{
	"id": "919f0eca-b6e5-4259-b674-48867b3b7c99",
	"created_at": "2026-04-06T00:20:05.619271Z",
	"updated_at": "2026-04-10T13:13:02.110447Z",
	"deleted_at": null,
	"sha1_hash": "590c0d0cc9faf17bd33b139256b7ab3fb523f096",
	"title": "10 years of virtual dynamite: A high-level retrospective of ATM malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 902641,
	"plain_text": "10 years of virtual dynamite: A high-level retrospective of ATM\r\nmalware\r\nBy Vanja Svajcer\r\nPublished: 2019-05-30 · Archived: 2026-04-05 19:47:23 UTC\r\nThursday, May 30, 2019 10:19\r\nExecutive summary\r\nIt has been 10 years since the discovery of Skimer, the first malware specifically designed to attack automated\r\nteller machines (ATMs). At the time, the learning curve for understanding its functionality was rather steep and\r\nanalysis required specific knowledge of a manufacturer's ATM API functions and parameters, which were not\r\npublicly documented.\r\nBefore the discovery of Skimer, anti-malware researchers considered ATMs secure machines containing\r\nproprietary hardware, running non-standard operating systems, and implementing a number of advanced\r\nprotection techniques designed to prevent attacks using malicious code. Researchers eventually discovered that the\r\nmost popular ATM manufacturers use a standard Windows operating system and add on some auxiliary devices,\r\nsuch as a safe and card reader.\r\nOver time, actors behind some of the newer ATM malware families such as GreenDispenser and Tyupkin realized\r\nthat there is a generic Windows extension for Financial Services API (CEN/XFS) that can be used to make\r\nmalware that runs independently of the underlying hardware platform, as long as the ATM manufacturer supports\r\nthe framework. This malware can trick the machines into dispensing cash, regardless of whether the attacker has a\r\nlegitimate bank card.\r\nATM malware has evolved to include a number of different families and different actors behind them, ranging\r\nfrom criminal groups to actors affiliated with nation states. 
The significance of ATM malware stems from the fact\r\nthat it can bring significant financial benefits to attackers and as a consequence cause a significant damage to\r\ntargeted banks, financial institutions and end users.\r\nNow that this type of malware has been around for more than 10 years, we wanted to round up the specific\r\nfamilies we've seen during that time and attempt to find out if the different families share any code.\r\nATM malware overview\r\nSignificance\r\nATM malware provided criminals with a subtler alternative to physically breaking into the safe built into the\r\nATM. Before the appearance of ATM malware, criminals typically had to employ traditional ways of robbing\r\nhttps://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html\r\nPage 1 of 18\n\nATMs, often pulling the physical device out of the ground or blowing it to pieces with dynamite. Obviously, these\r\nmethods would quickly draw the attention of law enforcement and passersby.\r\nOver the past 10 years, we have seen a steady increase in the number of ATM malware samples discovered. Still,\r\nthe number of discovered samples is very small compared to almost any other malware category.\r\nNumber of ATM malware samples discovered year over year based on the year of first submission to VirusTotal.\r\nAs a digital substitute for dynamite, ATM malware allows criminals to employ money mules and instruct them\r\nhow to dispense money from targeted ATMs. 
Typically, it happens by supplying a special authorisation code or\r\ncard created to authorise the transaction.\r\nBefore that, criminals had to infect the targeted ATM to install the code, which more often than not meant that\r\nthey had to physically open the device to access its optical media reading devices or USB ports.\r\nThere have been many reported attacks on various banking organizations throughout the world, but they seem to\r\nbe more prevalent in Latin America and Eastern Europe, where the ATM infrastructure is older and is not\r\nregularly updated with security software or tamper-proof sensors. The damage caused by ATM malware to banks\r\nand individuals is rarely disclosed but it likely reaches millions of dollars a year.\r\nATM malware affects banks and other financial institutions, as well as the reputation of ATM manufacturers and\r\nindividuals and companies whose account details are stolen in ATM malware attacks.\r\nClassification\r\nThere are several different ways we can classify ATM malware families. Based on its functionality, we can\r\nclassify ATM malware into virtual skimmers and cash dispensers. The purpose of skimmers is to steal card and\r\ntransaction details and individual PINs if the encryption keys used by the PIN pad are successfully retrieved.\r\nCash-dispensing malware uses functions to allow for so-called \"jackpotting\" of ATMs where money is dispensed\r\nby attackers without the authorisation from the bank. But there are also malware families that can both steal card details and\r\ndispense cash.\r\nAs far as the installation process is concerned, we again have two major groups. The first one requires the attacker\r\nto physically access the device. 
The second group assumes that the attacker installs malware indirectly, typically\r\nby compromising the internal network of the bank and then targeting ATMs using stolen credentials.\r\nThese types of malware will also either target specific models of ATMs, or will be more generic. Recently, ATM\r\nmalware typically deploys generic functions.\r\nThe most common framework is the CEN/XFS framework, which allows the developers of the ATM applications\r\nto compile and run their code regardless of the ATM model or the manufacturer, but there are others, such as\r\nthe Kalignite framework built on top of XFS.\r\nThe XFS API contains high-level functions for communicating with the various ATM modules such as the cash\r\ndispensing module (CDM), PIN pad (EPP4) or printer. The high-level functions are provided through a generic\r\nSDK, while the lower-level functions, supplied through service providers, are developed by ATM manufacturers.\r\nThe architecture is quite similar to the Win32 architecture where the developers use the high-level API to\r\ncommunicate with the OS kernel and various device drivers provided by the manufacturers of the individual\r\nhardware components.\r\nHigh-level CEN/XFS architecture.\r\nMost ATM malware samples require physical access to the targeted ATM. ATMs are not typically connected to the internet\r\nand communicate with the bank's central systems through specialized lines. However, most of the ATMs are\r\nconnected to internal networks for their maintenance and administration, so the second, smaller group of ATM\r\nmalware may be introduced by compromising the internal network first. This technique requires a higher level of\r\nsophistication but potentially brings higher returns if successful.\r\nSome generic hacking tools, such as Cobalt Strike, have reportedly been used for attacking ATMs and the\r\ntransaction systems. 
This method has been more commonly used by more advanced groups such as Carbanak,\r\nCobalt Gang and Lazarus (Group 77), whose Fastcash attack affects the IBM AIX operating system, which is rarely\r\ntargeted by malware.\r\nNotable ATM malware families and their functionality\r\nOver the past 10 years, we have seen more than 30 different ATM malware families. In this section, we will\r\nbriefly describe some of the more notable ones.\r\nNumber of ATM malware samples per family.\r\nPloutus\r\nPloutus is the malware family with the largest number of discovered samples. The majority of them have been\r\nreported in Mexico. Ploutus is a standard cash-dispensing ATM malware. The attackers need to be able to access\r\nphysical ports or a CD-ROM drive to be able to boot from it and modify the ATM system image to install the\r\nmalware.\r\nAttackers allegedly used newer Ploutus variants to attack some U.S.-based ATMs. Ploutus.D communicates with\r\nthe ATM using the multi-vendor KAL Kalignite framework, which allows it to work with ATMs from different\r\nvendors with minimal changes to its code base.\r\nThe interface of one of the Ploutus variants.\r\nSkimer\r\nSkimer is one of the first ATM malware families, and bears all of the features of well-developed malware. Skimer functions\r\nas a virtual skimming device that attempts to steal bank card numbers and the account and owner details\r\nstored on the magnetic stripe tracks 1 and 2. 
A recent review of its functionality indicates that it may also\r\nattempt to steal users' PINs by retrieving the encrypted PIN pad encryption keys from the system.\r\nApart from the virtual skimming function, Skimer acts as a backdoor to the ATM functionality for its operators —\r\nmoney mules employed to collect stolen data and dispense cash.\r\nMain code loop for servicing Skimer's operators with cash.\r\nIf the user knows the secret code to activate the backdoor, the malware displays a menu, which allows the operator\r\nto empty one of the four cash-dispensing modules (CDMs).\r\nThe code locking the dispenser module and dispensing cash.\r\nMost of the other ATM malware families follow a similar principle. The attackers need to be able to physically\r\naccess the ATM, which requires a key or drilling a hole to access specific ports or devices. Once the malware is\r\ndeployed, the money mules need a specific code to access the menu and dispense cash.\r\nTyupkin (Padpin)\r\nThe most interesting characteristic of Tyupkin is that it has the ability to limit its operation to specific hours and\r\ndays of the week. It was reported that some Tyupkin instances can only be used on Sundays and Mondays at night.\r\nTyupkin function for checking the hours of operation.\r\nBefore dispensing cash, Tyupkin disables any network connections, presumably to prevent administrators from\r\nshutting down the ATM if suspicious activity is detected.\r\nSome members of the Tyupkin family are developed using C# and the .NET framework and some using Microsoft\r\nVisual C++. 
The family uses the XFS API to manage infected ATMs and dispense cash in multiple currencies.\r\nTyupkin has been active since 2014 and the associated gangs reportedly target Eastern European countries.\r\nAlice\r\nAlice follows a similar pattern to other ATM malware. It is installed by attackers and requires physical access to\r\nthe system. When the operator launches it, Alice displays a window requiring a PIN.\r\nFirst Alice screen.\r\nIf the code is correct, Alice will access the dispenser module and allow the operator to retrieve cash.\r\nMain Alice UI window.\r\nCutlet\r\nCutlet, or Cutlet Maker, has been sold as a do-it-yourself ATM malware kit on some underground markets since\r\n2016. The bundle contains detailed instructions in Russian and English on how to infect systems and how to\r\nacquire codes required to dispense cash.\r\nMain Cutlet Maker user interface.\r\nThe Cutlet manual details operational security practices required to avoid being caught by law enforcement\r\nofficers and shows where to drill holes in the ATM enclosure in order to access USB ports of a specific ATM\r\nmodel. The kit also contains a testing application named \"Stimulator\" for users to practice before they decide to\r\nconduct real attacks.\r\nCutlet follows a similar pattern to the previous ATM malware. The owner of the kit has the ability to generate\r\ncodes per ATM required for its operation.\r\nFastcash\r\nThe significance of Fastcash malware is its mode of operation and its targeting of the IBM AIX operating system.\r\nFastcash consists of a process injector and shared objects presumably injected into the process space of\r\ncompromised bank payment authorization systems. 
The malware monitors ISO8583-based transactions using code\r\nfrom a fairly old open-source library for parsing ISO8583 packets.\r\nIf an ATM transaction contains the attackers' codes, the data will not be forwarded to the original payment\r\nauthorisation application, and the transaction approval will be sent back to the target ATM system, allowing\r\nattackers to dispense cash.\r\nThis mode of operation is similar to some rootkits, where malware attempts to hide its presence on the system by\r\nmodifying the responses sent back from the operating system to the application that attempts to list system objects\r\nsuch as files or processes. The returned list is usually modified to remove names of processes that belong to the\r\nmalware.\r\nFastcash has been attributed to the Lazarus Group and it is an example of a nation-state-related actor targeting\r\nfinancial systems for the attacker's financial benefit. Fastcash shows a level of sophistication and knowledge that\r\nis not seen in other, run-of-the-mill, ATM malware.\r\nCode sharing between families\r\nThanks to Xylitol and the ATM Cybercrime tracker, it was easy to retrieve a fairly complete ATM malware data\r\nset, with the addition of the few files connected with the Fastcash campaign.\r\nThe data set contains 121 files and it is well suited for analysis and clustering. Out of the 121 files, 114 are PE\r\nfiles, and those were used for clustering using static analysis techniques. Out of the 114 PE files, 37 were\r\npacked files, which may not be suitable for static analysis techniques, and 20 were DLLs.\r\nWhile investigating various methods for clustering, we stumbled upon an interesting book, \"Malware Data\r\nScience\" by Joshua Saxe and Hillary Sanders. 
This book shows basic and more advanced methods for classifying\r\nand clustering malicious files, and we used some of its ideas to cluster our own set.\r\nIn our case, the clustering was conducted by extracting the following attributes of each sample:\r\nStrings extracted from the file\r\nDisassembled code from the entry point of the file\r\nFile entropy and the presence of a known packer\r\nImported or exported functions\r\nEmbedded resources\r\nAfter collecting the attributes from each sample, the Jaccard distance is calculated for every pair of files in the set.\r\nThe Jaccard index is a measure of similarity between two sets. The more similar the two samples are, the higher\r\ntheir Jaccard index will be. The index is a number between 0 and 1. For example, a Jaccard index of 0.5\r\nindicates 50 percent overlap between the two sets.\r\nClusters with Jaccard index threshold of 0.7.\r\nWe need to set the threshold required for two samples to be connected as a part of a single cluster. The higher the\r\nJaccard threshold we choose, the more related the members of the defined cluster will be. By varying the threshold\r\nwe come to the optimal value for our purpose. For example, for correct classification of samples we should choose\r\na value higher than 0.7, and for code sharing purposes, higher than 0.3.\r\nAs expected, the results show that as we lower the thresholds we see more clusters appear and some of the clusters\r\nshow overlap between distinct ATM malware families.\r\nClusters with Jaccard index threshold of 0.3.\r\nThe width of the lines in the graph shows how strongly the files in the clusters are related. 
For example, we see that\r\nthe members of individual GreenDispenser, Tyupkin or DispCash clusters are very closely related, while mixed\r\nLigsterac/Skimer, Tyupkin/Dispcash and ATMtest/Helloworld clusters show weaker connections that likely\r\nindicate some overlap in the malware code.\r\nProtection and detection best practices\r\nWhen considering protection and detection of attacks with ATM malware, it is important to consider the physical\r\nsecurity of ATMs, the security of software running on the system and the security of any segment of the\r\norganization's network that communicates with ATMs.\r\nHere are 15 best practices that organizations should follow when considering protection of ATM networks and\r\nsuccessful and timely detection of attacks when they happen.\r\nEnsure ATMs and all related systems run up-to-date software and the latest operating system versions with\r\nthe latest security patches applied.\r\nDisable Windows AutoPlay and configure BIOS to disable the ability to boot software from USB sticks\r\nand CD/DVD drives. Set strong BIOS password protection to prevent boot settings from being changed.\r\nDisable access to the Windows desktop at the ATM, and ensure RDP sessions are secured with multiple\r\nauthentication factors such as Duo Authentication for Windows Logon and RDP.\r\nRemove any unused services and applications from the system to reduce the attack surface. Implement\r\nother measures to harden the underlying ATM operating system.\r\nMonitor the operation of ATMs, as well as their physical integrity. 
Look for unusual patterns of resets,\r\ncommunication failures and transaction volume.\r\nImplement strong encryption between the ATM and the host.\r\nEnsure access to the ATM cabinet is restricted to authorized persons and that such access is electronically\r\nlogged.\r\nPerform a security assessment of ATMs, including their physical locations and any networks connecting to\r\nthem.\r\nEnsure that firewalls and anti-malware protection are correctly configured.\r\nConfigure whitelisting solutions or operating system features to allow only known, trusted software to run.\r\nMake sure that whitelisting cannot be disabled without generating a remote log entry.\r\nPrevent unauthorized USB devices from being installed using a device control function.\r\nEducate employees about how they can avoid introducing malware into operational systems.\r\nMaintain a physically and logically segmented network environment throughout the organization using\r\nsegmentation technology such as Cisco TrustSec.\r\nEnsure visibility over network traffic to ATM systems and payment authorisation servers using technology\r\nthat enhances network visibility, such as Cisco Stealthwatch.\r\nMonitor threat intelligence feeds to learn about newly detected ATM malware threats.\r\nConclusion\r\nATM malware is a niche area of attacks, but it potentially brings significant benefits to actors that successfully\r\nmanage to deploy it. Over 10 years since the discovery of the first specialized malicious code targeting the\r\nDiebold Agilis line of ATMs, we have seen over 30 other malware families with varying degrees of sophistication,\r\ncomplexity and success. 
Most of the successful attacks are reported in countries where the ATMs are older, such\r\nas some Latin American countries and Eastern Europe.\r\nWhile the majority of actors behind ATM malware seem to be less sophisticated criminal actors, the potential of\r\nbeing able to dispense large amounts of cash also attracts more sophisticated criminal groups such as Carbanak\r\nand Cobalt Gang, as well as some state-sponsored actors such as Lazarus.\r\nAlthough the number of known malware samples for ATMs has been very low, there has been a steady increase in\r\nthe trendline for the number of discovered samples year over year.\r\nFinancial organizations and banks have to be particularly vigilant when considering protection against malware\r\nfor ATMs and payment systems. Enterprises and individuals may also experience financial loss due to the potential of\r\ntheir card details being used for illegal transactions after being skimmed by ATM malware. Best practices should\r\nbe followed to ensure the highest possible level of protection, and organizations should invest in increasing user\r\nawareness about the dangers of ATM malware.\r\nCoverage\r\nAdditional ways our customers can detect and block these threats are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors. Below is a screenshot showing how AMP can protect customers from this threat. 
Try AMP for free\r\nhere.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source SNORT® Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIOCs\r\nSha256\r\nSource: https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html"
	],
	"report_names": [
		"10-years-of-virtual-dynamite.html"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fdf8d396-bbe4-454c-970a-81c4c3093b27",
			"created_at": "2022-10-25T16:07:23.763387Z",
			"updated_at": "2026-04-10T02:00:04.742186Z",
			"deleted_at": null,
			"main_name": "BeagleBoyz",
			"aliases": [
				"BeagleBoyz",
				"Operation FASTCash"
			],
			"source_name": "ETDA:BeagleBoyz",
			"tools": [
				"Cyruslish",
				"ECCENTRICBANDWAGON",
				"FASTCash",
				"NACHOCHEESE",
				"NachoCheese",
				"PSLogger",
				"TWOPENCE",
				"VIVACIOUSGIFT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "220e1e99-97ab-440a-8027-b672c5c5df44",
			"created_at": "2022-10-25T16:47:55.773407Z",
			"updated_at": "2026-04-10T02:00:03.649501Z",
			"deleted_at": null,
			"main_name": "GOLD KINGSWOOD",
			"aliases": [
				"Cobalt Gang ",
				"Cobalt Spider "
			],
			"source_name": "Secureworks:GOLD KINGSWOOD",
			"tools": [
				"ATMSpitter",
				"Buhtrap",
				"Carbanak",
				"Cobalt Strike",
				"CobtInt",
				"Cyst",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"SpicyOmelette"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "679e335a-38a4-4db9-8fdf-a48c17a1f5e6",
			"created_at": "2023-01-06T13:46:38.820429Z",
			"updated_at": "2026-04-10T02:00:03.112131Z",
			"deleted_at": null,
			"main_name": "FASTCash",
			"aliases": [],
			"source_name": "MISPGALAXY:FASTCash",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434805,
	"ts_updated_at": 1775826782,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/590c0d0cc9faf17bd33b139256b7ab3fb523f096.pdf",
		"text": "https://archive.orkl.eu/590c0d0cc9faf17bd33b139256b7ab3fb523f096.txt",
		"img": "https://archive.orkl.eu/590c0d0cc9faf17bd33b139256b7ab3fb523f096.jpg"
	}
}