{
	"id": "afd8a788-4da6-4b3d-a014-c0222f71e99d",
	"created_at": "2026-04-06T00:19:50.353008Z",
	"updated_at": "2026-04-10T03:37:04.154994Z",
	"deleted_at": null,
	"sha1_hash": "5b8cb7f9b2f54e602fe7f3243a21e710bc628227",
	"title": "Hunt.io Insights: Gamaredon’s Flux-Like Infrastructure and a Look at Recent ShadowPad Activity",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 12414274,
	"plain_text": "Hunt.io Insights: Gamaredon’s Flux-Like Infrastructure and a\r\nLook at Recent ShadowPad Activity\r\nPublished: 2025-04-08 · Archived: 2026-04-05 20:31:27 UTC\r\nAs part of our ongoing research into internet-facing infrastructure, Hunt.io regularly surfaces indicators tied to\r\nknown malware families, legitimate security testing tools, and state-linked threat activity. This visibility allows us\r\nto identify patterns in how attacker-controlled infrastructure is configured, rotated, and positioned in preparation\r\nfor, or in parallel with, operational use.\r\nIn this post, we share recent observations from two distinct infrastructure clusters linked to state-sponsored groups\r\nsuspected of operating out of Russia and China:\r\nA large number of .ru domains registered through REGRU-RU and associated with\r\nGamaredon, which have shown flux-like DNS behavior over time.\r\nA group of servers linked through a shared TLS certificate, including one that was recently identified\r\ncommunicating with the ShadowPad backdoor. The infrastructure has several characteristics that overlap\r\nwith RedFoxtrot/Nomad Panda.\r\nUnderstanding how adversaries administer their malicious networks can be just as important as analyzing the\r\nmalware those networks support. The following sections highlight what we've surfaced through internet-wide scanning.\r\nGamaredon: Flux-Like Infrastructure and Operational Patterns\r\nGamaredon, also tracked as Primitive Bear, is a Russian state-linked threat actor active since at least 2013. The\r\ngroup has primarily set its sights on the Ukrainian government and civil society organizations but has also\r\ntargeted Western government entities, organizations in Africa, and NATO member states through phishing campaigns. 
Gamaredon\r\nhas also been reported using fast flux-style DNS behavior to obscure and maintain its infrastructure.\r\nUnderstanding Fast Flux\r\nFast flux is a DNS technique used to obscure the infrastructure behind a domain by rapidly rotating the associated\r\nIP addresses. Domain Generation Algorithms (DGAs) are often used alongside it, generating large numbers of\r\ndisposable domains to further complicate attribution and takedown.\r\nOne of the earliest examples of fast flux used in a malicious manner was by the Storm Worm botnet in 2007.\r\nTwo core implementations include:\r\nSingle Flux: a domain resolves to a changing set of IP addresses, while the nameservers remain static. This\r\nprovides operational control while allowing the backend infrastructure to shift rapidly.\r\nhttps://hunt.io/blog/state-sponsored-activity-gamaredon-shadowpad\r\nPage 1 of 10\n\nDouble Flux: both the domain's A records and its authoritative nameservers rotate frequently. This adds a\r\nsecond layer of indirection, making infrastructure takedown significantly harder.\r\nWhile similar DNS behaviors exist in legitimate technologies like CDNs and load balancing, their use in attacker\r\ninfrastructure often reflects different priorities: stealth, redundancy, and evasion.\r\nFor defenders, identifying these patterns through DNS anomaly detection, infrastructure clustering, and threat\r\nintelligence correlation can provide early visibility into domains likely to support phishing, malware staging, or\r\ncommand-and-control activity.\r\nObserved Trends: Domain Usage, Hosting Trends, and DNS Behavior\r\nGamaredon continues to operate a wide infrastructure footprint, relying heavily on .ru domains registered through\r\nREGRU-RU. Between March 31 and April 7, Hunt.io scanners identified over 30 servers linked to the group.\r\nThe majority were hosted by DigitalOcean, with BL Networks accounting for a number of the IPs that had resolving\r\ndomains. 
This reinforces previous reporting that the actors rely on VPS providers.\r\nFigure 1: Snapshot of IP addresses detected as being associated with Gamaredon in Hunt.\r\nIn addition to tracking domain and IP relationships, including registrar and nameserver data, Hunt also monitors a\r\nTLS certificate consistently reused across Gamaredon infrastructure.\r\nMany of the associated .ru domains resolve to these IPs only briefly, often for just a day, making the certificate an effective\r\npivot for identifying changes before new infrastructure becomes fully operational.\r\nAs an example of the anomalous DNS behavior we've observed, both innocentmillions[.]ru and langra[.]ru\r\ninitially resolved to 64.94.84[.]66. A dig query on the first domain returned two interesting details:\r\nThe TTL (time to live) was set to five seconds, indicating the DNS records were designed to change rapidly.\r\nA new IP, 64.7.199[.]19, began appearing in subsequent queries.\r\nFurther lookups of arbitrary subdomains that are unlikely to exist (e.g., thisisonlyatest[.]innocentmillions[.]ru)\r\nreturned the same IP addresses, indicating the presence of a wildcard A record.\r\nThis tactic allows operators to route traffic across subdomains without managing individual DNS entries, adding\r\nanother layer of evasion.\r\nFigure 2: Results of dig being run against the domain innocentmillions[.]ru.\r\nWhile the domains continued to point to ns1.reg[.]ru and ns2.reg[.]ru, the IP address gradually shifted. Over a\r\nspan of two days, we observed the A record move to 64.94.85[.]18 and then to 168.100.9[.]156 (as of April 7).\r\nFigure 3: Most recent results of dig as of Apr 7, 2025.\r\nThis setup mirrors a low-frequency variant of single flux DNS. 
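The checks described above, as an added example that is not code from the Hunt.io post: a small Python script that reproduces the three observations on constructed data, namely the five-second TTL, A records that move while ns1.reg[.]ru and ns2.reg[.]ru stay fixed, and the wildcard answer for a made-up subdomain. The observation series and the zone table are constructed to mirror the IPs and nameservers the post reports (the day-by-day timing and the 60-second TTL threshold are assumptions), and the resolver is injected so the same functions run offline here and can be pointed at a real lookup such as dnspython's dns.resolver.resolve in practice.

```python
import random
import string

# Added example, not code from the post. Observation tuples are
# (day, set of A records, set of NS hosts, TTL seconds). The IPs and
# nameservers below are the ones the post reports for innocentmillions[.]ru;
# the day-by-day sequence is a constructed approximation.
OBSERVED = [
    (0, {'64.94.84.66'}, {'ns1.reg.ru', 'ns2.reg.ru'}, 5),
    (0, {'64.94.84.66', '64.7.199.19'}, {'ns1.reg.ru', 'ns2.reg.ru'}, 5),
    (1, {'64.94.85.18'}, {'ns1.reg.ru', 'ns2.reg.ru'}, 5),
    (2, {'168.100.9.156'}, {'ns1.reg.ru', 'ns2.reg.ru'}, 5),
]

# Constructed benign control: a stable A set behind a normal TTL. Round-robin
# reordering of the same addresses is not churn, because the sets compare equal.
CONTROL = [
    (0, {'203.0.113.10', '203.0.113.11'}, {'ns1.example.net', 'ns2.example.net'}, 300),
    (1, {'203.0.113.10', '203.0.113.11'}, {'ns1.example.net', 'ns2.example.net'}, 300),
    (2, {'203.0.113.11', '203.0.113.10'}, {'ns1.example.net', 'ns2.example.net'}, 300),
]

SHORT_TTL = 60  # seconds; assumed threshold, tune per environment


def classify_flux(observations, short_ttl=SHORT_TTL):
    '''Label a series of DNS observations for one domain.

    single-flux-like: A records change between observations, NS records do not
    double-flux-like: both A and NS records change
    stable: neither changes
    A short TTL is reported as supporting evidence only; CDNs and load
    balancers use short TTLs legitimately, so it is not a label by itself.
    '''
    a_changes = ns_changes = 0
    prev_a = prev_ns = None
    distinct_a, distinct_ns = set(), set()
    min_ttl = None
    for _day, a_set, ns_set, ttl in observations:
        a_set, ns_set = set(a_set), set(ns_set)
        distinct_a |= a_set
        distinct_ns |= ns_set
        if prev_a is not None and a_set != prev_a:
            a_changes += 1
        if prev_ns is not None and ns_set != prev_ns:
            ns_changes += 1
        prev_a, prev_ns = a_set, ns_set
        min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
    if a_changes and ns_changes:
        label = 'double-flux-like'
    elif a_changes:
        label = 'single-flux-like'
    else:
        label = 'stable'
    return {
        'label': label,
        'short_ttl': min_ttl is not None and min_ttl <= short_ttl,
        'min_ttl': min_ttl,
        'a_changes': a_changes,
        'ns_changes': ns_changes,
        'distinct_a': sorted(distinct_a),
        'distinct_ns': sorted(distinct_ns),
    }


def detect_wildcard(resolve, domain, probes=3, seed=0):
    '''Look up random labels under domain that should not exist.

    resolve(name) must return the set of A records for name (empty set on
    NXDOMAIN). If every probe answers with the same non-empty set, the zone
    carries a wildcard A record; that set is returned, otherwise an empty set.
    '''
    rng = random.Random(seed)
    answers = set()
    for _ in range(probes):
        label = ''.join(rng.choice(string.ascii_lowercase) for _ in range(16))
        answer = frozenset(resolve(label + '.' + domain))
        if not answer:
            return set()
        answers.add(answer)
    return set(next(iter(answers))) if len(answers) == 1 else set()


def fake_resolver(zone_table):
    '''Offline stand-in for a resolver, built from a constructed zone table.
    A wildcard record is keyed as *.domain, as in a zone file.'''
    def resolve(name):
        if name in zone_table:
            return set(zone_table[name])
        parent = name.partition('.')[2]
        return set(zone_table.get('*.' + parent, ()))
    return resolve


# Constructed zone table reflecting the wildcard the post observed.
ZONE = {
    'innocentmillions.ru': ['64.94.84.66', '64.7.199.19'],
    '*.innocentmillions.ru': ['64.94.84.66', '64.7.199.19'],
    'example.net': ['203.0.113.10'],
}

if __name__ == '__main__':
    print(classify_flux(OBSERVED))
    print(classify_flux(CONTROL))
    print(detect_wildcard(fake_resolver(ZONE), 'innocentmillions.ru'))
    print(detect_wildcard(fake_resolver(ZONE), 'example.net'))
```

In practice, replace fake_resolver with a function that wraps a real lookup, records the answer TTL, and samples the domain on a schedule. The labels are triage signals to be correlated with the registrar, nameserver and certificate pivots described above, not verdicts: a CDN-fronted site can also change A records often, so the static-nameserver plus short-TTL combination is what narrows the set.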
Unlike fast flux used in botnets, which cycles\r\nthrough large pools of IPs within minutes, Gamaredon appears to maintain a slower, more controlled cadence,\r\neither managed manually or via automation.\r\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a joint report discussing the threat\r\nfast flux DNS poses, as well as its malicious use by cybercriminals and state-linked actors alike.\r\nAlthough the behavior above doesn't exhibit the high-volume churn of bot-driven flux networks, the short TTLs,\r\nstatic nameservers, and infrastructure reuse form a consistent pattern, one that defenders can use to track\r\ndomains and servers in near real time.\r\nServer Cluster Tied to ShadowPad Sample With RedFoxtrot Overlaps\r\nIt all started with a certificate.\r\nWhile searching for anomalous TLS certificates using HuntSQL™, our SQL-powered engine for threat\r\ninfrastructure discovery, we uncovered a group of servers sharing traits consistent with infrastructure previously\r\nattributed to the suspected Chinese APT group RedFoxtrot, as named by Recorded Future's Insikt Group.\r\nThe certificate, which spoofs Microsoft, was first seen in late 2024 according to our scan data. Using a\r\ncombination of certificate details and JA4X fingerprinting, we uncovered a set of servers hosted across known\r\nVPS providers like The Constant Company, XNNET, Akamai, and DigitalOcean.\r\nFigure 4: Results of our HuntSQL query for the suspicious TLS certificate.\r\nAs we are still tracking this set of servers, we are withholding the specific queries for now. 
As we gain additional\r\ninsight into this activity, the data will be added to the Hunt app and made available to users.\r\nDomain Characteristics\r\nThe domains make use of dynamic DNS services, including giize[.]com and kozow[.]com, which have a long\r\nhistory of being abused by both cybercriminal and state-linked actors for malicious operations.\r\nCurrent servers include domains that spoof Cloudflare and what appears to be a mail server for 'OPW', a name\r\nthat may reference the Office of Public Works in Ireland, OPW Fueling Components, or an unrelated internal\r\nservice.\r\nSeparately, earlier domains impersonated entities such as Broadcom, an American semiconductor manufacturer, as\r\nwell as Indian telecom and government organizations.\r\nFigure 5: DDNS domains resolving to one of the IPs within the identified cluster.\r\nA complete list of domains and IP addresses can be found in the IOC section at the end of this post.\r\nShadowPad Link\r\nShadowPad is a modular backdoor selectively used in targeted espionage operations by Chinese state-linked threat\r\ngroups. Its appearance in an environment is often considered a high-confidence indicator of advanced persistent\r\nthreat activity.\r\nOne server in the group, 45.77.33[.]174, is where the ShadowPad command-and-control domain\r\nupdate.updatemic[.]com resolves; that domain is contacted by the backdoor delivered in a ZIP archive named Dvx.zip. 
The sample, detected by 25\r\nvendors on VirusTotal, contains several files, among them a legitimate signed Windows executable that is vulnerable to\r\nDLL side-loading.\r\nFigure 6: VirusTotal results for the zip archive containing the ShadowPad backdoor.\r\nWithin the archive are the following files:\r\nmsimg32.dll: the ShadowPad backdoor\r\nh.exe: a legitimate NETGATE Amiti Antivirus binary (AmitiAntivirusSkin.exe in the IOC table), renamed and used for side-loading\r\nAk.bat: a batch script that launches h.exe\r\nPackagec.ps1: a PowerShell script used for delivery\r\nDvx.zip is downloaded from a second IP, 149.28.137[.]179, at the path /a/Dvx.zip, using the same\r\nPackagec.ps1 script. A single domain spoofing Cloudflare, static.developers-cloudfare[.]us, resolves to that\r\nserver. The script appearing across multiple delivery points suggests a modular approach, allowing the operator to\r\nrotate infrastructure while maintaining a consistent delivery mechanism.\r\nThe reuse of a spoofed TLS certificate, consistent naming patterns, and the presence of ShadowPad suggest an\r\nactor maintaining controlled access points across a small but deliberate infrastructure set. While the broader\r\npurpose remains unclear, the setup reflects a level of preparation aligned with targeted access operations.\r\nFinal thoughts\r\nThe infrastructure outlined in this post reflects how persistent, state-linked threat actors continue to administer and\r\nevolve their operational footprint. From Gamaredon's flux-like DNS activity to the reuse of ShadowPad-linked\r\ncertificates and staging scripts, each cluster provides a window into how adversaries prepare access points long\r\nbefore payloads are delivered.\r\nUnderstanding how threat actors shape and maintain their infrastructure offers defenders an opportunity to detect\r\nactivity earlier in the intrusion lifecycle. 
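Detection logic for the side-loading chain described in the ShadowPad section above (the renamed signed binary h.exe loading msimg32.dll from its own directory), as an added example that is not code from the post: a Python hunt over Sysmon image-load events (Event ID 7). The events are constructed to mirror the archive layout the post lists and carry the msimg32.dll SHA-256 from its IOC table; the field subset, the C:\Users\Public\Dvx staging path, and the scoring are assumptions.

```python
# Added example, not from the post. Hunts Sysmon Event ID 7 (Image loaded)
# records for the side-loading pattern the post describes. The events below
# are constructed; field names follow Sysmon (Image, ImageLoaded, Signed,
# Hashes) but are a simplified subset, and the staging path is an assumption.

# SHA-256 of the msimg32.dll ShadowPad sample, from the post's IOC table.
KNOWN_BAD_SHA256 = {
    '8b557df773156a87f2fe6bf7bb1b10a690e650c08abb924181165ce82d3fc4af',
}

# DLL names known to be side-loaded. Only msimg32.dll is on the page; extend
# with other hijackable names from your own telemetry.
SIDELOAD_DLLS = {'msimg32.dll'}

# Where the legitimate copies live; loads from here are not flagged.
SYSTEM_DIRS = ('c:/windows/system32/', 'c:/windows/syswow64/')


def winpath(*parts):
    '''Join path parts with a Windows separator (chr(92) is a backslash).'''
    return chr(92).join(parts)


def normalize(path):
    '''Case-fold and convert separators so prefix checks work on raw events.'''
    return path.replace(chr(92), '/').lower()


def sha256_from_hashes(hashes_field):
    '''Extract SHA256=... from a Sysmon Hashes field such as MD5=..,SHA256=..'''
    for part in hashes_field.split(','):
        algo, _, value = part.partition('=')
        if algo.strip().upper() == 'SHA256':
            return value.strip().lower()
    return ''


def is_suspicious_image_load(event):
    '''Return a finding dict for one Event ID 7 record, or None.'''
    image = normalize(event['Image'])
    loaded = normalize(event['ImageLoaded'])
    dll_name = loaded.rsplit('/', 1)[-1]
    if dll_name not in SIDELOAD_DLLS:
        return None
    if loaded.startswith(SYSTEM_DIRS):
        return None  # the genuine system copy
    reasons = ['side-load target ' + dll_name + ' loaded from outside the system directory']
    if loaded.rsplit('/', 1)[0] == image.rsplit('/', 1)[0]:
        reasons.append('DLL sits beside the loading executable')
    if str(event.get('Signed', 'false')).lower() != 'true':
        reasons.append('DLL is unsigned')
    if sha256_from_hashes(event.get('Hashes', '')) in KNOWN_BAD_SHA256:
        reasons.append('DLL SHA-256 matches a published IOC')
    return {'image': event['Image'], 'dll': event['ImageLoaded'],
            'score': len(reasons), 'reasons': reasons}


def hunt(events):
    '''Run the check over a batch of events; highest score first.'''
    hits = [f for f in map(is_suspicious_image_load, events) if f]
    return sorted(hits, key=lambda f: f['score'], reverse=True)


# Constructed events. Event 0 mirrors the post: renamed h.exe loading the
# malicious msimg32.dll from the same directory. The others are controls.
STAGING = winpath('C:', 'Users', 'Public', 'Dvx')  # assumed extraction path
SAMPLE_EVENTS = [
    {'Image': winpath(STAGING, 'h.exe'),
     'ImageLoaded': winpath(STAGING, 'msimg32.dll'),
     'Signed': 'false',
     'Hashes': 'SHA256=8B557DF773156A87F2FE6BF7BB1B10A690E650C08ABB924181165CE82D3FC4AF'},
    {'Image': winpath('C:', 'Windows', 'System32', 'mspaint.exe'),
     'ImageLoaded': winpath('C:', 'Windows', 'System32', 'msimg32.dll'),
     'Signed': 'true',
     'Hashes': 'SHA256=0000000000000000000000000000000000000000000000000000000000000000'},
    {'Image': winpath(STAGING, 'h.exe'),
     'ImageLoaded': winpath('C:', 'Windows', 'System32', 'kernel32.dll'),
     'Signed': 'true',
     'Hashes': 'SHA256=1111111111111111111111111111111111111111111111111111111111111111'},
]

if __name__ == '__main__':
    for finding in hunt(SAMPLE_EVENTS):
        print(finding['score'], finding['dll'])
        for reason in finding['reasons']:
            print('  -', reason)
```

The hash match is the weakest signal over time, since a rebuilt msimg32.dll changes it; the location checks (a side-load target loaded from outside the system directory, next to a signed executable running from a user-writable path) survive payload rotation, which is the point the post makes about operational habits outlasting payloads.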
While payloads may change, the operational habits behind staging,\r\ndelivery, and control often remain consistent, and that's where long-term visibility matters most.\r\nGamaredon Network Observables and Indicators of Compromise (IOCs)\r\n*This list was compiled: Apr 7, 2025\r\nIP Address | Domain(s) | ASN | Hosting Provider\r\n159.203.2[.]177 | N/A | DigitalOcean | DigitalOcean\r\n157.230.152[.]7 | N/A | DigitalOcean | DigitalOcean\r\n139.59.153[.]79 | N/A | DigitalOcean | DigitalOcean\r\n206.189.135[.]34 | N/A | DigitalOcean | DigitalOcean\r\n159.65.192[.]30 | N/A | DigitalOcean | DigitalOcean\r\n64.94.84[.]66 | studomed[.]ru, vinnichich[.]ru, www[.]langra[.]ru, meuviresse[.]ru, Iafren[.]ru, www[.]neonation[.]ru, baklchug[.]ru, rudanka[.]ru, prostali[.]ru, innocentmillions[.]ru, antitrots[.]ru | BL Networks | BL Networks\r\n64.227.72[.]253 | N/A | DigitalOcean | DigitalOcean\r\n159.65.205[.]28 | N/A | DigitalOcean | DigitalOcean\r\n139.68.15[.]131 | N/A | DigitalOcean | DigitalOcean\r\n149.248.77[.]157 | N/A | BL Networks | BL Networks\r\n139.59.13[.]239 | N/A | DigitalOcean | DigitalOcean\r\n45.55.235[.]87 | N/A | DigitalOcean | DigitalOcean\r\n142.93.145[.]206 | N/A | DigitalOcean | DigitalOcean\r\n168.100.11[.]43 | N/A | BL Networks | BL Networks\r\n159.203.17[.]42 | N/A | DigitalOcean | DigitalOcean\r\n209.38.196[.]253 | N/A | DigitalOcean | DigitalOcean\r\n216.245.184[.]160 | N/A | BL Networks | BL Networks\r\n104.131.190[.]132 | N/A | DigitalOcean | DigitalOcean\r\n134.209.244[.]43 | N/A | DigitalOcean | DigitalOcean\r\n139.59.189[.]155 | N/A | DigitalOcean | DigitalOcean\r\n168.100.11[.]116 | N/A | BL Networks | BL Networks\r\n165.227.39[.]7 | N/A | DigitalOcean | DigitalOcean\r\n139.59.95[.]111 | N/A | DigitalOcean | DigitalOcean\r\n178.62.238[.]209 | N/A | DigitalOcean | DigitalOcean\r\n64.94.85[.]230 | N/A | BL Networks | BL Networks\r\n45.55.42[.]145 | N/A | DigitalOcean | DigitalOcean\r\n167.99.90[.]162 | N/A | DigitalOcean | DigitalOcean\r\n142.93.232[.]225 | N/A | DigitalOcean | DigitalOcean\r\n68.183.201[.]96 | N/A | DigitalOcean | DigitalOcean\r\n162.33.179[.]216 | N/A | BL Networks | BL Networks\r\n46.101.240[.]172 | N/A | DigitalOcean | DigitalOcean\r\n143.110.218[.]175 | N/A | DigitalOcean | DigitalOcean\r\n45.61.139[.]116 | N/A | BL Networks | BL Networks\r\n46.101.91[.]224 | N/A | DigitalOcean | DigitalOcean\r\n206.189.29[.]231 | N/A | DigitalOcean | DigitalOcean\r\n64.7.199[.]19 | home1and[.]ru | BL Networks | BL Networks\r\n149.248.77[.]157 | www[.]phlovel[.]ru, chinosadame[.]ru, toretsky[.]ru, jedemdasseine[.]ru, spanishsky[.]ru, endless-bridge[.]ru, www[.]bakalchug[.]ru, rookida[.]ru | BL Networks | BL Networks\r\nRedFoxtrot-Linked Network Observables and Indicators of Compromise (IOCs)\r\nIP Address | Domain(s) | ASN | Hosting Provider\r\n45.77.33[.]174 | update.updatemic[.]com | The Constant Company | The Constant Company\r\n64.227.185[.]216 | N/A | DigitalOcean | DigitalOcean\r\n139.84.142[.]99 | N/A | The Constant Company | The Constant Company\r\n172.236.187[.]135 | opwmail.kozow[.]com, zngb.kozow[.]com | Akamai Connected Cloud | Akamai Connected Cloud\r\n172.235.10[.]252 | gssllxqxqzyo.giize[.]com | Akamai Connected Cloud | Akamai Connected Cloud\r\n149.28.137[.]179 | static.developers-cloudfare[.]us | The Constant Company | The Constant Company\r\nRedFoxtrot-Linked Host Observables and Indicators of Compromise (IOCs)\r\nFilename | SHA-256\r\nDvx.zip | 7ad3331be038b43c1a19066f1e4edbe85dfb08596d70774a5e15480394626d39\r\nAK.bat | cf0403934749f9d6cbcc80e38d0fca87f7d9e519d9a9031b1797b5568a8e3534\r\nAmitiAntivirusSkin.exe (legitimate file) | 200db5f89d58ce0060da0fac909162f66d9fa27dfe590e929ce9b42fd8d55ae3\r\nmsimg32.dll | 8b557df773156a87f2fe6bf7bb1b10a690e650c08abb924181165ce82d3fc4af\r\nPackagec.ps1 | a596d4a1ede0d022d77f0b03c723c7071ffec0e89b35f0d30fb9ff15feeb4969\r\nSource: https://hunt.io/blog/state-sponsored-activity-gamaredon-shadowpad",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://hunt.io/blog/state-sponsored-activity-gamaredon-shadowpad"
	],
	"report_names": [
		"state-sponsored-activity-gamaredon-shadowpad"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1aead86d-0c57-4e3b-b464-a69f6de20cde",
			"created_at": "2023-01-06T13:46:38.318176Z",
			"updated_at": "2026-04-10T02:00:02.925424Z",
			"deleted_at": null,
			"main_name": "DAGGER PANDA",
			"aliases": [
				"UAT-7290",
				"Red Foxtrot",
				"IceFog",
				"RedFoxtrot",
				"Red Wendigo",
				"PLA Unit 69010"
			],
			"source_name": "MISPGALAXY:DAGGER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c09dd7ba-3b6c-4a02-9ae6-949b0afc0b16",
			"created_at": "2023-01-06T13:46:38.907191Z",
			"updated_at": "2026-04-10T02:00:03.141637Z",
			"deleted_at": null,
			"main_name": "NOMAD PANDA",
			"aliases": [],
			"source_name": "MISPGALAXY:NOMAD PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbb1ee4e-bbe9-44de-8f46-8e7fec09f695",
			"created_at": "2022-10-25T16:07:24.120424Z",
			"updated_at": "2026-04-10T02:00:04.871598Z",
			"deleted_at": null,
			"main_name": "RedFoxtrot",
			"aliases": [
				"Moshen Dragon",
				"Nomad Panda",
				"TEMP.Trident"
			],
			"source_name": "ETDA:RedFoxtrot",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Fucobha",
				"GUNTERS",
				"Gen:Trojan.Heur.PT",
				"Icefog",
				"Impacket",
				"Kaba",
				"Korplug",
				"PCShare",
				"POISONPLUG.SHADOW",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"XShellGhost",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434790,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5b8cb7f9b2f54e602fe7f3243a21e710bc628227.pdf",
		"text": "https://archive.orkl.eu/5b8cb7f9b2f54e602fe7f3243a21e710bc628227.txt",
		"img": "https://archive.orkl.eu/5b8cb7f9b2f54e602fe7f3243a21e710bc628227.jpg"
	}
}