{ "id": "197119e7-726b-4ac4-bc3c-03b3d22c7dc3", "created_at": "2026-04-06T00:06:12.217388Z", "updated_at": "2026-04-10T03:37:36.719592Z", "deleted_at": null, "sha1_hash": "49362eadda1471957aa9cacc4de5726de9eb4a4b", "title": "Threat Actor Activity Related to the Iran Conflict", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1756678, "plain_text": "Threat Actor Activity Related to the Iran Conflict\r\nBy by Nozomi Networks Labs | July 8, 2025\r\nArchived: 2026-04-05 13:44:19 UTC\r\nIn light of the most recent Iranian conflict, Nozomi Networks Labs has observed a 133% increase in cyberattacks\r\ncoming from well-known Iranian threat actor groups during May and June. From what Nozomi Networks Labs\r\nresearchers have observed so far, US companies appear to be the primary target as warned in a June 30th Fact\r\nSheet published by CISA and last week’s National Terrorism Advisory System Bulletin from the U.S. Department\r\nof Homeland Security.\r\nOur researchers observed MuddyWater, APT33, OilRig, CyberAv3ngers, FoxKitten and Homeland Justice\r\ntargeting Transportation and Manufacturing organizations. Industrial and critical infrastructure organizations in\r\nthe U.S. and abroad are urged to be vigilant and review their security posture. Nozomi Networks customers can\r\nreview their Nozomi Threat Intelligence for any signs of activity from these groups. If you subscribe to the\r\nNozomi Networks Threat Intelligence feed (including a separate Mandiant TI Expansion Pack) you’re covered, as\r\nsignatures have been in place for some time.  \r\nCurrent Cyber Threat Trends\r\nAs part of our daily operations, Nozomi Networks Labs researchers constantly track various threat actors,\r\nincluding nation-state groups. We receive anonymized telemetry from participating customers which allows us to\r\npublicly share current trends related to the attacks associated with these actors.  \r\nDuring May and June, we observed 28 attacks related to Iranian threat actors. Compared to the previous 2-month\r\nperiod, where we saw only 12, this represents a 133% increase in their activity.\r\nhttps://www.nozominetworks.com/blog/threat-actor-activity-related-to-the-iran-conflict\r\nPage 1 of 6\n\nFigure 1. Nozomi Networks data shows a recent spike in attacks linked to Iranian actors in\r\ncomparison to March and April 2025.\r\nUnsurprisingly, the attacks targeted organizations in the US. The most active Iranian threat actor was\r\nMuddyWater, which we cover in more detail below. In the last two months, it attacked at least five different U.S.\r\ncompanies, mainly associated with Transportation and Manufacturing. It was followed by APT33, responsible for\r\nattacks against at least three different U.S. companies. Finally, we were able to see OilRig, CyberAv3ngers, Fox\r\nKitten and Homeland Justice associated with attacks against at least two different US companies each, again\r\nmainly belonging to the Transportation and Manufacturing sectors.\r\nAn interesting fact, this time CyberAv3ngers decided to re-use an IP address associated with their previous attack\r\nutilizing infamous OT-focused OrpaCrab aka IOCONTROL malware that was discovered in December last year.\r\nRegardless of whether the OT, IoT or IT domains are going to be targeted, Nozomi Networks Labs will continue\r\nto closely monitor all these actors, making sure our customers are protected.\r\nGlobal Threat Actor Activities\r\nBelow are images from the Nozomi Platform highlighting Iranian threat actor activity by country as reported in\r\nour Threat Intelligence services.\r\nMuddyWater\r\nMuddyWater (also known as SeedWorm) is a threat actor group originating from Iran. They have been active since\r\n2017, targeting primarily countries in the Middle East, specifically Saudi Arabia, Iraq, and Turkey. Their main\r\nfocus is on government entities, telecommunications, and the energy sectors.\r\nFigure 1 - Nozomi Threat Intelligence is tracking MuddyWater targeting organizations in these\r\ncountries.\r\nAPT33\r\nAPT33 (also known as Elfin) is a threat actor group believed to originate from Iran. They have been involved in\r\ncyber espionage activities targeting organizations in the aerospace, energy, and petrochemical sectors. APT33 was\r\nfirst observed in 2013 and has been active up to the present day, with a focus on stealing sensitive information to\r\nfurther Iranian national interests.\r\nhttps://www.nozominetworks.com/blog/threat-actor-activity-related-to-the-iran-conflict\r\nPage 2 of 6\n\nFigure 2. Nozomi Threat Intelligence is tracking APT33 targeting organizations in these countries.\r\nOilRig\r\nOilRig (also known as APT34, Helix Kitten) is a threat actor originating from Iran. They have been active since at\r\nleast 2014, targeting primarily Middle Eastern countries such as Saudi Arabia, United Arab Emirates, and Qatar.\r\nTheir focus is on espionage and collecting sensitive information from government, financial, energy, and\r\ntelecommunications sectors. The group is known for using spear-phishing emails and custom malware tools to\r\nbreach their targets' networks.\r\nFigure 3. Nozomi Threat Intelligence is tracking OilRig targeting organizations in these countries.\r\nCyberAv3ngers\r\nCyberAv3ngers is an Iranian threat actor group known for its cyber-espionage and politically motivated\r\noperations, targeting critical infrastructure, government entities, and private organizations. The group is\r\ncharacterized by its sophisticated use of advanced persistent threat (APT) tactics, leveraging custom-built\r\nmalware, spear-phishing campaigns, and zero-day vulnerabilities to achieve its objectives. CyberAv3ngers\r\ntypically operates with a focus on Middle Eastern and Western nations, aligning its activities with Iranian\r\ngeopolitical goals.\r\nhttps://www.nozominetworks.com/blog/threat-actor-activity-related-to-the-iran-conflict\r\nPage 3 of 6\n\nFigure 4. Nozomi Threat Intelligence is tracking Cyberv3ngers targeting organizations in the these\r\ncountries.\r\nFox Kitten\r\nFox Kitten (also known as Pioneer Kitten) is a highly sophisticated Iranian advanced persistent threat (APT)\r\ngroup, active since at least 2017. It is widely believed to be state-sponsored and operates as part of Iran’s broader\r\ncyber-espionage and sabotage apparatus. Fox Kitten is primarily focused on cyber-espionage, long-term access,\r\nand pre-positioning for potential disruptive or destructive cyber operations. It targets organizations that are\r\nstrategically valuable to Iranian geopolitical interests, especially in the Middle East and beyond.\r\nFigure 5. Nozomi Threat Intelligence is tracking Fox Kitten targeting organizations in these\r\ncountries.\r\nHomeland Justice\r\nHomeland Justice is a cyber threat actor group attributed to Iranian state-sponsored operations. It gained notoriety\r\nfor a series of disruptive cyberattacks targeting Albanian government infrastructure in 2022.\r\nhttps://www.nozominetworks.com/blog/threat-actor-activity-related-to-the-iran-conflict\r\nPage 4 of 6\n\nFigure 6. Nozomi Threat Intelligence is tracking Homeland Justice targeting organizations in these\r\ncountries.\r\nNozomi Is Here to Help\r\nIn the modern world, global and regional conflicts are always accompanied by the increased activity of\r\ncyberthreat actors, sometimes playing a significant role in their outcomes. Tracking them daily in addition to\r\nexercising fundamental all-year-round due diligence is essential to stay on top of the game and making sure your\r\norganization has the best cybersecurity posture possible. At Nozomi Networks, we take these threats seriously. We\r\ntransform actionable intelligence into continuously updated detection logic, delivered daily to our customers\r\nthrough our dedicated Threat Intelligence subscription—including the TI Expansion Pack Powered by Mandiant—\r\nand our standalone Threat Intelligence Feed, which integrates seamlessly with any cybersecurity solution, even\r\nwithout our sensors.\r\nAs we continue our mission to safeguard critical infrastructure, we invite organizations worldwide to join us in the\r\nfight against cyberattacks by sharing insights that can help strengthen collective defenses for all.\r\nList of IoCs\r\n159.100.6[.]69\r\n169.150.227[.]230\r\n95.181.161[.]50\r\n164.132.237[.]65\r\n5.199.133[.]149\r\n104.200.128[.]71\r\n104.200.128[.]206\r\n31.192.105[.]28\r\n185.118.66[.]114\r\n194.187.249[.]102\r\n185.162.235[.]29\r\n144.202.84[.]43\r\n64.176.173[.]77\r\n64.176.172[.]101\r\n64.176.172[.]235\r\nhttps://www.nozominetworks.com/blog/threat-actor-activity-related-to-the-iran-conflict\r\nPage 5 of 6\n\nSource: https://www.nozominetworks.com/blog/threat-actor-activity-related-to-the-iran-conflict\r\nhttps://www.nozominetworks.com/blog/threat-actor-activity-related-to-the-iran-conflict\r\nPage 6 of 6", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.nozominetworks.com/blog/threat-actor-activity-related-to-the-iran-conflict" ], "report_names": [ "threat-actor-activity-related-to-the-iran-conflict" ], "threat_actors": [ { "id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4", "created_at": "2022-10-25T15:50:23.458833Z", "updated_at": "2026-04-10T02:00:05.419537Z", "deleted_at": null, "main_name": "APT34", "aliases": null, "source_name": "MITRE:APT34", "tools": [ "netstat", "Systeminfo", "PsExec", "SEASHARPEE", "Tasklist", "Mimikatz", "POWRUNER", "certutil" ], "source_id": "MITRE", "reports": null }, { "id": "a63c994f-d7d6-4850-a881-730635798b90", "created_at": "2025-08-07T02:03:24.788883Z", "updated_at": "2026-04-10T02:00:03.785146Z", "deleted_at": null, "main_name": "COBALT TRINITY", "aliases": [ "APT33 ", "Elfin ", "HOLMIUM ", "MAGNALIUM ", "Peach Sandstorm ", "Refined Kitten ", "TA451 " ], "source_name": "Secureworks:COBALT TRINITY", "tools": [ "AutoCore", "Cadlotcorg", "Dello RAT", "FalseFont", "Imminent Monitor", "KDALogger", "Koadic", "NanoCore", "NetWire", "POWERTON", "PoshC2", "Poylog", "PupyRAT", "Schoolbag" ], "source_id": "Secureworks", "reports": null }, { "id": "5484a633-c850-4380-921b-72fce1a32e72", "created_at": "2024-01-18T02:02:34.026014Z", "updated_at": "2026-04-10T02:00:04.636248Z", "deleted_at": null, "main_name": "CyberAv3ngers", "aliases": [], "source_name": "ETDA:CyberAv3ngers", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b", "created_at": "2022-10-25T15:50:23.308924Z", "updated_at": "2026-04-10T02:00:05.298591Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "MuddyWater", "Earth Vetala", "Static Kitten", "Seedworm", "TEMP.Zagros", "Mango Sandstorm", "TA450" ], "source_name": "MITRE:MuddyWater", "tools": [ "STARWHALE", "POWERSTATS", "Out1", "PowerSploit", "Small Sieve", "Mori", "Mimikatz", "LaZagne", "PowGoop", "CrackMapExec", "ConnectWise", "SHARPSTATS", "RemoteUtilities", "Koadic" ], "source_id": "MITRE", "reports": null }, { "id": "2ed8d590-defa-4873-b2de-b75c9b30931e", "created_at": "2023-01-06T13:46:38.730137Z", "updated_at": "2026-04-10T02:00:03.08136Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "TEMP.Zagros", "Seedworm", "COBALT ULSTER", "G0069", "ATK51", "Mango Sandstorm", "TA450", "Static Kitten", "Boggy Serpens", "Earth Vetala" ], "source_name": "MISPGALAXY:MuddyWater", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "cffb3c01-038f-4527-9cfd-57ad5a035c22", "created_at": "2022-10-25T15:50:23.38055Z", "updated_at": "2026-04-10T02:00:05.258283Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "COBALT GYPSY", "IRN2", "APT34", "Helix Kitten", "Evasive Serpens", "Hazel Sandstorm", "EUROPIUM", "ITG13", "Earth Simnavaz", "Crambus", "TA452" ], "source_name": "MITRE:OilRig", "tools": [ "ISMInjector", "ODAgent", "RDAT", "Systeminfo", "QUADAGENT", "OopsIE", "ngrok", "Tasklist", "certutil", "ZeroCleare", "POWRUNER", "netstat", "Solar", "ipconfig", "LaZagne", "BONDUPDATER", "SideTwist", "OilBooster", "SampleCheck5000", "PsExec", "SEASHARPEE", "Mimikatz", "PowerExchange", "OilCheck", "RGDoor", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "2c348851-5036-406b-b2d1-1ca47cfc7523", "created_at": "2022-10-25T16:07:24.039861Z", "updated_at": "2026-04-10T02:00:04.847961Z", "deleted_at": null, "main_name": "Parisite", "aliases": [ "Cobalt Foxglove", "Fox Kitten", "G0117", "Lemon Sandstorm", "Parisite", "Pioneer Kitten", "Rubidium", "UNC757" ], "source_name": "ETDA:Parisite", "tools": [ "Cobalt", "FRP", "Fast Reverse Proxy", "Invoke the Hash", "JuicyPotato", "Ngrok", "POWSSHNET", "Pay2Key", "Plink", "Port.exe", "PuTTY Link", "SSHMinion", "STSRCheck", "Serveo" ], "source_id": "ETDA", "reports": null }, { "id": "b125b5c1-1431-4880-9ab8-582a583811ea", "created_at": "2024-04-24T02:00:49.643067Z", "updated_at": "2026-04-10T02:00:05.421434Z", "deleted_at": null, "main_name": "CyberAv3ngers", "aliases": [ "CyberAv3ngers", "Soldiers of Soloman" ], "source_name": "MITRE:CyberAv3ngers", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "e5ff825b-0456-4013-b90a-971b93def74a", "created_at": "2022-10-25T15:50:23.824058Z", "updated_at": "2026-04-10T02:00:05.377261Z", "deleted_at": null, "main_name": "APT33", "aliases": [ "APT33", "HOLMIUM", "Elfin", "Peach Sandstorm" ], "source_name": "MITRE:APT33", "tools": [ "PowerSploit", "AutoIt backdoor", "PoshC2", "Mimikatz", "NanoCore", "DEADWOOD", "StoneDrill", "POWERTON", "LaZagne", "TURNEDUP", "NETWIRE", "Pupy", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "6e3ba400-aee3-4ef3-8fbc-ec07fdbee46c", "created_at": "2025-08-07T02:03:24.731268Z", "updated_at": "2026-04-10T02:00:03.651425Z", "deleted_at": null, "main_name": "COBALT FOXGLOVE", "aliases": [ "Fox Kitten ", "Lemon Sandstorm ", "Parisite ", "Pioneer Kitten ", "RUBIDIUM ", "UNC757 " ], "source_name": "Secureworks:COBALT FOXGLOVE", "tools": [ "Chisel", "FRP (Fast Reverse Proxy)", "Mimikatz", "Ngrok", "POWSSHNET", "STSRCheck", "Servo", "n3tw0rm ransomware", "pay2key ransomware" ], "source_id": "Secureworks", "reports": null }, { "id": "156b3bc5-14b7-48e1-b19d-23aa17492621", "created_at": "2025-08-07T02:03:24.793494Z", "updated_at": "2026-04-10T02:00:03.634641Z", "deleted_at": null, "main_name": "COBALT ULSTER", "aliases": [ "Boggy Serpens ", "ENT-11 ", "Earth Vetala ", "ITG17 ", "MERCURY ", "Mango Sandstorm ", "MuddyWater ", "STAC 1171 ", "Seedworm ", "Static Kitten ", "TA450 ", "TEMP.Zagros ", "UNC3313 ", "Yellow Nix " ], "source_name": "Secureworks:COBALT ULSTER", "tools": [ "CrackMapExec", "Empire", "FORELORD", "Koadic", "LaZagne", "Metasploit", "Mimikatz", "Plink", "PowerStats" ], "source_id": "Secureworks", "reports": null }, { "id": "7f25e108-e694-49b6-a494-c8458b33eb3f", "created_at": "2024-01-09T02:00:04.199217Z", "updated_at": "2026-04-10T02:00:03.509338Z", "deleted_at": null, "main_name": "HomeLand Justice", "aliases": [], "source_name": "MISPGALAXY:HomeLand Justice", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf", "created_at": "2024-01-18T02:02:34.189827Z", "updated_at": "2026-04-10T02:00:04.721082Z", "deleted_at": null, "main_name": "HomeLand Justice", "aliases": [ "Banished Kitten", "Karma", "Red Sandstorm", "Storm-0842", "Void Manticore" ], "source_name": "ETDA:HomeLand Justice", "tools": [ "BABYWIPER", "BiBi Wiper", "BiBi-Linux Wiper", "BiBi-Windows Wiper", "Cl Wiper", "LowEraser", "No-Justice Wiper", "Plink", "PuTTY Link", "RevSocks", "W2K Res Kit" ], "source_id": "ETDA", "reports": null }, { "id": "b3ebf51d-8f64-48a9-bbfb-674db872cccb", "created_at": "2025-08-07T02:03:24.769383Z", "updated_at": "2026-04-10T02:00:03.860954Z", "deleted_at": null, "main_name": "COBALT MYSTIQUE", "aliases": [ "Banished Kitten ", "DEV-0842 ", "Druidfly ", "Handala Hack Team", "Homeland Justice", "Karmabelow80", "Red Sandstorm ", "Storm-0842 ", "Void Manticore " ], "source_name": "Secureworks:COBALT MYSTIQUE", "tools": [ "AllinOneNeo", "Bibi", "GramPy", "GramPyLoader" ], "source_id": "Secureworks", "reports": null }, { "id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b", "created_at": "2025-08-07T02:03:24.722093Z", "updated_at": "2026-04-10T02:00:03.681914Z", "deleted_at": null, "main_name": "COBALT EDGEWATER", "aliases": [ "APT34 ", "Cold River ", "DNSpionage " ], "source_name": "Secureworks:COBALT EDGEWATER", "tools": [ "AgentDrable", "DNSpionage", "Karkoff", "MailDropper", "SideTwist", "TWOTONE" ], "source_id": "Secureworks", "reports": null }, { "id": "c786e025-c267-40bd-9491-328da70811a5", "created_at": "2025-08-07T02:03:24.736817Z", "updated_at": "2026-04-10T02:00:03.752071Z", "deleted_at": null, "main_name": "COBALT GYPSY", "aliases": [ "APT34 ", "CHRYSENE ", "Crambus ", "EUROPIUM ", "Hazel Sandstorm ", "Helix Kitten ", "ITG13 ", "OilRig ", "Yellow Maero " ], "source_name": "Secureworks:COBALT GYPSY", "tools": [ "Glimpse", "Helminth", "Jason", "MacDownloader", "PoisonFrog", "RGDoor", "ThreeDollars", "TinyZbot", "Toxocara", "Trichuris", "TwoFace" ], "source_id": "Secureworks", "reports": null }, { "id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f", "created_at": "2023-01-06T13:46:38.367369Z", "updated_at": "2026-04-10T02:00:02.945356Z", "deleted_at": null, "main_name": "APT33", "aliases": [ "Elfin", "MAGNALLIUM", "HOLMIUM", "COBALT TRINITY", "G0064", "ATK35", "Peach Sandstorm", "TA451", "APT 33", "Refined Kitten" ], "source_name": "MISPGALAXY:APT33", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "67709937-2186-4a32-b64c-a5693d40ac77", "created_at": "2023-01-06T13:46:38.495593Z", "updated_at": "2026-04-10T02:00:02.999196Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "Crambus", "Helix Kitten", "APT34", "IRN2", "ATK40", "G0049", "EUROPIUM", "TA452", "Twisted Kitten", "Cobalt Gypsy", "APT 34", "Evasive Serpens", "Hazel Sandstorm", "Earth Simnavaz" ], "source_name": "MISPGALAXY:OilRig", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "871acc40-6cbf-4c81-8b40-7f783616afbc", "created_at": "2023-01-06T13:46:39.156237Z", "updated_at": "2026-04-10T02:00:03.232876Z", "deleted_at": null, "main_name": "Fox Kitten", "aliases": [ "UNC757", "Lemon Sandstorm", "RUBIDIUM", "PIONEER KITTEN", "PARISITE" ], "source_name": "MISPGALAXY:Fox Kitten", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d070e12b-e1ce-4d8d-b5e3-bc71960cc0cb", "created_at": "2022-10-25T15:50:23.676504Z", "updated_at": "2026-04-10T02:00:05.260839Z", "deleted_at": null, "main_name": "Fox Kitten", "aliases": [ "Fox Kitten", "UNC757", "Parisite", "Pioneer Kitten", "RUBIDIUM", "Lemon Sandstorm" ], "source_name": "MITRE:Fox Kitten", "tools": [ "China Chopper", "Pay2Key", "ngrok", "PsExec" ], "source_id": "MITRE", "reports": null }, { "id": "b938e2e3-3d1b-4b35-a031-ddf25b912557", "created_at": "2022-10-25T16:07:23.35582Z", "updated_at": "2026-04-10T02:00:04.55531Z", "deleted_at": null, "main_name": "APT 33", "aliases": [ "APT 33", "ATK 35", "Cobalt Trinity", "Curious Serpens", "Elfin", "G0064", "Holmium", "Magnallium", "Peach Sandstorm", "Refined Kitten", "TA451", "Yellow Orc" ], "source_name": "ETDA:APT 33", "tools": [ "Atros2.CKPN", "AutoIt backdoor", "Breut", "CinaRAT", "DROPSHOT", "DarkComet", "DarkKomet", "DistTrack", "EmPyre", "EmpireProject", "FYNLOS", "FalseFont", "Filerase", "Fynloski", "JuicyPotato", "Krademok", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "Mimikatz", "Nancrat", "NanoCore", "NanoCore RAT", "NetWeird", "NetWire", "NetWire RAT", "NetWire RC", "NetWired RC", "Notestuk", "POWERTON", "PoshC2", "PowerBand", "PowerShell Empire", "PowerSploit", "PsList", "Pupy", "PupyRAT", "Quasar RAT", "QuasarRAT", "Recam", "Remcos", "RemcosRAT", "Remvio", "SHAPESHIFT", "Shamoon", "Socmer", "StoneDrill", "TURNEDUP", "Tickler", "Yggdrasil", "Zurten", "klovbot", "pupy" ], "source_id": "ETDA", "reports": null }, { "id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb", "created_at": "2022-10-25T16:07:23.880522Z", "updated_at": "2026-04-10T02:00:04.775749Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "ATK 51", "Boggy Serpens", "Cobalt Ulster", "G0069", "ITG17", "Mango Sandstorm", "MuddyWater", "Operation BlackWater", "Operation Earth Vetala", "Operation Quicksand", "Seedworm", "Static Kitten", "T-APT-14", "TA450", "TEMP.Zagros", "Yellow Nix" ], "source_name": "ETDA:MuddyWater", "tools": [ "Agentemis", "BugSleep", "CLOUDSTATS", "ChromeCookiesView", "Cobalt Strike", "CobaltStrike", "CrackMapExec", "DCHSpy", "DELPHSTATS", "EmPyre", "EmpireProject", "FruityC2", "Koadic", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "MZCookiesView", "Meterpreter", "Mimikatz", "MuddyC2Go", "MuddyRot", "Mudwater", "POWERSTATS", "PRB-Backdoor", "PhonyC2", "PowGoop", "PowerShell Empire", "PowerSploit", "Powermud", "QUADAGENT", "SHARPSTATS", "SSF", "Secure Socket Funneling", "Shootback", "Smbmap", "Valyria", "chrome-passwords", "cobeacon", "prb_backdoor" ], "source_id": "ETDA", "reports": null }, { "id": "b6436f7b-6012-4969-aed1-d440e2e8b238", "created_at": "2022-10-25T16:07:23.91517Z", "updated_at": "2026-04-10T02:00:04.788408Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "APT 34", "ATK 40", "Chrysene", "Cobalt Gypsy", "Crambus", "DEV-0861", "EUROPIUM", "Earth Simnavaz", "Evasive Serpens", "G0049", "Hazel Sandstorm", "Helix Kitten", "IRN2", "ITG13", "Scarred Manticore", "Storm-0861", "TA452", "Twisted Kitten", "UNC1860", "Yellow Maero" ], "source_name": "ETDA:OilRig", "tools": [ "AMATIAS", "Agent Drable", "Agent Injector", "AgentDrable", "Alma Communicator", "BONDUPDATER", "CACTUSPIPE", "Clayslide", "CypherRat", "DNSExfitrator", "DNSpionage", "DROPSHOT", "DistTrack", "DropperBackdoor", "Fox Panel", "GREYSTUFF", "GoogleDrive RAT", "HighShell", "HyperShell", "ISMAgent", "ISMDoor", "ISMInjector", "Jason", "Karkoff", "LIONTAIL", "LOLBAS", "LOLBins", "LONGWATCH", "LaZagne", "Living off the Land", "MailDropper", "Mimikatz", "MrPerfectInstaller", "OILYFACE", "OopsIE", "POWBAT", "POWRUNER", "Plink", "Poison Frog", "PowerExchange", "PsList", "PuTTY Link", "QUADAGENT", "RDAT", "RGDoor", "SEASHARPEE", "Saitama", "Saitama Backdoor", "Shamoon", "SideTwist", "SpyNote", "SpyNote RAT", "StoneDrill", "TONEDEAF", "TONEDEAF 2.0", "ThreeDollars", "TwoFace", "VALUEVAULT", "Webmask", "WinRAR", "ZEROCLEAR", "ZeroCleare", "certutil", "certutil.exe" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775433972, "ts_updated_at": 1775792256, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/49362eadda1471957aa9cacc4de5726de9eb4a4b.pdf", "text": "https://archive.orkl.eu/49362eadda1471957aa9cacc4de5726de9eb4a4b.txt", "img": "https://archive.orkl.eu/49362eadda1471957aa9cacc4de5726de9eb4a4b.jpg" } }