{
	"id": "7b986022-452f-4a75-a56b-68d8bc3fa78d",
	"created_at": "2026-04-06T00:07:18.684849Z",
	"updated_at": "2026-04-10T03:35:58.992975Z",
	"deleted_at": null,
	"sha1_hash": "5cd3deb8992432bc27210edabd43edc6b0cec749",
	"title": "TA2101 Plays Government Imposter to Distribute Malware | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2116609,
	"plain_text": "TA2101 Plays Government Imposter to Distribute Malware |\r\nProofpoint US\r\nBy Bryan Campbell and the Proofpoint Threat Insight Team, November 14, 2019\r\nPublished: 2019-11-14 · Archived: 2026-04-05 15:35:37 UTC\r\nOverview\r\nProofpoint researchers recently detected campaigns from a relatively new actor, tracked internally as\r\nTA2101, targeting German companies and organizations to deliver and install backdoor malware.\r\nThe actor initiated their campaigns impersonating the Bundeszentralamt für Steuern, the German Federal Ministry\r\nof Finance, with lookalike domains, verbiage, and stolen branding in the emails.\r\nFor their campaigns in Germany, the actor chose Cobalt Strike, a commercially licensed software tool that is\r\ngenerally used for penetration testing and emulates the type of backdoor framework used by Metasploit, a similar\r\npenetration testing tool.\r\nThe product describes itself as “adversary simulation software designed to execute targeted attacks and emulate\r\nthe post-exploitation actions of advanced threat actors,” and is intended for use by organizations to secure their\r\nenvironments. However, despite its extensive legitimate use as a simulation tool, various actors have deployed and\r\nexecuted campaigns using it as actual malware, including Cobalt Group, APT32, and APT19.\r\nProofpoint researchers have also observed this actor distributing Maze ransomware, employing similar social\r\nengineering techniques to those it uses for Cobalt Strike, while also targeting organizations in Italy and\r\nimpersonating the Agenzia Delle Entrate, the Italian Revenue Agency. 
We have also recently observed the actor\r\ntargeting organizations in the United States using the IcedID banking Trojan while impersonating the United\r\nStates Postal Service (USPS).\r\nCampaigns\r\nBetween October 16 and November 12, 2019, Proofpoint researchers observed the actor sending malicious email\r\nmessages to organizations in Germany, Italy, and the United States, targeting no particular vertical but with\r\nrecipients that were heavily weighted towards business and IT services, manufacturing, and healthcare.\r\nOctober 16 and 23, 2019\r\nOn October 16 and 23, Proofpoint researchers observed hundreds of emails attempting to deliver malicious\r\nMicrosoft Word attachments with German lures impersonating the Bundeszentralamt für Steuern, the German\r\nFederal Ministry of Finance. Of particular note is the use of stolen branding as well as lookalike .icu\r\ndomains for the sender email address in order to craft effective lures.\r\nhttps://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us\r\nPage 1 of 13\n\nThe lure states that a 2019 tax refund is due (“Benachrichtigung über die Steuerrückerstattung”) based on prior\r\nreturns in the amount of several hundred euros (€694.00 in the observed sample) and that the recipient should\r\nsubmit a refund request (using an attached Microsoft Word document form) within three days for processing. 
The\r\nemails, as part of a low-volume campaign, were targeted primarily at IT services companies.\r\nFigure 1: Email lure sent on October 23, purporting to be from the German Federal Ministry of Finance,\r\nnotifying the recipient of a tax refund, with a malicious Microsoft Word attachment.\r\nThe Microsoft Word attachment, when opened, executes a Microsoft Office macro that, in turn, executes a\r\nPowerShell script, which downloads and installs the Maze ransomware payload onto the victim’s system.\r\nFigure 2: A German-language malicious Microsoft Word attachment that — if the user enables macros —\r\nexecutes a Microsoft Office macro that in turn runs a PowerShell script that downloads Cobalt Strike.\r\nOctober 29, 2019\r\nOn October 29, Proofpoint researchers observed dozens of emails attempting to deliver malicious Microsoft Word\r\nattachments with Italian lures impersonating the Agenzia Entrate, the Italian Ministry of Taxation. 
As with the\r\ninitially observed German campaign, the actor used stolen branding as well as lookalike .icu domains for\r\nthe sender email address in order to craft effective lures.\r\nThe lure appears to be a notification of law enforcement activities (“aggiornamento: attivita di contrasto\r\nall'evasione”) and states that the recipient should open and read the enclosed document in order to avoid further\r\ntax assessment and penalties.\r\nThe emails, as part of a low-volume campaign across multiple verticals, were targeted primarily at manufacturing\r\ncompanies and used an infection chain of Microsoft Office macros into a PowerShell script, which ultimately\r\ndownloads and installs Maze ransomware.\r\nFigure 3: The email lure sent to Italian organizations is a notification of law enforcement activities, urging the\r\nrecipient to open and read the enclosed document in order to avoid further tax assessment and penalties.\r\nThe malicious document purports to be an RSA SecurID key used by the Italian Ministry of Taxation.\r\nFigure 4: An Italian-language Microsoft Word attachment which, when opened and the user enables macros,\r\nexecutes a Microsoft Office macro that runs a PowerShell script, which in turn downloads and installs the Maze\r\nransomware payload onto the victim’s system.\r\nNovember 6, 2019\r\nOn November 6, 2019, Proofpoint researchers observed hundreds of emails attempting to deliver malicious\r\nMicrosoft Word attachments with German lures, again impersonating the German Federal Ministry of Finance. 
As\r\nwith the previous two campaigns, the actor used stolen branding as well as lookalike .icu domains\r\nfor the sender email address in order to craft effective lures. The malicious document purports to be an RSA\r\nSecurID key used by the German Ministry of Finance.\r\nThe emails, as part of a low-volume campaign, were targeted primarily at business and IT services companies and\r\nused the same infection chain outlined for previous campaigns.\r\nFigure 5: A German-language Microsoft Word attachment which, when opened and the user enables macros,\r\nexecutes a Microsoft Office macro that runs a PowerShell script, which in turn downloads and installs the Maze\r\nransomware payload onto the victim’s system.\r\nOpening the Microsoft Word document and enabling macros installs Maze ransomware on the user’s system,\r\nencrypting all of their files, and saves a ransom note resembling the following in TXT format in every directory.\r\nFigure 6: Example ransom notice stored on a victim’s system after their files have been encrypted by Maze\r\nransomware.\r\nNovember 7, 2019\r\nOn November 7, 2019, Proofpoint researchers observed hundreds of emails attempting to deliver malicious\r\nMicrosoft Word attachments with German lures, this time impersonating a German internet service provider, 1\u00261\r\nInternet AG.\r\nAs with the November 6 campaigns, the actor used lookalike .icu domains for the sender\r\nemail address in order to craft effective lures. 
The campaign was accompanied by a malicious Microsoft Word\r\nattachment with a purported RSA SecurID key, similarly formatted to the one used in the November 6 campaign.\r\nFigure 7: A German-language Microsoft Word attachment which, when opened and the user enables macros,\r\nexecutes a Microsoft Office macro that launches a PowerShell script, which in turn downloads and installs the\r\nMaze ransomware payload onto the victim’s system.\r\nThe emails, as part of a low-volume campaign, were targeted primarily at business and IT services companies,\r\nusing the same infection chain.\r\nNovember 12, 2019\r\nOn November 12, 2019, Proofpoint researchers observed thousands of emails attempting to deliver malicious\r\nMicrosoft Word attachments with English lures, this time impersonating the United States Postal Service (USPS)\r\nand distributing the IcedID banking Trojan.\r\nThe campaign differed from previous European campaigns in that the actor chose a .com lookalike, uspsdelivery-service.com, instead of a .icu domain. 
The campaign was accompanied by a malicious Microsoft Word attachment\r\nwith a purported RSA SecurID key, similarly formatted to the one used in the previous campaigns.\r\nFigure 8: An English-language Microsoft Word attachment which, when opened and the user enables macros,\r\nexecutes a Microsoft Office macro that launches a PowerShell script, which in turn downloads and installs the\r\nIcedID payload onto the victim’s system.\r\nThe emails, as part of a medium-volume campaign, were targeted heavily at the healthcare vertical, using the\r\nsame infection chain.\r\nDomain and URL Analysis\r\nProofpoint researchers have observed a consistent set of TTPs (Tactics, Techniques, and Procedures) that allows\r\nattribution of these campaigns to a single actor with high confidence. These include the use of .icu domains, as\r\nwell as identical email addresses in the Start of Authority (SOA) resource records stored in the DNS entries for\r\nthe domains used in these campaigns.\r\nAdditionally, Proofpoint researchers have observed that the canonical URLs used by this actor are formatted in a\r\nrepeatable fashion with word_/.tmp in the string, with slight variations made over time (included in the IOC\r\nsection below). 
Proofpoint researchers suspect that the word_/.tmp usage might be linked to previous campaigns\r\nthat were spotted earlier by the infosec community in 2019.\r\nThe connection to gladkoff1991@yandex.ru extends beyond the more recent Cobalt Strike campaigns,\r\nwith references to SOA records from September 2019 “eFax” themed Buran ransomware campaigns.\r\nGerman Cobalt Strike/German Tax Office spoof (October 23)\r\nLure email address: antwortensienicht@bzst-informieren.icu\r\nSOA: gladkoff1991@yandex.ru\r\nItalian Maze Campaign/Italian Ministry of Taxation spoof (October 29)\r\nLure email address: info@agenziaentrate.icu\r\nSOA: gladkoff1991@yandex.ru\r\nProofpoint researchers have also determined that the IP address 91.218.114[.]37 is present in all Maze\r\nransomware downloads initiated by this actor.\r\nGerman Maze Campaign/German Tax Office spoof (November 6)\r\nThis campaign uses a lure identical to the one observed on October 23, including the same \"RSA Key\" malicious\r\nMicrosoft Word attachment. It is also where we observed the second use of the word_/.tmp variation in the URL.\r\nGerman Maze Campaign/German ISP spoof (November 7)\r\nThis campaign, distributing Maze ransomware, impersonates a German internet service provider (1\u00261 Internet\r\nAG) and uses a nearly identical malicious Word document with the \"RSA Key\" lure that was observed in the\r\nNovember 6 German Tax Office campaign and the October 23 German campaign using Cobalt Strike.\r\nLure email address: antwortensienicht@bzstinform.icu\r\nSOA: gladkoff1991@yandex.ru, which matches the October 23 Cobalt Strike campaign.\r\nUS IcedID Campaign / USPS Spoof (November 12)\r\nOn November 12, Proofpoint researchers observed a campaign utilizing a USPS-themed lure delivering the IcedID\r\nTrojan. 
While this campaign did not use a .icu domain, choosing instead a different lookalike domain,\r\nuspsdelivery-service[.]com, the malicious documents used the same “RSA” style lures observed in the previous\r\nCobalt Strike and Maze ransomware campaigns, adding further evidence to support the theory that the same\r\nactor/group is behind the distribution of those malware families.\r\nThe SOA for uspsdelivery-service[.]com is gladkoff1991@yandex.ru, which matches previous campaigns.\r\nConclusion\r\nAs detailed in Proofpoint’s April 2019 Threat Insight post, Tax-themed Email Campaigns Target 2019 Filers,\r\nfinance-related lures have been used seasonally with upticks in tax-related malware and phishing campaigns\r\nleading up to the annual tax filing deadlines in different geographies. In 2017, these campaigns focused on\r\nphishing and increasingly sophisticated social engineering, as well as banking Trojans and ransomware. In 2018,\r\nProofpoint researchers continued to observe sophisticated email campaigns that featured urgent tax-themed lures\r\nand convincing spoofs of IRS branding in the United States.\r\nWith these new campaigns launched in Germany and Italy utilizing similar urgent tax-assessment and refund\r\nlures, Proofpoint researchers have now observed similar spoofs in Europe distributing backdoor Trojans such as\r\nCobalt Strike as well as Maze ransomware. These email spoofs are notable for using convincing stolen branding\r\nand lookalike domains of European taxation agencies and other public-facing entities such as Internet service\r\nproviders. Most recently, the actor has attacked US organizations spoofing the United States Postal Service. 
The\r\nincreasing sophistication of these lures mirrors improved social engineering and a focus on effectiveness over\r\nquantity appearing in many campaigns globally across the email threat landscape.\r\nIndicators of Compromise (IOCs)\r\nET and ETPRO Suricata/Snort Signatures\r\nETPRO TROJAN W32.HTTP.Stager Checkin M1\r\nET TROJAN Possible Maze Ransomware Activity\r\nET TROJAN Observed Buran Ransomware UA (BURAN)\r\nET TROJAN Buran Ransomware Activity M2\r\nET TROJAN Buran Ransomware Activity M1\r\nSource: https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us"
	],
	"report_names": [
		"ta2101-plays-government-imposter-distribute-malware-german-italian-and-us"
	],
	"threat_actors": [
		{
			"id": "1f3cf3d1-4764-4158-a216-dd6352e671bb",
			"created_at": "2022-10-25T15:50:23.837615Z",
			"updated_at": "2026-04-10T02:00:05.322197Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"APT19",
				"Codoso",
				"C0d0so0",
				"Codoso Team",
				"Sunshop Group"
			],
			"source_name": "MITRE:APT19",
			"tools": [
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e9f85280-337c-4321-b872-0919f8ef64a6",
			"created_at": "2022-10-25T16:07:24.261761Z",
			"updated_at": "2026-04-10T02:00:04.914455Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"Gold Village",
				"Maze Team",
				"TA2101",
				"Twisted Spider"
			],
			"source_name": "ETDA:TA2101",
			"tools": [
				"7-Zip",
				"Agentemis",
				"BokBot",
				"Buran",
				"ChaCha",
				"Cobalt Strike",
				"CobaltStrike",
				"Egregor",
				"IceID",
				"IcedID",
				"Mimikatz",
				"PsExec",
				"SharpHound",
				"VegaLocker",
				"WinSCP",
				"cobeacon",
				"nmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d",
			"created_at": "2025-08-07T02:03:24.595597Z",
			"updated_at": "2026-04-10T02:00:03.740023Z",
			"deleted_at": null,
			"main_name": "BRONZE FIRESTONE",
			"aliases": [
				"APT19 ",
				"C0d0s0",
				"Checkered Typhoon ",
				"Chlorine ",
				"Deep Panda ",
				"Pupa ",
				"TG-3551 "
			],
			"source_name": "Secureworks:BRONZE FIRESTONE",
			"tools": [
				"9002",
				"Alice's Rabbit Hole",
				"Cobalt Strike",
				"Derusbi",
				"PlugX",
				"PoisonIvy",
				"PowerShell Empire",
				"Trojan Briba",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c3c864b3-fac9-4d56-8500-7c06c829fbf8",
			"created_at": "2023-01-06T13:46:39.071873Z",
			"updated_at": "2026-04-10T02:00:03.203749Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"GOLD VILLAGE",
				"Storm-0216",
				"DEV-0216",
				"UNC2198",
				"TUNNEL SPIDER",
				"Maze Team",
				"TWISTED SPIDER"
			],
			"source_name": "MISPGALAXY:TA2101",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434038,
	"ts_updated_at": 1775792158,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5cd3deb8992432bc27210edabd43edc6b0cec749.pdf",
		"text": "https://archive.orkl.eu/5cd3deb8992432bc27210edabd43edc6b0cec749.txt",
		"img": "https://archive.orkl.eu/5cd3deb8992432bc27210edabd43edc6b0cec749.jpg"
	}
}