{
	"id": "0f458ddb-d834-441f-ae71-f411cb72df25",
	"created_at": "2026-04-06T01:32:13.314098Z",
	"updated_at": "2026-04-10T13:12:30.353382Z",
	"deleted_at": null,
	"sha1_hash": "5a810064d278fa2fcf1e50c53dd082b6e1c9eba3",
	"title": "HIDDEN COBRA – FASTCash Campaign | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 83027,
	"plain_text": "HIDDEN COBRA – FASTCash Campaign | CISA\r\nPublished: 2018-12-21 · Archived: 2026-04-06 00:52:35 UTC\r\nSystems Affected\r\nRetail Payment Systems\r\nOverview\r\nThis joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security\r\n(DHS), the Department of the Treasury (Treasury), and the Federal Bureau of Investigation (FBI). Working with\r\nU.S. government partners, DHS, Treasury, and FBI identified malware and other indicators of compromise (IOCs)\r\nused by the North Korean government in an Automated Teller Machine (ATM) cash-out scheme—referred to by\r\nthe U.S. Government as “FASTCash.” The U.S. Government refers to malicious cyber activity by the North\r\nKorean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit\r\nhttps://www.us-cert.gov/hiddencobra.\r\nFBI has high confidence that HIDDEN COBRA actors are using the IOCs listed in this report to maintain a\r\npresence on victims’ networks to enable network exploitation. DHS, FBI, and Treasury are distributing these IOCs\r\nto enable network defense and reduce exposure to North Korean government malicious cyber activity.\r\nThis TA also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and\r\ninformation on reporting incidents. If users or administrators detect activity associated with the malware families\r\nassociated with FASTCash, they should immediately flag it, report it to the DHS National Cybersecurity and\r\nCommunications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority\r\nfor enhanced mitigation.\r\nNCCIC conducted analysis on 10 malware samples related to this activity and produced a Malware Analysis\r\nReport (MAR). MAR-10201537, HIDDEN COBRA FASTCash-Related Malware, examines the tactics,\r\ntechniques, and procedures observed in the malware. 
Visit the MAR-10201537 page for the report and associated\r\nIOCs.\r\nSince at least late 2016, HIDDEN COBRA actors have used FASTCash tactics to target banks in Africa and Asia.\r\nAt the time of this TA’s publication, the U.S. Government has not confirmed any FASTCash incidents affecting\r\ninstitutions within the United States.\r\nFASTCash schemes remotely compromise payment switch application servers within banks to facilitate fraudulent\r\ntransactions. The U.S. Government assesses that HIDDEN COBRA actors will continue to use FASTCash tactics\r\nto target retail payment systems vulnerable to remote exploitation.\r\nAccording to a trusted partner’s estimation, HIDDEN COBRA actors have stolen tens of millions of dollars. In\r\none incident in 2017, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs located\r\nhttps://www.cisa.gov/uscert/ncas/alerts/TA18-275A\r\nPage 1 of 6\n\nin over 30 different countries. In another incident in 2018, HIDDEN COBRA actors enabled cash to be\r\nsimultaneously withdrawn from ATMs in 23 different countries.  \r\nHIDDEN COBRA actors target the retail payment system infrastructure within banks to enable fraudulent ATM\r\ncash withdrawals across national borders. HIDDEN COBRA actors have configured and deployed malware on\r\ncompromised switch application servers in order to intercept and reply to financial request messages with\r\nfraudulent but legitimate-looking affirmative response messages. 
Although the infection vector is unknown, all of\r\nthe compromised switch application servers were running unsupported IBM Advanced Interactive eXecutive\r\n(AIX) operating system versions beyond the end of their service pack support dates; there is no evidence\r\nHIDDEN COBRA actors successfully exploited the AIX operating system in these incidents.\r\nHIDDEN COBRA actors exploited the targeted systems by using their knowledge of International Standards\r\nOrganization (ISO) 8583—the standard for financial transaction messaging—and other tactics. HIDDEN COBRA\r\nactors most likely deployed ISO 8583 libraries on the targeted switch application servers. Malicious threat actors\r\nuse these libraries to help interpret financial request messages and properly construct fraudulent financial response\r\nmessages.\r\nFigure 1: Anatomy of a FASTCash scheme\r\nA review of log files showed HIDDEN COBRA actors making typos and actively correcting errors while\r\nconfiguring the targeted server for unauthorized activity. Based on analysis of the affected systems, analysts\r\nbelieve that malware—used by HIDDEN COBRA actors and explained in the Technical Details section below—\r\ninspected inbound financial request messages for specific primary account numbers (PANs). The malware\r\ngenerated fraudulent financial response messages only for the request messages that matched the expected PANs.\r\nMost accounts used to initiate the transactions had minimal account activity or zero balances.\r\nAnalysts believe HIDDEN COBRA actors blocked transaction messages to stop denial messages from leaving the\r\nswitch and used a GenerateResponse* function to approve the transactions. 
These response messages were\r\nlikely sent for specific PANs matched using CheckPan() verification (see figure 1 for additional details on\r\nCheckPan()).\r\nTechnical Details\r\nHIDDEN COBRA actors used malicious Windows executable applications, command-line utility applications, and\r\nother files in the FASTCash campaign to perform transactions and interact with financial systems, including the\r\nswitch application server. The initial infection vector used to compromise victim networks is unknown; however,\r\nanalysts surmise HIDDEN COBRA actors used spear-phishing emails in targeted attacks against bank employees.\r\nHIDDEN COBRA actors likely used Windows-based malware to explore a bank’s network to identify the\r\npayment switch application server. Although these threat actors used different malware in each known incident,\r\nstatic analysis of malware samples indicates similarities in malware capabilities and functionalities.\r\nHIDDEN COBRA actors likely used legitimate credentials to move laterally through a bank’s network and to\r\nillicitly access the switch application server. This pattern suggests compromised systems within a bank’s network\r\nwere used to access and compromise the targeted payment switch application server.\r\nUpon successful compromise of a bank’s payment switch application server, HIDDEN COBRA actors likely\r\ninjected malicious code into legitimate processes—using command-line utility applications on the payment switch\r\napplication server—to enable fraudulent behavior by the system in response to what would otherwise be normal\r\npayment switch application server activity. NCCIC collaborated with Symantec cybersecurity researchers to\r\nprovide additional context on existing analysis [1]. Malware samples analyzed included malicious AIX\r\nexecutable files intended for a proprietary UNIX operating system developed by IBM. 
The AIX executable files\r\nwere designed to inject malicious code into a currently running process. Two of the AIX executable files are\r\nconfigured with an export function, which allows malicious applications to perform transactions on financial\r\nsystems using the ISO 8583 standard. See MAR-10201537 for details on the files used. Figure 1 depicts the\r\npattern of fraudulent behavior.\r\nDuring analysis of log files associated with known FASTCash incidents, analysts identified the following\r\ncommonalities:\r\nExecution of .so (shared object) commands using the following pattern: /tmp/.ICE-unix/e \u003cPID\u003e\r\n/tmp.ICE-unix/\u003cfilename\u003em.so \u003cargument\u003e\r\nThe process identifier, filename, and argument varied between targeted institutions. The tmp\r\ndirectory typically contains the X Window System session information.\r\nExecution of the .so command, which contained a similar, but slightly different, command: ./sun\r\n\u003cPID\u003e/tmp/.ICE-unix/engine.so \u003cargument\u003e\r\nThe file is named sun and runs out of the /tmp/.ICE-unix directory.\r\nAdditionally, both commands use either the inject (mode 0) or eject (mode 1) argument with the following\r\nISO 8583 libraries:\r\nm.so [with argument “0” or “1”]\r\nm1.so [with argument “0” or “1”]\r\nm2.so [with argument “0” or “1”]\r\nm3.so [with argument “0” or “1”]\r\nDetection and Response\r\nNCCIC recommends administrators review bash history logs of all users with root privileges. Administrators can\r\nfind commands entered by users in the bash history logs; these would indicate the execution of malicious code on\r\nthe switch application server. Administrators should log and monitor all commands.\r\nThe U.S. 
Government recommends that network administrators review MAR-10201537 for IOCs related to the\r\nHIDDEN COBRA FASTCash campaign, identify whether any of the provided IOCs fall within their\r\norganization’s network, and—if found—take necessary measures to remove the malware.\r\nImpact\r\nA successful network intrusion can have severe impacts, particularly if the compromise becomes public. Possible\r\nimpacts to the affected organization include:\r\nTemporary or permanent loss of sensitive or proprietary information,\r\nDisruption to regular operations,\r\nFinancial costs to restore systems and files, and\r\nPotential harm to an organization’s reputation.\r\nSolution\r\nMitigation Recommendations for Institutions with Retail Payment Systems\r\nRequire Chip and Personal Identification Number Cryptogram Validation\r\nImplement chip and Personal Identification Number (PIN) requirements for debit cards.\r\nValidate card-generated authorization request cryptograms.\r\nUse issuer-generated authorization response cryptograms for response messages.\r\nRequire card-generated authorization response cryptogram validation to verify legitimate response\r\nmessages. 
\r\nIsolate Payment System Infrastructure\r\nRequire two-factor authentication before any user can access the switch application server.\r\nVerify that perimeter security controls prevent internet hosts from accessing the private network\r\ninfrastructure servicing your payment switch application server.\r\nVerify that perimeter security controls prevent all hosts outside of authorized endpoints from accessing\r\nyour system.\r\nLogically Segregate Operating Environments\r\nUse firewalls to divide operating environments into enclaves.\r\nUse Access Control Lists (ACLs) to permit or deny specific traffic from flowing between those enclaves.\r\nGive special considerations to enclaves holding sensitive information (e.g., card management systems)\r\nfrom enclaves requiring internet connectivity (e.g., email).\r\nEncrypt Data in Transit\r\nSecure all links to payment system engines with a certificate-based mechanism, such as mutual transport\r\nlayer security, for all traffic external or internal to the organization.\r\nLimit the number of certificates used on the production server, and restrict access to those certificates.\r\nMonitor for Anomalous Behavior as Part of Layered Security\r\nConfigure the switch application server to log transactions. Routinely audit transactions and system logs.\r\nDevelop a baseline of expected software, users, and logons. Monitor switch application servers for unusual\r\nsoftware installations, updates, account changes, or other activity outside of expected behavior.\r\nDevelop a baseline of expected transaction participants, amounts, frequency, and timing. 
Monitor and flag\r\nanomalous transactions for suspected fraudulent activity.\r\nRecommendations for Organizations with ATM or Point-of-Sale Devices\r\nImplement chip and PIN requirements for debit cards.\r\nRequire and verify message authentication codes on issuer financial request response messages.\r\nPerform authorization response cryptogram validation for Europay, Mastercard, and Visa transactions.\r\nMitigation Recommendations for All Organizations\r\nNCCIC encourages users and administrators to use the following best practices to strengthen the security posture\r\nof their organization’s systems:\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable file and printer sharing services. If these services are required, use strong passwords or Active\r\nDirectory authentication.\r\nRestrict users’ ability (i.e., permissions) to install and run unwanted software applications. 
Do not add users\r\nto the local administrators group unless required.\r\nEnforce a strong password policy and require regular password changes.\r\nExercise caution when opening email attachments, even if the attachment is expected and the sender\r\nappears to be known.\r\nEnable a personal firewall on organization workstations, and configure it to deny unsolicited connection\r\nrequests.\r\nDisable unnecessary services on organization workstations and servers.\r\nScan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type”\r\n(i.e., the extension matches the file header).\r\nMonitor users’ web browsing habits; restrict access to sites with content that could pose cybersecurity\r\nrisks.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).\r\nScan all software downloaded from the internet before executing.\r\nMaintain situational awareness of the latest cybersecurity threats.\r\nImplement appropriate ACLs.\r\nFor additional information on malware incident prevention and handling, see the National Institute of Standards\r\nand Technology (NIST) Special Publication (SP) 800-83: Guide to Malware Incident Prevention and Handling for\r\nDesktops and Laptops.[2]\r\nResponse to Unauthorized Network Access\r\nContact DHS or your local FBI office immediately. 
To report an intrusion and request resources for incident\r\nresponse or technical assistance, contact CISA Central (SayCISA@cisa.dhs.gov or 1-844-Say-CISA), FBI\r\nthrough a local field office, or the FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).\r\nReferences\r\n[1] Symantec: FASTCash: How the Lazarus Group is Emptying Millions from ATMs\r\nRevisions\r\nOctober 2, 2018: Initial version; December 21, 2018: Added link to Symantec blog\r\nSource: https://www.cisa.gov/uscert/ncas/alerts/TA18-275A",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cisa.gov/uscert/ncas/alerts/TA18-275A"
	],
	"report_names": [
		"TA18-275A"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "679e335a-38a4-4db9-8fdf-a48c17a1f5e6",
			"created_at": "2023-01-06T13:46:38.820429Z",
			"updated_at": "2026-04-10T02:00:03.112131Z",
			"deleted_at": null,
			"main_name": "FASTCash",
			"aliases": [],
			"source_name": "MISPGALAXY:FASTCash",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439133,
	"ts_updated_at": 1775826750,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5a810064d278fa2fcf1e50c53dd082b6e1c9eba3.pdf",
		"text": "https://archive.orkl.eu/5a810064d278fa2fcf1e50c53dd082b6e1c9eba3.txt",
		"img": "https://archive.orkl.eu/5a810064d278fa2fcf1e50c53dd082b6e1c9eba3.jpg"
	}
}