{
	"id": "9a8884e9-007a-424e-83c2-d4aefa98808e",
	"created_at": "2026-04-06T00:14:18.32677Z",
	"updated_at": "2026-04-10T03:35:53.069062Z",
	"deleted_at": null,
	"sha1_hash": "1c6f4e9cd95df2174b083e1eb9e0a67c68c9ee65",
	"title": "TRACKING RANSOMWARE : JANUARY 2025 - CYFIRMA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 550321,
	"plain_text": "TRACKING RANSOMWARE : JANUARY 2025 - CYFIRMA\r\nArchived: 2026-04-02 10:39:19 UTC\r\nPublished On : 2025-02-10\r\nEXECUTIVE SUMMARY\r\nJanuary 2025 saw consistent ransomware incidents, with 510 reported victims globally. Akira led the landscape,\r\nwhile new groups like MORPHEUS and Gd Lockersec emerged. The Manufacturing sector remained the primary\r\ntarget, with Finance and IT also heavily impacted. The USA remained the most targeted region. This report\r\nexplores key ransomware trends, highlighting the growing sophistication of threat actors and their increasing\r\nfocus on regions across the globe, emphasizing the need for stronger cybersecurity measures.\r\nINTRODUCTION\r\nThe ransomware landscape in January 2025 showed a slight decline, yet the frequency and complexity of attacks\r\nremained consistent. This report provides a comprehensive analysis of ransomware activity, comparing trends\r\nfrom previous months. It highlights the most affected industries, regions, and the emergence of new ransomware\r\nhttps://www.cyfirma.com/research/tracking-ransomware-january-2025/\r\nPage 1 of 11\n\ngroups. Additionally, the report examines the evolving tactics of prominent threat actors, including Python-based\r\nmalware deployments and VMware ESXi exploitation, offering insights into the shifting cyber threat landscape.\r\nKEY POINTS\r\nIn January 2025, the Akira ransomware group emerged as a significant threat, with a victim count of 72.\r\nThe Manufacturing sector is the primary target of ransomware attacks, experiencing 75 incidents globally in\r\nJanuary 2025.\r\nThe USA was the most targeted geography in January 2025.\r\nMORPHEUS and Gd Lockersec emerged as new threats in the ransomware landscape.\r\nTREND COMPARISON OF JANUARY 2025’s TOP 5 RANSOMWARE GROUPS.\r\nThroughout January 2025, there was notable activity from several ransomware groups. 
Here are the trends\r\nregarding the top 5:\r\nIn January 2025, Akira’s activity surged by 60%, while Lynx and Incransom saw sharp increases of 200% and\r\n250%, respectively. In contrast, Cl0p experienced a 12% decline, and RansomHub dropped by 20%. These trends\r\nhighlight the evolving ransomware landscape and the shifting focus of threat actors across industries.\r\nINDUSTRIES TARGETED IN JANUARY 2025 COMPARED WITH DECEMBER 2024\r\nThe graph highlights shifting ransomware trends across industries in January 2025 compared to December 2024.\r\nIT surged by 60%, driven by its critical data and supply chain access. Healthcare rose by 31.25%, reflecting\r\nincreased targeting of sensitive medical data. Government \u0026 Law saw a 9% decline, while Education and\r\nTransportation spiked by 93% and 69%, respectively, due to their expanding digital footprints. FMCG and\r\nHospitality saw marginal increases of 8% and 5%, respectively. Conversely, Banking \u0026 Finance dropped by 54%,\r\nand Manufacturing declined slightly by 2.6%. These trends highlight the evolving threat landscape, necessitating\r\nrobust cybersecurity strategies across all sectors.\r\nTREND COMPARISON OF RANSOMWARE ATTACKS\r\nJanuary 2025 experienced a 3.95% decline in victims when compared to December 2024.\r\nHowever, the long-term trend remains alarming. January victims rose from 205 in 2023 to 280 in 2024, then\r\nsurged to 510 in 2025 – an 82.14% increase in a year. 
This sharp rise highlights ransomware’s growing impact,\r\nfueled by evolving tactics, expanded attack surfaces, and heightened targeting of enterprises across critical\r\nindustries.\r\nGEOGRAPHICAL TARGETS: TOP 5 LOCATIONS\r\nThe data reveals that ransomware attacks in January 2025 were heavily concentrated in the United States (259),\r\nfollowed by Canada (29), the United Kingdom (25), France (18), and Germany (15). These regions are prime\r\ntargets due to their strong economies, data-rich enterprises, critical infrastructure, and high ransom-paying\r\npotential, making them lucrative for cybercriminals.\r\nEVOLUTION OF RANSOMWARE GROUPS IN JANUARY 2025\r\nPython-Based Malware Fuels RansomHub Ransomware Operations\r\nA recent campaign has been observed utilizing a Python-based backdoor to deploy RansomHub ransomware\r\nacross compromised networks. Initial access was achieved using SocGholish, a JavaScript-based malware\r\ndistributed through drive-by downloads and SEO poisoning techniques. SocGholish targeted outdated WordPress\r\nSEO plugins like Yoast and Rank Math PRO for exploitation. After the initial infection, the Python backdoor was\r\ndropped within 20 minutes and propagated laterally using RDP sessions.\r\nThe Python script functions as a reverse proxy, establishing a tunnel based on the SOCKS5 protocol after a C2\r\nhandshake. It is highly obfuscated but features distinct classes, detailed method names, error handling, and\r\nverbose debugging. These characteristics indicate a sophisticated development process, potentially assisted by AI\r\ntools. The backdoor facilitates lateral movement, enabling ransomware deployment while bypassing detection.\r\nETLM Assessment\r\nRansomware campaigns will increasingly leverage Python-based backdoors for seamless network infiltration and\r\npropagation. 
These backdoors, combined with advanced obfuscation and lateral movement capabilities, will\r\nenable ransomware groups to exploit critical vulnerabilities in cloud infrastructure and legacy systems. This\r\nevolution signals a growing focus on targeting enterprises with complex network environments for maximum\r\nimpact.\r\nRansomware groups stealthily infiltrate VMware ESXi using SSH tunnels.\r\nRansomware actors are increasingly targeting VMware ESXi bare-metal hypervisors due to their critical role in\r\nvirtualized infrastructures, hosting multiple virtual machines on a single physical server. These appliances are\r\noften unmonitored, making them ideal targets for attackers to establish persistence, exfiltrate data, encrypt files,\r\nand cripple an organization’s operations by rendering virtual machines inaccessible.\r\nA common technique involves abusing ESXi’s built-in SSH service, intended for administrative management, to\r\nestablish stealthy persistence. Threat actors compromise these systems either by using administrative credentials or\r\nby exploiting known vulnerabilities. Once access is gained, SSH tunneling is configured to create a SOCKS\r\nconnection to the attackers’ command-and-control (C2) server. This allows the attackers to move laterally, deploy\r\nransomware payloads, and maintain a persistent backdoor. The resilience of ESXi appliances, which are rarely\r\nshut down, further enhances the stealth of this approach.\r\nMonitoring and detecting these attacks is challenging due to ESXi’s distributed logging mechanism, where logs\r\nare separated into multiple files instead of a consolidated syslog. Critical logs include /var/log/shell.log (command\r\nexecution), /var/log/hostd.log (administrative activities), /var/log/auth.log (authentication events), and\r\n/var/log/vobd.log (system and security events). 
Threat actors often manipulate or clear these logs to hide traces of\r\ntheir activity.\r\nETLM Assessment\r\nRansomware actors will likely continue exploiting VMware ESXi hypervisors due to their critical role in\r\nvirtualized environments and limited monitoring. Threat actors may integrate advanced tunneling techniques, log\r\nmanipulation tactics, and automated persistence mechanisms, emphasizing the need for proactive defenses,\r\ncentralized logging, and robust access controls to mitigate emerging threats.\r\nExperts discover a shared codebase between Morpheus and HellCat ransomware.\r\nThe HellCat and Morpheus ransomware operations, which emerged in October and December 2024, respectively,\r\nare employing an identical payload code, suggesting shared development resources or a common builder\r\napplication. Both ransomware strains utilize 64-bit executable payloads requiring a specified input path. They\r\nexclude the \\Windows\\System32 folder and file extensions like .dll, .sys, .exe, .drv, .com, and .cat from\r\nencryption, showcasing targeted file exclusion techniques.\r\nAn unusual feature is that neither ransomware alters the extensions or metadata of encrypted files. While the file\r\ncontents are encrypted, the original filenames and extensions remain intact. Encryption is performed using the\r\nWindows Cryptographic API, relying on the BCrypt algorithm for key generation and file encryption.\r\nThe ransom notes dropped by both operations share structural similarities, resembling templates used by earlier\r\nransomware schemes, though the payloads differ functionally. 
Unlike many ransomware families, HellCat and\r\nMorpheus do not modify system settings, such as desktop wallpaper, or establish persistence mechanisms on\r\ninfected systems, focusing solely on encryption and extortion.\r\nETLM Assessment\r\nThe rise of shared ransomware codebases and decentralized affiliate models signals a shift toward more efficient\r\nand widespread operations in 2025. Emerging groups like Morpheus and HellCat may drive innovation in stealthy\r\nencryption techniques, targeting high-value enterprises. Increased competition among threat actors could also lead\r\nto faster adoption of advanced evasion and encryption methods.\r\nTRIPLESTRENGTH targets cloud for cryptojacking and on-premises infrastructures\r\nA financially motivated threat actor, dubbed TRIPLESTRENGTH, has been identified targeting cloud\r\nenvironments and on-premises infrastructures for cryptojacking, ransomware, and extortion. This group leverages\r\na combination of stolen credentials, cookies, and information stealer logs to gain unauthorized access to cloud\r\ninstances from platforms like Google Cloud, AWS, and Microsoft Azure. Once access is achieved, hijacked\r\nenvironments are exploited to deploy cryptocurrency mining operations using the unMiner application and\r\nunMineable mining pools, optimized for CPU and GPU mining.\r\nTRIPLESTRENGTH further escalates by utilizing privileged accounts to add attacker-controlled billing contacts\r\nto victim cloud projects, enabling large-scale mining. While cryptojacking targets cloud resources, its ransomware\r\nactivities focus on on-premises systems, using lockers such as Phobos, LokiLocker, and RCRU64. 
These\r\noperations involve lateral movement, antivirus evasion, and mass encryption on targeted hosts.\r\nThe group also advertises access to compromised servers and promotes RCRU64 ransomware-as-a-service on\r\nTelegram, actively seeking collaborators for ransomware and extortion campaigns. Observed attacks highlight\r\nvulnerabilities in remote access services, which are exploited for initial access, often bypassing security\r\nmechanisms like MFA.\r\nETLM Assessment\r\nTRIPLESTRENGTH and other threat actors are likely to refine their ransomware arsenal, shifting focus toward\r\nhybrid cloud environments to exploit their critical role in enterprise operations. Expect advanced ransomware\r\npayloads targeting high-value on-premise systems and cloud platforms, with increased use of RaaS models and\r\npartnerships to scale extortion campaigns globally.\r\nRansomware groups impersonate I.T. support in Teams’ phishing schemes.\r\nIn recent days, ransomware operators have been leveraging email bombing and impersonation in Microsoft Teams\r\ncalls to infiltrate corporate networks. This tactic was first observed in attacks attributed to Black Basta\r\nransomware. 
Recent findings reveal similar methods being used by groups that researchers called STAC5143 and\r\nSTAC5777.\r\nSTAC5143 initiated attacks by overwhelming targets with spam emails – 3,000 messages within 45 minutes –\r\nfollowed by external Teams calls from accounts like “Help Desk Manager.” Victims were tricked into granting\r\nremote access, allowing the attackers to deploy a Java archive (MailQueue-Handler.jar) and RPivot malware.\r\nRPivot, previously linked to FIN7 operations, established encrypted command-and-control communication.\r\nAlthough the obfuscation techniques suggest ties to FIN7, the public availability of the tools complicates\r\nattribution.\r\nMore recent activity from STAC5777 involved similar tactics but used Microsoft Quick Assist for direct access.\r\nThe group deployed malware that logged keystrokes, harvested credentials, and scanned networks. Evidence\r\nsuggests STAC5777 attempted to deploy Black Basta ransomware, highlighting potential collaboration or overlap\r\nbetween the groups. These findings demonstrate the evolution of ransomware tactics, emphasizing sophisticated\r\nsocial engineering and tool integration.\r\nETLM Assessment\r\nRansomware groups will increasingly adopt these advanced tactics, exploiting collaboration tools like Microsoft\r\nTeams. Inspired by methods used by Black Basta and others, future campaigns will likely target critical industries\r\nwith refined approaches to maximize impact.\r\nRansomware exploits AWS feature and encrypts S3 buckets for ransom demands.\r\nThe ransomware campaign by Codefinger targets Amazon S3 buckets by exploiting compromised AWS\r\ncredentials with ‘s3:GetObject’ and ‘s3:PutObject’ privileges. The attackers use AWS’s Server-Side Encryption\r\nwith Customer Provided Keys (SSE-C) to encrypt data, generating a custom AES-256 key locally that is unknown\r\nto the victim. 
Since AWS does not store these keys, decryption is impossible without the attacker’s cooperation.\r\nRansom notes are placed in affected directories, demanding Bitcoin payments for the decryption key, while a\r\nseven-day file deletion policy is enforced via the S3 Object Lifecycle Management API. Victims are warned\r\nagainst altering account permissions, as doing so results in negotiation termination. The attack leverages AWS’s\r\nnative services and achieves encryption in a way that is both secure and unrecoverable without the attackers’ cooperation.\r\nETLM Assessment\r\nThe success of Codefinger’s tactics may encourage more ransomware groups to adopt cloud-native encryption\r\ntechniques, making data recovery nearly impossible without paying ransom. Future attacks could expand beyond\r\nS3 to other cloud storage services, exploiting misconfigured IAM policies and automation tools and increasing the\r\nrisk of large-scale, undetectable ransomware operations.\r\nEMERGING GROUPS\r\nMORPHEUS\r\nResearchers have identified a new ransomware named Morpheus. This ransomware has potentially been active\r\nsince the end of December 2024 but only published victims – on a data leak site – since January 2025. At the time\r\nof writing this report, the group has claimed 3 victims.\r\nAppearance of the Onion site (Source: Underground Forum)\r\nGd Lockersec\r\nBy the end of January 2025, our researchers observed the launch of a leak site by Gd Lockersec, a newly emerged\r\n
They also emphasize that companies that already paid a ransom are exempt from\r\nre-attacks.\r\nDuring the drafting of this report, the group has claimed 5 victims.\r\nAppearance of the Onion site (Source: Underground Forum)\r\nKEY RANSOMWARE EVENTS IN JANUARY 2025\r\nRhode Island’s RIBridges stolen data leaks\r\nThe Brain Cipher ransomware gang has initiated the release of data stolen from Rhode Island’s RIBridges social\r\nservices platform, impacting approximately 650,000 individuals. RIBridges, an integrated eligibility system for\r\nmanaging state social assistance programs, was compromised in an attack first detected on December 5, 2024.\r\nConfirmation of data theft occurred on December 10, based on evidence provided by the attackers. Malicious code\r\nwas identified on December 13, prompting the platform’s shutdown for remediation.\r\nThe leaked data includes personally identifiable information (PII) of adults and minors, such as names, addresses,\r\nSocial Security numbers, and banking details. The group used an encryptor based on the leaked LockBit 3.0\r\nbuilder and operates a data leak site for extortion purposes. While the data leak site is currently offline, the Tor\r\nnegotiation page remains active. Victims are advised to monitor their credit and remain vigilant against phishing\r\nscams leveraging the stolen data.\r\nUS charges cryptomixer operators for aiding ransomware gangs’ activities\r\nRecently, three operators of cryptocurrency mixing services were indicted for aiding ransomware groups and\r\nstate-sponsored hackers in laundering illicit funds. These mixers facilitated the obfuscation of ransomware\r\nproceeds by mixing crypto assets and redistributing them to customer-controlled wallets. 
The services, active\r\nbetween 2018 and 2023, were linked to the laundering of over $500 million stolen during major ransomware and\r\nhacking campaigns, including operations by North Korean groups.\r\nOne service, shut down in 2022, was directly tied to laundering funds from a high-profile cryptocurrency bridge\r\nhack, while its successor continued similar operations until seized by international law enforcement in 2023. Both\r\nservices were sanctioned for their role in enabling ransomware gangs and hackers to launder stolen virtual\r\ncurrency.\r\nTwo operators were apprehended in December 2024, while a third remains at large. This indictment underscores\r\nlaw enforcement’s focus on dismantling financial infrastructures that enable ransomware attacks and cybercrime\r\non a global scale.\r\nTata Technologies suspended some IT services following a ransomware attack.\r\nThe ransomware attack on Tata Technologies resulted in the temporary suspension of select IT services, though\r\nclient delivery operations remained unaffected. The company has since restored impacted assets and is conducting\r\na detailed investigation with cybersecurity experts. While the attacker’s identity remains unknown, no major\r\nransomware groups have claimed responsibility. It is also unclear whether data exfiltration occurred. However,\r\nransomware incidents often involve data theft, even if encryption is prevented. Given Tata Technologies’ role in\r\nautomotive design, aerospace, and R\u0026D, any potential data compromise could expose intellectual property and\r\nconfidential engineering documents. This incident follows a 2022 attack on Tata Power, where exfiltrated data was\r\nleaked.\r\nThe attack highlights the ongoing threat to technology firms, particularly those involved in state projects and\r\ncritical sectors. 
Without clear attribution, the motive remains uncertain, but data theft remains a key concern.\r\nOrganizations in similar industries should reinforce cybersecurity to mitigate evolving ransomware tactics.\r\nNew York blood donation giant faces ransomware attack\r\nThe ransomware attack on the New York Blood Center (NYBC) led to operational disruptions, forcing the\r\nrescheduling of some donor appointments and blood drives. The incident was detected on January 26 after\r\nsuspicious activity was observed on its IT systems. In response, NYBC engaged cybersecurity experts, took\r\naffected systems offline, and initiated containment measures. While donation services remain active, ongoing\r\ndisruptions continue to impact scheduling and logistics. The attack coincided with a severe blood shortage,\r\nexacerbating supply challenges. No ransomware group has claimed responsibility, and it is unclear whether donor\r\npersonal or health data was compromised.\r\nBUSINESS IMPACT ANALYSIS\r\nBased on available public reports, approximately 31% of enterprises are compelled to halt their operations, either\r\ntemporarily or permanently, in the aftermath of a ransomware onslaught. The ripple effects extend beyond\r\noperational disruptions, as detailed by additional metrics:\r\nA significant 40% of affected organizations are forced into downsizing their workforce due to the financial\r\nstrain caused by the attack.\r\nThe aftermath sees 35% of businesses experiencing turnover at the executive level, with C-suite members\r\nstepping down in the wake of the security breach.\r\nThe financial toll of cyber incidents is staggering, with the average cost burden to companies, irrespective\r\nof their size, estimated at around $200,000. 
This figure underscores the substantial economic impact of\r\ncyber threats.\r\nAlarmingly, 75% of small to medium-sized enterprises (SMEs) face existential threats, admitting the\r\nlikelihood of closure should cybercriminals extort them for ransom to avoid malware infection.\r\nThe long-term viability of these entities is also in jeopardy, with 60% of small businesses shutting down\r\nwithin six months post-attack, highlighting the enduring impact of such security breaches.\r\nEven where ransoms are not paid, organizations bear significant financial weight in\r\ntheir recovery and remediation endeavors to restore normality and secure their systems.\r\nEXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW\r\nImpact Assessment\r\nRansomware poses a significant threat to both organizations and individuals by encrypting critical data and\r\ndemanding payment for decryption. Beyond the ransom itself, these attacks lead to substantial financial burdens\r\ndue to recovery efforts and cybersecurity measures, disrupt operations, and erode customer trust. Victims often\r\nsuffer reputational damage, regulatory penalties, and market instability, further undermining consumer confidence.\r\nTo safeguard financial stability and public trust, it is crucial for businesses and governments to prioritize proactive\r\nmeasures against ransomware threats.\r\nVictimology\r\nCybercriminals are increasingly targeting businesses that handle large volumes of sensitive data, including\r\npersonal information, financial records, and intellectual property. Industries such as manufacturing, real estate,\r\nhealthcare, FMCG, e-commerce, finance, and technology are particularly vulnerable due to their extensive data\r\nrepositories. These attackers focus on nations with strong economies and advanced digital infrastructures,\r\nexploiting vulnerabilities to encrypt critical data and demand substantial ransoms. 
Their goal is to maximize\r\nfinancial gains through sophisticated and calculated strategies.\r\nCONCLUSION\r\nJanuary 2025 ransomware activity saw a small decline while remaining consistent, highlighting the persistent evolution of\r\ncyber threats, with increased sophistication in attack methods. Key industries, including manufacturing,\r\nhealthcare, and finance, remain at heightened risk. Organizations must prioritize robust cybersecurity measures,\r\nincluding regular patching, employee training, and incident response planning, to mitigate risks. Strengthening\r\ndefenses against ransomware is essential to safeguard operations, protect sensitive data, and ensure resilience\r\nagainst this escalating global cyber threat.\r\nSTRATEGIC RECOMMENDATIONS:\r\n1. Strengthen cybersecurity measures: invest in robust cybersecurity solutions, including advanced threat\r\ndetection and prevention tools, to proactively defend against evolving ransomware threats.\r\n2. Employee training and awareness: conduct regular cybersecurity training for employees to educate them\r\nabout phishing, social engineering, and safe online practices to minimize the risk of ransomware infections.\r\n3. Incident response planning: develop and regularly update a comprehensive incident response plan to ensure\r\na swift and effective response in case of a ransomware attack, reducing the potential impact and downtime.\r\nMANAGEMENT RECOMMENDATIONS:\r\n1. Cyber insurance: evaluate and consider cyber insurance policies that cover ransomware incidents to\r\nmitigate financial losses and protect the organization against potential extortion demands.\r\n2. Security audits: conduct periodic security audits and assessments to identify and address potential\r\nweaknesses in the organization’s infrastructure and processes.\r\n3. 
Security governance: establish a strong security governance framework that ensures accountability and\r\nclear responsibilities for cybersecurity across the organization.\r\nTACTICAL RECOMMENDATIONS:\r\n1. Patch management: regularly update software and systems with the latest security patches to mitigate\r\nvulnerabilities that threat actors may exploit.\r\n2. Network segmentation: implement network segmentation to limit the lateral movement of ransomware\r\nwithin the network, isolating critical assets from potential infections.\r\n3. Multi-factor authentication (MFA): enable MFA for all privileged accounts and critical systems to add an\r\nextra layer of security against unauthorized access.\r\nSource: https://www.cyfirma.com/research/tracking-ransomware-january-2025/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.cyfirma.com/research/tracking-ransomware-january-2025/"
	],
	"report_names": [
		"tracking-ransomware-january-2025"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a602818a-34da-445f-9bac-715cc9b47a3d",
			"created_at": "2025-07-12T02:04:58.190857Z",
			"updated_at": "2026-04-10T02:00:03.850831Z",
			"deleted_at": null,
			"main_name": "GOLD PUMPKIN",
			"aliases": [
				"HellCat"
			],
			"source_name": "Secureworks:GOLD PUMPKIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "908cf62e-45cd-492b-bf12-d0902e12fece",
			"created_at": "2024-08-20T02:00:04.543947Z",
			"updated_at": "2026-04-10T02:00:03.68848Z",
			"deleted_at": null,
			"main_name": "UNC4393",
			"aliases": [
				"Storm-1811",
				"CURLY SPIDER",
				"STAC5777"
			],
			"source_name": "MISPGALAXY:UNC4393",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fb23d29-6c6c-459b-8985-e11f125cebcf",
			"created_at": "2025-03-07T02:00:03.805635Z",
			"updated_at": "2026-04-10T02:00:03.83403Z",
			"deleted_at": null,
			"main_name": "TRIPLESTRENGTH",
			"aliases": [],
			"source_name": "MISPGALAXY:TRIPLESTRENGTH",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5db75358-a99f-4023-b081-6fdc33996906",
			"created_at": "2025-01-21T02:00:03.595641Z",
			"updated_at": "2026-04-10T02:00:03.803086Z",
			"deleted_at": null,
			"main_name": "Codefinger",
			"aliases": [],
			"source_name": "MISPGALAXY:Codefinger",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6ed6a54a-1e8f-45f7-997a-4424eb2bcac8",
			"created_at": "2025-03-04T02:00:03.001987Z",
			"updated_at": "2026-04-10T02:00:03.815321Z",
			"deleted_at": null,
			"main_name": "STAC5143",
			"aliases": [],
			"source_name": "MISPGALAXY:STAC5143",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434458,
	"ts_updated_at": 1775792153,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1c6f4e9cd95df2174b083e1eb9e0a67c68c9ee65.pdf",
		"text": "https://archive.orkl.eu/1c6f4e9cd95df2174b083e1eb9e0a67c68c9ee65.txt",
		"img": "https://archive.orkl.eu/1c6f4e9cd95df2174b083e1eb9e0a67c68c9ee65.jpg"
	}
}