{
	"id": "c3870104-acf8-416c-b836-a603583fdb6f",
	"created_at": "2026-04-06T00:22:22.855047Z",
	"updated_at": "2026-04-10T03:37:33.064443Z",
	"deleted_at": null,
	"sha1_hash": "5659619b839797858dbb2db7245c62a46bd6897d",
	"title": "Monthly news - July 2023",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71493,
	"plain_text": "Monthly news - July 2023\r\nBy HeikeRitter\r\nPublished: 2023-06-30 · Archived: 2026-04-05 16:27:05 UTC\r\nBlog Post\r\nMicrosoft Defender XDR Blog\r\n8 MIN READ\r\nMicrosoft 365 Defender\r\nMonthly news\r\nJuly 2023 Edition\r\nThis is our monthly \"What's new\" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from June 2023.\r\nLegend (icon key): Product videos; Webcast (recordings); Docs on Microsoft; Blogs on Microsoft; GitHub; External; Product improvements; Previews / Announcements\r\nMicrosoft 365 Defender\r\nPrevent repeat attacks with threat-informed security posture recommendations. Microsoft 365 Defender now makes it easy for security operations (SOC) teams to identify and prioritize the right controls with the general availability of threat-informed security posture recommendations.\r\nShare your feedback on Microsoft 365 Defender via the new feedback portal. We’re excited to announce that Microsoft 365 Defender is now part of the new community feedback experience, and our customers now have a dedicated platform to submit their suggestions and feature requests for our security products.\r\nhttps://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/monthly-news-july-2023/ba-p/3860740\r\nPage 1 of 6\r\nNinja Show Season 4 recap! In this season we had a special mini-series on incident response, with lots of demos on how to investigate incidents following playbooks. Check out this summary and let us know your favorite topic from this season or what you’re looking forward to next!\r\nMicrosoft Defender for Endpoint\r\nForcibly releasing devices from isolation is now available for public preview. This new capability allows you to forcibly release devices from isolation when isolated devices become unresponsive. For more information, see Take response actions on a device in Microsoft Defender for Endpoint.\r\nNew Monthly security summary. Gain insights into an organization’s security posture and performance, and visualize the team’s effort in managing the environment.\r\nMicrosoft Defender for Cloud Apps\r\nApp governance is now included as part of the Defender for Cloud Apps licenses and no longer requires an add-on license. In the Microsoft 365 Defender portal, go to Settings \u003e Cloud apps \u003e App governance \u003e Service status to either enable app governance if available, or sign up for the waitlist.\r\nWebinar: App Governance Inclusion in Defender for Cloud Apps Overview.\r\nSafeguarding your OAuth apps with App Governance. Learn why App Governance is the essential layer of defence to protect your OAuth apps. Learn how to enable it and start using it in a couple of steps.\r\nDefender for Cloud Apps Operational Guide is ready to download for your SOC and security teams to help with planning and performing security activities.\r\nUpdate Defender for Cloud Apps IP addresses for reverse proxy infrastructure. We recently completed infrastructure enhancements which resulted in new IPs that need to be added for the Defender for Cloud Apps proxy infrastructure. We recommend that customers review the network list for the proxy and ensure these have been updated in their environments.\r\nEnhanced hunting experience for OAuth app activities. App governance now makes it easy for you to take hunting with app data to the next level by providing deeper OAuth app insights, helping your SOC identify an app’s activities and the resources it has accessed.\r\nOAuth app insights include:\r\nOut-of-the-box queries that help to streamline the investigation\r\nVisibility into the data using the results view\r\nThe ability to include OAuth app data such as resource, app, user, and app activity details in custom detections.\r\nFor more information, see Hunt for threats in app activities.\r\nApp hygiene update with Microsoft Entra. Starting June 1, 2023, management of unused apps, unused credentials, and expiring credentials will only be available to app governance customers with Microsoft Entra Workload Identities Premium. See Secure apps with app hygiene features and What are workload identities?.\r\nMicrosoft Defender for Identity\r\nAdvanced hunting with an enhanced IdentityInfo table. For tenants with Defender for Identity deployed, the Microsoft 365 IdentityInfo advanced hunting table now includes more attributes per identity, as well as identities detected by the Defender for Identity sensor from your on-premises environment. For more information, see the Microsoft 365 Defender advanced hunting documentation.\r\nWebinar recording: Become an Advisor to Our Product Engineering Team. The Defender for Identity product engineering team is excited to share a program for customers to become trusted advisors and impact our feature planning. Engage directly with the engineering team, learn what's coming, test out private previews, and share your experiences and recommendations. Microsoft uses the program to put the customer at the center of product development and, ultimately, help us better secure your organization and your customers.\r\nMicrosoft Defender for IoT\r\nOn June 1, 2023, Microsoft Defender for IoT moved to site-based licensing for organizations looking to protect their operational technology (OT) environments. The previous Azure consumption model for this solution will no longer be available for purchase by new customers. Existing customers can choose to transition to site-based licensing or remain on the consumption model.\r\nIoT devices and Linux-based systems targeted by OpenSSH trojan campaign. Microsoft has uncovered an attack leveraging custom and open-source tools to target internet-facing IoT devices and Linux-based systems. The attack involves deploying a patched version of OpenSSH on affected devices to allow root login and the hijack of SSH credentials.\r\nMicrosoft Defender for Business\r\nStreaming API for Defender for Business customers is now in public preview! We are delighted to announce that Microsoft Defender for Business now supports streaming events through Advanced Hunting! This means that Defender for Business customers can stream the data to Event Hubs, Azure, or local storage.\r\nBlogs on Microsoft Security\r\nDetecting and mitigating a multi-stage AiTM phishing and BEC campaign. Microsoft Defender Experts observed a multi-stage adversary-in-the-middle (AiTM) and business email compromise (BEC) attack targeting banking and financial services organizations over two days. This attack originated from a compromised trusted vendor, involved AiTM and BEC attacks across multiple supplier/partner organizations for financial fraud, and did not use a reverse proxy like typical AiTM attacks.\r\nCadet Blizzard emerges as a novel and distinct Russian threat actor. Microsoft attributes several campaigns to a distinct Russian state-sponsored threat actor tracked as Cadet Blizzard (DEV-0586), including the WhisperGate destructive attack, Ukrainian website defacements, and the hack-and-leak front “Free Civilian”.\r\nMicrosoft 365 Defender Threat Analytics reports (Portal access needed)\r\nDetecting and mitigating a multi-stage AiTM phishing and BEC campaign. In April 2023 Microsoft Defender Experts uncovered a multi-stage adversary-in-the-middle (AiTM) phishing and business email compromise (BEC) attack against banking and financial services organizations. The attack originated from a compromised trusted vendor and showcases the complexity of AiTM and BEC threats which abuse trusted relationships between vendors, suppliers, and other partner organizations with the intent of financial fraud.\r\nTechnique profile: Antivirus tampering. One of the first steps many attackers take after the initial compromise of an organization is to identify and tamper with security solutions. By disabling or otherwise tampering with defenses, attackers gain time to install malicious tools, exfiltrate data for espionage or extortion, and potentially launch destructive attacks like ransomware.\r\nVulnerability profile: MOVEit Transfer zero-day exploitation (CVE-2023-34362). On May 31, 2023, Progress Software Corporation disclosed a critical SQL injection vulnerability (CVE-2023-34362) in their MOVEit Transfer application that could lead to unauthenticated access to the underlying database. Microsoft has observed active exploitation of the MOVEit Transfer vulnerabilities as early as May 27, 2023.\r\nMediaArena potentially unwanted application detection surge. Microsoft observed an increasing number of detections for a new family of unwanted applications named MediaArena, a highly prevalent family of browser modifier applications that bypass a browser's supported extensibility model to change Microsoft Edge's default search provider.\r\nActor profile: Lace Tempest ransomware and extortion group. Lace Tempest (DEV-0950) is a cybercriminal group known to conduct ransomware operations. They target organizations across a diverse array of industries and have traditionally used phishing campaigns and exploited public-facing Serv-U FTP server vulnerabilities to obtain initial access. Recently, Microsoft observed activity originating from Raspberry Robin worm infections attributed to Lace Tempest.\r\nActivity profile: Peach Sandstorm uses sophisticated TTPs in a new campaign. Microsoft observed a resurgence of activity attributed to Peach Sandstorm, an Iran-based nation state actor. While the majority of activity Microsoft saw in this campaign can be characterized as reconnaissance, in March 2023, Microsoft identified a successful intrusion where Peach Sandstorm used a GoldenSAML attack to ultimately exfiltrate data from a compromised organization.\r\nActor profile: Cadet Blizzard. Cadet Blizzard (DEV-0586) is a Russian GRU-sponsored threat group that Microsoft began tracking following disruptive and destructive events occurring at multiple government agencies in Ukraine in mid-January 2022. Primary targeted sectors include government organizations and information technology providers in Ukraine, although organizations in Europe and Latin America have also been targeted.\r\nActor profile: Storm-0288 leverages handoffs from multiple actors to deploy ransomware. Storm-0288 (DEV-0288) is a financially motivated cybercrime group known to use the malware families PUNCHBUGGY, BadHatch, and White Rabbit, among others. Identified operations have focused on point-of-sale compromise, data exfiltration, extortion, and ransomware deployment.\r\nActor profile: Storm-0396 operates LockBit ransomware as a service. Storm-0396 (DEV-0396) is a cybercriminal group known as the likely operators of LockBit ransomware as a service (RaaS). They manage the LockBit RaaS offerings, including LockBit 2.0, LockBit Black (aka LockBit 3.0), the recently discovered variant LockBit Green, and an ESXi variant to encrypt Linux servers. LockBit RaaS is one of the most prominent RaaS models and has historically impacted numerous organizations worldwide.\r\nActivity profile: Storm-1359 launches distributed denial of service attacks. Microsoft has attributed distributed denial of service (DDoS) attacks in early June 2023 to the threat actor tracked as Storm-1359. These attacks against multiple Microsoft cloud services, including Microsoft 365 and Azure, likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools.\r\nActor profile: Storm-0201. Storm-0201 (DEV-0201) is a criminal group that focuses on the development and distribution of the Emotet malware. They are known to primarily target organizations in opportunistic email attacks worldwide, and prior Storm-0201 infections have led to ransomware. Storm-0201 is tracked by other security companies as Mummy Spider and TA542.\r\nActivity profile: Midnight Blizzard credential attacks. Since at least March 2023, Microsoft Threat Intelligence detected an increase in credential attacks and initial access operations utilizing residential proxy services conducted by the threat actor that Microsoft tracks as Midnight Blizzard. The credential attacks use a variety of password spray, brute force, and token theft techniques to gain access to target environments.\r\nIoT devices and Linux-based systems targeted by OpenSSH trojan campaign. Microsoft researchers have recently discovered an attack leveraging custom and open-source tools to target internet-facing Linux-based systems and IoT devices. The attack uses a patched version of OpenSSH to take control of impacted devices and install cryptomining malware.\r\nTool profile: Greatness adversary-in-the-middle phishing-as-a-service platform. Greatness is a phishing-as-a-service (PhaaS) platform with adversary-in-the-middle (AiTM) capabilities that has been active since mid-2022 and is attributed to the threat actor that Microsoft tracks as Storm-1295 (DEV-1295).\r\nUpdated Oct 29, 2024\r\nVersion 6.0\r\nSource: https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/monthly-news-july-2023/ba-p/3860740",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/monthly-news-july-2023/ba-p/3860740"
	],
	"report_names": [
		"3860740"
	],
	"threat_actors": [
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c61fb5f8-fcd6-43e8-8b2d-4e81541589f7",
			"created_at": "2023-11-14T02:00:07.071699Z",
			"updated_at": "2026-04-10T02:00:03.440831Z",
			"deleted_at": null,
			"main_name": "DEV-0950",
			"aliases": [
				"Lace Tempest"
			],
			"source_name": "MISPGALAXY:DEV-0950",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cf33fe2d-c33d-4c96-a799-07bed1798684",
			"created_at": "2024-02-02T02:00:04.053437Z",
			"updated_at": "2026-04-10T02:00:03.543365Z",
			"deleted_at": null,
			"main_name": "Storm-1295",
			"aliases": [
				"DEV-1295"
			],
			"source_name": "MISPGALAXY:Storm-1295",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eecf54a2-2deb-41e5-9857-fed94a53f858",
			"created_at": "2023-01-06T13:46:39.349959Z",
			"updated_at": "2026-04-10T02:00:03.296196Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Bleeding Bear",
				"Cadet Blizzard",
				"Nascent Ursa",
				"Nodaria",
				"Storm-0587",
				"DEV-0587",
				"Saint Bear",
				"EMBER BEAR",
				"UNC2589",
				"TA471",
				"UAC-0056",
				"FROZENVISTA",
				"Lorec53",
				"Lorec Bear"
			],
			"source_name": "MISPGALAXY:SaintBear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c28760b2-5ec6-42ad-852f-be00372a7ce4",
			"created_at": "2022-10-27T08:27:13.172734Z",
			"updated_at": "2026-04-10T02:00:05.279557Z",
			"deleted_at": null,
			"main_name": "Ember Bear",
			"aliases": [
				"Ember Bear",
				"UNC2589",
				"Bleeding Bear",
				"DEV-0586",
				"Cadet Blizzard",
				"Frozenvista",
				"UAC-0056"
			],
			"source_name": "MITRE:Ember Bear",
			"tools": [
				"P.A.S. Webshell",
				"CrackMapExec",
				"ngrok",
				"reGeorg",
				"WhisperGate",
				"Saint Bot",
				"PsExec",
				"Rclone",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b938e2e3-3d1b-4b35-a031-ddf25b912557",
			"created_at": "2022-10-25T16:07:23.35582Z",
			"updated_at": "2026-04-10T02:00:04.55531Z",
			"deleted_at": null,
			"main_name": "APT 33",
			"aliases": [
				"APT 33",
				"ATK 35",
				"Cobalt Trinity",
				"Curious Serpens",
				"Elfin",
				"G0064",
				"Holmium",
				"Magnallium",
				"Peach Sandstorm",
				"Refined Kitten",
				"TA451",
				"Yellow Orc"
			],
			"source_name": "ETDA:APT 33",
			"tools": [
				"Atros2.CKPN",
				"AutoIt backdoor",
				"Breut",
				"CinaRAT",
				"DROPSHOT",
				"DarkComet",
				"DarkKomet",
				"DistTrack",
				"EmPyre",
				"EmpireProject",
				"FYNLOS",
				"FalseFont",
				"Filerase",
				"Fynloski",
				"JuicyPotato",
				"Krademok",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Mimikatz",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Notestuk",
				"POWERTON",
				"PoshC2",
				"PowerBand",
				"PowerShell Empire",
				"PowerSploit",
				"PsList",
				"Pupy",
				"PupyRAT",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"SHAPESHIFT",
				"Shamoon",
				"Socmer",
				"StoneDrill",
				"TURNEDUP",
				"Tickler",
				"Yggdrasil",
				"Zurten",
				"klovbot",
				"pupy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fc80a724-e567-457c-82bb-70147435e129",
			"created_at": "2022-10-25T16:07:23.624289Z",
			"updated_at": "2026-04-10T02:00:04.691643Z",
			"deleted_at": null,
			"main_name": "FIN8",
			"aliases": [
				"ATK 113",
				"G0061",
				"Storm-0288",
				"Syssphinx"
			],
			"source_name": "ETDA:FIN8",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BadHatch",
				"BlackCat",
				"Noberus",
				"PSVC",
				"PUNCHTRACK",
				"PoSlurp",
				"Powersniff",
				"PunchBuggy",
				"Ragnar Loader",
				"Ragnar Locker",
				"RagnarLocker",
				"Sardonic",
				"ShellTea"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bdbf873a-048d-4c5d-9d92-922327cc83a8",
			"created_at": "2023-01-06T13:46:39.387696Z",
			"updated_at": "2026-04-10T02:00:03.310459Z",
			"deleted_at": null,
			"main_name": "DEV-0586",
			"aliases": [
				"Ruinous Ursa",
				"Cadet Blizzard"
			],
			"source_name": "MISPGALAXY:DEV-0586",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "025b7171-98f8-4391-adc2-66333629c715",
			"created_at": "2023-06-23T02:04:34.120175Z",
			"updated_at": "2026-04-10T02:00:04.599019Z",
			"deleted_at": null,
			"main_name": "Cadet Blizzard",
			"aliases": [
				"DEV-0586",
				"Operation Bleeding Bear",
				"Ruinous Ursa"
			],
			"source_name": "ETDA:Cadet Blizzard",
			"tools": [
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"P0wnyshell",
				"PAYWIPE",
				"Ponyshell",
				"Pownyshell",
				"WhisperGate",
				"WhisperKill",
				"netcat",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434942,
	"ts_updated_at": 1775792253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5659619b839797858dbb2db7245c62a46bd6897d.pdf",
		"text": "https://archive.orkl.eu/5659619b839797858dbb2db7245c62a46bd6897d.txt",
		"img": "https://archive.orkl.eu/5659619b839797858dbb2db7245c62a46bd6897d.jpg"
	}
}