{
	"id": "ab12f752-579d-4c0b-9381-1420eb85af9a",
	"created_at": "2026-04-06T00:16:47.064623Z",
	"updated_at": "2026-04-10T03:38:19.839758Z",
	"deleted_at": null,
	"sha1_hash": "4a3d68b2168e4b8c06f3729a0824443dacf63cfd",
	"title": "Fake recruiter coding tests target devs with malicious Python packages | ReversingLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1997428,
	"plain_text": "Fake recruiter coding tests target devs with malicious Python\r\npackages | ReversingLabs\r\nBy Karlo Zanki, Reverse Engineer at ReversingLabs\r\nPublished: 2024-09-10 · Archived: 2026-04-05 17:37:37 UTC\r\nThreat Research, September 10, 2024\r\nRL found the VMConnect campaign continuing with malicious actors posing as\r\nrecruiters, using packages and the names of financial firms to lure developers.\r\nReversingLabs researchers have identified new, malicious software packages believed to be linked to a campaign,\r\nVMConnect, that our team first identified in August 2023 and which has ties to the North Korean hacking team\r\nLazarus Group. The new samples were tracked to GitHub projects that have been linked to previous, targeted\r\nattacks in which developers are lured using fake job interviews. Furthermore, information gathered from the\r\ndetected samples allowed us to identify one compromised developer and provided insights into an ongoing\r\ncampaign, with attackers posing as employees of major financial services firms.\r\nHere is a detailed account of our discovery of the latest, malicious campaign.\r\nHistory\r\nIn August 2023, ReversingLabs published two research posts describing the VMConnect campaign and its\r\nconnection to North Korea's Lazarus Group. The relation to the Lazarus Group was based on information gathered\r\nhttps://www.reversinglabs.com/blog/fake-recruiter-coding-tests-target-devs-with-malicious-python-packages\r\nPage 1 of 6\n\nin research conducted by Japan's CERT. As the team wrote at the time: Malicious PyPI packages that were pretty\r\ngood imitations of popular, open source Python tools were discovered. Besides the functionality duplicated from\r\nthe legitimate tools, they contained malicious downloader functionality, well hidden in the code base. 
Code\r\nsimilarities between the discovered samples and those found and documented as part of research by Japan’s CERT\r\nsupported the attribution of the campaign to the North Korean APT Lazarus.\r\nJob interviews: A familiar attack vector\r\nThe Japan CERT research provided additional insights into the malware delivery methods used by this threat\r\nactor. One method of particular interest was the delivery of malware as a Windows Help file (CHM)\r\nembedded in an archive, and the use of LinkedIn accounts pretending to be job recruiters to seed the malware to\r\ntargeted individuals. This very same technique was described in research published by Palo Alto’s Unit 42. That\r\nreport noted malware authors also tried to convince their targets to download malicious npm packages from\r\nGitHub repositories.\r\nIn a scan earlier this year, the RL research team observed similar behaviors in association with a different set of\r\npackages. Researchers also found evidence that malicious threat actors are targeting Python developers, in\r\naddition to targeting npm and JavaScript developers, as seen in the earlier campaigns.\r\nSpotting the threat\r\nReversingLabs threat hunting workflows include the continuous monitoring of previously identified threats. RL\r\ntracks behavior indicators as well as YARA rules. One such threat hunting YARA rule, created by Japan CERT and\r\nrelated to the VMConnect campaign, looks for a specific first-stage Python downloader. In June 2024, this YARA\r\nrule matched several samples uploaded to our Spectra Intelligence platform, triggering a Spectra\r\ndetection.\r\nOur Spectra Intelligence platform enables security and threat hunting teams to pivot on threat samples in a very\r\nsimple way: identifying files and packages related to the sample you are looking at as quickly as possible. 
In\r\nSpectra Intelligence, this is easily done by looking at the Relationships tab (Figure 1) for a given file sample,\r\nwhich provides a list of parent and container files from which the observed sample was extracted.\r\nThis analysis revealed that the direct parent of the detected, malicious files is a Python PYC file, meaning that\r\nonce again the team encountered malware hidden in a compiled Python file, a story similar to campaigns\r\ndescribed in previous RL research posts.\r\nPractically, compiled PYC files are used in cases when the source code in a plaintext Python file with the same\r\nname hasn't been modified since the date of the most recent version of the compiled file. In that case, the cached\r\ncompiled file is presumed to be identical to the non-compiled file and gets executed, resulting in faster execution.\r\nAs RL researchers mentioned in our earlier discussion, this feature poses a risk. First, it is more difficult to scan\r\ncompiled Python files than plaintext files, as they are packed into a binary format, making them unreadable\r\nwithout specialized tools.\r\nIn the case of the newly discovered packages, further inspection of the files revealed that the plaintext Python files\r\nwith the same names also contained the malicious code. However, the malicious project would function even if\r\nthese plaintext files weren’t shipped, as the malicious code would get executed from the cached, compiled PYC\r\nfile.\r\nThe lure: Developer coding tests\r\nPivoting again on the direct parent file and looking at its relationships to other files revealed links to several top-level open source containers. This gave us insight into the nature of this malicious campaign. 
Looking at their\r\ncontent shows that all of them represent coding skills tests linked to job interviews. For example, the team sees\r\narchives with names like Python_Skill_Assessment.zip and Python_Skill_Test.zip. This correlates with the fake job\r\ninterview attack seen in prior campaigns.\r\nThe content of nearly identical README files included with the packages provides more insight into what the\r\nvictim encountered. They contain instructions for the job candidates to find and fix a bug in a password manager\r\napplication, republishing their fix and taking screenshots to document their coding work.\r\nThe README files tell would-be candidates to make sure the project is running successfully on their system\r\nbefore making modifications. That instruction is intended to make sure that the malware execution is triggered\r\nregardless of whether the job candidate (aka “the target”) completes the assigned coding assignment.\r\nThe malware\r\nSpecifically, the malicious code our research team identified in this campaign was contained in altered pyperclip\r\nand pyrebase modules. The malicious code is present in both the __init__.py file and its corresponding compiled\r\nPython file (PYC) inside the __pycache__ directory of the respective modules.\r\nThe code is implemented as a Base64 encoded string which hides downloader code. The malicious functionality in\r\nthis file is identical to that observed in the samples from earlier iterations of the VMConnect campaign. Once\r\nagain, RL researchers observed Base64 encoded malicious code making an HTTP POST request to the C2 server\r\nand executing Python commands received in the response.\r\nLoaded tests: How developers were targeted\r\nWhile pivoting on sample 6a8b8bbd83ea4cfeaadaf397700f75681aaddbea to view its parent relations, we came\r\nacross a related archive named Python_Skill_Test. As its name suggests, this package posed as a coding skills test\r\nfor the Python programming language. 
The Python_Skill_Test archive contains a README file with instructions\r\nfor the developer.\r\nSpecifically, the instructions set a timeframe for completing the assignment (finding a coding flaw in the package\r\nand fixing it). It is clearly intended to create a sense of urgency for the would-be job seeker, thus making it more\r\nlikely that he or she would execute the package without performing any type of security or even source code\r\nreview first. That assures the malicious actors behind this campaign that the embedded malware will be\r\nexecuted on the developer’s system.\r\nEvidence of the who and how\r\nWhat made researching this campaign particularly interesting was the evidence we uncovered that identified likely\r\nvictims of the campaign. In most of our research, we aren’t able to determine how the victims got infected with\r\nthe malware they submit to us to analyze. That’s because our Spectra Intelligence product does not reside on users’\r\nendpoints and, therefore, cannot see the initial stages of an attack. In the case of this campaign, however, there\r\nwere artifacts in one of the solved coding tests submitted to the malicious actors that provided us with clues as to\r\nhow the attack was framed, and also helped us identify one of the victims.\r\nAttackers pose as financial services firms\r\nAs the README file shows, the malicious actors behind this campaign impersonated Capital One, a major U.S.\r\nfinancial services firm. Posing as financial services firms appears to be one of the characteristics of this campaign.\r\nFor example, another archive we analyzed was named RookeryCapital_PythonTest.zip, invoking the name of\r\nanother, less well-known financial services firm. 
There is no evidence linking any of these packages to code or\r\npackages belonging to these or other financial services firms, nor does it appear the firms in question were aware\r\nthat malicious actors were illegally using their names as part of their malicious campaigns.\r\nConfig file reveals targeted developer\r\nBeyond identifying the means by which developers were targeted, a malicious package we analyzed may have\r\nalso helped us identify one of the targeted developers. Specifically: when analyzing a .git folder present in one of\r\nthe detected archives, we discovered a config file that contained the URL of the original GitHub repository where\r\nthe malware was hosted. That code repository has since been removed from GitHub.\r\nHowever, in addition to the config file, there was a logs directory which stored the changes made to refs in the\r\nrepository and contained several HEAD files. In one of these HEAD files, we discovered the full name and email of\r\nthe developer who cloned the repository and implemented the required feature, as required by the test.\r\nSearching open source information for the name led us to a GitHub profile of the developer. After establishing\r\ncontact with the developer, we confirmed that he had fallen victim to the malicious actor pretending to be a\r\nrecruiter from Capital One in January 2024. In an email exchange with ReversingLabs, he revealed that he had\r\nbeen contacted from a LinkedIn profile and provided with a link to the GitHub repository as a “homework task.”\r\nThe developer was asked to “find the bug,” resolve it and push changes that addressed the bug. When the changes\r\nwere pushed, the fake recruiter asked him to send screenshots of the fixed bug, to make sure that the developer\r\nexecuted the project on his machine.\r\nAn active threat?\r\nWhile these attacks date back more than six months, there is evidence that this campaign is ongoing. 
Specifically:\r\non July 31, RL came across a newly published GitHub repository named “testing” that was nearly identical to the\r\nearlier GitHub archives and contained the same malicious code.\r\nDigging deeper, there are some interesting coincidences associated with this newly discovered project and the\r\nolder testing archives, such as:\r\nThe account associated with the new GitHub project, ponpon262612, was created on January 19th 2024.\r\nThat’s the very same day the developer we emailed was compromised in the attack, according to the log\r\nfiles we analyzed.\r\nThe new GitHub account was dormant for months after it was created, but sprang to life, posting the new\r\n/testing project on July 31st, 2024 - the same day that ReversingLabs first established contact with the\r\ncompromised developer.\r\nIs this a coincidence? Probably not. The correlation between the new project being published to GitHub on the\r\nsame day that we reached out to one of the targeted developers regarding our discovery of the earlier, malicious\r\nGitHub archives may be a sign that the malicious actor still has access to the developer’s system and was privy to\r\nhis communications. Seeing that their malicious project had been exposed might have prompted the malicious\r\nactor to post a carbon copy of it under another name.\r\nAnother possibility is that the developer we exchanged emails with is actually linked to this campaign in some\r\nway, not simply a victim of it.\r\nRegardless, the new repository was reported to the GitHub security team and has been removed. 
However, since\r\nthe entire campaign has been active since early 2023 and new malicious samples and projects still surface from\r\ntime to time, we believe it is safe to call this an “active campaign” and one that will likely remain active for some\r\ntime.\r\nConclusion\r\nOne obvious conclusion from our latest findings, and the previously documented VMConnect campaign, is “this\r\nstory isn’t over.” Our research revealed continued malicious activity targeting developers working within sensitive\r\norganizations, with malicious Python packages that closely mirrored the kinds of threats documented in 2023 as\r\npart of the VMConnect campaign. As we noted, the details revealed by our analysis of the packages in question\r\nmake clear that malicious actors were targeting developers and looking to install malicious downloaders on\r\ndeveloper systems capable of fetching second and third stage malware such as backdoors and info stealers.\r\nJust like malicious attachments sent via email messages or web links, the developer “test” packages delivered via\r\nLinkedIn DMs likely provided a means of gaining a foothold on developer endpoints and, thereafter, exploiting the\r\ndeveloper’s permissions to move laterally and compromise other, higher value IT assets.\r\nCampaigns such as this that leverage open source packages and platforms to target developers are a growing trend\r\namong sophisticated cybercriminal and nation-state groups. North Korea’s Lazarus Group, which is believed to\r\nbe behind this campaign, is a good indicator of how such threats are playing out. 
Lazarus is an advanced and very\r\nactive threat actor focused on financial gain and cryptocurrency theft to benefit the government of North Korea.\r\nThreat reports from other research groups show that Lazarus and other North Korean threat actors are using a wide\r\nspectrum of offensive means to achieve their goals, including targeting developers and development organizations\r\nto infiltrate sensitive networks.\r\nTo address this growing risk, organizations need to be on the lookout for such downloads while also educating\r\ntheir developers and other technical staff to be wary of any effort to trick them into downloading and executing\r\ncode from an unknown source on their system.\r\nSource: https://www.reversinglabs.com/blog/fake-recruiter-coding-tests-target-devs-with-malicious-python-packages",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.reversinglabs.com/blog/fake-recruiter-coding-tests-target-devs-with-malicious-python-packages"
	],
	"report_names": [
		"fake-recruiter-coding-tests-target-devs-with-malicious-python-packages"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434607,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4a3d68b2168e4b8c06f3729a0824443dacf63cfd.pdf",
		"text": "https://archive.orkl.eu/4a3d68b2168e4b8c06f3729a0824443dacf63cfd.txt",
		"img": "https://archive.orkl.eu/4a3d68b2168e4b8c06f3729a0824443dacf63cfd.jpg"
	}
}