{
	"id": "034fd30a-e522-4390-9bbb-f8a85153828f",
	"created_at": "2026-04-06T00:20:13.236333Z",
	"updated_at": "2026-04-10T13:11:19.769581Z",
	"deleted_at": null,
	"sha1_hash": "3e550c218ec73a994871b86c0e388a3a391409c9",
	"title": "Q4 2020 Threat Report | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 130617,
	"plain_text": "Q4 2020 Threat Report | Proofpoint US\r\nBy Proofpoint Threat Research Team, February 16, 2021\r\nPublished: 2021-02-12 · Archived: 2026-04-05 15:57:12 UTC\r\nIn today’s threat landscape, people are the new perimeter. Whether it’s malware, email fraud, cloud account takeover or credential phishing, cyber attacks no longer focus on breaking through network controls and cracking technical flaws. Instead, they target users and exploit human nature.\r\nThat’s why people are at the center of our cybersecurity mission—and why user-activated attacks are the focus of this report. Like most threat reports, this one highlights the latest quarter’s attack trends, campaigns and themes. But it goes a step further, exploring how attackers target people and what you can do about it.\r\nOur goal in this report is twofold. First, we want to help demystify cybersecurity by shedding light on the people-centric nature of today’s threats. Second, and just as critical, we want to show how organizations can use this insight to better protect their greatest asset and today’s biggest risk: their people.\r\nThe report is a small slice of the insight we offer customers through the Proofpoint Nexus Threat Graph. Every day, we analyze billions of email messages, billions of URLs and attachments, tens of millions of cloud accounts and more—trillions of data points across all the digital channels that matter. Our global footprint and laser focus on people-related cyber risk give us a unique view into today’s biggest cyber threats.\r\nExcept where noted, this report covers threats and trends observed directly by our global network of threat researchers.\r\nTop attack techniques\r\nEmail is by far the biggest channel for cyber attacks. 
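Before the technique summaries that follow, here is an added example (not code from the report or from Proofpoint) of a static triage check a mail gateway or an analyst could run against an attachment for two of the techniques this section describes: Excel 4.0 (XL4) macros and password-protected files. It assumes zip-based inputs only (OOXML .xlsm/.docm files and plain .zip attachments); the sample containers it builds are constructed stand-ins rather than openable workbooks, and the encryption flag on the sample archive is set by hand because Python's zipfile module cannot write encrypted members.

```python
"""Static attachment triage for two techniques in this report: Excel 4.0 (XL4)
macros and password-protected files. Added example, not Proofpoint's code.
Handles zip-based inputs only: OOXML (.xlsm/.docm are zip containers) and plain
.zip attachments. Legacy OLE2 .xls/.doc files are out of scope here."""
import io
import re
import zipfile

ENCRYPTED_FLAG = 0x1  # general-purpose flag bit 0 of a zip entry: member is encrypted


def triage(data: bytes) -> dict:
    """Inspect one attachment (raw bytes) without opening it in Office."""
    found = {
        "zip_container": False,
        "encrypted_entries": [],  # password-protected members: unscannable without the password
        "xl4_macrosheets": [],    # OOXML stores Excel 4.0 macro sheets under xl/macrosheets/
        "vba_project": False,     # xl/ or word/ vbaProject.bin means VBA macros are present
        "hidden_sheets": [],      # (name, state) for sheets marked hidden or veryHidden
    }
    if not data.startswith(b"PK\x03\x04"):
        return found
    found["zip_container"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & ENCRYPTED_FLAG:
                found["encrypted_entries"].append(info.filename)
            if info.filename.startswith("xl/macrosheets/"):
                found["xl4_macrosheets"].append(info.filename)
            if info.filename.lower().endswith("vbaproject.bin"):
                found["vba_project"] = True
        try:
            wb = zf.getinfo("xl/workbook.xml")
        except KeyError:
            wb = None
        # Only read the workbook index if it is not itself encrypted (read() would raise).
        if wb is not None and not (wb.flag_bits & ENCRYPTED_FLAG):
            xml = zf.read(wb).decode("utf-8", "replace")
            for tag in re.findall(r"<sheet\b[^>]*>", xml):
                state = re.search(r'state="(hidden|veryHidden)"', tag)
                if state:
                    name = re.search(r'name="([^"]*)"', tag)
                    found["hidden_sheets"].append((name.group(1) if name else "?", state.group(1)))
    return found


def verdict(found: dict) -> list:
    """Human-readable reasons to hold the attachment for further analysis."""
    reasons = []
    if found["xl4_macrosheets"]:
        reasons.append("Excel 4.0 macro sheet present")
    if found["vba_project"]:
        reasons.append("VBA project present")
    if any(state == "veryHidden" for _, state in found["hidden_sheets"]):
        reasons.append("veryHidden sheet (cannot be unhidden from the Excel UI)")
    if found["encrypted_entries"]:
        reasons.append("password-protected archive member; cannot be scanned without the password")
    return reasons


def build_xl4_sample() -> bytes:
    """Constructed OOXML-style container: a visible sheet, a veryHidden XL4 macro
    sheet and a VBA project. Structure only; this is not an openable workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml",
                    '<workbook><sheets>'
                    '<sheet name="Invoice" sheetId="1"/>'
                    '<sheet name="Macro1" sheetId="2" state="veryHidden"/>'
                    '</sheets></workbook>')
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        zf.writestr("xl/macrosheets/sheet1.xml", "<macrosheet/>")
        zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE2 magic only (constructed)
    return buf.getvalue()


def build_protected_zip_sample() -> bytes:
    """Constructed password-protected archive. zipfile cannot write encrypted
    members, so the encryption flag is set by hand after writing; a real
    password-protected zip carries the same flag in its central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("invoice.xlsm")
        zf.writestr(info, b"placeholder member body (constructed, not encrypted)")
        info.flag_bits |= ENCRYPTED_FLAG
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("xl4 lure", build_xl4_sample()),
                          ("protected zip", build_protected_zip_sample()),
                          ("pdf", b"%PDF-1.7 ...")):
        print(label, "->", verdict(triage(sample)) or ["no findings"])
```

The checks are deliberately structural: an XL4 macro sheet is a separate part under xl/macrosheets/ and a veryHidden sheet cannot be revealed from the Excel UI, so both can be flagged without parsing formulas, while an encrypted member is reported rather than opened because no scanner can inspect it without the password the attacker sends to the human reader.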
We saw a wide range of email attack techniques in the fourth quarter, but almost all of them included some form of social engineering.\r\nThe term “social engineering” covers any number of psychological techniques that trick people into doing something the attacker wants them to do. That may mean opening a malicious attachment, clicking on an unsafe URL, sending login credentials or sensitive information, or even wiring money to the attacker.\r\nFigure 1 shows attacks that used social engineering in tandem with a technical exploit or technique. In many cases, social engineering is used to trick users into doing something directly—no malware needed. If listed as a separate technique, social engineering would easily dominate the chart as a component in 99% of all attacks.\r\nWhen used with a technical exploit, social engineering might be something as simple as a hard-to-resist subject line or a spoofed sender address. In other cases, it might be as involved as impersonating a trusted colleague to lure new victims.\r\nhttps://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes\r\nPage 1 of 9\r\nFigure 1\r\nHere’s a summary of how these techniques work:\r\nOffice macros: Abuses the macro languages built into Microsoft Office to automate and extend its features (VBA and, in Excel, the much older Excel 4.0 macro sheets). Attackers create and embed malicious macros that infect the user’s device when the document is opened. Most attacks involve tricking the user into not just opening the document but enabling macros, which Office blocks until the user clicks through a warning. Many recent attacks feature a new twist on this decades-old Excel feature and are often classified as Excel 4.0 (XL4) attacks.\r\nSandbox evasion: Modern threat-detection tools safely “detonate” unknown files within virtual machines to see what they do when clicked or opened. 
Sandbox evasion techniques can prevent the malware from running, or limit its telltale behaviors, inside virtual environments so that it is not discovered. One of the big evasion techniques we saw in Q4 was using Windows’ Regsvr32 command line tool in a way that is not detected within most sandboxes. (Regsvr32 is a signed Windows utility for registering and unregistering DLLs and OLE controls. Because it is a trusted Microsoft binary, it can be abused to run attacker-supplied code and bypass application allow-listing such as Windows’ AppLocker.)\r\nPowerShell: Abuses Windows’ built-in scripting and administration tool to infect victims’ PCs. These attacks usually start with a phishing email that includes a URL linking to a page with embedded code that uses PowerShell to take over the victim’s machine. They are hard to detect because they use a legitimate Windows feature and don’t start with a full malware file. PowerShell can also be used to download and run other malicious files from the internet.\r\nHTML: Web pages can include all kinds of code that exploits flaws in popular browsers and, on rare occasions, operating systems. These include legitimate but compromised websites and web-based ads. Most attacks that use this technique trick the victim into clicking an unsafe URL, but attackers can also send HTML pages directly through email as attachments.\r\nThread hijacking: After taking over someone’s email account, the attacker contacts people the compromised user knows, replying to past and ongoing email threads with a malicious message. Because the reply arrives in an existing conversation from a real account, it inherits the trust of that thread.\r\nPassword protected: Adding password protection to a malicious file locks it away from many malware-detection tools, which cannot inspect what they cannot decrypt. The attacker gives human readers the password in the email body and tricks them into opening and unlocking the file.\r\nGeofencing: Limits malware behaviors to defined geographies by checking the infected device’s apparent location, typically its IP address geolocation, system language or keyboard layout rather than GPS. 
This lets attackers focus on their intended targets and evade detection tools hosted elsewhere.\r\nTop Threat Actors\r\nAmong malicious emails we could tie to a known threat actor, more than 60% of the total volume we saw in Q4 came from just two attackers, which we have designated TA544 and TA542 (also known as Emotet). Both were also among the most prolific threat actors in Q3.\r\nNote: This chart highlights email attacks that we could confidently tie to a known threat actor. Determining who is behind an attack, a process known as attribution, is not always possible. The cyber criminal ecosystem is vast and highly fragmented. Unattributed attacks are not included in this chart, so that the biggest known threats can be analyzed and compared.\r\nFigure 2\r\nWhat are ‘threat actors?’\r\nThreat actor is a term threat researchers use to describe an attacker or group of attackers. They can include:\r\nState-sponsored attackers. Also known as advanced persistent threats (APTs), these attackers typically engage in espionage on behalf of a government. But attacks may also involve intellectual property theft, outright financial theft and attacks designed to disrupt or damage data and systems. Whatever approach they take, they’re all meant to achieve a military or diplomatic goal.\r\nCyber criminal rings. These organized crime groups are usually in it for the money. In many cases, they work like multilevel marketing franchises. An advanced threat actor creates the malware “product” and sets up the infrastructure as an easy-to-use package or service. Lower-level cyber criminals may rent the service for their attacks, paying to use it for a set period of time or getting a cut of each successful compromise. 
In other cases, they act as distributors, sending out emails with the malware and earning a commission on each successful infection. Some researchers consider the most advanced cyber criminal groups to be APTs.\r\nHacktivists. This portmanteau of “hacking” and “activism” refers to attacks meant to make a political statement or effect policy change. These attacks, though rare, typically expose secret information, disrupt perceived wrongdoing or embarrass foes. While their goals are different, they use many of the same tools and techniques as other types of attackers and can cause just as much harm.\r\nKnowing who is behind an attack—and what their motivations are—can be a critical part of defending against them.\r\nTA542 and the demise of Emotet\r\nTA542 has become one of the most prolific threat actors in recent years due to massive campaigns that use a malware strain called Emotet. The group has targeted multiple industries around the world, sending hundreds of thousands—or even millions—of messages per day.\r\nDubbed “the world’s most dangerous malware,”1 Emotet is versatile and highly adaptable. It was first discovered in 2014 as a simple banking Trojan aimed at stealing account credentials. Since then, it has evolved into a highly versatile malware strain used for everything from stealing data to harvesting email to delivering ransomware. Emotet has been used to target critical industries around the world, including banking, e‑commerce, healthcare, academia, government and technology.2\r\nEmotet doesn’t just compromise the systems it infects. It also uses these compromised machines to launch new attacks, absorbing them into a zombie-like network of more than a million similarly infected machines known as a botnet. 
Other cyber criminals can pay TA542 to use the botnet for all kinds of attacks—or could until just a few weeks ago.\r\nThe takedown\r\nAuthorities said in late January that they had shut down Emotet’s infrastructure as part of a coordinated effort across nine countries in North America and Europe.3 Law enforcement appears to have taken over all three of Emotet’s known botnet networks. Authorities plan to retool the botnets to remove the malware from infected systems.4\r\nWhat’s next?\r\nAt this stage, there’s no telling what the Emotet takedown means over the long term. TA542 had remained active in the days leading up to the shutdown, and efforts to disrupt large botnets in the past have had mixed results. We don’t know how large the team operating the Emotet botnet was, or whether all of its members were in Ukraine, where at least two of Emotet’s operators were arrested.5\r\nIf segments of the botnet and associated operators survive, Emotet’s source code may be retooled under new infrastructure and a new moniker. Threat actors often build redundancy into their infrastructure, and their teams often live in countries beyond the reach of the law.\r\nTA544 goes on a financial cyber crime spree\r\nFirst documented in 2017, TA544 is part of a financial crime ring that has targeted a range of industries in Japan and several European countries, with a heavy focus on manufacturing and tech firms. It is an affiliate that distributes several strains of malware, including Panda Banker and others.\r\nA large share of its attacks use a Trojan called Ursnif, but it’s not clear whether it controls Ursnif or is just one of the groups using it. 
The malware stems from leaked source code and is used by many other threat actors.\r\nOne of TA544’s distinctive traits is how it uses steganography, hiding malicious code in seemingly benign images.\r\nTA573: a top-tier distributor with ties to Evil Corp\r\nLike other illicit markets, cyber crime is a loose, multilayered ecosystem that includes suppliers, distributors, money launderers and other specialties. TA573 operates as a malware “affiliate,” which sends malware someone else has created.\r\nThink of affiliates as the last mile of the malware supply chain. They don’t write malware or run the infrastructure used to support attacks. Instead, they’re the malware distributor, selecting targets and crafting emails designed to trick recipients into engaging with them. Cyber criminals’ business models vary, but affiliates typically get a commission on every victim infected.\r\nTA573 is an affiliate distributor of Dridex, a malware strain that resurged in 2020 after lying low through most of 2019. The malware itself is a creation of a Russian cyber crime group that calls itself Evil Corp,6 a longtime menace that recently turned to ransomware.7 In June, U.S. authorities offered $5 million for information leading to the arrest of Evil Corp’s operators, the largest reward ever for a cyber criminal.\r\nTA800 holds healthcare data hostage\r\nThis attacker is an affiliate distributor of The Trick, also known as Trickbot, and BazaLoader. (For more on how affiliates work, see the description of TA573.)\r\nTA800 has targeted a wide range of industries in North America, infecting victims with banking Trojans and malware loaders (malware designed to download other malware onto a compromised device). Malicious emails have often included recipients’ names, titles and employers along with phishing pages designed to look like the targeted company. 
Lures have included hard-to-resist subjects such as payments, meetings, termination, bonuses and complaints, in the subject line or body of the email.\r\nIn Q4, it was responsible for a wave of attacks against the healthcare sector using a loader called BazaLoader. BazaLoader, under the control of a separate threat actor, subsequently installed a ransomware strain called Ryuk. (Some researchers believe BazaLoader was created by the same malware team behind The Trick, in part because both malware strains have infected victims with Ryuk.)\r\nRansomware encrypts data on infected devices, effectively locking victims out of their data and systems until they pay the attacker to regain access.\r\nHealthcare organizations have become an especially enticing target for ransomware attacks. They are often not as well protected as other sectors, and the life-and-death nature of the business means they can afford little downtime. Three U.S. government agencies warned hospitals in October of an “increased and imminent” cyber crime threat that included ransomware attacks.8\r\nTA574: a new entrant draws on legacy malware\r\nA relative newcomer, TA574 appears to be another affiliate focused on malware distribution. (For more on how affiliates work, see the description of TA573.)\r\nTA574 has launched attacks against a wide range of industries, sending an updated version of a 15-year-old banking Trojan called Zloader. 
It’s an offshoot of the infamous Zeus banking Trojan, which has been used to steal millions of dollars from victims’ banking accounts.\r\nThe group also uses Ostap, a malware downloader that uses JavaScript to hide itself from security sandbox analysis tools (see the “Top attack techniques” section for more on sandbox evasion).\r\nAttribution: the known unknowns\r\nAs noted earlier in this section, Figure 2 includes only attacks that can be tied to a known threat actor. This focus is helpful but may make the universe of attackers seem more concentrated than it actually is.\r\nAs Figure 3 shows, nearly 90% of campaign-related email volume we saw in Q4 can’t be attributed to known attackers. (That figure is even higher for email that is not part of a campaign.)\r\nFigure 3\r\nIt’s easy to see why. Would-be hackers with little technical skill can easily access the malware and infrastructure they need for successful campaigns, greatly lowering barriers to entry. And as explained in the last section, many attacks don’t require these tools at all—just a keen understanding of human nature and a knack for persuasion.\r\nIt’s a testament to the breadth and diversity of today’s threat landscape—and a reminder that organizations looking to protect their users, data and systems must be prepared for anything.\r\nConclusion and Recommendations\r\nToday’s attacks target people, not infrastructure. That’s why you must take a people-centric approach to cybersecurity. That includes user-level visibility into vulnerability, attacks and privilege, and tailored controls that account for individual user risk.\r\nHere’s what we recommend as a starting point.\r\nTrain users to spot and report malicious email. 
Regular training and simulated attacks can stop many attacks and help identify people who are especially vulnerable. The best simulations mimic real-world attack techniques. Look for solutions that tie into real-world attack trends and the latest threat intelligence.\r\nAt the same time, assume that users will eventually click some threats. Attackers will always find new ways to exploit human nature. Find a solution that spots and blocks inbound email threats targeting employees before they reach the inbox. Invest in a solution that can manage the entire spectrum of email threats, not just malware-based threats. Some threats—including business email compromise (BEC) and other forms of email fraud—can be hard to detect with conventional security tools. Your solution should analyze both external and internal email; attackers may use compromised accounts to trick users within the same organization. Web isolation can be a critical safeguard for unknown and risky URLs.\r\nManage access to sensitive data and insider threats. A cloud access security broker can help secure cloud accounts and help you grant the right levels of access to users and third-party add-on apps based on the risk factors that matter to you. Insider risk management platforms can help protect against insider threats, including users compromised by external attacks.\r\nPartner with a threat intelligence vendor. Focused, targeted attacks call for advanced threat intelligence. Leverage a solution that combines static and dynamic techniques at scale to detect new attack tools, tactics and targets—and then learns from them.\r\n1 Europol. “World’s Most Dangerous Malware Emotet Disrupted Through Global Action.” January 2021.\r\n2 U.S. Department of Justice. “Emotet Botnet Disrupted in International Cyber Operation.” January 2021.\r\n3 Danny Palmer (ZDNet). 
“Emotet: The world's most dangerous malware botnet was just disrupted by a major police operation.” January 2021.\r\n4 Catalin Cimpanu (ZDNet). “Authorities plan to mass-uninstall Emotet from infected hosts on April 25, 2021.” January 2021.\r\n5 Andy Greenberg (Wired). “Cops Disrupt Emotet, the Internet's ‘Most Dangerous Malware.’” January 2021.\r\n6 Krebs on Security. “Inside ‘Evil Corp,’ a $100M Cybercrime Menace.” December 2019.\r\n7 BBC. “Russian hacker group Evil Corp targets US workers at home.” June 2020.\r\n8 National Cyber Awareness System. “Alert (AA20-302A): Ransomware Activity Targeting the Healthcare and Public Health Sector.” October 2020.\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes"
	],
	"report_names": [
		"q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes"
	],
	"threat_actors": [
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c91f7778-69aa-45fa-be0e-4ee33daf8fbd",
			"created_at": "2023-01-06T13:46:39.110148Z",
			"updated_at": "2026-04-10T02:00:03.216613Z",
			"deleted_at": null,
			"main_name": "NARWHAL SPIDER",
			"aliases": [
				"GOLD ESSEX",
				"TA544",
				"Storm-0302"
			],
			"source_name": "MISPGALAXY:NARWHAL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "956fc691-b6c6-4b09-b69d-8f007c189839",
			"created_at": "2025-08-07T02:03:24.860251Z",
			"updated_at": "2026-04-10T02:00:03.656547Z",
			"deleted_at": null,
			"main_name": "GOLD ESSEX",
			"aliases": [
				"Narwhal Spider ",
				"Storm-0302 ",
				"TA544 "
			],
			"source_name": "Secureworks:GOLD ESSEX",
			"tools": [
				"Cutwail",
				"Pony",
				"Pushdo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cf32661e-7543-4b57-8665-7f8101a000e9",
			"created_at": "2023-01-06T13:46:39.322379Z",
			"updated_at": "2026-04-10T02:00:03.287241Z",
			"deleted_at": null,
			"main_name": "TA800",
			"aliases": [],
			"source_name": "MISPGALAXY:TA800",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1f679d2e-c5c9-49e9-b854-2eca06a870e4",
			"created_at": "2022-10-25T16:07:24.453427Z",
			"updated_at": "2026-04-10T02:00:04.997515Z",
			"deleted_at": null,
			"main_name": "Bamboo Spider",
			"aliases": [
				"Bamboo Spider",
				"TA544"
			],
			"source_name": "ETDA:Bamboo Spider",
			"tools": [
				"AndroKINS",
				"Bebloh",
				"Chthonic",
				"DELoader",
				"Dofoil",
				"GozNym",
				"Gozi ISFB",
				"ISFB",
				"Nymaim",
				"PandaBanker",
				"Pandemyia",
				"Sharik",
				"Shiotob",
				"Smoke Loader",
				"SmokeLoader",
				"Terdot",
				"URLZone",
				"XSphinx",
				"ZLoader",
				"Zeus OpenSSL",
				"Zeus Panda",
				"Zeus Sphinx",
				"ZeusPanda",
				"nymain"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434813,
	"ts_updated_at": 1775826679,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3e550c218ec73a994871b86c0e388a3a391409c9.pdf",
		"text": "https://archive.orkl.eu/3e550c218ec73a994871b86c0e388a3a391409c9.txt",
		"img": "https://archive.orkl.eu/3e550c218ec73a994871b86c0e388a3a391409c9.jpg"
	}
}