{
	"id": "cba0f9b1-e355-4ebc-9709-58ca924bf137",
	"created_at": "2026-04-06T00:14:11.324502Z",
	"updated_at": "2026-04-10T03:37:51.364234Z",
	"deleted_at": null,
	"sha1_hash": "59d2688c5b2ef42b62922ccfc4b597e9cce7b1a2",
	"title": "SystemBC (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 151181,
	"plain_text": "SystemBC (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 13:06:27 UTC\r\nSystemBC is a multiplatform proxy malware active since August 2019. It creates SOCKS5 network tunnels in the\r\nvictim’s network and connects to its C2 server using a custom, RC4-encrypted protocol. It can also download and\r\nexecute additional malware, with payloads either written to disk or mapped into memory. The SystemBC kit,\r\nincluding the C2 panel, server, and malware executables, is sold in underground forums.\r\n2025-09-18 ⋅ Lumen ⋅\r\nSystemBC – Bringing the Noise\r\nSystemBC SystemBC 2025-07-18 ⋅ Arctic Wolf ⋅ Arctic Wolf Labs Team\r\nGreedy Sponge Targets Mexico with AllaKore RAT and SystemBC\r\nAllaKore SystemBC 2025-04-24 ⋅ Mandiant ⋅ Mandiant\r\nM-Trends 2025 Report\r\nAkira Black Basta LockBit SystemBC GootLoader LockBit WIREFIRE Akira Black Basta Cobalt Strike LockBit\r\nRansomHub SystemBC Pink Sandstorm 2025-01-27 ⋅ The DFIR Report ⋅ MittenSec, MyDFIR, r3nzsec\r\nCobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware\r\nGhostSocks LockBit SystemBC 2024-12-04 ⋅ Rapid7 ⋅ Tyler McGraw\r\nBlack Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware\r\nBlack Basta Cobalt Strike DarkGate SystemBC Zloader 2024-08-26 ⋅ The DFIR Report ⋅ The DFIR Report\r\nBlackSuit Ransomware\r\nBlackSuit Cobalt Strike SystemBC 2024-08-12 ⋅ Rapid7 ⋅ Tyler McGraw\r\nOngoing Social Engineering Campaign Refreshes Payloads\r\nBlack Basta Cobalt Strike GhostSocks Lumma Stealer SystemBC 2024-07-29 ⋅ Mandiant ⋅ Ashley Pearson, Jake Nicastro,\r\nJoseph Pisano, Josh Murchie, Joshua Shilko, Raymond Leong\r\nUNC4393 Goes Gently into the SILENTNIGHT\r\nBlack Basta QakBot sRDI SystemBC Zloader UNC3973 UNC4393 2024-05-30 ⋅ Europol ⋅ Europol\r\nLargest ever operation against botnets hits dropper malware ecosystem\r\nBumbleBee IcedID SmokeLoader SystemBC TrickBot 2024-05-15 ⋅ Microsoft ⋅ Microsoft Threat Intelligence\r\nThreat actors misusing Quick Assist in social 
engineering attacks leading to ransomware\r\nBlack Basta Cobalt Strike QakBot SystemBC 2024-01-19 ⋅ Kroll ⋅ David Truman\r\nInside the SYSTEMBC Command-and-Control Server\r\nSystemBC 2023-11-12 ⋅ Github (vc0RExor) ⋅ Aaron Jornet\r\nThe Swiss Knife: SystemBC | Coroxy\r\nSystemBC 2023-10-12 ⋅ YouTube (FIRST) ⋅ Aditya K. Sood\r\n\"Compromising the Keys to the Kingdom\" - Exfiltrating Data to Own and Operate the Exploited Systems\r\nLoki RAT SystemBC 2023-09-12 ⋅ FIRSTCON ⋅ Aditya K. Sood\r\nCompromising the Keys to the Kingdom: Exfiltrating Data to Own and Operate the Exploited Systems (Slides)\r\nLoki RAT SystemBC 2023-09-12 ⋅ ⋅ ANSSI ⋅ ANSSI\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.systembc\r\nPage 1 of 4\n\nFIN12: A Cybercriminal Group with Multiple Ransomware\r\nBlackCat Cobalt Strike Conti Hive MimiKatz Nokoyawa Ransomware PLAY Royal Ransom Ryuk SystemBC\r\n2023-08-23 ⋅ Logpoint ⋅ Anish Bogati, Nischal khadgi\r\nDefending Against 8base: Uncovering Their Arsenal and Crafting Responses\r\n8Base Phobos SmokeLoader SystemBC 2023-08-10 ⋅ Kaspersky ⋅ Kurt Baumgartner\r\nFocus on DroxiDat/SystemBC\r\nSystemBC 2023-06-28 ⋅ vmware ⋅ Bria Beathley, Dana Behling, Deborah Snyder, Fae Carlisle\r\n8Base Ransomware: A Heavy Hitting Player\r\n8Base Phobos SmokeLoader SystemBC 2023-06-27 ⋅ SecurityIntelligence ⋅ Charlotte Hammond, Ole Villadsen\r\nThe Trickbot/Conti Crypters: Where Are They Now?\r\nBlack Basta Conti Mount Locker PhotoLoader Royal Ransom SystemBC TrickBot 2023-06-22 ⋅ Reliaquest ⋅ Caroline\r\nFenstermacher\r\nGoot to Loot - How a Gootloader Infection Led to Credential Access\r\nGootLoader SystemBC 2023-05-15 ⋅ CrowdStrike ⋅ CrowdStrike\r\nHypervisor Jackpotting, Part 3: Lack of Antivirus Support Opens the Door to Adversary Attacks\r\nBlackCat SystemBC 2023-04-19 ⋅ Symantec ⋅ Threat Hunter Team\r\nPlay Ransomware Group Using New Custom Data-Gathering Tools\r\nPLAY SystemBC 2023-04-18 ⋅ Mandiant ⋅ Mandiant\r\nM-Trends 2023\r\nQUIETEXIT AppleJeus Black 
Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive\r\nINDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC\r\nWhisperGate 2023-03-30 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)\r\neSentire Threat Intelligence Malware Analysis: BatLoader\r\nBATLOADER Cobalt Strike ISFB SystemBC Vidar 2023-02-14 ⋅ Cybereason ⋅ Cybereason Incident Response (IR) team\r\nGootLoader - SEO Poisoning and Large Payloads Leading to Compromise\r\nGootLoader Cobalt Strike SystemBC 2023-02-09 ⋅ cyber.wtf blog ⋅ Hendrik Eckardt\r\nDefeating VMProtect’s Latest Tricks\r\nSystemBC 2023-01-23 ⋅ Kroll ⋅ Elio Biasiotto, Stephen Green\r\nBlack Basta – Technical Analysis\r\nBlack Basta Cobalt Strike MimiKatz QakBot SystemBC 2023-01-16 ⋅ Intrinsec ⋅ Intrinsec\r\nProxyNotShell – OWASSRF – Merry Xchange\r\nCobalt Strike SystemBC 2022-10-28 ⋅ velociraptor ⋅ Matt Green\r\nWindows.Carving.SystemBC - SystemBC RAT configuration Purser for Velociraptor\r\nSystemBC 2022-10-10 ⋅ RiskIQ ⋅ Microsoft Threat Intelligence Center (MSTIC)\r\nDEV-0832 Leverages Commodity Tools in Opportunistic Ransomware Campaigns\r\nBlackCat Mount Locker SystemBC Zeppelin 2022-09-21 ⋅ BitSight ⋅ João Batista\r\nSystemBC: The Multipurpose Proxy Bot Still Breathes\r\nSystemBC 2022-09-06 ⋅ CISA ⋅ CISA, FBI, MS-ISAC, US-CERT\r\nAlert (AA22-249A) #StopRansomware: Vice Society\r\nCobalt Strike Empire Downloader FiveHands HelloKitty SystemBC Zeppelin 2022-08-30 ⋅ Cisco ⋅ Vanja Svajcer\r\nModernLoader delivers multiple stealers, cryptominers and RATs\r\nCoinminer DCRat ModernLoader RedLine Stealer SapphireMiner SystemBC 2022-06-01 ⋅ Elastic ⋅ Andrew Pease,\r\nDaniel Stepanic, Derek Ditch, Salim Bitam, Seth Goodwin\r\nCUBA Ransomware Campaign Analysis\r\nCobalt Strike Cuba Meterpreter MimiKatz SystemBC 2022-05-24 ⋅ BitSight ⋅ BitSight, João Batista, Pedro Umbelino\r\nEmotet Botnet Rises Again\r\nCobalt Strike 
Emotet QakBot SystemBC 2022-05-09 ⋅ Microsoft Security ⋅ Microsoft 365 Defender Threat Intelligence Team,\r\nMicrosoft Threat Intelligence Center\r\nRansomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself\r\nGriffon BazarBackdoor BlackCat BlackMatter Blister Gozi LockBit Pandora Rook SystemBC TrickBot 2022-05-09\r\n⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)\r\nRansomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself\r\nAnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon\r\nATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi\r\nHelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker\r\nPhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT 2022-04-12 ⋅\r\nAhnLab ⋅ ASEC Analysis Team\r\nSystemBC Being Used by Various Attackers\r\nEmotet SmokeLoader SystemBC 2022-03-04 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt\r\nSystemBC, PowerShell version\r\nSystemBC 2022-01-19 ⋅ Mandiant ⋅ Adrian Sanchez Hernandez, Ervin James Ocampo, Paul Tarter\r\nOne Source to Rule Them All: Chasing AVADDON Ransomware\r\nBlackMatter Avaddon BlackMatter MedusaLocker SystemBC ThunderX 2021-06-07 ⋅ Medium walmartglobaltech ⋅ Jason\r\nReaves, Joshua Platt\r\nInside the SystemBC Malware-As-A-Service\r\nRyuk SystemBC TrickBot 2021-05-19 ⋅ Intel 471 ⋅ Intel 471\r\nLook how many cybercriminals love Cobalt Strike\r\nBazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot 2021-05-10 ⋅ F-Secure ⋅ Callum\r\nRoxan, Sami Ruohonen\r\nPrelude to Ransomware: SystemBC\r\nSystemBC 2021-04-21 ⋅ SophosLabs Uncut ⋅ Anand Aijan, Andrew Brandt, Markel Picado, Michael Wood, Sean Gallagher,\r\nSivagnanam Gn, Suriya Natarajan\r\nNearly half of malware now use TLS to conceal 
communications\r\nAgent Tesla Cobalt Strike Dridex SystemBC 2021-04-01 ⋅ Reversing Labs ⋅ Robert Simmons\r\nCode Reuse Across Packers and DLL Loaders\r\nIcedID SystemBC 2021-02-25 ⋅ FireEye ⋅ Brendan McKeague, Bryce Abdo, Van Ta\r\nSo Unchill: Melting UNC2198 ICEDID to Ransomware Operations\r\nMOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC 2021-02-03 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan\r\nExcel spreadsheets push SystemBC malware\r\nCobalt Strike SystemBC 2020-12-16 ⋅ SophosLabs Uncut ⋅ Sean Gallagher, Sivagnanam Gn\r\nRansomware operators use SystemBC RAT as off-the-shelf Tor backdoor\r\nSystemBC 2020-10-14 ⋅ Sophos ⋅ Sean Gallagher\r\nThey’re back: inside a new Ryuk ransomware attack\r\nCobalt Strike Ryuk SystemBC 2019-07-31 ⋅ Proofpoint ⋅ Dennis Schwarz, Kade Harmon, Kafeine, Proofpoint Threat Insight Team\r\nSystemBC is like Christmas in July for SOCKS5 Malware and Exploit Kits\r\nSystemBC\r\n[TLP:WHITE] win_systembc_auto (20251219 | Detects win.systembc.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc"
	],
	"report_names": [
		"win.systembc"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "21e01940-3851-417f-9e90-1a4a2da07033",
			"created_at": "2022-10-25T16:07:23.299369Z",
			"updated_at": "2026-04-10T02:00:04.527895Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow",
				"DEV-0227",
				"Pink Sandstorm",
				"SharpBoys",
				"Spectral Kitten"
			],
			"source_name": "ETDA:Agrius",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agrius",
				"BFG Agonizer",
				"BFG Agonizer Wiper",
				"DEADWOOD",
				"DETBOSIT",
				"Detbosit",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"PW",
				"PartialWasher",
				"PartialWasher Wiper",
				"SQLShred",
				"Sqlextractor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a6814184-2133-4520-b7b3-63e6b7be2f64",
			"created_at": "2025-08-07T02:03:25.019385Z",
			"updated_at": "2026-04-10T02:00:03.859468Z",
			"deleted_at": null,
			"main_name": "GOLD VICTOR",
			"aliases": [
				"DEV-0832 ",
				"STAC5279 ",
				"Vanilla Tempest ",
				"Vice Society",
				"Vice Spider "
			],
			"source_name": "Secureworks:GOLD VICTOR",
			"tools": [
				"Advanced IP Scanner",
				"Advanced Port Scanner",
				"HelloKitty ransomware",
				"INC ransomware",
				"MEGAsync",
				"Neshta",
				"PAExec",
				"PolyVice ransomware",
				"PortStarter",
				"PsExec",
				"QuantumLocker ransomware",
				"Rhysida ransomware",
				"Supper",
				"SystemBC",
				"Zeppelin ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d1dcfc37-1f9b-4acd-a023-25153f183c2e",
			"created_at": "2025-08-07T02:03:24.783147Z",
			"updated_at": "2026-04-10T02:00:03.664754Z",
			"deleted_at": null,
			"main_name": "COBALT SHADOW",
			"aliases": [
				"AMERICIUM ",
				"Agonizing Serpens ",
				"Agrius",
				"Agrius ",
				"BlackShadow",
				"DEV-0227 ",
				"Justice Blade ",
				"Malek Team",
				"Malek Team ",
				"MoneyBird ",
				"Pink Sandstorm ",
				"Sharp Boyz ",
				"Spectral Kitten "
			],
			"source_name": "Secureworks:COBALT SHADOW",
			"tools": [
				"Apostle",
				"DEADWOOD",
				"Fantasy wiper",
				"IPsec Helper",
				"MiniDump",
				"Moneybird ransomware",
				"Sandals",
				"SecretsDump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4023e661-f566-4b5b-a06f-9d370403f074",
			"created_at": "2024-02-02T02:00:04.064685Z",
			"updated_at": "2026-04-10T02:00:03.547155Z",
			"deleted_at": null,
			"main_name": "Pink Sandstorm",
			"aliases": [
				"AMERICIUM",
				"BlackShadow",
				"DEV-0022",
				"Agrius",
				"Agonizing Serpens",
				"UNC2428",
				"Black Shadow",
				"SPECTRAL KITTEN"
			],
			"source_name": "MISPGALAXY:Pink Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "908cf62e-45cd-492b-bf12-d0902e12fece",
			"created_at": "2024-08-20T02:00:04.543947Z",
			"updated_at": "2026-04-10T02:00:03.68848Z",
			"deleted_at": null,
			"main_name": "UNC4393",
			"aliases": [
				"Storm-1811",
				"CURLY SPIDER",
				"STAC5777"
			],
			"source_name": "MISPGALAXY:UNC4393",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7d982d5b-3428-483c-8804-c3ab774f1861",
			"created_at": "2024-11-01T02:00:52.70975Z",
			"updated_at": "2026-04-10T02:00:05.357255Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"Agrius",
				"Pink Sandstorm",
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow"
			],
			"source_name": "MITRE:Agrius",
			"tools": [
				"NBTscan",
				"Mimikatz",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"DEADWOOD",
				"BFG Agonizer",
				"ASPXSpy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f63c346d-18c8-4821-a56d-fefb1ad7ed5d",
			"created_at": "2022-10-25T16:07:23.42507Z",
			"updated_at": "2026-04-10T02:00:04.593122Z",
			"deleted_at": null,
			"main_name": "Bronze Starlight",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"HighGround",
				"Operation ChattyGoblin",
				"SLIME34"
			],
			"source_name": "ETDA:Bronze Starlight",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"AtomSilo",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"HUI Loader",
				"Kaba",
				"Korplug",
				"LockFile",
				"Night Sky",
				"NightSky",
				"Pandora",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c69bcda3-0893-4ea1-9ec1-ae016332d283",
			"created_at": "2023-01-06T13:46:39.410593Z",
			"updated_at": "2026-04-10T02:00:03.317754Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"DEV-0401",
				"Cinnamon Tempest",
				"Emperor Dragonfly",
				"SLIME34"
			],
			"source_name": "MISPGALAXY:BRONZE STARLIGHT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "50fd5da4-c2f3-4a35-aebe-14f86fd567cb",
			"created_at": "2025-03-04T02:00:02.997969Z",
			"updated_at": "2026-04-10T02:00:03.813132Z",
			"deleted_at": null,
			"main_name": "UNC3973",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC3973",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3c864b3-fac9-4d56-8500-7c06c829fbf8",
			"created_at": "2023-01-06T13:46:39.071873Z",
			"updated_at": "2026-04-10T02:00:03.203749Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"GOLD VILLAGE",
				"Storm-0216",
				"DEV-0216",
				"UNC2198",
				"TUNNEL SPIDER",
				"Maze Team",
				"TWISTED SPIDER"
			],
			"source_name": "MISPGALAXY:TA2101",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2d3f35f-3b29-4509-bff5-af2638140d39",
			"created_at": "2022-10-25T16:07:23.633982Z",
			"updated_at": "2026-04-10T02:00:04.695802Z",
			"deleted_at": null,
			"main_name": "FIN12",
			"aliases": [],
			"source_name": "ETDA:FIN12",
			"tools": [
				"Agentemis",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"KEGTAP",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "84aa9dbe-e992-4dce-9d80-af3b2de058c0",
			"created_at": "2024-02-02T02:00:04.041676Z",
			"updated_at": "2026-04-10T02:00:03.537352Z",
			"deleted_at": null,
			"main_name": "Vanilla Tempest",
			"aliases": [
				"DEV-0832",
				"Vice Society"
			],
			"source_name": "MISPGALAXY:Vanilla Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d511e74b-96b8-4ab9-88d6-bc183351dbd8",
			"created_at": "2025-08-07T02:03:24.674685Z",
			"updated_at": "2026-04-10T02:00:03.800936Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"Cinnamon Tempest ",
				"DEV-0401 ",
				"Emperor Dragonfly "
			],
			"source_name": "Secureworks:BRONZE STARLIGHT",
			"tools": [
				"AtomSilo",
				"Cobalt Strike",
				"HUI Loader",
				"Impacket",
				"LockFile",
				"NightSky",
				"Pandora",
				"PlugX",
				"Rook"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "81e29474-63ad-4ce8-97db-b1712d5481d5",
			"created_at": "2024-04-24T02:00:49.570158Z",
			"updated_at": "2026-04-10T02:00:05.285111Z",
			"deleted_at": null,
			"main_name": "Cinnamon Tempest",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"Emperor Dragonfly",
				"BRONZE STARLIGHT"
			],
			"source_name": "MITRE:Cinnamon Tempest",
			"tools": [
				"Pandora",
				"PlugX",
				"Cheerscrypt",
				"Impacket",
				"Cobalt Strike",
				"HUI Loader",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434451,
	"ts_updated_at": 1775792271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/59d2688c5b2ef42b62922ccfc4b597e9cce7b1a2.pdf",
		"text": "https://archive.orkl.eu/59d2688c5b2ef42b62922ccfc4b597e9cce7b1a2.txt",
		"img": "https://archive.orkl.eu/59d2688c5b2ef42b62922ccfc4b597e9cce7b1a2.jpg"
	}
}