{
	"id": "f79a1fc5-2b8d-4b6d-b356-3b3601410d2d",
	"created_at": "2026-04-06T00:13:10.89208Z",
	"updated_at": "2026-04-10T03:38:20.791999Z",
	"deleted_at": null,
	"sha1_hash": "4ec3950a602f841650396e3a20ea2eb83f39b292",
	"title": "Lazarus Targets Chemical Sector",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61217,
	"plain_text": "Lazarus Targets Chemical Sector\r\nArchived: 2026-04-05 19:41:48 UTC\r\nSymantec, a division of Broadcom Software, has observed the North Korea-linked advanced persistent threat\r\n(APT) group known as Lazarus conducting an espionage campaign targeting organizations operating within the\r\nchemical sector. The campaign appears to be a continuation of Lazarus activity dubbed Operation Dream Job,\r\nwhich was first observed in August 2020. Symantec tracks this sub-set of Lazarus activity under the name\r\nPompilus.\r\nOperation Dream Job\r\nOperation Dream Job involves Lazarus using fake job offers as a means of luring victims into clicking on\r\nmalicious links or opening malicious attachments that eventually lead to the installation of malware used for\r\nespionage.\r\nPast Dream Job campaigns have targeted individuals in the defense, government, and engineering sectors in\r\nactivity observed in August 2020 and July 2021.\r\nRecently targeted sectors\r\nIn January 2022, Symantec detected attack activity on the networks of a number of organizations based in South\r\nKorea. The organizations were mainly in the chemical sector, with some being in the information technology (IT)\r\nsector. However, it is likely the IT targets were used as a means to gain access to chemical sector organizations.\r\nThere is sufficient evidence to suggest that this recent activity is a continuation of Operation Dream Job. That\r\nevidence includes file hashes, file names, and tools that were observed in previous Dream Job campaigns.\r\nA typical attack begins when a malicious HTM file is received, likely as a malicious link in an email or\r\ndownloaded from the web. The HTM file is copied to a DLL file called scskapplink.dll and injected into the\r\nlegitimate system management software INISAFE Web EX Client.\r\nThe scskapplink.dll file is typically a signed Trojanized tool with malicious exports added. 
The attackers have\r\nbeen observed using the following signatures: DOCTER USA, INC and \"A\" MEDICAL OFFICE, PLLC\r\nNext, scskapplink.dll downloads and executes an additional payload from a command-and-control (C\u0026C) server\r\nwith the URL parameter key/values \"prd_fld=racket\".\r\nThis step kicks off a chain of shellcode loaders that download and execute arbitrary commands from the attackers,\r\nas well as additional malware, which are usually executed from malicious exports added to Trojanized tools such\r\nas the Tukaani project LZMA Utils library (XZ Utils).\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical\r\nPage 1 of 7\n\nThe attackers move laterally on the network using Windows Management Instrumentation (WMI) and inject into\r\nMagicLine by DreamSecurity on other machines.\r\nIn some instances, the attackers were spotted dumping credentials from the registry, installing a BAT file in a\r\nlikely effort to gain persistence, and using a scheduled task configured to run as a specific user.\r\nThe attackers were also observed deploying post-compromise tools, including a tool used to take screenshots of\r\nweb pages viewed on the compromised machine at set intervals (SiteShoter). 
They were also seen using an IP\r\nlogging tool (IP Logger), a protocol used to turn computers on remotely (WakeOnLAN), a file and directory\r\ncopier (FastCopy), and the File Transfer Protocol (FTP) executed under the MagicLine process.\r\nCase study\r\nThe following is a case study detailing step-by-step attacker activity on an organization in the chemical sector.\r\nJanuary 17, 2022\r\n00:51 – A malicious HTM file is received:\r\ne31af5131a095fbc884c56068e19b0c98636d95f93c257a0c829ec3f3cc8e4ba -\r\ncsidl_profile\\appdata\\local\\microsoft\\windows\\inetcache\\ie\\3tygrjkm\\join_06[1].htm\r\nThe HTM file is copied to a DLL file:\r\nrundll32.exe CSIDL_PROFILE\\public\\scskapplink.dll,netsetcookie Cnusrmgr\r\nThis DLL file is injected into the legitimate system management software INISAFE Web EX Client. The file is a\r\nsigned Trojanized version of the ComparePlus plugin for Notepad++ with malicious exports added.\r\n01:02 – The file is run and downloads and executes a backdoor payload (final.cpl -\r\n5f20cc6a6a82b940670a0f89eda5d68f091073091394c362bfcaf52145b058db) from a command-and-control\r\n(C\u0026C) server with the URL parameter key/values \"prd_fld=racket\".\r\nThe file final.cpl is a Trojanized version of the Tukaani project LZMA Utils library (XZ Utils) with a malicious\r\nexport added (AppMgmt).\r\nThe malware connects to, downloads, decodes, and executes shellcode from the following remote location:\r\nhxxp[:]//happy[.]nanoace.co.kr/Content/rating/themes/krajee-fas/FrmAMEISMngWeb.asp\r\n01:04 – Another CPL file (61e305d6325b1ffb6de329f1eb5b3a6bcafa26c856861a8200d717df0dec48c4) is\r\nexecuted. 
This file, again, is a Trojanized version of LZMA Utils with a malicious added export.\r\n01:13 – The shellcode loader (final.cpl) is executed again several times.\r\n01:38 – Commands are executed to dump credentials from the SAM and SYSTEM registry hives.\r\nOver the next several hours, the attackers run unknown shellcode via final.cpl at various intervals, likely to collect\r\nthe dumped system hives, among other things.\r\n06:41 – The attackers create a scheduled task to ensure persistence between system reboots:\r\nschtasks /create /RU [REDACTED].help\\175287 /ST 15:42 /TR \"cmd.exe /c\r\nC:\\ProgramData\\Intel\\Intel.bat\" /tn arm /sc MINUTE\r\nThe scheduled task instructs the system to execute 'Intel.bat' as user '[REDACTED].help/175287' starting at 15:42\r\nthen every minute under the scheduled task name 'arm'. It's unclear if this was an account that was cracked via the\r\ndumped registry hives or an account the attackers were able to create with admin rights.\r\nThe attackers were also observed installing Cryptodome (PyCrypto fork) Python encryption modules via CPL\r\nfiles.\r\nThe attackers also installed a clean copy of BitDefender. While unconfirmed, the threat actors may\r\nhave installed an older version of this software (from 2020) with a vulnerability that allowed attackers to run\r\narbitrary commands remotely.\r\nJanuary 18\r\n00:21 – The final.cpl file is executed again.\r\n00:49 – A new CPL file called wpm.cpl\r\n(942489ce7dce87f7888322a0e56b5e3c3b0130e11f57b3879fbefc48351a78f6) is executed.\r\nCSIDL_COMMON_APPDATA\\finaldata\\wpm.cpl Thumbs.ini 4 30\r\nThis file contains, and connects to, a list of IP addresses and records whether the connections were successful.\r\n01:11 – Again, the final.cpl shellcode loader is executed multiple times, executing some unknown shellcode. 
This\r\nactivity continued intermittently until 23:49.\r\n23:49 – The file name of the CPL file changes to 'ntuser.dat'. The file location and command-line arguments\r\nremain the same.\r\nJanuary 19\r\n00:24 – The CPL shellcode loader files (final.cpl and ntuser.dat) are executed multiple times.\r\n00:28 – The attackers create a scheduled task on another machine, likely to ensure persistence:\r\nschtasks /create /RU [REDACTED]\\i21076 /ST 09:28 /TR \"cmd.exe /c C:\\ProgramData\\Adobe\\arm.bat\"\r\n/tn arm /sc MINUTE\r\nThe command is used to schedule a task named 'arm' to run the file 'arm.bat' starting at 09:28 then every minute\r\nafter that under the user account '[REDACTED]\\i21076'.\r\n00:29 – A file named arm.dat (48f3ead8477f3ef16da6b74dadc89661a231c82b96f3574c6b7ceb9c03468291) is\r\nexecuted with the following command line arguments:\r\nCSIDL_SYSTEM\\rundll32.exe CSIDL_COMMON_APPDATA\\adobe\\arm.dat,packageautoupdater\r\nLimitedSpatialExtent_U_f48182 -d 1440 -i 10 -q 8 -s 5\r\nThe arm.dat file is a tool used to take screenshots of web pages viewed on the compromised machine every 10\r\nseconds (SiteShoter), as determined by the command line arguments. 
The screenshots are saved in appdata\\local\r\nwith the date at the top of the file.\r\n06:50 – The shellcode loader (final.cpl) is executed several times.\r\n07:34 – A new CPL file named addins.cpl\r\n(5f20cc6a6a82b940670a0f89eda5d68f091073091394c362bfcaf52145b058db) is executed multiple times, which\r\nagain is another shellcode loader and has the same command line arguments as seen with final.cpl:\r\nCSIDL_SYSTEM\\rundll32.exe CSIDL_COMMON_APPDATA\\addins.cpl, AppMgmt EO6-CRY-LS2-TRK3\r\n07:39 – A scheduled task is created:\r\nsc create uso start= auto binPath= \"cmd.exe /c start /b C:\\Programdata\\addins.bat\" DisplayName= uso\r\nThe task is used to auto-start and execute addins.bat each time the system is booted. The task uses the service\r\nname 'uso' (a file name previously used in older Dream Job campaigns targeting security researchers).\r\nThe attacker runs addins.cpl again to run a command to start the service and then delete the service directly after:\r\nCSIDL_SYSTEM\\rundll32.exe CSIDL_COMMON_APPDATA\\addins.cpl, AppMgmt EO6-CRY-LS2-TRK3\r\nsc start uso (via cmd.exe)\r\nsc delete uso\r\nThe following commands were then executed to collect information pertaining to network configuration, current\r\nuser the attackers are logged in as, active users on the machine, available shared drives, and the contents of the\r\n'addins' directory.\r\nipconfig /all\r\nwhoami\r\nquery user\r\nnet use\r\ndir CSIDL_WINDOWS\\addins\r\n07:41 – The file addins.cpl is executed again multiple times before a scheduled task is created to run addins.bat\r\nagain, start the service, and immediately delete the service:\r\nsc create uso start= auto binPath= \"cmd.exe /c start /b C:\\Windows\\addins\\addins.bat\" DisplayName= uso\r\nsc start uso\r\nsc delete uso\r\nJanuary 20\r\nThe attackers execute addins.cpl again with the same command line as 
before.\r\nNo further activity is observed.\r\nThe Lazarus group is likely targeting organizations in the chemical sector to obtain intellectual property to further\r\nNorth Korea’s own pursuits in this area. The group’s continuation of Operation Dream Job, as witnessed by\r\nSymantec and others, suggests that the operation is sufficiently successful. As such, organizations should ensure\r\nthey have adequate security in place and remain vigilant for attacks such as this.\r\nAs always, users should be wary of clicking links or downloading files even if they come from seemingly\r\ntrustworthy sources.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nFile names\r\naddins.cpl\r\ndolby.cpl\r\nezhelp.cpl\r\nfinal.cpl\r\nofficecert.ocx\r\nwpm.cpl\r\nServices\r\narm\r\nuso\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical"
	],
	"report_names": [
		"lazarus-dream-job-chemical"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434390,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4ec3950a602f841650396e3a20ea2eb83f39b292.pdf",
		"text": "https://archive.orkl.eu/4ec3950a602f841650396e3a20ea2eb83f39b292.txt",
		"img": "https://archive.orkl.eu/4ec3950a602f841650396e3a20ea2eb83f39b292.jpg"
	}
}