{
	"id": "3e08d70c-66a1-4063-8c06-32f5df4c1ae6",
	"created_at": "2026-04-06T00:13:30.03451Z",
	"updated_at": "2026-04-10T13:12:08.852069Z",
	"deleted_at": null,
	"sha1_hash": "3c89ed263f8400e3af4233d8f9ff12f56a0075b6",
	"title": "An Update on Fake Updates: Two New Actors, and New Mac Malware | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3611674,
	"plain_text": "An Update on Fake Updates: Two New Actors, and New Mac\r\nMalware | Proofpoint US\r\nBy February 18, 2025 The Proofpoint Threat Research Team\r\nPublished: 2025-02-14 · Archived: 2026-04-05 17:13:45 UTC\r\nKey findings \r\nProofpoint identified and named two new cybercriminal threat actors operating components of web inject\r\ncampaigns, TA2726 and TA2727. \r\nProofpoint identified a new MacOS malware delivered via web inject campaigns that our researchers called\r\nFrigidStealer.  \r\nThe web inject campaign landscape is increasing, with a variety of copycat threat actors conducting similar\r\ncampaigns, which can make it difficult for analysts to track.  \r\nOverview \r\nThe malicious website injects threat landscape is incredibly dynamic with multiple threat actors leveraging this\r\nmalware delivery method. Typically, an attack chain will consist of three parts: the malicious injects served to\r\nwebsite visitors, which are often malicious JavaScript scripts; a traffic distribution service (TDS) responsible for\r\ndetermining what user gets which payload based on a variety of filtering options; and the ultimate payload that is\r\ndownloaded by the script. Sometimes each part of the attack chain is managed by the same threat actor, but\r\nfrequently the different parts of the chain may be managed by different threat actors.  \r\nHistorically, TA569 was the main distributor of web inject campaigns, with its SocGholish injects leading to\r\nmalware installation and follow-on ransomware attacks. This actor became almost synonymous with “fake\r\nupdates” within the security community. But beginning in 2023, multiple copycats emerged using the same web\r\ninject and traffic redirection techniques to deliver malware. 
The influx of multiple actors – some of which collaborate with each other – paired with the fact that websites can be compromised by multiple injects at one time, makes it difficult to distinctly track and categorize the threat actors conducting these attacks. Proofpoint is publishing this report to help delineate two distinct sets of activity.\r\nProofpoint researchers recently designated two new threat actors, TA2726 and TA2727. These are traffic sellers and malware distributors that have been observed in multiple web-based attack chains, such as compromised website campaigns, including those using fake update themed lures. They are not email-based threat actors, and the activity observed in email campaign data is related to legitimate but compromised websites.\r\nNotably, TA2727 was recently observed delivering a new information stealer for Mac computers alongside malware for Windows and Android hosts. Proofpoint researchers dubbed this FrigidStealer.\r\nProofpoint is reassessing existing activity related to TA569 and previous reporting, and assesses with high confidence that TA2726 acts as a traffic distribution service (TDS) for TA569 and TA2727.\r\nhttps://www.proofpoint.com/us/blog/threat-insight/update-fake-updates-two-new-actors-and-new-mac-malware\r\nPage 1 of 14\n\nDefinitions\r\nSocGholish: Specific inject used by TA569 that presents as a fake update to the visitor.\r\nGholoader: The JavaScript-based loader served by SocGholish that can lead to follow-on malware installation.\r\nTDS: A traffic distribution system (TDS) (also sometimes known as a traffic delivery system) is a service for tracking and directing users to content on different websites. There are legitimate TDS services, but threat actors use and abuse them to direct people to malicious or compromised websites.\r\nKeitaro: A legitimate TDS that is regularly abused by threat actors, operated by a company of the same name. 
\r\nWeb injects: Malicious code injected into a legitimate website by a threat actor. Injects can lead to data theft or malware installation, depending on actor objectives.\r\nFake updates: Social engineering lures presented to a user that claim their browser needs to be updated. This lure theme is used by multiple different threat actors.\r\nTA569: The threat actor associated with the SocGholish inject and Gholoader malware; uses fake update themed lures. The actor can either inject their own code directly on compromised websites or use a TDS like TA2726 to serve their inject.\r\nTA2726: A malicious TDS operator that facilitates traffic distribution for other threat actors to enable malware delivery.\r\nTA2727: A threat actor that uses fake update themed lures to distribute a variety of malware payloads.\r\nActor details: TA2726\r\nTA2726 appears to be a traffic seller and operates a TDS that can serve other threat actors to facilitate their malware distribution. The actor is possibly advertising traffic selling on cybercrime forums; however, Proofpoint researchers are unable to confirm this with high confidence. TA2726 is financially motivated and works with other financially motivated actors such as TA569 and TA2727. That is, this actor is most likely responsible for the web server or website compromises that lead to injects operated by other threat actors.\r\nProofpoint can confirm this threat actor has been active since at least September 2022. This actor, like other compromised website threat actors, does not conduct email campaigns, and the activity observed in email is only incidental/collateral. That is, the compromised websites are shared legitimately in email messages, with the sender unaware that they are compromised. 
\r\nSo far in 2025, Proofpoint has observed the use of the TA2726 TDS to redirect traffic to TA569 (in North America) while redirecting most other countries to TA2727, delivering Lumma Stealer (Windows), DeerStealer (Windows), FrigidStealer (Mac), or Marcher (Android). Proofpoint is able to identify TA2726 activity distinctly from other threat actors based on the actor’s infrastructure, including the use of Keitaro and consistent domain patterns and IP addresses.\r\nAnalyst Note: Retrospective analysis from January 2025 has led analysts to believe with high confidence that the TDS activity observed in previously reported SocGholish activity can be attributed to TA2726. Analysis of this threat actor and any historic activity associated with it is ongoing.\r\nExample TA2726 injects on compromised websites:\r\nExample TA569 response from TA2726:\r\nExample TA2727 response from TA2726:\r\nActor details: TA2727\r\nTA2727 is a cybercriminal group driven by financial motives and has been observed collaborating with other actors who share similar profit-oriented objectives. Proofpoint assesses with moderate confidence that this actor purchases traffic on online forums to disseminate malware, which may be their own or that of their potential clients.\r\nProofpoint first designated TA2727 as a named threat actor in an early January 2025 campaign while investigating a suspected TA569 attack chain that appeared to deliver different payloads based on recipients’ geography. In the campaign, emails contained URLs linking to websites compromised with malicious JavaScript website injects. When a user visited a compromised website, TDS domains directed traffic to various actor-controlled domains to deliver a malicious payload. Proofpoint researchers observed the attack chain serving a known SocGholish inject in the U.S. 
and Canada. (TA2726 was responsible for the TDS redirect leading to both the SocGholish inject and the TA2727 inject; this actor is described in a separate section of this report.)\r\nResearchers observed the campaign deliver another unique fake update chain in France and the UK, with a different payload based on the visitor’s user agent and browser. TA2727 was responsible for this part of the chain originating in Europe and the subsequent payload download. Proofpoint is able to identify TA2727 traffic distinctly from other web inject clusters based on their IP addresses and domain patterns. For example:\r\n        deski[.]fastcloudcdn[.]com\r\n        cloudfasterapp[.]com\r\n        fastcloudcdn[.]com\r\nIf a user visited a compromised website in France or the UK on a Windows computer using Microsoft Edge or Google Chrome, the website would redirect them to instructions stating that the user needs to update their browser. When the “Update” button was clicked, an MSI file was downloaded and the webpage displayed instructions on how to install the payload.\r\nFake update displayed to the user (left) and subsequent instructions page once the payload was clicked (right).\r\nThe MSI installed and executed the legitimate and signed application “Rene.E Facebook Widget”. However, one of the bundled DLLs was trojanized with DOILoader, which was side-loaded upon execution. DOILoader then ran Lumma Stealer, which was encoded in a bundled m4a file.\r\nTraffic capture from a Windows device running Google Chrome. The site is redirected by TA2726 (blackshelter[.]org), which serves the TA2727 script (via fastcloudcdn[.]com), which then displays the fake update download page leading to malware installation.  
\r\nHowever, if a user was on an Android device, they would be given the same fake update redirect and download instructions, but the payload would be the Marcher banking trojan. Marcher is an old banking trojan that has targeted Android devices since 2013.\r\nFake update on Android delivering Marcher.\r\nProofpoint then identified another campaign at the end of January 2025 using the same tactics, techniques, and procedures (TTPs) to deliver the same payloads. In that campaign, the TA2727 payloads included a new information stealer targeting macOS. If a Mac user outside of North America visited the compromised website from a web browser, they were redirected to a fake update page that, if the Update button was clicked, downloaded and installed an information stealer. Proofpoint researchers named this malware FrigidStealer.\r\nFake update lure delivering FrigidStealer via Safari (left) and Chrome (right).\r\nmacOS malware\r\nIf the user clicked on the “Update” button from a Mac computer, the TA2727 TDS downloaded a DMG file that the user was encouraged to mount. The actor used filtering to determine which browser the recipient used and served the payload that matched their browser.\r\nDMG file downloaded from the compromised website.\r\nUpon opening the DMG, an icon was displayed depending on which browser the user had used when interacting with the TDS, either Google Chrome or Safari. The DMG displayed these browser icons and instructions to run the application by right-clicking the icon and selecting Open from that menu. 
\r\nMalicious “Google Chrome” updater.\r\nRight-clicking and selecting Open bypassed the macOS security feature called Gatekeeper, which would otherwise warn the user that the application is unsigned and untrusted. (This is a very common technique used by Mac malware authors to get malware running on a host.) Clicking Open ran the embedded Mach-O executable, which led to the installation of FrigidStealer. The executable was written in Go and was ad-hoc signed (effectively a self-signed binary). The executable was built with the WailsIO project, which renders content in the user's browser. This adds to the social engineering of the victim, implying that the Chrome or Safari installer was legitimate.\r\nMalicious “Safari Updater” with the System Preferences prompt to enter the legitimate password to install the malware.\r\nUpon execution, FrigidStealer uses AppleScript files and osascript to prompt the user to enter their password, and then to gather data including browser cookies, files with extensions relevant to password material or cryptocurrency from the victim’s Desktop and Documents folders, and any Apple Notes the user has created.\r\nThe osascript containing the extensions and cookies to steal from a compromised user.\r\nThat data is added to folders in the user’s home directory and then exfiltrated to the C2, askforupdate[.]org.\r\nmacOS information stealers are increasingly common. Actors are using web compromises to deliver malware targeting both enterprise and consumer users. 
It is reasonable to expect that such web injects will deliver malware customized to the recipient, including Mac users, which are still less common in enterprise environments than Windows.\r\nBest practices\r\nThe activity detailed in this report can be hard for security teams to detect and prevent, and may present difficulties in communicating the threat to end users due to the social engineering techniques and website compromises used by the threat actor. The best mitigation is defense in depth. The following is recommended:\r\nHave network detections in place – including using the Emerging Threats ruleset – and use endpoint protection.\r\nTrain users to identify the activity and report suspicious activity to their security teams. While the training is specific in nature, it can easily be integrated into an existing user training program.\r\nA tool such as Proofpoint’s Browser Isolation can help prevent successful exploitation when compromised URLs are received via email and clicked on.\r\nRestrict Windows users from downloading script files and opening them in anything but a text editor. This can be configured via Group Policy settings.\r\nConclusion\r\nProofpoint continues to track a variety of web inject threat clusters, and the number of clusters conducting similar activities continues to increase. The growing threat of web injects is likely due in part to organizations building stronger defenses against threats such as email-based malware delivery and edge device network exploitation, forcing threat actors to adapt.\r\nThis attack chain is effective because it uses believable and customized social engineering techniques, and organizations may have less scrutiny focused on the security of websites and web servers than on other parts of the organization. 
Often, corporate website management may be outsourced to a third-party hosting provider.\r\nUser training is one of the most important ways to prevent exploitation.\r\nExample Emerging Threats signatures\r\nIndicators of compromise\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/update-fake-updates-two-new-actors-and-new-mac-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/update-fake-updates-two-new-actors-and-new-mac-malware"
	],
	"report_names": [
		"update-fake-updates-two-new-actors-and-new-mac-malware"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ebc139d2-7450-46f5-a9e4-e7d561133fa5",
			"created_at": "2024-04-24T02:00:49.453475Z",
			"updated_at": "2026-04-10T02:00:05.321256Z",
			"deleted_at": null,
			"main_name": "Mustard Tempest",
			"aliases": [
				"Mustard Tempest",
				"DEV-0206",
				"TA569",
				"GOLD PRELUDE",
				"UNC1543"
			],
			"source_name": "MITRE:Mustard Tempest",
			"tools": [
				"SocGholish",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3bf456e4-84ee-48fd-b3ab-c10d54a48a34",
			"created_at": "2024-06-19T02:03:08.096988Z",
			"updated_at": "2026-04-10T02:00:03.82859Z",
			"deleted_at": null,
			"main_name": "GOLD PRELUDE",
			"aliases": [
				"Mustard Tempest ",
				"TA569 ",
				"UNC1543 "
			],
			"source_name": "Secureworks:GOLD PRELUDE",
			"tools": [
				"SocGholish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "544cac23-af15-4100-8f20-46c07962cbfa",
			"created_at": "2023-01-06T13:46:39.484133Z",
			"updated_at": "2026-04-10T02:00:03.34364Z",
			"deleted_at": null,
			"main_name": "GOLD PRELUDE",
			"aliases": [
				"TA569",
				"UNC1543"
			],
			"source_name": "MISPGALAXY:GOLD PRELUDE",
			"tools": [
				"FakeUpdates",
				"FakeUpdate",
				"SocGholish"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434410,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3c89ed263f8400e3af4233d8f9ff12f56a0075b6.pdf",
		"text": "https://archive.orkl.eu/3c89ed263f8400e3af4233d8f9ff12f56a0075b6.txt",
		"img": "https://archive.orkl.eu/3c89ed263f8400e3af4233d8f9ff12f56a0075b6.jpg"
	}
}