{
	"id": "304b3d5a-edfd-43cd-8a93-f1d674d82160",
	"created_at": "2026-04-06T00:21:26.608328Z",
	"updated_at": "2026-04-10T03:37:32.904799Z",
	"deleted_at": null,
	"sha1_hash": "2c39a0f9869f00fefed1f1177c92d592daefb1bb",
	"title": "Sophisticated Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 113898,
	"plain_text": "Sophisticated Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs | CISA\r\nPublished: 2021-05-29 · Archived: 2026-04-05 20:36:23 UTC\r\nSummary\r\nThis Joint Cybersecurity Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge\r\n(ATT\u0026CK®) framework, Version 9. See the ATT\u0026CK for Enterprise for all referenced threat actor tactics and\r\ntechniques.\r\nThe Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are\r\nengaged in addressing a spearphishing campaign targeting government organizations, intergovernmental\r\norganizations (IGOs), and non-governmental organizations (NGOs). A sophisticated cyber threat actor leveraged a\r\ncompromised end-user account from Constant Contact, a legitimate email marketing software company, to spoof a\r\nU.S.-based government organization and distribute links to malicious URLs.[1] CISA and FBI have not\r\ndetermined that any individual accounts have been specifically targeted by this campaign.\r\nNote: CISA and FBI acknowledge open-source reporting attributing the activity discussed in the report to APT29\r\n(also known as Nobelium, The Dukes, and Cozy Bear).[2,3] However, CISA and FBI are investigating this\r\nactivity and have not attributed it to any threat actor at this time. CISA and FBI will update this Joint\r\nCybersecurity Advisory as new information becomes available.\r\nNote: This Joint Cybersecurity Advisory contains information on tactics, techniques, and procedures (TTPs) and\r\nmalware associated with this campaign. 
For more information on the malware, refer to Malware Analysis Report\r\nMAR-10339794-1.v1: Cobalt Strike Beacon.\r\nCISA and FBI urge governmental and international affairs organizations and individuals associated with such\r\norganizations to adopt a heightened state of awareness and implement the recommendations in the Mitigations\r\nsection of this advisory.\r\nFor a downloadable list of indicators of compromise (IOCs), refer to AA21-148A.stix and MAR-10339794-1.v1.stix.\r\nTechnical Details\r\nBased on incident reports, malware collection, and trusted third-party reporting, CISA and FBI are engaged in\r\naddressing a sophisticated spearphishing campaign. A cyber threat actor leveraged a compromised end-user\r\naccount from Constant Contact, a legitimate email marketing software company, to send phishing emails to more\r\nthan 7,000 accounts across approximately 350 government organizations, IGOs, and NGOs. The threat actor sent\r\nspoofed emails that appeared to originate from a U.S. Government organization. The emails contained a legitimate\r\nConstant Contact link that redirected to a malicious URL [T1566.002, T1204.001], from which a malicious\r\nISO file was dropped onto the victim’s machine.\r\nThe ISO file contained (1) a malicious Dynamic Link Library (DLL) named Documents.dll [T1055.001], which\r\nis a custom Cobalt Strike Beacon version 4 implant, (2) a malicious shortcut file that executes the Cobalt Strike\r\nBeacon loader [T1105], and (3) a benign decoy PDF titled “Foreign Threats to the 2020 US Federal Elections”\r\nwith file name “ICA-declass.pdf” (see figure 1). 
Note: The decoy file appears to be a copy of the declassified\r\nIntelligence Community Assessment pursuant to Executive Order 13848 Section 1(a), which is available at\r\nhttps://www.intelligence.gov/index.php/ic-on-the-record-database/results/1046-foreign-threats-to-the-2020-us-federal-elections-intelligence-community-assessment.\r\nFigure 1: Decoy PDF: ICA-declass.pdf\r\nCobalt Strike is a commercial penetration testing tool used to conduct red team operations.[4] It contains a\r\nnumber of tools that complement the cyber threat actor’s exploitation efforts, such as a keystroke logger, file\r\ninjection capability, and network services scanners. The Cobalt Strike Beacon is the malicious implant that calls\r\nback to attacker-controlled infrastructure and checks for additional commands to execute on the compromised\r\nsystem [TA0011].\r\nThe configuration file for this Cobalt Strike Beacon implant contained communications protocols, an implant\r\nwatermark, and the following hardcoded command and control (C2) domains:\r\ndataplane.theyardservice[.]com/jquery-3.3.1.min.woff2\r\ncdn.theyardservice[.]com/jquery-3.3.1.min.woff2\r\nstatic.theyardservice[.]com/jquery-3.3.1.min.woff2\r\nworldhomeoutlet[.]com/jquery-3.3.1.min.woff2\r\nThe configuration file was encoded with a single-byte XOR (key 0x2e) and a 16-bit byte swap.\r\nFor more information on the ISO file and Cobalt Strike Beacon implant, including IOCs, refer to Malware\r\nAnalysis Report MAR-10339794-1.v1: Cobalt Strike Beacon.\r\nIndicators of Compromise\r\nThe following IOCs were derived from trusted third parties and open-source research. 
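The C2 entries that follow (the theyardservice[.]com and worldhomeoutlet[.]com hosts with their jquery-3.3.1.min.woff2 URI) are the kind of strings an analyst pulls out of the Beacon configuration once the XOR with key 0x2e and the 16-bit byte swap described above are undone. The Python below is an added example written for this page; it is not code from CISA or from the malware analysis report. It assumes that the 16-bit byte swap exchanges the two bytes of every 16-bit word, that the decoded blob uses the usual Beacon setting layout (2-byte index, 2-byte type, 2-byte length, value, all big-endian, terminated by index 0), and that the C2Server setting stores comma-separated host,uri pairs. The sample blob, its field values and the example.com host are constructed for the example and are not taken from the real implant.

```python
# Added example for this page (not CISA or MAR code): decode a Cobalt Strike
# Beacon config obfuscated with XOR 0x2e plus a 16-bit byte swap, then parse it.
# Assumed: the swap exchanges the two bytes of each 16-bit word; records are
# index(2) | type(2) | length(2) | value, big-endian, ending with index 0.
import struct
from typing import Optional

XOR_KEY = 0x2E
TYPE_SHORT, TYPE_INT, TYPE_DATA = 1, 2, 3

# Standard Beacon setting numbers for the fields the example parses.
SETTING_NAMES = {
    1: 'BeaconType',
    2: 'Port',
    3: 'SleepTime',
    5: 'Jitter',
    8: 'C2Server',
    10: 'HttpPostUri',
    37: 'Watermark',
}


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    '''XOR every byte with the single-byte key (an involution).'''
    return bytes(b ^ key for b in data)


def swap16(data: bytes) -> bytes:
    '''Exchange the two bytes of every 16-bit word; a trailing odd byte is left alone.'''
    out = bytearray(data)
    for i in range(0, len(out) - 1, 2):
        out[i], out[i + 1] = out[i + 1], out[i]
    return bytes(out)


def decode_config(blob: bytes) -> bytes:
    '''Undo the obfuscation. XOR with a constant byte and the pairwise swap commute
    and are each their own inverse, so this function also encodes.'''
    return swap16(xor_bytes(blob))


def parse_config(decoded: bytes) -> dict:
    '''Walk the index/type/length/value records until the terminating index 0.'''
    settings = {}
    off = 0
    while off + 6 <= len(decoded):
        idx, typ, length = struct.unpack_from('!HHH', decoded, off)
        off += 6
        if idx == 0:
            break
        value = decoded[off:off + length]
        off += length
        if typ == TYPE_SHORT:
            parsed = struct.unpack('!H', value[:2])[0]
        elif typ == TYPE_INT:
            parsed = struct.unpack('!I', value[:4])[0]
        else:
            parsed = value.rstrip(bytes(1))   # strip NUL padding from data fields
        settings[SETTING_NAMES.get(idx, f'setting_{idx}')] = parsed
    return settings


def c2_urls(settings: dict) -> list:
    '''Turn the C2Server field (host,uri,host,uri,...) into one indicator per host.'''
    parts = settings.get('C2Server', b'').decode('latin-1').split(',')
    return [parts[i] + parts[i + 1] for i in range(0, len(parts) - 1, 2)]


def find_config(data: bytes) -> Optional[bytes]:
    '''Locate the obfuscated config inside a larger buffer (e.g. an unpacked DLL)
    by searching for the encoded form of its first record: index 1, type 1, length 2.'''
    marker = decode_config(bytes([0, 1, 0, 1, 0, 2]))
    pos = data.find(marker)
    return None if pos < 0 else data[pos:]


def _record(idx: int, typ: int, value: bytes) -> bytes:
    return struct.pack('!HHH', idx, typ, len(value)) + value


# Constructed sample (not recovered from the real implant): an HTTPS beacon
# with one C2 host and the same jquery-style URI the advisory reports.
SAMPLE_PLAIN = b''.join([
    _record(1, TYPE_SHORT, struct.pack('!H', 8)),       # BeaconType 8 = HTTPS
    _record(2, TYPE_SHORT, struct.pack('!H', 443)),
    _record(3, TYPE_INT, struct.pack('!I', 60000)),     # sleep in ms
    _record(5, TYPE_SHORT, struct.pack('!H', 20)),      # jitter percent
    _record(8, TYPE_DATA, b'cdn.example.com,/jquery-3.3.1.min.woff2'.ljust(64, bytes(1))),
    _record(37, TYPE_INT, struct.pack('!I', 0x12345678)),  # watermark
    struct.pack('!HHH', 0, 0, 0),
])
# Wrap the obfuscated config in filler to mimic its position inside a binary.
SAMPLE_BINARY = bytes([0x90]) * 32 + decode_config(SAMPLE_PLAIN) + bytes(16)


def extract_c2_from_binary(data: bytes) -> list:
    '''End-to-end: find, decode, parse, and list C2 URLs from a buffer.'''
    blob = find_config(data)
    return [] if blob is None else c2_urls(parse_config(decode_config(blob)))


if __name__ == '__main__':
    print(parse_config(decode_config(find_config(SAMPLE_BINARY))))
    print(extract_c2_from_binary(SAMPLE_BINARY))
```

Because XOR with a single repeated key byte and the pairwise swap commute, decode_config is its own inverse and is used both to build the sample and to decode it. find_config searches for the obfuscated form of the first record (index 1, type 1, length 2) rather than a hard-coded byte pattern, so the same search works unchanged if the key byte or the swap assumption is adjusted for another sample.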
For a downloadable list of\r\nIOCs, refer to AA21-148A.stix and MAR-10339794-1.v1.stix.\r\nURL: https[:]//r20.rs6.net/tn.jsp?f=\r\nHost IP: 208.75.122[.]11 (US)\r\nOwner: Constant Contact, Inc.\r\nActivity: legitimate Constant Contact link found in phishing email that redirects victims to actor-controlled\r\ninfrastructure at https[:]//usaid.theyardservice.com/d/\u003ctarget_email_address\u003e\r\n \r\nURL: https[:]//usaid.theyardservice.com/d/\u003ctarget_email_address\u003e\r\nHost IP: 83.171.237[.]173 (Germany)\r\nOwner: [redacted]\r\nFirst Seen: May 25, 2021\r\nActivity: actor-controlled URL that was redirected from https[:]//r20.rs6.net/tn.jsp?f=; the domain\r\nusaid[.]theyardservice.com was detected as a malware site; hosted a malicious ISO file\r\n \r\nFile: ICA-declass.iso [MD5: cbc1dc536cd6f4fb9648e229e5d23361]\r\nFile Type: Macintosh Disk Image\r\nDetection: Artemis!7EDF943ED251, Trojan:Win32/Cobaltstrike!MSR, or other malware\r\nActivity: ISO file container; contains a custom Cobalt Strike Beacon loader; communicated with multiple\r\nURLs, domains, and IP addresses\r\n \r\nFile: /d/ [MD5: ebe2f8df39b4a94fb408580a728d351f]\r\nFile Type: Macintosh Disk Image\r\nDetection: Cobalt, Artemis!7EDF943ED251, or other malware\r\nActivity: ISO file container; contains a custom Cobalt Strike Beacon loader; communicated with multiple\r\nURLs, domains, and IP addresses\r\n \r\nFile: ICA-declass.iso [MD5: 29e2ef8ef5c6ff95e98bff095e63dc05]\r\nFile Type: Macintosh Disk Image\r\nDetection: Cobalt Strike, Rozena, or other malware\r\nActivity: ISO file container; contains a custom Cobalt Strike Beacon loader; communicated with multiple\r\nURLs, domains, and IP addresses\r\n \r\nFile: Reports.lnk [MD5: dcfd60883c73c3d92fceb6ac910d5b80]\r\nFile Type: LNK (Windows shortcut)\r\nDetection: Worm:Win32-Script.Save.df8efe7a, Static AI - Suspicious LNK, or other 
malware\r\nActivity: shortcut contained in malicious ISO files; executes a custom Cobalt Strike Beacon loader\r\n \r\nFile: ICA-declass.pdf [MD5: b40b30329489d342b2aa5ef8309ad388]\r\nFile Type: PDF\r\nDetection: undetected\r\nActivity: benign, password-protected PDF displayed to victim as a decoy; currently unrecognized by\r\nantivirus software\r\n \r\nFile: DOCUMENT.DLL [MD5: 7edf943ed251fa480c5ca5abb2446c75]\r\nFile Type: Win32 DLL\r\nDetection: Trojan:Win32/Cobaltstrike!MSR, Rozena, or other malware\r\nActivity: custom Cobalt Strike Beacon loader contained in malicious ISO files; observed communicating with\r\nmultiple URLs, domains, and IP addresses according to antivirus software\r\n \r\nFile: DOCUMENT.DLL [MD5: 1c3b8ae594cb4ce24c2680b47cebf808]\r\nFile Type: Win32 DLL\r\nDetection: Cobalt Strike, Razy, Khalesi, or other malware\r\nActivity: custom Cobalt Strike Beacon loader contained in malicious ISO files; observed communicating with\r\nmultiple URLs, domains, and IP addresses according to antivirus software\r\n \r\nDomain: usaid[.]theyardservice.com\r\nHost IP: 83.171.237[.]173 (Germany)\r\nFirst Seen: May 25, 2021\r\nOwner: Withheld for Privacy Purposes\r\nActivity: subdomain used to distribute ISO file according to the trusted third party; detected as a malware\r\nsite by antivirus programs\r\n \r\nDomain: worldhomeoutlet[.]com\r\nHost IP: 192.99.221[.]77 (Canada)\r\nCreated Date: March 11, 2020\r\nOwner: Withheld for Privacy Purposes by Registrar\r\nActivity: Cobalt Strike C2 domain according to the trusted third party; categorized as suspicious and\r\nobserved communicating with multiple malicious files according to antivirus software; associated with\r\nCobalt Strike malware\r\n \r\nDomain: dataplane.theyardservice[.]com\r\nHost IP: 83.171.237[.]173 (Germany)\r\nFirst Seen: May 25, 2021\r\nOwner: [redacted]\r\nActivity: Cobalt Strike C2 subdomain according to the trusted third party; categorized as suspicious 
and\r\nobserved communicating with multiple malicious files according to antivirus software; observed in\r\nphishing, malware, and spam activity\r\n \r\nDomain: cdn.theyardservice[.]com\r\nHost IP: 83.171.237[.]173 (Germany)\r\nFirst Seen: May 25, 2021\r\nOwner: Withheld for Privacy Purposes by Registrar\r\nActivity: Cobalt Strike C2 subdomain according to the trusted third party; categorized as suspicious and\r\nobserved communicating with multiple malicious files according to antivirus software\r\n \r\nDomain: static.theyardservice[.]com\r\nHost IP: 83.171.237[.]173 (Germany)\r\nFirst Seen: May 25, 2021\r\nOwner: Withheld for Privacy Purposes\r\nActivity: Cobalt Strike C2 subdomain according to the trusted third party; categorized as suspicious and\r\nobserved communicating with multiple malicious files according to antivirus software\r\n \r\nIP: 192.99.221[.]77\r\nOrganization: OVH SAS\r\nResolutions: 7\r\nGeolocation: Canada\r\nActivity: detected as a malware site; hosts a suspicious domain worldhomeoutlet[.]com; observed in\r\nCobalt Strike activity\r\n \r\nIP: 83.171.237[.]173\r\nOrganization: Droptop GmbH\r\nResolutions: 15\r\nGeolocation: Germany\r\nActivity: categorized as malicious by antivirus software; hosted multiple suspicious domains and multiple\r\nmalicious files were observed downloaded from this IP address; observed in Cobalt Strike activity\r\n \r\nDomain: theyardservice[.]com\r\nHost IP: 83.171.237[.]173 (Germany)\r\nCreated Date: January 27, 2010\r\nOwner: Withheld for Privacy Purposes\r\nActivity: threat actor controlled domain according to the trusted third party; categorized as suspicious by\r\nantivirus software; observed in Cobalt Strike activity\r\nTable 1 provides a summary of the MITRE ATT\u0026CK techniques observed.\r\nTable 1: MITRE ATT\u0026CK techniques observed\r\nTechnique Title Technique ID\r\nProcess Injection: Dynamic-link Library Injection 
T1055.001\r\nIngress Tool Transfer T1105\r\nUser Execution: Malicious Link T1204.001\r\nPhishing: Spearphishing Link T1566.002\r\nMitigations\r\nCISA and FBI urge critical infrastructure (CI) owners and operators to apply the following mitigations.\r\nImplement multi-factor authentication (MFA) for every account. While privileged accounts and remote\r\naccess systems are critical, it is also important to ensure full coverage across SaaS solutions. Enabling\r\nMFA for corporate communications platforms (as with all other accounts) provides vital defense against\r\nthese types of attacks and, in many cases, can prevent them.\r\nKeep all software up to date. The most effective cybersecurity programs quickly update all of their\r\nsoftware as soon as patches are available. If your organization is unable to update all software shortly after\r\na patch is released, prioritize implementing patches for CVEs that are already known to be exploited.\r\nImplement endpoint detection and response (EDR) tools. EDR provides a high degree of visibility into the\r\nsecurity status of endpoints and can be an effective tool against threat actors.\r\nNote: Organizations using Microsoft Defender for Endpoint or Microsoft 365 Defender should refer to\r\nMicrosoft: Use attack surface reduction rules to prevent malware infection for more information on\r\nhardening the enterprise attack surface.\r\nImplement centralized log management for host monitoring. A centralized logging application allows\r\ntechnicians to look out for anomalous activity in the network environment, such as new applications\r\nrunning on hosts, out-of-place communication between devices, or unaccountable login failures on\r\nmachines. It also aids in troubleshooting applications or equipment in the event of a fault. 
CISA and the\r\nFBI recommend that organizations:\r\nForward logs from local hosts to a centralized log management server—often referred to as a\r\nsecurity information and event management (SIEM) tool.\r\nEnsure logs are searchable. The ability to search, analyze, and visualize communications will help\r\nanalysts diagnose issues and may lead to detection of anomalous activity.\r\nCorrelate logs from both network and host security devices. By reviewing logs from multiple\r\nsources, an organization can better triage an individual event and determine its impact to the\r\norganization as a whole.\r\nReview both centralized and local log management policies to maximize efficiency and retain\r\nhistorical data. Organizations should retain critical logs for a minimum of 30 days.\r\nDeploy signatures to detect and/or block inbound connections from Cobalt Strike servers and other post-exploitation tools.\r\nImplement unauthorized execution prevention by disabling macro scripts from Microsoft Office files\r\ntransmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via\r\nemail instead of full Microsoft Office suite applications.\r\nConfigure and maintain user and administrative accounts using a strong account management policy.\r\nUse administrative accounts on dedicated administration workstations.\r\nLimit access to and use of administrative accounts.\r\nUse strong passwords. For more information on strong passwords, refer to CISA Tip: Choosing and\r\nProtecting Passwords and National Institute of Standards and Technology (NIST) SP 800-63: Digital Identity\r\nGuidelines: Authentication and Lifecycle Management.\r\nRemove default accounts if unneeded. 
Change the password of default accounts that are needed.\r\nDisable all unused accounts.\r\nImplement a user training program and simulated attacks for spearphishing to discourage users from\r\nvisiting malicious websites or opening malicious attachments and reinforce the appropriate user responses\r\nto spearphishing emails.\r\nResources\r\nVolexity Blog: Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns |\r\nVolexity\r\nMicrosoft Blog: New sophisticated email-based attack from NOBELIUM - Microsoft Security\r\nMicrosoft Blog: Another Nobelium Cyberattack\r\nContact Information\r\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact\r\nyour local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855)\r\n292-3937 or by e-mail at CyWatch@fbi.gov. When available, please include the following information\r\nregarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of\r\nequipment used for the activity; the name of the submitting company or organization; and a designated point of\r\ncontact. To request incident response resources or technical assistance related to these threats, contact CISA at\r\ncentral@cisa.dhs.gov.\r\nThis document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when\r\ninformation carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures\r\nfor public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without\r\nrestriction. 
For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp/.\r\nReferences\r\n[1] Microsoft Blog: New Sophisticated Email-Based Attack from NOBELIUM\r\n[2] Ibid.\r\n[3] Volexity Blog: Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns\r\n[4] MITRE ATT\u0026CK: Cobalt Strike\r\nRevisions\r\nMay 28, 2021: Initial version\r\nMay 29, 2021: Added final sentence of first paragraph in Summary section\r\nSource: https://us-cert.cisa.gov/ncas/alerts/aa21-148a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/alerts/aa21-148a"
	],
	"report_names": [
		"aa21-148a"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434886,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2c39a0f9869f00fefed1f1177c92d592daefb1bb.pdf",
		"text": "https://archive.orkl.eu/2c39a0f9869f00fefed1f1177c92d592daefb1bb.txt",
		"img": "https://archive.orkl.eu/2c39a0f9869f00fefed1f1177c92d592daefb1bb.jpg"
	}
}