{
	"id": "47f309da-d737-4e05-a810-10d61f5dbafe",
	"created_at": "2026-04-06T01:29:25.406612Z",
	"updated_at": "2026-04-10T03:24:23.458224Z",
	"deleted_at": null,
	"sha1_hash": "4bee8c11a5708d97ef59c1da0efc457564bbeca7",
	"title": "Bazar, No Ryuk?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2921646,
	"plain_text": "Bazar, No Ryuk?\r\nBy editor\r\nPublished: 2021-01-31 · Archived: 2026-04-06 00:23:44 UTC\r\nIntro\r\nIn the fall of 2020, Bazar came to prominence when several campaigns delivered Ryuk ransomware. While Bazar appeared\r\nto drop off in December, new campaigns have sprung up recently, using similar TTPs.\r\nIn this case, we will describe how the threat actor went from a DocuSign-themed malicious document to domain-wide\r\ncompromise, using Bazar (aka KEGTAP) and Cobalt Strike.\r\nCase Summary\r\nThis investigation began as many do, with a malicious document delivered via email. The email and accompanying Excel\r\nfile purported to be a DocuSign request, which enticed the user to enable macros. This led to Bazar being dropped on the\r\nsystem, which created a run key for persistence.\r\nOn the first day, after the initial activity, nothing else was seen. On the second day, we observed DNS requests to .bazar\r\ndomain names (the hallmark of the Bazar malware family). The malware also executed some basic nltest domain discovery\r\nand a short ping to a Cobalt Strike server, but no additional activity was observed.\r\nOn the third day, more communication was observed between the Bazar and Cobalt Strike infrastructure, but again, no\r\ndownloads or follow-on activity were observed.\r\nOn the fourth day, Bazar pulled down a Cobalt Strike Beacon in the form of a DLL, which was executed via rundll32 and\r\ninjected into various system processes. One of the processes injected into was dllhost, which then ran various\r\nPowerSploit commands for discovery activity and dumped credentials from lsass. Shortly thereafter, the threat actors began\r\nmoving laterally using multiple techniques, such as:\r\nPass the Hash\r\nSMB executable transfer and exec\r\nRDP\r\nRemote service execution\r\nThe threat actors then continued pivoting and collecting more information about the environment. 
About an hour after\r\nbeginning their lateral movement, they had compromised a domain controller. On that domain controller, they executed\r\nAdFind and then dropped a custom PowerShell script named Get-DataInfo.ps1. This script looks for all active machines and\r\nqueries installed software, i.e., backup software, security software, etc. We first saw this script about a year ago when threat\r\nactors deployed Ryuk ransomware across a domain. Other public data has also linked this TTP to Ryuk threat actors.\r\nHowever, in this case, about 15 minutes after running the script, the threat actor dropped their access and left the\r\nenvironment. We do not know what caused them to leave, but we have some ideas. Based on the TTPs of this intrusion, we\r\nassess, with medium to high confidence, that Ryuk would have been the likely ransomware deployed. Total time in the\r\nenvironment was around 4 days.\r\nWe recently started offering intel feeds based on different command and control infrastructure such as Cobalt Strike, Qbot,\r\nTrickbot, PoshC2, PS Empire, etc., and this feed would have alerted on the Cobalt Strike C2 in this case. If you’re interested\r\nin pricing or a trial, please use Contact Us to get in touch.\r\nTimeline\r\nhttps://thedfirreport.com/2021/01/31/bazar-no-ryuk/\r\nPage 1 of 15\r\nMITRE ATT\u0026CK\r\nInitial Access\r\nInitial access to the environment was via a malicious email that enticed a user to download an Excel document with macros,\r\nusing a DocuSign social engineering theme.\r\nExecution\r\nThe Excel document required the user to enable content to execute. 
The embedded macro in the file was using an Excel 4.0\r\nmacro, which at the time of execution had a detection rate of 1/63 on VirusTotal.\r\nUpon execution of the macro, the file reached out to:\r\nhttps://juiceandfilm[.]com/salman/qqum.php\r\nAs seen in the contents of the macro below:\r\nFrom there a file was written:\r\nC:\\Users\\USER\\Downloads\\ResizeFormToFit.exe\r\nFrom here the executable then proceeds to create a new file and execute it via cmd.\r\nFour days post initial access, a Cobalt Strike Beacon was executed via rundll32 and cmd.\r\nPersistence\r\nImmediately following the execution of M1E1626.exe, a persistence mechanism was created for the file using a run key.\r\nThis file was found to be a BazarBackdoor sample.\r\nPrivilege Escalation\r\nCobalt Strike’s named pipe privilege escalation (Get-System) was used several times during the intrusion.\r\ncmd.exe /c echo a3fed5b3a32 \u003e \\\\.\\pipe\\3406c2\r\nDefense Evasion\r\nAfter loading the Cobalt Strike DLL, there was an almost instant injection by the process into the Werfault process.\r\nWe also see the Cobalt Strike Beacon running in the dllhost.exe process, loading PowerShell to perform PowerSploit\r\ncommands in the discovery section.\r\nAdditionally, via the use of YARA inspection, we found Cobalt Strike running in or injected into processes across the\r\nenvironment.\r\nProcessName, Pid, Yara Rule, 
Host\r\n\"powershell.exe\",4008,\"win_cobalt_strike_auto\",\"Endpoint2\"\r\n\"winlogon.exe\",532,\"win_cobalt_strike_auto\",\"Server1\"\r\n\"powershell.exe\",1340,\"win_cobalt_strike_auto\",\"Server1\"\r\n\"rundll32.exe\",564,\"win_cobalt_strike_auto\",\"Server8\"\r\n\"rundll32.exe\",3880,\"win_cobalt_strike_auto\",\"Server4\"\r\n\"powershell.exe\",2536,\"win_cobalt_strike_auto\",\"Server5\"\r\n\"rundll32.exe\",3580,\"win_cobalt_strike_auto\",\"Server6\"\r\n\"rundll32.exe\",3792,\"win_cobalt_strike_auto\",\"Server2\"\r\n\"rundll32.exe\",3708,\"win_cobalt_strike_auto\",\"Server3\"\r\n\"rundll32.exe\",3368,\"win_cobalt_strike_auto\",\"Server3\"\r\n\"rundll32.exe\",1700,\"win_cobalt_strike_auto\",\"Server10\"\r\n\"powershell.exe\",2692,\"win_cobalt_strike_auto\",\"Server7\"\r\n\"sihost.exe\",5064,\"win_cobalt_strike_auto\",\"Endpoint1\"\r\n\"taskhostw.exe\",664,\"win_cobalt_strike_auto\",\"Endpoint1\"\r\n\"explorer.exe\",5424,\"win_cobalt_strike_auto\",\"Endpoint1\"\r\n\"rundll32.exe\",7692,\"win_cobalt_strike_auto\",\"Endpoint1\"\r\n\"rundll32.exe\",2660,\"win_cobalt_strike_auto\",\"Server9\"\r\nCredential Access\r\nLsass was dumped using Cobalt Strike on multiple occasions. 
We were not able to recover any proof other than parent/child\r\nprocesses.\r\nDiscovery\r\nA day after initial access, Bazar initiated some discovery activity using Nltest:\r\ncmd.exe /c nltest /domain_trusts /all_trusts\r\nOn the fourth day, a Cobalt Strike Beacon was executed, and then the following discovery commands were run:\r\nC:\\Windows\\system32\\cmd.exe /C net group \"enterprise admins\" /domain\r\nC:\\Windows\\system32\\cmd.exe /C net group \"domain admins\" /domain\r\nOn the initial beachhead host, we also saw the Cobalt Strike Beacon initiate the following PowerShell discovery using\r\nPowerSploit:\r\nIEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:35806/'); Find-LocalAdminAccess\r\nIEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:35585/'); Get-NetComputer -ping -operatingsyst\r\nIEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:23163/'); Get-NetSubnet\r\nAfter beginning lateral movement, the threat actors used the following Windows utilities for system profiling:\r\nC:\\Windows\\system32\\cmd.exe /C systeminfo\r\nC:\\Windows\\system32\\cmd.exe /C ping HOST\r\nOnce the threat actors had access to a domain controller, they ran the following PowerShell discovery:\r\nRaw:\r\nSQBtAHAAbwByAHQALQBNAG8AZAB1AGwAZQAgAEEAYwB0AGkAdgBlAEQAaQByAGUAYwB0AG8AcgB5ADsAIABHAGUAdAAtAEEARABDAG8AbQBwAH\r\nDecoded:\r\nImport-Module ActiveDirectory; Get-ADComputer -Filter {enabled -eq $true} -properties *|select DNSHostName, IP\r\nAfter running that, the threat actors used nltest again to confirm domain trusts:\r\nC:\\Windows\\system32\\cmd.exe /C nltest /domain_trusts /all_trusts\r\nThe local time was also queried on the domain controller:\r\nC:\\Windows\\system32\\cmd.exe /C time\r\nAdFind was executed using adf.bat:\r\nC:\\Windows\\system32\\cmd.exe /C C:\\Windows\\Temp\\adf\\adf.bat\r\nadfind.exe -f \"(objectcategory=person)\"\r\nadfind.exe -f 
\"objectcategory=computer\"\r\nadfind.exe -f \"(objectcategory=organizationalUnit)\"\r\nadfind.exe -sc trustdmp\r\nadfind.exe -subnets -f (objectCategory=subnet)\r\nadfind.exe -f \"(objectcategory=group)\"\r\nadfind.exe -gcb -sc trustdmp\r\nFinally, the following collection of files was dropped on the domain controller:\r\nC:\\Users\\USER\\Desktop\\info\\7z.exe\r\nC:\\Users\\USER\\Desktop\\info\\comps.txt\r\nC:\\Users\\USER\\Desktop\\info\\Get-DataInfo.ps1\r\nC:\\Users\\USER\\Desktop\\info\\netscan.exe\r\nC:\\Users\\USER\\Desktop\\info\\start.bat\r\nstart.bat was executed with the following:\r\nC:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\USER\\Desktop\\info\\start.bat\"\"\r\nThe script’s contents show it to be a wrapper for the PowerShell script Get-DataInfo.ps1.\r\nThe contents of Get-DataInfo.ps1 show a detailed information collector that provides the threat actor with very specific details\r\nof the environment. This includes things like disk size, connectivity, antivirus software, and backup software. The Ryuk\r\ngroup has used this script for at least a year, as we’ve seen them use it multiple times.\r\nThis script and the other files are available at https://thedfirreport.com/services/\r\nLateral Movement\r\nThe threat actors deployed several lateral movement techniques over the course of the intrusion.\r\nThe first observed method was remote service execution via PowerShell, which injected into winlogon.\r\nThe threat actors also leveraged SMB to send Cobalt Strike Beacon executables to ADMIN$ shares and again execute them\r\non the remote systems via a service. 
This is the SMB Beacon, as it’s called in Cobalt Strike.\r\nPass the Hash was also used by the attackers while pivoting through the environment.\r\nRDP was also leveraged by the attackers via their Cobalt Strike Beacons.\r\nCommand and Control\r\nBazar:\r\nCommunication over DNS to .bazar domains.\r\nCobalt Strike:\r\nBeacon Configuration:\r\nOther observed Cobalt Strike IPs:\r\nJA3: 72a589da586844d7f0818ce684948eea\r\nJA3s: e35df3e00ca4ef31d42b34bebaa2f86e\r\nExfiltration\r\nWe did not witness exfiltration in the clear during this case, but we have recently become aware of Ryuk threat actors\r\nexfiltrating information over the Cobalt Strike C2 channel.\r\nImpact\r\nAfter finishing discovery, the threat actors disconnected from the network, dropping both Bazar and Cobalt Strike. We\r\nbelieve the next phase of this attack would have been domain-wide ransomware.\r\nEnjoy our report? Please consider donating $1 or more using Patreon. 
Thank you for your support!\r\nWe also have pcaps, memory captures, scripts, executables, and KAPE packages available here.\r\nIOCs\r\nIf you would like access to our internal MISP and/or threat feeds, please see here.\r\nhttps://misppriv.circl.lu/events/view/82052 @ https://otx.alienvault.com/pulse/601746492be20820e1cb57c0\r\nNetwork\r\nEndpoint\r\nrequest_form_1609982042.xlsm\r\nM1E1626.exe\r\nstart.bat\r\nGet-DataInfo.ps1\r\nnetscan.exe\r\nDetections\r\nNetwork\r\nET INFO Observed DNS Query for EmerDNS TLD (.bazar)\r\nET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)\r\nETPRO TROJAN Observed Malicious SSL Cert (Cobalt Strike 
CnC)\r\nSigma\r\nhttps://github.com/Neo23x0/sigma/blob/c56cd2dfff6343f3694ef4fd606a305415599737/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_\r\nhttps://github.com/Neo23x0/sigma/blob/126a17a27696ee6aaaf50f8673a659124e260143/rules/windows/process_creation/win_susp_adfind.yml\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml\r\nhttps://github.com/Neo23x0/sigma/blob/084cd39505861188d9d8f2d5c0f2835e4f750a3f/rules/windows/process_creation/win_malware_trickbot_recon_ac\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_commands_recon_activity.yml\r\nhttps://github.com/Neo23x0/sigma/blob/c56cd2dfff6343f3694ef4fd606a305415599737/rules/windows/builtin/win_overpass_the_hash.yml\r\nYara\r\n/*\r\nYARA Rule Set\r\nAuthor: The DFIR Report\r\nDate: 2021-01-25\r\nIdentifier: Case 1013\r\nReference: https://thedfirreport.com/\r\n*/\r\n/* Rule Set ----------------------------------------------------------------- */\r\nimport \"pe\"\r\nrule bazar_start_bat {\r\nmeta:\r\ndescription = \"files - file start.bat\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com/\"\r\ndate = \"2021-01-25\"\r\nhash1 = \"63de40c7382bbfe7639f51262544a3a62d0270d259e3423e24415c370dd77a60\"\r\nstrings:\r\n$x1 = \"powershell.exe Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force\" fullword ascii\r\n$x2 = \"powershell.exe -executionpolicy remotesigned -File .\\\\Get-DataInfo.ps1 %1)\" fullword ascii\r\n$x3 = \"powershell.exe -executionpolicy remotesigned -File .\\\\Get-DataInfo.ps1 %method\" fullword ascii\r\n$s4 = \"set /p method=\\\"Press Enter for collect [all]: \\\"\" fullword ascii\r\n$s5 = \"echo \\\"all ping disk soft noping nocompress\\\"\" fullword ascii\r\n$s6 = \"echo \\\"Please select a type of info collected:\\\"\" fullword ascii\r\n$s7 = \"@echo on\" fullword ascii /* Goodware String - occured 1 times */\r\n$s8 = \"color 07\" fullword 
ascii\r\n$s9 = \"pushd %~dp0\" fullword ascii /* Goodware String - occured 1 times */\r\n$s10 = \"color 70\" fullword ascii\r\n$s11 = \"IF \\\"%1\\\"==\\\"\\\" (\" fullword ascii\r\n$s12 = \"IF NOT \\\"%1\\\"==\\\"\\\" (\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x6540 and filesize \u003c 1KB and\r\n1 of ($x*) and all of them\r\n}\r\nrule bazar_M1E1626 {\r\nmeta:\r\ndescription = \"files - file M1E1626.exe\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com/\"\r\ndate = \"2021-01-25\"\r\nhash1 = \"d362c83e5a6701f9ae70c16063d743ea9fe6983d0c2b9aa2c2accf2d8ba5cb38\"\r\nstrings:\r\n$s1 = \"ResizeFormToFit.EXE\" fullword wide\r\n$s2 = \"C:\\\\Windows\\\\explorer.exe\" fullword ascii\r\n$s3 = \"bhart@pinpub.com\" fullword wide\r\n$s4 = \"constructor or from DllMain.\" fullword ascii\n$s5 = \"dgsvhwe\" fullword ascii\n$s6 = \"ResizeFormToFit.Document\" fullword wide\n$s7 = \"ResizeFormToFit Version 1.0\" fullword wide\n$s8 = \"This is a dummy form view for illustration of how to size the child frame window of the form to fit thi\n$s9 = \"GSTEAQR\" fullword ascii\n$s10 = \"HTBNMRRTNSHNH\" fullword ascii\n$s11 = \"RCWZCSJXRRNBL\" fullword ascii\n$s12 = \"JFCNZXHXPTCT\" fullword ascii\n$s13 = \"BLNEJPFAWFPU\" fullword ascii\n$s14 = \"BREUORYYPKS\" fullword ascii\n$s15 = \"UCWOJTPGLBZTI\" fullword ascii\n$s16 = \"DZVVFAVZVWMVS\" fullword ascii\n$s17 = \"MNKRAMLGWUX\" fullword ascii\n$s18 = \"WHVMUKGVCHCT\" fullword ascii\n$s19 = \"\\\\W\\\\TQPNIQWNZN\" fullword ascii\n$s20 = \"ResizeFormToFit3\" fullword wide\ncondition:\nuint16(0) == 0x5a4d and filesize \u003c 2000KB and\n( pe.imphash() == \"578738b5c4621e1bf95fce0a570a7cfc\" or 8 of them )\n}\nrule bazar_files_netscan {\nmeta:\ndescription = \"files - file netscan.exe\"\nauthor = \"The DFIR Report\"\nreference = \"https://thedfirreport.com/\"\ndate = \"2021-01-25\"\nhash1 = 
\"ce6fc6cca035914a28bbc453ee3e8ef2b16a79afc01d8cb079c70c7aee0e693f\"\nstrings:\n$s1 = \"TREMOTECOMMONFORM\" fullword wide\n$s2 = \"ELHEADERRIGHTBMP\" fullword wide\n$s3 = \"ELHEADERDESCBMP\" fullword wide\n$s4 = \"ELHEADERLEFTBMP\" fullword wide\n$s5 = \"ELHEADERASCBMP\" fullword wide\n$s6 = \"ELHEADERPOINTBMP\" fullword wide\n$s7 = \"A free multithreaded IP, SNMP, NetBIOS scanner.\" fullword ascii\n$s8 = \"GGG`BBB\" fullword ascii /* reversed goodware string 'BBB`GGG' */\n$s9 = \"name=\\\"SoftPerfect Network Scanner\\\"/\u003e\" fullword ascii\n$s10 = \"SoftPerfect Network Scanner\" fullword wide\n$s11 = \"TREMOTESERVICEEDITFORM\" fullword wide\n$s12 = \"TUSERPROMPTFORM\" fullword wide\n$s13 = \"TREMOTEWMIFORM\" fullword wide\n$s14 = \"TPUBLICIPFORM\" fullword wide\n$s15 = \"TREMOTESERVICESFORM\" fullword wide\n$s16 = \"TREMOTEWMIEDITFORM\" fullword wide\n$s17 = \"TREMOTEFILEEDITFORM\" fullword wide\n$s18 = \"TREMOTEREGISTRYFORM\" fullword wide\n$s19 = \"TPASTEIPADDRESSFORM\" fullword wide\n$s20 = \"TREMOTEREGISTRYEDITFORM\" fullword wide\ncondition:\nuint16(0) == 0x5a4d and filesize \u003c 2000KB and\n( pe.imphash() == \"e9d20acdeaa8947f562cf14d3976522e\" or 8 of them )\n}\nMITRE\nSpearphishing Link – T1566.002\nUser Execution – T1204\nCommand-Line Interface – T1059\nDomain Trust Discovery – T1482\nPass the Hash – T1550.002\nRemote Desktop Protocol – T1021.001\nSMB/Windows Admin Shares – T1021.002\nDomain Account – T1087.002\nDomain Groups – T1069.002\nSystem Information Discovery – T1082\nSystem Time Discovery – T1124\nSecurity Software Discovery – T1518.001\nSoftware Discovery – T1518\r\nRundll32 – T1218.011\r\nDNS – T1071.004\r\nCommonly Used Port – T1043\r\nService Execution – T1569.002\r\nPowerShell – T1059.001\r\nRegistry Run Keys / Startup Folder – T1547.001\r\nInternal case #1013\r\nSource: 
https://thedfirreport.com/2021/01/31/bazar-no-ryuk/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thedfirreport.com/2021/01/31/bazar-no-ryuk/"
	],
	"report_names": [
		"bazar-no-ryuk"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775438965,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4bee8c11a5708d97ef59c1da0efc457564bbeca7.pdf",
		"text": "https://archive.orkl.eu/4bee8c11a5708d97ef59c1da0efc457564bbeca7.txt",
		"img": "https://archive.orkl.eu/4bee8c11a5708d97ef59c1da0efc457564bbeca7.jpg"
	}
}