{ "id": "4ffeff45-3d42-48d3-b0b3-b115f34435d0", "created_at": "2026-04-06T00:22:12.445357Z", "updated_at": "2026-04-10T13:13:09.875354Z", "deleted_at": null, "sha1_hash": "2d748de8f242cb2d232362b7880100c6cfa1802b", "title": "Tracing a Paper Werewolf campaign through AI-generated decoys and Excel XLLs", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2310054, "plain_text": "Tracing a Paper Werewolf campaign through AI-generated decoys and\r\nExcel XLLs\r\nBy Nicole Fishbein\r\nPublished: 2025-12-19 · Archived: 2026-04-05 19:54:05 UTC\r\nAn XLL is a native Windows DLL that Excel loads as an add-in, allowing it to execute arbitrary code through exported\r\nfunctions like xlAutoOpen. Since at least mid-2017, threat actors began abusing Microsoft Excel add-ins via the .XLL\r\nformat, the earliest documented misuse is by the threat group APT10 (aka Stone Panda / Potassium) injecting backdoor\r\npayloads via XLLs. \r\nSince 2021, a growing number of commodity malware families and cyber-crime actors have added XLL-based delivery to\r\ntheir arsenals. Notable examples include Agent Tesla and Dridex, researchers observed an increase of these malware being\r\ndropped via malicious XLL add-ins.\r\nAttackers typically embed their malicious code in the standard add-in export functions, such as xlAutoOpen. When a user\r\nenables the add-in in Excel, the malicious payload executes automatically, dropping or downloading a malicious payload.\r\nSome malware families use legitimate frameworks to create XLL (Excel Add-in) files. One common example is Excel-DNA, a popular open-source framework.\r\nThese frameworks make it easier for attackers to build and load malicious XLLs. In some cases, they also allow threat actors\r\nto pack and execute additional payloads directly in memory.\r\nIn late October 2025, a 64-bit DLL compiled as an XLL add-in was submitted to VirusTotal from two different countries.\r\nThe first submission came from Ukraine on October 26, followed by three separate submissions from Russia beginning on\r\nOctober 27. The Russian-submitted samples were named Плановые цели противника.xll (“enemy’s planned targets”) and\r\nПлановые цели противника НЕ ЗАПУСКАТЬ.xll, which depending on context can mean either “Do NOT release the\r\nenemy’s planned targets” or “Do NOT activate the enemy’s scheduled targets.”\r\nThis DLL contains an embedded second-stage payload, a backdoor we named EchoGather. Once launched, the backdoor\r\ncollects system information, communicates with a hardcoded command-and-control (C2) server, and supports command\r\nexecution and file transfer operations. While it uses the XLL format for delivery, its execution chain and payload behavior\r\ndiffer from previously documented threats abusing Excel add-ins. Through pivoting on infrastructure and TTPs we were\r\nable to link this campaign to Paper Werewolf (aka GOFFEE), a group that has been targeting Russian organizations.\r\nExplore how Intezer Forensic AI SOC eliminates alert noise so you can focus on real threats.\r\nTechnical analysis\r\nLet’s dive in deeper.\r\nWhat is an XLL?\r\nAn XLL is an Excel add-in implemented as a DLL that Excel loads directly, usually with the .xll extension. Microsoft\r\nexplicitly describes XLL files as a DLL-style add-in that extends Excel with custom functions. \r\nWhen a user double clicks the file with the .xll extension, Excel is launched, loads the DLL and calls its exported functions\r\nsuch as xlAutoOpen, initialization code, or xlAutoClose, when unloading. Often malicious XLLs embed their payload inside\r\nxlAutoOpen or through a secondary loader, so that code runs immediately once Excel imports the DLL.\r\nExcel XLL add-ins and macros differ mainly in how they execute and the level of control they provide an attacker. Macros,\r\nVBA or legacy XLM, run as scripts inside Excel’s macro engine and are constrained by Microsoft’s security model, which\r\nnow includes blocking macros from the internet, signature requirements, and multiple user-facing warnings. XLLs, on the\r\nother hand, are compiled DLLs that Excel loads directly into its own process using LoadLibrary(), giving them the full\r\npower of native code without going through macro security checks. While macros rely on interpreted scripting and COM\r\ninteractions, XLLs can call any Windows API, inject into other processes, or act as full-featured malware loaders. This\r\nmakes XLLs far more capable and harder to analyze, and it may explain why some threat actors chose XLL-based delivery\r\nmethods rather than macro-based.\r\nLoader behavior\r\nThe DLL exports two functions, xlAutoOpen and xlAutoClose, both of which return zero. This behavior differs from that\r\nof legitimate XLL add-ins as well as from previously documented threats abusing the XLL format, such as those described\r\nin the most recent CERT-UA publication. In this case, the malicious logic is not tied to the typical export functions but\r\ninstead is triggered through dllmain. The main function of the loader is called when fdwReason \u003e 2 meaning that\r\nhttps://intezer.com/blog/tracing-a-paper-werewolf-campaign-through-ai-generated-decoys-and-excel-xlls/\r\nPage 1 of 8\n\ndllmain_dispatch was called with DLL_THREAD_DETACH (=3). Essentially the main function will be called when any\r\nthread in Excel that previously called into the XLL (even Excel’s own threads) exits.\r\nTriggering the malicious payload during DLL_THREAD_DETACH helps the malware evade detection by delaying\r\nexecution until a thread exits. This bypasses typical behavior-based detection, which focuses on early-stage activity like\r\nPROCESS_ATTACH, making the execution appear benign at first and allowing the second-stage payload to activate\r\ncovertly after the sandbox times out or AV heuristics complete.\r\nSHA-256: 0506a6fcee0d4bf731f1825484582180978995a8f9b84fc59b6e631f720915da\r\nA call to the function that loads and executes the backdoor.\r\nThe embedded file is dropped as mswp.exe in %APPDATA%\\Microsoft\\Windows, then executed as a hidden process using\r\nCreateProcessW with CREATE_NO_WINDOW. Standard Output and Error is captured and redirected via anonymous\r\npipes. If process creation succeeds, the function returns true otherwise, it cleans up and returns false.\r\nThe backdoor: EchoGather\r\nWe refer to this backdoor as EchoGather due to its focus on system reconnaissance and repeated beaconing behavior. \r\nSHA-256: 74fab6adc77307ef9767e710d97c885352763e68518b2109d860bb45e9d0a8eb\r\nThe dropped payload is a 64-bit backdoor with hardcoded configuration and C2 address. It collects system information and\r\ncommunicates with the C2 over HTTP(S) using the WinHTTP API.\r\nhttps://intezer.com/blog/tracing-a-paper-werewolf-campaign-through-ai-generated-decoys-and-excel-xlls/\r\nPage 2 of 8\n\nMain function of EchoGather.\r\nThe data collected by EchoGather consists of:\r\nIPv4 addresses\r\nOS type (“Windows”)\r\nArchitecture\r\nNetBIOS name\r\nUsername\r\nWorkstation domain\r\nProcess ID\r\nExecutable path\r\nStatic version string: 1.1.1.1\r\nNext, EchoGather encodes that data using Base64 and sends it to the C2 using POST method. The C2 address is constructed\r\nfrom hardcoded strings. In the analyzed sample the C2 address was: https://fast-eda[.]my:443/dostavka/lavka/kategorii/zakuski/sushi/sety/skidki/regiony/msk/birylievo\r\nThis transmission occurs in an infinite loop with randomized sleep intervals between 300–360 seconds.\r\nIn all of its C2 communications, EchoGather uses the WinHTTP API. It supports various proxy configurations and is\r\ndesigned to ignore SSL/TLS certificate validation errors, allowing it to operate in environments with custom or\r\nmisconfigured proxy and certificate settings.\r\nSupported commands \r\nEchoGather supports four commands. \r\nAll outgoing communication with the C2 is encoded using standard Base64. When a command is received from the C2 the\r\nfirst 36 bytes contain the request ID, it’s a unique identifier that is being used when the backdoor needs to send the\r\ninformation is several packages. \r\n0x54 Remote Command Execution\r\nEchoGather first extracts the request ID, followed by the command that needs to be executed. It then decrypts the string\r\ncmd.exe /C %s using a hardcoded XOR key (0xCA), which serves as a template for command execution. Using this\r\ntemplate, it executes the specified command via cmd.exe. The output of the command is captured through a pipe and sent\r\nback to the C2 server, with the request ID prepended to the response.\r\n0x45 Return Configuration\r\nSends the embedded configuration structure to the C2.\r\n0x56 File Exfiltration\r\nThe backdoor begins by extracting a request ID and the name of the file to be exfiltrated. It opens the specified file,\r\ndetermines its total size, and calculates how many 512 KB chunks are required for transmission. A transfer header\r\ncontaining metadata about the chunk count and size is then sent to the C2 server. In response, the backdoor receives the\r\nrequest ID used to identify the session. The file is read and transmitted in chunks, with each chunk containing the request\r\nID, chunk index, file tag, data length, and raw file data. \r\nhttps://intezer.com/blog/tracing-a-paper-werewolf-campaign-through-ai-generated-decoys-and-excel-xlls/\r\nPage 3 of 8\n\n0x57 Remote File Write\r\nEchoGather receives a filename from the C2 and writes the incoming data chunks to the system, reconstructing the file as\r\nthe chunks arrive.\r\nInfrastructure analysis\r\nDuring our research we found two domains that were used by the threat actors.\r\nIP Resolutions for fast-eda.my\r\nThe domain was registered on September 12, 2025.\r\nThe very first resolution was between September 12th and 14th, the domain was resolved to 199.59.243[.]228.\r\nAfter that and until November 26th all of the resolutions were on Cloudflare instances. \r\nFrom September 18th to November 24th the domain was resolved to 172.64.80[.]1\r\nOn November 27th it was resolved to 94.103.3[.]82 the address is connected to Russia based on geolocation.\r\nWhen we looked up the related files to this domain on VirusTotal, we found 7 files.\r\nTwo of them are powershell scripts that load the backdoor: mswt.ps1 and the second one wasn’t submitted with a name.\r\nThe two scripts are identical, including their execution flow. Both first decode two Base64-encoded files: a PDF document\r\nand the EchoGather payload. The PDF is opened, while the payload is executed in the background. The document appears to\r\nbe an invitation, written in Russian, to a concert for high-ranking officers. However, the PDF is AI-generated and contains\r\nseveral noticeable inconsistencies. For instance, the stamp in the lower right corner appears to be an AI-generated attempt at\r\nrecreating Russia’s national emblem, the double-headed eagle, but the result resembles a distorted or bird-like figure rather\r\nthan the intended symbol. The text also includes several errors. Some Cyrillic letters are incorrect, for example, the letter Д\r\nis used in place of Л in multiple instances, and the word праздиика is a misspelled version of праздника. Additionally, the\r\nphrase «с глубоким уважением приглашает» (translated as “with deep respect invites (you)”) is unnatural and not\r\nidiomatic in the context of formal Russian invitations.\r\nhttps://intezer.com/blog/tracing-a-paper-werewolf-campaign-through-ai-generated-decoys-and-excel-xlls/\r\nPage 4 of 8\n\nDecoy document, and invite to a concert.\r\nIP Resolutions for ruzede.com\r\nFirst seen on 2025-05-21, resolved to 162.255.119[.]43 and later to 5.45.85[.]43 until October 2nd.\r\nOn October 2nd it was resolved to IP addresses in Cloudflare.\r\nFrom October 4th to November 26th the domain was resolved to the same address seen in the previous domain:\r\n172.64.80[.]1\r\nOn November 26th it was resolved to 193.233.18[.]137 in Russia based on geolocation.\r\nThe ip address is linked to different malicious domains. \r\nUsing VirusTotal, we pivoted on the domain ruzede[.]com, and we identified a RAR archive that exploits a known\r\nvulnerability, CVE-2025-8088, a vulnerability in WinRAR that involves the abuse of NTFS alternate data streams (ADSes)\r\nin combination with path traversal. This flaw allows attackers to embed malicious content within seemingly harmless\r\nfilenames by appending ADSes that include relative path traversal sequences. \r\nThe archive contains a file named Вх.письмо_Мипромторг.lnk:.._.._.._.._.._Roaming_Microsoft_Windows_run.bat \r\nWhen the archive is opened, WinRAR fails to properly sanitize these ADS paths and extracts the hidden data streams,\r\nplacing them in unintended or sensitive locations such as %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup. \r\nhttps://intezer.com/blog/tracing-a-paper-werewolf-campaign-through-ai-generated-decoys-and-excel-xlls/\r\nPage 5 of 8\n\nConnected file to the domain ruzede[.]com\r\nThe phrase “письмо Мипромторг” is misspelled; the correct form is “письмо Минпромторга.” This term refers to an\r\nofficial letter or communication issued by the Ministry of Industry and Trade of the Russian Federation (Минпромторг\r\nРоссии). The same misspelling error is in the archive file name: Вх.письмо_Мипромторг.rar.\r\nEssentially the file in the archive is a batch script that launches a hidden PowerShell process. This process navigates to a\r\nuser-specific AppData directory, then downloads a PowerShell script named docc1.ps1 from a remote URL (https://2k-linep[.]com/upload/docc1.ps1) and saves it to the current working directory. The script is then executed via a new\r\nPowerShell instance with execution policy restrictions bypassed.\r\nThe downloaded script (docc1.ps1) extracts both a PDF file and an EchoGather payload, using a technique similar to the one\r\ndescribed previously. However, in this instance, the embedded PDF differs from earlier samples. This document is allegedly\r\nsent from the deputy of the Ministry of Industry and Trade of the Russian Federation, asking for price justification\r\ndocumentation under the state defense order, focusing on violations of deadlines and reporting on pricing approval\r\nprocesses.\r\nThe companies listed with their emails on the top right side of the first page (Almaz-Antey, Shvabe, and the United\r\nInstrument-Making Corporation) are major Russian defense-industry and high-technology enterprises, and they might be the\r\nintended recipients of this decoy document.\r\nPage 1\r\nhttps://intezer.com/blog/tracing-a-paper-werewolf-campaign-through-ai-generated-decoys-and-excel-xlls/\r\nPage 6 of 8\n\nPage 2\r\nPage 3\r\nThe same vulnerability was used by several threat actors including RomCom (Russia-aligned) and Paper Werewolf, a\r\ncyberespionage group targeting Russian organizations and active since 2022. In early August, BI.ZONE Threat Intelligence\r\npublished a report about an ongoing campaign of Paper Werewolf that exploits CVE-2025-6218, affects WinRAR versions\r\nup to and including 7.11 and enables directory traversal attacks that allow malicious archives to extract files outside their\r\nintended directories. A second zero-day, at the time, vulnerability that abuses ADSs for path traversal. The report doesn’t\r\nmention CVE-2025-8088, but based on the description we assume that is the same vulnerability.\r\nThe interesting part is that we can see similarities between the decoy documents from the report to the document above.\r\nFirst, the filename of the decoy document in the report is запрос Минпромторга РФ.pdf (Request of the Ministry of\r\nIndustry and Trade of the Russian Federation.pdf) no misspellings in the filename. It refers to the same office. The document\r\nasks to assess the impact of a specific government resolution on production capacities of subsidy recipients. Next, both\r\ndocuments share the same template and structure: red stamp on the left side, followed by the same information about the\r\noffice, the date and the request id. Both documents contain a request for information to be submitted to a government-affiliated organization.\r\nAttribution\r\nBased on the shared infrastructure, such as the ruzede[.]com domain, as well as notable similarities in decoy document\r\nconstruction and the exploitation of the WINRAR vulnerability that leverages ADSs, we attribute this campaign to the\r\nPaper Werewolf (aka GOFFEE) threat group. The recent use of XLL files suggests that the group is experimenting with\r\nnew delivery methods while continuing to rely on established infrastructure, possibly in an attempt to evade detection. In\r\naddition, the use of a new, yet simple, backdoor may indicate an effort to improve and evolve their toolset.\r\nSummary\r\nIt’s less common to see public reporting on threats targeting Russian organizations, which makes this campaign worth\r\nhighlighting. The threat actor appears to be actively exploring new methods to evade detection, including the use of XLL-based delivery techniques and newly developed payloads. These changes suggest an effort to enhance their capabilities.\r\nHowever, there are still clear gaps in both technical execution and linguistic accuracy, indicating that their tradecraft is still\r\ndeveloping. \r\nhttps://intezer.com/blog/tracing-a-paper-werewolf-campaign-through-ai-generated-decoys-and-excel-xlls/\r\nPage 7 of 8\n\nIOCs\r\nXLL Loader\r\n0506a6fcee0d4bf731f1825484582180978995a8f9b84fc59b6e631f720915da\r\nEchoGather Hashes and C2 Infrastructure\r\nsha256 C2 Address\r\nc3e04bb4f4d51bb1ae8e67ce72aff1c3abeca84523ea7137379f06eb347e1669\r\n   \r\nhttps://ruzede[.]com/blogs/drafts/publish/schedule/seosso/login/ 0d1dd7a62f3ea0d0fbeea905a48ae8794f49319ee0c34f15a3a871899404bf05\r\nb2419afcfc24955b4439100706858d7e7fc9fdf8af0bb03b70e13d8eed52935c\r\n    https://fast-eda.my/dostavka/lavka/kategorii/zakuski/sushi/se\r\n23d917781e288a6fa9a1296404682e6cf47f11f2a09b7e4f340501bf92d68514\r\ndd5a16d0132eb38f64293b8419bab3a3a80f48dc050129a8752989539a5c97bf\r\n74fab6adc77307ef9767e710d97c885352763e68518b2109d860bb45e9d0a8eb\r\nOther Files\r\nsha256 File name (based on VirusTotal)\r\nb6914d702969bc92e8716ece92287c0f52fc129c6fb4796676a738b103a6e039 mswt.ps1\r\n29101c580b33b77b51a6afe389955b151a4d0913716b253672cc0c0a41e5ccc8 N/A\r\ncdc3355ae57cc371c6c0918c0b5451b9298fc7d7c7035fa4b24d0cd08af4122c C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\docc1.ps\r\ndc2df351c306a314569b1eeaccf5046ce5a64df487fa51c907cb065e968bba80 Вх.письмо_Мипромторг.lnk:.._.._.._.._.._Roaming_Microsoft_\r\n76e4d344b3ec52d3f1a81de235022ad2b983eb868b001b93e56deee54ae593c5 Вх.письмо_Мипромторг.rar\r\n6a00b1ed5afcd63758b9be4bd1c870dbfe880a1a3d4e852bb05c92418d33e6da invite.pdf\r\n2abb9e7c155beaa3dcfa38682633dcbea42f07740385cac463e4ca5c6598b438 (pdf document)\r\nExplore which AI SOC platform is right for you.\r\nSource: https://intezer.com/blog/tracing-a-paper-werewolf-campaign-through-ai-generated-decoys-and-excel-xlls/\r\nhttps://intezer.com/blog/tracing-a-paper-werewolf-campaign-through-ai-generated-decoys-and-excel-xlls/\r\nPage 8 of 8", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://intezer.com/blog/tracing-a-paper-werewolf-campaign-through-ai-generated-decoys-and-excel-xlls/" ], "report_names": [ "tracing-a-paper-werewolf-campaign-through-ai-generated-decoys-and-excel-xlls" ], "threat_actors": [ { "id": "ec14074c-8517-40e1-b4d7-3897f1254487", "created_at": "2023-01-06T13:46:38.300905Z", "updated_at": "2026-04-10T02:00:02.918468Z", "deleted_at": null, "main_name": "APT10", "aliases": [ "Red Apollo", "HOGFISH", "BRONZE RIVERSIDE", "G0045", "TA429", "Purple Typhoon", "STONE PANDA", "Menupass Team", "happyyongzi", "CVNX", "Cloud Hopper", "ATK41", "Granite Taurus", "POTASSIUM" ], "source_name": "MISPGALAXY:APT10", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "555e2cac-931d-4ad4-8eaa-64df6451059d", "created_at": "2023-01-06T13:46:39.48103Z", "updated_at": "2026-04-10T02:00:03.342729Z", "deleted_at": null, "main_name": "RomCom", "aliases": [ "UAT-5647", "Storm-0978" ], "source_name": "MISPGALAXY:RomCom", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d58052ba-978b-4775-985a-26ed8e64f98c", "created_at": "2023-09-07T02:02:48.069895Z", "updated_at": "2026-04-10T02:00:04.946879Z", "deleted_at": null, "main_name": "Tropical Scorpius", "aliases": [ "DEV-0978", "RomCom", "Storm-0671", "Storm-0978", "TA829", "Tropical Scorpius", "UAC-0180", "UNC2596", "Void Rabisu" ], "source_name": "ETDA:Tropical Scorpius", "tools": [ "COLDDRAW", "Cuba", "Industrial Spy", "PEAPOD", "ROMCOM", "ROMCOM RAT", "SingleCamper", "SnipBot" ], "source_id": "ETDA", "reports": null }, { "id": "ba9fa308-a29a-4928-9c06-73aafec7624c", "created_at": "2024-05-01T02:03:07.981061Z", "updated_at": "2026-04-10T02:00:03.750803Z", "deleted_at": null, "main_name": "BRONZE RIVERSIDE", "aliases": [ "APT10 ", "CTG-5938 ", "CVNX ", "Hogfish ", "MenuPass ", "MirrorFace ", "POTASSIUM ", "Purple Typhoon ", "Red Apollo ", "Stone Panda " ], "source_name": "Secureworks:BRONZE RIVERSIDE", "tools": [ "ANEL", "AsyncRAT", "ChChes", "Cobalt Strike", "HiddenFace", "LODEINFO", "PlugX", "PoisonIvy", "QuasarRAT", "QuasarRAT Loader", "RedLeaves" ], "source_id": "Secureworks", "reports": null }, { "id": "04b07437-41bb-4126-bcbb-def16f19d7c6", "created_at": "2022-10-25T16:07:24.232628Z", "updated_at": "2026-04-10T02:00:04.906097Z", "deleted_at": null, "main_name": "Stone Panda", "aliases": [ "APT 10", "ATK 41", "Bronze Riverside", "CTG-5938", "CVNX", "Cuckoo Spear", "Earth Kasha", "G0045", "G0093", "Granite Taurus", "Happyyongzi", "Hogfish", "ITG01", "Operation A41APT", "Operation Cache Panda", "Operation ChessMaster", "Operation Cloud Hopper", "Operation Cuckoo Spear", "Operation New Battle", "Operation Soft Cell", "Operation TradeSecret", "Potassium", "Purple Typhoon", "Red Apollo", "Stone Panda", "TA429", "menuPass", "menuPass Team" ], "source_name": "ETDA:Stone Panda", "tools": [ "Agent.dhwf", "Agentemis", "Anel", "AngryRebel", "BKDR_EVILOGE", "BKDR_HGDER", "BKDR_NVICM", "BUGJUICE", "CHINACHOPPER", "ChChes", "China Chopper", "Chymine", "CinaRAT", "Cobalt Strike", "CobaltStrike", "DARKTOWN", "DESLoader", "DILLJUICE", "DILLWEED", "Darkmoon", "DelfsCake", "Derusbi", "Destroy RAT", "DestroyRAT", "Ecipekac", "Emdivi", "EvilGrab", "EvilGrab RAT", "FYAnti", "Farfli", "Gen:Trojan.Heur.PT", "Gh0st RAT", "Ghost RAT", "GreetCake", "HAYMAKER", "HEAVYHAND", "HEAVYPOT", "HTran", "HUC Packet Transmit Tool", "Ham Backdoor", "HiddenFace", "Impacket", "Invoke the Hash", "KABOB", "Kaba", "Korplug", "LODEINFO", "LOLBAS", "LOLBins", "Living off the Land", "MiS-Type", "Mimikatz", "Moudour", "Mydoor", "NBTscan", "NOOPDOOR", "Newsripper", "P8RAT", "PCRat", "PlugX", "Poison Ivy", "Poldat", "PowerSploit", "PowerView", "PsExec", "PsList", "Quarks PwDump", "Quasar RAT", "QuasarRAT", "RedDelta", "RedLeaves", "Rubeus", "SNUGRIDE", "SPIVY", "SharpSploit", "SigLoader", "SinoChopper", "SodaMaster", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trochilus RAT", "UpperCut", "Vidgrab", "WinRAR", "WmiExec", "Wmonder", "Xamtrav", "Yggdrasil", "Zlib", "certutil", "certutil.exe", "cobeacon", "dfls", "lena", "nbtscan", "pivy", "poisonivy", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "120b98af-cc15-468d-ae91-52d5af9216e4", "created_at": "2025-05-29T02:00:03.189197Z", "updated_at": "2026-04-10T02:00:03.84415Z", "deleted_at": null, "main_name": "GOFFEE", "aliases": [], "source_name": "MISPGALAXY:GOFFEE", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a", "created_at": "2022-10-25T15:50:23.298889Z", "updated_at": "2026-04-10T02:00:05.316886Z", "deleted_at": null, "main_name": "menuPass", "aliases": [ "menuPass", "POTASSIUM", "Stone Panda", "APT10", "Red Apollo", "CVNX", "HOGFISH", "BRONZE RIVERSIDE" ], "source_name": "MITRE:menuPass", "tools": [ "certutil", "FYAnti", "UPPERCUT", "SNUGRIDE", "P8RAT", "RedLeaves", "SodaMaster", "pwdump", "Mimikatz", "PlugX", "PowerSploit", "ChChes", "cmd", "QuasarRAT", "AdFind", "Cobalt Strike", "PoisonIvy", "EvilGrab", "esentutl", "Impacket", "Ecipekac", "PsExec", "HUI Loader" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434932, "ts_updated_at": 1775826789, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/2d748de8f242cb2d232362b7880100c6cfa1802b.pdf", "text": "https://archive.orkl.eu/2d748de8f242cb2d232362b7880100c6cfa1802b.txt", "img": "https://archive.orkl.eu/2d748de8f242cb2d232362b7880100c6cfa1802b.jpg" } }