{
	"id": "4722ba5e-5ebe-4442-9d1d-76509034ff81",
	"created_at": "2026-04-06T00:19:46.875436Z",
	"updated_at": "2026-04-10T03:24:23.674707Z",
	"deleted_at": null,
	"sha1_hash": "19a5471944319d2428bce7f9a9ff63e98ce66a21",
	"title": "Hancitor Continues to Push Cobalt Strike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2271644,
	"plain_text": "Hancitor Continues to Push Cobalt Strike\r\nBy editor\r\nPublished: 2021-06-28 · Archived: 2026-04-05 23:06:39 UTC\r\nFirst observed in 2014, Hancitor (also known as Chanitor and Tordal) is a downloader trojan that has been\r\nused to deliver multiple different malware such as Pony, Vawtrak, and DELoader. [1]\r\nHere are some great write-ups on Hancitor:\r\nBinary Defense – Analysis of Hancitor – When Boring Begets Beacon – Binary Defense\r\nGroup IB – Connecting the Bots: Hancitor fuels Cuba Ransomware Operations (group-ib.com)\r\nUnit 42 – Recent Hancitor Infections Use Cobalt Strike and a Network Ping Tool (paloaltonetworks.com)\r\nCase Summary\r\nIn this short intrusion, the threat actor gained initial access to a system through a maldoc campaign which made use of\r\nthe Hancitor downloader. The first-stage DLL, dropped by a malicious Word document, attempted to\r\ndownload multiple malware payloads to the beachhead system, including Ficker Stealer. In addition, a Cobalt Strike\r\nbeacon payload was downloaded and deployed to perform post-exploitation activities. Once inside the target\r\nenvironment, port scans and a large volume of ICMP traffic were observed, used to identify additional active systems. After\r\nabout 20 minutes, the threat actor copied a batch script and a DLL to another system using the SMB protocol. A\r\nremote service was installed to start the batch file, which executed the Cobalt Strike shellcode-embedded DLL. On the\r\nsecond compromised system, various discovery-related commands were executed before going silent. The threat actors\r\nwere evicted before completing their mission.\r\nServices\r\nWe offer multiple services including a Threat Feed service which tracks Command and Control frameworks such as\r\nCobalt Strike, Metasploit, Empire, PoshC2, etc. More information on this service and others can be found here. 
One of\r\nthe Cobalt Strike servers used in this intrusion was known about as far back as February, and the other two were added to\r\nour Threat Feed on 5/20/21.\r\nWe also have artifacts available from this case such as pcaps, memory captures, files, Kape packages, and more, under\r\nour Security Researcher and Organization services.\r\nTimeline\r\nhttps://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/\r\nPage 1 of 17\n\nAnalysis and reporting completed by @pigerlin and @v3t0_\r\nReviewed by @_pete_0\r\nMITRE ATT\u0026CK v9\r\nInitial Access\r\nThe Hancitor malware was embedded in a macro-based Word document. This single-page document contained a\r\npicture with instructions, attempting to lure the victim into enabling macros.\r\nWhen the macro was enabled, the infection chain started, and the first-stage Hancitor DLL was dropped to disk.\r\nReviewing the macro, we can see that sub yyy (towards the bottom) copies content from within the document, which sub xxx\r\nuses to create a file object; the resulting file is then executed by a shell call to rundll32.\r\nLooking at the strings of the Word document, we can see that there’s an embedded OLE object, which appears to be a PE\r\nfile.\r\nExecution\r\nThe malicious Hancitor DLL in the OLE object, named “rem.r”, was executed via rundll32.exe by passing the entry\r\npoint “ESLMJYVFM”. 
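Triage of the maldoc described above, as an added example that is not part of the original DFIR Report: a small carver that walks a byte buffer (a Word document, an extracted OLE stream, a memory dump) and reports every embedded PE header it can validate. It follows the DOS header's e_lfanew pointer and checks the PE signature rather than trusting a bare MZ string, then reads the COFF header to tell a DLL (such as the dropped rem.r stage) from an EXE. The sample buffer, the decoy text and the synthetic headers are constructed for the example.

```python
# Added example (not code from the DFIR Report): carve embedded PE headers out
# of a byte buffer such as a maldoc, validating the DOS and COFF headers.

PE_SIG = bytes([0x50, 0x45, 0x00, 0x00])   # the bytes of PE followed by two NULs
IMAGE_FILE_DLL = 0x2000                    # Characteristics flag: image is a DLL
MACHINES = {0x014C: 'x86', 0x8664: 'x64', 0xAA64: 'arm64'}


def u16(buf, off):
    return int.from_bytes(buf[off:off + 2], 'little')


def u32(buf, off):
    return int.from_bytes(buf[off:off + 4], 'little')


def carve_pe(buf):
    '''Return [(offset, machine, is_dll, n_sections)] for every embedded PE.

    A hit needs MZ at the offset, an e_lfanew (DOS header +0x3C) that points
    a plausible distance forward and stays inside the buffer, and the PE
    signature at that position.  A stray MZ in text fails these checks.'''
    hits = []
    pos = buf.find(b'MZ')
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = u32(buf, pos + 0x3C)
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and pe + 24 <= len(buf) and buf[pe:pe + 4] == PE_SIG:
                machine = u16(buf, pe + 4)           # COFF header: Machine
                n_sections = u16(buf, pe + 6)        # NumberOfSections
                characteristics = u16(buf, pe + 22)  # Characteristics
                hits.append((pos, MACHINES.get(machine, hex(machine)),
                             bool(characteristics & IMAGE_FILE_DLL), n_sections))
        pos = buf.find(b'MZ', pos + 1)
    return hits


def fake_pe(machine, characteristics, n_sections, e_lfanew=0x80):
    '''Constructed test data: a DOS stub with e_lfanew plus a COFF header.
    Enough for the carver to validate, not a loadable image.'''
    dos = bytearray(e_lfanew)
    dos[0:2] = b'MZ'
    dos[0x3C:0x40] = e_lfanew.to_bytes(4, 'little')
    coff = (PE_SIG + machine.to_bytes(2, 'little') + n_sections.to_bytes(2, 'little')
            + bytes(12)                          # TimeDateStamp and symbol table fields
            + (0xE0).to_bytes(2, 'little')       # SizeOfOptionalHeader
            + characteristics.to_bytes(2, 'little'))
    return bytes(dos) + coff


# Constructed stand-in for a maldoc: filler text containing a decoy MZ, then a
# 32-bit DLL header (like the dropped rem.r stage) and a 64-bit EXE header.
SAMPLE_DOC = (b'Office OLE filler ... MZ appears in prose too ... '
              + bytes(0x200)
              + fake_pe(0x014C, 0x2102, 3)
              + bytes(0x100)
              + fake_pe(0x8664, 0x0022, 5)
              + b' trailing document data')

if __name__ == '__main__':
    for off, machine, is_dll, n_sections in carve_pe(SAMPLE_DOC):
        kind = 'DLL' if is_dll else 'EXE'
        print('embedded %s %s at offset 0x%x with %d sections' % (machine, kind, off, n_sections))
```

The e_lfanew bounds are deliberately loose (real binaries keep it small, but packed samples pad the DOS stub); tighten them to taste. A hit only says a PE header is present; carving the full image still requires walking the section table, which is the next step a triage script would add.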
\r\nThe botnet ID and C2 were extracted using Hatching Triage:\r\nLater on in the intrusion, the threat actor used the following command to execute a Cobalt Strike Beacon on another\r\nmachine:\r\nrundll32.exe c:\\programdata\\95.dll,TstSec 11985756\r\nDefense Evasion\r\nOn the beachhead system, the malicious Hancitor DLL injected into the svchost.exe process. The code was injected into\r\nmultiple instances of svchost.exe.\r\nMemory analysis also shows suspicious memory regions in that process with PAGE_EXECUTE_READWRITE protection.\r\nFinally, when looking at the process tree, we can identify the unusual parent-child process relationship of rundll32.exe\r\nstarting svchost.exe.\r\nThe svchost.exe process, in turn, injected a Cobalt Strike beacon into multiple rundll32.exe instances. One of the\r\ninjected rundll32.exe instances was also observed connecting to the Cobalt Strike C2 server.\r\nIn addition, the malicious 95.dll, which was observed during the lateral movement phase, is also designed to evade\r\nautomated sandbox analysis. The DLL shows no malicious behavior unless a specific exported function is called with a\r\nspecific parameter: it contains the Cobalt Strike shellcode, which only executes when the “11985756” argument is passed\r\nto the TstSec function.\r\nAfter extracting the Cobalt Strike shellcode from 95.dll and emulating it via scdbg, we found that it connects to\r\n162.244.83[.]95 over port 8080.\r\nSince 95.dll was executed by rundll32.exe, and from the host logs, it is evident that rundll32.exe connected to\r\n162.244.83[.]95 over port 8080. 
\r\nPacket analysis of traffic to the IP address above shows the stager downloading the Cobalt Strike beacon with an\r\nHTTP GET request to the /hVVH URI.\r\nOnce downloaded, the stager allocates a new memory region inside the current rundll32.exe process, loads the beacon into\r\nit, and starts the C2 activity.\r\nDiscovery\r\nOn the beachhead system, the threat actor started exploring their options to move laterally within the target network. The\r\nlogged-on user account was used to interact with IPC$ shares.\r\nFor one system of particular interest to the threat actor, the contents of the C$ share were listed, we assess to\r\nverify that the account had access to the share before copying the malware to it:\r\nThe threat actor also pinged one of the Active Directory domain controllers from the beachhead machine.\r\nA high volume of ICMP traffic targeting various Class A subnet ranges was observed, used to identify other active\r\nsystems within the environment.\r\nOn the second system, to which the adversary laterally moved (see section below), the following discovery commands\r\nwere executed:\r\nnltest /domain_trusts\r\nnet view /domain\r\nnet time\r\nLateral Movement\r\nThe injected svchost process dropped two files: a batch file named “95.bat” and a DLL named “95.dll”. Both files\r\nwere copied to the ProgramData folder of another system within the environment.\r\nThe content of the batch file can be seen below; it executes the transferred DLL and then deletes itself:\r\nTo execute the batch file, the threat actor installed and started a remote service on the other system. 
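Host-side detection for the execution, defense-evasion and lateral-movement tradecraft described above, as an added example that is not part of the original DFIR Report. It scores Sysmon-style events for rundll32 loading a DLL from a user-writable directory (stronger when a purely numeric argument follows the export, as with 95.dll,TstSec 11985756), for svchost.exe spawned by rundll32.exe, for rundll32.exe making a network connection, and for a service installed with a batch file or user-writable image path, raised to critical when that file arrived over SMB beforehand. The event schema, host names and paths are assumptions constructed for the example; a real deployment would feed it Sysmon event IDs 1, 3 and 11 and System event 7045.

```python
# Added example (not code from the DFIR Report): score constructed Sysmon-style
# events for the rundll32, injection and remote-service tradecraft in the report.
from dataclasses import dataclass

BS = chr(92)  # a backslash; built with chr() so no escape sequences appear in literals

# Directories an ordinary user can write to; DLLs run by rundll32 from here are suspect.
USER_WRITABLE = ('c:/programdata/', 'c:/users/', 'c:/windows/temp/')


@dataclass
class Event:
    kind: str             # 'process', 'network', 'file' or 'service'
    host: str
    image: str = ''       # process image ('process', 'network')
    parent: str = ''      # parent image ('process')
    cmdline: str = ''     # command line ('process')
    path: str = ''        # file written ('file') or service image path ('service')
    remote: bool = False  # 'file': written through a remote SMB session


def norm(p):
    '''Lower-case and forward-slash a Windows path so comparisons are uniform.'''
    return p.lower().replace(BS, '/')


def in_user_writable(path):
    return norm(path).startswith(USER_WRITABLE)


def parse_rundll32(cmdline):
    '''Return (dll, export, args) for a rundll32 command line, else None.
    rundll32 takes  rundll32.exe <dll>,<export> [args]  with no space around
    the comma, so the first token after the image carries both dll and export.'''
    toks = norm(cmdline).split()
    if len(toks) < 2 or not toks[0].endswith('rundll32.exe') or ',' not in toks[1]:
        return None
    dll, export = toks[1].split(',', 1)
    return dll, export, ' '.join(toks[2:])


def detect(events):
    '''Return (severity, host, message) alerts, in event order.'''
    alerts = []
    staged = set()  # (host, path) of files written into user-writable dirs over SMB
    for e in events:
        if e.kind == 'process':
            parsed = parse_rundll32(e.cmdline)
            if parsed:
                dll, export, args = parsed
                if in_user_writable(dll):
                    # A bare numeric argument gating the export is the 95.dll pattern.
                    sev = 'high' if args.isdigit() else 'medium'
                    alerts.append((sev, e.host, 'rundll32 loading %s,%s from a user-writable path' % (dll, export)))
            if norm(e.image).endswith('/svchost.exe') and norm(e.parent).endswith('/rundll32.exe'):
                alerts.append(('high', e.host, 'svchost.exe spawned by rundll32.exe'))
        elif e.kind == 'network' and norm(e.image).endswith('/rundll32.exe'):
            alerts.append(('medium', e.host, 'rundll32.exe made an outbound connection'))
        elif e.kind == 'file' and e.remote and in_user_writable(e.path):
            staged.add((e.host, norm(e.path)))
        elif e.kind == 'service':
            p = norm(e.path)
            if p.endswith('.bat') or in_user_writable(p):
                sev = 'critical' if (e.host, p) in staged else 'high'
                alerts.append((sev, e.host, 'service installed with image path %s' % p))
    return alerts


def W(p):
    '''Turn a slash-separated path into Windows form (used only to build samples).'''
    return p.replace('/', BS)


# Constructed sample stream shaped after the intrusion: maldoc stage on ws01,
# injected svchost and a beaconing rundll32, then 95.bat/95.dll copied to srv02
# over SMB and run through a remote service.  Two benign events close the list.
SAMPLE = [
    Event('process', 'ws01', image=W('c:/windows/system32/rundll32.exe'),
          parent=W('c:/program files/microsoft office/root/office16/winword.exe'),
          cmdline='rundll32.exe ' + W('c:/users/victim/appdata/local/temp/rem.r') + ',ESLMJYVFM'),
    Event('process', 'ws01', image=W('c:/windows/system32/svchost.exe'),
          parent=W('c:/windows/system32/rundll32.exe'), cmdline='svchost.exe'),
    Event('network', 'ws01', image=W('c:/windows/system32/rundll32.exe')),
    Event('file', 'srv02', path=W('c:/programdata/95.dll'), remote=True),
    Event('file', 'srv02', path=W('c:/programdata/95.bat'), remote=True),
    Event('service', 'srv02', path=W('c:/programdata/95.bat')),
    Event('process', 'srv02', image=W('c:/windows/system32/rundll32.exe'),
          parent=W('c:/windows/system32/cmd.exe'),
          cmdline='rundll32.exe ' + W('c:/programdata/95.dll') + ',TstSec 11985756'),
    Event('service', 'srv02', path=W('c:/program files/vendor/agent.exe')),
    Event('process', 'ws01', image=W('c:/windows/system32/rundll32.exe'),
          parent=W('c:/windows/explorer.exe'),
          cmdline='rundll32.exe ' + W('c:/windows/system32/shell32.dll') + ',Control_RunDLL'),
]

if __name__ == '__main__':
    for sev, host, msg in detect(SAMPLE):
        print('[%s] %s: %s' % (sev, host, msg))
```

The benign shell32.dll,Control_RunDLL and vendor service events produce nothing, which is the point of keying on the DLL location and the service image path rather than on rundll32 or service creation alone. The staging correlation is deliberately simple (same host, same normalized path, any earlier time); in production add a time window and the SMB client address from the 5145 or Sysmon 11 record.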
\r\nCredential Access\r\nAn attempt to open the lsass.exe process was observed on the system to which the threat actor moved laterally, but there\r\nwere no signs of a successful read.\r\nCommand and Control\r\nIn the network traffic, we can identify a data stream pattern that is distinctive to Hancitor malware.\r\nFirst, the malware performed a lookup of the external IP address of the infected system (1). This was followed by\r\nHancitor C2 traffic, sent via HTTP POST requests, which included unique attributes of the infected system, such as\r\nhostname and username information (2).\r\nHancitor then attempted to download additional malware. This included the info-stealer known as “Ficker Stealer” (4),\r\nfor which the DNS traffic corresponds to a recent article posted by Brad. However, in our case, the post-infection HTTP\r\ntraffic of Ficker Stealer was not observed.\r\nHancitor also attempted to download Cobalt Strike stagers (.bin files) (3), and Cobalt Strike traffic was sent both\r\nencrypted and unencrypted (5).\r\nHancitor\r\nvaethemanic[.]com/8/forum.php\r\ntembovewinated[.]ru/8/forum.php\r\nprournauseent[.]ru/8/forum.php\r\nCobalt Strike\r\n216.250.248[.]88\r\nConfig:\r\n\"x64\":\r\n\"config\":\r\n\"Jitter\": 0,\r\n\"Method 2\": \"POST\",\r\n\"Beacon Type\": \"0 (HTTP)\",\r\n\"Watermark\": 0,\r\n\"Method 1\": \"GET\",\r\n\"Polling\": 60000,\r\n\"C2 Server\": \"216.250.248.88,/ga.js\",\r\n\"Port\": 80,\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\",\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n\"C2 Host Header\": \"\",\r\n\"HTTP Method Path 2\": \"/submit.php\"\r\n\"x86\":\r\n\"config\":\r\n\"Jitter\": 0,\r\n\"Method 2\": \"POST\",\r\n\"Beacon Type\": \"0 (HTTP)\",\r\n\"Watermark\": 0,\r\n\"Method 1\": 
\"GET\",\r\n\"Polling\": 60000,\r\n\"C2 Server\": \"216.250.248.88,/ptj\",\r\n\"Port\": 80,\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\",\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n\"C2 Host Header\": \"\",\r\n\"HTTP Method Path 2\": \"/submit.php\"\r\n162.244.83[.]95\r\nConfig:\r\n\"x64\":\r\n\"sha1\": \"93d1f927eae5d7cee5a36c4b5570fedd1e04f362\",\r\n\"uri_queried\": \"/WZSY\",\r\n\"sha256\": \"0e5f353721f618b1d1ec89570443a4a42ae5e41d466f9a022ace75bf74ff9dcd\",\r\n\"config\":\r\n\"HTTP Method Path 2\": \"/submit.php\",\r\n\"C2 Host Header\": \"\",\r\n\"Watermark\": 0,\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n\"Method 1\": \"GET\",\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\",\r\n\"Polling\": 60000,\r\n\"C2 Server\": \"162.244.83.95,/fwlink\",\r\n\"Port\": 8080,\r\n\"Method 2\": \"POST\",\r\n\"Jitter\": 0,\r\n\"Beacon Type\": \"0 (HTTP)\"\r\n\"x86\":\r\n\"sha1\": \"d8f0bda5ee2416d7059b9ff58aa6c7f5357d3a6d\",\r\n\"uri_queried\": \"/Vdn4\",\r\n\"sha256\": \"c0ef889bda5881d8c5441ba7bed8655851d9f734d1ede2bb934f2c5060b65e61\",\r\n\"config\":\r\n\"HTTP Method Path 2\": \"/submit.php\",\r\n\"C2 Host Header\": \"\",\r\n\"Watermark\": 0,\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n\"Method 1\": \"GET\",\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\",\r\n\"Polling\": 60000,\r\n\"C2 Server\": \"162.244.83.95,/match\",\r\n\"Port\": 8080,\r\n\"Method 2\": \"POST\",\r\n\"Jitter\": 0,\r\n\"Beacon Type\": \"0 (HTTP)\"\r\n80.209.242[.]9\r\nja3: 72a589da586844d7f0818ce684948eea\r\nja3s: ae4edc6faf64d08308082ad26be60767\r\nCertificate: [6e:ce:5e:ce:41:92:68:3d:2d:84:e2:5b:0b:a7:e0:4f:9c:b7:eb:7c]\r\nNot Before: 2015/05/20 14:26:24\r\nNot After: 2025/05/17 14:26:24\r\nIssuer Org:\r\nSubject Common:\r\nSubject Org:\r\nPublic 
Algorithm: rsaEncryption\r\nConfig:\r\n\"x86\":\r\n\"sha256\": \"57d4976c4daee794299e5e7c6374db3494e9a1df1f967aa9010624099ed6da16\",\r\n\"time\": 1621526952543.7,\r\n\"sha1\": \"0aea959b387c58f1ac47fb6946d1330cab301c2e\",\r\n\"md5\": \"494db8c61916acc6ae99b868d4869089\",\r\n\"config\":\r\n\"Port\": 80,\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\",\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n\"Beacon Type\": \"0 (HTTP)\",\r\n\"C2 Server\": \"80.209.242.9,/match\",\r\n\"HTTP Method Path 2\": \"/submit.php\",\r\n\"Method 2\": \"POST\",\r\n\"Method 1\": \"GET\",\r\n\"Polling\": 60000,\r\n\"Jitter\": 0\r\n\"x64\":\r\n\"sha256\": \"e468e4c9226f47815dee0bfd35a2b065e7375a7be228845e35607ea00c87b6ac\",\r\n\"time\": 1621526967489.4,\r\n\"sha1\": \"db3a7c60fc281a200a3cf1554bae5f99491fa744\",\r\n\"md5\": \"b4589d6f80fa1131e8ab7504793f878b\",\r\n\"config\":\r\n\"Port\": 80,\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\",\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n\"Beacon Type\": \"0 (HTTP)\",\r\n\"C2 Server\": \"80.209.242.9,/updates.rss\",\r\n\"HTTP Method Path 2\": \"/submit.php\",\r\n\"Method 2\": \"POST\",\r\n\"Method 1\": \"GET\",\r\n\"Polling\": 60000,\r\n\"Jitter\": 0\r\n\"x86\":\r\n\"sha256\": \"e9a95e09e762020f23d238b364be8b5b61c6662099f5bdf4ac5a102bd31fec98\",\r\n\"time\": 1621526949089.5,\r\n\"sha1\": \"45d1f56ccbe33d0f8c727ef2c740fdd1b3eee01b\",\r\n\"md5\": \"d1f6ba82ba87e4a957e73160773e782a\",\r\n\"config\":\r\n\"Port\": 443,\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\",\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n\"Beacon Type\": \"8 (HTTPS)\",\r\n\"C2 Server\": \"80.209.242.9,/ca\",\r\n\"HTTP Method Path 2\": \"/submit.php\",\r\n\"Method 2\": \"POST\",\r\n\"Method 1\": \"GET\",\r\n\"Polling\": 60000,\r\n\"Jitter\": 0\r\n\"x64\":\r\n\"sha256\": 
\"0fdf544145bd491fa7a19b24875f0231f414fbde07e50e1af219d063c08989f9\",\r\n\"time\": 1621526962664.6,\r\n\"sha1\": \"67213613a61c9552955e068ad417e48b7bad8fa6\",\r\n\"md5\": \"a4e1f497c424a259d2b52d6414a6365f\",\r\n\"config\":\r\n\"Port\": 443,\r\n\"Spawn To x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\",\r\n\"Spawn To x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n\"Beacon Type\": \"8 (HTTPS)\",\r\n\"C2 Server\": \"80.209.242.9,/ca\",\r\n\"HTTP Method Path 2\": \"/submit.php\",\r\n\"Method 2\": \"POST\",\r\n\"Method 1\": \"GET\",\r\n\"Polling\": 60000,\r\n\"Jitter\": 0\r\nImpact\r\nIn this intrusion we did not see a final action on objectives.\r\nIOCs\r\nFiles\r\n95.dll\r\n98b2fff45a9474d61c1bd71b7a60712b\r\n3b0ec4b6ad3cf558cac6b2c6e7d8024c438cfbc5\r\n7b2144f2b5d722a1a8a0c47a43ecaf029b434bfb34a5cffe651fda2adf401131\r\n95.bat\r\n5b3c525c2883ba588d0cfe848c0151b3\r\n012c934a2e4536398ac2c3a1614a3927709e7d61\r\n28b3b7d1421b39ad747d3ddfe2322bfe505a00f43d0adab80671e9c442f1472e\r\nrem.r\r\nf7b1fc5b175b40bcddf6170ed265b442\r\nf67c640d6b00c7bcd0d498c8de1b6eee6868d41f\r\n50b63958880b915219d5364d08593dce44effd49a0f25f7b0609cab8f1e0ec5d\r\n0520_656407893761.doc\r\n632c214b5a3f8bdfa91197e121f41db1\r\n9744884a328416906de484acbe1200a83cb7b5fa\r\nd43ec0226fd6af4d0848cd1fa2329b93fb73341814dd8536c53b6da0e31b3844\r\nNetwork\r\ntembovewinated[.]ru\r\nprournauseent[.]ru\r\nsweyblidian[.]com\r\nvaethemanic[.]com\r\nq09pi7[.]ru\r\n216.250.248[.]88\r\n162.244.83[.]95\r\n80.209.242[.]9\r\nDetections\r\nSuricata\r\nET POLICY External IP Lookup (ipfy.org)\r\nET INFO Suspicious Empty SSL Certificate – Observed in Cobalt Strike\r\nET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1\r\nET NETBIOS DCERPC SVCCTL – Remote Service Control Manager Access\r\nET TROJAN 
Observed Cobalt Strike User-Agent\r\nETPRO TROJAN Tordal/Hancitor/Chanitor Checkin\r\nETPRO TROJAN Cobalt Strike Beacon Observed\r\nSnort\r\nBinary Defense Created - alert tcp any any -\u003e any $HTTP_PORTS (msg:\"Possible Hancitor Checkin\"; flow:estab\r\nSigma\r\nhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_svchost.yml\r\nhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/sysmon_rundll32_net_connections.yml\r\nhttps://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_trust_discovery.yml\r\nYARA\r\n/*\r\nYARA Rule Set\r\nAuthor: The DFIR Report\r\nDate: 2021-06-27\r\nIdentifier: 4301 Hancitor\r\nReference: https://thedfirreport.com\r\n*/\r\n/* Rule Set ----------------------------------------------------------------- */\r\nimport \"pe\"\r\nrule sig_95_dll_cobalt_strike {\r\nmeta:\r\ndescription = \"file 95.dll\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com\"\r\ndate = \"2021-06-24\"\r\nhash1 = \"7b2144f2b5d722a1a8a0c47a43ecaf029b434bfb34a5cffe651fda2adf401131\"\r\nstrings:\r\n$s1 = \"TstDll.dll\" fullword ascii\r\n$s2 = \"!This is a Windows NT windowed dynamic link library\" fullword ascii\r\n$s3 = \"AserSec\" fullword ascii\r\n$s4 = \"`.idata\" fullword ascii /* Goodware String - occured 1 times */\r\n$s5 = \"vEYd!W\" fullword ascii\r\n$s6 = \"[KpjrRdX\u0026b\" fullword ascii\r\n$s7 = \"XXXXXXHHHHHHHHHHHHHHHHHHHH\" fullword ascii /* Goodware String - occured 2 times */\r\n$s8 = \"%$N8 2\" fullword ascii\r\n$s9 = \"%{~=vP\" fullword ascii\r\n$s10 = \"it~?KVT\" fullword ascii\r\n$s11 = \"UwaG+A\" fullword ascii\r\n$s12 = \"mj_.%/2\" fullword ascii\r\n$s13 = \"BnP#lyp\" fullword ascii\r\n$s14 = \"(N\\\"-%IB\" fullword ascii\r\n$s15 = \"KkL{xK\" fullword ascii\r\n$s16 = \")[IyU,\" fullword ascii\r\n$s17 = \"|+uo6\\\\\" fullword ascii\r\n$s18 
= \"@s?.N^\" fullword ascii\r\n$s19 = \"R%jdzV\" fullword ascii\r\n$s20 = \"R!-q$Fl\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 100KB and\r\n( pe.imphash() == \"67fdc237b514ec9fab9c4500917eb60f\" and ( pe.exports(\"AserSec\") and pe.exports(\"TstSec\") ) )\r\n}\r\nrule cobalt_strike_shellcode_95_dll {\r\nmeta:\r\ndescription = \"Cobalt Strike Shellcode\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com\"\r\ndate = \"2021-06-23\"\r\nhash = \"7b2144f2b5d722a1a8a0c47a43ecaf029b434bfb34a5cffe651fda2adf401131\"\r\nstrings:\r\n$str_1 = { E8 89 00 00 00 60 89 E5 31 D2 64 8B 52 30 8B 52 }\r\n$str_2 = \"/hVVH\"\r\n$str_3 = \"User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENGB)\"\r\ncondition:\r\n3 of them\r\n}\r\nMITRE\r\nUser Execution – T1204\r\nWeb Protocols – T1071.001\r\nDynamic-link Library Injection – T1055.001\r\nRemote System Discovery – T1018\r\nNetwork Service Scanning – T1046\r\nWindows Service – T1543.003\r\nDomain Trust Discovery – T1482\r\nSystem Time Discovery – T1124\r\nNetwork Share Discovery – T1135\r\nFile Deletion – T1070.004\r\nInternal case 4301\r\nSource: https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/"
	],
	"report_names": [
		"hancitor-continues-to-push-cobalt-strike"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434786,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/19a5471944319d2428bce7f9a9ff63e98ce66a21.pdf",
		"text": "https://archive.orkl.eu/19a5471944319d2428bce7f9a9ff63e98ce66a21.txt",
		"img": "https://archive.orkl.eu/19a5471944319d2428bce7f9a9ff63e98ce66a21.jpg"
	}
}