{
	"id": "e4039391-87f5-44a6-ae97-c373e1487886",
	"created_at": "2026-04-06T00:20:56.002305Z",
	"updated_at": "2026-04-10T13:12:23.002093Z",
	"deleted_at": null,
	"sha1_hash": "3b7f9ed3189c471dfcfdd6d25db9b9ee3677f996",
	"title": "Trick or Threat: Ryuk Ransomware Targets Health Care Industry",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6371057,
	"plain_text": "Trick or Threat: Ryuk Ransomware Targets Health Care Industry\r\nBy Giovanni Vigna, Stefano Ortolani, Jason Zhang, Baibhav Singh\r\nPublished: 2020-11-03 · Archived: 2026-04-05 13:25:18 UTC\r\nIntroduction\r\nA recent report [1] from the Cybersecurity and Infrastructure Security Agency (CISA) has alerted the public about possible forthcoming ransomware attacks that target the health industry.\r\nThis report has raised concerns [2] especially because of the current pandemic, which has strained the resources of hospitals and care centers. As a consequence, a ransomware attack, in addition to crippling a healthcare provider’s infrastructure, might actually put at risk the lives of patients.\r\nThe advisory describes in detail the tactics, techniques, and procedures (TTPs) followed by the malicious actors who, at the moment, seem to be associated with Russian crime groups.\r\nThe attack uses a number of malware components, such as TrickBot, BazarLoader, Ryuk, and Cobalt Strike, in order to compromise networks, create bridgeheads, and then move laterally so that, eventually, a ransomware attack can be successfully carried out.\r\nIn the rest of this report, we present the characteristics of the various components of the attacks. We look at both the actual malware components (i.e., the code that performs the malicious actions) and the network evidence associated with their actions. 
Even though a number of these components (as well as similar ones) have been covered previously by our threat intelligence group [3] [4] and recently by other researchers [5], it is useful to see how this particular attack plays out and how it can be detected.\r\nArtifact Analysis\r\nIn most cases, the initial steps of the attack are social engineering attacks that trick users into downloading and executing downloaders (TrickBot and BazarLoader), which, in turn, download the ransomware (Ryuk).\r\nIn this analysis, we cover TrickBot, BazarLoader, and Ryuk in more detail.\r\nAll three malware samples are successfully identified as malicious by our artifact analysis sandbox, by relying on the extracted malicious behaviors.\r\nTrickBot\r\nTrickBot was initially devised as a banking Trojan, and, since its inception, has evolved in a number of different ways, adding new modules that provide different types of functionality.\r\nIn the attacks that have been observed recently, TrickBot has been mainly used as a conduit to drop additional malware, and, in this particular case, the Ryuk ransomware.\r\nhttps://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/\r\nPage 1 of 17\r\nAn interesting aspect of TrickBot is the recent introduction of a DNS tunneling component, called Anchor DNS, which allows the malware to establish a command-and-control channel with an outside host. DNS tunneling is often leveraged because outgoing TCP connections might be blocked or receive unwanted attention, while, instead, DNS requests to outside hosts are usually allowed as they are necessary for the normal operation of the network. An interesting aspect of this DNS tunnel is the use of a simple obfuscation technique (i.e., XOR-ing the content with a single byte) to avoid immediate detection. 
Some examples of this kind of behavior were detected and blocked on our customers’ networks as early as August 2020.\r\nWe were able to collect a number of TrickBot samples and we used our sandbox analysis systems to extract the behavior of the samples. Table 1 below shows the results of the analysis of one of the samples.\r\nTable 1: One of the TrickBot samples collected.\r\nIn the following figure, we can see the full behavioral analysis when analyzing the sample dynamically.\r\nFigure 1: Analysis overview for the sample shown in Table 1.\r\nIn addition to the TrickBot samples discussed above, we also identified some specific instances of the Anchor DNS module. Figure 2 shows the detection timeline of Anchor DNS by VMware NSX. Interestingly, the detonations go as far back as late August 2020, showing that the threat was active since then.\r\nFigure 2: Detection timeline of Anchor DNS by VMware NSX.\r\nThe most peculiar aspect of Anchor DNS is its ability to communicate to the C2 servers over DNS in an obfuscated fashion [6]. Emerging Threats describes both the protocol and the signatures in a recent report [7]. 
Figure 3 below shows the network activity produced by dynamically analyzing the sample 942701c5dc21bd6af902181fa673d8459683479b in the VMware NSX sandbox.\r\nFigure 3: Analysis overview of an Anchor DNS sample.\r\nBazarLoader\r\nBazarLoader is another malware downloader similar to TrickBot, often used as a precursor of a ransomware attack that involves Ryuk.\r\nUsually BazarLoader is delivered through social engineering, by luring an unsuspecting user into clicking on an email link.\r\nThe link often points to a file on Google Drive that appears to be a PDF file, which, in turn, contains a URL that points to the malware payload [8].\r\nBelow (see Figure 4) there is an analysis of a BazarLoader sample that was associated with the “Text_Report.exe” file name, which is one of the IoCs described in the recent advisory [1]. See Figure 5 for the PCAP analysis of the generated network traffic.\r\nFigure 4: Analysis overview for a BazarLoader sample.\r\nFigure 5: PCAP analysis detecting resolution of the bazar domain.\r\nRyuk\r\nRyuk is a ransomware that uses a number of techniques to spread through a network and encrypt files [9]. 
Ryuk is believed to be an evolution of the HERMES ransomware, which first appeared in 2017 [10].\r\nRyuk relies on both Cobalt Strike and PowerShell Empire, as well as “live off the land” tools, such as RDP, in order to move laterally through the network, using a combination of scanning techniques and credential harvesting.\r\nSimilar to other ransomware threats, once the target has been profiled, the ransomware encrypts the files, and attempts to delete any backup and shadow copies.\r\nTable 2: One of the Ryuk samples collected.\r\nFigure 6: Analysis overview for a Ryuk sample in the VMware NSX sandbox.\r\nNetwork Evidence\r\nOur solution provides a number of signatures to detect various aspects of the network behavior of the malware components described in the previous section.\r\nMore precisely, the following table shows the currently deployed network signatures that target these threats.\r\nTable 3: Network signatures for the threats under analysis.\r\nAs shown in the figure below, our threat intelligence sensors have been detecting malicious network activity originating from the IP addresses included in the CISA report [1] in the month of October.\r\nFigure 7: Detection timeline of malicious network activities from the IP addresses in [1].\r\nWhile 5% of all detections are related to education, 95% of all detections targeted the Healthcare sector, and involved the IP address 38.89.106[.]69.\r\nIn-depth Analysis\r\nIn the following, we provide an in-depth analysis that focuses on the following samples:\r\nBazar Loader (EXE)\r\n• c361742189a14d011847080f6becd024\r\n• 1e30713681e7439b059ea95431be132a [11]\r\n• 704dea93ef129b6c10b5b02433b51ec2\r\n• 45ed8898bead32070cf1eb25640b414c\r\nRyuk (DLL)\r\n• 890206F0C506366D480E02FC9FED988A\r\nRyuk (EXE)\r\n• 85057B3F1210043CE7821E249AC96B29\r\nThe chain of attack starts with a phishing email. The user clicks on the link in the email, which downloads an executable and runs it. The executable is a BazarLoader, which downloads and runs the Bazar Backdoor. The backdoor runs Cobalt Strike and eventually starts the Ryuk ransomware (for a more detailed analysis of this kill chain see [11]).\r\nBazarLoader’s main tactic is to use as many legitimate services as possible, namely:\r\n• Google Docs links in emails\r\n• Signed executables with correct signatures\r\n• EmerDNS (decentralized blockchain DNS) for communication with the C\u0026C server, using .bazar domains\r\nAll samples are trying to reach a C\u0026C via a normal domain name to download and run the Bazar EXE (1e30713681e7439b059ea95431be132a).\r\nBazarLoader runs a shellcode similarly to Ryuk’s EXEs and DLLs (see below). The shellcode is almost the same one which is used in Ryuk (see below) except for the constants that the code loads into the registers:\r\nRyuk rasadhlp EXE (85057B3F1210043CE7821E249AC96B29)\r\nEven though this file is an EXE file (not a DLL), it mimics rasadhlp.dll:\r\nFigure 8: Ryuk mimics rasadhlp.dll.\r\nThis component is signed by MADAS d.o.o.:\r\nFigure 9: The Ryuk rasadhlp.dll certificate.\r\nThe executable is a matryoshka-style malware:\r\n1. There is a shellcode in the EXE’s resources;\r\n2. The shellcode contains a DLL;\r\n3. The DLL contains another DLL stored in the .data section, where the main functionality is.\r\nEXE\r\nWinMain:\r\n1. 
EXE exports a function called “CSBhvSWCvFRvfCfAoJdoFuAUmK” that contains the main functionality. GetProcAddress helps getting its address.\r\n2. Calls CSBhvSWCvFRvfCfAoJdoFuAUmK\r\n3. Creates a hidden window with class name “SBhvSWCvFRvfCfAoJdoFuAUmK” and window name “PNG Demo V1.00”: CreateWindowExA, ShowWindow, UpdateWindow\r\n4. Performs a standard Windows message loop: GetMessageA, TranslateMessage, DispatchMessageA\r\nCSBhvSWCvFRvfCfAoJdoFuAUmK runs the next stage – the shellcode:\r\n1. Calls GetProcAddress to get the address of VirtualAlloc\r\n2. Loads resource 888\\8895 with the help of: FindResourceA, LoadResource, SizeofResource\r\n3. Allocates 0x4461E bytes of RWX memory with VirtualAlloc\r\n4. Copies the shellcode into the allocated memory, then decrypts it\r\n5. Calls the beginning of the allocated memory\r\nShellcode\r\nThe purpose of the shellcode is to map the next stage DLL into memory and then transfer execution:\r\n1. By manually parsing the TEB, PEB, etc., it retrieves pointers to: LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualProtect, ZwFlushInstructionCache, GetNativeSystemInfo. It then stores and calculates hashes of function names.\r\n2. Maps sections into memory, fixes imports by parsing them, and then finds addresses via LoadLibraryA and GetProcAddress\r\n3. Transfers execution to the first DLL\r\nBeginning of the shellcode:\r\nFirst DLL\r\nThis is not a sophisticated component: with the help of VirtualAlloc, LoadLibraryA and GetProcAddress it maps the second DLL into memory, fixes imports, and then, with the help of GetProcAddress, finds a function called “StartFunc”, which the second DLL exports. 
It calls that StartFunc and then calls ExitProcess.\r\nSecond DLL\r\nThe DLL is lightly obfuscated. StartFunc starts by setting up a timer for 60 seconds with a SetTimer call and then waits for the signal, calling GetMessageA and DispatchMessageA in a cycle. Even though it imports a significant number of normal-looking APIs, it retrieves pointers to the most interesting ones manually:\r\nWinsock functions as well:\r\nBefore the DLL performs anything malicious, it makes sure it is not running on a Russian system:\r\n1. Decrypts the word “Russia”\r\n2. Calls GetLocaleInfoA to retrieve the current country and language setting\r\n3. Calls wnsprintfA to form a string “country_language”, e.g., “United States_English”\r\n4. Immediately exits if StrStrA finds “Russia” in that string\r\nRyuk implements HTTPS with the help of CryptXxx functions from advapi32.dll and CertXxx functions from crypt32.dll. The Winsock functions from ws2_32.dll mentioned above are used for data transfer.\r\nThis is the first message sent out by the DLL:\r\nRyuk PluginSample.dll (890206F0C506366D480E02FC9FED988A)\r\nAttackers run this DLL manually (according to [12], [13]):\r\nrundll32 C:\\\\PerfLogs\\\\socks64.dll, rundll\r\nDespite the name used, it is not a SOCKS library. 
This DLL acts similarly to the EXE described above:\r\n1. Loads a shellcode from resources;\r\n2. The shellcode maps and runs the first DLL;\r\n3. The first DLL maps and runs the second DLL, where the main functionality is.\r\nPluginSample.dll\r\nThe most important functions exported by the DLL are called “rundll” and “SGeruIUrgVdfMaxMccIKRh”. rundll is the starting point, which must be executed manually. It finds the address of SGeruIUrgVdfMaxMccIKRh in the exports, and then calls it. SGeruIUrgVdfMaxMccIKRh loads the shellcode in a similar way to CSBhvSWCvFRvfCfAoJdoFuAUmK (as described above).\r\nAfterwards the sample adds itself to autorun:\r\n1. Calls StringFromGUID2 to get “{9E683E3F-9A8E-4109-B067-0CD924DB653E}”\r\n2. Calls GetModuleFileNameW to get its full path\r\n3. Makes a series of RegCreateKeyExW+RegSetValueExW+RegCloseKey calls to create this hierarchy (assuming that “C:\\\\share\\\\socks64.dll” is the DLL’s full path):\r\n[HKEY_CLASSES_ROOT\\CLSID\\{9E683E3F-9A8E-4109-B067-0CD924DB653E}]\r\n@=”Read-Only Photo Acquire Plugin”\r\n[HKEY_CLASSES_ROOT\\CLSID\\{9E683E3F-9A8E-4109-B067-0CD924DB653E}\\InprocServer32]\r\n@=”C:\\\\share\\\\socks64.dll”\r\n“ThreadingModel”=”Apartment”\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PhotoAcquisition]\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PhotoAcquisition\\Plugins\\{9E683E3F-9A8E-4109-B067-0CD924DB653E}]\r\n“DisplayName”=”@C:\\\\share\\\\socks64.dll,-1”\r\nShellcode\r\nThe shellcode is identical to the one found in the EXE (see above).\r\nFirst DLL\r\nThe technique used to run the second DLL is identical to the one found in the EXE (see above).\r\nSecond DLL\r\nThis DLL contains the main functionality. 
Before it does anything malicious it needs to reach its C\u0026C server. All interesting strings (such as IP addresses) are encrypted. It decrypts them on the fly, holding the decrypted strings on the stack for the time of use. It does not perform any further actions until it establishes a connection with a server. It does so repetitively:\r\nIf the connection succeeds, then the sample:\r\n• Calls interesting APIs (GetVolumeInformationA)\r\n• Connects to https://api.ipify.org/ and https://ip4.seeip.org/\r\n• Uses Tor. The sample contains hardcoded IP addresses of Tor nodes as well as some strings from the Tor Rendezvous Specification:\r\n• Runs PowerShell scripts with -WindowStyle Hidden -ep bypass -file\r\nConclusions\r\nThe combination of the TrickBot and BazarLoader downloaders with the Ryuk ransomware represents a notable threat.\r\nThese malware samples can be detected by performing behavioral analysis (i.e., executing the artifacts in a sandbox) or by building models (both signatures and anomaly detectors) that identify both malicious and suspicious network activity.\r\nVMware NSX, by composing network analysis with program analysis, provides complete visibility into this threat.\r\nBibliography\r\n[1] CISA, “Ransomware Activity Targeting the Healthcare and Public Health Sector,” 28 October 2020. [Online]. Available: https://us-cert.cisa.gov/ncas/alerts/aa20-302a.\r\n[2] NPR, “U.S. Hospitals Targeted In Rising Wave Of Ransomware Attacks, Federal Agencies Say,” 29 October 2020. [Online]. Available: https://www.npr.org/2020/10/29/928979988/u-s-hospitals-targeted-in-rising-wave-of-ransomware-attacks-federal-agencies-say.\r\n[3] R. Henderson, “Ryuk: Defending Against This Increasingly Busy Ransomware Family,” 27 February 2020. [Online]. 
Available: https://www.lastline.com/blog/threat-intelligence-bulletin-week-ending-feb-7-2/.\r\n[4] S. Ortolani and J. Haughom, “Evolution of Excel 4.0 Macro Weaponization,” 2 June 2020. [Online]. Available: https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/.\r\n[5] Sophos, “They’re back: inside a new Ryuk ransomware attack,” 14 October 2020. [Online]. Available: https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/.\r\n[6] Cybereason, “Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware,” 11 December 2019. [Online]. Available: https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware.\r\n[7] NTT, “TrickBot variant ‘Anchor_DNS’ communicating over DNS,” [Online]. Available: https://hello.global.ntt/insights/blog/trickbot-variant-communicating-over-dns.\r\n[8] FireEye, “Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser,” 28 October 2020. [Online]. Available: https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html.\r\n[9] Crowdstrike, “Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware,” 10 January 2019. [Online]. Available: https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/.\r\n[10] TrendMicro, “Examining Ryuk Ransomware Through the Lens of Managed Detection and Response,” 14 March 2019. [Online]. Available: https://www.trendmicro.com/vinfo/gb/security/news/cybercrime-and-digital-threats/examining-ryuk-ransomware-through-the-lens-of-managed-detection-and-response.\r\n[11] R. Marshanski and V. Kremez, “‘Front Door’ into BazarBackdoor: Stealthy Cybercrime Weapon,” 12 October 2020. [Online]. 
Available: https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon.\r\n[12] The DFIR Report, “Ryuk in 5 Hours,” 18 October 2020. [Online]. Available: https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/.\r\n[13] The DFIR Report, “Ryuk’s Return,” 8 October 2020. [Online]. Available: https://thedfirreport.com/2020/10/08/ryuks-return/.\r\nSource: https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/"
	],
	"report_names": [
		"trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434856,
	"ts_updated_at": 1775826743,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b7f9ed3189c471dfcfdd6d25db9b9ee3677f996.pdf",
		"text": "https://archive.orkl.eu/3b7f9ed3189c471dfcfdd6d25db9b9ee3677f996.txt",
		"img": "https://archive.orkl.eu/3b7f9ed3189c471dfcfdd6d25db9b9ee3677f996.jpg"
	}
}