{
	"id": "bf96a582-aa1e-4e2c-bf7b-71676fffc0b2",
	"created_at": "2026-04-06T00:21:18.815753Z",
	"updated_at": "2026-04-10T03:37:26.661939Z",
	"deleted_at": null,
	"sha1_hash": "2f49ff497ae714eae5dfec80606dc4e242305fa5",
	"title": "How Initial Access Brokers Lead to Ransomware | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 306726,
	"plain_text": "How Initial Access Brokers Lead to Ransomware | Proofpoint US\r\nBy Selena Larson, Daniel Blackford, and Garrett G | June 16, 2021\r\nPublished: 2021-06-14 · Archived: 2026-04-05 15:47:21 UTC\r\nKey Findings \r\nRansomware today has largely shifted from a direct email threat to an indirect threat where\r\nemail is only part of the attack chain. \r\nRansomware threat actors leverage cybercriminal enterprises – largely banking trojan distributors –\r\nfor malware deployment. These access facilitators distribute their backdoors via malicious links and\r\nattachments sent via email. \r\nBanking trojans were the most popular malware distributed via email, representing almost 20% of malware\r\nseen in Proofpoint data in the first half of 2021. \r\nProofpoint currently tracks at least 10 threat actors acting as initial access facilitators or likely ransomware\r\naffiliates. \r\nRansomware is rarely distributed directly via email. Just one ransomware strain accounts for 95% of\r\nransomware as a first-stage email payload between 2020 and 2021. \r\nThere is not a 1:1 relationship between malware loaders and ransomware attacks. Multiple threat actors use\r\nthe same malware payloads for ransomware distribution. \r\nOverview \r\nRansomware attacks still use email -- but not in the way you might think. Ransomware operators often buy access\r\nfrom independent cybercriminal groups who infiltrate major targets and then sell access to the\r\nransomware actors for a slice of the ill-gotten gains. Cybercriminal threat groups already distributing banking\r\nmalware or other trojans may also become part of a ransomware affiliate network. The result is a robust and\r\nlucrative criminal ecosystem in which different individuals and organizations increasingly specialize to the tune of\r\ngreater profits for all—except, of course, the victims. \r\nPreventing ransomware via email is straightforward: block the loader, and you block the ransomware. 
\r\nTypically, initial access brokers are understood to be opportunistic threat actors supplying affiliates and other\r\ncybercrime threat actors after the fact, for example by advertising access for sale on forums. But for the purposes\r\nof this report, we consider initial access brokers to be the groups who obtain initial access via first-stage malware\r\npayloads and may or may not work directly with the ransomware threat actors. \r\nThese criminal threat actors compromise victim organizations with first-stage malware like The Trick, Dridex, or\r\nBuer Loader and will then sell their access to ransomware operators to deploy data theft and encryption\r\noperations. According to Proofpoint data, banking trojans – often used as ransomware loaders – represented\r\nalmost 20% of malware observed in identified campaigns in the first half of 2021 and are the most popular malware\r\ntype Proofpoint sees in the landscape. Proofpoint has also observed evidence of ransomware deployed\r\nhttps://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware\r\nPage 1 of 7\n\nvia SocGholish, which uses fake updates and website redirects to infect users, and via the Keitaro traffic distribution\r\nsystem (TDS) and follow-on exploit kits, which operators use to evade detection. \r\nProofpoint has unique visibility into initial access payloads – and the threat actors that deliver them – often used by\r\nransomware threat actors. It is important to note that ransomware is not the only second-stage payload associated with\r\nthe identified malware. In addition to email threat vectors, ransomware threat actors leverage vulnerabilities in\r\nsoftware running on network devices exposed to the internet or insecure remote access services for initial access. 
\r\nMap of the Ransomware Ecosystem \r\nProofpoint currently tracks around a dozen threat actors likely operating as initial access brokers, and many of the\r\nemail threat campaigns distributing malware loaders observed by Proofpoint have led to ransomware infections.\r\nConfirmation of actor collaboration between access brokers and ransomware threat actors is difficult due to threat\r\nactors working hard to conceal their identity and evade detection. It is possible that initial access brokers and\r\nmalware backdoor developers directly collaborate with – or operate as – ransomware-specific threat actors. \r\nInitial Access Facilitators  \r\nThe versatile and disruptive malware Emotet previously served as one of the most prolific distributors of malware\r\nenabling costly ransomware infections between 2018 and 2020. However, international law enforcement disrupted\r\nthe malware in January 2021, wiping out its infrastructure and preventing further infections.  \r\nSince the Emotet takedown, Proofpoint observed consistent, ongoing activity from The\r\nTrick, Dridex, Qbot, IcedID, ZLoader, Ursnif, and many others in our data serving as first-stage malware payloads\r\nin attempts to enable further infections, including ransomware attacks. Proofpoint tracks these malware families\r\nunder the “banking” family. Over the last six months, banking trojans were associated with more than 16 million\r\nmessages, representing the most common malware type observed in our data.  \r\nAdditionally, Proofpoint tracks downloaders such as Buer Loader and BazaLoader that are often used as an initial\r\naccess vector for ransomware attacks. In the last six months, Proofpoint identified almost 300 downloader\r\ncampaigns distributing almost six million malicious messages. \r\nProofpoint researchers track backdoor access advertised on hacking forums from various threat actors. 
Depending\r\non the compromised organization and its profit margins, access can be sold anywhere from a few hundred to\r\nthousands of dollars. Access can be purchased with cryptocurrency, most commonly bitcoin. \r\nProofpoint observes overlap between various threat actors, malware, and ransomware deployments. Our data and\r\nthird-party reporting indicate, for example, that Conti ransomware has been associated with multiple first-stage loaders\r\nincluding Buer, The Trick, ZLoader, and IcedID. IcedID has also been associated with Sodinokibi, Maze, and\r\nEgregor ransomware events. \r\nTA800\r\nTA800 is a large cybercrime actor Proofpoint has tracked since mid-2019. This threat actor attempts to deliver and\r\ninstall banking malware or malware loaders including The Trick, BazaLoader, Buer Loader, and Ostap. Its\r\npayloads have been observed distributing ransomware. Proofpoint assesses with high confidence that TA800 is\r\nrelated to third-party reporting detailing BazaLoader implants that threat actors leveraged to distribute Ryuk\r\nransomware. \r\nTA577 \r\nTA577 is a prolific cybercrime threat actor tracked by Proofpoint since mid-2020. This actor conducts broad\r\ntargeting across various industries and geographies, and Proofpoint has observed TA577 deliver payloads\r\nincluding Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike. \r\nProofpoint assesses with high confidence that TA577 is associated with a March 2021 Sodinokibi\r\nransomware infection. TA577 initially compromised the victim via emails containing malicious Microsoft Office\r\nattachments, which, when macros are enabled, download and run IcedID. Activity observed from this\r\nactor increased 225% in the last six months. \r\nTA569 \r\nTA569 is a traffic and load seller known for compromising content management servers and injecting and\r\nredirecting web traffic to a social engineering kit. 
The threat actor leverages fake updates to prompt users to\r\nupdate their browser and download a malicious script. Proofpoint has tracked TA569 since 2018, but the actor has\r\nexisted since at least the end of 2016. \r\nProofpoint assesses with high confidence that TA569 is associated with WastedLocker ransomware campaigns that\r\nappeared in 2020 and leveraged the SocGholish fake update framework for ransomware distribution. Third-party\r\nentities associate this ransomware with a Russian cybercrime group known as Evil Corp. However, Proofpoint\r\ndoes not assess that TA569 is Evil Corp. \r\nTA551 \r\nTA551 is a threat actor tracked by Proofpoint since 2016. This actor frequently leverages thread hijacking to\r\ndistribute malicious Office documents via email and demonstrates broad geographic and industry targeting.\r\nProofpoint has observed TA551 distribute Ursnif, IcedID, Qbot, and Emotet. \r\nProofpoint assesses with high confidence that TA551 IcedID implants were associated with Maze and Egregor\r\nransomware events in 2020. \r\nTA570 \r\nProofpoint has tracked the large cybercrime threat actor TA570, one of the most active Qbot malware affiliates,\r\nsince 2018. Qbot has been observed delivering ransomware including ProLock and Egregor. TA570 may use\r\ncompromised WordPress sites or file hosting sites to host its payloads. TA570 has been observed\r\nconducting thread hijacking that distributes malicious attachments or URLs. In the last six months, TA570 activity\r\nis up almost 12%. \r\nFigure 1: A sampling of observed threat actors, initial access payloads they delivered, and the\r\nassociated ransomware deployed because of the initial access. Sourcing for these items is linked in the above\r\ndescriptions for each actor. 
\r\nTA547 \r\nTA547 is a prolific cybercriminal threat group primarily distributing banking trojans, including ZLoader, The Trick,\r\nand Ursnif, to various geographic regions. This actor often uses geofencing, so payloads may not be accessible to\r\nusers in all regions. Attempts to access payloads from VPNs are also often unsuccessful since the actor blacklists\r\nVPN exit IP addresses. Over the last six months, the number of identified campaigns from this actor spiked almost\r\n30%. \r\nTA544 \r\nThis high-volume cybercriminal threat actor regularly installs banking malware and other malware\r\npayloads, with varied geographic targeting including Italy and Japan. This threat actor is likely a malware affiliate\r\nworking with different developers. TA544 has been observed distributing the Ursnif and Dridex trojans and has sent\r\nover eight million malicious messages in the last six months according to Proofpoint campaign data. \r\nTA571 \r\nSince 2019, Proofpoint has tracked TA571 and its attempts to distribute and install banking malware. This actor\r\ndistributes Ursnif, ZLoader, and Danabot and often uses legitimate file hosting services or compromised or\r\nspoofed infrastructure for payload hosting. Typically, TA571 distributes more than 2,000 messages per campaign. \r\nTA574 \r\nProofpoint researchers observed TA574 distribute over one million messages in the last six months according to\r\ncampaign data. This high-volume cybercrime threat actor conducts broad industry targeting and attempts to\r\ndeliver and install malware including ZLoader. Typically, this group distributes malicious Office attachments and\r\nleverages techniques including geotargeting and User-Agent detection before malware is\r\ndeployed. Proofpoint researchers have tracked TA574 since June 2020. \r\nTA575 \r\nTA575 is a Dridex affiliate tracked by Proofpoint since late 2020. 
This group distributes malware via malicious\r\nURLs, Office attachments, and password-protected files. On average, TA575 distributes almost 4,000 messages\r\nper campaign, impacting hundreds of organizations. \r\nFirst-Stage Ransomware \r\nProofpoint still sees ransomware distributed via email directly, as attachments or links in email, at considerably\r\nlower volumes. For example, in 2020 and 2021 Proofpoint identified 54 ransomware campaigns distributing\r\njust over one million messages. \r\nOf these, Proofpoint identified four Avaddon campaigns containing about a million messages in\r\n2020, representing 95% of the total. In May 2021, the U.S. Federal Bureau of Investigation released details on an\r\nincrease in Avaddon activity, noting the ransomware operators obtained initial access via remote access portals\r\nsuch as RDP and VPN, a pivot away from direct email access. This operational shift is consistent with Avaddon\r\ncampaigns observed in Proofpoint data. \r\nOther ransomware that leverages email directly as an access vector and has appeared in Proofpoint data this\r\nyear includes Hentai OniChan, BigLock, Thanos, Demonware, and Xorist. \r\nDiversification of the Criminal Enterprise \r\nProofpoint’s Threat Research team analyzed data from 2013 to present to better understand observed trends\r\nassociated with ransomware and email as an initial access vector. Proofpoint observed that ransomware campaigns\r\ndistributed directly via email as attachments or links occurred at relatively low, consistent volumes before 2015, at\r\nwhich point threat actors began distributing ransomware via email at considerably higher volumes. Threat actors\r\nwould send large numbers of messages to individual email addresses containing the malicious files or URLs that\r\nwould infect the victim when clicked on or downloaded. Locky, for example, was sent in as many as one million\r\nmessages per day in 2017 before its operations abruptly stopped. 
\r\nFigure 2: Ransomware volumes as a first-stage malware \r\nProofpoint data shows a significant drop in first-stage ransomware campaigns in 2018. Multiple factors\r\ncontributed to the pivot away from ransomware as a first-stage payload, including improved threat detection,\r\nindividual encryption activities resulting in limited payouts, and the introduction of wormable and human-operated threats that had exponentially more disruptive capabilities. \r\nHow Hackers Hunt \r\nRansomware threat actors currently carry out “big game hunting,” conducting open-source surveillance to identify\r\nhigh-value organizations, susceptible targets, and companies’ likely willingness to pay a ransom. Working with\r\ninitial access brokers, ransomware threat actors can leverage existing malware backdoors to enable lateral\r\nmovement and full domain compromise before successful encryption. \r\nAn attack chain leveraging initial access brokers could look like this: \r\n1. A threat actor sends emails containing a malicious Office document \r\n2. A user downloads the document and enables macros, which drops a malware payload \r\n3. The actor leverages the backdoor access to exfiltrate system information \r\n4. At this point, the initial access broker can sell access to another threat actor \r\n5. The actor deploys Cobalt Strike via the malware backdoor access, which enables lateral movement within\r\nthe network \r\n6. The actor obtains full domain compromise via Active Directory \r\n7. 
The actor deploys ransomware to all domain-joined workstations \r\nFigure 3: Sample attack chain via initial access broker \r\nOutlook \r\nSo far in 2021, Proofpoint continuously observes email-based threats including downloaders and bankers with\r\nmulti-stage payloads that often lead to ransomware infections. The threat actors are conducting extensive\r\nreconnaissance, privilege escalation, and lateral movement within the environment before manually deploying the\r\nransomware payload. One key metric to watch is dwell time. Over the last two years, multiple public reports from\r\nincident response companies point to a decrease in the amount of time threat actors spend within an environment\r\nbefore encryption activities. Some incidents report two-day infection timelines between initial access and\r\nransomware deployment, compared to reported averages of 40 days in 2019. \r\nShort dwell times, high payouts, and collaboration across cybercriminal ecosystems have led to a perfect storm of\r\ncybercrime that the world’s governments are taking seriously. In response to recent high-profile ransomware\r\nattacks, the United States government proposed new efforts to combat ransomware, and it was a hot topic at the\r\n2021 G7 conference. It is possible that, with new disruptive efforts focused on the threat and growing investments in\r\ncyber defense across supply chains, ransomware attacks will decrease in frequency and efficacy.\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware"
	],
	"report_names": [
		"first-step-initial-access-leads-ransomware"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "02e5c3b8-54b4-4170-b200-7f1fd361b5a9",
			"created_at": "2022-10-25T16:07:24.557505Z",
			"updated_at": "2026-04-10T02:00:05.032451Z",
			"deleted_at": null,
			"main_name": "Scully Spider",
			"aliases": [
				"Scully Spider",
				"TA547"
			],
			"source_name": "ETDA:Scully Spider",
			"tools": [
				"DanaBot",
				"Lumma Stealer",
				"LummaC2",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"Rhadamanthys",
				"Rhadamanthys Stealer",
				"Stealc"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c91f7778-69aa-45fa-be0e-4ee33daf8fbd",
			"created_at": "2023-01-06T13:46:39.110148Z",
			"updated_at": "2026-04-10T02:00:03.216613Z",
			"deleted_at": null,
			"main_name": "NARWHAL SPIDER",
			"aliases": [
				"GOLD ESSEX",
				"TA544",
				"Storm-0302"
			],
			"source_name": "MISPGALAXY:NARWHAL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7583fbd4-2bc9-458d-81da-50b27b84e136",
			"created_at": "2023-02-15T02:01:49.565258Z",
			"updated_at": "2026-04-10T02:00:03.349283Z",
			"deleted_at": null,
			"main_name": "TA575",
			"aliases": [],
			"source_name": "MISPGALAXY:TA575",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ebc139d2-7450-46f5-a9e4-e7d561133fa5",
			"created_at": "2024-04-24T02:00:49.453475Z",
			"updated_at": "2026-04-10T02:00:05.321256Z",
			"deleted_at": null,
			"main_name": "Mustard Tempest",
			"aliases": [
				"Mustard Tempest",
				"DEV-0206",
				"TA569",
				"GOLD PRELUDE",
				"UNC1543"
			],
			"source_name": "MITRE:Mustard Tempest",
			"tools": [
				"SocGholish",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3bf456e4-84ee-48fd-b3ab-c10d54a48a34",
			"created_at": "2024-06-19T02:03:08.096988Z",
			"updated_at": "2026-04-10T02:00:03.82859Z",
			"deleted_at": null,
			"main_name": "GOLD PRELUDE",
			"aliases": [
				"Mustard Tempest ",
				"TA569 ",
				"UNC1543 "
			],
			"source_name": "Secureworks:GOLD PRELUDE",
			"tools": [
				"SocGholish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "956fc691-b6c6-4b09-b69d-8f007c189839",
			"created_at": "2025-08-07T02:03:24.860251Z",
			"updated_at": "2026-04-10T02:00:03.656547Z",
			"deleted_at": null,
			"main_name": "GOLD ESSEX",
			"aliases": [
				"Narwhal Spider ",
				"Storm-0302 ",
				"TA544 "
			],
			"source_name": "Secureworks:GOLD ESSEX",
			"tools": [
				"Cutwail",
				"Pony",
				"Pushdo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "72bc3519-a265-4136-b85a-d5e331f085b1",
			"created_at": "2023-01-06T13:46:39.313045Z",
			"updated_at": "2026-04-10T02:00:03.28438Z",
			"deleted_at": null,
			"main_name": "TA547",
			"aliases": [],
			"source_name": "MISPGALAXY:TA547",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cf32661e-7543-4b57-8665-7f8101a000e9",
			"created_at": "2023-01-06T13:46:39.322379Z",
			"updated_at": "2026-04-10T02:00:03.287241Z",
			"deleted_at": null,
			"main_name": "TA800",
			"aliases": [],
			"source_name": "MISPGALAXY:TA800",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "544cac23-af15-4100-8f20-46c07962cbfa",
			"created_at": "2023-01-06T13:46:39.484133Z",
			"updated_at": "2026-04-10T02:00:03.34364Z",
			"deleted_at": null,
			"main_name": "GOLD PRELUDE",
			"aliases": [
				"TA569",
				"UNC1543"
			],
			"source_name": "MISPGALAXY:GOLD PRELUDE",
			"tools": [
				"FakeUpdates",
				"FakeUpdate",
				"SocGholish"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "96d5b301-0872-444c-ba32-eecf7a9241c0",
			"created_at": "2023-02-15T02:01:49.560566Z",
			"updated_at": "2026-04-10T02:00:03.347926Z",
			"deleted_at": null,
			"main_name": "TA570",
			"aliases": [
				"DEV-0450"
			],
			"source_name": "MISPGALAXY:TA570",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4f83fef-38ee-4228-9d27-dde8afece1cb",
			"created_at": "2023-02-15T02:01:49.569611Z",
			"updated_at": "2026-04-10T02:00:03.351659Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"Hive0118"
			],
			"source_name": "MISPGALAXY:TA577",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7183913d-9a43-4362-96e1-9af522b6ab84",
			"created_at": "2024-06-19T02:00:04.377344Z",
			"updated_at": "2026-04-10T02:00:03.653777Z",
			"deleted_at": null,
			"main_name": "TA571",
			"aliases": [],
			"source_name": "MISPGALAXY:TA571",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "22d450bb-fc7a-42af-9430-08887f0abf9f",
			"created_at": "2024-11-01T02:00:52.560354Z",
			"updated_at": "2026-04-10T02:00:05.276856Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"TA577"
			],
			"source_name": "MITRE:TA577",
			"tools": [
				"Pikabot",
				"QakBot",
				"Latrodectus"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1f679d2e-c5c9-49e9-b854-2eca06a870e4",
			"created_at": "2022-10-25T16:07:24.453427Z",
			"updated_at": "2026-04-10T02:00:04.997515Z",
			"deleted_at": null,
			"main_name": "Bamboo Spider",
			"aliases": [
				"Bamboo Spider",
				"TA544"
			],
			"source_name": "ETDA:Bamboo Spider",
			"tools": [
				"AndroKINS",
				"Bebloh",
				"Chthonic",
				"DELoader",
				"Dofoil",
				"GozNym",
				"Gozi ISFB",
				"ISFB",
				"Nymaim",
				"PandaBanker",
				"Pandemyia",
				"Sharik",
				"Shiotob",
				"Smoke Loader",
				"SmokeLoader",
				"Terdot",
				"URLZone",
				"XSphinx",
				"ZLoader",
				"Zeus OpenSSL",
				"Zeus Panda",
				"Zeus Sphinx",
				"ZeusPanda",
				"nymain"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434878,
	"ts_updated_at": 1775792246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f49ff497ae714eae5dfec80606dc4e242305fa5.pdf",
		"text": "https://archive.orkl.eu/2f49ff497ae714eae5dfec80606dc4e242305fa5.txt",
		"img": "https://archive.orkl.eu/2f49ff497ae714eae5dfec80606dc4e242305fa5.jpg"
	}
}