{
	"id": "99fe5701-ad36-4794-bd71-334940e6d8e5",
	"created_at": "2026-04-06T00:12:52.515934Z",
	"updated_at": "2026-04-10T13:13:04.899788Z",
	"deleted_at": null,
	"sha1_hash": "2c2e74d9ea4c9fc3823b4d193124297bd4886d59",
	"title": "Anchor Project | The Deadly Planeswalker: How The TrickBot Group United High-Tech Crimeware \u0026 APT - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1469309,
	"plain_text": "Anchor Project | The Deadly Planeswalker: How The TrickBot\r\nGroup United High-Tech Crimeware \u0026 APT - SentinelLabs\r\nBy Vitali Kremez\r\nPublished: 2019-12-10 · Archived: 2026-04-05 14:38:00 UTC\r\nResearch by: Vitali Kremez, Joshua Platt and Jason Reaves\r\nThe Wind of Time Shakes the Underground | High-Tech Cybercrime \u0026 APT | Most Sophisticated\r\n\u0026 Resourceful Crimeware Group\r\nRead the Full Report\r\nWhen we talk about cybercrime, we often portray a hidden, hazardous realm, which is radically different from the\r\none that we live in. In fact, hackers and their cybercrime enterprises exist in the same world as ours and undergo\r\nthe same social and economic transformations as those which shape our reality.\r\nWhen cybercrime emerged, it followed the rules of the late industrial age. Despite their Fin de siècle fleur of\r\nharbingers of the radically novel era, cybercriminal communities relied on standard, if not mundane operational\r\nrules of classic enterprises — separation of functions, division of labor, focused specialization. In other words,\r\nunderground malware engineers who developed information stealers most likely never had a chance or intent to\r\nhttps://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/\r\nPage 1 of 8\n\ntalk to hackers who developed ransomware; hacktivists did not collaborate with cyber fraudsters or carders, while\r\nfor-profit criminals and nation-state advanced persistent threat (APT) operatives preferred to maintain a clear\r\nseparation line.\r\nEverything changed with time. Unlike its predecessor which valued separation and operational boundaries, the\r\n21st century manifested the interconnectivity as its essential trait. Facebook, Google, Uber, all succeeded because\r\nthey were able to unite the previously “ununitable.” This strive to merge domains and cross borders became a rule\r\nfor success, a natural destination of evolution. 
Like other humans, cybercriminals felt the zeitgeist and evolved accordingly. However, only one group was able to crown this evolution — the elite “TrickBot” group.\r\nThis story begins in the year in which the century clearly demonstrated its rapidly changing nature. 2013 — the call for radical social change shakes the Middle East and Europe alike; the Pope announces his renunciation for the first time in 700 years; Voyager 1 exits the Solar System and reaches the interstellar medium. The transformations of cybercrime were no less fundamental. Banking malware — malware designed to steal financial information — was rapidly acquiring new functions and traits, culminating in the success of GameOver Zeus, also known as “Peer-to-Peer Zeus”, run by a cybercrime group that became known as “Business Club.” The developers of this crimeware employed an alternative approach to their botnet — offering it as a service for other threat actors. The GameOver Zeus service also pioneered the deployment of ransomware such as the prolific “Cryptolocker”, responsible for millions in losses and affecting victims worldwide. Overall, GameOver Zeus was a major success in introducing a profoundly new model — cybercrime-as-a-service (CaaS). This model was based on automation, customization, and a client-oriented approach, and perfectly fit the demand of the expanding postindustrial private market. The Business Club model was operated by the most wanted cybercriminal, Russian national Evgeniy Mihailovich Bogachev, known simply as “Slavik” among his fellow club members.\r\nIt was only a matter of time before other groups would incorporate GameOver Zeus’s innovative model. 
In 2014, two cybercrime teams, former customers and members of “Business Club,” formed separate crimeware operations that became known as “Dridex” and “Dyre.” Both Dridex and Dyre made their way into the headlines by advancing the CaaS model and supplying various types of cybercriminals with their botnet solutions.\r\nIn the meantime, Dridex and its operators, also known as “Evil Corp,” continued to experiment successfully with targeted, highly impactful bank fraud and ransomware operations, including working with such targeted ransomware variants as “BitPaymer” and “DoppelPaymer,” responsible for multiple worldwide ransomware disruptions including the PEMEX intrusion. In December 2019, international law enforcement charged and indicted the Dridex botnet operators and sanctioned their leader, Maksim Yakubets, known as “aqua,” and their administrator Igor Turashev, known as “nintutu,” for their involvement in another massive bank fraud and ransomware operation causing more than $100 million in losses. Notably, Yakubets was alleged to have close involvement with the Russian government and the FSB, acquiring confidential documents through cyber-enabled means and conducting cyber-enabled operations on its behalf.\r\nIn 2016, Dyre operators were alleged to have been arrested in Moscow, Russia; however, their work and ideas accumulated in a new tool — TrickBot. TrickBot engineers designed the bot in such a way that it plugged into the Dyre backend systems seamlessly while preserving independence from the Dyre components.\r\nTrickBot Race to Perfection: The Aesthetics of Blurred Lines\r\nTrickBot was developed in 2016 as banking malware. However, since then it has developed into something essentially different — a flexible, universal, module-based crimeware solution. TrickBot has evolved to specifically attack corporations. 
The three pillars of TrickBot’s success were, ironically, the buzzwords of the post-industrial revolution — automation, decentralization, and integration.\r\nEarly reports on TrickBot appeared in Fall 2016. By November 2016, the malware was already tested and functional. TrickBot developers began to add new functions to cross borders — first, literal borders. Initially targeting Australian banks, by November 2016 TrickBot had added New Zealand, British, German, and Canadian banks to its victim list. In July 2017, TrickBot was equipped with advanced automation — another crucial trait that characterized this malware. TrickBot was now capable of worm-like spreading within the network after the initial infection.\r\nThen the expansion of functions followed. In October 2017, the crimeware group gathered data from mail clients and scraped web history in search of personal identifiers. Later, new password grabber modules turned TrickBot into a fully-fledged stealing tool that was able to browse Google Chrome, Mozilla Firefox, Microsoft Edge, and other applications containing passwords and credentials.\r\nAs a result, by 2018, the TrickBot group was swamped by an enormous data flow from infected machines. The group faced “big data” problems which required them to engineer a custom solution for commercial-scale data flows and essentially design a “data lake” service to process it. The group faced a paradox in which its technological efficiency was not matched by its capability to process and monetize the stolen information. It was at this moment that the organizational and strategic talent of the operators, and, possibly, the experience of Dyre came into play.\r\nInstead of harvesting and storing the compromised information as raw material, TrickBot decided to process and index it and offer access to it as a service. 
For instance, the spying capability was redesigned with a new feature with which TrickBot gathered and transferred network and domain controller information from victims. With this function, TrickBot could provide other groups with critical security information which was then used to prioritize victims. In other words, a TrickBot customer knew who was the least protected prey on the list. In other instances, breach and botnet data were indexed through the backend to track high-value targets. In this sense, the group weaponized these infections for potent, targeted ransomware, or as they called it a “cryptolocker,” which became known as the “Ryuk” ransomware, affecting and crippling industries worldwide across multiple market segments, including the healthcare and aviation industries. The criminal groups used specific digital identifiers obtained via TrickBot to spot the most lucrative industry targets for their ransomware campaigns.\r\nMoreover, the group decentralized, if not “Uberized,” its operations and started to massively sublet its technical solutions to affiliate groups. TrickBot has often been used in combination with other malware, including the highly infective Emotet, IcedID/BokBot, and Gozi ISFB v2.\r\nThe flexibility was achieved through active use of modules. The modular structure allowed TrickBot to efficiently operate in different environments which were previously separated. 
TrickBot and its modules acted in the following major ways:\r\na perfect information stealer, grabbing personal information which was then sold on the underground and used privately,\r\na banker, stealing corporate data which was monetized through account takeover and card fraud,\r\na distributor, delivering ransomware, and\r\na cryptominer.\r\nBy 2019, automation, decentralization, and integration enabled TrickBot to introduce a game-changing model. Their domain controller harvester enabled automatic network information collection and automated lateral movement within networks, not to mention the completely automated process of credential harvesting. The ability to integrate different cybercrime segments allowed the group to perform sophisticated bank fraud operations for money laundering and to engage in ransomware and tax fraud. Decentralization created a flexible business model, where TrickBot offered attack tools to vetted vendors and used the tools of others to increase its infectivity.\r\nIn blurring the lines between breaches, data theft, ransomware, and cyber fraud, the group had almost reached the pinnacle, and almost united the cybercrime territories. However, there was one final challenge separating TrickBot from perfection — the APTs.\r\nThe “Anchor” Mystery\r\nAdvanced Persistent Threat is a type of cybercrime which is most often associated with nation-state actors. While the attribution is often a subject of political accusations and social discussion, APT groups are indeed extremely sophisticated and are characterized by an ultimate focus on espionage. This defines the persistence in their operations — to accomplish their mission targets, APT teams need to secretly remain in the system, navigate and observe. 
APTs saw their heyday in 2016 and 2017 when professional intrusion teams performed massive operations against top banks and attacks against the SWIFT payment system.\r\nThe APT modus operandi, consisting of targeted attacks on extremely secure networks, long-term persistence without detection, and espionage, separates them from crimeware such as TrickBot, which is generally deployed merely for monetary gain. This is why it was highly unlikely that TrickBot would attempt to integrate APTs into their operations. Until a new TrickBot derivative project called “Anchor” was discovered.\r\nWhile investigating the Anchor project we observed a framework of tools that allows the actors — potential TrickBot customers — to leverage this framework against higher-profile victims. Some of the pieces we have found for this framework can be seen below in the form of PDB paths. Anchor consists of several segments, each with a specific function:\r\nanchorInstaller\r\nanchorDeInstaller\r\nAnchorBot\r\nBin2hex\r\npsExecutor\r\nmemoryScraper\r\nThis structure is designed to secretly upload the malware and clean up all the evidence of the attack. However, the ultimate goal of this innovation is unclear until we examine other modules. From looking at any TrickBot module we can clearly understand its purpose. But when it comes to Anchor we see a combination of functionality, tools, and methods. 
What is beyond question, however, is the sophistication of this technology, including an integrated methodology for loading such frameworks as Metasploit, Cobalt Strike, TerraLoader, and PowerShell Empire to perform further post-exploitation on the victim.\r\nThe Anchor project combines a collection of tools — from the initial installation tool to the cleanup meant to scrub the existence of malware on the victim machine. In other words, Anchor presents as an all-in-one attack framework designed to compromise enterprise environments using both custom and existing tooling.\r\nAs described earlier, TrickBot modules are customer-based, designed for the needs of a specific criminal activity. The Anchor project is a complex and stealthy tool for targeted data extraction from secure environments and long-term persistence. Logically, this tool would be a very tempting acquisition for high-profile, possibly nation-state groups. However, Anchor is also used for large cyber heists and point-of-sale card theft operations leveraging its custom card scraping malware. Among the nation-state groups, only a few are interested in both data collection and financial gain, and one of them is Lazarus.\r\nLazarus Group (also known as “Lazarus,” “Hidden Cobra,” and “Kimsuky”) is an advanced persistent threat (APT) group composed of operators from “Bureau 121” (121국), the cyber warfare division of North Korea’s RGB. 
The group has been active since at least 2009 and is presumed to operate out of a multitude of international locations.\r\nLazarus appears to have been interested in a variety of sectors and targets in the last eighteen months, including cryptocurrency exchanges, financial institutions, non-governmental organizations, and South Korean individuals. Many North Korean cyber operators are likely not only self-funded but also tasked with earning income for the North Korean regime; Lazarus Group has likely targeted banks, cryptocurrency exchanges, and users to achieve this goal.\r\nDuring our investigation of Anchor, we discovered that the tool PowerRatankba, previously linked to the purported North Korean group, was in fact used in Anchor.\r\nThe specific evidence showed that this Lazarus group toolkit was loaded via the TrickBot Anchor project, pointing to the now-unmasked relationship between the tools attributed to the TrickBot “Anchor” group and Lazarus.\r\nUniting the Ununitable — Crimeware Meets APT\r\nThe integration of these tools into Anchor implies that TrickBot was able to overcome the final barrier in integrating different domains into its model. By integrating the APT approach into its model, the group turned its enterprise into a holistic ecosystem of cybercrime, becoming an essentially new phenomenon. In this ecosystem, crimeware and APT are no longer siloed; on the contrary, each type of crime creates added value for the other, and each becomes a force multiplier.\r\nConclusion: The Deadly Planeswalker\r\nAnchor is not simply a new addition to a long list of TrickBot modules and projects; it is the culmination of many years of cybercrime evolution, a point at which all the puzzle pieces come together. 
Through its history, TrickBot was adding new markets to its area of operations, steadily conquering the cybercrime world. First, it blurred the line between infostealers and bankers, then between trojans and ransomware, and between financial fraud and malware. Through the history of cybercrime, APT was a Kantian “thing-in-itself”; making it an integral part of a broader business model required a technical and organizational revolution. With the Anchor project, TrickBot became this revolutionary. The TrickBot and Dridex groups have remained among the most sophisticated crimeware groups since “Business Club.” While Dridex’s “Evil Corp” members were publicly charged and named as responsible for over $100 million in losses, the TrickBot group continued to innovate and stay active with more diverse crimeware models than Dridex.\r\nThe ability to seamlessly integrate the APT into a monetization business model is evidence of a quantum shift. By accomplishing this integration, TrickBot overtly demonstrates that it has achieved a qualitatively new level of cybercrime enterprise, never before seen in magnitude and complexity, superseding and dethroning the legacy of its previous inspiration and playground known as “Business Club.”\r\nIOCs on GitHub\r\nSource: https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/"
	],
	"report_names": [
		"the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "91ff2504-6c1a-4eaa-832b-2c5e297426c5",
			"created_at": "2022-10-25T16:47:55.740817Z",
			"updated_at": "2026-04-10T02:00:03.678203Z",
			"deleted_at": null,
			"main_name": "GOLD EVERGREEN",
			"aliases": [
				"The Business Club"
			],
			"source_name": "Secureworks:GOLD EVERGREEN",
			"tools": [
				"CryptoLocker",
				"JabberZeus",
				"Pony",
				"Zeus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "81dde5cc-c29f-430d-8c6e-e5e92d5015e7",
			"created_at": "2022-10-25T16:07:23.704358Z",
			"updated_at": "2026-04-10T02:00:04.718034Z",
			"deleted_at": null,
			"main_name": "Harvester",
			"aliases": [],
			"source_name": "ETDA:Harvester",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Graphon",
				"Metasploit",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434372,
	"ts_updated_at": 1775826784,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2c2e74d9ea4c9fc3823b4d193124297bd4886d59.pdf",
		"text": "https://archive.orkl.eu/2c2e74d9ea4c9fc3823b4d193124297bd4886d59.txt",
		"img": "https://archive.orkl.eu/2c2e74d9ea4c9fc3823b4d193124297bd4886d59.jpg"
	}
}