{
	"id": "07f2bfef-f6a2-4ab2-a7e9-314b8e5a6383",
	"created_at": "2026-04-06T00:19:11.917639Z",
	"updated_at": "2026-04-10T03:36:17.360502Z",
	"deleted_at": null,
	"sha1_hash": "1c615d7dc0813d9716d27b328a88a9491775a984",
	"title": "Cisco Talos shares insights related to recent cyber attack on Cisco",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 187882,
	"plain_text": "Cisco Talos shares insights related to recent cyber attack on Cisco\r\nBy Nick Biasini\r\nPublished: 2022-08-10 · Archived: 2026-04-05 14:03:09 UTC\r\nUpdate History\r\nDate Description of Updates\r\nAug. 10th 2022 Adding clarifying details on activity involving active directory.\r\nAug. 10th 2022 Update made to the Cisco Response and Recommendations section related to MFA.\r\nExecutive summary\r\nOn May 24, 2022, Cisco became aware of a potential compromise. Since that point, Cisco Security\r\nIncident Response (CSIRT) and Cisco Talos have been working to remediate.\r\nDuring the investigation, it was determined that a Cisco employee’s credentials were compromised after an\r\nattacker gained control of a personal Google account where credentials saved in the victim’s browser were\r\nbeing synchronized.\r\nThe attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted\r\norganizations attempting to convince the victim to accept multi-factor authentication (MFA) push\r\nnotifications initiated by the attacker. 
The attacker ultimately succeeded in achieving an MFA push\r\nacceptance, granting them access to VPN in the context of the targeted user.\r\nCSIRT and Talos are responding to the event and we have not identified any evidence suggesting that the\r\nattacker gained access to critical internal systems, such as those related to product development, code\r\nsigning, etc.\r\nAfter obtaining initial access, the threat actor conducted a variety of activities to maintain access, minimize\r\nforensic artifacts, and increase their level of access to systems within the environment.\r\nThe threat actor was successfully removed from the environment and displayed persistence, repeatedly\r\nattempting to regain access in the weeks following the attack; however, these attempts were unsuccessful.\r\nWe assess with moderate to high confidence that this attack was conducted by an adversary that has been\r\npreviously identified as an initial access broker (IAB) with ties to the UNC2447 cybercrime gang, Lapsus$\r\nthreat actor group, and Yanluowang ransomware operators.\r\nFor further information see the Cisco Response page here.\r\nInitial vector\r\nhttps://blog.talosintelligence.com/recent-cyber-attack/\r\nPage 1 of 12\n\nInitial access to the Cisco VPN was achieved via the successful compromise of a Cisco employee’s personal\r\nGoogle account. The user had enabled password syncing via Google Chrome and had stored their Cisco\r\ncredentials in their browser, enabling that information to synchronize to their Google account. After obtaining the\r\nuser’s credentials, the attacker attempted to bypass multifactor authentication (MFA) using a variety of techniques,\r\nincluding voice phishing (aka \"vishing\") and MFA fatigue, the process of sending a high volume of push requests\r\nto the target’s mobile device until the user accepts, either accidentally or simply to attempt to silence the repeated\r\npush notifications they are receiving. 
Vishing is an increasingly common social engineering technique whereby\r\nattackers try to trick employees into divulging sensitive information over the phone. In this instance, an employee\r\nreported that they received multiple calls over several days in which the callers – who spoke in English with\r\nvarious international accents and dialects – purported to be associated with support organizations trusted by the\r\nuser.\r\nOnce the attacker had obtained initial access, they enrolled a series of new devices for MFA and authenticated\r\nsuccessfully to the Cisco VPN. The attacker then escalated to administrative privileges, allowing them to log in to\r\nmultiple systems, which alerted our Cisco Security Incident Response Team (CSIRT), who subsequently\r\nresponded to the incident. The actor in question dropped a variety of tools, including remote access tools like\r\nLogMeIn and TeamViewer, offensive security tools such as Cobalt Strike, PowerSploit, Mimikatz, and Impacket,\r\nand added their own backdoor accounts and persistence mechanisms.\r\nPost-compromise TTPs\r\nFollowing initial access to the environment, the threat actor conducted a variety of activities for the purposes of\r\nmaintaining access, minimizing forensic artifacts, and increasing their level of access to systems within the\r\nenvironment.\r\nOnce on a system, the threat actor began to enumerate the environment, using common built-in Windows utilities\r\nto identify the user and group membership configuration of the system, hostname, and identify the context of the\r\nuser account under which they were operating. We periodically observed the attacker issuing commands\r\ncontaining typographical errors, indicating manual operator interaction was occurring within the environment.\r\nAfter establishing access to the VPN, the attacker then began to use the compromised user account to log on to a\r\nlarge number of systems before beginning to pivot further into the environment. 
They moved into the Citrix\r\nenvironment, compromising a series of Citrix servers and eventually obtaining privileged access to domain\r\ncontrollers.\r\nAfter obtaining access to the domain controllers, the attacker began attempting to dump NTDS from them using\r\n“ntdsutil.exe” consistent with the following syntax:\r\npowershell ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\\users\\public' q q\r\nThey then worked to exfiltrate the dumped NTDS over SMB (TCP/445) from the domain controller to the VPN\r\nsystem under their control.\r\nAfter obtaining access to credential databases, the attacker was observed leveraging machine accounts for\r\nprivileged authentication and lateral movement across the environment.\r\nConsistent with activity we previously observed in other separate but similar attacks, the adversary created an\r\nadministrative user called “z” on the system using the built-in Windows “net.exe” commands. This account was\r\nthen added to the local Administrators group. We also observed instances where the threat actor changed the\r\npassword of existing local user accounts to the same value shown below. Notably, we have observed the creation\r\nof the “z” account by this actor in previous engagements prior to the Russian invasion of Ukraine.\r\nC:\\Windows\\system32\\net user z Lh199211* /add\r\nC:\\Windows\\system32\\net localgroup administrators z /add\r\nThis account was then used in some cases to execute additional utilities, such as adfind or secretsdump, to attempt\r\nto enumerate the directory services environment and obtain additional credentials. 
Additionally, the threat actor\r\nwas observed attempting to extract registry information, including the SAM database on compromised Windows\r\nhosts.\r\nreg save hklm\\system system\r\nreg save hklm\\sam sam\r\nreg save HKLM\\security sec\r\nOn some systems, the attacker was observed employing MiniDump from Mimikatz to dump LSASS.\r\ntasklist | findstr lsass\r\nrundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump [LSASS_PID] C:\\windows\\temp\\lsass.dmp full\r\nThe attacker also took steps to remove evidence of activities performed on compromised systems by deleting the\r\npreviously created local Administrator account. They also used the “wevtutil.exe” utility to identify and clear\r\nevent logs generated on the system.\r\nwevtutil.exe el\r\nwevtutil.exe cl [LOGNAME]\r\nIn many cases, we observed the attacker removing the previously created local administrator account.\r\nnet user z /delete\r\nTo move files between systems within the environment, the threat actor often leveraged Remote Desktop Protocol\r\n(RDP) and Citrix. We observed them modifying the host-based firewall configurations to enable RDP access to\r\nsystems.\r\nnetsh advfirewall firewall set rule group=remote desktop new enable=Yes\r\nWe also observed the installation of additional remote access tools, such as TeamViewer and LogMeIn.\r\nC:\\Windows\\System32\\msiexec.exe /i C:\\Users\\[USERNAME]\\Pictures\\LogMeIn.msi\r\nThe attacker frequently leveraged Windows logon bypass techniques to maintain the ability to access systems in\r\nthe environment with elevated privileges. 
They frequently relied upon PSEXESVC.exe to remotely add the\r\nfollowing Registry key values:\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\narrator.exe /v Debugger /t REG_\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe /v Debugger /t REG_SZ\r\nThis enabled the attacker to leverage the accessibility features present on the Windows logon screen to spawn a\r\nSYSTEM-level command prompt, granting them complete control of the systems. In several cases, we observed\r\nthe attacker adding these keys but not further interacting with the system, possibly as a persistence mechanism to\r\nbe used later as their primary privileged access is revoked.\r\nThroughout the attack, we observed attempts to exfiltrate information from the environment. We confirmed that\r\nthe only successful data exfiltration that occurred during the attack included the contents of a Box folder that was\r\nassociated with a compromised employee’s account and employee authentication data from Active Directory. The\r\nBox data obtained by the adversary in this case was not sensitive.\r\nIn the weeks following the eviction of the attacker from the environment, we observed continuous attempts to re-establish access. In most cases, the attacker was observed targeting weak password rotation hygiene following\r\nmandated employee password resets. They primarily targeted users who they believed would have made single-\r\ncharacter changes to their previous passwords, attempting to leverage these credentials to authenticate and regain\r\naccess to the Cisco VPN. The attacker was initially leveraging traffic anonymization services like Tor; however,\r\nafter experiencing limited success, they switched to attempting to establish new VPN sessions from residential IP\r\nspace using accounts previously compromised during the initial stages of the attack. 
We also observed the\r\nregistration of several additional domains referencing the organization while responding to the attack and took\r\naction on them before they could be used for malicious purposes.\r\nAfter being successfully removed from the environment, the adversary also repeatedly attempted to establish\r\nemail communications with executive members of the organization but did not make any specific threats or\r\nextortion demands. In one email, they included a screenshot showing the directory listing of the Box data that was\r\npreviously exfiltrated as described earlier. Below is a screenshot of one of the received emails. The adversary\r\nredacted the directory listing screenshot prior to sending the email.\r\nBackdoor analysis\r\nThe actor dropped a series of payloads onto systems, which we continue to analyze. The first payload is a simple\r\nbackdoor that takes commands from a command and control (C2) server and executes them on the end system via\r\nthe Windows Command Processor. The commands are sent in JSON blobs and are standard for a backdoor. There\r\nis a “DELETE_SELF” command that removes the backdoor from the system completely. Another, more\r\ninteresting, command, “WIPE”, instructs the backdoor to remove the last executed command from memory, likely\r\nwith the intent of negatively impacting forensic analysis on any impacted hosts.\r\nCommands are retrieved by making HTTP GET requests to the C2 server using the following structure:\r\n/bot/cmd.php?botid=%.8x\r\nThe malware also communicates with the C2 server via HTTP GET requests that feature the following structure:\r\n/bot/gate.php?botid=%.8x\r\nFollowing the initial request from the infected system, the C2 server responds with a SHA256 hash. 
We observed\r\nadditional requests made every 10 seconds.\r\nThe aforementioned HTTP requests are sent using the following user-agent string:\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537\r\nThe malware also creates a file called “bdata.ini” in the malware’s current working directory that contains a value\r\nderived from the volume serial number present on the infected system. In instances where this backdoor was\r\nexecuted, the malware was observed running from the following directory location:\r\nC:\\users\\public\\win\\cmd.exe\r\nThe attacker was frequently observed staging tooling in directory locations under the Public user profile on\r\nsystems from which they were operating.\r\nBased upon analysis of C2 infrastructure associated with this backdoor, we assess that the C2 server was set up\r\nspecifically for this attack.\r\nAttack attribution\r\nBased upon artifacts obtained, tactics, techniques, and procedures (TTPs) identified, infrastructure used, and a\r\nthorough analysis of the backdoor utilized in this attack, we assess with moderate to high confidence that this\r\nattack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with\r\nties to both UNC2447 and Lapsus$. IABs typically attempt to obtain privileged access to corporate network\r\nenvironments and then monetize that access by selling it to other threat actors who can then leverage it for a\r\nvariety of purposes. 
We have also observed previous activity linking this threat actor to the Yanluowang\r\nransomware gang, including the use of the Yanluowang data leak site for posting data stolen from compromised\r\norganizations.\r\nUNC2447 is a financially-motivated threat actor with a nexus to Russia that has been previously observed\r\nconducting ransomware attacks and leveraging a technique known as “double extortion,” in which data is\r\nexfiltrated prior to ransomware deployment in an attempt to coerce victims into paying ransom demands. Prior\r\nreporting indicates that UNC2447 has been observed operating a variety of ransomware, including FIVEHANDS,\r\nHELLOKITTY, and more.\r\nApart from UNC2447, some of the TTPs discovered during the course of our investigation match those of\r\nLapsus$. Lapsus$ is a threat actor group that is reported to have been responsible for several previous notable\r\nbreaches of corporate environments. Several arrests of Lapsus$ members were reported earlier this year. Lapsus$\r\nhas been observed compromising corporate environments and attempting to exfiltrate sensitive information.\r\nWhile we did not observe ransomware deployment in this attack, the TTPs used were consistent with “pre-ransomware activity,” activity commonly observed leading up to the deployment of ransomware in victim\r\nenvironments. Many of the TTPs observed are consistent with activity observed by CTIR during previous\r\nengagements. Our analysis also suggests reuse of server-side infrastructure associated with these previous\r\nengagements as well. In previous engagements, we also did not observe deployment of ransomware in the victim\r\nenvironments.\r\nCisco response and recommendations\r\nCisco implemented a company-wide password reset immediately upon learning of the incident. CTIR previously\r\nobserved similar TTPs in numerous investigations since 2021. 
Our findings and subsequent security protections\r\nresulting from those customer engagements helped us slow and contain the attacker’s progression. We created two\r\nClamAV signatures, which are listed below.\r\nWin.Exploit.Kolobko-9950675-0\r\nWin.Backdoor.Kolobko-9950676-0\r\nThreat actors commonly use social engineering techniques to compromise targets, and despite the frequency of\r\nsuch attacks, organizations continue to face challenges mitigating those threats. User education is paramount in\r\nthwarting such attacks, including making sure employees know the legitimate ways that support personnel will\r\ncontact users so that employees can identify fraudulent attempts to obtain sensitive information.\r\nGiven the actor’s demonstrated proficiency in using a wide array of techniques to obtain initial access, user\r\neducation is also a key part of countering MFA bypass techniques. Equally important to implementing MFA is\r\nensuring that employees are educated on what to do and how to respond if they get errant push requests on their\r\nrespective phones. It is also essential to educate employees about who to contact if such incidents do arise to help\r\ndetermine if the event was a technical issue or malicious.\r\nFor Duo, it is beneficial to implement strong device verification by enforcing stricter controls around device status\r\nto limit or block enrollment and access from unmanaged or unknown devices. Additionally, leveraging risk\r\ndetection to highlight events like a brand-new device being used from an unrealistic location or attack patterns like\r\nlogin brute force can help detect unauthorized access.\r\nPrior to allowing VPN connections from remote endpoints, ensure that posture checking is configured to enforce a\r\nbaseline set of security controls. This ensures that the connecting devices match the security requirements present\r\nin the environment. 
This can also prevent rogue devices that have not been previously approved from connecting\r\nto the corporate network environment.\r\nNetwork segmentation is another important security control that organizations should employ, as it provides\r\nenhanced protection for high-value assets and also enables more effective detection and response capabilities in\r\nsituations where an adversary is able to gain initial access into the environment.\r\nCentralized log collection can help minimize the lack of visibility that results when an attacker takes active steps to\r\nremove logs from systems. Ensuring that the log data generated by endpoints is centrally collected and analyzed\r\nfor anomalous or overtly malicious behavior can provide early indication when an attack is underway.\r\nIn many cases, threat actors have been observed targeting the backup infrastructure in an attempt to further\r\nremove an organization’s ability to recover following an attack. Ensuring that backups are offline and periodically\r\ntested can help mitigate this risk and ensure an organization’s ability to effectively recover following an attack.\r\nAuditing of command line execution on endpoints can also provide increased visibility into actions being\r\nperformed on systems in the environment and can be used to detect suspicious execution of built-in Windows\r\nutilities, which is commonly observed during intrusions where threat actors rely on benign applications or utilities\r\nalready present in the environment for enumeration, privilege escalation, and lateral movement activities.\r\nMitre ATT\u0026CK mapping\r\nAll of the previously described TTPs that were observed in this attack are listed below based on the phase of the\r\nattack in which they occurred.\r\nInitial Access\r\nATT\u0026CK Technique : Phishing (T1566)\r\nATT\u0026CK Technique : Valid Accounts (T1078)\r\nExecution\r\nATT\u0026CK Technique : System 
Services: Service Execution (T1569.002)\r\nPersistence\r\nATT\u0026CK Technique : Create Account: Local Account (T1136.001)\r\nATT\u0026CK Technique : Account Manipulation: Device Registration (T1098.005)\r\nPrivilege Escalation\r\nATT\u0026CK Technique : Event Triggered Execution: Image File Execution Options Injection (T1546.012)\r\nDefense Evasion\r\nATT\u0026CK Technique : Indicator Removal on Host (T1070)\r\nATT\u0026CK Technique : Indicator Removal on Host: Clear Windows Event Logs (T1070.001)\r\nATT\u0026CK Technique : Masquerading: Match Legitimate Name or Location (T1036.005)\r\nATT\u0026CK Technique : Impair Defenses: Disable or Modify System Firewall (T1562.004)\r\nATT\u0026CK Technique : Modify Registry (T1112)\r\nCredential Access\r\nATT\u0026CK Technique : OS Credential Dumping: LSASS Memory (T1003.001)\r\nATT\u0026CK Technique : OS Credential Dumping: Security Account Manager (T1003.002)\r\nATT\u0026CK Technique : OS Credential Dumping: NTDS (T1003.003)\r\nATT\u0026CK Technique : Multi-Factor Authentication Request Generation (T1621)\r\nLateral Movement\r\nATT\u0026CK Technique : Remote Services (T1021)\r\nDiscovery\r\nATT\u0026CK Technique : Query Registry (T1012)\r\nCommand and Control\r\nATT\u0026CK Technique : Application Layer Protocol: Web Protocols (T1071.001)\r\nATT\u0026CK Technique : Remote Access Software (T1219)\r\nATT\u0026CK Technique : Encrypted Channel: Asymmetric Cryptography (T1573.002)\r\nATT\u0026CK Technique : Proxy: Multi-hop Proxy (T1090.003)\r\nExfiltration\r\nATT\u0026CK Technique : Exfiltration Over Alternative Protocol (T1048)\r\nIndicators of compromise\r\nThe following indicators of compromise were observed associated with this attack.\r\nHashes 
(SHA256)\r\nIP Addresses\r\nDomains\r\nEmail Addresses\r\ncostacancordia[@]protonmail[.]com\r\nSource: https://blog.talosintelligence.com/recent-cyber-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.talosintelligence.com/recent-cyber-attack/"
	],
	"report_names": [
		"recent-cyber-attack"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "065b7ea2-5920-4270-824e-94ea8a79d197",
			"created_at": "2023-12-08T02:00:05.747632Z",
			"updated_at": "2026-04-10T02:00:03.492858Z",
			"deleted_at": null,
			"main_name": "UNC2447",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC2447",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cf1c7efe-4464-4347-95d3-c86fb4d7db51",
			"created_at": "2022-10-25T16:07:24.35977Z",
			"updated_at": "2026-04-10T02:00:04.953882Z",
			"deleted_at": null,
			"main_name": "UNC2447",
			"aliases": [],
			"source_name": "ETDA:UNC2447",
			"tools": [
				"7-Zip",
				"AdFind",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DEATHRANSOM",
				"DeathRansom",
				"FIVEHANDS",
				"FOXGRABBER",
				"HELLOKITTY",
				"HelloKitty",
				"KittyCrypt",
				"Mimikatz",
				"PCHUNTER",
				"RCLONE",
				"ROUTERSCAN",
				"Ragnar Locker",
				"RagnarLocker",
				"Rclone",
				"S3BROWSER",
				"SombRAT",
				"Thieflock",
				"WARPRISM",
				"cobeacon",
				"deathransom",
				"wacatac"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434751,
	"ts_updated_at": 1775792177,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1c615d7dc0813d9716d27b328a88a9491775a984.pdf",
		"text": "https://archive.orkl.eu/1c615d7dc0813d9716d27b328a88a9491775a984.txt",
		"img": "https://archive.orkl.eu/1c615d7dc0813d9716d27b328a88a9491775a984.jpg"
	}
}