{
	"id": "016cd779-78db-4328-afbc-cf0057f427bd",
	"created_at": "2026-04-06T01:31:19.27949Z",
	"updated_at": "2026-04-10T03:38:20.728783Z",
	"deleted_at": null,
	"sha1_hash": "1ee8f4b78d4f341ae6fad3619649be8cd6d73218",
	"title": "MagicRAT: Lazarus’ latest gateway into victim networks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 635883,
	"plain_text": "MagicRAT: Lazarus’ latest gateway into victim networks\r\nBy Asheer Malhotra\r\nPublished: 2022-09-07 · Archived: 2026-04-06 00:28:59 UTC\r\nWednesday, September 7, 2022 08:01\r\nCisco Talos has discovered a new remote access trojan (RAT) we're calling \"MagicRAT,\" developed and operated by the Lazarus APT group, which the U.S. government believes is a North Korean state-sponsored actor.\r\nLazarus deployed MagicRAT after the successful exploitation of vulnerabilities in VMware Horizon platforms.\r\nWe've also found links between MagicRAT and another RAT known as \"TigerRAT,\" disclosed and attributed to Lazarus by the Korean Internet \u0026 Security Agency (KISA) recently.\r\nTigerRAT has evolved over the past year to include new functionalities that we illustrate in this blog.\r\nExecutive Summary\r\nCisco Talos has discovered a new remote access trojan (RAT), which we are calling \"MagicRAT,\" that we are attributing with moderate to high confidence to the Lazarus threat actor, a state-sponsored APT attributed to North Korea by the U.S. Cyber Security \u0026 Infrastructure Agency (CISA). This new RAT was found on victims that had been initially compromised through the exploitation of publicly exposed VMware Horizon platforms. While a relatively simple RAT capability-wise, it was built using the Qt Framework, with the sole intent of making human analysis harder and automated detection through machine learning and heuristics less likely.\r\nWe have also found evidence to suggest that once MagicRAT is deployed on infected systems, it launches additional payloads such as custom-built port scanners. 
Additionally, we've found that MagicRAT's C2 infrastructure was also used to host newer variants of known Lazarus implants such as TigerRAT.\r\nhttps://blog.talosintelligence.com/2022/09/lazarus-magicrat.html\r\nPage 1 of 11\r\nThe discovery of MagicRAT in the wild is an indication of Lazarus' motivation to rapidly build new, bespoke malware to use alongside their previously known malware, such as TigerRAT, to target organizations worldwide.\r\nActor profile\r\nAttribution\r\nCisco Talos assesses with moderate to high confidence that these attacks have been conducted by the North Korean state-sponsored threat actor Lazarus Group. This attribution is based on tactics, techniques and procedures (TTPs), malware implants and infrastructure overlap with known Lazarus campaigns.\r\nWe have observed overlaps between C2 servers serving MagicRAT and previously disclosed Lazarus campaigns utilizing the Dtrack RAT family. Furthermore, Talos has also discovered C2 servers hosting and serving TigerRAT to existing MagicRAT infections. TigerRAT is a malware family attributed to the Lazarus APT group by the Korean Internet \u0026 Security Agency (KISA).\r\nIn some infections, we observed the deployment of MagicRAT by the attackers for some time, followed by its removal and the subsequent download and execution of another custom-developed malware called \"VSingle,\" another implant disclosed and attributed to Lazarus by JPCERT.\r\nTechnical analysis\r\nMagicRAT\r\nMagicRAT is programmed in the C++ programming language and uses the Qt Framework by statically linking it into the RAT in both the 32- and 64-bit versions. The Qt Framework is a programming library for developing graphical user interfaces, of which this RAT has none. Talos believes that the objective was to increase the complexity of the code, thus making human analysis harder. 
On the other hand, since there are very few examples (if any) of malware programmed with the Qt Framework, this also makes machine learning and heuristic analysis detection less reliable.\r\nThe 32-bit version was compiled with GCC v3.4 using mingw/cygwin for support on the Microsoft Windows platform. The 64-bit version, however, was compiled with VisualC64, version 7.14.\r\nThe RAT uses Qt classes throughout its entire code. The configuration is stored dynamically in a QSettings object and eventually saved to disk, a standard capability of that class.\r\nThe malware configuration (containing author-defined QSettings) is stored in the file \"visual.1991-06.com.microsoft_sd.kit\" in the path \"\\ProgramData\\WindowsSoftwareToolkit\". The names and paths were obviously chosen to trick the victim into believing they were part of the operating system.\r\nThe image below shows an example of a configuration file. During our analysis, we identified three sections in the configuration file:\r\n[os] which contains the command and control (C2) URLs.\r\n[General] which holds general information.\r\n[company] which holds data used in the communication with the C2.\r\nAll analyzed samples had three encoded C2 URLs that are used to register infections and then receive commands to execute on the infected endpoint. 
The URLs are stored in the configuration file with the keys \"windows\", \"linux\" and \"mac.\" The values are prefixed with \"LR02DPt22R\" followed by the URL encoded in base64.\r\nUpon execution, MagicRAT achieves persistence for itself by executing a hardcoded command that creates scheduled tasks on the victim machine.\r\nCommand: schtasks /create /tn \"OneDrive AutoRemove\" /tr \"C:\\Windows\\System32\\cmd.exe /c del /f /q C:/TEMP/[MagicRAT_file_name].exe\" /sc daily /st 10:30:30 /ru SYSTEM\r\nIntent: Scheduled task starting at a specific time [T1053/005]\r\nCommand: schtasks /create /tn \"Microsoft\\Windows\\light Service Manager\" /tr C:/TEMP/[MagicRAT_file_name].exe /sc onstart /ru SYSTEM\r\nIntent: Scheduled task starting at a different time and path [T1053/005]\r\nCommand: %HOME%/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/OneNote.lnk\r\nIntent: Link created in the Startup folder [T1547/001]\r\nUpon achieving persistence, the RAT contacts the C2.\r\nDuring the initial stages of execution, MagicRAT will perform just enough system reconnaissance to identify the system and environment in which the attackers are operating. This is done by executing the commands whoami, systeminfo and ipconfig /all. The last command has its results returned via the upload of the file zero_dump.mix to the C2.\r\nMagicRAT is rather simple — it provides the operator with a remote shell on the victim's system for arbitrary command execution, along with the ability to rename, move and delete files on the endpoint. The operator can determine the timing for the implant to sleep, change the C2 URLs and delete the implant from the infected system.\r\nWe also discovered a new variant of MagicRAT in the wild generated in April 2022. 
This sample added the ability to delete itself from the infected endpoint using a BAT file.\r\nAdditional malware\r\nOne of the C2 servers used by the new MagicRAT sample, 64[.]188[.]27[.]73, hosted two more distinct implants masquerading as GIF URLs. MagicRAT can make requests to its C2 and download a GIF file, which is actually an executable.\r\nLightweight port scanner\r\nOne of the GIF files discovered on the MagicRAT C2 is called \"pct.gif,\" which is an extremely simple port scanner whose main code fits into the image below.\r\nIt takes three arguments: the IP to connect to, followed by the port number and, finally, a value dictating whether the output of the port scan must be written to a log file on disk or to standard output. After a successful connection, the executable will either write the string \"Connection success!\" to standard output or to a log file called \"Ahnupdate.log\" located in the current user's temporary directory.\r\nTigerRAT\r\nThe second implant hosted on MagicRAT's C2 is a remote access trojan (RAT) known as TigerRAT. 
TigerRAT is an implant disclosed in 2021 by KISA and KRCERT as part of \"Operation ByteTiger,\" detailing TigerRAT and its downloader \"TigerDownloader.\"\r\nThis implant consists of several RAT capabilities, ranging from arbitrary command execution to file management.\r\nCapabilities of the implant include:\r\nGather system information: username, computer name, network interface info, system info including product and version.\r\nRun arbitrary commands on the endpoint: set/get CWD, run command via cmd.exe.\r\nImplant capability to run arbitrary commands.\r\nScreen capture.\r\nSocks tunneling.\r\nKeylogging.\r\nFile management: drive reconnaissance, enumerate/delete files, create and write to files, read files and upload contents to C2, create processes.\r\nSelf delete/uninstall from system.\r\nThe latest TigerRAT versions included one new capability, with indicators of a second capability set to be introduced soon. One of these capabilities is called \"USB dump.\" The authors have also created skeleton code in preparation for implementing video capture from web cameras, though it hasn't been implemented yet.\r\nUSB Dump\r\nThe USB Dump capability gives the attackers the ability to:\r\nEnumerate files for path \"LOCAL_APPDATA\\GDIFONTC\".\r\nDelete files.\r\nFind files of specific extensions in a specified drive and folder: .docx, .hwp, .doc, .txt, .pdf, .zip, .zoo, .arc, .lzh, .arj, .gz, .tgz. Add these files to an existing archive in preparation for exfiltration. 
This is the main functionality of this new capability.\r\nThe image below shows the code used to check the file extensions.\r\nLazarus' implants commonly stitch together functionalities, including occasionally removing and adding different functions, which is evident from the latest TigerRAT samples:\r\nWhile Lazarus added a new capability (USB dumping and skeleton code for webcam capture), they removed the port forwarding capability in the latest version. Older variants of TigerRAT (seen in 2020-2021) used encrypted strings, but the latest variant stores its strings in plaintext.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. 
Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall Management Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nOrbital Queries\r\nCisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click here.\r\nIOCs\r\nThe IOC list is also available in Talos' Github repo here.\r\n
Source: https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html"
	],
	"report_names": [
		"lazarus-magicrat.html"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439079,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1ee8f4b78d4f341ae6fad3619649be8cd6d73218.pdf",
		"text": "https://archive.orkl.eu/1ee8f4b78d4f341ae6fad3619649be8cd6d73218.txt",
		"img": "https://archive.orkl.eu/1ee8f4b78d4f341ae6fad3619649be8cd6d73218.jpg"
	}
}