{
	"id": "aa24976a-8094-45e8-a6d8-76343c5f98a0",
	"created_at": "2026-04-06T00:21:31.865811Z",
	"updated_at": "2026-04-10T03:38:20.449522Z",
	"deleted_at": null,
	"sha1_hash": "1ff9aae2e240844b9df305f6d1c60446c4c8b3fa",
	"title": "North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6618612,
	"plain_text": "North Korea’s Lazarus APT leverages Windows Update client,\r\nGitHub in latest campaign\r\nPublished: 2022-01-21 · Archived: 2026-04-05 18:16:00 UTC\r\nThis blog was authored by Ankur Saini and Hossein Jazi\r\nLazarus Group is one of the most sophisticated North Korean APTs and has been active since 2009. The group is\r\nresponsible for many high-profile attacks in the past and has gained worldwide attention. The Malwarebytes\r\nThreat Intelligence team is actively monitoring its activities and was able to spot a new campaign on Jan 18th\r\n2022.\r\nIn this campaign, Lazarus conducted spear phishing attacks weaponized with malicious documents that use\r\ntheir known job opportunities theme. We identified two decoy documents masquerading as American global\r\nsecurity and aerospace giant Lockheed Martin.\r\nIn this blog post, we provide technical analysis of this latest attack, including a clever use of Windows Update to\r\nexecute the malicious payload and GitHub as a command and control server. We have reported the rogue GitHub\r\naccount for harmful content.\r\nAnalysis\r\nThe two macro-embedded documents seem to lure the targets with new job opportunities at Lockheed\r\nMartin:\r\nLockheed_Martin_JobOpportunities.docx\r\nSalary_Lockheed_Martin_job_opportunities_confidential.doc\r\nThe compilation time for both of these documents is 2020-04-24, but we have enough indicators that confirm that\r\nthey have been used in a campaign around late December 2021 and early 2022. Some of the indicators that show\r\nthis attack operated recently are the domains used by the threat actor.\r\nBoth of the documents use the same attack theme and have some common things like embedded macros, but the\r\nfull attack chain seems to be totally different. 
The analysis provided in the blog is mainly based on the\r\n“Lockheed_Martin_JobOpportunities.docx” document, but we also provide a brief analysis of the second document\r\n(Salary_Lockheed_Martin_job_opportunities_confidential.doc) at the end of this blog.\r\nhttps://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/\r\nPage 1 of 13\n\nAttack Process\r\nThe below image shows the full attack process which we will discuss in detail in this article. The attack starts by\r\nexecuting the malicious macros that are embedded in the Word document. The malware performs a series of\r\ninjections and achieves startup persistence in the target system. In the next section we will provide technical\r\ndetails about various stages of this attack and its payload capabilities.\r\nMacros: Control flow hijacking through KernelCallbackTable\r\nThe above code uses a very unusual and lesser-known technique to hijack the control flow and execute malicious\r\ncode. The malware retrieves the address of the “WMIsAvailableOffline” function from “wmvcore.dll”, then it\r\nchanges the memory protection permissions for code in “WMIsAvailableOffline” and proceeds to overwrite the\r\ncode in memory with the malicious base64-decoded shellcode.\r\nAnother interesting thing happening in the above code is the control flow hijacking through\r\nthe KernelCallbackTable member of the PEB. 
A call to NtQueryInformationProcess is made\r\nwith the ProcessBasicInformation class as the parameter, which lets the malware retrieve the address of the PEB and\r\nthus the KernelCallbackTable pointer.\r\nKernelCallbackTable is initialized to an array of callback functions when user32.dll is loaded into memory, which\r\nare used whenever a graphical call (GDI) is made by the process. To hijack the control flow, the malware replaces\r\nthe USER32!_fnDWORD callback in the table with the malicious WMIsAvailableOffline function. Once the flow is\r\nhijacked and the malicious code is executed, the rest of the code takes care of restoring the KernelCallbackTable to its\r\noriginal state.\r\nShellcode Analysis\r\nThe shellcode loaded by the macro contains an encrypted DLL which is decrypted at runtime and then manually\r\nmapped into memory by the shellcode. After mapping the DLL, the shellcode jumps to the entry point of that\r\nDLL. The shellcode uses a custom hashing method to resolve the APIs. We used hollows_hunter to\r\ndump the DLL and reconstruct the IAT once it is fully mapped into memory.\r\nThe hashing function accepts two parameters: the hash of the DLL and the hash of the function we are looking for\r\nin that DLL. A very simple algorithm is used for hashing APIs. The following code block shows this algorithm:\r\ndef string_hashing(name):\r\n    hash = 0\r\n    for i in range(0, len(name)):\r\n        hash = 2 * (hash + (ord(name[i\r\nThe shellcode and all the subsequent inter-process Code/DLL injections in the attack chain use the same injection\r\nmethod as described below.\r\nCode Injection\r\nThe injection function is responsible for resolving all the required API calls. It then opens a handle to the target\r\nprocess by using the OpenProcess API. 
It uses the SizeOfImage field in the NT header of the DLL to be injected\r\nto allocate space in the target process, along with a separate space for the init_dll function. The purpose of\r\nthe init_dll function is to initialize the injected DLL and then pass the control flow to the entry point of the DLL.\r\nOne thing to note here is that a simple CreateRemoteThread call is used to start a thread inside the target process,\r\nunlike the KernelCallbackTable technique used in the macro.\r\nMalware Components\r\nstage1_winword.dll – This is the DLL which is mapped inside the Word process. This DLL is responsible\r\nfor restoring the original state of KernelCallbackTable and then injecting stage2_explorer.dll into\r\nthe explorer.exe process.\r\nstage2_explorer.dll – The winword.exe process injects this DLL into the explorer.exe process. With brief\r\nanalysis we find out that the .data section contains two additional DLLs. We refer to them\r\nas drops_lnk.dll and stage3_runtimebroker.dll. By analyzing stage2_explorer.dll a bit further we can easily\r\nunderstand the purpose of this DLL.\r\nThe above code snippet shows the main routine of stage2_explorer.dll. As you can see, it checks for the existence\r\nof “C:\\Wíndows\\system32\\wuaueng.dll” and, if it doesn’t exist, it takes its path to drop additional files. It\r\nexecutes drops_lnk.dll in the current process and then tries to create the RuntimeBroker process, and if\r\nsuccessful in creating RuntimeBroker, it injects stage3_runtimebroker.dll into the newly created process. 
If for\r\nsome reason process creation fails, it just executes stage3_runtimebroker.dll in the current explorer.exe process.\r\ndrops_lnk.dll – This DLL is loaded and executed inside the explorer.exe process. It mainly drops the lnk\r\nfile (WindowsUpdateConf.lnk) into the startup folder and then checks for the existence of wuaueng.dll in\r\nthe malicious directory and manually loads and executes it from the disk if it exists. The lnk file\r\n(WindowsUpdateConf.lnk) executes “C:\\Windows\\system32\\wuauclt.exe” /UpdateDeploymentProvider\r\nC:\\Wíndows\\system32\\wuaueng.dll /RunHandlerComServer. This is an interesting technique used by Lazarus\r\nto run its malicious DLL using the Windows Update Client to bypass security detection mechanisms. With\r\nthis method, the threat actor can execute its malicious code through the Microsoft Windows Update client\r\nby passing the following arguments: /UpdateDeploymentProvider, the path to the malicious DLL, and the\r\n/RunHandlerComServer argument after the DLL.\r\nstage3_runtimebroker.dll – This DLL is responsible for creating the malicious directory\r\n(“C:\\Wíndows\\system32”) and then dropping wuaueng.dll in that directory; furthermore, it sets the attributes\r\nof the directory to make it hidden.\r\nwuaueng.dll – This is one of the most important DLLs in the attack chain. This malicious DLL is signed\r\nwith a certificate which seems to belong to “SAMOYAJ LIMITED”. Until 20 January 2022, the DLL had\r\n(0/65) AV detections and presently only 5/65 detect it as malicious. This DLL has another DLL embedded inside it,\r\nwhich contains the core module (core_module.dll) of this malware responsible for communicating\r\nwith the Command and Control (C2) server. 
This DLL can be loaded into memory in two ways:\r\n– If drops_lnk.dll loads this DLL into explorer.exe, then it loads core_module.dll and then executes it\r\n– If it is being executed from wuauclt.exe, then it retrieves the PID of explorer.exe and injects\r\ncore_module.dll into that process.\r\nThe Core module and GitHub as a C2\r\nRarely do we see malware using GitHub as C2, and this is the first time we’ve observed Lazarus leveraging it.\r\nUsing GitHub as a C2 has its own drawbacks, but it is a clever choice for targeted and short-term attacks as it\r\nmakes it harder for security products to differentiate between legitimate and malicious connections. While\r\nanalyzing the core module we were able to get the required details to access the C2, but unfortunately it was\r\nalready cleaned and we were not able to get much except one of the additional modules loaded by\r\nthe core_module.dll remotely (thanks to @jaydinbas who shared the module with us).\r\nThere seems to be no type of string encoding used, so we can clearly see the strings, which makes the analysis\r\neasy. get_module_from_repo uses the hardcoded username, repo_name, directory and token to make an HTTP request to\r\nGitHub and retrieves the files present in the “images” directory of the repository.\r\nThe HTTP request retrieves the contents of the files present in the repository with an interesting validation which\r\nchecks that the retrieved file is a PNG. 
The file that was earlier retrieved was named “readme.png”; this PNG file\r\nhas one of the malicious modules embedded in it. The strings in the module reveal that the module’s original name\r\nis “GetBaseInfo.dll”. Once the malware retrieves the module it uses the map_module function to map the DLL\r\nand then looks for an exported function named “GetNumberOfMethods” in the malicious module. It then\r\nexecutes GetNumberOfMethods and saves the result obtained by the module. This result is committed to the\r\nremote repo under the metafiles directory with a filename denoting the time at which the module was executed.\r\nThis file committed to the repo contains the result of the commands executed by the module on the target system.\r\nTo commit the file the malware makes a PUT HTTP request to GitHub.\r\nAdditional Modules (GetBaseInfo.dll)\r\nThis was the only module which we were able to get our hands on. Having only a single module limits us in finding\r\nall the capabilities this malware has. It is also a bit difficult to hunt for these modules as they never really touch the\r\ndisk, which makes them harder for AVs to detect. The only way to get the modules would be to access the C2 and\r\ndownload the modules while they are live. Coming back to this module, it has very limited capabilities. It retrieves\r\nthe Username, ComputerName and a list of all the running processes on the system and then returns the result so\r\nit can be committed to the C2.\r\nGitHub Account\r\nThe account with the username “DanielManwarningRep” is used to operate the malware. 
The account was created\r\non January 17th, 2022, and other than this we were not able to find any information related to the account.\r\nSecond Malicious Document used in the campaign\r\nMalicious Document – Salary_Lockheed_Martin_job_opportunities_confidential.doc\r\n(0160375e19e606d06f672be6e43f70fa70093d2a30031affd2929a5c446d07c1)\r\nThe initial attack vector used in this document is similar to the first document, but the malware dropped by the\r\nmacro is totally different. Sadly, the C2 for this malware was down by the time we started analyzing it.\r\nThis document uses KernelCallbackTable as well to hijack the control flow, just like our first module; the injection\r\ntechnique used by the shellcode also resembles the first document. The major difference in this document is that it\r\ntries to retrieve a remote HTML page and then executes it using mshta.exe. The remote HTML page is located\r\nat https[:]//markettrendingcenter[.]com/member.htm and throws a 404 Not Found, which makes it difficult for us\r\nto analyze this document any further.\r\nAttribution\r\nThere are multiple indicators that suggest that this campaign has been operated by the Lazarus threat actor. In this\r\nsection we provide some of the indicators that confirm the actor behind this attack is Lazarus:\r\nUsing job opportunities as a template is a known method used by Lazarus to target its victims. 
The\r\ndocuments created by this actor are well designed and contain a large icon for a known company such as\r\nLockheed Martin, BAE Systems, Boeing and Northrop Grumman in the template.\r\nIn this campaign the actor has targeted people that are looking for job opportunities at Lockheed Martin.\r\nThe defense industry, and specifically Lockheed Martin, is a known target for this actor.\r\nThe metadata of the documents used in this campaign links them to several other documents used by this actor in\r\nthe past.\r\nUsing Frame1_Layout for macro execution and using lesser-known API calls for shellcode execution is\r\nknown to be used by Lazarus.\r\nWe also were able to find infrastructure overlap between this campaign and past campaigns of Lazarus\r\n(Figure 19).\r\nConclusion\r\nLazarus APT is one of the advanced APT groups that is known to target the defense industry. The group keeps\r\nupdating its toolset to evade security mechanisms. In this blog post we provided a detailed analysis of the new\r\ncampaign operated by this actor. 
Even though they have used their old job theme method, they employed several\r\nnew techniques to bypass detections:\r\nUse of KernelCallbackTable to hijack the control flow and shellcode execution\r\nUse of the Windows Update client for malicious code execution\r\nUse of GitHub for C2 communication\r\nIOCs:\r\nMaldocs:\r\n0d01b24f7666f9bccf0f16ea97e41e0bc26f4c49cdfb7a4dabcc0a494b44ec9b\r\nLockheed_Martin_JobOpportunities.docx\r\n0160375e19e606d06f672be6e43f70fa70093d2a30031affd2929a5c446d07c1\r\nSalary_Lockheed_Martin_job_opportunities_confidential.doc\r\nDomains:\r\nmarkettrendingcenter.com\r\nlm-career.com\r\nPayloads:\r\nName Sha256\r\nreadme.png 4216f63870e2cdfe499d09fce9caa301f9546f60a69c4032cb5fb6d5ceb9af32\r\nwuaueng.dll 829eceee720b0a3e505efbd3262c387b92abdf46183d51a50489e2b157dac3b1\r\nstage1_winword.dll f14b1a91ed1ecd365088ba6de5846788f86689c6c2f2182855d5e0954d62af3b\r\nstage2_explorer.dll 660e60cc1fd3e155017848a1f6befc4a335825a6ae04f3416b9b148ff156d143\r\ndrops_lnk.dll 11b5944715da95e4a57ea54968439d955114088222fd2032d4e0282d12a58abb\r\nstage3_runtimebroker.dll 9d18defe7390c59a1473f79a2407d072a3f365de9834b8d8be25f7e35a76d818\r\ncore_module.dll c677a79b853d3858f8c8b86ccd8c76ebbd1508cc9550f1da2d30be491625b744\r\nGetBaseInfo.dll 5098ec21c88e14d9039d232106560b3c87487b51b40d6fef28254c37e4865182\r\nSource: https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/"
	],
	"report_names": [
		"north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434891,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1ff9aae2e240844b9df305f6d1c60446c4c8b3fa.pdf",
		"text": "https://archive.orkl.eu/1ff9aae2e240844b9df305f6d1c60446c4c8b3fa.txt",
		"img": "https://archive.orkl.eu/1ff9aae2e240844b9df305f6d1c60446c4c8b3fa.jpg"
	}
}