{
	"id": "ef2113dc-d5b8-4bc9-aeb9-9640f4a1991b",
	"created_at": "2026-04-06T02:11:01.919847Z",
	"updated_at": "2026-04-10T03:32:45.912718Z",
	"deleted_at": null,
	"sha1_hash": "41f7abba01e39b697cbc70a78907681cf5cf4e40",
	"title": "FluBot’s Authors Employ Creative and Sophisticated Techniques to Achieve Their Goals in Version 5.0 and Beyond",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 16980271,
	"plain_text": "FluBot’s Authors Employ Creative and Sophisticated Techniques to Achieve Their Goals in Version 5.0 and Beyond\r\nBy F5 Labs\r\nThreats\r\nArchived: 2026-04-06 01:35:14 UTC\r\nIntroduction\r\nIn early 2020, a new sophisticated malware for Android called FluBot began to appear. On infected devices, the malware can take full remote control of the device; access the victim’s contact lists; send, intercept, and hide SMS messages; log the victim’s keystrokes; steal one-time passcodes; collect personal information; carry out overlay attacks; and more. Originally, the malware authors mainly targeted Spanish banks but later expanded their targets to include Australian, German, Polish, and UK banks (HSBC, Santander, Lloyds, Halifax, and others).\r\nThe figure below shows an example of the command and control (C2) panel, which contains detailed statistics about victims’ devices.\r\nHow FluBot Works\r\nFluBot spreads in several ways, often via SMS messages that include a link to track a parcel by a delivery company.\r\nhttps://www.f5.com/labs/articles/threat-intelligence/flubots-authors-employ-creative-and-sophisticated-techniques-to-achieve-their-goals-in-version-50-and-beyond\r\nPage 1 of 29\r\nSometimes it looks like an SMS voicemail notification, as shown in the Virgin Mobile example below. To hear the message, the user must click an embedded link that goes to a malicious page found on vulnerable WordPress websites.\r\nIn other cases, the link goes to a lure page hosted on a compromised web server where the victim is prompted to install a malicious application on their mobile device.\r\nFluBot’s Abuse of Android’s Accessibility Service\r\nFluBot isn’t the first Android malware to abuse Android's Accessibility Service. FluBot appears to have many of the main features of other contemporary Android banking malware:\r\nFull remote control of an Android device\r\nOverlay attacks against multiple bank applications to steal login credentials and credit card information (see overlay images below for HSBC and Halifax)\r\nSend/intercept/hide SMS messages and notifications\r\nEnabling key logging (screen text-grabbing) functionality\r\nAbility to steal one-time password codes\r\nFluBot overlays for HSBC and Halifax\r\nHow FluBot Infects Devices\r\nThe following example shows how FluBot can spread from one infected device to countless others using an initial victim’s contact list.\r\n1. The victim receives an SMS message that includes a link to a malicious URL.\r\n2. The victim clicks the link and is prompted to install an app.\r\n3. The victim downloads and opens the malicious app that installs FluBot.\r\n4. FluBot accesses the victim’s contact list and uploads it to the C2 server.\r\n5. FluBot downloads a list of new contacts to target.\r\n6. FluBot sends SMS messages to the new list of target contacts, thus propagating FluBot.\r\nKey Points\r\nThis section includes details of the main functionality of FluBot and reviews some of the interesting commands FluBot uses in version 5.0 and version 4.9.\r\nStatic Analysis\r\nFluBot uses a number of sophisticated techniques to make it difficult for researchers and security solutions to achieve their goals.\r\nTo complicate static analysis, the malware implements many techniques, several of which are described next.\r\nString Encryption\r\nAny significant strings in the malware are encrypted using a custom encryption scheme. Each class contains a function named “ that is responsible for encrypting suspicious strings within the class. It uses XOR encryption and utilizes a pre-defined list of hex numbers that is unique to each class. This list contains the encrypted strings. Subtracting the first two arguments gives the length of the string; the first argument is the offset into the pre-defined list and arg6 is the XOR key. (A tool for extracting the strings can be downloaded here.)\r\nMultiDex\r\nIn Android there are limitations on DEX files. For example, you can’t reference more than 64KB of methods within a single DEX file. To overcome this limitation, the developer can set the compiler to split the DEX file into smaller DEX files and then use MultiDex to load those additional DEX files into the app.\r\nMultiDex is a popular and valid Android module that is used to support multiple DEX files.\r\nFluBot uses an implementation of MultiDex to hide its malicious code from static analyzers and reversers. It uses a hard-coded configuration that contains the location of the encrypted dex, the location of the decrypted dex, their corresponding name, suffix, and folder, as well as a key for decryption represented as a string.\r\nAn encrypted DEX file is stored in the APK’s assets, decrypted, stored as a classes.dex file, archived in a Zip file, and loaded at runtime.\r\nAfter loading the DEX file, the malware deletes it from the file system to avoid leaving artifacts. (On some variants it does not get deleted.)\r\nDEX Decryption\r\nFluBot uses an encrypted dex file in the assets, which then gets decrypted and loaded to perform its malicious activity. (An extractor tool can be downloaded here.) The encrypted file is a DEX file that has been zlib-compressed, XOR-encrypted, and zlib-compressed again.\r\nTo decrypt the DEX file the malware does the following:\r\n1. Retrieves a decryption key from the config class. The decryption key is then split into bytes, and specific bytes are used during the decryption.\r\n2. Reads the encrypted file in chunks of 8,192 bytes using InflaterInputStream to get the zlib-decompressed data as the first stage.\r\n3. A custom decryption is applied to the first-stage data using bitwise operations.\r\n4. After decryption, the data is zlib-compressed data again. The malware uses InflaterOutputStream to decompress it (for a second time) and output the DEX file to the filesystem as a ZIP file using ZipOutputStream (in chunks of 8,192 bytes).\r\n5. The decryption key, locations, and names are retrieved from a static config class. Its strings are encrypted with a simple 0x6033 XOR.\r\nString Decryption\r\nDGA: Version 5.2\r\nIn version 5.2 a new command, UPDATE_ALT_SEED, is introduced. It enables the attackers to change the DGA (domain generation algorithm) seed remotely. Once such a command is dispatched, FluBot stores the updated seed inside the shared preferences under the “g” key.\r\nThe added feature can be seen in this function, which is responsible for domain generation:\r\nIn the new version, FluBot uses 30 TLDs compared to only 3 TLDs in earlier versions.\r\nDGA: Prior to Version 5.2\r\nFluBot uses a Domain Generation Algorithm to find and communicate with the C2 server. The DGA seed is based on the current month and year.\r\nA domain list is then generated based on the DGA seed and one of three TLDs is appended: .ru, .su or .cn.\r\nFluBot tries to resolve the domains in the DGA domain list. If it successfully resolves one of them, it stores the domain inside the shared preferences under the “f” key.\r\nThe following function is responsible for domain generation:\r\nIt stores the resolved DGA domain in the “f” key:\r\nGet Language and Set Texts, Toasts, and Phone Country Prefix Accordingly\r\nThe malware gets the victim’s region from the device’s language and sets the texts and toasts of the app accordingly. It also sets the country phone prefixes for SMS propagation.\r\nIf the device’s language is from any of these countries, the application won’t open.\r\nLanguage list:\r\nDNS Tunneling over HTTPS: Updated in Version 5.0\r\nIn version 4.9, FluBot resolved the IP addresses of the DGA domains and communicated directly with the server using HTTPS port 443. In FluBot version 5.0, the authors completely changed the way the malware communicates with the C2 server. In version 5.0 (and on some late builds of version 4.9), it communicates with the C2 through DNS Tunneling over HTTPS. Here’s how it works:\r\n1. The attacker sets up a nameserver that will act as a C2 server and receive and send data through the DNS protocol.\r\n2. FluBot uses DNS resolving providers such as Google, Cloudflare, and Alibaba to infiltrate and exfiltrate the data to the C2 server.\r\n3. FluBot does not need to find the C2 IP address, as it is not needed. The DNS provider will route the DNS request to the attacker’s nameserver, which responds using a TXT DNS response.\r\n4. Every message is Base32-encoded and consists of:\r\nbot-id (random UUID)\r\nexternal device IP\r\nencrypted payload (see next bullet)\r\n5. The encrypted payload consists of:\r\n2 bytes – size of header\r\nHeader - Base64-encoded RSA-encrypted string containing:\r\nbot-id\r\nRC4 key\r\nRC4-encrypted payload (commands, logging, etc.)\r\n6. The Base32-encoded message is then split into chunks of 231-HostNameLength bytes, which are sent separately to the DNS resolvers. Each request splits the Base32-encoded data into subdomains 63 bytes long.\r\nAn example of requests and responses from the C2 using DNS providers. This is an entire message sent in a fragmented, dotted way.\r\nThe C2 Request:\r\n“fa9fc670” is the message ID\r\nFirst integer is the request number\r\nSecond integer states if it’s the last request for the message ID\r\nAll subdomains up until the hostname are the Base32 message\r\nThe C2 Response looks the same but without the message ID:\r\nFirst integer is the request number\r\nSecond integer states if it’s the last response for the message ID\r\nThe rest is a Base64-encoded RC4-encrypted response\r\nTo decrypt a message, concatenate every Base32 data chunk, without dots, for a single message ID. The result will be bot-id (random UUID) + external device IP address in plain text, followed by the encrypted payload.\r\nDNS Resolving over HTTPS: in Versions Prior to 5.0\r\nIn versions prior to 5.0, FluBot tries to resolve the generated DGA domains using a DNS-over-HTTPS technique. It uses the common APIs of Google, Cloudflare, and Alibaba.\r\nThe malware randomly picks one of the resolvers and retrieves the C2 IP address.\r\nError Logging\r\nAny uncaught errors that occur in the application will be logged to the C2. The main purpose is to help the attackers fix and improve the malware’s code in later versions.\r\nEncrypted Communication via HTTP using RSA+RC4 Encryption\r\nIn versions previous to 5.0, communication with the C2 is encrypted with RSA + RC4.\r\nEach sent and received message starts with a header that contains bot id + RC4 key, which is then RSA-encrypted with a hard-coded public key and Base64 encoded. Then the payload\\command is RC4-encrypted with the RC4 key in the header.\r\nThe C2 also responds with the same header, which gets verified by the malware to make sure the C2 received the header correctly, and with the Base64-encoded RC4-encrypted command\\data.\r\nThe communication is done over HTTP and sent to http://{dga}/p.php.\r\nShared Preferences\r\nFluBot stores its configuration in Shared Preferences. Keys d and e are new in version 5.0. Key g is new in version 5.2.\r\nKey: Description\r\na: Bot ID\r\nb: Default SMS package\r\nc: Disable notification interception\r\nd: Device’s external IP (new in version 5.0)\r\ne: DNS Resolvers (new in version 5.0)\r\nf: DGA Host\r\ng: DGA Seed (new in version 5.2)\r\nPackageName.hashCode(): Per-package inject payload\r\nFluBot Commands\r\nFluBot authors continue to use sophisticated commands as the malware evolves.\r\nUPDATE_DNS_SERVERS: New in Version 5.0\r\nA new command featured in version 5.0 allows FluBot to update the DNS resolvers in the malware’s configuration. The C2 communication in version 5.0 is done through a DNS-Tunneling-over-HTTPS technique. This feature enables the attacker to switch DNS resolvers once a resolver puts the attacker’s nameservers on its denylist.\r\nUPDATE_ALT_SEED\r\nNew in version 5.2, this command allows the attacker to update the DGA seed remotely.\r\nNOTIF_INT_TOGGLE - Notification Interception\r\nFluBot has the ability to log and intercept any notification the phone receives. This is primarily used to steal one-time passcodes and sensitive information.\r\nGET_SMS: Propagation Through SMS\r\nThis command retrieves a list of phone numbers and their corresponding lure messages for propagation purposes. It will not send an SMS if the phone number is already in the victim’s contact list. It adds the phone number to the blocked contacts list along with the country prefix according to the device’s locale. This will block any return calls or messages from the phished victim.\r\nGET_SMS: Propagation Through SMS, Version 5.2\r\nVersion 5.2 of FluBot allows sending longer SMS messages using the sendMultipartTextMessage and divideMessage functions.\r\nExample: send phishing SMS messages to phone numbers in the US (Smishing).\r\nRELOAD_INJECTS: Injections and Overlays\r\nFluBot sends the victim’s list of installed applications to the C2 with the GET_INJECTS_LIST command. The C2 responds with a list of applications that have a configured inject\\overlay (read more about this technique). For every application in that list, a GET_INJECT command is sent and the C2 responds with the inject\\overlay content.\r\nVictim’s application list iteration:\r\nShow a WebView overlay if a package with a configured inject is in the foreground:\r\nIn versions 5.0 and later, the injects are wrapped with \u003c--RF--\u003e.\r\nUPLOAD_SMS: SMS Logging\r\nFluBot iterates the victim’s SMS inbox and sends all information to the C2 by dispatching a LOG,SMS_LIST command. This includes the phone address, body, date and time of submission, and type.\r\nSMS_INT_TOGGLE: SMS Interception\r\nFluBot can intercept and hide new SMS messages. The main purpose of this feature is to hijack one-time passcodes sent to a victim’s phone.\r\nGET_CONTACTS: Contact List Logging\r\nFluBot iterates the victim’s contact list and sends all information to the C2. This includes names and phone numbers.\r\nDISABLE_PLAY_PROTECT\r\nFluBot uses Android’s Accessibility Service to disable Google Play Protect, a safety check mechanism for applications installed on a device. The malware starts an intent that redirects to the Google Play Protect settings page and then clicks on the necessary buttons to disable it.\r\nRun USSD: Recharge Using Phone Call\r\nFluBot has the capability of calling on demand. This enables the attacker to transfer funds by calling USSD services such as pay-through-phone.\r\nDisable Battery Optimization\r\nThis command is used to disable any forced app sleep in the background by Android so that FluBot stays active while the phone sleeps.\r\nKeylogger/Screen Grabber\r\nThis command enables attackers to grab text on the screen (key logging) using the Accessibility Service.\r\nUNINSTALL_APP\r\nFluBot has the ability to uninstall an app on demand. It sends an action.DELETE intent with the package name to uninstall. The intent will open the package installer. The Accessibility Service waits for the package installer to be in the foreground so it can click on the uninstall button.\r\nOPEN_URL: Opens a URL on the Device\r\nFluBot can open a URL on demand by simply starting an action.VIEW intent. The C2 will send an OPEN_URL command with the URL to open on the victim’s device. These URLs can be advertisements that pay the attacker, a website with a known XSS to steal the user’s data, a WebView-based exploit, etc.\r\nSEND_SMS: Sends SMS Messages on Demand\r\nFluBot can get a list of SMS payloads and numbers from the user, transfer them to the C2, and then send SMS messages to new victims. This helps to further propagate the malware through spear-phishing attacks.\r\nCommand Handler\r\nThis function is responsible for dispatching the commands retrieved from the C2. The figure below shows the main functionalities and capabilities of FluBot versions 4.9 through 5.2.\r\nCapabilities in FluBot versions 4.9, 5.0, 5.1, and 5.2\r\nCapabilities in FluBot version 5.0 and above\r\nCapabilities in FluBot version 5.2\r\nMitigating FluBot\r\nDavid Warburton, principal threat research evangelist with F5 Labs, offers the following suggestions for mitigating FluBot.\r\nPrevent\r\nFluBot relies on tricking the user into downloading a trojan hosted on an attacker-controlled server. Android phones will, by default, prevent installation from outside of the Google Play store, though attackers know this and coach the victim into bypassing this restriction. A combined approach, using people and technology, should be taken to mitigate installation of apps from untrusted sources.\r\nFirst, educate staff members and/or customers that they should rarely, if ever, install Android apps from outside of the Google Play store. They should understand that any message asking them to bypass security for the benefit of installing an app should not be trusted.\r\nSecondly, if managed corporate mobile devices are in use by employees, consider mobile device management (MDM) solutions, which can lock down the ability to install apps from outside of the Google Play store.\r\nIt is worth noting that since FluBot is able to capture SMS messages and grab images from the screen, multifactor authentication (MFA) solutions may not prevent the abuse of stolen credentials, since one-time passwords can be stolen from the SMS message or viewed on the victim’s screen. MFA solutions which, instead, make use of push notifications to approve login attempts may have some more success in preventing abuse, but since FluBot is able to control an Android device using the Accessibility Service, this method may also be inadequate.\r\nDetect\r\nPreventing infection by this kind of trojan can be difficult, if not impossible, for non-corporate or unmanaged devices. It’s therefore critical to be able to identify when stolen credentials are being used by fraudsters and, additionally, detect when automated bots are launching attacks.\r\nModern application security solutions offer the ability to detect authentication abuse, including credential stuffing (/content/f5-labs-v2/en/archive-pages/education/what-is-credential-stuffing-.html) attacks. Unlike password brute forcing, which can be trivial to mitigate, credential stuffing can be difficult to detect since malicious requests appear quite genuine in nature. Effective solutions should be able to match a supplied password against a list of known stolen credentials and combine this with the ability to detect when requests come from compromised devices that may be part of a botnet.\r\nIdentify\r\nWith the ability to fully control the victim’s device and hide incoming SMS messages, it is essential that out-of-band methods are used to alert victims to activity on their account. Using, for example, email to alert the user of a new login or suspicious transaction may be the only way to reliably inform them of malicious activity on their account.\r\nSource: https://www.f5.com/labs/articles/threat-intelligence/flubots-authors-employ-creative-and-sophisticated-techniques-to-achieve-their-goals-in-version-50-and-beyond",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.f5.com/labs/articles/threat-intelligence/flubots-authors-employ-creative-and-sophisticated-techniques-to-achieve-their-goals-in-version-50-and-beyond"
	],
	"report_names": [
		"flubots-authors-employ-creative-and-sophisticated-techniques-to-achieve-their-goals-in-version-50-and-beyond"
	],
	"threat_actors": [
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775441461,
	"ts_updated_at": 1775791965,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/41f7abba01e39b697cbc70a78907681cf5cf4e40.pdf",
		"text": "https://archive.orkl.eu/41f7abba01e39b697cbc70a78907681cf5cf4e40.txt",
		"img": "https://archive.orkl.eu/41f7abba01e39b697cbc70a78907681cf5cf4e40.jpg"
	}
}