{
	"id": "04eede97-88dc-40c9-b4ca-04ca76af1c39",
	"created_at": "2026-04-06T00:06:20.52125Z",
	"updated_at": "2026-04-10T13:12:24.338601Z",
	"deleted_at": null,
	"sha1_hash": "16711c6fc4baba8b4fe7bc3140156e9895cf353b",
	"title": "Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 722842,
	"plain_text": "Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware\r\nBy Navin Thomas, Jerome Tujague\r\nPublished: 2024-09-10 · Archived: 2026-04-05 12:36:42 UTC\r\nExecutive Summary\r\nRepellent Scorpius is a new ransomware-as-a-service (RaaS) group that distributes Cicada3301 ransomware. The group appears to have first emerged in May 2024, running a multi-extortion operation.\r\nThis report, based on Unit 42 Incident Response engagements, provides a technical analysis of the ransomware employed by the Repellent Scorpius group. It also covers other tactics, techniques and procedures (TTPs) observed during this attack.\r\nIn addition, we discuss Repellent Scorpius' connection to a historical incident involving data exfiltration, predating the group's operation under the Cicada3301 brand, as well as the ransomware group’s plans going forward. Finally, we provide a walkthrough of an updated encryptor obtained through external sources, highlighting the differences from its previous variant. Unit 42 anticipates a rise in Cicada3301 ransomware activity, leading to an increase in the number of victims.\r\nPalo Alto Networks customers are better protected from the threats discussed in this article through the following products:\r\nCortex XDR\r\nAdvanced WildFire\r\nAdvanced URL Filtering and Advanced DNS Security\r\nPrisma Cloud through the Cloud Security Agent (CSA)\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.\r\nRepellent Scorpius Threat Overview\r\nRepellent Scorpius (distributors of Cicada3301 ransomware) is a new threat group that has recently emerged in the wild. Despite its recent inception, it is quickly picking up pace by setting up an affiliate program and recruiting partners. 
This has increased its number of victims according to the leak site.\r\nThere is an intriguing background to the name under which the ransomware group operates. According to Wikipedia, 3301 refers to three sets of highly complex and mysterious puzzles that first appeared on 4chan between 2012 and 2014, all signed with the pseudonym 3301. The third set of these puzzles remains unsolved to this day.\r\nhttps://unit42.paloaltonetworks.com/repellent-scorpius-cicada3301-ransomware/\r\nPage 1 of 13\n\nBased on the timeline from a Unit 42 Incident Response engagement, we estimate that the ransomware group began operations in May 2024. In the absence of earlier reports, we believe this marks the beginning of their operations.\r\nWhile the incidents may have begun around that time, we first observed leak site activity in June. After a pause of around a month in leak site activity from June 19, the ransomware group resumed operations.\r\nOf note, we have observed signs that the group holds data obtained in older compromise incidents. It is unclear whether this means the threat actor previously operated under a differently branded ransomware, or whether they purchased or inherited data from other ransomware groups.\r\nFigure 1. Cicada3301 leak site as of July 2024.\r\nRepellent Scorpius employs a double extortion scheme: in addition to encrypting systems, it steals data and threatens to publish it if the victim doesn’t pay the ransom.\r\nUnit 42 has evidence to suggest that the Repellent Scorpius operators have developed a RaaS affiliate program. They operate a control panel for affiliates and ransom payment pages for victims, and actively recruit initial access brokers (IABs) and network intruders on Russian-language cybercrime forums.\r\nGiven the limited number of victims, it might be too early to say whether this ransomware group targets a particular sector or region. 
Having said that, one of the points in the FAQ section on the affiliate panel website says, “It is strictly prohibited to target the CIS countries.” (Translated from Russian.)\r\nKrakenLabs posted a screenshot on X (formerly Twitter) of an underground forum post, translated from Russian, in which the Repellent Scorpius ransomware group recruits partners for its affiliate program.\r\nIncident Attack Lifecycle\r\nWe have mapped the attack stages captured from our incident response engagement to the MITRE ATT\u0026CK® framework tactics, which we summarize below.\r\nInitial Access\r\nMultiple Remote Desktop Protocol (RDP) logon events were captured on a given host. Based on investigation findings and the group’s modus operandi, we assess that attackers achieved initial access through stolen credentials, possibly purchased from an IAB.\r\nThe public IP address most often associated with these logons was 103.42.240[.]37, an RDP server with the hostname WIN-RMM48SHAUPR. This IP address is associated with the Pakistan-based hosting provider 0DAYHOST (SMC-PRIVATE) LIMITED, while the autonomous system name indicates that Serverius Holding B.V. controls the IP address allocation.\r\nExecution\r\nUnit 42 investigators observed attackers employing a batch script named 1.bat to execute the ransomware payload against multiple hosts within the client network. Details regarding the ransomware payload, along with its arguments, are below.\r\nFigure 2. Batch script with multiple ransomware command executions.\r\nLateral Movement\r\nPsExec is a legitimate tool that attackers leveraged to execute the ransomware payload against different hosts within the network. The tool is embedded within the ransomware payload and later extracted, which we describe in further detail below. 
It was executed through the following PowerShell command:\r\npowershell -Command C:\\Users\\Public\\psexec0.exe -accepteula -s -d \"C:\\Users\\Public\\locker.exe\" --no_impl --key \u003credacted\u003e -p \\\\\u003chostname\u003e\\C$\r\nNote that no target computer is given to PsExec here: -s and -d run the encryptor as SYSTEM on the local host, and the trailing -p \\\\\u003chostname\u003e\\C$ argument is passed on to locker.exe as the path to encrypt, in this case a remote administrative share.\r\nCollection\r\nUnit 42 investigators found that the file C:\\ProgramData\\found_shares.txt had been created. PowerView, a PowerSploit PowerShell module, has previously been observed storing file share enumeration results at this same path, and multiple ransomware intrusions have leveraged this technique.\r\nExfiltration\r\nUnit 42 investigators identified Rclone (a legitimate open-source utility) as the tool used for exfiltration. Attackers installed the tool in the ProgramData path (C:\\ProgramData\\rclone.exe), along with its configuration file (C:\\ProgramData\\rclone.conf).\r\nWe observed that 91.238.181[.]238 was the public IP address attackers used for exfiltration activity. This IP address belongs to a hosting provider called VDS\u0026VPN services.\r\nThe IP address in question has previously been flagged for Cobalt Strike activity (watermark: 674054486) and was potentially linked to other ransomware groups such as Bashful Scorpius (aka Nokoyawa) and Ambitious Scorpius (aka ALPHV/BlackCat) in 2023. 
This IP address was also observed attempting to exploit the ScreenConnect vulnerabilities CVE-2024-1708 and CVE-2024-1709 in February 2024.\r\nImpact (Encryptor)\r\nThe ransomware is a 64-bit binary written in the programming language Rust, which accepts the following command-line arguments:\r\nUSAGE:\r\nlocker.exe [FLAGS] [OPTIONS]\r\nAdditional Information:\r\n--key Sets the keys for activation (Required parameter)\r\n-p, --path Sets the path to the file or directory to be encrypted\r\n-s, --sleep Sleep is indicated in seconds\r\n--no_local Skip encrypting data stored locally on this device\r\n--no_net Skip encryption of network data\r\n--no_impl Don't use impersonation\r\nFigure 2 shows that the threat actors used a batch script to execute the ransomware multiple times against a list of hard-coded directory paths in the victim network. The encryptor requires a key parameter to begin execution, which has been redacted from the image.\r\nThe binary performs a key validation routine, in which it attempts to decrypt an embedded ransom note using the ChaCha20 stream cipher.\r\nThe embedded ransom note is Base64-decoded, decrypted with ChaCha20 using the first 32 bytes of the submitted key as the secret key and the last 12 bytes of the submitted key as the nonce, and then Base64-decoded a final time.\r\nThe encryptor validates the decryption by checking whether the string ***is_ok*** exists in the decrypted data. If the validation is successful, execution proceeds. Because the activation key is supplied on the command line rather than embedded in the binary, the sample does nothing useful when detonated in a sandbox without the operator-supplied key.\r\nThe encryptor contains a legitimate copy of PsExec embedded within itself, which it will extract and save to the location C:\\Users\\Public\\psexec0.exe. 
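Before continuing with the PsExec execution chain, the key-validation routine described above is worth seeing in working form. The following Python is an added example, not Unit 42's code and not code recovered from the encryptor: it implements ChaCha20 per RFC 8439 (IETF 12-byte nonce, block counter starting at 1, which is assumed to match the sample) on top of the standard library, builds an embedded note the way an operator would have to (Base64, ChaCha20, Base64), and then validates a submitted activation key in exactly the order observed: Base64-decode, decrypt with the first 32 bytes as key and the last 12 as nonce, Base64-decode again, check for ***is_ok***. The note text, the 44-byte demo key and the requirement that a key be at least 44 bytes are assumptions made for the demonstration.

```python
# Added example (not Unit 42's or the malware's code): the key-validation routine
# described above. ChaCha20 is implemented per RFC 8439 so nothing beyond the
# standard library is needed. The note text, the 44-byte activation key and the
# minimum key length are constructed/assumed for this demonstration.
import base64
import struct

MARKER = b'***is_ok***'
MASK = 0xFFFFFFFF


def _rotl32(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK
    s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK
    s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK
    s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK
    s[b] = _rotl32(s[b] ^ s[c], 7)


def _chacha20_block(key, nonce, counter):
    # State: 4 constant words, 8 key words, 32-bit block counter, 3 nonce words.
    state = list(struct.unpack('<4I', b'expand 32-byte k'))
    state += struct.unpack('<8I', key)
    state.append(counter)
    state += struct.unpack('<3I', nonce)
    work = state[:]
    for _ in range(10):                      # 10 double rounds = 20 rounds
        _quarter_round(work, 0, 4, 8, 12)
        _quarter_round(work, 1, 5, 9, 13)
        _quarter_round(work, 2, 6, 10, 14)
        _quarter_round(work, 3, 7, 11, 15)
        _quarter_round(work, 0, 5, 10, 15)
        _quarter_round(work, 1, 6, 11, 12)
        _quarter_round(work, 2, 7, 8, 13)
        _quarter_round(work, 3, 4, 9, 14)
    return struct.pack('<16I', *[(w + s) & MASK for w, s in zip(work, state)])


def chacha20_xor(key, nonce, data):
    # Stream cipher, so one function both encrypts and decrypts. The counter
    # starts at 1 as in RFC 8439; that the sample does the same is an assumption.
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError('ChaCha20 needs a 32-byte key and a 12-byte nonce')
    out = bytearray()
    for i in range(0, len(data), 64):
        block = _chacha20_block(key, nonce, 1 + i // 64)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], block))
    return bytes(out)


def split_activation_key(activation_key):
    # First 32 bytes are the ChaCha20 key, last 12 bytes the nonce (as analysed).
    # Requiring at least 44 bytes, so the two do not overlap, is an assumption.
    if len(activation_key) < 44:
        raise ValueError('activation key must be at least 44 bytes')
    return activation_key[:32], activation_key[-12:]


def build_embedded_note(activation_key, note_text):
    # Operator side (assumed): Base64, then ChaCha20, then Base64 again, which is
    # the inverse of the validation order observed in the binary.
    key, nonce = split_activation_key(activation_key)
    inner = base64.b64encode(MARKER + b' ' + note_text)
    return base64.b64encode(chacha20_xor(key, nonce, inner))


def validate_key(embedded_note, activation_key):
    # Encryptor side: Base64-decode, decrypt, Base64-decode, look for the marker.
    # Returns the decrypted note on success and None otherwise.
    try:
        key, nonce = split_activation_key(activation_key)
        inner = chacha20_xor(key, nonce, base64.b64decode(embedded_note))
        plain = base64.b64decode(inner, validate=True)   # wrong key: not Base64
    except ValueError:
        return None
    return plain if MARKER in plain else None


# Constructed demo values; neither is a real Cicada3301 key or note.
DEMO_KEY = bytes(range(1, 45))
DEMO_NOTE = b'*** Welcome to Cicada3301 *** (constructed note body)'
EMBEDDED_NOTE = build_embedded_note(DEMO_KEY, DEMO_NOTE)

if __name__ == '__main__':
    print('correct key accepted:', validate_key(EMBEDDED_NOTE, DEMO_KEY) is not None)
    print('all-zero key accepted:', validate_key(EMBEDDED_NOTE, bytes(44)) is not None)
```

Run stand-alone, it reports that the demo key is accepted and an all-zero key is not. The second Base64 decode is done in strict mode, so a wrong key almost always fails there before the marker check; that is a design choice of this example, not something observed in the binary. The practical consequence of the scheme is that the embedded note acts as a known-plaintext check of the key: without the --key value from the batch script the sample will not proceed, which is why detonation requires the operator-supplied key and not just the binary.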
The malware will then create a copy of itself in the C:\\Users\\Public\\ directory.\r\nOnce copied, it will use the PsExec binary to execute itself several more times, using hard-coded credentials stolen from the victim network during the preceding incursion. This may be an attempt to get the encryptor to run with higher privileges.\r\nC:\\Users\\Public\\psexec0.exe -accepteula -s -d \"C:\\Users\\Public\\\u003cencryptor\u003e\" --no_impl --key \u003ckey\u003e\r\nC:\\Users\\Public\\psexec0.exe -accepteula -u \u003cusername\u003e -p \u003cpassword\u003e -s -d \"C:\\Users\\Public\\\u003cencryptor\u003e\" --no_impl --key \u003ckey\u003e\r\nNext, the encryptor will run a series of commands to terminate services and processes, delete shadow copies and disable recovery features, among other tasks. The executed commands are listed below, each followed by its purpose; a full list of targeted processes and services is in the appendix.\r\nCommand: cmd /C fsutil behavior set SymlinkEvaluation R2L:1\r\nPurpose: Enables evaluation of remote-to-local symbolic links (likely so that links encountered on network shares are followed during encryption)\r\nCommand: cmd /C fsutil behavior set SymlinkEvaluation R2R:1\r\nPurpose: Enables evaluation of remote-to-remote symbolic links\r\nCommand: cmd /C iisreset.exe /stop\r\nPurpose: Stops Internet Information Services (IIS)\r\nCommand: cmd /C vssadmin.exe Delete Shadows /all /quiet\r\nPurpose: Deletes volume shadow copies using VSSAdmin.exe\r\nCommand: cmd /C wmic.exe Shadowcopy Delete\r\nPurpose: Deletes volume shadow copies using the Windows Management Instrumentation Command-Line (WMIC) utility\r\nCommand: cmd /C bcdedit /set {default}\r\nPurpose: Possibly a misused command, as it requires additional parameters to execute properly\r\nCommand: cmd /C bcdedit /set {default} recoveryenabled No\r\nPurpose: Disables the automatic recovery feature for the default boot entry\r\nCommand: cmd /C “for /F 'tokens=*' %1 in ('wevtutil.exe el') DO wevtutil.exe cl %1”\r\nPurpose: Clears all Windows event logs (enumerates every log with wevtutil el and clears each with wevtutil cl)\r\nCommand: cmd 
/C reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f\r\nPurpose: Sets the number of concurrent SMB requests the server accepts from a client to the maximum allowed (presumably to speed up encryption of network shares)\r\nCommand: cmd /C sc stop \u003cservice\u003e\r\nPurpose: Stops the specified service\r\nCommand: cmd /C taskkill /IM \u003cprocess\u003e* /F\r\nPurpose: Forcefully terminates the specified process\r\nOnce the sample completes the above steps, it begins the encryption routine. By default, the ransomware checks for the existence of drives from A:\\ to Z:\\. The sample encrypts all files within detected drives, excluding files with specific extensions or files located in directories matching keywords. This information is listed in the appendix.\r\nThe encryptor renames files with a new extension before starting the encryption process. In the sample analyzed by Unit 42 the extension was kcr5umw.\r\nThe encryption process is composed of two sequences. First, the encryptor reads the contents of the target file, encrypts them using ChaCha20 with a randomly generated secret key and nonce, and writes the result back to the file. Second, the ChaCha20 key and nonce are encrypted using a hard-coded RSA public key, and the result is appended to the file. Finally, the extension is appended to the end of the encrypted data. Because the per-file ChaCha20 key and nonce survive only in RSA-encrypted form, recovering files requires the matching RSA private key, which the operators hold.\r\nOnce encryption of all files is complete, the sample writes the ransom note, named in the format RECOVER-\u003cencrypted_file_extension\u003e-DATA.txt. The contents of the note are as follows.\r\n*************************************\r\n*** Welcome to Cicada3301 ***\r\n*************************************\r\n** What Happened? 
**\r\n----------------------------------------------\r\nYour computers and servers are encrypted, your backups are deleted.\r\nWe use strong encryption algorithms, so you won't be able to decrypt your data.\r\nYou can recover everything by purchasing a special data recovery program from us.\r\nThis program will restore your entire network.\r\n** Data Leak **\r\n----------------------------------------------\r\nWe have downloaded more than %SIZE% GB of your company data.\r\nContact us, or we will be forced to publish all your data on the Internet\r\nand send it to all regulatory authorities in your country, as well as to your customers, partners, and\r\ncompetitors.\r\nWe are ready to:\r\n- Provide you with proof that the data has been stolen;\r\n- Delete all stolen data;\r\n- Help you rebuild your infrastructure and prevent similar attacks in the future;\r\n** What Guarantees? **\r\n----------------------------------------------\r\nOur reputation is of paramount importance to us.\r\nFailure to fulfill our obligations means not working with you, which is against our interests.\r\nRest assured, our decryption tools have been thoroughly tested and are guaranteed to unlock your data.\r\nShould any problems arise, we are here to support you. As a goodwill gesture,\r\nwe are willing to decrypt one file for free.\r\n** How to Contact us? **\r\n----------------------------------------------\r\nUsing TOR Browser:\r\n1) You can download and install the TOR browser from this site: https://torproject.org/\r\n2) Open our website: \u003credacted\u003e\r\nWARNING: DO NOT MODIFY or attempt to restore any files on your own. 
This can lead to their permanent loss.\r\nLinks to Historical Incident\r\nUnit 42 is aware of at least one case where Repellent Scorpius had access to a victim’s data, which attackers likely took in an incident several years prior. A forensic review of the victim’s environment identified no recent signs of compromise. A quick walkthrough of some of the TTPs observed during that incident, by MITRE tactic, is as follows:\r\nExecution: WinRAR used to extract certain tools from its archive. Certutil leveraged for payload download.\r\nPersistence: Multiple scheduled tasks were set up for hourly execution of different commands.\r\nCredential access: We observed the presence of tools such as Mimikatz and Impacket-based executables, primarily used for extracting credentials.\r\nDiscovery: Execution of the ADRecon PowerShell script to gather information and extract artifacts from a given Active Directory, and of a Rubeus-based executable. Some of the tools or built-in commands attackers used were wmic, nslookup, ping, ipconfig, net, quser, qwinsta and SoftPerfect Network Scanner.\r\nCommand and control: Reverse tunnel to an adversary server via SSH. A PowerShell command to send the victim IP address and hostname to a hard-coded domain via a POST request. Multiple other tools were used in this scenario, including Plink, GOST and a SOCKS proxy tool.\r\nAs previously mentioned, it is unclear how the Repellent Scorpius group possessed this data. 
However, we observed certain overlaps with another attack carried out by an affiliate that deployed BlackCat ransomware, reported in March 2022. Examples include attackers using the ADRecon and SoftPerfect Network Scanner tools, setting up a reverse SSH tunnel and creating similar scheduled tasks. That said, there was no evidence that BlackCat was deployed in this incident, likely because different stages of the attack were thwarted.\r\nWhile we did come across a few filename-based overlaps, we observed no substantial TTP overlaps between the recent ransomware incident and the historical one.\r\nNew Version of Encryptor\r\nUnit 42 researchers found an updated Cicada3301 encryptor in late July 2024, which had some differences from the previously analyzed version.\r\nThe malware authors added a new command-line argument, --no-note. When this argument is supplied, the encryptor does not write the ransom note to the system.\r\nInstead of running the embedded PsExec binary directly via PowerShell, the encryptor creates a randomly named .bat file in the C:\\Users\\Public directory, which it executes using “cmd.exe /C”. 
Included in the created .bat file is a line to delete the script after execution is complete.\r\nThe most recent samples do not have hard-coded usernames or passwords in the binary, but they retain the capability to execute PsExec with such credentials if they are present.\r\nAn example of the script is below:\r\nC:\\Users\\Public\\psexec0.exe -accepteula -s -d \"C:\\Users\\Public\\\u003cencryptor\u003e.exe\" --no_impl --key \u003ckey\u003e -p \u003cpath\u003e\r\ndel /Q \"C:\\Users\\Public\\\u003crandom_10_chars\u003e.bat\"\r\nFinally, the ransomware developers modified the methods used to stop services and added a PowerShell command to forcibly stop all running virtual machines (VMs) on the target system. The commands are listed below, each followed by its action.\r\nCommand: powershell -Command \"$excludedVMs = @(); Get-VM | Where-Object { $_.Name -notin $excludedVMs } | ForEach-Object { Stop-VM -Name $_.Name -Force -Confirm:$false }\"\r\nAction: Forcibly stops all running Hyper-V VMs, since VM files that are encrypted while the VM is still running are permanently damaged.\r\nCommand: for /F \"tokens=2 delims=:\" %i in ('sc query state^= all ^| findstr /I \u003cservice_name\u003e) do sc stop %i\r\nAction: Stops all services whose names contain the supplied service name.\r\nCommand: cmd /C \"net stop \u003cserviceName\u003e /y\"\r\nAction: Uses the net command to stop a running service. We list the new services that the threat stops using this method in the appendix.\r\nConclusion\r\nAlthough it may not currently appear to be widespread, Repellent Scorpius is actively recruiting IABs and network intruders. It has also recently set up a RaaS affiliate program. Therefore, we can expect to see attackers posting a growing list of active incidents and victims on their leak site in the near future.\r\nThe TTPs highlighted here are from specific incident response engagements. 
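The commands in both encryptor versions are noisy and script-like, which makes them a practical hunting target. The following Python is an added example, not part of the Unit 42 report: it matches process-creation command lines against the indicators from the command tables above and flags a host only when several distinct indicators fire within one time window, so a lone administrator running iisreset or a read-only vssadmin list shadows is not flagged. The event lines, host and user names are constructed for the demonstration; the four-column event format (timestamp, host, user, command line), the 30-minute window and the three-indicator threshold are assumptions to be tuned to your own telemetry.

```python
# Added example (not from the Unit 42 report): correlates the encryptor's
# anti-recovery, log-clearing and execution commands per host. Event lines, hosts,
# users, the 30-minute window and the three-indicator threshold are constructed/assumed.
from collections import defaultdict
from datetime import datetime, timedelta

# (indicator name, substrings that must all appear in the lower-cased command line)
INDICATORS = [
    ('vss_delete', ('vssadmin', 'delete shadows')),
    ('wmic_shadow_delete', ('wmic', 'shadowcopy delete')),
    ('bcdedit_no_recover', ('bcdedit', 'recoveryenabled no')),
    ('eventlog_clear', ('wevtutil', ' cl ')),                 # one per log from the for loop
    ('symlink_remote', ('fsutil', 'symlinkevaluation', 'r2')),  # R2L:1 and R2R:1
    ('iis_stop', ('iisreset', '/stop')),
    ('smb_maxmpxct', ('reg add', 'maxmpxct')),
    ('psexec_dropped', ('psexec0.exe', '-accepteula')),
    ('hyperv_stop_vm', ('get-vm', 'stop-vm', '-force')),       # new-variant VM shutdown
    ('rclone_exfil', ('rclone', 'rclone.conf')),
    ('share_enum_output', ('found_shares.txt',)),
]

# Constructed process-creation events: timestamp,host,user,command line
SAMPLE_EVENTS = [
    '2024-06-19T02:13:58,FS01,CORP-svc_backup,psexec0.exe -accepteula -s -d locker.exe --no_impl --key REDACTED',
    '2024-06-19T02:14:05,FS01,CORP-svc_backup,cmd /C fsutil behavior set SymlinkEvaluation R2L:1',
    '2024-06-19T02:14:06,FS01,CORP-svc_backup,cmd /C vssadmin.exe Delete Shadows /all /quiet',
    '2024-06-19T02:14:07,FS01,CORP-svc_backup,cmd /C bcdedit /set {default} recoveryenabled No',
    '2024-06-19T02:14:09,FS01,CORP-svc_backup,wevtutil.exe cl Security',
    '2024-07-29T23:41:12,HV02,CORP-admin,powershell -Command $excludedVMs = @(); Get-VM | Where-Object { $_.Name -notin $excludedVMs } | ForEach-Object { Stop-VM -Name $_.Name -Force -Confirm:$false }',
    '2024-07-29T23:41:15,HV02,CORP-admin,cmd /C wmic.exe Shadowcopy Delete',
    '2024-07-29T23:41:16,HV02,CORP-admin,cmd /C iisreset.exe /stop',
    # Benign noise: one-off admin commands, read-only look-alikes, spread over days
    '2024-07-30T09:05:00,WEB03,CORP-webadmin,cmd /C iisreset.exe /stop',
    '2024-07-30T09:06:30,WEB03,CORP-webadmin,vssadmin list shadows',
    '2024-07-30T09:07:00,WEB03,CORP-webadmin,wevtutil qe Application /c:5',
    '2024-07-31T18:00:00,WEB03,CORP-webadmin,cmd /C vssadmin.exe Delete Shadows /all /quiet',
    '2024-08-01T08:00:00,WEB03,CORP-webadmin,cmd /C bcdedit /set {default} recoveryenabled No',
]


def match_indicators(command_line):
    # Names of every indicator whose substrings all occur in the command line.
    low = command_line.lower()
    return [name for name, needles in INDICATORS if all(n in low for n in needles)]


def scan(events, window=timedelta(minutes=30), min_distinct=3):
    # Flag a host when at least min_distinct different indicators fire inside one
    # window; returns {host: sorted indicator names of the first such window}.
    per_host = defaultdict(list)
    for line in events:
        ts, host, _user, cmd = line.split(',', 3)
        for name in match_indicators(cmd):
            per_host[host].append((datetime.fromisoformat(ts), name))
    flagged = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            names = {n for t, n in hits[i:] if t - start <= window}
            if len(names) >= min_distinct:
                flagged[host] = sorted(names)
                break
    return flagged


if __name__ == '__main__':
    for host, names in scan(SAMPLE_EVENTS).items():
        print(host, '->', ', '.join(names))
```

Feed it an EDR or Sysmon process-creation export in the same four columns. The constructed lines deliberately omit full paths, so when adapting this add path-aware indicators for the artifacts above (psexec0.exe in the Public user profile, rclone.conf in ProgramData, found_shares.txt) and extend INDICATORS with the service names from the appendix once you have them; the window is what keeps three unrelated admin actions spread over days from adding up to a detection, as the WEB03 lines show.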
Considering that the Cicada3301 ransomware is relatively new, we expect that its TTPs will change and evolve over time.\r\nPalo Alto Networks Protection and Mitigation\r\nPalo Alto Networks customers are better protected from the threats discussed above through the following products:\r\nThe Cicada3301 ransomware is detected and prevented by Cortex XDR.\r\nAdvanced WildFire identifies all known samples mentioned in this article as malicious.\r\nAdvanced URL Filtering and Advanced DNS Security identify known URLs and domains associated with this activity as malicious.\r\nPrisma Cloud can detect known Cicada3301 ransomware binaries executed within cloud environments through the Cloud Security Agent (CSA).\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. 
Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nHashes\r\n8ec114b29c7f2406809337b6c68ab30b0b7f0d1647829d56125e84662b84ea74 - Cicada3301 encryptor\r\n0260258f6f083aff71c7549a6364cb05d54dd27f40ca1145e064353dd2a9e983 - Batch script 1.bat containing multiple Cicada3301 encryptor execution commands\r\n2d73b3aefcfbb47c1a187ddee7a48a21af7c85eb49cbdcb665db07375e36dc33 - Cicada3301 encryptor\r\n3969e1a88a063155a6f61b0ca1ac33114c1a39151f3c7dd019084abd30553eab - Cicada3301 encryptor, new variant\r\n56e1d092c07322d9dad7d85d773953573cc3294b9e428b3bbbaf935ca4d2f7e7 - Cicada3301 encryptor, new variant\r\nInfrastructure\r\n103.42.240[.]37\r\n91.238.181[.]238\r\ncicadabv7vicyvgz5khl7v2x5yygcgow7ryy6yppwmxii4eoobdaztqd[.]onion/\r\nAdditional Resources\r\nCicada 3301 – Wikipedia\r\nThe internet mystery that has the world baffled – The Telegraph\r\nC0015, Campaign C0015 – MITRE ATT\u0026CK\r\nCONTInuing the Bazar Ransomware Story – The DFIR Report\r\nThreat Brief: ConnectWise ScreenConnect Vulnerabilities (CVE-2024-1708 and CVE-2024-1709) – Unit 42, Palo Alto Networks\r\nSource: https://unit42.paloaltonetworks.com/repellent-scorpius-cicada3301-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/repellent-scorpius-cicada3301-ransomware/"
	],
	"report_names": [
		"repellent-scorpius-cicada3301-ransomware"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433980,
	"ts_updated_at": 1775826744,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/16711c6fc4baba8b4fe7bc3140156e9895cf353b.pdf",
		"text": "https://archive.orkl.eu/16711c6fc4baba8b4fe7bc3140156e9895cf353b.txt",
		"img": "https://archive.orkl.eu/16711c6fc4baba8b4fe7bc3140156e9895cf353b.jpg"
	}
}