{
	"id": "46fb2b5f-8d1d-4b0b-bdce-1b42c16e2700",
	"created_at": "2026-04-06T00:10:58.695377Z",
	"updated_at": "2026-04-10T13:12:06.519515Z",
	"deleted_at": null,
	"sha1_hash": "510c442441cf5af8e18767e5585810c1c2dc82a4",
	"title": "Notorious Cybercriminals Evil Corp Actually Russian Spies? - Trulysuper",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 82665,
	"plain_text": "Notorious Cybercriminals Evil Corp Actually Russian Spies? -\r\nTrulysuper\r\nBy siteadmin\r\nPublished: 2021-05-05 · Archived: 2026-04-05 15:15:58 UTC\r\nPart 1 – The Ransomware Attack and Takeover\r\nIn October 2020, the Russian-based threat actor known as “Evil Corp” conducted a ransomware attack against a\r\nmajor corporation. The attack vector to gain initial access was a drive-by compromise: a legitimate website was\r\ncompromised and visitors to the website were prompted to download a fake Chrome update; a ZIP file, containing\r\na JavaScript file.\r\nThe actual script was not recovered, but based on the information found, Truesec established that it is highly likely\r\nthat it was part of the SocGholish framework. The threat actor behind SocGholish is known to leverage\r\ncompromised websites to distribute malware via fake browser updates. The following figure illustrates an example\r\nof this attack.\r\nRansomware Evilcorp Russian Intelligence | Sample of the SocGholish fake Browser update\r\nFigure 1: Sample of the SocGholish fake Browser update\r\nDouble-clicking the JavaScript file triggered the Windows Scripting Host engine to run the script, which in turn\r\nwould start a backdoor giving the threat actor remote control of the infected computer.\r\nThe initial backdoor was used five minutes later to deploy the second stage tool: Cobalt Strike. The Cobalt Strike\r\nbeacon was embedded into a C# project file and executed with the Microsoft utility MsBuild.exe. An example of\r\nthe execution is the following:\r\nRansomware Evilcorp Russian Intelligence | MsBuild.exe used to inject shellcode launching\r\nCobalt Strike beacon\r\nThe csproj file defined a build task that was executed during the build process. This injected the Cobalt Strike\r\nbeacon in memory. 
The beacon used covert communication channels with a technique called Domain Fronting.\r\nThis leveraged the legitimate Content Delivery Networks at msn.com, lastpass.com, and adobe.com to proxy the\r\ntraffic to the threat actor infrastructure in the backend.\r\nFigure 2: Cobalt Strike C2 using Domain Fronting.\r\nThis level of sophistication makes network-based detection challenging, as the visible communication is directed\r\nto legitimate CDNs. The use of MSBuild.exe and the csproj file is also a method to evade certain host-based\r\ndetection techniques. The Cobalt Strike beacon also mimics a jQuery request.\r\nhttps://www.truesec.com/hub/blog/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies\r\nPage 1 of 7\n\nFigure 3: Cobalt Strike Beacon\r\nCobalt Strike also downloaded an additional payload using the .NET WebClient DownloadString method.\r\nFigure 4: PowerShell command executed by threat actor.\r\nThe payload was downloaded from the URL http[:]//roofingspecialists[.]info/file. The payload is a PowerShell\r\nscript defining a function called getsystemtime, which is also invoked by the dropper. The getsystemtime function\r\ncontains a base64-encoded .NET assembly that is loaded into memory.\r\nFigure 5: Second stage payload loaded into memory\r\nThe decoded assembly contained shellcode and .NET code to inject it into a process. 
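Because the HTTP Host header travels inside the TLS stream, the fronting described above is invisible to a proxy that only sees the SNI. As an added example (not code from the Truesec report), this Python snippet runs over decrypted proxy records and flags the tell-tale mismatch between the TLS SNI and the Host header, and it matches the indicators from the appendix of this report, which covers the fronted beacon traffic as well as the plain-HTTP download of the getsystemtime script. The rule is the general form of what the report shows for one CDN endpoint: any SNI/Host pair whose registrable domains differ. The log records, the 203.0.113.x destination addresses and the two-label approximation of a registrable domain are constructed assumptions; production code should use the public suffix list.

```python
# Added example, not from the Truesec report: network-side checks for the domain
# fronting and payload download described above, using the IOCs from the appendix.

# From the report appendix (defanged as published).
FRONTING_ENDPOINTS = {'twimg-us.azureedge[.]net'}
IOC_DOMAINS = {'roofingspecialists[.]info'}
IOC_IPS = {'185[.]82.127.86', '66[.]58.201.137'}


def refang(indicator):
    # Turn a defanged indicator back into a matchable value.
    return indicator.replace('[.]', '.').replace('[:]', ':').lower()


FRONTING_SET = {refang(x) for x in FRONTING_ENDPOINTS}
IOC_DOMAIN_SET = {refang(x) for x in IOC_DOMAINS}
IOC_IP_SET = {refang(x) for x in IOC_IPS}


def registrable(hostname):
    # Assumption: the last two labels approximate the registrable domain. Real code
    # should consult the public suffix list (co.uk and friends break this approximation).
    labels = hostname.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:])


def analyse(rec):
    # rec: one decrypted proxy record with keys sni, host, dst_ip (strings, may be empty).
    # Returns the list of findings, in a fixed order, or [] for a clean record.
    sni = rec.get('sni', '').lower()
    host = rec.get('host', '').lower()
    findings = []
    # Domain fronting: TLS names one site (the SNI seen on the wire) while the request
    # inside asks the CDN for another (the Host header). Needs TLS inspection to observe.
    if sni and host and registrable(sni) != registrable(host):
        findings.append('sni_host_mismatch')
    if host in FRONTING_SET:
        findings.append('known_fronting_endpoint')
    if host in IOC_DOMAIN_SET:
        findings.append('ioc_domain')
    if rec.get('dst_ip', '') in IOC_IP_SET:
        findings.append('ioc_ip')
    return findings


def hunt(records):
    # Return (index, findings) for every record that produced at least one finding.
    return [(i, analyse(r)) for i, r in enumerate(records) if analyse(r)]


# Constructed sample records (not traffic from the incident). Destination addresses are
# from the 203.0.113.0/24 documentation range, except the IP taken from the appendix.
SAMPLE_RECORDS = [
    # beacon check-in fronted through a legitimate CDN hostname
    {'src': '10.0.0.15', 'dst_ip': '203.0.113.10', 'sni': 'lp-cdn.lastpass.com',
     'host': 'twimg-us.azureedge.net', 'method': 'GET', 'path': '/'},
    # ordinary CDN fetch: SNI and Host agree
    {'src': '10.0.0.15', 'dst_ip': '203.0.113.11', 'sni': 'images.adsyndication.msn.com',
     'host': 'images.adsyndication.msn.com', 'method': 'GET', 'path': '/img/banner.png'},
    # plain-HTTP download of the second-stage PowerShell script (no TLS, so no SNI)
    {'src': '10.0.0.15', 'dst_ip': '203.0.113.20', 'sni': '',
     'host': 'roofingspecialists.info', 'method': 'GET', 'path': '/file'},
    # connection to the IP later reported as a Hades C2, with no hostname at all
    {'src': '10.0.0.22', 'dst_ip': '185.82.127.86', 'sni': '', 'host': '',
     'method': '', 'path': ''},
]

if __name__ == '__main__':
    for idx, findings in hunt(SAMPLE_RECORDS):
        print(idx, SAMPLE_RECORDS[idx]['dst_ip'], findings)
```

Without TLS inspection only the SNI is visible, and it points at a high-reputation CDN name, which is exactly why the report calls this traffic hard to detect; the domain and IP matches still work on DNS or NetFlow data alone. Some CDN providers have since restricted fronting on their edges, but the SNI/Host comparison remains the generic check wherever inspection is available.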
An excerpt from the\r\ndecompiled assembly can be seen in the figure below.\r\nFigure 6: Decompiled assembly loaded in memory.\r\nThe shellcode loaded by the above assembly does not execute anything directly but rather loads selected libraries\r\nand defines additional attack code for the Cobalt Strike session on the victim machine.\r\nSeven minutes after the Cobalt Strike malware was deployed on the compromised client computer (Patient Zero),\r\nthe threat actor began network discovery activities and escalation attempts, and achieved full infrastructure\r\ncompromise within four hours of the initial breach. The threat actor leveraged common weaknesses such as\r\npasswords exposed on network shares and unpatched systems.\r\nIt is noteworthy that manual operations probably began just minutes after the initial compromise. This is\r\nremarkable, considering that the attack vector was a drive-by attack, which essentially means that the threat actor\r\nmust have been continuously monitoring their C2 servers for new victims and immediately began manual\r\noperations after they were alerted to a new victim.\r\nReconnaissance and Ransomware Deployment\r\nWhile the escalation in Active Directory only took a few hours, the internal reconnaissance and data discovery\r\nbegan around a week after the initial compromise and went on for nearly three weeks. During the first week the\r\nthreat actor searched through many user profiles and pushed Cobalt Strike onto additional servers. 
They also used\r\nInternet Explorer on compromised servers to access additional internal systems.\r\nDuring the last two weeks, the threat actor focused the reconnaissance on methodically gathering data from\r\nnetwork shares, user profiles, browser history of IT admins, and cloud-based mailboxes, and eventually identified\r\ncredentials for and locations of the cloud-based backups in use, which were then deleted.\r\nMoreover, the cloud solution in use for central management of endpoint protection software was also accessed and\r\nused to uninstall security software from all systems. The level of determination and methodology to identify\r\ninformation such as backup solutions and security software platforms represents a high level of sophistication.\r\nAlmost a month after the initial compromise, the final stage of the attack began, when the threat actor deployed\r\nthe “Wasted Locker” ransomware on all systems, using remote WMI commands and the Microsoft tool PsExec.\r\nDuring the encryption phase the threat actor actively searched for encrypted files, likely to ensure encryption had\r\nsucceeded.\r\nFigure 7: Example command, confirming encryption by the Wasted Locker ransomware worked.\r\nThe attack kill chain is illustrated below.\r\nFigure 8: Wasted Locker ransomware attack kill chain\r\nPart 2 – Ties to an Espionage Campaign\r\nA Friendly Warning\r\nIn April 2021, almost six months after the ransomware attack, the victim organization contacted Truesec because\r\nof a mail received from a government cyber defense organization. 
The mail was flagged TLP:AMBER, so we\r\ncannot share it, but the essence of the mail was a warning that their systems might be under the control of, or\r\nimpacted by, a cyber event. The mail included information about the initial compromise and then referred to the\r\nreport by PRODAFT about the SilverFish cyberespionage group for details.\r\nTruesec could quickly confirm that the cyber event referred to in the warning was the initial compromise that\r\nTruesec had found to be the start of the Wasted Locker ransomware attack. We could also determine that the\r\nCobalt Strike beacon used in the attack was in fact the same Cobalt Strike beacon found in the PRODAFT report,\r\nsince it was using the same domains and Domain Fronting technique described in the report. The domain used to\r\ndownload the PowerShell script getsystemtime also appeared in the report from PRODAFT.\r\nIt appears that the threat actor behind the Wasted Locker ransomware attack was identical to the SilverFish actor,\r\nbut SilverFish was reported as a cyberespionage group that had used the SolarWinds breach to gain access. The\r\nTruesec Threat Intelligence Unit then decided it was time to dig a little deeper into the matter.\r\nTimelines\r\nTo better understand the chain of events, we started to construct a timeline. Immediately we noticed that there\r\nwere several reports that the threat actor behind Wasted Locker was no longer distributing this ransomware but\r\nhad instead switched to another ransomware called Hades. The first Hades ransomware attack was\r\nreported on 17 December 2020. 
This is important because in their report PRODAFT says they began after the\r\nSolarWinds breach was exposed in December, when Wasted Locker was no longer active.\r\nWe could also indirectly confirm the link between Wasted Locker and Hades ourselves, as one of the threat\r\nactor IP addresses, 185[.]82.127.86, was used in the Wasted Locker attack in October 2020 and was later reported\r\nto be a Hades C2 in January 2021.\r\nOf all the IOCs that Truesec had found in the Wasted Locker ransomware attack in October 2020, the domains had\r\nappeared in a big cyberespionage campaign a month later, while at least one of the IP addresses had been reused in\r\na Hades ransomware attack.\r\nThe PRODAFT report lists many interesting facts about the threat actor named SilverFish, which seems to be a\r\nvery sophisticated and organized group. They had teams of hackers working shifts, day and night. This certainly\r\nfits with our findings regarding the Wasted Locker attack in October. Only a group working continuously in shifts\r\nwould be capable of reacting this fast to the successful drive-by attack.\r\nNevertheless, the PRODAFT report only mentions the SolarWinds breach as the attack vector that SilverFish\r\nused. Nowhere do they mention drive-by attacks like the SocGholish framework Truesec observed being the\r\ninitial attack vector for the Wasted Locker attack.\r\nIt appears as if the same threat actor used their infrastructure for Wasted Locker attacks in October 2020, only to\r\nshift their operation to run an espionage campaign stealing data from victims of the SolarWinds breach in January\r\n2021. So, what happened in between those two dates?\r\nGoing back to the timeline for the SolarWinds breach, the most important date was the 13th of December, the day\r\nthe SolarWinds breach was publicized. 
This means that just four days after the SolarWinds breach was made\r\npublic, the threat actor behind the Wasted Locker ransomware stopped using that ransomware and instead\r\nswitched to the new Hades ransomware.\r\nOne purpose of the SilverFish threat actor seems to have been to save as much as possible of the access obtained\r\nthrough the SolarWinds breach once it was outed in the media. To do so they used an existing infrastructure: an\r\ninfrastructure that until then had been used to conduct ransomware operations with the Wasted Locker\r\nransomware.\r\nFigure 9: Timelines for Wasted Locker and SolarWinds campaigns\r\nIn fact, the timelines of Wasted Locker and the SolarWinds breach had one more parallel. The first known\r\ninstance of the threat actor behind the SolarWinds breach pushing the Sunburst malware was in February 2020.\r\nAt the same time, the threat actor behind Wasted Locker ceased operations at the end of February 2020, probably\r\nto prepare to release the new Wasted Locker ransomware.\r\nAn Elusive Threat Actor\r\nThe threat actor behind the Wasted Locker ransomware attacks is generally believed to be the infamous “Evil\r\nCorp” group. Evil Corp has for many years been a pioneer in financial cybercrime. Their BitPaymer ransomware\r\nwas one of the first truly successful ransomware operations and pioneered the “Big Game Hunting” attacks\r\nagainst large corporate networks, earning millions of USD in ransom money.\r\nTruesec has already exposed the special status that organized cybercrime seems to have in Russia as long as they\r\nplay by the unwritten rules. Rules that include staying on the good side of the powerful Russian security service,\r\nthe FSB. 
In fact, the alleged leader of Evil Corp, Maksim Yakubets, is married to the daughter of an ex-FSB colonel\r\nwith ties to an FSB Special Forces unit and clandestine assassination attacks.\r\nImage: Maksim Yakubets\r\nThe US Government has blamed the Russian intelligence agency SVR for the SolarWinds breach. The size and\r\nthe scope of the SolarWinds breach make it difficult to believe that anything less than a state-sponsored\r\nintelligence organization was behind the operation. While there is no proof that SilverFish is part of the same\r\norganization as the threat actor responsible for the SolarWinds breach, it seems they are a Russian cyberespionage\r\ngroup that tries to exploit the success of the SolarWinds breach.\r\nWho is this threat actor then? Is it a highly sophisticated cybercrime group that conducts cyberespionage for\r\nprofit, presumably selling the stolen data to the Russian government, or is it even a cyberespionage group that\r\nruns a ransomware operation as a smoke screen to cover their true purpose?\r\nPart 3 – Conclusions\r\nFollow the Money!\r\nThe threat actor Truesec observed in the Wasted Locker attack certainly appeared to be very sophisticated. There\r\nis, however, one important area in which this threat actor does not seem to be very sophisticated: scaring the\r\nvictims into paying the ransom.\r\nIn 2020, virtually all major ransomware groups added data leak sites to their arsenal of pressure on their victims. In\r\naddition to encrypting the victim’s data, they threaten to leak sensitive corporate data publicly, hurting their\r\nbusiness and possibly making them liable to GDPR fines in addition to the cost of disrupted services. 
In 2021,\r\nsome groups are expanding their threats to include DDoS attacks and threatening phone calls.\r\nBy comparison, the threat actor behind Wasted Locker and Hades does not seem to have spent much innovation on\r\nterrorizing their victims into paying the ransom, beyond the initial ransomware. By the fall of 2020, Wasted\r\nLocker appears to have been almost the only major ransomware group that did not operate a data leak site.\r\nThe first report about Wasted Locker’s successor Hades even mentions that victims of Hades had trouble\r\ncontacting the threat actor to pay the ransom. For such a sophisticated cybercrime group, it seems almost\r\namateurish to mess up the most important part of the whole operation: the payment!\r\nMaskirovka\r\nIf the threat actor behind the Wasted Locker ransomware is in fact identical to SilverFish, we then have a highly\r\nsophisticated threat actor who displays a very high level of skill in almost every aspect of their cyberattacks,\r\nincluding a highly organized cyberespionage campaign. The only exception appears to be the step where they\r\nensure they get paid by their ransomware victims. It is as if the threat actor values stealth more than big money.\r\nThere is speculation that Evil Corp is keeping such a low profile because their leaders were sanctioned by\r\nOFAC in 2019. This is a possible explanation for the threat actor’s behaviour, but it does not explain the\r\nconnections to SilverFish and the SolarWinds breach.\r\nThere is also a possibility that Wasted Locker and SilverFish were run independently. Theoretically, Russian\r\nintelligence could have leaned on the threat actor running Wasted Locker to let them take over part of their\r\ninfrastructure to cover their tracks once the backlash from the exposure of the SolarWinds breach became apparent. 
It\r\nwould even explain the apparent chaos when they suddenly shifted to the Hades ransomware.\r\nThere are, however, many similarities in TTPs between the Wasted Locker attack that Truesec investigated and\r\nthe threat actor described in the PRODAFT report. It is possible that the entire Wasted Locker/Hades ransomware\r\ncampaigns have been run as just a “maskirovka”, the Russian word for deception, to hide a cyberespionage\r\ncampaign. The reason why they seem to be careless about extracting the ransom could simply be that it is not\r\nimportant to them. They just need to keep up the appearance.\r\nThe threat actor that Truesec observed conducting the Wasted Locker ransomware attack spent a long time\r\nsystematically searching the compromised systems but stole very little data. It is possible they initially searched\r\nfor valuable data to steal, and only after they determined the organization had no espionage value decided to\r\ndeploy the ransomware. If so, perhaps some of the victims in the SilverFish campaign were in fact infected by\r\nSocGholish but never received the Wasted Locker ransomware, because they were deemed too important as\r\nespionage victims.\r\nEnd Note – The New Russia\r\nWhile researching this report, we came across an article about Maksim Yakubets, the alleged leader of Evil Corp,\r\nthat included the sentence “In April 2018, Yakubets was in the process of obtaining a license to work with\r\nclassified Russian information from the Russian spy agency, the FSB – the Federal Security Service of the Russian\r\nFederation.”\r\nRussia is notorious for blurring lines and purposefully operating on the borders between war and peace to achieve\r\nits ends through “hybrid warfare.” Russian oligarchs blur the lines between public and private, as they own\r\nprivate mercenary groups that support Russian foreign objectives while providing deniability to the Russian\r\ngovernment.\r\nPerhaps the threat actor behind both Wasted Locker and 
SilverFish is the latest iteration of Evil Corp after all?\r\nPerhaps Evil Corp has now morphed into a mercenary espionage organization controlled by Russian intelligence\r\nbut hiding behind the façade of a cybercrime ring, blurring the lines between crime and espionage. If so, it would\r\nlikely mean that this group uses the ransom money paid by victims to finance their espionage operations.\r\nAPPENDIX – Indicators of Compromise\r\nCDN endpoint for Domain Fronting to C2 Server\r\ntwimg-us.azureedge[.]net *\r\nCDN Domains\r\ncdn.auditor.adobe[.]com *\r\nimages.adsyndication.msn[.]com\r\nlp-cdn.lastpass[.]com\r\nPost-Exploitation Domains\r\nroofingspecialists[.]info/file *\r\nPost-Exploitation IP Addresses\r\n185[.]82.127.86\r\n66[.]58.201.137\r\n* = Found in both the Wasted Locker attack and the PRODAFT report.\r\nSource: https://www.truesec.com/hub/blog/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.truesec.com/hub/blog/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies"
	],
	"report_names": [
		"are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies"
	],
	"threat_actors": [
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "821d8858-a784-4ab2-9ecb-56c7afeed7d7",
			"created_at": "2023-11-21T02:00:07.403629Z",
			"updated_at": "2026-04-10T02:00:03.479942Z",
			"deleted_at": null,
			"main_name": "SilverFish",
			"aliases": [],
			"source_name": "MISPGALAXY:SilverFish",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434258,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/510c442441cf5af8e18767e5585810c1c2dc82a4.pdf",
		"text": "https://archive.orkl.eu/510c442441cf5af8e18767e5585810c1c2dc82a4.txt",
		"img": "https://archive.orkl.eu/510c442441cf5af8e18767e5585810c1c2dc82a4.jpg"
	}
}