{
	"id": "95efbbfc-6128-46ce-a5cb-153c2e854fd9",
	"created_at": "2026-04-06T01:31:31.609929Z",
	"updated_at": "2026-04-10T13:12:18.515433Z",
	"deleted_at": null,
	"sha1_hash": "1b2ff3206088d60b5b7c14a56514a0648a576314",
	"title": "APT trends report Q1 2021",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64869,
	"plain_text": "APT trends report Q1 2021\r\nBy GReAT\r\nPublished: 2021-04-27 · Archived: 2026-04-06 00:14:20 UTC\r\nFor four years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly\r\nsummaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence\r\nresearch and provide a representative snapshot of what we have published and discussed in greater detail in our\r\nprivate APT reports. They are designed to highlight the significant events and findings that we feel people should\r\nbe aware of.\r\nThis is our latest installment, focusing on activities that we observed during Q1 2021.\r\nReaders who would like to learn more about our intelligence reports or request more information on a specific\r\nreport are encouraged to contact intelreports@kaspersky.com.\r\nIn December, SolarWinds, a well-known IT managed services provider, fell victim to a sophisticated supply-chain\r\nattack. The company’s Orion IT, a solution for monitoring and managing customers’ IT infrastructure, was\r\ncompromised. This resulted in the deployment of a custom backdoor, named Sunburst, on the networks of more\r\nthan 18,000 SolarWinds customers, including many large corporations and government bodies, in North America,\r\nEurope, the Middle East and Asia. In our initial report on Sunburst, we examined the method used by the malware\r\nto communicate with its C2 (command-and-control) server and the protocol used to upgrade victims for further\r\nexploitation. Further investigation of the Sunburst backdoor revealed several features that overlap with a\r\npreviously identified backdoor known as Kazuar, a .NET backdoor first reported in 2017 and tentatively linked to\r\nthe Turla APT group. The shared features between Sunburst and Kazuar include the victim UID generation\r\nalgorithm, code similarities in the initial sleep algorithm and the extensive usage of the FNV1a hash to obfuscate\r\nstring comparisons. 
There are several possibilities: Sunburst may have been developed by the same group as\r\nKazuar; the developers of Sunburst may have adopted some ideas or code from Kazuar; both groups obtained their\r\nmalware from the same source; some Kazuar developers moved to another team, taking knowledge and tools with\r\nthem; or the developers of Sunburst introduced these links as a form of false flag. Hopefully, further analysis will\r\nmake things clearer.\r\nOn March 2, Microsoft reported a new APT actor named HAFNIUM, exploiting four zero-days in Exchange\r\nServer in what they called “limited and targeted attacks”. At the time, Microsoft claimed that, in addition to\r\nHAFNIUM, several other actors were exploiting them as well. In parallel, Volexity also reported the same\r\nExchange zero-days being in use in early 2021. According to Volexity’s telemetry, some of the exploits in use are\r\nshared across several actors, besides the one Microsoft designates as HAFNIUM. Kaspersky telemetry revealed a\r\nspike in exploitation attempts for these vulnerabilities following the public disclosure and patch from Microsoft.\r\nDuring the first week of March, we identified approximately 1,400 unique servers that had been targeted, in which\r\none or more of these vulnerabilities were used to obtain initial access. Prior to the posts, on February 28, we\r\nidentified related exploitation on less than a dozen Exchange systems; we also found more than a dozen Exchange\r\nartefacts indicating exploitation uploaded to multi-scanner services. According to our telemetry, most exploitation\r\nhttps://securelist.com/apt-trends-report-q1-2021/101967\r\nPage 1 of 8\n\nattempts were observed for servers in Europe and the United States. 
Some of the servers were targeted multiple\r\ntimes by what appear to be different threat actors (based on the command execution patterns), suggesting the\r\nexploits are now available to multiple groups.\r\nWe have also discovered a campaign active since mid-March targeting governmental entities in the Russian\r\nFederation, using the aforementioned Exchange zero-day exploits. This campaign made use of a previously\r\nunknown malware family we dubbed FourteenHi. Further investigation revealed traces of activity involving\r\nvariants of this malware dating back a year. We also found some overlaps in these sets of activities with\r\nHAFNIUM in terms of infrastructure and TTPs as well as the use of ShadowPad malware during the same\r\ntimeframe.\r\nEurope\r\nDuring routine monitoring of detections for FinFisher spyware tools, we discovered traces that point to recent\r\nFinFly Web deployments. In particular, we discovered two servers with web applications that we suspect, with\r\nhigh confidence, were generated using FinFly Web. FinFly Web is, in essence, a suite of tools and packages that\r\nimplement a web-based exploitation server. It was first publicly documented in 2014, in the aftermath of the\r\nGamma Group hacking incident. One of the suspected FinFly Web servers was active for more than a year\r\nbetween October 2019 and December 2020. This server was disabled a day after our discovery last December.\r\nNevertheless, we were able to capture a copy of its landing page, which included JavaScript used to profile\r\nvictims using what appears to be previously unknown code. In the second case, the server hosting FinFly Web was\r\nalready offline at the moment of discovery, so we drew our conclusions using available historical data. As it turned\r\nout, it was active for a very short time around September 2020 on a host that appears to have been impersonating\r\nthe popular Mail.ru service. Surprisingly, this server began answering queries again on January 12. 
So far, we\r\nhaven’t seen any related payloads being dropped by these web pages.\r\nRussian-speaking activity\r\nKazuar is a .NET backdoor usually associated with the Turla threat actor (aka Snake and Uroboros). Recently,\r\nKazuar received renewed interest due to its similarities with the Sunburst backdoor. Although the capabilities of\r\nKazuar have already been exposed in public research, many interesting facts about this backdoor were not made\r\npublic. Our latest reports focus on the changes the threat actor made to the September and November versions of\r\nits backdoor.\r\nOn February 24, the National Security Defense Council of Ukraine (NSDC) publicly warned that a threat actor\r\nhad exploited a national documents circulation system (SEI EB) to distribute malicious documents to Ukrainian\r\npublic authorities. The alert contained a few related network IoCs, and specified that the documents used\r\nmalicious macros in order to drop an implant onto targeted systems. Thanks to the shared IoCs, we were able to\r\nattribute this attack, with high confidence, to the Gamaredon threat actor. The malicious server IP mentioned by\r\nthe NSDC has been known to Kaspersky since February as Gamaredon infrastructure.\r\nOn January 27, the French national cybersecurity agency (ANSSI) published a report describing an attack\r\ncampaign that targeted publicly exposed and obsolete Centreon systems between 2017 and 2020, in order to\r\ndeploy Fobushell (aka P.A.S.) webshells and Exaramel implants. ANSSI associated the campaign with the\r\nSandworm intrusion-set, which we refer to as Hades. Although we specifically looked for additional compromised\r\nCentreon systems, Exaramel implant samples or associated infrastructure, we were unable to retrieve any useful\r\nartifacts from which we could initiate a comprehensive investigation. 
However, we did identify three Centreon\r\nservers where a Fobushell webshell had been deployed. One of those Fobushell samples was identical to another\r\nwe previously identified on a Zebrocy C2 server.\r\nChinese-speaking activity\r\nWe discovered a set of malicious activities, which we named EdwardsPheasant, targeting mainly government\r\norganizations in Vietnam since June 2020. The attackers leverage previously unknown and obfuscated backdoors\r\nand loaders. The activities peaked in November 2020, but are still ongoing. The associated threat actor continues\r\nto leverage its tools and tactics (described in our private report) to compromise targets or maintain access in their\r\nnetworks. While we could identify similarities with the tools and tactics associated with Cycldek (aka Goblin\r\nPanda) and Lucky Mouse (aka Emissary Panda), we have been unable to attribute this set of activities to either of\r\nthem conclusively.\r\nWe investigated a long-running espionage campaign, dubbed A41APT, targeting multiple industries, including the\r\nJapanese manufacturing industry and its overseas bases, which has been active since March 2019. The attackers\r\nused vulnerabilities in an SSL-VPN product to deploy a multi-layered loader we dubbed Ecipekac (aka\r\nDESLoader, SigLoader and HEAVYHAND). We attribute this activity to APT10 with high confidence. Most of\r\nthe discovered payloads deployed by this loader are fileless and have not been seen before. We observed\r\nSodaMaster (aka DelfsCake, dfls and DARKTOWN), P8RAT (aka GreetCake and HEAVYPOT), and FYAnti (aka\r\nDILLJUICE Stage 2) which in turn loads QuasarRAT. In November and December 2020, two public blog posts\r\nwere published about this campaign. 
One month later, we observed new activities from the actor with an updated\r\nversion of some of their implants designed to evade security products and make analysis harder for researchers.\r\nYou can read more in our public report.\r\nMiddle East\r\nWe recently came across previously unknown malicious artifacts that we attributed to the Lyceum/Hexane threat\r\ngroup, showing that the attackers behind it are still active and have been developing their toolset during the last\r\nyear. Although Lyceum still prefers taking advantage of DNS tunneling, it appears to have replaced the previously\r\ndocumented .NET payload with a new C++ backdoor and a PowerShell script that serve the same purpose. Our\r\ntelemetry revealed that the threat group’s latest endeavors are focused on going after entities within one country –\r\nTunisia. The victims we observed were all high-profile Tunisian organizations, such as telecommunications or\r\naviation companies. Based on the targeted industries, we assume that the attackers may have been interested in\r\ncompromising these entities to track the movements and communications of individuals that are of interest to\r\nthem. This could mean that the latest Lyceum cluster has an operational focus on targeting Tunisia, or that it is a\r\nsubset of broader activity that is yet to be discovered.\r\nOn November 19, 2020, Shadow Chaser Group tweeted about a suspected MuddyWater APT malicious document\r\npotentially targeting a university in the United Arab Emirates. Based on our analysis since then, we suspect this\r\nintrusion is part of a campaign that started at least in early October 2020 and was last seen active in late December\r\n2020. The threat actor relied on VBS-based malware to infect organizations from government, NGO and\r\neducation sectors. 
Our telemetry, however, indicates that no further tools were deployed and we do not believe\r\nthat data theft took place either. This indicates to us that the attackers are currently in the reconnaissance phase of\r\ntheir operation, and we expect subsequent waves of attacks to follow in the near future. In our private report, we\r\nprovide an in-depth analysis of the malicious documents used by this threat actor and study their similarities to\r\nknown MuddyWater tooling. The infrastructure setup and communications scheme are also similar to past\r\nincidents attributed to this group. The actor maintains a small set of first-stage C2 servers to connect back from the\r\nVBS implant for initial communications. Initial reconnaissance is performed by the actor and communication with\r\nthe implant is handed off to a second-stage C2 for additional downloads. Finally, we present similarities with\r\nknown TTPs of the MuddyWater group and attribute this campaign to them with medium confidence.\r\nDomestic Kitten is a threat group mainly known for its mobile backdoors. The group’s operations were exposed in\r\n2018, showing that it was conducting surveillance attacks against individuals in the Middle East. The threat group\r\ntargeted Android users by sending them popular and well-known applications that were backdoored and contained\r\nmalicious code. Many of the applications had religious or political themes and were intended for Farsi, Arabic and\r\nKurdish speakers, possibly alluding to this attack’s main targets. We have discovered new evidence showing that\r\nDomestic Kitten has been using PE executables to target victims using Windows since at least 2013, with some\r\nevidence that it goes back to 2011. 
The Windows version, which, to the best of our knowledge, has not been\r\ndescribed in the past, was delivered in several versions, with the more recent one used for at least three and a half\r\nyears to target individuals in parallel to the group’s mobile campaigns. The implant functionality and\r\ninfrastructure in that version have remained the same all along, and have been used in the group’s activity\r\nwitnessed this year.\r\nFerocious Kitten is an APT group that has been active against Persian-speaking individuals since 2015 and\r\nappears to be based in Iran. Although it has been active over a large timespan, the group has mostly operated\r\nunder the radar and, to the best of our knowledge, has not been covered by security researchers. It only recently\r\nattracted attention when a lure document was uploaded to VirusTotal and was brought to public knowledge by\r\nresearchers on Twitter. Subsequently, one of its implants was analyzed by a Chinese intelligence firm. We have\r\nbeen able to expand some of the findings on the group and provide insights on additional variants. The malware\r\ndropped from the aforementioned document is dubbed MarkiRAT and is used to record keystrokes and clipboard\r\ncontent, provide file download and upload capabilities as well as the ability to execute arbitrary commands on the\r\nvictim’s machine. We were able to trace the implant back to at least 2015, along with variants intended to hijack\r\nthe execution of the Telegram and Chrome applications as a persistence method. Interestingly, some of the TTPs\r\nused by this threat actor are reminiscent of other groups operating in the domain of dissident surveillance. For\r\nexample, it used the same C2 domains across its implants for years, which was witnessed in the activity of\r\nDomestic Kitten. In the same vein, the Telegram execution hijacking technique observed in this campaign by\r\nFerocious Kitten was also observed being used by Rampant Kitten, as covered by Check Point. 
In our private\r\nreport, we expand the details on these findings as well as provide analysis and mechanics of the MarkiRAT\r\nmalware.\r\nKarkadann is a threat actor that has been targeting government bodies and news outlets in the Middle East since at\r\nleast October 2020. The threat actor leverages tailor-made malicious documents with embedded macros that\r\ntrigger an infection chain, opening a URL in Internet Explorer. The minimal functionality present in the macros\r\nand the browser specification suggest that the threat actor might be exploiting a privilege-escalation vulnerability\r\nin Internet Explorer. Despite the small amount of evidence available for analysis in the Karkadann case, we were\r\nable to find several similarities to the Piwiks case, a watering-hole attack we discovered that targeted multiple\r\nprominent websites in the Middle East. Our private report presents the recent Karkadann campaigns and the\r\nsimilarities between this campaign and the Piwiks case. The report concludes with some infrastructure overlaps\r\nwith unattributed clusters that we have seen since last year that are potentially linked to the same threat actor.\r\nSoutheast Asia and Korean Peninsula\r\nWe discovered that the Kimsuky group adopted a new method to deliver its malware in its latest campaign on a\r\nSouth Korean stock trading application. In this campaign, beginning in December 2020, the group compromised a\r\nwebsite belonging to the vendor of stock trading software, replacing the hosted installation package with a\r\nmalicious one. Kimsuky also delivered its malware by utilizing a malicious Hangul (HWP) document containing\r\nCOVID-19-related bait that discusses a government relief fund. Both infection vectors ultimately deliver the\r\nQuasar RAT. 
Compared to Kimsuky’s last reported infection chain, composed of various scripts, the new scheme\r\nadds complications and introduces less popular file types, involving VBS scripts, XML and Extensible Stylesheet\r\nLanguage (XSL) files with embedded C# code in order to fetch and execute stagers and payloads. Based on the\r\nlure document and characteristics of the compromised installation package, we conclude that this attack is\r\nfinancially motivated, which, as we have previously reported, is one of Kimsuky’s main focus areas.\r\nOn January 25, the Google Threat Analysis Group (TAG) announced that a North Korean-related threat actor had\r\ntargeted security researchers. According to Google TAG’s blog, this actor used highly sophisticated social\r\nengineering, approached security researchers through social media, and delivered a compromised Visual Studio\r\nproject file or lured them to their blog and installed a Chrome exploit. On March 31, Google TAG released an\r\nupdate on this activity showing another wave of fake social media profiles and a company the actor set up mid-March. We can confirm that several infrastructures on the blog overlap with our previously published reporting\r\nabout Lazarus group’s ThreatNeedle cluster. Moreover, the malware mentioned by Google matched ThreatNeedle\r\n– malware that we have been tracking since 2018. While investigating associated information, a fellow external\r\nresearcher confirmed that he was also compromised by this attack, sharing information for us to investigate. We\r\ndiscovered additional C2 servers after decrypting configuration data from the compromised host. The servers were\r\nstill in use during our investigation, and we were able to get additional data, analyzing logs and files present on\r\nthe servers. We assess that the published infrastructure was used not only to target security researchers but also in\r\nother Lazarus attacks. 
We found a relatively large number of hosts communicating with the C2s at the time of our\r\nresearch. You can read our public report here.\r\nFollowing up our previous investigation into Lazarus attacks on the defense industry using ThreatNeedle, we\r\ndiscovered another malware cluster named CookieTime used in a campaign mainly focused on the defense\r\nindustry. We detected activity in September and November 2020, with samples dating back to April 2020.\r\nCompared to the already known malware clusters of the Lazarus group, CookieTime shows a different structure\r\nand functionality. This malware communicates with the C2 server using the HTTP protocol. In order to deliver the\r\nrequest type to the C2 server, it uses encoded cookie values and fetches command files from the C2 server. The C2\r\ncommunication takes advantage of steganography techniques, delivered in files exchanged between infected\r\nclients and the C2 server. The contents are disguised as GIF image files, but contain encrypted commands from\r\nthe C2 server and command execution results. We had a chance to look into the command and control script as a\r\nresult of working closely with a local CERT to take down the threat actor’s infrastructure. The malware control\r\nservers are configured in a multi-stage fashion and only deliver the command file to valuable hosts.\r\nWhile investigating the artifacts of a supply-chain attack on the Vietnam Government Certification Authority’s\r\n(VGCA) website, we discovered that the first Trojanized package dates to June 2020. Unravelling that thread, we\r\nidentified a number of post-compromise tools in the form of plugins deployed using PhantomNet malware, which\r\nwas delivered using Trojanized packages. Our analysis of these plugins revealed similarities with the previously\r\nanalyzed CoughingDown malware. 
In our private report, we offer a detailed description for each post-compromise\r\ntool used in the attack, as well as other tools belonging to the actor’s arsenal. Finally, we also explore\r\nCoughingDown attribution in the light of recent discoveries.\r\nOn February 10, DBAPPSecurity published details about a zero-day exploit they discovered last December. Aside\r\nfrom the details of the exploit itself, researchers also mentioned it being used in the wild by BitterAPT. While no\r\nsuch subsequent information was given in the initial report to explain the attribution claims, our investigation into\r\nthis activity confirms the exploit was in fact being used exclusively by this actor. We assigned the name\r\nTurtlePower to the campaign that makes use of this exploit, along with the other tools used to target governmental\r\nand telecom entities in Pakistan and China. We have also confidently linked the origin of this exploit to a broker\r\nwe refer to as Moses. Moses has been responsible for the development of at least five exploits patched in the last\r\ntwo years. We have also been able to tie the usage of some of these exploits to at least two different actors thus far\r\n– BitterAPT and DarkHotel. At this time, it is unclear how these threat actors are obtaining exploits from Moses,\r\nwhether it is through direct purchase or another third-party provider. During the TurtlePower campaign, BitterAPT\r\nused a wide array of tools on its victims to include a stage one payload named ArtraDownloader, a stage two\r\npayload named Splinter, a keylogger named SourLogger, an infostealer named SourFilling, as well as variations of\r\nMimikatz to gather specific files and maintain its access. This particular campaign also appears to be narrowly\r\nfocused on targets within Pakistan and China (based on the initial report referenced). While we can verify specific\r\ntargeting within Pakistan using our own data, we have not been able to do the same regarding China. 
Use of CVE-2021-1732 peaked between June and July 2020, but the overall campaign is still ongoing.\r\nIn 2020, we observed new waves of attacks related to Dropping Elephant (aka Patchwork, Chinastrats), focusing\r\non targets in China and Pakistan. We also noted a few targets outside of the group’s traditional area of operations,\r\nnamely in the Middle East, and a growing interest in the African continent. The attacks followed the group’s well-established TTPs, which include the use of malicious documents crafted to exploit a remote code execution\r\nvulnerability in Microsoft Office, and the signature JakyllHyde (aka BadNews) Trojan in the later infection stages.\r\nDropping Elephant introduced a new loader for JakyllHyde, a tool we named Crypta. It contains mechanisms to\r\nhinder detection and appears to be a core component of this APT actor’s recent toolset. Crypta and its variants\r\nhave been observed in multiple scenarios loading a wide range of subsequent payloads, such as Bozok RAT,\r\nQuasar RAT and LokiBot. An additional Trojan discovered during our research was PubFantacy. To our\r\nknowledge, this tool has never been publicly described and has been used to target Windows servers since at least\r\n2018.\r\nWe recently discovered a previously publicly unknown Android implant used in 2018-2019 by the SideWinder\r\nthreat group, which we dubbed BroStealer. The main purpose of the BroStealer implant is to collect sensitive\r\ninformation from a victim’s device, such as photos, SMS messages, call recordings and files from various\r\nmessaging applications. 
Although SideWinder has numerous campaigns against victims using the Windows\r\nplatform, recent reports have shown that this threat group also goes after its targets via the mobile platform.\r\nOther interesting discoveries\r\nIn February 2019, multiple antivirus companies received a collection of malware samples, most of them\r\nassociated with various known APT groups. Some of the samples cannot be associated with any known activity.\r\nSome, in particular, attracted our attention due to their sophistication. The samples were compiled in 2014 and,\r\naccordingly, were likely deployed in 2014 and possibly as late as 2015. Although we have not found any shared\r\ncode with any other known malware, the samples have intersections of coding patterns, style and techniques that\r\nhave been seen in various Lambert families. We therefore named this malware Purple Lambert. Purple Lambert is\r\ncomposed of several modules, with its network module passively listening for a magic packet. It is capable of\r\nproviding an attacker with basic information about the infected system and executing a received payload. Its\r\nfunctionality reminds us of Gray Lambert, another user-mode passive listener. Gray Lambert turned out to be a\r\nreplacement of the kernel-mode passive-listener White Lambert implant in multiple incidents. In addition, Purple\r\nLambert implements functionality similar to, but in different ways, both Gray Lambert and White Lambert. Our\r\nreport, available to subscribers of our APT threat reports, includes discussion of both the passive-listener payload\r\nand the loader functionality included in the main module.\r\nFinal thoughts\r\nWhile the TTPs of some threat actors remain consistent over time, relying heavily on social engineering as a\r\nmeans of gaining a foothold in a target organization or compromising an individual’s device, others refresh their\r\ntoolsets and extend the scope of their activities. 
Our regular quarterly reviews are intended to highlight the key\r\ndevelopments of APT groups.\r\nHere are the main trends that we’ve seen in Q1 2021:\r\nPerhaps the most predominant attack we researched in this quarter was the SolarWinds attack. SolarWinds\r\nshowed once again how successful a supply-chain attack can be, especially where attackers go the extra\r\nmile to remain hidden and maintain persistence in a target network. The scope of this attack is still being\r\ninvestigated as more zero-day flaws are discovered in SolarWinds products.\r\nAnother critical wave of attacks was the exploitation of Microsoft Exchange zero-day vulnerabilities by\r\nmultiple threat actors. We recently discovered another campaign using these exploits with different\r\ntargeting, possibly related to the same cluster of activities already reported.\r\nLazarus group’s bold campaign targeting security researchers worldwide also utilized zero-day\r\nvulnerabilities in browsers to compromise their targets. Their campaigns used themes centered on the use\r\nof zero-days to lure relevant researchers, possibly in an attempt to steal vulnerability research.\r\nAs always, we would note that our reports are the product of our visibility into the threat landscape. However, it\r\nshould be borne in mind that, while we strive to continually improve, there is always the possibility that other\r\nsophisticated attacks may fly under our radar.\r\nSource: https://securelist.com/apt-trends-report-q1-2021/101967",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/apt-trends-report-q1-2021/101967"
	],
	"report_names": [
		"101967"
	],
	"threat_actors": [
		{
			"id": "1dadf04e-d725-426f-9f6c-08c5be7da159",
			"created_at": "2022-10-25T15:50:23.624538Z",
			"updated_at": "2026-04-10T02:00:05.286895Z",
			"deleted_at": null,
			"main_name": "Darkhotel",
			"aliases": [
				"Darkhotel",
				"DUBNIUM",
				"Zigzag Hail"
			],
			"source_name": "MITRE:Darkhotel",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4a1e62ec-42d0-47c3-8b65-b3c5d9c496c0",
			"created_at": "2022-10-25T16:07:23.609046Z",
			"updated_at": "2026-04-10T02:00:04.686029Z",
			"deleted_at": null,
			"main_name": "Ferocious Kitten",
			"aliases": [
				"G0137"
			],
			"source_name": "ETDA:Ferocious Kitten",
			"tools": [
				"MarkiRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5e034014-1f6e-424d-adfa-49557e655e08",
			"created_at": "2024-02-06T02:00:04.118601Z",
			"updated_at": "2026-04-10T02:00:03.572699Z",
			"deleted_at": null,
			"main_name": "Karkadann",
			"aliases": [
				"Piwiks"
			],
			"source_name": "MISPGALAXY:Karkadann",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cde987a8-c71f-49e2-b761-5b7fa2b4ada6",
			"created_at": "2022-10-25T16:07:23.706646Z",
			"updated_at": "2026-04-10T02:00:04.719127Z",
			"deleted_at": null,
			"main_name": "Hexane",
			"aliases": [
				"ATK 120",
				"Cobalt Lyceum",
				"G1001",
				"Lyceum",
				"Operation Out to Sea",
				"Siamesekitten",
				"Yellow Dev 9"
			],
			"source_name": "ETDA:Hexane",
			"tools": [
				"DanBot",
				"DanDrop",
				"Decrypt-RDCMan.ps1",
				"Get-LAPSP.ps1",
				"James",
				"Milan",
				"kl.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8f6bd9b8-e46e-4c3b-9a08-41fee319f273",
			"created_at": "2022-10-25T16:07:23.747959Z",
			"updated_at": "2026-04-10T02:00:04.735963Z",
			"deleted_at": null,
			"main_name": "Karkadann",
			"aliases": [],
			"source_name": "ETDA:Karkadann",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a7df240e-6750-4b71-99de-85831b92faa2",
			"created_at": "2022-10-25T15:50:23.859253Z",
			"updated_at": "2026-04-10T02:00:05.285965Z",
			"deleted_at": null,
			"main_name": "HEXANE",
			"aliases": [
				"Lyceum",
				"Siamesekitten",
				"Spirlin"
			],
			"source_name": "MITRE:HEXANE",
			"tools": [
				"Milan",
				"netstat",
				"BITSAdmin",
				"DnsSystem",
				"DanBot",
				"ipconfig",
				"Mimikatz",
				"Kevin",
				"PoshC2"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "44d5df14-6a25-41d6-a54c-7c7ebac358cf",
			"created_at": "2023-01-06T13:46:38.817312Z",
			"updated_at": "2026-04-10T02:00:03.111227Z",
			"deleted_at": null,
			"main_name": "Domestic Kitten",
			"aliases": [
				"Bouncing Golf",
				"APT-C-50"
			],
			"source_name": "MISPGALAXY:Domestic Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-10T02:00:04.84985Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b13c19d6-247d-47ba-86ba-15a94accc179",
			"created_at": "2024-05-01T02:03:08.149923Z",
			"updated_at": "2026-04-10T02:00:03.763147Z",
			"deleted_at": null,
			"main_name": "TUNGSTEN BRIDGE",
			"aliases": [
				"APT-C-06 ",
				"ATK52 ",
				"CTG-1948 ",
				"DUBNIUM ",
				"DarkHotel ",
				"Fallout Team ",
				"Shadow Crane ",
				"Zigzag Hail "
			],
			"source_name": "Secureworks:TUNGSTEN BRIDGE",
			"tools": [
				"Nemim",
				"Tapaoux"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e580dec5-1558-4c79-8eda-c968d1cd206f",
			"created_at": "2022-10-25T16:07:24.090829Z",
			"updated_at": "2026-04-10T02:00:04.863398Z",
			"deleted_at": null,
			"main_name": "Rampant Kitten",
			"aliases": [],
			"source_name": "ETDA:Rampant Kitten",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fb8f3a5f-01a9-498e-9396-52f844424c33",
			"created_at": "2023-01-06T13:46:39.045338Z",
			"updated_at": "2026-04-10T02:00:03.195743Z",
			"deleted_at": null,
			"main_name": "LYCEUM",
			"aliases": [
				"Spirlin",
				"MYSTICDOME",
				"siamesekitten",
				"Chrono Kitten",
				"Storm-0133",
				"COBALT LYCEUM",
				"UNC1530"
			],
			"source_name": "MISPGALAXY:LYCEUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2b4eec94-7672-4bee-acb2-b857d0d26d12",
			"created_at": "2023-01-06T13:46:38.272109Z",
			"updated_at": "2026-04-10T02:00:02.906089Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"T-APT-02",
				"Nemim",
				"Nemin",
				"Shadow Crane",
				"G0012",
				"DUBNIUM",
				"Karba",
				"APT-C-06",
				"SIG25",
				"TUNGSTEN BRIDGE",
				"Zigzag Hail",
				"Fallout Team",
				"Luder",
				"Tapaoux",
				"ATK52"
			],
			"source_name": "MISPGALAXY:DarkHotel",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "386b1b0a-9217-46d4-a0d6-73d6286154e0",
			"created_at": "2025-08-07T02:03:24.760429Z",
			"updated_at": "2026-04-10T02:00:03.619131Z",
			"deleted_at": null,
			"main_name": "COBALT LYCEUM",
			"aliases": [
				"DEV-0133 ",
				"HEXANE ",
				"ScorchedEpoch "
			],
			"source_name": "Secureworks:COBALT LYCEUM",
			"tools": [
				"DanBot",
				"MilanRAT",
				"RGDoor",
				"SharkWork RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "115ee14e-a122-47a4-bef7-5d3668cda109",
			"created_at": "2025-01-10T02:00:03.15179Z",
			"updated_at": "2026-04-10T02:00:03.800179Z",
			"deleted_at": null,
			"main_name": "CoughingDown",
			"aliases": [],
			"source_name": "MISPGALAXY:CoughingDown",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75297180-4681-4500-ad0e-cde0edeb1ed2",
			"created_at": "2024-02-06T02:00:04.156486Z",
			"updated_at": "2026-04-10T02:00:03.581217Z",
			"deleted_at": null,
			"main_name": "Ferocious Kitten",
			"aliases": [],
			"source_name": "MISPGALAXY:Ferocious Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2b29dd16-a06f-4830-81a1-365443bc54b8",
			"created_at": "2023-01-06T13:46:38.460047Z",
			"updated_at": "2026-04-10T02:00:02.983931Z",
			"deleted_at": null,
			"main_name": "QUILTED TIGER",
			"aliases": [
				"Chinastrats",
				"Sarit",
				"APT-C-09",
				"ZINC EMERSON",
				"ATK11",
				"G0040",
				"Orange Athos",
				"Thirsty Gemini",
				"Dropping Elephant"
			],
			"source_name": "MISPGALAXY:QUILTED TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "30f6ddb3-f5aa-4b78-a1a5-e37c42b2c560",
			"created_at": "2022-10-25T16:07:23.544297Z",
			"updated_at": "2026-04-10T02:00:04.64999Z",
			"deleted_at": null,
			"main_name": "Domestic Kitten",
			"aliases": [
				"APT-C-50",
				"Bouncing Golf",
				"G0097"
			],
			"source_name": "ETDA:Domestic Kitten",
			"tools": [
				"FurBall",
				"GolfSpy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea",
			"created_at": "2023-01-06T13:46:39.444946Z",
			"updated_at": "2026-04-10T02:00:03.331753Z",
			"deleted_at": null,
			"main_name": "GOBLIN PANDA",
			"aliases": [
				"Conimes",
				"Cycldek"
			],
			"source_name": "MISPGALAXY:GOBLIN PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "306b00c6-fec4-4698-86c5-2aed9feedd38",
			"created_at": "2022-10-25T15:50:23.444155Z",
			"updated_at": "2026-04-10T02:00:05.401052Z",
			"deleted_at": null,
			"main_name": "Ferocious Kitten",
			"aliases": [
				"Ferocious Kitten"
			],
			"source_name": "MITRE:Ferocious Kitten",
			"tools": [
				"MarkiRAT",
				"BITSAdmin"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39",
			"created_at": "2022-10-25T16:07:23.690871Z",
			"updated_at": "2026-04-10T02:00:04.709966Z",
			"deleted_at": null,
			"main_name": "Goblin Panda",
			"aliases": [
				"1937CN",
				"Conimes",
				"Cycldek",
				"Goblin Panda"
			],
			"source_name": "ETDA:Goblin Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"BackDoor-FBZT!52D84425CDF2",
				"BlueCore",
				"BrowsingHistoryView",
				"ChromePass",
				"CoreLoader",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"DropPhone",
				"FoundCore",
				"HDoor",
				"HTTPTunnel",
				"JsonCookies",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NBTscan",
				"NewCore RAT",
				"PlugX",
				"ProcDump",
				"PsExec",
				"QCRat",
				"RainyDay",
				"RedCore",
				"RedDelta",
				"RoyalRoad",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Win32.Staser.ytq",
				"USBCulprit",
				"Win32/Zegost.BW",
				"Xamtrav",
				"ZeGhost",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236429ce-6355-43f6-9b58-e6803a1df3f4",
			"created_at": "2026-03-16T02:02:50.60344Z",
			"updated_at": "2026-04-10T02:00:03.641587Z",
			"deleted_at": null,
			"main_name": "Bronze Union",
			"aliases": [
				"Circle Typhoon ",
				"Emissary Panda "
			],
			"source_name": "Secureworks:Bronze Union",
			"tools": [
				"China Chopper",
				"OwaAuth",
				"Sysupdate"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439091,
	"ts_updated_at": 1775826738,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1b2ff3206088d60b5b7c14a56514a0648a576314.pdf",
		"text": "https://archive.orkl.eu/1b2ff3206088d60b5b7c14a56514a0648a576314.txt",
		"img": "https://archive.orkl.eu/1b2ff3206088d60b5b7c14a56514a0648a576314.jpg"
	}
}