{
	"id": "8618c6ae-8284-4f74-88e2-eaec48fbd962",
	"created_at": "2026-04-06T00:18:08.798532Z",
	"updated_at": "2026-04-10T03:37:09.011841Z",
	"deleted_at": null,
	"sha1_hash": "340f9d8907bfd9cde3fc72712ded0c26af16a7fa",
	"title": "Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1547818,
	"plain_text": "Significant FormBook Distribution Campaigns Impacting the U.S.\r\nand South Korea | Mandiant\r\nBy Mandiant\r\nPublished: 2017-10-05 · Archived: 2026-04-05 14:06:24 UTC\r\nWritten by: Nart Villeneuve, Randi Eitzman, Sandor Nemes, Tyler Dean\r\nWe observed several high-volume FormBook malware distribution campaigns primarily taking aim at Aerospace,\r\nDefense Contractor, and Manufacturing sectors within the U.S. and South Korea during the past few months. The\r\nattackers involved in these email campaigns leveraged a variety of distribution mechanisms to deliver the\r\ninformation stealing FormBook malware, including:\r\nPDFs with download links\r\nDOC and XLS files with malicious macros\r\nArchive files (ZIP, RAR, ACE, and ISOs) containing EXE payloads\r\nThe PDF and DOC/XLS campaigns primarily impacted the United States and the Archive campaigns largely\r\nimpacted the United States and South Korea.\r\nFormBook Overview\r\nFormBook is a data stealer and form grabber that has been advertised in various hacking forums since early 2016.\r\nFigure 1 and Figure 2 show the online advertisement for the malware.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/formbook-malware-distribution-campaigns/\r\nPage 1 of 20\n\nFigure 1: FormBook advertisement\r\nFigure 2: FormBook underground pricing\r\nThe malware injects itself into various processes and installs function hooks to log keystrokes, steal clipboard\r\ncontents, and extract data from HTTP sessions. The malware can also execute commands from a command and\r\ncontrol (C2) server. 
The commands include instructing the malware to download and execute files, start processes,\r\nshutdown and reboot the system, and steal cookies and local passwords.\r\nOne of the malware's most interesting features is that it reads Windows’ ntdll.dll module from disk into memory,\r\nand calls its exported functions directly, rendering user-mode hooking and API monitoring mechanisms\r\nineffective. The malware author calls this technique \"Lagos Island method\" (allegedly originating from a userland\r\nrootkit with this name).\r\nIt also features a persistence method that randomly changes the path, filename, file extension, and the registry key\r\nused for persistence.\r\nThe malware author does not sell the builder, but only sells the panel, and then generates the executable files as a\r\nservice.\r\nCapabilities\r\nFormBook is a data stealer, but not a full-fledged banker (banking malware). It does not currently have any\r\nextensions or plug-ins. Its capabilities include:\r\nKey logging\r\nClipboard monitoring\r\nGrabbing HTTP/HTTPS/SPDY/HTTP2 forms and network requests\r\nGrabbing passwords from browsers and email clients\r\nScreenshots\r\nFormBook can receive the following remote commands from the C2 server:\r\nUpdate bot on host system\r\nDownload and execute file\r\nRemove bot from host system\r\nLaunch a command via ShellExecute\r\nClear browser cookies\r\nReboot system\r\nShutdown system\r\nCollect passwords and create a screenshot\r\nDownload and unpack ZIP archive\r\nInfrastructure\r\nThe C2 domains typically leverage less widespread, newer generic top-level domains (gTLDs) such as .site,\r\n.website, .tech, .online, and .info.\r\nThe C2 domains used for this recently observed FormBook activity have been registered using the WhoisGuard\r\nprivacy protection service. 
The server infrastructure is hosted on BlazingFast.io, a Ukrainian hosting provider.\r\nEach server typically has multiple FormBook panel installation locations, which could be indicative of an affiliate\r\nmodel.\r\nBehavior Details\r\nFile Characteristics\r\nOur analysis in this blog post is based on the following representative sample:\r\nFilename | MD5 Hash | Size (bytes) | Compile Time\r\nUnavailable | CE84640C3228925CC4815116DDE968CB | 747,652 | 2012-06-09 13:19:49Z\r\nTable 1: FormBook sample details\r\nPacker\r\nThe malware is a self-extracting RAR file that starts an AutoIt loader. The AutoIt loader compiles and runs an\r\nAutoIt script. The script decrypts the FormBook payload file, loads it into memory, and then executes it.\r\nInstallation\r\nThe FormBook malware copies itself to a new location. The malware first chooses one of the following strings to\r\nuse as a prefix for its installed filename:\r\nms, win, gdi, mfc, vga, igfx, user, help, config, update, regsvc, chkdsk, systray, audiodg, certmgr, autochk,\r\ntaskhost, colorcpl, services, IconCache, ThumbCache, Cookies\r\nIt then generates two to five random characters and appends those to the chosen string above\r\nfollowed by one of the following file extensions:\r\n.exe, .com, .scr, .pif, .cmd, .bat\r\nIf the malware is running with elevated privileges, it copies itself to one of the following directories:\r\n%ProgramFiles%\r\n%CommonProgramFiles%\r\nIf running with normal privileges, it copies itself to one of the following directories:\r\n%USERPROFILE%\r\n%APPDATA%\r\n%TEMP%\r\nPersistence\r\nThe malware uses the same aforementioned string list with a random string to create a prefix, appends one to five\r\nrandom characters, and uses this value as the registry value name.\r\nThe malware configures persistence to one of the following two locations depending on its 
privileges:\r\n(HKCU|HKLM)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\n(HKCU|HKLM)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\r\nStartup\r\nThe malware creates two 16-byte mutexes. The first mutex is the client identifier (e.g., 8-3503835SZBFHHZ).\r\nThe second mutex value is derived from the C2 information and the username (e.g., LL9PSC56RW7Bx3A5).\r\nThe malware then iterates over a process listing and calculates a checksum value of process names (rather than\r\nchecking the name itself) to figure out which process to inject. The malware may inject itself into browser\r\nprocesses and explorer.exe. Depending on the target process, the malware installs different function hooks (see the\r\nFunction Hooks section for further detail).\r\nAnti-Analysis\r\nThe malware uses several techniques to complicate malware analysis:\r\nTiming checks using the RDTSC instruction\r\nCalls NtQueryInformationProcess with InfoClass=7 (ProcessDebugPort)\r\nSample path and filename checks (sample filename must be shorter than 32 characters)\r\nHash-based module blacklist\r\nHash-based process blacklist\r\nHash-based username blacklist\r\nBefore communicating, it checks whether the C2 server is present in the hosts file\r\nThe results of these tests are then placed into a 16-byte array, and a SHA1 hash is calculated on the array, which\r\nwill be later used as the decryption key for subsequent strings (e.g. DLL names to load). 
Failed checks may go\r\nunnoticed until the sample tries to load the supporting DLLs (kernel32.dll and advapi32.dll).\r\nThe correct 16-byte array holding the result of the checks is:\r\n00 00 01 01 00 00 01 00 01 00 01 00 00 00 00 00\r\nHaving a SHA1 value of:\r\n5b85aaa14f74e7e8adb93b040b0914a10b8b19b2\r\nAfter completing all anti-analysis checks, the sample manually maps ntdll.dll from disk into memory and uses its\r\nexported functions directly in the code. All API functions will have a small stub function in the code that looks up\r\nthe address of the API in the mapped ntdll.dll using the CRC32 checksum of the API name, and sets up the\r\nparameters on the stack.\r\nThis will be followed by a direct register call to the mapped ntdll.dll module. This makes regular debugger\r\nbreakpoints on APIs inoperable, as execution will never go through the system mapped ntdll.dll.\r\nProcess Injection\r\nThe sample loops through all the running processes to find explorer.exe by the CRC32 checksum of its process\r\nname. 
It then injects into explorer.exe using the following API calls (avoiding more commonly identifiable\r\ntechniques such as WriteProcessMemory and CreateRemoteThread):\r\nNtMapViewOfSection\r\nNtSetContextThread\r\nNtQueueUserAPC\r\nThe injected code in the hijacked instance of explorer.exe randomly selects and launches (as a suspended process)\r\na built-in Windows executable from the following list:\r\nsvchost.exe, msiexec.exe, wuauclt.exe, lsass.exe, wlanext.exe, msg.exe, lsm.exe, dwm.exe, help.exe,\r\nchkdsk.exe, cmmon32.exe, nbtstat.exe, spoolsv.exe, rdpclip.exe, control.exe, taskhost.exe, rundll32.exe,\r\nsystray.exe, audiodg.exe, wininit.exe, services.exe, autochk.exe, autoconv.exe, autofmt.exe, cmstp.exe,\r\ncolorcpl.exe, cscript.exe, explorer.exe, WWAHost.exe, ipconfig.exe, msdt.exe, mstsc.exe, NAPSTAT.EXE,\r\nnetsh.exe, NETSTAT.EXE, raserver.exe, wscript.exe, wuapp.exe, cmd.exe\r\nThe original process reads the randomly selected executable from the memory of explorer.exe and migrates into\r\nthis new process via NtMapViewOfSection, NtSetContextThread, and NtQueueUserAPC.\r\nThe new process then deletes the original sample and sets up persistence (see the Persistence section for more\r\ndetail). 
It then goes into a loop that constantly enumerates running processes and looks for targets based on the\r\nCRC32 checksum of the process name.\r\nTargeted process names include, but are not limited to:\r\niexplore.exe, firefox.exe, chrome.exe, MicrosoftEdgeCP.exe, explorer.exe, opera.exe, safari.exe, torch.exe,\r\nmaxthon.exe, seamonkey.exe, avant.exe, deepnet.exe, k-meleon.exe, citrio.exe, coolnovo.exe, coowon.exe,\r\ncyberfox.exe, dooble.exe, vivaldi.exe, iridium.exe, epic.exe, midori.exe, mustang.exe, orbitum.exe,\r\npalemoon.exe, qupzilla.exe, sleipnir.exe, superbird.exe, outlook.exe, thunderbird.exe, totalcmd.exe\r\nAfter injecting into any of the target processes, it sets up user-mode API hooks based on the process.\r\nThe malware installs different function hooks depending on the process. The primary purpose of these function\r\nhooks is to log keystrokes, steal clipboard data, and extract authentication information from browser HTTP\r\nsessions. The malware stores data in local password log files. The directory name is derived from the C2\r\ninformation and the username (the same as the second mutex created above: LL9PSC56RW7Bx3A5).\r\nHowever, only eight bytes from this value are used as the directory name (e.g., LL9PSC56). Next, the first three\r\ncharacters from the derived directory name are used as a prefix for the log file followed by the string log.\r\nFollowing this prefix are names corresponding to the type of log file. 
For example, for Internet Explorer\r\npasswords, the following log file would be created:\r\n%APPDATA%\\LL9PSC56\\LL9logri.ini.\r\nThe following are the password log filenames without the prefix:\r\n(no name): Keylog data\r\nrg.ini: Chrome passwords\r\nrf.ini: Firefox passwords\r\nrt.ini: Thunderbird passwords\r\nri.ini: Internet Explorer passwords\r\nrc.ini: Outlook passwords\r\nrv.ini: Windows Vault passwords\r\nro.ini: Opera passwords\r\nOne additional file that does not use the .INI file extension is a screenshot file:\r\nim.jpeg\r\nFunction Hooks\r\nKeylog/clipboard monitoring:\r\nGetMessageA\r\nGetMessageW\r\nPeekMessageA\r\nPeekMessageW\r\nSendMessageA\r\nSendMessageW\r\nBrowser hooks:\r\nPR_Write\r\nHttpSendRequestA\r\nHttpSendRequestW\r\nInternetQueryOptionW\r\nEncryptMessage\r\nWSASend\r\nThe browser hooks look for certain strings in the content of HTTP requests and, if a match is found, information\r\nabout the request is extracted. 
The targeted strings are:\r\npass\r\ntoken\r\nemail\r\nlogin\r\nsignin\r\naccount\r\npersistent\r\nNetwork Communications\r\nThe malware communicates with the following C2 server using HTTP requests:\r\nwww[.]clicks-track[.]info/list/hx28/\r\nBeacon\r\nAs seen in Figure 3, FormBook sends a beacon request (controlled by a timer/counter) using HTTP GET with an\r\n\"id\" parameter in the URL.\r\nFigure 3: FormBook beacon\r\nThe decoded \"id\" parameter is as follows:\r\nFBNG:134C0ABB 2.9:Windows 7 Professional x86:VXNlcg==\r\nWhere:\r\n\"FBNG\" - magic bytes\r\n\"134C0ABB\" - the CRC32 checksum of the user's SID\r\n\"2.9\" - the bot version\r\n\"Windows 7 Professional\" – operating system version\r\n\"x86\" – operating system architecture\r\n\"VXNlcg==\" - the Base64 encoded username (i.e., \"User\" in this case)\r\nCommunication Encryption\r\nThe malware sends HTTP requests using hard-coded HTTP header values. The HTTP headers shown in Figure 4\r\nare hardcoded.\r\nFigure 4: Hard-coded HTTP header values\r\nMessages to the C2 server are sent RC4 encrypted and Base64 encoded. The malware uses a slightly altered\r\nBase64 alphabet, and also uses the character \".\" instead of \"=\" as the pad character:\r\nStandard Alphabet:\r\nABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\r\nModified Alphabet:\r\nABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_\r\nThe RC4 key is created using an implementation of the SHA1 hashing algorithm with the C2 URL. The standard\r\nSHA1 algorithm reverses the DWORD endianness at the end of the algorithm. This implementation does not,\r\nwhich results in reverse-endian DWORDs. 
For example, the SHA1 hash for the aforementioned URL is\r\n\"9b198a3cfa6ff461cc40b754c90740a81559b9ae,\" but when reordering the DWORDs, it produces the correct RC4\r\nkey: 3c8a199b61f46ffa54b740cca84007c9aeb95915. The first DWORD \"9b198a3c\" becomes \"3c8a199b.\"\r\nFigure 5 shows an example HTTP POST request.\r\nFigure 5: Example HTTP POST request\r\nIn this example, the decoded result is:\r\nClipboard\\r\\n\\r\\nBlank Page - Windows Internet Explorer\\r\\n\\r\\ncEXN{3wutV,\r\nAccepted Commands\r\nWhen a command is sent by the C2 server, the HTTP response body has the format shown in Figure 6.\r\nFigure 6: FormBook C2 server response with command\r\nThe data begins with the magic bytes \"FBNG,\" and a one-byte command code from hex bytes 31 to 39 (i.e., from\r\n\"1\" to \"9\") in clear text. This is then followed by the RC4-encoded command data (where the RC4 key is the same\r\nas the one used for the request). 
In the decrypted data, another occurrence of the magic FBNG bytes indicates the\r\nend of the command data.\r\nThe malware accepts the commands shown in Table 2.\r\nCommand Parameters (after decryption) Purpose\r\n'1' (0x31) \u003cpe_file_data\u003eFBNG Download and execute file from %TEMP% directory\r\n'2' (0x32) \u003cpe_file_data\u003eFBNG Update bot on host machine\r\n'3' (0x33) FBNG Remove bot from host machine\r\n'4' (0x34) \u003ccommand_string\u003eFBNG Launch a command via ShellExecute\r\n'5' (0x35) FBNG Clear browser cookies\r\n'6' (0x36) FBNG Reboot operating system\r\n'7' (0x37) FBNG Shutdown operating system\r\n'8' (0x38) FBNG Collect email/browser passwords and create a screenshot\r\n'9' (0x39) \u003czip_file_data\u003eFBNG Download and unpack ZIP archive into %TEMP% directory\r\nTable 2: FormBook accepted commands\r\nDistribution Campaigns\r\nFireEye researchers observed FormBook distributed via email campaigns using a variety of different attachments:\r\nPDFs with links to the \"tny.im\" URL-shortening service, which then redirected to a staging server that\r\ncontained FormBook executable payloads\r\nDOC and XLS attachments that contained malicious macros that, when enabled, initiated the download of\r\nFormBook payloads\r\nZIP, RAR, ACE, and ISO attachments that contained FormBook executable files\r\nThe PDF Campaigns\r\nThe PDF campaigns leveraged FedEx and DHL shipping/package delivery themes (Figure 7 and Figure 8), as well\r\nas a document-sharing theme. 
The PDFs distributed did not contain malicious code, just a link to download the\r\nFormBook payload.\r\nThe staging servers (shown in Table 3) appeared to be compromised websites.\r\nFigure 7: Example PDF campaign email lure with attachment\r\nFigure 8: Example PDF campaign attachment\r\nSample Subject Lines:\r\n\u003cRecipient’s_Name\u003e - You have a parcel awaiting pick up\r\n\u003cRecipient’s_Name\u003e – I shared a file with you\r\nShortened URLs:\r\ntny[.]im/9TK\r\ntny[.]im/9Uw\r\ntny[.]im/9G1\r\ntny[.]im/9Q6\r\ntny[.]im/9H1\r\ntny[.]im/9R7\r\ntny[.]im/9Tc\r\ntny[.]im/9RM\r\ntny[.]im/9G0\r\ntny[.]im/9Oq\r\ntny[.]im/9Oh\r\nStaging Servers:\r\nmaxsutton[.]co[.]uk\r\nsolderie[.]dream3w[.]com\r\nlifekeeper[.]com[.]au\r\nbrinematriscript[.]com\r\njaimagroup[.]com\r\nTable 3: Observed email subjects and download URLs for PDF campaign\r\nBased on data from the tny.im-shortened links, there were a total of 716 hits across 36 countries. As seen in Figure\r\n9, most of the malicious activity from the PDF campaign impacted the United States.\r\nFigure 9: Geolocation statistics from tny.im URL shortener\r\nThe DOC/XLS Campaigns\r\nThe email campaigns distributing DOC and XLS files relied on the use of malicious macros to download the\r\nexecutable payload. When the macros are enabled, the download URL retrieves an executable file with a PDF\r\nextension. 
Table 4 shows observed email subjects and download URLs used in these campaigns.\r\nSample Subject Lines:\r\n61_Invoice_6654\r\nACS PO 1528\r\nNEW ORDER - PO-074\r\nNEW ORDER - PO#074\r\nREQUEST FOR QUOTATION/CONTRACT OVERHAUL\r\nMV OCEAN MANTA//SUPPLY P-3PROPELLER\r\nURGENT PURCHASE ORDER 1800027695\r\nStaging Server:\r\nsdvernoms[.]ml\r\nURL Paths:\r\n/oc/runpie.pdf\r\n/sem/essen.pdf\r\n/drops/microcore.pdf\r\n/damp/10939453.pdf\r\n/sem/essentials.exe\r\n/oc/runpie.pdf\r\n/sem/ampama.pdf\r\n/js/21509671Packed.pdf\r\n/sem/essen.pdf\r\nTable 4: Observed email subjects and download URLs for the DOC/XLS campaign\r\nFireEye detection technologies observed this malicious activity between Aug. 11 and Aug. 22, 2017 (Figure 10).\r\nMuch of the activity was observed in the United States (Figure 11), and the most targeted industry vertical was\r\nAerospace/Defense Contractors (Figure 12).\r\nFigure 10: DOC/XLS campaign malicious activity by date\r\nFigure 11: Top 10 countries affected by the DOC/XLS campaign\r\nFigure 12: Top 10 industry verticals affected by the DOC/XLS campaign\r\nThe Archive Campaign\r\nThe Archive campaign delivered a variety of archive formats, including ZIP, RAR, ACE, and ISO, and accounted\r\nfor the highest distribution volume. 
It leveraged a myriad of subject lines that were characteristically business\r\nrelated and often regarding payment or purchase orders:\r\nSample Subject Lines\r\nHSBC MT103 PAYMENT CONFIRMATION Our Ref: HBCCTKF8003445VTC\r\nMT103 PAYMENT CONFIRMATION Our Ref: BCCMKE806868TSC Counterparty:.\r\nFwd: INQUIRY RFQ-18 H0018\r\nFw: Remittance Confirmation\r\nNEW ORDER FROM COBRA INDUSTRIAL MACHINES IN SHARJAH\r\nPO. NO.: 10701 - Send Quotaion Pls\r\nRe: bgcqatar project\r\nRe: August korea ORDER\r\nPurchase Order #234579\r\npurchase order for August017\r\nFireEye detection technologies observed this campaign activity between July 18 and Aug. 17, 2017 (Figure 13).\r\nMuch of the activity was observed in South Korea and the United States (Figure 14), with the Manufacturing\r\nindustry vertical being the most impacted (Figure 15).\r\nFigure 13: Archive campaign malicious activity by date\r\nFigure 14: Top 10 countries affected by the Archive campaign\r\nFigure 15: Top 10 industry verticals affected by the Archive campaign\r\nConclusion\r\nWhile FormBook is not unique in either its functionality or distribution mechanisms, its relative ease of use,\r\naffordable pricing structure, and open availability make FormBook an attractive option for cyber criminals of\r\nvarying skill levels. In the last few weeks, FormBook was seen downloading other malware families such as\r\nNanoCore. 
The credentials and other data harvested by successful FormBook infections could be used for\r\nadditional cyber crime activities including, but not limited to: identity theft, continued phishing operations, bank\r\nfraud and extortion.\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/formbook-malware-distribution-campaigns/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/formbook-malware-distribution-campaigns/"
	],
	"report_names": [
		"formbook-malware-distribution-campaigns"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434688,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/340f9d8907bfd9cde3fc72712ded0c26af16a7fa.pdf",
		"text": "https://archive.orkl.eu/340f9d8907bfd9cde3fc72712ded0c26af16a7fa.txt",
		"img": "https://archive.orkl.eu/340f9d8907bfd9cde3fc72712ded0c26af16a7fa.jpg"
	}
}