{
	"id": "c3b97231-82e1-4f02-a2dc-2cc69e736706",
	"created_at": "2026-04-06T00:10:09.315105Z",
	"updated_at": "2026-04-10T03:37:32.662468Z",
	"deleted_at": null,
	"sha1_hash": "1d85fe3666be2b707c99943844dc63287d787e08",
	"title": "UNC2452 Merged into APT29 | Russia-Based Espionage Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 905767,
	"plain_text": "UNC2452 Merged into APT29 | Russia-Based Espionage Group\r\nBy Mandiant\r\nPublished: 2022-04-27 · Archived: 2026-04-05 21:31:30 UTC\r\nWritten by: Mandiant\r\nMandiant has gathered sufficient evidence to assess that the activity tracked as UNC2452, the group name used to\r\ntrack the SolarWinds compromise in December 2020, is attributable to APT29.\r\nThis conclusion matches attribution statements previously made by the U.S. Government that the SolarWinds\r\nsupply chain compromise was conducted by APT29, a Russia-based espionage group assessed to be sponsored by\r\nthe Russian Foreign Intelligence Service (SVR). Our evaluation is based on firsthand data gathered by Mandiant\r\nand is the result of an extensive comparison and review of UNC2452 and our detailed knowledge of APT29.\r\nThe merge of UNC2452 into APT29 significantly expands our knowledge of APT29 and showcases an evolving,\r\ndisciplined, and highly skilled threat actor that operates with a heightened level of operational security (OPSEC)\r\nfor the purposes of intelligence collection. This blog post builds on our efforts to share information and provide\r\nawareness related to APT29’s developments.\r\nEvolving Tradecraft\r\nAPT29 is a highly sophisticated group that has continued to evolve and refine its operational and behavioral\r\ntactics, techniques, and procedures (TTPs) to better obfuscate activity and limit its digital footprint to avoid\r\ndetection. The merge expands APT29’s operational profile, emphasizing the group’s well-resourced nature,\r\nlongevity of operations, time on targets, OPSEC, adaptability, and stealth. The group has been steadily advancing\r\nits TTPs and adopting new measures as new technologies emerge.\r\nHigh Operational Tempo and Scale. 
Mandiant has tracked APT29 activity since at least 2014 and, despite\r\nsignificant public exposure following the SolarWinds compromise in 2020, the group has continued to\r\nconduct multiple, large-scale compromises simultaneously in different time zones throughout 2020 and\r\n2021 at a high operational tempo. In 2021 and 2022, we observed APT29 conduct large-scale phishing\r\ncampaigns targeting diplomatic entities in Europe, North America, and Asia. The scale and scope of this\r\nactivity suggest the group is well-resourced.\r\nWide Operational Scope. APT29 has targeted Western and European governments and a range of\r\nadditional industries including education, telecommunications, government-adjacent organizations,\r\nmedical research entities, and organizations that provide third-party access, such as technology companies\r\nand IT and business service providers.\r\nVictimology and Data Theft. APT29 has maintained a consistent focus on aggressively gaining and\r\nmaintaining access to email mailboxes. More recently, they also targeted cloud-based resources and source\r\nhttps://www.mandiant.com/resources/blog/unc2452-merged-into-apt29\r\nPage 1 of 8\n\ncode repositories to hunt for data relevant to Russian strategic interests, conduct operational planning, and\r\nto use access to third parties as a point of entry to downstream customers.\r\nFigure 1: APT29 Victimology\r\nMandiant observed APT29 evolve its already advanced tradecraft to adapt to different victim environments and\r\nemerging technology in the following ways:\r\nVarying Intrusion Vectors. Since 2020, APT29 increasingly sought to exploit trust relationships between\r\ncustomers and third parties and abuse the supply chain, as evidenced by the prolific nature of the\r\nSolarWinds compromise. Mandiant observed APT29 leverage varying operational techniques to gain initial\r\naccess to victims including stolen credentials, web server compromises, password sprays, and spear\r\nphishing. 
Notably, from 2021 to the present, Mandiant observed APT29 alter its TTPs slightly to deploy\r\nCobalt Strike BEACON via spear phishing campaigns, likely due to the availability and success of the\r\npublicly available malware, as well as to complicate attribution efforts given the tool’s wide use.\r\nFigure 2: Initial Infection Vectors used by APT29\r\nHeightened OPSEC. APT29 is known for its extensive operational discipline and continues to maintain a\r\nstrong OPSEC posture across all operations. APT29 demonstrates a heightened level of OPSEC to protect\r\nsecondary backdoors, lateral movement attempts, and data theft. For instance, APT29 went to considerable\r\nlengths to hide its SUNBURST backdoor within the legitimate SolarWinds code during the initial\r\ncampaign. Additionally, Mandiant previously identified the group’s attempts to compromise multiple\r\naccounts within an environment while keeping the use of each account separate by function, using one for\r\nreconnaissance and the others for lateral movement. This reduces the likelihood that detecting one\r\ncompromised account’s activity could expose the entire scope of the intrusion.\r\nSince 2018, APT29 has consistently enhanced the operational security of its command and control (C2)\r\ninfrastructure using legitimate services and compromised infrastructure, as well as domain fronting\r\ntechniques and reliance on anonymized internet access, such as using proxy services and the TOR\r\nnetwork. In addition, APT29 has continued to demonstrate a clear understanding of security operations,\r\nincident response, remediation efforts, and network detection mechanisms. 
Table 1 provides some\r\nexamples of additional OPSEC measures taken by the group.\r\nNetwork-based OPSEC\r\nC2 Consideration:\r\n- Used legitimate services for C2\r\n- Adjusted C2 callout intervals\r\nInfrastructure OPSEC, as detailed in this post:\r\n- Localized “last mile” infrastructure near victim organizations by using residential IP address ranges to authenticate to victim environments\r\n- Geolocating Azure infrastructure in the same geography as the victim infrastructure\r\n- Used a mixture of TOR, VPS, and VPNs to access victim environments\r\n- Used IP address proxy providers that proxy traffic through mobile devices, to make traffic appear as if it was originating from domestic ISPs and devices\r\nSeparate Infrastructure:\r\n- Separated SUNBURST callback infrastructure from other follow-on malware families to preserve access and protect this toolset if follow-on activity was discovered\r\n- Restricted C2 reuse by establishing unique C2 servers per victim and single-use C2 servers for individual hosts\r\nHost-based OPSEC\r\nBlending In / Looking Legitimate:\r\n- Modified a legitimate Microsoft DLL to enable the DLL Side Loading of a malicious payload\r\n- Matched hostnames to the victim environment’s naming convention\r\n- Leveraged native Microsoft tools\r\n- Masqueraded malicious scheduled tasks, processes, and shortcut files as legitimate tasks, binaries, and documents\r\n- Replaced a legitimate binary with a malicious file of the same name and then reinstalled the original file after the malicious binary completed execution\r\n- Minimized the size of exfiltrated data and used encrypted connections for data exfiltration\r\nDisabling Security Controls:\r\n- Detected and disabled antivirus and system logging features, then reenabled these features in some cases upon completion of malicious activity\r\n- Disabled SysInternals Sysmon and Splunk Forwarders on victim machines that they accessed via Microsoft Remote Desktop\r\nCovering Tracks:\r\n- Cleared Windows Event Logs\r\n- Established persistence to perform reconnaissance, removed it before moving laterally to another system, and then verified that the persistence was removed\r\n- Extensive use of Microsoft’s secure delete tool (SDELETE) following interactive operations on a host\r\nMonitoring Remediation:\r\n- Accessed IT personnel mailboxes to monitor remediation efforts and adjust TTPs as needed\r\nUsing Varying TTPs:\r\n- Employed slight variations in TTPs and malware for spear phishing campaigns\r\nTable 1: Examples of APT29 network- and host-based OPSEC measures\r\nSophistication. APT29 has a proven ability to adapt quickly during operations. The group uses innovative\r\nand novel techniques to bypass detection and strong authentication requirements in victim environments. In\r\nmore recent operations, their fundamental understanding of native M365 features allowed them to move\r\neasily between on-premises and cloud resources without using a substantial amount of malware. We\r\nbelieve these measures, combined with a high level of OPSEC, longevity of the group’s operations, and\r\ntheir time on targets, demonstrate a well-resourced and highly sophisticated actor.\r\nOn-prem to Cloud. APT29’s advanced knowledge of Microsoft tools and cloud environments\r\nallows the group to abuse product features to achieve and maintain access, despite strong\r\nauthentication requirements, without using specific vulnerabilities or deploying custom malware.\r\nThis enables them to easily pivot from on-premises networks to cloud resources to create persistent\r\naccess to targets and sensitive data. 
Mandiant observed APT29 target and move laterally to the\r\nM365 environment starting in 2018 by using a combination of seven primary techniques detailed in\r\nour guidance.\r\nBypassing Multi-Factor Authentication (MFA): From 2018 to 2020, APT29 used an assortment\r\nof methods to satisfy strong authentication requirements in victim environments for lateral\r\nmovement. These included enrolling devices for MFA or bypassing it via legacy authentication,\r\nadding credentials to service principals and app registrations, and utilizing precomputed cookies to\r\nbypass MFA requirements and log in successfully without raising any alarms. The group also\r\nleveraged legitimate credentials to abuse repeated MFA push notifications to an end user’s\r\nlegitimate device until the user accepted the authentication. We also observed the group evolve from\r\nusing Golden Tickets to access sensitive data from on-premises systems to Golden SAML (Security\r\nAssertion Markup Language) for victim environments that used cloud hosted resources. Both\r\ntechniques allow attackers to bypass authentication requirements and access the victim environment\r\nwith any privileges and as any user, even after a domain-wide password reset of user accounts.\r\nMaintaining a Light Malware Footprint: APT29 shifted away from using a toolkit of customized\r\ntools to maintaining a relatively light malware footprint since 2018, likely due to extensive open-source reporting on the group’s toolkit. This allows for fewer detection opportunities by anti-virus\r\nengines and complicates attribution efforts. The group appears to favor the use of stolen credentials,\r\nabusing native Microsoft features to maintain access to victim environments. In some cases, we\r\nhave observed the group shift from deploying custom tools after gaining a foothold to deploying\r\nBEACON. This is likely due to the success, availability, modification potential, and attribution\r\ncomplications provided by BEACON. 
From 2018 to 2021, APT29 limited their use of custom tools\r\nto a little under half of all observed compromises. For compromises during that timeframe that\r\nfeatured custom tools, APT29 used custom malware families including SUNBURST, BEACON\r\ndroppers RAINDROP and TEARDROP, a credential theft tool called MAMADOGS, and\r\nCRIMSONBOX, a .NET tool that extracts the token signing certificate from an ADFS\r\nconfiguration, assisting the group in forging SAML tokens.\r\nSpeed and Agility. APT29 can quickly adjust their tools and TTPs to adapt to victim environments\r\nand to retain access through remediation efforts. In multiple cases, APT29 was able to gain Domain\r\nAdministrator privileges less than 12 hours after the initial execution of a phishing payload. In\r\n2020, approximately five days after the public disclosure of the SolarWinds supply chain\r\ncompromise, APT29 moved the persistent BEACON backdoor to an additional system in a new\r\nsubnet following an email sent from the internal information security team to IT administrators to\r\nrequest an image of the SolarWinds system. This suggests the group was monitoring the\r\norganization's emails and subsequently employed countermeasures to maintain access.\r\nFollow the Data. Since 2018, Mandiant observed APT29 adjust their tactics to access victim\r\nenvironments to avoid losing access to critical data located on-premises and in cloud environments.\r\nMandiant observed the group use different methods to gather emails from different victim\r\nenvironments. 
These include using publicly available tools that harvest local OST and PST files for\r\non-premises systems and switching to abusing service principals, adding permissions to victims'\r\nmailboxes and mailbox folders, and using application impersonation for cloud environments.\r\nOutlook and Implications\r\nSince Mandiant began tracking APT29 in 2014, the group has continued to advance its significant technical\r\ntradecraft and OPSEC. The consistent and steady advancement in TTPs speaks to its disciplined nature and\r\ncommitment to stealthy operations and persistence. Merging UNC2452 into APT29 has given us a better\r\nunderstanding of how APT29’s operations have evolved over the years, including how the group further honed its\r\ntechnical skills to bypass security controls, scale TTPs for emerging technology, blend in with victim\r\nenvironments, and hinder detection across all aspects of its operations. Mandiant is almost certain that APT29 will\r\ncontinue to evolve its operational and behavioral TTPs based on its advanced skillset and ability to creatively\r\nemploy novel TTPs and tools to gain persistent access to targets.\r\nPlease refer to our white paper on remediating and hardening strategies to defend against APT29, and check out\r\nour webinar for even more information.\r\nMITRE ATT\u0026CK Techniques Added as a Result of the Merge\r\nResource Development\r\nT1583.003: Virtual Private Server\r\nInitial Access\r\nT1195.002: Compromise Software Supply Chain\r\nT1199: Trusted Relationship\r\nExecution\r\nT1059.007: JavaScript\r\nPersistence\r\nT1098: Account Manipulation\r\nT1098.001: Additional Cloud Credentials\r\nT1547.009: Shortcut Modification\r\nT1574.008: Path Interception by Search Order Hijacking\r\nPrivilege Escalation\r\nT1055.002: Portable Executable Injection\r\nT1134.001: Token Impersonation/Theft\r\nT1484.002: Domain Trust Modification\r\nT1547.009: 
Shortcut Modification\r\nT1574.008: Path Interception by Search Order Hijacking\r\nDefense Evasion\r\nT1027.003: Steganography\r\nT1027.005: Indicator Removal from Tools\r\nT1036.005: Match Legitimate Name or Location\r\nT1055.002: Portable Executable Injection\r\nT1070: Indicator Removal on Host\r\nT1070.001: Clear Windows Event Logs\r\nT1070.006: Timestomp\r\nT1134.001: Token Impersonation/Theft\r\nT1218.005: Mshta\r\nT1218.011: Rundll32\r\nT1480: Execution Guardrails\r\nT1497.003: Time Based Evasion\r\nT1550.001: Application Access Token\r\nT1562.001: Disable or Modify Tools\r\nT1574.008: Path Interception by Search Order Hijacking\r\nCredential Access\r\nT1003.003: NTDS\r\nT1003.006: DCSync\r\nT1003.008: /etc/passwd and /etc/shadow\r\nT1110.003: Password Spraying\r\nT1111: Two-Factor Authentication Interception\r\nT1552.001: Credentials In Files\r\nT1552.004: Private Keys\r\nT1552.006: Group Policy Preferences\r\nT1555.005: Password Managers\r\nT1558: Steal or Forge Kerberos Tickets\r\nT1558.003: Kerberoasting\r\nT1606.001: Web Cookies\r\nT1606.002: SAML Tokens\r\nDiscovery\r\nT1016.001: Internet Connection Discovery\r\nT1046: Network Service Scanning\r\nT1497.003: Time Based Evasion\r\nT1526: Cloud Service Discovery\r\nLateral Movement\r\nT1550.001: Application Access Token\r\nCollection\r\nT1005: Data from Local System\r\nT1039: Data from Network Shared Drive\r\nT1074: Data Staged\r\nT1114.002: Remote Email Collection\r\nT1213.002: Sharepoint\r\nT1213.003: Code Repositories\r\nT1560.001: Archive via Utility\r\nCommand and Control\r\nT1071: Application Layer Protocol\r\nT1071.004: DNS\r\nT1090.003: Multi-hop Proxy\r\nT1568.002: Domain Generation Algorithms\r\nT1571: Non-Standard Port\r\nT1573.001: Symmetric Cryptography\r\nExfiltration\r\nT1030: Data Transfer Size Limits\r\nT1567: Exfiltration Over Web Service\r\nT1567.001: Exfiltration to Code Repository\r\nSource: https://www.mandiant.com/resources/blog/unc2452-merged-into-apt29",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/unc2452-merged-into-apt29"
	],
	"report_names": [
		"unc2452-merged-into-apt29"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434209,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1d85fe3666be2b707c99943844dc63287d787e08.pdf",
		"text": "https://archive.orkl.eu/1d85fe3666be2b707c99943844dc63287d787e08.txt",
		"img": "https://archive.orkl.eu/1d85fe3666be2b707c99943844dc63287d787e08.jpg"
	}
}