{
	"id": "9ead9473-1d8e-4171-9ee6-d3b69b62cf09",
	"created_at": "2026-04-06T00:15:52.579021Z",
	"updated_at": "2026-04-10T03:38:20.032387Z",
	"deleted_at": null,
	"sha1_hash": "32fd4ad5f243f8cb30a7ff9baefeadcc276d8bb5",
	"title": "Lazarus Group Attacks in 2025: Here’s Everything SOC Teams Need to Know",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 83491,
	"plain_text": "Lazarus Group Attacks in 2025: Here’s Everything SOC Teams Need to Know\r\nBy ANY.RUN\r\nPublished: 2025-09-10 · Archived: 2026-04-05 21:41:17 UTC\r\nThe Lazarus Group, North Korea’s state-sponsored hacking collective, has held the title of the most notorious advanced persistent threat (APT) for almost two decades now. In 2025, it escalated its cyber operations, targeting tech industries with fake IT workers, fraudulent job interviews, and hijacked open-source software.\r\nIt’s time to take a closer look at its current activities and see how SOC teams can proactively detect and track the group’s attacks using ANY.RUN’s solutions.\r\nBiggest Lazarus Group Campaigns So Far\r\nLazarus’s 2025 campaigns combine sophisticated social engineering and supply chain attacks, posing severe risks to businesses’ financial stability, data security, and operational continuity.\r\nNorth Korean IT Workers\r\nSince 2024, Lazarus Group has been deploying North Korean operatives posing as legitimate remote IT workers to infiltrate companies, particularly in the U.S. and UK. Using stolen or AI-enhanced identities, these operatives secure tech roles to steal sensitive data, deploy malware, or generate illicit revenue for North Korea.\r\nAccording to the U.S. Department of Justice, these schemes compromised over 100 U.S. companies, including Fortune 500 firms. For example, an Atlanta-based blockchain company lost over $900,000 in virtual currency due to insider access by fake IT workers.\r\nBeyond financial losses, businesses face reputational damage, loss of intellectual property, and regulatory scrutiny for hiring vulnerabilities. Extortion attempts, where operatives hold stolen data hostage, further disrupt operations and erode customer trust.
\r\nhttps://any.run/cybersecurity-blog/lazarus-group-attacks-2025/\r\nPage 1 of 11\n\nPyLangGhost, malware operated by Lazarus, analyzed in ANY.RUN’s Interactive Sandbox\r\nTo detect such attacks early, SOC teams require a reliable solution for proactive analysis of suspicious files and URLs. ANY.RUN’s Interactive Sandbox provides a fast, isolated, and hands-on way to expose malware and phishing in seconds.\r\nOperation 99: Fake Job Interviews (Contagious Interview)\r\nOperation 99 (aka “Contagious Interview”) is a campaign from Lazarus and its subgroups, such as Famous Chollima, that targets tech and crypto developers and CEOs with fake job and partnership interviews.\r\nPosing as recruiters on LinkedIn, Telegram, or Calendly, Lazarus lures victims with fraudulent coding tests hosted on malicious GitLab repositories. As part of the scheme, Lazarus hackers utilize NPM packages.\r\nFor C-suite targets, criminals typically share fake Zoom executables and malware disguised as other software widely used in corporate environments.\r\nExample of a fake job proposal from a Lazarus operative. Source: Mauro Eldritch, Bitso Quetzal Team’s Medium\r\nThe common losses for victims include stolen cryptocurrency and credentials, compromised systems, and disrupted operations. In some cases, device infections led to downstream supply chain attacks, affecting customers and partners. Crypto and tech firms rely on skilled developers, making them prime targets for social engineering. These attacks disrupt product development, expose proprietary code, and undermine trust in hiring processes, while recovery costs (e.g., system remediation, legal fees) strain budgets.
\r\nHijacking Open Source Packages\r\nLazarus Group has been embedding malicious backdoors in cloned open-source software packages on repositories like GitHub and PyPI since September 2024 and continues to do so, targeting developers in both medium and large enterprises. Over 230 malicious packages have been identified since the start of 2025, affecting 36,000 firms in Europe, India, and Brazil.\r\nVictims face losses from stolen credentials, authentication tokens, and system data, with recovery costs exceeding millions. Open-source software is critical to the tech and crypto industries.\r\nGiven that many IT companies work in tight cooperation, a successful attack on an endpoint at one firm can lead to major incidents in other businesses down the supply chain. A notable example here is the $1.5 billion ByBit hack orchestrated by Lazarus.\r\nThe initial compromise occurred on a developer’s machine at Safe{Wallet}, a multisignature provider used by ByBit, through a malicious Docker project. From there, the attackers gained access to Safe{Wallet}’s Amazon Web Services (AWS) S3 bucket and managed to push a malicious script to the system. This resulted in ByBit’s transaction being hijacked and the funds funneled to a wallet controlled by Lazarus Group.\r\nCurrent Lazarus Malware Threats and How to Detect Them\r\nLazarus’s 2025 operations leverage advanced malware and TTPs, tailored to maximize damage to businesses through data theft, system compromise, and financial extortion.\r\nLet’s take a look at several examples of malware families employed by Lazarus Group in their attacks and see how sandboxing simplifies their identification.
\r\nInvisibleFerret\r\nInvisibleFerret is a modular malware often deployed by Lazarus hackers via fake job interviews, capable of keylogging, screen capturing, and establishing persistent C2 connections to steal sensitive data.\r\nRead technical analysis of InvisibleFerret\r\nAnalysis of an InvisibleFerret sample inside ANY.RUN’s Interactive Sandbox\r\nInvisibleFerret compromises developer endpoints, exposing proprietary code and client data.\r\nANY.RUN highlights malicious actions of InvisibleFerret on the system\r\nAs shown in a sandbox analysis session, the malware engages in several activities on an infected system, such as attempting to connect to an unusual port.\r\nIn a business setting, armed with this knowledge, SOCs can act proactively and prevent the incident, keeping the network safe.\r\nHigher detection rate with deep insights into threat behavior.\r\nShorter MTTR with fast identification of malware and detailed reports for informed mitigation.\r\nReduced manual effort with analysis automation.\r\nOtterCookie\r\nOtterCookie is malware that is often embedded in hijacked open-source packages. It is used as part of the Contagious Interview campaign to extract authentication tokens, session data, and crypto wallets. Stolen tokens allow attackers to bypass authentication and access corporate systems or customer accounts.\r\nRead technical analysis of OtterCookie\r\nOtterCookie malware analysis inside ANY.RUN’s Interactive Sandbox\r\nThanks to the analysis inside ANY.RUN’s Interactive Sandbox, we can observe the entire attack chain for this malware.
\r\nOtterCookie payload being downloaded from an external server\r\nThe sandbox session shows that attackers use a fake error and a try/catch block to download and run a piece of malicious code responsible for deploying OtterCookie on the system. This is an evasion technique which may escape detection by signature-based solutions.\r\nWith ANY.RUN’s advanced threat tracking, we get notified about the malicious activity and can stop the attack early, keeping our company’s infrastructure secure and free from disruptions.\r\nPyLangGhost RAT\r\nPyLangGhost is a relatively new remote access trojan from Lazarus APT. Delivered via fake interviews or malicious packages, it enables long-term espionage and data theft, compromising trade secrets and customer data. As a result of its activities, businesses may face prolonged downtime during remediation and regulatory fines for data breaches.\r\nRead technical analysis of OtterCookie\r\nA fake error, prompting the user to run a command. Source: BlockOSINT\r\nThe malware has been observed in attacks involving the use of the ClickFix tactic, a trick that presents victims with a fake page instructing them to run a malicious script on their system as a way to solve an error or verify their identity.\r\nANY.RUN’s Interactive Sandbox lets analysts run the malicious script to ensure full detection\r\nIn the case of PyLangGhost, users were often asked to paste and run a command on their computer to fix an issue with their camera. Using the interactivity of ANY.RUN’s sandbox, we can manually perform these actions in an isolated, cloud-based virtual environment to trigger the threat’s execution. The result is malware being installed on the system, as you can see in the analysis.
\r\nANY.RUN’s Interactive Sandbox detects PyLangGhost and its activities in seconds\r\nThe sandbox marks the processes spawned by the threat as malicious, providing analysts with a definitive and actionable verdict for instant incident resolution.\r\nANY.RUN’s Interactive Sandbox collects and displays all IOCs collected during analysis\r\nOnce the investigation is over, we can collect the indicators of compromise (IOCs) gathered by ANY.RUN and use them to create detection rules to spot future attacks in advance.\r\nHow to Identify and Track Lazarus Attacks with Threat Intelligence\r\nTo keep up with the evolution of Lazarus Group’s attacks, we can utilize ANY.RUN’s Threat Intelligence Lookup. It is a free-access database of the latest indicators of compromise (IOCs), behavior (IOBs), and attack (IOAs). This data is extracted from live sandbox analyses of active malware and phishing attacks across 15,000 SOCs, ensuring the indicators are fresh and available quickly after an attack.\r\nTo see examples of Lazarus Group’s recent attacks, we can start with a simple query:\r\nthreatName:”lazarus”\r\nTI Lookup provides fresh sandbox reports on Lazarus attacks\r\nThe service provides us with a list of sandbox sessions with threats attributed to the Lazarus APT. This gives us rich context about the current malware families, TTPs, and campaigns run by the group. For example, as visible from a report from August 17, the OtterCookie malware is still in use.\r\nSuricata IDS rule identifying OtterCookie triggered inside ANY.RUN’s Interactive Sandbox\r\nWe can dive deeper into each report to collect actionable indicators for detection rules and see what threats the North Korean hackers are using right now.
\r\nWith TI Lookup, SOC teams get:\r\nAccelerated Response: Reduce MTTR by quickly understanding threat behavior, objectives, and targets through sandbox analysis.\r\nEnriched Threat Investigations: Gain deeper insight into threats by connecting existing artifacts with real-world attacks.\r\nStronger Proactive Defense: Gather intelligence on emerging threats to act before they cause damage.\r\nImproved Detection Rules: Leverage intelligence from TI Lookup to refine SIEM, IDS/IPS, and EDR rules for stronger proactive defense.\r\nAbout ANY.RUN\r\nOver 500,000 cybersecurity professionals and 15,000+ companies in finance, manufacturing, healthcare, and other sectors rely on ANY.RUN to streamline malware investigations worldwide.\r\nSpeed up triage and response by detonating suspicious files in ANY.RUN’s Interactive Sandbox, observing malicious behavior in real time, and gathering insights for faster, more confident security decisions. Paired with Threat Intelligence Lookup and Threat Intelligence Feeds, it provides actionable data on cyberattacks to improve detection and deepen your understanding of evolving threats.\r\nExplore more of ANY.RUN’s capabilities during a 14-day trial→\r\nSource: https://any.run/cybersecurity-blog/lazarus-group-attacks-2025/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://any.run/cybersecurity-blog/lazarus-group-attacks-2025/"
	],
	"report_names": [
		"lazarus-group-attacks-2025"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7187a642-699d-44b2-9c69-498c80bce81f",
			"created_at": "2025-08-07T02:03:25.105688Z",
			"updated_at": "2026-04-10T02:00:03.78394Z",
			"deleted_at": null,
			"main_name": "NICKEL TAPESTRY",
			"aliases": [
				"CL-STA-0237 ",
				"CL-STA-0241 ",
				"DPRK IT Workers",
				"Famous Chollima ",
				"Jasper Sleet Microsoft",
				"Purpledelta Recorded Future",
				"Storm-0287 ",
				"UNC5267 ",
				"Wagemole "
			],
			"source_name": "Secureworks:NICKEL TAPESTRY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d05e8567-9517-4bd8-a952-5e8d66f68923",
			"created_at": "2024-11-13T13:15:31.114471Z",
			"updated_at": "2026-04-10T02:00:03.761535Z",
			"deleted_at": null,
			"main_name": "WageMole",
			"aliases": [
				"Void Dokkaebi",
				"WaterPlum",
				"PurpleBravo",
				"Famous Chollima",
				"UNC5267",
				"Wagemole",
				"Nickel Tapestry",
				"Storm-1877"
			],
			"source_name": "MISPGALAXY:WageMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434552,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/32fd4ad5f243f8cb30a7ff9baefeadcc276d8bb5.pdf",
		"text": "https://archive.orkl.eu/32fd4ad5f243f8cb30a7ff9baefeadcc276d8bb5.txt",
		"img": "https://archive.orkl.eu/32fd4ad5f243f8cb30a7ff9baefeadcc276d8bb5.jpg"
	}
}