{
	"id": "4865f930-2ad8-46c6-9ded-33fdc8bd5a2a",
	"created_at": "2026-04-06T00:12:10.36226Z",
	"updated_at": "2026-04-10T03:26:56.250357Z",
	"deleted_at": null,
	"sha1_hash": "3b3a954da525222b9acd7d58c53a150455bdca99",
	"title": "LevelBlue - Open Threat Exchange",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 342552,
	"plain_text": "LevelBlue - Open Threat Exchange\r\nBy TheNewRaikage\r\nArchived: 2026-04-05 12:40:40 UTC\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:carrotball\r\nPage 1 of 4\n\nThreat Research | FireEye Inc\r\nFind out more about FireEye.com, the world's leading cyber security company, which provides security services to\r\nmore than 1.5 million customers across the globe, and offers a wide range of products and services.\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:carrotball\r\nPage 2 of 4\n\n17 Subscribers\r\n95 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:carrotball\r\nPage 3 of 4\n\nU.S. Government Targeted in Spear-Phishing Attacks\r\nFileHash-SHA256: 19 | Email: 2 | Hostname: 5\r\nBetween July and October 2019, Unit 42 observed several malware families typically associated with the Konni\r\nGroup used to primarily target a US government agency, using the ongoing and heightened geopolitical relations\r\nissues surrounding North Korea to lure targets into opening malicious email attachments. The malware families\r\nused in this campaign consisted mainly of malicious documents featuring CARROTBAT downloaders with\r\nSYSCON payloads, but also included a new malware downloader Unit 42 has dubbed CARROTBALL.\r\n373,890 Subscribers\r\nSource: https://otx.alienvault.com/browse/pulses?q=tag:carrotball\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:carrotball\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://otx.alienvault.com/browse/pulses?q=tag:carrotball"
	],
	"report_names": [
		"pulses?q=tag:carrotball"
	],
	"threat_actors": [
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434330,
	"ts_updated_at": 1775791616,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b3a954da525222b9acd7d58c53a150455bdca99.pdf",
		"text": "https://archive.orkl.eu/3b3a954da525222b9acd7d58c53a150455bdca99.txt",
		"img": "https://archive.orkl.eu/3b3a954da525222b9acd7d58c53a150455bdca99.jpg"
	}
}