{
	"id": "a0805696-cf65-4e25-a8c2-1ae88ba37f98",
	"created_at": "2026-04-06T00:22:12.59389Z",
	"updated_at": "2026-04-10T03:37:50.477172Z",
	"deleted_at": null,
	"sha1_hash": "2546860f12bfcb521cc86de399931a1bab9e90c6",
	"title": "Lapsus$ Activity Betrays Nation-State Motivation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 221292,
	"plain_text": "Lapsus$ Activity Betrays Nation-State Motivation\r\nBy Sam Curry\r\nArchived: 2026-04-05 18:37:34 UTC\r\nA new cybercrime group has made headlines recently with a release of evidence that it had hacked both Okta and Microsoft. Lapsus$, which emerged only a few months ago, seems reminiscent of early script-kiddie groups motivated by notoriety, and it claims to be in it for the money.\r\nHowever, a closer examination of the group’s tactics and targets suggests it may have a different agenda. Russia has used mercenaries from the Wagner Group, both in Syria and currently in its invasion of Ukraine, to execute operations it doesn’t want directly traceable to the Kremlin. It is fair to assume Russia may also engage cyber mercenaries and follow a similar strategy for cyberattacks.\r\nLapsus$ Hacking Group\r\nLapsus$ is a relatively new hacker group that is believed to be based in Brazil. A profile by Wired from March 15, 2022 notes that their initial attacks primarily targeted Portuguese-language targets. “In December and January, the group hacked and attempted to extort Brazil’s health ministry, the Portuguese media giant Impresa, the South American telecoms Claro and Embratel, and Brazilian car rental company Localiza, among others.”\r\nThe group is not a ransomware gang. It has focused on data theft and extortion but has not been known to encrypt systems or data. Lapsus$ originally seemed to gain access to victim networks and systems through phishing attacks. The group has also been known to use denial-of-service attacks and more mischievous tactics, such as redirecting a victim’s website to an adult entertainment site, in its self-proclaimed pursuit of non-state-sponsored profit.\r\nBloomberg published a story identifying a British teen as the mastermind behind Lapsus$, and police in the United Kingdom subsequently arrested 7 suspects ranging in age from 16 to 21. However, it is still unclear whether those suspects are actually connected to Lapsus$ at all.\r\nThe last message published by Lapsus$ on their Telegram account last week stated, “A few of our members has a vacation until 30/3/2022. We might be quiet for some times. Thanks for understand us - we will try to leak stuff ASAP.\" And, as promised, Lapsus$ returned on March 30 to publish a 70GB torrent file with data allegedly stolen from Globant, a large software development consultancy.\r\nLapsus$ is also linked to a group called “Recursion Team” in a recent report that claims they were able to obtain sensitive user data from Apple, Meta, and other tech companies by posing as law enforcement officials and using forged “emergency data requests.” Recursion Team is no longer active, but cybersecurity researchers believe that some of the individuals associated with Recursion Team moved on to form or join Lapsus$.\r\nIt is worth noting that Lapsus$ also claims that the suspects arrested in the United Kingdom are not part of the group and that no members of Lapsus$ have been arrested. Perhaps that is true, or maybe Lapsus$ recruited minors with the intent to expose them as a distraction if needed. Whether the individuals arrested in the United Kingdom are part of Lapsus$ or not, it seems that Lapsus$ is still going strong and there is still a question about what their motives are.\r\nhttps://www.cybereason.com/blog/lapsus-activity-betrays-nation-state-motivation\r\nPage 1 of 7\r\n
Me Thinks Thou Dost Protest Too Much\r\nThe group has gone out of its way to emphasize that it is financially motivated and that it is not a nation-state threat actor. Lapsus$ issued a statement in December on its Telegram channel stressing, “Remember: The only goal is money, our reasons are not political.”\r\nThe Wired profile points out that Lapsus$ reiterated this after breaching Nvidia in February. The group shared on Telegram, “Please note: We are not state sponsored and we are not in politics AT ALL.”\r\nWhile it may be true that Lapsus$ is just a group of malicious hackers looking for quick cash, the statements also seem suspect. The very fact that they are so vocal about not being a nation-state actor raises the question of whether they might be just that.\r\nProfit Motive with No Profit\r\nWhatever the group started out as, or whatever it claims to be, the pattern and profile of recent targets indicate a radical change in behavior and personality. There no longer appears to be any profit motive for recent attacks, and there is no logical business model at face value.\r\nA cybercrime gang that is motivated by money would focus on simple, low-cost attacks that have the highest potential for a quick and lucrative return. The reason ransomware is popular is that it enables attackers to generate significant revenue with very little effort and even less chance of being caught and held accountable. Such a gang would also not spend money on credentials without a business model, as Lapsus$ does in its advertisements on Telegram:\r\nKrebsonsecurity.com shared a screenshot of a Lapsus$ post on its Telegram channel soliciting insiders from telecom and tech companies to provide credentials for attacks.\r\nBut Lapsus$ is not using ransomware, and no longer seems to be pursuing profit at all. They have shifted radically from DDoS extortion attacks against companies in Latin America to attacks against large global tech giants, companies like Samsung, Nvidia, Ubisoft, Okta, and Microsoft that millions of companies and government agencies around the world rely on.\r\nNot only are the Lapsus$ attacks not generating revenue as far as we know, but the group is actually investing money in the attacks. Lapsus$ is reportedly bribing employees at target companies or their partners and suppliers to share credentials to facilitate the attacks. This significantly drives up the cost of the attacks, but there is no evidence they are realizing any return on the investment.\r\nThat is, unless someone else is paying them.\r\n
Lapsus$ Business Model\r\nThe burning question when it comes to Lapsus$ is, “What is their business model now that they have shifted tactics and targets?”\r\nEither the initial attacks and statements were outright lies or an elaborate ruse, or there is something else going on behind the scenes. It does not make any sense for Lapsus$ to spend money and resources on high-profile attacks that do not yield any profit.\r\nThe pattern and current business model lead to two potential conclusions. Either Lapsus$ is engaged in contract work on behalf of a third party, or the group is actually a nation-state threat actor hiding behind a script-kiddie façade.\r\nEither way, the most obvious puppet master is Russia.\r\nFrom Russia, With Love\r\nRussia spent the first couple of months of this year massing its military strategically along the border with Ukraine, both from Russia itself and by “conducting joint military exercises” with Ukraine’s northern neighbor, Belarus. Despite aggressive diplomatic efforts to convince Putin to de-escalate, Russia invaded Ukraine at the end of February.\r\nAs tensions increased, there was much speculation that Russia would engage in widespread cyberattacks prior to or in conjunction with the launch of the military invasion. However, that didn’t really happen. There were some minor attacks and evidence of malicious wipers planted on some servers in Ukraine, but nothing like the scale or scope of attacks that were expected.\r\nThat may be strategic. Russia likely understands that there is an ongoing debate about the line between cyberwar and traditional war, and whether or not a cyberattack warrants a kinetic response. Russia talks big, but Putin and his advisors probably understand that an overt cyberattack from Russia risks escalation that might give nations like the United States and NATO allies justification to respond.\r\n
Russia has two notorious world-class APTs. APT28 is a function of Russia’s military intelligence agency (GRU), and APT29 is associated with the Foreign Intelligence Service (SVR) and/or the Federal Security Service (FSB). Major cyberattacks and disinformation campaigns, including the hack of the Democratic National Committee, NotPetya, and the SolarWinds hack, have been attributed to these two APTs. So, why is Russia not using these resources more aggressively with regard to the invasion of Ukraine?\r\nOne likely answer is that they don’t want to burn their stockpile of zero-days, and perhaps even want to grow it. If APT28 and APT29 use their zero-day exploits, those exploits lose effectiveness as cybersecurity vendors and the world’s de facto immune system react and identify the IOCs, rendering them useless. It is fair to assume that Russia has a hoard of dangerous zero-day exploits, but that this may not be the right time to use them. It would make sense to use such exploits in a massive, simultaneous assault on adversary critical infrastructure targets at a future date.\r\nRussia also has access to a number of cybercrime gangs. Groups like Conti, Darkside, and REvil are private entities, but with ties to the Russian intelligence apparatus. Russia allows them to operate in a state-ignored or state-condoned way, with attacks that align with Russian state interests but give Putin and the Russian government some degree of plausible deniability.\r\nThat arms-length separation may not be enough right now, though. Perhaps Russia is cognizant of the risk that cyberattacks from Russia itself, or from Russian threat actors believed to be working on behalf of Russia, would likely result in a much stronger response from the United States and NATO allies that could escalate the conflict beyond what Russia is comfortable with.\r\n
If It Quacks Like a Duck\r\nThat is where Lapsus$ comes in. The recent change in tactics and behavior could be an indication that the group has been commissioned as “cyber mercenaries” working on Russia’s behalf. It benefits Russia to have an “independent” cybercrime gang wreak havoc on adversary nations and gain access to source code and valuable intelligence that Russia can use for future cyberattacks, delivery mechanisms, and tools.\r\nThe fact that Lapsus$ is spending money to buy credentials to carry out operations implies they are getting the money from somewhere, or they are themselves a nation-state threat actor. Either Russia (or another threat actor aligned with Russia) is paying them, or they lied about being financially motivated in the first place and they’re actually a nation-state threat actor using the Brazil script-kiddie façade as cover. Either way, the tactics and motives only make sense if there is a nation-state actor involved.\r\nIn either case, if it’s true that Lapsus$ is working with or for Russia, then the war in Ukraine has expanded even further beyond the nations’ borders. It’s possible we are only seeing the tip of the iceberg where cyber mercenaries and Russian interests are concerned. The potential exists that we may be at risk of a massive, coordinated attack targeting multiple critical entities simultaneously.\r\nThis is all speculation at this point. It is educated guesswork and analysis of evidence and trends, arriving at possible, or probable, conclusions. But, if it walks like a duck and quacks like a duck, it’s probably a Russian threat actor.\r\n
About the Author\r\nSam Curry\r\nSam Curry is CSO at Cybereason and is a Visiting Fellow at the National Security Institute. Previously, Sam was CTO and CISO for Arbor Networks (NetScout) and was CSO and SVP R\u0026D at MicroStrategy in addition to holding senior security roles at McAfee and CA. He spent 7 years at RSA, the Security Division of EMC, as Chief Technologist and SVP of Product. Sam also has over 20 patents in security from his time as a security architect, has been a leader in two successful startups and is a board member of the Cybersecurity Coalition, of SSH Communications and of Sequitur Labs.\r\nSource: https://www.cybereason.com/blog/lapsus-activity-betrays-nation-state-motivation",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cybereason.com/blog/lapsus-activity-betrays-nation-state-motivation"
	],
	"report_names": [
		"lapsus-activity-betrays-nation-state-motivation"
	],
	"threat_actors": [
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434932,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2546860f12bfcb521cc86de399931a1bab9e90c6.pdf",
		"text": "https://archive.orkl.eu/2546860f12bfcb521cc86de399931a1bab9e90c6.txt",
		"img": "https://archive.orkl.eu/2546860f12bfcb521cc86de399931a1bab9e90c6.jpg"
	}
}