{
	"id": "8a14115f-10c8-4b2e-85f2-4f23c29a2241",
	"created_at": "2026-04-06T00:18:37.624751Z",
	"updated_at": "2026-04-10T03:37:04.299149Z",
	"deleted_at": null,
	"sha1_hash": "4c183440aac6d77e3b52826ae2d5985d60d647cb",
	"title": "Formbook (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 195473,
	"plain_text": "Formbook (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 17:14:17 UTC\r\nFormbook\r\naka: win.xloader\r\nActor(s): SWEED, Cobalt\r\nVTCollection     URLhaus        \r\nFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was\r\ninitially called \"Babushka Crypter\" by Insidemalware.\r\nReferences\r\n2026-01-13 ⋅ SecurityLiterate ⋅\r\nDeceiving the Deceivers: A Review of Deception Pro\r\nFormbook\r\n2025-11-26 ⋅ Intrinsec ⋅ CTI Intrinsec, David Sardinha\r\nTrouble in the air: A spree of campaigns targeting the aerospace industry in Russia\r\nDarkWatchman CloudEyE Formbook PhantomCore Remcos\r\n2025-05-27 ⋅ Fortinet ⋅ Xiaopeng Zhang\r\nInfostealer Malware FormBook Spread via Phishing Campaign – Part II\r\nFormbook\r\n2025-04-22 ⋅ Fortinet ⋅ Xiaopeng Zhang\r\nInfostealer Malware FormBook Spread via Phishing Campaign – Part I\r\nFormbook\r\n2024-12-11 ⋅ Sublime ⋅ Sublime Security\r\nXloader deep dive: Link-based malware delivery via SharePoint impersonation\r\nXloader Formbook\r\n2024-11-13 ⋅ TEHTRIS ⋅ TEHTRIS\r\nCracking Formbook malware: Blind deobfuscation and quick response techniques\r\nFormbook\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.formbook\r\nPage 1 of 8\n\n2024-06-15 ⋅ Medium b.magnezi ⋅ 0xMrMagnezi\r\nMalware Analysis FormBook\r\nFormbook\r\n2024-04-15 ⋅ Positive Technologies ⋅ Aleksandr Badaev, Kseniya Naumova\r\nSteganoAmor campaign: TA558 mass-attacking companies and public institutions all around the world\r\nLokiBot 404 Keylogger Agent Tesla CloudEyE Formbook Remcos XWorm\r\n2024-03-01 ⋅ Logpoint ⋅ Nischal khadgi\r\nA Comprehensive Overview on Stealer Malware Families\r\nAgent Tesla Formbook RedLine Stealer Remcos Vidar\r\n2024-02-28 ⋅ Security Intelligence ⋅ Golo Mühr, Ole Villadsen\r\nX-Force data reveals top spam trends, campaigns and senior superlatives in 2023\r\n404 Keylogger Agent Tesla Black Basta DarkGate Formbook IcedID Loki Password Stealer (PWS) 
Pikabot\r\nQakBot Remcos\r\n2024-01-24 ⋅ Medium shaddy43 ⋅ Shayan Ahmed Khan\r\nLayers of Deception: Analyzing the Complex Stages of XLoader 4.3 Malware Evolution\r\nXloader Formbook\r\n2023-07-06 ⋅ kienmanowar Blog ⋅ m4n0w4r, Tran Trung Kien\r\n[QuickNote] Examining Formbook Campaign via Phishing Emails\r\nFormbook\r\n2023-06-30 ⋅ Github (itaymigdal) ⋅ Itay Migdal\r\nFormbook unpacking\r\nFormbook\r\n2023-06-05 ⋅ Malware Traffic Analysis ⋅ Brad Duncan\r\n30 DAYS OF FORMBOOK: DAY 1, MONDAY 2023-06-05\r\nFormbook\r\n2023-04-10 ⋅ Check Point ⋅ Check Point\r\nMarch 2023’s Most Wanted Malware: New Emotet Campaign Bypasses Microsoft Blocks to Distribute\r\nMalicious OneNote Files\r\nAgent Tesla CloudEyE Emotet Formbook Nanocore RAT NjRAT QakBot Remcos Tofsee\r\n2023-03-30 ⋅ Zscaler ⋅ Brett Stone-Gross, Javier Vicente, Nikolaos Pantazopoulos\r\nTechnical Analysis of Xloader’s Code Obfuscation in Version 4.3\r\nFormbook\r\n2023-03-30 ⋅ loginsoft ⋅ Saharsh Agrawal\r\nFrom Innocence to Malice: The OneNote Malware Campaign Uncovered\r\nAgent Tesla AsyncRAT DOUBLEBACK Emotet Formbook IcedID NetWire RC QakBot Quasar RAT\r\nRedLine Stealer XWorm\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.formbook\r\nPage 2 of 8\n\n2023-03-16 ⋅ Trend Micro ⋅ Cedric Pernet, Jaromír Hořejší, Loseway Lu\r\nIPFS: A New Data Frontier or a New Cybercriminal Hideout?\r\nAgent Tesla Formbook RedLine Stealer Remcos\r\n2023-02-28 ⋅ ANY.RUN ⋅ ANY.RUN\r\nXLoader/FormBook: Encryption Analysis and Malware Decryption\r\nFormbook\r\n2023-01-30 ⋅ Checkpoint ⋅ Arie Olshtein\r\nFollowing the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware\r\nAgent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer\r\n(PWS) Maze NetWire RC Remcos REvil TrickBot\r\n2023-01-24 ⋅ Trellix ⋅ Daksh Kapur, John Fokker, Robert Venal, Tomer Shloman\r\nCyberattacks Targeting Ukraine Increase 20-fold at End of 2022 Fueled by Russia-linked Gamaredon 
Activity\r\nAndromeda Formbook Houdini Remcos\r\n2022-12-08 ⋅ Trustwave ⋅ Diana Lopera, Phil Hay, Rodel Mendrez\r\nTrojanized OneNote Document Leads to Formbook Malware\r\nFormbook\r\n2022-11-21 ⋅ Malwarebytes ⋅ Malwarebytes\r\n2022-11-21 Threat Intel Report\r\n404 Keylogger Agent Tesla Formbook Hive Remcos\r\n2022-10-05 ⋅ Fortinet ⋅ Xiaopeng Zhang\r\nExcel Document Delivers Multiple Malware by Exploiting CVE-2017-11882 – Part II\r\nFormbook RedLine Stealer\r\n2022-09-19 ⋅ Fortinet ⋅ Xiaopeng Zhang\r\nExcel Document Delivers Multiple Malware By Exploiting CVE-2017-11882 – Part I\r\nFormbook RedLine Stealer\r\n2022-08-29 ⋅ ⋅ 360 netlab ⋅ wanghao\r\nPureCrypter Loader continues to be active and has spread to more than 10 other families\r\n404 Keylogger Agent Tesla AsyncRAT Formbook RedLine Stealer\r\n2022-08-04 ⋅ ConnectWise ⋅ Stu Gonzalez\r\nFormbook and Remcos Backdoor RAT by ConnectWise CRU\r\nFormbook Remcos\r\n2022-07-25 ⋅ ⋅ Cert-UA ⋅ Cert-UA\r\nMass distribution of desktops (Formbook, Snake Keylogger) and use of Malware RelicRace/RelicSource as a\r\nmeans of delivery (CERT-UA#5056)\r\n404 Keylogger Formbook RelicRace\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.formbook\r\nPage 3 of 8\n\n2022-07-12 ⋅ Cyren ⋅ Kervin Alintanahin\r\nExample Analysis of Multi-Component Malware\r\nEmotet Formbook\r\n2022-07-01 ⋅ cyble ⋅ Cyble\r\nXloader Returns With New Infection Technique\r\nFormbook\r\n2022-05-19 ⋅ Blackberry ⋅ The BlackBerry Research \u0026 Intelligence Team\r\n.NET Stubs: Sowing the Seeds of Discord (PureCrypter)\r\nAberebot AbstractEmu AdoBot 404 Keylogger Agent Tesla Amadey AsyncRAT Ave Maria BitRAT BluStealer\r\nFormbook LimeRAT Loki Password Stealer (PWS) Nanocore RAT Orcus RAT Quasar RAT Raccoon RedLine\r\nStealer WhisperGate\r\n2022-03-11 ⋅ Netskope ⋅ Gustavo Palazolo\r\nNew Formbook Campaign Delivered Through Phishing Emails\r\nFormbook\r\n2022-03-07 ⋅ ⋅ LAC WATCH ⋅ Cyber Emergency Center\r\nI CAN'T HEAR YOU NOW! 
INTERNAL BEHAVIOR OF INFORMATION-STEALING MALWARE AND\r\nJSOC DETECTION TRENDS\r\nXloader Agent Tesla Formbook Loki Password Stealer (PWS)\r\n2022-02-28 ⋅ AhnLab ⋅ ASEC Analysis Team\r\nChange in Distribution Method of Malware Disguised as Estimate (VBS Script)\r\nFormbook\r\n2022-02-11 ⋅ forensicitguy ⋅ Tony Lambert\r\nXLoader/Formbook Distributed by Encrypted VelvetSweatshop Spreadsheets\r\nFormbook\r\n2022-01-21 ⋅ Zscaler ⋅ Brett Stone-Gross, Javier Vicente\r\nAnalysis of Xloader’s C2 Network Encryption\r\nXloader Formbook\r\n2022-01-18 ⋅ Elastic ⋅ Andrew Pease, Daniel Stepanic, Derek Ditch, Seth Goodwin\r\nFORMBOOK Adopts CAB-less Approach\r\nFormbook\r\n2021-11-23 ⋅ HP ⋅ Patrick Schläpfer\r\nRATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild\r\nAdWind Ratty STRRAT CloudEyE Formbook Houdini Panda Stealer Remcos\r\n2021-11-16 ⋅ Yoroi ⋅ Carmelo Ragusa, Luca Mella, Luigi Martire\r\nOffice Documents: May the XLL technique change the threat Landscape in 2022?\r\nAgent Tesla Dridex Formbook\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.formbook\r\nPage 4 of 8\n\n2021-09-30 ⋅ Blackberry ⋅ The BlackBerry Research \u0026 Intelligence Team\r\nThreat Thursday: xLoader Infostealer\r\nXloader Formbook\r\n2021-09-29 ⋅ Trend Micro ⋅ Aliakbar Zahravi, Kamlapati Choubey, Peter Girnus, William Gamazo Sanchez\r\nFormBook Adds Latest Office 365 0-Day Vulnerability (CVE-2021-40444) to Its Arsenal\r\nFormbook\r\n2021-07-21 ⋅ Quick Heal ⋅ Rumana Siddiqui\r\nFormBook Malware Returns: New Variant Uses Steganography and In-Memory Loading of multiple stages to\r\nsteal data\r\nFormbook\r\n2021-07-12 ⋅ Cipher Tech Solutions ⋅ Claire Zaboeva, Dan Dash, Melissa Frydrych\r\nRoboSki and Global Recovery: Automation to Combat Evolving Obfuscation\r\n404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki\r\nPassword Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos\r\n2021-07-12 ⋅ IBM ⋅ Claire Zaboeva, 
Dan Dash, Melissa Frydrych\r\nRoboSki and Global Recovery: Automation to Combat Evolving Obfuscation\r\n404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki\r\nPassword Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos\r\n2021-04-22 ⋅ Fortinet ⋅ Xiaopeng Zhang\r\nDeep Analysis: FormBook New Variant Delivered in Phishing Campaign – Part II\r\nFormbook\r\n2021-04-12 ⋅ Fortinet ⋅ Xiaopeng Zhang\r\nDeep Analysis: New FormBook Variant Delivered in Phishing Campaign – Part I\r\nFormbook\r\n2021-03-17 ⋅ HP ⋅ HP Bromium\r\nThreat Insights Report Q4-2020\r\nAgent Tesla BitRAT ComodoSec Dridex Emotet Ficker Stealer Formbook Zloader\r\n2021-03-11 ⋅ YouTube ( Malware_Analyzing_\u0026_RE_Tips_Tricks) ⋅ Jiří Vinopal\r\nFormbook Reversing - Part1 [Formbook .NET loader/injector analyzing, decrypting, unpacking, patching]\r\nFormbook\r\n2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli\r\nCommand and Control Traffic Patterns\r\nostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID\r\nISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot\r\n2020-11-19 ⋅ SANS ISC InfoSec Forums ⋅ Xavier Mertens\r\nPowerShell Dropper Delivering Formbook\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.formbook\r\nPage 5 of 8\n\nFormbook\r\n2020-11-05 ⋅ tccontre Blog ⋅ tcontre\r\nInteresting FormBook Crypter - unconventional way to store encrypted data\r\nFormbook\r\n2020-10-16 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab\r\nVBA Purging Malspam Campaigns\r\nAgent Tesla Formbook\r\n2020-07-29 ⋅ ESET Research ⋅ welivesecurity\r\nTHREAT REPORT Q2 2020\r\nDEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB\r\nLocker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze\r\nMicrocin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor\r\n2020-07-22 ⋅ S2W LAB Inc. 
⋅ S2W LAB INTELLIGENCE TEAM\r\n'FormBook Tracker' unveiled on the Dark Web\r\nFormbook\r\n2020-05-31 ⋅ Malwarebytes ⋅ hasherezade\r\nRevisiting the NSIS-based crypter\r\nFormbook\r\n2020-05-14 ⋅ SophosLabs ⋅ Markel Picado\r\nRATicate: an attacker’s waves of information-stealing malware\r\nAgent Tesla BetaBot BlackRemote Formbook Loki Password Stealer (PWS) NetWire RC NjRAT Remcos\r\n2020-04-01 ⋅ Cisco ⋅ Andrea Kaiser, Shyam Sundar Ramaswami\r\nNavigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors\r\nAzorult CloudEyE Formbook KPOT Stealer Metamorfo Nanocore RAT NetWire RC TrickBot\r\n2020-03-24 ⋅ Avira ⋅ Avira Protection Labs\r\nA new technique to analyze FormBook malware infections\r\nFormbook\r\n2020-01-19 ⋅ 360 ⋅ kate\r\nBayWorld event, Cyber Attack Against Foreign Trade Industry\r\nAzorult Formbook Nanocore RAT Revenge RAT\r\n2019-12-12 ⋅ FireEye ⋅ Chi-en Shen, Oleg Bondarenko\r\nCyber Threat Landscape in Japan – Revealing Threat in the Shadow\r\nCerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password\r\nStealer (PWS) PandaBanker PLEAD POISONPLUG TrickBot BlackTech\r\n2019-09-26 ⋅ Proofpoint ⋅ Bryan Campbell, Jeremy Hedges, Proofpoint Threat Insight Team\r\nNew WhiteShadow downloader uses Microsoft SQL to retrieve malware\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.formbook\r\nPage 6 of 8\n\nWhiteShadow Agent Tesla Azorult Crimson RAT Formbook Nanocore RAT NetWire RC NjRAT Remcos\r\n2019-07-15 ⋅ Cisco Talos ⋅ Edmund Brumaghin\r\nSWEED: Exposing years of Agent Tesla campaigns\r\nAgent Tesla Formbook Loki Password Stealer (PWS) SWEED\r\n2019-06-12 ⋅ Cyberbit ⋅ Hod Gavriel\r\nFormbook Research Hints Large Data Theft Attack Brewing\r\nFormbook\r\n2019-05-02 ⋅ Usual Suspect RE ⋅ Johann Aydinbas\r\nFormBook - Hiding in plain sight\r\nFormbook\r\n2019-01-01 ⋅ Virus Bulletin ⋅ Gabriela Nicolao\r\nInside Formbook infostealer\r\nFormbook\r\n2018-12-05 ⋅ Botconf ⋅ Rémi Jullian\r\nFORMBOOK In-depth 
malware analysis\r\nFormbook\r\n2018-11-01 ⋅ Peerlyst ⋅ Sudhendu\r\nHow to Analyse FormBook - A New Malware-as-a-Service\r\nFormbook\r\n2018-10-16 ⋅ Peerlyst ⋅ Sudhendu\r\nHow to understand FormBook - A New Malware-as-a-Service\r\nFormbook\r\n2018-06-22 ⋅ InQuest ⋅ Aswanda\r\nFormBook stealer: Data theft made easy\r\nFormbook\r\n2018-06-20 ⋅ Cisco Talos ⋅ Paul Rascagnères, Warren Mercer\r\nMy Little FormBook\r\nFormbook\r\n2018-03-29 ⋅ Stormshield ⋅ Rémi Jullian\r\nIn-depth Formbook malware analysis – Obfuscation and process injection\r\nFormbook\r\n2018-01-29 ⋅ Vitali Kremez Blog ⋅ Vitali Kremez\r\nLet's Learn: Dissecting FormBook Infostealer Malware: Crypter \u0026 \"RunLib.dll\"\r\nFormbook\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.formbook\r\nPage 7 of 8\n\n2017-10-05 ⋅ FireEye ⋅ Nart Villeneuve, Randi Eitzman, Sandor Nemes, Tyler Dean\r\nSignificant FormBook Distribution Campaigns Impacting the U.S. and South Korea\r\nFormbook\r\n2017-09-20 ⋅ NetScout ⋅ Dennis Schwarz\r\nThe Formidable FormBook Form Grabber\r\nFormbook\r\n2016-06-01 ⋅ Safety First Blog ⋅ SL4ID3R\r\nForm Grabber 2016 [Crome,FF,Opera,Thunderbird, Outlook IE Safari] Hack the world\r\nFormbook\r\nYara Rules\r\n[TLP:WHITE] win_formbook_auto (20251219 | Detects win.formbook.)\r\n[TLP:WHITE] win_formbook_w0   (20230118 | No description)\r\nDownload all Yara Rules\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.formbook\r\nPage 8 of 8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook"
	],
	"report_names": [
		"win.formbook"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "316b23b5-e097-4dc6-8b1c-d096860c6c16",
			"created_at": "2022-10-25T16:07:24.290801Z",
			"updated_at": "2026-04-10T02:00:04.924688Z",
			"deleted_at": null,
			"main_name": "TA558",
			"aliases": [],
			"source_name": "ETDA:TA558",
			"tools": [
				"AZORult",
				"AsyncRAT",
				"Bladabindi",
				"ExtRat",
				"Jorik",
				"Loda",
				"Loda RAT",
				"LodaRAT",
				"Nymeria",
				"PuffStealer",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Rultazo",
				"Socmer",
				"Vengeance Justice Worm",
				"Vjw0rm",
				"Xtreme RAT",
				"XtremeRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1aead86d-0c57-4e3b-b464-a69f6de20cde",
			"created_at": "2023-01-06T13:46:38.318176Z",
			"updated_at": "2026-04-10T02:00:02.925424Z",
			"deleted_at": null,
			"main_name": "DAGGER PANDA",
			"aliases": [
				"UAT-7290",
				"Red Foxtrot",
				"IceFog",
				"RedFoxtrot",
				"Red Wendigo",
				"PLA Unit 69010"
			],
			"source_name": "MISPGALAXY:DAGGER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fe3d8dee-3bee-42e6-8f16-b6628b6189ae",
			"created_at": "2023-01-06T13:46:39.039285Z",
			"updated_at": "2026-04-10T02:00:03.193589Z",
			"deleted_at": null,
			"main_name": "SWEED",
			"aliases": [],
			"source_name": "MISPGALAXY:SWEED",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0d07b30c-4393-4071-82fb-22f51f7749e0",
			"created_at": "2022-10-25T16:07:24.097096Z",
			"updated_at": "2026-04-10T02:00:04.865146Z",
			"deleted_at": null,
			"main_name": "RATicate",
			"aliases": [],
			"source_name": "ETDA:RATicate",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"BetaBot",
				"BlackRAT",
				"BlackRemote",
				"Bladabindi",
				"CloudEyE",
				"ForeIT",
				"Formbook",
				"GuLoader",
				"Jorik",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NSIS",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Neurevt",
				"Nullsoft Scriptable Install System",
				"Origin Logger",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"ZPAQ",
				"njRAT",
				"vbdropper",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f2c53785-fb8b-460d-ba73-7fbfba36f0f5",
			"created_at": "2022-10-25T16:07:24.247949Z",
			"updated_at": "2026-04-10T02:00:04.911034Z",
			"deleted_at": null,
			"main_name": "Sweed",
			"aliases": [],
			"source_name": "ETDA:Sweed",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"ForeIT",
				"Formbook",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"Negasteal",
				"Origin Logger",
				"RDP",
				"Remote Desktop Protocol",
				"ZPAQ",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5d9dfc61-6138-497a-b9da-33885539f19c",
			"created_at": "2022-10-25T16:07:23.720008Z",
			"updated_at": "2026-04-10T02:00:04.726002Z",
			"deleted_at": null,
			"main_name": "Icefog",
			"aliases": [
				"ATK 23",
				"Dagger Panda",
				"Icefog",
				"Red Wendigo"
			],
			"source_name": "ETDA:Icefog",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Dagger Three",
				"Fucobha",
				"Icefog",
				"Javafog",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177",
				"Circuit Panda",
				"Earth Hundun",
				"Palmerworm",
				"Red Djinn",
				"Shrouded Crossbow"
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cf91b389-9602-45c0-8d6b-c61d14800f54",
			"created_at": "2023-01-06T13:46:39.448277Z",
			"updated_at": "2026-04-10T02:00:03.332604Z",
			"deleted_at": null,
			"main_name": "TA558",
			"aliases": [],
			"source_name": "MISPGALAXY:TA558",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Dancing Salome",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051",
				"Primitive Bear",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"WinterFlounder"
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434717,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4c183440aac6d77e3b52826ae2d5985d60d647cb.pdf",
		"text": "https://archive.orkl.eu/4c183440aac6d77e3b52826ae2d5985d60d647cb.txt",
		"img": "https://archive.orkl.eu/4c183440aac6d77e3b52826ae2d5985d60d647cb.jpg"
	}
}