{
	"id": "0d2daad9-0dfb-4dfa-8607-85bc61156799",
	"created_at": "2026-04-06T00:13:50.901173Z",
	"updated_at": "2026-04-10T03:38:20.62524Z",
	"deleted_at": null,
	"sha1_hash": "167d65bdb8e80b6068ec1fe36dfdda1abc6f9df1",
	"title": "IT threat evolution in Q2 2023",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2296344,
	"plain_text": "IT threat evolution in Q2 2023\r\nBy David Emm\r\nPublished: 2023-08-30 · Archived: 2026-04-05 15:26:11 UTC\r\nIT threat evolution in Q2 2023. Non-mobile statistics\r\nIT threat evolution in Q2 2023. Mobile statistics\r\nTargeted attacks\r\nGopuram backdoor deployed through 3CX supply-chain attack\r\nEarlier this year, a Trojanized version of the 3CXDesktopApp, a popular VoIP program, was used in a high-profile supply-chain attack. The attackers were able to embed malicious code into the libffmpeg media processing library\r\nto download a payload from their servers.\r\nWhen we reviewed our telemetry on the campaign, we found a DLL on one of the computers, named guard64.dll,\r\nwhich was loaded into the infected 3CXDesktopApp.exe process. A DLL with this name was used in recent\r\ndeployments of a backdoor that we dubbed Gopuram, which we had been tracking since 2020. While investigating\r\nan infection of a cryptocurrency company in Southeast Asia, we found Gopuram coexisting on target computers\r\nwith AppleJeus, a backdoor attributed to Lazarus.\r\nWe had observed only a few victims compromised using Gopuram, but the number of infections increased in March\r\n2023 — a spike that was directly related to the 3CX supply-chain attack. The threat actor specifically targeted\r\ncryptocurrency companies. The backdoor implements commands that allow the attackers to interact with the\r\nvictim’s file system and create processes on the infected machine. Gopuram was additionally observed to launch\r\nin-memory modules.\r\nThe fact that the Gopuram backdoor has been deployed to fewer than 10 infected computers indicates that the attackers\r\nused Gopuram with surgical precision. We observed that they have a specific interest in cryptocurrency\r\ncompanies. We also learned that the threat actor behind Gopuram infects target machines with the full-fledged\r\nmodular Gopuram backdoor. 
We believe that Gopuram is the main implant and the final payload in the attack\r\nchain.\r\nThe discovery of the new Gopuram infections allowed us to attribute the 3CX campaign to the Lazarus threat\r\nactor with medium to high confidence.\r\nTracking the Lazarus DeathNote campaign\r\nLazarus is a notorious and highly skilled threat actor. Over the last few years we have tracked DeathNote, one of\r\nLazarus’s active clusters, observing a shift in the threat actor’s targets as well as the development and refinement\r\nof its TTPs (Tactics, Techniques, and Procedures).\r\nhttps://securelist.com/it-threat-evolution-q2-2023/110355/\r\nPage 1 of 18\n\nSince 2018, Lazarus has persistently targeted crypto-currency-related businesses, using malicious\r\nWord documents and themes related to the crypto-currency business to lure potential targets. If the target opened\r\nthe document and enabled the macros, a malicious script would extract the embedded downloader and load it with\r\nspecific parameters. Lazarus used two different kinds of second-stage payload in these attacks: the first a\r\nTrojanized application masquerading as the UltraVNC viewer, the second a typical multi-stage backdoor.\r\nOur investigations identified compromised individuals or companies in Cyprus, the US, Taiwan, and Hong Kong.\r\nIn April 2020, we uncovered a significant shift in targeting and infection vector. The DeathNote cluster was used\r\nto target the automotive and academic sectors in Eastern Europe, both of which are connected to the defense\r\nindustry. At this point, the threat actor switched all the decoy documents to job descriptions related to defense\r\ncontractors and diplomatic services.\r\nLazarus also refined its infection chain using the remote template injection technique in its weaponized\r\ndocuments, as well as utilizing Trojanized open-source PDF viewer software. 
Both infection methods resulted in\r\nthe same malware (the DeathNote downloader), which uploaded the target’s information and retrieved the next-stage payload at the discretion of the C2 (Command and Control) server. Finally, a COPPERHEDGE variant was\r\nexecuted in memory.\r\nIn May 2021, the DeathNote cluster was used to compromise a European IT company providing solutions for\r\nmonitoring network devices and servers, possibly because Lazarus had an interest in this company’s widely-used\r\nsoftware or its supply chain.\r\nIn early June 2021, the Lazarus group began utilizing a new infection mechanism against targets in South Korea.\r\nOne thing that caught our attention was that the initial stage of the malware was executed by legitimate security\r\nsoftware that is widely used in the country. It’s thought that the malware was spread through a vulnerability in the\r\nsoftware.\r\nAs in the previous case, the initial infection vector created the downloader malware. Once connected to the C2\r\nserver, the downloader retrieved an additional payload based on the operator’s commands and executed it in\r\nmemory. During this time, the BLINDINGCAN malware was used as a memory-resident backdoor. While the\r\nBLINDINGCAN malware has sufficient capabilities to control the victim, the actor manually implanted additional\r\nmalware: it’s thought that the group aimed to create an auxiliary method to control the victim. Finally, the\r\nCOPPERHEDGE malware, previously used by this cluster, was executed on the victim.\r\nA year later, in March 2022, we discovered that the same security program had been exploited to propagate similar\r\ndownloader malware to several victims in South Korea. 
However, a different payload was delivered in this case.\r\nThe C2 operator manually implanted a backdoor twice, and although we were unable to acquire the initially\r\nimplanted backdoor, we assume it is the same as the backdoor in the following stage. The newly implanted\r\nbackdoor is capable of executing a retrieved payload with named-pipe communication. In addition, the actor\r\nutilized side-loading to execute Mimikatz and used stealer malware to collect keystroke and clipboard data from\r\nusers.\r\nAt around the same time, we uncovered evidence that one defense contractor in Latin America had been\r\ncompromised by the same backdoor. The initial infection vector was similar to what we’ve seen with other\r\ndefense industry targets, involving the use of a Trojanized PDF reader with a crafted PDF file. However, in this\r\nparticular case, the actor adopted a side-loading technique to execute the final payload. When the malicious PDF\r\nfile is opened with the Trojanized PDF reader, the same malware mentioned above is executed on the victim’s machine: it\r\ncollects and reports the victim’s information, retrieves commands and executes them using pipe\r\ncommunication mechanisms. The threat actor used this malware to implant additional payloads, including\r\nlegitimate files for side-loading purposes.\r\nIn July 2022, Lazarus successfully breached a defense contractor in Africa. The initial infection was a suspicious\r\nPDF application, which had been sent via the Skype messenger. After executing the PDF reader, it created both a\r\nlegitimate file (CameraSettingsUIHost.exe) and a malicious file (DUI70.dll) in the same directory. This attack\r\nrelied heavily on the same DLL side-loading technique that we observed in the previous case. 
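The side-loading pair just described (a legitimate CameraSettingsUIHost.exe next to a malicious DUI70.dll) and the planting of a DLL under C:\\Windows\\System32\\PerceptionSimulation\\ for the Windows Perception Simulation Service to load, which is the footprint of the ServiceMove lateral-movement technique, can both be hunted for in endpoint telemetry. The Python below is an added example written for this page, not Kaspersky's code: it runs two rules over Sysmon-style events (EventID 7 ImageLoaded, EventID 11 FileCreate) that are constructed inline. The extra DLL names in SIDELOAD_DLLS, the user paths, the timestamps, the planted file name and the path of the service binary are all assumptions made for the example.

```python
# Added example (not Kaspersky's code): two hunting rules for the DeathNote DLL
# techniques, run over constructed Sysmon-style events.
#   - dll-sideload: a DLL carrying a well-known Windows DLL name is loaded from
#     the loader's own directory, and that directory is not System32.
#   - servicemove: a .dll is written into the PerceptionSimulation directory and
#     loaded within WINDOW_SECONDS, which is what starting the Windows
#     Perception Simulation Service after planting a DLL looks like.
from pathlib import PureWindowsPath

SYSTEM32 = PureWindowsPath('C:/Windows/System32')
PERCEPTION_SIM = SYSTEM32 / 'PerceptionSimulation'
# DUI70.dll is the name from the report; the other names are common side-loading
# targets added here as an assumption for the example.
SIDELOAD_DLLS = {'dui70.dll', 'version.dll', 'dbghelp.dll', 'wtsapi32.dll'}
WINDOW_SECONDS = 600

# Constructed events. Field names follow Sysmon; 't' is seconds since an
# arbitrary epoch. Paths use forward slashes, which PureWindowsPath accepts and
# compares case-insensitively.
SAMPLE_EVENTS = [
    # Trojanized PDF reader run from Downloads loads DUI70.dll from its own folder.
    {'t': 100, 'id': 7, 'Image': 'C:/Users/alice/Downloads/CameraSettingsUIHost.exe',
     'ImageLoaded': 'C:/Users/alice/Downloads/DUI70.dll'},
    # Benign: the genuine binary loads the genuine DLL from System32.
    {'t': 101, 'id': 7, 'Image': 'C:/Windows/System32/CameraSettingsUIHost.exe',
     'ImageLoaded': 'C:/Windows/System32/DUI70.dll'},
    # ServiceMove: a DLL arrives over SMB (Sysmon attributes remote writes to the
    # System process) ...
    {'t': 200, 'id': 11, 'Image': 'System',
     'TargetFilename': 'C:/Windows/System32/PerceptionSimulation/planted.dll'},
    # ... and the service binary (assumed path) loads it 30 seconds later.
    {'t': 230, 'id': 7,
     'Image': 'C:/Windows/System32/PerceptionSimulation/PerceptionSimulationService.exe',
     'ImageLoaded': 'C:/Windows/System32/PerceptionSimulation/planted.dll'},
    # Benign: a DLL written by servicing and only loaded much later.
    {'t': 300, 'id': 11, 'Image': 'C:/Windows/servicing/TrustedInstaller.exe',
     'TargetFilename': 'C:/Windows/System32/PerceptionSimulation/updated.dll'},
    {'t': 5000, 'id': 7,
     'Image': 'C:/Windows/System32/PerceptionSimulation/PerceptionSimulationService.exe',
     'ImageLoaded': 'C:/Windows/System32/PerceptionSimulation/updated.dll'},
]


def detect_sideload(event):
    # Rule 1 on a single EventID 7 record; returns a finding or None.
    if event['id'] != 7:
        return None
    image = PureWindowsPath(event['Image'])
    dll = PureWindowsPath(event['ImageLoaded'])
    if (dll.name.lower() in SIDELOAD_DLLS
            and dll.parent == image.parent
            and dll.parent != SYSTEM32):
        return {'rule': 'dll-sideload', 't': event['t'],
                'image': image.name, 'dll': dll.name, 'directory': str(dll.parent)}
    return None


def detect_servicemove(events):
    # Rule 2 correlates a FileCreate under PerceptionSimulation with a later
    # ImageLoaded of the same file; events are processed in time order.
    drops = {}
    findings = []
    for event in sorted(events, key=lambda e: e['t']):
        if event['id'] == 11:
            target = PureWindowsPath(event['TargetFilename'])
            if target.parent == PERCEPTION_SIM and target.suffix.lower() == '.dll':
                drops[target] = event['t']
        elif event['id'] == 7:
            loaded = PureWindowsPath(event['ImageLoaded'])
            dropped_at = drops.get(loaded)
            if dropped_at is not None and event['t'] - dropped_at <= WINDOW_SECONDS:
                findings.append({'rule': 'servicemove', 'dropped_at': dropped_at,
                                 'loaded_at': event['t'], 'dll': loaded.name,
                                 'loader': PureWindowsPath(event['Image']).name})
    return findings


def hunt(events):
    # Runs both rules and returns the combined list of findings.
    findings = [f for f in map(detect_sideload, events) if f is not None]
    findings.extend(detect_servicemove(events))
    return findings


if __name__ == '__main__':
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

WINDOW_SECONDS and the DLL list are the tunables. In a real deployment the first rule would additionally require the loaded DLL to be unsigned (Sysmon's Signed and SignatureStatus fields on EventID 7) to cut noise from legitimately redistributed DLLs, and the second would be enriched with the remote logon (4624, logon type 3) or the service start record that precedes the load, which is what distinguishes ServiceMove from a local administrator touching that directory.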
Lazarus used this\r\nmalware several times in various campaigns, and also used the same DLL side-loading technique to implant\r\nadditional malware that is capable of backdoor operation. In order to move laterally across systems, the actor used\r\nan interesting technique called ServiceMove. This technique uses the Windows Perception Simulation Service to\r\nload arbitrary DLL files: by creating an arbitrary DLL in C:\\Windows\\System32\\PerceptionSimulation\\ and\r\nstarting the service remotely, the threat actor was able to achieve code execution as NT AUTHORITY\\SYSTEM\r\non a remote system.\r\nOur analysis of the DeathNote cluster reveals a rapid evolution in its TTPs over the years. As Lazarus continues to\r\nrefine its approaches, it is crucial for organizations to maintain vigilance and take proactive measures to defend\r\nagainst its malicious activities. By staying informed and implementing strong security measures, organizations can\r\nreduce the risk of falling victim to this dangerous adversary.\r\nTomiris called, they want their Turla malware back\r\nWe first reported Tomiris in September 2021, following our investigation into a DNS hijack against a government\r\norganization in the CIS (Commonwealth of Independent States). We described links between a Tomiris Golang\r\nimplant and SUNSHUTTLE (which has been linked to NOBELIUM/APT29/TheDukes) as well as Kazuar (which\r\nhas been linked to Turla). However, interpreting these connections proved difficult. 
We have continued to track\r\nTomiris as a separate threat actor over three new attack campaigns between 2021 and 2023, and our telemetry has\r\nallowed us to shed more light on this group.\r\nThis threat actor’s activities have been focused on CIS members and Afghanistan: while we identified a few\r\ntargets in other locations, all of them appear to be foreign diplomatic entities of these countries.\r\nTomiris uses a wide variety of malware implants developed at a rapid pace and in all programming languages\r\nimaginable. The tools used by this threat actor fall into three categories: downloaders, backdoors, and file stealers.\r\nThe threat actor not only develops its own tools, but also uses open source or commercially available implants and\r\noffensive tools. Tomiris employs a wide variety of attack vectors: spear-phishing, DNS hijacking, exploitation of\r\nvulnerabilities (specifically ProxyLogon), suspected drive-by downloads, and other “creative” methods.\r\nThe attribution of tools used in a cyber-attack can sometimes be a very tricky issue. In January, some fellow\r\nresearchers attributed an attack on organizations in Ukraine to Turla, based, at least in part, on the use of\r\nKopiLuwak and QUIETCANARY (which we call TunnusSched) — malware known to have been used by Turla.\r\nWe discovered that a TunnusSched sample had been delivered to a government target in the CIS in September\r\n2022, and our telemetry indicated that this malware had been deployed from Tomiris’s Telemiris malware.\r\nMoreover, starting in 2019, we discovered additional implant families linked to KopiLuwak, and established that\r\nTunnusSched and KopiLuwak are part of the same toolset.\r\nWe remain convinced that, despite possible ties between the two groups, Turla and Tomiris are separate threat\r\nactors. 
Tomiris is undoubtedly Russian-speaking, but its targeting and tradecraft are significantly at odds with\r\nwhat we have observed for Turla. In addition, Tomiris’s general approach to intrusion and limited interest in\r\nstealth differ markedly from documented Turla tradecraft.\r\nThis throws up several possibilities.\r\n1. Turla is happy to use a tool that was burned in 2016, and is still using it in current operations along with\r\nnew tools.\r\n2. Other threat actors may have repurposed these tools and are using them under a false flag.\r\n3. Turla shares tools and expertise with Tomiris, or cooperates with Tomiris on joint operations.\r\n4. Tomiris and Turla rely on a common supplier that provides offensive capabilities. Or maybe Tomiris\r\ninitially started out as a private outfit writing tools for Turla and is now branching out into the mercenary\r\nbusiness.\r\nOur assessment is that the first two hypotheses are the least likely and that there exists a form of deliberate co-operation between Tomiris and Turla, although its exact nature is hard to determine with the information we have\r\nat hand.\r\nCloudWizard APT: the bad magic story goes on\r\nLast October, we identified an active infection of government, agriculture, and transportation organizations\r\nlocated in Donetsk, Lugansk, and Crimea. We published the results of our initial investigations into the\r\nPowerMagic and CommonMagic implants in March. At that time, we were unable to find anything to connect the\r\nsamples we found and the data used in the campaign to any previously known threat actor. 
However, our\r\ncontinuing investigations revealed more information about this threat, including links to other APT campaigns.\r\nWhile looking for implants bearing similarities to PowerMagic and CommonMagic, we identified a cluster of\r\neven more sophisticated malicious activities originating from the same threat actor. Interestingly, the targets were\r\nlocated not only in the Donetsk, Lugansk, and Crimea regions, but also in central and western Ukraine. These\r\ntargets included individuals, as well as diplomatic and research organizations.\r\nThe newly discovered campaign involved use of a modular framework we dubbed CloudWizard. Its features\r\ninclude taking screenshots, microphone recording, keylogging, and more.\r\nThere have been many APT threat actors operating in the Russo-Ukrainian conflict region over the years,\r\nincluding Gamaredon, CloudAtlas, and BlackEnergy. So we looked for clues that might allow us to attribute\r\nCloudWizard to a known threat actor. CloudWizard reminded us of two campaigns observed in Ukraine and\r\nreported publicly: Operation Groundbait (first described by ESET in 2016) and Operation BugDrop (discovered\r\nby CyberX in 2017). While there have been no updates about Prikormka malware (part of Operation Groundbait)\r\nfor a few years now, we discovered multiple similarities between the malware used in that campaign and\r\nCommonMagic and CloudWizard. It’s clear, therefore, that the threat actor behind these two operations has not\r\nceased its activity and has continued developing its cyber-espionage toolset and infecting targets of interest for\r\nmore than 15 years.\r\nMeet the GoldenJackal APT group. Don’t expect any howls\r\nGoldenJackal, an APT group that has been active since 2019, typically targets government and diplomatic entities\r\nin the Middle East and South Asia.\r\nWe started monitoring this threat actor in mid-2020 and have observed a constant level of activity that indicates a\r\ncapable and stealthy actor.\r\nThe main feature of this group is a specific toolset of .NET malware: JackalControl, JackalWorm, JackalSteal,\r\nJackalPerInfo, and JackalScreenWatcher. These implants are intended to control target computers, spread using\r\nremovable drives, exfiltrate data, steal credentials, collect information about the local system and the target’s web\r\nactivities, and take screen captures.\r\nWhile we have limited visibility into this threat actor’s infection vectors, during our investigations, we observed\r\nthe use of fake Skype installers and malicious Word documents.\r\nThe fake Skype installer was a .NET executable file named skype32.exe — a dropper containing two resources:\r\nthe JackalControl Trojan and a legitimate Skype for Business standalone installer. The malicious document, which\r\nmasquerades as a legitimate circular distributed to collect information about officers decorated by the Pakistan\r\ngovernment, uses the remote template injection technique to download a malicious HTML page, which\r\nexploits the Follina vulnerability (CVE-2022-30190).\r\nGoldenJackal activity is characterized by the use of compromised WordPress websites as a method to host C2-related logic. We believe the attackers upload a malicious PHP file that is used as a relay to forward web requests\r\nto another backbone C2 server. 
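Remote template injection, used by the DeathNote weaponized documents earlier in this report and by the GoldenJackal circular above, is visible without opening the file: the attached template is declared as an external relationship in word/_rels/settings.xml.rels, and a Follina-style document likewise declares an external oleObject relationship in word/_rels/document.xml.rels. The Python below is an added example written for this page, not a Kaspersky tool: it lists every external relationship in an OOXML package other than ordinary hyperlinks. The three .docx packages it inspects are built in memory and are deliberately minimal (only the relationship parts matter to the check), and their addresses are placeholders.

```python
# Added example (not Kaspersky's code): flag remote-template and other external
# relationships in an OOXML (.docx) package. Word follows these relationships
# when the document is opened, so a remote attachedTemplate or oleObject is a
# loading primitive, while a hyperlink is only followed on click.
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RELS_NS = '{http://schemas.openxmlformats.org/package/2006/relationships}'
REL_TYPE = 'http://schemas.openxmlformats.org/officeDocument/2006/relationships/'
BENIGN_EXTERNAL = {REL_TYPE + 'hyperlink'}
REMOTE_SCHEMES = {'http', 'https', 'ftp', 'file'}


def external_relationships(docx_bytes):
    # Walk every *.rels part in the package and return the relationships that
    # point outside it (TargetMode=External) to a remote location.
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as package:
        for part in package.namelist():
            if not part.endswith('.rels'):
                continue
            root = ET.fromstring(package.read(part))
            for rel in root.iter(RELS_NS + 'Relationship'):
                if rel.get('TargetMode', 'Internal') != 'External':
                    continue
                rel_type = rel.get('Type', '')
                target = rel.get('Target', '')
                if rel_type in BENIGN_EXTERNAL:
                    continue
                # UNC paths (two leading separators) are remote even without a scheme.
                is_unc = target.startswith('//') or target.startswith('\\\\')
                if urlsplit(target).scheme.lower() in REMOTE_SCHEMES or is_unc:
                    findings.append({'part': part,
                                     'type': rel_type.rsplit('/', 1)[-1],
                                     'target': target})
    return findings


def build_docx(rels_by_part):
    # Build a minimal package for the example: a stub document part plus the
    # given relationship parts. It is not a complete Word file.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as package:
        package.writestr('word/document.xml', ET.tostring(ET.Element('document')))
        for part, rels in rels_by_part.items():
            root = ET.Element(RELS_NS + 'Relationships')
            for i, (rel_type, target, mode) in enumerate(rels, 1):
                ET.SubElement(root, RELS_NS + 'Relationship', Id='rId%d' % i,
                              Type=rel_type, Target=target, TargetMode=mode)
            package.writestr(part, ET.tostring(root))
    return buf.getvalue()


def sample_documents():
    # Three constructed packages with placeholder (documentation-range) addresses.
    return {
        'remote_template': build_docx({
            'word/_rels/settings.xml.rels': [
                (REL_TYPE + 'attachedTemplate', 'http://198.51.100.10/circular.dotm', 'External')],
        }),
        'follina_style': build_docx({
            'word/_rels/document.xml.rels': [
                (REL_TYPE + 'oleObject', 'http://198.51.100.10/page.html!', 'External')],
        }),
        'benign': build_docx({
            'word/_rels/document.xml.rels': [
                (REL_TYPE + 'hyperlink', 'https://example.org/', 'External'),
                (REL_TYPE + 'settings', 'settings.xml', 'Internal')],
        }),
    }


def scan_samples():
    # Returns {document name: list of findings} for the constructed packages.
    return {name: external_relationships(data) for name, data in sample_documents().items()}


if __name__ == '__main__':
    for name, findings in scan_samples().items():
        print(name, findings)
```

A mail-gateway or triage script would feed attachment bytes straight into external_relationships. The relationship type is matched by its full URI rather than by the short name, so a lure cannot hide behind an unusual Type value; the one production addition is to treat a malformed container or XML (zipfile.BadZipFile, ET.ParseError) as a finding in its own right, since lure documents are often not well-formed.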
We don’t have any evidence of the vulnerabilities used to compromise the sites.\r\nHowever, we did observe that many of the websites were using obsolete versions of WordPress and some had also\r\nbeen defaced or infected with previously uploaded web shells, probably as a result of low-key hacktivist or\r\ncybercriminal activity.\r\nOperation Triangulation\r\nEarly in June, we issued an early warning of a long-standing campaign that we track under the name Operation\r\nTriangulation, involving a previously unknown iOS malware platform distributed via zero-click iMessage\r\nexploits.\r\nThe attack is carried out using an invisible iMessage with a malicious attachment. Using a number of\r\nvulnerabilities in iOS, the attachment is executed and installs spyware. The deployment of the spyware is\r\ncompletely hidden and requires no action from the person being targeted. The spyware then quietly transmits\r\nprivate information to remote servers — including microphone recordings, photos from instant messengers, geo-location, and data about a number of other activities of the owner of the infected device.\r\nWe detected this threat using the Kaspersky Unified Monitoring and Analysis Platform (KUMA), a\r\nnative SIEM (security information and event management) solution. Further investigation revealed that several\r\ndozen iPhones of Kaspersky employees were infected.\r\nIn addition to reaching out to industry partners to assess the prevalence of this threat, we provided a forensic\r\nmethodology to help readers determine whether their organization is targeted by the unknown group behind these\r\nattacks. We subsequently published a utility to check for Indicators of Compromise (IoCs).\r\nFollowing this, we released the first of a series of additional reports describing the final payload in the infection\r\nchain: a highly sophisticated spyware implant that we dubbed “TriangleDB”. 
Operating in memory, this implant\r\nperiodically communicates with the C2 infrastructure to receive commands. The implant allows attackers to\r\nbrowse and modify device files, get passwords and credentials stored in the keychain, retrieve geo-location\r\ninformation, as well as execute additional modules, further extending their control over the compromised devices.\r\nAndariel’s mistakes and a new malware family\r\nAndariel, part of the Lazarus group, is known for its use of the DTrack malware and Maui ransomware in mid-2022. During the same period, Andariel also actively exploited the Log4j vulnerability (Log4Shell, CVE-2021-44228). The campaign introduced\r\nseveral new malware families, such as YamaBot and MagicRat, but also updated versions of NukeSped and\r\nDTrack.\r\nWhile on an unrelated investigation, we stumbled upon a new campaign and decided to dig a little bit deeper. We\r\ndiscovered a previously undocumented malware family and an addition to Andariel’s set of TTPs.\r\nAndariel infects machines by executing a Log4j exploit, which, in turn, downloads further malware from the C2\r\nserver. Unfortunately, we were unable to catch the first piece of malware they downloaded, but we did see that\r\nexploitation was closely followed by the download of the DTrack backdoor.\r\nWe were able to reproduce the commands the attackers executed and it quickly became clear that the commands\r\nwere run by a human operator — and, judging by the number of mistakes and typos, probably an inexperienced\r\none. We were also able to identify the set of off-the-shelf tools Andariel installed and ran during the command\r\nexecution phase, and then used for further exploitation of the target. These include Supremo remote desktop,\r\n3Proxy, Powerline, Putty, Dumpert, NTDSDumpEx, and ForkDump.\r\nWe also uncovered new malware, called EarlyRat. We had first noticed this in one of the aforementioned Log4j\r\ncases and assumed it was downloaded via Log4j. 
However, when we started hunting for more samples, we found\r\nphishing documents that ultimately dropped EarlyRat.\r\nEarlyRat, like the phishing document, is very simple: it is capable of executing commands, but nothing else of\r\ninterest.\r\nOther malware\r\nNokoyawa ransomware attacks using Windows zero-day\r\nOur Behavioral Detection Engine and Exploit Prevention components detected attempts to execute elevation-of-privilege exploits on Windows servers belonging to SMBs in the Middle East, North America, and Asia. They\r\nwere similar to exploits in the Common Log File System (CLFS) — the Windows logging subsystem — that we\r\nhad analyzed previously. However, when we double-checked, one of them turned out to be a zero-day supporting\r\ndifferent versions and builds of Windows, including Windows 11. We shared our findings with Microsoft, which\r\ndesignated the vulnerability as CVE-2023-28252. The vulnerability was patched on April 4.\r\nMost zero-days that we have discovered in the past were used by APT threat actors, but this one was used by\r\nNokoyawa, a sophisticated cybercrime group, to carry out ransomware attacks.\r\nA spike in QBot banking Trojan infections\r\nIn early April, we detected a significant increase in attacks using the QBot malware (aka QakBot, QuackBot, and\r\nPinkslipbot). The malware was delivered through malicious documents attached to business correspondence. The\r\nhackers would obtain access to real business correspondence (QBot, among other things, steals locally stored e-mails from previous targets’ computers) and join the dialogue, sending messages as if they’re carrying on an old\r\nconversation. The e-mails attempt to convince targets to open an attached PDF file, passing it off as an expenses\r\nlist or other business matter. 
The PDF actually contains a fake notification from Microsoft Office 365 or Microsoft\r\nAzure. The attackers use this to try to get the target to click on the “Open” button, which then downloads a\r\npassword-protected archive with the password in the text of the notification. If the recipient unpacks the archive\r\nand runs the .WSF (Windows Script File) inside, it downloads the QBot malware from a remote server.\r\nMinas: on the way to complexity\r\nIn June 2022, we found a suspicious shellcode running in the memory of a system process. From our\r\nreconstruction of the infection chain, we determined that it originated by running an encoded PowerShell script as\r\na task, which we believe with low confidence was created through a GPO (Group Policy Object) — something\r\nthat’s especially worrying, since it indicates that the attackers had compromised the target network.\r\nThe malware, which we call Minas, is a miner. It aims to hide its presence on infected systems through encryption,\r\nthe random generation of names, and the use of hijacking and injection techniques. It also has the ability to stay on\r\nthe infected system using persistence techniques.\r\nWe think it’s very likely that a new variant will be released in the future that seeks to avoid anti-virus detection —\r\nwhich is why it’s essential to use a security solution that doesn’t primarily rely on signature detection, but also\r\nuses behavioral detection methods.\r\nSatacom delivers browser extension that steals crypto-currency\r\nIn June, we reported a recent malware distribution campaign related to the Satacom downloader. The main\r\npurpose of the dropped malware is to steal bitcoins from the target’s account by performing web injections into\r\ntargeted crypto-currency websites. 
The malware attempts to do this by installing an extension for Chromium-based web browsers, which later communicates with its C2 server, whose address is stored in the BTC transaction\r\ndata.\r\nThe malicious extension has various JS scripts to perform browser manipulations while the user is browsing the\r\ntargeted websites, including enumeration and manipulation of crypto-currency websites. It also has the ability to\r\nmanipulate the appearance of some e-mail services, such as Gmail, Hotmail, and Yahoo, in order to hide its\r\nactivity.\r\nWhile we analyzed a Windows-specific infection chain, the malware operates as a browser extension, so it could\r\nbe installed in Chromium-based browsers on various platforms — allowing the attackers to target Linux and\r\nmacOS if they choose to do so.\r\nDoubleFinger used to steal crypto-currency\r\nIn June, we reported a sophisticated attack using the DoubleFinger loader to install a crypto-stealer and\r\nremote access Trojan. The technical nature of the attack, and its multi-stage infection mechanism, resemble attacks\r\nby APT threat actors.\r\nThe process starts with an e-mail containing a malicious PIF file. If the target opens the attachment, the first stage\r\nof the attack begins. DoubleFinger executes a shellcode that downloads a file in PNG format from the image-sharing platform Imgur.com. This file actually contains multiple DoubleFinger components in encrypted form,\r\nwhich are used in subsequent stages of the attack. 
These include a loader for use in the second stage of the attack\r\n— a legitimate java.exe file; actions to try to bypass security software installed on the computer; and decryption of\r\nanother PNG file deployed at the fourth stage — this PNG file contains not only the malicious code but also the\r\nimage that gives the malware its name.\r\nDoubleFinger then launches the fifth stage using a technique called Process Doppelgänging, whereby it replaces\r\nthe legitimate process with a modified one that contains the malicious payload — the GreetingGhoul crypto-stealer, which installs itself in the system and is scheduled to run daily at a certain time.\r\nGreetingGhoul contains two components: one detects crypto-wallet applications in the system and steals data of\r\ninterest to the attackers (such as private keys and seed phrases); the other overlays the interface of crypto-currency applications and intercepts user input.\r\nThese enable the attackers to take control of the target’s crypto-wallets and withdraw funds from them.\r\nWe found several DoubleFinger modifications, some of which install the remote access Trojan Remcos. Its\r\npurpose is to observe all user actions and seize full control of the system.\r\nSource: https://securelist.com/it-threat-evolution-q2-2023/110355/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://securelist.com/it-threat-evolution-q2-2023/110355/"
	],
	"report_names": [
		"110355"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a8356cf9-e9d6-4585-8ccf-d30d3efe142b",
			"created_at": "2023-06-23T02:04:34.262059Z",
			"updated_at": "2026-04-10T02:00:04.711064Z",
			"deleted_at": null,
			"main_name": "GoldenJackal",
			"aliases": [],
			"source_name": "ETDA:GoldenJackal",
			"tools": [
				"JackalControl",
				"JackalPerInfo",
				"JackalScreenWatcher",
				"JackalSteal",
				"JackalWorm"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3f918a1b-2f20-4f3f-ae16-31e83d9d91d9",
			"created_at": "2023-06-23T02:04:34.088425Z",
			"updated_at": "2026-04-10T02:00:04.573175Z",
			"deleted_at": null,
			"main_name": "Bad Magic",
			"aliases": [
				"Bad Magic",
				"CloudWizard",
				"RedStinger"
			],
			"source_name": "ETDA:Bad Magic",
			"tools": [
				"CommonMagic",
				"PowerMagic"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ad08bd3d-e65c-4cfd-874a-9944380573fd",
			"created_at": "2023-06-23T02:04:34.517668Z",
			"updated_at": "2026-04-10T02:00:04.842233Z",
			"deleted_at": null,
			"main_name": "Operation Triangulation",
			"aliases": [],
			"source_name": "ETDA:Operation Triangulation",
			"tools": [
				"TriangleDB"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "493c47f7-b265-4b10-95de-d86af942c543",
			"created_at": "2023-04-27T02:04:45.385041Z",
			"updated_at": "2026-04-10T02:00:04.939878Z",
			"deleted_at": null,
			"main_name": "Tomiris",
			"aliases": [],
			"source_name": "ETDA:Tomiris",
			"tools": [
				"JLOGRAB",
				"JLORAT",
				"Kapushka",
				"KopiLuwak",
				"Meterpreter",
				"QUIETCANARY",
				"RATel",
				"RocketMan",
				"Roopy",
				"Telemiris",
				"Tomiris",
				"Topinambour",
				"Tunnus",
				"Warzone",
				"Warzone RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4989a6be-779c-49fa-9732-51f44b269ee2",
			"created_at": "2023-01-06T13:46:38.573168Z",
			"updated_at": "2026-04-10T02:00:03.027853Z",
			"deleted_at": null,
			"main_name": "Groundbait",
			"aliases": [],
			"source_name": "MISPGALAXY:Groundbait",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "113b8930-4626-4fa0-9a3a-bcf3ef86f595",
			"created_at": "2024-02-06T02:00:04.14393Z",
			"updated_at": "2026-04-10T02:00:03.578394Z",
			"deleted_at": null,
			"main_name": "Operation Triangulation",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Triangulation",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ff5a7bd9-75a5-43fe-ba4c-27dab43e1f61",
			"created_at": "2023-11-07T02:00:07.086058Z",
			"updated_at": "2026-04-10T02:00:03.403516Z",
			"deleted_at": null,
			"main_name": "RedStinger",
			"aliases": [
				"Bad Magic"
			],
			"source_name": "MISPGALAXY:RedStinger",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0be8b203-93b1-4d58-bcc1-1a33e15b06c0",
			"created_at": "2023-01-06T13:46:38.808048Z",
			"updated_at": "2026-04-10T02:00:03.108155Z",
			"deleted_at": null,
			"main_name": "Operation BugDrop",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation BugDrop",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bacb81f4-18d1-4dcd-b277-65a9dac41b61",
			"created_at": "2023-11-04T02:00:07.680044Z",
			"updated_at": "2026-04-10T02:00:03.390891Z",
			"deleted_at": null,
			"main_name": "GoldenJackal",
			"aliases": [],
			"source_name": "MISPGALAXY:GoldenJackal",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "73446bf0-6d25-4f73-ab37-78c41d19ade9",
			"created_at": "2022-10-25T16:07:23.961856Z",
			"updated_at": "2026-04-10T02:00:04.809181Z",
			"deleted_at": null,
			"main_name": "Operation Groundbait",
			"aliases": [],
			"source_name": "ETDA:Operation Groundbait",
			"tools": [
				"Prikormka"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59abc77c-5d6f-4042-b465-95d2f0857f57",
			"created_at": "2022-10-25T16:07:23.937297Z",
			"updated_at": "2026-04-10T02:00:04.795893Z",
			"deleted_at": null,
			"main_name": "Operation BugDrop",
			"aliases": [],
			"source_name": "ETDA:Operation BugDrop",
			"tools": [
				"Dropbox"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434430,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/167d65bdb8e80b6068ec1fe36dfdda1abc6f9df1.pdf",
		"text": "https://archive.orkl.eu/167d65bdb8e80b6068ec1fe36dfdda1abc6f9df1.txt",
		"img": "https://archive.orkl.eu/167d65bdb8e80b6068ec1fe36dfdda1abc6f9df1.jpg"
	}
}