{
	"id": "f1886c4f-d335-42b2-8fda-8c02fa85dbef",
	"created_at": "2026-04-06T00:12:23.949717Z",
	"updated_at": "2026-04-10T03:36:50.334695Z",
	"deleted_at": null,
	"sha1_hash": "2cd442ab5fa8f8cf15bd0f4fdcb18917ca52c156",
	"title": "NetWire RC (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 174459,
	"plain_text": "NetWire RC (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 18:10:16 UTC\r\nNetWire RC\r\naka: NetWeird, NetWire, Recam\r\nActor(s): APT33\r\nVTCollection     URLhaus      \r\nNetwire is a RAT, its functionality seems focused on password stealing and keylogging, but includes remote\r\ncontrol capabilities as well.\r\nKeylog files are stored on the infected machine in an obfuscated form. The algorithm is:\r\nfor i in range(0,num_read):\r\nbuffer[i] = ((buffer[i]-0x24)^0x9D)\u00260xFF\r\nReferences\r\n2023-09-08 ⋅\r\nUncovering DDGroup — A long-time threat actor\r\nAsyncRAT Ave Maria BitRAT DBatLoader NetWire RC Quasar RAT XWorm\r\n2023-03-30 ⋅ loginsoft ⋅ Saharsh Agrawal\r\nFrom Innocence to Malice: The OneNote Malware Campaign Uncovered\r\nAgent Tesla AsyncRAT DOUBLEBACK Emotet Formbook IcedID NetWire RC QakBot Quasar RAT\r\nRedLine Stealer XWorm\r\n2023-03-10 ⋅ The Register ⋅ Jessica Lyons Hardcastle\r\nFBI and international cops catch a NetWire RAT\r\nNetWire RC\r\n2023-01-30 ⋅ Checkpoint ⋅ Arie Olshtein\r\nFollowing the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware\r\nAgent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer\r\n(PWS) Maze NetWire RC Remcos REvil TrickBot\r\n2023-01-05 ⋅ Symantec ⋅ Threat Hunter Team\r\nBluebottle: Campaign Hits Banks in French-speaking Countries in Africa\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.netwire\r\nPage 1 of 6\n\nCloudEyE Cobalt Strike MimiKatz NetWire RC POORTRY Quasar RAT BlueBottle\r\n2022-12-18 ⋅ ZAYOTEM ⋅ Enes Şakir Çolak\r\nNetWire Technical Analysis Report\r\nNetWire RC\r\n2022-11-06 ⋅ LMNTRIX ⋅ LMNTRIX\r\nAnalysis Of Netwire RAT\r\nNetWire RC\r\n2022-10-13 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q3 2022\r\nFluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password\r\nStealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot 
RecordBreaker RedLine Stealer Remcos Socelars\r\nTofsee Vjw0rm\r\n2022-06-02 ⋅ FortiGuard Labs ⋅ Fred Gutierrez, Gergely Revay, James Slaughter, Shunichi Imano\r\nThreat Actors Prey on Eager Travelers\r\nAsyncRAT NetWire RC Quasar RAT\r\n2022-02-18 ⋅ YouTube (John Hammond) ⋅ John Hammond\r\nUncovering NETWIRE Malware - Discovery \u0026 Deobfuscation\r\nNetWire RC\r\n2022-02-15 ⋅ BleepingComputer ⋅ Ionut Ilascu\r\nUnskilled hacker linked to years of attacks on aviation, transport sectors\r\nAsyncRAT Houdini NetWire RC Parallax RAT\r\n2022-02-15 ⋅ Threat Post ⋅ Elizabeth Montalbano\r\nTA2541: APT Has Been Shooting RATs at Aviation for Years\r\nAsyncRAT Houdini NetWire RC Parallax RAT\r\n2022-02-09 ⋅ SentinelOne ⋅ Juan Andrés Guerrero-Saade, Tom Hegel\r\nModified Elephant APT and a Decade of Fabricating Evidence\r\nDarkComet Incubator NetWire RC\r\n2022-02-09 ⋅ Sentinel LABS ⋅ Tom Hegel\r\nModifiedElephant APT and a Decade of Fabricating Evidence\r\nDarkComet Incubator NetWire RC ModifiedElephant\r\n2022-01-12 ⋅ Cisco ⋅ Chetan Raghuprasad, Vanja Svajcer\r\nNanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure\r\nAsyncRAT Nanocore RAT NetWire RC\r\n2021-12-13 ⋅ RiskIQ ⋅ Jordan Herman\r\nRiskIQ: Connections between Nanocore, Netwire, and AsyncRAT and Vjw0rm dynamic DNS C2\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.netwire\r\nPage 2 of 6\n\ninfrastructure\r\nAsyncRAT Nanocore RAT NetWire RC Vjw0rm\r\n2021-10-01 ⋅ HP ⋅ HP Wolf Security\r\nThreat Insights Report Q3 - 2021\r\nSTRRAT CloudEyE NetWire RC Remcos TrickBot Vjw0rm\r\n2021-09-23 ⋅ Talos ⋅ Asheer Malhotra, Justin Thattil, Vanja Svajcer\r\nOperation “Armor Piercer:” Targeted attacks in the Indian subcontinent using commercial RATs\r\nAve Maria NetWire RC\r\n2021-09-16 ⋅ Blackberry ⋅ The BlackBerry Research \u0026 Intelligence Team\r\nThreat Thursday: NetWire RAT is Coming Down the Line\r\nNetWire RC\r\n2021-09-01 ⋅ ⋅ 360 Threat Intelligence Center ⋅ Advanced Threat 
Institute\r\nAPT-C-56 (Transparent Tribe) Latest Attack Analysis and Associated Suspected Gorgon Group Attack\r\nAnalysis Alert\r\nCrimson RAT NetWire RC\r\n2021-08-05 ⋅ ⋅ Twitter (@BaoshengbinCumt) ⋅ 2ero\r\nAttacks on NCGSA, MOITT, MOD, NSCP and SCO in Pakistan\r\nNetWire RC\r\n2021-07-12 ⋅ Cipher Tech Solutions ⋅ Claire Zaboeva, Dan Dash, Melissa Frydrych\r\nRoboSki and Global Recovery: Automation to Combat Evolving Obfuscation\r\n404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki\r\nPassword Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos\r\n2021-07-12 ⋅ IBM ⋅ Claire Zaboeva, Dan Dash, Melissa Frydrych\r\nRoboSki and Global Recovery: Automation to Combat Evolving Obfuscation\r\n404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki\r\nPassword Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos\r\n2021-06-10 ⋅ ZAYOTEM ⋅ Fatma Helin Çakmak, Fatma Nur Gözüküçük, Hakan Soysal, Halil Filik, Yasin Mersin\r\nNetWire Technical Analysis Report\r\nNetWire RC\r\n2021-05-07 ⋅ Morphisec ⋅ Nadav Lorber\r\nRevealing the ‘Snip3’ Crypter, a Highly Evasive RAT Loader\r\nAgent Tesla AsyncRAT NetWire RC Revenge RAT\r\n2021-05-05 ⋅ Zscaler ⋅ Aniruddha Dolas, Manohar Ghule, Mohd Sadique\r\nCatching RATs Over Custom Protocols Analysis of top non-HTTP/S threats\r\nAgent Tesla AsyncRAT Crimson RAT CyberGate Ghost RAT Nanocore RAT NetWire RC NjRAT Quasar\r\nRAT Remcos\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.netwire\r\nPage 3 of 6\n\n2021-04-21 ⋅ Talos ⋅ Vanja Svajcer\r\nA year of Fajan evolution and Bloomberg themed campaigns\r\nMASS Logger Nanocore RAT NetWire RC Revenge RAT XpertRAT\r\n2021-04-14 ⋅ Zscaler ⋅ Atinderpal Singh, Rohit Chaturvedi, Tarun Dewan\r\nA look at HydroJiin campaign\r\nNetWire RC Quasar RAT\r\n2021-03-18 ⋅ Cybereason ⋅ Daniel Frank\r\nCybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos 
Malware\r\nNetWire RC Remcos\r\n2021-02-08 ⋅ Arsenal Consulting ⋅ Arsenal Consulting\r\nNational Investigation Agency VS Sudhir Pralhad Dhawale \u0026 others Report 1\r\nNetWire RC\r\n2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli\r\nCommand and Control Traffic Patterns\r\nostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID\r\nISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot\r\n2020-11-18 ⋅ G Data ⋅ G-Data\r\nBusiness as usual: Criminal Activities in Times of a Global Pandemic\r\nAgent Tesla Nanocore RAT NetWire RC Remcos\r\n2020-09-22 ⋅ vmware ⋅ Omar Elgebaly, Takahiro Haruyama\r\nDetecting Threats in Real-time With Active C2 Information\r\nAgent.BTZ Cobalt Strike Dacls NetWire RC PoshC2 Winnti\r\n2020-07-30 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q2 2020\r\nAdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT\r\nStealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer\r\nRemcos Zloader\r\n2020-07-14 ⋅ SophosLabs Uncut ⋅ Markel Picado, Sean Gallagher\r\nRATicate upgrades “RATs as a Service” attacks with commercial “crypter”\r\nLokiBot BetaBot CloudEyE NetWire RC\r\n2020-06-15 ⋅ Amnesty International ⋅ Amnesty International\r\nIndia: Human Rights Defenders Targeted by a Coordinated Spyware Operation\r\nNetWire RC\r\n2020-05-21 ⋅ Malwarebytes ⋅ Malwarebytes Labs\r\nCybercrime tactics and techniques\r\nAve Maria Azorult DanaBot Loki Password Stealer (PWS) NetWire RC\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.netwire\r\nPage 4 of 6\n\n2020-05-14 ⋅ SophosLabs ⋅ Markel Picado\r\nRATicate: an attacker’s waves of information-stealing malware\r\nAgent Tesla BetaBot BlackRemote Formbook Loki Password Stealer (PWS) NetWire RC NjRAT Remcos\r\n2020-05-06 ⋅ Yoroi ⋅ Davide Testa, Luca Mella, Luigi Martire\r\nNew Cyber Operation Targets Italy: Digging Into the Netwire Attack Chain\r\nNetWire RC\r\n2020-04-03 
⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan\r\nGuLoader: Malspam Campaign Installing NetWire RAT\r\nCloudEyE NetWire RC\r\n2020-04-01 ⋅ Cisco ⋅ Andrea Kaiser, Shyam Sundar Ramaswami\r\nNavigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors\r\nAzorult CloudEyE Formbook KPOT Stealer Metamorfo Nanocore RAT NetWire RC TrickBot\r\n2020-03-05 ⋅ ⋅ VinCSS ⋅ Dang Dinh Phuong\r\n[RE011] Unpack crypter của malware Netwire bằng x64dbg\r\nNetWire RC\r\n2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nCOBALT TRINITY\r\nPOWERTON pupy Imminent Monitor RAT Koadic Nanocore RAT NetWire RC PoshC2 APT33\r\n2019-11-20 ⋅ vmware ⋅ Takahiro Haruyama\r\nActive C2 Discovery Using Protocol Emulation Part1 (HYDSEVEN NetWire)\r\nNetWire RC\r\n2019-11-19 ⋅ FireEye ⋅ Kelli Vanderlee, Nalani Fraser\r\nAchievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions\r\nMESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost\r\nRAT HIGHNOON HTran MimiKatz NetWire RC POISONPLUG Poison Ivy pupy Quasar RAT ZXShell\r\n2019-09-26 ⋅ Proofpoint ⋅ Bryan Campbell, Jeremy Hedges, Proofpoint Threat Insight Team\r\nNew WhiteShadow downloader uses Microsoft SQL to retrieve malware\r\nWhiteShadow Agent Tesla Azorult Crimson RAT Formbook Nanocore RAT NetWire RC NjRAT Remcos\r\n2019-09-12 ⋅ Avast ⋅ Adolf Středa, Luigino Camastra\r\nThe tangle of WiryJMPer’s obfuscation\r\nNetWire RC\r\n2019-05-08 ⋅ Dr.Web ⋅ Dr.Web\r\nA new threat for macOS spreads as WhatsApp\r\nNetWire RC\r\n2019-03-27 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team\r\nElfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.netwire\r\nPage 5 of 6\n\nDarkComet MimiKatz Nanocore RAT NetWire RC pupy Quasar RAT Remcos StoneDrill TURNEDUP\r\nAPT33\r\n2019-01-30 ⋅ Samip Pokharel\r\nAnalysis of NetWiredRC trojan\r\nNetWire RC\r\n2017-12-06 ⋅ Cisco ⋅ Christopher Marczewski, Holger 
Unterbrink\r\nRecam Redux - DeConfusing ConfuserEx\r\nNetWire RC\r\n2017-09-20 ⋅ FireEye ⋅ Jacqueline O’Leary, Josiah Kimble, Kelli Vanderlee, Nalani Fraser\r\nInsights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to\r\nDestructive Malware\r\nDROPSHOT Nanocore RAT NetWire RC SHAPESHIFT TURNEDUP APT33\r\n2016-11-28 ⋅ Secureworks ⋅ Incident Response Team\r\nNetWire RAT Steals Payment Card Data\r\nNetWire RC\r\n2014-11-26 ⋅ CIRCL ⋅ CIRCL\r\nTR-23 Analysis - NetWiredRC malware\r\nNetWire RC\r\n2014-08-04 ⋅ Palo Alto Networks Unit 42 ⋅ Phil Da Silva, Rob Downs, Ryan Olson\r\nNew Release: Decrypting NetWire C2 Traffic\r\nNetWire RC\r\nYara Rules\r\n[TLP:WHITE] win_netwire_auto (20251219 | Detects win.netwire.)\r\n[TLP:WHITE] win_netwire_w0   (20170517 | NetWiredRC)\r\n[TLP:WHITE] win_netwire_w1   (20170517 | No description)\r\nDownload all Yara Rules\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.netwire\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire"
	],
	"report_names": [
		"win.netwire"
	],
	"threat_actors": [
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "99468ac6-ccfd-4cd8-b726-791600e61431",
			"created_at": "2023-11-01T02:01:06.647272Z",
			"updated_at": "2026-04-10T02:00:05.313262Z",
			"deleted_at": null,
			"main_name": "TA2541",
			"aliases": [
				"TA2541"
			],
			"source_name": "MITRE:TA2541",
			"tools": [
				"Snip3",
				"Revenge RAT",
				"jRAT",
				"WarzoneRAT",
				"Imminent Monitor",
				"AsyncRAT",
				"NETWIRE",
				"Agent Tesla",
				"njRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "97dc332f-2241-4755-ae33-54e5eff3990a",
			"created_at": "2023-01-06T13:46:39.307201Z",
			"updated_at": "2026-04-10T02:00:03.282272Z",
			"deleted_at": null,
			"main_name": "TA2541",
			"aliases": [],
			"source_name": "MISPGALAXY:TA2541",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0d07b30c-4393-4071-82fb-22f51f7749e0",
			"created_at": "2022-10-25T16:07:24.097096Z",
			"updated_at": "2026-04-10T02:00:04.865146Z",
			"deleted_at": null,
			"main_name": "RATicate",
			"aliases": [],
			"source_name": "ETDA:RATicate",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"BetaBot",
				"BlackRAT",
				"BlackRemote",
				"Bladabindi",
				"CloudEyE",
				"ForeIT",
				"Formbook",
				"GuLoader",
				"Jorik",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NSIS",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Neurevt",
				"Nullsoft Scriptable Install System",
				"Origin Logger",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"ZPAQ",
				"njRAT",
				"vbdropper",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "18278778-fa63-4a9a-8988-4d266b8c5c1a",
			"created_at": "2023-01-06T13:46:38.769816Z",
			"updated_at": "2026-04-10T02:00:03.094179Z",
			"deleted_at": null,
			"main_name": "The Gorgon Group",
			"aliases": [
				"Gorgon Group",
				"Subaat",
				"ATK92",
				"G0078",
				"Pasty Gemini"
			],
			"source_name": "MISPGALAXY:The Gorgon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "97fdaf9f-cae1-4ccc-abe2-76e5cbc0febd",
			"created_at": "2022-10-25T15:50:23.296989Z",
			"updated_at": "2026-04-10T02:00:05.347085Z",
			"deleted_at": null,
			"main_name": "Gorgon Group",
			"aliases": [
				"Gorgon Group"
			],
			"source_name": "MITRE:Gorgon Group",
			"tools": [
				"NanoCore",
				"QuasarRAT",
				"Remcos",
				"njRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "59a48c28-d918-419f-b8b8-44be0c9741c8",
			"created_at": "2023-11-08T02:00:07.172993Z",
			"updated_at": "2026-04-10T02:00:03.434175Z",
			"deleted_at": null,
			"main_name": "BlueBottle",
			"aliases": [],
			"source_name": "MISPGALAXY:BlueBottle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b01b0683-5c7c-4070-ba0c-4fdede370995",
			"created_at": "2022-10-25T16:07:23.925692Z",
			"updated_at": "2026-04-10T02:00:04.79318Z",
			"deleted_at": null,
			"main_name": "Operation Armor Piercer",
			"aliases": [],
			"source_name": "ETDA:Operation Armor Piercer",
			"tools": [
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Recam",
				"Warzone",
				"Warzone RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67e56ffa-aad6-4a0d-89fe-ac443dfb2f1b",
			"created_at": "2023-01-06T13:46:39.364262Z",
			"updated_at": "2026-04-10T02:00:03.302769Z",
			"deleted_at": null,
			"main_name": "ModifiedElephant",
			"aliases": [],
			"source_name": "MISPGALAXY:ModifiedElephant",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b938e2e3-3d1b-4b35-a031-ddf25b912557",
			"created_at": "2022-10-25T16:07:23.35582Z",
			"updated_at": "2026-04-10T02:00:04.55531Z",
			"deleted_at": null,
			"main_name": "APT 33",
			"aliases": [
				"APT 33",
				"ATK 35",
				"Cobalt Trinity",
				"Curious Serpens",
				"Elfin",
				"G0064",
				"Holmium",
				"Magnallium",
				"Peach Sandstorm",
				"Refined Kitten",
				"TA451",
				"Yellow Orc"
			],
			"source_name": "ETDA:APT 33",
			"tools": [
				"Atros2.CKPN",
				"AutoIt backdoor",
				"Breut",
				"CinaRAT",
				"DROPSHOT",
				"DarkComet",
				"DarkKomet",
				"DistTrack",
				"EmPyre",
				"EmpireProject",
				"FYNLOS",
				"FalseFont",
				"Filerase",
				"Fynloski",
				"JuicyPotato",
				"Krademok",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Mimikatz",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Notestuk",
				"POWERTON",
				"PoshC2",
				"PowerBand",
				"PowerShell Empire",
				"PowerSploit",
				"PsList",
				"Pupy",
				"PupyRAT",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"SHAPESHIFT",
				"Shamoon",
				"Socmer",
				"StoneDrill",
				"TURNEDUP",
				"Tickler",
				"Yggdrasil",
				"Zurten",
				"klovbot",
				"pupy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "878ce40c-9fbc-4cff-a5c4-771086979fa7",
			"created_at": "2022-10-25T16:07:24.264056Z",
			"updated_at": "2026-04-10T02:00:04.915395Z",
			"deleted_at": null,
			"main_name": "TA2541",
			"aliases": [],
			"source_name": "ETDA:TA2541",
			"tools": [
				"AVE_MARIA",
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"AsyncRAT",
				"Ave Maria",
				"AveMariaRAT",
				"DarkRAT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Imminent Monitor",
				"Imminent Monitor RAT",
				"Iniduoh",
				"Jenxcus",
				"Kognito",
				"Luminosity RAT",
				"LuminosityLink",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Njw0rm",
				"Origin Logger",
				"Parallax",
				"Parallax RAT",
				"ParallaxRAT",
				"Recam",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"WSHRAT",
				"ZPAQ",
				"avemaria",
				"dinihou",
				"dunihi"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4e4b91-1f98-49e2-90e6-435cea8d3d53",
			"created_at": "2022-10-25T16:07:23.693797Z",
			"updated_at": "2026-04-10T02:00:04.711987Z",
			"deleted_at": null,
			"main_name": "Gorgon Group",
			"aliases": [
				"ATK 92",
				"G0078",
				"Pasty Draco",
				"Subaat",
				"TAG-CR5"
			],
			"source_name": "ETDA:Gorgon Group",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Atros2.CKPN",
				"Bladabindi",
				"CinaRAT",
				"Crimson RAT",
				"ForeIT",
				"Jorik",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"MSIL",
				"MSIL/Crimson",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Origin Logger",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"SEEDOOR",
				"Scarimson",
				"Socmer",
				"Yggdrasil",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434343,
	"ts_updated_at": 1775792210,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2cd442ab5fa8f8cf15bd0f4fdcb18917ca52c156.pdf",
		"text": "https://archive.orkl.eu/2cd442ab5fa8f8cf15bd0f4fdcb18917ca52c156.txt",
		"img": "https://archive.orkl.eu/2cd442ab5fa8f8cf15bd0f4fdcb18917ca52c156.jpg"
	}
}