{ "id": "2785a67d-e9a5-4380-a4b5-ec2149cbb2cf", "created_at": "2026-04-06T00:19:38.006426Z", "updated_at": "2026-04-10T03:37:37.034526Z", "deleted_at": null, "sha1_hash": "375a4796d1ad0c6ecc87cf366b83b3ada99d19b4", "title": "Iranian State-Sponsored and Aligned Attacks: What You Need to Know and Steps to Protect Yourself | Proofpoint US", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 82037, "plain_text": "Iranian State-Sponsored and Aligned Attacks: What You Need to\r\nKnow and Steps to Protect Yourself | Proofpoint US\r\nPublished: 2020-01-10 · Archived: 2026-04-05 13:09:30 UTC\r\nJanuary 10, 2020\r\nRecent events have led to a surge in concern about possible cyberattacks coming out of Iran. Below are the\r\nProofpoint Threat Research team’s latest findings on state-sponsored and aligned Iranian attacks, details on\r\n11 Iranian attack groups and their preferred tactics, and most importantly, security recommendations.\r\nIranian Threat Actors: Operation Trends and Our Recent Findings\r\nIranian cyberattack capability first came on the world stage around 2013, three years after the Stuxnet attack.\r\nState-sponsored and aligned attackers have been an ongoing threat and have targeted governments, organizations,\r\nand citizens around the world with significant impacts.\r\nProofpoint’s Threat Research team is continuing to see activity that is consistent with the campaigns that were\r\nstarted in early December 2019. Based on past actions by Iranian threat actors, it is unlikely that new activity will\r\nhappen immediately as they are often very methodical and are known to be deliberate over time.\r\nWhile we cannot predict the likelihood of increased attacks or what they might look like, it is valuable to examine\r\nprevious attacks to better understand these threat actors. Historical data shows that this is not a threat to be taken\r\nlightly. Iranian attackers may not be as well-known as those from other countries, but they’ve successfully carried\r\nout many operations over the years, sometimes with significant, even devastating effects.\r\nIranian attack groups mostly operate below the radar of major news coverage (with the exception of the Shamoon\r\nattacks). This is due to the methodical nature of their work and their ability to avoid causing major headline-grabbing incidents. They choose their targets carefully and infiltrate them slowly, frequently silently, for\r\nreconnaissance, espionage, or later attacks. These groups often specifically harvest credentials and hold them over\r\ntime for maximum damage. This means Iranian attacks could already have information and a presence on target\r\nnetworks that could be mobilized in new attacks.\r\nIranian attackers target not just the United States, Israel, and Saudi Arabia: they operate on a truly global scale.\r\nAnd while government and military targets are obvious ones, they also pursue telecommunications companies,\r\nfinance organizations, human rights groups, and even academia. Worldwide organizations, across many sectors,\r\nshould take this potential threat seriously.\r\n11 Iranian Threat Actor Groups and Their Tactics\r\nBelow, you’ll find information on major Iranian threat actor groups, the industries and countries and regions\r\nthey’ve been known to target, and an overview of their tactics. This list includes information from MITRE’s\r\nATT\u0026CK framework on threat actor groups, publicly available information, and Proofpoint’s threat research.\r\nhttps://www.proofpoint.com/us/corporate-blog/post/iranian-state-sponsored-and-aligned-attacks-what-you-need-know-and-steps-protect\r\nPage 1 of 4\n\nIranian Attack Groups\r\n1. APT 33/Elfin: A group that since 2013 has been targeting aviation, energy, government, health care, and\r\ntransportation sectors in Saudi Arabia, South Korea, and the United States. Some believe this group is\r\nresponsible for the Shamoon attacks. Proofpoint tracks this group as TA451 and they have been active as\r\nrecently as December 2019.\r\n2. APT 39/Chafer: A group that since 2014 has been targeting government, telecommunications, and travel\r\nsectors to collect personal information. Proofpoint tracks this group as TA454 and they have been active as\r\nrecently as June 2019.\r\n3. Charming Kitten: A group that since 2014 has been targeting individuals in academic research,\r\ngovernment, human rights groups, media, military, and technology sectors in Iran, the United States, Israel,\r\nand the United Kingdom by gaining access to personal email and Facebook accounts. Proofpoint tracks this\r\ngroup as TA453 and they have been active as recently as September 2019.\r\n4. Cleaver: A group or operation that was first tracked in 2014 targeting aviation, energy, military,\r\ntransportation, health care, and utilities sectors in China, France, Germany, India, Israel, Saudi Arabia, and\r\nthe United States. They are believed to have used fake LinkedIn accounts as part of their attacks.\r\n5. CopyKittens: A group that since 2013 has been targeting users in Germany, Jordan, Turkey, Saudi Arabia,\r\nand the United States.\r\n6. Group5 (Suspected):  Attribution to Iran is not definitive but this group has targeted individuals connected\r\nto the Syrian opposition with malware through spearphishing and watering hole attacks.\r\n7. LeafMiner: A group that since 2017 has targeted the email of individuals in government and businesses in\r\nthe Middle East.\r\n8. Magic Hound: A group that since 2014 has targeted the energy, government, and technology sectors in\r\nSaudi Arabia.\r\n9. MuddyWater: A group that since 2017 has targeted the energy, government, media, and\r\ntelecommunications sectors in Europe, the Middle East, and North America. Proofpoint tracks this group as\r\nTA450 and they have been active as recently as January 2020.\r\n10. OilRig: A group that since 2014 has targeted the aviation, energy, financial, government, media,\r\ntechnology, telecommunications, and transportation sectors in the Middle East. Proofpoint tracks this group\r\nas TA452 and they have been active as recently as December 2019.\r\n11. Silent Librarian/Cobalt Dickens: Silent Librarian is a group that since 2013 has targeted universities around\r\nthe world. Proofpoint tracks this group as TA407. A related group known as Cobalt Dickens has targeted\r\nconstruction, media, health care, higher education/academia, health care, and transportation sectors.\r\nProofpoint tracks this group as TA4900. These groups were active as recently as December 2019 and\r\nSeptember 2019 respectively.\r\nIndustries Targeted by Iranian Attack Groups\r\nGovernment: APT 33/Elfin, APT 39/Chafer, Charming Kitten, LeafMiner, Magic Hound, MuddyWater,\r\nOilRig\r\nEnergy: APT 33/Elfin, Cleaver, Magic Hound, MuddyWater, OilRig\r\nMedia: Charming Kitten, MuddyWater, OilRig, Silent Librarian/Cobalt Dickens\r\nTelecommunications: APT 39/Chafer, MuddyWater, OilRig\r\nhttps://www.proofpoint.com/us/corporate-blog/post/iranian-state-sponsored-and-aligned-attacks-what-you-need-know-and-steps-protect\r\nPage 2 of 4\n\nAviation: APT 33/Elfin, Cleaver, OilRig\r\nHealth Care: APT 33/Elfin, Cleaver, Silent Librarian/Cobalt Dickens\r\nTechnology: Charming Kitten, Magic Hound, OilRig\r\nTransportation: APT 33/Elfin, Cleaver, OilRig, Silent Librarian/Cobalt Dickens\r\nConstruction: Silent Librarian/Cobalt Dickens\r\nHigher Education/Academia: Charming Kitten, Silent Librarian/Cobalt Dickens\r\nMilitary: Charming Kitten, Cleaver\r\nFinancial: OilRig\r\nHuman Rights Groups: Charming Kitten\r\nTravel: APT 39/Chafer\r\nUtilities: Cleaver\r\nCountries and Regions Targeted by Iranian Attackers\r\nSaudi Arabia: APT 33/Elfin, Cleaver, CopyKittens, Magic Hound, OilRig\r\nUnited States: APT 33/Elfin, Charming Kitten, Cleaver, CopyKittens\r\nIsrael: Charming Kitten, Cleaver, CopyKittens\r\nChina: Cleaver\r\nFrance: Cleaver\r\nGermany: Cleaver, CopyKittens\r\nIndia: Cleaver\r\nIran: Charming Kitten\r\nJordan: CopyKittens:\r\nSouth Korea: APT 33/Elfin\r\nTurkey: CopyKittens\r\nUnited Kingdom: Charming Kitten\r\nEuropean Union: MuddyWater\r\nMiddle East: LeafMiner, MuddyWater, OilRig\r\nNorth America: LeafMiner, MuddyWater\r\nTactics Favored by Iranian Attackers\r\nStolen Credentials: APT 33/Elfin, APT 39/Chafer, Magic Hound, MuddyWater, OilRig, Silent Librarian\r\nEmail Infiltration: Charming Kitten, LeafMiner, Magic Hound, Silent Librarian\r\nMalware: CopyKittens, Group5, Magic Hound\r\nPersonal Information Gathering: Charming Kitten\r\nSocial Media Targeting: : Charming Kitten, Cleaver\r\nPhishing: Group5, Magic Hound, Silent Librarian\r\nWatering Hole Attacks: Group5\r\nSecurity Recommendations\r\nSophisticated Iranian state-sponsored and affiliate threats require careful focus internally and externally (in\r\npartnership with vendors, suppliers, and others) to improve the overall security posture of an organization—an\r\nhttps://www.proofpoint.com/us/corporate-blog/post/iranian-state-sponsored-and-aligned-attacks-what-you-need-know-and-steps-protect\r\nPage 3 of 4\n\nelementary approach isn’t going to be enough. An immediate and effective action you can take to help protect\r\nyour organization is mitigating the effects of stolen credentials, particularly those with administrative privileges.\r\nSome organizations should consider forcing password resets, including for service accounts.\r\nBe sure to reduce your attack surface, complete security program updates, and make sure employees are trained to\r\nidentify possible threats. Watch what’s coming in and out of the network, and watch what employees are clicking\r\non, opening, and distributing with the company. The smaller the surface, the harder it is for attackers to do\r\nanything. Make sure systems are patched because open source tools are available to anyone. We’ve seen APT\r\ngroups use public vulnerabilities when they are released because it’s low hanging fruit.\r\nAnd finally, work actively with security leadership to implement a response plan that involves not just your\r\norganization but also your employees, vendors, and partners.\r\nSubscribe to the Proofpoint Blog\r\nSource: https://www.proofpoint.com/us/corporate-blog/post/iranian-state-sponsored-and-aligned-attacks-what-you-need-know-and-steps-prote\r\nct\r\nhttps://www.proofpoint.com/us/corporate-blog/post/iranian-state-sponsored-and-aligned-attacks-what-you-need-know-and-steps-protect\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE", "MISPGALAXY", "Malpedia" ], "references": [ "https://www.proofpoint.com/us/corporate-blog/post/iranian-state-sponsored-and-aligned-attacks-what-you-need-know-and-steps-protect" ], "report_names": [ "iranian-state-sponsored-and-aligned-attacks-what-you-need-know-and-steps-protect" ], "threat_actors": [ { "id": "82b92285-4588-48c9-8578-bb39f903cf62", "created_at": "2022-10-25T15:50:23.850506Z", "updated_at": "2026-04-10T02:00:05.418577Z", "deleted_at": null, "main_name": "Charming Kitten", "aliases": [ "Charming Kitten" ], "source_name": "MITRE:Charming Kitten", "tools": [ "DownPaper" ], "source_id": "MITRE", "reports": null }, { "id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d", "created_at": "2025-08-07T02:03:24.741594Z", "updated_at": "2026-04-10T02:00:03.653394Z", "deleted_at": null, "main_name": "COBALT HICKMAN", "aliases": [ "APT39 ", "Burgundy Sandstorm ", "Chafer ", "ITG07 ", "Remix Kitten " ], "source_name": "Secureworks:COBALT HICKMAN", "tools": [ "MechaFlounder", "Mimikatz", "Remexi", "TREKX" ], "source_id": "Secureworks", "reports": null }, { "id": "a63c994f-d7d6-4850-a881-730635798b90", "created_at": "2025-08-07T02:03:24.788883Z", "updated_at": "2026-04-10T02:00:03.785146Z", "deleted_at": null, "main_name": "COBALT TRINITY", "aliases": [ "APT33 ", "Elfin ", "HOLMIUM ", "MAGNALIUM ", "Peach Sandstorm ", "Refined Kitten ", "TA451 " ], "source_name": "Secureworks:COBALT TRINITY", "tools": [ "AutoCore", "Cadlotcorg", "Dello RAT", "FalseFont", "Imminent Monitor", "KDALogger", "Koadic", "NanoCore", "NetWire", "POWERTON", "PoshC2", "Poylog", "PupyRAT", "Schoolbag" ], "source_id": "Secureworks", "reports": null }, { "id": "d8af157e-741b-4933-bb4a-b78490951d97", "created_at": "2023-01-06T13:46:38.748929Z", "updated_at": "2026-04-10T02:00:03.087356Z", "deleted_at": null, "main_name": "APT35", "aliases": [ "COBALT MIRAGE", "Agent Serpens", "Newscaster Team", "Magic Hound", "G0059", "Phosphorus", "Mint Sandstorm", "TunnelVision" ], "source_name": "MISPGALAXY:APT35", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9aa9b489-a297-4dbd-8601-8fc0370201a6", "created_at": "2022-10-25T16:07:23.696796Z", "updated_at": "2026-04-10T02:00:04.71508Z", "deleted_at": null, "main_name": "Group5", "aliases": [ "G0043" ], "source_name": "ETDA:Group5", "tools": [ "Atros2.CKPN", "Bladabindi", "DroidJack", "Jorik", "Nancrat", "NanoCore", "NanoCore RAT", "Zurten", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b", "created_at": "2022-10-25T15:50:23.308924Z", "updated_at": "2026-04-10T02:00:05.298591Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "MuddyWater", "Earth Vetala", "Static Kitten", "Seedworm", "TEMP.Zagros", "Mango Sandstorm", "TA450" ], "source_name": "MITRE:MuddyWater", "tools": [ "STARWHALE", "POWERSTATS", "Out1", "PowerSploit", "Small Sieve", "Mori", "Mimikatz", "LaZagne", "PowGoop", "CrackMapExec", "ConnectWise", "SHARPSTATS", "RemoteUtilities", "Koadic" ], "source_id": "MITRE", "reports": null }, { "id": "81d49904-579d-45b3-ace2-1fdf0a713bc4", "created_at": "2022-10-25T15:50:23.331457Z", "updated_at": "2026-04-10T02:00:05.291098Z", "deleted_at": null, "main_name": "Leafminer", "aliases": [ "Leafminer", "Raspite" ], "source_name": "MITRE:Leafminer", "tools": [ "LaZagne", "Mimikatz", "MailSniper", "PsExec" ], "source_id": "MITRE", "reports": null }, { "id": "552eeef7-4a19-44de-9147-db8893c115ef", "created_at": "2023-01-06T13:46:38.598788Z", "updated_at": "2026-04-10T02:00:03.034846Z", "deleted_at": null, "main_name": "RASPITE", "aliases": [ "LeafMiner", "Raspite" ], "source_name": "MISPGALAXY:RASPITE", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "cf0704ab-99e4-44d7-96d9-3cba91339229", "created_at": "2022-10-25T15:50:23.485375Z", "updated_at": "2026-04-10T02:00:05.332806Z", "deleted_at": null, "main_name": "Group5", "aliases": [ "Group5" ], "source_name": "MITRE:Group5", "tools": [ "njRAT", "NanoCore" ], "source_id": "MITRE", "reports": null }, { "id": "9fb19abe-4035-4f22-a595-641b7f3443a9", "created_at": "2022-10-25T15:50:23.748944Z", "updated_at": "2026-04-10T02:00:05.395401Z", "deleted_at": null, "main_name": "CopyKittens", "aliases": [ "CopyKittens" ], "source_name": "MITRE:CopyKittens", "tools": [ "Cobalt Strike", "TDTESS", "Matryoshka" ], "source_id": "MITRE", "reports": null }, { "id": "094d8210-4c64-4457-ad97-a94fc7af7630", "created_at": "2023-01-06T13:46:38.98103Z", "updated_at": "2026-04-10T02:00:03.170376Z", "deleted_at": null, "main_name": "Group5", "aliases": [ "G0043" ], "source_name": "MISPGALAXY:Group5", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "49f1ada0-181f-4e89-a449-e6bc13c8c6b1", "created_at": "2022-10-25T15:50:23.561511Z", "updated_at": "2026-04-10T02:00:05.382592Z", "deleted_at": null, "main_name": "Cleaver", "aliases": [ "Threat Group 2889", "TG-2889" ], "source_name": "MITRE:Cleaver", "tools": [ "Net Crawler", "PsExec", "TinyZBot", "Mimikatz" ], "source_id": "MITRE", "reports": null }, { "id": "adc8bb1a-6ded-4b27-8163-8069d5a6d492", "created_at": "2022-10-25T15:50:23.566869Z", "updated_at": "2026-04-10T02:00:05.385876Z", "deleted_at": null, "main_name": "Silent Librarian", "aliases": [ "Silent Librarian", "TA407", "COBALT DICKENS" ], "source_name": "MITRE:Silent Librarian", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "ae26d287-8ba7-447e-9391-cf13c02d7481", "created_at": "2023-03-04T02:01:54.0962Z", "updated_at": "2026-04-10T02:00:03.357189Z", "deleted_at": null, "main_name": "TA453", "aliases": [], "source_name": "MISPGALAXY:TA453", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2ed8d590-defa-4873-b2de-b75c9b30931e", "created_at": "2023-01-06T13:46:38.730137Z", "updated_at": "2026-04-10T02:00:03.08136Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "TEMP.Zagros", "Seedworm", "COBALT ULSTER", "G0069", "ATK51", "Mango Sandstorm", "TA450", "Static Kitten", "Boggy Serpens", "Earth Vetala" ], "source_name": "MISPGALAXY:MuddyWater", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "cffb3c01-038f-4527-9cfd-57ad5a035c22", "created_at": "2022-10-25T15:50:23.38055Z", "updated_at": "2026-04-10T02:00:05.258283Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "COBALT GYPSY", "IRN2", "APT34", "Helix Kitten", "Evasive Serpens", "Hazel Sandstorm", "EUROPIUM", "ITG13", "Earth Simnavaz", "Crambus", "TA452" ], "source_name": "MITRE:OilRig", "tools": [ "ISMInjector", "ODAgent", "RDAT", "Systeminfo", "QUADAGENT", "OopsIE", "ngrok", "Tasklist", "certutil", "ZeroCleare", "POWRUNER", "netstat", "Solar", "ipconfig", "LaZagne", "BONDUPDATER", "SideTwist", "OilBooster", "SampleCheck5000", "PsExec", "SEASHARPEE", "Mimikatz", "PowerExchange", "OilCheck", "RGDoor", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "42e41377-c64c-4be9-87a0-ee903e4b9055", "created_at": "2023-01-06T13:46:38.950322Z", "updated_at": "2026-04-10T02:00:03.158476Z", "deleted_at": null, "main_name": "Silent Librarian", "aliases": [ "Mabna Institute", "TA407", "TA4900", "Yellow Nabu", "COBALT DICKENS" ], "source_name": "MISPGALAXY:Silent Librarian", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bee22874-f90e-410b-93f3-a2f9b1c2e695", "created_at": "2022-10-25T16:07:23.45097Z", "updated_at": "2026-04-10T02:00:04.610108Z", "deleted_at": null, "main_name": "Chafer", "aliases": [ "APT 39", "Burgundy Sandstorm", "Cobalt Hickman", "G0087", "ITG07", "Radio Serpens", "Remix Kitten", "TA454" ], "source_name": "ETDA:Chafer", "tools": [ "ASPXSpy", "ASPXTool", "Antak", "CACHEMONEY", "EternalBlue", "HTTPTunnel", "LOLBAS", "LOLBins", "Living off the Land", "MechaFlounder", "Metasploit", "Mimikatz", "NBTscan", "NSSM", "Non-sucking Service Manager", "POWBAT", "Plink", "PuTTY Link", "Rana", "Remcom", "Remexi", "RemoteCommandExecution", "SafetyKatz", "UltraVNC", "WCE", "Windows Credential Editor", "Windows Credentials Editor", "nbtscan", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "1b3a247f-6186-4482-8b92-c3fb2d767c7d", "created_at": "2023-01-06T13:46:38.883911Z", "updated_at": "2026-04-10T02:00:03.132231Z", "deleted_at": null, "main_name": "APT39", "aliases": [ "COBALT HICKMAN", "G0087", "Radio Serpens", "TA454", "ITG07", "Burgundy Sandstorm", "REMIX KITTEN" ], "source_name": "MISPGALAXY:APT39", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "029625d2-9734-44f9-9e10-b894b4f57f08", "created_at": "2023-01-06T13:46:38.364105Z", "updated_at": "2026-04-10T02:00:02.944092Z", "deleted_at": null, "main_name": "Charming Kitten", "aliases": [ "iKittens", "Group 83", "NewsBeef", "G0058", "CharmingCypress", "Mint Sandstorm", "Parastoo" ], "source_name": "MISPGALAXY:Charming Kitten", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d4c0e20f-e199-448e-9056-88bb1cf1c63e", "created_at": "2025-08-07T02:03:24.717633Z", "updated_at": "2026-04-10T02:00:03.630245Z", "deleted_at": null, "main_name": "COBALT DICKENS", "aliases": [ "ITG22 ", "SilentLibrarian ", "TA407 ", "Yellow Nabu " ], "source_name": "Secureworks:COBALT DICKENS", "tools": [], "source_id": "Secureworks", "reports": null }, { "id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4", "created_at": "2022-10-25T15:50:23.808974Z", "updated_at": "2026-04-10T02:00:05.291959Z", "deleted_at": null, "main_name": "Magic Hound", "aliases": [ "Magic Hound", "TA453", "COBALT ILLUSION", "Charming Kitten", "ITG18", "Phosphorus", "APT35", "Mint Sandstorm" ], "source_name": "MITRE:Magic Hound", "tools": [ "Impacket", "CharmPower", "FRP", "Mimikatz", "Systeminfo", "ipconfig", "netsh", "PowerLess", "Pupy", "DownPaper", "PsExec" ], "source_id": "MITRE", "reports": null }, { "id": "e5ff825b-0456-4013-b90a-971b93def74a", "created_at": "2022-10-25T15:50:23.824058Z", "updated_at": "2026-04-10T02:00:05.377261Z", "deleted_at": null, "main_name": "APT33", "aliases": [ "APT33", "HOLMIUM", "Elfin", "Peach Sandstorm" ], "source_name": "MITRE:APT33", "tools": [ "PowerSploit", "AutoIt backdoor", "PoshC2", "Mimikatz", "NanoCore", "DEADWOOD", "StoneDrill", "POWERTON", "LaZagne", "TURNEDUP", "NETWIRE", "Pupy", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03", "created_at": "2025-08-07T02:03:24.746965Z", "updated_at": "2026-04-10T02:00:03.640335Z", "deleted_at": null, "main_name": "COBALT ILLUSION", "aliases": [ "APT35 ", "APT42 ", "Agent Serpens Palo Alto", "Charming Kitten ", "CharmingCypress ", "Educated Manticore Checkpoint", "ITG18 ", "Magic Hound ", "Mint Sandstorm sub-group ", "NewsBeef ", "Newscaster ", "PHOSPHORUS sub-group ", "TA453 ", "UNC788 ", "Yellow Garuda " ], "source_name": "Secureworks:COBALT ILLUSION", "tools": [ "Browser Exploitation Framework (BeEF)", "MagicHound Toolset", "PupyRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "156b3bc5-14b7-48e1-b19d-23aa17492621", "created_at": "2025-08-07T02:03:24.793494Z", "updated_at": "2026-04-10T02:00:03.634641Z", "deleted_at": null, "main_name": "COBALT ULSTER", "aliases": [ "Boggy Serpens ", "ENT-11 ", "Earth Vetala ", "ITG17 ", "MERCURY ", "Mango Sandstorm ", "MuddyWater ", "STAC 1171 ", "Seedworm ", "Static Kitten ", "TA450 ", "TEMP.Zagros ", "UNC3313 ", "Yellow Nix " ], "source_name": "Secureworks:COBALT ULSTER", "tools": [ "CrackMapExec", "Empire", "FORELORD", "Koadic", "LaZagne", "Metasploit", "Mimikatz", "Plink", "PowerStats" ], "source_id": "Secureworks", "reports": null }, { "id": "c786e025-c267-40bd-9491-328da70811a5", "created_at": "2025-08-07T02:03:24.736817Z", "updated_at": "2026-04-10T02:00:03.752071Z", "deleted_at": null, "main_name": "COBALT GYPSY", "aliases": [ "APT34 ", "CHRYSENE ", "Crambus ", "EUROPIUM ", "Hazel Sandstorm ", "Helix Kitten ", "ITG13 ", "OilRig ", "Yellow Maero " ], "source_name": "Secureworks:COBALT GYPSY", "tools": [ "Glimpse", "Helminth", "Jason", "MacDownloader", "PoisonFrog", "RGDoor", "ThreeDollars", "TinyZbot", "Toxocara", "Trichuris", "TwoFace" ], "source_id": "Secureworks", "reports": null }, { "id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f", "created_at": "2023-01-06T13:46:38.367369Z", "updated_at": "2026-04-10T02:00:02.945356Z", "deleted_at": null, "main_name": "APT33", "aliases": [ "Elfin", "MAGNALLIUM", "HOLMIUM", "COBALT TRINITY", "G0064", "ATK35", "Peach Sandstorm", "TA451", "APT 33", "Refined Kitten" ], "source_name": "MISPGALAXY:APT33", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31", "created_at": "2023-01-06T13:46:38.376868Z", "updated_at": "2026-04-10T02:00:02.949077Z", "deleted_at": null, "main_name": "Cleaver", "aliases": [ "G0003", "Operation Cleaver", "Op Cleaver", "Tarh Andishan", "Alibaba", "TG-2889", "Cobalt Gypsy" ], "source_name": "MISPGALAXY:Cleaver", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "67709937-2186-4a32-b64c-a5693d40ac77", "created_at": "2023-01-06T13:46:38.495593Z", "updated_at": "2026-04-10T02:00:02.999196Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "Crambus", "Helix Kitten", "APT34", "IRN2", "ATK40", "G0049", "EUROPIUM", "TA452", "Twisted Kitten", "Cobalt Gypsy", "APT 34", "Evasive Serpens", "Hazel Sandstorm", "Earth Simnavaz" ], "source_name": "MISPGALAXY:OilRig", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f4557ed9-2455-44c5-a768-dfb80ccae259", "created_at": "2023-01-06T13:46:38.652329Z", "updated_at": "2026-04-10T02:00:03.055638Z", "deleted_at": null, "main_name": "CopyKittens", "aliases": [ "Slayer Kitten", "G0052" ], "source_name": "MISPGALAXY:CopyKittens", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7ba9e3e3-1cef-4e20-be7e-95f05e8295d7", "created_at": "2022-10-25T16:07:23.821494Z", "updated_at": "2026-04-10T02:00:04.759302Z", "deleted_at": null, "main_name": "Mabna Institute", "aliases": [ "Academic Serpens", "Cobalt Dickens", "G0122", "Mabna Institute", "Silent Librarian", "TA407", "TA4900", "Yellow Nabu" ], "source_name": "ETDA:Mabna Institute", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "b938e2e3-3d1b-4b35-a031-ddf25b912557", "created_at": "2022-10-25T16:07:23.35582Z", "updated_at": "2026-04-10T02:00:04.55531Z", "deleted_at": null, "main_name": "APT 33", "aliases": [ "APT 33", "ATK 35", "Cobalt Trinity", "Curious Serpens", "Elfin", "G0064", "Holmium", "Magnallium", "Peach Sandstorm", "Refined Kitten", "TA451", "Yellow Orc" ], "source_name": "ETDA:APT 33", "tools": [ "Atros2.CKPN", "AutoIt backdoor", "Breut", "CinaRAT", "DROPSHOT", "DarkComet", "DarkKomet", "DistTrack", "EmPyre", "EmpireProject", "FYNLOS", "FalseFont", "Filerase", "Fynloski", "JuicyPotato", "Krademok", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "Mimikatz", "Nancrat", "NanoCore", "NanoCore RAT", "NetWeird", "NetWire", "NetWire RAT", "NetWire RC", "NetWired RC", "Notestuk", "POWERTON", "PoshC2", "PowerBand", "PowerShell Empire", "PowerSploit", "PsList", "Pupy", "PupyRAT", "Quasar RAT", "QuasarRAT", "Recam", "Remcos", "RemcosRAT", "Remvio", "SHAPESHIFT", "Shamoon", "Socmer", "StoneDrill", "TURNEDUP", "Tickler", "Yggdrasil", "Zurten", "klovbot", "pupy" ], "source_id": "ETDA", "reports": null }, { "id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f", "created_at": "2022-10-25T16:07:23.83826Z", "updated_at": "2026-04-10T02:00:04.761303Z", "deleted_at": null, "main_name": "Magic Hound", "aliases": [ "APT 35", "Agent Serpens", "Ballistic Bobcat", "Charming Kitten", "CharmingCypress", "Cobalt Illusion", "Cobalt Mirage", "Educated Manticore", "G0058", "G0059", "Magic Hound", "Mint Sandstorm", "Operation BadBlood", "Operation Sponsoring Access", "Operation SpoofedScholars", "Operation Thamar Reservoir", "Phosphorus", "TA453", "TEMP.Beanie", "Tarh Andishan", "Timberworm", "TunnelVision", "UNC788", "Yellow Garuda" ], "source_name": "ETDA:Magic Hound", "tools": [ "7-Zip", "AnvilEcho", "BASICSTAR", "CORRUPT KITTEN", "CWoolger", "CharmPower", "ChromeHistoryView", "CommandCam", "DistTrack", "DownPaper", "FRP", "Fast Reverse Proxy", "FireMalv", "Ghambar", "GoProxy", "GorjolEcho", "HYPERSCRAPE", "Havij", "MPK", "MPKBot", "Matryoshka", "Matryoshka RAT", "MediaPl", "Mimikatz", "MischiefTut", "NETWoolger", "NOKNOK", "PINEFLOWER", "POWERSTAR", "PowerLess Backdoor", "PsList", "Pupy", "PupyRAT", "SNAILPROXY", "Shamoon", "TDTESS", "WinRAR", "WoolenLogger", "Woolger", "pupy", "sqlmap" ], "source_id": "ETDA", "reports": null }, { "id": "467c5e72-55a6-40a9-9b73-bb764889c0a5", "created_at": "2022-10-25T16:07:23.486532Z", "updated_at": "2026-04-10T02:00:04.628477Z", "deleted_at": null, "main_name": "CopyKittens", "aliases": [ "CopyKittens", "G0052", "Operation Wilted Tulip", "Slayer Kitten" ], "source_name": "ETDA:CopyKittens", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "EmPyre", "EmpireProject", "Matryoshka", "Matryoshka RAT", "PowerShell Empire", "TDTESS", "Vminst", "ZPP", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "32c8c1a1-ae5c-4a05-a95d-2e970a46cd1e", "created_at": "2022-10-25T16:07:23.777999Z", "updated_at": "2026-04-10T02:00:04.747552Z", "deleted_at": null, "main_name": "Leafminer", "aliases": [ "Flash Kitten", "G0077", "Leafminer", "Raspite" ], "source_name": "ETDA:Leafminer", "tools": [ "Imecab", "LaZagne", "Mimikatz", "PhpSpy", "Sorgu" ], "source_id": "ETDA", "reports": null }, { "id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb", "created_at": "2022-10-25T16:07:23.880522Z", "updated_at": "2026-04-10T02:00:04.775749Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "ATK 51", "Boggy Serpens", "Cobalt Ulster", "G0069", "ITG17", "Mango Sandstorm", "MuddyWater", "Operation BlackWater", "Operation Earth Vetala", "Operation Quicksand", "Seedworm", "Static Kitten", "T-APT-14", "TA450", "TEMP.Zagros", "Yellow Nix" ], "source_name": "ETDA:MuddyWater", "tools": [ "Agentemis", "BugSleep", "CLOUDSTATS", "ChromeCookiesView", "Cobalt Strike", "CobaltStrike", "CrackMapExec", "DCHSpy", "DELPHSTATS", "EmPyre", "EmpireProject", "FruityC2", "Koadic", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "MZCookiesView", "Meterpreter", "Mimikatz", "MuddyC2Go", "MuddyRot", "Mudwater", "POWERSTATS", "PRB-Backdoor", "PhonyC2", "PowGoop", "PowerShell Empire", "PowerSploit", "Powermud", "QUADAGENT", "SHARPSTATS", "SSF", "Secure Socket Funneling", "Shootback", "Smbmap", "Valyria", "chrome-passwords", "cobeacon", "prb_backdoor" ], "source_id": "ETDA", "reports": null }, { "id": "b6436f7b-6012-4969-aed1-d440e2e8b238", "created_at": "2022-10-25T16:07:23.91517Z", "updated_at": "2026-04-10T02:00:04.788408Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "APT 34", "ATK 40", "Chrysene", "Cobalt Gypsy", "Crambus", "DEV-0861", "EUROPIUM", "Earth Simnavaz", "Evasive Serpens", "G0049", "Hazel Sandstorm", "Helix Kitten", "IRN2", "ITG13", "Scarred Manticore", "Storm-0861", "TA452", "Twisted Kitten", "UNC1860", "Yellow Maero" ], "source_name": "ETDA:OilRig", "tools": [ "AMATIAS", "Agent Drable", "Agent Injector", "AgentDrable", "Alma Communicator", "BONDUPDATER", "CACTUSPIPE", "Clayslide", "CypherRat", "DNSExfitrator", "DNSpionage", "DROPSHOT", "DistTrack", "DropperBackdoor", "Fox Panel", "GREYSTUFF", "GoogleDrive RAT", "HighShell", "HyperShell", "ISMAgent", "ISMDoor", "ISMInjector", "Jason", "Karkoff", "LIONTAIL", "LOLBAS", "LOLBins", "LONGWATCH", "LaZagne", "Living off the Land", "MailDropper", "Mimikatz", "MrPerfectInstaller", "OILYFACE", "OopsIE", "POWBAT", "POWRUNER", "Plink", "Poison Frog", "PowerExchange", "PsList", "PuTTY Link", "QUADAGENT", "RDAT", "RGDoor", "SEASHARPEE", "Saitama", "Saitama Backdoor", "Shamoon", "SideTwist", "SpyNote", "SpyNote RAT", "StoneDrill", "TONEDEAF", "TONEDEAF 2.0", "ThreeDollars", "TwoFace", "VALUEVAULT", "Webmask", "WinRAR", "ZEROCLEAR", "ZeroCleare", "certutil", "certutil.exe" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434778, "ts_updated_at": 1775792257, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/375a4796d1ad0c6ecc87cf366b83b3ada99d19b4.pdf", "text": "https://archive.orkl.eu/375a4796d1ad0c6ecc87cf366b83b3ada99d19b4.txt", "img": "https://archive.orkl.eu/375a4796d1ad0c6ecc87cf366b83b3ada99d19b4.jpg" } }