{ "id": "c3d56338-cada-4de9-9fe2-1142854058e1", "created_at": "2026-04-06T00:19:33.474665Z", "updated_at": "2026-04-10T03:38:01.852065Z", "deleted_at": null, "sha1_hash": "22d22d9c3e7d349ffec264370abfda2dcb4a62dc", "title": "Cobalt Strike: Favorite APT Tool to Crimeware | Proofpoint US", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 426248, "plain_text": "Cobalt Strike: Favorite APT Tool to Crimeware | Proofpoint US\r\nBy June 29, 2021 Selena Larson and Daniel Blackford\r\nPublished: 2021-06-23 · Archived: 2026-04-05 19:26:08 UTC\r\n(Updated 8/18/2021 at the request of a third-party)\r\nKey Findings \r\nMalicious use of Cobalt Strike in threat actor campaigns is increasing. \r\nThreat actor use of Cobalt Strike increased 161 percent from 2019 to 2020 and remains a high-volume threat in 2021. \r\nCobalt Strike is currently used by more cybercrime and general commodity malware operators than APT\r\nand espionage threat actors. \r\nOverview \r\nIn 2021, Cobalt Strike is appearing in Proofpoint threat data more frequently than ever. Cobalt Strike is a\r\nlegitimate security tool used by penetration testers to emulate threat actor activity in a network. However, it\r\nis also increasingly used by malicious actors – Proofpoint saw a 161 percent increase in threat actor use of the\r\ntool from 2019 to 2020. This aligns with observations from other security firms as more threat actors adopt\r\nhacking tools in their operations.  \r\nWhen mapped to the MITRE ATT\u0026CK framework, Proofpoint’s visibility into the attack chain focuses on Initial\r\nAccess, Execution, and Persistence mechanisms. That is: How are threat actors attempting to compromise hosts\r\nand what payloads are they deploying first? Our corpus of threat actor data includes criminal and state-associated threat actor groups. Based on our data, Proofpoint assesses with high confidence that Cobalt Strike is\r\nbecoming increasingly popular among threat actors as an initial access payload, not just a second-stage tool threat\r\nactors use once access is achieved, with criminal threat actors making up the bulk of attributed Cobalt\r\nStrike campaigns in 2020. \r\nBackground \r\nIn December 2020, the world learned about an expansive and effective espionage campaign that successfully\r\nbackdoored the popular network monitoring software SolarWinds. Investigators revealed tools used by the threat\r\nactors included Cobalt Strike Beacon. This campaign was attributed to threat actors working for Russia’s Foreign\r\nIntelligence Service – a group with Cobalt Strike in their toolbox since at least 2018. This high-profile activity\r\nwas part of a clever attack chain enabling advanced threat actors to surreptitiously compromise a relatively small\r\nnumber of victims. The tool used, and customized to fit their needs, is almost a decade old but increasingly\r\npopular. \r\nhttps://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware\r\nPage 1 of 9\n\nCobalt Strike debuted in 2012 in response to perceived gaps in an existing red team tool, the Metasploit\r\nFramework. In 2015, Cobalt Strike 3.0 launched as a standalone adversary emulation platform. By\r\n2016, Proofpoint researchers began observing threat actors using Cobalt Strike.  \r\nHistorically, Cobalt Strike use in malicious operations was largely associated with well-resourced threat\r\nactors, including large cybercrime operators like TA3546 (also known as FIN7), and advanced persistent threat\r\n(APT) groups such as TA423 (also known as Leviathan or APT40). Proofpoint researchers have attributed two-thirds of identified Cobalt Strike campaigns from 2016 through 2018 to well-resourced cybercrime organizations\r\nor APT groups. That ratio decreased dramatically the following years – between 2019 and present, just\r\n15 percent of Cobalt Strike campaigns were attributable to known threat actors.  \r\n \r\nFigure 1: Number of email messages associated with a Cobalt Strike payload observed over time. Note: 2021\r\nfigures include data through May 2021. \r\nThreat actors can obtain Cobalt Strike in a variety of ways: purchasing it directly from the vendor’s website,\r\nwhich requires verification; buying a version on the dark web via various hacking forums; or using cracked,\r\nillegitimate versions of the software. In March 2020, a cracked version of Cobalt Strike 4.0 was released and made\r\navailable to threat actors. \r\nCobalt Strike’s Appeal \r\nCobalt Strike is used by a diverse array of threat actors, and while it is not unusual for cybercriminal and APT\r\nactors to leverage similar tooling in their campaigns, Cobalt Strike is unique in that  its built-in capabilities enable\r\nit to be quickly deployed and operationalized regardless of actor sophistication or access to human or financial\r\nhttps://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware\r\nPage 2 of 9\n\nresources. The job of simulating actor attacks and penetrating defenses might become a bit more straightforward\r\nwhen both sides are using the same tool.  \r\nCobalt Strike is also session-based — that is, if threat actors can access a host and complete an operation without\r\nneeding to establish ongoing persistence, there will not be remaining artifacts on the host after it is no longer\r\nrunning in-memory. In essence: they can hit it and forget it. \r\nThreat actors can also use the malleability of Cobalt Strike to create customized builds that add or remove features\r\nto achieve objectives or evade detection. For example, APT29 frequently uses custom Cobalt Strike Beacon\r\nloaders to blend in with legitimate traffic or evade analysis. \r\n For defenders, customized Cobalt Strike modules often require unique signatures, so threat detection engineers\r\nmay be required to play catch-up to Cobalt Strike use in the wild. Cobalt Strike is also appealing to threat\r\nactors for its inherent obfuscation. Attribution gets more difficult if everyone is using the same tool. If an\r\norganization has a red team actively making use of it, it is possible malicious traffic could be mistaken as\r\nlegitimate. The software’s ease of use can improve the capabilities of less sophisticated actors. For sophisticated\r\nactors, why spend development cycles on something new when you already have a great tool for the job? \r\nProofpoint data shows Cobalt Strike is a popular tool for everything from strategic compromises to noisy,\r\nwidespread campaigns. The following examples illustrate a small sampling of the types of threat actors leveraging\r\nCobalt Strike tracked by Proofpoint. \r\nThreat Actors \r\nTA800 \r\nTA800 is a large crimeware group tracked by Proofpoint since mid-2019. This actor attempts to deliver and install\r\nbanking malware or malware loaders, including The Trick and BazaLoader. In April 2020, TA800 became the first\r\ngroup observed distributing BazaLoader. In these early campaigns, the threat actor distributed emails with a\r\nmalicious link to an executable or a landing page hosted on Google Docs with a link to an executable. The\r\nexecutable downloaded the BazaLoader backdoor which in turn downloaded Cobalt Strike. In February 2021, the\r\ngroup pivoted to distributing Cobalt Strike as a first-stage payload via malicious URLs. There has been some\r\nevidence suggesting TA800’s NimzaLoader is being used to download and execute Cobalt Strike as its secondary\r\npayload.  \r\nTA547 \r\nTA547 is a crimeware actor tracked by Proofpoint since October 2017. This group appears to be interested in\r\ndistributing primarily banking trojans – including The Trick and ZLoader – to various geographic regions. Since\r\nmid-2020, this actor favors using malicious Microsoft Office attachments to distribute malware. In February 2021,\r\nTA547 began distributing Cobalt Strike as a second-stage payload for command and control.  \r\nTA415 \r\nTA415 is an APT actor believed to be associated with People’s Republic of China (PRC) state interests. The group\r\nhas been noted in United States court filings to be tied to PRC’s Ministry of State Security. TA415 is also known\r\nhttps://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware\r\nPage 3 of 9\n\nas Barium and APT41. Proofpoint identified TA415 delivering Cobalt Strike as a first-stage payload in limited\r\ncampaigns during mid-2020. In September 2020, the United States Department of Justice announced the\r\nindictment of several threat actors associated with this threat group, and detailed the threat actors use of Cobalt\r\nStrike in the indictment. Based on recent reporting by Group-IB, TA415 used Cobalt Strike in a campaign against\r\nan entity in the airlines sector.\r\nThe following timeline provides a small sample of threat actor use of Cobalt Strike across cybercrime and APT\r\nthreats. The selected events were identified based on their significance, and are not representative of the full\r\nCobalt Strike threat landscape.  \r\nhttps://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware\r\nPage 4 of 9\n\nhttps://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware\r\nPage 5 of 9\n\nFigure 2: Timeline of threats using Cobalt Strike. Links to the sources are available in the References section. \r\nAttack Chain \r\nProofpoint has observed dozens of threat actors using Cobalt Strike. However, like their legitimate counterparts,\r\nthreat actors exhibit many attack paths and use cases of the malicious actor emulation software. Threat actors use\r\ndifferent lure themes, threat types, droppers, and payloads. For example, the earliest Cobalt Strike campaigns\r\ndistributed email threats with malicious document attachments to distribute the malware, but campaigns\r\ndistributing malicious URLs directly in the email body have overtaken attachments as the more frequently utilized\r\nthreat type.  \r\nhttps://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware\r\nPage 6 of 9\n\nWhile instances of Cobalt Strike being sent directly as an initial payload have dramatically increased, deployment\r\nas a second stage payload remains popular. Cobalt Strike has been observed in a variety of attack chains alongside\r\nmalware such as The Trick, BazaLoader, Ursnif, IcedID, and many more popular loaders. In these cases, the\r\npreceding malware typically loads and executes Cobalt Strike. Likewise, there is a wide array of techniques\r\nleveraged in cases where Cobalt Strike is delivered directly, such as via malicious macros in weaponized Office\r\ndocuments, compressed executables, PowerShell, dynamic data exchange (DDE), HTA/HTML files, and traffic\r\ndistribution systems. \r\nAfter Cobalt Strike has been executed and a Beacon established for C2 communication, actors have been observed\r\nattempting to enumerate network connections and dumping Active Directory credentials as they try to move\r\nlaterally to a network resource such as a Domain Controller, allowing for deployment of ransomware to all\r\nnetworked systems. For example, the Cobalt Strike documentation states:  \r\nUse the net dclist command to find the Domain Controller for the domain the target is joined to. Use the net\r\nview command to find targets on the domain the target is joined to. \r\nIn addition to network discovery and credential dumping, Cobalt Strike Beacon also has the capability to elevate\r\nprivileges, load and execute additional tools, and to inject these functions into existing running host processes to\r\nattempt to avoid detection. \r\nOutlook \r\nProofpoint researchers anticipate Cobalt Strike will continue to be a commonly used tool in threat actor toolsets.\r\nAccording to internal data, tens of thousands of organizations have already been targeted with Cobalt Strike, based\r\non observed campaigns. We expect this number to increase in 2021. \r\n   \r\nFigure 3: Number of customers targeted by threats using Cobalt Strike \r\nConclusion \r\nhttps://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware\r\nPage 7 of 9\n\nCobalt Strike is a useful tool, for legitimate security researchers and threat actors alike. Its malleability coupled\r\nwith its usability makes it a robust and effective tool for siphoning data, moving laterally, and loading additional\r\nmalware payloads.  \r\nCobalt Strike is not the only red team tool appearing more often in Proofpoint data. Others include Mythic,\r\nMeterpreter, and the Veil Framework.  \r\nThe use of publicly available tooling aligns with a broader trend observed by Proofpoint: Threat actors are using\r\nas many legitimate tools as possible, including executing Windows processes like PowerShell and WMI; injecting\r\nmalicious code into legitimate binaries; and frequently using allowable services like Dropbox, Google Drive,\r\nSendGrid, and Constant Contact to host and distribute malware.  \r\nReferences \r\nThe following references are associated with the above timeline.  \r\nJanuary 2016 – Odinaff: New Trojan used in high level financial attacks \r\nMay 2017 – Microsoft Word Intruder Integrates CVE-2017-0199, Utilized by Cobalt Group to Target Financial\r\nInstitutions \r\nOctober 2017 – Leviathan: Espionage actor spearphishes maritime and defense targets \r\nApril 2018 – APT攻撃者グループ menuPass(APT10) による新たな攻撃を確認 \r\nNovember 2018 – Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign \r\n 2019 – Seven International Cyber Defendants, Including “Apt41” Actors, Charged In Connection With Computer\r\nIntrusion Campaigns Against More Than 100 Victims Globally  \r\nNovember 2019 – TA2101 plays government imposter to distribute malware to German, Italian, and US\r\norganizations \r\nSeptember 2020 – Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity \r\nDecember 2020 – Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global\r\nVictims With SUNBURST Backdoor \r\nMarch 2021 – NimzaLoader: TA800’s New Initial Access Malware \r\nMay 2021 – New sophisticated email-based attack from NOBELIUM \r\nDetections \r\nProofpoint Emerging Threats includes robust detections for Cobalt Strike. The following are a sample of our\r\ndetections as they relate to the behaviors described in this report. \r\n2028591 ET TROJAN Cobalt Strike Malleable C2 Request YouTube Profile \r\nhttps://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware\r\nPage 8 of 9\n\n2028589 ET TROJAN Cobalt Strike Malleable C2 Response O365 Profile M2 \r\n2032749 ET TROJAN Cobalt Strike Malleable C2 Amazon Profile \r\n2032746 ET TROJAN Cobalt Strike Malleable C2 QiHoo Profile \r\n2027082 ET TROJAN Observed Malicious SSL Cert CobaltStrike C2 \r\n2023629 ET INFO Suspicious Empty SSL Certificate - Observed in Cobalt Strike \r\n2032362 ET TROJAN Cobalt Strike Beacon Activity \r\n2032951 ET TROJAN Observed Cobalt Strike User-Agent\r\nIs your organization protected against malicious threat actors? Learn about Malware protection.\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware\r\nhttps://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware\r\nPage 9 of 9", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA", "Malpedia" ], "references": [ "https://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware" ], "report_names": [ "cobalt-strike-favorite-tool-apt-crimeware" ], "threat_actors": [ { "id": "ec14074c-8517-40e1-b4d7-3897f1254487", "created_at": "2023-01-06T13:46:38.300905Z", "updated_at": "2026-04-10T02:00:02.918468Z", "deleted_at": null, "main_name": "APT10", "aliases": [ "Red Apollo", "HOGFISH", "BRONZE RIVERSIDE", "G0045", "TA429", "Purple Typhoon", "STONE PANDA", "Menupass Team", "happyyongzi", "CVNX", "Cloud Hopper", "ATK41", "Granite Taurus", "POTASSIUM" ], "source_name": "MISPGALAXY:APT10", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9de1979b-40fc-44dc-855d-193edda4f3b8", "created_at": "2025-08-07T02:03:24.92723Z", "updated_at": "2026-04-10T02:00:03.755516Z", "deleted_at": null, "main_name": "GOLD LOCUST", "aliases": [ "Anunak", "Carbanak", "Carbon Spider ", "FIN7 ", "Silicon " ], "source_name": "Secureworks:GOLD LOCUST", "tools": [ "Carbanak" ], "source_id": "Secureworks", "reports": null }, { "id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba", "created_at": "2022-10-25T16:07:24.36191Z", "updated_at": "2026-04-10T02:00:04.954902Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "Dark Halo", "Nobelium", "SolarStorm", "StellarParticle", "UNC2452" ], "source_name": "ETDA:UNC2452", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "02e5c3b8-54b4-4170-b200-7f1fd361b5a9", "created_at": "2022-10-25T16:07:24.557505Z", "updated_at": "2026-04-10T02:00:05.032451Z", "deleted_at": null, "main_name": "Scully Spider", "aliases": [ "Scully Spider", "TA547" ], "source_name": "ETDA:Scully Spider", "tools": [ "DanaBot", "Lumma Stealer", "LummaC2", "NetSupport", "NetSupport Manager", "NetSupport Manager RAT", "NetSupport RAT", "NetSupportManager RAT", "Rhadamanthys", "Rhadamanthys Stealer", "Stealc" ], "source_id": "ETDA", "reports": null }, { "id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89", "created_at": "2022-10-25T15:50:23.739197Z", "updated_at": "2026-04-10T02:00:05.275809Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "UNC2452", "NOBELIUM", "StellarParticle", "Dark Halo" ], "source_name": "MITRE:UNC2452", "tools": [ "Sibot", "Mimikatz", "Cobalt Strike", "AdFind", "GoldMax" ], "source_id": "MITRE", "reports": null }, { "id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea", "created_at": "2023-01-06T13:46:38.745572Z", "updated_at": "2026-04-10T02:00:03.086207Z", "deleted_at": null, "main_name": "APT40", "aliases": [ "ATK29", "Red Ladon", "MUDCARP", "ISLANDDREAMS", "TEMP.Periscope", "KRYPTONITE PANDA", "G0065", "TA423", "ITG09", "Gingham Typhoon", "TEMP.Jumper", "BRONZE MOHAWK", "GADOLINIUM" ], "source_name": "MISPGALAXY:APT40", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e9f85280-337c-4321-b872-0919f8ef64a6", "created_at": "2022-10-25T16:07:24.261761Z", "updated_at": "2026-04-10T02:00:04.914455Z", "deleted_at": null, "main_name": "TA2101", "aliases": [ "Gold Village", "Maze Team", "TA2101", "Twisted Spider" ], "source_name": "ETDA:TA2101", "tools": [ "7-Zip", "Agentemis", "BokBot", "Buran", "ChaCha", "Cobalt Strike", "CobaltStrike", "Egregor", "IceID", "IcedID", "Mimikatz", "PsExec", "SharpHound", "VegaLocker", "WinSCP", "cobeacon", "nmap" ], "source_id": "ETDA", "reports": null }, { "id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e", "created_at": "2024-06-04T02:03:07.956135Z", "updated_at": "2026-04-10T02:00:03.689959Z", "deleted_at": null, "main_name": "IRON HEMLOCK", "aliases": [ "APT29 ", "ATK7 ", "Blue Kitsune ", "Cozy Bear ", "The Dukes", "UNC2452 ", "YTTRIUM " ], "source_name": "Secureworks:IRON HEMLOCK", "tools": [ "CosmicDuke", "CozyCar", "CozyDuke", "DiefenDuke", "FatDuke", "HAMMERTOSS", "LiteDuke", "MiniDuke", "OnionDuke", "PolyglotDuke", "RegDuke", "RegDuke Loader", "SeaDuke", "Sliver" ], "source_id": "Secureworks", "reports": null }, { "id": "ba9fa308-a29a-4928-9c06-73aafec7624c", "created_at": "2024-05-01T02:03:07.981061Z", "updated_at": "2026-04-10T02:00:03.750803Z", "deleted_at": null, "main_name": "BRONZE RIVERSIDE", "aliases": [ "APT10 ", "CTG-5938 ", "CVNX ", "Hogfish ", "MenuPass ", "MirrorFace ", "POTASSIUM ", "Purple Typhoon ", "Red Apollo ", "Stone Panda " ], "source_name": "Secureworks:BRONZE RIVERSIDE", "tools": [ "ANEL", "AsyncRAT", "ChChes", "Cobalt Strike", "HiddenFace", "LODEINFO", "PlugX", "PoisonIvy", "QuasarRAT", "QuasarRAT Loader", "RedLeaves" ], "source_id": "Secureworks", "reports": null }, { "id": "a241a1ca-2bc9-450b-a07b-aae747ee2710", "created_at": "2024-06-19T02:03:08.150052Z", "updated_at": "2026-04-10T02:00:03.737173Z", "deleted_at": null, "main_name": "IRON RITUAL", "aliases": [ "APT29", "Blue Dev 5 ", "BlueBravo ", "Cloaked Ursa ", "CozyLarch ", "Dark Halo ", "Midnight Blizzard ", "NOBELIUM ", "StellarParticle ", "UNC2452 " ], "source_name": "Secureworks:IRON RITUAL", "tools": [ "Brute Ratel C4", "Cobalt Strike", "EnvyScout", "GoldFinder", "GoldMax", "NativeZone", "RAINDROP", "SUNBURST", "Sibot", "TEARDROP", "VaporRage" ], "source_id": "Secureworks", "reports": null }, { "id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf", "created_at": "2023-01-06T13:46:38.405479Z", "updated_at": "2026-04-10T02:00:02.961112Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "ATK32", "G0046", "G0008", "Sangria Tempest", "ELBRUS", "GOLD NIAGARA", "Coreid", "Carbanak", "Carbon Spider", "JokerStash", "CARBON SPIDER" ], "source_name": "MISPGALAXY:FIN7", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c7d9878a-e691-4c6f-81ae-84fb115a1345", "created_at": "2022-10-25T16:07:23.359506Z", "updated_at": "2026-04-10T02:00:04.556639Z", "deleted_at": null, "main_name": "APT 41", "aliases": [ "BrazenBamboo", "Bronze Atlas", "Double Dragon", "Earth Baku", "G0096", "Grayfly", "Operation ColunmTK", "Operation CuckooBees", "Operation ShadowHammer", "Red Kelpie", "SparklingGoblin", "TA415", "TG-2633" ], "source_name": "ETDA:APT 41", "tools": [ "9002 RAT", "ADORE.XSEC", "ASPXSpy", "ASPXTool", "AceHash", "Agent.dhwf", "Agentemis", "AndroidControl", "AngryRebel", "AntSword", "BLUEBEAM", "Barlaiy", "BlackCoffee", "Bladabindi", "BleDoor", "CCleaner Backdoor", "CHINACHOPPER", "COLDJAVA", "China Chopper", "ChyNode", "Cobalt Strike", "CobaltStrike", "Crackshot", "CrossWalk", "CurveLast", "CurveLoad", "DAYJOB", "DBoxAgent", "DEADEYE", "DEADEYE.APPEND", "DEADEYE.EMBED", "DEPLOYLOG", "DIRTCLEANER", "DUSTTRAP", "Derusbi", "Destroy RAT", "DestroyRAT", "DodgeBox", "DragonEgg", "ELFSHELF", "EasyNight", "Farfli", "FunnySwitch", "Gh0st RAT", "Ghost RAT", "HDD Rootkit", "HDRoot", "HKDOOR", "HOMEUNIX", "HUI Loader", "HidraQ", "HighNoon", "HighNote", "Homux", "Hydraq", "Jorik", "Jumpall", "KEYPLUG", "Kaba", "Korplug", "LATELUNCH", "LOLBAS", "LOLBins", "LightSpy", "Living off the Land", "Lowkey", "McRAT", "MdmBot", "MessageTap", "Meterpreter", "Mimikatz", "MoonBounce", "MoonWalk", "Motnug", "Moudour", "Mydoor", "NTDSDump", "PACMAN", "PCRat", "PINEGROVE", "PNGRAT", "POISONPLUG", "POISONPLUG.SHADOW", "POTROAST", "PRIVATELOG", "PipeMon", "PlugX", "PortReuse", "ProxIP", "ROCKBOOT", "RbDoor", "RedDelta", "RedXOR", "RibDoor", "Roarur", "RouterGod", "SAGEHIRE", "SPARKLOG", "SQLULDR2", "STASHLOG", "SWEETCANDLE", "ScrambleCross", "Sensocode", "SerialVlogger", "ShadowHammer", "ShadowPad Winnti", "SinoChopper", "Skip-2.0", "SneakCross", "Sogu", "Speculoos", "Spyder", "StealthReacher", "StealthVector", "TERA", "TIDYELF", "TIGERPLUG", "TOMMYGUN", "TVT", "Thoper", "Voldemort", "WIDETONE", "WINNKIT", "WINTERLOVE", "Winnti", "WyrmSpy", "X-Door", "XDOOR", "XMRig", "XShellGhost", "Xamtrav", "ZXShell", "ZoxPNG", "certutil", "certutil.exe", "cobeacon", "gresim", "njRAT", "pwdump", "xDll" ], "source_id": "ETDA", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e698860d-57e8-4780-b7c3-41e5a8314ec0", "created_at": "2022-10-25T15:50:23.287929Z", "updated_at": "2026-04-10T02:00:05.329769Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "APT41", "Wicked Panda", "Brass Typhoon", "BARIUM" ], "source_name": "MITRE:APT41", "tools": [ "ASPXSpy", "BITSAdmin", "PlugX", "Impacket", "gh0st RAT", "netstat", "PowerSploit", "ZxShell", "KEYPLUG", "LightSpy", "ipconfig", "sqlmap", "China Chopper", "ShadowPad", "MESSAGETAP", "Mimikatz", "certutil", "njRAT", "Cobalt Strike", "pwdump", "BLACKCOFFEE", "MOPSLED", "ROCKBOOT", "dsquery", "Winnti for Linux", "DUSTTRAP", "Derusbi", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "75108fc1-7f6a-450e-b024-10284f3f62bb", "created_at": "2024-11-01T02:00:52.756877Z", "updated_at": "2026-04-10T02:00:05.273746Z", "deleted_at": null, "main_name": "Play", "aliases": null, "source_name": "MITRE:Play", "tools": [ "Nltest", "AdFind", "PsExec", "Wevtutil", "Cobalt Strike", "Playcrypt", "Mimikatz" ], "source_id": "MITRE", "reports": null }, { "id": "f4f16213-7a22-4527-aecb-b964c64c2c46", "created_at": "2024-06-19T02:03:08.090932Z", "updated_at": "2026-04-10T02:00:03.6289Z", "deleted_at": null, "main_name": "GOLD NIAGARA", "aliases": [ "Calcium ", "Carbanak", "Carbon Spider ", "FIN7 ", "Navigator ", "Sangria Tempest ", "TelePort Crew " ], "source_name": "Secureworks:GOLD NIAGARA", "tools": [ "Bateleur", "Carbanak", "Cobalt Strike", "DICELOADER", "DRIFTPIN", "GGLDR", "GRIFFON", "JSSLoader", "Meterpreter", "OFFTRACK", "PILLOWMINT", "POWERTRASH", "SUPERSOFT", "TAKEOUT", "TinyMet" ], "source_id": "Secureworks", "reports": null }, { "id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51", "created_at": "2022-10-25T16:07:23.474746Z", "updated_at": "2026-04-10T02:00:04.623746Z", "deleted_at": null, "main_name": "Cobalt Group", "aliases": [ "ATK 67", "Cobalt Gang", "Cobalt Spider", "G0080", "Gold Kingswood", "Mule Libra", "TAG-CR3" ], "source_name": "ETDA:Cobalt Group", "tools": [ "ATMRipper", "ATMSpitter", "Agentemis", "AmmyyRAT", "AtNow", "COOLPANTS", "CobInt", "Cobalt Strike", "CobaltStrike", "Cyst Downloader", "Fareit", "FlawedAmmyy", "Formbook", "Little Pig", "Metasploit Stager", "Mimikatz", "More_eggs", "NSIS", "Nullsoft Scriptable Install System", "Pony Loader", "Ripper ATM", "SDelete", "Siplog", "SoftPerfect Network Scanner", "SpicyOmelette", "Taurus Builder", "Taurus Builder Kit", "Taurus Loader", "Terra Loader", "ThreatKit", "VenomKit", "cobeacon", "win.xloader" ], "source_id": "ETDA", "reports": null }, { "id": "83025f5e-302e-46b0-baf6-650a4d313dfc", "created_at": "2024-05-01T02:03:07.971863Z", "updated_at": "2026-04-10T02:00:03.743131Z", "deleted_at": null, "main_name": "BRONZE MOHAWK", "aliases": [ "APT40 ", "GADOLINIUM ", "Gingham Typhoon ", "Kryptonite Panda ", "Leviathan ", "Nanhaishu ", "Pickleworm ", "Red Ladon ", "TA423 ", "Temp.Jumper ", "Temp.Periscope " ], "source_name": "Secureworks:BRONZE MOHAWK", "tools": [ "AIRBREAK", "BlackCoffee", "China Chopper", "Cobalt Strike", "DadJoke", "Donut", "FUSIONBLAZE", "GreenCrash", "Meterpreter", "Nanhaishu", "Orz", "SeDll" ], "source_id": "Secureworks", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "04b07437-41bb-4126-bcbb-def16f19d7c6", "created_at": "2022-10-25T16:07:24.232628Z", "updated_at": "2026-04-10T02:00:04.906097Z", "deleted_at": null, "main_name": "Stone Panda", "aliases": [ "APT 10", "ATK 41", "Bronze Riverside", "CTG-5938", "CVNX", "Cuckoo Spear", "Earth Kasha", "G0045", "G0093", "Granite Taurus", "Happyyongzi", "Hogfish", "ITG01", "Operation A41APT", "Operation Cache Panda", "Operation ChessMaster", "Operation Cloud Hopper", "Operation Cuckoo Spear", "Operation New Battle", "Operation Soft Cell", "Operation TradeSecret", "Potassium", "Purple Typhoon", "Red Apollo", "Stone Panda", "TA429", "menuPass", "menuPass Team" ], "source_name": "ETDA:Stone Panda", "tools": [ "Agent.dhwf", "Agentemis", "Anel", "AngryRebel", "BKDR_EVILOGE", "BKDR_HGDER", "BKDR_NVICM", "BUGJUICE", "CHINACHOPPER", "ChChes", "China Chopper", "Chymine", "CinaRAT", "Cobalt Strike", "CobaltStrike", "DARKTOWN", "DESLoader", "DILLJUICE", "DILLWEED", "Darkmoon", "DelfsCake", "Derusbi", "Destroy RAT", "DestroyRAT", "Ecipekac", "Emdivi", "EvilGrab", "EvilGrab RAT", "FYAnti", "Farfli", "Gen:Trojan.Heur.PT", "Gh0st RAT", "Ghost RAT", "GreetCake", "HAYMAKER", "HEAVYHAND", "HEAVYPOT", "HTran", "HUC Packet Transmit Tool", "Ham Backdoor", "HiddenFace", "Impacket", "Invoke the Hash", "KABOB", "Kaba", "Korplug", "LODEINFO", "LOLBAS", "LOLBins", "Living off the Land", "MiS-Type", "Mimikatz", "Moudour", "Mydoor", "NBTscan", "NOOPDOOR", "Newsripper", "P8RAT", "PCRat", "PlugX", "Poison Ivy", "Poldat", "PowerSploit", "PowerView", "PsExec", "PsList", "Quarks PwDump", "Quasar RAT", "QuasarRAT", "RedDelta", "RedLeaves", "Rubeus", "SNUGRIDE", "SPIVY", "SharpSploit", "SigLoader", "SinoChopper", "SodaMaster", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trochilus RAT", "UpperCut", "Vidgrab", "WinRAR", "WmiExec", "Wmonder", "Xamtrav", "Yggdrasil", "Zlib", "certutil", "certutil.exe", "cobeacon", "dfls", "lena", "nbtscan", "pivy", "poisonivy", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb", "created_at": "2023-01-06T13:46:38.393409Z", "updated_at": "2026-04-10T02:00:02.955738Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "Cloaked Ursa", "TA421", "Blue Kitsune", "BlueBravo", "IRON HEMLOCK", "G0016", "Nobelium", "Group 100", "YTTRIUM", "Grizzly Steppe", "ATK7", "ITG11", "COZY BEAR", "The Dukes", "Minidionis", "UAC-0029", "SeaDuke" ], "source_name": "MISPGALAXY:APT29", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "72bc3519-a265-4136-b85a-d5e331f085b1", "created_at": "2023-01-06T13:46:39.313045Z", "updated_at": "2026-04-10T02:00:03.28438Z", "deleted_at": null, "main_name": "TA547", "aliases": [], "source_name": "MISPGALAXY:TA547", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "cf32661e-7543-4b57-8665-7f8101a000e9", "created_at": "2023-01-06T13:46:39.322379Z", "updated_at": "2026-04-10T02:00:03.287241Z", "deleted_at": null, "main_name": "TA800", "aliases": [], "source_name": "MISPGALAXY:TA800", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a", "created_at": "2022-10-25T15:50:23.481057Z", "updated_at": "2026-04-10T02:00:05.306469Z", "deleted_at": null, "main_name": "Leviathan", "aliases": [ "MUDCARP", "Kryptonite Panda", "Gadolinium", "BRONZE MOHAWK", "TEMP.Jumper", "APT40", "TEMP.Periscope", "Gingham Typhoon" ], "source_name": "MITRE:Leviathan", "tools": [ "Windows Credential Editor", "BITSAdmin", "HOMEFRY", "Derusbi", "at", "BLACKCOFFEE", "BADFLICK", "gh0st RAT", "PowerSploit", "MURKYTOP", "NanHaiShu", "Orz", "Cobalt Strike", "China Chopper" ], "source_id": "MITRE", "reports": null }, { "id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a", "created_at": "2022-10-25T15:50:23.298889Z", "updated_at": "2026-04-10T02:00:05.316886Z", "deleted_at": null, "main_name": "menuPass", "aliases": [ "menuPass", "POTASSIUM", "Stone Panda", "APT10", "Red Apollo", "CVNX", "HOGFISH", "BRONZE RIVERSIDE" ], "source_name": "MITRE:menuPass", "tools": [ "certutil", "FYAnti", "UPPERCUT", "SNUGRIDE", "P8RAT", "RedLeaves", "SodaMaster", "pwdump", "Mimikatz", "PlugX", "PowerSploit", "ChChes", "cmd", "QuasarRAT", "AdFind", "Cobalt Strike", "PoisonIvy", "EvilGrab", "esentutl", "Impacket", "Ecipekac", "PsExec", "HUI Loader" ], "source_id": "MITRE", "reports": null }, { "id": "c3c864b3-fac9-4d56-8500-7c06c829fbf8", "created_at": "2023-01-06T13:46:39.071873Z", "updated_at": "2026-04-10T02:00:03.203749Z", "deleted_at": null, "main_name": "TA2101", "aliases": [ "GOLD VILLAGE", "Storm-0216", "DEV-0216", "UNC2198", "TUNNEL SPIDER", "Maze Team", "TWISTED SPIDER" ], "source_name": "MISPGALAXY:TA2101", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "70872c3a-e788-4b55-a7d6-b2df52001ad0", "created_at": "2023-01-06T13:46:39.18401Z", "updated_at": "2026-04-10T02:00:03.239111Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "DarkHalo", "StellarParticle", "NOBELIUM", "Solar Phoenix", "Midnight Blizzard" ], "source_name": "MISPGALAXY:UNC2452", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "bfded1cf-be73-44f9-a391-0751c9996f9a", "created_at": "2022-10-25T15:50:23.337107Z", "updated_at": "2026-04-10T02:00:05.252413Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "FIN7", "GOLD NIAGARA", "ITG14", "Carbon Spider", "ELBRUS", "Sangria Tempest" ], "source_name": "MITRE:FIN7", "tools": [ "Mimikatz", "AdFind", "JSS Loader", "HALFBAKED", "REvil", "PowerSploit", "CrackMapExec", "Carbanak", "Pillowmint", "Cobalt Strike", "POWERSOURCE", "RDFSNIFFER", "SQLRat", "Lizar", "TEXTMATE", "BOOSTWRITE" ], "source_id": "MITRE", "reports": null }, { "id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242", "created_at": "2022-10-25T15:50:23.744036Z", "updated_at": "2026-04-10T02:00:05.294413Z", "deleted_at": null, "main_name": "Cobalt Group", "aliases": [ "Cobalt Group", "GOLD KINGSWOOD", "Cobalt Gang", "Cobalt Spider" ], "source_name": "MITRE:Cobalt Group", "tools": [ "Mimikatz", "More_eggs", "SpicyOmelette", "SDelete", "Cobalt Strike", "PsExec" ], "source_id": "MITRE", "reports": null }, { "id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82", "created_at": "2022-10-25T16:07:23.619566Z", "updated_at": "2026-04-10T02:00:04.690061Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "APT-C-11", "ATK 32", "G0046", "Gold Niagara", "GrayAlpha", "ITG14", "TAG-CR1" ], "source_name": "ETDA:FIN7", "tools": [ "7Logger", "Agentemis", "Anubis Backdoor", "Anunak", "Astra", "BIOLOAD", "BIRDWATCH", "Bateleur", "Boostwrite", "CROWVIEW", "Carbanak", "Cobalt Strike", "CobaltStrike", "DICELOADER", "DNSMessenger", "FOWLGAZE", "HALFBAKED", "JSSLoader", "KillACK", "LOADOUT", "Lizar", "Meterpreter", "Mimikatz", "NetSupport", "NetSupport Manager", "NetSupport Manager RAT", "NetSupport RAT", "NetSupportManager RAT", "POWERPLANT", "POWERSOURCE", "RDFSNIFFER", "Ragnar Loader", "SQLRAT", "Sardonic", "Sekur", "Sekur RAT", "TEXTMATE", "Tirion", "VB Flash", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a", "created_at": "2022-10-25T15:50:23.548494Z", "updated_at": "2026-04-10T02:00:05.292748Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "APT29", "IRON RITUAL", "IRON HEMLOCK", "NobleBaron", "Dark Halo", "NOBELIUM", "UNC2452", "YTTRIUM", "The Dukes", "Cozy Bear", "CozyDuke", "SolarStorm", "Blue Kitsune", "UNC3524", "Midnight Blizzard" ], "source_name": "MITRE:APT29", "tools": [ "PinchDuke", "ROADTools", "WellMail", "CozyCar", "Mimikatz", "Tasklist", "OnionDuke", "FatDuke", "POSHSPY", "EnvyScout", "SoreFang", "GeminiDuke", "reGeorg", "GoldMax", "FoggyWeb", "SDelete", "PolyglotDuke", "AADInternals", "MiniDuke", "SeaDuke", "Sibot", "RegDuke", "CloudDuke", "GoldFinder", "AdFind", "PsExec", "NativeZone", "Systeminfo", "ipconfig", "Impacket", "Cobalt Strike", "PowerDuke", "QUIETEXIT", "HAMMERTOSS", "BoomBox", "CosmicDuke", "WellMess", "VaporRage", "LiteDuke" ], "source_id": "MITRE", "reports": null }, { "id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270", "created_at": "2022-10-25T16:07:23.341684Z", "updated_at": "2026-04-10T02:00:04.549917Z", "deleted_at": null, "main_name": "APT 29", "aliases": [ "APT 29", "ATK 7", "Blue Dev 5", "BlueBravo", "Cloaked Ursa", "CloudLook", "Cozy Bear", "Dark Halo", "Earth Koshchei", "G0016", "Grizzly Steppe", "Group 100", "ITG11", "Iron Hemlock", "Iron Ritual", "Midnight Blizzard", "Minidionis", "Nobelium", "NobleBaron", "Operation Ghost", "Operation Office monkeys", "Operation StellarParticle", "SilverFish", "Solar Phoenix", "SolarStorm", "StellarParticle", "TEMP.Monkeys", "The Dukes", "UNC2452", "UNC3524", "Yttrium" ], "source_name": "ETDA:APT 29", "tools": [ "7-Zip", "ATI-Agent", "AdFind", "Agentemis", "AtNow", "BEATDROP", "BotgenStudios", "CEELOADER", "Cloud Duke", "CloudDuke", "CloudLook", "Cobalt Strike", "CobaltStrike", "CosmicDuke", "Cozer", "CozyBear", "CozyCar", "CozyDuke", "Danfuan", "EnvyScout", "EuroAPT", "FatDuke", "FoggyWeb", "GeminiDuke", "Geppei", "GoldFinder", "GoldMax", "GraphDrop", "GraphicalNeutrino", "GraphicalProton", "HAMMERTOSS", "HammerDuke", "LOLBAS", "LOLBins", "LiteDuke", "Living off the Land", "MagicWeb", "Mimikatz", "MiniDionis", "MiniDuke", "NemesisGemina", "NetDuke", "OnionDuke", "POSHSPY", "PinchDuke", "PolyglotDuke", "PowerDuke", "QUIETEXIT", "ROOTSAW", "RegDuke", "Rubeus", "SNOWYAMBER", "SPICYBEAT", "SUNSHUTTLE", "SeaDaddy", "SeaDask", "SeaDesk", "SeaDuke", "Sharp-SMBExec", "SharpView", "Sibot", "Solorigate", "SoreFang", "TinyBaron", "WINELOADER", "WellMail", "WellMess", "cobeacon", "elf.wellmess", "reGeorg", "tDiscoverer" ], "source_id": "ETDA", "reports": null }, { "id": "b9806584-4d82-4f32-ae97-18a2583e8d11", "created_at": "2022-10-25T16:07:23.787833Z", "updated_at": "2026-04-10T02:00:04.749709Z", "deleted_at": null, "main_name": "Leviathan", "aliases": [ "APT 40", "ATK 29", "Bronze Mohawk", "G0065", "Gadolinium", "Gingham Typhoon", "ISLANDDREAMS", "ITG09", "Jumper Taurus", "Kryptonite Panda", "Mudcarp", "Red Ladon", "TA423", "TEMP.Jumper", "TEMP.Periscope" ], "source_name": "ETDA:Leviathan", "tools": [ "AIRBREAK", "Agent.dhwf", "Agentemis", "AngryRebel", "BADFLICK", "BlackCoffee", "CHINACHOPPER", "China Chopper", "Cobalt Strike", "CobaltStrike", "DADJOKE", "Dadstache", "Derusbi", "Destroy RAT", "DestroyRAT", "Farfli", "GRILLMARK", "Gh0st RAT", "Ghost RAT", "HOMEFRY", "Hellsing Backdoor", "Kaba", "Korplug", "LOLBAS", "LOLBins", "LUNCHMONEY", "Living off the Land", "MURKYTOP", "Moudour", "Mydoor", "NanHaiShu", "Orz", "PCRat", "PNGRAT", "PlugX", "RedDelta", "SeDLL", "Sensocode", "SinoChopper", "Sogu", "TIGERPLUG", "TVT", "Thoper", "WCE", "Windows Credential Editor", "Windows Credentials Editor", "Xamtrav", "ZXShell", "ZoxPNG", "cobeacon", "gresim", "scanbox" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434773, "ts_updated_at": 1775792281, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/22d22d9c3e7d349ffec264370abfda2dcb4a62dc.pdf", "text": "https://archive.orkl.eu/22d22d9c3e7d349ffec264370abfda2dcb4a62dc.txt", "img": "https://archive.orkl.eu/22d22d9c3e7d349ffec264370abfda2dcb4a62dc.jpg" } }