{
	"id": "5e6af3e1-1617-45b1-9c2b-966075fd91db",
	"created_at": "2026-04-06T00:09:59.991536Z",
	"updated_at": "2026-04-10T03:38:19.000995Z",
	"deleted_at": null,
	"sha1_hash": "267af4fb18a810acf2a7a7376bc2ad4fbbdd0372",
	"title": "The DPRK delicate sound of cyber",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1530821,
	"plain_text": "The DPRK delicate sound of cyber\r\nBy Sekoia TDR\r\nPublished: 2022-12-16 · Archived: 2026-04-05 23:35:55 UTC\r\nTable of contents\r\nA saucerful of Secrets\r\nThe DPRK side of the mo(o)ney\r\nThe Peek at the gates\r\nHousehold objects\r\nWish you were here\r\nThe Sanction bell\r\nAssessments\r\nExternal References\r\nThis blogpost aims at contextualising and analysing trends pertaining to malicious cyber activities associated with\r\nDemocratic People’s Republic of Korea-nexus Intrusion Sets reported in open sources in 2022.\r\nTLDR;\r\n• All known Intrusion Sets associated with the Democratic People’s Republic of Korea (DPRK) were reported as active\r\nover the year, Lazarus and Kimsuky activities being the most reported on.\r\n• Kimsuky, Bluenoroff, and Lazarus mandates continue to overlap, and Lazarus, Bluenoroff and Andariel keep on\r\nconducting dual-objective operations pertaining to revenue generation (AppleJeus, SnatchCrypto) and cyberespionage\r\n(DreamJob), in line with Pyongyang’s strategic interests.\r\n• DPRK-associated Intrusion Sets continued demonstrating efforts to update their TTPs and expand their toolset\r\n(Lazarus’ use of the BYOVD technique and Kimsuky’s Sharpext malware), further contributing to these groups’ stealthiness\r\nand goal achievement.\r\n• SEKOIA.IO analysts assess malicious cyber campaigns orchestrated by Pyongyang will almost certainly continue in the\r\nshort term.\r\n________________________________________________________________________________________________________\r\nhttps://blog.sekoia.io/the-dprk-delicate-sound-of-cyber/\r\nPage 1 of 11\n\nAssociated with the development of a ballistic, nuclear, and bacteriological arsenal, the cyber component, called “secret\r\nwar” by Pyongyang, has been part of the North Korean offensive approach since at least 2004. 
DPRK offensive cyber activities\r\ninclude cyberespionage and lucrative campaigns; they are resolutely asymmetrical and a force multiplier in subverting\r\ninternational sanctions and funding Pyongyang’s economy. These facets contribute to the survival of the North Korean state,\r\nas well as maintaining its position within the international system as a “small great power.”\r\nDPRK malicious cyber activities involve multiple state organisations, including the Ministry of State Security (MSS aka\r\nBowibu) and the Reconnaissance General Bureau. Associated Intrusion Sets include Lazarus, Bluenoroff, Andariel, Reaper,\r\nand Kimsuky.\r\nA saucerful of Secrets\r\nLet there be more spy\r\nAll North-Korea-associated Intrusion Sets continued carrying out cyberespionage activities throughout the year, with a\r\nparticularly high tempo of activity demonstrated by Lazarus and Kimsuky. Targeted sectors notably included a strong focus\r\non cryptocurrency-related entities and the aerospace and defence industry (Operation DreamJob). Additional sectors of\r\ninterest include technology, civil society (journalists, activists, defectors), academia, think tanks, media, and diplomacy,\r\nnotably pertaining to nuclear policy, Korean Peninsula and Asia-Pacific subject matters. 
Reported malicious activities\r\nsuggest a renewed interest in targeting international organisations [1] [2] for strategic intelligence collection.\r\nSEKOIA.IO analysts noticed Kimsuky refocusing on their traditionally assigned locations,\r\nnamely the United States (U.S.), Japan, and the Republic of Korea (aka RoK and South Korea),\r\nand refocusing on military intelligence collection, as well as expanding their victimology\r\nto target the shipping industry [3] and a company involved in carbon credits [4].\r\nLast reported in April 2022, the DPRK-nexus Intrusion Set Reaper was seen carrying out targeted surveillance operations\r\nagainst human rights activists, journalists, and defectors from\r\nNorth Korea, notably leveraging the Chinotto malware [5], Goldbackdoor, a variant of the BlueLight malware [6], and the newly\r\ndiscovered CloudMensis, a spyware based on RokRAT and designed to target Windows and macOS systems [7].\r\nAdditional DPRK-aligned cyberespionage activities include the targeting of the energy and\r\nmilitary sectors [8], as well as energy providers in Canada, Japan, and the United States\r\nbetween February and July 2022 [9]. Of note, energy-related targeting is a consistent, longstanding assignment for the\r\nAndariel Intrusion Set. Additionally, Andariel was reported deploying their signature Maui ransomware on at least one\r\noccasion in 2022 [10]. Based on available information, it is not clear whether the deployment of Maui was part of a lucrative\r\nobjective and / or an anti-forensic effort by the Intrusion Set. It is also plausible that ransomware operations carried out by\r\nAndariel are part of moonlighting activities for personal gain or self-funding.\r\nYou get a good (Dream)job\r\n2022 saw the continuation of DreamJob (aka ShowState, DeathNote, Operation In(ter)ception),\r\na two-fold campaign run by Lazarus since March 2019. 
DreamJob encompasses the targeting\r\nof aerospace and defence related organisations and individuals, security researchers, and\r\ncryptocurrency-related entities for cyberespionage and lucrative objectives.\r\nLazarus continued relying on social engineering, including leveraging social networks and\r\nmessaging applications (notably LinkedIn, WhatsApp and Slack), masquerading as recruiters\r\nfrom high-profile defence [11] and cryptocurrency companies. Recent victimology notably includes defence contractors in\r\nFrance, Belgium, Italy, Spain, Germany, Czech Republic, the\r\nNetherlands, Poland, Ukraine, Turkey, South Africa, Qatar, and Brazil [12].\r\nSEKOIA.IO analysts assess the targeting of security researchers observed in this campaign\r\nlikely provides Lazarus with knowledge to improve their Tactics, Techniques and Procedures\r\n(TTPs), notably those pertaining to persistence, defence evasion and anti-forensics efforts.\r\nThis activity also possibly aims at contributing to capacity building for Lazarus, providing\r\nthem with new tools and malware for follow-up operations.\r\nThe DPRK side of the mo(o)ney\r\nDPRK-nexus Intrusion Sets, including Lazarus and Bluenoroff, continued carrying out lucrative cyber campaigns, notably\r\ntargeting cryptocurrency and financial technology-related activities. As previously mentioned, this includes part of\r\nOperation DreamJob conducted by Lazarus, whose financially motivated aspect was notably illustrated by the targeting of a\r\nBrazilian cryptocurrency company with NukeSped [13]. 
Of note, SEKOIA.IO assess it is likely that Brazil’s “Bitcoin Law”\r\ndebates occurring in October 2021 [14] renewed Lazarus’ interest in targeting this country in financially motivated campaigns.\r\nApples and Oranges\r\nLazarus also continued running the AppleJeus campaign, active since at least 2018, targeting cryptocurrency and fintech platforms and users with\r\nbackdoored cryptocurrency trading applications [15]. The U.S. Cybersecurity and Infrastructure\r\nSecurity Agency (CISA) publicly attributed the malicious campaign against the decentralized finance (DeFi) platform Ronin\r\nNetwork (Axie Infinity) that occurred in March to Lazarus [16].\r\nSnatch that cash\r\nAnother long-running campaign called SnatchCrypto (aka CryptoCore, DangerousPassword),\r\ncarried out by Bluenoroff since 2017, was still active through 2022 [17]. From SEKOIA.IO analysts’ vantage point, this\r\ncampaign notably includes TraderTraitor activities, a series of malicious applications masquerading as trading or price\r\nprediction tools, using the Electron framework and cross-platform JavaScript code to deliver the Manuscrypt RAT [18]. This\r\ncampaign appears opportunistic in nature; its victimology notably includes Europe, Asia, the U.S., and the UAE.\r\nFinancially motivated campaigns are a trademark of DPRK-nexus Intrusion Sets, almost certainly to evade economic\r\nsanctions and fund follow-up malicious cyber campaigns. Open-source reports also indicate funding of nuclear\r\nweapons through the Reconnaissance General Bureau (RGB), specifically Bureau 121, to which Lazarus, Andariel and\r\nBluenoroff are allegedly subordinated. However, recent reporting indicates that DPRK-nexus Intrusion Sets tend to hold\r\nstolen cryptocurrency for several years, possibly as part of their monetary policy. Another hypothesis is that unlaundered\r\ncryptocurrency funds could possibly result from an operator error.\r\nFigure 1. 
DPRK-nexus Intrusion Sets 2022 activities. Source: SEKOIA.IO\r\nThe Peek at the gates\r\nBased on reported TTPs and malware analysis provided in open sources, SEKOIA.IO analysts observed North Korea-nexus\r\nIntrusion Sets’ strong and continued efforts in selectively targeting their victims and improving their stealthiness.\r\nBesides advanced reconnaissance efforts, Intrusion Sets can further screen their targets before delivering their payload. For\r\ninstance, Kimsuky was recently observed using an IP validation method as part of its GoldDragon infection mechanism\r\n[19]. The same Intrusion Set also newly implemented a geofencing mechanism in their signature malware Konni RAT [20],\r\nand similar behaviour was observed in the FastSpy infection chain [21]. In a recent campaign Kimsuky also used a file\r\nexfiltrator component to find and collect specific files of interest via file lists hosted on a remote server [22].\r\nWhile North Korea-nexus Intrusion Sets traditionally reuse their infrastructure, they demonstrate increased efforts to achieve\r\nstealthiness, notably through obfuscation and defence evasion mechanisms, as well as regularly updating their infection chain.\r\nOf note, spearphishing remains the principal observed intrusion vector in these Intrusion Sets’ malicious cyber activities.\r\nIn a campaign against South Korean diplomacy and security-related entities, Kimsuky impersonated a South Korean\r\ninstitution to engage in an email exchange, sending a malicious URL only if the recipient responded positively to the initial\r\nemail. Similarly, Lazarus was observed hosting a ZIP file containing a malicious document to bypass recent changes made\r\nby Microsoft for Office macros [23]. 
Also increasingly reported is the hosting of malicious Command and Control (C2)\r\non open-source hosting services such as DropBox, GitHub or Blogspot.\r\nOf particular interest, and documented as first seen in the wild in 2022 (although leveraged at least since October 2021 as\r\npart of Operation DreamJob), is Lazarus’ Bring Your Own Vulnerable Driver (BYOVD) technique to deploy\r\nBLINDINGCAN [24]. Lazarus was also observed leveraging CVE-2022-0609, a 0-day remote code execution vulnerability\r\nin the Google Chrome web browser, to target cryptocurrency and fintech entities through spearphishing, fake websites, or\r\ncompromised legitimate websites.\r\nThese TTPs are a sign of adaptability by North Korea-nexus Intrusion Sets, and SEKOIA.IO analysts assess this is almost\r\ncertainly a way to preserve their offensive capabilities.\r\nHousehold objects\r\nOver the course of this year, North Korea-nexus Intrusion Sets continuously dedicated efforts to update and / or renew\r\ntheir toolsets. Notable changes observed by SEKOIA.IO analysts include:\r\nLazarus’ recent development of KiTTY, a weaponized PuTTY fork, as part of its BLINDINGCAN infection chain\r\n[25].\r\nMagicRAT, a new C++ malware delivered after exploitation of publicly exposed VMware Horizon platforms [26].\r\nAs touched upon before, Kimsuky was observed leveraging new Android malware known as FastFire, FastViewer,\r\nand FastSpy. 
Another interesting tool is Sharpext, a malicious web browser extension used by Kimsuky\r\nas a post-exploitation tool since 2021 [27].\r\nIs there anybody out there?\r\nUs and them\r\nIn 2022, open-source reports mentioned overlaps between DPRK Intrusion Sets and cybercriminal groups, including:\r\nSuspected links between Lazarus and Wizard Spider\r\nBased on infrastructure links, security researchers initially assessed a potential connection between the Russia-based\r\ncybercriminal group Wizard Spider and Lazarus [28]. Based on the report documenting the Exotic Lily Initial Access Broker\r\n(IAB), SEKOIA.IO assess it is likely that Lazarus resorted to IAB services, including Exotic Lily’s, and entertains\r\nconnections with the cybercriminal ecosystem.\r\nConnections between Quantum Builder and Lazarus\r\nA report published in open sources in June 2022 mentioned a possible use of the .lnk builder Quantum Software / Quantum\r\nBuilder by Lazarus [29]. Upon script comparison, it was observed that the PowerShell script deobfuscation loop and\r\ninitialization of variables were similar. As Lazarus has increasingly resorted to .lnk files since the second half of 2020, SEKOIA\r\nanalysts assess it is plausible they use Quantum Builder as part of their toolset.\r\nConnections between DEV-0530 and Andariel\r\nTracked under the DEV-0530 alias, the cybercriminal group which developed the H0lyGh0st ransomware is assessed to be\r\noriginating from the DPRK [30]. Microsoft security researchers assess that DEV-0530 “has connections” with Andariel. This\r\nassessment is notably based on the observation of communication between DEV-0530 email accounts and Andariel\r\naccounts, infrastructure links, as well as DEV-0530’s use of tools exclusively used by Andariel. SEKOIA.IO analysts concur\r\nwith Microsoft’s hypothesis of moonlighting activities. 
It is likely that DEV-0530 is an offshoot of Andariel.\r\nWish you were here\r\nIn 2022, the DPRK cyber offensive strategy continued relying on the physical layer.\r\nIn April 2022, two South Korean individuals, the CEO of a virtual asset investment company and an active-duty officer,\r\nwere charged with violating the South Korean National Security Act for leaking military information to a suspected North\r\nKorean agent [32]. The operation reportedly involved a camera watch and a PoisonTap USB device [33] to infiltrate a South\r\nKorean military base and gain access to a military laptop between January and March 2022.\r\nIn May 2022, the U.S. Department of State issued an advisory alerting organisations against hiring North Korean IT\r\nworkers [34].\r\nThis highlights that North Korean intelligence operatives continue leveraging individuals, including insider threats, who will\r\nnotably assist in obtaining access to systems of interest. SEKOIA.IO assess that part of the stolen cryptocurrency plausibly\r\ncontributes to funding incentives for such operations. Furthermore, it is also possible that North Korean IT workers abroad\r\ncould leverage the acquired skills to carry out malicious campaigns in line with Pyongyang’s interests.\r\nThe Sanction bell\r\nIn 2022, DPRK-associated malicious cyber activities garnered increased attention, in a context of heightened tensions on\r\nthe Korean Peninsula.\r\nIn January, North Korea’s Internet was hit by two waves of Distributed Denial of Service (DDoS) attacks [35], which turned\r\nout to be a hack-back carried out by a hacker in retaliation for Lazarus’ DreamJob campaign [36].\r\nIn addition, nation-state political and economic measures were undertaken. SEKOIA.IO analysts notably observed a more\r\ncoordinated, time-constrained approach to the attribution process and efforts to hinder malicious cyber activities. 
U.S.\r\nagencies officially attributed the TraderTraitor campaign to Bluenoroff, the Maui ransomware to Andariel [37], and the\r\nRonin Network cryptocurrency theft to Lazarus.\r\nIn March 2022, the U.S. Department of the Treasury sanctioned Blender.io, a virtual currency mixer used by Lazarus to launder\r\nUSD 20.5 million (out of the USD 620 million stolen), on account of its financially supporting the DPRK [38]. In August 2022,\r\nthe U.S. also blacklisted Tornado Cash, a virtual currency mixer used by Lazarus to launder at least USD 7 billion worth of\r\nvirtual currency since its creation in 2019 [39]. This was followed by the arrest of a Tornado Cash developer in the\r\nNetherlands by the Fiscal Information and Investigation Service (FIOD) [40].\r\nAssessments\r\nBased on DPRK-nexus Intrusion Sets’ reported activities, SEKOIA.IO analysts assess the following:\r\nIt is almost certain financially motivated cyber campaigns will remain a high priority for Pyongyang. DPRK-nexus Intrusion Sets’ lucrative activities will continue in the short-to-medium term, with a consistent targeting of\r\ncryptocurrency and fintech-related entities and individuals. It is likely Lazarus and Bluenoroff will expand their\r\nvictimology to include countries inclined to legalise cryptocurrency and / or where cryptocurrency is legal\r\ntender (i.e., Ecuador, Central Africa, Salvador).\r\nIt is almost certain that military intelligence, strategic intelligence, and economic intelligence collection and\r\nsurveillance will remain strong drivers for DPRK-originating cyberespionage campaigns. 
This notably includes the\r\ncontinuation of the long-running DreamJob campaign.\r\nWhile ongoing sanction measures are likely to slow down DPRK Intrusion Sets’ activities in the short term,\r\nSEKOIA.IO analysts assess this is unlikely to disrupt malicious cyber campaigns orchestrated by Pyongyang.\r\nSEKOIA.IO will continue monitoring and tracking Intrusion Sets associated with the DPRK and welcomes any feedback and / or\r\nadditional input to further contribute to understanding and countering this threat.\r\nExternal References\r\n[1] [Nikkei] North Korea targeted IAEA in cyberattacks: draft U.N. report.\r\n[2] [Ahnlab] Attack on Word documents targeting companies specializing in carbon emissions.\r\n[3] [ESET] (Are you) afreight of the dark? Watch out for Vyveva, new Lazarus backdoor.\r\n[4] [Cluster25] The North Korean group “KONNI” targets the Russian diplomatic sector with new versions of malware\r\nimplants.\r\n[5] [Securelist] ScarCruft surveilling North Korean defectors and human rights activists.\r\n[6] [Stairwell] The ink-stained trail of GOLDBACKDOOR.\r\n[7] [ESET] I see what you did there: A look at the CloudMensis macOS spyware.\r\n[8] [Symantec] Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/stonefly-north-korea-espionage\r\n[9] [Talos] Lazarus and the tale of three RATs.\r\n[10] [Securelist] Andariel deploys DTrack and Maui ransomware.\r\n[11] [MalwareBytes] North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign.\r\n[12] [ESET] Lazarus attacks aerospace and defence contractors worldwide while misusing LinkedIn and WhatsApp.\r\n[13] [ESET] An instance of Operation In(ter)ception by Lazarus for Mac.\r\n[14] [Decrypt] Brazilian Lawmaker Aims to Make Bitcoin a Legal ‘Payment Currency’.\r\n[15] [Google TAG] Countering threats from North Korea.\r\n[16] [The Record] US agency attributes $540 million 
Ronin hack to North Korean APT group.\r\n[17] [Securelist] The BlueNoroff cryptocurrency hunt is still on.\r\n[18] [U.S. CISA] TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies.\r\n[19] [Securelist] Kimsuky’s GoldDragon cluster and its C2 operations.\r\n[20] [Ahnlab] Distribution of Kimsuky Group’s xRAT (Quasar RAT) Confirmed.\r\n[21] [S2W] Unveil the evolution of Kimsuky targeting Android devices with newly discovered mobile malware.\r\n[22] [Talos] North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets.\r\n[23] [MalwareBytes] Microsoft is now disabling Excel 4.0 macros by default.\r\n[24] [Ahnlab] A Case of Malware Infection by the Lazarus Attack Group Disabling Anti-Malware Programs With the\r\nBYOVD Technique.\r\n[25] [Microsoft] ZINC weaponizing open-source software.\r\n[26] [Talos] MagicRAT: Lazarus’ latest gateway into victim networks. (last accessed 16/12/2022)\r\n[27] [Volexity] SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT”.\r\n[28] [Prevailion] What Wicked Webs We Un-weave: https://www.prevailion.com/what-wicked-webs-we-unweave/ (last\r\naccessed 16/12/2022)\r\n[29] [Cyble] Quantum Software: LNK File-Based Builders Growing In Popularity.\r\n[30] [Microsoft] North Korean threat actor targets small and midsize businesses with H0lyGh0st ransomware.\r\n[31] [Reversing Labs] GwisinLocker ransomware targets South Korean industrial and pharma firms.\r\n[32] [YNA] Leaked military secrets by enlisting active duty officers…Cryptocurrency exchange representative arrested and\r\nindicted.\r\n[33] [Samy Kamkar] PoisonTap.\r\n[34] [U.S. Department of State] Guidance on the Democratic People’s Republic of Korea Information Technology Workers.\r\n[35] [Reuters] N.Korean internet downed by suspected cyber attacks -43.\r\n[36] [Wired] North Korea Hacked Him. So He Took Down Its Internet.\r\n[37] [U.S. 
CISA] North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public\r\nHealth Sector.\r\n[38] [U.S. Dept. of Treasury] U.S. Treasury Sanctions Notorious Virtual Currency Mixer Tornado Cash.\r\n[39] [FIOD] Arrest of suspected developer of Tornado Cash.\r\n[40] [NK News] Japan sanctions 5 North Korean companies, following US and South Korea’s lead.\r\nTDR is the Sekoia Threat Detection \u0026 Research team. Created in 2020, TDR provides exclusive Threat Intelligence,\r\nincluding fresh and contextualised IOCs and threat reports for the Sekoia SOC Platform. TDR is also responsible for\r\nproducing detection materials through a built-in Sigma, Sigma Correlation and Anomaly rules catalogue. TDR is a team of\r\nmultidisciplinary and passionate cybersecurity experts, including security researchers, detection engineers, reverse\r\nengineers, and technical and strategic threat intelligence analysts. Threat Intelligence analysts and researchers are looking at\r\nstate-sponsored \u0026 cybercrime threats from a strategic to a technical perspective to track, hunt and detect adversaries.\r\nDetection engineers focus on creating and maintaining high-quality detection rules to detect the TTPs most widely exploited\r\nby adversaries. TDR experts regularly share their analysis and discoveries with the community through our research blog,\r\nGitHub repository or X / Twitter account. 
You may also come across some of our analysts and experts at international\r\nconferences (such as BotConf, Virus Bulletin, CoRIIN and many others), where they present the results of their research\r\nwork and investigations.\r\nSource: https://blog.sekoia.io/the-dprk-delicate-sound-of-cyber/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.sekoia.io/the-dprk-delicate-sound-of-cyber/"
	],
	"report_names": [
		"the-dprk-delicate-sound-of-cyber"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4594f985-865e-4862-8047-2e80226e246a",
			"created_at": "2022-10-27T08:27:12.984825Z",
			"updated_at": "2026-04-10T02:00:05.293575Z",
			"deleted_at": null,
			"main_name": "EXOTIC LILY",
			"aliases": [
				"EXOTIC LILY"
			],
			"source_name": "MITRE:EXOTIC LILY",
			"tools": [
				"Bazar"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "40ec2da8-7156-4bff-b878-41984eb70df4",
			"created_at": "2024-02-02T02:00:04.080917Z",
			"updated_at": "2026-04-10T02:00:03.555365Z",
			"deleted_at": null,
			"main_name": "Storm-0530",
			"aliases": [
				"DEV-0530",
				"H0lyGh0st"
			],
			"source_name": "MISPGALAXY:Storm-0530",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0106b19a-ac99-4bc9-90b9-4647bfc5f3ce",
			"created_at": "2023-11-08T02:00:07.144995Z",
			"updated_at": "2026-04-10T02:00:03.425891Z",
			"deleted_at": null,
			"main_name": "TraderTraitor",
			"aliases": [
				"Pukchong",
				"Jade Sleet",
				"UNC4899"
			],
			"source_name": "MISPGALAXY:TraderTraitor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "56384d06-abc2-4853-8440-db4d7b7d1b5f",
			"created_at": "2023-01-06T13:46:39.367122Z",
			"updated_at": "2026-04-10T02:00:03.303733Z",
			"deleted_at": null,
			"main_name": "EXOTIC LILY",
			"aliases": [
				"DEV-0413"
			],
			"source_name": "MISPGALAXY:EXOTIC LILY",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dcbff54d-13ec-40b5-b3b9-b74a315669e1",
			"created_at": "2026-02-03T02:00:03.428641Z",
			"updated_at": "2026-04-10T02:00:03.937539Z",
			"deleted_at": null,
			"main_name": "UNC1069",
			"aliases": [
				"MASAN",
				"CryptoCore"
			],
			"source_name": "MISPGALAXY:UNC1069",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434199,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/267af4fb18a810acf2a7a7376bc2ad4fbbdd0372.pdf",
		"text": "https://archive.orkl.eu/267af4fb18a810acf2a7a7376bc2ad4fbbdd0372.txt",
		"img": "https://archive.orkl.eu/267af4fb18a810acf2a7a7376bc2ad4fbbdd0372.jpg"
	}
}