{
	"id": "68cd49da-bd42-4a9f-8ce6-59909bb345ee",
	"created_at": "2026-04-06T00:17:16.692029Z",
	"updated_at": "2026-04-10T03:36:13.941221Z",
	"deleted_at": null,
	"sha1_hash": "23ea7ce9f823969c9d01d9c9bc92c7041e961b74",
	"title": "New Evidence Linking Kwampirs Malware to Shamoon APTS (Technical Blog)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5420407,
	"plain_text": "New Evidence Linking Kwampirs Malware to Shamoon APTS\r\n(Technical Blog)\r\nBy Pablo Rincon Crespo, VP of Cybersecurity\r\nPublished: 2022-03-08 · Archived: 2026-04-05 12:53:18 UTC\r\n
Cylera Labs has been investigating the Kwampirs malware actively since August 2018, and was the first to identify the similarities with Shamoon. In 2019, Pablo Rincón Crespo, vice president of Cybersecurity and lead researcher of Cylera Labs, released the first public findings pointing to important code similarities between Shamoon and Kwampirs at the XIII STIC conference held in Madrid on December 11th, 2019.\r\n
But having similarities in the tool doesn't necessarily mean the same threat actors are behind both malware families. Therefore, further investigation was necessary to discard the possibilities of potentially stolen code or false flag operations. Shortly after Rincón's presentation at the XIII STIC conference, two FBI Flashes and one FBI Private Industry Notification (PIN) were released, alerting about Kwampirs (January 6, February 5, and March 30, 2020), and some researchers have also tweeted about similarities between both malware families.\r\n
Cylera Labs Summary\r\n
At that point, we had all the known campaigns sinkholed, many victims identified (from small hospitals to “medical cities,” and government institutions of Middle East countries), had already found the template system and were already trying to understand the evolution of all the Kwampirs artifacts available for download via public malware repositories (mainly VirusTotal and Hybrid Analysis). Our differential analysis was done with the help of radiff2 (part of the radare2 toolkit) and diaphora+IDA, and then by manually reviewing the full sets of differences between every single version to understand all the divergence between the two malware families. During this process we also identified some additional components that went unnoticed for some time but that link the two families even more closely together.\r\n
The newly issued, in-depth Cylera Labs Kwampirs Shamoon Technical Report explains extensively, with artifacts, the different phases of the investigation, analysis and findings related to the evolution of Kwampirs and its connections with Shamoon 1 and 2, where Kwampirs starts its activity between both Shamoon versions.\r\n
At Cylera Labs we assess with medium-high confidence that Shamoon and Kwampirs are the same group or really close collaborators, sharing updates, techniques and code over the course of multiple years, and this blogpost summarizes some of the key findings of our investigation:\r\n
From Shamoon 1 to Kwampirs\r\n
During the investigation, Cylera discovered a malware artifact (dubbed “886e7” in the technical report) that is an intermediate version between Shamoon and Kwampirs. It's basically a Shamoon Dropper in which the destructive components were not included, but instead only computer and network exploration code in the form of two reporters, probably in the middle of a refactor of the code.\r\n
https://resources.cylera.com/new-evidence-linking-kwampirs-malware-to-shamoon-apts\r\nPage 1 of 14\r\n
Dropper sample: 886e7271b1a0b0b6c8b2a180c2f34b1d08d899b1e4f806037a3c15feee604d7b\r\n
What are the key properties of 886e7 similar to Shamoon 1?\r\n
The main architecture of the Dropper is similar to Shamoon 1.\r\n
There is some dead code, unreachable by default, indicating that this sample was probably compiled in the middle of a refactor (or repurposing process).\r\n
Payloads are embedded in the resources, which are named PKCS12 and PKCS7, similar to the first Shamoon.\r\n
There are two reporter modules in this sample. One of these Reporter modules sends data similar to the data sent by Shamoon 1, including a similar format and similar values (i.e., tick count for cache busting).\r\n
The C2s are hardcoded in clear text within the binary, just like Shamoon 1.\r\n
The propagation and infection code is similar to Shamoon 1. It is almost the same, just like Kwampirs, with nearly a one-to-one correspondence of the code. But then both Kwampirs and 886e7 share a small propagation method addition, in a separate thread, with a slightly more aggressive strategy that we explain a bit later.\r\n
Ok… But what about the 886e7 link with Kwampirs?\r\n
The resources are executables, similar to Shamoon, but the downloaded components are DLLs, with exactly the same loader code as Kwampirs.\r\n
Both reporters use “ItIsMe” as the user agent, like the early Kwampirs samples. It seems like a continuation of the one used by Shamoon (“you”). We found requests with this user agent at the sinkhole server, indicating that there is still some activity of early Kwampirs-infected hosts. See for example the Kwampirs sample: a5e5b4e6caf7ac3ac8d9b7b3527f767ff011d138246686822fea213a3b0597fc.\r\n
The Dropper resources contain only “Reporter” modules. The reporters are the main payloads. No wiper, just like Kwampirs.\r\n
In Kwampirs, when the reporter executes the downloaded component (DLL), it will search for an exported function called “CF”. It turns out this 886e7 Reporter uses the same DLL loader code and searches for the callback string “cmdFunc” for the same purpose, so “CF” is probably the acronym into which it evolved, maybe to evade antivirus signatures based on static strings.\r\n
The second reporter reduces the number of parameters in the URL format and encodes everything into a base64 string, except the value of GetTickCount() as a cache-busting value, in a very similar way as Kwampirs does. Kwampirs evolves on top of this second Reporter, taking out the cache parameter, leaving only one parameter that packs multiple values inside. Shamoon 2 will inherit this format too.\r\n
The C2 returns data in the format of the Kwampirs C2, not like Shamoon 1. We know this because the sample explicitly looks for “911:” in the messages received (Figure 47), which is a string used by the Kwampirs C2 while downloading additional modules. Later versions remove the check of the “911:” string, but add cryptographic signature checks.\r\n
The sample uses GetExtendedTcpTable(), similar to Kwampirs' use of GetTcpTable(). Both functions allow Kwampirs (and 886e7) to propagate more aggressively over the network, allowing propagation attempts over Windows-based networks even if they are not in the same IPv4 range, which is ideal for supply chain exploration and infection attempts over manufacturer VPN connections. On the other hand, Shamoon versions do not use any of these propagation methods. Some hypotheses for this limitation are explained in the Shamoon usage section of the report, but summarizing it, they would just limit the damage of the destructive components (wipers) this way, but they use them in Kwampirs to perform more aggressive propagation while doing reconnaissance operations.\r\n
From Kwampirs to Shamoon 2\r\n
We found and identified a common template system between Kwampirs and Shamoon 2 that, with the known timeline, was first developed for Kwampirs, then implemented in Shamoon 2.\r\n
The Kwampirs Unrendered Template:\r\n
First, we found a Kwampirs artifact embedding an extra component that was a Kwampirs template itself, with unrendered labels (placeholders).\r\n
The binary template can be found in the dropper with hash 1314a078a06d1dc528014715d229b173ed5fbdff42ccde33fb933cdb0b82727e\r\n
Inside, there is the resource named 102, which contains the hash bbd346e70b3858682f9f54ff9a3aa86dd286a98ff2386fbaa929edf86bb6d3f2\r\n
And you can also find the rendered DLL at resource 101 with hash 3c51cc159d604627e8e0d53373b49453d80b200e8cc4ffe1552574e4aeb8a3a3\r\n
This template was likely embedded by mistake by either the developers or the operators configuring an artifact for a new attack campaign (if any different). There are a few more droppers carrying unrendered templates (listed in the report). We have documented the variables of the template in the following table:\r\n
Why do we believe it was not present in Shamoon 1?\r\n
Shamoon 1 definitely didn't have this template system. This system adds auxiliary code preprocessing the values of the rendered placeholders. This auxiliary code is simply not present in Shamoon 1. It includes the preprocessing and building of arrays based on data present in buffers with new lines as separators for multiple configuration parameters (for example, the C2 lists and options are built this way).\r\n
There are also traces that the values are embedded in ASCII, even for the numbers, because you can see the use of atoi() to convert them to integer format. The size of buffers, number of items, etc., are processed by atoi() function calls, which doesn't happen in Shamoon 1.\r\n
And guess why they use atoi()...? Because in order to get the placeholders into the binary they inserted the placeholders as string literals, to let the project compile with those unrendered placeholders (ASCII, not numbers yet) without failing the compilation. And this also indicates that the template system was designed and implemented at source code level, not by overwriting values directly in binary executables.\r\n
How does this template system link with Shamoon 2?\r\n
Looking closely at the Shamoon 2 64-bit Dropper (the one with sha256 hash 61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842, for example the one used against GACA), one can find the following unrendered placeholders:\r\n
###AV1### and ###AV2###\r\n
These placeholders are related to the resource embedding parameters needed to access the payload to drop, which is the Reporter component, with the difference that Kwampirs will also add a simple steganographic layer on top, to hide the payload a bit more. But both of the placeholders match the format of Kwampirs placeholders. With this we get a better picture of the full process.\r\n
First the reporters are rendered, then they are embedded into the droppers, which also use another template for the Dropper, with the correct parameters of the payloads to drop. The only difference is that Shamoon has more components (the Wiper executable plus driver), and has a 32-bit version of all its components as well as a 64-bit version of all of them, packed in a 64-bit Dropper which goes embedded in the 32-bit Dropper.\r\n
Using a template system with a builder just makes sense to avoid points of failure in the configuration of new campaigns. The rendering process of both malware families would look like the following diagrams:\r\n
Shamoon 2 New Campaign Building Process:\r\n
Kwampirs New Campaign Building Process:\r\n
But This is Not a Template. Why are Shamoon 2 Placeholders Unrendered?\r\n
It's complex to control mistakes when you have too many components carrying other components and different architectures carrying other architecture components... and maybe luck aligns to not even let you know.\r\n
Shamoon has 32-bit and 64-bit components, but they don't duplicate the code as if they had one codebase for 32-bit and another for 64-bit.\r\n
We believe they share the same code and use C macros, preprocessor options for the compiler, to enable and disable things specific to the architecture. One of these things is the process of checking the architecture and dropping and executing the 64-bit Dropper component, which only happens when the execution detects that the system is 64-bit based.\r\n
But when the 64-bit Dropper starts its execution, it shouldn't perform the same checks and it shouldn't drop any other payload. And it doesn't, but the template system mistakenly embedded part of the code related to the 64-bit dropper, and in the auxiliary code of the template system it leaves the placeholders unrendered, which are not really used, and that's why the program doesn't crash during execution. This way, the developers probably didn't realize they were embedding unrendered placeholders, leaking their format.\r\n
Summarizing, ###AV1### and ###AV2### are related to the payload dropping of the 64-bit version of the Dropper, which is not used by the 64-bit version itself (otherwise it would drop yet another copy of itself!), and they didn't wrap it correctly with architecture-based macros so they got embedded in the template system's auxiliary code... and this became a fingerprint of themselves! Oops - problem now!\r\n
And Why Kwampirs before Shamoon 2 and not the opposite?\r\n
Traces of the auxiliary code, as well as the placeholders, were identified in Shamoon 2 (in all \"Shamoon 2\" campaigns), with a flow graph slightly different, probably to bypass antivirus signatures and automated clustering systems, but it still can be easily identified with the auxiliary code of the template system.\r\n
We believe Shamoon 2 inherited all this code from Kwampirs, and not the opposite, because Shamoon 1 didn't have this template system back in 2012, and it was first seen in Kwampirs artifacts dated (and uploaded to VirusTotal) before the Shamoon 2 attacks of November 2016.\r\n
For example, the sample with hash 6f7173b7ae87b5f3262e24a5177dbbd4413d999627f767754f08d8289f359bb3 belongs to Kwampirs campaign E, and it was uploaded to VirusTotal with a first submission date of 2016-06-23 15:40:12, 6 months before “the known return of Shamoon 2”, which happened in November 2016 (as far as OSINT tells us).\r\n
We could not find evidence that the template system was yet correctly identified by other investigators in either the Kwampirs or Shamoon 2 malware families. A few researchers said the threat actors were probably using a builder, because of unused values, or values filled with dumb data, which is right. But this association with Kwampirs has not yet been referenced that we've seen.\r\n
Kwampirs and Shamoon 1, 2, 3 Timelines:\r\n
Any Other Shared Updates Apart From the Template System?\r\n
Shamoon 2 developers based many changes on Kwampirs improvements. Both Shamoon 2 and Kwampirs Reporters collect the same initial set of data to build the first request to their Command \u0026 Control servers:\r\n
MAC Address\r\nSystem and version information\r\nKeyboard layout list\r\n
Shamoon 2 Reporter:\r\n
Shamoon 2 (and 3) gathers the same host info as Kwampirs, used also as a bot ID (mac, system and version info, keyboard layout list)\r\n
Kwampirs Reporter:\r\n
Kwampirs gathers the same host info as Shamoon 2 (and 3), but also uses an encrypted cache file for these values\r\n
The data is customarily packed using the same procedures as Kwampirs, using a field separator specified with the template system, then the full buffer is encrypted with an xor-cyclic algorithm and then encoded with base64.\r\n
In Kwampirs the final URL will look like:\r\n
hxxp://18.25.62[.]70/groupgroup/default.php?q=[base64_string]\r\n
And in Shamoon 2 URLs will look like:\r\n
hxxp://server/category/page.php?shinu=[base64_string]\r\n
What Else is in the Technical Report?\r\n
We identified a malware component that was created independently and embedded in the Reporter resources, acting as a proxy, taking advantage of the user token of the explorer.exe process, mimikatz style. This functionality was later embedded as part of the Kwampirs dropper, adding different run modes to the Kwampirs dropper components. The communication with this component (which as we said is later the dropper itself) is performed using pipes.\r\n
We further give some details about a C2 misconfigured with an Open Directory Listing, and what we were able to gather from it.\r\n
We explain some technical reasons why we believe Kwampirs is not based on Open-Shamoon, a reverse-engineered version of Shamoon that has been around for a while.\r\n
We also talk about some live-hunting samples found in VirusTotal using Yara rules, and about some allegedly Iranian APTs that have been historically associated with Shamoon activity.\r\n
All these details and more are well covered in the expanded Cylera Labs Kwampirs Technical Report.\r\n
And What About Attributions and Our Final Conclusions?\r\n
We believe with medium-high confidence that Kwampirs and Shamoon 2 are maintained by the same group. But Shamoon 2 is already attributed to a set of actors based on the code, victims, and common infrastructure, which is a subgroup of APT33/APT34/Magic Hound, which seems to be no different than Shamoon 1. If one day Shamoon 2 is said to be a false flag operation from a different country or APT group, then the Kwampirs attribution would also need to be reevaluated.\r\n
With the data we have gathered right now, Kwampirs is very likely an Iranian APT that has been targeting healthcare and supply chains of multiple countries around the globe since at least 2015, with no clear intention, controlling the position for pivoting over these artifacts (even if they don't take it in a destructive direction yet).\r\n
Cybercriminals of all types and with a range of attack vectors and malware variants are targeting the healthcare industry and supply chains. Motivations can vary from just industrial espionage (intellectual property, scientific research), exfiltration and exposure of PHI records (of dissidents or key personalities), to the damaging extreme of enabling the creation of a crippling cyber-physical impact through wiper attacks if things get really ugly in a cyberwar scenario. The healthcare industry is a valuable, priority target and needs attention to assure defensive measures are in place, just as for any other critical infrastructure.\r\n
For the general, non-technical blog, or to read the full report: Cylera Labs Kwampirs Technical Report\r\n
Pablo Rincón, VP of Cybersecurity at Cylera, is a seasoned expert in IoT and medical device security. With a background at Alienvault and Qualys, he's a pioneer in various security technologies and a trusted figure in incident response and malware analysis.\r\n
Source: https://resources.cylera.com/new-evidence-linking-kwampirs-malware-to-shamoon-apts",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://resources.cylera.com/new-evidence-linking-kwampirs-malware-to-shamoon-apts"
	],
	"report_names": [
		"new-evidence-linking-kwampirs-malware-to-shamoon-apts"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434636,
	"ts_updated_at": 1775792173,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/23ea7ce9f823969c9d01d9c9bc92c7041e961b74.pdf",
		"text": "https://archive.orkl.eu/23ea7ce9f823969c9d01d9c9bc92c7041e961b74.txt",
		"img": "https://archive.orkl.eu/23ea7ce9f823969c9d01d9c9bc92c7041e961b74.jpg"
	}
}