{
	"id": "91e7b8af-7175-473a-b9e4-dbb42962798b",
	"created_at": "2026-04-06T00:10:52.729382Z",
	"updated_at": "2026-04-10T13:12:48.103241Z",
	"deleted_at": null,
	"sha1_hash": "4140ef3f589839a3a0a99d46599c44122f36ca0b",
	"title": "LIONTAIL (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 33564,
	"plain_text": "LIONTAIL (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 15:47:41 UTC\r\nwin.liontail (Back to overview)\r\nLIONTAIL\r\nActor(s): Scarred Manticore\r\nThere is no description at this point.\r\nReferences\r\n2023-10-31 ⋅ Check Point Research ⋅ Check Point Research\r\nFrom Albania to the Middle East: The Scarred Manticore is Listening\r\nTunna LIONTAIL Scarred Manticore\r\n2023-06-07 ⋅ darksys0x ⋅ darksys0x\r\nAnalysis and Reversing of srvnet2.sys\r\nLIONTAIL\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.liontail\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.liontail\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.liontail"
	],
	"report_names": [
		"win.liontail"
	],
	"threat_actors": [
		{
			"id": "9df96153-0450-4cbb-8a13-b737f16394ef",
			"created_at": "2023-11-03T02:00:07.788769Z",
			"updated_at": "2026-04-10T02:00:03.382078Z",
			"deleted_at": null,
			"main_name": "Scarred Manticore",
			"aliases": [],
			"source_name": "MISPGALAXY:Scarred Manticore",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434252,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4140ef3f589839a3a0a99d46599c44122f36ca0b.pdf",
		"text": "https://archive.orkl.eu/4140ef3f589839a3a0a99d46599c44122f36ca0b.txt",
		"img": "https://archive.orkl.eu/4140ef3f589839a3a0a99d46599c44122f36ca0b.jpg"
	}
}