{
	"id": "55cb029d-5609-4573-8d0e-ef2a1e0d08d4",
	"created_at": "2026-04-06T00:09:52.321439Z",
	"updated_at": "2026-04-10T13:12:27.316844Z",
	"deleted_at": null,
	"sha1_hash": "51f45b358cab528e61d25c71609b8d457165c79c",
	"title": "HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3447405,
	"plain_text": "HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine\r\nBy Juan Andrés Guerrero-Saade\r\nPublished: 2022-02-23 · Archived: 2026-04-05 14:01:10 UTC\r\nThis post was updated Feb 28th 2022 to include new IOCs and the PartyTicket ‘decoy ransomware’.\r\nExecutive Summary\r\nOn February 23rd, the threat intelligence community began observing a new wiper malware sample circulating in Ukrainian organizations.\r\nOur analysis shows a signed driver is being used to deploy a wiper that targets Windows devices, manipulating the MBR and causing subsequent boot failure.\r\nThis blog includes the technical details of the wiper, dubbed HermeticWiper, and includes IOCs to allow organizations to stay protected from this attack.\r\nThis sample is actively being used against Ukrainian organizations, and this blog will be updated as more information becomes available.\r\nWe also analyze a ‘ransomware’, called PartyTicket, reportedly used as a decoy during wiping operations.\r\nSentinelOne customers are protected from this threat; no action is needed.\r\nBackground\r\nOn February 23rd, our friends at Symantec and ESET research tweeted hashes associated with a wiper attack in Ukraine, including one which is not publicly available as of this writing.\r\nWe started analyzing this new wiper malware, calling it ‘HermeticWiper’ in reference to the digital certificate used to sign the sample. The digital certificate is issued under the company name ‘Hermetica Digital Ltd’ and valid as of April 2021. At this time, we haven’t seen any legitimate files signed with this certificate. It’s possible that the attackers used a shell company or appropriated a defunct company to issue this digital certificate.\r\nhttps://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/\r\nPage 1 of 9\r\nHermeticWiper Digital Signature\r\nThis is an early effort to analyze the first available sample of HermeticWiper. We recognize that the situation on the ground in Ukraine is evolving rapidly and hope that we can contribute our small part to the collective analysis effort.\r\nTechnical Analysis\r\nAt first glance, HermeticWiper appears to be a custom-written application with very few standard functions. The malware sample is 114KB in size and roughly 70% of that is composed of resources. The developers are using a tried and tested technique of wiper malware, abusing a benign partition management driver, in order to carry out the more damaging components of their attacks. Both the Lazarus Group (Destover) and APT33 (Shamoon) took advantage of EldoS RawDisk in order to get direct userland access to the filesystem without calling Windows APIs. HermeticWiper uses a similar technique by abusing a different driver, empntdrv.sys.\r\nHermeticWiper resources containing EaseUS Partition Manager drivers\r\nThe copies of the driver are ms-compressed resources. The malware deploys one of these depending on the OS version, bitness, and SysWow64 redirection.\r\nEaseUS driver resource selection\r\nThe benign EaseUS driver is abused to do a fair share of the heavy lifting when it comes to accessing Physical Drives directly as well as getting partition information. This adds to the difficulty of analyzing HermeticWiper, as a lot of functionality is deferred to DeviceIoControl calls with specific IOCTLs.\r\nMBR and Partition Corruption\r\nHermeticWiper enumerates a range of Physical Drives multiple times, from 0 to 100. For each Physical Drive, the \\\\.\\EPMNTDRV\\ device is called for a device number.\r\nThe malware then focuses on corrupting the first 512 bytes, the Master Boot Record (MBR), of every Physical Drive. While that should be enough for the device not to boot again, HermeticWiper proceeds to enumerate the partitions for all possible drives.\r\nIt then differentiates between FAT and NTFS partitions. In the case of a FAT partition, the malware calls the same ‘bit fiddler’ to corrupt the partition. For NTFS, HermeticWiper parses the Master File Table before calling this same bit fiddling function again.\r\nMFT parsing and bit fiddling calls\r\nWe euphemistically refer to the bit fiddling function in the interest of brevity. Looking through it, we see calls to Windows APIs to acquire a cryptographic context provider and generate random bytes. It’s likely this is being used for an inlined crypto implementation and byte overwriting, but the mechanism isn’t entirely clear at this time.\r\nFurther functionality refers to interesting MFT fields ($bitmap, $logfile) and NTFS streams ($DATA, $I30, $INDEX_ALLOCATION). The malware also enumerates common folders (‘My Documents’, ‘Desktop’, ‘AppData’), makes references to the registry (‘ntuser’), and Windows Event Logs (\"\\\\\\\\?\\\\C:\\\\Windows\\\\System32\\\\winevt\\\\Logs\"). Our analysis is ongoing to determine how this functionality is being used, but it is clear that having already corrupted the MBR and partitions for all drives, the victim system should be inoperable by this point of the execution.\r\nAlong the way, HermeticWiper’s more mundane operations provide us with further IOCs to monitor for. These include the momentary creation of the abused driver as well as a system service. It also modifies several registry keys, including setting the CrashDumpEnabled value under SYSTEM\\CurrentControlSet\\Control\\CrashControl to 0, effectively disabling crash dumps before the abused driver’s execution starts.\r\nDisabling CrashDumps via the registry\r\nFinally, the malware waits on sleeping threads before initiating a system shutdown, finalizing the malware’s devastating effect.\r\nA Decoy Ransomware – PartyTicket\r\nOn February 24th, 2022, Symantec researchers pointed to a new Go ransomware being used as a decoy alongside the deployment of HermeticWiper. During our analysis we decided to name it PartyTicket based on some of the strings used by the malware developers:\r\nThe idea of using ransomware as a decoy for a wiper is counterintuitive. In particular, ransomware as poorly coded as PartyTicket is more likely to tie up resources during the execution of an otherwise efficient wiper.\r\nAs often happens to amateur Go developers, the malware has poor control over its concurrent threads and the commands it attempts to run. This leads to hundreds of threads and events spawned in our consoles. That is to say, it’s a very loud and ineffective ransomware that should fire alerts left and right.\r\nThe folder organization and function naming conventions within the binary show the developer’s intent to taunt the U.S. Government and the Biden administration.\r\nProject folders and function names referring to the Biden Administration\r\nSimilar taunting can be found in the ransom note after execution:\r\nIn trying to understand the execution flow of PartyTicket, we see the 403forBiden.wHiteHousE.primaryElectionProcess() function recursively enumerating folders:\r\nPartyTicket looping over non-system folders\r\nThe resulting number of folders is used as an upper bound for concurrent threads, a mistake by the Go developers since that effectively ties up all of the system’s resources, while the files found are all queued into a channel for the threads to reference.\r\nPartyTicket generating concurrent threads\r\nThe function indirectly called for each thread is main.subscribeNewPartyMember(). It in turn takes a filename, makes a copy with a \u003cUUID\u003e.exe name and deletes the original file. Then we expect a second loop to relieve that queue of files and run each through a standard Go AES crypto implementation. However, execution is unlikely to get this far with the current design of PartyTicket.\r\n(Thanks to Joakim Kennedy (Intezer) for pointing out this indirect call)\r\nCrypto routine for files queued in the ‘salary’ channel\r\nOverall, our analysis of PartyTicket indicates that it is a rather simple, poorly coded, and loud malware. Its possible role as a decoy ransomware deployed alongside HermeticWiper is more likely to be effective through its accidental hogging of the victim organization’s system resources than through the encryption of files itself. IOCs and YARA rules have been added below.\r\nConclusion\r\nAfter a week of defacements and increasing DDoS attacks, the proliferation of sabotage operations through wiper malware is an expected and regrettable escalation. At this time, we have a very small sliver of aperture into the attacks in Ukraine and subsequent spillover into neighboring countries and allies. If there’s a silver lining to such a difficult situation, it’s seeing the open collaboration between threat intel research teams, independent researchers, and journalists looking to get the story straight. Our thanks to the researchers at Symantec, ESET, Stairwell, and Red Canary among others who’ve contributed samples, time, and expertise.\r\nSentinelOne Customers Protected\r\nIndicators of Compromise\r\n(Updated February 28th, 2022)\r\nms-compressed resources SHA1\r\nRCDATA_DRV_X64 5ceebaf1cbb0c10b95f7edd458804a646c6f215e\r\nRCDATA_DRV_X86 0231721ef4e4519ec776ff7d1f25c937545ce9f4\r\nRCDATA_DRV_XP_X64 9c2e465e8dfdfc1c0c472e0a34a7614d796294af\r\nRCDATA_DRV_XP_X86 ee764632adedf6bb4cf4075a20b4f6a79b8f94c0\r\nHermeticWiper SHA1\r\nWin32 EXE 0d8cc992f279ec45e8b8dfd05a700ff1f0437f29\r\nWin32 EXE 61b25d11392172e587d8da3045812a66c3385451\r\nWin32 EXE 912342f1c840a42f6b74132f8a7c4ffe7d40fb77\r\nWin32 EXE 9518e4ae0862ae871cf9fb634b50b07c66a2c379\r\nWin32 EXE d9a3596af0463797df4ff25b7999184946e3bfa2\r\nPartyTicket SHA1\r\nWin32 EXE f32d791ec9e6385a91b45942c230f52aff1626df\r\nYARA Rules\r\n(https://github.com/SentineLabs/Yara/blob/main/APT_RU_SunFlowerSeed.yar)\r\nimport \"pe\"\r\nrule MAL_HERMETIC_WIPER {\r\n    meta:\r\n        desc = \"Hermetic Wiper - broad hunting rule\"\r\n        author = \"Hegel @ SentinelLabs\"\r\n        version = \"1.0\"\r\n        last_modified = \"02.23.2022\"\r\n        hash = \"1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591\"\r\n        reference = \"https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/\"\r\n    strings:\r\n        $string1 = \"DRV_XP_X64\" wide ascii nocase\r\n        $string2 = \"EPMNTDRV\\\\%u\" wide ascii nocase\r\n        $string3 = \"PhysicalDrive%u\" wide ascii nocase\r\n        $cert1 = \"Hermetica Digital Ltd\" wide ascii nocase\r\n    condition:\r\n        uint16(0) == 0x5A4D and\r\n        all of them\r\n}\r\nrule MAL_PARTY_TICKET {\r\n    meta:\r\n        desc = \"PartyTicket / HermeticRansom Golang Ransomware - associated with HermeticWiper campaign\"\r\n        author = \"Hegel @ SentinelLabs\"\r\n        version = \"1.0\"\r\n        last_modified = \"02.24.2022\"\r\n        hash = \"4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382\"\r\n        reference = \"https://twitter.com/juanandres_gs/status/1496930731351805953\"\r\n    strings:\r\n        $string1 = \"/403forBiden/\" wide ascii nocase\r\n        $string2 = \"/wHiteHousE/\" wide ascii\r\n        $string3 = \"vote_result.\" wide ascii\r\n        $string4 = \"partyTicket.\" wide ascii\r\n        $buildid1 = \"Go build ID: \\\"qb0H7AdWAYDzfMA1J80B/nJ9FF8fupJl4qnE4WvA5/PWkwEJfKUrRbYN59_Jba/2o0VIyvqINF\r\n        $project1 = \"C:/projects/403forBiden/wHiteHousE/\" wide ascii\r\n    condition:\r\n        uint16(0) == 0x5A4D and\r\n        (2 of ($string*) or\r\n        any of ($buildid*) or\r\n        any of ($project*))\r\n}\r\nrule MAL_COMPROMISED_HERMETICA_CERT {\r\n    meta:\r\n        desc = \"Hermetica Cert - broad hunting rule based on the certificate used in HermeticWiper and HermeticW\r\n        author = \"Hegel @ SentinelLabs\"\r\n        version = \"1.0\"\r\n        last_modified = \"03.01.2022\"\r\n        hash = \"1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591\"\r\n        reference = \"https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/\"\r\n    condition:\r\n        uint16(0) == 0x5a4d and\r\n        for any i in (0 .. pe.number_of_signatures) : (\r\n            pe.signatures[i].issuer contains \"DigiCert EV Code Signing CA\" and\r\n            pe.signatures[i].serial == \"0c:48:73:28:73:ac:8c:ce:ba:f8:f0:e1:e8:32:9c:ec\"\r\n        )\r\n}\r\nrule MAL_ISSAC_WIPER {\r\n    meta:\r\n        desc = \"Issac Wiper - broad hunting rule\"\r\n        author = \"Hegel @ SentinelLabs\"\r\n        version = \"1.0\"\r\n        last_modified = \"03.01.2022\"\r\n        hash = \"13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033\"\r\n        reference = \"https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-uk\r\n    strings:\r\n        $name1 = \"Cleaner.dll\" wide ascii\r\n        $name2 = \"cl.exe\" wide ascii nocase\r\n        $name3 = \"cl64.dll\" wide ascii nocase\r\n        $name4 = \"cld.dll\" wide ascii nocase\r\n        $name5 = \"cll.dll\" wide ascii nocase\r\n        $name6 = \"Cleaner.exe\" wide ascii\r\n        $export = \"_Start@4\" wide ascii\r\n    condition:\r\n        uint16(0) == 0x5A4D and\r\n        (any of ($name*) and $export)\r\n}\r\nrule MAL_HERMETIC_WIZARD {\r\n    meta:\r\n        desc = \"HermeticWizard hunting rule\"\r\n        author = \"Hegel @ SentinelLabs\"\r\n        version = \"1.0\"\r\n        last_modified = \"03.01.2022\"\r\n        reference = \"https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-uk\r\n    strings:\r\n        $name1 = \"Wizard.dll\" wide ascii\r\n        $name2 = \"romance.dll\" wide ascii\r\n        $name3 = \"exec_32.dll\" wide ascii\r\n        $function1 = \"DNSGetCacheDataTable\" wide ascii\r\n        $function2 = \"GetIpNetTable\" wide ascii\r\n        $function3 = \"WNetOpenEnumW\" wide ascii\r\n        $function4 = \"NetServerEnum\" wide ascii\r\n        $function5 = \"GetTcpTable\" wide ascii\r\n        $function6 = \"GetAdaptersAddresses\" wide ascii\r\n        $function7 = \"GetEnvironmentStrings\" wide ascii\r\n        $ip_anchor1 = \"192.168.255.255\" wide ascii\r\n    condition:\r\n        uint16(0) == 0x5A4D and\r\n        (any of ($function*) and any of ($name*) and $ip_anchor1)\r\n}\r\nSentinelOne STAR Rules\r\nEventType = \"Process Creation\" AND TgtProcPublisher = \"HERMETICA DIGITAL LTD\" AND\r\n( SrcProcSignedStatus = \"signed\" AND IndicatorPersistenceCount = \"2\" AND RegistryValue = \"4\" AND RegistryKeyP\r\nSource: https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/"
	],
	"report_names": [
		"hermetic-wiper-ukraine-under-attack"
	],
	"threat_actors": [
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434192,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/51f45b358cab528e61d25c71609b8d457165c79c.pdf",
		"text": "https://archive.orkl.eu/51f45b358cab528e61d25c71609b8d457165c79c.txt",
		"img": "https://archive.orkl.eu/51f45b358cab528e61d25c71609b8d457165c79c.jpg"
	}
}