{ "id": "43726828-0909-4df9-ab81-adc75dfa52dd", "created_at": "2026-04-06T00:13:08.872184Z", "updated_at": "2026-04-10T03:38:19.655026Z", "deleted_at": null, "sha1_hash": "4e6532ff082baa3efd5a4c63a732228e3ef4e80c", "title": "APT Trends report Q2 2017", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1067222, "plain_text": "APT Trends report Q2 2017\r\nBy GReAT\r\nPublished: 2017-08-08 · Archived: 2026-04-05 17:24:20 UTC\r\nIntroduction\r\nSince 2014, Kaspersky Lab’s Global Research and Analysis Team (GReAT) has been providing threat intelligence\r\nreports to a wide-range of customers worldwide, leading to the delivery of a full and dedicated private reporting\r\nservice. Prior to the new service offering, GReAT published research online for the general public in an effort to\r\nhelp combat the ever-increasing threat from nation-state and other advanced actors.  Since we began offering a\r\nthreat intelligence service, all deep technical details on advanced campaigns are first pushed to our subscriber\r\nbase. At the same time, to remain true to our efforts to help make the internet safer, important incidents, such as\r\nWannaCry or Petya are covered in both private and public reports.\r\nKaspersky’s Private Threat Intelligence Portal (TIP)\r\nIn Q1 of 2017 we published our first APT Trends report, highlighting our top research findings over the last few\r\nmonths. We will continue to publish quarterly reports as a representative snapshot of what has been offered in\r\ngreater detail in our private reports in order to highlight significant events and findings we feel most users should\r\nbe aware of.  If you would like to learn more about our intelligence reports or request more information for a\r\nspecific report, readers are encouraged to contact: intelreports@kaspersky.com.\r\nhttps://securelist.com/apt-trends-report-q2-2017/79332/\r\nPage 1 of 7\n\nRussian-Speaking Actors\r\nThe second quarter of 2017 has seen multiple incidents involving Russian-speaking threat actors. Topping the list\r\nof ‘attention grabbers’ were the Sofacy and Turla threat actors.\r\nMarch and April started off with a bang, with the discovery of three zero-day exploits being used in-the-wild by\r\nSofacy and Turla: two of these targeted Microsoft Office’s Encapsulated PostScript (EPS) and the third being a\r\nMicrosoft Windows Local Privilege Escalation (LPE).  Sofacy was discovered utilizing both CVE-2017-0262 (an\r\nEPS vulnerability) and CVE-2017-0263 (LPE) over the Easter holiday, targeting a swath of users throughout\r\nEurope.  Prior to this attack, Turla was also discovered using CVE-2017-0261 (a different EPS vulnerability). \r\nNeither actor appeared to deviate from their usual payload repertoire, with Sofacy dropping their typical\r\nGAMEFISH payload and Turla utilizing what we refer to as ICEDCOFFEE (a.k.a. Shirime).  Targeting for these\r\nattacks was also directly within the normal wheelhouse for both actors, focusing mainly on foreign ministries,\r\ngovernments, and other government-affiliated organizations.\r\nGReAT produced additional reports on Sofacy and Turla beyond those mentioned above.  In April, we notified\r\ncustomers of two new experimental macro techniques utilized by Sofacy.  These techniques, while not particularly\r\nsophisticated, caught our attention as they had not been seen before in-the-wild.  The first technique involved\r\nusing the built-in ‘certutil’ utility in Microsoft Windows to extract a hardcoded payload within a macro. The\r\nsecond technique involved embedding Base64-encoded payloads within the EXIF metadata of the malicious\r\ndocuments.  While the targeting for this new set of activity was again fairly standard, we discovered some\r\nnoteworthy targeting against a French political party member prior to the 2017 elections.  Moving into May and\r\nJune, we wrote two additional reports of interest involving these two actors: the first was an update on the long\r\nrunning “Mosquito Turla” campaign showing the usage of fake Adobe Flash installers and continued targeting of\r\nforeign Ministries. The other documented yet another update on Sofacy’s unique Delphi payload we call\r\n‘Zebrocy’.\r\nJune saw the massive outbreak of a piece of malware dubbed “ExPetr”.  While initial assessments presumed that\r\nthis was yet another ransomware attack a la WannaCry, a deeper assessment by GReAT places the initial intent as\r\nconstituting an operation destructive in nature.  We were also able to confidently identify the initial distribution of\r\nthe malware, as well as indicate a low confidence assessment that the attacks may share traits with the\r\nBlackEnergy actors. \r\nhttps://securelist.com/apt-trends-report-q2-2017/79332/\r\nPage 2 of 7\n\nBelow is a summary of report titles produced for the Eastern European region only.  As stated above, if you would\r\nlike to learn more about our threat intelligence products or request more information on a specific report, please\r\ndirect inquiries to intelreports@kaspersky.com.\r\n1. 1 Sofacy Dabbling in New Macro Techniques\r\n2. 2 Sofacy Using Two Zero Days in Recent Targeted Attacks – early warning\r\n3. 3 Turla EPS Zero Day – early warning\r\n4. 4 Mosquito Turla Targets Foreign Affairs Globally\r\n5. 5 Update on Zebrocy Activity June 2017\r\n6. 6 ExPetr motivation and attribution – Early alert\r\n7. 7 BlackBox ATM attacks using SDC bus injection\r\nEnglish-Speaking Actors\r\nEnglish-speaking actors are always particularly fascinating due to their history of complex tooling and campaigns.\r\nActors like Regin and Project Sauron have proven fascinating examples of new techniques leveraged in long-lasting, hard to catch campaigns and as such make ideal subjects for further research. Not to be outdone, Equation\r\nand the Lamberts were the subjects of our most recent investigations.\r\nContinuing our practice of conducting malware paleontology while integrating new discoveries, we published a\r\nreport on EQUATIONVECTOR, an Equation backdoor first used as early as 2006. This backdoor is a fascinating\r\npassive-active shellcode staging implant. It’s one of the earliest noted instances of a NObody But US (‘NOBUS’)\r\nbackdoor for staging further attacks. Despite its age, the EQUATIONVECTOR backdoor (identified as\r\n‘PeddleCheap’ in the latest ShadowBrokers disclosures) incorporates many advanced techniques for prolonged\r\nstealthy operations in victim networks, allowing the Equation operators to deliver further payloads without\r\narousing suspicion. The report tracks the development of these tools through subsequent iterations year-by-year.\r\nhttps://securelist.com/apt-trends-report-q2-2017/79332/\r\nPage 3 of 7\n\nOur tracking of the Lamberts toolkit continues with the publication of the Gray Lambert report in June, the most\r\nadvanced Lambert known to date. This too is a NOBUS backdoor, a passive implant operating strictly in user-land. The intricate usefulness of Gray Lambert lies in its ability to orchestrate multiple sniffer victims on a\r\nnetwork via broadcast, multicast, and unicast commands, allowing the operators to employ surgical precision in\r\nnetworks with many infected machines. The sniffers double as next-stage payload delivery mechanisms for an\r\ninfected network. A notable feature of the Lambert campaigns is the level of precision with which targets are\r\nchosen; Gray Lambert’s victimology is primarily focused on strategic verticals in Asia and Middle East. During\r\nthis investigation, GReAT researchers have also discovered two additional Lambert families (Red Lambert and\r\nBrown Lambert) currently under investigation for Q3.  Below is a list of report titles for reference:\r\n1. 1 EQUATIONVECTOR – A Generational Breakdown of the PeddleCheap Multifunctional Backdoor\r\n2. 2 The Gray Lambert – A Leap in Sophistication to User-land NOBUS Passive Implants\r\nKorean-speaking Actors\r\nOur researchers focusing on attacks with a Korean nexus also had a very busy quarter, producing seven reports on\r\nthe Lazarus group and WannaCry attacks.  Most of the reports on Lazarus directly involved a sub-group we refer\r\nto as BlueNoroff.  They are the arm that focuses mainly on financial gain, targeting banks, ATMs, and other\r\n“money-makers”.  We revealed to customers a previously unknown piece of malware dubbed ‘Manuscrypt’ used\r\nby Lazarus to target not only diplomatic targets in South Korea, but also people using virtual currency and\r\nelectronic payment sites. Most recently, ‘Manuscrypt’ has become the primary backdoor used by the BlueNoroff\r\nsub-group to target financial institutions.\r\nWannaCry also created quite a stir in the second quarter, with our analysts producing three reports and multiple\r\nblog posts on this emerging threat.  What proved most interesting to us, was the probable linkage to Lazarus group\r\nas the source of the attacks, as well as the origins of the malware.  GReAT researchers were able to trace back\r\nsome of its earliest usage and show that before the ‘EternalBlue’ exploit was added to version 2, WannaCry v1\r\nwas used in spearphishing attacks months prior.  Here is a listing of our reports from Q2 on actors with a Korean\r\nnexus:\r\n1. 1 Manuscrypt – malware family distributed by Lazarus\r\n2. 2 Lazarus actor targets carders\r\n3. 3 Lazarus-linked ATM Malware On the Loose In South Korea\r\n4. 4 Lazarus targets electronic currency operators\r\n5. 5 WannaCry – major ransomware attack hitting businesses worldwide – early alert\r\n6. 6 WannaCry possibly tied to the Lazarus APT Group\r\n7. 7 The First WannaCry Spearphish and Module Distribution\r\nMiddle Eastern Actors\r\nWhile there wasn’t much high-end activity involving Middle Eastern actors, we did produce two reports revolving\r\naround the use of a zero-day exploit (CVE-2017-0199).  The most notable involved an actor we refer to as\r\nBlackOasis and their usage of the exploit in-the-wild prior to its discovery.  We have previously reported on\r\nBlackOasis using other zero-days in the past; CVE-2016-4117 in May 2016, CVE-2016-0984 in June 2015, and\r\nhttps://securelist.com/apt-trends-report-q2-2017/79332/\r\nPage 4 of 7\n\nCVE-2015-5119 in June 2015.  It is believed that BlackOasis is a customer of Gamma Group and utilizes the\r\npopular ‘lawful surveillance’ kit FinSpy.  Other than the usage of the exploit, this report was significant because it\r\nalso showed one of the earliest known uses of a new version of FinSpy, which is still being analyzed by our\r\nresearchers.\r\nAfter the discovery of CVE-2017-0199, a plethora of threat actors also began to leverage this exploit in their\r\nattacks.  We reported to customers on the usage of this exploit by a well-known Middle Eastern actor dubbed\r\n‘OilRig’.  OilRig has actively targeted many organizations in Israel with the exploit via spearphishes appearing to\r\noriginate from well-known doctors within Ben Gurion University.  While their execution was less than stellar, it\r\nhighlighted the widespread usage of this exploit shortly after its discovery.\r\n1. 1 OilRig exploiting CVE-2017-0199 in new campaign\r\n2. 2 BlackOasis using Ole2Link zero day exploit in the wild\r\nChinese-Speaking Actors\r\nOn the Chinese speaking front, we felt it necessary to produce two reports to our customers.  While Chinese\r\nspeaking actors are active on a daily basis, not much has changed and we prefer to avoid producing reports on ‘yet\r\nanother instance of APTxx’ for the sake of padding our numbers.  Instead we try to focus on new and exciting\r\ncampaigns that warrant special attention.\r\nOne of those reports detailed a new finding regarding a fileless version of the well-known ‘HiKit’ malware\r\ndubbed ‘Hias’.  We have reported on Hias in the past, and one of our researchers was finally able to discover the\r\npersistence mechanism used, which also allowed us to tie the activity to an actor we call ‘CloudComputating’.\r\nAnother report detailed a new campaign we referred to as ‘IndigoZebra’.  This campaign was targeting former\r\nSoviet Republics with a wide swath of malware including Meterpreter, Poison Ivy, xDown, and a previously\r\nunknown malware called ‘xCaon’.  This campaign shares ties with other well-known Chinese-speaking actors, but\r\nno definitive attribution has been made at this time.\r\n1. 1 Updated technical analysis of Hias RAT\r\n2. 2 IndigoZebra – Intelligence preparation to high-level summits in Middle Asia\r\nBest of the rest\r\nSometimes we find new and exciting campaigns or entirely new threat actors to report to our subscribers without\r\nbeing able to make an immediate or definitive determination on regional provenance.  Several reports fell into this\r\ncategory in the last quarter.  ChasingAdder is a report describing a new persistence technique that hijacked a\r\nlegitimate WMI DLL for the purposes of loading a malicious payload. This activity targeted high-profile\r\ndiplomatic, military, and research organizations beginning in the fall of 2016, but to date we have not been able to\r\npinpoint the specific actor responsible.\r\nDemsty is a new piece of MacOS malware that is targeting University researchers in Hong Kong, among others. \r\nAt the time of writing, we have a low confidence assessment that the campaign was conducted by Chinese-speaking actors, and thus categorize this as ‘Unknown’ until greater evidence comes to light.\r\nhttps://securelist.com/apt-trends-report-q2-2017/79332/\r\nPage 5 of 7\n\nDuring Q2, the mischievous ShadowBrokers also continued their regular activities dumping multiple tools and\r\ndocumentation allegedly stolen from Equation Group. In April, the ShadowBrokers released another dump of\r\ninformation detailing the alleged targeting of SWIFT service bureaus and other banks by Equation Group.  Since\r\nsome of our customers are financial entities, we found it necessary to evaluate the data and provide an expert’s\r\nopinion on the validity of the dump.\r\nReports in the ‘unknown’ category:\r\n1. 1 ShadowBrokers’ Lost in translation leak – SWIFT attacks analysis\r\n2. 2 ChasingAdder – WMI DLL Hijacking Trojan Targeting High Profile Victims\r\n3. 3 University Researchers Located in Hong Kong Targeted with Demsty\r\nPredictions\r\nBased on the trends we’ve seen over the last three months, as well as foreseeable geopolitical events, we have\r\nlisted a few predictions for the upcoming quarter (Q3). As always, this isn’t an exact science and some cases won’t\r\ncome to fruition. Analyzing current and future events and combining those with the motivations of known active\r\nactors can help organizations prepare for likely forthcoming activity:\r\n1. 1 Misinformation campaigns will remain a threat to countries with upcoming elections, specifically\r\nGermany and Norway, as they have been previous targets for Eastern European based actors.\r\n2. 2 ‘Lawful Surveillance’ tools will continue to be utilized by governments that don’t have well-established\r\nCyber Operations capabilities, mainly based out of the Middle East. Companies such as Gamma Group,\r\nHacking Team, and NSO will continue to offer new zero-day exploits to those customers. As prices\r\nincrease and exchanges thrive, new organizations and marketplaces will continue popping up.\r\n3. 3 Destructive malware disguised as ransomware will continue to be a problem. In the last quarter we’ve\r\nseen two instances of this, and with the continued release of tools / exploits from dumps like Vault7 and\r\nShadowBrokers, this is going to be a new alarming trend to deal with.\r\n4. 4 In China, the past months have been marked by the dwindling economic growth, rising tensions with\r\nNorth Korea and the US, and increased exchanges between South Korean / Japanese / American\r\norganizations. In addition to these, the 19th Party Congress is set to be held in the fall of 2017 and\r\naccording to multiple public predictions, it is likely that some major changes will happen in the leadership.\r\nIt’s possible that these events will have wide regional influences that could affect the way that threat actors\r\noperate in Asia, both in terms of targeting and TTPs.\r\n5. 5 Targeting energy-related companies and organizations will be on the rise. Countries such as Norway may\r\nbe a top target moving forward given their control on oil and gas in the region in the buildup to an election.\r\nSaudi Arabia will also top the charts for potential targeting as they have in years past.\r\n6. 6 Lower-tier threat actors continue to increase cyber-espionage efforts and capabilities both in complexity\r\nand size. Expect more activity with varied technical capabilities coming from lesser known or previously\r\nunseen actors.\r\nHow to keep yourself protected\r\nhttps://securelist.com/apt-trends-report-q2-2017/79332/\r\nPage 6 of 7\n\nOne of the biggest problems when it comes to leveraging threat intelligence is judging the quality of the data and\r\nhow it can be used for defense. For instance, we may observe an increase in the number of fileless attacks or\r\nattacks in which all IOCs are unique or specific per victim. In such situations, having not only host-based IOCs,\r\nbut also network IOCs and Yara rules that can help identify malware in all cases is very important.\r\nAnother problem comes from the fact that many threat intelligence providers have a limited world view and their\r\ndata covers only a small set of threats. It’s easy for an enterprise to fall into the trap of thinking that ‘actor X’ is\r\nnot something they need to worry because their focus has been only certain countries or certain industry sectors;\r\nonly to discover later that their ignorance left them blind to those attacks.\r\nAs shown by many incidents, but especially by WannaCry and ExPetr’s EternalBlue-based spreading subroutines,\r\nvulnerabilities remain a key approach to infecting systems. Therefore timely patching is of utmost importance –\r\nwhich, being one of the most tedious IT maintenance tasks, works much better with good automation. Kaspersky\r\nEndpoint Security for Business Advanced and Kaspersky Total Security include Vulnerability \u0026 Patch\r\nmanagement components, offering convenient tools for making patching much easier, and much less time-consuming for IT staff.\r\nGiven the above, it is highly recommended that prevention (such as endpoint protection) along with advanced\r\ndetection capabilities, such as a solution that can detect all types of anomalies and scrutinize suspicious files at a\r\ndeeper level, be present on users’ systems. The Kaspersky Anti Targeted Attack solution (KATA) matches events\r\ncoming from different infrastructure levels, discerns anomalies and aggregates them into incidents, while also\r\nstudying related artifacts in a safe environment of a sandbox. As with most Kaspersky products, KATA is powered\r\nby HuMachine Intelligence, which is backed by on premise and in lab-running machine learning processes\r\ncoupled with real-time analyst expertise and our understanding of threat intelligence big data.\r\nThe best way to prevent attackers from finding and leveraging security holes, is to eliminate the holes altogether,\r\nincluding those involving improper system configurations or errors in proprietary applications. For this,\r\nKaspersky Penetration Testing and Application Security Assessment services can become a convenient and highly\r\neffective solution, providing not only data on found vulnerabilities, but also advising on how to fix it, further\r\nstrengthening corporate security.\r\nhttps://www.youtube.com/watch?v=JS4tbSWQb90\u0026width=640\u0026height=360\r\nSource: https://securelist.com/apt-trends-report-q2-2017/79332/\r\nhttps://securelist.com/apt-trends-report-q2-2017/79332/\r\nPage 7 of 7\n\naround the use BlackOasis of a zero-day and their usage exploit (CVE-2017-0199). of the exploit in-the-wild The prior to most notable involved its discovery. We an actor have previously we refer to reported as on\nBlackOasis using other zero-days in the past; CVe-2016-4117 in May 2016, CVe-2016-0984 in June 2015, and\n Page 4 of 7", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia", "MITRE" ], "references": [ "https://securelist.com/apt-trends-report-q2-2017/79332/" ], "report_names": [ "79332" ], "threat_actors": [ { "id": "b740943a-da51-4133-855b-df29822531ea", "created_at": "2022-10-25T15:50:23.604126Z", "updated_at": "2026-04-10T02:00:05.259593Z", "deleted_at": null, "main_name": "Equation", "aliases": [ "Equation" ], "source_name": "MITRE:Equation", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "8aaa5515-92dd-448d-bb20-3a253f4f8854", "created_at": "2024-06-19T02:03:08.147099Z", "updated_at": "2026-04-10T02:00:03.685355Z", "deleted_at": null, "main_name": "IRON HUNTER", "aliases": [ "ATK13 ", "Belugasturgeon ", "Blue Python ", "CTG-8875 ", "ITG12 ", "KRYPTON ", "MAKERSMARK ", "Pensive Ursa ", "Secret Blizzard ", "Turla", "UAC-0003 ", "UAC-0024 ", "UNC4210 ", "Venomous Bear ", "Waterbug " ], "source_name": "Secureworks:IRON HUNTER", "tools": [ "Carbon-DLL", "ComRAT", "LightNeuron", "Mosquito", "PyFlash", "Skipper", "Snake", "Tavdig" ], "source_id": "Secureworks", "reports": null }, { "id": "10ad5c1d-5030-4300-be4e-6d24b40a6330", "created_at": "2022-10-25T16:07:23.400966Z", "updated_at": "2026-04-10T02:00:04.581114Z", "deleted_at": null, "main_name": "BlackOasis", "aliases": [ "G0063" ], "source_name": "ETDA:BlackOasis", "tools": [ "FinFisher", "FinFisher RAT", "FinSpy", "Wingbird" ], "source_id": "ETDA", "reports": null }, { "id": "62f2206e-d8c6-49bb-86fc-63118ac2bf40", "created_at": "2022-10-25T16:07:23.725942Z", "updated_at": "2026-04-10T02:00:04.728159Z", "deleted_at": null, "main_name": "IndigoZebra", "aliases": [ "G0136" ], "source_name": "ETDA:IndigoZebra", "tools": [ "Dropbox" ], "source_id": "ETDA", "reports": null }, { "id": "3b56d733-88da-4394-b150-d87680ce67e4", "created_at": "2023-01-06T13:46:39.287189Z", "updated_at": "2026-04-10T02:00:03.274816Z", "deleted_at": null, "main_name": "BackdoorDiplomacy", "aliases": [ "BackDip", "CloudComputating", "Quarian" ], "source_name": "MISPGALAXY:BackdoorDiplomacy", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "a3687241-9876-477b-aa13-a7c368ffda58", "created_at": "2022-10-25T16:07:24.496902Z", "updated_at": "2026-04-10T02:00:05.010744Z", "deleted_at": null, "main_name": "Hacking Team", "aliases": [], "source_name": "ETDA:Hacking Team", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "c1ac2a5e-0225-47a4-8ac5-5fa898c96bde", "created_at": "2023-01-06T13:46:38.472883Z", "updated_at": "2026-04-10T02:00:02.989134Z", "deleted_at": null, "main_name": "ProjectSauron", "aliases": [ "Sauron", "Project Sauron", "G0041" ], "source_name": "MISPGALAXY:ProjectSauron", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "5200f27d-0d0a-49e9-a9de-9612971126c2", "created_at": "2023-01-06T13:46:38.959648Z", "updated_at": "2026-04-10T02:00:03.163547Z", "deleted_at": null, "main_name": "BlackOasis", "aliases": [ "G0063" ], "source_name": "MISPGALAXY:BlackOasis", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "1ba9c064-34d2-48b5-a08c-04d241b00ebe", "created_at": "2022-10-25T15:50:23.734241Z", "updated_at": "2026-04-10T02:00:05.404606Z", "deleted_at": null, "main_name": "BlackOasis", "aliases": [ "BlackOasis" ], "source_name": "MITRE:BlackOasis", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "abb4a645-181b-4237-825f-447ac9b0c16d", "created_at": "2022-10-25T15:50:23.764656Z", "updated_at": "2026-04-10T02:00:05.40558Z", "deleted_at": null, "main_name": "IndigoZebra", "aliases": [ "IndigoZebra" ], "source_name": "MITRE:IndigoZebra", "tools": [ "xCaon", "BoxCaon", "PoisonIvy" ], "source_id": "MITRE", "reports": null }, { "id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62", "created_at": "2023-01-06T13:46:39.018236Z", "updated_at": "2026-04-10T02:00:03.183123Z", "deleted_at": null, "main_name": "Hacking Team", "aliases": [], "source_name": "MISPGALAXY:Hacking Team", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "cffb3c01-038f-4527-9cfd-57ad5a035c22", "created_at": "2022-10-25T15:50:23.38055Z", "updated_at": "2026-04-10T02:00:05.258283Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "COBALT GYPSY", "IRN2", "APT34", "Helix Kitten", "Evasive Serpens", "Hazel Sandstorm", "EUROPIUM", "ITG13", "Earth Simnavaz", "Crambus", "TA452" ], "source_name": "MITRE:OilRig", "tools": [ "ISMInjector", "ODAgent", "RDAT", "Systeminfo", "QUADAGENT", "OopsIE", "ngrok", "Tasklist", "certutil", "ZeroCleare", "POWRUNER", "netstat", "Solar", "ipconfig", "LaZagne", "BONDUPDATER", "SideTwist", "OilBooster", "SampleCheck5000", "PsExec", "SEASHARPEE", "Mimikatz", "PowerExchange", "OilCheck", "RGDoor", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "171b85f2-8f6f-46c0-92e0-c591f61ea167", "created_at": "2023-01-06T13:46:38.830188Z", "updated_at": "2026-04-10T02:00:03.114926Z", "deleted_at": null, "main_name": "The Shadow Brokers", "aliases": [ "Shadow Brokers", "ShadowBrokers", "The ShadowBrokers", "TSB" ], "source_name": "MISPGALAXY:The Shadow Brokers", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "08623296-52be-4977-8622-50efda44e9cc", "created_at": "2023-01-06T13:46:38.549387Z", "updated_at": "2026-04-10T02:00:03.020003Z", "deleted_at": null, "main_name": "Equation Group", "aliases": [ "Tilded Team", "EQGRP", "G0020" ], "source_name": "MISPGALAXY:Equation Group", "tools": [ "TripleFantasy", "GrayFish", "EquationLaser", "EquationDrug", "DoubleFantasy" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b", "created_at": "2024-05-01T02:03:08.144214Z", "updated_at": "2026-04-10T02:00:03.674763Z", "deleted_at": null, "main_name": "PLATINUM COLONY", "aliases": [ "Equation Group " ], "source_name": "Secureworks:PLATINUM COLONY", "tools": [ "DoubleFantasy", "EquationDrug", "EquationLaser", "Fanny", "GrayFish", "TripleFantasy" ], "source_id": "Secureworks", "reports": null }, { "id": "e993faab-f941-4561-bd87-7c33d609a4fc", "created_at": "2022-10-25T16:07:23.460301Z", "updated_at": "2026-04-10T02:00:04.617715Z", "deleted_at": null, "main_name": "Longhorn", "aliases": [ "APT-C-39", "Platinum Terminal", "The Lamberts" ], "source_name": "ETDA:Longhorn", "tools": [ "Black Lambert", "Blue Lambert", "Corentry", "Cyan Lambert", "Fluxwire", "Gray Lambert", "Green Lambert", "Magenta Lambert", "Pink Lambert", "Plexor", "Purple Lambert", "Silver Lambert", "Violet Lambert", "White Lambert" ], "source_id": "ETDA", "reports": null }, { "id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac", "created_at": "2022-10-25T16:07:24.349252Z", "updated_at": "2026-04-10T02:00:04.949821Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "ATK 13", "Belugasturgeon", "Blue Python", "CTG-8875", "G0010", "Group 88", "ITG12", "Iron Hunter", "Krypton", "Makersmark", "Operation Epic Turla", "Operation Moonlight Maze", "Operation Penguin Turla", "Operation Satellite Turla", "Operation Skipper Turla", "Operation Turla Mosquito", "Operation WITCHCOVEN", "Pacifier APT", "Pensive Ursa", "Popeye", "SIG15", "SIG2", "SIG23", "Secret Blizzard", "TAG-0530", "Turla", "UNC4210", "Venomous Bear", "Waterbug" ], "source_name": "ETDA:Turla", "tools": [ "ASPXSpy", "ASPXTool", "ATI-Agent", "AdobeARM", "Agent.BTZ", "Agent.DNE", "ApolloShadow", "BigBoss", "COMpfun", "Chinch", "Cloud Duke", "CloudDuke", "CloudLook", "Cobra Carbon System", "ComRAT", "DoublePulsar", "EmPyre", "EmpireProject", "Epic Turla", "EternalBlue", "EternalRomance", "GoldenSky", "Group Policy Results Tool", "HTML5 Encoding", "HyperStack", "IcedCoffee", "IronNetInjector", "KSL0T", "Kapushka", "Kazuar", "KopiLuwak", "Kotel", "LOLBAS", "LOLBins", "LightNeuron", "Living off the Land", "Maintools.js", "Metasploit", "Meterpreter", "MiamiBeach", "Mimikatz", "MiniDionis", "Minit", "NBTscan", "NETTRANS", "NETVulture", "Neptun", "NetFlash", "NewPass", "Outlook Backdoor", "Penquin Turla", "Pfinet", "PowerShell Empire", "PowerShellRunner", "PowerShellRunner-based RPC backdoor", "PowerStallion", "PsExec", "PyFlash", "QUIETCANARY", "Reductor RAT", "RocketMan", "SMBTouch", "SScan", "Satellite Turla", "SilentMoon", "Sun rootkit", "TTNG", "TadjMakhal", "Tavdig", "TinyTurla", "TinyTurla Next Generation", "TinyTurla-NG", "Topinambour", "Tunnus", "Turla", "Turla SilentMoon", "TurlaChopper", "Uroburos", "Urouros", "WCE", "WITCHCOVEN", "WhiteAtlas", "WhiteBear", "Windows Credential Editor", "Windows Credentials Editor", "Wipbot", "WorldCupSec", "XTRANS", "certutil", "certutil.exe", "gpresult", "nbtscan", "nbtstat", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "e0fed6e6-a593-4041-80ef-694261825937", "created_at": "2022-10-25T16:07:23.593572Z", "updated_at": "2026-04-10T02:00:04.680752Z", "deleted_at": null, "main_name": "Equation Group", "aliases": [ "APT-C-40", "G0020", "Platinum Colony", "Tilded Team" ], "source_name": "ETDA:Equation Group", "tools": [ "Bvp47", "DEMENTIAWHEEL", "DOUBLEFANTASY", "DanderSpritz", "DarkPulsar", "DoubleFantasy", "DoubleFeature", "DoublePulsar", "Duqu", "EQUATIONDRUG", "EQUATIONLASER", "EQUESTRE", "Flamer", "GRAYFISH", "GROK", "OddJob", "Plexor", "Prax", "Regin", "Skywiper", "TRIPLEFANTASY", "Tilded", "UNITEDRAKE", "WarriorPride", "sKyWIper" ], "source_id": "ETDA", "reports": null }, { "id": "70db80bd-31b7-4581-accb-914cd8252913", "created_at": "2023-01-06T13:46:38.57727Z", "updated_at": "2026-04-10T02:00:03.028845Z", "deleted_at": null, "main_name": "Longhorn", "aliases": [ "the Lamberts", "APT-C-39", "PLATINUM TERMINAL" ], "source_name": "MISPGALAXY:Longhorn", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "23dfc9f5-1862-4510-a6ae-53d8e51f17b1", "created_at": "2024-05-01T02:03:08.146025Z", "updated_at": "2026-04-10T02:00:03.67072Z", "deleted_at": null, "main_name": "PLATINUM TERMINAL", "aliases": [ "APT-C-39 ", "Longhorn ", "The Lamberts ", "Vault7 " ], "source_name": "Secureworks:PLATINUM TERMINAL", "tools": [ "AfterMidnight", "Assassin", "Marble Framework" ], "source_id": "Secureworks", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "c786e025-c267-40bd-9491-328da70811a5", "created_at": "2025-08-07T02:03:24.736817Z", "updated_at": "2026-04-10T02:00:03.752071Z", "deleted_at": null, "main_name": "COBALT GYPSY", "aliases": [ "APT34 ", "CHRYSENE ", "Crambus ", "EUROPIUM ", "Hazel Sandstorm ", "Helix Kitten ", "ITG13 ", "OilRig ", "Yellow Maero " ], "source_name": "Secureworks:COBALT GYPSY", "tools": [ "Glimpse", "Helminth", "Jason", "MacDownloader", "PoisonFrog", "RGDoor", "ThreeDollars", "TinyZbot", "Toxocara", "Trichuris", "TwoFace" ], "source_id": "Secureworks", "reports": null }, { "id": "a97fee0d-af4b-4661-ae17-858925438fc4", "created_at": "2023-01-06T13:46:38.396415Z", "updated_at": "2026-04-10T02:00:02.957137Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "TAG_0530", "Pacifier APT", "Blue Python", "UNC4210", "UAC-0003", "VENOMOUS Bear", "Waterbug", "Pfinet", "KRYPTON", "Popeye", "SIG23", "ATK13", "ITG12", "Group 88", "Uroburos", "Hippo Team", "IRON HUNTER", "MAKERSMARK", "Secret Blizzard", "UAC-0144", "UAC-0024", "G0010" ], "source_name": "MISPGALAXY:Turla", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "67709937-2186-4a32-b64c-a5693d40ac77", "created_at": "2023-01-06T13:46:38.495593Z", "updated_at": "2026-04-10T02:00:02.999196Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "Crambus", "Helix Kitten", "APT34", "IRN2", "ATK40", "G0049", "EUROPIUM", "TA452", "Twisted Kitten", "Cobalt Gypsy", "APT 34", "Evasive Serpens", "Hazel Sandstorm", "Earth Simnavaz" ], "source_name": "MISPGALAXY:OilRig", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f33ce87f-9514-447c-aba2-ff3e4e9e5b71", "created_at": "2023-11-07T02:00:07.097748Z", "updated_at": "2026-04-10T02:00:03.406698Z", "deleted_at": null, "main_name": "IndigoZebra", "aliases": [], "source_name": "MISPGALAXY:IndigoZebra", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3", "created_at": "2022-10-25T15:50:23.509601Z", "updated_at": "2026-04-10T02:00:05.277674Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "Turla", "IRON HUNTER", "Group 88", "Waterbug", "WhiteBear", "Krypton", "Venomous Bear", "Secret Blizzard", "BELUGASTURGEON" ], "source_name": "MITRE:Turla", "tools": [ "PsExec", "nbtstat", "ComRAT", "netstat", "certutil", "KOPILUWAK", "IronNetInjector", "LunarWeb", "Arp", "Uroburos", "PowerStallion", "Kazuar", "Systeminfo", "LightNeuron", "Mimikatz", "Tasklist", "LunarMail", "HyperStack", "NBTscan", "TinyTurla", "Penquin", "LunarLoader" ], "source_id": "MITRE", "reports": null }, { "id": "730dfa6e-572d-473c-9267-ea1597d1a42b", "created_at": "2023-01-06T13:46:38.389985Z", "updated_at": "2026-04-10T02:00:02.954105Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "Pawn Storm", "ATK5", "Fighting Ursa", "Blue Athena", "TA422", "T-APT-12", "APT-C-20", "UAC-0001", "IRON TWILIGHT", "SIG40", "UAC-0028", "Sofacy", "BlueDelta", "Fancy Bear", "GruesomeLarch", "Group 74", "ITG05", "FROZENLAKE", "Forest Blizzard", "FANCY BEAR", "Sednit", "SNAKEMACKEREL", "Tsar Team", "TG-4127", "STRONTIUM", "Grizzly Steppe", "G0007" ], "source_name": "MISPGALAXY:APT28", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0", "created_at": "2022-10-25T15:50:23.240383Z", "updated_at": "2026-04-10T02:00:05.299433Z", "deleted_at": null, "main_name": "APT38", "aliases": [ "APT38", "NICKEL GLADSTONE", "BeagleBoyz", "Bluenoroff", "Stardust Chollima", "Sapphire Sleet", "COPERNICIUM" ], "source_name": "MITRE:APT38", "tools": [ "ECCENTRICBANDWAGON", "HOPLIGHT", "Mimikatz", "KillDisk", "DarkComet" ], "source_id": "MITRE", "reports": null }, { "id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd", "created_at": "2022-10-25T16:07:23.766784Z", "updated_at": "2026-04-10T02:00:04.7432Z", "deleted_at": null, "main_name": "Bluenoroff", "aliases": [ "APT 38", "ATK 117", "Alluring Pisces", "Black Alicanto", "Bluenoroff", "CTG-6459", "Copernicium", "G0082", "Nickel Gladstone", "Sapphire Sleet", "Selective Pisces", "Stardust Chollima", "T-APT-15", "TA444", "TAG-71", "TEMP.Hermit" ], "source_name": "ETDA:Bluenoroff", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "e3767160-695d-4360-8b2e-d5274db3f7cd", "created_at": "2022-10-25T16:47:55.914348Z", "updated_at": "2026-04-10T02:00:03.610018Z", "deleted_at": null, "main_name": "IRON TWILIGHT", "aliases": [ "APT28 ", "ATK5 ", "Blue Athena ", "BlueDelta ", "FROZENLAKE ", "Fancy Bear ", "Fighting Ursa ", "Forest Blizzard ", "GRAPHITE ", "Group 74 ", "PawnStorm ", "STRONTIUM ", "Sednit ", "Snakemackerel ", "Sofacy ", "TA422 ", "TG-4127 ", "Tsar Team ", "UAC-0001 " ], "source_name": "Secureworks:IRON TWILIGHT", "tools": [ "Downdelph", "EVILTOSS", "SEDUPLOADER", "SHARPFRONT" ], "source_id": "Secureworks", "reports": null }, { "id": "ae320ed7-9a63-42ed-944b-44ada7313495", "created_at": "2022-10-25T15:50:23.671663Z", "updated_at": "2026-04-10T02:00:05.283292Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127", "Forest Blizzard", "FROZENLAKE", "GruesomeLarch" ], "source_name": "MITRE:APT28", "tools": [ "Wevtutil", "certutil", "Forfiles", "DealersChoice", "Mimikatz", "ADVSTORESHELL", "Komplex", "HIDEDRV", "JHUHUGIT", "Koadic", "Winexe", "cipher.exe", "XTunnel", "Drovorub", "CORESHELL", "OLDBAIT", "Downdelph", "XAgentOSX", "USBStealer", "Zebrocy", "reGeorg", "Fysbis", "LoJax" ], "source_id": "MITRE", "reports": null }, { "id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab", "created_at": "2022-10-25T16:07:24.212584Z", "updated_at": "2026-04-10T02:00:04.900038Z", "deleted_at": null, "main_name": "Sofacy", "aliases": [ "APT 28", "ATK 5", "Blue Athena", "BlueDelta", "FROZENLAKE", "Fancy Bear", "Fighting Ursa", "Forest Blizzard", "G0007", "Grey-Cloud", "Grizzly Steppe", "Group 74", "GruesomeLarch", "ITG05", "Iron Twilight", "Operation DealersChoice", "Operation Dear Joohn", "Operation Komplex", "Operation Pawn Storm", "Operation RoundPress", "Operation Russian Doll", "Operation Steal-It", "Pawn Storm", "SIG40", "Sednit", "Snakemackerel", "Sofacy", "Strontium", "T-APT-12", "TA422", "TAG-0700", "TAG-110", "TG-4127", "Tsar Team", "UAC-0028", "UAC-0063" ], "source_name": "ETDA:Sofacy", "tools": [ "ADVSTORESHELL", "AZZY", "Backdoor.SofacyX", "CHERRYSPY", "CORESHELL", "Carberp", "Computrace", "DealersChoice", "Delphacy", "Downdelph", "Downrage", "Drovorub", "EVILTOSS", "Foozer", "GAMEFISH", "GooseEgg", "Graphite", "HATVIBE", "HIDEDRV", "Headlace", "Impacket", "JHUHUGIT", "JKEYSKW", "Koadic", "Komplex", "LOLBAS", "LOLBins", "Living off the Land", "LoJack", "LoJax", "MASEPIE", "Mimikatz", "NETUI", "Nimcy", "OCEANMAP", "OLDBAIT", "PocoDown", "PocoDownloader", "Popr-d30", "ProcDump", "PythocyDbg", "SMBExec", "SOURFACE", "SPLM", "STEELHOOK", "Sasfis", "Sedkit", "Sednit", "Sedreco", "Seduploader", "Shunnael", "SkinnyBoy", "Sofacy", "SofacyCarberp", "SpiderLabs Responder", "Trojan.Shunnael", "Trojan.Sofacy", "USB Stealer", "USBStealer", "VPNFilter", "Win32/USBStealer", "WinIDS", "Winexe", "X-Agent", "X-Tunnel", "XAPS", "XTunnel", "Xagent", "Zebrocy", "Zekapab", "carberplike", "certutil", "certutil.exe", "fysbis", "webhp" ], "source_id": "ETDA", "reports": null }, { "id": "b6436f7b-6012-4969-aed1-d440e2e8b238", "created_at": "2022-10-25T16:07:23.91517Z", "updated_at": "2026-04-10T02:00:04.788408Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "APT 34", "ATK 40", "Chrysene", "Cobalt Gypsy", "Crambus", "DEV-0861", "EUROPIUM", "Earth Simnavaz", "Evasive Serpens", "G0049", "Hazel Sandstorm", "Helix Kitten", "IRN2", "ITG13", "Scarred Manticore", "Storm-0861", "TA452", "Twisted Kitten", "UNC1860", "Yellow Maero" ], "source_name": "ETDA:OilRig", "tools": [ "AMATIAS", "Agent Drable", "Agent Injector", "AgentDrable", "Alma Communicator", "BONDUPDATER", "CACTUSPIPE", "Clayslide", "CypherRat", "DNSExfitrator", "DNSpionage", "DROPSHOT", "DistTrack", "DropperBackdoor", "Fox Panel", "GREYSTUFF", "GoogleDrive RAT", "HighShell", "HyperShell", "ISMAgent", "ISMDoor", "ISMInjector", "Jason", "Karkoff", "LIONTAIL", "LOLBAS", "LOLBins", "LONGWATCH", "LaZagne", "Living off the Land", "MailDropper", "Mimikatz", "MrPerfectInstaller", "OILYFACE", "OopsIE", "POWBAT", "POWRUNER", "Plink", "Poison Frog", "PowerExchange", "PsList", "PuTTY Link", "QUADAGENT", "RDAT", "RGDoor", "SEASHARPEE", "Saitama", "Saitama Backdoor", "Shamoon", "SideTwist", "SpyNote", "SpyNote RAT", "StoneDrill", "TONEDEAF", "TONEDEAF 2.0", "ThreeDollars", "TwoFace", "VALUEVAULT", "Webmask", "WinRAR", "ZEROCLEAR", "ZeroCleare", "certutil", "certutil.exe" ], "source_id": "ETDA", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434388, "ts_updated_at": 1775792299, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/4e6532ff082baa3efd5a4c63a732228e3ef4e80c.pdf", "text": "https://archive.orkl.eu/4e6532ff082baa3efd5a4c63a732228e3ef4e80c.txt", "img": "https://archive.orkl.eu/4e6532ff082baa3efd5a4c63a732228e3ef4e80c.jpg" } }