02:00:04.851037Z",
			"deleted_at": null,
			"main_name": "Pinchy Spider",
			"aliases": [
				"G0115",
				"Gold Garden",
				"Gold Southfield",
				"Pinchy Spider"
			],
			"source_name": "ETDA:Pinchy Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"GandCrab",
				"GrandCrab",
				"REvil",
				"Sodin",
				"Sodinokibi",
				"VIDAR",
				"Vidar Stealer",
				"certutil",
				"certutil.exe",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "70268431-11ed-474f-9fbc-96f894684201",
			"created_at": "2023-01-06T13:46:39.26058Z",
			"updated_at": "2026-04-10T02:00:03.26462Z",
			"deleted_at": null,
			"main_name": "GOLD GARDEN",
			"aliases": [],
			"source_name": "MISPGALAXY:GOLD GARDEN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434465,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/141b4e143958399b55532eca5ef036e16785f0e3.pdf",
		"text": "https://archive.orkl.eu/141b4e143958399b55532eca5ef036e16785f0e3.txt",
		"img": "https://archive.orkl.eu/141b4e143958399b55532eca5ef036e16785f0e3.jpg"
	}
}