{
	"id": "8e4c9033-e5ac-426d-83e5-dd41a24a4cb5",
	"created_at": "2026-04-06T00:18:41.049852Z",
	"updated_at": "2026-04-10T13:12:06.838864Z",
	"deleted_at": null,
	"sha1_hash": "23fb128332711cf87eb640270eda57bafcf72a7a",
	"title": "APTs Targeting Journalists \u0026 Media Organizations | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2481814,
	"plain_text": "APTs Targeting Journalists \u0026 Media Organizations | Proofpoint US\nBy Crista Giering, Joshua Miller, Michael Raggi and the Proofpoint Threat Research Team\nPublished: 2022-07-11 · Archived: 2026-04-05 18:23:20 UTC\n\nKey Takeaways\nThose involved in media make for appealing targets given the unique access, information, and insights they can provide on topics of state-designated import.\nProofpoint researchers have observed APT actors since early 2021 regularly targeting and posing as journalists and media organizations to advance their state-aligned collection requirements and initiatives.\nThe identified campaigns have leveraged a variety of techniques, from using web beacons for reconnaissance to sending malware to establish initial access into the target’s network.\nThe focus on media by APTs is unlikely to ever wane, making it important for journalists to protect themselves, their sources, and the integrity of their information by ensuring they have an accurate threat model and secure themselves appropriately.\n\nOverview\nJournalists and media organizations suffer from many of the same threats as everyone else. Between threat actors wanting to steal credentials to resell or to utilize compromised hosts for brokered initial access to spread ransomware, among other threats, this sector is no stranger to the dangers of the threat landscape. Advanced persistent threat (APT) actors, however, look to those in the field of media for different purposes, ones that could have far-reaching impacts.\nJournalists and media organizations are well sought-after targets, with Proofpoint researchers observing APT actors, specifically those that are state-sponsored or state-aligned, routinely masquerading as or targeting journalists and media organizations because of the unique access and information they can provide. The media sector and those that work within it can open doors that others cannot. A well-timed, successful attack on a journalist’s email account could provide insights into sensitive, budding stories and source identification. A compromised account could be used to spread disinformation or pro-state propaganda, provide disinformation during times of war or pandemic, or be used to influence a politically charged atmosphere. Most commonly, phishing attacks targeting journalists are used for espionage or to gain key insights into the inner workings of another government, company, or other area of state-designated import.\nProofpoint data since early 2021 shows a sustained effort by APT actors worldwide attempting to target or leverage journalists and media personas in a variety of campaigns, including those well-timed to sensitive political events in the United States. Some campaigns have targeted the media for a competitive intelligence edge while others have targeted journalists immediately following their coverage painting a regime in a poor light or as a means to spread disinformation or propaganda. For the purposes of this report, we focus on the activities of a handful of APT actors assessed to be aligned with the state interests of China, North Korea, Iran, and Turkey.\nhttps://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists\nPage 1 of 14\n\nTargeting Journalists’ Work Email Accounts\nAs observed in Proofpoint data, targeting journalists’ work email accounts is by far the most seen locus of attack used by APT actors against this target set. It is important to note that journalists are communicating with external, foreign, and often semi-anonymous parties to gather information. This outreach increases the risk of phishing since journalists, often by necessity, communicate with unknown recipients more so than the average user. Verifying or gaining access to such accounts can be an entry point for threat actors for later stage attacks on a media organization’s network or to gain access to desired information.\n\nChina\nSince early 2021, the APT actor tracked by Proofpoint as TA412, known also as Zirconium based on public reporting by Microsoft about a phishing reconnaissance team within this larger APT threat actor designation, has engaged in numerous reconnaissance phishing campaigns targeting US-based journalists. TA412, which is believed to be aligned with Chinese state interests and to have strategic espionage objectives, has favored using malicious emails containing web beacons in these campaigns. This is a technique consistently used by the threat actor since at least 2016; however, it was likely in use for years prior. Web beacons, which are commonly referred to as tracking pixels, tracking beacons, and web bugs, embed a hyperlinked non-visible object within the body of an email that, when enabled, attempts to retrieve a benign image file from an actor-controlled server.\nProofpoint researchers assess these campaigns have been intended to validate that targeted emails are active and to gain fundamental information about the recipients’ network environments. Web beacons can provide the following technical artifacts to an attacker which, in turn, can serve as reconnaissance information as a threat actor plans their next stage of attack:\nExternally visible IP addresses\nUser-Agent string\nEmail address\nValidation that the targeted user account is active\nThe campaigns by TA412 and their ilk evolved over the course of months, adjusting lures to best fit the current US political environment and switching to target US-based journalists focused on different areas of interest to the Chinese government. The campaigns which targeted journalists were part of a broader pattern of reconnaissance phishing conducted by this threat actor over many years.\n2021: Between January and February 2021, Proofpoint researchers identified five campaigns by TA412 targeting US-based journalists, most notably those covering US politics and national security during events that gained international attention. Of note, a very abrupt shift in targeting of reconnaissance phishing occurred in the days immediately preceding the 6 January 2021 attack on the US Capitol Building. Proofpoint researchers observed a focus on Washington DC and White House correspondents during this time. The malicious emails utilized subject lines pulled from recent US news articles, such as “Jobless Benefits Run Out as Trump Resists Signing Relief Bill,” “US issues Russia threat to China,” and “Trump Call to Georgia Official Might Violate State and Federal Law.”\nThe message bodies duplicated text included in the news articles, and the web beacon URLs included a benign PNG file with a 0x0 aspect ratio that was retrieved as part of the web beacon in the following format:\nhxxp://www.actor-controlled domain[.]com/Free/\u003cTargeted User Email Fragment\u003e/0103/Customer.png\nThe URL structure designates an actor-controlled domain, a campaign identifier, a victim identifier, a campaign date, and the name of the benign PNG resource.\nFigure 1. Sample of a TA412 web beacon reconnaissance email. If an email client is configured to block downloadable content, then the web beacon URL should be presented to the target with an option to download the remote content, as seen in this image.\nIn August 2021, after a months-long break, TA412 again turned to targeting journalists, but this time those working on cybersecurity, surveillance, and privacy issues with a focus on China. Those targeted appeared to have written extensively on social media privacy issues and Chinese disinformation campaigns, signaling an interest by the Chinese state in media narratives that could push a negative global opinion or perception of China. These campaigns mirrored those identified earlier in 2021 but demonstrated an evolving web beacon URL structure that changes over time. The observed structure was:\nhxxp://[actor-controlled domain/IP]/stringhere/AbbreviatedVictimAddress[@]AbbreviatedTargetedOrganization/filename[.]png\n2022: After an observed pause in targeting journalists, Proofpoint researchers identified a resumption of targeting this sector on February 9, 2022. The campaigns were numerous and occurred over a period of ten days. These campaigns strongly resembled those noted in early 2021 and indicated a desire to collect on US-based media organizations and contributors with a focus on those reporting on US and European engagement in the anticipated Russia-Ukraine war.\nSubjects included:\nNew bill aims to prohibit US military aid to Ukraine\nUS issues Russia threat to China\nMacron reveals Putin 'guarantees'\nUK to arm Ukraine with anti-ship missiles against Russia - Kiev's envoy\nUS says how Ukraine stand-off can be resolved\nUK says invasion 'highly likely'\nWhite House says door for diplomacy with Russia remains open, but troop buildup is continuing\nAnother Chinese APT group, TA459, in late April 2022 targeted media personnel with emails containing a malicious Royal Road RTF attachment (acknowledge.doc) that, if opened, would install and execute Chinoxy malware. This malware is a backdoor that is used to gain persistence on a victim’s machine. Researchers at Bitdefender have observed the threat actor’s use of Chinoxy extensively in Southeast Asia since at least 2018. Of note, the targeted entity was responsible for reporting on the Russia-Ukraine conflict, which aligns with TA459’s historic mandate of collecting on intelligence matters related to Russia and Belarus.\nFigure 2. The Word document attachment, file name acknowledge.doc.\nThis campaign used a possibly compromised Pakistani government email address to send the emails and looked to entice media recipients with a lure on foreign policy in Afghanistan. To add to the credibility of the emails, TA459 included links to a benign YouTube video produced by the Islamabad Security Dialogue, which references disinformation campaigns.\nFigure 3. Screenshot of the YouTube video link included in the malicious emails.\n\nNorth Korea\nIn a vengeful twist, the North Korea-aligned TA404 in early 2022 targeted a US-based media organization with job opportunity-themed phishing. This attack occurred after the organization published an article critical of North Korean leader Kim Jong Un—a well-known motivator for action by North Korea-aligned APT actors. TA404, known more broadly as Lazarus, typically engages in highly targeted campaigns that begin with benign messages. This campaign aligned with that expected behavior. It started with reconnaissance phishing that used URLs customized to each recipient. The URLs impersonated a job posting with landing pages designed to look like a branded job posting site. If a victim interacted with the URL, which contained a unique target ID, the server resolving the domain would have received confirmation that the email was delivered and the intended target had interacted with it. This request also provides identifying information about the computer, or device, allowing the host to keep track of the intended target.\nWhile Proofpoint researchers did not observe follow-up emails, considering this threat actor’s proclivity for later sending malware-laden email attachments, it is likely that TA404 would have attempted to send a malicious template document attachment or something similar in the future. Researchers at the Google Threat Analysis Group (TAG) on March 24, 2022 disclosed details on this campaign as part of “Operation Dream Job.” While journalism and media were not listed among the targeted sectors, Proofpoint has observed shared indicators of compromise utilized in both campaigns identified earlier this year and those reported by Google TAG.\n\nTargeting Journalists’ Social Media Accounts\nTargeting journalists and media organizations for their social media account credentials can have significant consequences. For example, in 2013 a threat actor took over the official Associated Press Twitter account and posted a tweet claiming President Barack Obama had been injured in an attack on the White House. The stock market dropped more than 100 points in roughly two minutes following the tweet. Two years later, in 2015, a threat actor compromised about 130 Twitter accounts of influential individuals and tricked some of their followers into transferring more than $100,000 in Bitcoin to attacker-controlled accounts.\nWhile oftentimes campaigns looking to compromise social media accounts, including those by APTs, do not result in such severe or observable outcomes, they can still wind up requiring more than just an account reset or the activation of multi-factor authentication (MFA), especially since enabling MFA is not a guarantee of complete account protection.\n\nTurkey\nSince early 2022, Proofpoint researchers have observed a prolific threat actor, tracked as TA482, regularly engaging in credential harvesting campaigns that target the social media accounts of mostly US-based journalists and media organizations. This victimology, TA482’s use of services originating from Turkey to host its domains and infrastructure, as well as Turkey’s history of leveraging social media to spread pro-President Recep Tayyip Erdogan and pro-Justice and Development Party (Turkey’s ruling party) propaganda support Proofpoint’s assessment that TA482 is aligned with the Turkish state.\nOngoing campaigns have narrowed in on Twitter credentials of any individuals that write for media publications. This includes journalists from well-known news outlets to those writing for an academic institution and everything in between. The malicious emails are typically Twitter security themed and attempt to grab a recipient’s attention with subjects alerting the user to a suspicious or new login location.\nFigure 4. A typical TA482 Twitter-themed credential phishing email.\nIf the target clicks on the link supplied in the email, they are taken to a credential harvesting landing page which impersonates a Twitter login page to reset their password.\nFigure 5. A TA482 landing page designed to steal a user’s credentials.\nProofpoint researchers cannot independently verify the motivations behind these campaigns, but the possibilities abound and, based on historical Turkey threat actor activity, could include using the compromised accounts to target a journalist’s social media contacts, using the accounts for defacement, or spreading propaganda. It is possible these attacks will ramp up as Turkey’s 2023 parliamentary and presidential elections draw near.\n\nPosing as Journalists\nThere is an inherent sense of intrigue when one is approached by a journalist to discuss an area of expertise. The allure of having research highlighted in the media is often a great motivator to overlook or disregard signs that this opportunity may not be entirely legitimate. This social engineering tactic successfully exploits the human desire for recognition and is being leveraged by APT actors wishing to target academics and foreign policy experts worldwide, likely in an effort to gain access to sensitive information.\n\nIran\nMultiple Iran-aligned APT actors use journalists or newspapers as pretexts to surveil targets and attempt to harvest their credentials. One of the most active in Proofpoint telemetry is TA453, also known as Charming Kitten. TA453, which we assess with high confidence supports the Islamic Revolutionary Guard Corps intelligence collection efforts, routinely masquerades as journalists from around the world. The threat actor uses these personas to engage in benign conversations with targets, which consist mostly of academics and policy experts working on Middle Eastern foreign affairs.\nAs can be seen in Figure 6, the content of TA453’s initial outreach emails indicates a degree of research on the intended target, likely to enhance the believability of the request and to encourage further dialogue.\nFigure 6. Screenshot of a benign TA453 conversation starter, posted by and used with permission from Mahsa Alimardani via Twitter.\nIf the initial email is ignored, TA453 will often recontact individuals to follow up (Figure 7). If the targeted recipient does engage in conversation with the persona, TA453 will eventually invite them to a virtual meeting to have further discussions via a customized, but benign PDF (Figure 8).\nFigure 7. Example of a TA453 follow-up email attempting to solicit a response from the target.\nFigure 8. Example of a TA453 benign PDF uploaded to VirusTotal.\nThe vast majority of TA453 campaigns ultimately lead to credential harvesting. The benign PDFs, similar to Figure 8, are typically delivered from file hosting services and almost always contain a link to a URL shortener and IP tracker that redirects targets to the credential harvesting domains on actor-controlled infrastructure.\nFigure 9. Standard TA453 attack chain.\nTA456, also known as Tortoiseshell, is another Iran-aligned threat actor that routinely masquerades as media organizations sending newsletters across the ideological spectrum, including Fox News and the Guardian. TA456 has repeatedly targeted the same users with newsletter-themed emails containing web beacons. This activity likely has complemented TA456's efforts to deliver malware via relationships built on social media, similar to previous campaigns.\nFigure 10. Examples of the newsletter themes used by TA456 in the bodies of their phishing emails.\nLastly, TA457, an Iran-aligned threat actor active in Proofpoint data since late 2021, has been known to masquerade as an “iNews Reporter” to deliver malware to public relations personnel for companies located in the US, Israel, and Saudi Arabia. For example, in early March 2022, TA457 sent an email with the ironic subject “Iran Cyber War” and the actor-controlled domain news-spot[.]live. The campaign continued TA457’s pattern of using news-themed lure websites to deliver a malicious URL. The URL structure (news-spot[.]live/Reports/1/?id=[Campaign/Lure Identifier]\u0026pid=[TargetIdentifier]) has both an identifier to track which lure documents to deliver along with a PID to determine which recipient is receiving the phish. The themes of documents have included Iran, Russia, drones, war crimes, “secret weapons,” and more. When a user clicks the malicious URL, two files are downloaded: a Word document and an .scr file. When macros are enabled on the document, it drops an embedded executable file (DnsDig.exe). When the reader.scr file is dropped, it downloads DnsDig.exe from the URL and also drops iran.pdf as a decoy to the user. DnsDig is a TA457 remote access trojan that uses DNS tunneling to a hardcoded domain (cyberclub[.]one).\nFigure 11. Attack chain of TA457 “Iran Cyber War” campaign.\nBetween September 2021 and March 2022, Proofpoint observed TA457 campaigns approximately every two to three weeks. The March 2022 campaign targeted both individual and generic, group email addresses such as international.media@[redacted].com at less than ten Proofpoint customers involved in energy, media, government, and manufacturing.\n\nConclusion\nTargeting journalists and media organizations is not novel. APT actors, regardless of their state affiliation, have and will likely always have a mandate to target journalists and media organizations and will use associated personas to further their objectives and collection priorities. From intentions to gather sensitive information to attempts to manipulate public perceptions, the knowledge and access that a journalist or news outlet can provide is unique in the public space. Targeting the media sector also carries a lower risk of failure or discovery for an APT actor than going after other, more hardened targets of interest, such as government entities.\nThe varied approaches by APT actors—using web beacons for reconnaissance, credential harvesting, and sending malware to gain a foothold in a recipient’s network—mean those operating in the media space need to stay vigilant. Assessing one’s personal level of risk can give an individual a good sense of the odds they will end up as a target. For example, if you report on China or North Korea or associated threat actors, you may become part of their collection requirements in the future. Being aware of the broad attack surface—all the varied online platforms used for sharing information and news—an APT actor can leverage is also key to preventing oneself from becoming a victim. And ultimately, practicing caution and verifying the identity or source of an email can halt an APT attack in its nascent stage.\nSource: https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists"
	],
	"report_names": [
		"above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "09eb43c0-33b8-4067-97b6-545249dbb31d",
			"created_at": "2023-11-14T02:00:07.088904Z",
			"updated_at": "2026-04-10T02:00:03.447919Z",
			"deleted_at": null,
			"main_name": "TA482",
			"aliases": [],
			"source_name": "MISPGALAXY:TA482",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7041fcf5-b34d-47c3-be4c-3c40f243af89",
			"created_at": "2023-01-06T13:46:38.611261Z",
			"updated_at": "2026-04-10T02:00:03.038745Z",
			"deleted_at": null,
			"main_name": "TA459",
			"aliases": [
				"G0062"
			],
			"source_name": "MISPGALAXY:TA459",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0bf35542-9ebc-44a9-b319-b6df0bee4bac",
			"created_at": "2022-10-25T15:50:23.437853Z",
			"updated_at": "2026-04-10T02:00:05.36762Z",
			"deleted_at": null,
			"main_name": "TA459",
			"aliases": [
				"TA459"
			],
			"source_name": "MITRE:TA459",
			"tools": [
				"gh0st RAT",
				"NetTraveler",
				"PlugX",
				"ZeroT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "84a3dd71-1d65-4997-80fc-7fbe55b267f2",
			"created_at": "2023-04-26T02:03:02.969306Z",
			"updated_at": "2026-04-10T02:00:05.341127Z",
			"deleted_at": null,
			"main_name": "CURIUM",
			"aliases": [
				"CURIUM",
				"Crimson Sandstorm",
				"TA456",
				"Tortoise Shell",
				"Yellow Liderc"
			],
			"source_name": "MITRE:CURIUM",
			"tools": [
				"IMAPLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ae26d287-8ba7-447e-9391-cf13c02d7481",
			"created_at": "2023-03-04T02:01:54.0962Z",
			"updated_at": "2026-04-10T02:00:03.357189Z",
			"deleted_at": null,
			"main_name": "TA453",
			"aliases": [],
			"source_name": "MISPGALAXY:TA453",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7",
			"created_at": "2023-01-06T13:46:39.054248Z",
			"updated_at": "2026-04-10T02:00:03.197801Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Yellow Liderc",
				"Imperial Kitten",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Smoke Sandstorm",
				"IMPERIAL KITTEN",
				"TA456",
				"DUSTYCAVE",
				"CURIUM"
			],
			"source_name": "MISPGALAXY:Tortoiseshell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "802552ac-1f16-4b85-8d78-76d683684124",
			"created_at": "2022-10-25T16:07:24.28032Z",
			"updated_at": "2026-04-10T02:00:04.920517Z",
			"deleted_at": null,
			"main_name": "TA459",
			"aliases": [
				"G0062"
			],
			"source_name": "ETDA:TA459",
			"tools": [
				"Agent.dhwf",
				"AngryRebel",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kaba",
				"Korplug",
				"Moudour",
				"Mydoor",
				"NetTraveler",
				"Netfile",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TravNet",
				"Xamtrav",
				"ZeroT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b5b24083-7ba6-44cc-9d11-a6274e2eee00",
			"created_at": "2022-10-25T16:07:24.337332Z",
			"updated_at": "2026-04-10T02:00:04.94285Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Cobalt Fireside",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Curium",
				"Devious Serpens",
				"Houseblend",
				"Imperial Kitten",
				"Marcella Flores",
				"Operation Fata Morgana",
				"TA456",
				"Yellow Liderc"
			],
			"source_name": "ETDA:Tortoiseshell",
			"tools": [
				"IMAPLoader",
				"Infostealer",
				"IvizTech",
				"LEMPO",
				"MANGOPUNCH",
				"SysKit",
				"get-logon-history.ps1",
				"liderc",
				"stereoversioncontrol"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "591ffe81-e46b-4e3d-90c1-9bf42abeeb47",
			"created_at": "2025-08-07T02:03:24.726943Z",
			"updated_at": "2026-04-10T02:00:03.805423Z",
			"deleted_at": null,
			"main_name": "COBALT FIRESIDE",
			"aliases": [
				"CURIUM ",
				"Crimson Sandstorm ",
				"Cuboid Sandstorm ",
				"DEV-0228 ",
				"HIVE0095 ",
				"Imperial Kitten ",
				"TA456 ",
				"Tortoiseshell ",
				"UNC3890 ",
				"Yellow Liderc "
			],
			"source_name": "Secureworks:COBALT FIRESIDE",
			"tools": [
				"FireBAK",
				"LEMPO",
				"LiderBird"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "dc7ee503-9494-4fb6-a678-440c68fd31d8",
			"created_at": "2022-10-25T16:07:23.349177Z",
			"updated_at": "2026-04-10T02:00:04.552639Z",
			"deleted_at": null,
			"main_name": "APT 31",
			"aliases": [
				"APT 31",
				"Bronze Vinewood",
				"G0128",
				"Judgment Panda",
				"Red Keres",
				"RedBravo",
				"TA412",
				"Violet Typhoon",
				"Zirconium"
			],
			"source_name": "ETDA:APT 31",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"GrewApacha",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Roarur",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434721,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/23fb128332711cf87eb640270eda57bafcf72a7a.pdf",
		"text": "https://archive.orkl.eu/23fb128332711cf87eb640270eda57bafcf72a7a.txt",
		"img": "https://archive.orkl.eu/23fb128332711cf87eb640270eda57bafcf72a7a.jpg"
	}
}