{
	"id": "5a429b80-c125-40e5-ba7f-44e6cf1128d3",
	"created_at": "2026-04-06T00:17:23.982174Z",
	"updated_at": "2026-04-10T03:38:20.311766Z",
	"deleted_at": null,
	"sha1_hash": "361d650df3dc4c1a0982463e10fe30f31c4eeef5",
	"title": "Analytics",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1268030,
	"plain_text": "Analytics\r\nBy Positive Technologies\r\nPublished: 2019-08-22 · Archived: 2026-04-05 18:49:41 UTC\r\nIntroduction\r\nIn the course of cyberincident investigations and threat analysis research, Positive Technologies experts have identified activity by a criminal group whose aims include theft of confidential documents and espionage. In this report, we take a close look at the tools, techniques, and procedures employed by the group and share indicators of compromise for detecting attacks.\r\nObjectives\r\nThe main objective of the group is to steal confidential information. The attackers attempt to burrow into corporate information systems for extended periods and obtain access to key servers, executive workstations, and business-critical systems.\r\nAt one of the attacked companies, the earliest traces of the group's presence on the infrastructure dated to 2010. Since the group had obtained full control of some servers and workstations by that time, the initial breach must have occurred much earlier.\r\nMost of the attacked companies relate to manufacturing and industry. In total, we are aware of the compromise of over 30 companies and organizations in various sectors, including:\r\nManufacturing and industry\r\nEnergy\r\nGovernment\r\nScience and technology\r\nSystems integration\r\nSoftware development\r\nGeology\r\nTransport and logistics\r\nReal estate\r\nConstruction\r\nhttps://www.ptsecurity.com/ww-en/analytics/operation-taskmasters-2019/\r\nPage 1 of 32\r\nThe group attacked companies in a number of countries.
A significant number of their targets were located in Russia and the CIS.\r\nAttribution\r\nThe group was identified by the PT Expert Security Center in 2018. It used an unusual method for lateral movement on network infrastructure: creation of tasks in the Task Scheduler. As a result, the group has been dubbed TaskMasters.\r\nThe GitHub code of the ASPXSpy2014 web shell, which was used in the attack process, contains references to Chinese developers (see Figure 1). However, the version we discovered instead contains a reference to google.ru.\r\nFigure 1. ASPXSpy: public version vs. version used in attack\r\nThe requests sent to the web shells contained IP addresses belonging to a hosting provider and a printing house in Eastern Europe. However, the event log of the proxy server at one of the attacked organizations captured the moment when the attackers switched to the residential Chinese IP address 115.171.23.103. This was most likely caused by a software VPN going offline during the attack.\r\nFigure 2. Lookup of IP address 115.171.23.103\r\nThe attackers used a copy of WinRAR that had been activated with a key widely distributed on Chinese-language web forums.\r\nFigure 3. WinRAR license key published on Chinese-language forums\r\nOne of the tasks made use of the domain Brengkolang.com, which had been registered through a Chinese registrar.\r\nFigure 4. Information about Brengkolang.com\r\nMany of the utilities contain error messages and other debugging information in broken English. This would be consistent with English being a second language for the developers.\r\nFigure 5.
Error messages written in broken English\r\nIn addition, some of the attackers' self-developed utilities contain the string \"by AiMi\". This artifact is present in both client backdoors and server components.\r\nFigure 6. Reference to the developers in the script interface\r\nIn a previous report, we noted that demand for malware development on the darkweb significantly exceeds supply [1]. As a result, malware is increasingly available to anyone willing to pay.\r\nThe growing malware supply has pushed cybercriminals to use ready-made tools, which significantly complicates attack attribution.\r\nIf different cybercriminals use the same services, they could be mistakenly thought to be in the same group. The same problem applies to determining the attackers' country. Code comments in any particular language only mean that the malware was created by a speaker of that language, who may have sold it afterward. Phishing messages, which may have been written sloppily, are also problematic for attribution. The bottom line is that surefire identification is possible only when attackers use exclusive exploits and malware.\r\nMethods\r\nThe overall attack vector is rather traditional. After reaching the local network, the attackers study the infrastructure, exploit system vulnerabilities (such as CVE-2017-0176), and then download a particular toolkit to compromised hosts and unpack it (we will call the toolkit TaskMasters, the same name as for the group itself). With this toolkit, they search for, copy, and archive files of interest.
The files are then sent to command and control (C2) servers.\r\nFor lateral movement on the network, the attackers run system commands on remote hosts via the AtNow utility, which enables running software and commands at pre-set intervals of time. For managing hosts, they use small backdoors that connect to C2 servers. Backup communication methods exist as well, in the form of web shells on external resources (such as an Exchange server).\r\nFigure 7. Attack scheme\r\nSTAGE 1. Attack on workstations\r\nPayoff for attackers:\r\nSensitive documents\r\nRemote administration\r\nUser credentials\r\nSTAGE 2. Attack on domain controllers\r\nPayoff for attackers:\r\nPrivileged account credentials\r\nEase and stealth in lateral movement\r\nUser credentials\r\nSTAGE 3. Attack on file, database, and application servers\r\nPayoff for attackers:\r\nSensitive documents\r\nUser credentials\r\nSTAGE 4. Attack on servers and workstations of executives, IT and security staff\r\nPayoff for attackers:\r\nFull compromise of network\r\nKnowledge of infrastructure and cybersecurity solutions in place\r\nUser credentials\r\nThe group uses Dynamic DNS infrastructure for its domains. It also makes active use of supply chain attacks.\r\nTo scan the network and compromise systems, the attackers use both software available freely online (such as NbtScan, PWDump, and Mimikatz) and custom-developed utilities. At this point, we will proceed to describe the TaskMasters arsenal in more detail.\r\nTools\r\nThe following tables are a compilation of information about software used by the group.
Utilities developed by the group itself have been listed in a separate table.\r\nRemShell\r\nMain malware for remote command execution on infected hosts. Key features:\r\nRunning commands on a host in the form cmd.exe /c \u003ccommand\u003e with a call to CreateProcessA, and sending the results to the C2 server\r\nSending attacker-specified files to the server\r\nDownloading files from the server\r\nGetDir\r\nUtility for viewing files on accessible remote network resources with a username and password.\r\nFCopy\r\nUtility for copying files by means of direct disk access. Can even copy files that are locked by other processes.\r\nService utility\r\nUtility for installing and removing services. Alternative to the system utility sc.exe.\r\nPst utility\r\nUtility for extracting emails from Personal Storage Table (*.pst) files, which are used by Microsoft Exchange Client, Windows Messaging, and Microsoft Outlook.\r\nEnumLogonSession utility\r\nUtility for listing active user sessions on a local host.\r\nTimestampChange\r\nUtility for changing the timestamp of the indicated file to equal the timestamp of %WINDIR%\\System32\\kernel32.dll. Designed to complicate investigators' search for forensic artifacts.\r\nHTTP ping\r\nUtility for checking the HTTP accessibility of a resource from remote computers. Interfaces with remote machines via scheduled tasks and shared network resources.\r\nLoggedOnUsers\r\nUtility for getting the list of users who are currently logged in.\r\nRedirect ports\r\nUtility for redirecting network connections from a certain host and TCP port combination to a different one. In effect, a primitive proxy server.\r\nHostUserList\r\nUtility for enumerating users on a network host.\r\nTFS\r\nUtility for uploading files to a C2 server.\r\nZB\r\nUtility for capturing network traffic.
Records all captured traffic in PCAP format.\r\nWIPCS\r\nUtility for copying a specified file to a remote shared network resource.\r\n404-input-shell (web shell)\r\n.NET-based web shells for running commands. Functions include:\r\nRunning system commands\r\nDownloading files to the server\r\nUploading files from the server\r\nAuthenticating with an MD5 hash (detailed in the text of this report)\r\nTable 2. Publicly available software\r\nNAME*: AtNow\r\nEXAMPLES OF USE*: APT18, APT29, APT32, RTM, Cobalt Group\r\nDESCRIPTION: Utility for creating local or remote scheduled tasks, which run within 70 seconds of being scheduled. Main utility used by the attackers for lateral movement. Part of the utility suite from NirSoft.\r\nNAME*: PWDump\r\nEXAMPLES OF USE*: APT1, FIN5\r\nDESCRIPTION: These utilities are intended for extracting the LM or NTLM hashes of account passwords in Windows (SAM). Most of the code for these programs is open-source and freely available.\r\nNAME*: GsecDump\r\nEXAMPLES OF USE*: APT1, TG-3390 (APT27)\r\nDESCRIPTION: Utility for extracting password hashes from SAM and Active Directory. Freely distributed.\r\nNAME*: HTran\r\nEXAMPLES OF USE*: APT27\r\nDESCRIPTION: Utility for redirecting traffic from the specified port of the current host to a particular port on another host. In effect, acts as a SOCKS proxy server.
Freely distributed.\r\nNAME*: NbtScan\r\nEXAMPLES OF USE*: TG-3390\r\nDESCRIPTION: Scanner for detecting openly accessible NetBIOS name servers on the local TCP/IP network, which allows finding accessible network shares on hosts.\r\nNAME*: RAR\r\nEXAMPLES OF USE*: APT1, Daserf, Lurid, TG-3390\r\nDESCRIPTION: WinRAR. Used for packing, both to stage collected information on the target infrastructure and to send this information to the attackers' server.\r\nNAME*: ASPXSpy2014 (web shell)\r\nEXAMPLES OF USE*: TG-3390\r\nDESCRIPTION: Capabilities of this feature-rich web shell include: authentication with MD5 hash; file manager; file search; running of system commands; running of WMI queries; self-removal; process killing; copying of file timestamps; enumeration of processes; enumeration of services; scanning of network ports; running of SQL queries; uploading files from server; downloading files to server. The web shell is detailed in the text of this report.\r\nNAME*: Mimikatz\r\nDESCRIPTION: Utility for extracting authentication information from memory on Windows operating systems: plaintext passwords, password hashes, Windows PIN codes, and Kerberos tickets. Can also perform attacks such as pass-the-hash and pass-the-ticket. Freely distributed.\r\nNAME*: ProcDump\r\nEXAMPLES OF USE*: APT1, APT28, Ke3chang, Lazarus Group, TG-3390\r\nDESCRIPTION: Utility for creating process dumps. Part of Sysinternals Tools.\r\nNAME*: PSExec\r\nDESCRIPTION: Utility for remote command-line management of network hosts. Part of Sysinternals Tools.\r\nNAME*: PSList\r\nDESCRIPTION: Utility for viewing a list of processes currently running in the operating system.
Part of Sysinternals Tools.\r\nEXAMPLES OF USE*: Ke3chang, BlackEnergy, APT10, APT33, APT34, APT35\r\nNAME*: DbxDump Utility\r\nDESCRIPTION: Utility for extracting data from *.dbx files, which store Outlook Express folders. Alternative build of the dbx_utils source code from the Lucian Wischik utility suite.\r\nNAME*: PortScan\r\nDESCRIPTION: Program for scanning open ports at a specified IP address or range of IP addresses. Multithreaded scanning.\r\nNAME*: reGeorg (web shell)\r\nDESCRIPTION: A web shell that acts as a SOCKS proxy server and complements reDuh, which is used for TCP tunneling over HTTP.\r\nNAME*: jsp File browser (web shell)\r\nDESCRIPTION: A Java Server Pages web shell for performing simple file operations, such as copying, creating, and deleting files. Also supports downloading files as a *.zip archive.\r\n* Links to publicly available software and examples of use are given in the Software links and references section at the end of this report.\r\nTechnical details\r\nRemShell\r\nThe main software used by the TaskMasters group, RemShell controls infected hosts and consists of two components:\r\nRemShell Downloader (downloader)\r\nRemShell (main functionality)\r\nLet's look closely at each component.\r\nRemShell Downloader\r\nThis component delivers the main payload to the target system. A flowchart illustrating the downloader's operation is given in Figure 9.\r\nThe downloader accesses an HTML page (the address is set in the downloader's code) and reads the Attribute value of the html tag (see Figure 10). This value is then decrypted. Depending on the value, the downloader either switches to sleep mode or saves the PE file to disk and launches it. The PE file is the payload, containing the main RemShell Trojan.\r\nFigure 9.
RemShell Downloader flowchart\r\nFigure 10. Example HTML file\r\nThe downloader contains a string used for comparison purposes, in order to locate the fragment of the HTML source that holds the Attribute value (see Figure 11).\r\nFigure 11. Substring in HTML file for search purposes\r\nWe also analyzed the payload encryption process. It consists of four stages:\r\n1. Key preparation (RC4KeyPrepare), with each byte XORed against a constant string.\r\n2. Base64 encoding.\r\n3. RC4 encryption.\r\n4. ZLIB compression.\r\nIn the downloader code, inside the entry for the RC4 key used for decryption, our experts uncovered friendly wishes from the developers (see Figure 12).\r\nFigure 12. RC4 key\r\nRemShell\r\nAs the main malware used to control infected hosts, RemShell offers attackers several capabilities:\r\n1. Remote control via cmd shell.\r\n2. Downloading of files to the remote host.\r\n3. Uploading of files from the remote host to the C2 server.\r\nNote that the malware has two C2 servers. The first C2 server acts as a middleman or proxy that, when requested by the malware, provides the address of the main C2 server. The first C2 server can also send a command to hand the malware off to another C2 proxy server. Since all such changes occur only in memory, after a restart the malware will again contact the C2 proxy server whose address is hard-coded in the malware. Note that the malware will not operate until it receives the address of the main C2 server (see Figure 13).\r\nFigure 13. Handoff from the first C2 server to the main C2 server\r\nWe found a number of variations of the malware. For example, some variations lacked the command to upload files from a host to the C2 server.
In these cases, the attackers used a custom-developed utility to exfiltrate files. Other variations had commands added to enumerate running processes and kill processes by PID (process ID).\r\nConfiguration data (such as the address of the C2 proxy server, port, and user agent) was encrypted with RC4 and stored as constants in the malware code (see Figure 14).\r\nFigure 14. Generation of the key used for network interaction and decryption of configuration data\r\nTraffic between the C2 servers and the malware was encrypted with RC4 and additionally encoded with Base64. The RC4 key is generated by calculating an MD5 hash of a constant string. The output of commands from the C2 server is sent as an HTTP request to a URL with the atypical prefix \"1111\".\r\nThe malware also contains a heartbeat mechanism: at random intervals, the malware sends an HTTP request that contains the output of the hostname command to the specified URL address, with the atypical prefix \"0000\" (see Figure 15).\r\nFigure 15. Heartbeat\r\nC2 servers\r\nThe server for managing malware infections consists of console ELF files. Figure 16 shows the main loop from the server code, with original function names intact.\r\nFigure 16. Main loop of TaskMasters server code\r\nThe interface for server management is implemented as a web shell, supporting the commands listed in Figure 17.\r\nFigure 17. Reference list of server commands\r\nThe server keeps a detailed log of all commands sent to the remote host. The log files are stored on disk in encrypted form; encryption of the log files uses the RC4 algorithm (see Figure 18).\r\nFigure 18.
Writing to log file\r\n404-Input-shell web shell\r\nThe window for logging in to the web shell is disguised as a standard IIS 404 error page. To access the command line and run commands, the attacker must first enter the password. The field for entering the password is hidden: viewing it requires double-clicking the word Back.\r\nFigure 19. Error 404 web shell (with hidden password entry form)\r\nListing 1. Event code for displaying the password entry field\r\nFigure 20. Error 404 web shell (with visible password entry form)\r\nThe attackers logged in with the password 0p;/9ol., which is the same password they used for encrypting archives. The web shell code contains the MD5 hash of this password.\r\nListing 2. Code of the Error 404 web shell\r\nIn our investigations, we uncovered a total of three modifications of this web shell with differing functionality, as illustrated in the following screenshots.\r\nFigure 21. Error 404 web shell (modification only for uploading files from server)\r\nFigure 22. Error 404 web shell (modification only for running OS commands)\r\nConclusion\r\nOur findings confirm that cyberattacks pose a real threat to companies across the board, not just banks and financial institutions. In cases such as those outlined here, attackers are motivated not by financial gain, but by access to data and control of information flows.\r\nThe priority of attackers in these espionage campaigns was long-term stealth on target infrastructure. Victims are usually unaware that they have been attacked.
They tend to not have protection systems or skilled security\r\nprofessionals in place, and because there are no \"red flags\" indicating compromise (theft of funds, encrypted hard\r\ndisks, ransom demands, or clear losses to the business), the cyberincident remains unnoticed.\r\nTo determine how to protect systems—and most importantly, from whom—incident investigators must carefully\r\nconsider and analyze the techniques used. When gauging potency, it can be more useful to look at attackers'\r\nmistakes (within the target infrastructure) than at their toolkit. Unfortunately, not all companies are prepared in\r\ncase of a hack or major incident to perform an investigation and round up all artifacts, reconstruct the kill chain,\r\nand analyze the actions of attackers on infrastructure.  But in the hands of a highly qualified team with the\r\ncapacity to make recommendations for infrastructure protection, incident investigation can have a two-fold\r\nbenefit: the company's level of protection is improved and future attackers will have to contend with a hardened\r\ntarget environment.\r\nIndicators of compromise\r\nFile names\r\nhttps://www.ptsecurity.com/ww-en/analytics/operation-taskmasters-2019/\r\nPage 25 of 32\n\nHash values\r\n02E5BF4227F94E72C401EF8A052F61C370C1DCFBB4695E432CCD2982BBF529E9\r\n039C1FAF0F37F47908B213C00D1EE595ADE0E058E252596E0C92979A2B7B4143\r\n03F96088C715C06BAA00492A0A4EB5BB0D00A9DAA12F507FF77BB292ACDD5E70\r\n05732E84DE58A3CC142535431B3AA04EFBE034CC96E837F93C360A6387D8FAAD\r\nhttps://www.ptsecurity.com/ww-en/analytics/operation-taskmasters-2019/\r\nPage 26 of 
32\n\n0DC5C83DA6281E026F0E05652FF7C0701F9690B43A12C661F9E077E9B365C94D\r\n11B06FC4DBACC2357D7F277E302BE9C3CE907B9FD91FFD8E847D0AFB86EEC1E2\r\n1257539E1D64D3B646C4016332338041FD11AFB3C3BBE3C1B9F1A3580968D722\r\n129CF0573D54447FA4985BC26C8A6F0CAF41F239A3E3605137ECC1365B828166\r\n12A56D1DFE0D3ED044FB1CAB55C5F444FD98835761CE2B3F7A8EA8AC2389B9AF\r\n16E2A78AB2CCB064C1F35A89CFB4BD64491AE97D48BD1E90124E1162F2804147\r\n16F413862EFDA3ABA631D8A7AE2BFFF6D84ACD9F454A7ADAA518C7A8A6F375A5\r\n1743C9DB17AA0B6D58BE9EED32330C5C0099E364D402316AF9C40AB7CAAC1BFF\r\n1789D39A2312199A41783C289D20AD655B9F4273730FE159B70E411BA4B600C0\r\n1827B320F931F6CF653A18577255E8E300D073F17FAACE10A3C75D0575D3E744\r\n18C213F57520461FC5E279B3756B6BF91ECF172E7921D50EB5A6A1D276D9A559\r\n1977D9F301ABC22E228F53386831BB1238C0BAADFFFD25C8313BFEFB20BB7E22\r\n19BD3D0A545EDA42E7F7E202BED8A69BAE101DE84B9ABCD1C32E73D9D1BF7E5E\r\n1BAAA8BC49B1FC28C423601C8DE57DBAEF93E83BAFE24495E3EF1E69B9A0B252\r\n1CE3CD926981C57F6F8374505C820A566BFE019639388DC2F10F37848E0DFD22\r\n1D867802F3A5A21A4E47E5DCC19CBA0361E7ADC943F7254D68373B132CCFF5B2\r\n1E36E7CC7EFFFAE741FFF6F6767A1119956290CA25DC56CF6408122608A8E0B7\r\n1ECD8EEC4B37234A6F7574863BD2DE4E68A657689DA2E08A9FBB5CEFBF2DA929\r\n20B5EDBA5804AAA4A3F75582F289F44005DB7391783588261AD7BCFB245B8807\r\n2216524BDBEBBBCFF6BBEB7BA0A138A4870A960ADB4CF848777DFF9DF9BFDD9F\r\n22D5ED5378BAAB14F70B6E1AB52365CEFEEC2436DDB9A5162350EB426939E2AB\r\n24CE0093EE095036A6AC214F84CCF3E5D041778A560EC62A557857F0B848CD7A\r\n2626B49EE4C59421D4731D1EEC153C87EC01763D8DF42BA903BDF269249B6279\r\n27000CB784D047F664F372E2AF1A61A0B5E9C557E215F524F5589D0FBF5A7116\r\n2725D22E16CB7E7588A7FA644723B3050D598857F3892EE33511E5B055DEA3C6\r\n28AEDF8050D2AB7A4B5028746C714023087D1F5B5767F5A6C3E1AAEA7441391B\r\n2A0760E9EEC9C3957FF78F0D8DB8DC17D92B80D1E4DC649B2886DC6A0C234187\r\n2C24EE33CA77D1C03DA75BB465019DD8778497F6E57FC06D0DA08D0DE8A2872A\r\n2C36CE8D1754145243C8C44475408018F7BE4377343019E12026BDCB712D5CB3\r\n2C96C4D32BDC02FF89ABE4
DDC9A18FDB4E5E3BE0ED5FAC561A3BE8622F17B131\r\n2F3C52F9C858D38B6964B9DE37A97C251892DB941117BF6C47743272DD133AC8\r\n32AEE4C9B886CF026D55C8DE703AF5C5469CD0B2CE6CFB67E039F7C347221F92\r\n339828A0516652DC5BC61B72602DF017D6A10DB78773309E9951197AB40A2313\r\n33B06CB06E1034FAC0EA27995BD2C10CC8645D082E900BB5256C4F045403483D\r\n3470407F1F5C445660978F8990B1F515E77210AAF7314B1F407DD76C4CA1E874\r\n3497B28C5652BEE5B205818BE6C5CB90B8C8CA4BFEA0EE0817AF55E7C339FD6A\r\n35A45A79D9F3EE66DC81A8329A111FDF16A1D55D2DE8A43CAEBD5A39A04050A9\r\n36C42BDDAC7A187D82A16CD13BE8B94C47066BEEE8E0CE4E02C97FFA4B578CC3\r\n375B40C30DA648EABFBCECDC6E6392673963EAE99A73518933ABB9FA7FCC9BCE\r\n378344BE58D2277C2456825B14E008F97330C37A8AF876D18B5E9EDF568F30C8\r\n38499A5289DCD333CB50EB7AAC9886448E7B2D3792516E8ECD938A2279E5ACE1\r\n3877A9167494D8D344A0C49274C1E4F91B4C35398E74A9B941303D35822A7AEB\r\nhttps://www.ptsecurity.com/ww-en/analytics/operation-taskmasters-2019/\r\nPage 27 of 32\n\n395D40D5AB54E009A02D990A37327A477E60530C83242C3E1DE1DDE26DB7666F\r\n39D021EF22F95E8C301533E7BCA0B12B8E14909F1C4B3ED6C9B1F03D610CFBA0\r\n3A39CD5CB362188DE53B702FEC934523C27123B080803B1B8A859E288AC353DD\r\n3B178C063372245C8A6CFD4F059FB43C0BE08BFB49209096CE38E379BF521669\r\n3BA85E2C2E40FC60D62214B85FE3C46BFD11ECDABF7506A3FADD81A7360029CF\r\n3CE4B936BDB3469057CC193DFCA58EF6AE28F8B4355285AB6E97CC7457EC3CAD\r\n3D75740A1DB7A259345E100CCEE3E3CEA3ED46D707804438F2C6884197A64076\r\n3F8B447A2C0C1E677CD77481875861FD2D75B82056B129F163463B5225A6369E\r\n40361A025DED3E83A206277DE2D1A24C58932964E23D0CF7D2A2FAD287192EB7\r\n413AA698E2EDB042A3FEE76EF015A1A610F54F1502CA21F7F95A19AD2EB352D6\r\n41428673B20408C052FFF5C6E8E06DD9AAD4F151394FD248A81462D3E7416777\r\n42829129B396465F0355B88E1A4FCBD62E1DB26D6A226DA5FD045314C9DE57A9\r\n439EEEAB09BC8F7FCB65BC221D50D13989F00746F4B155516086620186C785E0\r\n4417C224C82A7DF33AF41DC4D9A07DC6955A531432048C6FD9874E48D6502D18\r\n446F84069E825062D1D56971B7578361EBC4FEB1988950701065D9C18A3E7941\r\n457E509889288C9523EBC133368
2A9D9B3D913F9D49F8ED5E24ADD9CE2C813F4\r\n45EF65B99D5970C736CA5C5D84C4D335107A7F4C9C42D57CB02809819FEC722F\r\n49BBE9EF463AE3BE170016282FB34BAAF643232FDD00EC10E94C6FE3ECB5047A\r\n4CF787E9B2D3FE6E38476D280A066F0C6E7A452C14B077903009BE16BC373E0B\r\n4EAF82CC6F13A0F97CBAB23F2ACF86523768EA09F8A6172DD31DB9EF59ABF8CD\r\n4EB28758D50CBB661C0AA3DF9260D7F8214B1D74AB623B07B50CF1A98E019D52\r\n597FD8D8BF5078C2E3BCEB4B64EC88985DA9D8976B24C4D49792950BA2F79CCF\r\n5A15A3692EDB61202F1AFB8E5DA1D6F1FE73183644EFF3A38EBB69D9811783CE\r\n5A19EB4140A5871E409A6BAD547035622A0F4FF993E3D8DAA76CFC25338ACDA6\r\n5B3F3655C5683596394C44A52E002C08DFE1DA688C116DEDF0DE1C859D334B4C\r\n5BBF07235C668683B3CF1B2DFF1F815BC760A195AE7CFD62948A6EBF24F2D204\r\n5CC12AD9E80C6654D7B6C07D40EACE36CE6B6E1806BE81A50FE6BD94AECF255B\r\n5D5113B9FF6D52048E964E6C6DACA6152448AD43D809BCE29B2EF193ADE2A51A\r\n5ECCC046835C58CEA560566F6DA47D424A994773EE3A05FBF429D3C9DDE0AD7C\r\n5ECCCB17C7A529C8066F353BFAE342E9E27A1C1E8916F199E539E359757B11C5\r\n5F1D61F09D461CE6860B92C1E8D6410F511BA3428C1442364C9E052A97C48F75\r\n6195ED2380118A50740FC7CB3CB646128BDDA649FFC1F51F34E208BFC0F2D3CF\r\n6324E31D90E7CCFF78F3311A067373828D764B5EE7F1A9224E01FCFD2AA0C717\r\n63AE495D981E1EC36A32D989C2D414C03094CCBB7F5438498AF5BE8AC8E22882\r\n63B1E09BE45AB14596AA4C1F2EE406FF3E275CAEB16EBE0FD44C520BFE6B78FF\r\n6414A7DC658DA05ED0F1C3814256B9729E55560110AD46FD5E6FADEC2AA66A2C\r\n69CE2CD26E72AC68C362733D5186AB22F9266E9530C80477FAE2454631373973\r\n6BA6052F2074318E094CEEEFCD8A661EE89E178795CB3ED66BE8DAD787D695D0\r\n6BC4497B86DF521B413E4574F4CD4289C986348D2A69DA1945FF1A1784DB05DB\r\n7310A400D6CC9435323407F1E1FA9307069DE6A54A61EA39E05D161E8BB1EC38\r\n74CC653D34FBB5CE9CF6F80261E5B096C5F77939F06CABC9F0258C43751A3FDF\r\n79D531F0676A3EA00217F66FD84E2E101B6258816987E8A9FB2E5B59834A3700\r\nhttps://www.ptsecurity.com/ww-en/analytics/operation-taskmasters-2019/\r\nPage 28 of 
32\n\n7AD0FA474C9D85B29A76E2D3AB28DEA27EC86D1DB63F423F276D63F345372DF8\r\n830D032697691B6819EAED2E65BBD60CFC95B935CA4CBA0784A9CA07E117962A\r\n84BE0E1CD0A8FD4231657BAA7EBF7DF2D0193AC0EC86E2115F0CA96FE5AF5391\r\n852F4A10F3077F5285A345E0CC5B24C23904C1EA81D289879C1B7A9FF8A3886A\r\n87103C8C2C26310C01545501808DA8375B1393C5666C0D3EE0532436A0787024\r\n8729E9ACC699A2663C3526C2592B6A65EB581C18E90FD658D24EBC27A145006A\r\n8864395A61E6301DE16A1BC1E44BA81EEF50F381C5C5BA96B775125D9CFE9BB5\r\n88D1F87FB3DD62742669DDCD1ED3EF75A7739B0890218B5EF9205ADD410BA9BC\r\n8A9AB306676B0FF96308A8D1C3BB2708F056BA4C40B8924E554652D9D6BAE10D\r\n8EED9833EEB8DA580C21ECC24CF11EAC9E9FCBF0CE3C590BA083FD87CB79162C\r\n8F9ED3DF67AAAE1173F812176A3AE0E55C5CF509F214B907FB2429D25E660C3B\r\n8FD5E77EB0F3793FA3EDCB37D6036837C509B73E316DE12ACEF3F9FE53785800\r\n8FF83CE96392A54E747CEE31D81C01BBAEB625D219E91E2242C7851065A132D9\r\n90C5478CDF810F74A8459C49C23F1744CA70F80E8CCDE28F7B35FDCD47058991\r\n930F71453C6DDBC130C14C5A0374B8A0A1ED9F783A1D937A95A74DA2085091F5\r\n94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC\r\n97954187FD1963FF8F3F4940DD159A5615F53414F40D2B6EC5E8C65BEAD1F823\r\n9905E15FE72312C0B331438E54D33290F3570B069D240594CFC7B29776433347\r\n9A6363406E3CC50F8933EDF57A6EB2B34397A0CA1A01E2BC15BFB631DCD39237\r\n9B645E000AE447E7B7761486F2502620A728A92F63A88350559D2CE25FD6E740\r\n9C6644DDFA0964444FFF983C69147B84663A06634D70E8A7A6AFDD83CF81B047\r\n9C83F3AD5CDC485D4537711CDFDE08F804DFF4EC5965E3CA4D592AB89C470A90\r\n9D14D680770D58EFA7CD10EDDC4D0567003CFA0C637B19293AE9947B179352B7\r\n9F59D8DA895D673B8A44CF22AF5AA102AE47BCF9C1D0747F90A20B08FA26CD51\r\n9F7F1FFAD39B78F807819D1C0A387029051BF83A5327FDD114747E69AF27DD3F\r\nA199F7CFFEDFBC29DE5038F26D787B8CEBE9419FAA3EBCC60FF525A8394CD8E6\r\nA1C5FA585FE39756B9B68C8300D004FA2197F35A5F91D45099CCA6F48A273A9E\r\nA32F9871166C20CA071BEABF31E55CD78B91C680EC4EB2974B8C6D897E4A937F\r\nA3B0472C35F9B1B831FE29A395CD03C34C805F5F1B48E4916543118EDB7BFC59\r\nA4027994D393F63C972918
1364A65BA597B788F99A8F5B9071DF056A5924871A\r\nA4D43DBD89469003DB525011BF7C0F4238BCFB62EF50817AA476D0A111A9838E\r\nA5986423F0E4CBEAEA4161DE313B3F9AD5F5B0489FD49C7D646478A46030DC1F\r\nA5FFD5BE9ACC472A237F8DDDF189A46EECA6BA026FA8F3A564C533891D3A6068\r\nA65FB1FF99711B0705D290F04AC82E8B1C4D57D97609CAD1FB438E8C098EA4AC\r\nA6A0C55DE5C8DEF0EA81EDB5BEDF8B3E44847193A8A424B3FF143F0FEA527E85\r\nA9953390E2107439391EF965B29E573FFBCDEDA99A2F9B23E2B661DC0B39A2AE\r\nAA142160446A919EABA99CE15992F6E11B1FDAA7A9F569979A29068120F774CF\r\nAC2F7A35BF6467D149099BA5C7287730F9ECBDBE30620DA00EF706CACE38D52C\r\nADD1AA87AE6D4E6ADF430882B4B41C85084C456427FCCA74E04231B7AF035FD2\r\nAF5632EAE9C825A9842498DA8C8433067AEC9F5DE6E8DD6AED9869FC55E3311F\r\nB134337A9EB771DE606402D402259755C376BD3CD9A8D3B082D1A6D42082C3BA\r\nB1461180E5EC961F373353B9320396614BD103A92113C2DA8451A85D9A26D40F\r\nhttps://www.ptsecurity.com/ww-en/analytics/operation-taskmasters-2019/\r\nPage 29 of 32\n\nB3298921D64B38212D420C1DB99F7AF5131DD034045ECFD5E61C81B5132B7AA8\r\nB44F2E6EBC44DDEF1B31882FA936C5EC9C59444AEFA496E31DB78DD0496C40FF\r\nB5FAFCD5BA301BDCED4AEAD83B43776B181177C095FA77EC7C1CD20CA0C1F16A\r\nB66961D7A143258328FAF6ADFAB3A76CC6C5203DB6DE75DBC8D92188A94F6E1B\r\nB6705D56B6652327766AE0CD6D534FD1C9FA15FB285C66634A0865709B54BA4F\r\nB6BB6A615CD4B69B6EF356687C3D89AEE6C10CD9017983A0A0123DCD34B73DC7\r\nB7F81319543F16894802903DECF8E6CC67B653BCA110D46A1922110C45ECF927\r\nB872982BE285A934624A1B0062BE3F6F6D4CF581582225D462B4CA42FAC6FAC2\r\nB9AEC9FE90560AEF73D243EC98407CE16B9205C43BB479C9C48D3D6571FD3549\r\nBA7100CBDF75CB422415D92E3F40A96FCC0E1FB7371A4BF93D8B1EE6EB33A71B\r\nBB0120F8A8A47BE9B6D83BBF1A3CC88E83C7C15AD6853763B3322C23FA7DFEAE\r\nBD66C143E61378E20B8707B1087AA3CCDA89B981EA9BB0CD58AF1553AC5CCD6A\r\nC0811489113E099728A172129EB65DD83135F005228DC1C68E692B7AEBFA4F74\r\nC2D461BB057A5285C0B486191406A8CDCB27B068B85C6A2F1ED2E4440A89667C\r\nC5730237D582EBC67B16AEC7D8C2F4713374E2E24F4526012F81D691FEC4047D\r\nC5C7971596C26D2B06A681823EF
F6498E2D711EF2CB835561F3F02EC939CFC70\r\nC9B7D6F903A3C60ABE223301930C83B10E5D75C766FD46AD76EFB9C06A5E9C78\r\nC9D5DC956841E000BFD8762E2F0B48B66C79B79500E894B4EFA7FB9BA17E4E9E\r\nCC65064D24DCB2A2A828A3094BC6AA8552D562EF70DD54516847EE2ED1AF505D\r\nCDA8E6FCC17EB0D20AA9F9886B68F24FE620DD62B64F24DDA2BCC631D80E5668\r\nCEBF1B189633AC68EDF0F7C5EE511C98BBFA4FAA035F03BEA9567C7618716F90\r\nCEE7EA70B2ACD485091FAD2BEBFDD94E7441E193B971933C1262DA8E0B9DC869\r\nCF5175433E33881F72310AFCADB3F2A26F2D587ED7EACBD142AE87253794BE53\r\nD7E74CAC420244D367745DAE65559483B9CE8BF503F3E673011579A5A0D5D8DB\r\nD9B584F7DC2F9DDBDE5C2100ADF8C41345844B6FE611B32C8A706985D65937F4\r\nDA913C1F55544B34F246438767BFD9E635B972A0796E214F78B94928D7301344\r\nDB0CB43151CCF1B60F7C2B2A26BE378685C9867DD67CDD9BA74C242C9D719FE3\r\nDB84364A4DD1D45C7F7EE0DA8A173A2476824F35D1802D3FFD7298BF58C506FD\r\nDBB05DEC80B41EDDBB9D28788287BCB5C976C43E9DB10E7858AC0F7CC73DC6F8\r\nDCB8ECD5BBC1D57EA7B5931D11D216A3CAD6B486072164ADCB6054914D19CA06\r\nDD23795A9B4FD3D90A74DB73A9B6D4EA51F5BE558485AE7C5C2C03D84E434B63\r\nDD8C418EBA9C96C668D744034A059B7B2208BDC57266B1D96637D9E5FF1CD61F\r\nDDBAC58F0B4BD56D398FCC7C5284E01B30451F6EB57510EB85D68602DCB3A803\r\nE0E1E5F4FC7B2DD84B8D3062547B4C339C2FB223EA691BE519DF34013EC8DB25\r\nE10AFF4DB0D0E8FFC308875D6B92A856842CA884ADEE45120B8797A5E1B4BF66\r\nE2E3689CBA34A8DD3C25A964E7993692305DDAEA9AB4D6F7289DAEC7FEC1CDEE\r\nE3CAA5762FC729758A88D19E8318A7BEC582A0545C410B9D6E83FA6BBC6F191B\r\nE3D8A0A3D83205C25372D914417360C5A6982A2265FB96BCCE7CA04E40C6BE8C\r\nE472AD43000AF4D77ACE2444345BCC66F927D835C9BD188EBB5C67A4A83B3F36\r\nE723076EE10041E3112E721EF1487BA124BA05DC0DA2CDBF288F948AA2CF080E\r\nE7E0D94408986525F439D39004292062A487FD8D0E1C5497754AC960E36DC5EE\r\nE8C54BE8487438B0956203DC5DA2C2122B999F12526E623D50F542666646F176\r\nhttps://www.ptsecurity.com/ww-en/analytics/operation-taskmasters-2019/\r\nPage 30 of 
32\n\nECF37807C9F986238E3EEFFA4F9DC3514A88F03E9A9576932962AF7CB00C84AF\r\nEF0281CCDE19C2E2190617741CEC07342BA7261C30A746E2FECE1F4012C2ADFD\r\nEFB05CD4DD9C7057B56F25264715E1139B35F6C183B17528A1004AD09E3DA6F8\r\nF20E33F5D59B06ED725C8DA4429D46781D3796C0F661EBF4ABC9F8F0D95D11EC\r\nF40F0060217884E5FCD26C05EB585D548FA95BCBA2E0399E13E69110ADADC0F1\r\nF9B02A73DF01CC80F3F0E0F00C65683A853F61CB8FB9B928BFB5B3FBECDAC614\r\nC2 server IP addresses\r\nC2 domain names\r\nSoftware links and references\r\nPublicly available software: names\r\nAtNow v1.1: http://www.nirsoft.net/utils/atnow.html\r\nPWDump: https://www.openwall.com/passwords/windows-pwdump\r\nGsecDump: https://download.openwall.net/pub/projects/john/contrib/win32/pwdump/\r\nHTran: https://github.com/HiwinCN/HTran\r\nNBTScan: https://sectools.org/tool/nbtscan/\r\nRAR: https://www.win-rar.com/start.html?\u0026L=4\r\nASPXSpy2014 (web shell): https://github.com/ysrc/webshell-sample/blob/master/aspx/a91320483df0178eb3cafea830c1bd94585fc896.aspx\r\nMimikatz: https://github.com/gentilkiwi/mimikatz\r\nProcDump: https://docs.microsoft.com/en-us/sysinternals/downloads/procdump\r\nPSExec: https://technet.microsoft.com/ru-ru/sysinternals/bb897553.aspx\r\nPSList: https://technet.microsoft.com/ru-ru/sysinternals/pslist.aspx\r\nDbxDump Utility: http://www.wischik.com/lu/programmer/dbx_utils.html\r\nPortScan: https://www.the-sz.com/products/portscan/\r\nreGeorg (web shell): https://github.com/sensepost/reGeorg/blob/master/tunnel.aspx\r\njsp File browser (web shell): https://github.com/tennc/webshell/blob/master/jsp/jsp_File_browser.jsp\r\nPublicly available software: examples of use\r\nAPT18: http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/\r\nAPT29: http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016\r\nAPT32: https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html\r\nRTM: https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf\r\nCobalt Group: https://www.group-ib.com/blog/cobalt\r\nAPT1: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf\r\nFIN5: https://www2.fireeye.com/WBNR-Are-you-ready-to-respond.html\r\nTG-3390 (APT27): https://www.secureworks.com/research/threat-group-3390-targets-organizations-forcyberespionage, https://www.secureworks.com/research/bronze-union\r\nAPT27: https://www.erai.com/CustomUploads/ca/wp/2015_12_wp_operation_iron_tiger.pdf\r\nDaserf: https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan\r\nLurid: https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_dissecting-lurid-apt.pdf\r\nAPT28: https://www.justice.gov/file/1080281/download\r\nKe3chang: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/\r\nLazarus Group: https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/\r\nBlackEnergy: https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/\r\nAPT10: https://investors.fireeye.com/static-files/b7dcb16f-44a8-4cfb-927f-efeed397dd52\r\nAPT33: https://investors.fireeye.com/static-files/b7dcb16f-44a8-4cfb-927f-efeed397dd52\r\nAPT34: https://investors.fireeye.com/static-files/b7dcb16f-44a8-4cfb-927f-efeed397dd52\r\nAPT35: https://investors.fireeye.com/static-files/b7dcb16f-44a8-4cfb-927f-efeed397dd52\r\nSource: https://www.ptsecurity.com/ww-en/analytics/operation-taskmasters-2019/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.ptsecurity.com/ww-en/analytics/operation-taskmasters-2019/"
	],
	"report_names": [
		"operation-taskmasters-2019"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fa3bc740-8ffc-4a49-a78f-e1f6d0d85c2b",
			"created_at": "2022-10-25T15:50:23.528058Z",
			"updated_at": "2026-04-10T02:00:05.374772Z",
			"deleted_at": null,
			"main_name": "FIN5",
			"aliases": [
				"FIN5"
			],
			"source_name": "MITRE:FIN5",
			"tools": [
				"Windows Credential Editor",
				"PsExec",
				"FLIPSIDE",
				"pwdump",
				"SDelete",
				"RawPOS"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed4c7e37-461f-40f1-ad43-6ad7e21b32bc",
			"created_at": "2022-10-25T16:07:24.303712Z",
			"updated_at": "2026-04-10T02:00:04.929134Z",
			"deleted_at": null,
			"main_name": "TaskMasters",
			"aliases": [],
			"source_name": "ETDA:TaskMasters",
			"tools": [
				"404-Input-shell web shell",
				"ASPXSpy",
				"ASPXTool",
				"AtNow",
				"DbxDump Utility",
				"HTran",
				"HUC Packet Transmit Tool",
				"Mimikatz",
				"NBTscan",
				"PortScan",
				"ProcDump",
				"PsExec",
				"PsList",
				"RemShell",
				"RemShell Downloader",
				"gsecdump",
				"jsp File browser",
				"nbtscan",
				"pwdump",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c8aefee7-fb57-409b-857e-23e986cb4a56",
			"created_at": "2023-01-06T13:46:38.285223Z",
			"updated_at": "2026-04-10T02:00:02.910756Z",
			"deleted_at": null,
			"main_name": "APT18",
			"aliases": [
				"SCANDIUM",
				"PLA Navy",
				"Wekby",
				"G0026",
				"Satin Typhoon",
				"DYNAMITE PANDA",
				"TG-0416"
			],
			"source_name": "MISPGALAXY:APT18",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7e5e725c-4de5-4e14-a702-d84d23d973e9",
			"created_at": "2023-01-06T13:46:38.965779Z",
			"updated_at": "2026-04-10T02:00:03.165531Z",
			"deleted_at": null,
			"main_name": "FIN5",
			"aliases": [
				"G0053"
			],
			"source_name": "MISPGALAXY:FIN5",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2669aa86-663f-4e72-9362-9e61ff3599f4",
			"created_at": "2022-10-25T15:50:23.344796Z",
			"updated_at": "2026-04-10T02:00:05.38663Z",
			"deleted_at": null,
			"main_name": "APT18",
			"aliases": [
				"APT18",
				"TG-0416",
				"Dynamite Panda",
				"Threat Group-0416"
			],
			"source_name": "MITRE:APT18",
			"tools": [
				"hcdLoader",
				"gh0st RAT",
				"cmd",
				"Pisloader",
				"HTTPBrowser"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "dabb6779-f72e-40ca-90b7-1810ef08654d",
			"created_at": "2022-10-25T15:50:23.463113Z",
			"updated_at": "2026-04-10T02:00:05.369301Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"APT1",
				"Comment Crew",
				"Comment Group",
				"Comment Panda"
			],
			"source_name": "MITRE:APT1",
			"tools": [
				"Seasalt",
				"ipconfig",
				"Cachedump",
				"PsExec",
				"GLOOXMAIL",
				"Lslsass",
				"PoisonIvy",
				"WEBC2",
				"Mimikatz",
				"gsecdump",
				"Pass-The-Hash Toolkit",
				"Tasklist",
				"xCmd",
				"pwdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4ae78ca3-8bc8-4d67-9df1-a85df250a8a0",
			"created_at": "2024-10-08T02:00:04.469211Z",
			"updated_at": "2026-04-10T02:00:03.726781Z",
			"deleted_at": null,
			"main_name": "TaskMasters",
			"aliases": [
				"BlueTraveller"
			],
			"source_name": "MISPGALAXY:TaskMasters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d5531e2-0ad1-4237-beed-af009035576f",
			"created_at": "2024-05-01T02:03:07.977868Z",
			"updated_at": "2026-04-10T02:00:03.817883Z",
			"deleted_at": null,
			"main_name": "BRONZE PALACE",
			"aliases": [
				"APT15 ",
				"BRONZE DAVENPORT ",
				"BRONZE IDLEWOOD ",
				"CTG-6119 ",
				"CTG-6119 ",
				"CTG-9246 ",
				"Ke3chang ",
				"NICKEL ",
				"Nylon Typhoon ",
				"Playful Dragon",
				"Vixen Panda "
			],
			"source_name": "Secureworks:BRONZE PALACE",
			"tools": [
				"BMW",
				"BS2005",
				"Enfal",
				"Mirage",
				"RoyalCLI",
				"RoyalDNS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7c8cf02c-623a-4793-918b-f908675a1aef",
			"created_at": "2023-01-06T13:46:38.309165Z",
			"updated_at": "2026-04-10T02:00:02.921721Z",
			"deleted_at": null,
			"main_name": "APT15",
			"aliases": [
				"Metushy",
				"Lurid",
				"Social Network Team",
				"Royal APT",
				"BRONZE DAVENPORT",
				"BRONZE IDLEWOOD",
				"VIXEN PANDA",
				"Ke3Chang",
				"Playful Dragon",
				"BRONZE PALACE",
				"G0004",
				"Red Vulture",
				"Nylon Typhoon"
			],
			"source_name": "MISPGALAXY:APT15",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "820ea41f-a798-4eb9-b296-530b784c1adc",
			"created_at": "2022-10-25T16:07:23.613805Z",
			"updated_at": "2026-04-10T02:00:04.688029Z",
			"deleted_at": null,
			"main_name": "FIN5",
			"aliases": [
				"G0053"
			],
			"source_name": "ETDA:FIN5",
			"tools": [
				"DRIFTWOOD",
				"DUEBREW",
				"FIENDCRY",
				"FLIPSIDE",
				"RawPOS",
				"SDelete",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "236429ce-6355-43f6-9b58-e6803a1df3f4",
			"created_at": "2026-03-16T02:02:50.60344Z",
			"updated_at": "2026-04-10T02:00:03.641587Z",
			"deleted_at": null,
			"main_name": "Bronze Union",
			"aliases": [
				"Circle Typhoon ",
				"Emissary Panda "
			],
			"source_name": "Secureworks:Bronze Union",
			"tools": [
				"China Chopper",
				"OwaAuth",
				"Sysupdate"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434643,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/361d650df3dc4c1a0982463e10fe30f31c4eeef5.pdf",
		"text": "https://archive.orkl.eu/361d650df3dc4c1a0982463e10fe30f31c4eeef5.txt",
		"img": "https://archive.orkl.eu/361d650df3dc4c1a0982463e10fe30f31c4eeef5.jpg"
	}
}
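The threat-actor entries in the record above come from four separate sources (MISPGALAXY, Secureworks, MITRE, ETDA) and the same actor appears several times under different main names: BRONZE UNION, Emissary Panda and Bronze Union are one group, BRONZE PALACE, APT15 and Ke3chang are one group, and Lazarus Group has four records. The data is also uneven: Secureworks aliases carry trailing whitespace ("APT15 "), one record lists "CTG-6119 " twice, and the same designation is written "APT27" in one source and "APT 27" in another. Anyone using these records for attribution or for pivoting from a report to a tool list needs to merge them first. The following is an added example, not code from the original page, the archive or any of the named sources; it embeds a constructed, trimmed subset of the records above and resolves them into actor clusters by alias overlap, collecting the union of reported tools and contributing sources for each cluster. The `normalize` key (strip, casefold, keep alphanumerics only) is an assumption about what counts as the same name; it is deliberately loose and would conflate genuinely distinct names that differ only in punctuation.

```python
"""Cross-source alias resolution for the threat-actor records shown above."""
from collections import defaultdict

# Constructed subset of the page's records, each cut down to a few aliases
# and tools; the real record carries many more entries per actor.
RECORDS = [
    {"main_name": "BRONZE UNION", "source_id": "Secureworks",
     "aliases": ["APT27 ", "Emissary Panda ", "Iron Tiger ", "TG-3390 "],
     "tools": ["China Chopper", "OwaAuth", "Sysupdate"]},
    {"main_name": "Emissary Panda", "source_id": "ETDA",
     "aliases": ["APT 27", "Bronze Union", "Emissary Panda", "LuckyMouse", "TG-3390"],
     "tools": ["China Chopper", "HyperBro", "PlugX", "Mimikatz"]},
    {"main_name": "Bronze Union", "source_id": "Secureworks",
     "aliases": ["Circle Typhoon ", "Emissary Panda "],
     "tools": ["China Chopper", "OwaAuth", "Sysupdate"]},
    {"main_name": "APT15", "source_id": "MISPGALAXY",
     "aliases": ["Ke3Chang", "BRONZE PALACE", "Vixen Panda"],
     "tools": []},
    {"main_name": "BRONZE PALACE", "source_id": "Secureworks",
     "aliases": ["APT15 ", "Ke3chang ", "CTG-6119 ", "CTG-6119 "],  # duplicate kept on purpose
     "tools": ["BS2005", "RoyalCLI", "RoyalDNS"]},
    {"main_name": "Cobalt Group", "source_id": "MITRE",
     "aliases": ["Cobalt Group", "GOLD KINGSWOOD", "Cobalt Gang"],
     "tools": ["Mimikatz", "Cobalt Strike", "PsExec"]},
]


def normalize(name):
    """Matching key (assumed convention): trim, casefold, drop everything that is
    not alphanumeric, so 'APT 27', 'APT27 ' and 'apt-27' all map to 'apt27'."""
    return "".join(ch for ch in name.strip().casefold() if ch.isalnum())


def cluster_actors(records):
    """Union-find over records: two records are merged whenever any normalized
    main_name or alias is shared. Returns one dict per cluster, largest first."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    owner = {}  # normalized name -> first record index that used it
    for idx, rec in enumerate(records):
        for name in [rec["main_name"], *rec["aliases"]]:
            key = normalize(name)
            if not key:
                continue
            if key in owner:
                parent[find(idx)] = find(owner[key])  # self-union for in-record duplicates
            else:
                owner[key] = idx

    members_by_root = defaultdict(list)
    for idx in range(len(records)):
        members_by_root[find(idx)].append(idx)

    result = []
    for members in members_by_root.values():
        names, tools, sources = {}, set(), set()
        for i in members:
            rec = records[i]
            for n in [rec["main_name"], *rec["aliases"]]:
                names.setdefault(normalize(n), n.strip())  # first spelling wins
            tools.update(rec["tools"])
            sources.add(rec["source_id"])
        result.append({
            "names": sorted(names.values(), key=str.casefold),
            "tools": sorted(tools),
            "sources": sorted(sources),
            "record_count": len(members),
        })
    return sorted(result, key=lambda c: -c["record_count"])


if __name__ == "__main__":
    for cluster in cluster_actors(RECORDS):
        print(f"{cluster['record_count']} record(s) from {', '.join(cluster['sources'])}")
        print("  names:", ", ".join(cluster["names"]))
        print("  tools:", ", ".join(cluster["tools"]) or "(none listed)")
```

Run on the full record, the same routine collapses the four Lazarus entries and the three APT27 entries into one cluster each. The merged tool list is a union of what every source reports, not an intersection, so it inherits each source's generosity (ETDA, for instance, lists generic items such as "LOLBins" and "Living off the Land" as tools); filter by `sources` or weight by how many records mention a tool before using the list for detection engineering.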