{
	"id": "7abc466f-2e94-4243-b50a-2faa74bfd1dc",
	"created_at": "2026-04-06T00:12:18.536178Z",
	"updated_at": "2026-04-12T02:22:14.811079Z",
	"deleted_at": null,
	"sha1_hash": "142b04f517a7ee2de3224b79afee580463689a3f",
	"title": "Xenomorph: A newly hatched Banking Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2154632,
	"plain_text": "Xenomorph: A newly hatched Banking Trojan\r\nPublished: 2024-10-01 · Archived: 2026-04-05 17:01:52 UTC\r\nIntro\r\nIn February 2022, ThreatFabric came across a new Android banking Trojan, which we dubbed Xenomorph. The name comes from its clear ties with another infamous banking Trojan, Alien, from which Xenomorph adopts class names and interesting strings.\r\nBased on the intelligence gathered, users of 56 different European banks are among the targets of this new Android banking Trojan, which was distributed on the official Google Play Store with more than 50,000 installations.\r\nJust like the monster protagonist of Ridley Scott’s famous franchise, this malware shares some aspects with its predecessor. However, despite its obvious ties to one of the most widespread malware families of the last two years, Xenomorph is radically different from Alien in functionality. This fact, together with the presence of unimplemented features and the large amount of logging left in the malware, may suggest that Xenomorph is the in-progress new project of either the actors responsible for the original Alien, or at least of someone familiar with its code base. However, this is only speculation at the moment.\r\nDistribution\r\nAs we have previously discussed, threat actors are increasingly focusing their efforts on sneaking their way onto the Google Play Store (MITRE T1475).\r\nGoogle has seemingly taken some action to reduce the number of malicious applications on the app market, but often these efforts are not enough to stop criminals from reaching the store. As part of our daily threat hunting, ThreatFabric analysts encounter and report malicious applications on the store to Google.\r\nOne of the applications ThreatFabric discovered was posing as “Fast Cleaner”, an application claiming to speed up the device by removing unused clutter and removing battery optimization blocks. 
The application itself seemed successful, with more than 50,000 installations reported on Google Play. This is not an uncommon lure, and we have seen malware families like Vultur and Alien being deployed by such applications.\r\nhttps://www.threatfabric.com/blogs/xenomorph-a-newly-hatched-banking-trojan.html\r\nPage 1 of 14\n\nUpon analysis, we recognized this application as belonging to the Gymdrop dropper family. Gymdrop is a dropper family discovered by ThreatFabric in November 2021. Previously it was observed deploying an Alien.A payload. From the configuration downloaded by the dropper, ThreatFabric was able to confirm that this dropper family continues to use Alien as its payload. However, contrary to the past, the server hosting the malicious code also contained two other malware families, which were returned instead of Alien based on specific triggers.\r\nFirstly, we observed samples belonging to a new wave of ExobotCompact.D, which has seen a resurgence in the past few weeks, posing as Google Play Store applications as well as various banking applications.\r\nHowever, despite this being the first time we observed ExobotCompact.D and Alien.A being distributed by the same dropper infrastructure, what surprised us most was the presence of a totally new malware family. This is how ThreatFabric discovered Xenomorph.\r\nCapabilities\r\nHere is a comprehensive list of Xenomorph capabilities:\r\nModus Operandi\r\nThe main attack vector for Xenomorph is the classic overlay attack powered by Accessibility Services privileges. Once the malware is up and running on a device, its background services receive accessibility events whenever something new happens on the device. 
If the application opened is part of the list of targets, Xenomorph triggers an overlay injection and shows a WebView Activity posing as the targeted package. Here are a few examples of triggered overlays:\r\nThis feature is performed by the code in the snippet below (decompiled; comments added for readability):\r\nprotected void onStart() {\r\n    super.onStart();\r\n    this.context = this;\r\n    // Look up the overlay resource for the package name stored under the AITG preference key\r\n    OverlayInjectResource v0 = UtilGlobal.getPackageInjection(this, UtilGlobal.SettingsRead(this, \"AITG\"));\r\n    this.resource = v0;\r\n    this.hideStop = true;\r\n    if (!this.stopActivity \u0026\u0026 v0 != null) {\r\n        try {\r\n            // Full-screen WebView with JavaScript enabled, so the phishing page can run scripts\r\n            WebView v0_2 = new WebView(this);\r\n            this.wv = v0_2;\r\n            v0_2.getSettings().setJavaScriptEnabled(true);\r\n            this.wv.setScrollBarStyle(0);\r\n            this.wv.setWebViewClient(new MyWebViewClient(null));\r\n            this.wv.setWebChromeClient(new MyWebChromeClient(null));\r\n            // JavaScript bridge: the overlay page can call back into the app through window.Android\r\n            this.wv.addJavascriptInterface(new WebAppInterface(this), \"Android\");\r\n            // The downloaded overlay HTML is loaded directly; no URL is ever requested\r\n            String v3 = this.resource.getPageResource(this);\r\n            this.wv.loadDataWithBaseURL(null, v3, \"text/html\", \"UTF-8\", null);\r\n            this.setContentView(this.wv);\r\n        } catch (Exception v0_1) {\r\n            v0_1.printStackTrace();\r\n        }\r\n        return;\r\n    }\r\n}\r\nIn addition, the malware is able to abuse Accessibility Services to log everything that happens on the device. At the moment of writing, all the information gathered is only written to the local device logs, but in the future a very minor modification would be enough to add keylogging and Accessibility logging capabilities to the malware.\r\nTargets\r\nAs a first step, the malware sends back the list of packages installed on the device, and based on which targeted applications are present, it downloads the corresponding overlays to inject. 
The list of overlay targets returned by Xenomorph includes targets from Spain, Portugal, Italy and Belgium, as well as some general-purpose applications such as email clients and cryptocurrency wallets.\r\nC2 Communication \u0026 Commands\r\nFor its C2 communication, Xenomorph relies on the open-source project Retrofit2.\r\nRetrofit is a type-safe REST client for Android, Java and Kotlin developed by Square. The library provides a framework for authenticating against and interacting with APIs, sending the network requests through OkHttp.\r\nNOTE: ThreatFabric wants to explicitly mention that Retrofit is a legitimate and legal product. The developers of this project have no control over the misuse of their software.\r\nAfter obtaining Accessibility Services privileges, Xenomorph first registers and verifies itself with the C2 by sending a request containing the following information to the endpoint ‘ping’:\r\n{\r\n  \"api\": \"%DEVICE_SDK_NUMBER%\",\r\n  \"apps\": [\"%LIST%\", \"%OF%\", \"%INSTALLED%\", \"%APPS%\"],\r\n  \"imei\": \"%IMEI%\",\r\n  \"model\": \"%MODEL%\",\r\n  \"numbers\": [\"%LIST%\", \"%OF%\", \"%CONTACTS%\"],\r\n  \"tag\": \"%BOT_TAG%\",\r\n  \"uid\": \"%UID%\"\r\n}\r\nThe messages are encrypted with an ever-changing AES key and IV, together with a hash of the message to ensure the integrity of the communication. The first message sent to the C2 has the following format and uses a 
The initial information exfiltrated about the device and displayed above is contained in the tag\r\n‘id’:\r\n{\r\n \"hash\": \"%BASE64_ENCODED_SHA256%\",\r\n \"id\": \"%ENCRYPTED_DATA%\",\r\n \"iv\": \"%IV_FOR_AES%\",\r\n \"type\": \"request_verify\"\r\n}\r\nFollowing this exchange, the bot can be successfully registered and communicate with the C2. In this stage, the\r\nmalware will periodically poll for new commands from the C2, receiving the following response:\r\n{\r\n \"type\": \"get_coms\",\r\n \"coms\": [\"\u003cCOMMANDS\u003e\"]\r\n}\r\nThe value of ‘coms’ can be empty, or it can be any of the values described in the following section.\r\nCommands\r\nThe following table contains all the accepted commands that can be sent from the C2:\r\nCommand Description\r\nsms_log Log SMS\r\nnotif_ic_disable Disable Intercept notification\r\ninj_list List injects\r\nnotif_ic_enable Enable notification intercept\r\nsms_ic_disable Disable SMS intercept\r\ninj_enable Enable Injects\r\napp_list Get installed apps list\r\nsms_ic_enable Enable SMS intercept\r\ninj_update Update list of injects\r\ninj_disable Disable injects\r\nsms_ic_update Not implemented\r\nhttps://www.threatfabric.com/blogs/xenomorph-a-newly-hatched-banking-trojan.html\r\nPage 7 of 14\n\nCommand Description\r\nsms_ic_list Not implemented\r\nnotif_ic_list Not implemented\r\nself_cleanup Not implemented\r\nnotif_ic_update Not implemented\r\nfg_disable Not implemented\r\nfg_enable Not implemented\r\napp_kill Not implemented\r\nEndpoints\r\nHere is a list of the endpoints used by Xenomorph to communicate with its C2\r\nEndpoint Description\r\n/ping Used for initial verification step\r\n/metrics Used to retrieve commands from the c2 and send exfiltrated information\r\nSimilarities with Alien\r\nBoth choices of having a fully modular Accessibility Service engine and the use of Retrofit2 could remind of\r\nanother powerful Android Banking trojan, S.O.V.A.. 
However, despite this design similarities, the two families are\r\ncompletely different in implementation. On the other hand, there are many similarities with another Android\r\nBanking Trojan, which has been around for more than 2 years now: Alien.\r\nThe first similarity between these two families is the use of the same HTML resource page to trick victims into\r\ngranting the Accessibility Services privileges, which however has been re-used by many families before\r\nXenomorph.\r\nThis new malware also uses a very similar style of state-tracking through the use of the ‘SharedPreferences’ file.\r\nThis file is commonly used to track the state of an application. However, the style of variable naming used by\r\nXenomorph is very reminiscent of Alien, despite being potentially even more detailed.\r\nPotentially the most interesting fact is the actual name of the sharedPreferences file used to store the configuration\r\nfor Xenomorph: the file is named ring0.xml.\r\nThis might look like any other generic random string, but it happens to coincide with the name of the supposed\r\nactor behind the development of the original Alien malware.\r\nhttps://www.threatfabric.com/blogs/xenomorph-a-newly-hatched-banking-trojan.html\r\nPage 8 of 14\n\nIf this could look like a coincidence, there are many occurences of very peculiar logging strings and class names\r\nobserved first in Cerberus, and later in its successor Alien.\r\nCurrently the set of capabilities of Alien is much larger than the one of Xenomorph. However, considering that\r\nthis new malware is still very young and adopts a strong modular design, it is not hard to predict new features\r\ncoming in the near future.\r\nConclusions\r\nhttps://www.threatfabric.com/blogs/xenomorph-a-newly-hatched-banking-trojan.html\r\nPage 9 of 14\n\nThe surfacing of Xenomorph shows, once again, that threat actors are focusing their attention on landing\r\napplications on official markets. 
This is also a signal that the underground market for droppers and distribution actors has increased its activity, considering that we very recently observed Medusa and Cabassous also being distributed side by side.\r\nXenomorph is currently an average Android banking Trojan with a lot of untapped potential, which could be released very soon. Modern banking malware is evolving at a very fast rate, and criminals are starting to adopt more refined development practices to support future updates. Xenomorph is at the forefront of this change.\r\nThe current version of Xenomorph is capable of abusing Accessibility Services to steal PII from unsuspecting victims, prevent uninstallation and intercept SMS and notifications. ThreatFabric predicts that with some more time to finish development, this malware could reach higher threat levels, comparable to other modern Android banking Trojans.\r\nMTI \u0026 CSD\r\nThis and other mobile malware is tracked in our Mobile Threat Intel service (MTI). 
Try out our MTI feed today!\r\nSend a message to sales@threatfabric.com and get 30 days of access to our portal free of charge.\r\nIf you want more information on how we detect mobile malware on mobile devices, you can contact us directly at: info@threatfabric.com\r\nAppendix\r\nXenomorph Samples\r\nApp name Package name SHA-256\r\nFast Cleaner com.census.turkey 64c0f71d9c903f7b22a193a7844ea98a5f9db62b4dcc139f75f6d9698645f369\r\nFast Cleaner com.laundry.vessel 76e9359cfa98bb326f544577394b007132db63fd19fedde73a76162744b93c6f\r\nFast Cleaner com.tip.equip 2d6f26c16d29d4e68ece44e3ac558cd557d906684ee1a546ea982e7a64ddf0ce\r\nFast Cleaner com.spike.old 2877b27f1b6c7db466351618dda4f05d6a15e9a26028f3fc064fa144ec3a1850\r\nXenomorph C2\r\nC2 Description\r\nsimpleyo5[.]tk Main C2\r\nsimpleyo5[.]cf Backup C2\r\nart12sec[.]ga Backup C2\r\nkart12sec[.]gq Backup C2\r\nhomeandofficedeal[.]com Overlay C2\r\nXenomorph Targets\r\nPackage Name App Name\r\nca.mobile.explorer CA Mobile\r\ncgd.pt.caixadirectaparticulares Caixadirecta\r\ncom.abanca.bm.pt ABANCA - Portugal\r\ncom.bbva.mobile.pt BBVA Portugal\r\ncom.exictos.mbanka.bic Banco BIC, SA\r\npt.bancobpi.mobile.fiabilizacao BPI APP\r\npt.novobanco.nbapp NB smart app\r\npt.sibs.android.mbway MB WAY\r\nwit.android.bcpBankingApp.millennium Millenniumbcp\r\nbe.argenta.bankieren Argenta Banking\r\nbe.axa.mobilebanking Mobile Banking Service\r\nbe.belfius.directmobile.android Belfius Mobile\r\ncom.beobank_prod.bad Beobank Mobile\r\ncom.bnpp.easybanking Easy Banking App\r\ncom.ing.banking ING Banking\r\ncom.kbc.mobile.android.phone.kbc KBC Mobile\r\ncom.binance.dev Binance - Buy \u0026 Sell Bitcoin Securely\r\ncom.bitfinex.mobileapp Bitfinex\r\ncom.coinbase.android Coinbase – Buy \u0026 Sell Bitcoin. 
Crypto Wallet\r\ncom.kraken.trade Pro: Advanced Bitcoin \u0026 Crypto Trading\r\ncom.plunien.poloniex Poloniex Crypto Exchange\r\ncom.squareup.cash Cash App\r\ncom.transferwise.android TransferWise Money Transfer\r\ncom.wavesplatform.wallet Waves.Exchange\r\nnet.bitbay.bitcoin Bitcoin \u0026 Crypto Exchange - BitBay\r\nnet.bitstamp.app Bitstamp – Buy \u0026 Sell Bitcoin at Crypto Exchange\r\norg.electrum.electrum Electrum Bitcoin Wallet\r\npiuk.blockchain.android Blockchain Wallet. Bitcoin, Bitcoin Cash, Ethereum\r\napp.wizink.es WiZink, tu banco senZillo\r\ncom.bankinter.launcher Bankinter Móvil\r\ncom.bbva.bbvacontigo BBVA Spain\r\ncom.bbva.netcash BBVA Net Cash ES \u0026 PT\r\ncom.cajasur.android Cajasur\r\ncom.db.pbc.mibanco Mi Banco db\r\ncom.grupocajamar.wefferent Grupo Cajamar\r\ncom.imaginbank.app imaginBank - Your mobile bank\r\ncom.indra.itecban.mobile.novobanco NBapp Spain\r\ncom.indra.itecban.triodosbank.mobile.banking Triodos Bank. 
Banca Móvil\r\ncom.mediolanum Banco Mediolanum España\r\ncom.rsi ruralvía\r\ncom.targoes_prod.bad TARGOBANK - Banca a distancia\r\ncom.tecnocom.cajalaboral Banca Móvil Laboral Kutxa\r\nes.bancosantander.apps Santander\r\nes.caixagalicia.activamovil ABANCA- Banca Móvil\r\nes.caixaontinyent.caixaontinyentapp Caixa Ontinyent\r\nes.cecabank.ealia2091appstore ABANCA Pay - Paga y envía dinero con el móvil\r\nes.cecabank.ealia2103appstore UniPay Unicaja\r\nes.cm.android Bankia\r\nes.evobanco.bancamovil EVO Banco móvil\r\nes.ibercaja.ibercajaapp Ibercaja\r\nes.lacaixa.mobile.android.newwapicon CaixaBank\r\nes.liberbank.cajasturapp Banca Digital Liberbank\r\nes.openbank.mobile Openbank – banca móvil\r\nes.pibank.customers Pibank\r\nes.univia.unicajamovil UnicajaMovil\r\nwww.ingdirect.nativeframe ING España. Banca Móvil\r\ncom.latuabancaperandroid Intesa Sanpaolo Mobile\r\ncom.lynxspa.bancopopolare YouApp\r\ncom.sella.BancaSella Banca Sella\r\nit.bcc.iccrea.mycartabcc myCartaBCC\r\nit.bnl.apps.banking BNL\r\nit.carige Carige Mobile\r\nit.copergmps.rt.pf.android.sp.bmps Banca MPS\r\nit.creval.bancaperta Bancaperta\r\nit.nogood.container UBI Banca\r\nit.popso.SCRIGNOapp SCRIGNOapp\r\nposteitaliane.posteapp.appbpol BancoPosta\r\nposteitaliane.posteapp.apppostepay Postepay\r\ncom.android.vending Google Play\r\ncom.connectivityapps.hotmail Connect for Hotmail \u0026 Outlook: Mail and Calendar\r\ncom.google.android.gm Gmail\r\ncom.mail.mobile.android.mail mail.com mail\r\ncom.microsoft.office.outlook Microsoft Outlook: Organize Your Email \u0026 Calendar\r\ncom.paypal.android.p2pmobile PayPal Mobile Cash: Send and Request Money Fast\r\ncom.yahoo.mobile.client.android.mail Yahoo Mail – Organized Email\r\nSource: 
https://www.threatfabric.com/blogs/xenomorph-a-newly-hatched-banking-trojan.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.threatfabric.com/blogs/xenomorph-a-newly-hatched-banking-trojan.html"
	],
	"report_names": [
		"xenomorph-a-newly-hatched-banking-trojan.html"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-12T02:00:04.841451Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8309f9cf-9abb-4ce3-aa1e-cda7d7f5c1b3",
			"created_at": "2022-10-25T16:07:23.729215Z",
			"updated_at": "2026-04-12T02:00:04.663435Z",
			"deleted_at": null,
			"main_name": "Indra",
			"aliases": [],
			"source_name": "ETDA:Indra",
			"tools": [
				"Stardust"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-12T02:00:03.085596Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"FROZENBARENTS",
				"Seashell Blizzard",
				"Quedagh",
				"TEMP.Noble",
				"ELECTRUM",
				"UAC-0113",
				"UAC-0082",
				"APT44",
				"VOODOO BEAR",
				"IRON VIKING",
				"G0034",
				"TeleBots",
				"IRIDIUM",
				"Blue Echidna"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8d28f58b-5ea2-4450-a74a-4a1e39caba6e",
			"created_at": "2026-03-16T02:02:50.582318Z",
			"updated_at": "2026-04-12T02:00:03.62743Z",
			"deleted_at": null,
			"main_name": "COASTLIGHT",
			"aliases": [
				"Gonjeshke Darande",
				"Indra",
				"Predatory Sparrow"
			],
			"source_name": "Secureworks:COASTLIGHT",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-12T02:00:04.38342Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-12T02:00:04.579883Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-12T02:00:03.467242Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "219ddb41-2ea8-4121-8b63-8c762f7e15df",
			"created_at": "2023-01-06T13:46:39.384442Z",
			"updated_at": "2026-04-12T02:00:03.379957Z",
			"deleted_at": null,
			"main_name": "Predatory Sparrow",
			"aliases": [
				"Indra",
				"Gonjeshke Darande"
			],
			"source_name": "MISPGALAXY:Predatory Sparrow",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-12T02:00:04.384657Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434338,
	"ts_updated_at": 1775960534,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/142b04f517a7ee2de3224b79afee580463689a3f.pdf",
		"text": "https://archive.orkl.eu/142b04f517a7ee2de3224b79afee580463689a3f.txt",
		"img": "https://archive.orkl.eu/142b04f517a7ee2de3224b79afee580463689a3f.jpg"
	}
}