{ "id": "53e39629-9631-469a-95a6-23906ee207c9", "created_at": "2026-04-06T00:10:55.729861Z", "updated_at": "2026-04-10T03:38:19.745171Z", "deleted_at": null, "sha1_hash": "296690290086bf1651c74db8b1f2337bd39ecd3a", "title": "APT45: North Korea’s Digital Military Machine", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 988674, "plain_text": "APT45: North Korea’s Digital Military Machine\r\nBy Mandiant\r\nPublished: 2024-07-25 · Archived: 2026-04-05 14:04:08 UTC\r\nWritten by: Taylor Long, Jeff Johnson, Alice Revelli, Fred Plan, Michael Barnhart\r\nExecutive Summary\r\nAPT45 is a long-running, moderately sophisticated North Korean cyber operator that has carried out\r\nespionage campaigns as early as 2009.\r\nAPT45 has gradually expanded into financially-motivated operations, and the group’s suspected\r\ndevelopment and deployment of ransomware sets it apart from other North Korean operators. \r\nAPT45 and activity clusters suspected of being linked to the group are strongly associated with a distinct\r\ngenealogy of malware families separate from peer North Korean operators like TEMP.Hermit and APT43. \r\nAmong the groups assessed to operate from the Democratic People's Republic of Korea (DPRK), APT45\r\nhas been the most frequently observed targeting critical infrastructure.\r\nOverview\r\nMandiant assesses with high confidence that APT45 is a moderately sophisticated cyber operator that supports the\r\ninterests of the DPRK. Since at least 2009, APT45 has carried out a range of cyber operations aligned with the\r\nshifting geopolitical interests of the North Korean state. Although the group's earliest observed activities consisted\r\nof espionage campaigns against government agencies and defense industries, APT45 has expanded its remit to\r\nfinancially-motivated operations, including targeting of the financial vertical; we also assess with moderate\r\nconfidence that APT45 has engaged in the development of ransomware. Additionally, while multiple DPRK-nexus\r\ngroups focused on healthcare and pharmaceuticals during the initial stages of the COVID-19 pandemic, APT45\r\nhas continued to target this vertical longer than other groups, suggesting an ongoing mandate to collect related\r\ninformation. Separately, the group has conducted operations against nuclear-related entities, underscoring its role\r\nin supporting DPRK priorities.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine\r\nPage 1 of 8\n\nShifts in Targeting and Expanding Operations\r\nSimilar to other cyber threat activity attributed to North Korea-nexus groups, shifts in APT45 operations have\r\nreflected the DPRK's changing priorities. Malware samples indicate the group was active as early as 2009,\r\nalthough an observed focus on government agencies and the defense industry was observed beginning in 2017.\r\nIdentified activity in 2019 aligned with Pyongyang’s continued interest in nuclear issues and energy. Although it is\r\nnot clear if financially-motivated operations are a focus of APT45’s current mandate, the group is distinct from\r\nother North Korean operators in its suspected interest in ransomware. Given available information, it is possible\r\nthat APT45 is carrying out financially-motivated cybercrime not only in support of its own operations but to\r\ngenerate funds for other North Korean state priorities.\r\nFinancial Sector\r\nLike other North Korea-nexus actors, APT45 targeting includes the financial sector. In 2016, APT45 likely\r\nleveraged RIFLE to target a South Korean financial organization. Direct targeting continued through at least 2021\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine\r\nPage 2 of 8\n\nwhen the group was identified spear-phishing a South Asian bank. \r\nCritical Infrastructure\r\nIn 2019, APT45 directly targeted nuclear research facilities and nuclear power plants such as the Kudankulam\r\nNuclear Power Plant in India, marking one of the few publicly known instances of North Korean cyber operations\r\ntargeting critical infrastructure.\r\nIntellectual Property Theft to Address Domestic Deficiencies\r\nIn September 2020, APT45 targeted the crop science division of a multinational corporation, possibly due to the\r\nexacerbation of deteriorating agricultural production following the closure of border trade related to COVID-19\r\ncontagion fears. \r\nMultiple North Korea-nexus operators, including APT45, focused on the healthcare and pharmaceutical verticals\r\nduring a suspected COVID-19 outbreak in North Korea in 2021.\r\nActivity observed from APT45 indicating continued interest in health-related research in 2023 suggests the\r\ncontinued assignment of resources to related targeting.\r\nPotential Ransomware Use\r\nMandiant tracks several clusters of activity where we suspect, but cannot confirm APT45 attribution. Public\r\nreporting has claimed that these clusters have used ransomware, possibly to fund their operations or generate\r\nrevenue for the regime. While Mandiant cannot confirm this ransomware use by APT45, it is plausible as they\r\nhave employed diverse schemes to raise money.\r\nIn 2022, the U.S. Cybersecurity and Infrastructure Security Agency reported on North Korean state-sponsored actors' use of MAUI ransomware to target the healthcare and public health sectors.\r\nIn 2021, Kaspersky reported on the identification of ransomware tracked by Mandiant as\r\nSHATTEREDGLASS, which has been used by suspected APT45 clusters.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine\r\nPage 3 of 8\n\nFigure 1: Countries targeted by APT45\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine\r\nPage 4 of 8\n\nFigure 2: Industries targeted by APT45\r\nMalware\r\nAPT45 relies on a mix of publicly available tools such as 3PROXY, malware modified from publicly available\r\nmalware such as ROGUEEYE, and custom malware families. Like most groups of DPRK activity, APT45\r\nmalware exhibits distinct shared characteristics over time, including the re-use of code, unique custom encoding,\r\nand passwords. APT45 leverages a library of malware tools which are relatively distinct from other North Korean\r\nactivity clusters.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine\r\nPage 5 of 8\n\nFigure 3: APT45 Malware Overlap\r\nAttribution and Links to Other Tracked Operations\r\nMandiant assesses with high confidence that APT45 is a state-sponsored cyber operator conducting threat activity\r\nin support of the North Korean regime. We assess with moderate confidence that APT45 is attributable specifically\r\nto North Korea’s Reconnaissance General Bureau (RGB). \r\nActivity attributed to APT45 by Mandiant has been publicly reported as “Andariel”, \"Onyx Sleet\", “Stonefly”, and\r\n“Silent Chollima”. The group's activity is also frequently reported as linked to “Lazarus Group”.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine\r\nPage 6 of 8\n\nFigure 4: Assessed structure of DPRK cyber operations in 2024\r\nLooking Ahead\r\nAPT45 is one of North Korea’s longest running cyber operators, and the group’s activity mirrors the regime’s\r\ngeopolitical priorities even as operations have shifted from classic cyber espionage against government and\r\ndefense entities to include healthcare and crop science. Financially motivated activity occurring alongside\r\nintelligence collection has become a defining characteristic of North Korean cyber operations, and we expect\r\nAPT45 to continue both missions. As the country has become reliant on its cyber operations as an instrument of\r\nnational power, the operations carried out by APT45 and other North Korean cyber operators may reflect the\r\nchanging priorities of the country’s leadership.\r\nAcknowledgements\r\nSpecial thanks to Mandiant Advanced Practices, Mandiant FLARE, Mandiant Validation, and FBI Kansas City.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine\r\nPage 7 of 8\n\nTechnical Annex: Attack Lifecycle\r\nFigure 5: Attack Lifecycle\r\nPosted in\r\nThreat Intelligence\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine\r\nPage 8 of 8", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA", "Malpedia", "MISPGALAXY" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine" ], "report_names": [ "apt45-north-korea-digital-military-machine" ], "threat_actors": [ { "id": "838f6ced-12a4-4893-991a-36d231d96efd", "created_at": "2022-10-25T15:50:23.347455Z", "updated_at": "2026-04-10T02:00:05.295717Z", "deleted_at": null, "main_name": "Andariel", "aliases": [ "Andariel", "Silent Chollima", "PLUTONIUM", "Onyx Sleet" ], "source_name": "MITRE:Andariel", "tools": [ "Rifdoor", "gh0st RAT" ], "source_id": "MITRE", "reports": null }, { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "c306e698-3b48-46d7-b571-3dfa0c828379", "created_at": "2023-05-16T02:02:09.957677Z", "updated_at": "2026-04-10T02:00:03.364345Z", "deleted_at": null, "main_name": "APT43", "aliases": [], "source_name": "MISPGALAXY:APT43", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c1eadfd8-6e9c-4024-902d-555c9530fcea", "created_at": "2023-01-06T13:46:38.645834Z", "updated_at": "2026-04-10T02:00:03.04985Z", "deleted_at": null, "main_name": "TEMP.Hermit", "aliases": [], "source_name": "MISPGALAXY:TEMP.Hermit", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "110e7160-a8cc-4a66-8550-f19f7d418117", "created_at": "2023-01-06T13:46:38.427592Z", "updated_at": "2026-04-10T02:00:02.969896Z", "deleted_at": null, "main_name": "Silent Chollima", "aliases": [ "Onyx Sleet", "PLUTONIUM", "OperationTroy", "Guardian of Peace", "GOP", "WHOis Team", "Andariel", "Subgroup: Andariel" ], "source_name": "MISPGALAXY:Silent Chollima", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2", "created_at": "2022-10-25T15:50:23.280374Z", "updated_at": "2026-04-10T02:00:05.305572Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "Kimsuky", "Black Banshee", "Velvet Chollima", "Emerald Sleet", "THALLIUM", "APT43", "TA427", "Springtail" ], "source_name": "MITRE:Kimsuky", "tools": [ "Troll Stealer", "schtasks", "Amadey", "GoBear", "Brave Prince", "CSPY Downloader", "gh0st RAT", "AppleSeed", "Gomir", "NOKKI", "QuasarRAT", "Gold Dragon", "PsExec", "KGH_SPY", "Mimikatz", "BabyShark", "TRANSLATEXT" ], "source_id": "MITRE", "reports": null }, { "id": "88bd3777-de28-4ed2-a994-e38275333256", "created_at": "2024-07-28T02:00:04.697991Z", "updated_at": "2026-04-10T02:00:03.683368Z", "deleted_at": null, "main_name": "APT45", "aliases": [], "source_name": "MISPGALAXY:APT45", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bc6e3644-3249-44f3-a277-354b7966dd1b", "created_at": "2022-10-25T16:07:23.760559Z", "updated_at": "2026-04-10T02:00:04.741239Z", "deleted_at": null, "main_name": "Andariel", "aliases": [ "APT 45", "Andariel", "G0138", "Jumpy Pisces", "Onyx Sleet", "Operation BLACKMINE", "Operation BLACKSHEEP/Phase 3.", "Operation Blacksmith", "Operation DESERTWOLF/Phase 3", "Operation GHOSTRAT", "Operation GoldenAxe", "Operation INITROY/Phase 1", "Operation INITROY/Phase 2", "Operation Mayday", "Operation VANXATM", "Operation XEDA", "Plutonium", "Silent Chollima", "Stonefly" ], "source_name": "ETDA:Andariel", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "760f2827-1718-4eed-8234-4027c1346145", "created_at": "2023-01-06T13:46:38.670947Z", "updated_at": "2026-04-10T02:00:03.062424Z", "deleted_at": null, "main_name": "Kimsuky", "aliases": [ "G0086", "Emerald Sleet", "THALLIUM", "Springtail", "Sparkling Pisces", "Thallium", "Operation Stolen Pencil", "APT43", "Velvet Chollima", "Black Banshee" ], "source_name": "MISPGALAXY:Kimsuky", "tools": [ "xrat", "QUASARRAT", "RDP Wrapper", "TightVNC", "BabyShark", "RevClient" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d", "created_at": "2025-08-07T02:03:25.101147Z", "updated_at": "2026-04-10T02:00:03.846812Z", "deleted_at": null, "main_name": "NICKEL KIMBALL", "aliases": [ "APT43 ", "ARCHIPELAGO ", "Black Banshee ", "Crooked Pisces ", "Emerald Sleet ", "ITG16 ", "Kimsuky ", "Larva-24005 ", "Opal Sleet ", "Ruby Sleet ", "SharpTongue ", "Sparking Pisces ", "Springtail ", "TA406 ", "TA427 ", "THALLIUM ", "UAT-5394 ", "Velvet Chollima " ], "source_name": "Secureworks:NICKEL KIMBALL", "tools": [ "BabyShark", "FastFire", "FastSpy", "FireViewer", "Konni" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "771d9263-076e-4b6e-bd58-92b6555eb739", "created_at": "2025-08-07T02:03:25.092436Z", "updated_at": "2026-04-10T02:00:03.758541Z", "deleted_at": null, "main_name": "NICKEL HYATT", "aliases": [ "APT45 ", "Andariel", "Dark Seoul", "Jumpy Pisces ", "Onyx Sleet ", "RIFLE Campaign", "Silent Chollima ", "Stonefly ", "UN614 " ], "source_name": "Secureworks:NICKEL HYATT", "tools": [ "ActiveX 0-day", "DTrack", "HazyLoad", "HotCriossant", "Rifle", "UnitBot", "Valefor" ], "source_id": "Secureworks", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd", "created_at": "2022-10-25T16:07:23.766784Z", "updated_at": "2026-04-10T02:00:04.7432Z", "deleted_at": null, "main_name": "Bluenoroff", "aliases": [ "APT 38", "ATK 117", "Alluring Pisces", "Black Alicanto", "Bluenoroff", "CTG-6459", "Copernicium", "G0082", "Nickel Gladstone", "Sapphire Sleet", "Selective Pisces", "Stardust Chollima", "T-APT-15", "TA444", "TAG-71", "TEMP.Hermit" ], "source_name": "ETDA:Bluenoroff", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434255, "ts_updated_at": 1775792299, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/296690290086bf1651c74db8b1f2337bd39ecd3a.pdf", "text": "https://archive.orkl.eu/296690290086bf1651c74db8b1f2337bd39ecd3a.txt", "img": "https://archive.orkl.eu/296690290086bf1651c74db8b1f2337bd39ecd3a.jpg" } }