{
	"id": "ac927387-b887-41a6-8f55-c0d6d92f743b",
	"created_at": "2026-04-06T00:17:03.528383Z",
	"updated_at": "2026-04-10T03:38:19.551367Z",
	"deleted_at": null,
	"sha1_hash": "4f65766971783a003cb99ae7fea4c2e7d093b390",
	"title": "VMConnect supply chain attack continues, evidence points to North Korea | ReversingLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1946162,
	"plain_text": "VMConnect supply chain attack continues, evidence points to North Korea | ReversingLabs\r\nBy Karlo Zanki, Reverse Engineer at ReversingLabs\r\nPublished: 2023-08-31 · Archived: 2026-04-05 19:58:19 UTC\r\nThreat Research, August 31, 2023\r\n
ReversingLabs researchers discovered more packages that are part of the previously identified VMConnect campaign, as well as evidence linking the campaign to North Korea's Lazarus Group.\r\n
In early August, ReversingLabs identified a malicious supply chain campaign that the research team dubbed “VMConnect.” That campaign consisted of two dozen malicious Python packages posted to the Python Package Index (PyPI) open-source repository. The packages mimicked popular open-source Python tools, including vConnector, a wrapper module for pyVmomi VMware vSphere bindings; eth-tester, a collection of tools for testing Ethereum-based applications; and databases, a tool that gives asynchronous support for a range of databases.\r\n
The research team has continued monitoring PyPI and now has identified three more malicious Python packages that are believed to be a continuation of the VMConnect campaign: tablediter, request-plus, and requestspro. As happened with the ReversingLabs team's earlier VMConnect research, the team was unable to obtain copies of the Stage 2 malware used in this campaign. However, an analysis of the malicious packages used and their decrypted payloads reveals links to previous campaigns attributed to Labyrinth Chollima, an offshoot of Lazarus Group, a North Korean state-sponsored threat group.\r\n
https://www.reversinglabs.com/blog/vmconnect-supply-chain-campaign-continues\r\nPage 1 of 8\r\n
Here is our analysis of the VMConnect campaign, including some of the steps that malicious actors took to avoid detection. We include a review of the similarities between this latest tranche of malicious Python packages and the earlier VMConnect packages, and we discuss the possible links to earlier software supply chain campaigns attributed to North Korean threat actors.\r\n
Discussion\r\n
Most of the malicious actors pushing malicious open-source packages that ReversingLabs has observed in recent years employed some form of mimicry as part of their attack plan. That includes so-called typosquatting attacks in which malicious packages are given names and descriptions that closely resemble the names of legitimate open-source packages. The hope is that busy developers will enter a typo when they search for the packages and then install the malicious package without looking closely to spot the subtle differences.\r\n
Other malicious payloads pose as new open-source modules that offer desired functionality while hiding malicious components such as backdoors and information-stealing features that developers are likely to miss.\r\n
We see all of these techniques used with this new group of malicious Python packages.\r\n
Tablediter: A (not so) prettytable\r\n
The tablediter (pronounced “table editor”) Python package is a good example of the ways that malicious actors push their code to legitimate applications. Our researchers discovered this package in mid-August after noticing that it was mimicking prettytable, a popular Python tool that developers use for printing tables in an attractive ASCII format. Prettytable has more than 9 million monthly downloads, which makes it a highly attractive target for malicious actors.\r\n
Functionally, tablediter is very similar to previously discovered malicious packages in the VMConnect campaign. However, there are some significant differences introduced in this package that make it harder to detect than previous packages. The biggest difference is that the malicious functionality within the package is not executed when the package is installed. Rather, it is triggered when the package gets used in a project. To accomplish this, the malicious actors responsible for creating tablediter did not have the malicious functionality executed through the __init__.py file, which executes automatically when new packages are imported to a project.\r\n
Instead, the malicious code was added to a function called add_row, which is a part of the tablediter class defined in the tablediter.py file. That could be called during testing of the application on a developer’s workstation or during execution by a user working with published software that has incorporated the malicious tablediter dependency.\r\n
(As for why the attackers used the add_row function to deliver the malicious code: A review of the documentation for prettytable, which tablediter is mimicking, shows that the add_row function is the most-used function in the prettytable package and the first code sample highlighted in the documentation that explains how to implement prettytable.)\r\n
Figure 1: Malicious code added to add_row function inside the tablediter.py file\r\n
When executed, the code invokes a method from a file, bounding.py, that is located in the edt subdirectory. The invoked method then receives a parameter that represents an XOR key used to decrypt the content of a long, hex-encoded string enclosed in the package.\r\n
Figure 2: Decryption function from the bounding.py file\r\n
After that hex-encoded string is decrypted, it reveals a template URL that is modified to use the Internet address of the attackers’ command-and-control (C2) server. Specifically, the hex-encoded template contains a placeholder for the C2 server and malicious functionality. The code responsible for decoding that hex code (Figure 2) contains the real C2 address, which overwrites the placeholder value in the hex string. The decoded hex string (Figure 3) includes a placeholder for the C2 domain (ADDR) and for the infected machine (paperpin3902) in communication with the C2 infrastructure. That value gets replaced with a string constructed of the \u003cfirst letter of the platform\u003e_\u003clogin name of the user\u003e_\u003crandom 6-character string\u003e. Finally, the decrypted code gets executed.\r\n
Research team analysis revealed that the functionality of this decrypted code is almost identical to that extracted from the VMConnect package we wrote about in early August. As observed at the time, that package contained a Base64 string containing an endless execution loop. When that Base64 string was decoded and executed, it contacted the C2 server and attempted to download another Base64-encoded string with additional commands. When successful, that code was executed and the loop repeated, with the malicious C2 server polled by the infected host for new commands after a preconfigured sleep period.\r\n
Figure 3: Content of the decrypted payload string\r\n
The main differences between the code executed from tablediter and the malware from the VMConnect package are that the former uses a combination of XOR encryption and hex encoding instead of the Base64 encoding used by VMConnect. The tablediter package also does away with the execute-upon-install functionality, which is the most commonly encountered execution method for the malware observed in PyPI packages.\r\n
The decision not to execute malware automatically upon the installation of the tablediter package is almost certainly an effort by the attackers to avoid detection by traditional security monitoring tools that rely on dynamic analysis. Waiting until the designated package is imported and its functions called by the compromised application is a way to avoid one form of common behavior-based detection and raise the bar for would-be defenders.\r\n
Researchers observed malware design elements similar to what has been seen in previous research. For example, SentinelSneak, an imposter SentinelOne PyPI package exposed in December 2022, was also designed so that the malware waited for a malicious function to be called programmatically before it was activated.\r\n
For organizations that are looking only for “the usual suspects,” this approach of lying low is often a sufficient ruse to avoid detection. In contrast, the ReversingLabs Software Supply Chain Security platform is capable of extracting a wide range of behavior indicators during static analysis, allowing the team to detect this type of threat before a malicious package is imported to a legitimate application.\r\n
Requests denied: Request-plus and requestspro\r\n
In addition to the tablediter package, ReversingLabs researchers discovered two other malicious packages that targeted a hyper-popular Python package: the requests HTTP library on PyPI.\r\n
Requests is a standard HTTP library with thousands of monthly downloads and more than 2.3 million dependencies. The malicious packages we detected use names that are close cousins to the legitimate package: request-plus and requestspro. As with the tablediter package, these packages were constructed with special care to avoid detection both before and after installation.\r\n
The evasion techniques employed by the malicious actors behind this campaign include typosquatting and other means of impersonation. For example, attackers copied the description of the requests package on PyPI and pasted it into the description for the phony packages, updating the package name across the documentation references. Beyond that, the attackers exactly reproduced the files found within the legitimate requests package in their imposter packages, with no new files added as compared to the legitimate requests package.\r\n
The only modifications made to the malicious packages were found in the __init__.py file, which was modified to include a few lines of code responsible for launching a thread that executes a function from the cookies.py file.\r\n
In addition, the cookies.py file was modified to contain several malicious functions. Those include functions to collect information about the infected machine and send it to a URL referencing the C2 server in the form of a POST HTTP request. The response from the server is a token that gets sent back to a different URL on the same C2 server, this time in the form of a GET HTTP request.\r\n
Figure 4: Code responsible for communication with C2 server\r\n
The response received by the infected host is a double-encrypted (Base64 and XOR) Python module with accompanying execution parameters, including another download URL.\r\n
Figure 5: Code responsible for decryption of the received payload\r\n
The team believes the module gets executed after decoding and then downloads the next stage of the malware. As was the case in the earlier iteration of the VMConnect campaign, the C2 server associated with the campaign did not provide additional commands by default, but rather waited for a suitable target, making it difficult to assess the full scope of the campaign.\r\n
A Lazarus connection?\r\n
In an effort to better understand the origins of the VMConnect campaign, the ReversingLabs research team analyzed the malware samples discovered as part of this extended VMConnect campaign with the goal of linking this campaign to other known malware campaigns. In the process, the team identified clues that point in the direction of Lazarus Group, the North Korean advanced persistent threat (APT) group that has been linked to a number of sophisticated campaigns.\r\n
By experimenting with some threat hunting YARA rules based on the samples collected in the latest campaign, for example, our researchers discovered a package, py_QRcode, that contains a builder.py file with malicious functionality that is very similar to that found in the VMConnect package.\r\n
Figures 6 and 7 show highlighted similarities in the code responsible for decryption of the payload, which, in both cases, is executed with a call to the subprocess Popen function.\r\n
Figure 6: Code responsible for payload decoding and execution from VMConnect package\r\n
Figure 7: Code responsible for payload decryption and execution from py_QRcode package\r\n
Among the similarities worth noting are:\r\n
• Functionality related to the adaptation of file paths based on the architecture, which is determined with the call to the platform.system() function in both cases (refer to the blue boxes)\r\n
• Use of a variable containing B64-encoded text to identify a next level payload (refer to the yellow boxes)\r\n
• The code responsible for B64 decoding the payload and writing it to a local file (refer to the green boxes)\r\n
• Creation of a process based on the determined platform via a call to platform.system() with similar branching and creation flags (refer to the red boxes)\r\n
More similarities appear when looking at the contents of the decrypted payloads (Figures 8 and 9). Here, nearly identical functionality can be observed in both payloads, which periodically poll the C2 server for instructions. In both cases, this happens via an endless loop with 60-second sleep periods between the polls. And, in both cases, the received instructions are Base64-encoded strings representing a series of Python commands that are executed after decoding.\r\n
Figure 8: Code responsible for C2 server polling in payload from VMConnect package\r\n
Figure 9: Code responsible for C2 server polling in payload from py_QRcode package\r\n
Further investigation revealed that the discovered py_QRcode package had already been described in a report published in July 2023 by Japan’s Computer Emergency Response Team Coordination Center (JPCERT/CC). The JPCERT report describes discovering malware samples targeting Windows, macOS, and Linux environments with installed Python and Node.js runtimes.\r\n
The report said the starting point of these malware infections on Windows machines was the execution of the mentioned py_QRcode package. However, neither ReversingLabs research nor the research conducted by JPCERT/CC was able to find any evidence of that package ever being published to the PyPI repository. That leaves in question how the malware was distributed to victims.\r\n
The JPCERT research identified PythonHTTPBackdoor as a possible Stage 2 malware sample downloaded as part of this campaign. In the macOS environment, JokerSpy was the detected Stage 2 malware.\r\n
Finally, the JPCERT analysis references research published by SentinelOne that talks about QRLog — Java malware with functionality that is identical to that found in the py_QRcode package. That includes code that determines the host device’s operating system and then decodes a large base64 string that is written out to a temporary directory. That code then gets executed. Of note: The same www.git-hub[.]me C2 domain is also found in both the QRLog and py_QRcode malware samples.\r\n
As for attribution, ReversingLabs is unable to definitively attribute this campaign to any specific threat actor. However, Mauro Eldritch, the researcher who initially discovered the malicious QRLog package, shared his findings with the cybersecurity firm CrowdStrike. Analysts at CrowdStrike attributed the malware to Labyrinth Chollima, a subgroup within the Lazarus Group, a North Korean state-sponsored threat group, with a high degree of confidence.\r\n
A similar attribution was made by the JPCERT/CC, which linked the attack it uncovered to DangerousPassword, another subsidiary of the Lazarus Group.\r\n
Based on those attributions and the described code similarities between the packages discovered in the VMConnect campaign and the campaign described in the research published by JPCERT/CC, the ReversingLabs research team has reached the conclusion that the same threat actor is behind both attacks and, therefore, that the VMConnect malicious campaign activity can be linked to the North Korean state-sponsored Lazarus Group.\r\n
Conclusion\r\n
ReversingLabs discovered three additional malicious packages with links to the VMConnect software supply chain campaign: request-plus, requestspro, and tablediter. The team provides evidence that the VMConnect malicious software supply chain campaign that the team discovered in July and disclosed in early August is ongoing. As part of that, threat actors continue to use the Python Package Index (PyPI) repository as a distribution point for their malware. This is just another in a line of malicious attacks targeting users of the PyPI repository, including the recent campaign connected with the JumpCloud incident.\r\n
As with prior software supply chain campaigns, including IconBurst, SentinelSneak, and others, the malicious actors behind VMConnect took steps to disguise their malicious payloads and make their published packages look trustworthy, despite the existence of malicious functionality. Those efforts include standard practices such as typosquatting on the names of popular open-source packages and appropriating package descriptions and other metadata to confuse developers.\r\n
Links to the VMConnect campaign are also supported by deep similarities in the code used in the three newly discovered malicious packages, as well as shared C2 infrastructure.\r\n
In the latest tranche of packages, the malicious actors also took steps to avoid detection by dynamic application security testing (DAST) tools. They did so by designing packages to execute their malicious payloads only after they had been imported to and called on by legitimate applications rather than immediately upon installation of the package — a technique ReversingLabs previously observed in the SentinelSneak campaign.\r\n
The revelations about the ongoing VMConnect campaign are a reminder that organizations need to improve their cyber defensive capabilities to encompass the full range of possible threats and attacks — including software supply chain attacks. That requires firms to invest both the effort and resources needed to detect and prevent supply chain attacks before they cause material damage to their business.\r\n
That means investing more heavily in training and awareness campaigns that ensure developers will not fall for typosquatting and other impersonation attacks. It also highlights the need for tools and processes to ensure that any open-source or proprietary code is evaluated for the presence of suspicious or malicious indicators, including hidden (obfuscated) functionality, unexplained communications with third-party infrastructure, and more.\r\n
Indicators of Compromise (IOCs)\r\n
Command and control (C2) domains and IP address:\r\npackages-api.test\r\ntableditermanaging.pro\r\n45.61.136.133\r\n
PyPI packages:\r\n
Source: https://www.reversinglabs.com/blog/vmconnect-supply-chain-campaign-continues",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.reversinglabs.com/blog/vmconnect-supply-chain-campaign-continues"
	],
	"report_names": [
		"vmconnect-supply-chain-campaign-continues"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434623,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4f65766971783a003cb99ae7fea4c2e7d093b390.pdf",
		"text": "https://archive.orkl.eu/4f65766971783a003cb99ae7fea4c2e7d093b390.txt",
		"img": "https://archive.orkl.eu/4f65766971783a003cb99ae7fea4c2e7d093b390.jpg"
	}
}