{
	"id": "768f167c-704e-493a-b104-b0bc5e33aaf4",
	"created_at": "2026-04-06T01:28:59.339262Z",
	"updated_at": "2026-04-10T03:37:40.65688Z",
	"deleted_at": null,
	"sha1_hash": "59674d9150ba310750b78f25fc56bdcad71fc87a",
	"title": "Agent Tesla (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 324788,
	"plain_text": "Agent Tesla (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-06 00:54:37 UTC\r\nA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log\r\nkeystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has\r\nthe capability to send information back to its C\u0026C via HTTP(S), SMTP, FTP, or towards a Telegram channel.\r\n2026-02-25 ⋅ FortiGuard Labs ⋅ Ariel Davidpur\r\nUnmasking Agent Tesla: A Deep Dive into a Multi-Stage Campaign\r\nAgent Tesla 2025-11-02 ⋅ Symantec ⋅ Broadcom, Symantec\r\nMulti-Stage In-Memory Agent Tesla Campaign Targets LATAM\r\nAgent Tesla 2024-10-16 ⋅ BitSight ⋅ André Tavares\r\nExfiltration over Telegram Bots: Skidding Infostealer Logs\r\n404 Keylogger Agent Tesla 2024-08-01 ⋅ Idan Malihi\r\nDissecting Agent Tesla: Unveiling Threat Vectors and Defense Mechanisms\r\nAgent Tesla 2024-06-06 ⋅ Medium b.magnezi ⋅ 0xMrMagnezi\r\nAgent Tesla Analysis\r\nAgent Tesla 2024-05-14 ⋅ Check Point Research ⋅ Antonis Terefos, Tera0017\r\nFoxit PDF “Flawed Design” Exploitation\r\nRafel RAT Agent Tesla AsyncRAT DCRat DONOT Nanocore RAT NjRAT Pony Remcos Venom RAT XWorm\r\n2024-05-06 ⋅ Cyber-Forensics ⋅ Cyber-Forensics\r\nAgent Tesla Malware Analysis\r\nAgent Tesla 2024-04-15 ⋅ Positive Technologies ⋅ Aleksandr Badaev, Kseniya Naumova\r\nSteganoAmor campaign: TA558 mass-attacking companies and public institutions all around the world\r\nLokiBot 404 Keylogger Agent Tesla CloudEyE Formbook Remcos XWorm 2024-04-02 ⋅ Check Point Research ⋅ Antonis\r\nTerefos, Raman Ladutska\r\nAgent Tesla Targeting United States \u0026 Australia: Revealing the Attackers' Identities\r\nAgent Tesla Bignosa 2024-03-26 ⋅ EchoCTI ⋅ Bilal BAKARTEPE, bixploit\r\nAgent Tesla Technical Analysis Report\r\nAgent Tesla 2024-03-01 ⋅ Ryan Weil ⋅ Ryan Weil\r\nAgent Tesla Analysis [Part 2: Deobfuscation]\r\nAgent Tesla 2024-03-01 ⋅ Logpoint ⋅ Nischal khadgi\r\nA 
Comprehensive Overview on Stealer Malware Families\r\nAgent Tesla Formbook RedLine Stealer Remcos Vidar 2024-02-28 ⋅ Security Intelligence ⋅ Golo Mühr, Ole Villadsen\r\nX-Force data reveals top spam trends, campaigns and senior superlatives in 2023\r\n404 Keylogger Agent Tesla Black Basta DarkGate Formbook IcedID Loki Password Stealer (PWS) Pikabot\r\nQakBot Remcos 2024-02-16 ⋅ Medium b.magnezi ⋅ 0xMrMagnezi\r\nMalware Analysis — AgentTesla\r\nAgent Tesla 2024-02-06 ⋅ Medium osamaellahi ⋅ Osama Ellahi\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla\r\nPage 1 of 9\n\nUnfolding Agent Tesla: The Art of Credentials Harvesting.\r\nAgent Tesla 2024-02-02 ⋅ Stairwell ⋅ Threat Research at Stairwell\r\nProactive response: AnyDesk, any breach\r\nAgent Tesla 2024-01-09 ⋅ BitSight ⋅ André Tavares\r\nData Insights on AgentTesla and OriginLogger Victims\r\nAgent Tesla OriginLogger 2024-01-08 ⋅ YouTube (Embee Research) ⋅ Embee_research\r\nJavascript Malware Analysis - Decoding an AgentTesla Loader\r\nAgent Tesla 2023-12-20 ⋅ ropgadget.com ⋅ Jeff White\r\nThe Origin of OriginLogger \u0026 Agent Tesla\r\nAgent Tesla OriginLogger 2023-10-12 ⋅ Cluster25 ⋅ Cluster25 Threat Intel Team\r\nCVE-2023-38831 Exploited by Pro-Russia Hacking Groups in RU-UA Conflict Zone for Credential Harvesting\r\nOperations\r\nAgent Tesla Crimson RAT Nanocore RAT SmokeLoader 2023-10-01 ⋅ Infinitum IT ⋅ Kerime Gencay\r\nAgent Tesla Technical Analysis Report (Paywall)\r\nAgent Tesla 2023-09-29 ⋅ Intrinsec ⋅ CTI Intrinsec, Intrinsec\r\nOngoing threats targeting the energy industry\r\nAgent Tesla CloudEyE 2023-08-29 ⋅ Viuleeenz ⋅ Alessandro Strino\r\nAgent Tesla - Building an effective decryptor\r\nAgent Tesla 2023-05-07 ⋅ Twitter (@embee_research) ⋅ Matthew\r\nAgentTesla - Full Loader Analysis - Resolving API Hashes Using Conditional Breakpoints\r\nAgent Tesla 2023-04-16 ⋅ OALabs ⋅ Sergei Frankoff\r\nXORStringsNet\r\nAgent Tesla RedLine Stealer 2023-04-10 ⋅ Check Point ⋅ Check 
Point\r\nMarch 2023’s Most Wanted Malware: New Emotet Campaign Bypasses Microsoft Blocks to Distribute Malicious\r\nOneNote Files\r\nAgent Tesla CloudEyE Emotet Formbook Nanocore RAT NjRAT QakBot Remcos Tofsee 2023-04-07 ⋅ Elastic ⋅ Salim\r\nBitam\r\nAttack chain leads to XWORM and AGENTTESLA\r\nAgent Tesla XWorm 2023-03-30 ⋅ loginsoft ⋅ Saharsh Agrawal\r\nFrom Innocence to Malice: The OneNote Malware Campaign Uncovered\r\nAgent Tesla AsyncRAT DOUBLEBACK Emotet Formbook IcedID NetWire RC QakBot Quasar RAT RedLine\r\nStealer XWorm 2023-03-23 ⋅ Logpoint ⋅ Anish Bogati\r\nEmerging Threats: AgentTesla – A Review and Detection Strategies\r\nAgent Tesla 2023-03-16 ⋅ Trend Micro ⋅ Cedric Pernet, Jaromír Hořejší, Loseway Lu\r\nIPFS: A New Data Frontier or a New Cybercriminal Hideout?\r\nAgent Tesla Formbook RedLine Stealer Remcos 2023-01-30 ⋅ Checkpoint ⋅ Arie Olshtein\r\nFollowing the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware\r\nAgent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer\r\n(PWS) Maze NetWire RC Remcos REvil TrickBot 2023-01-16 ⋅ Difesa \u0026 Sicurezza ⋅ Francesco Bussoletti\r\nCybercrime, RFQ from Turkey carries AgentTesla and zgRAT\r\nAgent Tesla zgRAT 2022-12-18 ⋅ SANS ISC ⋅ Guy Bruneau\r\nInfostealer Malware with Double Extension\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla\r\nPage 2 of 9\n\nAgent Tesla 2022-11-21 ⋅ Malwarebytes ⋅ Malwarebytes\r\n2022-11-21 Threat Intel Report\r\n404 Keylogger Agent Tesla Formbook Hive Remcos 2022-11-16 ⋅ splunk ⋅ Splunk Threat Research Team\r\nInside the Mind of a ‘Rat’ - Agent Tesla Detection and Analysis\r\nAgent Tesla 2022-11-09 ⋅ Cisco Talos ⋅ Edmund Brumaghin\r\nThreat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns\r\nAgent Tesla 2022-09-23 ⋅ Kaspersky ⋅ Artem Ushkov, Roman Dedenok\r\nMass email campaign with a pinch of targeted spam\r\nAgent Tesla 2022-09-15 ⋅ Sekoia ⋅ Threat \u0026 
Detection Research Team\r\nPrivateLoader: the loader of the prevalent ruzki PPI service\r\nAgent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT\r\nNymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP\r\nVidar YTStealer 2022-09-13 ⋅ Palo Alto Networks Unit 42 ⋅ Jeff White\r\nOriginLogger: A Look at Agent Tesla’s Successor\r\nAgent Tesla OriginLogger 2022-08-29 ⋅ ⋅ 360 netlab ⋅ wanghao\r\nPureCrypter Loader continues to be active and has spread to more than 10 other families\r\n404 Keylogger Agent Tesla AsyncRAT Formbook RedLine Stealer 2022-08-29 ⋅ 360 netlab ⋅ wanghao\r\nPureCrypter is busy pumping out various malicious malware families\r\nAgent Tesla PureCrypter RedLine Stealer 2022-08-17 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam\r\nDarkTortilla Malware Analysis\r\nAgent Tesla AsyncRAT Cobalt Strike DarkTortilla Nanocore RAT RedLine Stealer 2022-07-30 ⋅ cocomelonc\r\nMalware AV evasion - part 8. 
Encode payload via Z85\r\nAgent Tesla Carbanak Carberp Cardinal RAT Cobalt Strike donut_injector 2022-07-20 ⋅ ⋅ Cert-UA ⋅ Cert-UA\r\nCyberattack on State Organizations of Ukraine using the topic OK \"South\" and the malicious program AgentTesla\r\n(CERT-UA#4987)\r\nAgent Tesla 2022-07-12 ⋅ Team Cymru ⋅ Kyle Krejci\r\nAn Analysis of Infrastructure linked to the Hagga Threat Actor\r\nAgent Tesla 2022-05-19 ⋅ Blackberry ⋅ The BlackBerry Research \u0026 Intelligence Team\r\n.NET Stubs: Sowing the Seeds of Discord\r\nAgent Tesla Quasar RAT WhisperGate 2022-05-19 ⋅ Blackberry ⋅ The BlackBerry Research \u0026 Intelligence Team\r\n.NET Stubs: Sowing the Seeds of Discord (PureCrypter)\r\nAberebot AbstractEmu AdoBot 404 Keylogger Agent Tesla Amadey AsyncRAT Ave Maria BitRAT BluStealer\r\nFormbook LimeRAT Loki Password Stealer (PWS) Nanocore RAT Orcus RAT Quasar RAT Raccoon RedLine\r\nStealer WhisperGate 2022-05-12 ⋅ Palo Alto Networks Unit 42 ⋅ Tyler Halfpop\r\nHarmful Help: Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla\r\nAgent Tesla 2022-05-05 ⋅ Malwarebytes Labs ⋅ Threat Intelligence Team\r\nNigerian Tesla: 419 scammer gone malware distributor unmasked\r\nAgent Tesla 2022-04-20 ⋅ cocomelonc ⋅ cocomelonc\r\nMalware development: persistence - part 1. Registry run keys. 
C++ example.\r\nAgent Tesla Amadey BlackEnergy Cobian RAT COZYDUKE Emotet Empire Downloader Kimsuky 2022-04-15 ⋅\r\nCenter for Internet Security ⋅ CIS\r\nTop 10 Malware March 2022\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla\r\nPage 3 of 9\n\nMirai Shlayer Agent Tesla Ghost RAT Nanocore RAT SectopRAT solarmarker Zeus 2022-04-12 ⋅ Check Point ⋅ Check\r\nPoint Research\r\nMarch 2022’s Most Wanted Malware: Easter Phishing Scams Help Emotet Assert its Dominance\r\nAlien FluBot Agent Tesla Emotet 2022-03-31 ⋅ APNIC ⋅ Debashis Pal\r\nHow to: Detect and prevent common data exfiltration attacks\r\nAgent Tesla DNSMessenger PingBack Rising Sun 2022-03-26 ⋅ forensicitguy ⋅ Tony Lambert\r\nAn AgentTesla Sample Using VBA Macros and Certutil\r\nAgent Tesla 2022-03-25 ⋅ GOV.UA ⋅ State Service of Special Communication and Information Protection of Ukraine (CIP)\r\nWho is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22\r\nXloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper\r\nIsaacWiper MicroBackdoor Pandora RAT 2022-03-07 ⋅ Fortinet ⋅ Fred Gutierrez, James Slaughter, Val Saengphaibul\r\nFake Purchase Order Used to Deliver Agent Tesla\r\nAgent Tesla 2022-03-07 ⋅ ⋅ LAC WATCH ⋅ Cyber Emergency Center\r\nI CAN'T HEAR YOU NOW! 
INTERNAL BEHAVIOR OF INFORMATION-STEALING MALWARE AND\r\nJSOC DETECTION TRENDS\r\nXloader Agent Tesla Formbook Loki Password Stealer (PWS) 2022-03-04 ⋅ Bleeping Computer ⋅ Bill Toulas\r\nRussia-Ukraine war exploited as lure for malware distribution\r\nAgent Tesla Remcos 2022-03-04 ⋅ Bitdefender ⋅ Alina Bizga\r\nBitdefender Labs Sees Increased Malicious and Scam Activity Exploiting the War in Ukraine\r\nAgent Tesla Remcos 2022-02-23 ⋅ ⋅ Weixin ⋅ 360 Threat Intelligence Center\r\nAPT-C-58 (Gorgon Group) attack warning\r\nAgent Tesla 2022-02-06 ⋅ forensicitguy ⋅ Tony Lambert\r\nAgentTesla From RTF Exploitation to .NET Tradecraft\r\nAgent Tesla 2022-02-02 ⋅ Qualys ⋅ Ghanshyam More\r\nCatching the RAT called Agent Tesla\r\nAgent Tesla 2022-01-25 ⋅ Palo Alto Networks Unit 42 ⋅ Yaron Samuel\r\nWeaponization of Excel Add-Ins Part 1: Malicious XLL Files and Agent Tesla Case Studies\r\nAgent Tesla 2022-01-24 ⋅ Proofpoint ⋅ Proofpoint\r\nDTPacker – a .NET Packer with a Curious Password\r\nAgent Tesla TA2536 2022-01-24 ⋅ Netskope ⋅ Ghanashyam Satpathy, Gustavo Palazolo\r\nInfected PowerPoint Files Using Cloud Services to Deliver Multiple Malware\r\nAgent Tesla 2022-01-21 ⋅ MalGamy ⋅ Gameel Ali\r\nDeep Analysis Agent Tesla Malware\r\nAgent Tesla 2022-01-12 ⋅ Guillaume Orlando\r\n2021 Gorgon Group APT Operation\r\nAgent Tesla 2022-01-12 ⋅ MalGamy\r\nDeep analysis agent tesla malware\r\nAgent Tesla 2022-01-12 ⋅ Guillaume Orlando\r\nMalware Analysis - AgentTesla v3\r\nAgent Tesla 2022-01-03 ⋅ forensicitguy ⋅ Tony Lambert\r\nA Tale of Two Dropper Scripts for Agent Tesla\r\nAgent Tesla 2021-12-31 ⋅ InfoSec Handlers Diary Blog ⋅ Jan Kopriva\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla\r\nPage 4 of 9\n\nDo you want your Agent Tesla in the 300 MB or 8 kB package?\r\nAgent Tesla 2021-12-30 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan\r\nAgent Tesla Updates SMTP Data Exfiltration Technique\r\nAgent Tesla 2021-12-20 ⋅ InfoSec Handlers Diary Blog ⋅ Alef Nula, Jan 
Kopriva\r\nPowerPoint attachments, Agent Tesla and code reuse in malware\r\nAgent Tesla 2021-12-17 ⋅ Yoroi ⋅ Carmelo Ragusa, Luca Mella, Luigi Martire\r\nServerless InfoStealer delivered in Est European Countries\r\nAgent Tesla 2021-12-08 ⋅ YouTube ( DuMp-GuY TrIcKsTeR) ⋅ Jiří Vinopal\r\nFull malware analysis Work-Flow of AgentTesla Malware\r\nAgent Tesla 2021-12-06 ⋅ MalwareBookReports ⋅ muzi\r\nAGENT TESLAGGAH\r\nAgent Tesla 2021-12-02 ⋅ ⋅ AhnLab ⋅ ASEC Analysis Team\r\nSpreading AgentTesla through more sophisticated malicious PPT\r\nAgent Tesla 2021-11-22 ⋅ YouTube ( DuMp-GuY TrIcKsTeR) ⋅ Jiří Vinopal\r\nPowershell and DnSpy tricks in .NET reversing – AgentTesla [Part1]\r\nAgent Tesla 2021-11-22 ⋅ YouTube ( DuMp-GuY TrIcKsTeR) ⋅ Jiří Vinopal\r\nPowershell and DnSpy tricks in .NET reversing – AgentTesla [Part2]\r\nAgent Tesla 2021-11-16 ⋅ Yoroi ⋅ Carmelo Ragusa, Luca Mella, Luigi Martire\r\nOffice Documents: May the XLL technique change the threat Landscape in 2022?\r\nAgent Tesla Dridex Formbook 2021-11-12 ⋅ Living Code ⋅ Dominik Degroot\r\nAgentTesla dropped via NSIS installer\r\nAgent Tesla 2021-11-02 ⋅ InQuest ⋅ Dmitry Melikov\r\nAdults Only Malware Lures\r\nAgent Tesla 2021-10-06 ⋅ zimperium ⋅ Jordan Herman\r\nMalware Distribution with Mana Tools\r\nAgent Tesla Azorult 2021-09-15 ⋅ Telsy ⋅ Telsy\r\nREMCOS and Agent Tesla loaded into memory with Rezer0 loader\r\nAgent Tesla Remcos 2021-09-08 ⋅ Juniper ⋅ Paul Kimayong\r\nAggah Malware Campaign Expands to Zendesk and GitHub to Host Its Malware\r\nAgent Tesla 2021-07-28 ⋅ RiskIQ ⋅ Jennifer Grob, Jordan Herman\r\nUse of XAMPP Web Component to Identify Agent Tesla Infrastructure\r\nAgent Tesla 2021-07-24 ⋅ InfoSec Handlers Diary Blog ⋅ Xavier Mertens\r\nAgent.Tesla Dropped via a .daa Image and Talking to Telegram\r\nAgent Tesla 2021-07-12 ⋅ IBM ⋅ Claire Zaboeva, Dan Dash, Melissa Frydrych\r\nRoboSki and Global Recovery: Automation to Combat Evolving Obfuscation\r\n404 Keylogger Agent Tesla AsyncRAT Ave Maria 
Azorult BitRAT Formbook HawkEye Keylogger Loki Password\r\nStealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos 2021-07-12 ⋅ Cipher Tech\r\nSolutions ⋅ Claire Zaboeva, Dan Dash, Melissa Frydrych\r\nRoboSki and Global Recovery: Automation to Combat Evolving Obfuscation\r\n404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password\r\nStealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos 2021-06-29 ⋅ Yoroi ⋅ Luca\r\nMella, Luigi Martire\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla\r\nPage 5 of 9\n\nThe \"WayBack” Campaign: a Large Scale Operation Hiding in Plain Sight\r\nAgent Tesla Cobian RAT Oski Stealer 2021-06-24 ⋅ Trustwave ⋅ Diana Lopera\r\nYet Another Archive Format Smuggling Malware\r\nAgent Tesla 2021-06-24 ⋅ Blackberry ⋅ The BlackBerry Research and Intelligence Team\r\nThreat Thursday: Agent Tesla Infostealer\r\nAgent Tesla 2021-06-11 ⋅ ⋅ NSFOCUS ⋅ Fuying Laboratory\r\nNigerian Hacker Organization SWEED is Distributing Phishing Documents Targeting the Logistics Industry\r\nAgent Tesla 2021-06-04 ⋅ Fortinet ⋅ Xiaopeng Zhang\r\nPhishing Malware Hijacks Bitcoin Addresses and Delivers New Agent Tesla Variant\r\nAgent Tesla 2021-06-02 ⋅ Sophos ⋅ Sean Gallagher\r\nAMSI bypasses remain tricks of the malware trade\r\nAgent Tesla Cobalt Strike Meterpreter 2021-05-18 ⋅ Youtube (AhmedS Kasmani) ⋅ AhmedS Kasmani\r\nMalware Analysis: Agent Tesla Part 1/2 Extraction of final payload from dropper.\r\nAgent Tesla 2021-05-11 ⋅ Twitter (@MsftSecIntel) ⋅ Microsoft Security Intelligence\r\nTweet on Snip3 crypter delivering AsyncRAT or AgentTesla\r\nAgent Tesla AsyncRAT 2021-05-11 ⋅ VMRay ⋅ Mateusz Lukaszewski, VMRay Labs Team\r\nThreat Bulletin: Exploring the Differences and Similarities of Agent Tesla v2 \u0026 v3\r\nAgent Tesla 2021-05-07 ⋅ Morphisec ⋅ Nadav Lorber\r\nRevealing the ‘Snip3’ Crypter, a Highly Evasive RAT Loader\r\nAgent Tesla AsyncRAT NetWire RC 
Revenge RAT 2021-05-05 ⋅ Zscaler ⋅ Aniruddha Dolas, Manohar Ghule, Mohd Sadique\r\nCatching RATs Over Custom Protocols Analysis of top non-HTTP/S threats\r\nAgent Tesla AsyncRAT Crimson RAT CyberGate Ghost RAT Nanocore RAT NetWire RC NjRAT Quasar RAT\r\nRemcos 2021-04-21 ⋅ SophosLabs Uncut ⋅ Anand Aijan, Andrew Brandt, Markel Picado, Michael Wood, Sean Gallagher, Sivagnanam\r\nGn, Suriya Natarajan\r\nNearly half of malware now use TLS to conceal communications\r\nAgent Tesla Cobalt Strike Dridex SystemBC 2021-04-04 ⋅ menshaway blogspot ⋅ Mahmoud Morsy\r\nTechnical report of AgentTesla\r\nAgent Tesla 2021-03-17 ⋅ HP ⋅ HP Bromium\r\nThreat Insights Report Q4-2020\r\nAgent Tesla BitRAT ComodoSec Dridex Emotet Ficker Stealer Formbook Zloader 2021-02-28 ⋅ PWC UK ⋅ PWC UK\r\nCyber Threats 2020: A Year in Retrospect\r\nelf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot\r\nBazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx\r\nFunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk\r\nStoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess\r\nWinnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception\r\nFramework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team 2021-02-25 ⋅ Minerva ⋅ Minerva Labs\r\nPreventing AgentTelsa Infiltration\r\nAgent Tesla 2021-02-12 ⋅ Trustwave ⋅ Diana Lopera, Rodel Mendrez\r\nThe Many Roads Leading To Agent Tesla\r\nAgent Tesla 2021-02-12 ⋅ InfoSec Handlers Diary Blog ⋅ Xavier Mertens\r\nAgentTesla Dropped Through Automatic Click in Microsoft Help File\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla\r\nPage 6 of 9\n\nAgent Tesla 2021-02-11 ⋅ InfoSec Handlers Diary Blog ⋅ Jan Kopriva\r\nAgent Tesla hidden in a historical anti-malware tool\r\nAgent Tesla 2021-01-21 ⋅ DENEXUS ⋅ Markel Picado\r\nSpear Phishing Targeting ICS Supply Chain - 
Analysis\r\nAgent Tesla 2021-01-11 ⋅ ESET Research ⋅ Matías Porolli\r\nOperation Spalax: Targeted malware attacks in Colombia\r\nAgent Tesla AsyncRAT NjRAT Remcos 2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli\r\nCommand and Control Traffic Patterns\r\nostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID\r\nISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot 2021-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nThreat Profile: GOLD GALLEON\r\nAgent Tesla HawkEye Keylogger Pony GOLD GALLEON 2020-12-21 ⋅ Cisco Talos ⋅ JON MUNSHAW\r\n2020: The year in malware\r\nWolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT\r\nNanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader 2020-12-18 ⋅ Trend Micro ⋅\r\nJunestherry Salvador, Matthew Camacho, Raphael Centeno\r\nNegasteal Uses Hastebin for Fileless Delivery of Crysis Ransomware\r\nAgent Tesla Dharma 2020-12-15 ⋅ Cofense ⋅ Aaron Riley\r\nStrategic Analysis: Agent Tesla Expands Targeting and Networking Capabilities\r\nAgent Tesla 2020-12-10 ⋅ US-CERT ⋅ FBI, MS-ISAC, US-CERT\r\nAlert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data\r\nPerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim\r\nREvil Ryuk Zeus 2020-12-07 ⋅ Proofpoint ⋅ Proofpoint Threat Research Team\r\nCommodity .NET Packers use Embedded Images to Hide Payloads\r\nAgent Tesla Loki Password Stealer (PWS) Remcos 2020-12-04 ⋅ Inde ⋅ Chris Campbell\r\nInside a .NET Stealer: AgentTesla\r\nAgent Tesla 2020-12-03 ⋅ Telsy ⋅ Telsy Research Team\r\nWhen a false flag doesn’t work: Exploring the digital-crime underground at campaign preparation stage\r\nAgent Tesla 2020-11-27 ⋅ HP ⋅ Alex Holland\r\nAggah Campaign’s Latest Tactics: Victimology, PowerPoint Dropper and Cryptocurrency Stealer\r\nAgent Tesla 2020-11-18 ⋅ Sophos ⋅ Sophos\r\nSOPHOS 2021 THREAT REPORT Navigating 
cybersecurity in an uncertain world\r\nAgent Tesla Dridex TrickBot Zloader 2020-11-18 ⋅ G Data ⋅ G-Data\r\nBusiness as usual: Criminal Activities in Times of a Global Pandemic\r\nAgent Tesla Nanocore RAT NetWire RC Remcos 2020-11-05 ⋅ Morphisec ⋅ Michael Gorelik\r\nAgent Tesla: A Day in a Life of IR\r\nAgent Tesla 2020-10-16 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab\r\nVBA Purging Malspam Campaigns\r\nAgent Tesla Formbook 2020-10-05 ⋅ Juniper ⋅ Paul Kimayong\r\nNew pastebin-like service used in multiple malware campaigns\r\nAgent Tesla LimeRAT RedLine Stealer 2020-09-03 ⋅ Medium mariohenkel ⋅ Mario Henkel\r\nDecrypting AgentTesla strings and config\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla\r\nPage 7 of 9\n\nAgent Tesla 2020-08-27 ⋅ MalWatch ⋅ MalWatch\r\nWin.Trojan.AgentTesla - Malware analysis \u0026 threat intelligence report\r\nAgent Tesla 2020-08-26 ⋅ Lab52 ⋅ Jagaimo Kawaii\r\nA twisted malware infection chain\r\nAgent Tesla Loki Password Stealer (PWS) 2020-08-10 ⋅ SentinelOne ⋅ Jim Walter\r\nAgent Tesla | Old RAT Uses New Tricks to Stay on Top\r\nAgent Tesla 2020-08-10 ⋅ Seqrite ⋅ Pavankumar Chaudhari\r\nGorgon APT targeting MSME sector in India\r\nAgent Tesla 2020-07-30 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q2 2020\r\nAdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer\r\nLoki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos\r\nZloader 2020-06-02 ⋅ Lastline Labs ⋅ James Haughom, Stefano Ortolani\r\nEvolution of Excel 4.0 Macro Weaponization\r\nAgent Tesla DanaBot ISFB TrickBot Zloader 2020-05-23 ⋅ InfoSec Handlers Diary Blog ⋅ Xavier Mertens\r\nAgentTesla Delivered via a Malicious PowerPoint Add-In\r\nAgent Tesla 2020-05-22 ⋅ Yoroi ⋅ Antonio Pirozzi, Giacomo d'Onofrio, Luca Mella, Luigi Martire\r\nCyber-Criminal espionage Operation insists on Italian Manufacturing\r\nAgent Tesla 2020-05-14 ⋅ SophosLabs ⋅ Markel 
Picado\r\nRATicate: an attacker’s waves of information-stealing malware\r\nAgent Tesla BetaBot BlackRemote Formbook Loki Password Stealer (PWS) NetWire RC NjRAT Remcos 2020-04-\r\n16 ⋅ Malwarebytes ⋅ Hossein Jazi\r\nNew AgentTesla variant steals WiFi credentials\r\nAgent Tesla 2020-04-15 ⋅ Suraj Malhotra\r\nHow Analysing an AgentTesla Could Lead To Attackers Inbox - Part II\r\nAgent Tesla 2020-04-14 ⋅ Palo Alto Networks Unit 42 ⋅ Adrian McCabe, Juan Cortes, Vicky Ray\r\nMalicious Attackers Target Government and Medical Organizations With COVID-19 Themed Phishing\r\nCampaigns\r\nAgent Tesla EDA2 2020-04-13 ⋅ Suraj Malhotra\r\nHow Analysing an AgentTesla Could Lead To Attackers Inbox - Part I\r\nAgent Tesla 2020-04-05 ⋅ MalwrAnalysis ⋅ Anurag\r\nTrojan Agent Tesla – Malware Analysis\r\nAgent Tesla 2020-03-24 ⋅ RiskIQ ⋅ Wes Smiley\r\nExploring Agent Tesla Infrastructure\r\nAgent Tesla 2020-03-18 ⋅ Proofpoint ⋅ Axel F, Sam Scholten\r\nCoronavirus Threat Landscape Update\r\nAgent Tesla Get2 ISFB Remcos 2020-02-26 ⋅ MalwareLab.pl ⋅ Maciej Kotowicz\r\n(Ab)using bash-fu to analyze recent Aggah sample\r\nAgent Tesla 2020-02-02 ⋅ Sophos Labs ⋅ Markel Picado, Sean Gallagher\r\nAgent Tesla amps up information stealing attacks\r\nAgent Tesla 2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nGOLD GALLEON\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla\r\nPage 8 of 9\n\nAgent Tesla HawkEye Keylogger Pony Predator The Thief 2019-09-26 ⋅ Proofpoint ⋅ Bryan Campbell, Jeremy Hedges,\r\nProofpoint Threat Insight Team\r\nNew WhiteShadow downloader uses Microsoft SQL to retrieve malware\r\nWhiteShadow Agent Tesla Azorult Crimson RAT Formbook Nanocore RAT NetWire RC NjRAT Remcos 2019-07-\r\n15 ⋅ Cisco Talos ⋅ Edmund Brumaghin\r\nSWEED: Exposing years of Agent Tesla campaigns\r\nAgent Tesla Formbook Loki Password Stealer (PWS) SWEED 2019-07-01 ⋅ Talos Intelligence ⋅ Holger Unterbrink\r\nRATs and stealers rush through “Heaven’s Gate” with new loader\r\nAgent Tesla HawkEye 
Keylogger Remcos 2018-04-18 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam\r\nGOLD GALLEON: How a Nigerian Cyber Crew Plunders the Shipping Industry\r\nAgent Tesla HawkEye Keylogger Pony GOLD GALLEON 2018-04-05 ⋅ Fortinet ⋅ Xiaopeng Zhang\r\nAnalysis of New Agent Tesla Spyware Variant\r\nAgent Tesla 2018-01-12 ⋅ Stormshield ⋅ Rémi Jullian\r\nAnalyzing an Agent Tesla campaign: from a word document to the attacker credentials\r\nAgent Tesla 2017-09-25 ⋅ Palo Alto Networks Unit 42 ⋅ Jeff White\r\nAnalyzing the Various Layers of AgentTesla’s Packing\r\nAgent Tesla 2017-06-28 ⋅ Fortinet ⋅ Xiaopeng Zhang\r\nIn-Depth Analysis of A New Variant of .NET Malware AgentTesla\r\nAgent Tesla 2016-08-01 ⋅ Zscaler ⋅ Deepen Desai\r\nAgent Tesla Keylogger delivered using cybersquatting\r\nAgent Tesla\r\n[TLP:WHITE] win_agent_tesla_w0 (20190731 | No description)\r\n[TLP:WHITE] win_agent_tesla_w1 (20200506 | Detect Agent Tesla based on common .NET code sequences)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla\r\nPage 9 of 9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla"
	],
	"report_names": [
		"win.agent_tesla"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "64d750e4-67db-4461-bae2-6e75bfced852",
			"created_at": "2022-10-25T16:07:24.01415Z",
			"updated_at": "2026-04-10T02:00:04.839502Z",
			"deleted_at": null,
			"main_name": "Operation Spalax",
			"aliases": [],
			"source_name": "ETDA:Operation Spalax",
			"tools": [
				"AsyncRAT",
				"Bladabindi",
				"Jorik",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67fbc7d7-ba8e-4258-b53c-9a5d755e1960",
			"created_at": "2022-10-25T16:07:24.077859Z",
			"updated_at": "2026-04-10T02:00:04.860725Z",
			"deleted_at": null,
			"main_name": "Promethium",
			"aliases": [
				"APT-C-41",
				"G0056",
				"Magenta Dust",
				"Promethium",
				"StrongPity"
			],
			"source_name": "ETDA:Promethium",
			"tools": [
				"StrongPity",
				"StrongPity2",
				"StrongPity3",
				"Truvasys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "316b23b5-e097-4dc6-8b1c-d096860c6c16",
			"created_at": "2022-10-25T16:07:24.290801Z",
			"updated_at": "2026-04-10T02:00:04.924688Z",
			"deleted_at": null,
			"main_name": "TA558",
			"aliases": [],
			"source_name": "ETDA:TA558",
			"tools": [
				"AZORult",
				"AsyncRAT",
				"Bladabindi",
				"ExtRat",
				"Jorik",
				"Loda",
				"Loda RAT",
				"LodaRAT",
				"Nymeria",
				"PuffStealer",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Rultazo",
				"Socmer",
				"Vengeance Justice Worm",
				"Vjw0rm",
				"Xtreme RAT",
				"XtremeRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fe3d8dee-3bee-42e6-8f16-b6628b6189ae",
			"created_at": "2023-01-06T13:46:39.039285Z",
			"updated_at": "2026-04-10T02:00:03.193589Z",
			"deleted_at": null,
			"main_name": "SWEED",
			"aliases": [],
			"source_name": "MISPGALAXY:SWEED",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cbede712-4cc3-47c6-bf78-92fd9f1beac6",
			"created_at": "2022-10-25T15:50:23.777222Z",
			"updated_at": "2026-04-10T02:00:05.399303Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"PROMETHIUM",
				"StrongPity"
			],
			"source_name": "MITRE:PROMETHIUM",
			"tools": [
				"Truvasys",
				"StrongPity"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0d07b30c-4393-4071-82fb-22f51f7749e0",
			"created_at": "2022-10-25T16:07:24.097096Z",
			"updated_at": "2026-04-10T02:00:04.865146Z",
			"deleted_at": null,
			"main_name": "RATicate",
			"aliases": [],
			"source_name": "ETDA:RATicate",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"BetaBot",
				"BlackRAT",
				"BlackRemote",
				"Bladabindi",
				"CloudEyE",
				"ForeIT",
				"Formbook",
				"GuLoader",
				"Jorik",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NSIS",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Neurevt",
				"Nullsoft Scriptable Install System",
				"Origin Logger",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"ZPAQ",
				"njRAT",
				"vbdropper",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b98eb1ec-dc8b-4aea-b112-9e485408dd14",
			"created_at": "2022-10-25T16:07:23.649308Z",
			"updated_at": "2026-04-10T02:00:04.701157Z",
			"deleted_at": null,
			"main_name": "FunnyDream",
			"aliases": [
				"Bronze Edgewood",
				"Red Hariasa",
				"TAG-16"
			],
			"source_name": "ETDA:FunnyDream",
			"tools": [
				"Chinoxy",
				"Filepak",
				"FilepakMonitor",
				"FunnyDream",
				"Keyrecord",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Md_client",
				"PCShare",
				"ScreenCap",
				"TcpBridge",
				"Tcp_transfer",
				"ccf32"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "58db0213-4872-41fe-8a76-a7014d816c73",
			"created_at": "2023-01-06T13:46:38.61757Z",
			"updated_at": "2026-04-10T02:00:03.040816Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"G0131",
				"PLA Unit 65017",
				"Earth Akhlut",
				"TAG-74",
				"CactusPete",
				"KARMA PANDA",
				"BRONZE HUNTLEY",
				"Red Beifang"
			],
			"source_name": "MISPGALAXY:Tonto Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f2c53785-fb8b-460d-ba73-7fbfba36f0f5",
			"created_at": "2022-10-25T16:07:24.247949Z",
			"updated_at": "2026-04-10T02:00:04.911034Z",
			"deleted_at": null,
			"main_name": "Sweed",
			"aliases": [],
			"source_name": "ETDA:Sweed",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"ForeIT",
				"Formbook",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"Negasteal",
				"Origin Logger",
				"RDP",
				"Remote Desktop Protocol",
				"ZPAQ",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "da483338-e479-4d74-a6dd-1fb09343fd07",
			"created_at": "2022-10-25T15:50:23.698197Z",
			"updated_at": "2026-04-10T02:00:05.355597Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Tonto Team",
				"Earth Akhlut",
				"BRONZE HUNTLEY",
				"CactusPete",
				"Karma Panda"
			],
			"source_name": "MITRE:Tonto Team",
			"tools": [
				"Mimikatz",
				"Bisonal",
				"ShadowPad",
				"LaZagne",
				"NBTscan",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b0d34dd6-ee90-483b-bb6c-441332274160",
			"created_at": "2022-10-25T16:07:23.296754Z",
			"updated_at": "2026-04-10T02:00:04.526403Z",
			"deleted_at": null,
			"main_name": "Aggah",
			"aliases": [
				"Operation Red Deer",
				"Operation Roma225"
			],
			"source_name": "ETDA:Aggah",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Aggah",
				"Atros2.CKPN",
				"Bladabindi",
				"Jorik",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"Origin Logger",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Warzone",
				"Warzone RAT",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "733eb70c-e636-4d55-be1d-6ff0f7084027",
			"created_at": "2024-04-19T02:00:03.619798Z",
			"updated_at": "2026-04-10T02:00:03.613351Z",
			"deleted_at": null,
			"main_name": "Bignosa",
			"aliases": [],
			"source_name": "MISPGALAXY:Bignosa",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "04a7ebaa-ebb1-4971-b513-a0c86886d932",
			"created_at": "2023-01-06T13:46:38.784965Z",
			"updated_at": "2026-04-10T02:00:03.099088Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"ATK116",
				"Blue Odin"
			],
			"source_name": "MISPGALAXY:Inception Framework",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3f53ecb7-e228-471d-8f85-0b2ba110ab4b",
			"created_at": "2023-01-06T13:46:39.181151Z",
			"updated_at": "2026-04-10T02:00:03.237995Z",
			"deleted_at": null,
			"main_name": "Red Charon",
			"aliases": [],
			"source_name": "MISPGALAXY:Red Charon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c2879cb2-72cc-473a-aab9-024050f5dde9",
			"created_at": "2024-06-19T02:03:08.055587Z",
			"updated_at": "2026-04-10T02:00:03.687839Z",
			"deleted_at": null,
			"main_name": "GOLD GALLEON",
			"aliases": [
				""
			],
			"source_name": "Secureworks:GOLD GALLEON",
			"tools": [
				"AgentTesla",
				"HawkEye",
				"Pony",
				"Predator Pain"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc",
			"created_at": "2023-01-06T13:46:38.354607Z",
			"updated_at": "2026-04-10T02:00:02.939761Z",
			"deleted_at": null,
			"main_name": "APT23",
			"aliases": [
				"BRONZE HOBART",
				"G0081",
				"Red Orthrus",
				"Earth Centaur",
				"PIRATE PANDA",
				"KeyBoy",
				"Tropic Trooper"
			],
			"source_name": "MISPGALAXY:APT23",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17d16126-35d7-4c59-88a5-0b48e755e80f",
			"created_at": "2025-08-07T02:03:24.622109Z",
			"updated_at": "2026-04-10T02:00:03.726126Z",
			"deleted_at": null,
			"main_name": "BRONZE HUNTLEY",
			"aliases": [
				"CactusPete ",
				"Earth Akhlut ",
				"Karma Panda ",
				"Red Beifang",
				"Tonto Team"
			],
			"source_name": "Secureworks:BRONZE HUNTLEY",
			"tools": [
				"Bisonal",
				"RatN",
				"Royal Road",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4660477f-333f-4a18-b49b-0b4d7c66d482",
			"created_at": "2023-01-06T13:46:38.511962Z",
			"updated_at": "2026-04-10T02:00:03.007466Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"StrongPity",
				"G0056"
			],
			"source_name": "MISPGALAXY:PROMETHIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18278778-fa63-4a9a-8988-4d266b8c5c1a",
			"created_at": "2023-01-06T13:46:38.769816Z",
			"updated_at": "2026-04-10T02:00:03.094179Z",
			"deleted_at": null,
			"main_name": "The Gorgon Group",
			"aliases": [
				"Gorgon Group",
				"Subaat",
				"ATK92",
				"G0078",
				"Pasty Gemini"
			],
			"source_name": "MISPGALAXY:The Gorgon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "97fdaf9f-cae1-4ccc-abe2-76e5cbc0febd",
			"created_at": "2022-10-25T15:50:23.296989Z",
			"updated_at": "2026-04-10T02:00:05.347085Z",
			"deleted_at": null,
			"main_name": "Gorgon Group",
			"aliases": [
				"Gorgon Group"
			],
			"source_name": "MITRE:Gorgon Group",
			"tools": [
				"NanoCore",
				"QuasarRAT",
				"Remcos",
				"njRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "73287b62-af12-4c8b-98db-c6ba386cbb28",
			"created_at": "2023-01-06T13:46:39.257688Z",
			"updated_at": "2026-04-10T02:00:03.263658Z",
			"deleted_at": null,
			"main_name": "GOLD GALLEON",
			"aliases": [],
			"source_name": "MISPGALAXY:GOLD GALLEON",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b72c2616-cc7c-4c47-a83d-6b7866b94746",
			"created_at": "2023-01-06T13:46:39.425297Z",
			"updated_at": "2026-04-10T02:00:03.323082Z",
			"deleted_at": null,
			"main_name": "Red Nue",
			"aliases": [
				"LuoYu"
			],
			"source_name": "MISPGALAXY:Red Nue",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a",
			"created_at": "2022-10-25T16:07:24.332084Z",
			"updated_at": "2026-04-10T02:00:04.940672Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Bronze Huntley",
				"CactusPete",
				"Earth Akhlut",
				"G0131",
				"HartBeat",
				"Karma Panda",
				"LoneRanger",
				"Operation Bitter Biscuit",
				"TAG-74",
				"Tonto Team"
			],
			"source_name": "ETDA:Tonto Team",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Bioazih",
				"Bisonal",
				"CONIME",
				"Dexbia",
				"Korlia",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5fba09c3-73cc-4898-9b82-e73b012016c6",
			"created_at": "2025-08-07T02:03:24.578591Z",
			"updated_at": "2026-04-10T02:00:03.767329Z",
			"deleted_at": null,
			"main_name": "BRONZE EDGEWOOD",
			"aliases": [
				"Red Hariasa"
			],
			"source_name": "Secureworks:BRONZE EDGEWOOD",
			"tools": [
				"Chinoxy",
				"Cobalt Strike",
				"FunnyDream",
				"Md_client",
				"Nishang Post Exploitation Framework",
				"PCShare",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d2dad33f-6218-477c-9388-3d5228d7562f",
			"created_at": "2023-02-15T02:01:49.573579Z",
			"updated_at": "2026-04-10T02:00:03.352638Z",
			"deleted_at": null,
			"main_name": "TA2536",
			"aliases": [],
			"source_name": "MISPGALAXY:TA2536",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "28851008-77b4-47eb-abcd-1bb5b3f19fc2",
			"created_at": "2023-06-20T02:02:10.254614Z",
			"updated_at": "2026-04-10T02:00:03.365336Z",
			"deleted_at": null,
			"main_name": "Hagga",
			"aliases": [
				"TH-157",
				"Aggah"
			],
			"source_name": "MISPGALAXY:Hagga",
			"tools": [
				"Agent Tesla"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86182dd7-646c-49c5-91a6-4b62fd2119a7",
			"created_at": "2025-08-07T02:03:24.617638Z",
			"updated_at": "2026-04-10T02:00:03.738499Z",
			"deleted_at": null,
			"main_name": "BRONZE HOBART",
			"aliases": [
				"APT23",
				"Earth Centaur ",
				"KeyBoy ",
				"Pirate Panda ",
				"Red Orthrus ",
				"TA413 ",
				"Tropic Trooper "
			],
			"source_name": "Secureworks:BRONZE HOBART",
			"tools": [
				"Crowdoor",
				"DSNGInstaller",
				"KeyBoy",
				"LOWZERO",
				"Mofu",
				"Pfine",
				"Sepulcher",
				"Xiangoop Loader",
				"Yahaoyah"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf91b389-9602-45c0-8d6b-c61d14800f54",
			"created_at": "2023-01-06T13:46:39.448277Z",
			"updated_at": "2026-04-10T02:00:03.332604Z",
			"deleted_at": null,
			"main_name": "TA558",
			"aliases": [],
			"source_name": "MISPGALAXY:TA558",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f72bb9d8-ff75-444f-8fb7-1e8e113cef73",
			"created_at": "2023-01-06T13:46:39.401929Z",
			"updated_at": "2026-04-10T02:00:03.314524Z",
			"deleted_at": null,
			"main_name": "BRONZE EDGEWOOD",
			"aliases": [
				"Red Hariasa"
			],
			"source_name": "MISPGALAXY:BRONZE EDGEWOOD",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6c4e4b91-1f98-49e2-90e6-435cea8d3d53",
			"created_at": "2022-10-25T16:07:23.693797Z",
			"updated_at": "2026-04-10T02:00:04.711987Z",
			"deleted_at": null,
			"main_name": "Gorgon Group",
			"aliases": [
				"ATK 92",
				"G0078",
				"Pasty Draco",
				"Subaat",
				"TAG-CR5"
			],
			"source_name": "ETDA:Gorgon Group",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Atros2.CKPN",
				"Bladabindi",
				"CinaRAT",
				"Crimson RAT",
				"ForeIT",
				"Jorik",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"MSIL",
				"MSIL/Crimson",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Origin Logger",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"SEEDOOR",
				"Scarimson",
				"Socmer",
				"Yggdrasil",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "873a6c6f-a4d1-49b3-8142-4a147d4288ef",
			"created_at": "2022-10-25T16:07:23.455744Z",
			"updated_at": "2026-04-10T02:00:04.61281Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Bronze Vapor",
				"G0114",
				"Nuclear Taurus",
				"Operation Skeleton Key",
				"Red Charon",
				"THORIUM",
				"Tumbleweed Typhoon"
			],
			"source_name": "ETDA:Chimera",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"SkeletonKeyInjector",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "02c9f3f6-5d10-456b-9e63-750286048149",
			"created_at": "2022-10-25T16:07:23.722884Z",
			"updated_at": "2026-04-10T02:00:04.72726Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"ATK 116",
				"Blue Odin",
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"Inception Framework",
				"Operation Cloud Atlas",
				"Operation RedOctober",
				"The Rocra"
			],
			"source_name": "ETDA:Inception Framework",
			"tools": [
				"Lastacloud",
				"PowerShower",
				"VBShower"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438939,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/59674d9150ba310750b78f25fc56bdcad71fc87a.pdf",
		"text": "https://archive.orkl.eu/59674d9150ba310750b78f25fc56bdcad71fc87a.txt",
		"img": "https://archive.orkl.eu/59674d9150ba310750b78f25fc56bdcad71fc87a.jpg"
	}
}