{ "id": "cd84aa0c-d8b8-4a55-9957-79fea49adac4", "created_at": "2026-04-06T00:15:54.716652Z", "updated_at": "2026-04-10T13:12:14.613272Z", "deleted_at": null, "sha1_hash": "3cc32494460630c192e446f0d71371e1844fa964", "title": "Catching fish in muddy waters | Group-IB Blog", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 119498, "plain_text": "Anastasia Tikhonova\r\nGlobal Threat Research Lead\r\nNikita Rostovcev\r\nAPAC Technical Head - ASM, TI \u0026\r\nDRP\r\nCatching fish in muddy waters\r\nHow the hacker group MuddyWater attacked a Turkish manufacturer of military electronics\r\nMay 29, 2019 · min to read · Threat Intelligence\r\n← Blog\r\nhttps://www.group-ib.com/blog/muddywater/\r\nPage 1 of 14\n\nAPT MuddyWater Threat Research Turkey\r\nIranian nation-state hackers are in trouble. Throughout the spring, unknown individuals published\r\n“secret leaks” on Telegram. They disclosed information about APT groups affiliated with the Iranian\r\ngovernment (OilRig and MuddyWater), including their tools, victims, and links. But the leaks didn’t\r\nreveal everything. In April, Group-IB specialists discovered a leak of email addresses belonging to\r\nthe Turkish corporation ASELSAN A.Ş, which produces tactical military radio stations and electronic\r\ndefense systems for the Turkish military forces. Anastasia Tikhonova, Head of Group-IB’s APT\r\nResearch Team, and Nikita Rostovtsev, Junior Analyst at Group-IB, examined the course of the\r\nattack on ASELSAN A.Ş and identified an alleged member of MuddyWater.\r\nTelegram leak\r\nThe “disclosure” of Iranian APT groups began with someone by the username Lab\r\nDookhteganreleasing the source code of six tools belonging to the group APT34 (aka OilRig and\r\nHelixKitten). The user disclosed the IP addresses and domains involved in the operations, as well as\r\ndata about 66 victims, including Etihad Airways and Emirates National Oil. Lab Dookhtegan also\r\nleaked information about the group’s past operations and employees of the Iranian Ministry of\r\nIntelligence and Security who were allegedly linked to the group’s operations. OilRig is an Iran-backed APT group that has been operating in the wild since 2014. The group targets government,\r\nfinancial and military organizations as well as energy and telecommunications companies in the\r\nMiddle East and China.\r\nhttps://www.group-ib.com/blog/muddywater/\r\nPage 2 of 14\n\nAfter the OilRig exposure, the leaks continued. Information about the activities of another Iranian\r\nstate-sponsored group, MuddyWater, appeared on the dark web and Telegram. Unlike the first leaks,\r\nhowever, this time, the leaks contained not source codes but dumps, including screenshots of the\r\nsource codes, C\u0026C servers, and IP addresses of the victims. A hacker group called Green Leakers\r\nclaimed responsibility for the MuddyWater leak. The group owns several Telegram channels and\r\ndark web sites advertising and selling data related to MuddyWater operations.\r\nCyber spies from the Middle East\r\nMuddyWater is a hacker group that has been active in the Middle East since 2017. According\r\nto Group-IB experts, from February to April 2019, the hackers conducted a series of phishing\r\ncampaigns targeting government entities, educational organizations, and financial,\r\ntelecommunications, and defense companies in Turkey, Iran, Afghanistan, Iraq, and Azerbaijan.\r\nThe group used a proprietary PowerShell backdoor called POWERSTATS. The backdoor has the\r\nfollowing functionalities:\r\nThe group eventually made a mistake, and researchers from ReaQta were able to determine the\r\nthreat actors’ real IP address, which was located in Tehran. Based on the group’s targets and cyber\r\nespionage goals, ReaQta experts suggested that the group represented the interests of the Iranian\r\ngovernment.\r\nCollecting data about local and domain accounts, available file servers, internal and external IP\r\naddresses, and OS name and architecture;\r\nExecuting code remotely;\r\nUploading and downloads files via the C\u0026C server;\r\nDetecting debugging programs used to analyze malicious files;\r\nDisabling the attacked device if malware analysis tools are detected;\r\nDeleting files from local drives;\r\nTaking screenshots;\r\nDisabling Microsoft Office security features.\r\nIndicators of Attack arrow_drop_down\r\nhttps://www.group-ib.com/blog/muddywater/\r\nPage 3 of 14\n\nTurkey at gunpoint\r\nOn April 10, 2019, Group-IB specialists discovered a leak of email addresses belonging to ASELSAN\r\nA.Ş, the largest defense electronics company in Turkey. Its product range includes radar and\r\nelectronic warfare, electro-optics, avionics, unmanned and air defense systems, as well as land,\r\nnaval, and weapon systems.\r\nWhile studying one of the new POWERSTATS samples, Group-IB experts established that\r\nMuddyWater used a license agreement between Koç Savunma (an information and defense\r\ntechnology solutions company) and Tubitak Bilgem (an R\u0026D institute in the field of software\r\ntechnologies) as bait. The document specified Tahir Taner Tımış as a contact person for Koç\r\nSavunma. This person was the Programs Manager at Koç Bilgi ve Savunma Teknolojileri A.Ş. from\r\nSeptember 2013 to December 2018. He later worked at ASELSAN A.Ş.\r\nhttps://www.group-ib.com/blog/muddywater/\r\nPage 4 of 14\n\nAfter the activation of a malicious macro embedded in the above document, the POWERSTATS\r\nbackdoor is dropped to the victim’s computer.\r\nhttps://www.group-ib.com/blog/muddywater/\r\nPage 5 of 14\n\nThe metadata of that decoy document (MD5:\r\n0638adf8fb4095d60fbef190a759aa9e) revealed\r\nthree additional samples containing identical values, including the timestamps, the username, and\r\nthe list of contained macros:\r\nOne of the discovered documents, named ListOfHackedEmails.doc, contained a list of 34 email\r\naddresses relating to the domain @aselsan.com.tr.\r\nGroup-IB specialists checked the email addresses across all the publicly available leaks and\r\nestablished that 28 of them had been compromised as part of previously discovered leaks.\r\nChecking the mix of available leaks helped identify about 400 unique login details associated with\r\nthis domain, including the passwords. It’s possible that the threat actor used the publicly available\r\ndata to target ASELSAN A.Ş.\r\nListOfHackedEmails.doc (eed599981c097944fa143e7d7f7e17b1)\r\nasd.doc (21aebece73549b3c4355a6060df410e9)\r\nF35-Specifications.doc (5c6148619abb10bb3789dcfb32f759a6)\r\nhttps://www.group-ib.com/blog/muddywater/\r\nPage 6 of 14\n\nThe samples found contained a document called F35-Specifications.doc, which referred to the F-35 multi-functional fighter jet. The decoy document contained the specifications for the F-35,\r\nindicating the characteristics of the aircraft and its price. The subject of the decoy document relates\r\nto the US refusal to supply F-35s after Turkey purchased the Russian S-400 systems, which could\r\nlead to information about the F-35 Lightning II being transferred to Russia.\r\nAll the information obtained indicated that organizations in Turkey were the main target of the\r\nMuddyWater attacks.\r\nWho are Gladiyator_CRK and Nima Nikjoo?\r\nIn March 2019, malicious documents created by a Windows user Gladiyator_CRK were detected.\r\nThese documents also distributed POWERSTATS and communicated with a C\u0026C server\r\ngladiyator[.]tk.\r\nThis may be related to the fact that on March 14, 2019, the user Nima Nikjoo posted a tweet in\r\nwhich they tried to decode an obfuscated code related to MuddyWater. In the comments to the\r\ntweet, the researcher said that they could not share the indicators of compromise for the malware\r\nas the information was confidential. The tweet was deleted, but its traces remain on the web:\r\nhttps://www.group-ib.com/blog/muddywater/\r\nPage 7 of 14\n\nNima Nikjoo owns the Gladiyator_CRK profile on the Iranian video hosting services dideo.ir and\r\nvideoi.ir. TThe user utilizes these two resources to demonstrate PoC exploits designed to disable\r\nantivirus tools by various vendors and bypass sandboxes. Nima Nikjoo claims to be a network\r\nsecurity specialist, a reverse engineer, and a malware analyst at MTN Irancell, an Iranian\r\ntelecommunications company.\r\nBelow is a screenshot of saved videos in Google search engine results:\r\nhttps://www.group-ib.com/blog/muddywater/\r\nPage 8 of 14\n\nOn March 19, 2019, Nima Nikjoo changed his Twitter handle to “Malware Fighter” and removed\r\nposts and comments. All videos were also removed from the Gladiyator_CRK profile on dideo.ir, and\r\nthe YouTube profile was deleted. On April 16, 2019, however, the Twitter account was again renamed\r\n“Nima Nikjoo”.\r\nGroup-IB specialists established that Nima Nikjoo had already been mentioned in connection with\r\ncybercriminal activities. In August 2014, the Iran Khabarestan blog published information about\r\nindividuals linked with the Nasr Institute. One of FireEye’s investigations stated that the Nasr\r\nInstitute was an APT33 contractor and was also involved in DDoS attacks on US banks between\r\n2011 and 2013 as part of a campaign called Operation Ababil.\r\nThe same blog post mentioned Nima Nikju-Nikjoo, who had supposedly developed malware to spy\r\non Iranians. The post mentioned the developer’s email address: gladiyator_cracker@yahoo[.]com.\r\nBelow is a screenshot of information related to the Nasr Institute:\r\nTranslation of the highlighted text: Nima Nikio – Spyware developer – Email address:\r\nhttps://www.group-ib.com/blog/muddywater/\r\nPage 9 of 14\n\nAs the screenshot shows, the email address is linked to the address used in the attacks and to the\r\nusers Gladiyator_CRK and Nima Nikjoo.\r\nIn addition, in 2017, researchers revealed that Nikjoo had carelessly mentioned Kavosh Security\r\nCenter in his resume. It has been reported that the Iranian state used Kavosh Security Center to\r\nfund nation-state hackers.\r\nInformation about the company at which Nima Nikjoo worked:\r\nThe LinkedIn profile of Nima Nikjoo lists Kavosh Security Center as his first place of work, where he\r\nworked between 2006 and 2014. He performed malware analysis, reverse engineering, and code\r\nobfuscation.\r\nInformation on LinkedIn about the company where Nima Nikjoo worked:\r\nhttps://www.group-ib.com/blog/muddywater/\r\nPage 10 of 14\n\nMuddyWater and inflated self-esteem\r\nInterestingly, MuddyWater monitors all reports and messages about it published by\r\ncybersecurity experts. The group initially left false flags to throw researchers off their trail. For\r\nexample, the group’s first attacks misled experts, who discovered the use of DNS Messenger,\r\ncommonly associated with the group FIN7. In other attacks, MuddyWater inserted strings in Chinese\r\ninto the code.\r\nThe group also leaves messages for researchers. For example, they did not appreciate that\r\nKaspersky Lab placed MuddyWater in 3rd place in its threat ranking. At the time, someone\r\n(presumably a member of MuddyWater) uploaded to YouTube a PoC exploit that disabled Kaspersky\r\nanti-virus software. They also left a comment under the article.\r\nhttps://www.group-ib.com/blog/muddywater/\r\nPage 11 of 14\n\nScreenshots of the video showing how to disable the Kaspersky Lab antivirus and the comment\r\nunder Kaspersky’s Security Bulletin can be found below:\r\nIt is still difficult to make an unambiguous conclusion about how and to what extent Nima Nikjoo\r\nwas involved in the MuddyWater attacks. Group-IB experts are considering two possibilities. The\r\nfirst one is that Nima Nikjoo could be a hacker from MuddyWater who was identified due to his\r\nnegligence and high online activity. The second possibility is that he was intentionally “outed” by\r\nother group members in order to divert suspicion from themselves. Group-IB experts will continue\r\nwith their investigation and report what they find.\r\nAs for the Iranian APTs, the series of leaks means that they are likely to face a serious\r\n“debriefing”. The hackers will be forced to change their tools, clean up any traces they have left,\r\nand find any “rats” among them. Experts had not ruled out that the groups would take a timeout,\r\nbut after a short break, the Iranian APT attacks resumed.\r\nTry Group-IB Threat Intelligence now\r\nDefeat threats efficiently and identify attackers proactively with a revolutionary cyber\r\nthreat intelligence platform by Group-IB\r\nRequest a demo\r\nhttps://www.group-ib.com/blog/muddywater/\r\nPage 12 of 14\n\nShare this article\r\nFound it interesting? Don't hesitate to share it to wow your friends or colleagues\r\nResources\r\nResearch Hub\r\nSuccess Stories\r\nKnowledge Hub\r\nCertificates\r\nWebinars\r\nPodcasts\r\nTOP Investigations\r\nRansomware Notes\r\nAI Cybersecurity Hub\r\nProducts\r\nThreat Intelligence\r\nFraud Protection\r\nManaged XDR\r\nAttack Surface Management\r\nDigital Risk Protection\r\nBusiness Email Protection\r\nCyber Fraud Intelligence\r\nPlatform\r\nUnified Risk Platform\r\nIntegrations\r\nPartners\r\nPartner Program\r\nMSSP and MDR Partner\r\nProgram\r\nTechnology Partners\r\nPartner Locator\r\nCompany\r\nAbout Group-IB\r\nTeam\r\nCERT-GIB\r\nCareers\r\nhttps://www.group-ib.com/blog/muddywater/\r\nPage 13 of 14\n\nInternship\r\nAcademic Aliance\r\nSustainability\r\nMedia Center\r\nContact\r\nAPAC: +65 3159 3798\r\nEU \u0026 NA: +31 20 226 90 90\r\nMEA: +971 4 568 1785\r\ninfo@group-ib.com\r\n© 2003 – 2026 Group-IB is a global leader in the fight against cybercrime, protecting customers\r\naround the world by preventing breaches, eliminating fraud and protecting brands.\r\nTerms of Use Cookie Policy Privacy Policy\r\nSubscription plans Services Resource Center\r\nSubscribe to stay up to date with the\r\nlatest cyber threat trends\r\nContact\r\nhttps://www.group-ib.com/blog/muddywater/\r\nPage 14 of 14", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://www.group-ib.com/blog/muddywater/" ], "report_names": [ "muddywater" ], "threat_actors": [ { "id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4", "created_at": "2022-10-25T15:50:23.458833Z", "updated_at": "2026-04-10T02:00:05.419537Z", "deleted_at": null, "main_name": "APT34", "aliases": null, "source_name": "MITRE:APT34", "tools": [ "netstat", "Systeminfo", "PsExec", "SEASHARPEE", "Tasklist", "Mimikatz", "POWRUNER", "certutil" ], "source_id": "MITRE", "reports": null }, { "id": "a63c994f-d7d6-4850-a881-730635798b90", "created_at": "2025-08-07T02:03:24.788883Z", "updated_at": "2026-04-10T02:00:03.785146Z", "deleted_at": null, "main_name": "COBALT TRINITY", "aliases": [ "APT33 ", "Elfin ", "HOLMIUM ", "MAGNALIUM ", "Peach Sandstorm ", "Refined Kitten ", "TA451 " ], "source_name": "Secureworks:COBALT TRINITY", "tools": [ "AutoCore", "Cadlotcorg", "Dello RAT", "FalseFont", "Imminent Monitor", "KDALogger", "Koadic", "NanoCore", "NetWire", "POWERTON", "PoshC2", "Poylog", "PupyRAT", "Schoolbag" ], "source_id": "Secureworks", "reports": null }, { "id": "9de1979b-40fc-44dc-855d-193edda4f3b8", "created_at": "2025-08-07T02:03:24.92723Z", "updated_at": "2026-04-10T02:00:03.755516Z", "deleted_at": null, "main_name": "GOLD LOCUST", "aliases": [ "Anunak", "Carbanak", "Carbon Spider ", "FIN7 ", "Silicon " ], "source_name": "Secureworks:GOLD LOCUST", "tools": [ "Carbanak" ], "source_id": "Secureworks", "reports": null }, { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b", "created_at": "2022-10-25T15:50:23.308924Z", "updated_at": "2026-04-10T02:00:05.298591Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "MuddyWater", "Earth Vetala", "Static Kitten", "Seedworm", "TEMP.Zagros", "Mango Sandstorm", "TA450" ], "source_name": "MITRE:MuddyWater", "tools": [ "STARWHALE", "POWERSTATS", "Out1", "PowerSploit", "Small Sieve", "Mori", "Mimikatz", "LaZagne", "PowGoop", "CrackMapExec", "ConnectWise", "SHARPSTATS", "RemoteUtilities", "Koadic" ], "source_id": "MITRE", "reports": null }, { "id": "2ed8d590-defa-4873-b2de-b75c9b30931e", "created_at": "2023-01-06T13:46:38.730137Z", "updated_at": "2026-04-10T02:00:03.08136Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "TEMP.Zagros", "Seedworm", "COBALT ULSTER", "G0069", "ATK51", "Mango Sandstorm", "TA450", "Static Kitten", "Boggy Serpens", "Earth Vetala" ], "source_name": "MISPGALAXY:MuddyWater", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "cffb3c01-038f-4527-9cfd-57ad5a035c22", "created_at": "2022-10-25T15:50:23.38055Z", "updated_at": "2026-04-10T02:00:05.258283Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "COBALT GYPSY", "IRN2", "APT34", "Helix Kitten", "Evasive Serpens", "Hazel Sandstorm", "EUROPIUM", "ITG13", "Earth Simnavaz", "Crambus", "TA452" ], "source_name": "MITRE:OilRig", "tools": [ "ISMInjector", "ODAgent", "RDAT", "Systeminfo", "QUADAGENT", "OopsIE", "ngrok", "Tasklist", "certutil", "ZeroCleare", "POWRUNER", "netstat", "Solar", "ipconfig", "LaZagne", "BONDUPDATER", "SideTwist", "OilBooster", "SampleCheck5000", "PsExec", "SEASHARPEE", "Mimikatz", "PowerExchange", "OilCheck", "RGDoor", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf", "created_at": "2023-01-06T13:46:38.405479Z", "updated_at": "2026-04-10T02:00:02.961112Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "ATK32", "G0046", "G0008", "Sangria Tempest", "ELBRUS", "GOLD NIAGARA", "Coreid", "Carbanak", "Carbon Spider", "JokerStash", "CARBON SPIDER" ], "source_name": "MISPGALAXY:FIN7", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e5ff825b-0456-4013-b90a-971b93def74a", "created_at": "2022-10-25T15:50:23.824058Z", "updated_at": "2026-04-10T02:00:05.377261Z", "deleted_at": null, "main_name": "APT33", "aliases": [ "APT33", "HOLMIUM", "Elfin", "Peach Sandstorm" ], "source_name": "MITRE:APT33", "tools": [ "PowerSploit", "AutoIt backdoor", "PoshC2", "Mimikatz", "NanoCore", "DEADWOOD", "StoneDrill", "POWERTON", "LaZagne", "TURNEDUP", "NETWIRE", "Pupy", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "156b3bc5-14b7-48e1-b19d-23aa17492621", "created_at": "2025-08-07T02:03:24.793494Z", "updated_at": "2026-04-10T02:00:03.634641Z", "deleted_at": null, "main_name": "COBALT ULSTER", "aliases": [ "Boggy Serpens ", "ENT-11 ", "Earth Vetala ", "ITG17 ", "MERCURY ", "Mango Sandstorm ", "MuddyWater ", "STAC 1171 ", "Seedworm ", "Static Kitten ", "TA450 ", "TEMP.Zagros ", "UNC3313 ", "Yellow Nix " ], "source_name": "Secureworks:COBALT ULSTER", "tools": [ "CrackMapExec", "Empire", "FORELORD", "Koadic", "LaZagne", "Metasploit", "Mimikatz", "Plink", "PowerStats" ], "source_id": "Secureworks", "reports": null }, { "id": "f4f16213-7a22-4527-aecb-b964c64c2c46", "created_at": "2024-06-19T02:03:08.090932Z", "updated_at": "2026-04-10T02:00:03.6289Z", "deleted_at": null, "main_name": "GOLD NIAGARA", "aliases": [ "Calcium ", "Carbanak", "Carbon Spider ", "FIN7 ", "Navigator ", "Sangria Tempest ", "TelePort Crew " ], "source_name": "Secureworks:GOLD NIAGARA", "tools": [ "Bateleur", "Carbanak", "Cobalt Strike", "DICELOADER", "DRIFTPIN", "GGLDR", "GRIFFON", "JSSLoader", "Meterpreter", "OFFTRACK", "PILLOWMINT", "POWERTRASH", "SUPERSOFT", "TAKEOUT", "TinyMet" ], "source_id": "Secureworks", "reports": null }, { "id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b", "created_at": "2025-08-07T02:03:24.722093Z", "updated_at": "2026-04-10T02:00:03.681914Z", "deleted_at": null, "main_name": "COBALT EDGEWATER", "aliases": [ "APT34 ", "Cold River ", "DNSpionage " ], "source_name": "Secureworks:COBALT EDGEWATER", "tools": [ "AgentDrable", "DNSpionage", "Karkoff", "MailDropper", "SideTwist", "TWOTONE" ], "source_id": "Secureworks", "reports": null }, { "id": "c786e025-c267-40bd-9491-328da70811a5", "created_at": "2025-08-07T02:03:24.736817Z", "updated_at": "2026-04-10T02:00:03.752071Z", "deleted_at": null, "main_name": "COBALT GYPSY", "aliases": [ "APT34 ", "CHRYSENE ", "Crambus ", "EUROPIUM ", "Hazel Sandstorm ", "Helix Kitten ", "ITG13 ", "OilRig ", "Yellow Maero " ], "source_name": "Secureworks:COBALT GYPSY", "tools": [ "Glimpse", "Helminth", "Jason", "MacDownloader", "PoisonFrog", "RGDoor", "ThreeDollars", "TinyZbot", "Toxocara", "Trichuris", "TwoFace" ], "source_id": "Secureworks", "reports": null }, { "id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f", "created_at": "2023-01-06T13:46:38.367369Z", "updated_at": "2026-04-10T02:00:02.945356Z", "deleted_at": null, "main_name": "APT33", "aliases": [ "Elfin", "MAGNALLIUM", "HOLMIUM", "COBALT TRINITY", "G0064", "ATK35", "Peach Sandstorm", "TA451", "APT 33", "Refined Kitten" ], "source_name": "MISPGALAXY:APT33", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "67709937-2186-4a32-b64c-a5693d40ac77", "created_at": "2023-01-06T13:46:38.495593Z", "updated_at": "2026-04-10T02:00:02.999196Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "Crambus", "Helix Kitten", "APT34", "IRN2", "ATK40", "G0049", "EUROPIUM", "TA452", "Twisted Kitten", "Cobalt Gypsy", "APT 34", "Evasive Serpens", "Hazel Sandstorm", "Earth Simnavaz" ], "source_name": "MISPGALAXY:OilRig", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb", "created_at": "2022-10-25T16:07:23.880522Z", "updated_at": "2026-04-10T02:00:04.775749Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "ATK 51", "Boggy Serpens", "Cobalt Ulster", "G0069", "ITG17", "Mango Sandstorm", "MuddyWater", "Operation BlackWater", "Operation Earth Vetala", "Operation Quicksand", "Seedworm", "Static Kitten", "T-APT-14", "TA450", "TEMP.Zagros", "Yellow Nix" ], "source_name": "ETDA:MuddyWater", "tools": [ "Agentemis", "BugSleep", "CLOUDSTATS", "ChromeCookiesView", "Cobalt Strike", "CobaltStrike", "CrackMapExec", "DCHSpy", "DELPHSTATS", "EmPyre", "EmpireProject", "FruityC2", "Koadic", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "MZCookiesView", "Meterpreter", "Mimikatz", "MuddyC2Go", "MuddyRot", "Mudwater", "POWERSTATS", "PRB-Backdoor", "PhonyC2", "PowGoop", "PowerShell Empire", "PowerSploit", "Powermud", "QUADAGENT", "SHARPSTATS", "SSF", "Secure Socket Funneling", "Shootback", "Smbmap", "Valyria", "chrome-passwords", "cobeacon", "prb_backdoor" ], "source_id": "ETDA", "reports": null }, { "id": "bfded1cf-be73-44f9-a391-0751c9996f9a", "created_at": "2022-10-25T15:50:23.337107Z", "updated_at": "2026-04-10T02:00:05.252413Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "FIN7", "GOLD NIAGARA", "ITG14", "Carbon Spider", "ELBRUS", "Sangria Tempest" ], "source_name": "MITRE:FIN7", "tools": [ "Mimikatz", "AdFind", "JSS Loader", "HALFBAKED", "REvil", "PowerSploit", "CrackMapExec", "Carbanak", "Pillowmint", "Cobalt Strike", "POWERSOURCE", "RDFSNIFFER", "SQLRat", "Lizar", "TEXTMATE", "BOOSTWRITE" ], "source_id": "MITRE", "reports": null }, { "id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82", "created_at": "2022-10-25T16:07:23.619566Z", "updated_at": "2026-04-10T02:00:04.690061Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "APT-C-11", "ATK 32", "G0046", "Gold Niagara", "GrayAlpha", "ITG14", "TAG-CR1" ], "source_name": "ETDA:FIN7", "tools": [ "7Logger", "Agentemis", "Anubis Backdoor", "Anunak", "Astra", "BIOLOAD", "BIRDWATCH", "Bateleur", "Boostwrite", "CROWVIEW", "Carbanak", "Cobalt Strike", "CobaltStrike", "DICELOADER", "DNSMessenger", "FOWLGAZE", "HALFBAKED", "JSSLoader", "KillACK", "LOADOUT", "Lizar", "Meterpreter", "Mimikatz", "NetSupport", "NetSupport Manager", "NetSupport Manager RAT", "NetSupport RAT", "NetSupportManager RAT", "POWERPLANT", "POWERSOURCE", "RDFSNIFFER", "Ragnar Loader", "SQLRAT", "Sardonic", "Sekur", "Sekur RAT", "TEXTMATE", "Tirion", "VB Flash", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "b6436f7b-6012-4969-aed1-d440e2e8b238", "created_at": "2022-10-25T16:07:23.91517Z", "updated_at": "2026-04-10T02:00:04.788408Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "APT 34", "ATK 40", "Chrysene", "Cobalt Gypsy", "Crambus", "DEV-0861", "EUROPIUM", "Earth Simnavaz", "Evasive Serpens", "G0049", "Hazel Sandstorm", "Helix Kitten", "IRN2", "ITG13", "Scarred Manticore", "Storm-0861", "TA452", "Twisted Kitten", "UNC1860", "Yellow Maero" ], "source_name": "ETDA:OilRig", "tools": [ "AMATIAS", "Agent Drable", "Agent Injector", "AgentDrable", "Alma Communicator", "BONDUPDATER", "CACTUSPIPE", "Clayslide", "CypherRat", "DNSExfitrator", "DNSpionage", "DROPSHOT", "DistTrack", "DropperBackdoor", "Fox Panel", "GREYSTUFF", "GoogleDrive RAT", "HighShell", "HyperShell", "ISMAgent", "ISMDoor", "ISMInjector", "Jason", "Karkoff", "LIONTAIL", "LOLBAS", "LOLBins", "LONGWATCH", "LaZagne", "Living off the Land", "MailDropper", "Mimikatz", "MrPerfectInstaller", "OILYFACE", "OopsIE", "POWBAT", "POWRUNER", "Plink", "Poison Frog", "PowerExchange", "PsList", "PuTTY Link", "QUADAGENT", "RDAT", "RGDoor", "SEASHARPEE", "Saitama", "Saitama Backdoor", "Shamoon", "SideTwist", "SpyNote", "SpyNote RAT", "StoneDrill", "TONEDEAF", "TONEDEAF 2.0", "ThreeDollars", "TwoFace", "VALUEVAULT", "Webmask", "WinRAR", "ZEROCLEAR", "ZeroCleare", "certutil", "certutil.exe" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434554, "ts_updated_at": 1775826734, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/3cc32494460630c192e446f0d71371e1844fa964.pdf", "text": "https://archive.orkl.eu/3cc32494460630c192e446f0d71371e1844fa964.txt", "img": "https://archive.orkl.eu/3cc32494460630c192e446f0d71371e1844fa964.jpg" } }