{ "id": "331e0ef2-b301-4dca-935c-bf51517056fd", "created_at": "2026-04-06T00:11:07.272679Z", "updated_at": "2026-04-10T03:32:22.195744Z", "deleted_at": null, "sha1_hash": "541cc9ef5b89ba58c58280febae81b6cca08e61e", "title": "GHAMBAR (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 38350, "plain_text": "GHAMBAR (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 14:36:23 UTC\r\nwin.ghambar (Back to overview)\r\nGHAMBAR\r\nAccording to Mandiant, GHAMBAR is a remote administration tool (RAT) that communicates with its C2 server\r\nusing SOAP requests over HTTP. Its capabilities include filesystem manipulation, file upload and download, shell\r\ncommand execution, keylogging, screen capture, clipboard monitoring, and additional plugin execution.\r\nReferences\r\n2022-12-12 ⋅ SOCRadar ⋅ SOCRadar\r\nDark Web Profile: APT42 – Iranian Cyber Espionage Group\r\nPINEFLOWER VINETHORN VBREVSHELL BROKEYOLK CHAIRSMACK DOSTEALER GHAMBAR\r\nSILENTUPLOADER TAG-56\r\n2022-09-07 ⋅ Mandiant ⋅ Mandiant Intelligence\r\nAPT42: Crooked Charms, Cons and Compromises\r\nPINEFLOWER VINETHORN VBREVSHELL BROKEYOLK DOSTEALER GHAMBAR\r\nSILENTUPLOADER\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.ghambar\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.ghambar\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.ghambar" ], "report_names": [ "win.ghambar" ], "threat_actors": [ { "id": "1d2ac189-a99e-4e16-84c0-e06df96e688c", "created_at": "2023-11-14T02:00:07.086528Z", "updated_at": "2026-04-10T02:00:03.446956Z", "deleted_at": null, "main_name": "TAG-56", "aliases": [], "source_name": "MISPGALAXY:TAG-56", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d0e8337e-16a7-48f2-90cf-8fd09a7198d1", "created_at": "2023-03-04T02:01:54.091301Z", "updated_at": "2026-04-10T02:00:03.356317Z", "deleted_at": null, "main_name": "APT42", "aliases": [ "UNC788", "CALANQUE" ], "source_name": "MISPGALAXY:APT42", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03", "created_at": "2025-08-07T02:03:24.746965Z", "updated_at": "2026-04-10T02:00:03.640335Z", "deleted_at": null, "main_name": "COBALT ILLUSION", "aliases": [ "APT35 ", "APT42 ", "Agent Serpens Palo Alto", "Charming Kitten ", "CharmingCypress ", "Educated Manticore Checkpoint", "ITG18 ", "Magic Hound ", "Mint Sandstorm sub-group ", "NewsBeef ", "Newscaster ", "PHOSPHORUS sub-group ", "TA453 ", "UNC788 ", "Yellow Garuda " ], "source_name": "Secureworks:COBALT ILLUSION", "tools": [ "Browser Exploitation Framework (BeEF)", "MagicHound Toolset", "PupyRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "0b212c43-009a-4205-a1f7-545c5e4cfdf8", "created_at": "2025-04-23T02:00:55.275208Z", "updated_at": "2026-04-10T02:00:05.270553Z", "deleted_at": null, "main_name": "APT42", "aliases": [ "APT42" ], "source_name": "MITRE:APT42", "tools": [ "NICECURL", "TAMECAT" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434267, "ts_updated_at": 1775791942, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/541cc9ef5b89ba58c58280febae81b6cca08e61e.pdf", "text": "https://archive.orkl.eu/541cc9ef5b89ba58c58280febae81b6cca08e61e.txt", "img": "https://archive.orkl.eu/541cc9ef5b89ba58c58280febae81b6cca08e61e.jpg" } }