{ "id": "0c601bdb-dcf2-413e-9027-600a14629ac2", "created_at": "2026-04-06T00:10:17.504769Z", "updated_at": "2026-04-10T13:12:15.35328Z", "deleted_at": null, "sha1_hash": "23159a7b614699b40e0cf08cd7ee7a00d67d54b6", "title": "Deconstructing Defray777 Ransomware", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 963640, "plain_text": "Deconstructing Defray777 Ransomware\r\nBy Threat Analysis Unit, Sebastiano Mariani, Stefano Ortolani, Baibhav Singh, Giovanni Vigna, Jason Zhang, Brian Baskin,\r\nGeorge Allen, Scott Knight\r\nPublished: 2021-03-11 · Archived: 2026-04-05 20:40:09 UTC\r\nRecently, reports surfaced describing ransomware attacks targeting VMware ESXi servers. While many of these attacks\r\nwere initially based upon credential theft, the goal was to unleash one of a series of ransomware families, including\r\nDefray777 and Darkside, to encrypt the files associated with virtualized hosts.\r\nThese families of ransomware are related to examples that the VMware Threat Research teams had seen previously in the\r\nwild. Specifically, based upon their ransom notes and file extensions, they appeared to be variants of the RansomEXX\r\nransomware family. In the second half of 2020 these variants of ransomware, including Defray777, have been witnessed\r\ntargeting both Windows and Linux systems.\r\nThese attacks also leveraged several ancillary tools such as downloaders, RATs, and exploitation tools to obtain initial access\r\nto a system and spread within the target network.\r\nIn the following, we provide a technical description of the Defray777 ransomware and a brief discussion of the other\r\ncomponents that have been observed in combination with this malware sample.\r\nWhat is Defray777?\r\nThe version of Defray777 analyzed here is a Linux-based, command-line driven ransomware attack that employs traditional\r\nmethods of enumerating folders and files on a system and then encrypting them using hardcoded encryption keys. This\r\nsample requires a set of command line arguments that specify the folder in which the ransomware should start its encryption.\r\nMultiple variants of the Defray777 malware were acquired from external sources for analysis. They all represent nearly\r\nidentical versions of this ransomware family. During analysis it was confirmed that each file contained data specific to a\r\nsingular victim. Due to this, metadata for each file will not be provided to avoid wider exposure.\r\nUnlike many malware samples in the wild, these samples of the ransomware were not “stripped” of their debugging\r\ninformation. This means that the original routines and much of the code is in its original state with the names given by the\r\nadversaries. The examples of code in the following section are representations of potential original source code.\r\nUpon execution, the malware creates an encryption key through multiple methods–one of which is an embedded public key\r\nstored as converted to hex (Figure 1.)\r\nFigure 1: Example of the hard-coded encryption key within the malware.\r\nThe malware then enumerates through all folders and files in the specified directory, targeting files names that do not\r\ncontain the encrypted extension nor file names that match the ransom note filename. (Figure 2.)\r\nhttps://blogs.vmware.com/networkvirtualization/2021/03/deconstructing-defray777.html/\r\nPage 1 of 7\n\nFigure 2: Example of the code used to check each filename to ensure there is not repeated encryption.\r\nThe data from this file is then read, encrypted, and written to a new file with the encrypted file extension tag (Figure 3.)\r\nFigure 3: Example of the code used to receive a file, append a new extension, and encrypt data.\r\nhttps://blogs.vmware.com/networkvirtualization/2021/03/deconstructing-defray777.html/\r\nPage 2 of 7\n\nFinally, the ransom note is created and written on the filesystem (Figure 4.)\r\nFigure 4: Example of the code used to create the personalized ransom note.\r\nIs Defray777 Related to Other Threats?\r\nAnalysis of the code within the Defray777 malware suggests that it is an evolution of the RansomEXX ransomware threat.\r\nThis is based partially on the similarities of hardcoded data but also very similar programming styles. For example,\r\nreversing the code of the two threats highlights some striking similarities. In Figure 5 we can see how the two samples use\r\nthe “mbedtls” library in a remarkably similar way. The “mbedtls” library represents a third-party library that provides\r\nnetwork encryption via SSL/TLS. Its mere presence, as well as its method of integration, are strong indicators to the\r\nsimilarities between the two families of malware.\r\nFigure 5: Comparison of RansomEXX and Defray777 code (“mbedtls” library calls).\r\nIn Figure 6, we can see these similarities in the ransom note style shown to the victim, and in the format of the filename. In\r\nanalysis of multiple forms of this ransom note it was apparent that each ransom note contained a similar structure but with\r\nvarying words of the same meaning. For example, one note reads “CLOSELY” while the other contains “CAREFULLY”.\r\nSimilar are the uses of “Your data” versus “Your files”, as well as “Your data” and “Your files”. This is a method to confuse\r\nanalysis efforts that attempt to identify a ransomware family based upon its ransom note contents.\r\nhttps://blogs.vmware.com/networkvirtualization/2021/03/deconstructing-defray777.html/\r\nPage 3 of 7\n\nFigure 6: Comparison of RansomEXX and Defray777 code (text style similarities).\r\nWe also analyzed the similarities among the three Linux samples of Defray777 currently available on VirusTotal. The\r\nanalysis performed using BinDiff reveals a perfect code similarity among all of them (Figure 7 and Figure 8).\r\nFigure 7: Comparison between 08113ca015468d6c29af4e4e4754c003dacc194ce4a254e15f38060854f18867\r\nand 78147d3be7dc8cf7f631de59ab7797679aba167f82655bcae2c1b70f1fafc13d.\r\nFigure 8: Comparison between 78147d3be7dc8cf7f631de59ab7797679aba167f82655bcae2c1b70f1fafc13d\r\nand cb408d45762a628872fa782109e8fcfc3a5bf456074b007de21e9331bb3c5849.\r\nWhat Kill-Chain Tools Does Defray777 Use?\r\nThe execution of the Defray777 ransomware is the last step in a breach that can involve several other components. These\r\ninclude Pyxie RAT, Cobalt Strike, Lazagne, and Mimikatz.\r\nPyxie RAT\r\nPyXie RAT is an important component used by attackers to provide RAT functionalities after successfully breaching the\r\nperimeter. Distributed in PYX files, PyXie is reportedly executed by custom-compiled Python interpreters. The tool can\r\ncollect and exfiltrate data and can allow for privilege escalation and/or drop additional malware. PyXie is designed to work\r\nwell with external tools and provides a set of built-in commands to ease deployment and execution. For example, it can run\r\nMimikatz with two simple commands: “!mimi_32” and “!mimi_grab”. The command “!get_password” invokes LaZagne  to\r\nharvest local credentials from browsers and other applications. This RAT also enables further reconnaissance by providing\r\nhttps://blogs.vmware.com/networkvirtualization/2021/03/deconstructing-defray777.html/\r\nPage 4 of 7\n\ncommands to execute SharpHound (SMB scanning) and advanced info stealing capabilities that include keylogging and\r\nvideo recording.\r\nRecent reports also detail an updated version of PyXie RAT termed PyXie Lite. Although packed with fewer functionalities\r\n(resulting in a smaller code base), it is still distributed with a custom-compiled Python interpreter. In this instance, PiXie’s\r\nsource files are contained in an encrypted ZIP file embedded in the interpreter itself rather than in a separate archive.  As\r\npublicly documented, the smaller set of modules is due to a change of core functionalities–from providing a generic access\r\npoint to laterally propagate–to automate data collection and exfiltration. This is an interesting trend seen in other targeted\r\nBig Game Hunting (BGH) campaigns where toolsets are getting incrementally refined to be more effective through a smaller\r\nmemory footprint. With a more repeatable deployments, Pyxie RAT indicates that threat actors are getting more comfortable\r\nexecuting this type of campaign.\r\nCobalt Strike\r\nCobalt Strike is a tool that supports Red Teams in attack simulation exercises, providing a number of techniques that allow a\r\nRed Team to execute sophisticated attacks to compromise a target network, established a bridge head in the network, and\r\nthen move laterally to gain additional access to computers, accounts, and, eventually, data.\r\nWhile the goal of Cobalt Strike is to provide a framework to test network defences in order to support the development of\r\neffective detection mechanisms and incident response procedures, the power provided by the tools is not lost on malicious\r\nactors who have copied, modified, and included Cobalt Strike modules in tools they use to carry out other sophisticated\r\nattacks.\r\nIn particular, Cobalt Strike components are often used to move laterally after acquiring an initial foothold in the target\r\nnetwork or to enable the execution of other payloads.\r\nThe Vatet loader is publicly documented as used on Windows hosts to execute a Cobalt Strike Beacon payload, which, in\r\nturn, loads the Defray777 in memory and executes it without leaving any artifacts on the filesystem.\r\nLaZagne\r\nLaZagne is an open-source tool that retrieves passwords stored on a system whether it is Windows, Linux, or macOS. This\r\ntool supports a variety of applications such as mail, WiFi, browsers, databases and macOS keychains and has been added to\r\nPupy (a remote administration tool) to allow it to run in memory without leaving a footprint on disk.\r\nThe application can help IT administrators and pentesters easily recover passwords in a system. On the other hand, like\r\nmany tools designed for good purposes, hackers are known to leverage LaZagne as a post-exploitation tool. After gaining\r\naccess to a victim’s machine, the attacker installs the tool and uses it to retrieve the victim’s credentials for various\r\napplications. Threat groups that are known to use this application include APT3, APT33 and Inception.\r\nMimikatz\r\nMimikatz is considered a versatile tool that gathers credentials data from Windows systems. Mimikatz requires a higher\r\nprivilege, such as administrator or SYSTEM, and often debug rights to perform specific actions and to interact and dump\r\ncredentials out of LSASS.\r\nThe main functions that Mimikatz enables include:\r\nExtracting passwords from memory. When run with admin or system privileges, attackers can use Mimikatz to\r\nextract plaintext authentication tokens.\r\nExtracting Kerberos tickets. Using a Kerberos module, Mimikatz can access the Kerberos API, enabling a number of\r\ndifferent Kerberos exploits that use tickets that have been extracted from system memory.\r\nhttps://blogs.vmware.com/networkvirtualization/2021/03/deconstructing-defray777.html/\r\nPage 5 of 7\n\nExtracting certificates and their private keys. A Windows CryptoAPI module enables Mimikatz to extract certificates\r\nand the private keys associated with them that are stored on the victim system.\r\nWhat is the Bottom Line?\r\nThe Defray777 ransomware is a simple yet very effective threat that has been used to target Linux systems and, in particular,\r\nthe instances of virtualized hosts running on ESXi servers.\r\nRansomware continues to be the most destructive forms of attacks that affect businesses and organizations of all sizes. With\r\nyears of experience in analyzing ransomware attacks the VMware Threat Research teams have identified many areas in\r\nwhich defenses can be deployed to block the malware before damage can occur. On Windows-based systems this includes\r\nthe attempted deletion of Volume Shadow Copies (internal Windows data backups) as well as foreseeable file enumeration\r\nmethods: areas in which the VMware Carbon Black suite of endpoint security solutions provide detection and prevention\r\ncapabilities.\r\nVMware’s NSX Advanced Threat Prevention offering for the NSX Service-defined Firewall delivers the broadest set of\r\nthreat detection capabilities that span network IDS/IPS and behavior-based network traffic analysis. This also includes\r\nVMware NSX Advanced Threat Analyzer™, a sandbox offering based on a full-system emulation technology that has\r\nvisibility into every malware action. VMware NSX is purpose-built to protect data center traffic with the industry’s highest\r\nfidelity insights into advanced threats.\r\nSpecifically, VMware NSX Advanced Threat Analyzer™ has detection and prevention capabilities for these threats and\r\nexamples of detection and analysis overviews are below:\r\nDefray777 –\r\nhttps://user.lastline.com/report_viewer.html?\r\nreport_token=715043573:78ae1dd:EBgZWsHCOmUQq4cV#/analyst/task/a721c65a5f8800102fb960cc50c308b8/overview \r\nPyxie RAT –\r\nhttps://user.lastline.com/report_viewer.html?\r\nreport_token=715043573:97e321e:se3libkSi3X0xXfB#/analyst/task/fa88100810b800201c3200d073302bf7/overview\r\nCobalt Stike –\r\nhttps://user.lastline.com/report_viewer/715043573:ccc031e:7zNUGDMQsnR6My5k#/task/a34ea55d588100100e39365d8fafd\r\nLaZagne –\r\nhttps://user.lastline.com/report_viewer/715043573:fea4a4b:9eFjlyzpdi2UEa6t#/task/b1cfee3048e30010252e61cf51a2f046\r\nMimikatz –\r\nhttps://user.lastline.com/report_viewer/715043573:ae7d669:rZvoa5SX7K2Yw8eY#/task/b8a4ed748fb50010024b8d20217ca7\r\nSources\r\nhttps://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/\r\nhttps://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/\r\nhttps://blogs.blackberry.com/en/2019/12/meet-pyxie-a-nefarious-new-python-rat\r\nhttps://www.hhs.gov/sites/default/files/pyxie-remote-access-trojan-rat.pdf\r\nhttps://unit42.paloaltonetworks.com/vatet-pyxie-defray777/\r\nhttps://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html\r\nhttps://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/\r\nhttps://www.zdnet.com/article/ransomware-gangs-are-abusing-vmware-esxi-exploits-to-encrypt-virtual-hard-disks/\r\nhttps://www.reddit.com/r/sysadmin/comments/kysqsc/the_esxi_ransomware_postmortem/?\r\nutm_source=share\u0026utm_medium=web2x\u0026context=3\r\nhttps://blogs.vmware.com/networkvirtualization/2021/03/deconstructing-defray777.html/\r\nPage 6 of 7\n\nDefray777 Samples\r\nWindows\r\n4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458 (source: PAN)\r\nLinux\r\n78147d3be7dc8cf7f631de59ab7797679aba167f82655bcae2c1b70f1fafc13d (source: PAN, TrendMicro)\r\ncb408d45762a628872fa782109e8fcfc3a5bf456074b007de21e9331bb3c5849 (source: PAN, CrowdStrike,\r\nSecureList, TrendMicro)\r\n08113ca015468d6c29af4e4e4754c003dacc194ce4a254e15f38060854f18867 (source: TrendMicro)\r\nSource: https://blogs.vmware.com/networkvirtualization/2021/03/deconstructing-defray777.html/\r\nhttps://blogs.vmware.com/networkvirtualization/2021/03/deconstructing-defray777.html/\r\nPage 7 of 7", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://blogs.vmware.com/networkvirtualization/2021/03/deconstructing-defray777.html/" ], "report_names": [ "deconstructing-defray777.html" ], "threat_actors": [ { "id": "a63c994f-d7d6-4850-a881-730635798b90", "created_at": "2025-08-07T02:03:24.788883Z", "updated_at": "2026-04-10T02:00:03.785146Z", "deleted_at": null, "main_name": "COBALT TRINITY", "aliases": [ "APT33 ", "Elfin ", "HOLMIUM ", "MAGNALIUM ", "Peach Sandstorm ", "Refined Kitten ", "TA451 " ], "source_name": "Secureworks:COBALT TRINITY", "tools": [ "AutoCore", "Cadlotcorg", "Dello RAT", "FalseFont", "Imminent Monitor", "KDALogger", "Koadic", "NanoCore", "NetWire", "POWERTON", "PoshC2", "Poylog", "PupyRAT", "Schoolbag" ], "source_id": "Secureworks", "reports": null }, { "id": "9de1979b-40fc-44dc-855d-193edda4f3b8", "created_at": "2025-08-07T02:03:24.92723Z", "updated_at": "2026-04-10T02:00:03.755516Z", "deleted_at": null, "main_name": "GOLD LOCUST", "aliases": [ "Anunak", "Carbanak", "Carbon Spider ", "FIN7 ", "Silicon " ], "source_name": "Secureworks:GOLD LOCUST", "tools": [ "Carbanak" ], "source_id": "Secureworks", "reports": null }, { "id": "77b28afd-8187-4917-a453-1d5a279cb5e4", "created_at": "2022-10-25T15:50:23.768278Z", "updated_at": "2026-04-10T02:00:05.266635Z", "deleted_at": null, "main_name": "Inception", "aliases": [ "Inception Framework", "Cloud Atlas" ], "source_name": "MITRE:Inception", "tools": [ "PowerShower", "VBShower", "LaZagne" ], "source_id": "MITRE", "reports": null }, { "id": "c2385aea-d30b-4dbc-844d-fef465cf3ea9", "created_at": "2023-01-06T13:46:38.916521Z", "updated_at": "2026-04-10T02:00:03.144667Z", "deleted_at": null, "main_name": "LUNAR SPIDER", "aliases": [ "GOLD SWATHMORE" ], "source_name": "MISPGALAXY:LUNAR SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f6f91e1c-9202-4497-bf22-9cd5ef477600", "created_at": "2023-01-06T13:46:38.86765Z", "updated_at": "2026-04-10T02:00:03.12735Z", "deleted_at": null, "main_name": "WIZARD SPIDER", "aliases": [ "TEMP.MixMaster", "GOLD BLACKBURN", "DEV-0193", "UNC2053", "Pistachio Tempest", "DEV-0237", "Storm-0230", "FIN12", "Periwinkle Tempest", "Storm-0193", "Trickbot LLC" ], "source_name": "MISPGALAXY:WIZARD SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "13354d3f-3f40-44ec-b42a-3cda18809005", "created_at": "2022-10-25T15:50:23.275272Z", "updated_at": "2026-04-10T02:00:05.36519Z", "deleted_at": null, "main_name": "APT3", "aliases": [ "APT3", "Gothic Panda", "Pirpi", "UPS Team", "Buckeye", "Threat Group-0110", "TG-0110" ], "source_name": "MITRE:APT3", "tools": [ "OSInfo", "schtasks", "PlugX", "LaZagne", "SHOTPUT", "RemoteCMD" ], "source_id": "MITRE", "reports": null }, { "id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4", "created_at": "2023-01-06T13:46:38.269054Z", "updated_at": "2026-04-10T02:00:02.90356Z", "deleted_at": null, "main_name": "APT3", "aliases": [ "GOTHIC PANDA", "TG-0110", "Buckeye", "Group 6", "Boyusec", "BORON", "BRONZE MAYFAIR", "Red Sylvan", "Brocade Typhoon" ], "source_name": "MISPGALAXY:APT3", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "27e51b73-410e-4a33-93a1-49cf8a743cf7", "created_at": "2023-01-06T13:46:39.210675Z", "updated_at": "2026-04-10T02:00:03.247656Z", "deleted_at": null, "main_name": "GOLD DUPONT", "aliases": [ "SPRITE SPIDER" ], "source_name": "MISPGALAXY:GOLD DUPONT", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e", "created_at": "2024-06-04T02:03:07.799286Z", "updated_at": "2026-04-10T02:00:03.606456Z", "deleted_at": null, "main_name": "GOLD BLACKBURN", "aliases": [ "ITG23 ", "Periwinkle Tempest ", "Wizard Spider " ], "source_name": "Secureworks:GOLD BLACKBURN", "tools": [ "BazarLoader", "Buer Loader", "Bumblebee", "Dyre", "Team9", "TrickBot" ], "source_id": "Secureworks", "reports": null }, { "id": "7cfe3bc9-7a6c-4ee1-a635-5ea7b947147f", "created_at": "2024-06-19T02:03:08.122318Z", "updated_at": "2026-04-10T02:00:03.652418Z", "deleted_at": null, "main_name": "GOLD SWATHMORE", "aliases": [ "Lunar Spider " ], "source_name": "Secureworks:GOLD SWATHMORE", "tools": [ "Cobalt Strike", "GlobeImposter", "Gozi", "Gozi Trojan", "IcedID", "Latrodectus", "TrickBot" ], "source_id": "Secureworks", "reports": null }, { "id": "475ea823-9e47-4098-b235-0900bc1a5362", "created_at": "2022-10-25T16:07:24.506596Z", "updated_at": "2026-04-10T02:00:05.015497Z", "deleted_at": null, "main_name": "Lunar Spider", "aliases": [ "Gold SwathMore" ], "source_name": "ETDA:Lunar Spider", "tools": [ "BokBot", "IceID", "IcedID", "NeverQuest", "Vawtrak", "grabnew" ], "source_id": "ETDA", "reports": null }, { "id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf", "created_at": "2023-01-06T13:46:38.405479Z", "updated_at": "2026-04-10T02:00:02.961112Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "ATK32", "G0046", "G0008", "Sangria Tempest", "ELBRUS", "GOLD NIAGARA", "Coreid", "Carbanak", "Carbon Spider", "JokerStash", "CARBON SPIDER" ], "source_name": "MISPGALAXY:FIN7", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e5ff825b-0456-4013-b90a-971b93def74a", "created_at": "2022-10-25T15:50:23.824058Z", "updated_at": "2026-04-10T02:00:05.377261Z", "deleted_at": null, "main_name": "APT33", "aliases": [ "APT33", "HOLMIUM", "Elfin", "Peach Sandstorm" ], "source_name": "MITRE:APT33", "tools": [ "PowerSploit", "AutoIt backdoor", "PoshC2", "Mimikatz", "NanoCore", "DEADWOOD", "StoneDrill", "POWERTON", "LaZagne", "TURNEDUP", "NETWIRE", "Pupy", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "ed3810b7-141a-4ed0-8a01-6a972b80458d", "created_at": "2022-10-25T16:07:23.443259Z", "updated_at": "2026-04-10T02:00:04.602946Z", "deleted_at": null, "main_name": "Carbanak", "aliases": [ "Anunak", "Carbanak", "Carbon Spider", "ELBRUS", "G0008", "Gold Waterfall", "Sangria Tempest" ], "source_name": "ETDA:Carbanak", "tools": [ "AVE_MARIA", "Agentemis", "AmmyyRAT", "Antak", "Anunak", "Ave Maria", "AveMariaRAT", "BABYMETAL", "BIRDDOG", "Backdoor Batel", "Batel", "Bateleur", "BlackMatter", "Boostwrite", "Cain \u0026 Abel", "Carbanak", "Cl0p", "Cobalt Strike", "CobaltStrike", "DNSMessenger", "DNSRat", "DNSbot", "DRIFTPIN", "DarkSide", "FOXGRABBER", "FlawedAmmyy", "HALFBAKED", "JS Flash", "KLRD", "MBR Eraser", "Mimikatz", "Nadrac", "Odinaff", "POWERPIPE", "POWERSOURCE", "PsExec", "SQLRAT", "Sekur", "Sekur RAT", "SocksBot", "SoftPerfect Network Scanner", "Spy.Agent.ORM", "TEXTMATE", "TeamViewer", "TiniMet", "TinyMet", "Toshliph", "VB Flash", "WARPRISM", "avemaria", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "f4f16213-7a22-4527-aecb-b964c64c2c46", "created_at": "2024-06-19T02:03:08.090932Z", "updated_at": "2026-04-10T02:00:03.6289Z", "deleted_at": null, "main_name": "GOLD NIAGARA", "aliases": [ "Calcium ", "Carbanak", "Carbon Spider ", "FIN7 ", "Navigator ", "Sangria Tempest ", "TelePort Crew " ], "source_name": "Secureworks:GOLD NIAGARA", "tools": [ "Bateleur", "Carbanak", "Cobalt Strike", "DICELOADER", "DRIFTPIN", "GGLDR", "GRIFFON", "JSSLoader", "Meterpreter", "OFFTRACK", "PILLOWMINT", "POWERTRASH", "SUPERSOFT", "TAKEOUT", "TinyMet" ], "source_id": "Secureworks", "reports": null }, { "id": "cf826655-5fcb-4331-bdc5-5ef267db9d3c", "created_at": "2025-08-07T02:03:24.631402Z", "updated_at": "2026-04-10T02:00:03.608938Z", "deleted_at": null, "main_name": "BRONZE MAYFAIR", "aliases": [ "APT3 ", "Gothic Panda ", "Pirpi", "TG-0110 ", "UPSTeam" ], "source_name": "Secureworks:BRONZE MAYFAIR", "tools": [ "Cookiecutter", "HUC Proxy Malware (Htran)", "Pirpi", "PlugX", "SplitVPN", "UPS", "ctt", "ctx" ], "source_id": "Secureworks", "reports": null }, { "id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f", "created_at": "2023-01-06T13:46:38.367369Z", "updated_at": "2026-04-10T02:00:02.945356Z", "deleted_at": null, "main_name": "APT33", "aliases": [ "Elfin", "MAGNALLIUM", "HOLMIUM", "COBALT TRINITY", "G0064", "ATK35", "Peach Sandstorm", "TA451", "APT 33", "Refined Kitten" ], "source_name": "MISPGALAXY:APT33", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "63061658-5810-4f01-9620-7eada7e9ae2e", "created_at": "2022-10-25T15:50:23.752974Z", "updated_at": "2026-04-10T02:00:05.244531Z", "deleted_at": null, "main_name": "Wizard Spider", "aliases": [ "Wizard Spider", "UNC1878", "TEMP.MixMaster", "Grim Spider", "FIN12", "GOLD BLACKBURN", "ITG23", "Periwinkle Tempest", "DEV-0193" ], "source_name": "MITRE:Wizard Spider", "tools": [ "TrickBot", "AdFind", "BITSAdmin", "Bazar", "LaZagne", "Nltest", "GrimAgent", "Dyre", "Ryuk", "Conti", "Emotet", "Rubeus", "Mimikatz", "Diavol", "PsExec", "Cobalt Strike" ], "source_id": "MITRE", "reports": null }, { "id": "bfded1cf-be73-44f9-a391-0751c9996f9a", "created_at": "2022-10-25T15:50:23.337107Z", "updated_at": "2026-04-10T02:00:05.252413Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "FIN7", "GOLD NIAGARA", "ITG14", "Carbon Spider", "ELBRUS", "Sangria Tempest" ], "source_name": "MITRE:FIN7", "tools": [ "Mimikatz", "AdFind", "JSS Loader", "HALFBAKED", "REvil", "PowerSploit", "CrackMapExec", "Carbanak", "Pillowmint", "Cobalt Strike", "POWERSOURCE", "RDFSNIFFER", "SQLRat", "Lizar", "TEXTMATE", "BOOSTWRITE" ], "source_id": "MITRE", "reports": null }, { "id": "7268a08d-d4d0-4ebc-bffe-3d35b3ead368", "created_at": "2022-10-25T16:07:24.225216Z", "updated_at": "2026-04-10T02:00:04.904162Z", "deleted_at": null, "main_name": "Sprite Spider", "aliases": [ "Gold Dupont", "Sprite Spider" ], "source_name": "ETDA:Sprite Spider", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "Coroxy", "Defray 2018", "Defray777", "DroxiDat", "Glushkov", "LaZagne", "Metasploit", "PyXie", "PyXie RAT", "Ransom X", "RansomExx", "SharpHound", "Shifu", "SystemBC", "Target777", "Vatet", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "07775b09-acd9-498e-895f-f10063115629", "created_at": "2024-06-04T02:03:07.817613Z", "updated_at": "2026-04-10T02:00:03.650268Z", "deleted_at": null, "main_name": "GOLD DUPONT", "aliases": [ "Sprite Spider ", "Storm-2460 " ], "source_name": "Secureworks:GOLD DUPONT", "tools": [ "777", "ArtifactExx", "Cobalt Strike", "Defray", "Metasploit", "PipeMagic", "PyXie", "Shifu", "SystemBC", "Vatet" ], "source_id": "Secureworks", "reports": null }, { "id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3", "created_at": "2022-10-25T16:07:24.422115Z", "updated_at": "2026-04-10T02:00:04.983298Z", "deleted_at": null, "main_name": "Wizard Spider", "aliases": [ "DEV-0193", "G0102", "Gold Blackburn", "Gold Ulrick", "Grim Spider", "ITG23", "Operation BazaFlix", "Periwinkle Tempest", "Storm-0230", "TEMP.MixMaster", "Wizard Spider" ], "source_name": "ETDA:Wizard Spider", "tools": [ "AdFind", "Agentemis", "Anchor_DNS", "BEERBOT", "BazarBackdoor", "BazarCall", "BazarLoader", "Cobalt Strike", "CobaltStrike", "Conti", "Diavol", "Dyranges", "Dyre", "Dyreza", "Dyzap", "Gophe", "Invoke-SMBAutoBrute", "KEGTAP", "LaZagne", "LightBot", "PowerSploit", "PowerTrick", "PsExec", "Ryuk", "SessionGopher", "TSPY_TRICKLOAD", "Team9Backdoor", "The Trick", "TheTrick", "Totbrick", "TrickBot", "TrickLoader", "TrickMo", "Upatre", "bazaloader", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434217, "ts_updated_at": 1775826735, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/23159a7b614699b40e0cf08cd7ee7a00d67d54b6.pdf", "text": "https://archive.orkl.eu/23159a7b614699b40e0cf08cd7ee7a00d67d54b6.txt", "img": "https://archive.orkl.eu/23159a7b614699b40e0cf08cd7ee7a00d67d54b6.jpg" } }