{
	"id": "eaedacf9-cde4-41ed-8118-8323a026c6e5",
	"created_at": "2026-04-06T00:17:16.977436Z",
	"updated_at": "2026-04-10T03:38:20.452492Z",
	"deleted_at": null,
	"sha1_hash": "46ee3edf6cffeecb97fdaa17f0fd0d3e741353d8",
	"title": "Threats to the Defense Industrial Base",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3823441,
	"plain_text": "Threats to the Defense Industrial Base\r\nBy Google Threat Intelligence Group\r\nPublished: 2026-02-10 · Archived: 2026-04-05 12:51:04 UTC\r\nIntroduction \r\nIn modern warfare, the front lines are no longer confined to the battlefield; they extend directly into the servers\r\nand supply chains of the industry that safeguards the nation. Today, the defense sector faces a relentless barrage of\r\ncyber operations conducted by state-sponsored actors and criminal groups alike. In recent years, Google Threat\r\nIntelligence Group (GTIG) has observed several distinct areas of focus in adversarial targeting of the defense\r\nindustrial base (DIB). While not exhaustive of all actors and means, some of the more prominent themes in the\r\nlandscape today include: \r\nConsistent effort has been dedicated to targeting defense entities fielding technologies on the battlefield in\r\nthe Russia-Ukraine War. As next-generation capabilities are being operationalized in this environment,\r\nRussia-nexus threat actors and hacktivists are seeking to compromise defense contractors alongside\r\nmilitary assets and systems, with a focus on organizations involved with unmanned aircraft systems (UAS).\r\nThis includes targeting defense companies directly, using themes mimicking their products and systems in\r\nintrusions against military organizations and personnel. \r\nAcross global defense and aerospace firms, the direct targeting of employees and exploitation of the\r\nhiring process has emerged as a key theme. From the North Korean IT worker threat, to the spoofing of\r\nrecruitment portals by Iranian espionage actors, to the direct targeting of defense contractors' personal\r\nemails, GTIG continues to observe a multifaceted threat landscape that centers around personnel, and often\r\nin a manner that evades traditional enterprise security visibility.    
\r\nAmong state-sponsored cyber espionage intrusions over the last two years analysed by GTIG, threat\r\nactivity from China-nexus groups continues to represent by volume the most active threat to entities in\r\nthe defense industrial base. While these intrusions continue to leverage an array of tactics, campaigns from\r\nactors such as UNC3886 and UNC5221 highlight how the targeting of edge devices and appliances as a\r\nmeans of initial access has increased as a tactic by China-nexus threat actors, and poses a significant risk to\r\nthe defense and aerospace sector. In comparison to the Russia-nexus threats observed on the battlefield in\r\nUkraine, these could support more preparatory access or R\u0026D theft missions. \r\nLastly, contemporary national security strategy relies heavily on a secure supply chain. Since 2020,\r\nmanufacturing has been the most represented sector across data leak sites (DLS) that GTIG tracks\r\nassociated with ransomware and extortive activity. While dedicated defense and aerospace organizations\r\nrepresent a small fraction of similar activity, the broader manufacturing sector includes many companies\r\nthat provide dual-use components for defense applications, and this statistic highlights the cyber risk the\r\nindustrial base supply chain is exposed to. The ability to surge defense components in a wartime\r\nenvironment can be impacted, even when these intrusions are limited to IT networks. Additionally, the\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/threats-to-defense-industrial-base\r\nPage 1 of 23\n\nglobal resurgence of hacktivism, and actors carrying out hack and leak operations, DDoS attacks, or other\r\nforms of disruption, has impacted the defense industrial base. \r\nAcross these themes we see further areas of commonality. 
Many of the chief state-sponsors of cyber espionage\r\nand hacktivist actors have shown an interest in autonomous vehicles and drones, as these platforms play an\r\nincreasing role in modern warfare. Further, the “evasion of detection” trend first highlighted in the Mandiant M-Trends 2024 report continues, as actors focus on single endpoints and individuals, or carry out intrusions in a\r\nmanner that seeks to avoid endpoint detection and response (EDR) tools altogether. All of this contributes to a\r\ncontested and complex environment that challenges traditional detection strategies, requiring everyone from\r\nsecurity practitioners to policymakers to think creatively in countering these threats. \r\n1. Longstanding Russian Targeting of Critical and Emerging Defense Technologies in Ukraine\r\nand Beyond \r\nRussian espionage actors have demonstrated a longstanding interest in Western defense entities. While Russia's\r\nfull-scale invasion of Ukraine began in February 2022, the Russian government has long viewed the conflict as an\r\nextension of a broader campaign against Western encroachment into its sphere of influence, and has accordingly\r\ntargeted both Ukrainian and Western military and defense-related entities via kinetic and cyber operations. \r\nRussia's use of cyber operations in support of military objectives in the war against Ukraine and beyond is\r\nmultifaceted. On a tactical level, targeting has broadened to include individuals in addition to organizations in\r\norder to support frontline operations and beyond, likely due at least in part to the reliance on public and off-the-shelf technology rather than custom products. Russian threat actors have targeted secure messaging applications\r\nused by the Ukrainian military to communicate and orchestrate military operations, including via attempts to\r\nexfiltrate locally stored databases of these apps, such as from mobile devices captured during Russia's ongoing\r\ninvasion of Ukraine. 
This compromise of individuals' devices and accounts poses a challenge in various ways—\r\nfor example, such activity often occurs outside spaces that are traditionally monitored, meaning a lack of visibility\r\nfor defenders in monitoring or detecting such threats. GTIG has also identified attempts to compromise users of\r\nbattlefield management systems such as Delta and Kropyva, underscoring the critical role played by these systems\r\nin the orchestration of tactical efforts and dissemination of vital intelligence. \r\nMore broadly, Russian espionage activity has also encompassed the targeting of Ukrainian and Western companies\r\nsupporting Ukraine in the conflict or otherwise focused on developing and providing defensive capabilities for the\r\nWest. This has included the use of infrastructure and lures themed around military equipment manufacturers,\r\ndrone production and development, anti-drone defense systems, and surveillance systems, indicating the likely\r\ntargeting of organizations with a need for such technologies.\r\nAPT44 (Sandworm, FROZENBARENTS)\r\nAPT44, attributed by multiple governments to Unit 74455 within the Russian Armed Forces' Main Intelligence\r\nDirectorate (GRU), has attempted to exfiltrate information from Telegram and Signal encrypted messaging\r\napplications, likely via physical access to devices obtained during operations in Ukraine. While this activity\r\nextends back to at least 2023, we have continued to observe the group making these attempts. GTIG has also\r\nidentified APT44 leveraging WAVESIGN, a Windows Batch script responsible for decrypting and exfiltrating data\r\nfrom Signal Desktop. 
Multiple governments have also reported on APT44's use of INFAMOUSCHISEL, malware\r\ndesigned to collect information from Android devices including system device information, commercial\r\napplication information, and information from Ukrainian military apps. \r\nTEMP.Vermin\r\nTEMP.Vermin, an espionage actor whose activity Ukraine's Computer Emergency Response Team (CERT-UA)\r\nhas linked to security agencies of the so-called Luhansk People's Republic (LPR, also rendered as LNR), has\r\ndeployed malware including VERMONSTER, SPECTRUM (publicly reported as Spectr), and\r\nFIRMACHAGENT via the use of lure content themed around drone production and development, anti-drone\r\ndefense systems, and video surveillance security systems. Infrastructure leveraged by TEMP.Vermin includes\r\ndomains masquerading as Telegram and involves broad aerospace themes, including a domain that may be a\r\nmasquerade of an Indian aerospace company focused on advanced drone technology.\r\nFigure 1: Lure document used by TEMP.Vermin\r\nUNC5125\r\nUNC5125 has conducted highly targeted campaigns focusing on frontline drone units. Its collection efforts have\r\nincluded the use of a questionnaire hosted on Google Forms to conduct reconnaissance against prospective drone\r\noperators; the questionnaire purports to originate from Dronarium, a drone training academy, and solicits personal\r\ninformation from targets, notably including military unit information, telephone numbers, and preferred mobile\r\nmessaging apps. UNC5125 has also conducted malware delivery operations via these messaging apps. 
In one\r\ninstance, the cluster delivered the MESSYFORK backdoor (publicly reported as COOKBOX) to a UAV operator\r\nin Ukraine.\r\nFigure 2: UNC5125 Google Forms questionnaire purporting to originate from Dronarium drone training academy\r\nWe also identified suspected UNC5125 activity leveraging Android malware we track as GREYBATTLE, which\r\nwas delivered via a website spoofing a Ukrainian military artificial intelligence company. GREYBATTLE, a\r\ncustomized variant of the Hydra banking trojan, is designed to extract credentials and data from compromised\r\ndevices.\r\nNote: Android users with Google Play Protect enabled are protected against the aforementioned malware, and all\r\nknown versions of the malicious apps identified throughout this report.\r\nUNC5792\r\nSince at least 2024, GTIG has identified this Russian espionage cluster exploiting secure messaging apps,\r\ntargeting primarily Ukrainian military and government entities in addition to individuals and organizations in\r\nMoldova, Georgia, France, and the US. Notably, UNC5792 has compromised Signal accounts via the device-linking feature. Specifically, UNC5792 sent its targets altered \"group invite\" pages that redirected to malicious\r\nURLs crafted to link an actor-controlled device to the victim's Signal account, allowing the threat actor to see\r\nvictims' messages in real time. The cluster has also leveraged WhatsApp phishing pages and other domains\r\nmasquerading as Ukrainian defense manufacturing and defense technology companies.\r\nUNC4221\r\nUNC4221, another suspected Russian espionage actor active since at least March 2022, has targeted secure\r\nmessaging apps used by Ukrainian military personnel via tactics similar to those of UNC5792. 
For example, the\r\ncluster leveraged fake Signal group invites that redirect to a website crafted to entice users to link their account to\r\nan actor-controlled Signal instance. UNC4221 has also leveraged WhatsApp phishing pages intended to collect\r\ngeolocation data from targeted devices.\r\nUNC4221 has targeted mobile applications used by the Ukrainian military in multiple instances, such as by\r\nleveraging Signal phishing kits masquerading as Kropyva, a tactical battlefield app used by the Armed Forces of\r\nUkraine for a variety of combat functions including artillery guidance. Other Signal phishing domains used by\r\nUNC4221 masqueraded as a streaming service for UAVs used by the Ukrainian military. The cluster also\r\nleveraged the STALECOOKIE Android malware, which was designed to masquerade as an application for Delta,\r\na situational awareness and battlefield management platform used by the Ukrainian military, to steal browser\r\ncookies.\r\nUNC4221 has also conducted malware delivery operations targeting both Android and Windows devices. In one\r\ninstance, the actor leveraged the \"ClickFix\" social engineering technique, which lured the target into copying and\r\nrunning malicious PowerShell commands via instructions referencing a Ukrainian defense manufacturer, in a\r\nlikely attempt to deliver the TINYWHALE downloader. TINYWHALE in turn led to the download and execution\r\nof the MESHAGENT remote management software against a likely Ukrainian military entity.\r\nUNC5976\r\nStarting in January 2025, the suspected Russian espionage cluster UNC5976 conducted a phishing campaign\r\ndelivering malicious RDP connection files. These files were configured to communicate with actor-controlled\r\ndomains spoofing a Ukrainian telecommunications entity. 
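\r\nAn .rdp connection file is a plain-text list of name:type:value settings, so the delivery artefact described above can be checked at the mail gateway or on endpoints before a user double-clicks it. The following Python inspector is an added example and is not code from the GTIG report or from any tool it names; the two sample files, the invented hostnames, the allowed-host suffix and the finding strings are constructed assumptions. It flags a file that points at an unapproved host, enables drive, clipboard, printer or smart-card redirection, hides the session behind RemoteApp mode, or silences server-authentication failures, settings a genuine internal file would rarely combine.

```python
# Added example, not code from the GTIG report: a small inspector for Windows
# .rdp connection files. It parses the name:type:value lines of a file and
# flags the settings a phishing-delivered file would rely on. The sample file
# contents, the hostnames, the allowed-host suffix and the finding wording are
# constructed assumptions for this example.

# Assumed suffix of hosts users are permitted to connect to; anything else is flagged.
ALLOWED_HOST_SUFFIXES = ('.corp.example',)

# Constructed sample modelled on the reported technique: the file points at an
# attacker host (the domain is invented), hands over local drives, clipboard,
# printers and smart cards, and hides the session behind RemoteApp mode.
SUSPICIOUS_RDP = '''screen mode id:i:2
full address:s:webmail-update.telecom-provider.example:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
remoteapplicationmode:i:1
authentication level:i:0
'''

# Constructed benign file for comparison.
BENIGN_RDP = '''screen mode id:i:2
full address:s:jump01.corp.example
drivestoredirect:s:
redirectclipboard:i:0
authentication level:i:2
'''

def parse_rdp(text):
    '''Parse name:type:value lines into a dict; i-typed values become ints.'''
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(':', 2)
        if len(parts) != 3:
            continue
        name, kind, value = parts[0].strip().lower(), parts[1].strip().lower(), parts[2].strip()
        if kind == 'i':
            try:
                value = int(value)
            except ValueError:
                continue
        settings[name] = value
    return settings

def host_is_allowed(full_address):
    '''True when the target host (optional :port stripped) is under an approved suffix.'''
    host = full_address.split(':', 1)[0].lower()
    return any(host == s.lstrip('.') or host.endswith(s) for s in ALLOWED_HOST_SUFFIXES)

def assess_rdp(text):
    '''Return a list of findings for one .rdp file; an empty list means nothing was flagged.'''
    s = parse_rdp(text)
    findings = []
    addr = s.get('full address', '')
    if addr and not host_is_allowed(addr):
        findings.append('connects to unapproved host ' + addr)
    # A non-empty drivestoredirect value (for example *) exposes local drives to the server.
    if s.get('drivestoredirect', ''):
        findings.append('redirects local drives: ' + str(s['drivestoredirect']))
    for key in ('redirectclipboard', 'redirectprinters', 'redirectsmartcards', 'redirectcomports'):
        if s.get(key) == 1:
            findings.append(key + ' enabled')
    if s.get('remoteapplicationmode') == 1:
        findings.append('RemoteApp mode hides the remote desktop from the user')
    if s.get('authentication level') == 0:
        findings.append('server authentication failures are ignored without warning')
    return findings

if __name__ == '__main__':
    for label, content in (('suspicious', SUSPICIOUS_RDP), ('benign', BENIGN_RDP)):
        print(label, assess_rdp(content) or ['no findings'])
```

Run it over any .rdp attachment pulled from quarantine: an empty list is the benign case, and each finding names the offending setting so the output can go straight into a ticket. Real files carry further keys (gateway settings, a signature block); the parser keeps every key it sees, so additional checks can be added without changing the parsing.\r\n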
Additional infrastructure likely used by UNC5976\r\nincluded hundreds of domains spoofing defense contractors including companies headquartered in the UK, the\r\nUS, Germany, France, Sweden, Norway, Ukraine, Turkey, and South Korea.\r\nFigure 3: Identified UNC5976 credential harvesting infrastructure spoofing aerospace and defense firms\r\nWider UNC5976 phishing activity also included the use of drone-themed lure content, such as operational\r\ndocumentation for the ORLAN-15 UAV system, likely for credential harvesting efforts targeting webmail\r\ncredentials.\r\nFigure 4: Repurposed PDF document used by UNC5976 purporting to be operational documentation for the\r\nORLAN-15 UAV system\r\nUNC6096\r\nIn February 2025, GTIG identified the suspected Russian espionage cluster UNC6096 conducting malware\r\ndelivery operations via WhatsApp Messenger using themes related to the Delta battlefield management platform.\r\nTo target Windows users, the cluster delivered an archive file containing a malicious LNK file leading to the\r\ndownload of a secondary payload. Android devices were targeted via malware we track as GALLGRAB, a\r\nmodified version of the publicly available \"Android Gallery Stealer\". 
GALLGRAB collects data that includes\r\nlocally stored files, contact information, and potentially encrypted user data from specialized battlefield\r\napplications.\r\nUNC5114\r\nIn October 2023, the suspected Russian espionage cluster UNC5114 delivered a variant of the publicly available\r\nAndroid malware CraxsRAT masquerading as an update for the Kropyva app, accompanied by a lure document\r\nmimicking official installation instructions.\r\nOvercoming Technical Limitations with LLMs\r\nGTIG has recently discovered a threat group suspected to be linked to Russian intelligence services that\r\nconducts phishing operations to deliver CANFAIL malware primarily against Ukrainian organizations. Although\r\nthe actor has targeted Ukrainian defense, military, government, and energy organizations within the Ukrainian\r\nregional and national governments, the group has also shown significant interest in aerospace organizations,\r\nmanufacturing companies with military and drone ties, nuclear and chemical research organizations, and\r\ninternational organizations involved in conflict monitoring and humanitarian aid in Ukraine. \r\nDespite being less sophisticated and resourced than other Russian threat groups, this actor recently began to\r\novercome some technical limitations using LLMs. Through prompting, they conduct reconnaissance, create lures\r\nfor social engineering, and seek answers to basic technical questions for post-compromise activity and C2\r\ninfrastructure setup.  \r\nIn more recent phishing operations, the actor masqueraded as legitimate national and local Ukrainian energy\r\norganizations to target organizational and personal email accounts. They also imitated a Romanian energy\r\ncompany that works with customers in Ukraine, targeted a Romanian organization, and conducted reconnaissance\r\non Moldovan organizations. 
The group generates lists of email addresses to target based on specific regions and\r\nindustries discovered through their research. \r\nPhishing emails sent by the actor contain a lure that, based on analysis, appears to be LLM-generated and uses formal\r\nlanguage and a specific official template, along with Google Drive links that host a RAR archive containing CANFAIL\r\nmalware, often disguised with a .pdf.js double extension. CANFAIL is obfuscated JavaScript that executes a\r\nPowerShell script to download and execute an additional stage, most commonly a memory-only PowerShell\r\ndropper. It additionally displays a fake “error” popup to the victim.\r\nThis group’s activity has been documented by SentinelLABS and the Digital Security Lab of Ukraine in an\r\nOctober 2025 blog post detailing the “PhantomCaptcha” campaign, where the actor briefly used ClickFix in their\r\noperations.\r\nHacktivist Targeting of Military Drones \r\nA subset of pro-Russia hacktivist activity has focused on Ukraine’s use of drones on the battlefield. This likely\r\nreflects the critical role that drones have played in combat, as well as an attempt by pro-Russia hacktivist groups\r\nto claim to be influencing events on the ground. In late 2025, the pro-Russia hacktivist collective KillNet, for\r\nexample, dedicated significant threat activity to this. After announcing the collective’s revitalization in June, the\r\nfirst threat activity claimed by the group was an attack allegedly disabling Ukraine’s ability to monitor its airspace\r\nfor drone attacks. This focus continued throughout the year, culminating in a December announcement in which\r\nthe group claimed to have created a multifunctional platform featuring the mapping of key infrastructure like Ukraine’s\r\ndrone production facilities based on compromised data. We further detail in the next section operations from pro-Russia hacktivists that have targeted defense sector employees.\r\n2. 
Employees in the Crosshairs: Targeting and Exploitation of Personnel and HR Processes in the\r\nDefense Sector\r\nThroughout 2025, adversaries of varying motivations have continued to target the \"human layer\" including within\r\nthe DIB. By exploiting professional networking platforms, recruitment processes, and personal communications,\r\nthreat actors attempt to bypass perimeter security controls to gain insider access or compromise personal devices.\r\nThis creates a challenge for enterprise security teams, where much of this activity may take place outside the\r\nvisibility of traditional security detections.\r\nNorth Korea’s Insider Threat and Revenue Generation\r\nSince at least 2019, the threat from the Democratic People’s Republic of Korea (DPRK) began evolving to\r\nincorporate internal infiltration via “IT workers” in addition to traditional network intrusion. This development,\r\ndriven by both espionage requirements and the regime’s need for revenue generation, continued throughout 2025\r\nwith recent operations incorporating new publicly available tools. In addition to public reporting, GTIG has also\r\nobserved evidence of IT workers applying to jobs at defense-related organizations. \r\nIn June 2025, the US Department of Justice announced a disruption operation that included searches of 29\r\nlocations in 16 states suspected of being laptop farms and led to the arrest of a US facilitator and an\r\nindictment against eight international facilitators. According to the indictment, the accused successfully\r\ngained remote jobs at more than 100 US companies, including Fortune 500 companies. In one case, IT\r\nworkers reportedly stole sensitive data from a California-based defense contractor that was developing AI\r\ntechnology. 
\r\nIn 2025, a Maryland-based individual, Minh Phuong Ngoc Vong, was sentenced to 15 months in prison for\r\ntheir role in facilitating a DPRK IT worker (ITW) scheme. According to government documents, in coordination with a\r\nsuspected DPRK IT worker, Vong was hired by a Virginia-based company to perform remote software\r\ndevelopment work for a government contract that involved a US government entity's defense program. The\r\nsuspected DPRK IT worker used Vong’s credentials to log in and perform work under Vong’s identity, for\r\nwhich Vong was later paid, ultimately sending some of those funds overseas to the IT worker. \r\nThe Industrialization of Job Campaigns \r\nJob-themed campaigns have become a significant and persistent operational trend among cyber threat actors, who\r\nleverage employment-themed social engineering as a high-efficacy vector for both espionage and financial gain.\r\nThese operations exploit the trust inherent in the online job search, application, and interview processes,\r\nmasquerading malicious content as job postings, fake job offers, recruitment documents, and malicious resume-builder applications to trick high-value personnel into deploying malware or providing credentials. \r\nNorth Korean Cyber Operations Targeting Defense Sector Employees \r\nNorth Korean cyber espionage operations have targeted defense technologies and personnel using employment-themed\r\nsocial engineering. GTIG has directly observed campaigns conducted by APT45, APT43, and UNC2970\r\nspecifically targeting individuals at organizations within the defense industry.  \r\nGTIG identified a suspected APT45 operation leveraging the SMALLTIGER malware to reportedly target\r\nSouth Korean defense, semiconductor, and automotive manufacturing entities. 
Based on historical activity,\r\nwe suspect this activity is conducted at least in part to acquire intellectual property to support the North\r\nKorean regime in its research and development efforts in the targeted industries; South Korea's National\r\nIntelligence Service (NIS) has also reported on North Korean attempts to steal intellectual property toward\r\nthe aims of producing its own semiconductors for use in its weapons programs.\r\nGTIG identified suspected APT43 infrastructure mimicking German and U.S. defense-related entities,\r\nincluding a credential harvesting page and job-themed lure content used to deploy the THINWAVE\r\nbackdoor. Related infrastructure was also used by HANGMAN.V2, a backdoor used by APT43 and\r\nsuspected APT43 clusters.  \r\nUNC2970 has consistently focused on defense targeting and impersonating corporate recruiters in its\r\ncampaigns. The cluster has used Gemini to synthesize open-source intelligence (OSINT) and profile high-value targets to support campaign planning and reconnaissance. UNC2970’s target profiling included\r\nsearching for information on major cybersecurity and defense companies and mapping specific technical\r\njob roles and salary information. This reconnaissance activity is used to gather the necessary information to\r\ncreate tailored, high-fidelity phishing personas and identify potential targets for initial compromise.\r\nFigure 5: Content of a suspected APT43 phishing page\r\nIranian Threat Actors Use Recruitment-Themed Campaigns to Target Aerospace and Defense Employees\r\nGTIG has observed Iranian state-sponsored cyber actors consistently leverage employment opportunities and\r\nexploit trusted third-party relationships in operations targeting the defense and aerospace sector. 
Since at least\r\n2022, groups such as UNC1549 and UNC6446 have used spoofed job portals, fake job offer lures, as well as\r\nmalicious resume-builder applications for defense firms, some of which specialize in aviation, aerospace, and\r\nUAV technology, to trick personnel into executing malware or giving up credentials under the guise of\r\nlegitimate employment opportunities. \r\nGTIG has identified fake job descriptions, portals, and survey lures hosted on UNC1549 infrastructure\r\nmasquerading as aerospace, technology, and thermal imaging companies, including drone manufacturing\r\nentities, to likely target personnel interested in major defense contractors. Likely indicative of their\r\nintended targeting, in one campaign UNC1549 leveraged a spoofed domain for a drone-related conference\r\nin Asia. \r\nUNC1549 has additionally gained initial access to organizations in the defense and aerospace sector\r\nby exploiting trusted connections with third-party suppliers. The group leverages compromised\r\nthird-party accounts to exploit legitimate access pathways, often pivoting from service providers to\r\ntheir customers. Once access is gained, UNC1549 has focused on privilege escalation by targeting\r\nIT staff with malicious emails that mimic authentic processes to steal administrator credentials, or\r\nby exploiting less-secure third-party suppliers to breach the primary target’s infrastructure via\r\nlegitimate remote access services like Citrix and VMware. Post-compromise activities often include\r\ncredential theft using custom tools like CRASHPAD and RDP session hijacking to access active\r\nuser sessions. 
\r\nSince at least 2022, the Iranian-nexus threat actor UNC6446 has used resume builder and personality test\r\napplications to deliver custom malware primarily to targets in the aerospace and defense vertical across the US\r\nand Middle East. These applications provide a user interface - including one likely designed for employees of a\r\nUK-based multinational aerospace and defense company - while malware runs in the background to steal initial\r\nsystem reconnaissance data.\r\nFigure 6: Hiring-themed spear-phishing email sent by UNC1549\r\nFigure 7: UNC1549 fake job offer on behalf of DJI, a drone manufacturing company\r\nChina-Nexus Actor Targets Personal Emails of Defense Contractor Employees\r\nChina-nexus threat actor APT5 conducted two separate campaigns in mid to late 2024 and in May 2025 against\r\ncurrent and former employees of major aerospace and defense contractors. While employees at one of the\r\ncompanies received emails to their work email addresses, in both campaigns, the actor sent spearphishes to\r\nemployees’ personal email addresses. The lures were meticulously crafted to align with the targets' professional\r\nroles, geographical locations, and personal interests. The professional, industry, and training lures the actor\r\nleveraged included: \r\nInvitations to industry events, such as CANSEC (Canadian Association of Defence and Security\r\nIndustries), MilCIS (Military Communications and Information Systems), and SHRM (Society for Human\r\nResource Management). 
\r\nReferences to Red Cross training courses.\r\nPhishing emails disguised as job offers.\r\nAdditionally, the actor leveraged hyper-specific and personal lures related to the locations and activities of\r\ntheir targets, including: \r\nEmails referencing a \"Community service verification form\" from a local high school near one of the\r\ncontractor's headquarters.\r\nPhishing emails using \"Alumni tickets\" for a university minor league baseball team, targeting employees\r\nwho attended the university.\r\nEmails purporting to be \"open letters\" to Boy Scouts of America camp or troop leadership, targeting\r\nemployees known to be volunteers or parents.\r\nFake guides and registration information leveraging the 2024 election cycle for the state where the\r\nemployees lived.\r\nRU Hacktivists Targeting Personnel \r\nDoxxing remains a cornerstone of pro-Russia hacktivist threat activity, targeting both individuals within Ukraine’s\r\nmilitary and security services as well as foreign allies. Some groups have centered their operations on doxxing to\r\nuncover members across specific units/organizations, while others use doxxing to supplement more diverse\r\noperations.\r\nFor example, in 2025, the group Heaven of the Slavs (Original Russian: НЕБО СЛАВЯН) claimed to have\r\ndoxxed Ukrainian defense contractors and military officials; Beregini claimed to have identified individuals who worked\r\nat Ukrainian defense contractors, including those that it claimed worked at Ukrainian naval drone manufacturers;\r\nand PalachPro claimed to have identified foreign fighters in Ukraine, and the group separately claimed to have\r\ncompromised the devices of Ukrainian soldiers. Further hacktivist activity against the defense sector is covered in\r\nthe last section of this report.\r\n3. 
Persistent Area of Focus For China-Nexus Cyber Espionage Actors \r\nThe defense industrial base has been an important target for China-nexus threat actors for as long as cyber\r\noperations have been used for espionage. One of the earliest observed compromises attributed to the Chinese\r\nmilitary’s APT1 group was a firm in the defense industrial sector in 2007. While historical campaigns by actors\r\nsuch as APT40 have at times shown hyper-specific focus in sub-sectors of defense, such as maritime-related\r\ntechnologies, in general the areas of defense targeting from China-nexus groups have spanned all domains and\r\nsupply chain layers. Alongside this focus on defense systems and contractors, Chinese cyber espionage groups\r\nhave steadily improved their tradecraft over the past several years, increasing the risk to this sector. \r\nGTIG has observed more China-nexus cyber espionage missions directly targeting the defense and aerospace industry\r\nthan from any other state-sponsored actors over the last two years. China-nexus espionage actors have used a\r\nbroad range of tactics in operations, but the hallmark of many operations has been their exploitation of edge\r\ndevices to gain initial access. We have also observed China-nexus threat groups leverage operational relay box (ORB) networks for\r\nreconnaissance against defense industrial targets, which complicates detection and attribution.\r\nFigure 8: Edge vs. 
not edge zero-days likely exploited by CN actors 2021 — September 2025\r\nDrawing from both direct observations and open-source research, GTIG assesses with high confidence that since\r\n2020, Chinese cyber espionage groups have exploited more than two dozen zero-day (0-day) vulnerabilities in\r\nedge devices (devices that are typically placed at the edge of a network and often do not support EDR monitoring,\r\nsuch as VPNs, routers, switches, and security appliances) from ten different vendors. This observed emphasis on\r\nexploiting 0-days in edge devices likely reflects an intentional strategy to benefit from the tactical advantages of\r\nreduced opportunities for detection and increased rates of successful compromises.\r\nWhile we have observed exploitation spread to multiple threat groups soon after disclosure, often the first Chinese\r\ncyber espionage activity sets we discover exploiting an edge device 0-day, such as UNC4841, UNC3886, and\r\nUNC5221, demonstrate extensive efforts to obfuscate their activity in order to maintain long-term access to\r\ntargeted environments. Notably, in recent years, both UNC3886 and UNC5221 operations have directly impacted\r\nthe defense sector, among other industries. \r\nUNC3886 is one of the most capable and prolific China-nexus threat groups GTIG has observed in recent\r\nyears. While UNC3886 has targeted multiple sectors, their early operations in 2022 had a distinct focus on\r\naerospace and defense entities. We have observed UNC3886 employ 17 distinct malware families in\r\noperations against DIB targets. Beyond aerospace and defense targets, UNC3886 campaigns have been\r\nobserved impacting the telecommunications and technology sectors in the US and Asia.   
\r\nUNC5221 is a sophisticated, suspected China-nexus cyber espionage actor characterized by its focus on\r\nexploiting edge infrastructure to penetrate high-value strategic targets. The actor demonstrates a distinct\r\noperational preference for compromising perimeter devices—such as VPN appliances and firewalls—to\r\nbypass traditional endpoint detection, subsequently establishing persistent access to conduct long-term\r\nintelligence collection. Their observed targeting profile is highly selective, prioritizing entities that serve as\r\n\"force multipliers\" for intelligence gathering, such as managed service providers (MSPs), law firms, and\r\ncentral nodes in the global technology supply chain. The BRICKSTORM malware campaign uncovered in\r\n2025, which we suspect was conducted by UNC5221, was notable for its stealth, with an average dwell\r\ntime of 393 days. Organizations that were impacted spanned multiple sectors but included aerospace and\r\ndefense. \r\nIn addition to these two groups, GTIG has analyzed other China-nexus groups impacting the defense sector in\r\nrecent years. \r\nUNC3236 Observed Targeting U.S. Military and Logistics Portal\r\nIn 2024, GTIG observed reconnaissance activity associated with UNC3236 (linked to Volt Typhoon) against\r\npublicly hosted login portals of North American military and defense contractors, and U.S. and Canadian\r\ngovernment domains related to North American infrastructure. The activity leveraged the ARCMAZE obfuscation\r\nnetwork to hide its origin. Netflow analysis revealed communication with SOHO routers outside the\r\nARCMAZE network, suggesting an additional hop point to hinder tracking. Targeted entities included a Drupal\r\nweb login portal used by defense contractors involved in U.S. military infrastructure projects. 
\r\nUNC6508 Search Terms Indicate Interest in Defense Contractors and Military Platforms\r\nIn late 2023, China-nexus threat cluster UNC6508 targeted a US-based research institution through a multi-stage\r\nattack that leveraged an initial REDCap exploit and custom malware named INFINITERED. This malware is\r\nembedded within a trojanized version of a legitimate REDCap system file and functions as a recursive dropper. It\r\nis capable of enabling persistent remote access and credential theft after intercepting the application's software\r\nupgrade process to inject malicious code into the next version's core files. \r\nThe actor used its REDCap system access to collect credentials, which in turn gave it access to the victim’s email platform filtering\r\nrules, used to collect information related to US national security and foreign policy (Figure 10). GTIG assesses with low\r\nconfidence that the actors likely sought to fulfill a set of intelligence collection requirements, though the nature\r\nand intended focus of the collection effort are unknown.\r\nFigure 9: Categories of UNC6508 email forwarding triggers\r\nBy August 2025, the actors leveraged credentials obtained via INFINITERED to access the institution's\r\nenvironment with legitimate, compromised administrator credentials. They abused the tenant compliance rules to\r\ndynamically reroute messages based on a combination of keywords and/or recipients. The actors modified an\r\nemail rule to BCC an actor-controlled email address if any of 150 regex-defined search terms or email addresses\r\nappeared in email bodies or subjects, thereby facilitating data exfiltration by forwarding any email that contained\r\nat least one of the terms related to US national security, military equipment and operations, foreign policy, and\r\nmedical research, among others. 
About a third of the keywords referenced a military system or a defense\r\ncontractor, with a notable number related to UAS or counter-UAS systems.\r\n4. Hack, Leak, and Disruption of the Manufacturing Supply Chain\r\nExtortion operations continue to represent the most impactful cyber crime threat globally, due to the prevalence of\r\nthe activity, the potential for disrupting business operations, and the public disclosure of sensitive data such as\r\npersonally identifiable information (PII), intellectual property, and legal documents. Similarly, hack-and-leak\r\noperations conducted by geopolitically and ideologically motivated hacktivist groups may also result in the public\r\ndisclosure of sensitive data. These data breaches can represent a risk to defense contractors via loss of intellectual\r\nproperty, to their employees due to the potential use of PII as targeting data, and to the defense agencies they\r\nsupport. Less frequently, both financially and ideologically motivated threat actors may conduct significant\r\ndisruptive operations, such as the deployment of ransomware on operational technology (OT) systems or\r\ndistributed-denial-of-service (DDoS) attacks.\r\nCyber Crime Activity Impacting the Defense Industrial Base and Broader Manufacturing and Industrial\r\nSupply Chain\r\nWhile dedicated aerospace \u0026 defense organizations represent only about 1% of victims listed on data leak sites\r\n(DLS) in 2025, manufacturing organizations, many of which directly or indirectly support defense contracts, have\r\nconsistently represented the largest share of DLS listings by count (Figure 11). This broader manufacturing sector\r\nincludes companies that may provide dual-use components for defense applications. 
For example, a significant\r\n2025 ransomware incident affecting a UK automotive manufacturer, which also produces military vehicles,\r\ndisrupted production for weeks and reportedly affected more than 5,000 additional organizations. This highlights\r\nthe cyber risk to the broader industrial supply chain supporting the defense capacity of a nation: even intrusions\r\nlimited to IT networks can impair the ability to surge production of defense components in a wartime\r\nenvironment.\r\nFigure 10: Percent of DLS victims in the manufacturing industry by quarter\r\nThreat actors also regularly share and/or advertise illicit access to or stolen data from aerospace and defense sector\r\norganizations. For example, the persona “miyako,” which based on the use of the same username and Session ID has\r\nbeen active on multiple underground forums, has advertised access to multiple, unnamed, defense contractors\r\nover time (Figure 11). While defense contractors are likely not attractive targets for many cyber criminals, given\r\nthat these organizations typically maintain a strong security posture, a small subset of financially motivated actors\r\nmay disproportionately target the industry due to dual motivations, such as a desire for notoriety or ideological\r\nmotivations. For example, the BreachForums actor “USDoD” regularly shared or advertised access to data\r\nclaimed to have been stolen from prominent defense-related organizations. In a bizarre 2023 interview, USDoD\r\nclaimed the threat was misdirection and that they were actually targeting a consulting firm, NATO, CEPOL,\r\nEuropol, and Interpol. USDoD further indicated that they had a personal vendetta and were not motivated by\r\npolitics. 
In October 2024, Brazilian authorities arrested an individual accused of being USDoD.\r\nFigure 11: Advertisement for “US Navy / USAF / USDoD Engineering Contractor”\r\nHacktivist Operations Targeting the Defense Industrial Base\r\nPro-Russia and pro-Iran hacktivism operations at times extend beyond simple nuisance-level attacks to high-impact operations, including data leaks and operational disruptions. Unlike financially motivated activity, these\r\ncampaigns prioritize the exposure of sensitive military schematics and the personal data of personnel—often through\r\n\"hack-and-leak\" tactics—in an attempt to erode public trust, intimidate defense officials, and influence\r\ngeopolitical developments on the ground. Robust geopolitically motivated hacktivist activity works not only to\r\nadvance state interests but also can serve to complicate attribution of threat activity from state-backed actors,\r\nwhich are known to leverage hacktivist tactics for their own ends.\r\nFigure 12: Notable 2025 hacktivist claims allegedly involving the defense industrial base\r\nPro-Russia Hacktivism Activity\r\nPro-Russia hacktivist actors have collectively dedicated a notable portion of their threat activity to targeting\r\nentities associated with the militaries and defense sectors of Ukraine and Western countries. As we have\r\npreviously reported, GTIG observed a revival and intensification of activity within the pro-Russia hacktivist\r\necosystem in response to the launch of Russia’s full-scale invasion of Ukraine in February 2022. 
The vast majority\r\nof pro-Russia hacktivist activity that we have subsequently tracked has likewise appeared intended to advance\r\nRussia’s interests in the war. As with the targeting of other high-profile organizations, at least some of this activity\r\nappeared primarily intended to generate media attention. However, a review of the related threat activity observed\r\nin 2025 also suggests that actors targeting military/defense sectors had more diverse objectives, including seeding\r\ninfluence narratives, monetizing claimed access, and influencing developments on the ground. Some observed\r\nattack/targeting trends over the last year include the following:\r\nDDoS Attacks: Multiple pro-Russia hacktivist groups have claimed distributed denial-of-service (DDoS)\r\nattacks targeting government and private organizations involved in defense. This includes multiple such\r\nattacks claimed by the group NoName057(16), which has prolifically leveraged DDoS attacks against a\r\nrange of targets. While this often may be more nuisance-level activity, it demonstrates at the most basic\r\nlevel how defense sector targeting is a part of hacktivist threat activity that is broadly oriented toward\r\ntargeting entities in countries that support Ukraine. \r\nNetwork Intrusion: In limited instances, pro-Russia groups claimed intrusion activity targeting private\r\ndefense-sector organizations. Often this was in support of hack-and-leak operations. For example, in\r\nNovember 2025, the group PalachPro claimed to have targeted multiple Italian defense companies, alleging\r\nthat they exfiltrated sensitive data from their networks—in at least one instance, PalachPro claimed it\r\nwould sell this data; that same month, the group Infrastructure Destruction Squad claimed to have launched\r\nan unsuccessful attack targeting a major US arms producer.  
\r\nDocument Leaks: A continuous stream of claimed or otherwise implied hack and leak operations has\r\ntargeted the Ukrainian military and the government and private organizations that support Ukraine.\r\nBeregini and JokerDNR (aka JokerDPR) are two notable pro-Russia groups engaged in this activity, both\r\nof which regularly disseminate documents that they claim are related to the administration of Ukraine’s\r\nmilitary, coordination with Ukraine’s foreign partners, and foreign weapons systems supplied to Ukraine.\r\nGTIG cannot confirm the potential validity of all the disseminated documents, though in at least some\r\ninstances the sensitive nature of the documents appears to be overstated. \r\nOften, Beregini and JokerDNR leverage this activity to promote anti-Ukraine narratives, including\r\nthose that appear intended to reduce domestic confidence in the Ukrainian government by alleging\r\nthings like corruption and government scandals, or that Ukraine is being supplied with inferior\r\nequipment. \r\nPro-Iran Hacktivism Activity\r\nPro-Iran hacktivist threat activity targeting the defense sector has intensified significantly following the onset of\r\nthe Israel-Hamas conflict in October 2023. These operations are characterized by a shift from nuisance-level\r\ndisruptive attacks to sophisticated \"hack-and-leak\" campaigns, supply chain compromises, and aggressive\r\npsychological warfare targeting military personnel. Threat actors such as Handala Hack, Cyber Toufan, and the\r\nCyber Isnaad Front have prioritized the Israeli defense industrial base—compromising manufacturers, logistics\r\nproviders, and technology firms to expose sensitive schematics, personnel data, and military contracts. 
The\r\nobjective of these campaigns is not merely disruption but the degradation of Israel’s national security apparatus\r\nthrough the exposure of military capabilities, the intimidation of defense sector employees via \"doxxing,\" and the\r\nerosion of public trust in the security establishment. \r\nThe pro-Iran persona Handala Hack, which GTIG has observed publicize threat activity associated with\r\nUNC5203, has consistently targeted both the Israeli government and its supporting military-industrial complex. Threat activity attributed to the persona has primarily consisted of hack-and-leak\r\noperations, but has increasingly incorporated doxxing and tactics designed to promote fear, uncertainty, and\r\ndoubt (FUD). \r\nOn the two-year anniversary of al-Aqsa Flood, the day on which Hamas-led militants attacked Israel,\r\nHandala launched “Handala RedWanted,” an actor-controlled website supporting a concerted\r\ndoxxing/intimidation campaign targeting members of Israel’s Armed Forces, its intelligence and\r\nnational security apparatus, and both individuals and organizations the group claims to comprise\r\nIsrael’s military-industrial complex. \r\nFollowing the announcement of RedWanted, the persona has recently signaled an expansion of its\r\noperations with the launch of “Handala Alert.” Significant in terms of a potential expansion in\r\nthe group’s external targeting calculus, which has long prioritized Israel, is a renewed effort by\r\nHandala to “support anti-regime activities abroad.” \r\nOngoing campaigns such as those attributed to the pro-Iran personas Cyber Toufan (UNC5318) and Cyber Isnaad Front\r\n(الجبهة السيبرانية الإسناد) are additionally demonstrative of the broader ecosystem’s longstanding\r\nprioritization of the defense sector. 
\r\nLeveraging a newly established leak channel on Telegram (ILDefenseLeaks), Cyber Toufan has\r\npublicized a number of operations targeting Israel’s military-industrial sector, most of which the\r\ngroup claims to have been the result of a supply chain compromise resulting from its breach of\r\nnetwork infrastructure associated with an Israeli defense contractor. According to Cyber Toufan,\r\naccess to this contractor resulted in the compromise of at least 17 additional Israeli defense\r\ncontractor organizations.\r\nWhile these activities have prioritized the targeting of Israel specifically, claimed operations have in\r\nlimited instances impacted other countries. For example, recent threat activity publicized by Cyber\r\nIsnaad Front, also surrounding the alleged compromise of the aforementioned Israeli defense\r\ncontractor, leaked information involving reported plans by the Australian Defense Force to purchase\r\nSpike NLOS anti-tank missiles from Israel. \r\nConclusion \r\nGiven global efforts to increase defense investment and develop new technologies, the security of the defense\r\nsector is more important to national security than ever. Actors supporting nation-state objectives have interest in\r\nthe production of new and emerging defense technologies, their capabilities, the end customers purchasing them,\r\nand potential methods for countering these systems. Financially motivated actors carry out extortion against this\r\nsector and the broader manufacturing base like many of the other verticals they target for monetary gain. \r\nWhile specific risks vary by geographic footprint and sub-sector specialization, the broader trend is clear: the\r\ndefense industrial base is under a state of constant, multi-vector siege. 
The campaigns against defense contractors\r\nin Ukraine, threats to or exploitation of defense personnel, the persistent volume of intrusions by China-nexus\r\nactors, and the hack, leak, and disruption of the manufacturing base are some of the leading threats to this industry\r\ntoday. To maintain a competitive advantage, organizations must move beyond reactive postures. By integrating\r\nthese intelligence trends into proactive threat hunting and resilient architecture, the defense sector can ensure that\r\nthe systems protecting the nation are not compromised before they ever reach the field.\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/threats-to-defense-industrial-base",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/threats-to-defense-industrial-base"
	],
	"report_names": [
		"threats-to-defense-industrial-base"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b2e48aa5-0dea-4145-a7e5-9a0f39d786d8",
			"created_at": "2024-01-18T02:02:34.643994Z",
			"updated_at": "2026-04-10T02:00:04.959645Z",
			"deleted_at": null,
			"main_name": "UNC5221",
			"aliases": [
				"UNC5221",
				"UTA0178"
			],
			"source_name": "ETDA:UNC5221",
			"tools": [
				"BRICKSTORM",
				"GIFTEDVISITOR",
				"GLASSTOKEN",
				"LIGHTWIRE",
				"PySoxy",
				"THINSPOOL",
				"WARPWIRE",
				"WIREFIRE",
				"ZIPLINE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6ce34ba9-7321-4caa-87be-36fa99dfe9c9",
			"created_at": "2024-01-12T02:00:04.33082Z",
			"updated_at": "2026-04-10T02:00:03.517264Z",
			"deleted_at": null,
			"main_name": "UTA0178",
			"aliases": [
				"UNC5221",
				"Red Dev 61"
			],
			"source_name": "MISPGALAXY:UTA0178",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2c3c22a-b3db-4d4a-9a5a-76bfe6171843",
			"created_at": "2023-11-21T02:00:07.315543Z",
			"updated_at": "2026-04-10T02:00:03.461446Z",
			"deleted_at": null,
			"main_name": "UNC4841",
			"aliases": [
				"SLIME57"
			],
			"source_name": "MISPGALAXY:UNC4841",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c306e698-3b48-46d7-b571-3dfa0c828379",
			"created_at": "2023-05-16T02:02:09.957677Z",
			"updated_at": "2026-04-10T02:00:03.364345Z",
			"deleted_at": null,
			"main_name": "APT43",
			"aliases": [],
			"source_name": "MISPGALAXY:APT43",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "80edca9f-dcd6-491e-92f3-87ad1f575631",
			"created_at": "2023-10-14T02:03:14.694988Z",
			"updated_at": "2026-04-10T02:00:05.021046Z",
			"deleted_at": null,
			"main_name": "NetSec",
			"aliases": [
				"NetSec",
				"Operation Data Breach",
				"ScarFace_TheOne",
				"USDoD"
			],
			"source_name": "ETDA:NetSec",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "13bedce4-3115-4563-afd5-068e3930e68e",
			"created_at": "2023-01-06T13:46:38.623775Z",
			"updated_at": "2026-04-10T02:00:03.042652Z",
			"deleted_at": null,
			"main_name": "APT5",
			"aliases": [
				"KEYHOLE PANDA",
				"BRONZE FLEETWOOD",
				"TEMP.Bottle",
				"Mulberry Typhoon",
				"Poisoned Flight"
			],
			"source_name": "MISPGALAXY:APT5",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "dabb6779-f72e-40ca-90b7-1810ef08654d",
			"created_at": "2022-10-25T15:50:23.463113Z",
			"updated_at": "2026-04-10T02:00:05.369301Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"APT1",
				"Comment Crew",
				"Comment Group",
				"Comment Panda"
			],
			"source_name": "MITRE:APT1",
			"tools": [
				"Seasalt",
				"ipconfig",
				"Cachedump",
				"PsExec",
				"GLOOXMAIL",
				"Lslsass",
				"PoisonIvy",
				"WEBC2",
				"Mimikatz",
				"gsecdump",
				"Pass-The-Hash Toolkit",
				"Tasklist",
				"xCmd",
				"pwdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f0f91a2f-ae05-4658-a6df-14938355eecb",
			"created_at": "2024-03-02T02:00:03.833721Z",
			"updated_at": "2026-04-10T02:00:03.598612Z",
			"deleted_at": null,
			"main_name": "UNC1549",
			"aliases": [
				"Nimbus Manticore"
			],
			"source_name": "MISPGALAXY:UNC1549",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4134675e-5b72-4b50-8d70-1a8f18aafbb4",
			"created_at": "2024-10-04T02:00:04.766263Z",
			"updated_at": "2026-04-10T02:00:03.715945Z",
			"deleted_at": null,
			"main_name": "Handala",
			"aliases": [],
			"source_name": "MISPGALAXY:Handala",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "82a51997-1402-41c3-86df-6f9e522b2ba8",
			"created_at": "2024-04-27T02:00:03.554045Z",
			"updated_at": "2026-04-10T02:00:03.63698Z",
			"deleted_at": null,
			"main_name": "USDoD",
			"aliases": [],
			"source_name": "MISPGALAXY:USDoD",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "88bd3777-de28-4ed2-a994-e38275333256",
			"created_at": "2024-07-28T02:00:04.697991Z",
			"updated_at": "2026-04-10T02:00:03.683368Z",
			"deleted_at": null,
			"main_name": "APT45",
			"aliases": [],
			"source_name": "MISPGALAXY:APT45",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9df8987a-27fc-45c5-83b0-20dceb8288af",
			"created_at": "2025-10-29T02:00:51.836932Z",
			"updated_at": "2026-04-10T02:00:05.253487Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [
				"UNC3886"
			],
			"source_name": "MITRE:UNC3886",
			"tools": [
				"MOPSLED",
				"VIRTUALPIE",
				"CASTLETAP",
				"THINCRUST",
				"VIRTUALPITA",
				"RIFLESPINE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a08d93aa-41e4-4eca-a0fd-002d051a2c2d",
			"created_at": "2024-08-28T02:02:09.711951Z",
			"updated_at": "2026-04-10T02:00:04.957678Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [
				"Fire Ant"
			],
			"source_name": "ETDA:UNC3886",
			"tools": [
				"BOLDMOVE",
				"CASTLETAP",
				"LOOKOVER",
				"MOPSLED",
				"RIFLESPINE",
				"TABLEFLIP",
				"THINCRUST",
				"Tiny SHell",
				"VIRTUALGATE",
				"VIRTUALPIE",
				"VIRTUALPITA",
				"VIRTUALSHINE",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6d69ef1b-b6f3-47e1-be5a-87ac0fd5ff55",
			"created_at": "2024-04-24T02:00:49.599348Z",
			"updated_at": "2026-04-10T02:00:05.303948Z",
			"deleted_at": null,
			"main_name": "APT5",
			"aliases": [
				"APT5",
				"Mulberry Typhoon",
				"BRONZE FLEETWOOD",
				"Keyhole Panda",
				"UNC2630"
			],
			"source_name": "MITRE:APT5",
			"tools": [
				"Tasklist",
				"PoisonIvy",
				"RAPIDPULSE",
				"PcShare",
				"Mimikatz",
				"SLOWPULSE",
				"SLIGHTPULSE",
				"Skeleton Key",
				"gh0st RAT",
				"PULSECHECK",
				"netstat"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1c91699d-77d3-4ad7-9857-9f9196ac1e37",
			"created_at": "2023-11-04T02:00:07.663664Z",
			"updated_at": "2026-04-10T02:00:03.385989Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC3886",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "786139da-4139-49d0-9685-e249c5f89f25",
			"created_at": "2024-12-30T02:01:48.731055Z",
			"updated_at": "2026-04-10T02:00:04.763086Z",
			"deleted_at": null,
			"main_name": "TA455",
			"aliases": [
				"Bohrium",
				"DEV-0056",
				"Operation Iranian Dream Job",
				"Smoke Sandstorm",
				"TA455",
				"UNC1549",
				"Yellow Dev 13"
			],
			"source_name": "ETDA:TA455",
			"tools": [
				"LIGHTRAIL",
				"MINIBIKE",
				"SlugResin",
				"SnailResin"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a7ff9823-17a0-4fcd-955e-ade8164bd827",
			"created_at": "2024-12-21T02:00:02.861322Z",
			"updated_at": "2026-04-10T02:00:03.7962Z",
			"deleted_at": null,
			"main_name": "UAC-0185",
			"aliases": [
				"UNC4221"
			],
			"source_name": "MISPGALAXY:UAC-0185",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4a6d558-3cba-499c-b58a-f15d65b7a604",
			"created_at": "2023-01-06T13:46:39.346924Z",
			"updated_at": "2026-04-10T02:00:03.295317Z",
			"deleted_at": null,
			"main_name": "Killnet",
			"aliases": [],
			"source_name": "MISPGALAXY:Killnet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "31da1b1f-743b-40ef-bd17-1e07c5500392",
			"created_at": "2024-06-19T02:00:04.382822Z",
			"updated_at": "2026-04-10T02:00:03.655982Z",
			"deleted_at": null,
			"main_name": "UAC-0020",
			"aliases": [
				"SickSync",
				"Vermin"
			],
			"source_name": "MISPGALAXY:UAC-0020",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2d52f649-28b3-4ae9-9ef9-49d1bc85cf7a",
			"created_at": "2024-01-09T02:00:04.211752Z",
			"updated_at": "2026-04-10T02:00:03.514428Z",
			"deleted_at": null,
			"main_name": "Cyber Toufan",
			"aliases": [],
			"source_name": "MISPGALAXY:Cyber Toufan",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7a2dd0e8-beea-415c-b90d-4df9da8358ae",
			"created_at": "2024-09-20T02:00:04.575485Z",
			"updated_at": "2026-04-10T02:00:03.695726Z",
			"deleted_at": null,
			"main_name": "UNC2970",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC2970",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0dc20eeb-81e3-48ef-9a12-7b38fdcf07b1",
			"created_at": "2025-09-20T02:04:46.693616Z",
			"updated_at": "2026-04-10T02:00:03.735806Z",
			"deleted_at": null,
			"main_name": "COBALT SMOKEY",
			"aliases": [
				"Nimbus Manticore ",
				"Smoke Sandstorm ",
				"Subtle Snail ",
				"TA455 ",
				"UNC1549 "
			],
			"source_name": "Secureworks:COBALT SMOKEY",
			"tools": [
				"LIGHTRAIL",
				"MINIBIKE",
				"MINIBUS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b05a0147-3a98-44d3-9b42-90d43f626a8b",
			"created_at": "2023-01-06T13:46:39.467088Z",
			"updated_at": "2026-04-10T02:00:03.33882Z",
			"deleted_at": null,
			"main_name": "NoName057(16)",
			"aliases": [
				"NoName057",
				"NoName05716",
				"05716nnm",
				"Nnm05716"
			],
			"source_name": "MISPGALAXY:NoName057(16)",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0cfbbc-2acf-4cc8-afe1-1859679c522c",
			"created_at": "2022-10-25T16:07:24.373716Z",
			"updated_at": "2026-04-10T02:00:04.963615Z",
			"deleted_at": null,
			"main_name": "Vendetta",
			"aliases": [
				"TA2719"
			],
			"source_name": "ETDA:Vendetta",
			"tools": [
				"AsyncRAT",
				"Atros2.CKPN",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"ReZer0",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"RoboSki",
				"Socmer",
				"Zurten"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "47a8f6c7-5b29-4892-8f47-1d46be71714f",
			"created_at": "2025-08-07T02:03:24.599925Z",
			"updated_at": "2026-04-10T02:00:03.720795Z",
			"deleted_at": null,
			"main_name": "BRONZE FLEETWOOD",
			"aliases": [
				"APT5 ",
				"DPD ",
				"Keyhole Panda ",
				"Mulberry Typhoon ",
				"Poisoned Flight ",
				"TG-2754 "
			],
			"source_name": "Secureworks:BRONZE FLEETWOOD",
			"tools": [
				"Binanen",
				"Comfoo",
				"Gh0st RAT",
				"Isastart",
				"Leouncia",
				"Marade",
				"OrcaRAT",
				"PCShare",
				"Protux",
				"Skeleton Key",
				"SlyPidgin",
				"VinSelf"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1103f128-3e5f-40bc-9aa1-4c68c699bd24",
			"created_at": "2026-03-24T02:00:04.636396Z",
			"updated_at": "2026-04-10T02:00:03.991696Z",
			"deleted_at": null,
			"main_name": "Infrastructure Destruction Squad",
			"aliases": [
				"Dark Engine"
			],
			"source_name": "MISPGALAXY:Infrastructure Destruction Squad",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434636,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/46ee3edf6cffeecb97fdaa17f0fd0d3e741353d8.pdf",
		"text": "https://archive.orkl.eu/46ee3edf6cffeecb97fdaa17f0fd0d3e741353d8.txt",
		"img": "https://archive.orkl.eu/46ee3edf6cffeecb97fdaa17f0fd0d3e741353d8.jpg"
	}
}