{ "id": "7cf7eb93-4380-48d6-a3bf-09b4e3fff192", "created_at": "2026-04-06T00:12:28.264235Z", "updated_at": "2026-04-10T13:12:52.305392Z", "deleted_at": null, "sha1_hash": "1b764998137a949084d2695db4f9714880a24ec9", "title": "MirrorBlast (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 43726, "plain_text": "MirrorBlast (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 19:52:03 UTC\r\nwin.mirrorblast (Back to overview)\r\nMirrorBlast\r\nActor(s): TA505\r\nAccording to Minerva Labs, MirrorBlast malware is a trojan that is known for attacking users’ browsers. It usually\r\npretends to be a legitimate browser add-on however it has now evolved additional capabilities, whereby other\r\nmalwares are installed simultaneously. Recently, this trojan is thought to have tentative links to TA505 and PYSA\r\ngroups.\r\nReferences\r\n2021-10-19 ⋅ Proofpoint ⋅ Axel F, Brandon Murphy, Crista Giering, Georgi Mladenov, Matthew Mesa, Zydeca Cass\r\nWhatta TA: TA505 Ramps Up Activity, Delivers New FlawedGrace Variant\r\nFlawedGrace MirrorBlast\r\n2021-10-14 ⋅ Morphisec ⋅ Arnold Osipov\r\nExplosive New MirrorBlast Campaign Targets Financial Companies\r\nMirrorBlast\r\n2021-10-05 ⋅ FRSecure ⋅ Oscar Minks\r\nThe REBOL Yell: A New Novel REBOL Exploit\r\nMirrorBlast\r\n2021-09-24 ⋅ Proofpoint ⋅ Proofpoint\r\nDaily Ruleset Update Summary 2021/09/24\r\nMirrorBlast\r\n2021-09-19 ⋅ HP ⋅ Patrick Schläpfer\r\nMirrorBlast and TA505: Examining Similarities in Tactics, Techniques and Procedures\r\nMirrorBlast\r\nThere is no Yara-Signature yet.\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.mirrorblast\r\nPage 1 of 2\n\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.mirrorblast\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.mirrorblast\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.mirrorblast" ], "report_names": [ "win.mirrorblast" ], "threat_actors": [ { "id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59", "created_at": "2024-06-19T02:03:08.128175Z", "updated_at": "2026-04-10T02:00:03.636663Z", "deleted_at": null, "main_name": "GOLD TAHOE", "aliases": [ "Cl0P Group Identity", "FIN11 ", "GRACEFUL SPIDER ", "SectorJ04 ", "Spandex Tempest ", "TA505 " ], "source_name": "Secureworks:GOLD TAHOE", "tools": [ "Clop", "Cobalt Strike", "FlawedAmmy", "Get2", "GraceWire", "Malichus", "SDBbot", "ServHelper", "TrueBot" ], "source_id": "Secureworks", "reports": null }, { "id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4", "created_at": "2022-10-25T15:50:23.5188Z", "updated_at": "2026-04-10T02:00:05.26565Z", "deleted_at": null, "main_name": "TA505", "aliases": [ "TA505", "Hive0065", "Spandex Tempest", "CHIMBORAZO" ], "source_name": "MITRE:TA505", "tools": [ "AdFind", "Azorult", "FlawedAmmyy", "Mimikatz", "Dridex", "TrickBot", "Get2", "FlawedGrace", "Cobalt Strike", "ServHelper", "Amadey", "SDBbot", "PowerSploit" ], "source_id": "MITRE", "reports": null }, { "id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3", "created_at": "2023-01-06T13:46:38.860754Z", "updated_at": "2026-04-10T02:00:03.125179Z", "deleted_at": null, "main_name": "TA505", "aliases": [ "SectorJ04", "SectorJ04 Group", "ATK103", "GRACEFUL SPIDER", "GOLD TAHOE", "Dudear", "G0092", "Hive0065", "CHIMBORAZO", "Spandex Tempest" ], "source_name": "MISPGALAXY:TA505", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e447d393-c259-46e2-9932-19be2ba67149", "created_at": "2022-10-25T16:07:24.28282Z", "updated_at": "2026-04-10T02:00:04.921616Z", "deleted_at": null, "main_name": "TA505", "aliases": [ "ATK 103", "Chimborazo", "G0092", "Gold Evergreen", "Gold Tahoe", "Graceful Spider", "Hive0065", "Operation Tovar", "Operation Trident Breach", "SectorJ04", "Spandex Tempest", "TA505", "TEMP.Warlock" ], "source_name": "ETDA:TA505", "tools": [ "Amadey", "AmmyyRAT", "AndroMut", "Azer", "Bart", "Bugat v5", "CryptFile2", "CryptoLocker", "CryptoMix", "CryptoShield", "Dridex", "Dudear", "EmailStealer", "FRIENDSPEAK", "Fake Globe", "Fareit", "FlawedAmmyy", "FlawedGrace", "FlowerPippi", "GOZ", "GameOver Zeus", "GazGolder", "Gelup", "Get2", "GetandGo", "GlobeImposter", "Gorhax", "GraceWire", "Gussdoor", "Jaff", "Kasidet", "Kegotip", "Kneber", "LOLBAS", "LOLBins", "Living off the Land", "Locky", "MINEBRIDGE", "MINEBRIDGE RAT", "MirrorBlast", "Neutrino Bot", "Neutrino Exploit Kit", "P2P Zeus", "Peer-to-Peer Zeus", "Philadelphia", "Philadephia Ransom", "Pony Loader", "Rakhni", "ReflectiveGnome", "Remote Manipulator System", "RockLoader", "RuRAT", "SDBbot", "ServHelper", "Shifu", "Siplog", "TeslaGun", "TiniMet", "TinyMet", "Trojan.Zbot", "Wsnpoem", "Zbot", "Zeta", "ZeuS", "Zeus" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434348, "ts_updated_at": 1775826772, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/1b764998137a949084d2695db4f9714880a24ec9.pdf", "text": "https://archive.orkl.eu/1b764998137a949084d2695db4f9714880a24ec9.txt", "img": "https://archive.orkl.eu/1b764998137a949084d2695db4f9714880a24ec9.jpg" } }