{
	"id": "45ad60ca-54c1-4aeb-a4f1-3e64ed05f628",
	"created_at": "2026-04-06T00:18:37.991612Z",
	"updated_at": "2026-04-10T03:28:20.573443Z",
	"deleted_at": null,
	"sha1_hash": "22c7a4577f38f1ea8986f0c7cdcd965a070a994a",
	"title": "Look how many cybercriminals love Cobalt Strike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67283,
	"plain_text": "Look how many cybercriminals love Cobalt Strike\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-05 15:57:06 UTC\r\nSince its release in 2012, Cobalt Strike has been one of the most popular tools penetration testers use to simulate how known threat actor tooling looks when it targets an organization’s network. There is a downside to that popularity: the criminals love it, too, and when they use it, it is not to simulate anything.\r\nCobalt Strike has become a very common second-stage payload across many malware campaigns and malware families. The product’s developers restrict who can buy this powerful and highly flexible tool, but leaked and cracked versions have long circulated on the internet. There are also plenty of tutorials, training videos and other public documentation that help newcomers use it effectively, lowering the barrier to entry into cybercrime.\r\nThe cybercrime underground’s adoption of Cobalt Strike correlates with the rise in ransomware activity over the past few years, and it is tied to numerous other malware families that lead to ransomware attacks, data exfiltration, or both. Despite all of the criminal activity launched with this pen testing tool, it can be difficult to work out who actually controls a malicious Cobalt Strike team server. In addition, Cobalt Strike’s “Malleable C2” profiles let operators reshape the Beacon’s network traffic (URIs, headers, encodings and the like), so a signature written for one deployment need not match the next.\r\nDespite these obfuscation options, Intel 471 has collected a wealth of information on how the cybercrime underground has refashioned this security tool to its advantage. The following takes a deeper look at which threat actor groups and malware families are dropping Cobalt Strike for post-exploitation.\r\nTrickbot\r\nIt should come as no surprise that Trickbot is on this list. 
Public reports of Trickbot operators dropping Cobalt Strike go back to 2019 [1].\r\nWe recently observed Trickbot infections associated with a specific “gtag” (a campaign tracking ID used by the malware’s operators) directly dropping Cobalt Strike stagers that were code-signed with a Sectigo-issued certificate.\r\nTrickbot operators using the “rob” gtag pushed a variety of Cobalt Strike stagers (http, https, x86, x64) through Trickbot’s download-and-execute capability (command 43). Every stager variant was fetched from the same server (http[:]//107.173.49.118) and, depending on the protocol it was built for, tried to connect to https[:]//olhnmn.com (http[:]//217.12.201.194). The Malleable C2 profile was based on this public profile on GitHub:\r\nOther researchers have also written about Cobalt Strike activity originating from Trickbot infections. Walmart Global Tech [2] has published details of a ransomware operation in which a group using the Trickbot banking trojan deployed Cobalt Strike. The watermark observed in that payload is 1359593325. (A watermark is a license-specific number that Cobalt Strike embeds in every Beacon and stager a given installation generates; it can be extracted from a captured payload’s configuration and used to cluster samples built with the same licensed or cracked copy.)\r\nAnother security researcher has detailed in his blog [3] the phases of an intrusion that began with an Emotet infection, continued with a Trickbot install and then used a series of post-exploitation tools and frameworks, eventually including Cobalt Strike.\r\nIn that intrusion Cobalt Strike was loaded at an advanced stage. In our telemetry, by contrast, the download \u0026 execute events for Cobalt Strike were recorded immediately after Trickbot pushed the modules it fetches when initiating an infection. 
That may indicate that different threat groups are using the same tool but with different TTPs.\r\nFor reference, the following table gathers the Cobalt Strike hashes collected by our tracking that originated from the Trickbot “rob” gtag:\r\nSAMPLE NAME SHA256\r\ncrypt_run2.exe 246c91ac7955ba97cc3c1aaf7b35a1798b72d7a3f82dca445e2e401430697ceb\r\ncrypt_run1.exe c4b4eb963c91fb4e82b0fbe510c35212d1f59850de82b04b0916ffd0cf5ef2af\r\nhttps_444_x86.exe d67baca49193bd23451cca76ff7a08f79262bf17fb1d8eb7adaf7296dca77ad6\r\nhttps_444_x64.exe 12dd3add463863ab1f294f2038e5832ff5e0adf2a3ca28e42202a0705c6f3cec\r\nhttp_444_x86.exe 7c76a27f3f9af16b5f7872e4bb459f0d4860d295d60e5f88fdc0eec16972e093\r\nhttp_444_x64.exe 28c3f5bcedbea2c97d5baa8c12353d6c79ba0cb94512f322487dc166b54fdb27\r\nhttp://www.intel471.com/blog/cobalt-strike-cybercriminals-trickbot-qbot-hancitor\r\nPage 1 of 6\r\nThe Cobalt Strike watermark that Intel 471 extracted from these Trickbot-delivered payloads is 305419896 (0x12345678), a value widely seen in cracked copies of Cobalt Strike and therefore of little attribution value on its own.\r\nOther sources have also reported Cobalt Strike activity originating from “rob” Trickbot infections. In May 2021, The DFIR Report [4] blogged their observations of Cobalt Strike activity following an intrusion that started with Trickbot.\r\nEven though the same gtag is behind both Cobalt Strike deployments, the configuration extracted from our beacons differs completely from the one observed in The DFIR Report article. This may suggest that multiple threat actors are performing the post-infection activity that leads to ransomware and data exfiltration. It could also mean that the operators pay close attention to operational security and avoid re-using infrastructure or methodologies across attacks.\r\nHancitor\r\nThe actors behind Hancitor use Cobalt Strike, but this hasn’t always been the case. 
This threat actor group preferred to drop the Gozi ISFB trojan and the Evil Pony credential harvester until mid-2019, when it replaced Gozi ISFB with Cobalt Strike. The switch is a signal of when the group may have decided to pursue ransomware instead of account takeovers. As we will demonstrate later in this section, the Cobalt Strike deployments from Hancitor payloads are strikingly similar. This leads us to believe that one threat-actor group manages these particular Cobalt Strike team servers as well as the infected machines.\r\nThe group setting up the Cobalt Strike team servers related to Hancitor prefers to host its CS beacons on hosts without a domain name, and the beacons call home to the same set of IPs. Stagers are downloaded from infrastructure set up via the Yalishanda bulletproof hosting service.\r\nIt is important to note that Hancitor only drops Cobalt Strike on machines that are joined to a Windows domain. When this condition isn’t met, Hancitor may instead drop SendSafe (a spambot), the Onliner IMAP checker, or the Ficker information stealer.\r\nStager distribution URLs (where Hancitor fetches CS stagers):\r\nhttp://tren0[.]ru/0504.bin\r\nhttp://tren0[.]ru/0504s.bin\r\nhttp://pipopetfiu[.]ru/0104.bin\r\nhttp://s5iwc[.]ru/0804s.bin\r\nhttp://pipopetfiu[.]ru/0104s.bin\r\nhttp://clublifes[.]ru/2903.bin\r\nhttp://45des29[.]ru/1504s.bin\r\nhttp://bambinoska[.]ru/2104.bin\r\nhttp://g1smurt[.]ru/2303s.bin\r\nhttp://man70[.]ru/2204s.bin\r\nhttp://masaddrino[.]ru/1904.bin\r\nhttp://q17ar45[.]ru/3003s.bin\r\nhttp://gru77[.]ru/2704.bin\r\nhttp://derferper[.]ru/1204s.bin\r\nhttp://pirijinko[.]ru/1703s.bin\r\nhttp://qm30098[.]ru/1404.bin\r\nhttp://67xfjk[.]ru/0704.bin\r\nStager download URLs (CS stagers fetch CS beacon from 
here):\r\nhttp://185.172.129[.]132:80/jDEi\r\nhttp://192.95.16[.]245:80/OMkU\r\nhttp://37.1.211[.]126:80/tV9Y\r\nhttp://45.136.113[.]10:80/fk5V\r\nhttp://45.138.27[.]44:80/w9aK\r\nhttp://45.176.188[.]137:80/pFq5\r\nhttp://66.165.240[.]211:80/l9Jm\r\nhttp://74.121.191[.]2:80/wXY4\r\nhttp://74.50.60[.]96:80/9Wic\r\nhttp://80.92.205[.]9:80/CbKl\r\nhttp://82.117.252[.]78:80/zGi2\r\nThe four-character paths above follow the checksum8 convention Cobalt Strike inherited from Metasploit: the sum of the path’s ASCII bytes (without the leading slash) modulo 256 is 92 for an x86 stager and 93 for an x64 stager. Every path in this list sums to 92, which makes stager fetches cheap to flag in proxy logs.\r\nBeacon C2 URLs (Beacons check in here):\r\nhttps://74.50.60[.]96/cx\r\nhttp://192.95.16[.]245/activity\r\nhttps://45.176.188[.]137/ptj\r\nhttps://45.136.113[.]10/dpixel\r\nhttp://80.92.205[.]9/cx\r\nhttps://80.92.205[.]9/updates.rss\r\nhttp://45.170.245[.]190/visit.js\r\nhttps://173.199.115[.]116/cm\r\nhttp://185.172.129[.]132/j.ad\r\nhttps://80.92.205[.]9/__utm.gif\r\nThese check-in paths (/cx, /activity, /ptj, /dpixel, /updates.rss, /visit.js, /cm, /j.ad, /__utm.gif) all come from the GET URI list of Cobalt Strike’s default HTTP profile, consistent with the Hancitor operators not customizing their Malleable C2 profile.\r\nThe public RSA key used by the Hancitor team’s Cobalt Strike beacons doesn’t change often. The base64-encoded key we observe in recent samples begins:\r\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnOM3nXx+7HBhkbDd+AwFrFisSunK999w2tM0uTpuuEiBalcJhcL+QgQWtf6S7zPp5hjIm\r\nBecause the key pair is generated once per team server installation (and stored in its .cobaltstrike.beacon_keys file), a shared public key across samples is strong evidence that they were built on the same team server or on a copy of its keystore.\r\nQbot\r\nWhile it has been around since 2007, the banking trojan Qbot (also known as Qakbot) is still used by cybercriminals. Not only do its core components receive major updates every few months, but its modular design lets the developers push a variety of plug-ins that extend the bot’s capabilities. One of these plug-ins equips the bot to join the Cobalt Strike trend.\r\nOur Qbot tracking has registered attempts to load these Cobalt Strike loader binaries. The controller instruction differs from the other families described here in that the Cobalt Strike loader is shipped to Qbot bots as a plug-in. 
The download plug-in directive reveals the internal name the Qbot developers gave the plug-in DLL: plugin_cobalt_power3.\r\nAn example of plugin_cobalt_power3 collected from Qbot:\r\nSHA256 Controller\r\ncd406baf24626545dc66102b593fdf70b1922d9497e95a92b1a2e5db277603e0 https://saferem[.]com\r\nThe configuration extracted from the Qbot-related Cobalt Strike beacon shows no links to any other group we are aware of. The Cobalt Strike watermark in the beacon is 1580103814.\r\nWhen comparing this activity with samples reported by other researchers, we observed different public Malleable C2 profiles in use, but commonalities in hosting infrastructure.\r\nSystemBC\r\nSystemBC is malware that turns an infected host into a SOCKS5 proxy, which its operators use to tunnel malicious traffic and evade detection. It includes download-and-execute functionality and supports self-updates. Cybersecurity firm Proofpoint published an extensive report on this malware family in August 2019 [5].\r\nSystemBC is often observed as one part of an extensive infection chain. Some targeted ransomware operators appear to use it to maintain a secondary backdoor channel into a breached network. We observed SystemBC dropping Cobalt Strike during mid-to-late 2020 and early 2021. The following is a summary of the SystemBC activity that led to Cobalt Strike being dropped.\r\nSystemBC controller: tcp[:]//80.85.84.79:4001\r\nActivity period: Nov. 15, 2020 - Nov. 27, 2020\r\nNov. 15: It downloaded a Cobalt Strike Beacon from http[:]//activedirectorysearch.com:8000/beac_prx8.exe. Hash: d5f3ba52e0b71e8367636d60b13722b184cc764be4af0226429fe2a656c6653c Controller: https[:]//activedirectorysearch.com/api/beta/Users(' Watermark: 305419896\r\nNov. 24: It downloaded a Cobalt Strike Beacon from http[:]//activedirectorysearch.com:8000/beac_prx8.exe. Hash: 5e5e25a926e27bdd67ffcbace103dc5d0e0cdcf2f04c9fb17d92e3bb1a85086c Controller: https[:]//activedirectorysearch.com/api/beta/Users( Watermark: \u003cunknown\u003e\r\nNov. 27: It tried to download an unknown sample from https[:]//activedirectorysearch.com/crypt_socks.exe. The sample was not found.\r\nThis SystemBC controller was only active during that short period and only downloaded those samples. We cannot link this IP to any known actor or infrastructure, and the controller configured in those Cobalt Strike samples does not appear in any other sample in our collection.\r\nThe domain is still active and the server is up, but there is no trace of Cobalt Strike resources. The IP hosting ‘activedirectorysearch[.]com’, 212.47.228[.]134, responds with a ‘bad gateway’ error, consistent with an nginx reverse proxy (a redirector placed in front of the team server) whose upstream is no longer connected. This IP is linked to several pieces of malware and has hosted a lot of malicious activity: VirusTotal shows multiple domains and resources on it tied to phishing, APK delivery and other malicious activity.\r\nSystemBC controller: tcp[:]//172.105.253.97:4001\r\nActivity period: Nov. 29, 2020 - Dec. 15, 2020\r\nNov. 29 - Dec. 10: It downloaded a VBS script used for reconnaissance of Windows networks from http[:]//172.105.253.97/systembc/exec.vbs. Hash: e86d3fd7a2ff1bc75d750b661dfd3ab357b611028abfbbedd4653b930160d6d2 Summary: The script combined early-stage reconnaissance with a foothold: it added a new user on the victim machine, made that user an administrator, enabled Remote Desktop and collected network information about the infected machine. The TTPs of the operator or operators of the VBScript tool suggested they might be running an undisclosed ransomware operation, using the script at the initial compromise stage and for reconnaissance of the system. Through the course of our research, we identified 18 entities in Canada, Germany, Ireland, Luxembourg, the U.K. and the U.S. where the script was deployed.\r\nDec. 10 - Dec. 11: It downloaded a Cobalt Strike Beacon from http[:]//172.105.253.97/coba.exe. Hash: 45deabe9eb879879da56164dccbe7efa02f4943e691045fdee2531bd1e7ad8d3 Controller: https[:]//lsass.cloud/pixel Watermark: 0 (a zero watermark is typical of cracked builds with the licensing code patched out, so it carries no attribution value)\r\nDec. 15: It tried to download an unknown sample from http[:]//172.105.253.97/all_xxx.exe and also downloaded a Cobalt Strike loader from http[:]//172.105.253.97/artif_pp.exe. Hash: 6b3991d59e49312c4f6dc09ba900d4cff475598e6a190da340466313be48c4f3 Controller: https[:]//lsass.cloud:443/1kxH\r\nThe infrastructure for this operation was shared between SystemBC and Cobalt Strike: the SystemBC controller IP also served the Cobalt Strike beacon and loader downloads, and the Cobalt Strike C2 domain ‘lsass.cloud’ resolved to 172.105.34.105, hosted by Linode in the same /16 as the SystemBC controller.\r\nSomething interesting to notice here is that there are also Cobalt Strike stager samples that download Beacon from the same IP/domain but are not directly dropped by SystemBC. 
This demonstrates what other researchers have also found: SystemBC is used as an alternative backdoor into breached networks.\r\nCobalt Strike stager: 575f230f54f769aa3a9ea3a5e76d64a8419501d16651fac0c0e2247f4a41e16e\r\nDownload URL: https[:]//lsass.cloud:443/2tsC\r\nCobalt Strike Beacon: 5259695c25fa6cc27334d3c9d16a307f1762ca0aa3b0cc3e153f271b2df4e6c4\r\nController: https[:]//lsass.cloud/api/beta/Users('\r\nUsing OSINT it is possible to find more Cobalt Strike samples sharing this domain:\r\nhttps[:]//lsass.cloud/pixel\r\nhttps[:]//lsass.cloud/g.pixel\r\nhttps[:]//lsass.cloud/dpixel\r\nhttps[:]//lsass.cloud/8Amv\r\nhttps[:]//lsass.cloud:443/1kxH\r\nThe /pixel, /g.pixel and /dpixel paths are Beacon check-in URIs from Cobalt Strike’s default profile, and /8Amv, /1kxH and /2tsC are x86 checksum8 stager paths (their ASCII bytes sum to 92 modulo 256).\r\nSmokeloader\r\nCobalt Strike is most often deployed selectively, on targets that meet certain criteria. However, Intel 471 found an instance where Cobalt Strike was deployed haphazardly across a range of infected systems, alongside several other malware samples. This was most likely the work of a malware install service, where threat actors buy “loads” (installs) in bulk.\r\nThe nexus of this activity was an actor that maintains large botnets built on a modular loader known as Smokeloader, which first appeared in 2011 and exists in resident and non-resident versions. Despite its age, Smokeloader is still used in the wild and has received several code updates from its author, Smokeldr. It includes many features and accepts multiple modules: it can steal files and browser data, mine various cryptocurrencies and, among other things, download and execute additional payloads.\r\nThe typical payloads distributed by this threat actor are various stealers and RATs. 
However, on one occasion, Intel 471 uncovered a Cobalt Strike stager.\r\nThe controller which delivered the download command was:\r\nh[tt]p://dsdett[.]com/upload/\r\nThis Smokeloader controller was hosted by a bulletproof hoster known as CCweb (also known as Fluxxy). The CS stager was downloaded from:\r\nh[tt]p://persoonlijknab[.]com/putty.exe\r\nThe Cobalt Strike beacon was downloaded from:\r\nh[tt]p://164.90.173[.]158:80/VYy4\r\nand reported back to:\r\nh[tt]p://164.90.173[.]158/push\r\nThis Cobalt Strike control server was hosted at DigitalOcean and carried a watermark of 1359593325, the same value Walmart Global Tech [2] reported for the Cobalt Strike loader used by the Trickbot crew, which suggests both were built from the same license key or the same cracked copy.\r\nWhat this shows is that even lower-tier cybercriminals who buy installs, rather than setting up their own dedicated infection campaigns, are using Cobalt Strike.\r\nBazar\r\nBazar is a loader and backdoor pair that emerged in April 2020. Also known as Baza, the backdoor allows its operators to execute commands, exfiltrate files and download additional malware onto an infected system.\r\nIncidents of the Bazar backdoor downloading and executing Cobalt Strike have been documented in previous reports.\r\nIn late March 2021, Intel 471’s automated tracking systems received commands to execute the reconnaissance batch script below from two Bazar backdoor controllers: 3.89.160[.]167 and 34.239.255[.]128. We believe this stage precedes the deployment of Cobalt Strike on hosts deemed of interest to the operators. 
As such, it is also a precursor to data exfiltration and the deployment of ransomware by targeted ransomware operators.\r\n@echo off\r\necho General Info:\r\nsysteminfo\r\necho.\r\necho My Username:\r\nwhoami\r\necho.\r\necho Network Neighbourghoud:\r\nnet view /all\r\necho.\r\necho Domain Neighbourghoud:\r\nnet view /all /domain\r\necho.\r\necho Domain Trust:\r\nnltest /domain_trusts /all_trusts\r\necho.\r\necho Installed Programs:\r\nreg query hklm\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall /v \"DisplayName\" /s\r\necho.\r\necho Installed Programs (wow64):\r\nreg query hklm\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall /v \"DisplayName\" /s\r\necho.\r\necho Installed Programs (current user):\r\nreg query hkcu\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall /v \"DisplayName\" /s\r\necho.\r\necho Installed Programs (current user, wow64):\r\nreg query hkcu\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall /v \"DisplayName\" /s\r\necho.\r\necho Process List:\r\ntasklist\r\nThe script’s output (host details, current user, network and domain shares, domain trusts, installed software and running processes) gives the operator what is needed to decide whether a host is worth a Cobalt Strike deployment. Commands such as nltest /domain_trusts and net view /domain are rarely run by ordinary users, so their execution from an unexpected parent process is a high-signal detection opportunity.\r\nIn early 2021, Bazar campaigns distributed a Cobalt Strike loader variant instead of the conventional Bazar loader. The samples were signed and had no antivirus detections on platforms such as VirusTotal at the time of those campaigns. Below are some artifacts from samples of this variant:\r\nLoader URLs:\r\nhxxps://finderout[.]com:443/components/af.png\r\nhxxps://lionpick[.]com:443/image-directory/profile.jpg\r\nhxxps://hdhuge[.]com:443/files/remove.gif\r\nBeacon URLs:\r\nhxxps://finderout[.]com/mobile-ipad-home.css\r\nhxxps://lionpick[.]com:443/media.css\r\nhxxps://hdhuge[.]com:443/skin\r\nUnlike the default-profile paths seen with Hancitor, these URIs do not come from Cobalt Strike’s stock profile, so this crew was using a custom or publicly shared Malleable C2 profile.\r\nConclusion\r\nCobalt Strike is a powerful tool that is being leveraged by people who should not have it at all: a growing number of cybercriminals. That said, not all deployments of Cobalt Strike are the same. 
As this blog has shown, some deployments demonstrate poor operational security by re-using infrastructure and not changing their Malleable C2 profiles. Additionally, some operators drop Cobalt Strike on many infected systems, while others deploy the tool very selectively.\r\nCobalt Strike, while used by security practitioners to ultimately thwart cybercrime, is now a common tool in the arsenal of cybercriminals. For now, most threat actors rely on open-source methods for deployment and configuration, but we expect cybercriminals to begin to innovate and develop new tactics that defenders will have to adapt to. We expect these innovations particularly from the groups that use the tool in targeted ransomware attacks.\r\nFor more on what Intel 471 has observed, download our white paper.\r\n1. Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware. https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware\r\n2. TrickBot Crews New CobaltStrike Loader. https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c\r\n3. TRICKBOT - Analysis Part II. https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/\r\n4. Trickbot Brief: Creds and Beacons. https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons\r\nSource: http://www.intel471.com/blog/cobalt-strike-cybercriminals-trickbot-qbot-hancitor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"http://www.intel471.com/blog/cobalt-strike-cybercriminals-trickbot-qbot-hancitor"
	],
	"report_names": [
		"cobalt-strike-cybercriminals-trickbot-qbot-hancitor"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "81dde5cc-c29f-430d-8c6e-e5e92d5015e7",
			"created_at": "2022-10-25T16:07:23.704358Z",
			"updated_at": "2026-04-10T02:00:04.718034Z",
			"deleted_at": null,
			"main_name": "Harvester",
			"aliases": [],
			"source_name": "ETDA:Harvester",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Graphon",
				"Metasploit",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434717,
	"ts_updated_at": 1775791700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/22c7a4577f38f1ea8986f0c7cdcd965a070a994a.pdf",
		"text": "https://archive.orkl.eu/22c7a4577f38f1ea8986f0c7cdcd965a070a994a.txt",
		"img": "https://archive.orkl.eu/22c7a4577f38f1ea8986f0c7cdcd965a070a994a.jpg"
	}
}