{
	"id": "0501121a-4896-4130-8263-757be7f674df",
	"created_at": "2026-04-06T00:17:47.798483Z",
	"updated_at": "2026-04-10T13:12:23.563611Z",
	"deleted_at": null,
	"sha1_hash": "391b510cbd7882afabf8866ce5d3b7a4fdefafaa",
	"title": "Securonix Threat Research: Detecting LockerGoga Targeted IT/OT Cyber Sabotage/Ransomware Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4389101,
	"plain_text": "Securonix Threat Research: Detecting LockerGoga Targeted\r\nIT/OT Cyber Sabotage/Ransomware Attacks\r\nArchived: 2026-04-05 12:59:20 UTC\r\nBy Oleg Kolesnikov and Harshvardhan Parashar, Securonix Threat Research Team\r\nUpdated April 30, 2019\r\nFigure 1: LockerGoga Targeted Malicious Cyber Sabotage/Ransomware Implant in Action\r\nIntroduction\r\nThe Securonix Threat Research Team has been closely monitoring the LockerGoga targeted cyber\r\nsabotage/ransomware (TC/R) attacks impacting Norsk Hydro (one of the largest aluminum companies\r\nworldwide), Hexion/Momentive (a chemical manufacturer), and other companies’ IT and operational technology\r\n(OT) infrastructure, causing over US$40 million in damages [1][2].\r\nThis report summarizes what we currently know about these high-profile attacks and recommends\r\nsome Securonix predictive indicators and security analytics to use to increase your chances of detecting such\r\nattacks targeting industrial operations and operational technology companies.\r\nhttps://www.securonix.com/securonix-threat-research-detecting-lockergoga-targeted-it-ot-cyber-sabotage-ransomware-attacks/\r\nPage 1 of 10\n\nFigure 2: LockerGoga Digital Certificate Used to Evade EDR Detection\r\nSummary\r\nHere is a summary of some of the key details about the LockerGoga TC/R attacks we have been\r\nobserving:\r\nImpact\r\nCaused the temporary shutdown of production networks, forcing companies to switch to manual operations and\r\nprocedures. The financial impact for one of the largest targets, Norsk Hydro, is estimated to be between US$35\r\nmillion and $41 million [5].\r\nInfiltration Vector(s)\r\nUnconfirmed; possibly a phishing email campaign containing specially crafted Microsoft Word documents or RTF\r\nattachments with macro/OLE content.\r\nAttribution\r\nLockerGoga is currently attributed to the FIN6 malicious threat actor [13]. 
In addition to industrial/manufacturing\r\ncompanies, the malicious threat actor is also known to target healthcare and insurance companies in the US and\r\nAsia [15].\r\nDefense Evasion\r\nLockerGoga payloads are signed with valid digital certificates issued by multiple certificate authorities (CAs),\r\nnamely Alisa Ltd., Kitty Ltd., Sectigo, and Mikl Limited, which allowed the LockerGoga TC/R attacks to\r\nevade detection. Some LockerGoga variants are also known to leverage the ‘taskkill’ command to disable\r\nantivirus (AV) and endpoint detection processes [6]. Some variants of the LockerGoga TC/R attack are capable of\r\ndeleting Windows event logs using wevtutil.exe [3].\r\nFigure 3: Examples of LockerGoga Activity in Logs\r\nPropagation\r\nMost likely required operator placement, with the LockerGoga malicious threat actors observed moving the\r\npayload around the network using SMB [7]. In some incidents, the actors have also been using Active Directory\r\nmanagement services to distribute the payload in the network. 
Specifically, the malicious binaries were believed to\r\nbe distributed using the NETLOGON directory of the Domain Admin Group account, which allowed the binaries\r\nto automatically propagate (more details below) [11].\r\nObserved Artifacts\r\nHash Values (SHA-256) [7]\r\nLockerGoga TC/R Attacks: High-Level Behaviors\r\nRansomware\r\nAt a high level, the LockerGoga TC/R attacks aim at encrypting files with the extensions: .doc, .dot, .docx, .docb,\r\n.dotx, .wkb, .xlm, .xml, .xls, .xlsx, .xlt, .xltx, .xlsb, .xlw, .ppt, .pps, .pot, .ppsx, .pptx, .posx, .potx, .sldx, .pdf, .db,\r\n.sql, .cs, .ts, .js, and .py. The attacks use the embedded RSA-1024 public key in the binaries to encrypt the AES-256 key used to encrypt the individual files. 
The encrypted files are stored with the extension *.LOCKED.\r\nCyber Sabotage\r\nBesides encrypting files, some LockerGoga variants include code that actually made it harder for the victims to\r\npay the ransom. This is done by changing administrator passwords and logging users off using logoff.exe (see below).\r\nThis indicates that the attackers’ objectives may have included additional goals that are not part of a traditional\r\nransomware modus operandi, such as cyber sabotage.\r\nLateral Movement\r\nWhile the known variants of LockerGoga do not appear to include code to enable lateral movement, according to\r\nNorCert, the threat actors were able to move laterally, infecting the entire organization. The most likely attack\r\nprogression was that an initial compromise was followed by manual operator placement and modification of one\r\nof the existing logon script entries in the Netlogon directory on an AD resource, for example\r\n\\WINDOWS\\sysvol\\sysvol\\\u003cDOMAIN\u003e\\scripts, which allowed the binary to automatically propagate and be\r\nexecuted by users within the organization during a logon session. It is also possible that the threat actors created a\r\nnew logon script and added a new logon GPO entry to execute the binary on all of the systems applying the logon\r\nscript to the organizational unit or the complete organization (see Figure 4).\r\nFigure 4: Logon Scripts Likely Utilized by LockerGoga for Lateral Movement\r\nFile Encryption\r\nAs soon as the endpoint is infected with the LockerGoga TC/R attack payload, the payload is moved to the %TEMP%\r\ndirectory and executes a master/parent process which enumerates files on the endpoint and spawns slave/child\r\nprocesses to encrypt the individual files [8]. 
A high number of worker processes is known to be spawned by this\r\nthreat in order to leverage additional CPU resources available on targets with multiple processors/cores.\r\nPassword Modification\r\nLockerGoga variants are known to modify the password of the administrator accounts to\r\nHuHuHUHoHo283283@dJD and run logoff.exe in order to force the users to log off and lock them out.\r\nLockerGoga also enumerates all the Ethernet and wireless interfaces on the endpoint and disables them using the\r\nCreateProcessW function via command line (netsh.exe interface set interface DISABLE) to isolate the endpoint\r\n[9].\r\nDefense Evasion\r\nSome LockerGoga variants are known to utilize trivial defense evasion techniques, including basic anti-VM and\r\nanti-sandbox mechanisms in a virtual environment, by leveraging functions like GetLastError(),\r\nIsDebuggerPresent(), and OutputDebugStringA() [4]. As mentioned earlier, the LockerGoga binaries are signed by\r\na valid certificate issued by a legitimate CA. 
Many variants use the ‘taskkill’ command to terminate AV-associated\r\nprocesses and also attempt to clear Windows logs using the ‘C:\\Windows\\system32\\wevtutil.exe cl Microsoft-Windows-WMI-Activity/Trace’ command [3].\r\nWindows API Calls\r\nLockerGoga is also known to use some undocumented Windows API calls (NtQuerySection) and import\r\nWS2_32.dll to support process communications, which shows the level of sophistication of the actors [7].\r\nSample Securonix Spotter Search Queries\r\nHere are some sample Securonix Spotter search queries to assist with detection of existing infections.\r\nETDR Process Monitoring (Process Hash Conditions)\r\n(rg_category contains “Endpoint” OR rg_category contains “ips” OR rg_category contains “ids”) AND\r\n(customstring3= ae7e9839b7fb750128147a9227d3733dde2faacd13c478e8f4d8d6c6c2fc1a55 or customstring3=\r\nf474a8c0f66dee3d504fff1e49342ee70dd6f402c3fa0687b15ea9d0dd15613a or customstring3=\r\nffab69deafa647e2b54d8daf8c740b559a7982c3c7c1506ac6efc8de30c37fd5 or customstring3=\r\nc1670e190409619b5a541706976e5a649bef75c75b4b82caf00e9d85afc91881 or customstring3=\r\n65d5dd067e5550867b532f4e52af47b320bd31bc906d7bf5db889d0ff3f73041 or customstring3=\r\n31fdce53ee34dbc8e7a9f57b30a0fbb416ab1b3e0c145edd28b65bd6794047c1 or customstring3=\r\n32d959169ab8ad7e9d4bd046cdb585036c71380d9c45e7bb9513935cd1e225b5 or customstring3=\r\ne00a36f4295bb3ba17d36d75ee27f7d2c20646b6e0352e6d765b7ac738ebe5ee or customstring3=\r\n6d8f1a20dc0b67eb1c3393c6c7fc859f99a12abbca9c45dcbc0efd4dc712fb7c or customstring3=\r\n79c11575f0495a3daaf93392bc8134c652360c5561e6f32d002209bc41471a07 or customstring3=\r\n050b4028b76cd907aabce3d07ebd9f38e56c48c991378d1c65442f9f5628aa9e or customstring3=\r\n1f9b5fa30fd8835815270f7951f624698529332931725c1e17c41fd3dd040afe or customstring3=\r\n276104ba67006897630a7bdaa22343944983d9397a538504935f2ec7ac10b534 or customstring3=\r\n88d149f3e47dc337695d76da52b25660e3a454768af0d7e59c913995af496a0f or 
customstring3=\r\nc97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15 or customstring3=\r\n06e3924a863f12f57e903ae565052271740c4096bd4b47c38a9604951383bcd1 or customstring3=\r\na845c34b0f675827444d6c502c0c461ed4445a00d83b31d5769646b88d7bbedf or customstring3=\r\n7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26 or customstring3=\r\nba15c27f26265f4b063b65654e9d7c248d0d651919fafb68cb4765d1e057f93f or customstring3=\r\neda26a1cd80aac1c42cdbba9af813d9c4bc81f6052080bc33435d1e076e75aa0 or customstring3=\r\n7852b47e7a9e3f792755395584c64dd81b68ab3cbcdf82f60e50dc5fa7385125 or customstring3=\r\n14e8a8095426245633cd6c3440afc5b29d0c8cd4acefd10e16f82eb3295077ca or customstring3=\r\n47f5a231f7cd0e36508ca6ff8c21c08a7248f0f2bd79c1e772b73443597b09b4 or customstring3=\r\nf3c58f6de17d2ef3e894c09bc68c0afcce23254916c182e44056db3cad710192 or customstring3=\r\n9128e1c56463b3ce7d4578ef14ccdfdba15ccc2d73545cb541ea3e80344b173c or customstring3=\r\nc3d334cb7f6007c9ebee1a68c4f3f72eac9b3c102461d39f2a0a4b32a053843a or customstring3=\r\n6e69548b1ae61d951452b65db15716a5ee2f9373be05011e897c61118c239a77 or customstring3=\r\n8cfbd38855d2d6033847142fdfa74710b796daf465ab94216fbbbe85971aee29 or customstring3=\r\nbdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f or customstring3=\r\n5b0b972713cd8611b04e4673676cdff70345ac7301b2c23173cdfeaff564225c or customstring3=\r\nc7a69dcfb6a3fe433a52a71d85a7e90df25b1db1bc843a541eb08ea2fd1052a4\r\nFigure 5: LockerGoga Malicious TC/R Implant Detection Using Securonix\r\nETDR Process Monitoring (Trivial Process Name Conditions)\r\n(rg_category contains “Endpoint” OR rg_category contains “ips” OR rg_category contains “ids”) AND\r\n(sourceprocessname starts with tgytutrc)\r\nSecuronix Detection: Some Examples of Securonix Predictive Indicators\r\nSome high-level examples of the relevant 
Securonix behavior analytics and predictive indicators that could help\r\ndetect such attacks in your IT/OT environments are given below. Figures 4 and 5 show a practical example of the\r\ndetection of the LockerGoga attacks using Securonix.\r\nSuspicious Process Activity – Potential Sysvol/Netlogon Lateral Movement Execution Analytic\r\nThis can be leveraged to detect the lateral movement of the malicious LockerGoga implants associated with\r\nnetlogon, for example gpscript execution, to help cover both the current LockerGoga variants where operator\r\nplacement is required and potentially future variants involving more automation.\r\nSuspicious Process Activity – Targeted – Potential Phishing Sequence II Malicious Payload Open Browser\r\nModality Analytic\r\nThis can be used to detect the likely initial infiltration vectors used by the malicious LockerGoga attacks.\r\nSuspicious Process Activity – Rare Parent-Child Relationship For Host Analytic\r\nThis can help detect the initial compromise and the behaviors associated with the operator placement required for\r\nlateral propagation.\r\nSuspicious Process Activity – Peak Netsh Execution For User Analytic\r\nThis can be utilized to identify unusual activity associated with disconnecting the network interfaces on the targets\r\nusing netsh disable.\r\nSuspicious Registry Activity – Diurnal Sysvol/Netlogon Script Changes Analytic\r\nThis can help detect initial operator placement needed for lateral movement in the form of unusual GPO\r\nsysvol/scripts registry updates associated with the logon scripts GPO changes.\r\nAnd a number of other Securonix behavioral analytics and predictive indicators, including: EDR-SYM5-ERI,\r\nEDR-SYM11-ERI, SST-SYM3-BPI, WEL-TAN1-BAI, EDR-SYM7-ERI, WELOTH1-RUN, EDR-SYM21-RUN et al.\r\nMitigation and Prevention: Securonix 
Recommendations\r\nHere are some of the Securonix recommendations to help customers prevent and/or mitigate the attack:\r\n1. Review your backup version retention policies. Make sure that your backups are stored in a location that\r\ncannot be accessed/encrypted by the LockerGoga TC/R attack. For example, consider using remote write-only backup locations.\r\n2. One of the possible ad hoc prevention or ‘inoculation’ methods for this particular threat could leverage an\r\nunhandled exception in the LockerGoga source code. While enumerating the target files, if the parent\r\nprocess encounters a malformed “.lnk” file (one that contains an invalid network path and has no associated RPC\r\nendpoint), the process is terminated without any further encryption [10].\r\n3. Implement an end user security training program, since end users are ransomware targets and it is important\r\nfor them to be aware of the threat of ransomware and how it occurs.\r\n4. Patch operating systems, software, and firmware on your infrastructure. Consider leveraging a centralized\r\npatch management system.\r\n5. For your Windows systems, consider enabling and auditing controlled folder access/turn on the protected\r\nfolders feature. https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enablecontrolled-folders-exploit-guard\r\nUpdates\r\nApril 30, 2019\r\nAdded Attribution section\r\nUpdated list of references\r\nReferences\r\n[1] Altran Technologies, Stéphanie Bia. Press release: Information on a cyber attack. January 01, 2019.\r\nhttps://ml.globenewswire.com/Resource/Download/0663f8d4-0acf-4463-b0fd-bb05042d1373. Last Accessed:\r\nMarch 28, 2019.\r\n[2] Norsk Hydro ASA. Update on cyber attacks March 21. March 21, 2019. https://www.hydro.com/nl-NL/media/news/2019/update-on-cyber-attacks-march-21/. 
Last Accessed: March 28, 2019.\r\n[3] Nick Biasini. Ransomware or Wiper? LockerGoga Straddles the Line. March 20, 2019.\r\nhttps://blog.talosintelligence.com/2019/03/lockergoga.html. Last Accessed: March 28, 2019.\r\n[4] Pierluigi Paganini. [SI-LAB] LockerGoga is the most active ransomware that focuses on targeting companies.\r\nMarch 21, 2019. https://securityaffairs.co/wordpress/82684/malware/lockergogaransomware-spreads.html. Last\r\nAccessed: March 28, 2019.\r\n[5] Nerijus Adomaitis. Norsk Hydro’s initial loss from cyber attack may exceed $40 million. March 26, 2019.\r\nhttps://www.reuters.com/article/us-norway-cyber/norsk-hydros-initial-loss-from-cyber-attack-mayexceed-40-\r\nmillion-idUSKCN1R71X9. Last Accessed: March 28, 2019.\r\n[6] Andy Greenberg. A Guide To LockerGoga, The Ransomware Crippling Industrial Firms. March 25, 2019.\r\nhttps://www.wired.com/story/lockergoga-ransomware-crippling-industrial-firms. Last Accessed: March 28, 2019.\r\n[7] Mike Harbison. Born This Way? Origins of LockerGoga. March 26, 2019.\r\nhttps://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga. Last Accessed: March 28, 2019.\r\n[8] Khasaia. Analysis of LockerGoga Ransomware. March 27, 2019. https://labsblog.f-secure.com/2019/03/27/analysis-of-lockergoga-ransomware/. Last Accessed: March 28, 2019.\r\n[9] Trend Micro™ Security. What You Need to Know About the LockerGoga Ransomware. March 20, 2019.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/what-you-need-to-knowabout-the-lockergoga-ransomware. Last Accessed: March 28, 2019.\r\n[10] Alert Logic. Halting the Lockergoga Ransomware. March 25, 2019. https://blog.alertlogic.com/halting-the-lockergoga-ransomware/. Last Accessed: March 28, 2019.\r\n[11] Alessandro Di Pinto, Heather MacKenzie. Breaking Research: LockerGoga Ransomware Impacts Norsk\r\nHydro. March 19, 2019. https://www.nozominetworks.com/blog/breaking-research-lockergoga-ransomware-impacts-norsk-hydro/. 
Last Accessed: March 28, 2019.\r\n[12] Mike Harbison – Palo Alto Unit 42. Born this Way: Origins of LockerGoga. March 26, 2019.\r\nhttps://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga. Last Accessed: March 28, 2019.\r\n[13] Brendan McKeague et al. Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and\r\nLockerGoga Ransomware. April 5, 2019. https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga. Last Accessed: April 17, 2019.\r\n[14] Jasper Manuel et al. LockerGoga: Ransomware Targeting Critical Infrastructure. April 11, 2019.\r\nhttps://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga. Last Accessed: April 17, 2019.\r\n[15] Cyware. Dissecting the activities and operations of FIN6 threat actor group. April 30, 2019.\r\nhttps://cyware.com/news/dissecting-the-activities-and-operations-of-fin6-threat-actor-group-ebc7df0a. Last\r\nAccessed: April 13, 2019.\r\nSource: https://www.securonix.com/securonix-threat-research-detecting-lockergoga-targeted-it-ot-cyber-sabotage-ransomware-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.securonix.com/securonix-threat-research-detecting-lockergoga-targeted-it-ot-cyber-sabotage-ransomware-attacks/"
	],
	"report_names": [
		"securonix-threat-research-detecting-lockergoga-targeted-it-ot-cyber-sabotage-ransomware-attacks"
	],
	"threat_actors": [
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434667,
	"ts_updated_at": 1775826743,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/391b510cbd7882afabf8866ce5d3b7a4fdefafaa.pdf",
		"text": "https://archive.orkl.eu/391b510cbd7882afabf8866ce5d3b7a4fdefafaa.txt",
		"img": "https://archive.orkl.eu/391b510cbd7882afabf8866ce5d3b7a4fdefafaa.jpg"
	}
}