{
	"id": "b07c194f-259d-4226-92c9-00930997c08a",
	"created_at": "2026-04-06T00:18:13.369011Z",
	"updated_at": "2026-04-10T03:32:46.194868Z",
	"deleted_at": null,
	"sha1_hash": "48cdee8591ee296edb2f100da19e6981aeea04a0",
	"title": "MostereRAT Deployed AnyDesk/TightVNC for Covert Full Access | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4710873,
	"plain_text": "MostereRAT Deployed AnyDesk/TightVNC for Covert Full Access\r\n| FortiGuard Labs\r\nBy Yurren Wan\r\nPublished: 2025-09-08 · Archived: 2026-04-05 16:30:58 UTC\r\nAffected platforms: Microsoft Windows\r\nImpacted parties: Any organization\r\nImpact: Attackers gain control of the infected systems\r\nSeverity level: High\r\nFortiGuard Labs recently discovered a phishing campaign that employs multiple advanced evasion techniques.\r\nThese include the use of Easy Programming Language (EPL) to develop a staged payload, concealing\r\nmalicious operations and disabling security tools to prevent alert triggers, securing Command and Control (C2)\r\ncommunications using mutual TLS (mTLS), supporting various methods for deploying additional payloads, and\r\neven installing popular remote access tools to grant attackers complete control over the compromised system.\r\nFigure 1 shows the attack chain.\r\nFigure 1: Attack flow\r\nAlthough part of the attack flow and its C2 domains were mentioned in a 2020 public report as being associated\r\nwith a banking trojan, the malware has since evolved into a Remote Access Trojan (RAT) that we now call\r\nMostereRAT.\r\nInitial Access\r\nhttps://www.fortinet.com/blog/threat-research/mostererat-deployed-anydesk-tightvnc-for-covert-full-access\r\nPage 1 of 23\n\nThis attack campaign begins with phishing emails designed to lure Japanese users into clicking on malicious links.\r\nThese emails are crafted to appear as if they come from legitimate sources, such as mimicking business inquiries,\r\nto deceive recipients into accessing an infected site, as illustrated in Figure 2.\r\nFigure 2: The phishing e-mail.\r\nThe malicious file downloads automatically upon accessing the webpage, with an option to manually click a\r\ndownload button as well.\r\nFigure 3: The webpage for downloading the 
document.\r\nA Word document with an embedded archive is downloaded to the victim's computer. Instead of continuing to use\r\nJapanese for social engineering, the attackers present a single instruction. This instruction guides the victim to\r\nopen an embedded archive and run the only file it contains.\r\nFigure 4: The document contains only the instruction 'OpenTheDocument' and a ZIP archive.\r\ndocument.exe\r\nThis executable is based on the menu sample from the wxWidgets GitHub repository and is used to deploy the\r\nnecessary tools for the subsequent stage. The toolset is encrypted and bundled within the executable’s resources\r\nand includes images of a famous person, as shown in Figure 5.\r\nFigure 5: The executable embeds images of famous people along with encrypted data.\r\nThe data is decrypted using a simple SUB operation with the key value of ‘A’. All components associated with the\r\nremote monitoring and management (RMM) tools and the next-stage payload are placed within\r\nC:\\ProgramData\\Windows, as shown in Figure 6.\r\nFigure 6: The malware components are located in the C:\\ProgramData\\Windows directory.\r\nIt advances to the next stage using CreateSvcRpc, a custom RPC client that directly communicates with the ntsvcs\r\nnamed pipe to interact with the Windows Service Control Manager (SCM), bypassing standard APIs such as\r\nOpenSCManager, CreateService, StartService, and others. 
The resulting service runs with SYSTEM-level\r\nprivileges.\r\nFigure 7: RpcConnect in the CreateSvcRpc routine.\r\n“WpnCoreSvc” is created with an automatic start type, ensuring it is loaded by the Service Control Manager\r\nduring system startup to execute the next stage via a Ruby script. Another created service, “WinSvc_”, is\r\nconfigured for demand start and initiates the next stage by directly invoking a launcher provided by the attacker,\r\nas shown in Figures 8 and 9.\r\nFigure 8: The created services.\r\nFigure 9: Executed commands for the two created services.\r\nBefore terminating, the program displays a fake message in Simplified Chinese stating that the system version is\r\nincompatible and instructing the user to run the program on another computer, thereby continuing its spread via\r\nsocial engineering.\r\nFigure 10: Fake message.\r\nMalware Written in Easy Programming Language (EPL)\r\nEasy Programming Language (EPL) is a Simplified-Chinese-based programming language designed to be\r\nbeginner-friendly and easy to understand, especially for native Chinese speakers.\r\nkrnln.fnr serves as the EPL runtime library, providing core functions such as string handling, file operations,\r\nwindow management, and more.\r\nOne of the compilation options in EPL is 'Compile to EPK', which compiles the code into an .epk file. This file\r\nrequires an EPK launcher to invoke LoadEPKFromCmdLine in krnln.fnr for execution.\r\nThis stage involves an EPK launcher, a malicious EPK file named “svchost.exe,” and “svchost.db”. 
Execution\r\nstarts by obtaining command-line arguments and evaluating the parameters to decide which next-stage modules to\r\nload, as seen in Figure 11.\r\nFigure 11: Parsing the Function ID in EPK.\r\nEach module must first be decrypted with a simple SUB operation using the key value ‘A’. The module is then\r\nloaded into memory and its exported function “getVersion” is called.\r\nModule 1 - maindll.db\r\nParameters channel-8df91be7c24”a” to channel-8df91be7c24”e” are processed by module “maindll.db” and used\r\nto determine which task should be executed. Each task may execute a single function or consist of multiple\r\nfunctions. These functionalities include:\r\nPersistence through repeated execution of malicious code\r\nThe XML file defining the scheduled jobs is loaded from resources. It registers the jobs\r\n'Microsoft\\Windows\\winrshost' and 'Microsoft\\Windows\\winresume', and creates a service named 'DnsNetwork'\r\nto launch a new instance with additional arguments. These instances are configured to run automatically: under\r\nthe SYSTEM account (SID: S-1-5-18) during system startup, and under the built-in Administrators group (SID: S-1-5-32-544) upon user logon, as shown in Figure 12.\r\nFigure 12: The created tasks in Task Scheduler.\r\nRun as TrustedInstaller\r\nThe malware can create a new instance with full elevated privileges by leveraging the TrustedInstaller account,\r\none of the most powerful in Windows.\r\nIt first enables SeDebugPrivilege and duplicates its own process token with elevated rights. Next, it locates and\r\nduplicates a SYSTEM process token, as shown in Figure 13, then starts the TrustedInstaller service and duplicates\r\nits token. 
Finally, it uses the TrustedInstaller token to launch a new process with full privileges. We noticed that\r\nthe code is taken from the NSudo project on GitHub.\r\nFigure 13: Locating and duplicating a SYSTEM process token.\r\nInterfere with AV/EDR solutions\r\nThe malware contains two built-in lists: one for security product paths and another for security product names.\r\nSecurity product paths:\r\n360:\r\n“C:/Program Files/360/360Safe,”\r\n“C:/Program Files/360/360sd,”\r\n“C:/Program Files/360/360zip,”\r\n“C:/Program Files (x86)/360/360Safe,”\r\n“C:/Program Files (x86)/360/360sd,”\r\n“C:/Program Files (x86)/360/360zip,”\r\n“C:/ProgramData/360safe,”\r\n“C:/ProgramData/360SD”\r\nKingsoft:\r\n“C:/Program Files/kingsoft/kingsoft antivirus,”\r\n“C:/Program Files (x86)/kingsoft/kingsoft antivirus,”\r\n“C:/ProgramData/kdata,”\r\n“C:/ProgramData/kdesk,”\r\n“C:/ProgramData/Kingsoft,”\r\n“C:/ProgramData/KRSHistory”\r\nTencent PC Manager:\r\n“C:/Program Files/Tencent/QQPCMgr,”\r\n“C:/Program Files (x86)/Tencent/QQPCMgr,”\r\n“C:/ProgramData/Tencent/QQPCMgr”\r\nHuorong Security:\r\n“C:/Program Files/Huorong/Sysdiag,”\r\n“C:/Program Files (x86)/Huorong/Sysdiag,”\r\n“C:/ProgramData/Huorong/Sysdiag”\r\nWindows Defender:\r\n“C:/Program Files/Windows Defender,”\r\n“C:/Program Files (x86)/Windows Defender,”\r\n“C:/ProgramData/Microsoft/Windows Defender”\r\nESET:\r\n“C:/Program Files/ESET,”\r\n“C:/ProgramData/ESET”\r\nAvira:\r\n“C:/Program Files/Avira,”\r\n“C:/Program Files (x86)/Avira,”\r\n“C:/ProgramData/Avira”\r\nAvast:\r\n“C:/Program Files/Avast Software,”\r\n“C:/ProgramData/Avast Software”\r\nMalwarebytes:\r\n“C:/Program 
Files/Malwarebytes,”\r\n“C:/ProgramData/Malwarebytes”\r\nAVG:\r\n“C:/Program Files/AVG,”\r\n“C:/Program Files/Common Files/AVG,”\r\n“C:/ProgramData/AVG”\r\nOthers:\r\n“C:/Program Files (x86)/2345Soft/2345PCSafe,”\r\n“C:/Program Files (x86)/Lenovo/PCManager,”\r\n“C:/Program Files (x86)/Rising,”\r\n“C:/Program Files/Microsoft PC Manager,”\r\n“C:/Program Files/Common Files/AV”\r\nSecurity Product Names:\r\n\"360Safe,\" \"360sd,\" \"antivirus,\" \"QQPCMgr,\" \"Sysdiag,\" \"Defender,\" \"Kaspersky,\" \"ESET Security,\" \"Security,\"\r\n\"Avira,\" \"Avast,\" \"Malwarebytes,\" \"Antivirus,\" \"Bitdefender,\" \"Norton,\" \"Symantec,\" \"McAfee,\" \"2345PCSafe,\"\r\n\"PCManager,\" \"Rising,\" and \"Microsoft PC Manager.\"\r\nIt first checks whether a security solution is present by scanning for executable files within those paths. Then, it\r\ncompares these executables against the image file paths of running processes. If a match is found and the image\r\npath contains a known security product name, the malware blocks its traffic.\r\nThis traffic-blocking technique resembles that of the known red team tool 'EDRSilencer', which uses Windows\r\nFiltering Platform (WFP) filters at multiple stages of the network communication stack, effectively preventing the security product\r\nfrom connecting to its servers and from transmitting detection data, alerts, event logs, or other telemetry, as shown\r\nin Figure 14.\r\nFigure 14: The malware creates WFP filters to block the security products' network traffic.\r\nDisable Windows Security\r\nThe malware employs multiple techniques to disable Windows updates and security mechanisms. 
It terminates\r\nprocesses such as 'SecurityHealthService.exe' and 'SecurityHealthSystray.exe,' stops services including 'wuauserv,'\r\n'UsoSvc,' 'uhssvc,' and 'WaaSMedicSvc,' and deletes critical system files like\r\n'C:\\Windows\\System32\\WaaSMedicSvc.dll' and 'C:\\Windows\\System32\\wuaueng.dll.'\r\nFigure 15: Activities related to disabling Windows security features.\r\nFigure 16: The registry script embedded in the resource.\r\nTo prevent these mechanisms from starting automatically, it removes scheduled tasks from specific task folders\r\nusing ITaskFolder::DeleteTask and ITaskFolder::DeleteFolder.\r\nUpgrade and launch a new program/module\r\nTwo threads are created to communicate with the command and control (C2) server over HTTP using ports 9001\r\nand 9002. The program also utilizes an RSA private key to decrypt the configuration file once it is available on the\r\nserver, signaling that a new version is ready for download.\r\nhttp://{C2 Domain}:9001/9001.conf\r\nhttp://{C2 Domain}:9002/9002.conf\r\nNext, it parses the configuration file, formatted in INI style, and compares the version number to determine if\r\ndownloading a new payload is necessary. The downloaded payload is verified using a SHA-256 hash before the\r\nnew version is executed. 
Port 9001 is responsible for the EXE payload, whereas port 9002 handles the EPK\r\npayload.\r\nFigure 17: Strings utilized in the upgrade module.\r\nModule 2 - elsedll.db\r\nParameter channel-8df91be7c24”f” is processed by module “elsedll.db.” This module features complex remote\r\naccess capabilities, utilizing multiple threads to handle command and control operations, monitor foreground\r\nwindow activity associated with Qianniu - Alibaba's Seller Tool, log keystrokes, and send heartbeat signals.\r\nIt communicates with the Command and Control server using the same server list as Module 1, establishing a\r\nconnection over TCP port 8000. The communication is secured through mutual TLS (mTLS), utilizing an\r\nembedded client key, client certificate, and CA certificate to enforce mutual authentication and prevent\r\nimpersonation.\r\nThe C2 packet begins with a magic number 1234567890 (0x499602D2), followed by four bytes indicating the\r\npacket length and a command ID specifying the action to be performed. The module supports up to 37 functions and can\r\ndeploy popular remote access tools on the victim's system to enable complete control, as if using the system\r\nnormally. 
The list below outlines commands with specific and evident functions.\r\nTable 1: Command ID and details\r\n0x7B98A2 Obtain the SHA-256 digest of a file.\r\n0x7B98A3 Appears to retrieve version information.\r\n0x7B98A4 Send heartbeat signals.\r\n0x7B98A5 Collect victim details.\r\n0x7B9905 Send and run an EPK file using the EPK launcher.\r\n0x7B9907 Send and run a DLL file using rundll32.\r\n0x7B9908 Send and run an EXE file.\r\n0x7B990B Send and load shellcode into memory for execution.\r\n0x7B990C Send and load an EXE into memory for execution.\r\n0x7B990D Download and run an EPK file using the launcher.\r\n0x7B9910 Download and run a DLL file using rundll32.\r\n0x7B9911 Download and run an EXE file.\r\n0x7B9937 Download and load shellcode into memory for execution.\r\n0x7B9938 Download and load an EXE into memory for execution.\r\n0x7B9969 Read the specified file located under the Database directory.\r\n0x7B996A Write data into the specified file located under the Database directory.\r\n0x7B996B Delete the specified file located under the Database directory.\r\n0x7B996C Write data into 09.db located under the Database directory.\r\n0x7B997D Load the EXE payload from C2 and run it using Early Bird Injection.\r\n0x7B997E Download and inject an EXE into svchost.exe using Early Bird Injection.\r\n0x7B9EE1 Terminate remote monitoring and management (RMM) tools, load configuration from resources, and launch TightVNC and Xray.\r\n0x7B9EE3 End the Xray and TightVNC applications.\r\n0x7B9EE4 Enable multiple session logins and apply RDP Wrapper as the RDP solution.\r\n0x7B9EE5 Revert RDP-related registry configurations.\r\n0x7B9EE6 Create a user and add it to the administrators group; prevent the account “V” from appearing on the Windows login interface.\r\n0x7B9EE7 Enable multiple session login.\r\n0x7B9EE8 Disable multiple session login.\r\n0x7B9EE9 Load configuration files from resources and launch AnyDesk.\r\n0x7B9EEA Conceal the AnyDesk application window.\r\n0x7B9EEB Keep sending the message to turn off the monitor.\r\n0x7B9EEC Stop sending the message that turns off the monitor.\r\n0x7B9EED Launch a program in hidden mode.\r\n0x7B9EEE Enumerate users.\r\n0x7B9F45 Create a screen capture.\r\nData collection\r\nThe command supports extracting file data generated by the program, including the created GUID, installation\r\ndate, and other related details. It also collects system information such as the computer name, Windows OS\r\nproduct details, system boot time, time since last user input, number of video capture drivers, and active user\r\naccounts. Additionally, it supports creating a screen capture.\r\nDownload and execute plugins\r\nAs shown in Table 1, module 2 employs a wide range of methods to download and execute payloads in various\r\nways. It can retrieve payloads from the current C2 connection or a specified URL using libcurl, supporting\r\nshellcode, EPK, DLL, and EXE formats.\r\nAn EXE payload can either be executed in memory, such as through early bird injection, or written to disk\r\nand run as a standalone process. The DLL payload is typically saved to disk and executed via rundll32.exe, calling\r\nthe getVersion export function. 
The EPK payload is launched by the EPK launcher, while the shellcode payload\r\nis written to allocated memory and then executed.\r\nFigure 18: The downloaded data is saved in the tmp folder with a filename generated from GetTickCount64.\r\nFile operation\r\nIn terms of file operations, the malware targets only files in the /database folder under the working directory and\r\nsupports read, write, and delete operations.\r\nA file ID is used to identify files within the folder, ranging from 1001 (0x3E9) to 1009 (0x3F1) and\r\ncorresponding to filenames 01.db through 09.db.\r\nFigure 19: Example showing how the file ID determines the target file for data writing.\r\nRemote access tools deployment\r\nThe program is capable of running remote access and proxy tools using its configuration file embedded within\r\nresources. During the attack, AnyDesk, Xray, and TigerVNC are utilized and configured to grant exclusive access\r\nto the attacker.\r\nThe command set also supports the third-party RDP tool ‘RDP Wrapper’ and configuration changes, allowing quick\r\nmodification of RDP settings, such as enabling or disabling multiple session logins via registry edits, and can\r\nrestore the original RDP settings in the registry.\r\nPersistence via a hidden account\r\nThe command for creating a new user can add an account to the administrators group with a non-expiring\r\npassword and hide it from the Windows login UI by modifying the registry path\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList, creating a\r\nREG_DWORD entry named after the username and setting its value to 0. 
However, in the code implementation,\r\nthe entry name is hardcoded as 'V' instead of using the actual username.\r\nFigure 20: Example of sending the command '0x7B9EE6' to create an account “hello”.\r\nConclusion\r\nThis attack campaign uses social engineering as its initial vector and propagation method to facilitate the spread\r\nof the threat. Additionally, MostereRAT employs more advanced and sophisticated techniques, such as\r\nincorporating an EPL program as one stage of the campaign, hiding the service creation method, blocking AV\r\nsolution traffic, running as TrustedInstaller, using mTLS, and switching to legitimate remote access tools like\r\nAnyDesk, TightVNC, and RDP Wrapper to control the victim’s system.\r\nThese tactics significantly increase the difficulty of detection, prevention, and analysis. In addition to keeping\r\nyour solution updated, educating users about the dangers of social engineering remains essential.\r\nFortinet Protections\r\nThe malware described in this report is detected and blocked by FortiGuard Antivirus as:\r\nW32/Agent.MTR!tr\r\nW32/Agent.295C!tr\r\nW32/Agent.9C1D!tr\r\nFortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard Antivirus Service. The FortiGuard\r\nantivirus engine is part of each of those solutions. As a result, customers who have these products with up-to-date\r\nprotections are protected.\r\nThe FortiGuard CDR (content disarm and reconstruction) service can disarm the malicious macros within the\r\ndocument.\r\nWe also suggest that organizations take the free Fortinet Certified Fundamentals (FCF) cybersecurity\r\ntraining. 
The training is designed to help users learn about today's threat landscape and introduces basic\r\ncybersecurity concepts and technology.\r\nThe FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks malware attacks by aggregating\r\nmalicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative\r\ncompetitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile\r\nsources.\r\nIf you believe this or any other cybersecurity threat has impacted your organization, please contact the Global\r\nFortiGuard Incident Response Team.\r\nIOCs\r\nDomain:\r\nwww[.]efu66[.]com\r\nmostere[.]com\r\nhuanyu3333[.]com\r\nidkua93dkh9590764478t18822056bck[.]com\r\nosjfd923bk78735547771x3690026ddl[.]com\r\nzzzzzzz0379098305467195353458278[.]com\r\nxxxxxx25433693728080140850916444[.]com\r\nFile:\r\nd281e41521ea88f923cf11389943a046557a2d73c20d30b64e02af1c04c64ed1\r\n4e3cdeba19e5749aa88329bc3ac67acd777ea7925ba0825a421cada083706a4e\r\n546a3418a26f2a83a2619d6c808985c149a0a1e22656553ce8172ca15622fd9b\r\n3c621b0c91b758767f883cbd041c8ef701b9806a78f2ae1e08f932b43fb433bb\r\n926b2b9349dbd4704e117304c2f0edfd266e4c91fb9325ecb11ba83fe17bc383\r\nSource: https://www.fortinet.com/blog/threat-research/mostererat-deployed-anydesk-tightvnc-for-covert-full-access",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/mostererat-deployed-anydesk-tightvnc-for-covert-full-access"
	],
	"report_names": [
		"mostererat-deployed-anydesk-tightvnc-for-covert-full-access"
	],
	"threat_actors": [
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434693,
	"ts_updated_at": 1775791966,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/48cdee8591ee296edb2f100da19e6981aeea04a0.pdf",
		"text": "https://archive.orkl.eu/48cdee8591ee296edb2f100da19e6981aeea04a0.txt",
		"img": "https://archive.orkl.eu/48cdee8591ee296edb2f100da19e6981aeea04a0.jpg"
	}
}