{ "id": "f8d884f5-c990-49fb-b0d2-f9e91da6110b", "created_at": "2026-04-06T00:06:43.707653Z", "updated_at": "2026-04-10T03:38:20.544203Z", "deleted_at": null, "sha1_hash": "298c700a4e701ed32c7cca5f4767c933c3fe9c07", "title": "Ghost RAT (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 172256, "plain_text": "Ghost RAT (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 21:45:22 UTC\r\nAccording to Security Ninja, Gh0st RAT (Remote Access Terminal) is a trojan “Remote Access Tool” used on\r\nWindows platforms, and has been used to hack into some of the most sensitive computer networks on Earth.\r\nBelow is a list of Gh0st RAT capabilities.\r\nTake full control of the remote screen on the infected bot.\r\nProvide real time as well as offline keystroke logging.\r\nProvide live feed of webcam, microphone of infected host.\r\nDownload remote binaries on the infected remote host.\r\nTake control of remote shutdown and reboot of host.\r\nDisable infected computer remote pointer and keyboard input.\r\nEnter into shell of remote infected host with full control.\r\nProvide a list of all the active processes.\r\nClear all existing SSDT of all existing hooks.\r\n2025-08-05 ⋅ Defentive ⋅ Defentive Threat Research\r\nLost in Translation: Threat Actors Use SEO Poisoning and Fake DeepL Sites to Distribute Gh0st RAT\r\nGhost RAT 2025-06-24 ⋅ Bridewell ⋅ Bridewell\r\n2025 Cyber Threat Intelligence Report\r\nAsyncRAT Brute Ratel C4 Cobalt Strike Fog Ghost RAT Lumma Stealer Meduza Stealer Quasar RAT RedLine\r\nStealer Sliver 2025-04-30 ⋅ ⋅ AhnLab ⋅ ASEC\r\n(Larva-25003) Web server target IIS malware dissemination case\r\nGhost RAT 2024-07-10 ⋅ Akamai ⋅ Allen West, Kyle Lefton, Sam Tinklenberg\r\nCVE-2024-4577 Exploits in the Wild One Day After Disclosure\r\nTsunami Ghost RAT xmrig 2024-05-23 ⋅ Palo Alto Networks Unit 42 ⋅ Daniel Frank, Lior Rochberger\r\nOperation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target\r\nGovernmental Entities in the Middle East, Africa and Asia\r\nAgent Racoon CHINACHOPPER Ghost RAT JuicyPotato MimiKatz Ntospy PlugX SweetSpecter TunnelSpecter\r\nCL-STA-0043 2023-05-03 ⋅ Sophos ⋅ Andrew Brandt, Gabor Szappanos, Xinran Wu\r\nA doubled “Dragon Breath” adds new air to DLL sideloading attacks\r\nGhost RAT DragonBreath 2023-04-24 ⋅ Cofense ⋅ Austin Jones\r\nOpen-Source Gh0st RAT Still Haunting Inboxes 15 Years After Release\r\nGhost RAT 2023-04-13 ⋅ Intel 471 ⋅ Jorge Rodriguez, Souhail Hammou\r\nFrom GhostNet to PseudoManuscrypt - The evolution of Gh0st RAT\r\nBBSRAT Gh0stTimes Ghost RAT PseudoManuscrypt 2022-09-15 ⋅ Symantec ⋅ Threat Hunter Team\r\nWebworm: Espionage Attackers Testing and Using Older Modified RATs\r\n9002 RAT Ghost RAT Trochilus RAT 2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat\r\nPage 1 of 5\n\nIron Taurus\r\nCHINACHOPPER Ghost RAT Wonknu ZXShell APT27 2022-05-23 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší\r\nOperation Earth Berberoka\r\nreptile oRAT Ghost RAT PlugX pupy Earth Berberoka 2022-04-27 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší\r\nNew APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware\r\nHelloBot AsyncRAT Ghost RAT HelloBot PlugX Quasar RAT Earth Berberoka 2022-04-27 ⋅ Trendmicro ⋅ Daniel\r\nLunghi, Jaromír Hořejší\r\nOperation Gambling Puppet\r\nreptile oRAT AsyncRAT Cobalt Strike DCRat Ghost RAT PlugX Quasar RAT Trochilus RAT Earth Berberoka\r\n2022-04-15 ⋅ Center for Internet Security ⋅ CIS\r\nTop 10 Malware March 2022\r\nMirai Shlayer Agent Tesla Ghost RAT Nanocore RAT SectopRAT solarmarker Zeus 2022-04-01 ⋅ The Hacker News ⋅\r\nRavie Lakshmanan\r\nChinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit\r\nFire Chili Ghost RAT 2022-03-30 ⋅ Fortinet ⋅ Eliran Voronovitch, Rotem Sde-Or\r\nNew Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits\r\nFire Chili Ghost RAT 2022-03-16 ⋅ AhnLab ⋅ ASEC Analysis Team\r\nGh0stCringe RAT Being Distributed to Vulnerable Database Servers\r\nGhost RAT Kingminer 2022-02-11 ⋅ Cisco Talos ⋅ Talos\r\nThreat Roundup for February 4 to February 11\r\nDarkComet Ghost RAT Loki Password Stealer (PWS) Tinba Tofsee Zeus 2021-12-14 ⋅ Trend Micro ⋅ Nick Dai, Ted Lee,\r\nVickie Su\r\nCollecting In the Dark: Tropic Trooper Targets Transportation and Government\r\nChiserClient Ghost RAT Lilith Quasar RAT xPack APT23 2021-10-05 ⋅ Blackberry ⋅ The BlackBerry Research \u0026\r\nIntelligence Team\r\nDrawing a Dragon: Connecting the Dots to Find APT41\r\nCobalt Strike Ghost RAT 2021-10-04 ⋅ JPCERT/CC ⋅ Shusei Tomonaga\r\nMalware Gh0stTimes Used by BlackTech\r\nGh0stTimes Ghost RAT 2021-05-05 ⋅ Zscaler ⋅ Aniruddha Dolas, Manohar Ghule, Mohd Sadique\r\nCatching RATs Over Custom Protocols Analysis of top non-HTTP/S threats\r\nAgent Tesla AsyncRAT Crimson RAT CyberGate Ghost RAT Nanocore RAT NetWire RC NjRAT Quasar RAT\r\nRemcos 2021-04-28 ⋅ Trend Micro ⋅ Jaromír Hořejší, Joseph C Chen\r\nWater Pamola Attacked Online Shops Via Malicious Orders\r\nGhost RAT 2021-04-02 ⋅ Dr.Web ⋅ Dr.Web\r\nStudy of targeted attacks on Russian research institutes\r\nCotx RAT Ghost RAT TA428 2021-02-22 ⋅ tccontre Blog ⋅ tcontre\r\nGh0stRat Anti-Debugging: Nested SEH (try - catch) to Decrypt and Load its Payload\r\nGhost RAT 2021-02-01 ⋅ ESET Research ⋅ Ignacio Sanmillan, Matthieu Faou\r\nOperation NightScout: Supply‑chain attack targets online gaming in Asia\r\nGhost RAT NoxPlayer Poison Ivy Red Dev 17 2021-01-15 ⋅ Swisscom ⋅ Markus Neis\r\nCracking a Soft Cell is Harder Than You Think\r\nGhost RAT MimiKatz PlugX Poison Ivy Trochilus RAT 2020-12-18 ⋅ Seqrite ⋅ Pavankumar Chaudhari\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat\r\nPage 2 of 5\n\nRAT used by Chinese cyberspies infiltrating Indian businesses\r\nGhost RAT 2020-12-10 ⋅ Intel 471 ⋅ Intel 471\r\nNo pandas, just people: The current state of China’s cybercrime underground\r\nAnubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT 2020-12-10 ⋅ US-CERT ⋅ FBI, MS-ISAC, US-CERT\r\nAlert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data\r\nPerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim\r\nREvil Ryuk Zeus 2020-10-27 ⋅ Dr.Web ⋅ Dr.Web\r\nStudy of the ShadowPad APT backdoor and its relation to PlugX\r\nGhost RAT PlugX ShadowPad 2020-07-28 ⋅ ⋅ NTT ⋅ NTT Security\r\nCraftyPanda 標的型攻撃解析レポート\r\nGhost RAT PlugX 2020-07-20 ⋅ Risky.biz ⋅ Daniel Gordon\r\nWhat even is Winnti?\r\nCCleaner Backdoor Ghost RAT PlugX ZXShell 2020-06-14 ⋅ BushidoToken ⋅ BushidoToken\r\nDeep-dive: The DarkHotel APT\r\nAsruex Ghost RAT Ramsay Retro Unidentified 076 (Higaisa LNK to Shellcode) 2020-06-05 ⋅ Prevailion ⋅ Danny\r\nAdamitis\r\nThe Gh0st Remains the Same\r\nGhost RAT 2020-06-04 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence\r\nCOVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group\r\nGhost RAT SongXY 2020-05-20 ⋅ Medium Asuna Amawaka ⋅ Asuna Amawaka\r\nWhat happened between the BigBadWolf and the Tiger?\r\nGhost RAT 2020-05-14 ⋅ Avast Decoded ⋅ Luigino Camastra\r\nAPT Group Planted Backdoors Targeting High Profile Networks in Central Asia\r\nBYEBY Ghost RAT Microcin MimiKatz Vicious Panda 2020-03-05 ⋅ SophosLabs ⋅ Sergei Shevchenko\r\nCloud Snooper Attack Bypasses AWS Security Measures\r\nCloud Snooper Ghost RAT 2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nBRONZE EDISON\r\nGhost RAT sykipot APT4 SAMURAI PANDA 2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nBRONZE FLEETWOOD\r\nBinanen Ghost RAT OrcaRAT APT5 2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nBRONZE GLOBE\r\nEtumBot Ghost RAT APT12 2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nBRONZE UNION\r\n9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell\r\nAPT27 2019-12-12 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center\r\nGALLIUM: Targeting global telecom\r\nCHINACHOPPER Ghost RAT HTran MimiKatz Poison Ivy GALLIUM 2019-11-19 ⋅ FireEye ⋅ Kelli Vanderlee, Nalani\r\nFraser\r\nAchievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions\r\nMESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT\r\nHIGHNOON HTran MimiKatz NetWire RC POISONPLUG Poison Ivy pupy Quasar RAT ZXShell 2019-11-04 ⋅ ⋅\r\nTencent ⋅ Tencent Security Mikan TIC\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat\r\nPage 3 of 5\n\nAPT attack group \"Higaisa\" attack activity disclosed\r\nGhost RAT Higaisa 2019-09-23 ⋅ MITRE ⋅ MITRE ATT\u0026CK\r\nAPT41\r\nDerusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire\r\nDownloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41 2019-09-17 ⋅ Talos ⋅ Christopher\r\nEvans, David Liebenberg\r\nCryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”\r\nGhost RAT 2019-04-25 ⋅ ⋅ DATANET ⋅ Kim Seon-ae\r\nChinese-based hackers attack domestic energy institutions\r\nCALMTHORN Ghost RAT 2019-02-27 ⋅ Secureworks ⋅ CTU Research Team\r\nA Peek into BRONZE UNION’s Toolbox\r\nGhost RAT HyperBro ZXShell 2019-01-07 ⋅ Intezer ⋅ Ignacio Sanmillan\r\nChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups\r\nGhost RAT 2018-09-19 ⋅ Möbius Strip Reverse Engineering ⋅ Rolf Rolles\r\nHex-Rays Microcode API vs. Obfuscating Compiler\r\nGhost RAT 2018-04-20 ⋅ NCC Group ⋅ Nikolaos Pantazopoulos\r\nDecoding network data from a Gh0st RAT variant\r\nGhost RAT APT27 2018-04-17 ⋅ NCC Group ⋅ Nikolaos Pantazopoulos\r\nDecoding network data from a Gh0st RAT variant\r\nGhost RAT APT27 2018-02-01 ⋅ Bitdefender ⋅ Bitdefender Team\r\nOperation PZCHAO Inside a highly specialized espionage infrastructure\r\nGhost RAT APT27 2018-01-04 ⋅ Malware Traffic Analysis ⋅ Brad Duncan\r\nMALSPAM PUSHING PCRAT/GH0ST\r\nGhost RAT 2017-12-19 ⋅ Proofpoint ⋅ Darien Huss\r\nNorth Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group\r\nGhost RAT 2017-12-19 ⋅ Proofpoint ⋅ Darien Huss\r\nNorth Korea Bitten by Bitcoin Bug\r\nQUICKCAFE PowerSpritz Ghost RAT PowerRatankba 2017-05-31 ⋅ MITRE ⋅ MITRE ATT\u0026CK\r\nPittyTiger\r\nEnfal Ghost RAT MimiKatz Poison Ivy APT24 2017-05-31 ⋅ MITRE ⋅ MITRE ATT\u0026CK\r\nAxiom\r\nDerusbi 9002 RAT BLACKCOFFEE Derusbi Ghost RAT HiKit PlugX ZXShell APT17 2017-05-31 ⋅ MITRE ⋅ MITRE\r\nAPT18\r\nGhost RAT HttpBrowser APT18 2017-02-25 ⋅ Financial Security Institute ⋅ Kyoung-Ju Kwak (郭炅周)\r\nSilent RIFLE: Response Against Advanced Threat\r\nGhost RAT 2016-04-22 ⋅ Cylance ⋅ Isaac Palmer\r\nThe Ghost Dragon\r\nGhost RAT 2012-01-01 ⋅ Norman ASA ⋅ Snorre Fagerland\r\nThe many faces of Gh0st Rat\r\nGhost RAT 2011-06-29 ⋅ Symantec ⋅ John McDonald\r\nInside a Back Door Attack\r\nGhost RAT Dust Storm 2009-03-28 ⋅ Infinitum Labs ⋅ Information Warfare Monitor\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat\r\nPage 4 of 5\n\nTracking GhostNet: Investigating a Cyber Espionage Network\r\nGhost RAT GhostNet\r\n[TLP:WHITE] win_ghost_rat_auto (20251219 | Detects win.ghost_rat.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat\r\nPage 5 of 5\n\nBBSRAT Gh0stTimes Webworm: Espionage Ghost RAT Attackers PseudoManuscrypt Testing and Using 2022-09-15 Older Modified ⋅ Symantec ⋅ Threat RATs Hunter Team\n9002 RAT Ghost RAT Trochilus RAT 2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42\n Page 1 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat" ], "report_names": [ "win.ghost_rat" ], "threat_actors": [ { "id": "1dadf04e-d725-426f-9f6c-08c5be7da159", "created_at": "2022-10-25T15:50:23.624538Z", "updated_at": "2026-04-10T02:00:05.286895Z", "deleted_at": null, "main_name": "Darkhotel", "aliases": [ "Darkhotel", "DUBNIUM", "Zigzag Hail" ], "source_name": "MITRE:Darkhotel", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "cea5ceec-0f14-4e34-bd0e-4074bc1a707d", "created_at": "2022-10-25T15:50:23.629983Z", "updated_at": "2026-04-10T02:00:05.362084Z", "deleted_at": null, "main_name": "Axiom", "aliases": [ "Group 72" ], "source_name": "MITRE:Axiom", "tools": [ "ZxShell", "gh0st RAT", "Zox", "PlugX", "Hikit", "PoisonIvy", "Derusbi", "Hydraq" ], "source_id": "MITRE", "reports": null }, { "id": "1b77c737-ab1f-45e9-ae50-996741d94ab2", "created_at": "2022-10-25T15:50:23.842907Z", "updated_at": "2026-04-10T02:00:05.401907Z", "deleted_at": null, "main_name": "PittyTiger", "aliases": [ "PittyTiger" ], "source_name": "MITRE:PittyTiger", "tools": [ "gh0st RAT", "Lurid", "gsecdump", "PoisonIvy", "Mimikatz" ], "source_id": "MITRE", "reports": null }, { "id": "2150d1ac-edf0-46d4-a78a-a8899e45b2b5", "created_at": "2022-10-25T15:50:23.269339Z", "updated_at": "2026-04-10T02:00:05.402835Z", "deleted_at": null, "main_name": "APT17", "aliases": [ "APT17", "Deputy Dog" ], "source_name": "MITRE:APT17", "tools": [ "BLACKCOFFEE" ], "source_id": "MITRE", "reports": null }, { "id": "536ca49a-2666-4005-8a50-e552fc7e16ef", "created_at": "2023-11-21T02:00:07.375813Z", "updated_at": "2026-04-10T02:00:03.471967Z", "deleted_at": null, "main_name": "Webworm", "aliases": [ "Space Pirates" ], "source_name": "MISPGALAXY:Webworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "068b67c8-604c-4272-b808-350413fa9ee3", "created_at": "2022-10-25T16:07:23.975708Z", "updated_at": "2026-04-10T02:00:04.816253Z", "deleted_at": null, "main_name": "Operation NightScout", "aliases": [], "source_name": "ETDA:Operation NightScout", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "3cc6c262-df23-4075-a93f-b496e8908eb2", "created_at": "2022-10-25T16:07:23.682239Z", "updated_at": "2026-04-10T02:00:04.708878Z", "deleted_at": null, "main_name": "GhostNet", "aliases": [ "GhostNet", "Snooping Dragon" ], "source_name": "ETDA:GhostNet", "tools": [ "AngryRebel", "Farfli", "Gh0st RAT", "Gh0stnet", "Ghost RAT", "Ghostnet", "Moudour", "Mydoor", "PCRat", "Remosh", "TOM-Skype" ], "source_id": "ETDA", "reports": null }, { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c8aefee7-fb57-409b-857e-23e986cb4a56", "created_at": "2023-01-06T13:46:38.285223Z", "updated_at": "2026-04-10T02:00:02.910756Z", "deleted_at": null, "main_name": "APT18", "aliases": [ "SCANDIUM", "PLA Navy", "Wekby", "G0026", "Satin Typhoon", "DYNAMITE PANDA", "TG-0416" ], "source_name": "MISPGALAXY:APT18", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6241b9be-9c59-4164-a7f2-c45844b14a56", "created_at": "2023-01-06T13:46:38.321506Z", "updated_at": "2026-04-10T02:00:02.926657Z", "deleted_at": null, "main_name": "APT24", "aliases": [ "PITTY PANDA", "G0011", "Temp.Pittytiger" ], "source_name": "MISPGALAXY:APT24", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ffc66b49-9396-46af-966f-9376c4315f32", "created_at": "2023-11-21T02:00:07.339061Z", "updated_at": "2026-04-10T02:00:03.462317Z", "deleted_at": null, "main_name": "CL-STA-0043", "aliases": [ "TGR-STA-0043" ], "source_name": "MISPGALAXY:CL-STA-0043", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "4fda88fa-7c1f-4e84-b3c8-56f73f21aaf5", "created_at": "2022-10-25T16:07:24.147011Z", "updated_at": "2026-04-10T02:00:04.881289Z", "deleted_at": null, "main_name": "Samurai Panda", "aliases": [], "source_name": "ETDA:Samurai Panda", "tools": [ "Agent.dhwf", "Destroy RAT", "DestroyRAT", "FF-RAT", "FormerFirstRAT", "Getkys", "IsSpace", "KABOB", "Kaba", "Korplug", "NfLog RAT", "PlugX", "Poldat", "RedDelta", "Sogu", "Sykipot", "TIGERPLUG", "TVT", "Thoper", "Wkysol", "Xamtrav", "Zlib", "ffrat" ], "source_id": "ETDA", "reports": null }, { "id": "e91dae30-a513-4fb1-aace-4457466313b3", "created_at": "2023-01-06T13:46:38.974913Z", "updated_at": "2026-04-10T02:00:03.168521Z", "deleted_at": null, "main_name": "GhostNet", "aliases": [ "Snooping Dragon" ], "source_name": "MISPGALAXY:GhostNet", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2669aa86-663f-4e72-9362-9e61ff3599f4", "created_at": "2022-10-25T15:50:23.344796Z", "updated_at": "2026-04-10T02:00:05.38663Z", "deleted_at": null, "main_name": "APT18", "aliases": [ "APT18", "TG-0416", "Dynamite Panda", "Threat Group-0416" ], "source_name": "MITRE:APT18", "tools": [ "hcdLoader", "gh0st RAT", "cmd", "Pisloader", "HTTPBrowser" ], "source_id": "MITRE", "reports": null }, { "id": "13bedce4-3115-4563-afd5-068e3930e68e", "created_at": "2023-01-06T13:46:38.623775Z", "updated_at": "2026-04-10T02:00:03.042652Z", "deleted_at": null, "main_name": "APT5", "aliases": [ "KEYHOLE PANDA", "BRONZE FLEETWOOD", "TEMP.Bottle", "Mulberry Typhoon", "Poisoned Flight" ], "source_name": "MISPGALAXY:APT5", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "873919c0-bc6a-4c19-b18d-c107e4aa3d20", "created_at": "2023-01-06T13:46:39.138138Z", "updated_at": "2026-04-10T02:00:03.227223Z", "deleted_at": null, "main_name": "Higaisa", "aliases": [], "source_name": "MISPGALAXY:Higaisa", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "efa7c047-b61c-4598-96d5-e00d01dec96b", "created_at": "2022-10-25T16:07:23.404442Z", "updated_at": "2026-04-10T02:00:04.584239Z", "deleted_at": null, "main_name": "BlackTech", "aliases": [ "BlackTech", "Canary Typhoon", "Circuit Panda", "Earth Hundun", "G0098", "Manga Taurus", "Operation PLEAD", "Operation Shrouded Crossbow", "Operation Waterbear", "Palmerworm", "Radio Panda", "Red Djinn", "T-APT-03", "TEMP.Overboard" ], "source_name": "ETDA:BlackTech", "tools": [ "BIFROST", "BUSYICE", "BendyBear", "Bluether", "CAPGELD", "DRIGO", "Deuterbear", "Flagpro", "GOODTIMES", "Gh0stTimes", "IconDown", "KIVARS", "LOLBAS", "LOLBins", "Linopid", "Living off the Land", "TSCookie", "Waterbear", "XBOW", "elf.bifrose" ], "source_id": "ETDA", "reports": null }, { "id": "2646f776-792a-4498-967b-ec0d3498fdf1", "created_at": "2022-10-25T15:50:23.475784Z", "updated_at": "2026-04-10T02:00:05.269591Z", "deleted_at": null, "main_name": "BlackTech", "aliases": [ "BlackTech", "Palmerworm" ], "source_name": "MITRE:BlackTech", "tools": [ "Kivars", "PsExec", "TSCookie", "Flagpro", "Waterbear" ], "source_id": "MITRE", "reports": null }, { "id": "f5c5d5d4-3969-4e34-9982-55144c3908eb", "created_at": "2022-10-25T16:07:24.37846Z", "updated_at": "2026-04-10T02:00:04.965506Z", "deleted_at": null, "main_name": "Vicious Panda", "aliases": [ "Bronze Dudley" ], "source_name": "ETDA:Vicious Panda", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "BBSRAT", "Byeby", "Cmstar", "Enfal", "Lurid", "Pylot", "RoyalRoad", "Travle", "meciv" ], "source_id": "ETDA", "reports": null }, { "id": "08472d2c-8fbc-4705-ad7a-eb618557cbd2", "created_at": "2023-01-06T13:46:38.23674Z", "updated_at": "2026-04-10T02:00:02.889753Z", "deleted_at": null, "main_name": "Dust Storm", "aliases": [ "G0031" ], "source_name": "MISPGALAXY:Dust Storm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7bf3ffe5-09ba-4378-8ea4-a6d748a494fd", "created_at": "2022-10-25T15:50:23.264584Z", "updated_at": "2026-04-10T02:00:05.334294Z", "deleted_at": null, "main_name": "GALLIUM", "aliases": [ "GALLIUM", "Granite Typhoon" ], "source_name": "MITRE:GALLIUM", "tools": [ "ipconfig", "cmd", "China Chopper", "PoisonIvy", "at", "PlugX", "PingPull", "BlackMould", "Mimikatz", "PsExec", "HTRAN", "NBTscan", "Windows Credential Editor" ], "source_id": "MITRE", "reports": null }, { "id": "64ca1755-3883-4173-8e0a-6e5cf92faafd", "created_at": "2022-10-25T15:50:23.636456Z", "updated_at": "2026-04-10T02:00:05.389234Z", "deleted_at": null, "main_name": "Deep Panda", "aliases": [ "Deep Panda", "Shell Crew", "KungFu Kittens", "PinkPanther", "Black Vine" ], "source_name": "MITRE:Deep Panda", "tools": [ "Mivast", "StreamEx", "Sakula", "Tasklist", "Derusbi" ], "source_id": "MITRE", "reports": null }, { "id": "b5550c4e-943a-45ea-bf67-875b989ee4c4", "created_at": "2022-10-25T16:07:23.675771Z", "updated_at": "2026-04-10T02:00:04.707782Z", "deleted_at": null, "main_name": "Gelsemium", "aliases": [ "Operation NightScout", "Operation TooHash" ], "source_name": "ETDA:Gelsemium", "tools": [ "ASPXSpy", "ASPXTool", "Agentemis", "BadPotato", "CHINACHOPPER", "China Chopper", "Chrommme", "Cobalt Strike", "CobaltStrike", "FireWood", "Gelsemine", "Gelsenicine", "Gelsevirine", "JuicyPotato", "OwlProxy", "Owowa", "SAMRID", "SessionManager", "SinoChopper", "SpoolFool", "SweetPotato", "WolfsBane", "cobeacon", "reGeorg" ], "source_id": "ETDA", "reports": null }, { "id": "452d2d74-e812-45d6-b0fe-b8a6cc4ebd01", "created_at": "2022-10-25T16:07:23.562676Z", "updated_at": "2026-04-10T02:00:04.662064Z", "deleted_at": null, "main_name": "Earth Berberoka", "aliases": [ "GamblingPuppet" ], "source_name": "ETDA:Earth Berberoka", "tools": [ "Agent.dhwf", "AngryRebel", "AsyncRAT", "CinaRAT", "Destroy RAT", "DestroyRAT", "Farfli", "Gh0st RAT", "Ghost RAT", "Kaba", "Korplug", "Moudour", "Mydoor", "PCRat", "PlugX", "PuppetLoader", "Quasar RAT", "QuasarRAT", "RedDelta", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trochilus RAT", "Xamtrav", "Yggdrasil", "oRAT" ], "source_id": "ETDA", "reports": null }, { "id": "2f07a03f-eb1f-47c8-a8e9-a1a00f2ec253", "created_at": "2022-10-25T16:07:24.277669Z", "updated_at": "2026-04-10T02:00:04.919609Z", "deleted_at": null, "main_name": "TA428", "aliases": [ "Operation LagTime IT", "Operation StealthyTrident", "ThunderCats" ], "source_name": "ETDA:TA428", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "Agent.dhwf", "Albaniiutas", "BlueTraveller", "Chymine", "Cotx RAT", "CoughingDown", "Darkmoon", "Destroy RAT", "DestroyRAT", "Gen:Trojan.Heur.PT", "Kaba", "Korplug", "LuckyBack", "PhantomNet", "PlugX", "Poison Ivy", "RedDelta", "RoyalRoad", "SManager", "SPIVY", "Sogu", "TIGERPLUG", "TManger", "TVT", "Thoper", "Xamtrav", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "b13c19d6-247d-47ba-86ba-15a94accc179", "created_at": "2024-05-01T02:03:08.149923Z", "updated_at": "2026-04-10T02:00:03.763147Z", "deleted_at": null, "main_name": "TUNGSTEN BRIDGE", "aliases": [ "APT-C-06 ", "ATK52 ", "CTG-1948 ", "DUBNIUM ", "DarkHotel ", "Fallout Team ", "Shadow Crane ", "Zigzag Hail " ], "source_name": "Secureworks:TUNGSTEN BRIDGE", "tools": [ "Nemim", "Tapaoux" ], "source_id": "Secureworks", "reports": null }, { "id": "0639667a-fb3f-43d9-a38c-6c123fd19c7f", "created_at": "2022-10-25T16:07:23.335869Z", "updated_at": "2026-04-10T02:00:04.547702Z", "deleted_at": null, "main_name": "APT 19", "aliases": [ "APT 19", "Bronze Firestone", "C0d0so0", "Checkered Typhoon", "Codoso", "Deep Panda", "G0009", "G0073", "Operation Kingslayer", "Red Pegasus", "Sunshop Group", "TG-3551" ], "source_name": "ETDA:APT 19", "tools": [ "Agentemis", "C0d0so0", "Cobalt Strike", "CobaltStrike", "Derusbi", "EmPyre", "EmpireProject", "Fire Chili", "PowerShell Empire", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c", "created_at": "2022-10-25T15:50:23.819113Z", "updated_at": "2026-04-10T02:00:05.354598Z", "deleted_at": null, "main_name": "Threat Group-3390", "aliases": [ "Threat Group-3390", "Earth Smilodon", "TG-3390", "Emissary Panda", "BRONZE UNION", "APT27", "Iron Tiger", "LuckyMouse", "Linen Typhoon" ], "source_name": "MITRE:Threat Group-3390", "tools": [ "Systeminfo", "gsecdump", "PlugX", "ASPXSpy", "Cobalt Strike", "Mimikatz", "Impacket", "gh0st RAT", "certutil", "China Chopper", "HTTPBrowser", "Tasklist", "netstat", "SysUpdate", "HyperBro", "ZxShell", "RCSession", "ipconfig", "Clambling", "pwdump", "NBTscan", "Pandora", "Windows Credential Editor" ], "source_id": "MITRE", "reports": null }, { "id": "c5f79f58-db78-4cd7-88cf-c029a2199360", "created_at": "2022-10-25T16:07:23.325227Z", "updated_at": "2026-04-10T02:00:04.542909Z", "deleted_at": null, "main_name": "APT 12", "aliases": [ "APT 12", "BeeBus", "Bronze Globe", "CTG-8223", "Calc Team", "Crimson Iron", "DNSCalc", "DynCALC", "G0005", "Group 22", "Hexagon Typhoon", "Numbered Panda" ], "source_name": "ETDA:APT 12", "tools": [ "AUMLIB", "ETUMBOT", "Exploz", "Graftor", "HIGHTIDE", "IHEATE", "IXESHE", "RIPTIDE", "RapidStealer", "Specfix", "THREEBYTE", "bbsinfo", "mswab", "yayih" ], "source_id": "ETDA", "reports": null }, { "id": "68cc6e37-f16d-4995-a75b-5e8e2a6cbb3d", "created_at": "2024-05-01T02:03:07.943593Z", "updated_at": "2026-04-10T02:00:03.795229Z", "deleted_at": null, "main_name": "BRONZE EDISON", "aliases": [ "APT4 ", "DarkSeoul", "Maverick Panda ", "Salmon Typhoon ", "Sodium ", "Sykipot ", "TG-0623 ", "getkys" ], "source_name": "Secureworks:BRONZE EDISON", "tools": [ "Gh0st RAT", "Wkysol", "ZxPortMap" ], "source_id": "Secureworks", "reports": null }, { "id": "e6c64ba5-12e1-4f04-97d5-077d83da95e1", "created_at": "2024-10-08T02:00:04.466964Z", "updated_at": "2026-04-10T02:00:03.724238Z", "deleted_at": null, "main_name": "SongXY", "aliases": [], "source_name": "MISPGALAXY:SongXY", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "30c9c492-afc6-4aa1-8fe6-cecffed946e0", "created_at": "2022-10-25T15:50:23.400822Z", "updated_at": "2026-04-10T02:00:05.350302Z", "deleted_at": null, "main_name": "Higaisa", "aliases": [ "Higaisa" ], "source_name": "MITRE:Higaisa", "tools": [ "PlugX", "certutil", "gh0st RAT" ], "source_id": "MITRE", "reports": null }, { "id": "2ac8fb39-1ad4-407c-bf51-249751a575ba", "created_at": "2023-01-06T13:46:38.337728Z", "updated_at": "2026-04-10T02:00:02.933527Z", "deleted_at": null, "main_name": "SAMURAI PANDA", "aliases": [ "PLA Navy", "Wisp Team" ], "source_name": "MISPGALAXY:SAMURAI PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc", "created_at": "2023-01-06T13:46:38.354607Z", "updated_at": "2026-04-10T02:00:02.939761Z", "deleted_at": null, "main_name": "APT23", "aliases": [ "BRONZE HOBART", "G0081", "Red Orthrus", "Earth Centaur", "PIRATE PANDA", "KeyBoy", "Tropic Trooper" ], "source_name": "MISPGALAXY:APT23", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2b4eec94-7672-4bee-acb2-b857d0d26d12", "created_at": "2023-01-06T13:46:38.272109Z", "updated_at": "2026-04-10T02:00:02.906089Z", "deleted_at": null, "main_name": "DarkHotel", "aliases": [ "T-APT-02", "Nemim", "Nemin", "Shadow Crane", "G0012", "DUBNIUM", "Karba", "APT-C-06", "SIG25", "TUNGSTEN BRIDGE", "Zigzag Hail", "Fallout Team", "Luder", "Tapaoux", "ATK52" ], "source_name": "MISPGALAXY:DarkHotel", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d18fe42c-8407-4f96-aee0-a04e6dce219a", "created_at": "2023-01-06T13:46:38.275292Z", "updated_at": "2026-04-10T02:00:02.907303Z", "deleted_at": null, "main_name": "APT12", "aliases": [ "Group 22", "Calc Team", "DNSCalc", "IXESHE", "Hexagon Typhoon", "BeeBus", "DynCalc", "Crimson Iron", "BRONZE GLOBE", "NUMBERED PANDA", "TG-2754" ], "source_name": "MISPGALAXY:APT12", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d4ac28d1-66eb-4f2d-9f9b-a72394349fd0", "created_at": "2023-01-06T13:46:38.667954Z", "updated_at": "2026-04-10T02:00:03.061447Z", "deleted_at": null, "main_name": "APT4", "aliases": [ "PLA Navy", "MAVERICK PANDA", "BRONZE EDISON", "SODIUM", "Salmon Typhoon" ], "source_name": "MISPGALAXY:APT4", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6d69ef1b-b6f3-47e1-be5a-87ac0fd5ff55", "created_at": "2024-04-24T02:00:49.599348Z", "updated_at": "2026-04-10T02:00:05.303948Z", "deleted_at": null, "main_name": "APT5", "aliases": [ "APT5", "Mulberry Typhoon", "BRONZE FLEETWOOD", "Keyhole Panda", "UNC2630" ], "source_name": "MITRE:APT5", "tools": [ "Tasklist", "PoisonIvy", "RAPIDPULSE", "PcShare", "Mimikatz", "SLOWPULSE", "SLIGHTPULSE", "Skeleton Key", "gh0st RAT", "PULSECHECK", "netstat" ], "source_id": "MITRE", "reports": null }, { "id": "bef7800a-a08f-4e21-b65c-4279c851e572", "created_at": "2022-10-25T15:50:23.409336Z", "updated_at": "2026-04-10T02:00:05.319608Z", "deleted_at": null, "main_name": "Tropic Trooper", "aliases": [ "Tropic Trooper", "Pirate Panda", "KeyBoy" ], "source_name": "MITRE:Tropic Trooper", "tools": [ "USBferry", "ShadowPad", "PoisonIvy", "BITSAdmin", "YAHOYAH", "KeyBoy" ], "source_id": "MITRE", "reports": null }, { "id": "c0cedde3-5a9b-430f-9b77-e6568307205e", "created_at": "2022-10-25T16:07:23.528994Z", "updated_at": "2026-04-10T02:00:04.642473Z", "deleted_at": null, "main_name": "DarkHotel", "aliases": [ "APT-C-06", "ATK 52", "CTG-1948", "Dubnium", "Fallout Team", "G0012", "G0126", "Higaisa", "Luder", "Operation DarkHotel", "Operation Daybreak", "Operation Inexsmar", "Operation PowerFall", "Operation The Gh0st Remains the Same", "Purple Pygmy", "SIG25", "Shadow Crane", "T-APT-02", "TieOnJoe", "Tungsten Bridge", "Zigzag Hail" ], "source_name": "ETDA:DarkHotel", "tools": [ "Asruex", "DarkHotel", "DmaUp3.exe", "GreezeBackdoor", "Karba", "Nemain", "Nemim", "Ramsay", "Retro", "Tapaoux", "Trojan.Win32.Karba.e", "Virus.Win32.Pioneer.dx", "igfxext.exe", "msieckc.exe" ], "source_id": "ETDA", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a7aefdda-98f1-4790-a32d-14cc99de2d60", "created_at": "2023-01-06T13:46:38.281844Z", "updated_at": "2026-04-10T02:00:02.909711Z", "deleted_at": null, "main_name": "APT17", "aliases": [ "BRONZE KEYSTONE", "G0025", "Group 72", "G0001", "HELIUM", "Heart Typhoon", "Group 8", "AURORA PANDA", "Hidden Lynx", "Tailgater Team" ], "source_name": "MISPGALAXY:APT17", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "37941e7c-1966-4afa-b116-753e19e72808", "created_at": "2022-10-25T16:07:23.321195Z", "updated_at": "2026-04-10T02:00:04.540299Z", "deleted_at": null, "main_name": "APT 5", "aliases": [ "APT 5", "Bronze Fleetwood", "Keyhole Panda", "Mulberry Typhoon", "Poisoned Flight", "TEMP.Bottle", "TG-2754" ], "source_name": "ETDA:APT 5", "tools": [ "LEOUNCIA", "shoco" ], "source_id": "ETDA", "reports": null }, { "id": "e698860d-57e8-4780-b7c3-41e5a8314ec0", "created_at": "2022-10-25T15:50:23.287929Z", "updated_at": "2026-04-10T02:00:05.329769Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "APT41", "Wicked Panda", "Brass Typhoon", "BARIUM" ], "source_name": "MITRE:APT41", "tools": [ "ASPXSpy", "BITSAdmin", "PlugX", "Impacket", "gh0st RAT", "netstat", "PowerSploit", "ZxShell", "KEYPLUG", "LightSpy", "ipconfig", "sqlmap", "China Chopper", "ShadowPad", "MESSAGETAP", "Mimikatz", "certutil", "njRAT", "Cobalt Strike", "pwdump", "BLACKCOFFEE", "MOPSLED", "ROCKBOOT", "dsquery", "Winnti for Linux", "DUSTTRAP", "Derusbi", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "6fbff48b-7a3e-4e54-ac22-b10f11e32337", "created_at": "2022-10-25T16:07:23.318008Z", "updated_at": "2026-04-10T02:00:04.539063Z", "deleted_at": null, "main_name": "APT 4", "aliases": [ "APT 4", "Bronze Edison", "Maverick Panda", "Salmon Typhoo", "Sodium", "Sykipot", "TG-0623", "Wisp Team" ], "source_name": "ETDA:APT 4", "tools": [ "Getkys", "Sykipot", "Wkysol", "XMRig" ], "source_id": "ETDA", "reports": null }, { "id": "46a151bd-e4c2-46f9-aee9-ee6942b01098", "created_at": "2023-01-06T13:46:38.288168Z", "updated_at": "2026-04-10T02:00:02.911919Z", "deleted_at": null, "main_name": "APT19", "aliases": [ "DEEP PANDA", "Codoso", "KungFu Kittens", "Group 13", "G0009", "G0073", "Checkered Typhoon", "Black Vine", "TEMP.Avengers", "PinkPanther", "Shell Crew", "BRONZE FIRESTONE", "Sunshop Group" ], "source_name": "MISPGALAXY:APT19", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6e79c98d-c678-4f28-b869-5723a78e71f4", "created_at": "2023-01-06T13:46:39.422441Z", "updated_at": "2026-04-10T02:00:03.322083Z", "deleted_at": null, "main_name": "Vicious Panda", "aliases": [ "SixLittleMonkeys" ], "source_name": "MISPGALAXY:Vicious Panda", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "75024aad-424b-449a-b286-352fe9226bcb", "created_at": "2023-01-06T13:46:38.962724Z", "updated_at": "2026-04-10T02:00:03.164536Z", "deleted_at": null, "main_name": "BlackTech", "aliases": [ "CIRCUIT PANDA", "Temp.Overboard", "Palmerworm", "G0098", "T-APT-03", "Manga Taurus", "Earth Hundun", "Mobwork", "HUAPI", "Red Djinn", "Canary Typhoon" ], "source_name": "MISPGALAXY:BlackTech", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c2ef6b18-12c4-4879-a408-be4c9b03eb6e", "created_at": "2022-10-25T16:07:24.055115Z", "updated_at": "2026-04-10T02:00:04.852387Z", "deleted_at": null, "main_name": "PittyTiger", "aliases": [ "G0011", "Operation The Eye of the Tiger", "Pitty Panda", "PittyTiger" ], "source_name": "ETDA:PittyTiger", "tools": [ "AngryRebel", "Chymine", "Darkmoon", "Enfal", "Farfli", "Gen:Trojan.Heur.PT", "Gh0st RAT", "Ghost RAT", "Leo RAT", "Lurid", "Mimikatz", "Moudour", "Mydoor", "PCRat", "Paladin", "Paladin RAT", "Pitty", "PittyTiger RAT", "Poison Ivy", "ReRol", "SPIVY", "gsecdump", "pgift", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b", "created_at": "2025-08-07T02:03:24.569066Z", "updated_at": "2026-04-10T02:00:03.730864Z", "deleted_at": null, "main_name": "BRONZE CANAL", "aliases": [ "BlackTech", "CTG-6177 ", "Circuit Panda ", "Earth Hundun", "Palmerworm ", "Red Djinn", "Shrouded Crossbow " ], "source_name": "Secureworks:BRONZE CANAL", "tools": [ "Bifrose", "DRIGO", "Deuterbear", "Flagpro", "Gh0stTimes", "KIVARS", "PLEAD", "Spiderpig", "Waterbear", "XBOW" ], "source_id": "Secureworks", "reports": null }, { "id": "20b5fa2f-2ef1-4e69-8275-25927a762f72", "created_at": "2025-08-07T02:03:24.573647Z", "updated_at": "2026-04-10T02:00:03.765721Z", "deleted_at": null, "main_name": "BRONZE DUDLEY", "aliases": [ "TA428 ", "Temp.Hex ", "Vicious Panda " ], "source_name": "Secureworks:BRONZE DUDLEY", "tools": [ "NCCTrojan", "PhantomNet", "PoisonIvy", "Royal Road" ], "source_id": "Secureworks", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def", "created_at": "2025-08-07T02:03:24.626625Z", "updated_at": "2026-04-10T02:00:03.605175Z", "deleted_at": null, "main_name": "BRONZE KEYSTONE", "aliases": [ "APT17 ", "Aurora Panda ", "DeputyDog ", "Group 72 ", "Hidden Lynx ", "TG-8153 ", "Tailgater Team" ], "source_name": "Secureworks:BRONZE KEYSTONE", "tools": [ "9002", "BlackCoffee", "DeputyDog", "Derusbi", "Gh0stHTTPSDropper", "HiKit", "InternalCMD", "PlugX", "PoisonIvy", "ZxShell" ], "source_id": "Secureworks", "reports": null }, { "id": "593dd07d-853c-46cd-8117-e24061034bbf", "created_at": "2025-08-07T02:03:24.648074Z", "updated_at": "2026-04-10T02:00:03.625859Z", "deleted_at": null, "main_name": "BRONZE OVERBROOK", "aliases": [ "Danti ", "DragonOK ", "Samurai Panda ", "Shallow Taurus ", "Temp.DragonOK " ], "source_name": "Secureworks:BRONZE OVERBROOK", "tools": [ "Aveo", "DDKONG", "Godzilla Webshell", "HelloBridge", "IsSpace", "NFLog Trojan", "PLAINTEE", "PlugX", "Rambo" ], "source_id": "Secureworks", "reports": null }, { "id": "c63ab035-f9f2-4723-959b-97a7b98b5942", "created_at": "2023-01-06T13:46:38.298354Z", "updated_at": "2026-04-10T02:00:02.917311Z", "deleted_at": null, "main_name": "APT27", "aliases": [ "BRONZE UNION", "Circle Typhoon", "Linen Typhoon", "TEMP.Hippo", "Budworm", "Lucky Mouse", "G0027", "GreedyTaotie", "Red Phoenix", "Iron Tiger", "Iron Taurus", "Earth Smilodon", "TG-3390", "EMISSARY PANDA", "Group 35", "ZipToken" ], "source_name": "MISPGALAXY:APT27", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "578f8e62-2bb4-4ce4-a8b7-6c868fa29724", "created_at": "2022-10-25T16:07:24.344358Z", "updated_at": "2026-04-10T02:00:04.947834Z", "deleted_at": null, "main_name": "Tropic Trooper", "aliases": [ "APT 23", "Bronze Hobart", "Earth Centaur", "G0081", "KeyBoy", "Operation Tropic Trooper", "Pirate Panda", "Tropic Trooper" ], "source_name": "ETDA:Tropic Trooper", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "ByPassGodzilla", "CHINACHOPPER", "CREDRIVER", "China Chopper", "Chymine", "Darkmoon", "Gen:Trojan.Heur.PT", "KeyBoy", "Neo-reGeorg", "PCShare", "POISONPLUG.SHADOW", "Poison Ivy", "RoyalRoad", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Swor", "TSSL", "USBferry", "W32/Seeav", "Winsloader", "XShellGhost", "Yahoyah", "fscan", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "a4aca3ca-9e04-42d1-b037-f7fb3fbab0b1", "created_at": "2023-01-06T13:46:39.042499Z", "updated_at": "2026-04-10T02:00:03.194713Z", "deleted_at": null, "main_name": "TA428", "aliases": [ "BRONZE DUDLEY", "Colourful Panda" ], "source_name": "MISPGALAXY:TA428", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d", "created_at": "2025-08-07T02:03:24.595597Z", "updated_at": "2026-04-10T02:00:03.740023Z", "deleted_at": null, "main_name": "BRONZE FIRESTONE", "aliases": [ "APT19 ", "C0d0s0", "Checkered Typhoon ", "Chlorine ", "Deep Panda ", "Pupa ", "TG-3551 " ], "source_name": "Secureworks:BRONZE FIRESTONE", "tools": [ "9002", "Alice's Rabbit Hole", "Cobalt Strike", "Derusbi", "PlugX", "PoisonIvy", "PowerShell Empire", "Trojan Briba", "Zuguo" ], "source_id": "Secureworks", "reports": null }, { "id": "86182dd7-646c-49c5-91a6-4b62fd2119a7", "created_at": "2025-08-07T02:03:24.617638Z", "updated_at": "2026-04-10T02:00:03.738499Z", "deleted_at": null, "main_name": "BRONZE HOBART", "aliases": [ "APT23", "Earth Centaur ", "KeyBoy ", "Pirate Panda ", "Red Orthrus ", "TA413 ", "Tropic Trooper " ], "source_name": "Secureworks:BRONZE HOBART", "tools": [ "Crowdoor", "DSNGInstaller", "KeyBoy", "LOWZERO", "Mofu", "Pfine", "Sepulcher", "Xiangoop Loader", "Yahaoyah" ], "source_id": "Secureworks", "reports": null }, { "id": "8e385d36-06a2-4294-b3d3-01fe8e9d95f4", "created_at": "2022-10-25T16:07:24.219051Z", "updated_at": "2026-04-10T02:00:04.902017Z", "deleted_at": null, "main_name": "Space Pirates", "aliases": [ "Erudite Mogwai", "Webworm" ], "source_name": "ETDA:Space Pirates", "tools": [ "9002 RAT", "Agent.dhwf", "AngryRebel", "BH_A006", "Chymine", "Darkmoon", "Deed RAT", "Destroy RAT", "DestroyRAT", "Farfli", "Gen:Trojan.Heur.PT", "Gh0st RAT", "Ghost RAT", "HOMEUNIX", "HidraQ", "Homux", "Hydraq", "Kaba", "Korplug", "McRAT", "MdmBot", "Moudour", "MyKLoadClient", "Mydoor", "PCRat", "PCShare", "POISONPLUG.SHADOW", "PlugX", "Poison Ivy", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SnappyBee", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trochilus RAT", "XShellGhost", "Xamtrav", "Zupdax", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "6a660ea2-1118-404a-9f8f-f0d6a1e9f184", "created_at": "2022-10-25T15:50:23.685924Z", "updated_at": "2026-04-10T02:00:05.364493Z", "deleted_at": null, "main_name": "APT12", "aliases": [ "APT12", "IXESHE", "DynCalc", "Numbered Panda", "DNSCALC" ], "source_name": "MITRE:APT12", "tools": [ "Ixeshe", "RIPTIDE", "HTRAN" ], "source_id": "MITRE", "reports": null }, { "id": "a0f6bde9-34cb-46bf-88b7-b4e54c96beaa", "created_at": "2022-10-25T15:50:23.646492Z", "updated_at": "2026-04-10T02:00:05.37108Z", "deleted_at": null, "main_name": "Dust Storm", "aliases": [ "Dust Storm" ], "source_name": "MITRE:Dust Storm", "tools": [ "S-Type", "Mis-Type", "ZLib", "Misdat" ], "source_id": "MITRE", "reports": null }, { "id": "5c74936a-79d1-41b8-81eb-01d03c90a26b", "created_at": "2022-10-25T16:07:23.371052Z", "updated_at": "2026-04-10T02:00:04.570621Z", "deleted_at": null, "main_name": "Axiom", "aliases": [ "G0001", "Group 72", "Operation SMN" ], "source_name": "ETDA:Axiom", "tools": [ "9002 RAT", "Agent.dhwf", "AngryRebel", "BlackCoffee", "BleDoor", "Chymine", "Darkmoon", "DeputyDog", "Derusbi", "Destroy RAT", "DestroyRAT", "Farfli", "Fexel", "Gen:Trojan.Heur.PT", "Gh0st RAT", "Ghost RAT", "Gresim", "HOMEUNIX", "HiKit", "HidraQ", "Homux", "Hydraq", "Kaba", "Korplug", "McRAT", "MdmBot", "Moudour", "Mydoor", "PCRat", "PNGRAT", "PlugX", "Poison Ivy", "RbDoor", "RedDelta", "RibDoor", "Roarur", "SPIVY", "Sensocode", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Winnti", "Xamtrav", "ZXShell", "Zox", "ZoxPNG", "ZoxRPC", "gresim", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "87a842ac-ca8b-41a6-9137-d2cd286e1f51", "created_at": "2022-10-25T16:07:23.559995Z", "updated_at": "2026-04-10T02:00:04.656872Z", "deleted_at": null, "main_name": "Dust Storm", "aliases": [ "G0031" ], "source_name": "ETDA:Dust Storm", "tools": [ "AngryRebel", "Chymine", "Darkmoon", "Farfli", "Gen:Trojan.Heur.PT", "Gh0st RAT", "Ghost RAT", "MiS-Type", "Misdat", "Moudour", "Mydoor", "PCRat", "Poison Ivy", "S-Type", "SPIVY", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "373f8e81-4d9c-4590-9039-9526e8c99aef", "created_at": "2023-01-06T13:46:39.454601Z", "updated_at": "2026-04-10T02:00:03.334758Z", "deleted_at": null, "main_name": "Red Dev 17", "aliases": [], "source_name": "MISPGALAXY:Red Dev 17", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2664d6f5-f918-4978-87f8-f6afad7402c6", "created_at": "2023-01-06T13:46:39.393669Z", "updated_at": "2026-04-10T02:00:03.312065Z", "deleted_at": null, "main_name": "Earth Berberoka", "aliases": [ "GamblingPuppet" ], "source_name": "MISPGALAXY:Earth Berberoka", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43", "created_at": "2025-08-07T02:03:24.68371Z", "updated_at": "2026-04-10T02:00:03.64323Z", "deleted_at": null, "main_name": "BRONZE UNION", "aliases": [ "APT27 ", "Bowser", "Budworm ", "Circle Typhoon ", "Emissary Panda ", "Group35", "Iron Tiger ", "Linen Typhoon ", "Lucky Mouse ", "TG-3390 ", "Temp.Hippo " ], "source_name": "Secureworks:BRONZE UNION", "tools": [ "AbcShell", "China Chopper", "EAGERBEE", "Gh0st RAT", "OwaAuth", "PhantomNet", "PoisonIvy", "Sysupdate", "Wonknu", "Wrapikatz", "ZxShell", "reGeorg" ], "source_id": "Secureworks", "reports": null }, { "id": "cff2cedd-a198-4e79-ae67-19048084ae7f", "created_at": "2024-06-20T02:02:09.945126Z", "updated_at": "2026-04-10T02:00:04.79991Z", "deleted_at": null, "main_name": "Operation Diplomatic Specter", "aliases": [ "CL-STA-0043", "TGR-STA-0043" ], "source_name": "ETDA:Operation Diplomatic Specter", "tools": [ "Agent Racoon", "Agent.dhwf", "AngryRebel", "CHINACHOPPER", "China Chopper", "Destroy RAT", "DestroyRAT", "Farfli", "Gh0st RAT", "Ghost RAT", "HTran", "HUC Packet Transmit Tool", "JuicyPotatoNG", "Kaba", "Korplug", "LadonGo", "Mimikatz", "Mimilite", "Moudour", "Mydoor", "NBTscan", "Ntospy", "PCRat", "PlugX", "RedDelta", "SharpEfsPotato", "SinoChopper", "Sogu", "SweetSpecter", "TIGERPLUG", "TVT", "Thoper", "TunnelSpecter", "Xamtrav", "Yasso", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "47a8f6c7-5b29-4892-8f47-1d46be71714f", "created_at": "2025-08-07T02:03:24.599925Z", "updated_at": "2026-04-10T02:00:03.720795Z", "deleted_at": null, "main_name": "BRONZE FLEETWOOD", "aliases": [ "APT5 ", "DPD ", "Keyhole Panda ", "Mulberry Typhoon ", "Poisoned Flight ", "TG-2754 " ], "source_name": "Secureworks:BRONZE FLEETWOOD", "tools": [ "Binanen", "Comfoo", "Gh0st RAT", "Isastart", "Leouncia", "Marade", "OrcaRAT", "PCShare", "Protux", "Skeleton Key", "SlyPidgin", "VinSelf" ], "source_id": "Secureworks", "reports": null }, { "id": "dc0eb4da-1f8c-4f2a-9530-62b0efbb1c35", "created_at": "2025-08-07T02:03:24.608888Z", "updated_at": "2026-04-10T02:00:03.749632Z", "deleted_at": null, "main_name": "BRONZE GLOBE", "aliases": [ "APT12 ", "CTG-8223 ", "DyncCalc ", "Numbered Panda ", "PortCalc" ], "source_name": "Secureworks:BRONZE GLOBE", "tools": [ "Badpuck", "BeepService", "Etumbot", "Gh0st RAT", "Ixeshe", "Mswab", "RAdmin", "Seatran", "SvcInstaller", "Ziyang" ], "source_id": "Secureworks", "reports": null }, { "id": "5c13338b-eaed-429a-9437-f5015aa98276", "created_at": "2022-10-25T16:07:23.582715Z", "updated_at": "2026-04-10T02:00:04.675765Z", "deleted_at": null, "main_name": "Emissary Panda", "aliases": [ "APT 27", "ATK 15", "Bronze Union", "Budworm", "Circle Typhoon", "Earth Smilodon", "Emissary Panda", "G0027", "Group 35", "Iron Taurus", "Iron Tiger", "Linen Typhoon", "LuckyMouse", "Operation DRBControl", "Operation Iron Tiger", "Operation PZChao", "Operation SpoiledLegacy", "Operation StealthyTrident", "Red Phoenix", "TEMP.Hippo", "TG-3390", "ZipToken" ], "source_name": "ETDA:Emissary Panda", "tools": [ "ASPXSpy", "ASPXTool", "Agent.dhwf", "AngryRebel", "Antak", "CHINACHOPPER", "China Chopper", "Destroy RAT", "DestroyRAT", "FOCUSFJORD", "Farfli", "Gh0st RAT", "Ghost RAT", "HTTPBrowser", "HTran", "HUC Packet Transmit Tool", "HighShell", "HttpBrowser RAT", "HttpDump", "HyperBro", "HyperSSL", "HyperShell", "Kaba", "Korplug", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "Moudour", "Mydoor", "Nishang", "OwaAuth", "PCRat", "PlugX", "ProcDump", "PsExec", "RedDelta", "SEASHARPEE", "Sensocode", "SinoChopper", "Sogu", "SysUpdate", "TIGERPLUG", "TVT", "Thoper", "Token Control", "TokenControl", "TwoFace", "WCE", "Windows Credential Editor", "Windows Credentials Editor", "Xamtrav", "ZXShell", "gsecdump", "luckyowa" ], "source_id": "ETDA", "reports": null }, { "id": "9faf32b7-0221-46ac-a716-c330c1f10c95", "created_at": "2022-10-25T16:07:23.652281Z", "updated_at": "2026-04-10T02:00:04.702108Z", "deleted_at": null, "main_name": "Gallium", "aliases": [ "Alloy Taurus", "G0093", "Granite Typhoon", "Phantom Panda" ], "source_name": "ETDA:Gallium", "tools": [ "Agentemis", "BlackMould", "CHINACHOPPER", "China Chopper", "Chymine", "CinaRAT", "Cobalt Strike", "CobaltStrike", "Darkmoon", "Gen:Trojan.Heur.PT", "Gh0stCringe RAT", "HTran", "HUC Packet Transmit Tool", "LaZagne", "Mimikatz", "NBTscan", "PingPull", "Plink", "Poison Ivy", "PsExec", "PuTTY Link", "QuarkBandit", "Quasar RAT", "QuasarRAT", "Reshell", "SPIVY", "SinoChopper", "SoftEther VPN", "Sword2033", "WCE", "WinRAR", "Windows Credential Editor", "Windows Credentials Editor", "Yggdrasil", "cobeacon", "nbtscan", "netcat", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "c87ee2df-e528-4fa0-bed6-6ed29e390688", "created_at": "2023-01-06T13:46:39.150432Z", "updated_at": "2026-04-10T02:00:03.231072Z", "deleted_at": null, "main_name": "GALLIUM", "aliases": [ "Red Dev 4", "Alloy Taurus", "Granite Typhoon", "PHANTOM PANDA" ], "source_name": "MISPGALAXY:GALLIUM", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "236429ce-6355-43f6-9b58-e6803a1df3f4", "created_at": "2026-03-16T02:02:50.60344Z", "updated_at": "2026-04-10T02:00:03.641587Z", "deleted_at": null, "main_name": "Bronze Union", "aliases": [ "Circle Typhoon ", "Emissary Panda " ], "source_name": "Secureworks:Bronze Union", "tools": [ "China Chopper", "OwaAuth", "Sysupdate" ], "source_id": "Secureworks", "reports": null }, { "id": "5abbd961-c51b-45e2-9632-e94e48a051b0", "created_at": "2026-01-22T02:00:03.673383Z", "updated_at": "2026-04-10T02:00:03.924422Z", "deleted_at": null, "main_name": "DragonBreath", "aliases": [ "Golden Eye Dog", "APT-Q-27," ], "source_name": "MISPGALAXY:DragonBreath", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434003, "ts_updated_at": 1775792300, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/298c700a4e701ed32c7cca5f4767c933c3fe9c07.pdf", "text": "https://archive.orkl.eu/298c700a4e701ed32c7cca5f4767c933c3fe9c07.txt", "img": "https://archive.orkl.eu/298c700a4e701ed32c7cca5f4767c933c3fe9c07.jpg" } }