{
	"id": "7337f341-2648-495b-a9e2-fd4ac702871f",
	"created_at": "2026-04-06T00:12:48.780977Z",
	"updated_at": "2026-04-10T03:38:19.596419Z",
	"deleted_at": null,
	"sha1_hash": "47b4760a8c97074eb2b62bcfcaf0ea544cb1cd53",
	"title": "Establishing the TigerRAT and TigerDownloader malware families | Threatray",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3492154,
	"plain_text": "Establishing the TigerRAT and TigerDownloader malware families | Threatray\r\nArchived: 2026-04-05 13:55:48 UTC\r\nExecutive Summary\r\nRecent research by Malwarebytes (April 2021), Kaspersky (June 2021) and the Korean CERT (September 2021) reports on attacks against South Korean entities that employ new techniques and previously unknown malware. The initial report by Malwarebytes attributes the attack to the Lazarus group. Kaspersky refines the attribution to the Andariel APT, a subgroup of Lazarus. Korea CERT (KrCERT) reports a new attack and calls the malware tools seen in this attack TigerDownloader and TigerRAT. The KrCERT report provides a thorough, indicator-based analysis of the relationship between their malware samples and those previously analyzed by Kaspersky and Malwarebytes. They also employ a proprietary attribution technology to further relate the attacks.\r\nIn this report, we focus on the malware tooling from the previously reported attacks. We provide new evidence attributing these tools to the same downloader and RAT families, which we will refer to as TigerDownloader and TigerRAT respectively. We have chosen these names in recognition of KrCERT’s work, in which the names were first introduced for the tools they studied.\r\nWe systematically study code reuse as well as functional commonalities between all the samples used in the different stages of the previously reported attacks (i.e., packers, downloaders, and RAT payloads). We have also found that while the tools fall into the two families, different variants of the tools have been deployed in the reported attacks. For the RAT payloads, we have found three versions with distinct capabilities. For the downloaders we have found two versions, one with and the other without persistence capabilities.\r\nApart from these findings, we contribute novel insights and speculations to the existing body of knowledge toward a clearer mapping of the techniques and tools used by this threat actor. Finally, we are making our unpacking and config extraction scripts as well as raw data available to the community (https://github.com/threatray/tigerrat) to facilitate further research and defense capabilities.\r\nIntroduction\r\nWhat is the Andariel APT group?\r\nAndariel is a state-sponsored threat actor. It is a subgroup of the Lazarus cybercrime group, considered one of the most sophisticated North Korean threat actors, to which threat researchers have attributed many attacks from 2009 to 2021. The Andariel group mostly targets South Korean entities, focusing mainly on financial gain and cyber espionage. The group is known to employ custom tools and new techniques to increase the effectiveness of its attacks.\r\nPrevious research\r\nApril 19, 2021: Malwarebytes reported a recent attack targeting South Korea using a malicious Word document. The Malwarebytes report describes the attack and attributes it to the Lazarus group. Malwarebytes discovered a novel downloader component used in the attack. – https://blog.malwarebytes.com/threat-intelligence/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/\r\nJune 15, 2021: Kaspersky released a blog post about the same attack, mentioning the Malwarebytes report and saying they detected the Word document in April. Kaspersky refines the attribution to the Andariel APT group, a subgroup of Lazarus. Kaspersky’s analysis is based on operational similarities found between the current and past attacks of the Andariel APT group. They also identify novel downloaders and RAT payloads. In addition, they find a new ransomware deployed by the RAT. – https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/\r\nSeptember 2021: KrCERT reports on an operation they call “ByteTiger”, a campaign targeting South Korean entities which they have attributed to the Andariel APT group. This report analyzes in detail a multistage attack with two unknown pieces of code which they call TigerDownloader and TigerRAT. They link the new attack to the samples previously disclosed by Malwarebytes and Kaspersky using proprietary tooling. Linkage is apparently done through similarities / reuse of code, rich headers, section hashes and C2 infrastructure, yet no further details are shared in the report. – https://www.krcert.or.kr/filedownload.do?attach_file_seq=3277\u0026attach_file_id=EpF3277.pdf\r\nThe attack chains in all the reported cases have some structural similarities (see Figure 1). In all three reports a downloader malware has been observed. Kaspersky and KrCERT have additionally seen a third-stage RAT component. Concerning the access methods, malicious documents were used in the cases reported by Malwarebytes and Kaspersky, whereas a compromised website was used in the KrCERT case.\r\nhttps://www.threatray.com/blog/establishing-the-tigerrat-and-tigerdownloader-malware-families\r\nPage 1 of 15\n\nFigure 1: Similarities and differences between the attack chains reported by Malwarebytes, Kaspersky and KrCERT.\r\nPacker analysis\r\nIn this section we first establish that the packed binaries share common code that originates from the unpacking algorithm. Then we show that there is a common packing scheme underlying all the packed samples at our disposal. Our findings thus provide strong evidence that the binaries are related by the same packer. 
Should the packer be under exclusive control of the attacker (which we don’t know), then our findings would allow attribution of all the binaries to the same actor.\r\nShared code in packed samples\r\nTo quickly understand whether the packed samples are related, we performed an automated code reuse analysis at the function level. The results of that analysis are shown in Figure 2. In the table, the numbers in the “function reuse” column measure the number of samples in which a function occurs. As an example, the function at the address 0x140002b70 (first row) appears in 27 out of 27 packed samples, that is, it occurs in all packed samples.\r\nFigure 2: Function reuse across the 27 packed binaries which we have analyzed.\r\nThere are several other functions (i.e., 0x140001bf0, 0x140002030, 0x140002860) that appear in 27 or 26 samples. From the table, we can establish that the packed samples are clearly related. All of them have two functions in common, and there are various subsets of the samples that feature substantial code reuse.\r\nIn a nutshell, the automated function reuse analysis gives us a quick understanding of the relations between the packed samples. As we shall see next, it also directs our manual analysis efforts.\r\nBased on the analysis, we suspected that the samples share a few functions that do the actual unpacking, while some of the remaining functions are used to avoid detection by antivirus, Yara and related pattern-based detection technologies. We then took a closer look at these stable functions and could confirm that they do, indeed, contain packing functionality. The results of this analysis are shown in Figure 3.\r\nPACKED HASH              FUNCTION ADDRESS   FUNCTION REUSE   FUNCTIONALITY\r\n0996a8e5ec1a41645309…    140002b70          27/27            map_decrypted_payload()\r\n0996a8e5ec1a41645309…    140001bf0          27/27            anti_analysis_check()\r\n0996a8e5ec1a41645309…    140002030          26/27            do_unpacking()\r\n0996a8e5ec1a41645309…    140002860          26/27            dynamic_winapi_resolution()\r\n0996a8e5ec1a41645309…    140002360          12/27            main_program()\r\n0996a8e5ec1a41645309…    140002a30          14/27            relocate_mapped_payload()\r\nFigure 3: Functionality found in the most stable functions.\r\nWe could also confirm the presence of junk code meant to defeat detection technologies. Figure 4 shows the same function decrypt_payload() in two different samples. We can see junk functions like GetFontUnicodeRanges(), GetSysColorBrush() and CreateBitMap() which are called but whose return values are never used. In the figure, the effective unpacking code, in this case the XOR decryption algorithm, is contained within the green boxes shown. We have found this junk-code strategy in all the packed code and throughout many functions.\r\nFigure 4: Junk code in packer code to avoid anti-virus and Yara detections.\r\nIn summary, we have seen so far that the packed samples are related by common packer code. The code-wise differences between the packed samples are mainly due to the presence of junk code.\r\nCommon packing scheme\r\nThe packer is a simple loader which decrypts and maps the payload into memory. The decryption scheme is a simple XOR using a 16-byte key; this has been established in previous research.\r\nAdditionally, we found that all packer variants follow the same common packing scheme, where the variants of the scheme are determined by two parameters. 
One parameter is whether or not the packed payload is Base64 encoded; the other is where the packed payload is stored within the PE file.\r\nThe variations concerning the encoding of the payload are illustrated in Figure 5.\r\nFigure 6: Variations of packed code locations in a PE file. Left to right: packed code in the PE overlay, in the PE resource section, or in a dedicated PE section, named OTC in this example.\r\nFor the third variant using a dedicated section, we observed the following section names: “KDATA,” “OTC,” “OTS,” “OTT,” and “data.” We could not identify the significance, if any, underlying these names.\r\nOur findings are summarized in Figure 7, which shows the packing scheme common to all packed downloader and RAT variants we analyzed.\r\nFigure 7: Packing scheme common to all samples.\r\nMalware families and variants\r\nIn this section, we establish through code reuse analysis that all the unpacked binaries fall into either a downloader or a RAT family. We call these families TigerDownloader and TigerRAT; these names were introduced in the KrCERT report to refer to the downloader and RAT components in their investigation.\r\nTo get a quick understanding of the unpacked binaries, we have performed a combined cluster and code-reuse analysis. This analysis allows us to automatically identify malware families and malware variants within a family. The goal of this analysis is to gain a quick understanding of the relationship between binaries and to direct analysts to the relevant samples for further manual analysis, to eventually understand the attacker’s tooling and capabilities.\r\nThe results of the cluster and code-reuse analysis are shown in Figure 8. The figure confirms that the unpacked binaries fall into either the TigerDownloader (blue) or the TigerRAT (orange) family. 
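Reversing the packing scheme summarized in Figure 7 takes only a few lines once the two parameters are known. The following Python is an added example written for this page, not Threatray’s published unpacking script: it walks the PE section table, tries the dedicated-section locations (KDATA/OTC/OTS/OTT/data) and then the overlay, Base64-decodes when the blob looks like Base64 text, and XOR-decrypts with a 16-byte key until an MZ header appears. Assumptions: the 16-byte key has already been recovered from the packer stub by other means and is passed in; the resource-section location is left out; and build_packed_sample() produces a constructed minimal PE carrier for the demonstration, not a real sample.

```python
import base64
import re
import struct

# Section names observed for the dedicated-section variant (from the report).
PAYLOAD_SECTIONS = {b'KDATA', b'OTC', b'OTS', b'OTT', b'data'}
_B64 = re.compile(rb'[A-Za-z0-9+/]+={0,2}')


def parse_sections(pe):
    # Return [(name, raw_offset, raw_size)] from the PE section table, stdlib only.
    if pe[:2] != b'MZ':
        raise ValueError('not a PE file')
    e_lfanew = struct.unpack_from('<I', pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b'PE' + bytes(2):
        raise ValueError('bad NT signature')
    n_sections = struct.unpack_from('<H', pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from('<H', pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    out = []
    for i in range(n_sections):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(bytes(1))
        raw_size, raw_ptr = struct.unpack_from('<II', pe, hdr + 16)
        out.append((name, raw_ptr, raw_size))
    return out


def locate_payload(pe):
    # Candidate blobs in the order the scheme allows: named sections, then the overlay.
    sections = parse_sections(pe)
    cands = [(n.decode(), pe[p:p + s]) for n, p, s in sections if n in PAYLOAD_SECTIONS and s]
    end = max((p + s for _, p, s in sections), default=len(pe))
    if end < len(pe):                      # bytes after the last section form the overlay
        cands.append(('overlay', pe[end:]))
    return cands


def xor_decrypt(data, key):
    # Repeating 16-byte XOR; symmetric, so the same routine packs and unpacks.
    if len(key) != 16:
        raise ValueError('scheme uses a 16-byte key')
    return bytes(b ^ key[i % 16] for i, b in enumerate(data))


def unpack(pe, key):
    # Return (location, was_base64, payload) for the first candidate that decrypts
    # to a PE image, or None when no location/encoding combination yields one.
    for location, blob in locate_payload(pe):
        text = blob.rstrip(bytes(1))       # section padding never belongs to Base64 text
        attempts = [(False, blob)]
        if _B64.fullmatch(text) and len(text) % 4 == 0:
            attempts.insert(0, (True, base64.b64decode(text)))
        for was_b64, data in attempts:
            plain = xor_decrypt(data, key)
            if plain[:2] == b'MZ':
                return location, was_b64, plain
    return None


def build_packed_sample(payload, key, section=b'OTC', use_base64=True, overlay=False):
    # Constructed minimal PE carrier for testing (not a real sample): one section, no
    # optional header. The packed blob goes into that section, or after it when overlay=True.
    blob = xor_decrypt(payload, key)
    if use_base64:
        blob = base64.b64encode(blob)
    body = bytes([0xCC]) * 16 if overlay else blob
    e_lfanew = 0x40
    dos = b'MZ' + bytes(0x3C - 2) + struct.pack('<I', e_lfanew)
    file_hdr = struct.pack('<HHIIIHH', 0x8664, 1, 0, 0, 0, 0, 0)   # x64, 1 section, opt header size 0
    raw_ptr = e_lfanew + 4 + 20 + 40
    sect = section.ljust(8, bytes(1)) + struct.pack('<IIII', len(body), 0x1000, len(body), raw_ptr) + bytes(16)
    image = dos + b'PE' + bytes(2) + file_hdr + sect + body
    return image + blob if overlay else image
```

The Base64 attempt is tried first only when the blob passes an alphabet check, because a raw XOR blob will almost never consist solely of Base64 characters; the MZ check on the output is what actually decides, so a wrong key simply yields None rather than garbage.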
Moreover, we see that each family has three variants (shown as large circles). We have used a cluster threshold of 97.5%, meaning that binaries which are at least 97.5% similar fall into the same cluster. The clusters in the graph consist of the so-called “cluster representatives” (large circles) and the samples (small circles) directly connected to a cluster representative. The underlying idea is that the samples within a cluster are essentially identical and thus well represented by the cluster representative.\r\nFigure 8: Cluster and code-reuse analysis of the unpacked samples with their abbreviated hashes.\r\nWe note that the choice of the cluster threshold has an obvious impact on the variants: a high threshold reveals more variants, including minor ones, while a low threshold reveals fewer, only major, variants.\r\nWe draw the following conclusions from the graphs:\r\nThere is no code reuse between the TigerDownloader and the TigerRAT family. We recall from the packer analysis that although the families are code-wise distinct, they are packed using the same packing scheme.\r\nWithin the downloader family, there are three variants: one x86 and two x64 variants. The two x64 variants are very closely related (97% code reuse) and thus are likely variants with minor differences.\r\nWithin the RAT family, we have a similar situation with three variants: one x86 and two x64. However, the two x64 variants only share 55% of their code and thus seem to be substantially different RAT variants.\r\nThe code reuse between the x64 and x86 binaries is lower, which is expected due to compiler and CPU architecture differences, but relevant code reuse can still be found.\r\nThe table in Figure 9 shows the detailed composition of the clusters from the previous graphs. 
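The clustering just described (a similarity threshold, cluster representatives, and the samples attached to them) can be reproduced in a few lines, which also makes the threshold sensitivity noted above concrete. The following Python is an added example written for this page, not Threatray’s own implementation: similarity is a plain Jaccard overlap of per-sample function fingerprint sets, which is only a stand-in for the code-similarity measure behind Figure 8, and the fingerprint sets are constructed to mirror the downloader numbers quoted above (two x64 downloaders at about 97% reuse, a repacked copy at 100%, and two RAT variants sharing only part of their code).

```python
def code_reuse(funcs_a, funcs_b):
    # Percentage of shared function fingerprints (Jaccard index). Any symmetric score
    # in [0, 100] can replace this; cluster() only needs the threshold comparison.
    if not funcs_a and not funcs_b:
        return 100.0
    return 100.0 * len(funcs_a & funcs_b) / len(funcs_a | funcs_b)


def cluster(samples, threshold):
    # Greedy representative clustering. Samples are visited in insertion order; a sample
    # joins the first representative it is at least `threshold` percent similar to,
    # otherwise it becomes a new representative. Returns {representative: [members]}.
    clusters = {}
    for name, funcs in samples.items():
        for rep in clusters:
            if code_reuse(funcs, samples[rep]) >= threshold:
                clusters[rep].append(name)
                break
        else:
            clusters[name] = []
    return clusters


def reuse_matrix(samples, reps):
    # Pairwise code reuse between representatives (the edge weights of a graph like
    # Figure 8), rounded to whole percent, keyed by the alphabetically ordered pair.
    return {(a, b): round(code_reuse(samples[a], samples[b]))
            for a in reps for b in reps if a < b}


def build_constructed_samples():
    # Constructed function-fingerprint sets (not real hashes), shaped like the report:
    # two x64 downloaders differing by one persistence function, a repacked copy of one
    # of them (identical once unpacked), and two x64 RATs that share only part of their code.
    dl_core = {'dl_%02d' % i for i in range(32)}
    rat_core = {'rat_%02d' % i for i in range(20)}
    return {
        'dl_x64_a':        set(dl_core),
        'dl_x64_a_repack': set(dl_core),                        # same payload, different packer run
        'dl_x64_b':        dl_core | {'dl_persist_shortcut'},   # 32 of 33 shared, i.e. 97.0%
        'rat_x64_a':       set(rat_core),
        'rat_x64_b':       {'rat_%02d' % i for i in range(11)} | {'rat_new_%d' % i for i in range(9)},
    }
```

At the 97.5% threshold the two x64 downloaders land in separate clusters, exactly as in Figure 8; lowering the threshold to 95% merges them, which is the “fewer, only major, variants” effect described above.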
We also notice that some (hash-wise) unique packed samples result in (hash-wise) identical unpacked samples, reducing the effective diversity of the samples under consideration.\r\nFigure 9: Detailed cluster information.\r\nIn the following sections we analyze the downloader and RAT variants in more detail, limiting our analysis to the cluster representatives. This ability to reduce the analysis to cluster representatives is key to the directed and efficient analysis and tracking of malware variants. The cluster representatives and the names used for them in the following analysis are shown in Figure 10.\r\nCLUSTER   STAGE                          SAMPLE NAME                    HASH\r\n0         RAT (x64), 3rd stage           RAT-Kaspersky-x64              bbddcb280af742ce10842b18b9d7120632cc042a8fe42eed90fc4bc94f2d71ac\r\n1         RAT (x64), 3rd stage           RAT-KrCERT-x64                 f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c\r\n2         Downloader (x64), 2nd stage    Downloader-Malwarebytes-x64    1177105e51fa02f9977bd435f9066123ace32b991ed54912ece8f3d4fbeeade4\r\n3         Downloader (x64), 2nd stage    Downloader-Kaspersky-x64       588cdbd3ee3594525eb62fa7bab148f6d7ab000737fc0c311a5588dc96794acc\r\n4         Downloader (x86), 2nd stage    Downloader-Kaspersky-x86       49a13bf0aa53990771b7b7a7ab31d6805ed1b547e7d9f114e8e26a98f6fbee28\r\n5         RAT (x86), 3rd stage           RAT-Kaspersky-x86              464eaa82103f6f479e0d62dd48d2dab8ece300458136c03165d20915ee658067\r\nFigure 10: Cluster representatives used in the subsequent analysis.\r\nTigerDownloader variants\r\nIn this section, we take a closer look at the two x64 downloader variants: Downloader-Malwarebytes-x64 and Downloader-Kaspersky-x64. 
From the cluster and code reuse analysis (see Figure 8) we know that they share 97% of their code and thus are minor variants of the TigerDownloader family.\r\nUsing the binary diffing capabilities of our analysis toolchain, we see in Figure 11 that the samples are largely made up of the same functions, except for one function (at address 0x140001230) that is unique to the Kaspersky (Downloader-Kaspersky-x64) sample.\r\nFigure 11: Function level diff between Downloader-Kaspersky-x64 and Downloader-Malwarebytes-x64.\r\nAnalyzing the downloader sample from Kaspersky (see Figure 12), we see that the unknown function (0x140001230) is called from the main function of the downloader.\r\nFigure 12: Left, Downloader-Kaspersky-x64; right, Downloader-Malwarebytes-x64.\r\nIt turns out that this function is used to achieve persistence. The technique is straightforward and consists of creating a shortcut in the current user’s Startup folder so that the downloader is started again after a reboot of the victim machine (see Figures 13 and 14).\r\nFigure 13: Function which creates a shortcut for persistence.\r\nFigure 14: Shortcut to the persistent executable.\r\nFinally, we note that we have not found any persistence technique in the Downloader-Malwarebytes-x64 sample. The reason is likely a wish to minimize the indicators left on victim machines.\r\nPossible connections to the KrCERT TigerDownloader\r\nUnfortunately, the downloader sample (f0ff67d4d34fe34d52a44b3515c44950) from the KrCERT report is not publicly available, thus we could not include it in our analysis. To nevertheless examine possible relations between the KrCERT downloader and the Malwarebytes and Kaspersky downloaders, we attempted to connect them purely based on the artifacts and behaviors publicly reported by KrCERT.\r\nLet’s start with a negative result. KrCERT reports three C2 commands which they found in their downloader (see Figure 15). We could not find any of the “Tiger10X” identifiers in the downloaders at our disposal, nor were we able to find any other identifiers which could be C2 commands.\r\nIDENTIFIER   ACTION\r\nTiger101     Send victim info\r\nTiger102     Receive command\r\nTiger103     File upload\r\nFigure 15: TigerDownloader C2 commands reported by KrCERT.\r\nOn the other hand, we have found various aspects reported by KrCERT that are also present in the other downloaders:\r\nThe packer in the KrCERT report fits into the packing scheme which we have established above.\r\nKrCERT reports that the communication is encoded using Base64, which we have also observed in our samples.\r\nThe 3rd stages (RATs) which are downloaded by the 2nd stages (downloaders) all belong to the same TigerRAT family (as we shall establish in the following section).\r\nIn a nutshell, the observations above suggest that the KrCERT downloader might be related to the downloaders observed by Malwarebytes and Kaspersky. However, this remains speculative, because without access to the KrCERT sample we lack hard evidence.\r\nTigerRAT variants\r\nWe recall from the code reuse and cluster analysis (see Figure 8) that we could connect all RATs to the same TigerRAT family through code-reuse analysis. We have also seen that the RAT variants differ more substantially than the downloader variants. For instance, the variants RAT-Kaspersky-x64 and RAT-KrCERT-x64 share only about 55% of their code.\r\nIn this section, we take a closer look at the RAT variants. 
We present strong new evidence on the functional and design levels that further attributes the RAT variants at our disposal to the same TigerRAT malware family. We also show that the variants mainly differ in the C2 commands they implement.\r\nFor this analysis, we focus on the representatives RAT-Kaspersky-x64, RAT-KrCERT-x64 and RAT-Kaspersky-x86 which we established earlier (see Figure 10).\r\nCommands and capabilities per variant\r\nLet’s look at the C2 commands which we have found in the different variants. Figure 16 shows all the C2 commands that we have observed in at least one of the three RAT variants. The absence of commands with the ids 0x08 and 0x09 leads us to speculate that there are yet unknown samples in the wild which do include these commands.\r\nCOMMAND         ID\r\nSelfDelete      0x01\r\nSystemInfo      0x02\r\nShell           0x03\r\nFileManager     0x04\r\nKeylogger       0x05\r\nSocksTunnel     0x06\r\nScreenCapture   0x07\r\nPortForwarder   0x0a\r\nFigure 16: Summary of all C2 commands which are available in at least one of the three RAT variants.\r\nNext, we look at the C2 commands which are supported by the different variants (see Figure 17).\r\nRAT VARIANT          COMMANDS\r\nRAT-Kaspersky-x86    FileManager, ScreenCapture, SelfDelete, Shell\r\nRAT-Kaspersky-x64    FileManager, Keylogger, ScreenCapture, SelfDelete, Shell, SocksTunnel, SystemInfo\r\nRAT-KrCERT-x64       FileManager, Keylogger, PortForwarder, ScreenCapture, SelfDelete, Shell, SocksTunnel, SystemInfo\r\nFigure 17: C2 commands found in the different RAT variants.\r\nWe see that the three variants which we have automatically identified using cluster analysis are indeed three functionally distinct variants. Apart from these variations in C2 capabilities, the core code of the variants is largely identical. Thus, it is essentially the C2 commands that define the three variants. We also observe that the four commands “FileManager,” “ScreenCapture,” “SelfDelete” and “Shell” are common to all variants.\r\nA common interface for C2 commands\r\nWe have found an interface that is common to all three variants, as follows:\r\nstruct t_Module_GenericCommandInterface\r\n{\r\n    t_GenericCommand *Command;        // table of handlers for this command\r\n    _DWORD id;                        // Command id\r\n    t_MainStructure *MainStructure;\r\n    _BYTE unk_data[0x10];\r\n    _BYTE initialized;\r\n};\r\nstruct t_GenericCommand\r\n{\r\n    void (*init)(t_Module_GenericCommandInterface *a1);\r\n    void (*execute)(t_Module_GenericCommandInterface *a1);\r\n    void (*enable)(t_Module_GenericCommandInterface *a1);\r\n    void (*disable)(t_Module_GenericCommandInterface *a1);\r\n    void *enabled;\r\n};\r\nThe interface provides an abstraction that is implemented by all C2 commands found in the RATs. This common interface establishes a strong relation between the variants within their core C2 functionalities.\r\nNew C2 protocol variant in RAT-KrCERT-x64\r\nThe C2 protocol is essentially identical across all variants. The exception is a minor protocol change which we spotted in the RAT-KrCERT-x64 variant. 
The change concerns the registration of the malware with the C2 and consists of an extra check located in the TCP module, which is responsible for all communication with the C2:\r\nstruct t_TCP\r\n{\r\n    void (*constructor)(t_Module_TCP *a1);\r\n    void (*set_cncs)(t_Module_TCP *a1);\r\n    void (*connect_to_cnc)(t_Module_TCP *a1);\r\n    void (*check_response_from_cnc)(t_Module_TCP *a1);\r\n    void (*listen_to_new_commands)(t_Module_TCP *a1);\r\n    void (*close_socket)(t_Module_TCP *a1);\r\n    void (*send_data)(t_Module_TCP *a1, t_EncData *a2, int a3);\r\n    void (*process_recv_command)(t_Module_TCP *a1);\r\n    void (*enable_commands)(t_Module_TCP *a1);\r\n    void *var_1;\r\n};\r\nstruct t_TCP_Variant_KrCERT_x64\r\n{\r\n    void (*constructor)(t_Module_TCP *a1);\r\n    void (*set_cncs)(t_Module_TCP *a1);\r\n    void (*connect_to_cnc)(t_Module_TCP *a1);\r\n    void (*check_response_from_cnc)(t_Module_TCP *a1);\r\n    void (*new_check_from_cnc_response)(t_Module_TCP *a1); // new in the RAT-KrCERT-x64 variant\r\n    void (*listen_to_new_commands)(t_Module_TCP *a1);\r\n    void (*close_socket)(t_Module_TCP *a1);\r\n    void (*send_data)(t_Module_TCP *a1, t_EncData *a2, int a3);\r\n    void (*process_recv_command)(t_Module_TCP *a1);\r\n    void (*enable_commands)(t_Module_TCP *a1);\r\n    void *var_1;\r\n};\r\nIn Figure 18, the red rectangle contains the new protocol check which was added to the RAT-KrCERT-x64 variant.\r\nFigure 18: Left, other variants; right, RAT-KrCERT-x64 variant.\r\nThe new function essentially sends a 17-byte chunk to the C2. We have not analyzed what data is sent, but it looks like it could be a bot identifier or something similar. Once the data is sent, the function checks that the C2 returns the string “n0gyPPx” (see Figure 19).\r\nFigure 19: C2 protocol check for “n0gyPPx.”\r\nIn addition to this protocol change, we have also observed a change in the HTTP header that is sent at the beginning of the communication, in the very first request, by the RAT-KrCERT-x64 variant (see Figure 20).\r\nRAT VARIANT                            HTTP HEADER\r\nRAT-KrCERT-x64                         HTTP 1.1 /index.php?member=sbi2009 SSL3.3.7\r\nRAT-Kaspersky-x64, RAT-Kaspersky-x86   HTTP 1.1 /member.php SSL3.4\r\nFigure 20: HTTP header variants.\r\nBased on this protocol analysis, we believe that RAT-KrCERT-x64 is a slightly newer version of the RAT which is at the same time clearly related to the other versions.\r\nConclusions\r\nOur analysis revealed new evidence and insights enabling us to attribute the Andariel APT binaries previously reported by Malwarebytes, Kaspersky and KrCERT to two new malware families. We call these the TigerDownloader and TigerRAT families, using the names originally introduced by KrCERT. We have also seen that all the binaries are related by the same packing scheme. Our results are based on both automated code-reuse analysis and manual analysis of the malware tooling described in the previous reports.\r\nTo facilitate further research and defense capabilities, we are sharing our unpacking and config-extraction scripts as well as data with the community (https://github.com/threatray/tigerrat).\r\nThe analysis in this report is based on the malware samples at our disposal at the time of writing. During our analysis, we found indicators suggesting that additional, not yet publicly known, variants may exist. Since threat analysis and attribution is data-driven and evolving work, additional samples may complete our current findings or lead to new findings. 
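The protocol markers established in the RAT analysis (the 17-byte registration chunk answered with “n0gyPPx”, and the two first-request header strings of Figure 20) translate directly into a network check. The following Python is an added example for this page, not tooling from the report: it walks the messages of one reassembled TCP conversation, records which header variant opened it and whether the KrCERT-style registration exchange took place, and returns a verdict. The capture records are constructed for the demonstration, and the only assumption beyond the report is that the header string appears at the start of the bot’s first message.

```python
from collections import namedtuple

# One message of a reassembled TCP conversation; direction is 'c2s' (bot to C2) or 's2c'.
Msg = namedtuple('Msg', 'direction payload')

# Indicators taken from the report, byte-exact as printed there.
HEADER_VARIANTS = {
    b'HTTP 1.1 /index.php?member=sbi2009 SSL3.3.7': 'RAT-KrCERT-x64',
    b'HTTP 1.1 /member.php SSL3.4': 'RAT-Kaspersky-x64 / RAT-Kaspersky-x86',
}
REGISTRATION_REPLY = b'n0gyPPx'   # expected C2 answer to the new registration chunk
REGISTRATION_CHUNK_LEN = 17       # size of the bot-to-C2 chunk; its content is not analyzed


def classify_flow(msgs):
    # Verdict for one conversation:
    #   header_variant: which Figure 20 header opened it (None if neither)
    #   registration:   a 17-byte bot-to-C2 chunk was answered with n0gyPPx
    #   tigerrat:       either indicator fired
    verdict = {'header_variant': None, 'registration': False, 'tigerrat': False}
    first_client = next((m for m in msgs if m.direction == 'c2s'), None)
    if first_client is not None:
        for marker, variant in HEADER_VARIANTS.items():
            if first_client.payload.startswith(marker):
                verdict['header_variant'] = variant
                break
    # The registration check is a two-message sequence, so inspect adjacent pairs.
    for prev, cur in zip(msgs, msgs[1:]):
        if (prev.direction == 'c2s' and len(prev.payload) == REGISTRATION_CHUNK_LEN
                and cur.direction == 's2c' and REGISTRATION_REPLY in cur.payload):
            verdict['registration'] = True
            break
    verdict['tigerrat'] = verdict['header_variant'] is not None or verdict['registration']
    return verdict


def constructed_flows():
    # Constructed conversations for the demonstration, not real captures. Bytes other
    # than the report's indicators are filler and do not reproduce the real framing.
    krcert = [
        Msg('c2s', b'HTTP 1.1 /index.php?member=sbi2009 SSL3.3.7' + bytes(8)),
        Msg('s2c', bytes(2)),
        Msg('c2s', bytes([0x42]) * REGISTRATION_CHUNK_LEN),
        Msg('s2c', REGISTRATION_REPLY),
        Msg('c2s', bytes(32)),
    ]
    older = [
        Msg('c2s', b'HTTP 1.1 /member.php SSL3.4' + bytes(8)),
        Msg('s2c', bytes(2)),
        Msg('c2s', bytes(32)),
    ]
    benign = [
        Msg('c2s', b'GET / HTTP/1.1 Host: example.test'),
        Msg('s2c', b'HTTP/1.1 200 OK'),
    ]
    return {'krcert': krcert, 'older': older, 'benign': benign}
```

The two checks are kept independent on purpose: the header string alone identifies any of the three variants, while the registration pair only fires for the RAT-KrCERT-x64 protocol, so a conversation that shows the older header together with an n0gyPPx exchange would be worth a closer look as a possible new variant.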
We invite you to contact us with additional information, particularly if you can share suspected or confirmed TigerDownloader or TigerRAT binaries.\r\nAppendix\r\nAlleged compilation dates\r\nWe have looked at the compilation timestamps of the packed samples and concluded that they are randomly chosen. For instance, some timestamps are in the future (e.g., “2024/06/09”) and others many years in the past (e.g., “1996/10/17”).\r\nOn the other hand, we have found that the compilation dates of the unpacked samples appear reasonable and likely correspond to the effective compilation dates. In fact, the unpacked compilation timestamp is always before the first-seen date. In many cases, it is 1 to 2 days before the first-seen date, which makes sense given the delay between infection/detection and reporting/submission to platforms like VirusTotal. Also, none of the dates are in the future or unrealistically old. While these could still be false flags, it is reasonable to assume that the compilation dates of the unpacked samples correspond to their effective production dates. We also see that most of the 3rd stage (TigerRAT) samples were detected before the 2nd stage (TigerDownloader) samples. This could indicate that until a host becomes infected by the 3rd stage, the 2nd stage samples are not detected. It could also be due to the fact that 2nd stage samples are stealthier and have fewer features/functions. 
The raw data is shown in the table below (the unpacked hashes are truncated in this copy; the full values appear in the C2 table further down).\r\nPACKED HASH                                                        UNPACKED HASH\r\nf4765f7b089d99b1cdcebf3ad7ba7e3e23ce411deab29b7afd782b23352e698f   5c2f339362d0cd8e5a8e3105c9c56971087bea2701ea3b7324771b0ea2\r\ned5fbefd61a72ec9f8a5ebd7fa7bcd632ec55f04bdd4a4e24686edccb0268e05   1177105e51fa02f9977bd435f9066123ace32b991ed54912ece8f3d4fbe\r\n008e906f2727d502f130a549eeebfda23362e24b2f1ac6e2c198ea82acc8a06a   1177105e51fa02f9977bd435f9066123ace32b991ed54912ece8f3d4fbe\r\nb59e8f44822ad6bc3b4067bfdfd1ad286b8ba76c1a3faff82a3feb7bdf96b9c5   63bae252d796bc9ac331fdc13744a72bd85d1065ef41a884dc11c6245e\r\n6310cd9f8b6ae1fdc1b55fe190026a119f7ea526cd3fc22a215bda51c9c28214   63bae252d796bc9ac331fdc13744a72bd85d1065ef41a884dc11c6245e\r\n350082b3f14e130c6337ef88d46d54d353ca6785508264112dfbd20ce4e47b98   63bae252d796bc9ac331fdc13744a72bd85d1065ef41a884dc11c6245e\r\nf40d387631ddb0db70128e72239d0cae7a22b2135c0ec0d540e018aa727d4c8e   588cdbd3ee3594525eb62fa7bab148f6d7ab000737fc0c311a5588dc96\r\n0996a8e5ec1a41645309e2ca395d3a6b766a7c52784c974c776f258c1b25a76c   588cdbd3ee3594525eb62fa7bab148f6d7ab000737fc0c311a5588dc96\r\n4da0ac4c3f47f69c992abb5d6e9803348bf9f3c6028a7214dcabec9a2e729b99   588cdbd3ee3594525eb62fa7bab148f6d7ab000737fc0c311a5588dc96\r\nab194f2bad37bffd32fae9833dafaa04c79c9e117d86aa46432eadef64a43ad6   49a13bf0aa53990771b7b7a7ab31d6805ed1b547e7d9f114e8e26a98f6\r\n4d03a981bed15a3bd91f36972d7391b39791c582bb2959a9be154a74bd64db31   4aadf767491077ab83c6436cf108b014fc0bf8c3bd01cc6087a0f2b8056\r\n1f8dcfaebbcd7e71c2872e0ba2fc6db81d651cf654a21d33c78eae6662e62392   f32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7\r\nd231f3b6d6e4c56cb7f149cbc0178f7b80448c24f14dced5a864015512b0ba1f   ed11e94fd9aa3c7d4dd0b4345c106631fe52929c6e26a0daec2ed7d22e4\r\nda787cf1f4fd829dd4a7637bec392438b793c5f9c920560197545d20b58691af   fec82f2542d7f82e9fce3e16bfa4024f253adee7121973bd9d67a3c7944\r\n69bac736f42e37302db7eca68b6fc138c3aa9a5c902c149e46cce8b42b172603   8b3c8046fa776b70821b7e50baa772a395d3d245c10bdaa4b6171e0c5c\r\nb0d6aee39e988196fdc821895a1f1aa63d1c032ea880c26a15c857068f34bfd9   bbddcb280af742ce10842b18b9d7120632cc042a8fe42eed90fc4bc94f2\r\n0e447797aa20bff416073281adb09b73c15433ab855b5cdb2d883f8c2af9c414   bbddcb280af742ce10842b18b9d7120632cc042a8fe42eed90fc4bc94f2\r\nf13aff9e1192c081c012f974b29bf60487385eed644d506d7f82b3538c2b035f   bbddcb280af742ce10842b18b9d7120632cc042a8fe42eed90fc4bc94f2\r\n9137e886e414b12581852b96a1d90ee875053f16b79be57694df9f93f3ead506   bbddcb280af742ce10842b18b9d7120632cc042a8fe42eed90fc4bc94f2\r\nd26987b705f537b10a11fb9913d0acc0218a0c0ae5f27e6f821d6d987b1cd4c7   bbddcb280af742ce10842b18b9d7120632cc042a8fe42eed90fc4bc94f2\r\n–                                                                  868a62feff8b46466e9d63b83135a7987bf6d332c13739aa11b747b3e2\r\n87f389d8f3a63f0879aa9d9dfbbd2b2c9cf678b871b704a01b39e1eaa234020c   464eaa82103f6f479e0d62dd48d2dab8ece300458136c03165d20915ee\r\n2f53109e01c431c1c1acec667adee07cf907cdc4d36429022f915654c9b7113b   464eaa82103f6f479e0d62dd48d2dab8ece300458136c03165d20915ee\r\nebe4befd2a7f941baa65248d5dea09de809e638ec8e8caffae322aa3b6863c1c   464eaa82103f6f479e0d62dd48d2dab8ece300458136c03165d20915ee\r\n1892b72c053ab48edae8305ef449f2b5391921efea8b1d7c37d6d29f59edc92e   464eaa82103f6f479e0d62dd48d2dab8ece300458136c03165d20915ee\r\ne83f5e0a51845d7078a3aca8ca7a5b786e8bdf284efd3e08b3472dbf3e098930   464eaa82103f6f479e0d62dd48d2dab8ece300458136c03165d20915ee\r\nd0fa0bfef8b199a42f4f33145274576e5a7edeb5522fb342af41fdc16e9021e2   464eaa82103f6f479e0d62dd48d2dab8ece300458136c03165d20915ee\r\nf62adc678eaadc019277640e6695143a45336c2f91019f5d9308812db1d07285   464eaa82103f6f479e0d62dd48d2dab8ece300458136c03165d20915ee\r\n0dc3f66f4af3250f56a32f8e1b9e772c514f74718358d19c195e3950d370ea01   
\r\nExtracted C2s\r\nAnother indicator that can be used to group these samples is the C2 each sample contacts. To extract it, we created a config extractor for\r\nthese samples. The following table shows the C2s for each sample. The 2nd stage samples use a domain whereas the 3rd\r\nstage samples directly use an IP address.\r\nNOTE: In the configuration of the 3rd stage there are 4 hardcoded IPs. In almost all cases, three of them are the same IP,\r\nwhich belongs to the C2. The remaining IP is empty in some cases, and in others it looks like a network mask (e.g. 1.0.0.0,\r\n2.0.0.1, 4.0.0.0, 16.0.0.0). We omitted these in the following table. You can find the “raw” configuration\r\nhere: https://github.com/threatray/tigerrat/blob/main/iocs/payload_configs.csv\r\nUNPACKED HASH ARCH. STAGE VARIANT C2\r\nf32f6b229913d68daad937cc72a57aa45291a9d623109ed48938815aa7b6005c x64 RAT (3rd stage) RAT-KrCERT-x64 (TigerRAT) 52.202.193.124\r\ned11e94fd9aa3c7d4dd0b4345c106631fe52929c6e26a0daec2ed7d22e47ada0 x64 RAT (3rd stage) RAT-KrCERT-x64 (TigerRAT) 185.208.158.208\r\nfec82f2542d7f82e9fce3e16bfa4024f253adee7121973bd9d67a3c79441b83c x64 RAT (3rd stage) RAT-KrCERT-x64 (TigerRAT) 185.208.158.208\r\n4aadf767491077ab83c6436cf108b014fc0bf8c3bd01cc6087a0f2b80564bc08 x64 RAT (3rd stage) RAT-Kaspersky-x64 (TigerRAT) 10.101.30.127\r\n8b3c8046fa776b70821b7e50baa772a395d3d245c10bdaa4b6171e0c5ce3f717 x64 RAT (3rd stage) RAT-Kaspersky-x64 (TigerRAT) 23.229.111.197\r\nbbddcb280af742ce10842b18b9d7120632cc042a8fe42eed90fc4bc94f2d71ac x64 RAT (3rd stage) RAT-Kaspersky-x64 (TigerRAT) 45.58.112.77\r\n868a62feff8b46466e9d63b83135a7987bf6d332c13739aa11b747b3e2ad4bbf x64 RAT (3rd stage) RAT-Kaspersky-x64 (TigerRAT) 45.58.112.77\r\n
464eaa82103f6f479e0d62dd48d2dab8ece300458136c03165d20915ee658067 x86 RAT (3rd stage) RAT-Kaspersky-x86 (TigerRAT) 23.229.111.197\r\n5c2f339362d0cd8e5a8e3105c9c56971087bea2701ea3b7324771b0ea2c26c6c x64 Downloader (2nd stage) Downloader-Kaspersky-x64 hxxp://mail.sisnet.co.kr/ hxxp://mail.neocyon.com\r\n1177105e51fa02f9977bd435f9066123ace32b991ed54912ece8f3d4fbeeade4 x64 Downloader (2nd stage) Downloader-Kaspersky-x64 hxxp://www.jinjinpig.co hxxp://mail.namusoft.kr\r\n63bae252d796bc9ac331fdc13744a72bd85d1065ef41a884dc11c6245ea933e2 x64 Downloader (2nd stage) Downloader-Malwarebytes-x64 hxxp://snum.or.kr/skin_i hxxp://www.ddjm.co.kr/\r\n588cdbd3ee3594525eb62fa7bab148f6d7ab000737fc0c311a5588dc96794acc x64 Downloader (2nd stage) Downloader-Kaspersky-x64 (Persistence) hxxp://www.jinjinpig.co hxxp://mail.namusoft.kr\r\n49a13bf0aa53990771b7b7a7ab31d6805ed1b547e7d9f114e8e26a98f6fbee28 x86 Downloader (2nd stage) Downloader-Kaspersky-x86 hxxp://www.conkorea.co hxxp://www.allamwith.c\r\n
MITRE ATT\u0026CK Mapping\r\nThe table below shows the MITRE ATT\u0026CK mapping after combining all these attacks/campaigns from previous reports\r\nand our analysis.\r\nTECHNIQUE TACTIC TECHNIQUE NAME\r\nT1584.006 Resource Development Compromise Infrastructure: Web Services\r\nT1583.003 Resource Development Acquire Infrastructure: Virtual Private Server\r\nT1566.001 Initial Access Phishing: Spearphishing Attachment\r\nT1189 Initial Access Drive-by Compromise\r\nT1204.002 Execution User Execution: Malicious File\r\nT1059.007 Execution Command and Scripting Interpreter: JavaScript\r\nT1036.005 Defense Evasion Masquerading: Match Legitimate Name or Location\r\nT1027.003 Defense Evasion Obfuscated Files or Information: Steganography\r\nT1497.001 Defense Evasion Virtualization/Sandbox Evasion: System Checks\r\nT1049 Discovery System Network Connections Discovery\r\nT1057 Discovery Process Discovery\r\nT1113 Collection Screen Capture\r\nT1056.001 Collection Input Capture: Keylogging\r\nT1071.001 Command and Control Application Layer Protocol: Web Protocols\r\nT1095 Command and Control Non-Application Layer Protocol\r\nT1573.001 Command and Control Encrypted Channel: Symmetric Cryptography\r\nT1041 Exfiltration Exfiltration Over C2 Channel\r\nT1486 Impact Data Encrypted for Impact\r\n
About Threatray\r\nThreatray is a novel malware analysis and intelligence platform. We support all key malware defense use cases, including\r\nidentification / detection, hunting, response, and analysis. Threatray helps security teams of all skill levels to effectively\r\nidentify and analyze ongoing and past compromises.\r\nAt the core of Threatray are highly scalable code similarity search algorithms that find code reuse between a new sample and\r\nmillions of known samples in seconds. Our core search algorithms do not make use of traditional byte pattern matches and\r\nare thus highly resilient to code mutations.\r\nOur user-facing features are based on the core search technology. They include best-of-class threat family identification and\r\ndetection, easy-to-use real-time retro-hunting and retro-detection, cluster analysis to quickly find relevant IOCs, and low-level multi-binary analysis capabilities. Some of our binary analysis capabilities have been used for the research presented in\r\nthis report.\r\nContact us at https://threatray.com/contact-us or https://twitter.com/threatray\r\nSource: https://www.threatray.com/blog/establishing-the-tigerrat-and-tigerdownloader-malware-families",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.threatray.com/blog/establishing-the-tigerrat-and-tigerdownloader-malware-families"
	],
	"report_names": [
		"establishing-the-tigerrat-and-tigerdownloader-malware-families"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434368,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/47b4760a8c97074eb2b62bcfcaf0ea544cb1cd53.pdf",
		"text": "https://archive.orkl.eu/47b4760a8c97074eb2b62bcfcaf0ea544cb1cd53.txt",
		"img": "https://archive.orkl.eu/47b4760a8c97074eb2b62bcfcaf0ea544cb1cd53.jpg"
	}
}