{
	"id": "7dba5bf7-d2fb-4fbe-b775-b9eaa32ff72e",
	"created_at": "2026-04-06T01:32:17.349738Z",
	"updated_at": "2026-04-10T03:38:20.669624Z",
	"deleted_at": null,
	"sha1_hash": "5a575e6b0c6ea55f080287e5278d9b413c651c37",
	"title": "Who wasn’t responsible for Olympic Destroyer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1042987,
	"plain_text": "Who wasn’t responsible for Olympic Destroyer\r\nPaul Rascagnères \u0026 Warren Mercer\r\nCisco Talos, USA\r\nCopyright © 2018 Virus Bulletin\r\nAbstract\r\nThis year’s Winter Olympic Games took place in Pyeongchang, South Korea. Several media outlets reported that\r\ntechnical issues – believed to be caused by a cyber attack – had occurred during the opening ceremony. In this\r\npaper we will present the malware that we have identified – with moderate confidence – as having been used in\r\nthe attack. First, we will describe the malware’s propagation techniques and its destructive capabilities. The\r\nsecond part of the paper will be about attribution and how, in this particular case, the attacker included several\r\nfalse flags in order to point to other well-known threat actors. We will conclude by opening a discussion about\r\nhow hard attribution can be, and presenting our view concerning the future of this discipline.\r\nIntroduction\r\nIn February 2018, the Olympic Games in Pyeongchang, South Korea were disrupted by a cyber attack.\r\nReportedly, the attack resulted in the official Olympic Games website being taken offline, meaning that spectators\r\ncould not print their tickets. Media reporting at the opening ceremony of the Games was also impaired due to the\r\nWi-Fi failing within the Olympic Media Centre. On 12 February, Talos published a blog post [1] detailing the\r\nfunctionality of the malware that we had identified with high confidence as having been used in the attack.
We\r\nnamed the malware Olympic Destroyer.\r\nThis attack gained traction through the press, and several different media outlets published conflicting stories in\r\nrelation to attribution.\r\nhttps://www.virusbulletin.com/virusbulletin/2018/10/vb2018-paper-who-wasnt-responsible-olympic-destroyer/\r\nPage 1 of 17\n\nFigure 1: Different media outlets published conflicting stories in relation to attribution.\r\nIn the first part of this paper we will provide technical details of Olympic Destroyer, the wiper involved in the\r\ncase, and in the second part we will discuss the attribution. Indeed, the malware did not write itself and the incident\r\ndid not happen by accident, but who was responsible?\r\nPart one: technical analysis\r\nInitial sample\r\nThe initial sample (edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9) is a binary that,\r\nwhen executed, drops multiple files onto the victim host. These files are embedded as obfuscated resources within\r\nthe binary. The embedded files have randomly generated file names; however, we found during our analysis that,\r\nwhen written to disk, the hashes of these files were the same on multiple instances. As a binary file, the initial\r\nsample could have been delivered in a multitude of ways – the most likely is via a spear-phishing email with\r\nOlympic Destroyer as a malicious attachment.\r\nTwo of the dropped files (the stealing modules) are executed with two arguments: 123 and a named pipe. The\r\nnamed pipe is used as a communication channel between the initial stage and the dropped executable. The same\r\ntechnique was used in BadRabbit and Nyetya.\r\nThe initial stage is responsible for propagation. Network discovery is performed using two techniques:\r\nChecking the ARP table with the Windows GetIPNetTable API\r\nUsing WMI (using WQL) with the request: SELECT ds_cn FROM ds_computer.
This request attempts to\r\nlist all the systems within the current environment/directory.\r\nThe network propagation is performed using PsExec and WMI (via the Win32_Process class). Figure 2 shows the\r\ncode executed remotely.\r\nFigure 2: Code executed remotely.\r\nThis code is responsible for leveraging cmd.exe to copy the initial stage to a remote system in\r\n%ProgramData%\\%COMPUTERNAME%.exe and executing it via a VBScript.\r\nLateral movement within an environment is achieved in a number of ways. Generally speaking, there will either\r\nbe one or more exploits used to allow remote code execution without credentials, or we will see credentials/tokens\r\nbeing used within a piece of malware. These credentials/tokens may either already be known or they may be\r\nharvested during infection. With Olympic Destroyer we see the use of on-the-fly patching for credentials. Olympic\r\nDestroyer obtains these credentials from the infected systems, both previously compromised and currently\r\ncompromised, to hard-code a set of credentials into the binary to allow lateral movement. The binary contains 32k\r\nbytes of space, located from offset 0x26F1A to offset 0x2EF1A, to allow for the patching of these credentials.\r\nTalos identified 44 unique credentials within the samples analysed relating to Olympic Destroyer.\r\nFigure 3: Talos identified 44 unique credentials within the samples analysed.\r\nThe burning question is: how did Olympic Destroyer obtain those credentials? The embedded resources\r\nmentioned earlier contain a couple of different credential-stealing modules.\r\nCredential harvesting\r\nTo obtain the credentials Olympic Destroyer uses a browser stealer and a system stealer.
This means that Olympic\r\nDestroyer attempts to harvest both from the browsers and from the operating system on the victim machine.\r\nOlympic Destroyer drops a browser credential stealer with the final payload embedded in an obfuscated resource.\r\nAs mentioned previously, the sample must have two arguments to be executed. The stealer supports Internet\r\nExplorer, Firefox and Chrome. The malware parses the registry and queries the SQLite file in order to retrieve\r\nstored credentials. SQLite is embedded in the sample.\r\nFigure 4: SQLite is embedded in the sample.\r\nIn addition to the browser credential stealer, Olympic Destroyer drops and executes a system stealer. The system\r\nstealer attempts to obtain credentials from LSASS with a technique similar to that used by Mimikatz. Figure 5\r\nshows the output format parsed by the initial stage.\r\nFigure 5: Output format parsed by the initial stage.\r\nUsing these two methods the malware is able to obtain additional credentials to support further lateral movement\r\nwithin the environment.\r\nDestruction\r\nThe initial execution of the malware results in multiple files being written to disk, as discussed. Following this, the\r\nmalware begins its destruction element. By leveraging cmd.exe from the host the malware first deletes all possible\r\nshadow copies on the system using vssadmin:\r\nC:\\Windows\\system32\\cmd.exe /c c:\\Windows\\system32\\vssadmin.exe delete shadows /all /quiet\r\nNext, once again leveraging cmd.exe on the host, we see the author using wbadmin.exe.
For those not familiar\r\nwith wbadmin, this is the replacement for ntbackup on modern operating systems:\r\nC:\\Windows\\system32\\cmd.exe /c wbadmin.exe delete catalog -quiet\r\nThis step is carried out to ensure that file recovery is not trivial – WBAdmin can be used to recover individual\r\nfiles, folders and even whole drives, so this would be a very convenient tool for a sysadmin to use to aid recovery.\r\nThe next step the attacker takes in this destructive path is once again to leverage cmd.exe, but this time using\r\nbcdedit, a tool for managing boot configuration data, to ensure that the Windows recovery console does not\r\nattempt to repair anything on the host:\r\nC:\\Windows\\system32\\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures \u0026 bcdedi\r\nThe attacker has now attempted to make recovery extremely difficult for any impacted hosts. To further cover the\r\nmalware’s tracks and make analysis more difficult, the System and Security Windows event logs are deleted:\r\nC:\\Windows\\system32\\cmd.exe /c wevtutil.exe cl System\r\nC:\\Windows\\system32\\cmd.exe /c wevtutil.exe cl Security\r\nWiping all available methods of recovery shows that this attacker had no intention of leaving the infected machine\r\nusable. The purpose of this malware is to perform destruction of the host, leave the computer system offline, and\r\nwipe remote data.
We can see these functions within the Olympic Destroyer sample in Figure 6.\r\nFigure 6: The purpose of this malware is to perform destruction of the host, leave the computer system offline, and\r\nwipe remote data.\r\nTo finish its destructive phase Olympic Destroyer then disables all available Windows services.\r\nThe malware uses the ChangeServiceConfigW API to change the start type to 4, which means: ‘Disabled: Specifies\r\nthat the service should not be started’ (see Figure 7).\r\nFigure 7: The malware uses the ChangeServiceConfigW API to change the start type to 4.\r\nAdditionally, the malware lists mapped file shares and, for each share, it will wipe the writable files (using either\r\nuninitialized data or 0x00 depending on the file size). The purpose is to destroy the files as quickly as possible.\r\nWith this method, the malware can cause as much disruption in as little time as possible.\r\nFinally, after modifying all the system configuration, the destroyer shuts down the compromised system.\r\nLegitimate file\r\nOlympic Destroyer also drops the legitimate, digitally signed PsExec file in order to perform lateral movement.\r\nThe use of this legitimate tool from Microsoft is an example of an attacker leveraging legitimate tools within their\r\narsenal. Using legitimate tools like PsExec will save the adversary time by eliminating the need to write their own\r\ntooling.
A free alternative they can wrap up within their malware is a much easier option in this instance.\r\nGlobal workflow\r\nFigure 8 presents a summary of the global workflow of the malware, starting with the initial stage (Winlogon.exe)\r\nand the different modules.\r\nFigure 8: Summary of the global workflow.\r\nPart two: attribution, or who wasn’t responsible\r\nAttributing attacks to specific malware writers or threat actor groups is neither simple nor an exact science. Many\r\nparameters must be considered, analysed and compared with previous attacks in order to identify similarities. As\r\nwith any crime, cybercriminals have preferred techniques, and tend to leave behind traces, akin to digital\r\nfingerprints, which can be found and linked to other crimes.\r\nIn terms of cybersecurity incidents, analysts would look for similarities or attributes such as:\r\nTactics, techniques and procedures (TTPs) (how the attacker conducted the attack)\r\nVictimology (the profile of the victim)\r\nInfrastructure (the platforms used as part of the attack)\r\nIndicators of Compromise (IOCs) (identifiable artifacts left behind during an attack)\r\nMalware samples (the malware used as part of the attack)\r\nOne of the great things about software engineering is the ability to share code, to build applications on top of\r\nlibraries written by others, and to learn from the successes and failures of other software engineers. The same is\r\ntrue for threat actors. Two different threat actors may use code from the same source in their attacks, meaning that\r\ntheir attacks would display similarities, despite being conducted by different groups.
Sometimes threat actors\r\nchoose to include features from another group in order to frustrate analysts and try to lead them to make a false\r\nattribution.\r\nIn the case of Olympic Destroyer, what is the evidence, and what conclusions can we draw regarding attribution?\r\nWithout contributions from traditional intelligence capacities, the available evidence linking the Olympic\r\nDestroyer malware to a specific threat actor group is contradictory, and does not allow for unambiguous\r\nattribution. The threat actor responsible for the attack has purposefully included evidence to frustrate analysts and\r\nlead researchers to false attribution flags. Attribution, while headline-grabbing, is difficult. This must force one to\r\nquestion attribution that is purely software-based.\r\nOlympic Destroyer lineup of suspects\r\nThe Lazarus group\r\nThe Lazarus group, also referred to as Group 77, is a sophisticated threat actor that has been associated with a\r\nnumber of attacks. Notably, a spinoff of Lazarus, referred to as the Bluenoroff group, has been identified as having\r\nconducted attacks against the SWIFT infrastructure in a bank located in Bangladesh.\r\nThe filename convention used in the SWIFT malware, as described by BAE Systems [2], was: evtdiag.exe,\r\nevtsys.exe and evtchk.bat.\r\nThe Olympic Destroyer malware checks for the existence of the following file: %programdata%\\evtchk.txt.\r\nThere is a clear similarity in the two cases. This is nowhere near proof, but it is a clue, albeit a weak one.\r\nFurther clues are found in similarities between Olympic Destroyer and the wiper malware associated with\r\nBluenoroff, again described by BAE Systems [3].
In the example shown in Figure 9, the Bluenoroff wiper is on the\r\nleft, and the Olympic Destroyer wiper on the right.\r\nFigure 9: Left: Bluenoroff wiper; right: Olympic Destroyer wiper.\r\nClearly, the code is not identical, but the very specific logic of wiping only the first 0x1000 bytes of large files is\r\nidentical and unique to the two cases. This is stronger evidence than the file name check.\r\nHowever, both the file names used by Bluenoroff and the wiper function are documented and available to anyone.\r\nThe real culprits could have added the file name check and mimicked the wiper function simply in order to\r\nimplicate the Lazarus group and potentially distract from their true identity.\r\nOlympic Destroyer sample: 23e5bb2369080a47df8284e666cac7cafc207f3472474a9149f88c1a4fd7a9b0\r\nBluenoroff sample #1: ae086350239380f56470c19d6a200f7d251c7422c7bc5ce74730ee8bab8e6283\r\nBluenoroff sample #2: 5b7c970fee7ebe08d50665f278d47d0e34c04acc19a91838de6a3fc63a8e5630\r\nKaspersky Lab identified [4] another link between Olympic Destroyer and samples used for the SWIFT attacks.\r\nThis link is located in the header of the samples, more specifically in the Rich header. Indeed, the Rich headers of\r\nthe Olympic Destroyer sample and Bluenoroff sample #1 are identical. The checksum (and XOR key) located\r\nafter the ‘Rich’ magic value is exactly the same (see Figures 10 and 11).\r\nFigure 10: Olympic Destroyer. ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85.\r\nFigure 11: Bluenoroff.
ae086350239380f56470c19d6a200f7d251c7422c7bc5ce74730ee8bab8e6283.\r\nIf we look at the information stored in this header, we can see that the compiler is Visual Studio 2003. This\r\ninformation is true concerning the Bluenoroff sample; however, if we look closely at the Olympic Destroyer\r\nsample, it’s wrong: based on the Universal C Runtime (CRT), Olympic Destroyer was compiled with Visual Studio\r\n2010. The author simply copied and pasted the header from Bluenoroff to Olympic Destroyer. This action is\r\nstrange and extremely specific – an actor has gone out of their way to perform this action. The tools that use code\r\nsimilarities generally ignore the Rich header and only work on the subsequent code.\r\nAPT3 \u0026 APT10\r\nIntezer Labs [5] identified code sharing between Olympic Destroyer and malware used in attacks attributed to the\r\nAPT3 and APT10 groups.\r\nIntezer Labs discovered that Olympic Destroyer shares 18.5% of its code with a tool used by APT3 to steal\r\ncredentials from memory. Potentially, this is a very strong clue. However, the APT3 tool is, in turn, based on the\r\nopen-source tool Mimikatz. Since Mimikatz is available for download by anyone, it is entirely possible that the\r\nauthor of Olympic Destroyer used code derived from Mimikatz, knowing that it had been used by other malware\r\nwriters.\r\nIntezer Labs also spotted similarities between the function used by Olympic Destroyer to generate AES keys and that\r\nused by APT10. According to Intezer Labs, this particular function has only ever been used by APT10. Maybe the\r\nmalware writer has let slip a possible vital clue to their identity.\r\nNyetya\r\nThe use of code derived from Mimikatz to steal credentials was also seen in the Nyetya [6] (NotPetya) malware of\r\nJune 2017.
Like Nyetya, Olympic Destroyer spread laterally by abusing the legitimate functions of PsExec and\r\nWMI. Like Nyetya, Olympic Destroyer uses a named pipe to send stolen credentials to the main module.\r\nUnlike Nyetya, Olympic Destroyer didn’t use the EternalBlue and EternalRomance exploits for propagation.\r\nHowever, the perpetrator has left artifacts within the Olympic Destroyer source code to insinuate the presence of\r\nSMB exploits.\r\nOlympic Destroyer includes the definition of four structures, as shown in Figure 12, that can also be found\r\nin the public EternalBlue proof of concept [7], as shown in Figure 13.\r\nFigure 12: Olympic Destroyer includes the definition of four structures that are also found in the EternalBlue\r\nproof of concept.\r\nFigure 13: Public EternalBlue proof of concept.\r\nThese structures are loaded during runtime, when Olympic Destroyer is executed, but remain unused. Clearly, the\r\nauthor knew of the EternalBlue PoC, but the reason why these structures are present is unclear. It’s likely the\r\nauthor wanted to lay a trap for security analysts to provoke a false attribution. Alternatively, we could be seeing\r\nthe traces of functionality which never made it into the final malware.\r\nConclusion\r\nAttribution is hard. Rarely do analysts reach the level of evidence that would lead to a conviction in a courtroom.\r\nMany were quick to jump to conclusions, and to attribute Olympic Destroyer to specific groups. However, the\r\nbasis for such accusations is frequently weak.
Now that we are seeing malware authors placing multiple false\r\nflags in their code, attribution based on malware samples alone has become even more difficult.\r\nFor the threat actors considered, and with the evidence which we have available, there is no clear smoking gun\r\nindicating a guilty party. Other security analysts and investigative bodies may have further evidence to which we\r\ndo not have access. Organizations with additional evidence, such as signals intelligence or human intelligence\r\nsources, which may provide significant clues to attribution, may be the least likely to share their insights so as not\r\nto betray the nature of their intelligence-gathering operation.\r\nThe attack which we believe Olympic Destroyer to have been associated with was clearly an audacious one,\r\nalmost certainly conducted by a threat actor with a certain level of sophistication who did not believe that they\r\nwould easily be identified and held accountable.\r\nCode sharing between threat actors is to be expected. Open-source tools are a useful source of functionality, and\r\nadopting techniques from successful attacks conducted by other groups is likely to be a source of misleading\r\nevidence leading to false attribution.\r\nEqually, we can expect sophisticated threat actors to take advantage of this, and to integrate ‘evidence’ into their\r\ncode that is designed to fool analysts, leading the analysts to attribute the attacks to other groups. It is likely that\r\nthreat actors take pleasure in reading incorrect information published by security analysts. This could even be\r\ntaken to the extreme of a country denying an attack based upon evidence presented by an unwitting third party due\r\nto false attribution. Every time there is misattribution it gives adversaries something to hide behind.
In this\r\nheightened era of fake news, attribution is a highly sensitive issue.\r\nAs their skills and techniques evolve, it is likely that we will see threat actors further adopting ruses to complicate\r\nand confuse the process of attribution. Attribution is already difficult. It is unlikely to become easier.\r\nReferences\r\n[1] Mercer, W.; Rascagneres, P. Olympic Destroyer Takes Aim At Winter Olympics. Talos Intelligence blog. 12\r\nFebruary 2018. https://blog.talosintelligence.com/2018/02/olympic-destroyer.html.\r\n[2] Shevchenko, S. Two bytes to $951M. BAE Systems Threat Research Blog. 25 April 2016.\r\nhttps://baesystemsai.blogspot.com/2016/04/two-bytes-to-951m.html.\r\n[3] Shevchenko, S. Cyber heist attribution. BAE Systems Threat Research Blog. 13 May 2016.\r\nhttps://baesystemsai.blogspot.com/2016/05/cyber-heist-attribution.html.\r\n[4] The devil’s in the Rich header. Kaspersky Lab SecureList. 8 March 2018. https://securelist.com/the-devils-in-the-rich-header/84348/.\r\n[5] Rosenberg, J. 2018 Winter Cyber Olympics: Code Similarities with Cyber Attacks in Pyeongchang. Intezer\r\nBlog Cybersecurity DNA. 12 February 2018. http://www.intezer.com/2018-winter-cyber-olympics-code-similarities-cyber-attacks-pyeongchang/.\r\n[6] Chiu, A. New Ransomware Variant “Nyetya” Compromises Systems Worldwide. Talos Blog. 27 June 2017.\r\nhttps://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html.\r\n[7] GitHub. MS17-010/zzz_exploit.py. https://github.com/worawit/MS17-010/blob/master/zzz_exploit.py.\r\nSource: https://www.virusbulletin.com/virusbulletin/2018/10/vb2018-paper-who-wasnt-responsible-olympic-destroyer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.virusbulletin.com/virusbulletin/2018/10/vb2018-paper-who-wasnt-responsible-olympic-destroyer/"
	],
	"report_names": [
		"vb2018-paper-who-wasnt-responsible-olympic-destroyer"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "13354d3f-3f40-44ec-b42a-3cda18809005",
			"created_at": "2022-10-25T15:50:23.275272Z",
			"updated_at": "2026-04-10T02:00:05.36519Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"APT3",
				"Gothic Panda",
				"Pirpi",
				"UPS Team",
				"Buckeye",
				"Threat Group-0110",
				"TG-0110"
			],
			"source_name": "MITRE:APT3",
			"tools": [
				"OSInfo",
				"schtasks",
				"PlugX",
				"LaZagne",
				"SHOTPUT",
				"RemoteCMD"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4",
			"created_at": "2023-01-06T13:46:38.269054Z",
			"updated_at": "2026-04-10T02:00:02.90356Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"GOTHIC PANDA",
				"TG-0110",
				"Buckeye",
				"Group 6",
				"Boyusec",
				"BORON",
				"BRONZE MAYFAIR",
				"Red Sylvan",
				"Brocade Typhoon"
			],
			"source_name": "MISPGALAXY:APT3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cf826655-5fcb-4331-bdc5-5ef267db9d3c",
			"created_at": "2025-08-07T02:03:24.631402Z",
			"updated_at": "2026-04-10T02:00:03.608938Z",
			"deleted_at": null,
			"main_name": "BRONZE MAYFAIR",
			"aliases": [
				"APT3 ",
				"Gothic Panda ",
				"Pirpi",
				"TG-0110 ",
				"UPSTeam"
			],
			"source_name": "Secureworks:BRONZE MAYFAIR",
			"tools": [
				"Cookiecutter",
				"HUC Proxy Malware (Htran)",
				"Pirpi",
				"PlugX",
				"SplitVPN",
				"UPS",
				"ctt",
				"ctx"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439137,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5a575e6b0c6ea55f080287e5278d9b413c651c37.pdf",
		"text": "https://archive.orkl.eu/5a575e6b0c6ea55f080287e5278d9b413c651c37.txt",
		"img": "https://archive.orkl.eu/5a575e6b0c6ea55f080287e5278d9b413c651c37.jpg"
	}
}