{
	"id": "f36268cc-33c6-42a9-a9a5-368bd8105519",
	"created_at": "2026-04-06T00:16:28.439912Z",
	"updated_at": "2026-04-10T03:37:49.692796Z",
	"deleted_at": null,
	"sha1_hash": "3c6101ed1b12d624c93b7a2544ca511067d775b8",
	"title": "Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 711206,
	"plain_text": "Digital Attack on German Parliament: Investigative Report on the\r\nHack of the Left Party Infrastructure in Bundestag\r\nPublished: 2015-06-19 · Archived: 2026-04-05 17:47:39 UTC\r\nServers of The Left in German Bundestag have been infected with malware, apparently by a state-sponsored\r\ngroup of Russian origin. This is the summary of an analysis by an IT security researcher, which we publish in full.\r\nThe in-depth report provides an analysis of technology, impact, possible attribution – and a signature to detect the\r\nmalware.\r\nThis analysis by security researcher Claudio Guarnieri was originally written for The Left in German Bundestag.\r\nWe’re publishing it here with permission from The Left.\r\nA German translation of this report also exists.\r\nSummary of Findings\r\nTwo suspicious artifacts have been retrieved from two separate servers within the Die Linke infrastructure. One is\r\nan open source utility used to remotely issue commands on a Windows host from a Linux host. The other is a\r\ncustom utility which, despite its large size, has limited functionality and acts as a tunnel, possibly used by the\r\nattackers to maintain persistence within the compromised network.\r\nThe combination of the two utilities seems to be enough for the attackers to maintain a foothold inside the\r\nnetwork, harvest data, and exfiltrate all the information they deemed interesting. It is, however, possible that there\r\nare additional malicious artifacts which have not yet been discovered.\r\nAttributes of one of the artifacts and intelligence gathered on the infrastructure operated by the attackers suggest\r\nthat the attack was perpetrated by a state-sponsored group known as Sofacy (or APT28). 
Previous work published\r\nby security vendor FireEye in October 2014 suggests the group might be of Russian origin.\r\nArtifacts\r\nThe first artifact – identified across this report as Artifact #1 – has the following attributes:\r\nName winexesvc.exe\r\nSize 23552\r\nMD5 77e7fb6b56c3ece4ef4e93b6dc608be0\r\nSHA1 f46f84e53263a33e266aae520cb2c1bd0a73354e\r\nSHA256 5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d\r\nThe second artifact – identified across this report as Artifact #2 – has the following attributes:\r\nhttps://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/\r\nPage 1 of 9\n\nName svchost.exe.exe\r\nSize 1062912\r\nMD5 5e70a5c47c6b59dae7faf0f2d62b28b3\r\nSHA1 cdeea936331fcdd8158c876e9d23539f8976c305\r\nSHA256 730a0e3daf0b54f065bdd2ca427fbe10e8d4e28646a5dc40cbcfb15e1702ed9a\r\nCompile Time 2015-04-22 10:49:54\r\nAnalysis of Artifact #1\r\nArtifact #1 was retrieved from a File Server operated by Die Linke. The file is a 64-bit-compatible compiled binary\r\nof the open source utility Winexe. Winexe is software similar to the more popular PSExec and is designed to allow\r\nsystem administrators to execute commands on remote servers. While commercial solutions like Symantec\r\npcAnywhere provide a larger feature-set, Winexe is lightweight, and doesn’t require any installation or\r\nconfiguration. One of the reasons Winexe is preferred over PSExec is that it provides a Linux client, while\r\nPSExec doesn’t.\r\nAttackers are making growing use of utilities like Winexe and PSExec to perform lateral movement across\r\ncompromised networks. 
Besides providing the ability to execute arbitrary commands on the target system, these\r\nutilities normally don’t raise suspicion as they are commonly whitelisted by Antivirus and other commercial\r\nsecurity software.\r\nWinexe acts as a Windows service that can be configured to automatically start at boot and silently wait for\r\nincoming commands over a named pipe. Named pipes are a Windows inter-process communication method.\r\nThrough named pipes, processes are able to communicate and exchange data even over a network. In the case of\r\nArtifact #1, the name of the pipe is „ahexec“; computers over the network could access the pipe server by simply\r\nopening a file handle on „\\\\ServerName\\pipe\\ahexec“.\r\nOnce connected to the pipe, a user or a program can easily provide the information required to execute a command (just\r\nas they would normally through a command-line). The provided information is then passed to a\r\n„CreateProcessAsUserA“ call and the specified command is executed.\r\nOnce inside the network, Artifact #1 can be enough for the attacker to download or create additional scripts,\r\nexecute commands and exfiltrate data (for example, simply through ftp). It is plausible that Artifact #1 could be\r\npresent on other servers under different names, although it is also likely that the attacker only left it on servers to\r\nwhich they required maintenance of persistent access.\r\nIt is important that all the deployments of this utility are identified and removed, as they are self-sufficient and\r\nthey provide easy and open access to execute commands on the host, potentially with administrator privileges.\r\nAnalysis of Artifact #2\r\nArtifact #2 was recovered from the Admin Controller operated by Die Linke. 
This is custom malware, which\r\ndespite its large file size (1.1 MB), provides limited functionality. Artifact #2 operates as a backchannel for the\r\nattacker to maintain a foothold inside the compromised network. The properties of the artifact show that the\r\nauthors of the malware seem to have called it „Xtunnel“. As the name suggests, the artifact appears in fact to\r\nact as a tunnel for the attacker to remotely access the internal network and maintain persistence.\r\nThe artifact is dependent on a working network connection in order to function properly. In case connectivity can’t\r\nbe established, the process will lock in an endless loop as shown in the behavioral schema below:\r\nAfter initialization, the artifact will attempt to establish a connection by creating a socket. In case of failure, it will\r\nsleep for three seconds and try again. The authors of the malware didn’t appear to have spent any effort in\r\nconcealing indicators or obfuscating code – the IP address with which it tries to communicate is hardcoded in\r\nclear-text inside the binary. We can observe below the procedure through which the artifact attempts to establish a\r\nconnection with the IP address „176.31.112.10“:\r\nThis specific IP address is a critical piece of information that enables us to connect this attack to a spree of\r\nprevious targeted campaigns. The details of this attribution are explained in a dedicated section below. We will refer\r\nto this IP address as „Command \u0026 Control“ (or „C\u0026C“).\r\nThe artifact is able to receive multiple arguments, including -Si, -Sp, -Up, -Pp, -Pi and -SSL. Following are the\r\nbeaconing packets the artifact will send to Command \u0026 Control:\r\n-Si\r\n00000000 2a 00 00 00 *…\r\n00000004 b2 23 16 85 ee 59 52 a6 79 3a 2a e2 da 11 c0 1b .#…YR. 
y:*…..\r\n00000014 de 77 ea 47 35 11 de 8a 76 1a ee 16 d9 fd 28 0d .w.G5… v…..(.\r\n-Sp\r\n00000000 22 00 00 00 „…\r\n00000004 90 ac c6 39 09 b6 23 72 9d 36 a6 3b 2e b7 02 ce …9..#r .6.;….\r\n00000014 dd 09 d4 e4 d3 e6 01 5f 6a 37 b2 39 01 b4 0a af ……._ j7.9….\r\n-Up\r\n00000000 07 00 00 00 ….\r\n00000004 7e e2 82 05 74 be 3f 9b 8e 6a dc 5c d1 fe 85 f7 ~…t.?. .j…..\r\n00000014 5f 33 26 6e 5e 62 c1 0e c0 da a3 b3 6c f9 ca 88 _3\u0026n^b.. ….l…\r\nIf the argument -SSL is given through command-line to the artifact, these beacons will be encapsulated in an SSL\r\nconnection and a proper TLS handshake will be initiated with the C\u0026C.\r\nInterestingly, the artifact bundles a copy of OpenSSL 1.0.1e, from February 2013, which causes the unusually\r\nlarge size of the binary. More importantly, the Command \u0026 Control server (176.31.112.10) also appears to be\r\nusing an outdated version of OpenSSL and be vulnerable to Heartbleed attacks. While unlikely, it is worth\r\nconsidering that the same C\u0026C server might have been the subject of 3rd-party attacks due to this vulnerability.\r\nIf connections to the C\u0026C are blocked or terminated through a firewall, the artifact will be inhibited, as it doesn’t\r\nseem to have any fallback protocol. Additionally, since it does not execute any other functionality autonomously,\r\nit would no longer be a direct threat.\r\nA Yara signature to detect this artifact is provided in the Appendix.\r\nAnalysis of Impact\r\nDespite the simplicity of the tools collected from the compromise, the impact of the attack and the capabilities of\r\nthe attackers are not to be underestimated. 
From a purely operational point of view, the combination of a tunnel\r\nand a command execution utility is more than enough for an attacker with sufficient privileges to move across a\r\nnetwork undisturbed.\r\nIt is worth noting that Artifact #2 was compiled by the authors on „April 22nd“ 2015, which suggests that the\r\ncompromise may only have lasted a couple of weeks. As the attackers appear largely unconcerned with hiding\r\ntheir tracks or maintaining long-term persistent access (for example, they didn’t appear to have attempted to\r\ncreate additional network administrator accounts), it is probable that the operation was intentionally planned to be\r\nexecuted quickly in order to opportunistically collect and exfiltrate as much data as possible.\r\nThis is further corroborated by a recovered batch file with the following content:\r\nfor %%G in (.pdf, .xls, .xlsx, .doc, .docx) do (\r\n forfiles /P F:[REDACTED] /m *%%G /s /d +01.05.2015 /c \"cmd /c copy @path C:\\ProgramData\\[REDACTED]d@file\" )\r\nThis script identifies all PDF and Office documents dated after „May 1st“ (specified in the date format supported\r\nby Microsoft Windows in German language) and collects them in a folder, supposedly ready to be exfiltrated.\r\nWhile none of the recovered artifacts appears to provide dedicated exfiltration functionality, the attacker may\r\nhave uploaded the documents through a common utility like ftp. 
It is probable that a previous version of the script\r\nwas used to collect and exfiltrate documents dated prior to May 1st 2015.\r\nDue to the nature of the attacker and their modus operandi (which we’ll describe in the Attribution section below),\r\nwe cannot exclude the possibility that additional, more sophisticated artifacts have been deployed and either\r\nremain currently unidentified, or were removed upon discovery and public disclosure of the incident.\r\nThese considerations suggest that the compromise was perpetrated by an experienced attacker.\r\nAttribution\r\nWhile attribution of malware attacks is rarely simple or conclusive, during the course of this investigation I\r\nuncovered evidence that suggests the attacker might be affiliated with the state-sponsored group known as Sofacy\r\nGroup (also known as APT28 or Operation Pawn Storm). Although we are unable to provide details in support of\r\nsuch attribution, previous work by security vendor FireEye suggests the group might be of Russian origin;\r\nhowever, no evidence allows the attacks to be tied to the government of any particular country.\r\nSofacy is a group dedicated to the compromise of high-profile targets and the theft of confidential information.\r\nThey appear to have been active since 2006. 
They are believed to have successfully attacked the Ministries of\r\nInternal and Foreign Affairs of several ex-Soviet countries, as well as Eastern European governments and military\r\ninstitutions, and NATO and the White House.\r\nSofacy is known for making extensive use of phishing attacks to lure targets into revealing their credentials via\r\nrealistic reconstruction of internal systems, such as webmails, as employed against the Georgian Ministry of\r\nInternal Affairs in the infamous attacks that preceded the Georgian invasion of 2008:\r\nIn order to make the phishing attempts more credible, Sofacy Group has made use of „typosquatting“,\r\nintentionally using spelling mistakes (for example, replacing letters „i“ with „l“ and „g“ with „q“, or by adding\r\npunctuation) to register domains very similar to the original legitimate ones:\r\nSource: PWC.\r\nWhile Sofacy is also known to make use of custom exploit frameworks and spear-phishing attacks, it is possible in this\r\ncase that they managed to obtain privileged credentials of network administrators within the Bundestag through\r\nthe use of a phishing attack, which then allowed them to navigate through the network and gain access to more\r\ndata. It is worth noting that shortly before the attack, security vendors reported the use of 0-day exploits in Flash\r\nPlayer and Microsoft Windows by the same threat actor.\r\nShared Command \u0026 Control infrastructure\r\nWhile the artifacts don’t appear to show attributes useful for attribution, the network infrastructure used during the\r\nattack led instead to interesting results. 
During investigation of the Command \u0026 Control server (with IP\r\n„176.31.112.10“ hardcoded in Artifact #2), we managed to identify some operational mistakes made by the\r\nattackers, allowing us to connect the incident with attacks previously associated with the Sofacy Group.\r\nThe address, 176.31.112.10, is a dedicated server provided by the French OVH hosting company, but is apparently\r\noperated by an offshore secure hosting company called CrookServers.com and seemingly located in Pakistan:\r\nCompany Address:\r\nMUAnetworks\r\nU ashraf\r\nVillage Kakra Town\r\nMirpur AJK\r\nPakistan\r\nIt is common for attackers to make use of offshore hosting facilities which are less likely to cooperate with law\r\nenforcement on takedown requests or requests for disclosure of their customers' identity.\r\nCrookServers appears to have servers scattered in a number of datacenters and dedicated server hosting providers\r\naround the world.\r\nBy researching historical data relevant to C\u0026C 176.31.112.10, we discovered that on February 16th 2015, the\r\nserver was sharing an SSL certificate with another IP address allocated to CrookServers and also hosted at OVH:\r\n„213.251.187.145“.\r\nThe recovered shared SSL certificate, obtained by a public internet-wide scanning initiative, at the time had the\r\nfollowing attributes:\r\nMD5 b84b66bcdecd4b4529014619ed649d76\r\nSHA1 fef1725ad72e4ef0432f8cb0cb73bf7ead339a7c\r\nAlgorithm sha1WithRSAEncryption\r\nSelf-Signed No\r\nSubject\r\nC: GB\r\nL: Salford\r\nST: Greater Manchester\r\nCN: mail.mfa.gov.ua\r\nO: COMODO CA Limited\r\nall: C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=mail.mfa.gov.ua\r\nSerial 16474505314457171426\r\nNot before 20140414083521Z\r\nNot after 20410830083521Z\r\nAs shown, the certificate uses „mail.mfa.gov.ua“ as a Common 
Name. This suggests that this certificate might\r\nhave been previously used for a similar attack against the Ukrainian Ministry of Foreign Affairs, or associated\r\ntargets, although there is no documentation of such an attack available to the public.\r\nMore importantly, the IP address this certificate was shared with – 213.251.187.145 – was previously identified as\r\nused by Sofacy Group for phishing attacks against Albanian government institutions by registering the domain\r\n„qov.al“ (notice the letter „q“ instead of „g“) and creating realistic subdomains to lure victims into visiting. The\r\ndomain was active on the IP 213.251.187.145 from July 2014 up until March 2015.\r\nThese attacks against Albanian government institutions by the Sofacy Group were documented and reported by\r\nthe consultancy PwC in December 2014. 
It is worth noting that this server also seems to be operated by\r\nCrookServers, since among other domains, 454-reverse.crookservers.net resolved to the same IP address.\r\nSimilar Artifacts and root9B report\r\nWhile the evidence presented strongly suggests a connection with the Sofacy Group, the artifacts (in particular\r\nArtifact #2) are not publicly recognized to be part of the more traditional arsenal of these attackers.\r\nNevertheless, on May 12th 2015 (a few weeks after the attack against Bundestag appears to have started) the\r\nAmerican security firm root9B released a report containing details on malware samples very similar to Artifact #2.\r\nThe report also includes a mention of the same IP address used as Command \u0026 Control server in the attack against\r\nBundestag (176.31.112.10).\r\nWhile the report appears to contain numerous inaccuracies, some of the indicators of compromise are legitimate\r\nand appear to be correctly attributed to Sofacy.\r\nFollowing are hashes for malware artifacts showing very similar attributes to Artifact #2:\r\n566ab945f61be016bfd9e83cc1b64f783b9b8deb891e6d504d3442bc8281b092\r\nAppendix – Detection Signatures\r\nrule apt_sofacy_xtunnel\r\n{\r\n meta:\r\n author = \"Claudio Guarnieri\"\r\n strings:\r\n $xaps = \":\\\\PROJECT\\\\XAPS_\"\r\n $variant11 = \"XAPS_OBJECTIVE.dll\"\r\n $variant12 = \"start\"\r\n $variant21 = \"User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0\"\r\n $variant22 = \"is you live?\"\r\n $mix1 = \"176.31.112.10\"\r\n $mix2 = \"error in select, errno %d\"\r\n $mix3 = \"no msg\"\r\n $mix4 = \"is you live?\"\r\n $mix5 = \"127.0.0.1\"\r\n $mix6 = \"err %d\"\r\n $mix7 = \"i`m wait\"\r\n $mix8 = \"hello\"\r\n $mix9 = \"OpenSSL 1.0.1e 11 Feb 2013\"\r\n $mix10 = \"Xtunnel.exe\"\r\n condition:\r\n ((uint16(0) == 
0x5A4D) or (uint16(0) == 0xCFD0)) and\r\n (($xaps) or (all of ($variant1*)) or (all of ($variant2*))\r\nor (6 of ($mix*)))\r\n}\r\nSource: https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/"
	],
	"report_names": [
		"digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434588,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3c6101ed1b12d624c93b7a2544ca511067d775b8.pdf",
		"text": "https://archive.orkl.eu/3c6101ed1b12d624c93b7a2544ca511067d775b8.txt",
		"img": "https://archive.orkl.eu/3c6101ed1b12d624c93b7a2544ca511067d775b8.jpg"
	}
}