{
	"id": "7c30c5d7-e4f0-4327-b544-cee04d01690b",
	"created_at": "2026-04-06T00:15:27.075083Z",
	"updated_at": "2026-04-10T13:12:23.419424Z",
	"deleted_at": null,
	"sha1_hash": "50b6c3798345940feb3c4b11c76c6ebe4ef9ead7",
	"title": "Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1337884,
	"plain_text": "Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety\r\nBy Mandiant\r\nPublished: 2023-09-14 · Archived: 2026-04-05 14:01:49 UTC\r\nWritten by: Mandiant Intelligence\r\nUNC3944 is a financially motivated threat cluster that has persistently used phone-based social engineering and SMS phishing campaigns (smishing) to obtain credentials to gain and escalate access to victim organizations. At least some UNC3944 threat actors appear to operate in underground communities, such as Telegram and underground forums, which they may leverage to acquire tools, services, and/or other support to augment their operations. This activity overlaps with activity that has been reported in open sources as \"0ktapus,\" \"Scatter Swine,\" and \"Scattered Spider.\" Since 2022 and through early 2023, UNC3944 appeared to focus on accessing credentials or systems used to enable SIM swapping attacks, likely in support of secondary criminal operations occurring outside of victim environments. However, in mid-2023, UNC3944 began to shift to deploying ransomware in victim environments, signaling an expansion in the group's monetization strategies. These changes in their end goals signal that the industries targeted by UNC3944 will continue to expand; Mandiant has already directly observed their targeting broaden beyond telecommunication and business process outsourcer (BPO) companies to a wide range of industries including hospitality, retail, media and entertainment, and financial services.\r\nUNC3944 has demonstrated a stronger focus on stealing large amounts of sensitive data for extortion purposes and they appear to understand Western business practices, possibly due to the geographical composition of the group. 
UNC3944 has also consistently relied on publicly available tools and legitimate software in combination with malware available for purchase on underground forums. The following examples represent some of the more notable tactics, techniques, and procedures (TTPs) that have been observed during UNC3944 operations.\r\nUNC3944 relies heavily on social engineering to obtain initial access to its victims. They frequently use SMS phishing campaigns and calls to victim help desks to attempt to obtain password resets or multifactor bypass codes.\r\nThe threat actors used commercial residential proxy services to access their victims from the same local area to fly under the radar of security monitoring tools.\r\nThe threat actors consistently use legitimate software, including a variety of remote access tools the actors have downloaded from the vendor websites.\r\nThe threat actors operate with an extremely high operational tempo, accessing critical systems and exfiltrating large volumes of data over the course of a few days. The tempo and volume of systems UNC3944 accesses can overwhelm security response teams.\r\nhttps://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware\r\nPage 1 of 14\r\nOnce obtaining a foothold, UNC3944 often spends significant time searching through internal documentation, resources, and internal chat logs to surface information that could help facilitate escalating privileges and maintaining presence within victim environments.\r\nUNC3944 often achieves privilege escalation by targeting password managers or privileged access management systems.\r\nUNC3944 often creates unmanaged virtual machines inside victims' own environments, from which it launches attacks. 
In some cases, they’ve created Internet-accessible virtual machines in a victim’s cloud environment.\r\nWhen deploying ransomware, the threat actors appear to specifically target business-critical virtual machines and other systems, likely in an attempt to maximize impact to the victim.\r\nThe threat actors engage in aggressive communications with victims, such as leaving threatening notes within a text file on a system, contacting executives via text messages and emails, and infiltrating communication channels being used by victims to respond to incidents.\r\nTactics, Techniques, and Procedures\r\nThe following sections organize UNC3944's TTPs by the stages of the Mandiant attack lifecycle model and focus on activity observed during UNC3944 intrusions in 2023.\r\nFigure 1: UNC3944 attack lifecycle\r\nSmishing for Creds\r\nA hallmark of UNC3944 incidents is the use of smishing messages sent to employees of targeted organizations for stealing valid credentials. In the majority of cases where we identified the initial access vector, UNC3944 obtained access to the victim environment after a successful smishing attack. After obtaining credentials, the threat actors have also impersonated employees on calls to victim organizations' service desks in an attempt to obtain multi-factor authentication (MFA) codes and/or password resets. During these calls, the threat actor provided verification information requested by the help desk employees, including usernames, employee IDs, and other types of personally identifiable information (PII) associated with employees. Notably, the threat actors often asked the service desk support to repeat the question and paused for significant lengths before answering, likely due to the threat actor looking through notes or attempting to search for the answer to the question posed. 
In one incident, UNC3944 social-engineered the IT help desk to get the MFA token reset for account credentials that may have been exposed on a laptop used by an IT outsourcing company contracted by the victim organization. Mandiant determined that RECORDSTEALER credential theft malware was installed on this laptop through a fake software download only a few weeks prior. UNC3944 typically uses stolen credentials to then establish a foothold on victim environments.\r\nUNC3944 phishing pages are designed to appear as if they belong to the targeted organization and frequently use single sign-on (SSO) or service desk lures. The registered domains typically combine the victim organization name with \"-sso\" or \"-servicenow\" in the domain. Based on analysis of suspected UNC3944 phishing domains, it is plausible that the threat actors have, in some cases, used access to victim environments to obtain information about internal systems and leveraged that information to facilitate more tailored phishing campaigns. For example, in some cases the threat actors appeared to create new phishing domains that included the names of internal systems.\r\nPhishing Kits Associated with UNC3944 Activity\r\nMandiant has identified at least three phishing kits that have been used to facilitate UNC3944 campaigns.\r\n1. Between late 2021 and mid-2022, UNC3944 campaigns involved the use of a phishing kit we have dubbed EIGHTBAIT (Figure 2). This phishing kit is designed to send captured credentials to an actor-controlled Telegram channel. 
Additionally, EIGHTBAIT can deploy AnyDesk to a victim's system, indicating this kit was developed with the intent of targeting non-mobile systems and not expressly designed for smishing campaigns.\r\nFigure 2: Sample EIGHTBAIT phishing page\r\n2. Starting in Q3 2022, we observed UNC3944 credential phishing campaigns that leveraged a new phishing kit that appears to have been built using a webpage copied from a targeted organization (Figure 3). This kit uses a generic authentication theme and is built using a scraped copy of a target organization's authentication page. Notably, this kit has been used in some of the recent intrusions that led to extortion attempts.\r\nFigure 3: Sample phishing page from kit 2\r\n3. In mid-2023 we identified a third phishing kit that has been used in parallel with the second phishing kit (Figure 4). This kit has significant visual and structural similarities to the second phishing kit, and the websites they present are nearly identical. Despite these similarities, minor changes to the kit's code suggest that the theme used by the second kit was probably retrofitted into a new tool.\r\nFigure 4: Sample phishing page from kit 3\r\nWhen There’s Nowhere to Go but Up\r\nUNC3944 doesn’t rely exclusively on smishing and social engineering to obtain the privileged access required to meet their objectives. Mandiant has observed UNC3944 use publicly available credential theft tools and expend significant effort searching through internal systems to identify ways to obtain privileged credentials. In one incident UNC3944 was able to export the data from the victim's HashiCorp Vault by using a copy of the Vault client, which the threat actors downloaded from the official HashiCorp site. 
They successfully exported the credentials from the HashiCorp Vault and authenticated to a file server with a domain admin account. In another incident UNC3944 installed a PowerShell module for the CyberArk API, enabling them to dump credentials from the vault server. UNC3944 has attempted to identify credentials stored in internal GitHub repositories using publicly available tools such as Trufflehog and GitGuardian. On one occasion, UNC3944 executed the open-source tool MicroBurst against a victim Azure tenant using privileged credentials. The primary function of MicroBurst is to identify Azure credentials and secrets.\r\nWe have observed evidence suggesting that UNC3944 may use various infostealers to support their operations. For example, the threat actors used a PowerShell script to download the ULTRAKNOT credential stealer (aka Meduza stealer) staged on the victim's AWS bucket. We have also observed the threat actors download or stage data miners such as VIDAR and ATOMIC.\r\nThe Call is Coming From Outside the House\r\nA common hallmark of UNC3944 intrusions has been their creative, persistent, and increasingly effective targeting of victims’ cloud resources. This strategy allows the threat actors to establish a foothold for their later operations, perform network and directory reconnaissance, and access many sensitive systems and data stores while having minimal interaction with what some organizations would traditionally consider their internal corporate network.\r\nUNC3944 is particularly adept at using privileged access to cloud environments to establish persistent access to victim environments. The persistence techniques can be difficult to monitor for and detect, especially in large multi-cloud environments. 
UNC3944 has added rogue federated identity providers to victims' Microsoft Entra environment (formerly Azure Active Directory), which allowed them to execute golden SAML attacks. The threat actor could then authenticate to resources protected by Entra ID as any user in the organization without knowledge of their password or possession of their MFA device. In multiple incidents the threat actors have created Azure Virtual Machines and assigned them public IP addresses. These threat actor-created Virtual Machines do not have the organization’s mandated security and logging software installed on them, providing the threat actors with unmonitored access to a trusted system inside of the organization’s network which they then use to progress their intrusion.\r\nThe threat actors have also used their access to victim organization cloud resources to host malicious utilities and run them across systems in the network. In one incident, the threat actors hosted malicious utilities on an Amazon Web Services (AWS) S3 bucket owned by the organization and used an Intune PowerShell orchestration to download the utilities from inside the victim environment. The scripts were configured to disable firewall rules and several Windows Defender protections, such as Microsoft Defender ATP, prior to retrieving and executing an ALPHV ransomware payload.\r\nUNC3944 has also made use of some of the more niche features and applications within Azure to move laterally and conduct data theft. On multiple occasions UNC3944 has moved laterally within an organization's Azure environment using the Special Administration Console to connect to virtual machines via serial console. Mandiant has observed the threat actors use Azure Data Factory to modify existing pipelines to steal data that is stored in various integrated platforms such as data warehouses, storage blobs, and SQL databases. 
Specifically, they have created pipeline jobs that run \"activities\" to export data from those data sources to an attacker-controlled SFTP server. The use of data factories provided the threat actors with a stable and high-bandwidth platform to copy large volumes of data.\r\nOutlook and Implications\r\nUNC3944 is an evolving threat that has continued to broaden its skills and tactics in order to successfully diversify its monetization strategies. We expect that these threat actors will continue to improve their tradecraft over time and may leverage underground communities for support to increase the efficacy of their operations. The threat actors have successfully relied on social engineering schemes to obtain initial access, whether in the form of SMS phishing campaigns or by calling victim organizations' help desks to reset passwords and MFA. UNC3944's initial successes likely emboldened it to expand its TTPs to more disruptive and profitable attacks, including ransomware and extortion. It is plausible that these threat actors may use other ransomware brands and/or incorporate additional monetization strategies to maximize their profits in the future. We anticipate that intrusions related to UNC3944 will continue to involve diverse tools, techniques, and monetization tactics as the actors identify new partners and switch between different communities.\r\nMitigations\r\nFor organizations that are utilizing Entra ID (formerly Microsoft Azure Active Directory), the following recommendations have proven effective in mitigating against common UNC3944 TTPs such as MFA abuse and unauthorized use of privileged accounts within the Microsoft cloud environment:\r\n1. 
Enforce Microsoft Authenticator with number matching and remove SMS as an MFA verification option.\r\nRemove SMS as an MFA verification option by clearing the checkbox for “Text message to phone” in the multi-factor authentication service settings dialog.\r\nTo restrict MFA to only utilize Microsoft Authenticator with number matching, organizations will need to ensure they are at least in the “Migration In Progress” stage for leveraging authentication methods and then appropriately configure the Microsoft Authenticator authentication method.\r\nConfigure Microsoft Authenticator to require number matching for push notifications.\r\nCreate a custom authentication strength that specifies ONLY “Password + Microsoft Authenticator (Push Notification).”\r\nCreate a new Conditional Access Policy, or edit an existing one, to grant access only for the newly created authentication strength.\r\nEnsure MFA and SSPR registration is secure by requiring the users to authenticate from a trusted network location and/or ensuring device compliance. Microsoft has documented how to accomplish this.\r\nBlock external access to Microsoft Azure and Microsoft 365 administration features by creating a Conditional Access Policy that only allows access if users are authenticating from a trusted network location and/or ensuring device compliance. Read Microsoft's documentation for securing MFA and SSPR registration as a template, except specify specific cloud apps instead of the User action. Add the following cloud apps to include: Microsoft Admin Portals (Preview), and Microsoft Azure Management. 
This can also be leveraged to further secure other capabilities, such as restricting access to Graph Explorer and Microsoft Graph PowerShell.\r\nBecause UNC3944 has proven to be very prolific in using social engineering techniques against victims’ help desk organizations, further securing the process of accomplishing password and/or MFA resets is imperative. An extremely effective technique that help desks should utilize prior to accomplishing password and/or MFA resets is to require video verification of the user via a video call. The help desk should verify the face of the user by comparing it to an internal system such as an HR or security badge system where a photo of the user is stored. Additionally, help desk personnel should ensure the user shows a form of identification on the video call, such as an identification badge, driver’s license, etc. This process can be further customized to meet specific needs of the organization.\r\nMandiant plans to release additional resources that dive further into detection mechanisms, containment and eradication techniques, and additional hardening opportunities to further mitigate UNC3944 TTPs.\r\nAppendix: Common Phishing Domain Structures\r\nUNC3944 frequently hosts their phishing kit on domains with the following patterns.\r\n{}-sso.[com|net]\r\nsso-{}.[com|net]\r\n{}sso.com.[com|net]\r\n{}-help.com\r\n{}-helpdesk.com\r\n{}-servicedesk.com\r\n{}-servicenow.[com|net]\r\nservicenow-{}.com\r\n{}-internal.com\r\n{}-schedule.[ca|com]\r\nAppendix: Common Tools/Software\r\nUNC3944 frequently uses built-in tools/commands and downloads publicly available tools and software from vendor websites or GitHub repositories. 
The following table highlights tools of this nature that have been used by UNC3944.\r\nCommon Tools/Software Used by UNC3944\r\nData Exfiltration Tools: DropBox, filezilla, StorageExplorer, Winrar, 7-Zip, Rclone, MegaSync\r\nInternal Reconnaissance Tools: ADExplorer, ADRecon, Pingcastle, MicroBurst, Advanced Port Scanner\r\nLateral Movement Tools: CitrixReceiver, CitrixWorkspaceApp, mobaxterm, ngrok, OpenSSH, proxifier, PuTTY / Plink, socat, Wstunnel, RDP, Impacket (wmiexec / smbexec), Cloudflare Tunnel client, Chrome Remote Desktop, PsExec, Sshimpanzee\r\nMaintain Access Tools: Anydesk, DWAgent, Fleetdeck, Level Remote Management, Parsec, Pulseway, Remote Server Administration Tools (RSAT), RemotePC, Rustdesk, ScreenConnect, Splashtop, Tailscale, TeamViewer, TightVNC, Twingate, N-Able\r\nOther Utilities: dbeaver, emeditor, git, mongodb, Postman, IISCrypto, ZipExec, moonwalk, covermyass\r\nPrivilege Escalation Tools: GitGuardian, gosecretsdump, HashiCorp Vault, Jecretz, pacu, Trufflehog, secretsdump.py, Mimikatz\r\nScripting Tools: python, Vmware-powercli\r\nWeb Browsers: Chrome Portable, Edge, Firefox Portable, Librefox, Ungoogled Chromium Portable\r\nCommon publicly available tools used by UNC3944\r\nSource: https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware"
	],
	"report_names": [
		"unc3944-sms-phishing-sim-swapping-ransomware"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434527,
	"ts_updated_at": 1775826743,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/50b6c3798345940feb3c4b11c76c6ebe4ef9ead7.pdf",
		"text": "https://archive.orkl.eu/50b6c3798345940feb3c4b11c76c6ebe4ef9ead7.txt",
		"img": "https://archive.orkl.eu/50b6c3798345940feb3c4b11c76c6ebe4ef9ead7.jpg"
	}
}