{
	"id": "cf885370-60c6-442a-8a2c-d9c0280ae94c",
	"created_at": "2026-04-06T00:17:41.21184Z",
	"updated_at": "2026-04-10T03:24:24.378932Z",
	"deleted_at": null,
	"sha1_hash": "202d2e8cf5cec632205a8be49de4513d3a7cbcde",
	"title": "The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle”",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 10944411,
	"plain_text": "The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle”\r\nBy Eli Salem\r\nPublished: 2021-09-21 · Archived: 2026-04-05 16:52:42 UTC\r\nJust Squirrel with waffle\r\nSince early-to-mid September 2021, a new malware loader dubbed “Squirrelwaffle” has been discovered and observed delivering the attack framework Cobalt-Strike.\r\nIn the recent cybercrime landscape, several prolific malware families have either disappeared or been observed less often. This newly created gap gives opportunities for the birth of new malware such as Squirrelwaffle to fill the hole that others left.\r\nhttps://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9\r\nPage 1 of 32\r\nIn this article, I will present an analysis of this new threat. Similar to most of my malware analysis articles, this one will be a mix of a presentation and a step-by-step dynamic or static analysis, with an emphasis on SquirrelWaffle’s download capabilities.\r\nThe dropper\r\nIn terms of the initial attack vector, the malware is delivered by classic phishing documents, which continue by dropping .vbs files and launching PowerShell.\r\nThe initial access phase ends with an executable dropper being downloaded to the infected machine.\r\nThe dropper is a 32-bit DLL file, which is also packed with a custom crypter.\r\nDropper PEStudio\r\nFurthermore, the dropper has 8 export functions in addition to the DllEntryPoint one. This tactic was also observed in Ursnif’s dropper, which has been seen with a large number of export functions. Usually, the reason for that is to slow down analysis.\r\nDropper export functions\r\nUnpacking mechanism\r\nTo manually unpack this sample, and also observe the interesting parts of the unpacking mechanism, we’ll do the following:\r\nFirst, we’ll set a breakpoint on VirtualAlloc and hit Run. Once we reach the first breakpoint, click “Return to user code” or “execute till return” + “step over”.\r\nNow we can observe the following:\r\n1. Call to ebx+2113E4 - which is the call to VirtualAlloc\r\n2. rep movsb - which will write the shellcode to the newly allocated memory\r\n3. jmp eax - execute the shellcode instructions\r\nBecause the shellcode address is stored in the EAX register, we can observe it if we click “follow in dump” on the EAX register. We can see the bytes E8 00 00 00 00, which is a classic trick shellcode uses to obtain the address of its next instruction (a call to the immediately following instruction pushes that address onto the stack, so the shellcode can learn where it is running).\r\nFrom this behavior, we can also assume that the entire unpacking mechanism will occur within the context of a shellcode.\r\nDropper shellcode execution\r\nNext, click Run twice until we reach the third instance of VirtualAlloc. After reaching it, do the following:\r\n1. Click “execute till return” + “step over”\r\n2. Go to the EAX register and click “follow in dump”\r\n3. Set a write hardware breakpoint on the first bytes of the newly allocated memory buffer.\r\nUnpacking the dropper\r\nAfter setting the breakpoint, click Run three times. We’ll notice that the buffer inside the allocated memory will be filled with content.\r\nWhen reaching the third Run, we’ll find ourselves in a small loop with some classic opcodes that we expect to see in unpacking loops, such as rotate right and exclusive or (the ror and xor opcodes).\r\nUnpacking the dropper\r\nIn fact, this specific loop, and the majority of this crypter, were observed during the last two years in other malware droppers, such as Ursnif, Zloader, and Hancitor.\r\nDropper unpacking\r\nBy setting a breakpoint on the leave opcode we can go to the place where the loop ends. Once we do, we can see the ASCII characters M8Z, which indicate aPLib compression.\r\nAPLIB indication\r\nNow that we know that this content is compressed with APLIB, the most logical thing to expect is a decompression mechanism.\r\nTo observe this mechanism, do the following:\r\n1. Remove the write hardware breakpoint from the buffer\r\n2. Set a new access hardware breakpoint on the first bytes of the APLIB header.\r\n3. Click Run\r\nUnpacking the dropper\r\nAfter clicking Run, we find ourselves in a loop that consists of several functions; this loop is the one that decompresses the APLIB content.\r\nIn terms of decompression location, this mechanism works in the following way:\r\n1. It will get bytes from the beginning of the APLIB content, manipulate them, and store them in the ESI register.\r\n2. It will copy the decoded content to offset 7040; the offset where the content will be written is stored in the EDI register.\r\nUnpacking the dropper\r\nTo skip the entire unpacking and decompression process, we can scroll down in the loop and see three ret opcodes; set a breakpoint on the third one and hit Run.\r\nUnpacking the dropper\r\nNow, follow in dump on the EDI register, where we know the unpacked content should be stored. We can now see the MZ header and the unpacked SquirrelWaffle malware.\r\nTo dump it, we can mark the entire content from the MZ header until the end and save it as binary using xdbg, or just use the pe-sieve tool.\r\nDropper crypter unpacking\r\nSquirrelWaffle\r\nSimilar to the dropper, SquirrelWaffle is also a 32-bit DLL file.\r\nSquirrelWaffle in PEStudio\r\nIn contrast to the dropper, this DLL file has only one export function, called “ldr”. Also, the file itself has a DLL name in it, “Dll1.dll”. Such a fixed DLL name was also observed in Qbot (stager_1.dll), Trickbot (templ.dll), and IcedID (loader_64_dll.dll).\r\nSquirrelWaffle export and DLL name\r\nWhen we investigate the malware statically from the “ldr” export function, we can see that the function invokes only one very long and nested function. For this analysis, and to make the article easier to follow, we’ll label it “the core function”.\r\nThe function starts with the malware attempting to get the environment variables of the APPDATA and TEMP directories.\r\nCore function begins with getting environment variables\r\nHowever, some of the malware’s functions are not easily understandable, and some deal with content decryption. To verify this, we need to investigate dynamically.\r\nTo do so, we’ll need to start from the “ldr” export function; there are two ways to reach it.\r\nFirst way\r\nThe first way is to start xdbg by loading Rundll32 and passing the malware path with the ldr export function as an argument. (In my analysis I called the unpacked file “time.dll”.)\r\nExecuting the DLL using Rundll32\r\nHowever, I sometimes found this method unreliable, and the DLL file often goes to the DllEntryPoint function instead.\r\nSecond way\r\nThe second route is a cool memory trick, which works as follows:\r\n1. We’ll first go to the DllEntryPoint.\r\n2. We already know from the first glance at the static investigation that the ldr function should start with a getenv() call that looks up the APPDATA and TEMP environment variables.\r\n3. Because the APPDATA and TEMP strings are hardcoded in the malware, we’ll search for their location.\r\n4. We’ll redirect the malware’s execution flow to go directly to the function in which the APPDATA and TEMP references are found.\r\nGetting the location of the APPDATA \u0026 TEMP function\r\nTo do so, once we are in the DllEntryPoint, do:\r\n1. Right click\r\n2. Search for\r\n3. Current region\r\n4. String references\r\nGetting the string references\r\nNow we find ourselves with the entire list of the hardcoded strings of the malware; there we can also see our APPDATA \u0026 TEMP strings. Let’s click on one of them.\r\nHardcoded strings\r\nOnce we click, we can see the place where the APPDATA lookup via getenv() will be executed; this is also the function that the ldr export function calls, aka the core function.\r\nThis is the place where we want to start our dynamic investigation, and therefore we want to direct the malware to start at the beginning of this function.\r\nBeginning of core function\r\nChanging the malware execution flow\r\nTo redirect the malware to start in this function, do the following:\r\n1. Right click on the first line of code of the function\r\n2. Copy\r\n3. Address\r\nGetting the address of the core function\r\nNow, on the right side of the debugger, you can see the EIP register, which holds the address of the next instruction to be executed; we’ll want to manipulate it.\r\nTo do so, do the following:\r\n1. Right-click on the EIP register\r\n2. Modify value\r\n3. In the Expression box, paste the address you copied.\r\n4. Click OK\r\nChanging the EIP\r\nAfter clicking OK we can see that the instruction pointer was changed to the start of the core function; now our dynamic analysis can be performed.\r\nExecution flow now at the start of the core function\r\nCore function\r\nAs mentioned, the ldr export function leads us to one specific big function, which we call “the core function”.\r\nThis function has several objectives and also calls other functions that take part in this malware’s download mechanism.\r\nObservable functions\r\nBefore digging into the more challenging functions, let’s talk about the more visible API calls that this function consists of.\r\nThe majority of these functions are aimed at collecting information about the infected machine.\r\nAs already mentioned, the malware attempts to collect the environment variables c:\\users\\user\\appdata\\roaming and c:\\users\\user\\appdata\\local\\temp using the getenv() function.\r\nGetting environment variables\r\nThe malware also attempts to collect the name of the local computer using the GetComputerNameW() function.\r\nGetting the machine name\r\nThe malware then attempts to get the machine’s user name using the GetUserNameW() function.\r\nGetting the user name\r\nThe malware will extract information about the configuration of the workstation using the function NetWkstaGetInfo().\r\nGetting info on workstation’s configuration\r\nMaintenance functions\r\nAs we enter the malware’s core function, we observe a function named “sub_10006A20” (the name can change with other instances) that repeats itself multiple times during the malware’s execution.\r\nThis function receives three arguments, two pointers and a length; the function copies the data from one pointer to the other.\r\nFor example, in the first iteration, we can see sub_10006A20 do the following:\r\n1. gets the pointer of the environment variable stored in v0\r\n2. gets the environment variable length\r\n3. copies the data into v180\r\nsub_10006A20 Copy from v0 to v180\r\nIn addition, we also see the function being used four times at the beginning of the malware.\r\n1. The first two iterations will copy the environment variables as mentioned.\r\n2. The third iteration will copy a large chunk of bytes, “unk_1000A5D8”, which will later be discovered to be the malware’s config.\r\n3. The fourth iteration will copy a hardcoded string which will take part in the config decryption.\r\nsub_10006A20 usages\r\nunk_1000A5D8 array of bytes:\r\nunk_1000A5D8\r\nAnother function that is interesting is sub_100058F0. This function will copy the data from Src into the variable v156 (internally it does this using memcpy; the memcpy function is very common in this sample).\r\nWe can see that the Src argument is the copied config that was stored in unk_1000A5D8.\r\nsub_100058F0\r\nThen, the copied content (v156) will be sent to the function sub_100019B0, which deals with the config decryption.\r\nsub_100019B0 deals with config decryption\r\nThere are two ways to get the config; one of them is very trivial and easy, but where is the fun in that? (We’ll discuss this way at the end of this config section.)\r\nObserving the config decryption\r\nIf we want to observe some key features of the config decryption mechanism, we’ll have to jump inside sub_100019B0.\r\nWhen we step into the function dynamically, we can see several xor and copying activities, which eventually lead us to a memcpy call that writes the IP addresses.\r\nTo observe it, we can just follow in dump on the EDI register.\r\nmemcpy writing the IP address\r\nThen, the malware checks the size of the written content, allocates new memory using malloc, and assigns a pointer to it.\r\nThis small allocation and pointer assignment happens in the function 724D7840 (in the following image).\r\nThen, the first four bytes will be changed to the address of the new buffer that contains the IP addresses.\r\nBefore executing 724D7840\r\nAs expected, right after passing the function, we can see that the first four bytes have been changed to a pointer.\r\nAfter executing 724D7840\r\nIf we want to see the array of IP addresses that this pointer points to, do the following:\r\n1. Right-click on the pointer\r\n2. Follow DWORD in Dump\r\n3. Select your preferred dump\r\nFollowing in the pointer dump\r\nOnce we click, we can see the array of IP addresses.\r\nIP addresses array\r\nThis activity of writing and assigning a new address for the config will happen several times inside a loop; therefore, to skip it, we want to set a breakpoint right after the loop.\r\nBreaking after the config decryption loop ends\r\nAnd just like before, we can click on the pointer and follow in dump to see the config.\r\nAfter getting the config, we can get out of the entire function.\r\nRemember I said there is an easier way to get the config? Well, when sub_100019B0 ends, it returns (in the EAX register) the address of the pointer to the config.\r\nAfter sub_100019B0 ends, the EAX register holds the config\r\nTo recap, the start of the core function and the config extraction can be seen in this pseudo code.\r\nRecap\r\nNow that we are more familiar with the malware’s “maintenance functions”, we can speed things up.\r\nNetwork function\r\nOne of the interesting functions is sub_10001DB0, which appears within the largest loop in the core function. To easily locate this function in your code, search for a sleep() call with 0x5DC0 as an argument.\r\nsub_10001DB0 is the function responsible for SquirrelWaffle’s network activity.\r\nNetwork function\r\nRight after entering the function, we encounter the familiar function sub_100019B0, which, as we remember, is also used to decrypt the config.\r\nIt also seems to follow a pattern similar to the config extraction:\r\n1. sub_10006A20 receives embedded hardcoded content and copies it to memory.\r\n2. Another sub_10006A20 call receives a long hardcoded string.\r\n3. sub_100058F0 takes the copied content and assigns it.\r\n4. sub_100019B0 takes the pointer to the obfuscated content and the hardcoded string as arguments.\r\nsub_100019B0 in the Network Function\r\nBecause we have already seen this pattern, we remember that if we step over sub_100019B0 we will see some content returned. Interestingly, now the content is a list of C2 domains.\r\nReturned list of C2 domains\r\nAfter collecting the C2 domains and IP addresses, the malware can finally communicate externally. The communication is done using the classic WS2_32 API calls.\r\nThe malware first creates a socket, sends data using send(), and receives information from the C2 using recv().\r\nSquirrelWaffle communication functions\r\nOnce the network function finishes its activity it returns to the core function; then we start to see signs and clues about the content to be downloaded.\r\nFinal payload\r\nAs mentioned by several security researchers, SquirrelWaffle aims to download the Cobalt-Strike framework.\r\nOnce downloaded, SquirrelWaffle stores the binary as a .txt file. A possible indication of this activity can be seen in the code in the hardcoded “.txt” strings.\r\nIndication of .txt extension\r\nThe malware has execution capabilities using the WinExec function. The function can be invoked from three different locations during the malware’s execution.\r\nWinExec\r\nRecap\r\nIn this technical analysis, we discussed multiple topics:\r\n1. The SquirrelWaffle dropper and how to unpack it\r\n2. The SquirrelWaffle core function\r\n3. SquirrelWaffle’s network capabilities as a downloader\r\n4. How to observe SquirrelWaffle’s list of C2 domains and IP addresses\r\nThe entire analysis flow can also be seen in the following graph:\r\nConclusion and thoughts\r\nIn this article, I presented the newly emerged malware downloader SquirrelWaffle. Although SquirrelWaffle is “the new kid on the block” in the cybercrime ecosystem, its dropper already uses a well-known crypter that was used by other famous malware.\r\nThese findings raise the question of whether the threat actor behind SquirrelWaffle is an already known group.\r\nAlso, many ransomware attacks have started after a successful deployment of the Cobalt-Strike framework; it will be interesting to see how many ransomware attacks will happen because of infiltration by SquirrelWaffle, and which ransomware group will operate with it.\r\nFurthermore, because this malware is new, more features are likely to be discovered in the near future. It will be interesting to track this malware’s evolution as time goes on.\r\nReferences:\r\n1. https://twitter.com/malware_traffic/status/1439052358437253123\r\n2. https://www.malware-traffic-analysis.net/2021/09/17/index.html\r\n3. https://security-soup.net/squirrelwaffle-maldoc-analysis/\r\n4. https://twitter.com/Max_Mal_/status/1439415164605018113\r\nSource: https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9"
	],
	"report_names": [
		"the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434661,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/202d2e8cf5cec632205a8be49de4513d3a7cbcde.pdf",
		"text": "https://archive.orkl.eu/202d2e8cf5cec632205a8be49de4513d3a7cbcde.txt",
		"img": "https://archive.orkl.eu/202d2e8cf5cec632205a8be49de4513d3a7cbcde.jpg"
	}
}