{
	"id": "47929428-8279-4f74-9130-ee5547f730e2",
	"created_at": "2026-04-06T00:18:36.101035Z",
	"updated_at": "2026-04-10T03:32:43.74658Z",
	"deleted_at": null,
	"sha1_hash": "1c8fcda6344f74a8b148f92ba86838bb0d12e221",
	"title": "APT33 Targets Aerospace \u0026 Energy Sectors | Spear Phishing",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 876502,
	"plain_text": "APT33 Targets Aerospace \u0026 Energy Sectors | Spear Phishing\r\nBy Mandiant\r\nPublished: 2017-09-20 · Archived: 2026-04-05 14:02:02 UTC\r\nWritten by: Jacqueline O'Leary, Josiah Kimble, Kelli Vanderlee, Nalani Fraser\r\nWhen discussing suspected Middle Eastern hacker groups with destructive capabilities, many automatically think\r\nof the suspected Iranian group that previously used SHAMOON – aka Disttrack – to target organizations in the\r\nPersian Gulf. However, over the past few years, we have been tracking a separate, less widely known suspected\r\nIranian group with potential destructive capabilities, whom we call APT33. Our analysis reveals that APT33 is a\r\ncapable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the\r\nbehest of the Iranian government.\r\nRecent investigations by FireEye’s Mandiant incident response consultants combined with FireEye iSIGHT Threat\r\nIntelligence analysis have given us a more complete picture of APT33’s operations, capabilities, and potential\r\nmotivations. This blog highlights some of our analysis. Our detailed report on FireEye Threat Intelligence contains\r\na more thorough review of our supporting evidence and analysis. We will also be discussing this threat group\r\nfurther during our webinar on Sept. 21 at 8 a.m. ET.\r\nTargeting\r\nAPT33 has targeted organizations – spanning multiple industries – headquartered in the United States, Saudi\r\nArabia and South Korea. APT33 has shown particular interest in organizations in the aviation sector involved in\r\nboth military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical\r\nproduction.\r\nFrom mid-2016 through early 2017, APT33 compromised a U.S. 
organization in the aerospace sector and targeted\r\na business conglomerate located in Saudi Arabia with aviation holdings.\r\nDuring the same time period, APT33 also targeted a South Korean company involved in oil refining and\r\npetrochemicals. More recently, in May 2017, APT33 appeared to target a Saudi organization and a South Korean\r\nbusiness conglomerate using a malicious file that attempted to entice victims with job vacancies for a Saudi\r\nArabian petrochemical company.\r\nWe assess the targeting of multiple companies with aviation-related partnerships to Saudi Arabia indicates that\r\nAPT33 may possibly be looking to gain insights on Saudi Arabia’s military aviation capabilities to enhance Iran’s\r\ndomestic aviation capabilities or to support Iran’s military and strategic decision making vis a vis Saudi Arabia.\r\nWe believe the targeting of the Saudi organization may have been an attempt to gain insight into regional rivals,\r\nwhile the targeting of South Korean companies may be due to South Korea’s recent partnerships with Iran’s\r\npetrochemical industry as well as South Korea’s relationships with Saudi petrochemical companies. Iran has\r\nhttps://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html\r\nPage 1 of 11\n\nexpressed interest in growing their petrochemical industry and often posited this expansion in competition to\r\nSaudi petrochemical companies. 
APT33 may have targeted these organizations as a result of Iran’s desire to\r\nexpand its own petrochemical production and improve its competitiveness within the region.\r\nThe generalized targeting of organizations involved in energy and petrochemicals mirrors previously observed\r\ntargeting by other suspected Iranian threat groups, indicating a common interest in the sectors across Iranian\r\nactors.\r\nFigure 1 shows the global scope of APT33 targeting.\r\nFigure 1: Scope of APT33 Targeting\r\nSpear Phishing\r\nAPT33 sent spear phishing emails to employees whose jobs related to the aviation industry. These emails included\r\nrecruitment themed lures and contained links to malicious HTML application (.hta) files. The .hta files contained\r\njob descriptions and links to legitimate job postings on popular employment websites that would be relevant to the\r\ntargeted individuals.\r\nAn example .hta file excerpt is provided in Figure 2. To the user, the file would appear as benign references to\r\nlegitimate job postings; however, unbeknownst to the user, the .hta file also contained embedded code that\r\nautomatically downloaded a custom APT33 backdoor.\r\nFigure 2: Excerpt of an APT33 malicious .hta file\r\nWe assess APT33 used a built-in phishing module within the publicly available ALFA TEaM Shell (aka\r\nALFASHELL) to send hundreds of spear phishing emails to targeted individuals in 2016. Many of the phishing\r\nemails appeared legitimate – they referenced a specific job opportunity and salary, provided a link to the spoofed\r\ncompany’s employment website, and even included the spoofed company’s Equal Opportunity hiring statement.\r\nHowever, in a few cases, APT33 operators left in the default values of the shell’s phishing module. 
These appear\r\nto be mistakes, as minutes after sending the emails with the default values, APT33 sent emails to the same\r\nrecipients with the default values removed.\r\nAs shown in Figure 3, the “fake mail” phishing module in the ALFA Shell contains default values, including the\r\nsender email address (solevisible@gmail[.]com), subject line (“your site hacked by me”), and email body (“Hi\r\nDear Admin”).\r\nFigure 3: ALFA TEaM Shell v2-Fake Mail (Default)\r\nFigure 4 shows an example email containing the default values of the shell.\r\nFigure 4: Example Email Generated by the ALFA Shell with Default Values\r\nDomain Masquerading\r\nAPT33 registered multiple domains that masquerade as Saudi Arabian aviation companies and Western\r\norganizations that together have partnerships to provide training, maintenance and support for Saudi’s military and\r\ncommercial fleet. Based on observed targeting patterns, APT33 likely used these domains in spear phishing emails\r\nto target victim organizations.\r\nThe following domains masquerade as these organizations: Boeing, Alsalam Aircraft Company, Northrop\r\nGrumman Aviation Arabia (NGAAKSA), and Vinnell Arabia.\r\nboeing.servehttp[.]com\r\nalsalam.ddns[.]net\r\nngaaksa.ddns[.]net\r\nngaaksa.sytes[.]net\r\nvinnellarabia.myftp[.]org\r\nBoeing, Alsalam Aircraft Company, and Saudia Aerospace Engineering Industries entered into a joint venture to\r\ncreate the Saudi Rotorcraft Support Center in Saudi Arabia in 2015 with the goal of servicing Saudi Arabia’s\r\nrotorcraft fleet and building a self-sustaining workforce in the Saudi aerospace supply base.\r\nAlsalam Aircraft Company also offers military and commercial maintenance, technical support, and interior\r\ndesign and refurbishment 
services.\r\nTwo of the domains appeared to mimic Northrop Grumman joint ventures. These joint ventures – Vinnell Arabia\r\nand Northrop Grumman Aviation Arabia – provide aviation support in the Middle East, specifically in Saudi\r\nArabia. Both Vinnell Arabia and Northrop Grumman Aviation Arabia have been involved in contracts to train\r\nSaudi Arabia’s Ministry of National Guard.\r\nIdentified Persona Linked to Iranian Government\r\nWe identified APT33 malware tied to an Iranian persona who may have been employed by the Iranian government\r\nto conduct cyber threat activity against its adversaries.\r\nWe assess an actor using the handle “xman_1365_x” may have been involved in the development and potential\r\nuse of APT33’s TURNEDUP backdoor due to the inclusion of the handle in the processing-debugging (PDB)\r\npaths of many TURNEDUP samples. An example can be seen in Figure 5.\r\nFigure 5: “xman_1365_x” PDB String in TURNEDUP Sample\r\nXman_1365_x was also a community manager in the Barnamenevis Iranian programming and software\r\nengineering forum, and registered accounts in the well-known Iranian Shabgard and Ashiyane forums, though we\r\ndid not find evidence to suggest that this actor was ever a formal member of the Shabgard or Ashiyane hacktivist\r\ngroups.\r\nOpen source reporting links the “xman_1365_x” actor to the “Nasr Institute,” which is purported to be equivalent\r\nto Iran’s “cyber army” and controlled by the Iranian government. Separately, additional evidence ties the “Nasr\r\nInstitute” to the 2011-2013 attacks on the financial industry, a series of denial of service attacks dubbed Operation\r\nAbabil. In March 2016, the U.S. 
Department of Justice unsealed an indictment that named two individuals\r\nallegedly hired by the Iranian government to build attack infrastructure and conduct distributed denial of service\r\nattacks in support of Operation Ababil. While the individuals and the activity described in the indictment are different\r\nfrom what is discussed in this report, it provides some evidence that individuals associated with the “Nasr\r\nInstitute” may have ties to the Iranian government.\r\nPotential Ties to Destructive Capabilities and Comparisons with SHAMOON\r\nOne of the droppers used by APT33, which we refer to as DROPSHOT, has been linked to the wiper malware\r\nSHAPESHIFT. Open source research indicates SHAPESHIFT may have been used to target organizations in\r\nSaudi Arabia.\r\nAlthough we have only directly observed APT33 use DROPSHOT to deliver the TURNEDUP backdoor, we have\r\nidentified multiple DROPSHOT samples in the wild that drop SHAPESHIFT. The SHAPESHIFT malware is\r\ncapable of wiping disks, erasing volumes and deleting files, depending on its configuration. Both DROPSHOT\r\nand SHAPESHIFT contain Farsi language artifacts, which indicates they may have been developed by a Farsi\r\nlanguage speaker (Farsi is the predominant and official language of Iran).\r\nWhile we have not directly observed APT33 use SHAPESHIFT or otherwise carry out destructive operations,\r\nAPT33 is the only group that we have observed use the DROPSHOT dropper. It is possible that DROPSHOT may\r\nbe shared amongst Iran-based threat groups, but we do not have any evidence that this is the case.\r\nIn March 2017, Kaspersky released a report that compared DROPSHOT (which they call Stonedrill) with the most\r\nrecent variant of SHAMOON (referred to as Shamoon 2.0). They stated that both wipers employ anti-emulation\r\ntechniques and were used to target organizations in Saudi Arabia, but also mentioned several differences. 
For\r\nexample, they stated DROPSHOT uses more advanced anti-emulation techniques, utilizes external scripts for self-deletion, and uses memory injection versus external drivers for deployment. Kaspersky also noted the difference\r\nin resource language sections: SHAMOON embeds Arabic-Yemen language resources while DROPSHOT embeds\r\nFarsi (Persian) language resources.\r\nWe have also observed differences in both targeting and tactics, techniques and procedures (TTPs) associated with\r\nthe group using SHAMOON and APT33. For example, we have observed SHAMOON being used to target\r\ngovernment organizations in the Middle East, whereas APT33 has targeted several commercial organizations both\r\nin the Middle East and globally. APT33 has also utilized a wide range of custom and publicly available tools\r\nduring their operations. In contrast, we have not observed the full lifecycle of operations associated with\r\nSHAMOON, in part due to the wiper removing artifacts of the earlier stages of the attack lifecycle.\r\nRegardless of whether DROPSHOT is exclusive to APT33, both the malware and the threat activity appear to be\r\ndistinct from the group using SHAMOON. Therefore, we assess there may be multiple Iran-based threat groups\r\ncapable of carrying out destructive operations.\r\nAdditional Ties Bolster Attribution to Iran\r\nAPT33’s targeting of organizations involved in aerospace and energy most closely aligns with nation-state\r\ninterests, implying that the threat actor is most likely government sponsored. 
This, coupled with the timing of\r\noperations – which coincides with Iranian working hours – and the use of multiple Iranian hacker tools and name\r\nservers, bolsters our assessment that APT33 may have operated on behalf of the Iranian government.\r\nThe times of day that APT33 threat actors were active suggest that they were operating in a time zone close to\r\n04:30 hours ahead of Coordinated Universal Time (UTC). The time of the observed attacker activity coincides\r\nwith Iran’s Daylight Time, which is +0430 UTC.\r\nAPT33 largely operated on days that correspond to Iran’s workweek, Saturday to Wednesday. This is evident from\r\nthe lack of attacker activity on Thursday, as shown in Figure 6. Public sources report that Iran works a Saturday to\r\nWednesday or Saturday to Thursday work week, with government offices closed on Thursday and some private\r\nbusinesses operating on a half day schedule on Thursday. Many other Middle East countries have elected to have a\r\nFriday and Saturday weekend. Iran is one of few countries that subscribes to a Saturday to Wednesday workweek.\r\nAPT33 leverages popular Iranian hacker tools and DNS servers used by other suspected Iranian threat groups. The\r\npublicly available backdoors and tools utilized by APT33 – including NANOCORE, NETWIRE, and ALFA Shell\r\n– are all available on Iranian hacking websites, associated with Iranian hackers, and used by other suspected\r\nIranian threat groups. 
While not conclusive by itself, the use of publicly available Iranian hacking tools and\r\npopular Iranian hosting companies may be a result of APT33’s familiarity with them and lends support to the\r\nassessment that APT33 may be based in Iran.\r\nFigure 6: APT33 Interactive Commands by Day of Week\r\nOutlook and Implications\r\nBased on observed targeting, we believe APT33 engages in strategic espionage by targeting geographically\r\ndiverse organizations across multiple industries. Specifically, the targeting of organizations in the aerospace and\r\nenergy sectors indicates that the threat group is likely in search of strategic intelligence capable of benefitting a\r\ngovernment or military sponsor. APT33’s focus on aviation may indicate the group’s desire to gain insight into\r\nregional military aviation capabilities to enhance Iran’s aviation capabilities or to support Iran’s military and\r\nstrategic decision making. Their targeting of multiple holding companies and organizations in the energy sectors\r\naligns with Iranian national priorities for growth, especially as it relates to increasing petrochemical production. We\r\nexpect APT33 activity will continue to cover a broad scope of targeted entities, and may spread into other regions\r\nand sectors as Iranian interests dictate.\r\nAPT33’s use of multiple custom backdoors suggests that they have access to some of their own development\r\nresources, with which they can support their operations, while also making use of publicly available tools. 
The ties\r\nto SHAPESHIFT may suggest that APT33 engages in destructive operations or that they share tools or a developer\r\nwith another Iran-based threat group that conducts destructive operations.\r\nAppendix\r\nMalware Family Descriptions\r\nMalware Family | Description | Availability\r\nDROPSHOT | Dropper that has been observed dropping and launching the TURNEDUP backdoor, as well as the SHAPESHIFT wiper malware | Non-Public\r\nNANOCORE | Publicly available remote access Trojan (RAT) available for purchase. It is a full-featured backdoor with a plugin framework | Public\r\nNETWIRE | Backdoor that attempts to steal credentials from the local machine from a variety of sources and supports other standard backdoor features. | Public\r\nTURNEDUP | Backdoor capable of uploading and downloading files, creating a reverse shell, taking screenshots, and gathering system information | Non-Public\r\nIndicators of Compromise\r\nAPT33 Domains Likely Used in Initial Targeting\r\nDomain\r\nboeing.servehttp[.]com\r\nalsalam.ddns[.]net\r\nngaaksa.ddns[.]net\r\nngaaksa.sytes[.]net\r\nvinnellarabia.myftp[.]org\r\nAPT33 Domains / IPs Used for C2\r\nC2 Domain MALWARE\r\nmanagehelpdesk[.]com NANOCORE\r\nmicrosoftupdated[.]com NANOCORE\r\nosupd[.]com NANOCORE\r\nmywinnetwork.ddns[.]net NETWIRE\r\nwww.chromup[.]com TURNEDUP\r\nwww.securityupdated[.]com TURNEDUP\r\ngooglmail[.]net TURNEDUP\r\nmicrosoftupdated[.]net TURNEDUP\r\nsyn.broadcaster[.]rocks TURNEDUP\r\nwww.googlmail[.]net TURNEDUP\r\nPublicly Available Tools used by APT33\r\nMD5 MALWARE Compile Time (UTC)\r\n3f5329cf2a829f8840ba6a903f17a1bf NANOCORE 2017/1/11 2:20\r\n10f58774cd52f71cd4438547c39b1aa7 NANOCORE 2016/3/9 23:48\r\n663c18cfcedd90a3c91a09478f1e91bc NETWIRE 2016/6/29 13:44\r\n6f1d5c57b3b415edc3767b079999dd50 NETWIRE 2016/5/29 14:11\r\nUnattributed DROPSHOT / SHAPESHIFT MD5 
Hashes\r\nMD5 MALWARE Compile Time (UTC)\r\n0ccc9ec82f1d44c243329014b82d3125 DROPSHOT (drops SHAPESHIFT) n/a - timestomped\r\nfb21f3cea1aa051ba2a45e75d46b98b8 DROPSHOT n/a - timestomped\r\n3e8a4d654d5baa99f8913d8e2bd8a184 SHAPESHIFT 2016/11/14 21:16:40\r\n6b41980aa6966dda6c3f68aeeb9ae2e0 SHAPESHIFT 2016/11/14 21:16:40\r\nAPT33 Malware MD5 Hashes\r\nMD5 MALWARE Compile Time (UTC)\r\n8e67f4c98754a2373a49eaf53425d79a DROPSHOT (drops TURNEDUP) 2016/10/19 14:26\r\nc57c5529d91cffef3ec8dadf61c5ffb2 TURNEDUP 2014/6/1 11:01\r\nc02689449a4ce73ec79a52595ab590f6 TURNEDUP 2016/9/18 10:50\r\n59d0d27360c9534d55596891049eb3ef TURNEDUP 2016/3/8 12:34\r\n797bc06d3e0f5891591b68885d99b4e1 TURNEDUP 2015/3/12 5:59\r\n8e6d5ef3f6912a7c49f8eb6a71e18ee2 TURNEDUP 2015/3/12 5:59\r\n32a9a9aa9a81be6186937b99e04ad4be TURNEDUP 2015/3/12 5:59\r\na272326cb5f0b73eb9a42c9e629a0fd8 TURNEDUP 2015/3/9 16:56\r\na813dd6b81db331f10efaf1173f1da5d TURNEDUP 2015/3/9 16:56\r\nde9e3b4124292b4fba0c5284155fa317 TURNEDUP 2015/3/9 16:56\r\nb3d73364995815d78f6d66101e718837 TURNEDUP 2014/6/1 11:01\r\nde7a44518d67b13cda535474ffedf36b TURNEDUP 2014/6/1 11:01\r\nb5f69841bf4e0e96a99aa811b52d0e90 TURNEDUP 2014/6/1 11:01\r\na2af2e6bbb6551ddf09f0a7204b5952e TURNEDUP 2014/6/1 11:01\r\nb189b21aafd206625e6c4e4a42c8ba76 TURNEDUP 2014/6/1 11:01\r\naa63b16b6bf326dd3b4e82ffad4c1338 TURNEDUP 2014/6/1 11:01\r\nc55b002ae9db4dbb2992f7ef0fbc86cb TURNEDUP 2014/6/1 11:01\r\nc2d472bdb8b98ed83cc8ded68a79c425 TURNEDUP 2014/6/1 11:01\r\nc6f2f502ad268248d6c0087a2538cad0 TURNEDUP 2014/6/1 11:01\r\nc66422d3a9ebe5f323d29a7be76bc57a TURNEDUP 2014/6/1 
11:01\r\nae47d53fe8ced620e9969cea58e87d9a TURNEDUP 2014/6/1 11:01\r\nb12faab84e2140dfa5852411c91a3474 TURNEDUP 2014/6/1 11:01\r\nc2fbb3ac76b0839e0a744ad8bdddba0e TURNEDUP 2014/6/1 11:01\r\na80c7ce33769ada7b4d56733d02afbe5 TURNEDUP 2014/6/1 11:01\r\n6a0f07e322d3b7bc88e2468f9e4b861b TURNEDUP 2014/6/1 11:01\r\nb681aa600be5e3ca550d4ff4c884dc3d TURNEDUP 2014/6/1 11:01\r\nae870c46f3b8f44e576ffa1528c3ea37 TURNEDUP 2014/6/1 11:01\r\nbbdd6bb2e8827e64cd1a440e05c0d537 TURNEDUP 2014/6/1 11:01\r\n0753857710dcf96b950e07df9cdf7911 TURNEDUP 2013/4/10 10:43\r\nd01781f1246fd1b64e09170bd6600fe1 TURNEDUP 2013/4/10 10:43\r\n1381148d543c0de493b13ba8ca17c14f TURNEDUP 2013/4/10 10:43\r\nSource: https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"
	],
	"report_names": [
		"apt33-insights-into-iranian-cyber-espionage.html"
	],
	"threat_actors": [
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434716,
	"ts_updated_at": 1775791963,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1c8fcda6344f74a8b148f92ba86838bb0d12e221.pdf",
		"text": "https://archive.orkl.eu/1c8fcda6344f74a8b148f92ba86838bb0d12e221.txt",
		"img": "https://archive.orkl.eu/1c8fcda6344f74a8b148f92ba86838bb0d12e221.jpg"
	}
}