{
	"id": "344dfc5c-8875-4dfa-ad67-6ed3baac30c0",
	"created_at": "2026-04-06T00:18:48.651723Z",
	"updated_at": "2026-04-10T03:38:01.726844Z",
	"deleted_at": null,
	"sha1_hash": "421de2fc96be8d420e5b3057dc5767d807f355f1",
	"title": "Government-backed actors exploiting WinRAR vulnerability",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57115,
	"plain_text": "Government-backed actors exploiting WinRAR vulnerability\r\nBy Kate Morgan\r\nPublished: 2023-10-18 · Archived: 2026-04-02 12:01:41 UTC\r\nIn recent weeks, Google’s Threat Analysis Group (TAG) has observed multiple government-backed hacking\r\ngroups exploiting the known vulnerability, CVE-2023-38831, in WinRAR, which is a popular file archiver tool for\r\nWindows. Cybercrime groups began exploiting the vulnerability in early 2023, when the bug was still unknown to\r\ndefenders. A patch is now available, but many users still seem to be vulnerable. TAG has observed government-backed actors from a number of countries exploiting the WinRAR vulnerability as part of their operations.\r\nTo ensure protection, we urge organizations and users to keep software fully up-to-date and to install security\r\nupdates as soon as they become available. After a vulnerability has been patched, malicious actors will continue to\r\nrely on n-days and use slow patching rates to their advantage. We also recommend using Google’s Safe Browsing\r\nand Gmail, which block files containing the exploit.\r\nPatch and proof-of-concept\r\nIn August 2023, RARLabs released an updated version of WinRAR that included fixes for several security-related\r\nbugs. One of those bugs, later assigned CVE-2023-38831, is a logical vulnerability within WinRAR causing\r\nextraneous temporary file expansion when processing crafted archives, combined with a quirk in the\r\nimplementation of Windows’ ShellExecute when attempting to open a file with an extension containing spaces.\r\nThe vulnerability allows attackers to execute arbitrary code when a user attempts to view a benign file (such as an\r\nordinary PNG file) within a ZIP archive.\r\nAs detailed in a blog post from Group-IB, the vulnerability had been exploited as a 0-day in the wild by cybercrime actors since at least April 2023 for campaigns targeting financial traders to deliver various commodity malware\r\nfamilies. 
Hours after the blog post was released, proofs of concept and exploit generators were uploaded to public\r\nGitHub repositories. Shortly after that, TAG began to observe testing activity from both financially motivated and\r\nAPT actors experimenting with CVE-2023-38831.\r\nVulnerability\r\nConsider the following archive structure:\r\nWhen a user double-clicks on a benign “poc.png_” (underscore is used to indicate a space) from WinRAR’s user\r\ninterface, WinRAR prior to 6.23 will instead execute “poc.png_/poc.png_.cmd”.\r\nAfter a user double-clicks on a file, WinRAR attempts to determine which files need to be temporarily expanded\r\nby iterating through all archive entries. However, due to the way the matching is made, if a directory is found with\r\nthe same name as the selected entry, both the selected file and the files inside the matched directory are extracted to\r\nthe root of a random temporary directory.\r\nhttps://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/\r\nPage 1 of 4\n\nThe pseudocode below shows WinRAR’s extraction logic and whether an archive entry should be extracted:\r\nWhen writing the contents of the files, WinRAR performs path normalization that removes appended spaces, because\r\nWindows doesn’t allow files with trailing spaces.\r\nFinally, WinRAR calls ShellExecuteExW, passing the non-normalized path with a trailing space “%TEMP%\\\r\n{random_directory}\\poc.png_” to run the user-selected file. Internally, ShellExecute attempts to identify the file\r\nextension by calling “shell32!PathFindExtension”, which fails because extensions with spaces are considered\r\ninvalid. 
Instead of bailing out, ShellExecute proceeds to call “shell32!ApplyDefaultExts”, which iterates through\r\nall files in a directory, finding and executing the first file with an extension matching any of the hardcoded ones:\r\n“.pif, .com, .exe, .bat, .lnk, .cmd”.\r\nNote that while most samples exploiting CVE-2023-38831 use an archive entry with a trailing space, it is not a\r\nrequirement, and a space in any position in the file extension is sufficient to trigger the bug (e.g. an entry named\r\n“poc.invalid_ext” will also cause the “shell32!ApplyDefaultExts” code path to be taken).\r\nThis quirk in ShellExecute, causing the default extension search logic to be applied when attempting to open a file\r\nwith an extension containing spaces, is what causes “poc.png_.cmd” to be selected and inadvertently run, even\r\nthough it was not the file the user originally double-clicked on.\r\nCampaigns\r\nFROZENBARENTS impersonates Ukrainian drone training school to deliver Rhadamanthys\r\ninfostealer\r\nIn a blog post earlier this year, TAG reported on FROZENBARENTS (aka SANDWORM) targeting the energy\r\nsector and continuing hack \u0026 leak operations. The group, attributed to the Russian Armed Forces’ Main Directorate of\r\nthe General Staff (GRU) Unit 74455, on September 6th launched an email campaign impersonating a Ukrainian\r\ndrone warfare training school.\r\nUsing a lure themed as an invitation to join the school, the email contained a link to an anonymous file-sharing\r\nservice, fex[.]net, which delivered a benign decoy PDF document with a drone operator training curriculum and a\r\nmalicious ZIP file exploiting CVE-2023-38831 titled “Навчальна-програма-Оператори.zip” (Training program\r\noperators).\r\n“Training of drone operators” decoy document from FROZENBARENTS campaign\r\nThe payload, found in “Навчальна-програма-Оператори.pdf /Навчальна-програма-Оператори.pdf_.bat”, was a\r\npacked Rhadamanthys infostealer. 
Rhadamanthys is a commodity infostealer that is able to collect and exfiltrate\r\nbrowser credentials and session information, among other things. It operates on a subscription-based model and\r\ncan be rented out for as low as $250 for 30 days. Usage of commercially available infostealers, which are typically\r\nemployed by cybercrime actors, is atypical of FROZENBARENTS.\r\nFROZENLAKE spear-phishing campaign targeting Ukrainian government organizations hosted\r\non API endpoint testing services\r\nOn September 4th, CERT-UA posted about FROZENLAKE (aka APT28), a group attributed to the Russian GRU,\r\nusing CVE-2023-38831 to deliver malware targeting energy infrastructure. TAG observed that FROZENLAKE\r\nused a free hosting provider to serve CVE-2023-38831 to target users in Ukraine. The initial page redirected users\r\nto a mockbin site to perform browser checks and redirect to the next stage, which would ensure the visitor was\r\ncoming from an IPv4 address in Ukraine and would prompt the user to download a file containing a CVE-2023-38831\r\nexploit. The decoy document was an event invitation from Razumkov Centre, a public policy think tank in\r\nUkraine.\r\nFROZENLAKE decoy document impersonating a Ukrainian public policy think tank\r\nFROZENLAKE using IRONJAW with reverse SSH shell\r\nA sample with the filename “IOC_09_11.rar”\r\n(072afea7cae714b44c24c16308da0ef0e5aab36b7a601b310d12f8b925f359e7) was uploaded to VirusTotal on\r\nSeptember 11th. The sample exploits CVE-2023-38831 to drop a BAT file which opens a decoy PDF file,\r\ncreates a reverse SSH shell to an attacker-controlled IP address, and executes the IRONJAW script using PowerShell.\r\nIRONJAW is a small PowerShell script that steals browser login data and local state directories, exfiltrating them\r\nto a C2 on “http://webhook[.]site/e2831741-d8c8-4971-9464-e52d34f9d611”. 
IRONJAW was first observed being\r\ndistributed via ISO files hosted on free hosting providers in late July through early August and was attributed to\r\nFROZENLAKE. The additional delivery of IRONJAW via exploitation of CVE-2023-38831 and the reverse SSH\r\ntunnel were new additions to the typical FROZENLAKE toolkit.\r\nISLANDDREAMS delivering BOXRAT in campaign targeting Papua New Guinea\r\nTAG has also observed government-backed groups linked to China exploiting CVE-2023-38831. In late August,\r\nISLANDDREAMS (aka APT40) launched a phishing campaign targeting Papua New Guinea. The phishing\r\nemails included a Dropbox link to a ZIP archive containing the CVE-2023-38831 exploit, a password-protected\r\ndecoy PDF, and an LNK file.\r\nDecoy PDF used in ISLANDDREAMS campaign\r\nThe next-stage payload, ISLANDSTAGER, is either an XOR-encoded DLL found at a hardcoded offset inside\r\nthe LNK, or downloaded from a hardcoded URL of a file-sharing service.\r\nISLANDSTAGER is then executed by starting a legitimate “ImagingDevices.exe” process, which sideloads a malicious\r\n“STI.dll” from “%ProgramData%\\Microsoft\\DeviceSync\\”. ISLANDSTAGER configures persistence by adding\r\n“ImagingDevices.exe” to the “CurrentVersion\\Run” registry key. It then decodes several layers of shellcode, the last\r\nof which, generated using Donut, loads and executes the final payload, BOXRAT, in memory. BOXRAT is a\r\n.NET backdoor that uses the Dropbox API as a C2 mechanism.\r\nConclusion\r\nThe widespread exploitation of the WinRAR bug highlights that exploits for known vulnerabilities can be highly\r\neffective, despite a patch being available. Even the most sophisticated attackers will only do what is necessary to\r\naccomplish their goals. 
These recent campaigns exploiting the WinRAR bug underscore the importance of\r\npatching and that there is still work to be done to make it easy for users to keep their software secure and up-to-date. TAG will continue to compile and share threat intelligence for the protection of online users and Google\r\nproducts; in the meantime, we encourage organizations and users to keep their software fully up-to-date.\r\nIndicators of compromise (IoCs)\r\nSource: https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/"
	],
	"report_names": [
		"government-backed-actors-exploiting-winrar-vulnerability"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434728,
	"ts_updated_at": 1775792281,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/421de2fc96be8d420e5b3057dc5767d807f355f1.pdf",
		"text": "https://archive.orkl.eu/421de2fc96be8d420e5b3057dc5767d807f355f1.txt",
		"img": "https://archive.orkl.eu/421de2fc96be8d420e5b3057dc5767d807f355f1.jpg"
	}
}