{ "id": "9dc05606-328a-4e8d-8b74-0cecbf580170", "created_at": "2026-04-06T00:11:22.027052Z", "updated_at": "2026-04-10T13:11:53.708094Z", "deleted_at": null, "sha1_hash": "1b4e448e7ab202c5ac3427ac50e5afa8d07f4748", "title": "Profiling \u0026 Disrupting an APT Spear Phishing Campaign Targeting Slack users in the Financial Sector", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 628475, "plain_text": "Profiling \u0026 Disrupting an APT Spear Phishing Campaign\r\nTargeting Slack users in the Financial Sector\r\nBy Mauro Eldritch\r\nPublished: 2024-02-21 · Archived: 2026-04-05 17:37:03 UTC\r\n@MauroEldritch, Quetzal Team @ Bitso — 2024\r\nPress enter or click to view image in full size\r\nCredits: Pixabay\r\nIntroduction\r\nIn January 2024, we first identified a Spear Phishing campaign targeting Slack users in the financial sector.\r\nThe threat actor used a template for the deceptive email with high attention to detail, making it highly convincing.\r\nHowever, part of its infrastructure is recycled, having been used in previous campaigns, and it shows activity\r\nconsistent with an Advanced Persistent Threat (APT).\r\nAs of the date of this investigation, there are no public mentions of the indicators of this campaign, suggesting that\r\nwe are among the first to discover and profile it [1].\r\nhttps://medium.com/bitso-engineering/profiling-disrupting-an-apt-spear-phishing-campaign-targeting-slack-users-in-the-financial-sector-9389533d5fc2\r\nPage 1 of 13\n\nTechnical Analysis\r\nThe attacker uses Google email servers (108.177.16.4, 209.85.218.68 \u0026 209.85.166.169), which are whitelisted\r\non most security providers, to gain a reputational advantage and evade potential blocks based on SPAM lists\r\n(source: Cisco Talos).\r\nThe body of the email is static, but the subject and malicious action button links change per recipient. The\r\ntemplate is highly sophisticated, with particular attention to detail, including links and buttons redirecting to\r\nofficial Slack application sites and social networks. However, the language used in the email body and the email\r\nsubjects reveals the deceptive nature of the communication, as analyzed in the ‘Language Analysis’ section below.\r\nMalicious domains used by the threat actor are hosted on PorkBun, similar to those used by QRLog. At the time of\r\nwriting this report, all these domains display a “Maintenance” message, as seen below. This is likely a response to\r\nus releasing IOCs (Indicators of Compromise) on various intelligence platforms (available in the ‘References’\r\nsection).\r\nDomains were created on January 3rd except for slack-hub.com which exists since May, 2021. All of them have\r\nnone or positive reputation.\r\nLanguage Analysis\r\nEmail Body\r\nKindly acknowledge receiving of our deal!\r\nWe urge you to immediately address the requirement to accept our recent updated deal through your\r\ncompany‘s messaging platform. Kindly enter your official communication account and promptly\r\nacknowledge your business‘s newest deal.\r\nUse of “receiving of” instead of “receipt of.”\r\nUse of “recent updated” instead of “recently updated.”\r\nUse of “kindly,” a word uncommon in normal communications and very frequent in deceptive emails.\r\nSubjects\r\nTake Immediate Action: Accept Your Latest Business Agreement on Slack!\r\nAction Needed: Log in and Consent to the Revised Agreement on Communication!\r\nTime-sensitive: Verify Your Company’s New Slack Deal Immediately!\r\nTime’s Running Out: Recognize Your Recently Company Agreement on Slack!\r\nURGENT: Approval Required for the Fresh Business Contract on Messaging!\r\nCritical Mission: Acknowledge Your Business’s Latest Agreement on Communication!\r\nVital Update: Accept Your Recent Company Pact on Slack!\r\nhttps://medium.com/bitso-engineering/profiling-disrupting-an-apt-spear-phishing-campaign-targeting-slack-users-in-the-financial-sector-9389533d5fc2\r\nPage 2 of 13\n\nCrucial: Acknowledge the New Contract on Company’s Messaging!\r\nDon’t Miss Out on This: Acknowledge Your Company’s Newest Agreement on Slack!\r\nAct Now: Accept Your Newest Company Terms on Slack!\r\nVITAL: Approval Required for the New Company Pact on Slack!\r\nRespond Immediately: Validate Your Latest Corporate Agreement on Slack!\r\nCritical Assignment: Validate Your Company’s Most Recent Agreement on Slack!\r\nCritical Task: Confirm Your Company’s Newest Deal on Slack!\r\nImportant Update: Accept Your Most Recent Company Deal on Slack!\r\nPRESSING: Approval Required for the New Company Agreement on Slack!\r\nUrgent: Login and Endorse the Updated Agreement on Slack!\r\nEssential Duty: Authorize Your Company’s Recent Contract on Messaging!\r\nUse of a common pattern: [Alert Phrase]: [Action Needed]!.\r\nUse of a common pattern attempting to deceive the user through a false sense of urgency.\r\nUse of unnecessary exclamation marks.\r\nUse of uncommon words and phrases in corporate communications such as “Pressing,” “Vital,” “Respond\r\nImmediately,” “Crucial.”\r\nPresumed generation of subjects by an LLM model like ChatGPT.\r\nIOCs\r\nPRIMARY\r\nDomain:slackcloud.network\r\nDomain:slack-hub.com\r\nDomain:slack-sso.com\r\nDomain:slack-protect.com\r\nDomain:gfylinks.com\r\nDomain:badtastecru.co.uk\r\nDomain:ssoslack.com\r\nDomain:slack.com.slackcloud.network\r\nDomain:slack.com.ssoslack.com\r\nhttps://medium.com/bitso-engineering/profiling-disrupting-an-apt-spear-phishing-campaign-targeting-slack-users-in-the-financial-sector-9389533d5fc2\r\nPage 3 of 13\n\nDomain:com.ssoslack.com\r\nIP:44.227.65.245\r\nIP:44.227.76.166\r\nURL:http://com.ssoslack.com/signin\r\nURL:http://slack.com.ssoslack.com/signin\r\nURL:http://ssoslack.com/signin\r\nURL:https://badtastecru.co.uk/jxp8g\r\nURL:https://gfylinks.com/saa5l\r\nURL:https://slack.com.slackcloud.network/signin#/signin\r\nString:Take Immediate Action: Accept Your Latest Business Agreement on Slack!\r\nString:Action Needed: Log in and Consent to the Revised Agreement on Communication!\r\nString:Time-sensitive: Verify Your Company’s New Slack Deal Immediately!\r\nString:Time’s Running Out: Recognize Your Recently Company Agreement on Slack!\r\nString:URGENT: Approval Required for the Fresh Business Contract on Messaging!\r\nString:Critical Mission: Acknowledge Your Business’s Latest Agreement on Communication!\r\nString:Vital Update: Accept Your Recent Company Pact on Slack!\r\nString:Crucial: Acknowledge the New Contract on Company’s Messaging!\r\nString:Don’t Miss Out on This: Acknowledge Your Company’s Newest Agreement on Slack!\r\nString:Act Now: Accept Your Newest Company Terms on Slack!\r\nString:VITAL: Approval Required for the New Company Pact on Slack!\r\nString:Respond Immediately: Validate Your Latest Corporate Agreement on Slack!\r\nString:Critical Assignment: Validate Your Company’s Most Recent Agreement on Slack!\r\nString:Critical Task: Confirm Your Company’s Newest Deal on Slack!\r\nString:Important Update: Accept Your Most Recent Company Deal on Slack!\r\nString:PRESSING: Approval Required for the New Company Agreement on Slack!\r\nString:Urgent: Login and Endorse the Updated Agreement on Slack!\r\nhttps://medium.com/bitso-engineering/profiling-disrupting-an-apt-spear-phishing-campaign-targeting-slack-users-in-the-financial-sector-9389533d5fc2\r\nPage 4 of 13\n\nString:Essential Duty: Authorize Your Company’s Recent Contract on Messaging!\r\nSECONDARY / ASSOCIATED\r\nDomain:pa7ypal.com\r\nDomain:connect-jnj.com\r\nDomain:xhams6er.com\r\nDomain:cooporatestock.com\r\nDomain:whatsappweb.xyz\r\nDomain:acess-logon-security.com\r\nDomain:info-spedizioni-xme.com\r\nDomain:recent-check-info.com\r\nDomain:cpamvitaie-fr.com\r\nDomain:superimarkets.com\r\nDomain:covidvaxonline.com\r\nDomain:review-transaction-attempt.com\r\nDomain:pay7pal.com\r\nDomain:gokcsbus.com\r\nDomain:noblearab.com\r\nDomain:portail-espace-sante.com\r\nDomain:nqf279d0booy.fun\r\nDomain:noodagency.com\r\nDomain:cit1zens-portal.com\r\nDomain:bhuiridh-gauge.com\r\nDomain:revertinstruction.com\r\nDomain:4pcstar.com\r\nDomain:review-new-applogon.com\r\nDomain:prodigalaudio.com\r\nhttps://medium.com/bitso-engineering/profiling-disrupting-an-apt-spear-phishing-campaign-targeting-slack-users-in-the-financial-sector-9389533d5fc2\r\nPage 5 of 13\n\nDomain:livespory.com\r\nDomain:camvaclimlted.com\r\nDomain:2kclass.com\r\nDomain:1jdm.com\r\nDomain:sykes-sso.com\r\nDomain:ask-jnj.com\r\nDomain:concrecapital.com\r\nDomain:baidru.com\r\nDomain:mo-s.online\r\nDomain:checked-mobile-logon.com\r\nDomain:hempenvalley.com\r\nDomain:thecovidconspiracy.com\r\nDomain:cryptochampion.game\r\nDomain:manage-cyber-security.com\r\nDomain:007.bond\r\nDomain:azureservicesapi.com\r\nDomain:palashtv.com\r\nDomain:shareena.net\r\nDomain:bagtroop.com\r\nDomain:pharmerica.bar\r\nDomain:mktrending.com\r\nDomain:russ1ano.xyz\r\nDomain:giftstrendy.com\r\nDomain:manage-storedpayees109.com\r\nDomain:rumat-circle.com\r\nDomain:change-manage-add.com\r\nhttps://medium.com/bitso-engineering/profiling-disrupting-an-apt-spear-phishing-campaign-targeting-slack-users-in-the-financial-sector-9389533d5fc2\r\nPage 6 of 13\n\nDomain:jumphigherventures.com\r\nDomain:10hoursleepsounds.com\r\nDomain:02261988.xyz\r\nDomain:2ody.com\r\nDomain:2faweb3ga.xyz\r\nDomain:att-rsa.com\r\nDomain:02mbnwsxctgbp.xyz\r\nDomain:austinpublicradio.com\r\nDomain:deflsolutions.com\r\nDomain:12bet1gom.com\r\nDomain:13westy37.xyz\r\nDomain:288908.xyz\r\nDomain:german0.xyz\r\nDomain:manage-added-attempted.com\r\nDomain:dunyaservices.com\r\nDomain:360lifeinabox.com\r\nDomain:microsoft-sso.net\r\nDomain:1gomkubet.com\r\nDomain:orkney-circle.com\r\nDomain:wellmarkhealth.com\r\nDomain:226616.xyz\r\nDomain:symantecq.com\r\nDomain:bankbazaronline.com\r\nDomain:fssd11asdflokmn.xyz\r\nDomain:jeuriderspaceacprints.com\r\nDomain:4yqw.com\r\nhttps://medium.com/bitso-engineering/profiling-disrupting-an-apt-spear-phishing-campaign-targeting-slack-users-in-the-financial-sector-9389533d5fc2\r\nPage 7 of 13\n\nDomain:new-info-added.com\r\nDomain:covidvaxasap.com\r\nDomain:uid-amazio0m.xyz\r\nDomain:1gomw88.com\r\nDomain:1drvmicrosoft.com\r\nDomain:iopta.com\r\nDomain:226616.com\r\nDomain:arthot.com\r\nDomain:covidvaxtoday.com\r\nDomain:conferma-anagrafe-bpercard.com\r\nDomain:rpoqgfw.xyz\r\nDomain:1tal1ano.xyz\r\nDomain:noticeyahoo-conf2.xyz\r\nDomain:covidvaxcolombia.com\r\nDomain:inside-aol.com\r\nDomain:nichon18.rest\r\nDomain:speculumlover.com\r\nDomain:giottmart.com\r\nDomain:0mud.quest\r\nDomain:ivancarabantes.com\r\nDomain:roysalbank.com\r\nDomain:eliminate-corona.com\r\nDomain:mon-portail-colissimo.com\r\nDomain:att-mfa.com\r\nDomain:acespec.org\r\nDomain:sportline.one\r\nhttps://medium.com/bitso-engineering/profiling-disrupting-an-apt-spear-phishing-campaign-targeting-slack-users-in-the-financial-sector-9389533d5fc2\r\nPage 8 of 13\n\nDomain:viagrawallet.org\r\nDomain:noipv6.wtf\r\nDomain:sparkasse.wiki\r\nDomain:vtb-tech.info\r\nDomain:adaloappdocs.top\r\nDomain:usp-blauder.us\r\nDomain:nikologios.wiki\r\nDomain:discounthouse.zone\r\nDomain:walletmanagements.com\r\nDomain:dlsneyplus-at.info\r\nDomain:3fw51.buzz\r\nDomain:review-confirmation-app.info\r\nDomain:adam2christ.org\r\nDomain:batcoin.biz\r\nDomain:banca-sella.co\r\nDomain:usp-saco.us\r\nDomain:mlcrosoft.info\r\nDomain:ca-ref12786378993290038.cloud\r\nDomain:deny-logon-attempted.info\r\nDomain:16206.tel\r\nDomain:covidhistory.org\r\nDomain:bottom.wiki\r\nDomain:mon-espace-sfr.org\r\nDomain:1k67s.buzz\r\nDomain:1001tutorialjahitan.buzz\r\nDomain:vivaless.buzz\r\nhttps://medium.com/bitso-engineering/profiling-disrupting-an-apt-spear-phishing-campaign-targeting-slack-users-in-the-financial-sector-9389533d5fc2\r\nPage 9 of 13\n\nDomain:jessica-and-daniel.nyc\r\nDomain:operation-handling.info\r\nDomain:aiou.io\r\nDomain:dlsneyplus-app.info\r\nDomain:usp-mingodix.us\r\nDomain:removeaddin.info\r\nDomain:anpost-review.info\r\nDomain:glass.house\r\nDomain:yd1s.top\r\nDomain:berrybull.us\r\nDomain:purbno.us\r\nDomain:usp-daliver.us\r\nDomain:check-active-app.info\r\nDomain:documentshare.info\r\nDomain:mathlab.info\r\nDomain:usp-yinoksuz.us\r\nDomain:analyze-resolve.info\r\nDomain:coviddeaths.foundation\r\nDomain:godofwar.buzz\r\nPossible Attribution\r\nGet Mauro Eldritch’s stories in your inbox\r\nJoin Medium for free to get updates from this writer.\r\nRemember me for faster sign in\r\nThe infrastructure used for this campaign is recycled, having been part of previous campaigns. While the domains\r\nare new, the linked IP addresses have more than 100 mentions on the AlienVault OTX platform [2] [3].\r\nAfter an analysis with the bIOChip tool [6], I found links to Advance Persistent Threats (APTs) EVILNUM\r\n(mostly) [4] [5] and Lazarus (secondarily) [8] [9]. Remember that the domains used in the QRLog campaign by\r\nhttps://medium.com/bitso-engineering/profiling-disrupting-an-apt-spear-phishing-campaign-targeting-slack-users-in-the-financial-sector-9389533d5fc2\r\nPage 10 of 13\n\nLazarus were also hosted on Porkbun, a noteworthy detail.\r\nbIOChip Output\r\n⚠️ Report for concrecapital.com: Malicious activity found.\r\n🥷🏻 Domain is linked to known adversaries:\r\n* Lazarus (1)\r\n☣️ Domain is linked to malware activity:\r\n* WifiCloudWidget (1)\r\n* Targeted: Crypto.com (1)\r\n* Targeted: Coinbase (1)\r\n⚠️ Report for superimarkets.com: Malicious activity found.\r\n☣️ Domain is linked to malware activity:\r\n* VileLoader (1)\r\n* DeathStalker (1)\r\n* Stonefly (1)\r\n* Maui (1)\r\n* EVILNUM (1)\r\n⚠️ Report for 1jdm.com: Malicious activity found.\r\n☣️ Domain is linked to malware activity:\r\n* AM (1)\r\n* Agent Tesla (1)\r\n* Malware (1)\r\n* Tulach Malware (1)\r\n* adware.pcappstore/veryfast (1)\r\n* NSIS (1)\r\n* Static AI — Malicious PE (1)\r\n* HoneyPot (1)\r\nhttps://medium.com/bitso-engineering/profiling-disrupting-an-apt-spear-phishing-campaign-targeting-slack-users-in-the-financial-sector-9389533d5fc2\r\nPage 11 of 13\n\n⚠️ Report for azureservicesapi.com: Malicious activity found.\r\n☣️ Domain is linked to malware activity:\r\n* VileLoader (1)\r\n* DeathStalker (1)\r\n* Stonefly (1)\r\n* Maui (1)\r\n* EVILNUM (1)\r\n⚠️ Report for symantecq.com: Malicious activity found.\r\n☣️ Domain is linked to malware activity:\r\n* VileLoader (1)\r\n* DeathStalker (1)\r\n* Stonefly (1)\r\n* Maui (1)\r\n* EVILNUM (1)\r\n⚠️ Report for slack-sso.com: Malicious activity found.\r\n🥷🏻 Domain is linked to known adversaries:\r\n* Evilnum (1)\r\n☣️ Domain is linked to malware activity:\r\n* EVILNUM (1)\r\n⚠️ Report for slack-hub.com: Malicious activity found.\r\n🥷🏻 Domain is linked to known adversaries:\r\n* Evilnum (1)\r\n☣️ Domain is linked to malware activity:\r\n* EVILNUM (1)\r\n⚠️ Report for slack-protect.com: Malicious activity found.\r\n🥷🏻 Domain is linked to known adversaries:\r\nhttps://medium.com/bitso-engineering/profiling-disrupting-an-apt-spear-phishing-campaign-targeting-slack-users-in-the-financial-sector-9389533d5fc2\r\nPage 12 of 13\n\n* Evilnum (1)\r\n☣️ Domain is linked to malware activity:\r\n* EVILNUM (1)\r\nAbout EVILNUM\r\nEvilnum, DeathStalker, TA4563, or Knockout Spider is an advanced threat actor focused on victims in the\r\nfinancial sector and cryptocurrencies. First observed in 2017, it remains active. It is known for employing Spear\r\nPhishing among its TTPs (Tactics, Techniques, Procedures) and using its toolset, including PyVil RAT (a Python-written Trojan) and EVILNUM. It has also been observed using third-party tools like More_Eggs and open-source\r\ntools like LaZagne [7].\r\nIt has links with Golden Chickens, providers of MaaS (malware as a service).\r\nConclusions\r\nIn conclusion, this targeted Spear Phishing campaign demonstrated sophistication, affirming its bespoke nature\r\nover a random, mass-spamming attempt. The potential consequences were significant despite using less refined\r\nlanguage and recycled infrastructure. The incident highlights the crucial role of threat intelligence, emphasizing\r\nthe necessity for swift and extensive sharing to defend against advanced threats effectively.\r\nWe must remember that the “P” in APT is for “Persistent”, so it’s vital to predict that this campaign might change\r\nand come back with a different focus but still operated by the same actor.\r\nAcknowledgments\r\nLuis Noriega, Nelson Colón \u0026 Emilio Revelo from the Information Security Team actively participated in\r\nthis investigation. Rob Harrop for his corrections.\r\nReferences\r\n1. AlienVault OTX Intelligence Pulse on the campaign\r\n2. AlienVault OTX Intelligence Pulses on infrastructure\r\n3. AlienVault OTX Intelligence Pulses on infrastructure\r\n4. CrowdStrike Falcon profile of EVILNUM\r\n5. EVILNUM profile on Mitre\r\n6. bIOChip\r\n7. EVILNUM Toolset on Mitre\r\n8. Lazarus profile on Mitre\r\n9. CrowdStrike Falcon profile of Lazarus: Labyrinth Chollima\r\nSource: https://medium.com/bitso-engineering/profiling-disrupting-an-apt-spear-phishing-campaign-targeting-slack-users-in-the-financial-sect\r\nor-9389533d5fc2\r\nhttps://medium.com/bitso-engineering/profiling-disrupting-an-apt-spear-phishing-campaign-targeting-slack-users-in-the-financial-sector-9389533d5fc2\r\nPage 13 of 13", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia" ], "origins": [ "web" ], "references": [ "https://medium.com/bitso-engineering/profiling-disrupting-an-apt-spear-phishing-campaign-targeting-slack-users-in-the-financial-sector-9389533d5fc2" ], "report_names": [ "profiling-disrupting-an-apt-spear-phishing-campaign-targeting-slack-users-in-the-financial-sector-9389533d5fc2" ], "threat_actors": [ { "id": "059b16f8-d4e0-4399-9add-18101a2fd298", "created_at": "2022-10-25T15:50:23.29434Z", "updated_at": "2026-04-10T02:00:05.380938Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "Evilnum" ], "source_name": "MITRE:Evilnum", "tools": [ "More_eggs", "EVILNUM", "LaZagne" ], "source_id": "MITRE", "reports": null }, { "id": "f7aa6029-2b01-4eee-8fe6-287330e087c9", "created_at": "2022-10-25T16:07:23.536763Z", "updated_at": "2026-04-10T02:00:04.646542Z", "deleted_at": null, "main_name": "Deceptikons", "aliases": [ "DeathStalker", "Deceptikons" ], "source_name": "ETDA:Deceptikons", "tools": [ "EVILNUM", "Evilnum", "Janicab", "PowerPepper", "Powersing", "VileRAT" ], "source_id": "ETDA", "reports": null }, { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "f5c90ccc-0f18-4e07-a246-b62101ab2f6f", "created_at": "2023-01-06T13:46:38.854407Z", "updated_at": "2026-04-10T02:00:03.122844Z", "deleted_at": null, "main_name": "GC02", "aliases": [ "Golden Chickens", "Golden Chickens02", "Golden Chickens 02" ], "source_name": "MISPGALAXY:GC02", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bc3b971a-f262-4ab9-a48d-bb6e0b52c184", "created_at": "2022-10-25T16:07:23.236669Z", "updated_at": "2026-04-10T02:00:04.501012Z", "deleted_at": null, "main_name": "Knockout Spider", "aliases": [], "source_name": "ETDA:Knockout Spider", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "bc6e3644-3249-44f3-a277-354b7966dd1b", "created_at": "2022-10-25T16:07:23.760559Z", "updated_at": "2026-04-10T02:00:04.741239Z", "deleted_at": null, "main_name": "Andariel", "aliases": [ "APT 45", "Andariel", "G0138", "Jumpy Pisces", "Onyx Sleet", "Operation BLACKMINE", "Operation BLACKSHEEP/Phase 3.", "Operation Blacksmith", "Operation DESERTWOLF/Phase 3", "Operation GHOSTRAT", "Operation GoldenAxe", "Operation INITROY/Phase 1", "Operation INITROY/Phase 2", "Operation Mayday", "Operation VANXATM", "Operation XEDA", "Plutonium", "Silent Chollima", "Stonefly" ], "source_name": "ETDA:Andariel", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "88802a4b-5b3d-42ee-99e6-8a4f5fd231f6", "created_at": "2023-01-06T13:46:38.851345Z", "updated_at": "2026-04-10T02:00:03.121861Z", "deleted_at": null, "main_name": "GC01", "aliases": [ "Golden Chickens", "Golden Chickens01", "Golden Chickens 01" ], "source_name": "MISPGALAXY:GC01", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd", "created_at": "2023-01-06T13:46:39.153487Z", "updated_at": "2026-04-10T02:00:03.232006Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "EvilNum", "Jointworm", "KNOCKOUT SPIDER", "DeathStalker", "TA4563" ], "source_name": "MISPGALAXY:Evilnum", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "39ea99fb-1704-445d-b5cd-81e7c99d6012", "created_at": "2022-10-25T16:07:23.601894Z", "updated_at": "2026-04-10T02:00:04.684134Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "G0120", "Jointworm", "Operation Phantom in the [Command] Shell", "TA4563" ], "source_name": "ETDA:Evilnum", "tools": [ "Bypass-UAC", "Cardinal RAT", "ChromeCookiesView", "EVILNUM", "Evilnum", "IronPython", "LaZagne", "MailPassView", "More_eggs", "ProduKey", "PyVil", "PyVil RAT", "SONE", "SpicyOmelette", "StealerOne", "Taurus Loader Stealer Module", "Taurus Loader TeamViewer Module", "Terra Loader", "TerraPreter", "TerraStealer", "TerraTV" ], "source_id": "ETDA", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "771d9263-076e-4b6e-bd58-92b6555eb739", "created_at": "2025-08-07T02:03:25.092436Z", "updated_at": "2026-04-10T02:00:03.758541Z", "deleted_at": null, "main_name": "NICKEL HYATT", "aliases": [ "APT45 ", "Andariel", "Dark Seoul", "Jumpy Pisces ", "Onyx Sleet ", "RIFLE Campaign", "Silent Chollima ", "Stonefly ", "UN614 " ], "source_name": "Secureworks:NICKEL HYATT", "tools": [ "ActiveX 0-day", "DTrack", "HazyLoad", "HotCriossant", "Rifle", "UnitBot", "Valefor" ], "source_id": "Secureworks", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "7a257844-df90-4bd4-b0f1-77d00ff82802", "created_at": "2022-10-25T16:07:24.376356Z", "updated_at": "2026-04-10T02:00:04.964565Z", "deleted_at": null, "main_name": "Venom Spider", "aliases": [ "Golden Chickens", "TA4557", "Venom Spider" ], "source_name": "ETDA:Venom Spider", "tools": [ "More_eggs", "PureLocker", "SONE", "SpicyOmelette", "StealerOne", "Taurus Builder", "Taurus Builder Kit", "Taurus Loader", "Taurus Loader Reconnaissance Module", "Taurus Loader Stealer Module", "Taurus Loader TeamViewer Module", "Terra Loader", "TerraCrypt", "TerraLogger", "TerraPreter", "TerraRecon", "TerraStealer", "TerraTV", "TerraWiper", "ThreatKit", "VenomKit", "VenomLNK", "lite_more_eggs" ], "source_id": "ETDA", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434282, "ts_updated_at": 1775826713, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/1b4e448e7ab202c5ac3427ac50e5afa8d07f4748.pdf", "text": "https://archive.orkl.eu/1b4e448e7ab202c5ac3427ac50e5afa8d07f4748.txt", "img": "https://archive.orkl.eu/1b4e448e7ab202c5ac3427ac50e5afa8d07f4748.jpg" } }