{
	"id": "ff6ab1dd-39a0-42a7-8341-347171dc7f3c",
	"created_at": "2026-04-06T00:15:12.892049Z",
	"updated_at": "2026-04-10T03:37:36.806947Z",
	"deleted_at": null,
	"sha1_hash": "1b7bc94d05fa6b53de1741bcfe83727bb5c048eb",
	"title": "CISA Alert AA22-264A - Iranian HomeLand Justice APT Group's TTPs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53592,
	"plain_text": "CISA Alert AA22-264A - Iranian HomeLand Justice APT Group's TTPs\r\nBy Huseyin Can YUCEEL\r\nPublished: 2022-10-03 · Archived: 2026-04-05 15:32:32 UTC\r\nOn September 21, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory with the Federal Bureau of Investigation (FBI) on the Iranian state-sponsored cyber threat group HomeLand Justice. The threat actors stayed hidden in the Albanian government networks for nearly 14 months and conducted cyber espionage, ransomware, and destructive malware attacks.\r\nPicus Labs added attack simulations to the Picus Threat Library for techniques and malware used by the HomeLand Justice threat group. In this blog post, we explain the tactics, techniques, and procedures used by the Iranian threat group.\r\nSimulate State-Sponsored Cyber Threats with 14-Day Free Trial of Picus Platform\r\nHomeLand Justice Threat Group\r\nHomeLand Justice is another Iranian state-sponsored cyber threat group like MuddyWater and OilRig. The threat actors' earliest known malicious activity was in May 2021, and the CISA advisory estimates that this is when the threat actors gained initial access to the Albanian government networks. Since then, they stayed hidden in the victim's network and conducted cyber espionage on Albanian citizens and government officials, including the prime minister of Albania. In July and September 2022, the HomeLand Justice group launched ransomware and destructive malware attacks against their victim and announced their criminal activities on their website. The announcement and ransom note strongly indicated that these cyber attacks were politically motivated.\r\nIn their cyber attacks, the HomeLand Justice group gained initial access to the victim's network by exploiting the Microsoft SharePoint CVE-2019-0604 vulnerability. 
It is a remote code execution vulnerability with a CVSS score of 9.8 (Critical). Then, the threat actors established persistence via webshells and moved laterally in the network via RDP, SMB, and FTP. During their attack, the HomeLand Justice group exfiltrated the victim's sensitive data and stole credentials. Lastly, they made their presence known by launching ransomware and destructive malware attacks.\r\nTTPs Used by HomeLand Justice Threat Group\r\nThe HomeLand Justice threat group uses the following tactics, techniques, and procedures (TTPs) in the MITRE ATT\u0026CK framework:\r\nTactic: Initial Access\r\nT1190 Exploit Public-Facing Application\r\nHomeLand Justice threat actors exploited the Microsoft SharePoint remote code execution vulnerability (CVE-2019-0604). Although the vulnerability was discovered in 2019, unpatched assets still pose a risk given the vulnerability's high CVSS score (9.8, Critical). Organizations are advised to update their Microsoft SharePoint installations to the latest version without delay.\r\nTactic: Execution\r\nT1059 Command and Scripting Interpreter\r\nHomeLand Justice threat actors use many batch files in their ransomware attacks. In the ransomware attacks, they used two batch files with the same name, \"win.bat\". One file establishes persistence by running the ransomware encryptor at system startup, and the other changes the desktop background after the attack.\r\nstart /min C:\\ProgramData\\Microsoft\\Windows\\GoXml.exe 1 2 3 4 5 6 7\r\nExample 1: Contents of \"win.bat\" used for persistence\r\nTactic: Persistence\r\nT1505.003 Web Shell\r\nHomeLand Justice threat actors use webshells named pickers.aspx, error4.aspx, and ClientBin.aspx to establish persistence on the victim's compromised hosts.\r\nT1098 Account Manipulation\r\nThe HomeLand Justice group used compromised credentials to access Microsoft Exchange accounts, including administrator accounts. 
This level of access allowed the threat actors to create other accounts and add them to the \"Organization Management\" role group.\r\nhttps://www.picussecurity.com/resource/blog/cisa-alert-aa22-264a-iranian-homeland-justice-apt-groups-ttp\r\nPage 1 of 4\r\nTactic: Defense Evasion\r\nT1112 Modify Registry\r\nHomeLand Justice threat actors modify the following registry keys to disable Windows Defender.\r\nModified Registry Key | Modified Value\r\nHKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection | 0\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware | 1\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartupApproved\\Run\\SecurityHealth | 03 00 00 00 5D 02 00 00 41 3B 47 9D\r\nHKLM\\SOFTWARE\\Microsoft\\Windows Defender\\DisableAntiSpyware | 1\r\nHKLM\\System\\CurrentControlSet\\Services\\WinDefend\\Start | 3\r\nHKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring | 1\r\nT1562.001 Impair Defenses: Disable or Modify Tools\r\nThe HomeLand Justice group uses disable-defender.exe to disable Windows Defender. 
Also, the encryptor called GoXml.exe stops services and kills processes using the commands below.\r\nset SrvLst=vss sql svc$ memtas mepos sophos veeam backup GxVss GxBlr GxFWD GxCVD GxCIMgr DefWatch ccEvtMgr ccSetMgr SavRoam RTVscan QBFCService QBIDPService ntuit.QuickBooks.FCS QBCFMonitorService YooBackup YooIT zhudongfangyu sophos stc_raw_agent VSNAPVSS VeeamTransportSvc VeeamDeploymentService VeeamNFSSvc veeam PDVFSService BackupExecVSSProvider BackupExecAgentAccelerator BackupExecAgentBrowser BackupExecDiveciMediaService BackupExecJobEngine BackupExecManagementService BackupExecRPCService AcrSch2Svc AcronisAgent CASAD2DWebSvc CAARCUpdateSvc\r\nfor %C in (%SrvLst%) do @net stop %C\r\nset SrvLst=\r\nset PrcLst=mysql sql oracle ocssd dbsnmp synctime agntsvc isqlplussvc xfssvccon mydesktopservice ocautoupds encsvc tbirdconfig mydesktopqos ocomm dbeng50 sqbcoreservice excel infopath msaccess mspub onenote outlook powerpnt steam thebat thunderbird visio winword wordpad notepad\r\nfor %C in (%PrcLst%) do @taskkill /f /im \"%C.exe\"\r\nset PrcLst=\r\nExample 2: Commands in \"GoXml.exe\" that stop certain services and kill certain processes\r\nTactic: Credential Access\r\nT1003.001 OS Credential Dumping: LSASS Memory\r\nHomeLand Justice threat actors use Mimikatz to dump LSASS memory, which can then be used to extract credentials stored on the compromised host.\r\nTactic: Discovery\r\nT1046 Network Service Discovery\r\nThe HomeLand Justice group used \"Advanced Port Scanner\" to discover open ports and services in the victim's environment.\r\nTactic: Lateral Movement\r\nT1021.001 Remote Services: Remote Desktop Protocol\r\nHomeLand Justice threat actors primarily used Remote Desktop Protocol (RDP) to move laterally in the victim's network.\r\nT1021.002 Remote Services: SMB/Windows Admin Shares\r\nHomeLand Justice threat actors also used the SMB protocol to move laterally in 
the victim's network.\r\nTactic: Exfiltration\r\nT1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol\r\nHomeLand Justice threat actors were able to access administrator accounts of the Microsoft Exchange service via compromised credentials. Using this access, they searched for and exfiltrated emails and other sensitive data belonging to the victim.\r\nTactic: Impact\r\nT1486 Data Encrypted for Impact\r\nHomeLand Justice threat actors used an executable called Mellona.exe to spread the GoXml.exe encryptor to internal assets in the victim's network. GoXml.exe encrypted all files on the infected hosts and left a ransom note named \"How_To_Unlock_MyFiles.txt\" in each folder that was encrypted.\r\nT1490 Inhibit System Recovery\r\nThe encryptor GoXml.exe also deletes volume shadow copies to prevent the victim from recovering the encrypted files.\r\nT1485 Data Destruction\r\nHomeLand Justice threat actors used the ZeroCleare disk wiper malware to delete data via raw access to the hard drive.\r\nHow Does Picus Help Simulate HomeLand Justice Cyber Attacks?\r\nWe also strongly suggest simulating HomeLand Justice cyber threats to test the effectiveness of your security controls against ransomware attacks using the Picus Complete Security Control Validation Platform. 
You can test your defenses against HomeLand Justice threat actors and other Iranian state-sponsored APT threats such as MuddyWater, OilRig, and PHOSPHORUS within minutes with a 14-day free trial of the Picus Platform.\r\nThe Picus Threat Library includes the following threats for the HomeLand Justice threat group:\r\nThreat ID | Action Name | Attack Module\r\n36690 | HomeLand Justice Threat Group Campaign 2022 | Endpoint\r\n48961 | HomeLand Justice Threat Group Campaign Malware Download Threat | Network Infiltration\r\n52959 | HomeLand Justice Threat Group Campaign Email Threat | Email Infiltration (Phishing)\r\nStart simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Control Validation Platform.\r\nIndicators of Compromise\r\nSource: https://www.picussecurity.com/resource/blog/cisa-alert-aa22-264a-iranian-homeland-justice-apt-groups-ttp",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.picussecurity.com/resource/blog/cisa-alert-aa22-264a-iranian-homeland-justice-apt-groups-ttp"
	],
	"report_names": [
		"cisa-alert-aa22-264a-iranian-homeland-justice-apt-groups-ttp"
	],
	"threat_actors": [
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7f25e108-e694-49b6-a494-c8458b33eb3f",
			"created_at": "2024-01-09T02:00:04.199217Z",
			"updated_at": "2026-04-10T02:00:03.509338Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [],
			"source_name": "MISPGALAXY:HomeLand Justice",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3ebf51d-8f64-48a9-bbfb-674db872cccb",
			"created_at": "2025-08-07T02:03:24.769383Z",
			"updated_at": "2026-04-10T02:00:03.860954Z",
			"deleted_at": null,
			"main_name": "COBALT MYSTIQUE",
			"aliases": [
				"Banished Kitten ",
				"DEV-0842 ",
				"Druidfly ",
				"Handala Hack Team",
				"Homeland Justice",
				"Karmabelow80",
				"Red Sandstorm ",
				"Storm-0842 ",
				"Void Manticore "
			],
			"source_name": "Secureworks:COBALT MYSTIQUE",
			"tools": [
				"AllinOneNeo",
				"Bibi",
				"GramPy",
				"GramPyLoader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434512,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1b7bc94d05fa6b53de1741bcfe83727bb5c048eb.pdf",
		"text": "https://archive.orkl.eu/1b7bc94d05fa6b53de1741bcfe83727bb5c048eb.txt",
		"img": "https://archive.orkl.eu/1b7bc94d05fa6b53de1741bcfe83727bb5c048eb.jpg"
	}
}