{
	"id": "2cdbf4af-6b28-4cd4-9538-09e52532db76",
	"created_at": "2026-04-06T00:17:50.252238Z",
	"updated_at": "2026-04-10T13:12:43.156081Z",
	"deleted_at": null,
	"sha1_hash": "2e7f21a7335ce963482ec9dbf8e2a39ad0dcf1c7",
	"title": "Unit42-timely-threat-intel/2025-01-17-IOCs-for-infrastructure-used-by-affiliate-of-Dark-Scorpius.txt at main · PaloAltoNetworks/Unit42-timely-threat-intel",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 132822,
	"plain_text": "Unit42-timely-threat-intel/2025-01-17-IOCs-for-infrastructure-used-by-affiliate-of-Dark-Scorpius.txt at main ·\r\nPaloAltoNetworks/Unit42-timely-threat-intel\r\nBy brad-duncan\r\nArchived: 2026-04-05 17:41:49 UTC\r\n2020-08-20-IOCs-for-Emotet-infection-with-Qakbot.txt\r\n2020-08-24-IOCs-for-Trickbot-gtag-ono66.txt\r\n2020-08-25-IOCs-for-Emotet-with-Trickbot.txt\r\n2020-09-01-IOCs-for-Raccoon-Stealer.txt\r\n2020-09-07-IOCs-for-Dridex-infection.txt\r\n2020-09-21-IOCs-for-Dridex-infection.txt\r\n2020-09-28-IOCs-for-Qakbot-activity.txt\r\n2020-10-01-IOCs-for-Formbook-infection.txt\r\n2020-10-05-IOCs-from-AZORult-infection.txt\r\n2020-10-26-IOCs-for-Emotet-epoch-2-with-Trickbot-gtag-mor137.txt\r\n2020-11-05-IOCs-for-Hancitor-activity.txt\r\n2020-11-16-IOCs-for-Cobalt-Strike-activity.txt\r\n2020-11-23-IOCs-for-SmokeLoader-Dridex-and-Webshell.txt\r\n2020-12-02-IOCs-for-Astaroth-activity.txt\r\n2020-12-10-IOCs-from-Ursnif-infection-with-Delf-variant.txt\r\n2020-12-11-Zepplin-ransomware-note.txt\r\n2020-12-14-IOCs-from-Qakbot-activity.txt\r\n2021-01-05-IOCs-for-Emotet-with-Trickbot.txt\r\n2021-01-06-SystemBC-domain-list.txt\r\n2021-01-08-IOCs-from-Ave-Maria-RAT.txt\r\nhttps://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-17-IOCs-for-infrastructure-used-by-affiliate-of-Dark-Scorpius.txt\r\nPage 1 of 
15\n\n2021-01-11-IOCs-for-Dridex-traffic-with-webshell.txt\r\n2021-01-20-IOCs-from-Emotet-epoch1-infection.txt\r\n2021-02-01-IOCs-for-TA551-Qakbot.txt\r\n2021-02-22-IOCs-from-Guildma-infection.txt\r\n2021-03-01-IOCs-from-IcedID-with-Cobalt-Strike.txt\r\n2021-03-08-IOCs-from-Banload-infection.txt\r\n2021-03-15-IOCs-from-IcedID-infection.txt\r\n2021-03-19-Mirai-variant-update.txt\r\n2021-03-22-IOCs-from-Dridex-infection.txt\r\n2021-03-24-IOCs-for-IcedID-infection-with-Cobalt-Strike.txt\r\n2021-04-12-IOCs-for-IcedID-infection.txt\r\n2021-04-15-IOCs-for-AsyncRAT-activity.txt\r\n2021-04-26-IOCs-for-IcedID-with-Cobalt-Strike.txt\r\n2021-05-10-IOCs-for-TA551-pushing-IcedID.txt\r\n2021-05-17-IOCs-for-TA551-IcedID.txt\r\n2021-06-07-IOCs-update-for-Mirai.txt\r\n2021-06-21-TA551-IOCs-for-Ursnif.txt\r\n2021-06-28-TA551-IOCs-for-Trickbot.txt\r\n2021-07-12-IOCs-from-Hancitor-activity.txt\r\n2021-07-20-IOCs-for-BazarLoader-and-Trickbot.txt\r\n2021-07-26-IOCs-for-Trickbot-gtag-rob112.txt\r\n2021-07-29-IOCs-for-BazarLoader-CobaltStrike-PrintNightmare.txt\r\n2021-08-09-BazarLoader-and-Cobalt-Strike-IOCs.txt\r\n2021-08-16-updated-IOCs-for-Mirai.txt\r\n2021-08-18-IOCs-from-phishing-email.txt\r\n2021-08-26-IOCs-for-BazarLoader-infection.txt\r\nhttps://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-17-IOCs-for-infrastructure-used-by-affiliate-of-Dark-Scorpius.txt\r\nPage 2 of 
15\n\n2021-09-08-IOCs-for-Hancitor-with-Cobalt-Strike.txt\r\n2021-09-13-IOCs-for-TA551-Trickbot-with-Cobalt-Strike-and-DarkVNC.txt\r\n2021-09-20-IOCs-for-Squirrelwaffle-Loader-with-Cobalt-Strike.txt\r\n2021-09-29-IOCs-for-TA551-BazarLoader-with-Cobalt-Strike.txt\r\n2021-10-07-IOCs-for-Qakbot-obama111-and-Cobalt-Strike.txt\r\n2021-10-18-IOCs-for-TR-based-Qakbot-with-Cobalt-Strike.txt\r\n2021-11-03-IOCs-for-TA551-BazarLoader.txt\r\n2021-11-04-IOCs-for-TR-Qakbot-with-Cobalt-Strike.txt\r\n2021-11-05-IOCs-for-TA551-activity.txt\r\n2021-11-15-IOCs-for-Matanbuchus-Qakbot-CobaltStrike-and-spambot-activity.txt\r\n2021-11-22-IOCs-for-Contact-Forms-campaign-activity.txt\r\n2021-12-07-IOCs-for-Qakbot-and-Matanbuchus-activity.txt\r\n2021-12-10-IOCs-for-TA551-IcedID-infection-with-Cobalt-Strike-and-DarkVNC.txt\r\n2022-01-04-IOCs-from-Remcos-RAT-infection.txt\r\n2022-01-05-IOCs-for-TA551-IcedID-with-Cobalt-Strike.txt\r\n2022-01-12-IOCs-for-IcedID-with-Cobalt-Strike-and-DarkVNC.txt\r\n2022-01-17-IOCs-for-Astaroth-Guildma-infection.txt\r\n2022-01-27-IOCs-for-Contact-Forms-IcedID-with-Cobalt-Strike.txt\r\n2022-02-07-IOCs-for-BazarLoader-with-Cobalt-Strike.txt\r\n2022-02-10-IOCs-for-Emotet-epoch5-infection-with-Cobalt-Strike.txt\r\n2022-02-17-IOCs-for-Bazil-targeted-malware-infection.txt\r\n2022-02-22-IOCs-for-Emotet-epoch4-activity.txt\r\n2022-02-22-IOCs-for-Emotet-epoch5-activity.txt\r\n2022-03-01-IOCs-for-Emotet-epoch4-with-Cobalt-Strike.txt\r\n2022-03-03-IOCs-for-Bazil-targeted-malware-infection.txt\r\n2022-03-03-IOCs-for-Emotet-epoch4-with-Cobalt-Strike.txt\r\nhttps://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-17-IOCs-for-infrastructure-used-by-affiliate-of-Dark-Scorpius.txt\r\nPage 3 of 
15\n\n2022-03-14-IOCs-from-Emotet-epoch5-with-Cobalt-Strike.txt\r\n2022-03-21-IOCs-for-Cobalt-Strike-from-IcedID-infection.txt\r\n2022-03-29-IOCs-for-Emotet-and-Cobalt-Strike.txt\r\n2022-04-05-IOCs-for-Bumblebee-and-Cobalt-Strike.txt\r\n2022-04-12-IOCs-for-SpringShell-exploitation-by-Enemybot.txt\r\n2022-04-14-IOCs-for-aa-Qakbot-with-Cobalt-Strike.txt\r\n2022-04-19-IOCS-for-infection-from-Brazil-malspam.txt\r\n2022-04-25-IOCs-for-Emotet-epoch4.txt\r\n2022-05-03-IOCs-for-Contact-Forms-Bumblebee-and-Cobalt-Strike.txt\r\n2022-05-10-IOCs-for-Contact-Forms-IcedID-with-Cobalt-Strike.txt\r\n2022-05-15-IOCs-for-Deadbolt-Ransomware.md\r\n2022-05-17-IOCS-for-aa-distribution-Qakbot-with-Cobalt-Strike.txt\r\n2022-05-23-IOCs-for-IcedID-and-DarkVNC.txt\r\n2022-06-07-IOCs-for-Emotet-with-Cobalt-Strike.txt\r\n2022-06-09-IOCs-from-TA578-Bumblebee-with-Cobalt-Strike.txt\r\n2022-06-14-IOCs-from-TA578-Bumblebee-with-Cobalt-Strike.txt\r\n2022-06-17-IOCs-for-Matanbuchus-with-Cobalt-Strike.txt\r\n2022-06-21-IOCs-for-AA-distribution-Qakbot-with-DarkVNC-and-Cobalt-Strike.txt\r\n2022-06-28-IOCs-for-TA578-IcedID-Cobalt-Strike-and-DarkVNC.txt\r\n2022-07-06-IOCs-for-TA578-contact-forms-IcedID-with-DarkVNC-and-Cobalt-Strike.txt\r\n2022-07-21-IOCs-for-IcedID-with-DarkVNC-and-Cobalt-Strike.txt\r\n2022-07-25-IOCs-for-IcedID-with-Cobalt-Strike.txt\r\n2022-08-03-IOCs-for-IcedID-and-Cobalt-Strike.txt\r\n2022-08-08-IOCs-for-IcedID-and-Cobalt-Strike.txt\r\n2022-08-10-IOCs-for-IcedID-and-Cobalt-Strike.txt\r\n2022-08-15-IOCs-for-Monster-Libra-SVCready.txt\r\nhttps://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-17-IOCs-for-infrastructure-used-by-affiliate-of-Dark-Scorpius.txt\r\nPage 4 of 
15\n\n2022-09-13-IOCs-for-Qakbot.txt\r\n2022-09-29-IOCs-for-Obama207-Qakbot-and-Cobalt-Strike.txt\r\n2022-10-04-IOCs-for-IcedID-infection-with-Cobalt-Strike.txt\r\n2022-10-10-IOCs-for-Cobalt-Strike-from-Qakbot-infection.txt\r\n2022-10-17-IOCs-for-IcedID-with-Cobalt-Strike.txt\r\n2022-10-31-IOCs-for-IcedID-with-DarkVNC-and-Cobalt-Strike.txt\r\n2022-11-03-IOCs-for-Emotet-with-IcedID.txt\r\n2022-11-07-IOCs-for-Emotet-infection-with-IcedID-and-Bumblebee.txt\r\n2022-11-28-IOCs-for-BB08-Qakbot-with-Cobalt-Strike.txt\r\n2022-12-07-IOCs-for-Bumblebee-infection-with-Cobalt-Strike.txt\r\n2022-12-09-IOCs-for-HTML-smuggling-to-ISO-files-for-Cobalt-Strike.txt\r\n2022-12-20-IOCs-for-IcedID-infection-with-Cobalt-Strike.txt\r\n2022-12-28-IOCs-for-NetSupport-RAT-infection.txt\r\n2022-12-29-IOCs-for-malware-from-fake-Adobe-Reader-page.txt\r\n2023-01-05-IOCs-from-Agent-Tesla-variant-infection.txt\r\n2023-01-12-IOCs-from-IcedID-and-Cobalt-Strike-infection.txt\r\n2023-01-16-IOCs-for-malware-from-fake-7zip-page.txt\r\n2023-01-23-IOCs-for-Google-ad-for-possible-TA505-activity.txt\r\n2023-01-31-IOCs-for-BB12-Qakbot-infection.txt\r\n2023-02-07-IOCs-for-probable-Matanbuchus-activity.txt\r\n2023-02-08-IOCs-for-Cobalt-Strike-from-IcedID.txt\r\n2023-02-13-IOCs-for-IcedID-infection-from-fake-Microsoft-Teams-page.txt\r\n2023-02-24-IOCs-for-IcedID-infection-with-BackConnect-and-Cobalt-Strike.txt\r\n2023-03-06-IOCs-for-Gozi-infection.txt\r\n2023-03-07-IOCs-for-Emotet-activity.txt\r\n2023-03-10-IOCs-for-CloakedUrsa-APT29-Activity.txt\r\nhttps://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-17-IOCs-for-infrastructure-used-by-affiliate-of-Dark-Scorpius.txt\r\nPage 5 of 
15\n\n2023-03-16-IOCs-for-Emotet-E5-activity.txt\r\n2023-03-22-some-IOCs-for-Emotet-E4-activity.txt\r\n2023-04-05-IOCs-for-STRRAT-activity.txt\r\n2023-04-13-IOCs-for-MetaStealer-infection.txt\r\n2023-05-02-IOCs-for-obama259-Qakbot.txt\r\n2023-05-10-IOCs-for-IcedID-with-BackConnect-and-Keyhole-VNC-and-Cobalt-Strike.txt\r\n2023-05-10-IOCs-for-obama262-Qakbot-with-DarkCat-VNC-and-Cobalt-Strike.txt\r\n2023-05-17-IOCs-for-Pikabot-with-Cobalt-Strike.txt\r\n2023-05-22-IOCs-for-Pikabot-infection-with-Cobalt-Strike.txt\r\n2023-05-23-IOCs-for-Pikabot-with-Cobalt-Strike.txt\r\n2023-06-28-IOCs-for-IcedID-activity.txt\r\n2023-07-12-IOCs-from-Gozi-infection-with-Cobalt-Strike.txt\r\n2023-08-03-IOCs-for-malicious-ad-to-Danabot.txt\r\n2023-08-09-IOCs-from-IcedID-infection.txt\r\n2023-08-29-IOCs-for-IcedID-activity.txt\r\n2023-08-31-IOCs-for-IcedID-activity.txt\r\n2023-09-21-thru-09-25-IOCs-for-AgentTesla-activity.txt\r\n2023-09-28-IOCs-for-IcedID-with-KeyholeVNC-and-Cobalt-Strike.txt\r\n2023-10-03-IOCs-for-Pikabot-infection-with-Cobalt-Strike.txt\r\n2023-10-12-IOCs-for-DarkGate-from-Teams-chat.txt\r\n2023-10-17-IOCs-for-Netscaler-CVE-2023-3519-activity.txt\r\n2023-10-17-IOCs-for-TA577-Pikabot-infection.txt\r\n2023-10-18-IOCs-from-IcedID-forked-variant-with-VNC-and-Cobalt-Strike.txt\r\n2023-10-23-IOCs-from-404TDS-Async-RAT-infection.txt\r\n2023-10-25-IOCs-from-DarkGate-activity.txt\r\n2023-10-31-IOCs-for-IcedID-infection.txt\r\nhttps://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-17-IOCs-for-infrastructure-used-by-affiliate-of-Dark-Scorpius.txt\r\nPage 6 of 
15\n\n2023-11-02-IOCs-for-TA577-Pikabot-activity.txt\r\n2023-11-20-IOCs-for-DarkGate-infection.txt\r\n2023-11-27-IOCs-for-TA577-pushing-IcedID-variant.txt\r\n2023-11-29-IOCs-for-JinxLoader-to-Formbook-XLoader.txt\r\n2023-11-30-IOCs-for-DarkGate-activity.txt\r\n2023-12-05-IOCs-from-loader-to-unidentified-malware.txt\r\n2023-12-07-IOCs-for-DarkGate-infection.txt\r\n2023-12-11-IOCs-for-Astaroth-Guildma-activity.txt\r\n2023-12-15-IOCs-for-TA577-Pikabot-infection.txt\r\n2023-12-18-IOCs-for-Pikabot-with-Cobalt-Strike.txt\r\n2024-01-08-IOCs-for-GootLoader-infection.txt\r\n2024-01-12-IOCs-from-StealC-activity.txt\r\n2024-01-17-IOCs-for-WikiLoader-activity.txt\r\n2024-01-19-IOCs-for-GootLoader-infection.txt\r\n2024-01-23-IOCs-from-UltraVNC-infection.txt\r\n2024-01-25-IOCs-for-DarkGate-activity.txt\r\n2024-01-30-IOCs-for-DarkGate-activity.txt\r\n2024-01-31-IOCs-from-Timely-Threat-Intel-post.txt\r\n2024-02-08-IOCs-from-TA577-Pikabot-infection.txt\r\n2024-02-14-IOCs-from-Danabot-infection.txt\r\n2024-02-21-IOCs-from-SocGholish-AsyncRAT-infection.txt\r\n2024-02-24-IOCs-for-possible-Lockbit-4.0-imposters.txt\r\n2024-02-27-IOCs-for-Akira-Ransomware.txt\r\n2024-03-06-IOCs-for-Pikabot-and-Meduza-Stealer-activity.txt\r\n2024-03-07-IOCs-for-Latrodectus-and-Lumma-Stealer.txt\r\n2024-03-13-IOCs-from-GootLoader-infection.txt\r\nhttps://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-17-IOCs-for-infrastructure-used-by-affiliate-of-Dark-Scorpius.txt\r\nPage 7 of 
15\n\n2024-03-14-IOCs-from-malware-possibly-targeting-Spain.txt\r\n2024-03-19-IOCs-from-DarkGate-infection.txt\r\n2024-03-24-thru-26-IOCs-for-Fortnet-EMS-exploit-activity.txt\r\n2024-03-25-Timeline-for-misake-by-Playful-Taurus.txt\r\n2024-03-26-IOCs-for-Matanbuchus-infection-with-Danabot.txt\r\n2024-03-27-IOCs-for-Google-ad-leading-to-Netsupport-RAT.txt\r\n2024-04-04-IOCs-from-Koi-Loader-Stealer-activity.txt\r\n2024-04-15-IOC-for-Contact-Forms-campaign-SSLoad-activity.txt\r\n2024-04-18-IOCs-from-SSLoad-infection-with-Cobalt-Strike-DLL.txt\r\n2024-04-30-examples-of-web-skimmers.txt\r\n2024-05-09-IOCs-from-GootLoader-activity.txt\r\n2024-05-14-IOCs-for-DarkGate-activity.txt\r\n2024-05-16-IOCs-for-credit-card-scams.txt\r\n2024-05-21-IOCs-for-Deepfake-scam-campaigns.txt\r\n2024-06-11-CVE-2024-4577.txt\r\n2024-06-12-IOCs-for-Koi-Loader-Stealer-infection.txt\r\n2024-06-17-IOCs-from-Matanbuchus-infection-with-Danabot.txt\r\n2024-06-24-IOCs-for-ClickFix-pushing-Lumma-Stealer.txt\r\n2024-06-25-IOCs-from-Latrodectus-activity.txt\r\n2024-06-27-deepfake-scams.txt\r\n2024-07-15-IOCs-from-recent-phishing-campaign.txt\r\n2024-07-20-squatting-and-improsonation-domains.txt\r\n2024-07-24-new-Ransomhub-verson-or-variant.txt\r\n2024-07-25-Paris-2024-Olympics-scams.txt\r\n2024-07-30-Olympics-themed-investment-scam.txt\r\n2024-07-31-increase-of-tech-support-scam-URLs.txt\r\nhttps://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-17-IOCs-for-infrastructure-used-by-affiliate-of-Dark-Scorpius.txt\r\nPage 8 of 
15\n\n2024-08-01-Cryptocurrency-Phishing-Scams.txt\r\n2024-08-05-Google-drawings-and-slides-abuse-for-phishing.txt\r\n2024-08-06-Xerxes-Android-Botnet-activity.txt\r\n2024-08-07-domains-impersonating-postal-services.txt\r\n2024-08-09-olympic-themed-domains-for-Chinese-gambling-sites.txt\r\n2024-08-09-scam-impersonating-legit-crypto-exchange.txt\r\n2024-08-12-Olympic-themed-domains-similar-infrastructure-2020-and-2024.txt\r\n2024-08-14-crytpo-investment-scams-impersonating-Tesla.txt\r\n2024-08-21-Kematian-Stealer-info.txt\r\n2024-08-22-Black-Myth-Wukong-themed-phishing-and-scam-domains.txt\r\n2024-08-26-GuLoader-for-Remcos-RAT-IOCs.txt\r\n2024-08-28-IOCs-for-Lumman-Stealer-from-fake-human-captcha-copy-paste-script.txt\r\n2024-09-04-IOCs-for-EtherHiding-popups.txt\r\n2024-09-16-IOCs-for-Snake-KeyLogger.txt\r\n2024-09-19-IOCs-for-file-downloader-to-Lumma-Stealer.txt\r\n2024-09-20-IOCs-for-Revolver-Rabbit-RDGA.txt\r\n2024-09-24-IOCs-for-Libra-themed-investment-scam.txt\r\n2024-09-25-IOCs-for-domains-spoofing-Deribit.txt\r\n2024-09-26-IOCs-for-Capybara-DNS-tunneling-campaign.txt\r\n2024-10-01-IOCs-for-RMS-based-malware.txt\r\n2024-10-03-IOCs-for-SmartLoader-to-Lumma-Stealer.txt\r\n2024-10-08-IOCs-for-malware-from-fake-Clockify-site.txt\r\n2024-10-09-IOCs-for-Lumma-Stealer-from-typosquatted-domain.txt\r\n2024-10-10-crypto-investment-scams.txt\r\n2024-10-11-IOCs-for-advanced-phishing-activity.txt\r\n2024-10-14-IOCs-for-fake-shopping-scam-sites.txt\r\nhttps://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-17-IOCs-for-infrastructure-used-by-affiliate-of-Dark-Scorpius.txt\r\nPage 9 of 
15\n\n2024-10-17-IOCs-for-TLD-CyberSquatting.txt\r\n2024-10-24-IOCs-for-crypto-investment-scam.txt\r\n2024-10-28-IOCs-for-phising-campaign.txt\r\n2024-10-29-IOCs-for-US-election-scams.txt\r\n2024-10-30-IOCs-for-xAI-crypto-scam.txt\r\n2024-11-04-IOCs-for-cash-and-loan-scam.txt\r\n2024-11-05-Roblox-phishing-campaign.txt\r\n2024-11-08-domains-for-Japan-targeted-phishing.txt\r\n2024-11-13-phishing-domains-for-the-holidays.txt\r\n2024-11-14-IOCs-for-Raspberry-Robin-activity.txt\r\n2024-11-15-IOCs-for-redir_pup_apk_dist.txt\r\n2024-11-19-IOC-updates-for-ApateWeb-campaign.txt\r\n2024-11-25-IOCs-for-Christmas-themed-scam-sites.txt\r\n2024-11-26-IOCs-for-tech-support-scams.txt\r\n2024-Boggy-Serpens-use-of-AutodialDLL.txt\r\n2025-01-06-changes-to-HeartCrypt-packed-malware.txt\r\n2025-01-09-IOCs-for-stockpiled-domains-delivering-suspicious-android-app.txt\r\n2025-01-10-IOCs-for-CVE-2017-0199-XLS-infection-chain.txt\r\n2025-01-13-IOCs-for-Kongtuke-activity.txt\r\n2025-01-17-IOCs-for-infrastructure-used-by-affiliate-of-Dark-Scorpius.txt\r\n2025-01-22-IOCs-for-malware-from-fake-Microsoft-Teams-site.txt\r\n2025-01-23-IOCs-for-wp3-xyz-activity.txt\r\n2025-01-24-IOCs-for-phishing-campaign-impersonating-amazon.txt\r\n2025-01-24-IOCs-for-phishing-pages-targeting-online-shoppers.txt\r\n2025-01-29-IOCs-for-DeepSeek-themed-phishing-domains.txt\r\n2025-02-03-IOCs-for-Netflix-themed-survey-phishing-campaign.txt\r\nhttps://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-17-IOCs-for-infrastructure-used-by-affiliate-of-Dark-Scorpius.txt\r\nPage 10 of 
15\n\n2025-02-04-IOCs-for-stockpiled-domains-for-gift-card-scam.txt\r\n2025-02-06-IOCs-for-Crypto-investment-scam-phishing-campaign.txt\r\n2025-02-10-IOCs-for-StrelaStealer-activity.txt\r\n2025-02-11-IOCs-for-sports-themed-crypto-scams.txt\r\n2025-02-18-IOCs-for-SmartApeSG-fake-browser-update-leads-to-NetSupport-RAT-and-StealC.txt\r\n2025-02-21-IOCs-for-tunneling-platforms-for-phishing-sites.txt\r\n2025-02-25-IOCs-Stately-Taurus-Pubload-activity.txt\r\n2025-02-26-IOCs-for-XLoader-infection.txt\r\n2025-03-04-group-likely-impersonating-BIanLian.md\r\n2025-03-05-IOCs-for-Click-Fix-distribution-of-Lumma-Stealer.txt\r\n2025-03-06-IOCs-for-smishing-activity.txt\r\n2025-03-10-IOCs-for-Remcos-RAT-activity.txt\r\n2025-03-12-IOCs-for-phishing-activity.txt\r\n2025-03-14-Testing-CVE-2025-24813.md\r\n2025-03-18-IOCs-for-APT-C-36-activity.txt\r\n2025-03-19-IOCs-for-Chinese-Language-trojanized-installers.txt\r\n2025-03-20-IOCs-for-strategically-aged-domain-activity.txt\r\n2025-03-31-IOCs-for-evasive-campaign-pushing-Legion-Loader.txt\r\n2025-04-04-IOCs-forKongTuke-web-inject-leading-to-fake-CAPTHA-page.txt\r\n2025-04-10-phishing-campaign-impersonating-Nintendo.txt\r\n2025-04-14-persistence-of-CVE-2024-27564-probes.txt\r\n2025-04-15-IOCs-for-IRS-themed-domains-used-in-CAPTCHA-style-paste-hijacking.txt\r\n2025-04-15-IOCs-for-tax-return-related-phishing-and-scams.txt\r\n2025-04-16-IOCs-for-tunneling-based-scans-for-DNS-resolvers.txt\r\n2025-04-17-IngressNightmare-Scans-and-Testing.md\r\n2025-04-23-IOCs-for-domains-impersonating-OnChain.txt\r\nhttps://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-17-IOCs-for-infrastructure-used-by-affiliate-of-Dark-Scorpius.txt\r\nPage 11 of 
15\n\n2025-04-23-IOCs-for-smishing-activity-update.txt\r\n2025-04-25-IOCs-for-Blitz-malware.txt\r\n2025-04-30-IOCs-for-suspciouis-search-pages.txt\r\n2025-05-02-IOCs-for-Unknown-Loader.txt\r\n2025-05-07-IOCs-from-Teams-phishing-for-MadMxShell.txt\r\n2025-05-16-IOCs-on-recent-ClickFix-activity.txt\r\n2025-05-19-IOCs-for-CypherIT-and-AutoIt-used-in-distribution-of-Lumma-Stealer.txt\r\n2025-05-20-IOCs-for-AdaptixC2-activity.txt\r\n2025-05-20-IOCs-for-TDS-leading-to-UP-X-gambling-platform.txt\r\n2025-05-21-IOCs-for-BTMOB-RAT-activity.txt\r\n2025-05-22-campaign-switches-from-Lumma-to-StealC-v2.txt\r\n2025-05-30-IOCs-for-Chinese-language-campaign-impersonating-legitimate-applications.txt\r\n2025-06-09-IOCs-for-Agent-Serpens-activity.txt\r\n2025-06-10-IOCs-for-cryptocurrency-scam-impersonating-WWDC25.txt\r\n2025-06-11-IOCs-for-Neptune-RAT-version-5.3.txt\r\n2025-06-12-Iron-Taurus-remains-an-active-threat.txt\r\n2025-06-20-IOCs-for-malware-disgused-as-cracked-software.txt\r\n2025-06-24-IOCs-for-01flip-ransomware.txt\r\n2025-06-25-IOCs-for-phishing-campaign-impersonating-Telegram.txt\r\n2025-06-26-IOCs-for-phishing-campaing-impersonating-Microsoft-login-pages.txt\r\n2025-06-30-IOCs-for-Labubu-scam-domains.txt\r\n2025-07-17-IOCs-for-Soul-Stealer-2025-update.txt\r\n2025-07-19-Microsoft-SharePoint-vulnerabilities-CVE-2025-49704-and-49706.txt\r\n2025-07-24-IOCs-for-Vidar-activity.txt\r\n2025-07-29-IOCs-for-Replit-activity.txt\r\n2025-07-31-4L4MD4R-ransomware-from-ToolShell-exploit-activity.txt\r\nhttps://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-17-IOCs-for-infrastructure-used-by-affiliate-of-Dark-Scorpius.txt\r\nPage 12 of 
15\n\n2025-08-11-AI-summary-browser-extensions.txt\r\n2025-08-13-IOCs-for-Smishing-activity.txt\r\n2025-08-15-IOCs-for-Lumma-Stealer-infection-with-Sectop-RAT.txt\r\n2025-08-18-IOCs-for-Chrome-extensions-leading-to-thank-you-pages-for-unwanted-content.txt\r\n2025-08-19-IOCs-for-Chrome-extensions-leading-to-adware-or-PUP.txt\r\n2025-08-28-Vishing-activity.txt\r\n2025-08-29-IOCs-for-luxury-shop-fraud.txt\r\n2025-09-05-IOCs-for-Smishing-impersonating-CA-francise-tax-board.txt\r\n2025-09-09-scam-domains-related-to-2026-FIFA-World-Cup.txt\r\n2025-09-11-dangling-commits-used-in-GitHub-malvertising.txt\r\n2025-09-19-phishing-activity-targeting-Japanese-speakers.txt\r\n2025-09-23-IOCs-for-phishing-campaign-using-BitM-pages.txt\r\n2025-09-24-IOCs-for-AI-prompt-hijacker-extensions.txt\r\n2025-09-25-IOCs-for-NFC-relay-Android-malware.txt\r\n2025-10-01-IOCs-for-possible-Rhadamanthys.txt\r\n2025-10-02-IOCs-for-phishing-pages-using-blob-URLs.txt\r\n2025-10-02-IOCs-for-updated-smishing-URL-tactics.txt\r\n2025-10-09-White-Lynx-Activity.txt\r\n2025-10-10-domains-impersonating-Sora-2-sites.txt\r\n2025-10-15-C2-sock-phishing-campaign.txt\r\n2025-10-16-Multi-Stage-Android-Malware-Campaign.md\r\n2025-10-17-IOCs-for-phishing-abusing-web-form-services.txt\r\n2025-10-23-OAuth-flow-phishing.txt\r\n2025-10-30-IOCs-for-cryptocurrency-scams-using-fake-chatbots.txt\r\n2025-11-07-IOCs-for-phishing-activity-spoofing-spam-filters.txt\r\n2025-11-10-IOCs-from-Stately-Taurus-activity.txt\r\nhttps://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-17-IOCs-for-infrastructure-used-by-affiliate-of-Dark-Scorpius.txt\r\nPage 13 of 
15\n\n2025-11-11-IOCs-for-TDS-pushing-PUP.txt\r\n2025-11-13-IOCs-for-Squeamish-Libra-activity.txt\r\n2025-11-21-IOCs-for-ShinySp1d3r-ransomware.txt\r\n2025-11-24-ongoing-testing-of-malicious-Chrome-extension-samples.txt\r\n2025-11-25-Domains-for-Black-Friday-scams.txt\r\n2025-12-03-recent-surge-in-ClickFix-activity.txt\r\n2025-12-08-White-Lynx-uses-CAPTCHA-macros.txt\r\n2025-12-15-real-world-case-of-malicious-indirect-prompt-injection.md\r\n2025-12-18-phishing-for-authentication-tokens.txt\r\n2026-01-07-scams-using-calendar-invites.txt\r\n2026-01-16-W-8BEN-themed-phishing-activity.txt\r\n2026-01-22-Attack-chain-targeting-users-looking-for-legitimate-tools.txt\r\n2026-01-30-IOCs-for-traffic-ticket-search-portal-themed-phishing.txt\r\n2026-02-03-IOCs-from-KongTuke-ClickFix-activity.txt\r\n2026-02-04-IOCs-for-December-2025-Contagious-Interview-activity.txt\r\n2026-02-05-IOCs-for-phishing-and-scams.txt\r\n2026-02-06-IOCs-for-Super-Bowl-LX-scams.txt\r\n2026-02-10-IOCs-for-smishing-impersonating-US-wireless-carriers.txt\r\n2026-02-11-IOCs-for-RAT-disguinsed-as-AI-based-browser-extension.txt\r\n2026-02-13-IOCs-for-tactics-by-browser-extensions-to-avoid-bans.txt\r\n2026-02-20- AI-Accelerated Malicious Chrome Extension Campaigns.txt\r\n2026-02-20-IOCs-for-tech-support-scam-activity.txt\r\n2026-02-27-IOCs-for-Alloy-Taurus-infrastructure\r\n2026-03-09-Threat-Alert-30K-domains-distributing-malicious-AI-related-browser-extension.txt\r\n2026-03-10-IOCs-for-VoidLink-activity.txt\r\n2026-03-12-Vishing-Campaigns-Lead-to-Data-Theft-and-Extortion.txt\r\nhttps://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-17-IOCs-for-infrastructure-used-by-affiliate-of-Dark-Scorpius.txt\r\nPage 14 of 15\n\n2026-03-19-THE-GHOST-IN-CAMPAIGN.txt\r\n2026-03-23- Device-Code-based-OAuth-Phishing.txt\r\n2026-03-30-KIMWOLF-V7-IoT.txt\r\n2026-03-31-SHub-Stealer-Activity.txt\r\n2026-04-02-Threat-Actor-Targets-Military-Entities.txt\r\nSource: 
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-17-IOCs-for-infrastructure-used-by-affiliate-of-Dark-Scorpius.txt\r\nhttps://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-17-IOCs-for-infrastructure-used-by-affiliate-of-Dark-Scorpius.txt\r\nPage 15 of 15",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-17-IOCs-for-infrastructure-used-by-affiliate-of-Dark-Scorpius.txt"
	],
	"report_names": [
		"2025-01-17-IOCs-for-infrastructure-used-by-affiliate-of-Dark-Scorpius.txt"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "98b22fd7-bf1b-41a6-b51c-0e33a0ffd813",
			"created_at": "2022-10-25T15:50:23.688973Z",
			"updated_at": "2026-04-10T02:00:05.390055Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"APT-C-36",
				"Blind Eagle"
			],
			"source_name": "MITRE:APT-C-36",
			"tools": [
				"Imminent Monitor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-10T02:00:04.853499Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "62585174-b1f8-47b1-9165-19b594160b01",
			"created_at": "2023-01-06T13:46:39.369991Z",
			"updated_at": "2026-04-10T02:00:03.304964Z",
			"deleted_at": null,
			"main_name": "TA578",
			"aliases": [],
			"source_name": "MISPGALAXY:TA578",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "119c8bea-816e-4799-942b-ff375026671e",
			"created_at": "2022-10-25T16:07:23.957309Z",
			"updated_at": "2026-04-10T02:00:04.807212Z",
			"deleted_at": null,
			"main_name": "Operation Ghostwriter",
			"aliases": [
				"DEV-0257",
				"Operation Asylum Ambuscade",
				"PUSHCHA",
				"Storm-0257",
				"TA445",
				"UAC-0051",
				"UAC-0057",
				"UNC1151",
				"White Lynx"
			],
			"source_name": "ETDA:Operation Ghostwriter",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"HALFSHELL",
				"Impacket",
				"RADIOSTAR",
				"VIDEOKILLER",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "be597b07-0cde-47bc-80c3-790a8df34af4",
			"created_at": "2022-10-25T16:07:23.407484Z",
			"updated_at": "2026-04-10T02:00:04.58656Z",
			"deleted_at": null,
			"main_name": "Blind Eagle",
			"aliases": [
				"APT-C-36",
				"APT-Q-98",
				"AguilaCiega",
				"G0099"
			],
			"source_name": "ETDA:Blind Eagle",
			"tools": [
				"AsyncRAT",
				"BitRAT",
				"Bladabindi",
				"BlotchyQuasar",
				"Imminent Monitor",
				"Imminent Monitor RAT",
				"Jorik",
				"LimeRAT",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"Warzone",
				"Warzone RAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "52eb5fb6-706b-49c0-9ba5-43bea03940d0",
			"created_at": "2024-11-01T02:00:52.694476Z",
			"updated_at": "2026-04-10T02:00:05.410572Z",
			"deleted_at": null,
			"main_name": "TA578",
			"aliases": [
				"TA578"
			],
			"source_name": "MITRE:TA578",
			"tools": [
				"Latrodectus",
				"IcedID"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d9b39228-0d9d-4c1e-8e39-2de986120060",
			"created_at": "2023-01-06T13:46:39.293127Z",
			"updated_at": "2026-04-10T02:00:03.277123Z",
			"deleted_at": null,
			"main_name": "BelialDemon",
			"aliases": [
				"Matanbuchus"
			],
			"source_name": "MISPGALAXY:BelialDemon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2c936440-1695-4b9d-88c1-32ab6df31d1b",
			"created_at": "2025-03-04T02:00:03.004127Z",
			"updated_at": "2026-04-10T02:00:03.816503Z",
			"deleted_at": null,
			"main_name": "GOLD REBELLION",
			"aliases": [
				"WANDERING SPIDER",
				"White Dev 115",
				"Dark Scorpius"
			],
			"source_name": "MISPGALAXY:GOLD REBELLION",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4f83fef-38ee-4228-9d27-dde8afece1cb",
			"created_at": "2023-02-15T02:01:49.569611Z",
			"updated_at": "2026-04-10T02:00:03.351659Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"Hive0118"
			],
			"source_name": "MISPGALAXY:TA577",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "22d450bb-fc7a-42af-9430-08887f0abf9f",
			"created_at": "2024-11-01T02:00:52.560354Z",
			"updated_at": "2026-04-10T02:00:05.276856Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"TA577"
			],
			"source_name": "MITRE:TA577",
			"tools": [
				"Pikabot",
				"QakBot",
				"Latrodectus"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bd43391b-b835-4cb3-839a-d830aa1a3410",
			"created_at": "2023-01-06T13:46:38.925525Z",
			"updated_at": "2026-04-10T02:00:03.147197Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"Blind Eagle"
			],
			"source_name": "MISPGALAXY:APT-C-36",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9faf32b7-0221-46ac-a716-c330c1f10c95",
			"created_at": "2022-10-25T16:07:23.652281Z",
			"updated_at": "2026-04-10T02:00:04.702108Z",
			"deleted_at": null,
			"main_name": "Gallium",
			"aliases": [
				"Alloy Taurus",
				"G0093",
				"Granite Typhoon",
				"Phantom Panda"
			],
			"source_name": "ETDA:Gallium",
			"tools": [
				"Agentemis",
				"BlackMould",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"Gh0stCringe RAT",
				"HTran",
				"HUC Packet Transmit Tool",
				"LaZagne",
				"Mimikatz",
				"NBTscan",
				"PingPull",
				"Plink",
				"Poison Ivy",
				"PsExec",
				"PuTTY Link",
				"QuarkBandit",
				"Quasar RAT",
				"QuasarRAT",
				"Reshell",
				"SPIVY",
				"SinoChopper",
				"SoftEther VPN",
				"Sword2033",
				"WCE",
				"WinRAR",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Yggdrasil",
				"cobeacon",
				"nbtscan",
				"netcat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c87ee2df-e528-4fa0-bed6-6ed29e390688",
			"created_at": "2023-01-06T13:46:39.150432Z",
			"updated_at": "2026-04-10T02:00:03.231072Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"Red Dev 4",
				"Alloy Taurus",
				"Granite Typhoon",
				"PHANTOM PANDA"
			],
			"source_name": "MISPGALAXY:GALLIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e0e0d07f-a178-479c-9915-0d83fe8791a8",
			"created_at": "2026-04-10T02:00:04.010629Z",
			"updated_at": "2026-04-10T02:00:04.010629Z",
			"deleted_at": null,
			"main_name": "Bearlyfy",
			"aliases": [
				"Labubu"
			],
			"source_name": "MISPGALAXY:Bearlyfy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434670,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2e7f21a7335ce963482ec9dbf8e2a39ad0dcf1c7.pdf",
		"text": "https://archive.orkl.eu/2e7f21a7335ce963482ec9dbf8e2a39ad0dcf1c7.txt",
		"img": "https://archive.orkl.eu/2e7f21a7335ce963482ec9dbf8e2a39ad0dcf1c7.jpg"
	}
}