{
	"id": "f31ee66c-aa0d-4940-8848-f908b600796c",
	"created_at": "2026-04-06T00:11:20.227736Z",
	"updated_at": "2026-04-10T03:37:32.456926Z",
	"deleted_at": null,
	"sha1_hash": "53b2b846070b388eab9c55729d4b17ad3dbb18a6",
	"title": "Midnight Blizzard: Guidance for responders on nation-state attack | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 90667,
	"plain_text": "Midnight Blizzard: Guidance for responders on nation-state attack\r\n| Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2024-01-26 · Archived: 2026-04-05 17:02:57 UTC\r\nThe Microsoft security team detected a nation-state attack on our corporate systems on January 12, 2024, and\r\nimmediately activated our response process to investigate, disrupt malicious activity, mitigate the attack, and deny\r\nthe threat actor further access. The Microsoft Threat Intelligence investigation identified the threat actor as\r\nMidnight Blizzard, the Russian state-sponsored actor also known as NOBELIUM. The latest information from the\r\nMicrosoft Security and Response Center (MSRC) is posted here.\r\nAs stated in the MSRC blog, given the reality of threat actors that are well resourced and funded by nation states,\r\nwe are shifting the balance we need to strike between security and business risk – the traditional sort of calculus is\r\nsimply no longer sufficient. For Microsoft, this incident has highlighted the urgent need to move even faster.\r\nIf the same team were to deploy the legacy tenant today, mandatory Microsoft policy and workflows would ensure\r\nMFA and our active protections are enabled to comply with current policies and guidance, resulting in better\r\nprotection against these sorts of attacks.\r\nMicrosoft was able to identify these attacks in log data by reviewing Exchange Web Services (EWS) activity and\r\nusing our audit logging features, combined with our extensive knowledge of Midnight Blizzard. 
In this blog, we\r\nprovide more details on Midnight Blizzard, our preliminary and ongoing analysis of the techniques they used, and\r\nhow you may use this information pragmatically to protect, detect, and respond to similar threats in your own\r\nenvironment.\r\nUsing the information gained from Microsoft’s investigation into Midnight Blizzard, Microsoft Threat Intelligence\r\nhas identified that the same actor has been targeting other organizations and, as part of our usual notification\r\nprocesses, we have begun notifying these targeted organizations.\r\nIt’s important to note that this investigation is still ongoing, and we will continue to provide details as appropriate.\r\nMidnight Blizzard\r\nMidnight Blizzard (also known as NOBELIUM) is a Russia-based threat actor attributed by the US and UK\r\ngovernments as the Foreign Intelligence Service of the Russian Federation, also known as the SVR. This threat\r\nactor is known to primarily target governments, diplomatic entities, non-governmental organizations (NGOs) and\r\nIT service providers, primarily in the US and Europe. Their focus is to collect intelligence through longstanding\r\nand dedicated espionage of foreign interests that can be traced to early 2018. Their operations often involve\r\ncompromise of valid accounts and, in some highly targeted cases, advanced techniques to compromise\r\nauthentication mechanisms within an organization to expand access and evade detection.\r\nhttps://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/\r\nPage 1 of 6\n\nMidnight Blizzard is consistent and persistent in their operational targeting, and their objectives rarely change.\r\nMidnight Blizzard’s espionage and intelligence gathering activities leverage a variety of initial access, lateral\r\nmovement, and persistence techniques to collect information in support of Russian foreign policy interests. 
They\r\nutilize diverse initial access methods ranging from stolen credentials to supply chain attacks, exploitation of on-premises environments to laterally move to the cloud, and exploitation of service providers’ trust chain to gain\r\naccess to downstream customers. Midnight Blizzard is also adept at identifying and abusing OAuth applications to\r\nmove laterally across cloud environments and for post-compromise activity, such as email collection. OAuth is an\r\nopen standard for token-based delegated authorization that lets an application access data and\r\nresources on the strength of permissions consented to by a user or an administrator, without the application ever holding the user’s password.\r\nMidnight Blizzard is tracked by partner security vendors as APT29, UNC2452, and Cozy Bear.\r\nMidnight Blizzard observed activity and techniques\r\nInitial access through password spray\r\nMidnight Blizzard utilized password spray attacks that successfully compromised a legacy, non-production test\r\ntenant account that did not have multifactor authentication (MFA) enabled. In a password-spray attack, the\r\nadversary attempts to sign into a large volume of accounts using a small subset of the most popular or most likely\r\npasswords. In this observed Midnight Blizzard activity, the actor tailored their password spray attacks to a limited\r\nnumber of accounts, using a low number of attempts to evade detection and avoid account blocks based on the\r\nvolume of failures. In addition, as we explain in more detail below, the threat actor further reduced the likelihood\r\nof discovery by launching these attacks from a distributed residential proxy infrastructure. These evasion\r\ntechniques helped ensure the actor obfuscated their activity and could persist the attack over time until successful.\r\nMalicious use of OAuth applications\r\nThreat actors like Midnight Blizzard compromise user accounts to create, modify, and grant high permissions to\r\nOAuth applications that they can misuse to hide malicious activity. 
The misuse of OAuth also enables threat actors\r\nto maintain access to applications, even if they lose access to the initially compromised account. Midnight\r\nBlizzard leveraged their initial access to identify and compromise a legacy test OAuth application that had\r\nelevated access to the Microsoft corporate environment. The actor created additional malicious OAuth\r\napplications. They created a new user account to grant consent in the Microsoft corporate environment to the actor-controlled\r\nmalicious OAuth applications. The threat actor then used the legacy test OAuth application to grant\r\nthem the Office 365 Exchange Online full_access_as_app permission (app role), which allows app-only access to every mailbox in the tenant.\r\nCollection via Exchange Web Services\r\nMidnight Blizzard leveraged these malicious OAuth applications to authenticate to Microsoft Exchange Online\r\nand target Microsoft corporate email accounts.\r\nUse of residential proxy infrastructure\r\nAs part of their multiple attempts to obfuscate the source of their attack, Midnight Blizzard used residential proxy\r\nnetworks, routing their traffic through a vast number of IP addresses that are also used by legitimate users, to\r\ninteract with the compromised tenant and, subsequently, with Exchange Online. While not a new technique,\r\nMidnight Blizzard’s use of residential proxies to obfuscate connections makes traditional indicators of\r\ncompromise (IOC)-based detection infeasible due to the high changeover rate of IP addresses.\r\nDefense and protection guidance\r\nDue to the heavy use of proxy infrastructure with a high changeover rate, searching for traditional IOCs, such as\r\ninfrastructure IP addresses, is not sufficient to detect this type of Midnight Blizzard activity. 
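The following is an added example, not code from the Microsoft post, showing why an IP-centric rule misses this activity and what a behavioural rule sees instead. It runs over a constructed set of sign-in events (timestamp, account, source IP, result) with hypothetical accounts and documentation-range IP addresses; the thresholds are illustrative and would be tuned to a tenant’s normal failure rate. A low-and-slow spray through residential proxies shows up as many distinct accounts each failing once or twice inside one window, from almost as many distinct IPs as there are failures, followed by a success against an account in the sprayed set.

```python
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
MIN_ACCOUNTS = 5       # distinct accounts that must fail inside one window
MAX_PER_ACCOUNT = 3    # low-and-slow: few attempts per account, below lockout
MIN_IP_RATIO = 0.8     # distinct IPs / failures; proxy networks push this to 1.0

# Constructed sign-in events (hypothetical accounts, documentation-range IPs).
# Seven accounts each fail once or twice from a different address, then the
# one account without MFA succeeds; grace is an ordinary typo-then-success.
SIGNINS = [
    ('2024-01-10T02:00:05', 'alice@corp.example',   '198.51.100.11',  'FAILED'),
    ('2024-01-10T02:01:10', 'bob@corp.example',     '203.0.113.45',   'FAILED'),
    ('2024-01-10T02:02:31', 'carol@corp.example',   '198.51.100.77',  'FAILED'),
    ('2024-01-10T02:03:02', 'dave@corp.example',    '203.0.113.9',    'FAILED'),
    ('2024-01-10T02:04:40', 'erin@corp.example',    '192.0.2.130',    'FAILED'),
    ('2024-01-10T02:05:55', 'frank@corp.example',   '192.0.2.201',    'FAILED'),
    ('2024-01-10T02:06:12', 'alice@corp.example',   '203.0.113.160',  'FAILED'),
    ('2024-01-10T02:07:48', 'testsvc@corp.example', '198.51.100.200', 'FAILED'),
    ('2024-01-10T02:09:03', 'testsvc@corp.example', '192.0.2.77',     'SUCCESS'),
    ('2024-01-10T09:15:00', 'grace@corp.example',   '10.0.0.8',       'FAILED'),
    ('2024-01-10T09:15:20', 'grace@corp.example',   '10.0.0.8',       'SUCCESS'),
]

def parse(events):
    # (timestamp, user, ip, result) tuples, oldest first
    return sorted((datetime.fromisoformat(ts), user, ip, result)
                  for ts, user, ip, result in events)

def max_failures_per_ip(events):
    # What an IP-centric rule sees: the busiest single source address.
    failed = [e[2] for e in parse(events) if e[3] == 'FAILED']
    return max(Counter(failed).values()) if failed else 0

def find_spray_windows(events):
    # Slide a window over the events; report account sets that look sprayed,
    # suppressing windows whose accounts are a subset of an earlier report.
    evs = parse(events)
    hits, reported = [], []
    for i, (t0, _, _, _) in enumerate(evs):
        window = [e for e in evs[i:] if e[0] - t0 <= WINDOW]
        failures = [e for e in window if e[3] == 'FAILED']
        per_user = Counter(e[1] for e in failures)
        ips = {e[2] for e in failures}
        if (len(per_user) < MIN_ACCOUNTS
                or max(per_user.values()) > MAX_PER_ACCOUNT
                or len(ips) / len(failures) < MIN_IP_RATIO):
            continue
        targeted = set(per_user)
        if any(targeted <= seen for seen in reported):
            continue
        reported.append(targeted)
        # an account that succeeded in the same window after being sprayed
        compromised = sorted({e[1] for e in window
                              if e[3] == 'SUCCESS' and e[1] in targeted})
        hits.append({
            'window_start': t0.isoformat(),
            'accounts_targeted': sorted(targeted),
            'failures': len(failures),
            'distinct_ips': len(ips),
            'likely_compromised': compromised,
        })
    return hits

if __name__ == '__main__':
    print('busiest single IP saw', max_failures_per_ip(SIGNINS), 'failure(s)')
    for hit in find_spray_windows(SIGNINS):
        print(hit)
```

max_failures_per_ip returns 1 for the sample, which is the point: no single address ever crosses a lockout or blocklist threshold, while find_spray_windows reports one window covering seven accounts and names the account that succeeded after being sprayed (the non-MFA test account in the sample). In a real tenant the same logic would run over Entra ID sign-in logs exported to a SIEM, with the window and thresholds adjusted to the observed baseline.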
Instead, Microsoft\r\nrecommends the following guidance to detect and help reduce the risk of this type of threat:\r\nDefend against malicious OAuth applications\r\nAudit the current privilege level of all identities, users, service principals, and Microsoft Graph Data\r\nConnect applications (use the Microsoft Graph Data Connect authorization portal), to understand which\r\nidentities are highly privileged. Privilege should be scrutinized more closely if it belongs to an unknown\r\nidentity, is attached to identities that are no longer in use, or is not fit for purpose. Identities can often be\r\ngranted privilege over and above what is required. Defenders should pay attention to apps with app-only\r\npermissions as those apps may have over-privileged access. Microsoft also publishes additional guidance for investigating\r\ncompromised and malicious applications.\r\nAudit identities that hold ApplicationImpersonation privileges in Exchange Online.\r\nApplicationImpersonation allows a caller, such as a service principal, to impersonate a user and perform\r\nthe same operations that the user themselves could perform. Impersonation privileges like this can be\r\nconfigured for services that interact with a mailbox on a user’s behalf, such as video conferencing or CRM\r\nsystems. If misconfigured, or not scoped appropriately, these identities can have broad access to all\r\nmailboxes in an environment. Permissions can be reviewed in the Exchange Online Admin Center, or via\r\nPowerShell (from a session established with Connect-ExchangeOnline in the Exchange Online PowerShell module):\r\nGet-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers\r\nIdentify malicious OAuth apps using anomaly detection policies. Detect malicious OAuth apps that make\r\nsensitive Exchange Online administrative activities through App governance. 
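As an added example (not from the Microsoft post), the audit steps above can be expressed as one check over a constructed audit trail: Entra ID-style audit events for user creation, app creation, consent and app role assignment, plus one Exchange Online role assignment as it would appear in the admin audit log. The application names, account names and timestamps are hypothetical. The check flags the permissions this section names (full_access_as_app and EWS.AccessAsUser.All), any other app-only permission for scope review, ApplicationImpersonation assignments, and consent granted by an account created shortly beforehand, which is the pattern described earlier where the actor created a new user to consent to their own applications.

```python
from datetime import datetime, timedelta

# Permissions the guidance singles out. full_access_as_app is an app-only
# (application) permission on the Office 365 Exchange Online resource;
# EWS.AccessAsUser.All is the delegated counterpart. ApplicationImpersonation
# is an Exchange Online management role rather than an OAuth permission.
HIGH_RISK_PERMISSIONS = {'full_access_as_app', 'EWS.AccessAsUser.All'}
HIGH_RISK_ROLES = {'ApplicationImpersonation'}
NEW_ACCOUNT_WINDOW = timedelta(hours=24)   # consent by a freshly created account

# Constructed audit trail (hypothetical names, not real telemetry). Activity
# names follow the Entra ID audit log; the last record mimics an Exchange
# admin audit entry for New-ManagementRoleAssignment.
AUDIT = [
    {'ts': '2024-01-11T21:02:10', 'activity': 'Add user',
     'actor': 'testsvc@corp.example', 'target': 'helper01@corp.example'},
    {'ts': '2024-01-11T21:20:44', 'activity': 'Add application',
     'actor': 'testsvc@corp.example', 'target': 'SyncHelper'},
    {'ts': '2024-01-11T21:31:05', 'activity': 'Consent to application',
     'actor': 'helper01@corp.example', 'target': 'SyncHelper',
     'permission': 'EWS.AccessAsUser.All', 'type': 'Delegated'},
    {'ts': '2024-01-11T21:35:50', 'activity': 'Add app role assignment to service principal',
     'actor': 'legacy-test-app', 'target': 'SyncHelper',
     'permission': 'full_access_as_app', 'type': 'Application'},
    {'ts': '2024-01-12T08:00:00', 'activity': 'Consent to application',
     'actor': 'admin@corp.example', 'target': 'CRM Connector',
     'permission': 'Mail.Read', 'type': 'Application'},
    {'ts': '2024-01-12T08:05:00', 'activity': 'New-ManagementRoleAssignment',
     'actor': 'admin@corp.example', 'target': 'MeetingBot',
     'role': 'ApplicationImpersonation'},
]

def review_oauth_grants(audit):
    # Returns one finding per grant worth a human look, in time order.
    events = sorted(audit, key=lambda e: e['ts'])
    created = {}          # account -> creation time, from Add user records
    findings = []
    for e in events:
        t = datetime.fromisoformat(e['ts'])
        if e['activity'] == 'Add user':
            created[e['target']] = t
            continue
        reasons = []
        perm = e.get('permission')
        role = e.get('role')
        if perm in HIGH_RISK_PERMISSIONS:
            reasons.append('grants ' + perm)
        elif perm and e.get('type') == 'Application':
            reasons.append('app-only permission ' + perm + ' (confirm scope is needed)')
        if role in HIGH_RISK_ROLES:
            reasons.append('assigns Exchange role ' + role)
        born = created.get(e['actor'])
        fresh = born is not None and t - born <= NEW_ACCOUNT_WINDOW
        if fresh:
            reasons.append('actor account created ' + str(t - born) + ' before this grant')
        if not reasons:
            continue
        high = perm in HIGH_RISK_PERMISSIONS or role in HIGH_RISK_ROLES or fresh
        findings.append({
            'ts': e['ts'],
            'app': e['target'],
            'actor': e['actor'],
            'severity': 'high' if high else 'review',
            'reasons': reasons,
        })
    return findings

if __name__ == '__main__':
    for f in review_oauth_grants(AUDIT):
        print(f['severity'].upper(), f['ts'], f['app'], f['actor'], '; '.join(f['reasons']))
```

On the sample the check raises four findings: two high-severity grants to SyncHelper (the delegated EWS permission consented to by an account created 29 minutes earlier, and full_access_as_app assigned by the legacy test app), one review item for the app-only Mail.Read grant, and one high-severity ApplicationImpersonation assignment. Against a real tenant the same logic would consume exported Entra ID audit logs and the output of Get-ManagementRoleAssignment, and the new-account correlation is what turns a routine consent event into something worth paging on.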
Investigate and remediate\r\nany risky OAuth apps.\r\nImplement conditional access app control for users connecting from unmanaged devices.\r\nMidnight Blizzard has also been known to abuse OAuth applications in past attacks against other\r\norganizations using the EWS.AccessAsUser.All delegated permission (granted on the Office 365 Exchange Online resource, not on Microsoft Graph) or the Exchange Online\r\nApplicationImpersonation role to enable access to email. Defenders should review any applications that\r\nhold EWS.AccessAsUser.All or full_access_as_app permissions and understand whether they are\r\nstill required in your tenant. If they are no longer required, they should be removed.\r\nIf you require applications to access mailboxes, granular and scalable access can be implemented using\r\nrole-based access control for applications in Exchange Online. This access model ensures applications are\r\nonly granted access to the specific mailboxes required.\r\nProtect against password spray attacks\r\nEliminate insecure passwords.\r\nEducate users to review sign-in activity and mark suspicious sign-in attempts as “This wasn’t me”.\r\nReset account passwords for any accounts targeted during a password spray attack. 
If a targeted account\r\nhad system-level permissions, further investigation may be warranted.\r\nDetect, investigate, and remediate identity-based attacks using solutions like Microsoft Entra ID Protection.\r\nInvestigate compromised accounts using Microsoft Purview Audit (Premium).\r\nEnforce on-premises Microsoft Entra Password Protection for Microsoft Active Directory Domain\r\nServices.\r\nUse risk detections for user sign-ins to trigger multifactor authentication or password changes.\r\nInvestigate any possible password spray activity using the password spray investigation playbook.\r\nDetection and hunting guidance\r\nBy reviewing Exchange Web Services (EWS) activity, combined with our extensive knowledge of Midnight\r\nBlizzard, we were able to identify these attacks in log data. We are sharing some of the same hunting\r\nmethodologies here to help other defenders detect and investigate similar attack tactics and techniques, if\r\nleveraged against their organizations. The audit logging that Microsoft investigators used to discover this activity\r\nwas also made available to a broader set of Microsoft customers last year.\r\nIdentity alerts and protection\r\nMicrosoft Entra ID Protection has several relevant detections that help organizations identify these techniques or\r\nadditional activity that may indicate anomalous activity that needs to be investigated. The use of residential proxy\r\nnetwork infrastructure by threat actors is generally more likely to generate Microsoft Entra ID Protection alerts\r\ndue to inconsistencies in patterns of user behavior compared to legitimate activity (such as location, diversity of IP\r\naddresses, etc.) 
that may be beyond the control of the threat actor.\r\nThe following Microsoft Entra ID Protection alerts can help indicate threat activity associated with this attack:\r\nUnfamiliar sign-in properties – This alert flags sign-ins from networks, devices, and locations that are\r\nunfamiliar to the user.\r\nPassword spray – A password spray attack is where multiple usernames are attacked using common\r\npasswords in a unified brute force manner to gain unauthorized access. This risk detection is triggered\r\nwhen a password spray attack has been successfully performed, that is, the attacker has successfully\r\nauthenticated to at least one of the sprayed accounts in the detected instance.\r\nThreat intelligence – This alert indicates user activity that is unusual for the user or consistent with known\r\nattack patterns. This detection is based on Microsoft’s internal and external threat intelligence sources.\r\nSuspicious sign-ins (workload identities) – This alert indicates sign-in properties or patterns that are\r\nunusual for the related service principal.\r\nXDR and SIEM alerts and protection\r\nOnce an actor decides to use OAuth applications in their attack, a variety of follow-on activities can be identified\r\nin alerts to help organizations identify and investigate suspicious activity.\r\nThe following built-in Microsoft Defender for Cloud Apps alerts are automatically triggered and can help indicate\r\nassociated threat activity:\r\nApp with application-only permissions accessing numerous emails – A multi-tenant cloud app with\r\napplication-only permissions showed a significant increase in calls to the Exchange Web Services API\r\nspecific to email enumeration and collection. 
The app might be involved in accessing and retrieving\r\nsensitive email data.\r\nIncrease in app API calls to EWS after a credential update – This detection generates alerts for non-Microsoft OAuth apps where the app shows a significant increase in calls to the Exchange Web Services API\r\nwithin a few days after its certificates/secrets are updated or new credentials are added.\r\nIncrease in app API calls to EWS – This detection generates alerts for non-Microsoft OAuth apps that\r\nexhibit a significant increase in calls to the Exchange Web Services API. This app might be involved in data\r\nexfiltration or other attempts to access and retrieve data.\r\nApp metadata associated with suspicious mail-related activity – This detection generates alerts for non-Microsoft OAuth apps with metadata, such as name, URL, or publisher, that had previously been observed\r\nin apps with suspicious mail-related activity. This app might be part of an attack campaign and might be\r\ninvolved in exfiltration of sensitive information.\r\nSuspicious user created an OAuth app that accessed mailbox items – A user who previously signed in\r\nto a medium- or high-risk session created an OAuth application that was used to access a mailbox using a\r\nsync operation or multiple email messages using a bind operation. An attacker might have compromised a\r\nuser account to gain access to organizational resources for further attacks.\r\nThe following Microsoft Defender XDR alert can indicate associated activity:\r\nSuspicious user created an OAuth app that accessed mailbox items – A user who previously signed in\r\nto a medium- or high-risk session created an OAuth application that was used to access a mailbox using a\r\nsync operation or multiple email messages using a bind operation. 
An attacker might have compromised a\r\nuser account to gain access to organizational resources for further attacks.\r\nFebruary 5, 2024 update: A query that was not working for all customers has been removed.\r\nMicrosoft Defender XDR customers can run the following query to find related activity in their networks:\r\nFind MailItemsAccessed or SaaS actions performed by a labeled password spray IP\r\nlet startTime = ago(30d);   // adjust both bounds to the window under investigation\r\nlet endTime = now();\r\nCloudAppEvents\r\n| where Timestamp between (startTime .. endTime)\r\n| where isnotempty(IPTags) and not(IPTags has_any('Azure','Internal Network IP','branch office'))\r\n| where IPTags has_any (\"Brute force attacker\", \"Password spray attacker\", \"malicious\", \"Possible Hackers\")\r\nMicrosoft Sentinel customers can use the following analytic rules to find related activity in their network.\r\nPassword spray attempts – This query helps identify evidence of password spray activity against Microsoft\r\nEntra ID applications.\r\nOAuth application being granted full_access_as_app permission – This detection looks for the\r\nfull_access_as_app permission being granted to an OAuth application with Admin Consent. This\r\npermission provides access to Exchange mailboxes via the EWS API and could be exploited to access\r\nsensitive data. The application granted this permission should be reviewed to ensure that it is necessary for\r\nthe application’s function.\r\nAddition of service principal/user with elevated permissions – This rule looks for a service principal being\r\ngranted permissions that could be used to add a Microsoft Entra ID object or user account to an Admin\r\ndirectory role.\r\nOffline access via OAuth for previously unknown Azure application – This rule alerts when a user consents\r\nto provide a previously unknown Azure application with offline access via OAuth. 
Offline access (the offline_access scope) gives the\r\nAzure app a refresh token, so it can keep obtaining new access tokens for the consented resources without the user signing in again or re-satisfying MFA. Consent to\r\napplications with offline access should generally be rare.\r\nMicrosoft Sentinel customers can also use this hunting query:\r\nOAuth apps reading mail both via GraphAPI and directly – This query returns OAuth Applications that\r\naccess mail both directly and via Graph, allowing review of whether such dual access methods follow\r\nexpected user patterns.\r\nLearn more\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat\r\nIntelligence Blog: https://aka.ms/threatintelblog.\r\nMicrosoft customers can use the following reports in Microsoft Defender Threat Intelligence to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports\r\nprovide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to\r\nassociated threats found in customer environments:\r\nMidnight Blizzard\r\nMidnight Blizzard credential attacks\r\nThreat overview: Cloud identity abuse\r\nTechniques profile: Password spray attacks\r\nFebruary 13, 2024 minor update: Updated guidance in “Defend against malicious OAuth applications”\r\nsection with clearer wording and links to additional resources.\r\nSource: https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/"
	],
	"report_names": [
		"midnight-blizzard-guidance-for-responders-on-nation-state-attack"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434280,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/53b2b846070b388eab9c55729d4b17ad3dbb18a6.pdf",
		"text": "https://archive.orkl.eu/53b2b846070b388eab9c55729d4b17ad3dbb18a6.txt",
		"img": "https://archive.orkl.eu/53b2b846070b388eab9c55729d4b17ad3dbb18a6.jpg"
	}
}