{
	"id": "4ce1cf05-b171-4b66-b7f8-e26e9e63af60",
	"created_at": "2026-04-06T00:21:00.496288Z",
	"updated_at": "2026-04-10T13:11:54.260854Z",
	"deleted_at": null,
	"sha1_hash": "2c859b479d88ce91c8ab247797bab045e8bb8718",
	"title": "Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 324326,
	"plain_text": "Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2021-07-15 · Archived: 2026-04-02 12:15:02 UTC\r\nThe Microsoft Threat Intelligence Center (MSTIC) alongside the Microsoft Security Response Center (MSRC)\r\nhas uncovered a private-sector offensive actor, or PSOA, that we are calling SOURGUM in possession of now-patched Windows 0-day exploits (CVE-2021-31979 and CVE-2021-33771).\r\nPrivate-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets’ computers, phones,\r\nnetwork infrastructure, and other devices. With these hacking packages, usually the government agencies choose\r\nthe targets and run the actual operations themselves. The tools, tactics, and procedures used by these companies\r\nonly add to the complexity, scale, and sophistication of attacks. We take these threats seriously and have moved\r\nswiftly alongside our partners to build in the latest protections for our customers.\r\nMSTIC believes SOURGUM is an Israel-based private-sector offensive actor. We would like to thank the Citizen\r\nLab, at the University of Toronto’s Munk School, for sharing the sample of malware that initiated this work and\r\ntheir collaboration during the investigation. In their blog, Citizen Lab asserts with high confidence that\r\nSOURGUM is an Israeli company commonly known as Candiru. Third-party reports indicate Candiru produces\r\n“hacking tools [that] are used to break into computers and servers”.\r\n
As we shared in the Microsoft on the Issues blog, Microsoft and Citizen Lab have worked together to disable the\r\nmalware being used by SOURGUM that targeted more than 100 victims around the world including politicians,\r\nhuman rights activists, journalists, academics, embassy workers, and political dissidents. To limit these attacks,\r\nMicrosoft has created and built protections into our products against this unique malware, which we are calling\r\nDevilsTongue. We have shared these protections with the security community so that we can collectively address\r\nand mitigate this threat. We have also issued a software update that will protect Windows customers from the\r\nassociated exploits that the actor used to help deliver its highly sophisticated malware.\r\nSOURGUM victimology\r\nMedia reports (1, 2, 3) indicate that PSOAs often sell Windows exploits and malware in hacking-as-a-service\r\npackages to government agencies. Agencies in Uzbekistan, the United Arab Emirates, and Saudi Arabia are among the\r\nlist of Candiru’s alleged previous customers. These agencies, then, likely choose whom to target and run the\r\ncyberoperations themselves.\r\nMicrosoft has identified over 100 victims of SOURGUM’s malware, and these victims are as geographically\r\ndiverse as would be expected when varied government agencies are believed to be selecting the targets.\r\nApproximately half of the victims were found in the Palestinian Authority, with most of the remaining victims located\r\nin Israel, Iran, Lebanon, Yemen, Spain (Catalonia), the United Kingdom, Turkey, Armenia, and Singapore. To be\r\nclear, the identification of victims of the malware in a country doesn’t necessarily mean that an agency in that\r\ncountry is a SOURGUM customer, as international targeting is common.\r\nhttps://www.microsoft.com/en-us/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/\r\nPage 1 of 9\r\n
Any Microsoft 365 Defender and Microsoft Defender for Endpoint alerts containing DevilsTongue detection names\r\nare signs of compromise by SOURGUM’s malware. We have included a comprehensive list of detection names\r\nbelow for customers to perform additional hunting in their environments.\r\nExploits\r\nSOURGUM appears to use a chain of browser and Windows exploits, including 0-days, to install malware on\r\nvictim boxes. Browser exploits appear to be served via single-use URLs sent to targets on messaging applications\r\nsuch as WhatsApp.\r\nDuring the investigation, Microsoft discovered two Windows 0-day exploits for vulnerabilities tracked as CVE-2021-31979 and CVE-2021-33771, both of which have been fixed in the July 2021 security updates. These\r\nvulnerabilities allow privilege escalation, giving an attacker the ability to escape browser sandboxes and gain\r\nkernel code execution. If customers have taken the July 2021 security update, they are protected from these\r\nexploits.\r\nCVE-2021-31979 fixes an integer overflow within the Windows NT-based operating system (NTOS). This overflow\r\nresults in an incorrect buffer size being calculated, which is then used to allocate a buffer in the kernel pool. A\r\nbuffer overflow subsequently occurs while copying memory to the smaller-than-expected destination buffer. This\r\nvulnerability can be leveraged to corrupt an object in an adjacent memory allocation. Using APIs from user mode,\r\nthe kernel pool memory layout can be groomed with controlled allocations, resulting in an object being placed in\r\nthe adjacent memory location. Once corrupted by the buffer overflow, this object can be turned into a user mode to\r\nkernel mode read/write primitive. With these primitives in place, an attacker can then elevate their privileges.\r\nCVE-2021-33771 addresses a race condition within NTOS resulting in the use-after-free of a kernel object. By\r\nusing multiple racing threads, the kernel object can be freed, and the freed memory reclaimed by a controllable\r\nobject. Like the previous vulnerability, the kernel pool memory can be sprayed with allocations using user mode\r\nAPIs with the hopes of landing an object allocation within the recently freed memory. If successful, the\r\ncontrollable object can be used to form a user mode to kernel mode read/write primitive and elevate privileges.\r\n
DevilsTongue malware overview\r\nDevilsTongue is a complex, modular, multi-threaded piece of malware written in C and C++ with several novel\r\ncapabilities. Analysis is still ongoing for some components and capabilities, but we’re sharing our present\r\nunderstanding of the malware so defenders can use this intelligence to protect networks and so other researchers\r\ncan build on our analysis.\r\nFor files on disk, PDB paths and PE timestamps are scrubbed, strings and configs are encrypted, and each file has\r\na unique hash. The main functionality resides in DLLs that are encrypted on disk and only decrypted in memory,\r\nmaking detection more difficult. Configuration and tasking data is separate from the malware, which makes\r\nanalysis harder. DevilsTongue has both user mode and kernel mode capabilities. There are several novel detection\r\nevasion mechanisms built in. All these features are evidence that SOURGUM developers are very professional,\r\nhave extensive experience writing Windows malware, and have a good understanding of operational security.\r\nWhen the malware is installed, a first-stage ‘hijack’ malware DLL is dropped in a subfolder of\r\nC:\\Windows\\system32\\IME\\; the folders and names of the hijack DLLs blend with legitimate names in the \\IME\\\r\ndirectories. Encrypted second-stage malware and config files are dropped into subfolders of\r\nC:\\Windows\\system32\\config\\ with a .dat file extension. A legitimate, signed third-party driver, physmem.sys, is\r\ndropped to the system32\\drivers folder. A file called WimBootConfigurations.ini is also dropped; this file has the\r\ncommand for following the COM hijack. Finally, the malware adds the hijack DLL to a COM class registry key,\r\noverwriting the legitimate COM DLL path that was there, achieving persistence via COM hijacking.\r\nFrom the COM hijacking, the DevilsTongue first-stage hijack DLL gets loaded into a svchost.exe process to run\r\nwith SYSTEM permissions. The COM hijacking technique means that the original DLL that was in the COM\r\nregistry key isn’t loaded. This can break system functionality and trigger an investigation that could lead to the\r\ndiscovery of the malware, but DevilsTongue uses an interesting technique to avoid this. In its DllMain function it\r\ncalls LoadLibrary on the original COM DLL so it is correctly loaded into the process. DevilsTongue then searches\r\nthe call stack to find the return address of LoadLibraryExW (i.e., the function currently loading the DevilsTongue\r\nDLL), which would usually return the base address of the DevilsTongue DLL.\r\n
Once the LoadLibraryExW return address has been found, DevilsTongue allocates a small buffer with shellcode\r\nthat puts the COM DLL’s base address (imecfmup.7FFE49060000 in Figure 1) into the rax register and then\r\njumps to the original return address of LoadLibraryExW (svchost.7FF78E903BFB in Figures 1 and 2). In Figure 1\r\nthe COM DLL is named imecfmup rather than a legitimate COM DLL name because some DevilsTongue samples\r\ncopied the COM DLL to another location and renamed it.\r\nFigure 1. DevilsTongue return address modification shellcode\r\nDevilsTongue then swaps the original LoadLibraryExW return address on the stack with the address of the\r\nshellcode so that when LoadLibraryExW returns it does so into the shellcode (Figures 2 and 3). The shellcode\r\nreplaces the DevilsTongue base address in rax with the COM DLL’s base address, making it look like\r\nLoadLibraryExW has returned the COM DLL’s address. The svchost.exe host process now uses the returned COM\r\nDLL base address as it usually would.\r\nFigure 2. Call stack before stack swap, LoadLibraryExW in kernelbase returning to svchost.exe\r\n(0x7FF78E903BFB)\r\nFigure 3. Call stack after stack swap, LoadLibraryExW in kernelbase returning to the shellcode address\r\n(0x156C51E0000 from Figure 1)\r\nThis technique ensures that the DevilsTongue DLL is loaded by the svchost.exe process, giving the malware\r\npersistence, but that the legitimate COM DLL is also loaded correctly so there’s no noticeable change in\r\nfunctionality on the victim’s systems.\r\nAfter this, the hijack DLL decrypts and loads a second-stage malware DLL from one of the encrypted .dat\r\nfiles. The second-stage malware decrypts another .dat file that contains multiple helper DLLs that it relies on for\r\nfunctionality.\r\nDevilsTongue has standard malware capabilities, including file collection, registry querying, running WMI\r\ncommands, and querying SQLite databases. It’s capable of stealing victim credentials from both LSASS and\r\nbrowsers, such as Chrome and Firefox. It also has dedicated functionality to decrypt and exfiltrate conversations\r\nfrom the Signal messaging app.\r\nIt can retrieve cookies from a variety of web browsers. These stolen cookies can later be used by the attacker to\r\nsign in as the victim to websites to enable further information gathering. Cookies can be collected from these\r\npaths (* is a wildcard to match any folders):\r\n
%LOCALAPPDATA%\\Chromium\\User Data\\*\\Cookies\r\n%LOCALAPPDATA%\\Google\\Chrome\\User Data\\*\\Cookies\r\n%LOCALAPPDATA%\\Microsoft\\Windows\\INetCookies\r\n%LOCALAPPDATA%\\Packages\\*\\AC\\*\\MicrosoftEdge\\Cookies\r\n%LOCALAPPDATA%\\UCBrowser\\User Data_i18n\\*\\Cookies.9\r\n%LOCALAPPDATA%\\Yandex\\YandexBrowser\\User Data\\*\\Cookies\r\n%APPDATA%\\Apple Computer\\Safari\\Cookies\\Cookies.binarycookies\r\n%APPDATA%\\Microsoft\\Windows\\Cookies\r\n%APPDATA%\\Mozilla\\Firefox\\Profiles\\*\\cookies.sqlite\r\n%APPDATA%\\Opera Software\\Opera Stable\\Cookies\r\nInterestingly, DevilsTongue seems able to use cookies directly from the victim’s computer on websites such as\r\nFacebook, Twitter, Gmail, Yahoo, Mail.ru, Odnoklassniki, and Vkontakte to collect information, read the victim’s\r\nmessages, and retrieve photos. DevilsTongue can also send messages as the victim on some of these websites,\r\nmaking it appear to any recipient that the victim sent them. The capability to send messages could be\r\nweaponized to send malicious links to more victims.\r\nAlongside DevilsTongue a third-party signed driver is dropped to C:\\Windows\\system32\\drivers\\physmem.sys. The\r\ndriver’s description is “Physical Memory Access Driver,” and it appears to offer a “by-design” kernel read/write\r\ncapability. This appears to be abused by DevilsTongue to proxy certain API calls via the kernel to hinder\r\ndetection, including the capability to have some of the calls appear from other processes. Functions capable of\r\nbeing proxied include CreateProcessW, VirtualAllocEx, VirtualProtectEx, WriteProcessMemory,\r\nReadProcessMemory, CreateFileW and RegSetKeyValueW.\r\n
Prevention and detection\r\nTo prevent compromise from browser exploits, it’s recommended to use an isolated environment, such as a virtual\r\nmachine, when opening links from untrusted parties. Using a modern version of Windows 10 with virtualization-based protections, such as Credential Guard, prevents DevilsTongue’s LSASS credential-stealing capabilities.\r\nEnabling the attack surface reduction rule “Block abuse of exploited vulnerable signed drivers” in Microsoft\r\nDefender for Endpoint blocks the driver that DevilsTongue uses. Network protection blocks known SOURGUM\r\ndomains.\r\nDetection opportunities\r\nThis section is intended to serve as a non-exhaustive guide to help customers and peers in the cybersecurity\r\nindustry to detect the DevilsTongue malware. We’re providing this guidance with the expectation that SOURGUM\r\nwill likely change the characteristics we identify for detection in their next iteration of the malware. Given the\r\nactor’s level of sophistication, however, we believe that outcome would likely occur irrespective of our public\r\nguidance.\r\nFile locations\r\nThe hijack DLLs are in subfolders of \\system32\\ime\\ with names starting with ‘im’. However, they are blended\r\nwith legitimate DLLs in those folders. To distinguish between the malicious and benign, the legitimate DLLs are\r\nsigned (on Windows 10) whereas the DevilsTongue files aren’t. Example paths:\r\nC:\\Windows\\System32\\IME\\IMEJP\\imjpueact.dll\r\nC:\\Windows\\system32\\ime\\IMETC\\IMTCPROT.DLL\r\nC:\\Windows\\system32\\ime\\SHARED\\imecpmeid.dll\r\nThe DevilsTongue configuration files, which are AES-encrypted, are in subfolders of\r\nC:\\Windows\\system32\\config\\ and have a .dat extension. The exact paths are victim-specific, although some folder\r\nnames are common across victims. As the files are AES-encrypted, any file whose size mod 16 is 0 can be\r\nconsidered a possible malware config file. The config files are always in new folders, not the legitimate existing\r\nfolders (e.g., on Windows 10, never in \\Journal, \\systemprofile, \\TxR etc.). Example paths:\r\nC:\\Windows\\system32\\config\\spp\\ServiceState\\Recovery\\pac.dat\r\nC:\\Windows\\system32\\config\\cy-GB\\Setup\\SKB\\InputMethod\\TupTask.dat\r\nC:\\Windows\\system32\\config\\config\\startwus.dat\r\nCommonly reused folder names in the config file paths:\r\nspp\r\nSKB\r\ncurv\r\nnetworklist\r\nLicenses\r\nInputMethod\r\nRecovery\r\nThe .ini file has the unique name WimBootConfigurations.ini and is in a subfolder of system32\\ime\\. Example\r\npaths:\r\nC:\\Windows\\system32\\ime\\SHARED\\WimBootConfigurations.ini\r\nC:\\Windows\\system32\\ime\\IMEJP\\WimBootConfigurations.ini\r\nC:\\Windows\\system32\\ime\\IMETC\\WimBootConfigurations.ini\r\nThe Physmem driver is dropped into system32:\r\nC:\\Windows\\system32\\drivers\\physmem.sys\r\n
Behaviors\r\nThe two COM keys that have been observed being hijacked for persistence are listed below with their default\r\nclean values. If their default value DLL is in the \\system32\\ime\\ folder, the DLL is likely DevilsTongue.\r\nHKLM\\SOFTWARE\\Classes\\CLSID\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\InprocServer32 =\r\n%systemroot%\\system32\\wbem\\wmiutils.dll (clean default value)\r\nHKLM\\SOFTWARE\\Classes\\CLSID\\{7C857801-7381-11CF-884D-00AA004B2E24}\\InProcServer32 =\r\n%systemroot%\\system32\\wbem\\wbemsvc.dll (clean default value)\r\nFile content and characteristics\r\nThis YARA rule can be used to find the DevilsTongue hijack DLL:\r\nimport \"pe\"\r\nrule DevilsTongue_HijackDll\r\n{\r\n    meta:\r\n        description = \"Detects SOURGUM's DevilsTongue hijack DLL\"\r\n        author = \"Microsoft Threat Intelligence Center (MSTIC)\"\r\n        date = \"2021-07-15\"\r\n    strings:\r\n        $str1 = \"windows.old\\\\windows\" wide\r\n        $str2 = \"NtQueryInformationThread\"\r\n        $str3 = \"dbgHelp.dll\" wide\r\n        $str4 = \"StackWalk64\"\r\n        $str5 = \"ConvertSidToStringSidW\"\r\n        $str6 = \"S-1-5-18\" wide\r\n        $str7 = \"SMNew.dll\" // DLL original name\r\n        // Call check in stack manipulation\r\n        // B8 FF 15 00 00    mov eax, 15FFh\r\n        // 66 39 41 FA       cmp [rcx-6], ax\r\n        // 74 06             jz short loc_1800042B9\r\n        // 80 79 FB E8       cmp byte ptr [rcx-5], 0E8h ; 'è'\r\n        $code1 = {B8 FF 15 00 00 66 39 41 FA 74 06 80 79 FB E8}\r\n        // PRNG to generate number of times to sleep 1s before exiting\r\n        // 44 8B C0          mov r8d, eax\r\n        // B8 B5 81 4E 1B    mov eax, 1B4E81B5h\r\n        // 41 F7 E8          imul r8d\r\n        // C1 FA 05          sar edx, 5\r\n        // 8B CA             mov ecx, edx\r\n        // C1 E9 1F          shr ecx, 1Fh\r\n        // 03 D1             add edx, ecx\r\n        // 69 CA 2C 01 00 00 imul ecx, edx, 12Ch\r\n        // 44 2B C1          sub r8d, ecx\r\n        // 45 85 C0          test r8d, r8d\r\n        // 7E 19             jle short loc_1800014D0\r\n        $code2 = {44 8B C0 B8 B5 81 4E 1B 41 F7 E8 C1 FA 05 8B CA C1 E9 1F 03 D1 69 CA 2C 01 00 00 44 2B C1 45 85 C0 7E 19}\r\n    condition:\r\n        filesize \u003c 800KB and\r\n        uint16(0) == 0x5A4D and\r\n        (pe.characteristics \u0026 pe.DLL) and\r\n        (\r\n            4 of them or\r\n            ($code1 and $code2) or\r\n            (pe.imphash() == \"9a964e810949704ff7b4a393d9adda60\")\r\n        )\r\n}\r\n
Microsoft Defender Antivirus detections\r\nMicrosoft Defender Antivirus detects DevilsTongue malware with the following detections:\r\nTrojan:Win32/DevilsTongue.A!dha\r\nTrojan:Win32/DevilsTongue.B!dha\r\nTrojan:Script/DevilsTongueIni.A!dha\r\nVirTool:Win32/DevilsTongueConfig.A!dha\r\nHackTool:Win32/DevilsTongueDriver.A!dha\r\nMicrosoft Defender for Endpoint alerts\r\nAlerts with the following titles in the security center can indicate DevilsTongue malware activity on your network:\r\nCOM Hijacking\r\nPossible theft of sensitive web browser information\r\nStolen SSO cookies\r\nAzure Sentinel query\r\nTo locate possible SOURGUM activity using Azure Sentinel, customers can find a Sentinel query containing these\r\nindicators in this GitHub repository.\r\nIndicators of compromise (IOCs)\r\nNo malware hashes are being shared because DevilsTongue files, except for the third-party driver below, all have\r\nunique hashes and are therefore not a useful indicator of compromise.\r\nPhysmem driver\r\nNote that this driver may be used legitimately, but if it’s seen at the path\r\nC:\\Windows\\system32\\drivers\\physmem.sys then it is a high-confidence indicator of DevilsTongue activity. The\r\nhashes below are provided for the one driver observed in use.\r\nMD5: a0e2223868b6133c5712ba5ed20c3e8a\r\nSHA-1: 17614fdee3b89272e99758983b99111cbb1b312c\r\nSHA-256: c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d\r\nDomains\r\nSource: https://www.microsoft.com/en-us/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/"
	],
	"report_names": [
		"protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "38f8da87-b4ba-474b-83e6-5b04d8fb384b",
			"created_at": "2024-02-02T02:00:04.032871Z",
			"updated_at": "2026-04-10T02:00:03.532955Z",
			"deleted_at": null,
			"main_name": "Caramel Tsunami",
			"aliases": [
				"SOURGUM",
				"Candiru"
			],
			"source_name": "MISPGALAXY:Caramel Tsunami",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434860,
	"ts_updated_at": 1775826714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2c859b479d88ce91c8ab247797bab045e8bb8718.pdf",
		"text": "https://archive.orkl.eu/2c859b479d88ce91c8ab247797bab045e8bb8718.txt",
		"img": "https://archive.orkl.eu/2c859b479d88ce91c8ab247797bab045e8bb8718.jpg"
	}
}