{
	"id": "0e24476c-b998-4a20-80bf-2ee6210f2a93",
	"created_at": "2026-04-06T00:08:36.709223Z",
	"updated_at": "2026-04-10T03:37:50.318027Z",
	"deleted_at": null,
	"sha1_hash": "1c077e95fd513ff03dc3cecb9678794ac01f0ad4",
	"title": "The New and Improved macOS Backdoor from OceanLotus",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 854821,
	"plain_text": "The New and Improved macOS Backdoor from OceanLotus\r\nBy Erye Hernandez, Danny Tsechansky\r\nPublished: 2017-06-22 · Archived: 2026-04-05 14:23:42 UTC\r\nIntroduction\r\nRecently, we discovered a new version of the OceanLotus backdoor in our WildFire cloud analysis platform which may be\r\none of the more advanced backdoors we have seen on macOS to date. This iteration is targeted towards victims in Vietnam\r\nand still maintains extremely low AV detection almost a year after it was first discovered. Despite having been in the wild\r\nfor an extended period of time, the operation appears to still be active. During our analysis, we were able communicate\r\ndirectly with the command and control server as recently as early June 2017.\r\nWhile there seem to be similarities to an OceanLotus sample discovered in May 2015, a variety of improvements have been\r\nmade since then. Some of the improvements include the use of a decoy document, elimination of the use of command line\r\nutilities, a robust string encoding mechanism, custom binary protocol traffic with encryption, and a modularized backdoor.\r\nInfection Vector\r\nThe new OceanLotus backdoor is distributed in a zip file. While we don’t have direct evidence for the initial infection vector\r\nwe presume it’s most likely via an email attachment. Once the user has extracted the zip file, they see a directory containing\r\na file with a Microsoft Word document icon. The file is actually an application bundle, which contains executable code. (see\r\nFigure 1).  Once the user double clicks on the purported Word document, the Trojan executes and then launches Word to\r\ndisplay a decoy document.\r\nThe malware uses the decoy document to help mask the execution of the malware. This technique is a common one for\r\nWindows-based malware, but rare on macOS. 
In order to achieve this layer of deception, the malware author had to get the operating system to treat the folder as an application bundle despite its .docx-style name. Traditionally, macOS malware has emulated legitimate application installers such as Adobe Flash, which was how the previous version of OceanLotus was packaged.\r\nFigure 1. Context menu and file listing\r\nOnce the application bundle is launched, it opens a hidden file in the bundle’s Resources folder named .CFUserEncoding, which is a password-protected Word document (see Figure 2). It also copies this file to the executable path and, once persistence has been set up, essentially replaces the application bundle with it. This leads the victim to believe that nothing is amiss: they thought they were opening a Word document, and a Word document opened. In this case, the Word file has the name “Noi dung chi tiet.docx”, which is Vietnamese for “Details.”\r\nhttps://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/\r\nPage 1 of 8\n\nFigure 2. Decoy document prompts for a password to open the file\r\nPersistence\r\nCompared to the previous version of this backdoor, the persistence mechanism has remained largely the same. This version registers a launchd job: a Launch Daemon, which runs at boot, when the malware was executed as root, or a per-user Launch Agent, which runs at that user’s login, otherwise. The previous version ran only at user login. The malware also copies itself to a location and filename that depend on the UID of the user who ran the application.\r\nFor a user other than root, it takes the MD5 hash of the structure returned by getpwuid() and breaks the hash down into the segments \u003cfirst 8 chars of hash\u003e-\u003cnext 16 chars of hash\u003e-\u003clast 8 chars of hash\u003e. This segmented MD5 hash is prefixed with “0000-” and used as a directory name under ~/Library/OpenSSL/ in which to store the executable (see Figure 3). 
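The drop locations just described, together with the root-user locations in Figure 3, can be turned into a simple host check. The following is an added example written for this page, not code from the Unit 42 write-up or from the malware; the regular expressions, the generic rule for Apple-named agents in a user's LaunchAgents folder, and the sample path inventory are all my own assumptions and constructions:

```python
# Added example (not from the write-up): classify file-system paths against
# the drop locations in Figure 3 and the Dropped Files table. Meant to run
# over a path inventory gathered elsewhere (a constructed list here), not to
# touch the live disk. ASSUMPTIONS: the segmented hash is 8-16-8 hex digits
# in either case, and the launchd Label inside the plists is not checked
# because the write-up does not give it.
import re

HOME = '(?:/Users/[^/]+|~)'      # expanded home directory or the ~ shorthand
SEG_HASH = '[0-9A-Fa-f]{8}-[0-9A-Fa-f]{16}-[0-9A-Fa-f]{8}'

# exact drop paths, keyed by what they are; [.] is a literal dot
ARTIFACTS = {
    'launch daemon plist (root)': '^/Library/LaunchDaemons/com[.]apple[.]mtmfsd[.]plist$',
    'executable (root)':          '^/Library/TimeMachine/bin/mtmfs$',
    'victim id file (root)':      '^/Library/Preferences/[.]files$',
    'launch agent plist (user)':  '^' + HOME + '/Library/LaunchAgents/com[.]apple[.]openssl[.]plist$',
    'executable (user)':          '^' + HOME + '/Library/OpenSSL/0000-' + SEG_HASH + '/servicessl$',
    'victim id file (user)':      '^' + HOME + '/Library/Preferences/[.]files$',
}
COMPILED = [(name, re.compile(pattern)) for name, pattern in ARTIFACTS.items()]

# Broader heuristic: Apple's own agents live under /System/Library/LaunchAgents,
# not in a user's ~/Library/LaunchAgents, so a per-user agent carrying a
# com.apple.* name deserves a look even if the filename differs from this sample.
APPLE_NAMED_USER_AGENT = re.compile('^' + HOME + '/Library/LaunchAgents/com[.]apple[.][^/]+[.]plist$')


def classify_path(path):
    # returns the artifact name for an exact OceanLotus drop path, a generic
    # label for a suspicious Apple-named user agent, or None
    for name, rx in COMPILED:
        if rx.match(path):
            return name
    if APPLE_NAMED_USER_AGENT.match(path):
        return 'apple-named user launch agent (generic)'
    return None


def scan(paths):
    # keep only the hits, preserving input order
    hits = []
    for p in paths:
        label = classify_path(p)
        if label:
            hits.append((p, label))
    return hits


# constructed inventory: two exact hits, one generic hit, three benign paths
SAMPLE_PATHS = [
    '/Users/alice/Library/LaunchAgents/com.apple.openssl.plist',
    '/Users/alice/Library/OpenSSL/0000-ABCDEF01-23456789ABCDEF01-23456789/servicessl',
    '/Users/alice/Library/LaunchAgents/com.apple.helper.plist',
    '/System/Library/LaunchAgents/com.apple.Finder.plist',
    '/Users/alice/Library/OpenSSL/0000-abc/servicessl',
    '/Library/Preferences/com.apple.loginwindow.plist',
]

if __name__ == '__main__':
    for path, label in scan(SAMPLE_PATHS):
        print(label, path)
```

Feed it paths from a file inventory saved during triage rather than pointing it at a live disk. The exact-match rules identify this sample; the generic rule is there because a renamed variant that keeps the Apple-looking label would otherwise slip past.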
If the user is root, the executable is stored in the system-wide library directory at /Library/TimeMachine/bin/mtmfs.\r\nIt is interesting to note that both the executable and plist locations are chosen to look like legitimate system components (Time Machine and OpenSSL).\r\nUID   plist location                                  Executable location\r\n0     /Library/LaunchDaemons/com.apple.mtmfsd.plist   /Library/TimeMachine/bin/mtmfs\r\n\u003e 0   ~/Library/LaunchAgents/com.apple.openssl.plist  ~/Library/OpenSSL/0000-\u003csegmented MD5 hash\u003e/servicessl\r\nFigure 3. plist and executable names and locations based on UID\r\nOnce the malware has set up persistence, it deletes the application bundle from the executable path, leaving the decoy document in its place, and launches itself as a service from the new location.\r\nNo Command Line Utilities\r\nOne of the first things we noticed about this backdoor is the lack of suspicious strings, which often provide context as to what the malware might do on a victim host. Most macOS malware calls system() or one of the exec() functions to run additional scripts; here those calls are absent, and so are the names of command line utilities that would easily convey the malicious intent of the application. This shows a deep level of understanding of the macOS platform by the author of this backdoor, compared to other threat actors who commonly copy and paste scripts from the Internet.\r\nThe lack of these strings may also double as an anti-analysis technique to make the malware seem less suspicious, especially to basic static analysis.\r\nString Decoding\r\nSince there appear to be no obvious suspicious strings in plaintext, we move on to the possibility of encoded or obfuscated strings.\r\nThe string decode routine for this backdoor is an upgrade from previous versions, in which strings were XOR encoded with the word “Variable” as a key. 
The string decode routine now consists of a combination of bit shifting and XOR operations with a variable key that depends on the length of the string that was encoded. If the computation for the variable XOR key turns out to be 0, the default XOR key of 0x1B is used. Figure 4 shows a Python implementation of the decode function.\r\nFigure 4. Python implementation of the malware’s string decode function\r\nAfter decoding the strings (see Figure 5), we can glean that the malware sets up persistence, surveys the victim’s computer, and sends this information back to a server. At this point, it is still not obvious that this malware contains backdoor functionality.\r\nFigure 5. List of decoded strings\r\nCustom Binary Protocol and Encrypted Traffic\r\nThe threat actors responsible for this malware appear to have spent real effort developing their own communication protocol. They did not simply use an off-the-shelf web server for their command and control server, as is commonly done. Instead, they created their own command and control mechanism.\r\nThe backdoor uses a custom binary protocol on TCP port 443, a well-known port that is unlikely to be blocked by traditional firewalls because of its use for HTTPS. The traffic is not TLS, however: a proxy or IDS that expects a TLS ClientHello on port 443 will see an unrecognized protocol instead, which is itself a detection opportunity. The packet seen in Figure 6 is encoded with a combination of bit shifting (see Figure 7) and XOR with a key of 0x1B before it is sent. The bits are always rotated to the left by 3 before the XOR operation. This is an improvement over the previous version, where the packet was only XOR encoded with a key of 0x1B.\r\nFigure 6. 
Initial packet sent by the client to the server\r\nFigure 7. Bit shifting function used in the encode/decode routine for network packets\r\nAfter decoding the packet, we can see a breakdown of the different fields. Figure 8 shows the initial packet sent by the client to the server. It is relatively empty aside from the “magic” bytes, the length of the data and the type of communication.\r\nFigure 8. Initial packet sent by the client to the server (decoded)\r\nDepending on the command response sent from the server, a packet may be bigger than 0x52 bytes. Data beyond 0x52 bytes is zlib compressed, then encrypted with AES in CBC mode using a null initialization vector (IV) and a key sent from the server that is padded to 32 bytes (that is, AES-256). Because the IV is always zero, two payloads encrypted under the same session key that begin with the same 16 plaintext bytes produce an identical first ciphertext block, which an analyst can use to recognize repeated messages within a session.\r\nWe captured live traffic from the server and observed that the encryption keys sent from the server are ephemeral. This means that each new session with the server is given a different key used to encrypt data sent back and forth within that session. This is a marked improvement compared to the previous version, where only XOR encoding with a one-byte key was used for encryption.\r\nAfter decoding the packet it receives from the server, the backdoor validates certain fields, such as the “magic” bytes, and makes sure the length of the data being received is not over a certain amount. Throughout program execution, it also checks and handles any errors that may have been generated.\r\nCommand and Control Communications\r\nThe command and control server communication sequence is as follows:\r\n1. The client initiates a session with the server by sending a packet with 0x2170272 in the command field.\r\n2. The server then responds with an ephemeral encryption key and a command.\r\n3. The client checks if the received packet from the server is valid.\r\n4. 
The client executes the command sent by the server and returns the result to the server as a zlib compressed, AES encrypted blob.\r\nUnlike previous versions of OceanLotus, where the commands could easily be gathered from its strings, the author has obfuscated the command handlers behind large constant values. We decoded the following available commands, shown in Figure 9.\r\nCommand    Description\r\n0x2170272  Initialize\r\n0x5CCA727  unknown\r\n0x2E25992  receive file from server\r\n0x2CD9070  get info on a file / directory\r\n0x12B3629  delete file / directory\r\n0x138E3E6  unknown\r\n0x25D5082  execute function from a dynamic library\r\n0x25360EA  send file to server\r\n0x17B1CC4  unknown\r\n0x18320E0  send victim and computer information together with the backdoor’s watermark\r\n0x1B25503  execute a function from a dynamic library\r\n0x1532E65  execute a function from a dynamic library\r\nFigure 9. List of commands available\r\nCommand 0x2170272\r\nWhen the backdoor is launched, a file is created in /Library/Preferences/.files or ~/Library/Preferences/.files, depending on the victim’s user ID. This file (see Figure 10) contains a timestamp and the victim’s name concatenated with the machine’s serial number, which is then hashed twice with MD5. This is copied to a buffer that is 0x110 bytes long, AES encrypted in CBC mode with a null IV and a key of “pth”, and saved into the file. Because the key is hard-coded, an analyst with the sample can decrypt this file offline and recover the victim identifier.\r\nTimestamp + MD5(MD5(\u003cvictim’s name + machine serial number\u003e))\r\nAfter this file is created, the client sends its first packet to the server with 0x2170272 in the command field. 
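Every packet in that exchange, starting with this first one, goes through the rotate-left-3-then-XOR-0x1B step described under Custom Binary Protocol and Encrypted Traffic. The block below is an added example written for this page, not code from the write-up or from the backdoor: it implements that codec as a per-byte 8-bit rotation (an assumption, since Figure 7 is not reproduced here), splits the decoded packet at the 0x52-byte header boundary, and stops short of the AES session layer, for which the Python standard library has no primitive. The header filler, the body text and the size cap are constructed for the demonstration.

```python
# Added example (not the malware's own code, nor from the Unit 42 write-up):
# the wire-level codec the write-up describes for the backdoor's custom
# protocol. Encoding is rotate-left-by-3 followed by XOR with 0x1B; decoding
# reverses the two steps. ASSUMPTION: the rotation is an 8-bit rotate applied
# to each byte independently (the original routine in Figure 7 is not shown).
import zlib

XOR_KEY = 0x1B
HEADER_LEN = 0x52     # fixed header; data past this point is zlib + AES-CBC
MAX_BODY = 0x100000   # ASSUMPTION: illustrative cap; the real limit is not published


def rol8(value, count):
    # rotate an 8-bit value left by count bits
    count %= 8
    return ((value << count) | (value >> (8 - count))) & 0xFF


def ror8(value, count):
    # rotate right is rotate left by the complementary amount
    return rol8(value, 8 - (count % 8))


def encode_packet(plain):
    # client to wire: rotate each byte left 3, then XOR with the fixed key
    return bytes((rol8(b, 3) ^ XOR_KEY) for b in plain)


def decode_packet(wire):
    # wire to analyst: undo the XOR first, then rotate right 3
    return bytes(ror8(b ^ XOR_KEY, 3) for b in wire)


def legacy_decode(wire):
    # the earlier variant only XORed with 0x1B (no rotation), kept for contrast
    return bytes(b ^ XOR_KEY for b in wire)


def split_packet(decoded):
    # header is the first 0x52 bytes; the body, if any, is the compressed and
    # session-key-encrypted blob. AES is not reproduced here; this only
    # enforces the layout and the length check the backdoor itself performs.
    if len(decoded) < HEADER_LEN:
        raise ValueError('short packet: %d bytes' % len(decoded))
    header, body = decoded[:HEADER_LEN], decoded[HEADER_LEN:]
    if len(body) > MAX_BODY:
        raise ValueError('body exceeds cap')
    return header, body


def build_demo_packet():
    # Constructed sample, not a real capture: 0x52 bytes of filler standing in
    # for the header, plus a zlib-compressed body so the split can be exercised
    # offline without the AES step.
    header = bytes(range(HEADER_LEN))
    body = zlib.compress(b'survey result placeholder')
    return encode_packet(header + body)


def demo():
    # round trip: encode as the client would, decode as the analyst would
    wire = build_demo_packet()
    header, body = split_packet(decode_packet(wire))
    return len(header), zlib.decompress(body)


if __name__ == '__main__':
    print(demo())
```

Run decode_packet over a captured stream before looking for the magic bytes; a stream that decodes cleanly with legacy_decode but not with decode_packet is the older variant.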
The server acknowledges and responds with the same command, and the client verifies that the file has been created.\r\n\\xa7\\xf1\\xd9*\\x82\\xc8\\xd8\\xfe4137674062B3226FE630C24F7DE1021E\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\r\nFigure 10. Decrypted contents of ~/Library/Preferences/.files\r\nCommand 0x18320E0\r\nThe server sends this command with an ephemeral key shortly after it sends the 0x2170272 command. The client gathers all the data seen in Figure 11, encrypts it with the key provided by the server and sends it back. One thing to note is the Base64 string sent in this packet. This string is static in the binary and does not change, which may indicate a marker for campaign or version identification.\r\n\\x00\\x00\\x004137674062B3226FE630C24F7DE1021E\\xe9\\x0f\\x00\\x00\\x00Mac OS X 10.X.X\\xb6\\x03\\x00\\x00\r\n\\x00username\\t\\x00\\x00\\x00localhost\\x18\\x00\\x00\\x00Ze0pXcpfbqbS4wD0eS/LVQ==\\xb6\\xbc\\x1cY\\x00\\x00\\x00\\x00M\\x00\\x00\\x00/Users/usernam\r\nABCDEF01-23456789ABCDEF01-23456789/\r\nservicessl\\x8b\\xbc\\x1cY\\x00\\x00\\x00\\x00\\x17\\x00\\x00\\x00en0 : AA:BB:CC:DD:EE:FF[\\x00\\x00\\x00lo0 : fe80::1\\nlo0 :\r\n127.0.0.1\\nlo0 : ::1\\nen0 : fe80::aaaa:bbbb:cccc:111\\nen0 : 192.168.1.254\r\n\\x05\\x01\\x00\\x00f\\x00\\x00\\x00Model ID:iMac8,1\\nCPU:Intel(R) Core(TM)2 Duo CPU     T7700  @\r\n2.40GHz\\nMemory:4.00\\nSerial No:XXXXXXXXXXX\\x00\\x00\\x00\\x00\r\nFigure 11. 
Decrypted contents of a packet sent by the client to the server\r\nNot highlighted in Figure 11, but also included in this packet, is the kernel boot time, which the C2 server may use to help determine whether the backdoor is running in a sandbox: a machine that booted only minutes before its first check-in looks like a freshly started analysis VM rather than a user’s workstation.\r\nCommands 0x25D5082, 0x1B25503, 0x1532E65\r\nThese commands load a dynamic library using dlopen() and obtain a function pointer to execute within that shared library using dlsym(). Unfortunately, we do not know which dynamic libraries or functions are used for each command, since these are server supplied and we were not able to capture any communication that used these commands.\r\nHowever, the functions take the same number of arguments, the first of which is a fairly large constant similar to the command constants (see Figure 12), and the backdoor has a function for receiving files. We therefore postulate that these functions correspond to a shared library that the server uploads to the victim host, meaning that additional functionality can be added to this backdoor by loading modules directly from the C2 server.\r\nFigure 12. Snippets showing loaded function pointers and their parameters\r\nConclusion\r\nMost macOS malware in the wild today is not very complex, but threat actors have been quickly improving their tradecraft. The increased level of sophistication and complexity may indicate that macOS hosts will be targeted more heavily in the future. With this OceanLotus attack, in combination with recent macOS versions of the Sofacy group’s toolset, we have now observed multiple espionage-motivated threat actors targeting macOS. 
It is imperative that the same types of strong security practices and policies organizations use to defend Windows devices are applied universally, to include macOS devices as well.\r\nApple has already updated the macOS protection systems to address this variant of OceanLotus.\r\nPalo Alto Networks customers are protected and may learn more via the following:\r\nSamples are classified as malicious by WildFire\r\nDomains and IPs have been classified as malicious and IPS signatures generated\r\nAutoFocus users may learn more via the OceanLotus tag\r\nIndicators of Compromise\r\nHashes (SHA256)\r\nb33370167853330704945684c50ce0af6eb27838e1e3f88ea457d2c88a223d8b  Noi dung chi tiet.zip\r\nb3cf3e3b52b4b899cd0814fc75698ea24f08ce18642665adcd3555a068b5c16d  Info.plist\r\n07154b7a45937f2f5a2cda5b701504b179d0304fc653edb2d0672f54796c35f7  Noi dung chi tiet\r\n82502191c9484b04d685374f9879a0066069c49b8acae7a04b01d38d07e8eca0  PkgInfo\r\nf0c1b360c0b24b5450a79138650e6ee254afae6ce8f6c68da7d1f32f91582680  .CFUserEncoding\r\ne84b5c5152d8edf1e814cc4b4975bfe4dc0063ef90294cc96b383f523042f783  info.icns\r\nC2 Server\r\ncall[.]raidstore[.]org\r\ntechnology[.]macosevents[.]com\r\npress[.]infomapress[.]com\r\n24h[.]centralstatus[.]net\r\n93.115.38.178\r\nDropped Files\r\nUID == 0                                        UID \u003e 0\r\n/Library/LaunchDaemons/com.apple.mtmfsd.plist   ~/Library/LaunchAgents/com.apple.openssl.plist\r\n/Library/TimeMachine/bin/mtmfs                  ~/Library/OpenSSL/0000-\u003csegmented MD5 hash\u003e/servicessl\r\n/Library/Preferences/.files                     ~/Library/Preferences/.files\r\nSource: https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/"
	],
	"report_names": [
		"unit42-new-improved-macos-backdoor-oceanlotus"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434116,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1c077e95fd513ff03dc3cecb9678794ac01f0ad4.pdf",
		"text": "https://archive.orkl.eu/1c077e95fd513ff03dc3cecb9678794ac01f0ad4.txt",
		"img": "https://archive.orkl.eu/1c077e95fd513ff03dc3cecb9678794ac01f0ad4.jpg"
	}
}