{
	"id": "be9c9881-b259-40d4-a8ec-1db0b659c73c",
	"created_at": "2026-04-06T00:14:55.663618Z",
	"updated_at": "2026-04-10T03:37:40.698653Z",
	"deleted_at": null,
	"sha1_hash": "450a7d52ef6edeb76b2dbfe87643722676c0d05d",
	"title": "How a Fake Podcast Invite Delivers BlackSmith Malware | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1020838,
	"plain_text": "How a Fake Podcast Invite Delivers BlackSmith Malware | Proofpoint US\r\nPublished: 2024-08-15 · Archived: 2026-04-05 13:00:17 UTC\r\nAugust 20, 2024 Joshua Miller, Georgi Mladenov, Andrew Northern, Greg Lesnewich and the Proofpoint Threat Research Team\r\nKey findings\r\nProofpoint identified Iranian threat actor TA453 targeting a prominent religious figure with a fake podcast interview invitation.\r\nThe initial interaction attempted to lure the target into engaging with a benign email to build conversation and trust, so that the target would subsequently click a follow-up malicious link.\r\nThe attack chain attempted to deliver a new malware toolkit called BlackSmith, which delivered a PowerShell trojan dubbed AnvilEcho by Proofpoint.\r\nThe malware, which uses encryption and network communication techniques similar to previously observed TA453 samples, is designed to enable intelligence gathering and exfiltration.\r\nAnvilEcho contains all of TA453’s previously identified malware capabilities in a single PowerShell script rather than the modular approach previously observed.\r\nOverview\r\nStarting 22 July 2024, TA453 contacted multiple email addresses for a prominent Jewish figure while pretending to be the Research Director for the Institute for the Study of War (ISW). The lure purported to invite the target to be a guest on a podcast hosted by ISW. After receiving a response from the target (outside of Proofpoint visibility), TA453 replied with a DocSend URL. The DocSend URL was password protected and led to a text file that contained a URL to the legitimate ISW podcast being impersonated by TA453. It is likely that TA453 was attempting to normalize the target clicking a link and entering a password, so the target would do the same when they delivered malware.\r\nhttps://www.proofpoint.com/us/blog/threat-insight/best-laid-plans-ta453-targets-religious-figure-fake-podcast-invite-delivering\r\nPage 1 of 10\r\nInitial July 2024 approach from TA453.\r\nDocSend contents containing the podcast-themed text.\r\nProofpoint first observed TA453 spoofing the Institute for the Study of War (ISW) in phishing campaigns targeting other organizations starting in February 2024, almost immediately after registering the domain in late January 2024. The theme of spoofing is consistent with broader TA453 phishing activity reported by Google Threat Intelligence Group in August 2024.\r\nTA453 initially sent the fake podcast invitation to the religious figure at multiple email accounts, specifically both the target’s organizational email address and their personal email address. Phishing multiple email addresses associated with a target has been observed from a number of state-aligned threat actors, including TA427.\r\nTA453 continued to establish their legitimacy by sending emails from understandingthewar[.]org and including a TA453-controlled Hotmail account in the email signature.\r\nAfter another reply from the target, TA453 replied with a Google Drive URL leading to a ZIP archive named “Podcast Plan-2024.zip”. The ZIP contained an LNK titled “Podcast Plan 2024.lnk”. The LNK delivered the BlackSmith toolset, which eventually loaded TA453’s AnvilEcho PowerShell trojan.\r\nFake podcast invitation containing a malicious URL.\r\nMalware analysis\r\nOld habits die screaming, and TA453 sticks to its habits. Our analysis of the malware from this TA453 campaign demonstrates that the developers working for TA453 have not given up on using modular PowerShell backdoors. They continue to attempt to evade detection by convoluting the infection chain in order to limit and avoid detection opportunities while collecting intelligence. The toolset observed in this infection chain is likely the successor of GorjolEcho/PowerStar, TAMECURL, MischiefTut, and CharmPower. The first TA453 backdoor was detected by Proofpoint in Fall 2021. Rather than deploy each PowerShell module separately, TA453 attempts to bundle the entire framework into a single large PowerShell script dubbed AnvilEcho by Proofpoint.\r\nTimeline of TA453 malware.\r\nInfection chain\r\nThe LNK is used to smuggle additional files. It hides behind a decoy PDF as an overlay and extracts the contents of the ZIP folder to %TEMP%. The ZIP folder contains Beautifull.jpg, mary.dll, qemus (the encrypted AnvilEcho PowerShell script), soshi.dll, and toni.dll. A PDB path of E:\\FinalStealer\\blacksmith\\blacksmith\\ indicates the developers referred to the multi-component toolset written in C++ as “BlackSmith”. This name was previously used by the TA453 POWERLESS browser stealer module as reported by Volexity. The browser stealer module is one of the capabilities included in the final stage of the BlackSmith malware toolset.\r\nPDF displayed to the user to obfuscate BlackSmith installation.\r\nBlackSmith uses the soshi.dll file as an installer, creating C:\\Users\\Public\\Public Library and then copying mary.dll, qemus, and toni.dll there. If qemus or toni.dll are not available, soshi.dll will download them from d75[.]site, a TA453-controlled storage site. The installer then extracts a file hidden with steganography as a base64 string inside Beautifull.jpg, a PNG file. Again, if the PNG file is not found in the working directory, it is downloaded from d75[.]site. After mary.dll is copied to the install folder, the installer registers toni.dll as a service for persistence.\r\nStage 2, toni.dll, is heavily obfuscated and starts by looking for antivirus installed on the system. If antivirus software is detected, the malware will rewrite the entry point of amsi.AmsiScanBuffer to force AmsiScanBuffer to return an Invalid Argument error when called. The same bypass is done for ntdll.EtwEventWrite. The stager then base64 decodes and AES/ECB decrypts qemus and launches videogui.exe, the PowerShell loader previously hidden in the PNG.\r\nThe next stage, the loader, loads the final stage, AnvilEcho. AnvilEcho is a PowerShell trojan that contains extensive functionality, including capabilities that expand on previous TA453 malware samples. TA453 developers attempted to bundle the previous capabilities of TA453 malware into a single PowerShell script. Previously, TA453 used individual scripts for each function of the malware, typically VBS or PowerShell scripts. Like NokNok, AnvilEcho repeatedly uses the same encryption and network communication functions across capabilities. Our analysis identified this AnvilEcho sample as version 3.2.3.\r\nAnvilEcho starts by using System.Net.ServicePointManager to install a TrustAllCertsPolicy, bypassing SSL certificate validation by forcing the system to accept all SSL/TLS certificates without validating them. Additionally, it extends the browser timeout, possibly to avoid disruption to long-term command and control (C2) capabilities.\r\nAnvilEcho uses deepspaceocean[.]info for C2 throughout the script. It checks for a previously generated MachineID in $env:PUBLIC\\qwer.txt. The MachineID is computed in an unnecessarily complicated manner. If the MachineID does not already exist, AnvilEcho creates two random 32-character alphanumeric strings and concatenates them. Afterwards, it calculates the SHA256 hash of that value, and 16 characters from the hash are further concatenated with the original random string. This is then written to qwer.txt as the MachineID.\r\nAnvilEcho consists of multiple functions, many of which are either similar to or improved on previously reported TA453 malware modules. The beginning of the script sets up a series of functions to encrypt, encode and exfiltrate information. These functions include Send-ReqPacket, FromEncrypt, From-Save, Encode, ToEncrypt, and Get-Rand. The design of using the same network communication and encryption functions across multiple modules is similar to what our analysis revealed in TA453’s NokNok malware. Overall, AnvilEcho capabilities indicate a clear focus on intelligence collection and exfiltration.\r\nThe roughly 2200 lines of AnvilEcho PowerShell end with the two higher-level functions Redo-It and Do-It.\r\nRedo-It overview\r\nThe Redo-It function serves as orchestration and management for all of the PowerShell in AnvilEcho. It processes commands from $Global:sacpath. In the analyzed sample, this is \\Temp\\stc. Additionally, Redo-It also handles key encryption. The first time Redo-It is run, it uses WMI to conduct system reconnaissance, looking to gather antivirus information, operating system information, public IP address, InstallationPath, Manufacturer, ComputerName, and UserName. That information is then encrypted and sent to the TA453-controlled infrastructure. Designed to run continuously, Redo-It periodically fetches commands from the remote server, decrypts them, and executes them via Do-It.\r\nDo-It overview\r\nBased on the command received, Do-It executes different sections of code called out earlier in the PowerShell.\r\nCommand | Function | Notes\r\nF_upload | First-Check | Network connectivity\r\nfile_list | File-Handle | Looks for the specified path\r\nshot | shotthis | Uses a bitmap to take a screenshot, then converts it to PNG, which is then base64 encoded. Capability for multiple screens.\r\nsound | Get-Sound | Reads the contents of Applause.wav and then encodes them in base64 for exfiltration.\r\nBrowser | Get-WebInfo |\r\nklg | Get-Stream | Allows for download of remote files, in a loop\r\nDownload | Get-From-Net |\r\nUpload | Send-to-Net | Possible support for FTP and Dropbox uploading. Optional parameters including password, chunking size and token.\r\nupdate | Config-Update |\r\nOf note, additional troubleshooting functionality is included in AnvilEcho. The actor attempted to include IntelliSense, a code compilation aid, possibly in order to minimize detection opportunities from typos. In some cases, Sysinternals handle64 is downloaded if the actor is unable to access certain directories for over 20 seconds. Additionally, the script has code for downloading WinRAR and 7zip, similar to what was reported by Volexity. In this sample, that functionality has been commented out. Finally, Send-ReqPacket is used for error handling in Do-It.\r\nIn addition to the network communication capabilities, AnvilEcho also includes code suggesting the actors have used both FTP and Dropbox for exfiltration in the past. This would be consistent with what Proofpoint previously observed along with third-party industry reporting.\r\nTA453 used mary.dll as a helper very similar to toni.dll. It contained a single function called exFunc. This function allows for AES decryption followed by running the decrypted payloads in memory. The AES key is hardcoded.\r\nNetwork analysis\r\nAs our analysis has demonstrated, d75[.]site is used for C2 by BlackSmith. This domain was reported as a URL shortener controlled by APT42 by Google Threat Intelligence Group in May 2024. It is cohosted on 54.39.143[.]117 with dropzilla.theworkpc[.]com, a suspected TA453-controlled host. TA453 utilized subdomains of theworkpc[.]com in previously reported campaigns from mid-2023.\r\nAdditionally, the AnvilEcho C2 server deepspaceocean[.]info, hosted on 54.39.143[.]120, bears similarities to historical TA453 infrastructure, including the use of OVH and the .info TLD.\r\nAttribution\r\nThese efforts likely support intelligence collection in support of Iranian government interests. While Proofpoint analysts cannot link TA453 directly to individual members of the Islamic Revolutionary Guard Corps (IRGC), Proofpoint does continue to assess that TA453 operates in support of the IRGC, specifically the IRGC Intelligence Organization (IRGC-IO). This assessment is based on a variety of evidence, including overlaps in unit numbering between Charming Kitten reports and IRGC units as identified by PWC, the US Department of Justice indictment of Monica Witt along with IRGC-affiliated actors, and analysis of TA453 targeting compared to reported IRGC-IO priorities. The IRGC, specifically the IRGC Intelligence Organization, collects intelligence and conducts operations in support of a variety of assigned responsibilities. This directive has led to targeting a series of diplomatic and political entities, ranging from embassies in Tehran to US political campaigns.\r\nProofpoint currently views TA453 as overlapping with Microsoft’s Mint Sandstorm (formerly PHOSPHORUS) and roughly equivalent to Mandiant’s APT42 and PWC’s Yellow Garuda, all of which can generally be considered Charming Kitten.\r\nWhy it matters\r\nTA453 uses many different social engineering techniques to try to convince targets to engage with malicious content. Like multi-persona impersonation, sending legitimate links to a target and referencing a real podcast from the spoofed organization can build user trust. When a threat actor builds a connection with a target over time before delivering the malicious payload, it increases the likelihood of exploitation.\r\nWith BlackSmith, TA453 has created a sophisticated intelligence collection toolkit and streamlined its malware functions from a disparate set of individual scripts into a full-service PowerShell trojan.\r\nEmerging Threats signatures\r\n2055244 - ET PHISHING TA453 Domain in DNS Lookup (deepspaceocean .info)\r\n2055245 - ET PHISHING TA453 Domain in TLS SNI (deepspaceocean .info)\r\n2055246 - ET PHISHING TA453 Domain in DNS Lookup (d75 .site) (phishing.rules)\r\n2055247 - ET PHISHING TA453 Domain in TLS SNI (d75 .site) (phishing.rules)\r\nIndicators of compromise\r\nIndicator | Description | First Observed\r\n5dca88f08b586a51677ff6d900234a1568f4474bbbfef258d59d73ca4532dcaf | SHA256 .LNK | 2024-05-08\r\n5aee738121093866404827e1db43c8e1a7882291afedfe90314ec90b198afb36 | SHA256 Podcast Plan 2024.zip | 2024-05-08\r\ndc5c963f1428db051ff7aa4d43967a4087f9540a9d331dea616ca5013c6d67ce | SHA256 PDF | 2024-05-08\r\ndcb072061defd12f12deb659c66f40473a76d51c911040b8109ba32bb36504e3 | Beautifull.jpg | 2024-05-08\r\n574fc53ba2e9684938d87fc486392568f8db0b92fb15028e441ffe26c920b4c5 | mary.dll | 2022-02-18\r\n8a47fd166059e7e3c0c1740ea8997205f9e12fc87b1ffe064d0ed4b0bf7c2ce1 | qemus (AnvilEcho) | 2024-05-08\r\nd033db88065bd4f548ed13287021ac899d8c3215ebc46fdd33f46a671bba731c | soshi.dll | 2024-05-08\r\n258d9d67e14506b70359daabebd41978c7699d6ce75533955736cdd2b8192c1a | toni.dll | 2024-05-08\r\nunderstandingthewar[.]org | Lure Domain | 2024-02-01\r\nd75[.]site | Storage/Stager | 2024-03-04\r\ndeepspaceocean[.]info | C2 | 2024-02-22\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/best-laid-plans-ta453-targets-religious-figure-fake-podcast-invite-delivering",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/best-laid-plans-ta453-targets-religious-figure-fake-podcast-invite-delivering"
	],
	"report_names": [
		"best-laid-plans-ta453-targets-religious-figure-fake-podcast-invite-delivering"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d0e8337e-16a7-48f2-90cf-8fd09a7198d1",
			"created_at": "2023-03-04T02:01:54.091301Z",
			"updated_at": "2026-04-10T02:00:03.356317Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"UNC788",
				"CALANQUE"
			],
			"source_name": "MISPGALAXY:APT42",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ae26d287-8ba7-447e-9391-cf13c02d7481",
			"created_at": "2023-03-04T02:01:54.0962Z",
			"updated_at": "2026-04-10T02:00:03.357189Z",
			"deleted_at": null,
			"main_name": "TA453",
			"aliases": [],
			"source_name": "MISPGALAXY:TA453",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0b212c43-009a-4205-a1f7-545c5e4cfdf8",
			"created_at": "2025-04-23T02:00:55.275208Z",
			"updated_at": "2026-04-10T02:00:05.270553Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"APT42"
			],
			"source_name": "MITRE:APT42",
			"tools": [
				"NICECURL",
				"TAMECAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434495,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/450a7d52ef6edeb76b2dbfe87643722676c0d05d.pdf",
		"text": "https://archive.orkl.eu/450a7d52ef6edeb76b2dbfe87643722676c0d05d.txt",
		"img": "https://archive.orkl.eu/450a7d52ef6edeb76b2dbfe87643722676c0d05d.jpg"
	}
}