{
	"id": "26eea914-7469-4656-b93e-9ca889d8cbd3",
	"created_at": "2026-04-06T00:09:09.127026Z",
	"updated_at": "2026-04-10T03:37:54.331269Z",
	"deleted_at": null,
	"sha1_hash": "436af4e7eecd2267f8eabe8460562ff0d6ee7fd1",
	"title": "What even is Winnti? - Risky Business Media",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60325,
	"plain_text": "What even is Winnti? - Risky Business Media\r\nBy Daniel Gordon\r\nArchived: 2026-04-05 18:05:17 UTC\r\nThanks largely to inconsistent methodologies, poor clustering, and lack of collaboration, the word ‘Winnti’ has gradually been rendered meaningless.\r\nWe first heard the word ‘Winnti’ used to describe some specific attributes or actions: a malware family, stolen code signing certificates, rootkits, malware associated with suspected Chinese hacking, links to some specific Chinese personas (using hacker handles that spoke Chinese and claimed to live in China), and some specific targeting.\r\nSeven years and a dozen studies later, we ended up with a name linked to at least 15 other names, some of which are likely to be separate groups. We’re at the point where Winnti doesn’t clearly represent any particular targeting, tools or techniques and also may not represent a group of people anymore.\r\nIt’s worth exploring how we got to this point to avoid repeating the same mistakes.\r\nOrigins\r\nWinnti was named as a group in a 2013 blog by Kaspersky. The blog’s authors named the group based on a malware family previously named by Symantec. This very quickly brings us to lesson one: it’s not advisable to name a group exclusively based on the malware family, especially when the name was coined by another researcher.\r\nKaspersky’s research described intrusions going back to 2010, in which attackers targeted video game companies or used digital code signing certificates stolen from game companies.\r\nKaspersky listed some other notable characteristics in the campaigns it analysed, including unusual infrastructure DNS configurations, some relatively advanced rootkit malware, specific C2 choices and the use of characteristic Chinese malware such as PlugX.\r\nKaspersky discovered activity that generated revenue via creation of in-game currency or theft of source code, as well as targeting of specific ethnic groups that pointed to PRC sponsorship. Kaspersky researchers also picked up on some terrible OPSEC that revealed Chinese personas, further substantiated when some of the same handles showed up in a 2018 US Department of Justice indictment that pinned the theft of aerospace IP on the Jiangsu Province Ministry of State Security.\r\nA year later FireEye published a report about how Chinese groups appeared to be sharing malware development, digital code signing certificates, and infrastructure. The company referenced some of the stolen digital certificates from Kaspersky’s prior research but didn’t at this stage name Winnti as a group.\r\nhttps://risky.biz/whatiswinnti/\r\nPage 1 of 4\r\nBy mid-2015, Kaspersky linked Winnti malware to other research on the Axiom Group (which may or may not be the same group). Axiom had been tied to a lot of intrusions, but most critically, its fingerprints were identified in the CCleaner, Netsarang, and ASUS software supply chain attacks. Kaspersky used similarities between malware used in these attacks and those previously attributed to ‘Winnti’ to illustrate that the latter was targeting a broader set of organisations than gaming companies. While these findings were important, attribution based on malware similarity alone is risky, especially when there is an existing body of research about malware being shared among different groups.\r\nIn 2016, Symantec published a blog about digital signing certificate abuse that is pertinent to the Winnti story. It referenced Kaspersky’s earlier findings but didn’t name it, describing it only as “a third party vendor”. Here’s another lesson: in any other field of research you would credit primary sources, even if you don’t especially like them. It puts recognition where it’s due, fosters collaboration and reduces the risk of “semantic drift” – where over time the definition of something loses connection to its original meaning.\r\nTo their credit, Symantec researchers tried to correct the course a little on their previous work - using the blog post to differentiate a group it referred to as Blackfly from the malware family Winnti. Unfortunately, Symantec’s more cautious approach to naming conventions never caught on elsewhere.\r\nNot content to let a chance pass by to participate in the Winnti goat rodeo, Cylance posted a blog in 2016 about PassCV activity (“PassCV” is a name coined by Blue Coat) and linked this activity to Winnti based on stolen code signing certificates. The post is light on malware analysis but mentions the use of several remote access trojans, ZXShell and Gh0st, in passing. Gh0st RAT has been used by multiple Chinese and North Korean groups. ZXShell was a RAT commonly associated with Group72, which on the one hand also seems to correspond to Axiom/Winnti activity, but on the other, appears tied to APT27/Emissary Panda.\r\nWith the benefit of time on its side, Microsoft came up with the most sane approach, breaking down the groups using Winnti malware into BARIUM and LEAD. BARIUM targets “electronic gaming, multimedia, and internet content industries” as well as the occasional tech company, while LEAD is responsible for industrial espionage against manufacturing, pharmaceutical, engineering companies and academia. The tradecraft of the two groups could be distinguished at this point: BARIUM would attempt to establish rapport via social media and made use of malicious office macros, compiled HTML (.chm) files or shortcut (.lnk) files as first stages, while LEAD tended to just email the Winnti install package to victims or brute force credentials on a server and copy down the Winnti malware.\r\nBut in an April 2017 blog, Trend Micro bound the activity together again, describing “Winnti” as a criminal group that made fake antivirus engines in 2007 and shifted focus to hacking video game companies in 2009. Trend made these conclusions based on domain name registrations. This is another dangerous assumption.\r\nProtectWise’s 401 Threat Research Group posted a couple of blogs about the “Winnti group” a few months later in July 2017, revealing the group’s use of open source tools including Metasploit, BeEF, and Cobalt Strike. Both blogs were later updated to make clear that they were talking specifically about the LEAD group labeled by Microsoft. The 401TRG reports included some side-eye inducing conclusions. First, they included high confidence attribution to China. “High confidence” is usually reserved for governments that watch events happen over hacked closed circuit TVs - whereas these reports predated any indictments. Second, the researchers didn’t provide a full explanation of how they were able to attribute activity to Winnti other than via stolen signing certificates. They did, on the positive side, show evidence of research - including a blog that summarises the public research various parties had done on the group so far.\r\nIn 2019, ESET attributed a software supply chain attack via Thai video games and a gaming platform to a group called “Winnti”, as well as compromises of universities in Hong Kong. In a 2019 summary of all of this activity, ESET concluded that Axiom Group and “Winnti” are synonymous.\r\nThat same year – five years after its blog about supply chain overlap between Chinese groups – FireEye designated APT41 to be a China-based actor group responsible for a subset of “Winnti” activity. APT41 was described as a “dual espionage and cyber crime operation”, conducting everything from espionage, targeting of activists, financially-motivated activity, and both the ASUS and Netsarang supply chain attacks. FireEye leaned on analysis of the operatives’ working hours to speculate that it was a group of state-sponsored contractors that also do side-gigs to make more money. FireEye bundled into that designation previous activity it identified under the name GREF and the use of stolen digital signing certificates, and mentioned that APT41 shared malware with seven other suspected Chinese groups, including China Chopper and Sogu. It didn’t link it to APT27/Emissary Panda activity.\r\nIn 2020, Cylance, now owned by Blackberry, updated the public on its view – describing activity that used a Linux rootkit and shared links to Android malware. This time around the Cylance analysis put more effort into differentiating activity based on targeting, while acknowledging the malware was being shared between various groups.\r\nThis year, FireEye also published a blog concluding that APT41 went after many different kinds of victims using Citrix, Cisco and Zoho ManageEngine vulnerabilities. It again mentioned the use of open source tools and living off the land techniques such as Metasploit, BITSjobs, and Cobalt Strike.\r\nWe continue to see the name ‘Winnti’ routinely mentioned in numerous news reports. But what even is Winnti at this point?\r\nWhat have we learned from “Winnti”?\r\nThe name ‘Winnti’ has been diluted to the point where it’s no longer useful. I understand the benefits of using threat intelligence reporting as a form of marketing, but it’s still research, and should be treated accordingly.\r\nWhen relating activity to an existing group, talk to the originator about their understanding to avoid hijacking the name.\r\nWhen your cluster diverges from the originator’s, use your own group name and explain how and why it diverges. Great reports often express confidence levels, talk about why links are significant, and show how different data can lead to different analysis. Using your own group name can also help keep other researchers from dumping their analysis, good or bad, into your activity bucket without you having a say in the matter. We should prioritise the quality of our research over the clicks and hype from using a recognisable group name.\r\nDon’t be afraid to make updates to published research or retract them under extreme circumstances. It’s better to have integrity and temporary embarrassment than have your organisation’s name be associated with bad attribution for eternity.\r\nI’ve made all the mistakes. And I’ve learned from them. Admitting to and learning from mistakes is part of the journey to good analysis. Sometimes good research requires asking other researchers for explanations or collaborating.\r\nResearchers should lean on better-defined actor names like LEAD and BARIUM or stick to names of their own devising to avoid creating more confusion. And in case I’ve left any room for doubt about what we should do with the name ‘Winnti’, here’s my suggestion.\r\nDaniel Gordon is a CTI analyst in the defence sector.\r\nSource: https://risky.biz/whatiswinnti/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://risky.biz/whatiswinnti/"
	],
	"report_names": [
		"whatiswinnti"
	],
	"threat_actors": [
		{
			"id": "cea5ceec-0f14-4e34-bd0e-4074bc1a707d",
			"created_at": "2022-10-25T15:50:23.629983Z",
			"updated_at": "2026-04-10T02:00:05.362084Z",
			"deleted_at": null,
			"main_name": "Axiom",
			"aliases": [
				"Group 72"
			],
			"source_name": "MITRE:Axiom",
			"tools": [
				"ZxShell",
				"gh0st RAT",
				"Zox",
				"PlugX",
				"Hikit",
				"PoisonIvy",
				"Derusbi",
				"Hydraq"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e",
			"created_at": "2022-10-25T15:50:23.453824Z",
			"updated_at": "2026-04-10T02:00:05.28793Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"Ke3chang",
				"APT15",
				"Vixen Panda",
				"GREF",
				"Playful Dragon",
				"RoyalAPT",
				"Nylon Typhoon"
			],
			"source_name": "MITRE:Ke3chang",
			"tools": [
				"Okrum",
				"Systeminfo",
				"netstat",
				"spwebmember",
				"Mimikatz",
				"Tasklist",
				"MirageFox",
				"Neoichor",
				"ipconfig"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "27b56f48-7905-4da8-8d87-cea10adb1c6b",
			"created_at": "2022-10-25T16:07:24.044105Z",
			"updated_at": "2026-04-10T02:00:04.848898Z",
			"deleted_at": null,
			"main_name": "PassCV",
			"aliases": [],
			"source_name": "ETDA:PassCV",
			"tools": [
				"Agentemis",
				"AngryRebel",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Excalibur",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kitkiot",
				"Moudour",
				"Mydoor",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"PCRat",
				"RbDoor",
				"Recam",
				"RibDoor",
				"Sabresac",
				"Sensocode",
				"Winnti",
				"ZXShell",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "adfbe698-24b2-41fc-a701-781fef330b16",
			"created_at": "2024-01-09T02:00:04.17648Z",
			"updated_at": "2026-04-10T02:00:03.504826Z",
			"deleted_at": null,
			"main_name": "GREF",
			"aliases": [],
			"source_name": "MISPGALAXY:GREF",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "dda68b4f-a74a-42a0-b883-69c1dc1229a8",
			"created_at": "2023-01-06T13:46:38.528227Z",
			"updated_at": "2026-04-10T02:00:03.013713Z",
			"deleted_at": null,
			"main_name": "PassCV",
			"aliases": [],
			"source_name": "MISPGALAXY:PassCV",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5c74936a-79d1-41b8-81eb-01d03c90a26b",
			"created_at": "2022-10-25T16:07:23.371052Z",
			"updated_at": "2026-04-10T02:00:04.570621Z",
			"deleted_at": null,
			"main_name": "Axiom",
			"aliases": [
				"G0001",
				"Group 72",
				"Operation SMN"
			],
			"source_name": "ETDA:Axiom",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"BleDoor",
				"Chymine",
				"Darkmoon",
				"DeputyDog",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"Poison Ivy",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Roarur",
				"SPIVY",
				"Sensocode",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"ZXShell",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236429ce-6355-43f6-9b58-e6803a1df3f4",
			"created_at": "2026-03-16T02:02:50.60344Z",
			"updated_at": "2026-04-10T02:00:03.641587Z",
			"deleted_at": null,
			"main_name": "Bronze Union",
			"aliases": [
				"Circle Typhoon ",
				"Emissary Panda "
			],
			"source_name": "Secureworks:Bronze Union",
			"tools": [
				"China Chopper",
				"OwaAuth",
				"Sysupdate"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434149,
	"ts_updated_at": 1775792274,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/436af4e7eecd2267f8eabe8460562ff0d6ee7fd1.pdf",
		"text": "https://archive.orkl.eu/436af4e7eecd2267f8eabe8460562ff0d6ee7fd1.txt",
		"img": "https://archive.orkl.eu/436af4e7eecd2267f8eabe8460562ff0d6ee7fd1.jpg"
	}
}