{
	"id": "935f872b-a7e4-48ca-9e65-f5e0c3ae5f43",
	"created_at": "2026-04-06T00:14:43.43452Z",
	"updated_at": "2026-04-10T03:37:49.699649Z",
	"deleted_at": null,
	"sha1_hash": "49c50959e305e83920668b3ab3a8245d118ed79c",
	"title": "Anomali | AI Threat Intelligence \u0026 Agentic SOC Platform",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1050979,
	"plain_text": "Anomali | AI Threat Intelligence \u0026 Agentic SOC Platform\r\nArchived: 2026-04-05 19:52:55 UTC\r\nCentralize all security telemetry, enrich it with real-world threat intelligence, and partner with our specialized AI agents to automate detection, investigation, and response.\r\nTrusted partner of Fortune 500 Companies\r\nhttps://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop\r\nPage 1 of 11\r\nLegacy SIEMs can’t keep up with today’s data volumes.\r\nStandalone intelligence feeds don’t operationalize.\r\nAutomation without context creates noise, not outcomes.\r\nTell me about IP 118.248.255.174\r\nWhat are the top threats to my organization?\r\nCl0p is a Ransomware-as-a-Service (RaaS) operation first observed in 2019, known for its advanced anti-analysis and anti-virtual machine detection capabilities. The group rose to prominence in Q2 2023 by automating the exploitation of file transfer vulnerabilities, including MOVEit Transfer and GoAnywhere MFT. The group has been known to exploit zero-day vulnerabilities, such as the CVE-2023-34362 vulnerability in Progress Software's MOVEit Transfer solution. In this campaign, they used a SQL injection vulnerability to install a web shell called LEMURLOOT, enabling data theft from underlying databases. The IP address 118.248.255.174 is identified as a malicious IP (mal_ip), an APT IP (apt_ip), and a scanning IP (scan_ip) with high confidence levels ranging from 98 to 100. It has been tagged with various sources such as Mandiant, Anomali Adversary Intelligence, and cinsscore:ci-badguys OSINT. It is located in China and is part of the China Unicom Shandong province network. The IP is associated with the threat actor APT28, known for state-sponsored activities and information theft. Tags related to APT28 include Fancy Bear and Iron Twilight.\r\nAnalysts pivot across years of data and intelligence in seconds.\r\nContext-driven prioritization reduces false positives and alert fatigue.\r\nThreat intel informs every stage of the SOC workflow, not just reports.\r\nEliminate SIEM tax and manual effort while scaling data retention.\r\nSecurity telemetry from across your environment flows into a single, high-performance data lake.\r\nThreatStream Next-Gen adds adversary and campaign context, turning raw signals into prioritized risk.\r\nAI-driven agents guide analysts and automate response, accelerating outcomes without sacrificing oversight.\r\nAn exceptional / state-of-the-art product with a great customer-focused team to enable the organization to improve its cyber posture proactively.\r\nExcellent TIP to concentrate \u0026 correlate feeds from all kinds of sources. Needs to mature in its capability to produce reports and with Sighting.\r\nAnomali provides a knowledge system that gives our organisation a tool that helps us get more insight and overview of the financial threat landscape; combined with extended connectivity possibilities for external intelligence sources, this makes it a powerful tool.\r\nOnce products are deployed, the process runs smoothly. It produces huge amounts of threat intel, which was filtered and customized to our requirements. Anomali support is outstanding and dedicated to satisfying our requirements.\r\nAnomali has been one of the only platforms we've seen that allows us to tag our own intelligence, apply confidence ratings and collaborate with other intel sources to get a better picture of the attacker infrastructure, etc., at play in cyber attacks.\r\nFrom the moment we implemented Anomali, we immediately felt like family. They supported us in our first steps during our learning phase with the product, and now they check in on a regular basis to ensure that we're using the product to its fullest extent and capabilities. Whenever we have a support issue, they are always available to help and do it with an amazing attitude.\r\nI could say this data set is designed for practitioners. 1. Input - all kinds of (unstructured + structured) data can be processed properly. 2. Output - the export types are also clearly organized, so it saves time on customizing/beautifying.\r\nHugh Njemanze and his team at Anomali have taken security analytics to a new peak and they continue to relentlessly innovate. Moreover, we have used their platform to deliver business analytics. They have led the market in AI and ML, which has increased our productivity and our effectiveness with our management and board. Using The Anomali Platform is a competitive advantage for us. Finally, when Anomali says they partner with their customers, they mean it. Keep innovating!\r\n10x Banking, a financial services technology company with a mission to move banks from monolithic to next-generation core banking solutions delivered through the world’s most comprehensive and powerful cloud native SaaS bank operating system, uses Anomali ThreatStream and Lens to help operationalize threat intelligence for their security team.\r\nAnomali uniquely innovates from our perspective as customers vs. the vendor or the analyst communities. They speak business and have attended one of our board meetings. Their approach is the modern path of managing security to drive business. They are all about use cases and automation. Not to mention the cost savings. They serve the who’s who globally in our sector.\r\nWhen I first met Anomali, I thought that they were a SIEM 3.0 with the best intelligence. I now think differently and am less focused on acronyms. As a CISO, I need to protect my organization and deliver shareholder value. Anomali is my partner.\r\nAs one of the prominent banks in the United Arab Emirates, we manage assets and transactions for thousands of customers. One of our main commitments to our customers is security, and we achieve this through solid partnerships with industry experts such as Anomali. By bringing in industry experts, we expect to gain advanced levels of security that will help us to further heighten our defenses and intercept any possible exploitation by cybercriminals.\r\nThe financial services industry continues to be among the most targeted in the world, with cybercriminals always attempting to make inroads directly through banks’ networks or by going after consumers directly. Anomali has proven its ability to deliver on the promise of advanced threat intelligence, which supports us in helping our users to remain secure and better prepared. By adding them to our lab environment, we are confident that defensive capabilities will strengthen for all involved.\r\nWe leverage market-leading tools to give our company a competitive advantage and our 24/7 SOC a leg up on bad actors. With Anomali, we improve on both of these goals. By adding intelligence, we achieve a high level of certainty that enhances prioritization of the most serious threats our customers face, while improving our mitigation decisions.\r\nAll public organizations are targeted by nefarious actors with extreme frequency; Oklahoma is no exception. Since the beginning of the current global health crisis, we’ve experienced a spike in related attacks. Anomali will show us who the attackers are, when they are coming after us, and provide the context needed to prioritize and speed our response to the most serious threats we face.\r\nThe time it takes to analyze a threat has gone down from 30 minutes to just a few minutes, time that adds up over the course of investigating many malicious IPs every week. There has been a substantial decrease in mean-time-to-know.\r\nBefore Anomali, we had tons of information without context. We had to look through thousands of alerts quickly just to see what stood out and then react to those. Anomali enabled us to spend less time dealing with noise, and more time focusing on critical issues.\r\nSource: https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop"
	],
	"report_names": [
		"evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop"
	],
	"threat_actors": [
		{
			"id": "17b92337-ca5f-48bb-926b-c93b5e5678a4",
			"created_at": "2022-10-25T16:07:23.333316Z",
			"updated_at": "2026-04-10T02:00:04.546474Z",
			"deleted_at": null,
			"main_name": "APT 18",
			"aliases": [
				"APT 18",
				"Dynamite Panda",
				"G0026",
				"Red Wraith",
				"SILVERVIPER",
				"Satin Typhoon",
				"Scandium",
				"TG-0416",
				"Wekby"
			],
			"source_name": "ETDA:APT 18",
			"tools": [
				"AngryRebel",
				"AtNow",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HttpBrowser RAT",
				"HttpDump",
				"Moudour",
				"Mydoor",
				"PCRat",
				"Pisloader",
				"QUICKBALL",
				"Roseam",
				"StickyFingers",
				"Token Control",
				"TokenControl",
				"hcdLoader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c8aefee7-fb57-409b-857e-23e986cb4a56",
			"created_at": "2023-01-06T13:46:38.285223Z",
			"updated_at": "2026-04-10T02:00:02.910756Z",
			"deleted_at": null,
			"main_name": "APT18",
			"aliases": [
				"SCANDIUM",
				"PLA Navy",
				"Wekby",
				"G0026",
				"Satin Typhoon",
				"DYNAMITE PANDA",
				"TG-0416"
			],
			"source_name": "MISPGALAXY:APT18",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434483,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/49c50959e305e83920668b3ab3a8245d118ed79c.pdf",
		"text": "https://archive.orkl.eu/49c50959e305e83920668b3ab3a8245d118ed79c.txt",
		"img": "https://archive.orkl.eu/49c50959e305e83920668b3ab3a8245d118ed79c.jpg"
	}
}