{
	"id": "96d67c2c-0e32-43ca-a0ca-c1d7836244b8",
	"created_at": "2026-04-06T00:13:37.358853Z",
	"updated_at": "2026-04-10T03:37:33.059903Z",
	"deleted_at": null,
	"sha1_hash": "51b792756bc5bb31e96423c265c3b4d8c92e7a63",
	"title": "The SolarWinds cyberattack: The hack, the victims, and what we know",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3682160,
	"plain_text": "The SolarWinds cyberattack: The hack, the victims, and what we know\r\nBy Lawrence Abrams\r\nPublished: 2020-12-19 · Archived: 2026-04-05 19:46:15 UTC\r\nSince the SolarWinds supply chain attack was disclosed in December, there has been a whirlwind of news, technical details,\r\nand analysis released about the hack.\r\nBecause the volume of information released in such a short time is overwhelming, we have compiled this roundup of\r\nSolarWinds news.\r\nThe information is distilled into a format that will hopefully explain the attack, who its victims are, and what we know to\r\nthis point.\r\nhttps://www.bleepingcomputer.com/news/security/the-solarwinds-cyberattack-the-hack-the-victims-and-what-we-know/\r\nPage 1 of 9\n\nThe SolarWinds supply chain attack\r\nWhile we learned of the SolarWinds attack on December 13th, the first disclosure of its consequences came on December\r\n8th, when leading cybersecurity firm FireEye revealed that it had been hacked by a nation-state APT group. As part of this attack,\r\nthe threat actors stole Red Team assessment tools that FireEye uses to probe its customers' security.\r\nIt was not known how the hackers gained access to FireEye's network until Sunday, December 13th, 2020, when Microsoft,\r\nFireEye, SolarWinds, and the U.S. government issued a coordinated report that SolarWinds had been hacked by state-sponsored threat actors believed to be part of the Russian S.V.R.\r\nFireEye is one of the SolarWinds customers breached in this attack.\r\nAs part of the attack, the threat actors gained access to the SolarWinds Orion build system and added a backdoor to the\r\nlegitimate SolarWinds.Orion.Core.BusinessLayer.dll DLL file. 
This DLL was then distributed to SolarWinds customers in a\r\nsupply chain attack via the automatic update platform used to push out new software updates.\r\nSolarWinds supply chain attack\r\nSource: Microsoft\r\nThis DLL backdoor is known as Sunburst (FireEye) or Solorigate (Microsoft), and is loaded by the\r\nSolarWinds.BusinessLayerHost.exe program. Once loaded, it connects back to the remote command \u0026 control server at\r\na subdomain of avsvmcloud[.]com to receive \"jobs,\" or tasks, to execute on the infected computer.\r\nThe backdoor's command and control server's DNS name is created using a domain generation algorithm (DGA) that produces an\r\nencoded subdomain of avsvmcloud[.]com. FireEye states that the subdomain is created by \"concatenating a victim userId\r\nwith a reversible encoding of the victim's local machine domain name,\" which is then hashed. For example, a subdomain used in\r\nthis attack is '1btcr12b62me0buden60ceudo1uv2f0i.appsync-api.us-east-2[.]avsvmcloud.com.'\r\nIt is unknown what tasks were executed, but they could be anything from giving remote access to the threat actors to\r\ndownloading and installing further malware or stealing data.\r\nMicrosoft published a technical writeup on Friday for those interested in the technical aspects of the Sunburst backdoor.\r\nA report by Kim Zetter released Friday night indicates that the threat actors may have performed a dry run of the distribution\r\nmethod as early as October 2019. 
During this dry run, the DLL was distributed without the malicious Sunburst backdoor.\r\nAfter the threat actors began distributing the backdoor in March 2020, researchers believe that the attackers have been\r\nsilently sitting in some of the compromised networks for months while harvesting information or performing other malicious\r\nactivity.\r\nZetter's report stated that FireEye eventually detected they were hacked after the threat actors registered a device to the\r\ncompany's multi-factor authentication (MFA) system using stolen credentials. After the system alerted the employee and the\r\nsecurity team of this unknown device, FireEye realized that they had been compromised.\r\nAdditional malware discovered\r\nAfter performing investigations of SolarWinds supply chain victims, researchers have begun to get a better idea of the\r\ndifferent malware used in the attack.\r\nAccording to CrowdStrike, a malware named SunSpot was first executed in the SolarWinds network to monitor for and\r\nautomatically inject the Sunburst backdoor in the SolarWinds development builds. \r\nThe Sunburst backdoor would then be transferred to victims via automatic updates for the SolarWinds Orion platform. 
Once\r\nexecuted, it would routinely connect to a remote command and control server for commands to execute on the infected\r\ndevice.\r\nFireEye discovered that the Sunburst backdoor would drop a malware named Teardrop, which is a previously unknown\r\nmemory-only dropper and a post-exploitation tool used to deploy customized Cobalt Strike beacons.\r\nFinally, Symantec discovered the RainDrop malware, which was also used to deploy Cobalt Strike beacons on other hosts in\r\nan already compromised network.\r\nThe hackers behind the SolarWinds attack\r\nFireEye is currently tracking the threat actor behind this campaign as UNC2452, while Washington-based cybersecurity firm\r\nVolexity has linked this activity to a hacking group known under the Dark Halo moniker.\r\nVolexity says that Dark Halo actors have coordinated malicious campaigns between late 2019 and July 2020, targeting and\r\nsuccessfully compromising the same US-based think tank three times in a row.\r\n“In the initial incident, Volexity found multiple tools, backdoors, and malware implants that had allowed the attacker to\r\nremain undetected for several years,” the company said.\r\nIn the second attack, after being cast out from the victim’s network, Dark Halo leveraged a newly disclosed Microsoft\r\nExchange server bug that helped them to circumvent Duo multi-factor authentication (MFA) defenses for unauthorized\r\nemail access via the Outlook Web App (OWA) service.\r\nDuring the third attack targeting the same think tank, the threat actor used the SolarWinds supply chain attack to deploy the\r\nsame backdoor Dark Halo used to breach FireEye's networks and several U.S. 
government agencies.\r\nUnconfirmed media reports have also cited sources linking the attacks to APT29 (aka Cozy Bear), a state-sponsored hacking\r\ngroup associated with the Russian Foreign Intelligence Service (SVR).\r\nResearchers, including FireEye, Microsoft, and Volexity, have not attributed these attacks to APT29 at this time.\r\nThe Russian Embassy in the USA reacted [1, 2] to these media reports, saying that they were an “unfounded attempt of the\r\nU.S. media to blame Russia for hacker attacks on U.S. governmental bodies.”\r\n“Russia does not conduct offensive operations in the cyber domain,” the Embassy added.\r\nWhile Russia continues to deny these attacks, Secretary of State Mike Pompeo stated in an interview released Friday night\r\nthat it is “pretty clear” that Russia was behind the attack.\r\n“This was a very significant effort, and I think it’s the case that now we can say pretty clearly that it was the Russians that\r\nengaged in this activity,” Pompeo told radio host Mark Levin.\r\nMicrosoft believes that the ultimate goal of these attacks was to gain access to victims' cloud assets after deploying the\r\nSunburst/Solorigate backdoor on their local networks.\r\nThe victims of the attack\r\nResearchers believe that the malicious DLL was pushed out to approximately 18,000 customers as part of this attack.\r\nThe threat actors, though, only targeted organizations that they perceived as 'high value,' so even though some of these\r\ncustomers may have received the DLL, it is unknown whether they were actively targeted in further attacks.\r\nThe currently known list of organizations that were hit by the SolarWinds supply chain attack includes:\r\nFireEye\r\nU.S. Department of the Treasury\r\nU.S. National Telecommunications and Information Administration (NTIA)\r\nU.S. 
Department of State\r\nThe National Institutes of Health (NIH) (Part of the U.S. Department of Health)\r\nU.S. Department of Homeland Security (DHS)\r\nU.S. Department of Energy (DOE)\r\nU.S. National Nuclear Security Administration (NNSA)\r\nSome US states (Specific states are undisclosed)\r\nMicrosoft\r\nCisco\r\nMicrosoft has also identified and notified more than 40 of its customers affected by this attack but has not disclosed their\r\nnames. Microsoft states that 80% of the victims were from the U.S., and 44% were in the IT sector.\r\nSunburst victims by sector\r\nBased on the decoding of subdomains generated by the malware's domain generation algorithm (DGA), many well-known\r\ncompanies may disclose targeted attacks at a later date.\r\nDecoded backdoor command \u0026 control server subdomains\r\nSource: RedDrip Team\r\nWhat are security firms doing to protect victims\r\nSince the cyberattack was disclosed, security firms have been adding the malicious Sunburst backdoor binaries to their\r\ndetections.\r\nWhile Microsoft was already detecting and alerting customers of malicious SolarWinds binaries, it was not quarantining\r\nthem out of concern that doing so could affect an organization's network management services. On December 16th, at 8:00 AM PST,\r\nMicrosoft Defender began quarantining detected binaries even if the process is running.\r\nMicrosoft, FireEye, and GoDaddy also collaborated to create a kill switch for the Sunburst backdoor distributed in the\r\nSolarWinds hack.\r\nWhen the malicious binaries attempt to contact the command \u0026 control servers, they perform DNS resolution to get the\r\nIP address. 
If this IP address is part of certain IP ranges, including ones owned by Microsoft, the backdoor will terminate and\r\nprevent itself from executing again.\r\nTo create the kill switch, GoDaddy created a wildcard DNS resolution so that any subdomain of avsvmcloud[.]com resolves\r\nto the IP address 20.140.0.1, which belongs to Microsoft and is on the malware's blocklist. This wildcard resolution is\r\nillustrated by a DNS lookup for a made-up subdomain, as shown below.\r\nWildcard DNS resolution\r\nAs this IP address is part of the malware's blocklist, when the backdoor connects to any subdomain of avsvmcloud[.]com, it will unload\r\nand no longer execute.\r\nWhile this kill switch will disable Sunburst backdoor deployments connecting to the command \u0026 control servers, FireEye has\r\nstated the threat actors may have deployed other backdoors.\r\n\"However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to\r\naccess victim networks beyond the Sunburst backdoor. This killswitch will not remove the actor from victim networks\r\nwhere they have established other backdoors. 
However, it will make it more difficult for the actor to leverage the\r\npreviously distributed versions of Sunburst,\" FireEye told BleepingComputer in a\r\nstatement.\r\nHow to check if you were compromised\r\nIf you are a user of SolarWinds products, you should immediately consult their advisory and Frequently Asked Questions, as\r\nthey contain the necessary information about upgrading to the latest 'clean' version of their software.\r\nMicrosoft has also published a list of nineteen malicious SolarWinds.Orion.Core.BusinessLayer.dll DLL files spotted in the\r\nwild.\r\nThis list, shown below, contains each file's SHA256 hash, the file version, and when it was first seen.\r\nSHA256 File Version Date first seen\r\ne0b9eda35f01c1540134aba9195e7e6393286dde3e001fce36fb661cc346b91d 2020.2.100.11713 February 2020\r\na58d02465e26bdd3a839fd90e4b317eece431d28cab203bbdde569e11247d9e2 2020.2.100.11784 March 2020\r\n32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 2019.4.5200.9083 March 2020\r\ndab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b 2020.2.100.12219 March 2020\r\neb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed 2020.2.100.11831 March 2020\r\nc09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77 Not available March 2020\r\nffdbdd460420972fd2926a7f460c198523480bc6279dd6cca177230db18748e8 2019.4.5200.9065 March 2020\r\nb8a05cc492f70ffa4adcd446b693d5aa2b71dc4fa2bf5022bf60d7b13884f666 2019.4.5200.9068 March 2020\r\n20e35055113dac104d2bb02d4e7e33413fae0e5a426e0eea0dfd2c1dce692fd9 2019.4.5200.9078 March 2020\r\n0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589 2019.4.5200.9078 March 2020\r\ncc082d21b9e880ceb6c96db1c48a0375aaf06a5f444cb0144b70e01dc69048e6 2019.4.5200.9083 March 2020\r\nac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c 2020.4.100.478 April 2020\r\n019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 2020.2.5200.12394 April 
2020\r\nce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 2020.2.5300.12432 May 2020\r\n2b3445e42d64c85a5475bdbc88a50ba8c013febb53ea97119a11604b7595e53d 2019.4.5200.9078 May 2020\r\n92bd1c3d2a11fc4aba2735d9547bd0261560fb20f36a0e7ca2f2d451f1b62690 2020.4.100.751 May 2020\r\na3efbc07068606ba1c19a7ef21f4de15d15b41ef680832d7bcba485143668f2d Not available Not available\r\na25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc 2019.4.5200.8890 October 2019\r\nd3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af 2019.4.5200.8890 October 2019\r\nFinally, security researchers have released various tools that allow you to check whether you were compromised or what\r\ncredentials were stored in your SolarWinds Orion installation.\r\nSolarFlare Release: Password Dumper for SolarWinds Orion\r\nSpearTip’s SolarWinds’ Orion Vulnerability Tool SunScreen – SPF 10\r\nThe source code for both projects is published to GitHub. You are strongly encouraged to review the source code, if\r\navailable, of any program you plan to run on your network.\r\nSecurity researcher Cory Kennedy has also released a Python tool to help you find the Sunburst malware on your network.\r\nThis tool is called Sunburst hunter and can be downloaded from the project's GitHub page.\r\nSolarWinds Orion abused in other supply chain attacks\r\nDuring the investigation into the SolarWinds hack, Palo Alto Networks and Microsoft found an additional malware named\r\nSUPERNOVA distributed using the App_Web_logoimagehandler.ashx.b6031896.dll DLL file.\r\nThis malware is a backdoor that allowed the threat actors to send C# code that would be compiled and executed by the\r\nmalware.\r\nSUPERNOVA code\r\nThis malware is not believed to be related to the SolarWinds.Orion.Core.BusinessLayer.dll supply chain attack. 
It does,\r\nthough, indicate that the SolarWinds Orion platform was used in two different attacks, and possibly by different groups, to\r\ndistribute malware.\r\nLast week, SolarWinds released an update advisory advising all Orion Platform customers to upgrade to the latest\r\nversions to be protected from not only the SUNBURST vulnerability but the SUPERNOVA malware as well.\r\nAdditional reporting by Sergiu Gatlan and Ionut Ilascu.\r\nUpdate 12/19/20: Added Cisco to the victim list.\r\nUpdate 12/27/20: Added information about second SUPERNOVA malware.\r\nUpdate 01/20/20: Added information about further malware\r\nSource: https://www.bleepingcomputer.com/news/security/the-solarwinds-cyberattack-the-hack-the-victims-and-what-we-know/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/the-solarwinds-cyberattack-the-hack-the-victims-and-what-we-know/"
	],
	"report_names": [
		"the-solarwinds-cyberattack-the-hack-the-victims-and-what-we-know"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434417,
	"ts_updated_at": 1775792253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/51b792756bc5bb31e96423c265c3b4d8c92e7a63.pdf",
		"text": "https://archive.orkl.eu/51b792756bc5bb31e96423c265c3b4d8c92e7a63.txt",
		"img": "https://archive.orkl.eu/51b792756bc5bb31e96423c265c3b4d8c92e7a63.jpg"
	}
}