{ "id": "840d3250-1f5e-4f39-b4ef-77dc0ca6bf03", "created_at": "2026-04-06T15:53:27.145916Z", "updated_at": "2026-04-10T03:32:43.607281Z", "deleted_at": null, "sha1_hash": "3c51fec0e28825a56586d1e67042537980f59219", "title": "‘Decrypting APT33’s Dropshot Malware with Radare2 and Cutter – Part 1’", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 160379, "plain_text": "‘Decrypting APT33’s Dropshot Malware with Radare2 and Cutter\r\n– Part 1’\r\nBy Itay Cohen\r\nPublished: 2018-05-21 · Archived: 2026-04-06 15:38:20 UTC\r\nPrologue\r\nAs a reverse engineer and malware researcher, the tools I use are super important for me. I have invested hours\r\nand hours in creating the best malware analysis environment for myself and chose the best tools for me and my\r\nneeds. For the last two years, radare2 is my go-to tool for a lot of reverse-engineering tasks such as automating RE\r\nrelated work, scripting, CTFing, exploitation and more. That said, I almost never used radare2 for malware\r\nanalysis, or more accurately, for analysis of malware for Windows. The main reason was that radare2 command-line interface felt too clumsy, complicated and an over-kill. IDA Pro was simply better for these tasks, a quick\r\ninspection of functions, data structures, renaming, commenting, et cetera. It felt more intuitive for me and that\r\nwhat I was searching for while doing malware analysis. And then came Cutter.\r\nCutter\r\nAlong the years, the radare2 community had tried to develop many different graphic-interfaces for radare2. None\r\nof them came even close to Cutter. Cutter is a QT C++ based GUI for radare2. In my opinion, it is the GUI that\r\nradare2 deserves. To quote from Cutter’s Github page:\r\nCutter is not aimed at existing radare2 users. It instead focuses on those whose are not yet radare2 users\r\nbecause of the learning curve, because they don’t like CLI applications or because of the difficulty…\r\nCutter is a young project, only one-year-old, and it is the official GUI of radare2 (the first and only GUI to be\r\nannounced “official”). Cutter is a cross-platform GUI that aims to export radare2’s plenty of functionality into a\r\nuser-friendly and modern GUI. In this post, I’ll show you some of Cutter’s features and how I work with it. To be\r\nhonest, Cutter is intuitive so you probably won’t need me to show you around, but just in case.\r\nDownloading and installing Cutter\r\nCutter is available for all platforms (Linux, OS X, Windows). You can download the latest release here. If you are\r\nusing Linux, the fastest way to use Cutter is to use the AppImage file.\r\nIf you want to use the newest version available, with new features and bug fixes, you should build Cutter from\r\nsource by yourself. It isn’t a complicated task and it is the version I use.\r\nFirst, you must clone the repository:\r\nhttps://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/\r\nPage 1 of 11\n\ngit clone --recurse-submodules https://github.com/radareorg/cutter\ncd cutter\nBuilding on Linux:\n```default ./build.sh ```\nBuilding on Windows:\nprepare_r2.bat\nbuild.bat\nIf any of those do not work, check the more detailed instruction page here.\nDropshot \\ StoneDrill\nDropshot, also known as StoneDrill, is a wiper malware associated with the APT33 group which targeted mostly\norganizations in Saudi Arabia. Dropshot is a sophisticated malware sample, that employed advanced anti-emulation techniques and has a lot of interesting functionalities. The malware is most likely related to the\ninfamous Shamoon malware. Dropshot was analyzed thoroughly by Kaspersky and later on by FireEye. In this\narticle, we’ll focus on analyzing how Dropshot decrypted the strings inside it in order to evade analysis. In part 2\nof this article, which will be published soon, we’ll focus on decrypting the encrypted resource of Dropshot which\ncontains the actual payload of the malware.\nThe Dropshot sample can be downloaded from here (password: infected). I suggest you star (★) the repository to\nget updates on more radare2 tutorials 🙂\nPlease, be careful when using this sample. It is a real malware, and more than that, a wiper! Use with\ncaution!\nSince we’ll analyze Dropshot statically, you can use a Linux machine, as I did.\nWho said radare2 doesn’t have a decent GUI? | Decrypting the encrypted strings of APT33’s Dropshot\nmalware using Cutter (@r2gui) and @radareorg‘s Python API. Check it out @\nhttps://t.co/u50oaVYsOU pic.twitter.com/8loEAG07IW\n— Itay Cohen (@megabeets_)\n\ncan tell radare2 how to analyze the file. By expanding the “Advanced options”, we can set a specific Architecture,\r\na CPU, choose a file format and many more.\r\nIn order to analyze this sample more accurately, I chose to modify a more advanced option. By moving the\r\nAnalysis slider we can modify the level of Analysis. We’ll move it to the right in order to choose the Advanced\r\nanalysis mode. Then, disable the auto-renaming of functions by removing the check from “Autorename functions\r\nbased on context ( aan )”. I chose to disable aan  since in this sample, the algorithm behind aan  is renaming\r\nsome functions with confusing names.\r\nAfter clicking “OK” we’ll see the main window of Cutter, the dashboard. In your case, it might look different than\r\nmine but it can be easily configured. For example, by clicking “View -\u003e Preferences” you will be able to change\r\nthe theme colors and to configure the disassembly. The widgets are very flexible and can be located almost\r\nanywhere on the screen. You can also add more widgets to the screen by choosing the desired widget from the\r\n“Window” menu item. Take a few minutes to play with the environment since we’ll not dive deep into the\r\ninterface.\r\nBasic static analysis\r\nWhen analyzing a malware sample, I usually start by statically examining the binary. A basic static analysis can\r\nsometimes confirm whether a file is malicious, provide information about its functionality, and help us understand\r\nwhat we are facing. Although the basic static analysis is straightforward and can be quick, it’s largely ineffective\r\nagainst sophisticated malware. So before reading any assembly, let’s have a look around on some widgets.\r\nStrings\r\nStarting with the Strings widget, we are not seeing anything too interesting. Some strings might indicate names of\r\nfiles to be dropped – like “C-Dlt-C-Org-T.vbs” and “C-Dlt-C-Trsh-T.tmp”, others look unique but not telling us\r\nmuch, for example, “Hello dear”. We can also see some API functions and library strings we are familiar with, but\r\nthere’s no “smoking gun”.\r\nEntropy\r\nAnother attribute that is worth checking is the file’s entropy. What is an entropy of a binary file? I’ll use a nice\r\nquote which is originated from this page (in Russian, I have no idea what is written here) but was taken by me\r\nfrom this great article about entropy.\r\nOh, what’s the way this word hasn’t been mocked in thermodynamics! The measure of order in the\r\nsystem, the measure of energy dissipating and what’s not! Without any doubt, a real physicist will be\r\nsick of our definition while a real mathematician is going to be outraged. Nevertheless, as true\r\ndilettantes, let’s define the word “entropy” as a measure of the efficiency of information storage.\r\nhttps://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/\r\nPage 3 of 11\n\nSimply put, entropy (in our case) is the measurement of randomness in a given set of values (data). The Entropy of\r\na file (or data) is calculated similarly in different programs. Usually, it is a number between 0.0 to 8.0. The value\r\nof entropy is a reliable sign that the file is packed, compressed or contains packed or compressed data inside. A\r\npacked binary will probably have high entropy value. How high? Well, it differs. Some would say that 6.0 is high\r\nenough, some will say that 7.0 and above. I prefer to be somewhere in the middle and to treat 6.8 as good\r\nindicator that the binary or some of its components are compressed or packed.\r\nWe can easily see the calculated entropy of Dropshot by looking at Cutter’s Dashboard widget:\r\nAs you can see, our file has an entropy of 7.1 which is a very good indication of a compressed\\packed data. To be\r\nmore specific, we can see in the Sections widget the entropy of each section:\r\nLook how high the entropy of .rsrc  section is. Remember that the highest possible entropy value is 8.0. No\r\ndoubt, we have an interesting data in this section. We’ll get to that later in the 2nd part of this series.\r\nUnderstanding the strings decryption process\r\nWhile I was going through Dropshot code, I found that it is using a rather not-too-complicated method to decrypt\r\nits embedded strings (well, most of them). This function stood up in my analysis mainly because it was called\r\nmany many times in the code and was used mainly before LoadLibraryA  and GetProcAddress . So it looked to\r\nme as a technique to load libraries and functions dynamically in order to complicate analysis. A very popular\r\napproach among malware authors. The aim of this article is not to understand every component of the malware,\r\nbut to get familiar with Cutter, scripting with radare2, and how both can be used by malware researchers. Thus,\r\n(sadly) I won’t explain every step I took to find the decryption function.\r\nAs said before, spotting the decryption function was done thanks to its popularity and its cruciality to the\r\nprogram’s flow. If you want to give it a shot and try to find it by yourself — this is the time.\r\nWhether you found it or were too lazy to even search, here’s the answer — the decryption function is located at\r\n0x4012a0  and appears to take two parameters. In the next screenshot, we’ll see a function which is using the\r\ndecryption function.\r\nThe demonstrated function above ( 0x4017a0 ) is passing two parameters into our decryption function\r\n( 0x4012a0 ). The first argument is 0xb  (Decimal: 11) and the second argument is an address at 0x41b8cc . This\r\nis the time to rename our strings decryption function in order to ease our analysis. It can be easily done by clicking\r\non fcn.004012a0  and pressing  Shift + N  or by right-clicking and choosing “Rename  fcn.004012a0 “. Enter\r\nthe new name and press OK. I chose to call it strings_decrypter .\r\nhttps://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/\r\nPage 4 of 11\n\nNext, we can see that the output of strings_decrypter  ( eax ) is being pushed to another function at\r\n0x4013b0  in addition to another argument, 1. Let’s have a look at this function:\r\nThe function is taking the right branch if the argument passed to it is 0 (i.e EAX == 0 ) and the left branch if it is\r\nnot. Either way, it will call LoadLibraryA  with a string that would be decrypted using our beloved decryption\r\nfunction. I’ll spoil it for you — the function would load ntdll.dll  on the right branch and kernel32.dll  on\r\nthe left. Simply put, the function is loading the required library in order to use a function from it. I’ll rename this\r\nfunction to load_ntdll_or_kernel32 . Now let’s get back to the previous function and continue to examine it.\r\nAfter choosing loading either  ntdll.dll  or kernel32.dll , the function calls  GetProcAddress with a handle\r\nto the loaded library and the string that it decrypted at the beginning. We can be sure that this string is an exported\r\nAPI function of kernel32.dll . A few instructions later we can see that the referenced API function is being\r\ncalled.\r\nWe don’t have any idea which API function is being called. That’s why we need to understand how\r\nstrings_decrypter  is working and what is each parameter that is being passed to it.\r\nAnalyzing the decryption function\r\nWe talked about this function constantly but we didn’t see it yet. Here’s the graph of the function as created by\r\nCutter:\r\nSo, what do we have here? We obviously won’t go over it step by step, but we need to, and will, understand the\r\ngeneral idea. We already know that this function receives two arguments. The first one is an address and the\r\nsecond is a number. The address argument is held by a variable named arg_8h , the integer is stored at arg_ch .\r\nAt the first block, starting at  0x4012a0 , we can see that a buffer at the size of arg_ch+1 is allocated by\r\nVirtualAlloc . Then the address to the allocated buffer is assigned to local_8h . We can rename it to\r\nbuffer  by clicking on its name and pressing Shift+N. This can also be done using the right-click context menu.\r\nAfter that, we can see that zero is assigned to local_4h . The next block is a starting of a loop. We can see that\r\nthe integer stored at arg_ch  is assigned to edx which in turn is compared with local_4h . We can understand\r\nnow that arg_ch  is some kind of length or size and local_4h  is a loop index. Let’s rename both to\r\nlength  and index . Now that we know the purpose of one argument of the two and the purpose of the two local\r\nvariables, we need to understand what is in the address that is passed via arg_8h . In our example, we saw the\r\nvalue  0x41b8cc  being passed to our strings_decrypter function. Let’s go to the Hexdump widget and seek to\r\nthis address. Just type this address in the upper textbox in order to seek a flag or an address. We can see that this is\r\na half-word (2 bytes) array of integers that starts from  0x41b8cc  and ends at  0x0041b8e1 . Using another great\r\nfeature from Cutter (at the right side of the screen), we can generate a C array of half-words:\r\nThat’s a really great feature, right?! Cutter can generate different types of arrays to ease scripting tasks. Here are\r\nsome examples:\r\nhttps://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/\r\nPage 5 of 11\n\nC half-words (Little Endian):\r\n#define _BUFFER_SIZE 11\r\nconst uint16_t buffer[11] = {\r\n 0x0005, 0x0006, 0x000e, 0x0006, 0x001c, 0x0006, 0x0007, 0x000b,\r\n 0x000e, 0x0006, 0x0022};\r\nPython:\r\nimport struct\r\nbuf = struct.pack (\"22B\", *[\r\n0x05,0x00,0x06,0x00,0x0e,0x00,0x06,0x00,0x1c,0x00,0x06,\r\n0x00,0x07,0x00,0x0b,0x00,0x0e,0x00,0x06,0x00,0x22,0x00])\r\nJavascript:\r\nvar buffer = new Buffer(\"BQAGAA4ABgAcAAYABwALAA4ABgAiAA==\", 'base64');\r\nThis array will help us later to write the decryption script. For now, let’s continue to figure out how\r\nstrings_decrypter  works. Entering the loop, we can see that eax  will hold the index  and ecx will hold the\r\naforementioned array. Then, a byte from [ecx + eax*2]  is moved to edx . Basically,  edx  now equals to\r\nhalf_word_array[index*2] . Next, our buffer is moved to eax which in turn is being added with the value of\r\nindex , setting eax  to a specific offset in the allocated buffer. Then, at 0x004012eb , we can see that a byte is\r\nmoved to cl . This byte is taken from index [edx]  of a pre-defined string. Double-clicking the string will\r\nreveal us the full string — AaCcdDeFfGhiKLlMmnNoOpPrRsSTtUuVvwWxyZz32.\\EbgjHI\r\n_YQB:\"/@\\x0a\\x0d\\x1a . Immediately after that, the byte from  cl  is copied into the specific index in our\r\nbuffer . The loop continues  length  times.\r\nAfter all this mess we can say that the array which is passed to this function,  arg_8h , is simply an array of\r\noffsets in this string and length  is the length of the string to be built. This is how Dropshot builds its strings, by\r\npassing the offsets array and the string’s length. Let’s confirm this claim by testing it with Python.\r\nThis is where another great feature of Cutter is being used, an integrated Jupyter notebook. We don’t need to open\r\nany external Python shell, we can use Cutter’s Jupyter widget.\r\nOh, I love this feature!\r\nSo let’s write a quick proof of concept to confirm that this is really how this decryption function works. Here’s the\r\nquick POC in python:\r\n# The pre-defined decryption table (the string)\r\ndecryption_table = 'AaCcdDeFfGhiKLlMmnNoOpPrRsSTtUuVvwWxyZz32.\\EbgjHI _YQB:\"/@\\x0a\\x0d\\x1a'\r\n# The offsets array (0x41b8cc) which is passed to the function\r\nhttps://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/\r\nPage 6 of 11\n\noffsets_array = [\r\n0x05,0x00,0x06,0x00,0x0e,0x00,0x06,0x00,0x1c,0x00,0x06,\r\n0x00,0x07,0x00,0x0b,0x00,0x0e,0x00,0x06,0x00,0x22,0x00]\r\n# The length which is passed to the function\r\nlength = 11\r\ndecrypted_string = ''\r\nfor i in range(length):\r\n decrypted_string += decryption_table[ offsets_array[ i*2 ] ]\r\nprint (\"Decrypted: %s\" % (decrypted_string))\r\nAnd let’s run it in Jupyter:\r\nGreat! We can see that we successfully decrypted the string and got “DeleteFileW” which is an API function. So\r\nnow we can feel confident to rename the last argument, arg_8h , to “offsets_array”.\r\nNow that we figured out how strings_decrypter  is working, and even decrypted one string, we can see where\r\nelse this function is being called and decrypt all the other strings. To see the cross-references to\r\nstrings_decypter , click on its name and press X on the keyboard. This will open the xrefs window. Cutter will\r\nalso show us a preview of each reference to this function which makes the task of inspecting xrefs much easier.\r\nWe can see dozens of calls to strings_decrypter , too much for a manual decryption. That is where the power of\r\nradare2 and Cutter scripting will come handy!\r\nScripting time! Decrypting the strings\r\nScripting radare2 is really easy thanks to r2pipe. It is the best programming interface for radare2.\r\nThe r2pipe APIs are based on a single r2 primitive found behind  r_core_cmd_str()  which is a\r\nfunction that accepts a string parameter describing the r2 command to run and returns a string with the\r\nresult.\r\nr2pipe supports many programming languages including Python, NodeJS, Rust, C, and others.\r\nLucky us, Cutter is coming with the python bindings of r2pipe  integrated into its Jupyter component. We’ll\r\nwrite an r2pipe script that will do the following:\r\nDeclare constant variables for the addresses we already know (decryption function, decryption table)\r\nDump the content of the decryption table to a variable\r\nIterate over all the references to the decryption table and save the arguments passed to it\r\nManually decrypt the encrypted string\r\nPrint the decrypted function to the screen and add inline comments in the assembly\r\nhttps://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/\r\nPage 7 of 11\n\n* Note that the following script requires an understanding of radare2 commands. Most of the commands I’ll use\r\nhere explained in my previous articles on my series of articles: “A journey into Radare 2”. Make sure to check it\r\nout!\r\nThe first item on our list is to define the addresses of the components we have already detected: the decryption\r\ntable and the decryption function.\r\nimport cutter\r\n# Declaration of decryption-table related variables\r\ndecryption_table = 0x41BA3C\r\ndecryption_table_end = 0x41BA77\r\ndecryption_table_len = decryption_table_end - decryption_table\r\ndecryption_function = 0x4012A0\r\nNext, we need to analyze the binary so radare2 will detect the xrefs and functions. aa  is a basic analysis\r\ncommand of radare2. cutter.cmd  is a function that receives a radare2 command and returns its output, if there’s\r\nany output at all.\r\ncutter.cmd('aa')\r\nLet’s move on and dump the content of the decryption_table to a variable. pxj  is used to print hexdump, the j\r\nsuffix can be used in most of the radare2 commands to get a JSON output. cutter.cmdj  will parse the JSON\r\noutput for us.\r\n# Dump the decryption table to a variable\r\ndecryption_table_content = cutter.cmdj(\r\n \"pxj %d @ %d\" % (decryption_table_len, decryption_table))\r\nSo basically in this piece of code, we are telling radare2 to take decryption_table_len  bytes from ( @ ) the\r\naddress of decryption_table . Now we have all the data we need in order to start iterate over the references to\r\nthe decryption function.\r\nUsing a Python for  loop, we will iterate over the output of axtj . This command stands for analyze xrefs to\r\nand it is being used to list all the data and code references to a specific address. In our case, this address will be\r\nour decryption function. The first thing that we will do in each iteration is to parse the two arguments that are\r\npassed to the decryption function. These will be the offset array and the length of the string to be decrypted. We’ll\r\nparse the arguments using pdj -2 @ \u003csome xref address\u003e . pdj  stands for print disassembly. Passing -2  to\r\npdj  is telling radare2 to print 2 instructions before the given address. We assume that these two arguments will\r\nbe passed to the function right before it is being called by the program.\r\n# Iterate x-refs to the decryption function\r\nfor xref in cutter.cmdj('axtj %d' % decryption_function):\r\nhttps://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/\r\nPage 8 of 11\n\n# Get the arguments passed to the decryption function: length and encrypted string\r\n length_arg, offsets_arg = cutter.cmdj('pdj -2 @ %d' % (xref['from']))\r\n # String variable to store the decrypted string\r\n decrypted_string = \"\"\r\n # Guard rail to avoid exception\r\n if (not 'val' in length_arg):\r\n continue\r\nNow for the fun part, decrypting the string. Since we already did a POC of it, we know how the decryption works.\r\nThis will be easy to implement using a for loop:\r\n# Manually decrypt the encrypted string\r\n for i in range(0, length_arg['val']):\r\n decrypted_string += chr(decryption_table_content[cutter.cmdj(\r\n 'pxj 1 @ %d' % (offsets_arg['val'] + (i*2)))[0]])\r\nGreat! Now decypted_string  is holding the, well, the decrypted string. All we left to do is to print it to the\r\nconsole and add inline-comments in each call. The command  CC  will be used to add the comments.\r\n# Print the decrypted and the address it was referenced to the console\r\n print(decrypted_string + \" @ \" + hex(xref['from']))\r\n # Add comments to each call of the decryption function\r\n cutter.cmd('CC Decrypted: %s @ %d' % (decrypted_string, xref['from']))\r\nNow we can combine it all into one script:\r\nimport cutter\r\n \r\n# Declaration of decryption-table related variables\r\ndecryption_table = 0x41BA3C\r\ndecryption_table_end = 0x41BA77\r\ndecryption_table_len = decryption_table_end - decryption_table\r\ndecryption_function = 0x4012A0\r\ncutter.cmd('aa')\r\n# Dump the decryption table to a variable\r\ndecryption_table_content = cutter.cmdj(\r\n \"pxj %d @ %d\" % (decryption_table_len, decryption_table))\r\n# Iterate x-refs to the decryption function\r\nfor xref in cutter.cmdj('axtj %d' % decryption_function):\r\nhttps://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/\r\nPage 9 of 11\n\n# Get the arguments passed to the decryption function: length and encrypted string\r\n length_arg, offsets_arg = cutter.cmdj('pdj -2 @ %d' % (xref['from']))\r\n \r\n # String variable to store the decrypted string\r\n decrypted_string = \"\"\r\n \r\n # Guard rail to avoid exception\r\n if (not 'val' in length_arg):\r\n continue\r\n \r\n # Manually decrypt the encrypted string\r\n for i in range(0, length_arg['val']):\r\n decrypted_string += chr(decryption_table_content[cutter.cmdj(\r\n 'pxj 1 @ %d' % (offsets_arg['val'] + (i*2)))[0]])\r\n # Print the decrypted and the address it was referenced to the console\r\n print(decrypted_string + \" @ \" + hex(xref['from']))\r\n \r\n # Add comments to each call of the decryption function\r\n cutter.cmd('CC Decrypted: %s @ %d' % (decrypted_string, xref['from']))\r\n # Refresh the interface\r\n cutter.refresh()\r\nNow we can paste the script to the Jupyter notebook inside Cutter and execute it. A second after, we can take a\r\nlook at the Comments widget and see that our script worked and updated the comments:\r\nWe can also see these comments inline in the disassembly:\r\nAwesome! We did it, we decrypted the encrypted strings and added inline comments to ease the analysis process.\r\nThe final script can be found here.\r\nEpilogue\r\nHere comes to an end the first part of this article about decrypting Dropshot with Cutter and r2pipe. We got\r\nfamiliar with Cutter, radare2 GUI, and wrote a decryption script in r2pipe’s Python binding. We also analyzed\r\nsome components of APT33’s Dropshot, an advanced malware.\r\nThe next part will be shorter and in it, we’ll see how to decrypt an encrypted resource inside Dropshot. This\r\nresource is the actual payload of Dropshot. So stay tuned!\r\nAs always, please post comments to this post or message me privately if something is wrong, not accurate, needs\r\nfurther explanation or you simply don’t get it. Don’t hesitate to share your thoughts with me.\r\nSubscribe on the left if you want to get the next articles straight in your inbox.\r\nhttps://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/\r\nPage 10 of 11\n\nSource: https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/\r\nhttps://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/\r\nPage 11 of 11", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "ETDA" ], "references": [ "https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/" ], "report_names": [ "decrypting-dropshot-with-radare2-and-cutter-part-1" ], "threat_actors": [ { "id": "a63c994f-d7d6-4850-a881-730635798b90", "created_at": "2025-08-07T02:03:24.788883Z", "updated_at": "2026-04-10T02:00:03.785146Z", "deleted_at": null, "main_name": "COBALT TRINITY", "aliases": [ "APT33 ", "Elfin ", "HOLMIUM ", "MAGNALIUM ", "Peach Sandstorm ", "Refined Kitten ", "TA451 " ], "source_name": "Secureworks:COBALT TRINITY", "tools": [ "AutoCore", "Cadlotcorg", "Dello RAT", "FalseFont", "Imminent Monitor", "KDALogger", "Koadic", "NanoCore", "NetWire", "POWERTON", "PoshC2", "Poylog", "PupyRAT", "Schoolbag" ], "source_id": "Secureworks", "reports": null }, { "id": "e5ff825b-0456-4013-b90a-971b93def74a", "created_at": "2022-10-25T15:50:23.824058Z", "updated_at": "2026-04-10T02:00:05.377261Z", "deleted_at": null, "main_name": "APT33", "aliases": [ "APT33", "HOLMIUM", "Elfin", "Peach Sandstorm" ], "source_name": "MITRE:APT33", "tools": [ "PowerSploit", "AutoIt backdoor", "PoshC2", "Mimikatz", "NanoCore", "DEADWOOD", "StoneDrill", "POWERTON", "LaZagne", "TURNEDUP", "NETWIRE", "Pupy", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f", "created_at": "2023-01-06T13:46:38.367369Z", "updated_at": "2026-04-10T02:00:02.945356Z", "deleted_at": null, "main_name": "APT33", "aliases": [ "Elfin", "MAGNALLIUM", "HOLMIUM", "COBALT TRINITY", "G0064", "ATK35", "Peach Sandstorm", "TA451", "APT 33", "Refined Kitten" ], "source_name": "MISPGALAXY:APT33", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775490807, "ts_updated_at": 1775791963, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/3c51fec0e28825a56586d1e67042537980f59219.pdf", "text": "https://archive.orkl.eu/3c51fec0e28825a56586d1e67042537980f59219.txt", "img": "https://archive.orkl.eu/3c51fec0e28825a56586d1e67042537980f59219.jpg" } }