{
	"id": "2cb8af9a-cbe6-404a-8bd0-1d111d459d9b",
	"created_at": "2026-04-06T00:08:34.378894Z",
	"updated_at": "2026-04-10T13:12:31.710166Z",
	"deleted_at": null,
	"sha1_hash": "59ff75a5a991916b36aec3c63d46cc9cb2e9f6e0",
	"title": "AllaKore (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64322,
	"plain_text": "AllaKore (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-02 12:28:34 UTC\r\nAllaKore\r\nAllaKore is a simple Remote Access Tool written in Delphi, first observed in 2015 but still in early stages of\r\ndevelopment. It implements the RFB protocol which uses frame buffers and thus is able to send back only the\r\nchanges of screen frames to the controller, speeding up the transport and visualization control.\r\nReferences\r\n2025-08-11 ⋅ cocomelonc ⋅\r\nMalware development trick 49: abusing Azure DevOps REST API for covert data channels. Simple C\r\nexamples.\r\nAllaKore\r\n2025-07-18 ⋅ Arctic Wolf ⋅ Arctic Wolf Labs Team\r\nGreedy Sponge Targets Mexico with AllaKore RAT and SystemBC\r\nAllaKore SystemBC\r\n2024-07-25 ⋅ Seqrite ⋅ Sathwik Ram Prakki\r\nUmbrella of Pakistani Threats: Converging Tactics of Cyber-operations Targeting India\r\nDISGOMOJI Poseidon Action RAT AllaKore ReverseRAT\r\n2024-05-28 ⋅ HarfangLab ⋅ HarfangLab CTR\r\nAllaSenha: AllaKore variant leverages Azure cloud C2 to steal banking details in Latin America\r\nAllaKore AllaSenha\r\n2024-04-24 ⋅ Seqrite ⋅ Sathwik Ram Prakki\r\nPakistani APTs Escalate Attacks on Indian Gov. 
Seqrite Labs Unveils Threats and Connections\r\nAllaKore Crimson RAT\r\n2023-11-06 ⋅ Seqrite ⋅ Sathwik Ram Prakki\r\nSideCopy’s Multi-platform Onslaught: Leveraging WinRAR Zero-Day and Linux Variant of Ares RAT\r\nAction RAT AllaKore\r\n2023-04-19 ⋅ Team Cymru ⋅ S2 Research Team\r\nAllaKore(d) the SideCopy Train\r\nAllaKore\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.allakore\r\nPage 1 of 3\n\n2023-01-01 ⋅ ThreatMon ⋅ Seyit Sigirci (@h3xecute), ThreatMon Malware Research Team\r\nThe Anatomy of a Sidecopy Attack: From RAR Exploits to AllaKore RAT\r\nAllaKore\r\n2021-10-26 ⋅ Kaspersky ⋅ Kaspersky Lab ICS CERT\r\nAPT attacks on industrial organizations in H1 2021\r\n8.t Dropper AllaKore AsyncRAT GoldMax LimeRAT NjRAT NoxPlayer Raindrop ReverseRAT ShadowPad\r\nZebrocy\r\n2021-07-07 ⋅ Talos ⋅ Asheer Malhotra, Justin Thattil\r\nInSideCopy: How this APT continues to evolve its arsenal (Network IOCs)\r\nAllaKore Lilith NjRAT\r\n2021-07-07 ⋅ Talos ⋅ Asheer Malhotra, Justin Thattil\r\nInSideCopy: How this APT continues to evolve its arsenal (IOCs)\r\nAllaKore Lilith NjRAT\r\n2021-07-07 ⋅ Talos ⋅ Asheer Malhotra, Justin Thattil\r\nInSideCopy: How this APT continues to evolve its arsenal\r\nAllaKore Lilith NjRAT\r\n2021-07-07 ⋅ Talos Intelligence ⋅ Asheer Malhotra, Justin Thattil\r\nInSideCopy: How this APT continues to evolve its arsenal\r\nAllaKore NjRAT SideCopy\r\n2021-07-02 ⋅ Cisco ⋅ Asheer Malhotra, Justin Thattil\r\nInSideCopy: How this APT continues to evolve its arsenal\r\nAllaKore CetaRAT Lilith NjRAT ReverseRAT\r\n2020-09-23 ⋅ Seqrite ⋅ Goutam Tripathy, Kalpesh Mantri, Pawan CHaudhari\r\nOperation SideCopy: An insight into Transparent Tribe’s sub-division which has been incorrectly attributed for\r\nyears\r\nCACTUSTORCH AllaKore\r\n2019-12-31 ⋅ Twitter (@_re_fox) ⋅ _re_fox\r\nTweet on AllaKore indicators\r\nAllaKore\r\n2019-07-08 ⋅ Medium Sebdraven ⋅ Sébastien Larinier\r\nCopy cat of APT Sidewinder ?\r\nAllaKore SideCopy\r\n2015-10-19 ⋅ Github 
(Anderson-D) ⋅ Anderson D\r\nGithub Repository for AllaKore\r\nAllaKore\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.allakore",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.allakore"
	],
	"report_names": [
		"win.allakore"
	],
	"threat_actors": [
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434114,
	"ts_updated_at": 1775826751,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/59ff75a5a991916b36aec3c63d46cc9cb2e9f6e0.pdf",
		"text": "https://archive.orkl.eu/59ff75a5a991916b36aec3c63d46cc9cb2e9f6e0.txt",
		"img": "https://archive.orkl.eu/59ff75a5a991916b36aec3c63d46cc9cb2e9f6e0.jpg"
	}
}