{
	"id": "e76024b4-ffb7-4015-a8b0-56f393f4b470",
	"created_at": "2026-04-06T00:21:31.493884Z",
	"updated_at": "2026-04-10T03:38:19.139744Z",
	"deleted_at": null,
	"sha1_hash": "19d4efdd3e528c6aee16eec51f162b8641c027bb",
	"title": "Sunburst backdoor - code overlaps with Kazuar",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2334026,
	"plain_text": "Sunburst backdoor - code overlaps with Kazuar\r\nBy Georgy Kucherin\r\nPublished: 2021-01-11 · Archived: 2026-04-05 21:45:02 UTC\r\nAPT reports\r\nhttps://securelist.com/sunburst-backdoor-kazuar/99981/\r\nPage 1 of 19\r\nIntroduction\r\nOn December 13, 2020, FireEye published a blog post detailing a supply chain attack leveraging Orion IT, an infrastructure monitoring and management platform by SolarWinds. In parallel, Volexity published an article with their analysis of related attacks, attributed to an actor named “Dark Halo”. FireEye did not link this activity to any known actor; instead, they gave it an unknown, temporary moniker – “UNC2452”.\r\nThis attack is remarkable from many points of view, including its stealthiness, precision targeting and the custom malware leveraged by the attackers, named “Sunburst” by FireEye.\r\nIn a previous blog, we dissected the method used by Sunburst to communicate with its C2 server and the protocol by which victims are upgraded for further exploitation. Similarly, many other security companies published their own analysis of the Sunburst backdoor, various operational details and how to defend against this attack. Yet, besides some media articles, no solid technical papers have been published that could potentially link it to previously known activity.\r\nWhile looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Kazuar is a .NET backdoor first reported by Palo Alto in 2017. Palo Alto tentatively linked Kazuar to the Turla APT group, although no solid attribution link has been made public. 
Our own observations indeed confirm that Kazuar was used together with other Turla tools during multiple breaches in past years.\r\nA number of unusual, shared features between Sunburst and Kazuar include the victim UID generation algorithm, the sleeping algorithm and the extensive usage of the FNV-1a hash.\r\nWe describe these similarities in detail below.\r\nFor a summary of this analysis and FAQs, feel free to scroll down to “Conclusions“.\r\nWe believe it’s important that other researchers around the world investigate these similarities and attempt to discover more facts about Kazuar and the origin of Sunburst, the malware used in the SolarWinds breach. If we consider past experience, looking back to the WannaCry attack, in the early days, there were very few facts linking them to the Lazarus group. In time, more evidence appeared and allowed us, and others, to link them together with high confidence. Further research on this topic can be crucial in connecting the dots.\r\nMore information about UNC2452, DarkHalo, Sunburst and Kazuar is available to customers of the Kaspersky Intelligence Reporting service. Contact: intelreports[at]kaspersky.com\r\nTechnical Details\r\nBackground\r\nWhile looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Kazuar is a .NET backdoor first reported by Palo Alto in 2017.\r\nThroughout the years, Kazuar has been under constant development. Its developers have been regularly improving it, switching from one obfuscator to another, changing algorithms and updating features. We looked at all versions of Kazuar since 2015, in order to better understand its development timeline.\r\n[Figure: Kazuar development and evolution timeline]\r\nIn the following sections, we look at some of the similarities between Kazuar and Sunburst. 
First, we will discuss how a particular feature is used in Kazuar, and then we will describe the implementation of the same feature in Sunburst.\r\nComparison of the sleeping algorithms\r\nBoth Kazuar and Sunburst have implemented a delay between connections to a C2 server, likely designed to make the network activity less obvious.\r\nKazuar\r\nKazuar calculates the time it sleeps between two C2 server connections as follows: it takes two time periods, the minimal sleeping time and the maximal sleeping time, and calculates the waiting period with the following formula:\r\ngenerated_sleeping_time = sleeping_time_min + x * (sleeping_time_max - sleeping_time_min)\r\nwhere x is a random floating-point number in the range from 0 (inclusive) to 1 (exclusive) obtained by calling the NextDouble method, while sleeping_time_min and sleeping_time_max are time periods obtained from the C2 configuration which can be changed with the help of a backdoor command. As a result of the calculations, the generated time will fall in the [sleeping_time_min, sleeping_time_max] range. By default, sleeping_time_min equals two weeks and sleeping_time_max equals four weeks in most samples of Kazuar we analysed.\r\n
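The formula above, together with the Sunburst DelayMs routine that is compared with it later in this section, as an added example written for this page rather than code from either backdoor. It reimplements both delay computations in Python with an injectable random source and a simulated clock in place of Thread.Sleep, so the behaviour can be checked offline. The two-week and four-week Kazuar defaults, the 12-to-14-day Sunburst window and the one-minute poll interval come from the text; the function names, the EPOCH constant and the seeded run are assumptions of the example.

```python
import random
from datetime import datetime, timedelta

# .NET TimeSpan ticks are 100 ns; Thread.Sleep(Int32) takes milliseconds.
TICKS_PER_SECOND = 10_000_000
INT32_MAX = 2_147_483_647
POLL = timedelta(minutes=1)   # this.timespan in the Kazuar listing (1 minute)
EPOCH = datetime(2020, 1, 1)  # assumed start of the simulated clock


class FixedRandom:
    # Stand-in for System.Random when a deterministic NextDouble() is wanted.
    def __init__(self, value):
        self.value = value

    def random(self):
        return self.value


def to_ticks(span):
    return int(span.total_seconds() * TICKS_PER_SECOND)


def kazuar_randomized_sleep(rnd, lo, hi):
    # get_randomized_sleeping_time: swap if reversed, then lo + x * (hi - lo)
    # computed over ticks, with x = NextDouble() in [0, 1).
    if lo > hi:
        lo, hi = hi, lo
    extra = int(rnd.random() * (to_ticks(hi) - to_ticks(lo)))
    return timedelta(microseconds=(to_ticks(lo) + extra) // 10)


def kazuar_wait_loop(rnd, lo, hi, last_c2, now):
    # wait_between_connections with a simulated clock: every iteration redraws
    # the threshold, compares it with the time since the last C2 contact and
    # sleeps at most POLL. Returns (number of Sleep calls, clock at exit).
    calls = 0
    while True:
        threshold = kazuar_randomized_sleep(rnd, lo, hi)
        elapsed = now - last_c2
        if elapsed >= threshold:
            return calls, now
        now += min(threshold - elapsed, POLL)
        calls += 1


def kazuar_sleep_days(x, lo_weeks, hi_weeks):
    # One draw of the Kazuar formula, in days, for a fixed NextDouble() value x.
    span = kazuar_randomized_sleep(FixedRandom(x), timedelta(weeks=lo_weeks), timedelta(weeks=hi_weeks))
    return span.total_seconds() / 86400


def kazuar_loop_summary(x, lo_weeks, hi_weeks):
    # (Sleep calls, days until exit) of the simulated loop for a fixed draw x.
    calls, end = kazuar_wait_loop(FixedRandom(x), timedelta(weeks=lo_weeks),
                                  timedelta(weeks=hi_weeks), EPOCH, EPOCH)
    return calls, (end - EPOCH).total_seconds() / 86400


def seeded_kazuar_days(seed):
    # Days until the simulated loop exits with a seeded real PRNG and the
    # default two-to-four week configuration.
    calls, end = kazuar_wait_loop(random.Random(seed), timedelta(weeks=2),
                                  timedelta(weeks=4), EPOCH, EPOCH)
    return (end - EPOCH).total_seconds() / 86400


def sunburst_delay_plan(min_ms, max_ms, rnd):
    # DelayMs: the same formula in milliseconds, returned as the list of
    # Thread.Sleep arguments it would issue. Thread.Sleep takes an Int32, so a
    # wait of INT32_MAX ms (about 24.8 days) or more is split into full-size
    # chunks plus a remainder; a zero maxMs falls back to 1..2 seconds.
    if int(max_ms) == 0:
        min_ms, max_ms = 1000.0, 2000.0
    num = min_ms + rnd.random() * (max_ms - min_ms)
    chunks = []
    while num >= 2147483647.0:
        chunks.append(INT32_MAX)
        num -= 2147483647.0
    chunks.append(int(num))
    return chunks


if __name__ == '__main__':
    print(kazuar_sleep_days(0.5, 2, 4))
    print(kazuar_loop_summary(0.5, 2, 4))
    print(round(seeded_kazuar_days(7), 2))
    print(sunburst_delay_plan(12 * 86400 * 1000.0, 14 * 86400 * 1000.0, FixedRandom(0.5)))
    print(sunburst_delay_plan(30 * 86400 * 1000.0, 30 * 86400 * 1000.0, FixedRandom(0.0)))
```

Two things the simulation makes visible that the listings alone do not. First, a 12-to-14-day Sunburst wait fits in a single Thread.Sleep call; the chunking loop only matters once an operator raises the interval past roughly 24.8 days. Second, as listed, the Kazuar loop redraws its random threshold on every one-minute iteration and exits the first time a draw is at or below the elapsed time, so with a uniform draw the exit clusters shortly after sleeping_time_min rather than being spread evenly over the two-to-four week range; the seeded run shows this.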
After calculating the sleeping time, it invokes the Sleep method in a loop.\r\nKazuar implements this algorithm in the following lines of code (class names were omitted from the code for clarity):\r\nlong random_multiplication(Random random_0, long long_0) {\r\n  return (long)(random_0.NextDouble() * (double)long_0);\r\n}\r\nTimeSpan get_randomized_sleeping_time(Random random_0, TimeSpan timeSpan_0, TimeSpan timeSpan_1) {\r\n  if (timeSpan_0 \u003e timeSpan_1) {\r\n    TimeSpan timeSpan = timeSpan_0;\r\n    timeSpan_0 = timeSpan_1;\r\n    timeSpan_1 = timeSpan;\r\n  }\r\n  long num = random_multiplication(random_0, timeSpan_1.Ticks - timeSpan_0.Ticks); // randomize the sleeping time\r\n  return new TimeSpan(timeSpan_0.Ticks + num);\r\n}\r\nTimeSpan get_remaining_time(TimeSpan timeSpan_0, TimeSpan timeSpan_1) {\r\n  if (!(timeSpan_0 \u003e timeSpan_1)) {\r\n    return timeSpan_0;\r\n  }\r\n  return timeSpan_1;\r\n}\r\nvoid wait_between_connections() {\r\n  for (;;) { // the sleeping loop\r\n    TimeSpan[] array = get_min_and_max_sleep_time(); /* retrieves sleeping_time_min and sleeping_time_max from the configuration */\r\n    TimeSpan timeSpan = get_randomized_sleeping_time(this.random_number, array[0], array[1]);\r\n    DateTime last_c2_connection = get_last_c2_connection();\r\n    TimeSpan timeSpan2 = DateTime.Now - last_c2_connection;\r\n    if (timeSpan2 \u003e= timeSpan) {\r\n      break; /* enough time has passed, the backdoor may connect to the C2 server */\r\n    }\r\n    TimeSpan timeout = get_remaining_time(timeSpan - timeSpan2, this.timespan); // this.timespan equals 1 minute\r\n    Thread.Sleep(timeout);\r\n  }\r\n
}\r\nSunburst\r\nSunburst uses exactly the same formula to calculate sleeping time, relying on NextDouble to generate a random number. It then calls the sleeping function in a loop. The only difference is that the code is somewhat less complex. Below we compare an extract of the sleeping algorithm found in Kazuar and the code discovered in Sunburst.\r\nKazuar: the random waiting time generation algorithm and the sleeping loop. The listed code is used in multiple versions of the backdoor, including samples with MD5 150D0ADDF65B6524EB92B9762DB6F074 (2016) and 1F70BEF5D79EFBDAC63C9935AA353955 (2019+).\r\nlong random_multiplication(Random random_0, long long_0) {\r\n  return (long)(random_0.NextDouble() * (double)long_0);\r\n}\r\nTimeSpan get_randomized_sleeping_time(Random random_0, TimeSpan timeSpan_0, TimeSpan timeSpan_1) {\r\n  if (timeSpan_0 \u003e timeSpan_1) {\r\n    TimeSpan timeSpan = timeSpan_0;\r\n    timeSpan_0 = timeSpan_1;\r\n    timeSpan_1 = timeSpan;\r\n  }\r\n  long num = random_multiplication(random_0, timeSpan_1.Ticks - timeSpan_0.Ticks);\r\n  return new TimeSpan(timeSpan_0.Ticks + num);\r\n}\r\nvoid wait_between_connections() {\r\n  for (;;) {\r\n    ...\r\n    if (timeSpan2 \u003e= timeSpan) {\r\n      break;\r\n    }\r\n    TimeSpan timeout = get_remaining_time(timeSpan - timeSpan2, this.timespan);\r\n    Thread.Sleep(timeout);\r\n  }\r\n}\r\nSunburst: the random waiting time generation algorithm and the sleeping loop. MD5 2C4A910A1299CDAE2A4E55988A2F102E.\r\nprivate static void DelayMs(double minMs, double maxMs)\r\n{\r\n  if ((int)maxMs == 0)\r\n  {\r\n    minMs = 1000.0;\r\n    maxMs = 2000.0;\r\n  }\r\n  double num;\r\n  for (num = minMs + new Random().NextDouble() * (maxMs - minMs); num \u003e= 2147483647.0; num -= 2147483647.0)\r\n  {\r\n    Thread.Sleep(int.MaxValue);\r\n  }\r\n  Thread.Sleep((int)num);\r\n}\r\nComparing the two code fragments outlined above, we see that the algorithms are similar.\r\nIt’s noteworthy that both Kazuar and Sunburst wait for quite a long time before or in-between C2 connections. By default, Kazuar chooses a random sleeping time between two and four weeks, while Sunburst waits from 12 to 14 days.\r\nSunburst, like Kazuar, implements a command which allows the operators to change the waiting time between two C2 connections.\r\nBased on the analysis of the sleeping algorithm, we conclude:\r\nKazuar and Sunburst use the same mathematical formula, relying on Random().NextDouble() to calculate the waiting time\r\nKazuar randomly selects a sleeping period between two and four weeks between C2 connections\r\nSunburst randomly selects a sleeping period between twelve and fourteen days before contacting its C2\r\nSuch long sleep periods in C2 connections are not very common for typical APT malware\r\nWhile Kazuar does a Thread.Sleep using a TimeSpan object, Sunburst uses an Int32 value; because Thread.Sleep(Int32) takes milliseconds and Int32.MaxValue milliseconds is roughly 24.8 days, the developers “emulate” longer sleeps in a loop to get past this limitation\r\nIn case of both Kazuar and Sunburst, the sleeping time between two connections can be changed with the help of a command sent by the C2 server\r\nThe FNV-1a hashing algorithm\r\nSunburst uses the FNV-1a hashing algorithm extensively throughout its code. This detail initially attracted our attention and we tried to look for other malware that uses the same algorithm. 
It should be pointed out that the usage of this hashing algorithm is not unique to Kazuar and Sunburst. However, it provides an interesting starting point for finding more similarities. FNV-1a has been widely used by the Kazuar .NET backdoor since its early versions. We compare the usage of FNV-1a in Kazuar and Sunburst below.\r\nKazuar\r\nThe shellcode used in Kazuar finds addresses of library functions with a variation of the FNV-1a hashing algorithm. The way of finding these addresses is traditional: the shellcode traverses the export address table of a DLL, fetches the name of an API function, hashes it and then compares the hash with a given value.\r\n[Figure: a variation of the FNV-1a hashing algorith
m in Kazuar shellcode present in 2015 to autumn 2020 samples, using a modified constant 0x1000197 instead of the default FNV_32_PRIME 0x1000193 (MD5 150D0ADDF65B6524EB92B9762DB6F074)]\r\nThis customized FNV-1a 32-bit hashing algorithm has been present in the Kazuar shellcode since 2015. For the Kazuar binaries used in 2020, a modified 64-bit FNV-1a appeared in the code:\r\nKazuar: MD5 804785B5ED71AADF9878E7FC4BA4295C (Dec 2020). Implementation of a modified FNV-1a algorithm (64-bit version).\r\npublic static ulong bu(string pK)\r\n{\r\n  byte[] bytes = Encoding.UTF8.GetBytes(pK);\r\n  ulong num = 0xCBF29CE484222325UL;\r\n  ulong num2 = 0x69294589840FB0E8UL;\r\n  ulong num3 = 0x100000001B3UL;\r\n  for (int i = 0; i \u003c bytes.Length; i++)\r\n  {\r\n    num ^= (ulong)bytes[i];\r\n    num *= num3;\r\n  }\r\n  return num ^ num2;\r\n}\r\nWe observed that the 64-bit FNV-1a hash present in the 2020 Kazuar sample is also not standard. When the loop with the XOR and multiplication operations finishes execution, the resulting value is XOR-ed with a constant (XOR 0x69294589840FB0E8UL). 
In the original implementation of the FNV-1a hash, no XOR operation is applied after the loop.\r\nSunburst\r\nSunburst uses a modified, 64-bit FNV-1a hash for the purpose of string obfuscation. For example, when started, Sunburst first takes the FNV-1a hash of its process name (solarwinds.businesslayerhost) and checks if it is equal to a hardcoded value (0xEFF8D627F39A2A9DUL). If the hashes do not coincide, the backdoor code will not be executed:\r\npublic static void Initialize()\r\n{\r\n  try\r\n  {\r\n    if (OrionImprovementBusinessLayer.GetHash(Process.GetCurrentProcess().ProcessName.ToLower()) == 0xEFF8D627F39A2A9DUL) // \"solarwinds.businesslayerhost\"\r\n    {\r\n      // backdoor execution code\r\n    }\r\n  }\r\n}\r\nHashes are also used to detect security tools running on the system. During its execution Sunburst iterates through the list of processes (Process.GetProcesses()), services (from “SYSTEM\\\\CurrentControlSet\\\\services“) and drivers (WMI, “Select * From Win32_SystemDriver“), hashes their names and looks them up in arrays containing the corresponding hardcoded hashes:\r\nprivate static bool SearchAssemblies(Process[] processes)\r\n{\r\n  for (int i = 0; i \u003c processes.Length; i++)\r\n  {\r\n    ulong hash = OrionImprovementBusinessLayer.GetHash(processes[i].ProcessName.ToLower());\r\n    if (Array.IndexOf\u003culong\u003e(OrionImprovementBusinessLayer.assemblyTimeStamps, hash) != -1)\r\n    {\r\n      return true;\r\n    }\r\n  }\r\n  return false;\r\n}\r\nBelow we compare the modified FNV-1a implementations of the two algorithms in Kazuar and Sunburst.\r\nString obfuscation comparison\r\nKazuar: code adapted from MD5 804785B5ED71AADF9878E7FC4BA4295C (Dec 2020). Implementation of a modified 64-bit FNV-1a algorithm (deobfuscated, with constant folding applied).\r\npublic static ulong bu(string pK)\r\n{\r\n  byte[] bytes = Encoding.UTF8.GetBytes(pK);\r\n  ulong num = 0xCBF29CE484222325UL;\r\n  ulong num2 = 0x69294589840FB0E8UL;\r\n  ulong num3 = 0x100000001B3UL;\r\n  for (int i = 0; i \u003c bytes.Length; i++)\r\n  {\r\n    num ^= (ulong)bytes[i];\r\n    num *= num3;\r\n  }\r\n  return num ^ num2;\r\n}\r\nSunburst: MD5 2C4A910A1299CDAE2A4E55988A2F102E. Implementation of the modified 64-bit FNV-1a algorithm.\r\nprivate static ulong GetHash(string s)\r\n{\r\n  ulong num = 0xCBF29CE484222325UL;\r\n  try\r\n  {\r\n    foreach (byte b in Encoding.UTF8.GetBytes(s))\r\n    {\r\n      num ^= (ulong)b;\r\n      num *= 0x100000001B3UL;\r\n    }\r\n  }\r\n  catch\r\n  {\r\n  }\r\n  return num ^ 0x5BAC903BA7D81967UL;\r\n}\r\nIt should be noted that both Kazuar and Sunburst use a modified 64-bit FNV-1a hash, which adds an extra step after the loop, XOR’ing the final result with a 64-bit constant.\r\nSome readers might assume that the FNV-1a hashing was inserted by the compiler because C# compilers can optimize switch statements with strings into a series of if statements. In this compiler optimized code, the 32-bit FNV-1a algorithm is used to calculate hashes of strings:\r\nClean executable: optimized switch statement.\r\nstring key = keyValuePair.Key;\r\nuint num = \u003cPrivateImplementationDetails\u003e.ComputeStringHash(key); // computes 32-bit FNV-1a\r\nif (num \u003c= 0x848C8620U)\r\n{\r\n  if (num \u003c= 0x3A79338FU)\r\n  {\r\n    if (num \u003c= 0x150EFE0DU)\r\n    {\r\n      if (num != 0x11DE6CDCU)\r\n      {\r\n        if (num != 0x13F0FB79U)\r\n        {\r\n          if (num == 0x150EFE0DU)\r\n          {\r\n            // direct string compare:\r\n            if (key == \"divisibleBy\")\r\n            {\r\n              // case handling code\r\n            }\r\n            ...\r\nSunburst: MD5 2C4A910A1299CDAE2A4E55988A2F102E. Switch statement.\r\nulong hash = OrionImprovementBusinessLayer.GetHash(text3.ToLow\r\nif (hash \u003c= 0x7B2647ACD648B3BFUL)\r\n{\r\n  if (hash \u003c= 0x54E145F4CDA21B52UL)\r\n  {\r\n    if (hash != 0x25F3EA85AE88826EUL)\r\n    {\r\n      if (hash == 0x54E145F4CDA21B52UL)\r\n      {\r\n        // direct string compare missing\r\n        // case handling code\r\n      }\r\n      ...\r\nIn the case of Sunburst, the hashes in the switch statement do not appear to be compiler-generated. In fact, the C# compiler uses 32-bit, not 64-bit hashing.\r\n
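To make the differences concrete, the following is an added example written for this page, not code from Sunburst, Kazuar or the C# compiler. It implements the standard 32-bit FNV-1a that ComputeStringHash computes, the Kazuar shellcode variant with the 0x1000197 prime, and the two post-XOR 64-bit variants, then shows the SearchAssemblies-style lookup and the dictionary attack an analyst uses to turn a hashed block list back into names. The constants are the ones quoted on this page; the sample block list, the process names and the function names are constructed for the example and are not the real Sunburst tables.

```python
FNV64_BASIS = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
FNV32_BASIS = 0x811C9DC5
FNV32_PRIME = 0x01000193             # default FNV_32_PRIME
KAZUAR_SHELLCODE_PRIME = 0x01000197  # modified prime in the Kazuar shellcode
SUNBURST_XOR = 0x5BAC903BA7D81967    # post-loop XOR in Sunburst GetHash
KAZUAR_XOR = 0x69294589840FB0E8      # post-loop XOR in the Dec 2020 Kazuar bu()
MASK32 = (1 << 32) - 1
MASK64 = (1 << 64) - 1


def fnv1a32(data, prime=FNV32_PRIME):
    # Standard 32-bit FNV-1a (what the C# compiler emits as ComputeStringHash)
    # unless a different prime is passed, as the Kazuar shellcode does.
    h = FNV32_BASIS
    for b in data:
        h ^= b
        h = (h * prime) & MASK32
    return h


def fnv1a64(data):
    # Standard 64-bit FNV-1a: XOR the byte, then multiply, no final step.
    h = FNV64_BASIS
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def sunburst_get_hash(s):
    # GetHash: the standard loop over the UTF-8 bytes, then one extra XOR.
    return fnv1a64(s.encode('utf-8')) ^ SUNBURST_XOR


def kazuar_bu(s):
    # Kazuar bu(): the same construction with a different final constant.
    return fnv1a64(s.encode('utf-8')) ^ KAZUAR_XOR


def search_assemblies(process_names, hashed_list):
    # SearchAssemblies: lower-case each name, hash it, look it up in the table.
    return any(sunburst_get_hash(n.lower()) in hashed_list for n in process_names)


def recover_strings(hashed_list, wordlist, hash_fn=sunburst_get_hash):
    # Dictionary attack used to decode such block lists: hash every candidate
    # and map each listed hash back to the word that produced it (None if unknown).
    table = {hash_fn(w): w for w in wordlist}
    return {h: table.get(h) for h in hashed_list}


# Constructed sample block list; these are not the real Sunburst constants.
SAMPLE_BLOCKLIST = frozenset(sunburst_get_hash(n) for n in ('procexp', 'windbg'))

if __name__ == '__main__':
    print(hex(fnv1a32(b'a')), hex(fnv1a32(b'a', KAZUAR_SHELLCODE_PRIME)))
    print(hex(fnv1a64(b'a')), hex(sunburst_get_hash('a')), hex(kazuar_bu('a')))
    print(hex(sunburst_get_hash('solarwinds.businesslayerhost')))
    print(search_assemblies(['Explorer', 'ProcExp'], SAMPLE_BLOCKLIST))
    print(recover_strings(SAMPLE_BLOCKLIST, ['procmon', 'procexp', 'windbg', 'wireshark']))
```

Running it prints the process-name hash that the Initialize listing above compares against 0xEFF8D627F39A2A9DUL, which is a quick way to confirm an implementation of GetHash before using it to decode hash tables pulled from a sample. Note that the Sunburst and Kazuar 64-bit hashes of the same string always differ by exactly SUNBURST_XOR ^ KAZUAR_XOR, because both are the unmodified FNV-1a value XORed with a constant.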
The hashing algorithm added by the compiler also does not have an additional XOR operation in the end. The compiler inserts the hashing method in the \u003cPrivateImplementationDetails\u003e class, while in Sunburst the same code is implemented within the OrionImprovementBusinessLayer class. The compiler-emitted FNV-1a method will have the ComputeStringHash name. In case of Sunburst, the name of the method is GetHash. Additionally, after a hash matches, the compiler inserts a check which compares the original string with the hardcoded literal in order to eliminate the possibility of a collision. In Sunburst, there are no such string comparisons, which suggests these hash checks are not a compiler optimization.\r\nTo conclude the findings, we summarize them as follows:\r\nBoth Sunburst and Kazuar use FNV-1a hashing throughout their code\r\nA modified 32-bit FNV-1a hashing algorithm has been used by the Kazuar shellcode since 2015 to resolve APIs\r\nThis Kazuar shellcode uses a modified FNV-1a hash where its FNV_32_PRIME is 0x1000197 (instead of the default FNV_32_PRIME 0x1000193)\r\nA modified 64-bit version of the FNV-1a hashing algorithm was implemented in Kazuar versions found in 2020\r\nThe modified 64-bit FNV-1a hashing algorithms implemented in Kazuar (November and December 2020 variants) have one extra step: after the hash is calculated, it is XORed with a hardcoded constant (0x69294589840FB0E8UL)\r\nSunburst also uses a modified 64-bit FNV-1a hashing algorithm, with one extra step: after the hash is calculated, it is XORed with a hardcoded constant (0x5BAC903BA7D81967UL)\r\nThe 64-bit constant used in the last step of the hashing is different between Kazuar and Sunburst\r\nThe aforementioned hashing algorithm is used to conceal plain strings in Sunburst\r\nThe algorithm used to generate victim identifiers\r\nAnother similarity between Kazuar and Sunburst can be found in the algorithm used to generate the unique victim identifiers, described 
below.\r\nKazuar\r\nIn order to generate unique strings (across different victims), such as client identifiers, mutexes or file names, Kazuar uses an algorithm which accepts a string as input. To derive a unique string from the given one, the backdoor gets the MD5 hash of the string and then XORs it with a four-byte unique “seed” from the machine. The seed is obtained by fetching the serial number of the volume where the operating system is installed.\r\nSunburst\r\nAn MD5+XOR algorithm can also be found in Sunburst. However, instead of the volume serial number, it uses a different set of information as the machine’s unique seed, hashes it with MD5 then it XORs the two hash halves together. The two implementations are compared in the following table:\r\nKazuar: the MD5+XOR algorithm. The listed code is used in multiple versions of the backdoor, including MD5 150D0ADDF65B6524EB92B9762DB6F074 (2016) and 1F70BEF5D79EFBDAC63C9935AA353955 (2019+).\r\npublic static Guid md5_plus_xor(string string_0) {\r\n  byte[] bytes = BitConverter.GetBytes(parameter_class.unique_pc_identifier);\r\n  byte[] array = MD5.Create().ComputeHash(get_bytes_wrapper(string_0));\r\n  for (int i = 0; i \u003c array.Length; i++) {\r\n    byte[] array2 = array;\r\n    int num = i;\r\n    array2[num] ^= bytes[i % bytes.Length];\r\n  }\r\n  return new Guid(array);\r\n}\r\nSunburst: MD5 2C4A910A1299CDAE2A4E55988A2F102E. Part of a function with the MD5+XOR algorithm.\r\nprivate static bool GetOrCreateUserID(out byte[] hash64) {\r\n  string text = OrionImprovementBusinessLayer.ReadDeviceInfo();\r\n  hash64 = new byte[8];\r\n  Array.Clear(hash64, 0, hash64.Length);\r\n  if (text == null) {\r\n    return false;\r\n  }\r\n  \u003cpart of the code omitted for clarity\u003e\r\n  using (MD5 md = MD5.Create()) {\r\n    byte[] bytes = Encoding.ASCII.GetBytes(text);\r\n    byte[] array = md.ComputeHash(bytes);\r\n    if (array.Length \u003c hash64.Length) {\r\n      return false;\r\n    }\r\n    for (int i = 0; i \u003c array.Length; i++) {\r\n      byte[] array2 = hash64;\r\n      int num = i % hash64.Length;\r\n      array2[num] ^= array[i];\r\n    }\r\n  }\r\n  return true;\r\n}\r\nTo summarize these findings:\r\nTo calculate unique victim UIDs, both Kazuar and Sunburst use a hashing algorithm which is different from their otherwise “favourite” FNV-1a; a combination of MD5+XOR:\r\nKazuar XORs a full 128-bit MD5 of a pre-defined string with a four-byte key which contains the volume serial number\r\nSunburst computes an MD5 from a larger set of data, which concatenates the first adapter MAC address (retrieved using NetworkInterface.GetAllNetworkInterfaces()), the computer domain (GetIPGlobalProperties().DomainName) and machine 
GUID (“HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Cryptography” -\u003e “MachineGuid”), then it XORs together the two halves into an eight-byte result\r\nThis MD5+XOR algorithm is present in all Kazuar samples used before November 2020 (a massive code change, almost a complete redesign, was applied to Kazuar in November 2020)\r\nFalse flags possibility\r\nThe possibility of a false flag is particularly interesting and deserves additional attention. In the past, we have seen sophisticated attacks such as OlympicDestroyer confusing the industry and complicating attribution. Subtle mistakes, such as the raw re-use of the Rich header from the Lazarus samples from the Bangladesh bank heist, allowed us to demonstrate that they were indeed false flags and allowed us to eventually connect OlympicDestroyer with Hades, a sophisticated APT group.\r\nSupposing that Kazuar false flags were deliberately introduced into Sunburst, there are two main explanations of how this may have happened:\r\n1. The use of the XOR operation after the main FNV-1a computation was introduced in the 2020 Kazuar variants after it had appeared in the Sunburst code. In this case, the possibility of a false flag is less likely, as the authors of Sunburst couldn’t have predicted the Kazuar developers’ actions with such high precision.\r\n2. A sample of Kazuar was released before Sunburst was written, containing the modified 64-bit hash function, and went unnoticed by everyone except the Sunburst developers. In this case, the Sunburst developers must have been aware of new Kazuar variants. 
Obviously, tracing all modifications of unknown code is quite a difficult and tedious task for the following reasons:\r\nKazuar’s developers are constantly changing their code as well as the packing methods, thus making it harder to detect the backdoor with YARA rules;\r\nKazuar samples (especially the new ones) quite rarely appear on VirusTotal.\r\nThe second argument comes with a caveat: the earliest Sunburst sample with the modified algorithm we have seen was compiled in February 2020, while the new Kazuar was compiled in or around November 2020. In the spring and summer of 2020, “old” samples of Kazuar were actively used, without the 64-bit modified FNV-1a hash. This means that option 1 (the extra XOR was introduced in the 2020 Kazuar variants after it had appeared in Sunburst) is more likely.\r\nNovember 2020 – a new Kazuar\r\nIn November 2020, some significant changes happened to Kazuar. On November 18, our products detected a previously unknown Kazuar sample (MD5 9A2750B3E1A22A5B614F6189EC2D67FA). In this sample, the code was refactored, and the malware became much stealthier as most of its code no longer resembled that of the older versions. Here are the most important changes in Kazuar’s code:\r\nThe infamous “Kazuar’s {0} started in process {1} [{2}] as user {3}/{4}.” string was removed from the binary and replaced with a much subtler “Agent started inside {0}.” message, meaning that the backdoor is no longer called Kazuar in the logs. Despite that, the GUID, which was present in Kazuar since 2015 and serves as the backdoor’s unique identifier, still appears in the refactored version of Kazuar.\r\nDepending on the configuration, the malware may now protect itself from being detected by the Anti-Malware Scan Interface by patching the first bytes of the AmsiScanBuffer API function.\r\nNew spying features have been added to the backdoor. 
Now Kazuar is equipped with a keylogger and a password stealer which can fetch browser history data, cookies, proxy server credentials and, most importantly, passwords from Internet browsers, Filezilla, Outlook, Git and WinSCP. It also gets vault credentials. The stealer is implemented in the form of a C2 server command.\r\nCommands have been completely revamped. The system information retrieval function now also hunts for UAC settings and installed hot patches and drivers. The webcam shot-taking command has been completely removed from the backdoor. Commands which allow the execution of WMI commands and the running of arbitrary PowerShell, VBS and JS scripts have been introduced into Kazuar. The malware can now also gather forensic data (“forensic” is the name of a command present in the refactored version of Kazuar). Kazuar collects information about executables that run at startup, recently launched executables and compatibility assistant settings. Furthermore, a command to collect saved credentials from files left from unattended installation and IIS has been introduced into the backdoor.\r\nThe data is now exfiltrated to the C2 server using ZIP archives instead of TAR.\r\nA class that implements parsing of different file formats has been added into Kazuar. It is currently not used anywhere in the code. This class can throw exceptions with the “Fucking poltergeist” text. In earlier versions of Kazuar, a “Shellcode fucking poltergeist error” message was logged if there was a problem with shellcode.\r\nThe MD5+XOR algorithm is not as widely used as before in the latest version of Kazuar. The backdoor generates most unique strings and identifiers with an algorithm which is based on the already discussed FNV-1a hash and Base62. The MD5+XOR algorithm itself has been modified. Its new implementation is given below:\r\nKazuar (2020). The modified MD5+XOR algorithm.\r\npublic static string ZK(string X, string JK = null)\r\n{\r\n    if (YU.fG(JK))\r\n    {\r\n        JK = oR.d6;\r\n    }\r\n    string str = X.ToLower();\r\n    string s = \"pipename-\" + str + \"-\" + JK;\r\n    byte[] bytes = Encoding.UTF8.GetBytes(s);\r\n    byte[] array = MD5.Create().ComputeHash(bytes);\r\n    byte b = 42;\r\n    byte b2 = 17;\r\n    byte b3 = 21;\r\n    for (int i = 0; i \u003c array.Length; i++)\r\n    {\r\n        b = (byte)(b * b2 \u0026 byte.MaxValue);\r\n        b = (byte)(b + b3 \u0026 byte.MaxValue);\r\n        byte[] array2 = array;\r\n        int num = i;\r\n        array2[num] ^= b;\r\n    }\r\n    Guid guid = new Guid(array);\r\n    return guid.ToString(\"B\").ToUpper();\r\n}\r\nThe random sleeping interval generation algorithm mentioned in the main part of the report also appears to be missing from the updated backdoor sample. In order to generate a random sleeping period, the malware now uses a more orthodox random number generation algorithm:\r\nKazuar (2020). The new random number generation algorithm. Methods were renamed for clarity.\r\npublic static long generate_random_number_in_range(long wG, long NG)\r\n{\r\n    if (wG \u003e NG)\r\n    {\r\n        utility_class.swap\u003clong\u003e(ref wG, ref NG);\r\n    }\r\n    return Math.Abs(utility_class.get_random_int64()) % (NG - wG + 1L) + wG;\r\n}\r\nThe newest sample of Kazuar (MD5 024C46493F876FA9005047866BA3ECBD) was detected by our products on December 29. It also contained refactored code.\r\nFor now, it’s unclear why the Kazuar developers implemented these massive code changes in November. 
Some possibilities include:\r\nIt’s a normal evolution of the codebase, where new features are constantly added while older ones are removed\r\nThe Kazuar developers wanted to avoid detection by various antivirus products or EDR solutions\r\nSuspecting the SolarWinds attack might be discovered, the Kazuar code was changed to resemble the Sunburst backdoor as little as possible\r\nConclusions\r\nThese code overlaps between Kazuar and Sunburst are interesting and represent the first potential identified link to a previously known malware family.\r\nAlthough the sleeping algorithm may be too generic on its own to carry much weight, the custom implementation of the FNV-1a hashes and the reuse of the MD5+XOR algorithm in Sunburst are definitely important clues. We should also point out that although similar, the UID calculation subroutine and the FNV-1a hash usage, as well as the sleep loop, are still not 100% identical.\r\nPossible explanations for these similarities include:\r\nSunburst was developed by the same group as Kazuar\r\nThe Sunburst developers adopted some ideas or code from Kazuar, without having a direct connection (they used Kazuar as an inspiration point)\r\nBoth groups, DarkHalo/UNC2452 and the group using Kazuar, obtained their malware from the same source\r\nSome of the Kazuar developers moved to another team, taking knowledge and tools with them\r\nThe Sunburst developers introduced these subtle links as a form of false flag, in order to shift blame to another group\r\nAt the moment, we do not know which one of these options is true. While Kazuar and Sunburst may be related, the nature of this relation is still not clear. Through further analysis, it is possible that evidence confirming one or several of these points might arise. 
At the same time, it is also possible that the Sunburst developers were really good at their opsec and didn’t make\r\nany mistakes, with this link being an elaborate false flag. In any case, this overlap doesn’t change much for the defenders.\r\nSupply chain attacks are some of the most sophisticated types of attacks nowadays and have been successfully used in the\r\npast by APT groups such as Winnti/Barium/APT41 and various cybercriminal groups.\r\nTo limit exposure to supply chain attacks, we recommend the following:\r\nIsolate network management software in separate VLANs and monitor it separately from the user networks\r\nLimit outgoing internet connections from servers or appliances that run third-party software\r\nImplement regular memory dumping and analysis, checking for malicious code running in a decrypted state using a\r\ncode similarity solution such as Kaspersky Threat Attribution Engine (KTAE)\r\nMore information about UNC2452, DarkHalo, Sunburst and Kazuar is available to customers of the Kaspersky Intelligence\r\nReporting service. Contact: intelreports[at]kaspersky.com\r\nFAQ\r\n1. TLDR; just tell us who’s behind the SolarWinds supply chain attack?\r\nHonestly, we don’t know. What we found so far is a couple of code similarities between Sunburst and a malware\r\ndiscovered in 2017, called Kazuar. This malware was first observed around 2015 and is still being used in the wild.\r\nThe most advanced Kazuar sample we found is from December 2020. 
During five years of Kazuar evolution, we\r\nobserved a continuous development, in which significant features, which bear resemblance to Sunburst, were added.\r\nWhile these similarities between Kazuar and Sunburst are notable, there could be a lot of reasons for their existence,\r\nincluding:\r\nSunburst was developed by the same group as Kazuar\r\nThe Sunburst developers used some ideas or code from Kazuar, without having a direct connection (they used\r\nKazuar code as “inspiration”)\r\nBoth groups, that is, DarkHalo/UNC2452 and the group using Kazuar, obtained their malware from the\r\nsame source\r\nOne of the Kazuar developers moved to another team, taking their knowledge and tools with them\r\nThe Sunburst developers introduced these subtle links as a form of a false flag, in order to shift the blame to\r\nanother group\r\nAt the moment, we simply do not know which of these options is true. Through further analysis, it is possible that\r\nevidence supporting one or several of these points might arise. To clarify – we are NOT saying that DarkHalo /\r\nUNC2452, the group using Sunburst, and Kazuar or Turla are the same.\r\n2. What are these similarities? Could these similarities be just coincidences?\r\nIn principle, none of these algorithms or implementations are unique. In particular, the things that attracted our\r\nattention were the obfuscation of strings through modified FNV-1a algorithms, where the hash result is XOR’ed with\r\na 64-bit constant, the implementation of the C2 connection delay, using a large (and unusual) value (Kazuar uses a\r\nrandom sleeping time between two and four weeks, while Sunburst waits from 12 to 14 days) and the calculation of\r\nthe victim UID through an MD5 + XOR algorithm. It should be pointed out that none of these code fragments are\r\n100% identical. Nevertheless, they are curious coincidences, to say the least. 
One coincidence wouldn’t be that\r\nunusual, two coincidences would definitely raise an eyebrow, while three such coincidences are kind of suspicious\r\nto us.\r\n3. What is this Kazuar malware?\r\nKazuar is a fully featured .NET backdoor, and was first reported by our colleagues from Palo Alto Networks in 2017.\r\nThe researchers surmised at the time that it may have been used by the Turla APT group, in order to replace their\r\nCarbon platform and other Turla second stage backdoors. Our own observations confirm that Kazuar was used,\r\ntogether with other Turla tools, during multiple breaches in the past few years, and is still in use. Also, Epic Turla\r\nresolves imports with another customized version of the FNV-1a hash and has code similarities with Kazuar’s\r\nshellcode.\r\n4. So Sunburst is connected to Turla?\r\nNot necessarily, refer to question 1 for all possible explanations.\r\n5. The media claims APT29 is responsible for the SolarWinds hack. Are you saying that’s wrong?\r\nWe do not know who is behind the SolarWinds hack – we believe attribution is a question better left for law\r\nenforcement and judicial institutions. To clarify, our research has identified a number of shared code features between\r\nthe Sunburst malware and Kazuar.\r\nOur research has placed APT29 as another potential name for “The Dukes”, which appears to be an umbrella group\r\ncomprising multiple actors and malware families. We initially reported MiniDuke, the earliest malware in this\r\numbrella, in 2013. In 2014, we reported other malware used by “The Dukes”, named CosmicDuke. In CosmicDuke,\r\nthe debug path strings from the malware seemed to indicate several build environments or groups of “users” of the\r\n“Bot Gen Studio”: “NITRO” and “Nemesis Gemina”. In short, we suspect CosmicDuke was being leveraged by up to\r\nthree different entities, raising the possibility it was shared across groups. 
One of the interesting observations from\r\nour 2014 research was the usage of a webshell by one of the “Bot Gen Studio” / “CosmicDuke” entities that we have\r\nseen before in use by Turla. This could suggest that Turla is possibly just one of the several users of the tools under\r\nthe “Dukes” umbrella.\r\n6. How is this connected to Cozy Duke?\r\nIn 2015, we published further research on CozyDuke, which seemed to focus on what appeared to be government\r\norganizations and commercial entities in the US, Germany and other countries. In 2014, their targets, as reported in\r\nthe media, included the White House and the US Department of State. At the time, the media also called it “the worst\r\never” hack. At the moment, we do not see any direct links between the 2015 CozyDuke and the SolarWinds attack.\r\n7. How solid are the links with Kazuar?\r\nSeveral code fragments from Sunburst and various generations of Kazuar are quite similar. We should point out that,\r\nalthough similar, these code blocks, such as the UID calculation subroutine and the FNV-1a hashing algorithm\r\nusage, as well as the sleep loop, are still not 100% identical. Together with certain development choices, these\r\nsuggest that a similar thought process went into the development of Kazuar and Sunburst. The Kazuar\r\nmalware continued to evolve and later 2020 variants are even more similar, in some respects, to the Sunburst branch.\r\nYet, we should emphasise again, they are definitely not identical.\r\n8. So, are you saying Sunburst is essentially a modified Kazuar?\r\nWe are not saying Sunburst is Kazuar, or that it is the work of the Turla APT group. We spotted some interesting\r\nsimilarities between these two malware families and felt the world should know about them. We love to do our part,\r\ncontributing our findings to the community discussions; others can check these similarities on their own, draw their\r\nown conclusions and find more links. 
What is most important here is to publish interesting findings and\r\nencourage others to do more research. We will, of course, continue with our own research too.\r\n9. Is this the worst cyberattack in history?\r\nAttacks should always be judged from the victim’s point of view. That judgement should also account for physical damage, if any,\r\nloss of human lives and so on. For now, it would appear the purpose of this attack was cyberespionage, that is,\r\nextraction of sensitive information. By comparison, other infamous attacks, such as NotPetya or WannaCry, had a\r\nsignificantly destructive side, with victim losses in the billions of dollars. Yet, for some out there, this may be more\r\ndevastating than NotPetya or WannaCry; for others, it pales in comparison.\r\n10. How did we get here?\r\nDuring the past years, we’ve observed what can be considered a “cyber arms race”. Pretty much all nation states have\r\nrushed, since the early 2000s, to develop offensive military capabilities in cyberspace, with little attention to defense.\r\nThe difference is immediately notable when it comes to the budgets available for the purchase of offensive cyber\r\ncapabilities vs the development of defensive capabilities. The world needs more balance to the (cyber-)force. Without\r\nthat, the existing cyber conflicts will continue to escalate, to the detriment of the normal internet user.\r\n11. Is it possible this is a false flag?\r\nIn theory, anything is possible; and we have seen examples of sophisticated false flag attacks, such as the\r\nOlympicDestroyer attack. For a full list of possible explanations refer to question 1.\r\n12. So. Now what?\r\nWe believe it’s important that other researchers around the world also investigate these similarities and attempt to\r\ndiscover more facts about Kazuar and the origin of Sunburst, the malware used in the SolarWinds breach. 
If we\r\nconsider past experience, for instance looking back to the WannaCry attack, in the early days there were very few\r\nfacts linking it to the Lazarus group. In time, more evidence appeared and allowed us, and others, to make that link\r\nwith high confidence. Further research on this topic can be crucial to connecting the dots.\r\nIndicators of Compromise\r\nFile hashes:\r\nE220EAE9F853193AFE77567EA05294C8 (First detected Kazuar sample, compiled in 2015)\r\n150D0ADDF65B6524EB92B9762DB6F074 (Kazuar sample compiled in 2016)\r\n54700C4CA2854858A572290BCD5501D4 (Kazuar sample compiled in 2017)\r\n053DDB3B6E38F9BDBC5FB51FDD44D3AC (Kazuar sample compiled in 2018)\r\n1F70BEF5D79EFBDAC63C9935AA353955 (Kazuar sample compiled in 2019)\r\n9A2750B3E1A22A5B614F6189EC2D67FA (Kazuar sample used in November 2020)\r\n804785B5ED71AADF9878E7FC4BA4295C (Kazuar sample used in December 2020)\r\n024C46493F876FA9005047866BA3ECBD (Most recent Kazuar sample)\r\n2C4A910A1299CDAE2A4E55988A2F102E (Sunburst sample)\r\nMore information about UNC2452, DarkHalo, Sunburst and Kazuar is available to customers of the Kaspersky\r\nIntelligence Reporting service. 
Contact: intelreports[at]kaspersky.com\r\nSource: https://securelist.com/sunburst-backdoor-kazuar/99981/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/sunburst-backdoor-kazuar/99981/"
	],
	"report_names": [
		"99981"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9041c438-4bc0-4863-b89c-a32bba33903c",
			"created_at": "2023-01-06T13:46:38.232751Z",
			"updated_at": "2026-04-10T02:00:02.888195Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove"
			],
			"source_name": "MISPGALAXY:Nitro",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b44a04-a080-4465-973d-976ce53777de",
			"created_at": "2022-10-25T16:07:23.911791Z",
			"updated_at": "2026-04-10T02:00:04.786538Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove",
				"Nitro"
			],
			"source_name": "ETDA:Nitro",
			"tools": [
				"AngryRebel",
				"Backdoor.Apocalipto",
				"Chymine",
				"Darkmoon",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Moudour",
				"Mydoor",
				"PCClient",
				"PCRat",
				"Poison Ivy",
				"SPIVY",
				"Spindest",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04a7ebaa-ebb1-4971-b513-a0c86886d932",
			"created_at": "2023-01-06T13:46:38.784965Z",
			"updated_at": "2026-04-10T02:00:03.099088Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"ATK116",
				"Blue Odin"
			],
			"source_name": "MISPGALAXY:Inception Framework",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f35997d9-ca1e-453f-b968-0e675cc16d97",
			"created_at": "2023-01-06T13:46:39.490819Z",
			"updated_at": "2026-04-10T02:00:03.345364Z",
			"deleted_at": null,
			"main_name": "Evasive Panda",
			"aliases": [
				"BRONZE HIGHLAND"
			],
			"source_name": "MISPGALAXY:Evasive Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a",
			"created_at": "2024-11-01T02:00:52.763555Z",
			"updated_at": "2026-04-10T02:00:05.263997Z",
			"deleted_at": null,
			"main_name": "Daggerfly",
			"aliases": [
				"Daggerfly",
				"Evasive Panda",
				"BRONZE HIGHLAND"
			],
			"source_name": "MITRE:Daggerfly",
			"tools": [
				"PlugX",
				"MgBot",
				"BITSAdmin",
				"MacMa",
				"Nightdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7",
			"created_at": "2023-01-06T13:46:39.413725Z",
			"updated_at": "2026-04-10T02:00:03.31882Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Evasive Panda",
				"Daggerfly"
			],
			"source_name": "MISPGALAXY:BRONZE HIGHLAND",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4f7d2815-7504-4818-bf8d-bba18161b111",
			"created_at": "2025-08-07T02:03:24.613342Z",
			"updated_at": "2026-04-10T02:00:03.732192Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Daggerfly",
				"Evasive Panda",
				"Storm Bamboo"
			],
			"source_name": "Secureworks:BRONZE HIGHLAND",
			"tools": [
				"Cobalt Strike",
				"KsRemote",
				"Macma",
				"MgBot",
				"Nightdoor",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "02c9f3f6-5d10-456b-9e63-750286048149",
			"created_at": "2022-10-25T16:07:23.722884Z",
			"updated_at": "2026-04-10T02:00:04.72726Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"ATK 116",
				"Blue Odin",
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"Inception Framework",
				"Operation Cloud Atlas",
				"Operation RedOctober",
				"The Rocra"
			],
			"source_name": "ETDA:Inception Framework",
			"tools": [
				"Lastacloud",
				"PowerShower",
				"VBShower"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434891,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/19d4efdd3e528c6aee16eec51f162b8641c027bb.pdf",
		"text": "https://archive.orkl.eu/19d4efdd3e528c6aee16eec51f162b8641c027bb.txt",
		"img": "https://archive.orkl.eu/19d4efdd3e528c6aee16eec51f162b8641c027bb.jpg"
	}
}