{
	"id": "41ae86a2-f6e7-4265-b82a-621f62ee2bb2",
	"created_at": "2026-04-06T00:12:55.282623Z",
	"updated_at": "2026-04-10T03:38:19.793805Z",
	"deleted_at": null,
	"sha1_hash": "5e8d7a9f4a108947290f0f5194623ffab4c2ff5b",
	"title": "Evolution of Lazarus ‘FudModule - no longer (stand)alone’",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 68381,
	"plain_text": "Evolution of Lazarus ‘FudModule - no longer (stand)alone’\r\nBy Luigino CamastraThreat Analysis Engineer at Gen\r\nArchived: 2026-04-05 19:41:40 UTC\r\nIn early June, we discovered a sample that was exploiting a new zero-day vulnerability within Winsock driver\r\n(CVE-2024-38193) to achieve local privilege escalation to deploy a new version of FudModule rootkit. We\r\ndetermined that the sample was part of a Lazarus Group operation that was targeting potentially sensitive\r\nindustries such as aerospace and cryptocurrency engineering to gain access to their corporate networks.\r\nCVE-2024-38193 is a use-after-free vulnerability in the AFD.sys driver which is responsible for kernel-mode\r\nsupport for the Windows socket (Winsock) interface used in network communication. This flaw allowed attackers\r\nto tamper with certain values in kernel structures, leading to read/write access which was leveraged by FudModule\r\nto execute a Direct Kernel Object Manipulation technique. This vulnerability is present on Windows 11 Version\r\n23H2 (and earlier) and Windows 10.\r\nThe FudModule itself has also undergone a significant evolution. In addition to its usual arsenal, it started to\r\ndisable crash dumps to further complicate any investigation. It is also more closely tied to the payload it aims to\r\nprotect, which it injects into a process secured by Protected Process Light. These extensive changes led us to a\r\ndecision to denote this version as FudModule v3.0.\r\nInitial access\r\nPrevious versions of FudModule (v2.0) were delivered by Kaolin RAT, utilizing another zero-day exploit (CVE-2024-21338) to gain read/write access to the kernel memory. 
Unfortunately, we’ve been unable to determine how\r\nCVE-2024-38193 was delivered, along with FudModule v3.0, to the victim’s device.\r\nOn August 19, 2024, Microsoft identified a North Korean threat actor exploiting a Chromium remote-code-execution (RCE) zero-day vulnerability (CVE-2024-7971) which was based on a type confusion issue in the\r\nV8 JavaScript engine and WebAssembly engine. Microsoft noted that Citrine Sleet used the Chromium exploit to\r\ndeploy a FudModule rootkit; nevertheless, they did not specify more technical details on the rootkit. The RCE\r\nvulnerability was used to deploy a shellcode containing another exploit (CVE-2024-38106) that was used to\r\nescape Chromium’s sandbox and deploy the downloaded FudModule rootkit into memory. \r\nDue to the timing of this attack and the close presumed relation between Citrine Sleet and the Lazarus group, we\r\npresume that FudModule v3.0 and the Winsock exploit (CVE-2024-38193) may have been delivered in a very\r\nsimilar manner.\r\nFudModule Rootkit delivery\r\nIn the first version of the FudModule, referred to as FudModule v1.0, the attacker required the ability to modify\r\nkernel memory structures, potentially resulting in the deactivation of Windows monitoring features. To achieve\r\nhttps://www.gendigital.com/blog/news/innovation/lazarus-fudmodule-v3\r\nPage 1 of 4\n\nthis, they employed the Bring Your Own Vulnerable Driver (BYOVD) technique, a well-known method where\r\nattackers load a legitimate, signed, and vulnerable kernel driver to bypass the Driver Signature Enforcement\r\n(DSE) policy. The attacker then used this known vulnerability to obtain read/write access to the kernel space.\r\nThey accomplished this by loading vulnerable drivers such as dbutil_2_3.sys (Dell driver) and ene.sys (RGB\r\nlighting control driver), exploiting them using N-day vulnerabilities. 
This is a straightforward method, as there\r\nare numerous publicly available proof-of-concept exploits for various vulnerabilities. However, the downside is\r\nthat the attacker must drop the vulnerable driver onto the filesystem and load it with administrator privileges.\r\nThe second version of the FudModule, referred to as FudModule v2.0, was discovered by Gen. In this case, the\r\nattackers exploited a zero-day vulnerability (CVE-2024-21338) in Windows’ appid.sys (Application\r\nIdentity driver). The key advantage of this choice is that this driver is already present on Windows 10 and\r\nWindows 11 by default, eliminating the need to drop “your” own vulnerable driver.\r\nHowever, a challenge with this approach is that the attacker still needed administrator privileges to send the vulnerable\r\nIOCTL code (0x22A018) to the appid.sys driver. For more technical details about this exploit, see our previous\r\nblog post on this vulnerability.\r\nIn this new instance, the attackers found a way to exploit a vulnerability in a default driver without\r\nrequiring administrator privileges to interact with it. They identified a zero-day vulnerability in AFD.sys\r\n(the Winsock driver) to achieve read/write (R/W) access in kernel space. After triggering the vulnerability in\r\nAFD.sys, the attackers first had to obtain an increment primitive and craft a specific kernel address to turn it into a\r\ntemporary R/W primitive. With these temporary primitives, they were able to corrupt the PreviousMode field of\r\nthe current thread in the KTHREAD structure. By setting PreviousMode to KernelMode, they could bypass the\r\nuser-mode address validation within system calls such as NtReadVirtualMemory or NtWriteVirtualMemory (which then\r\naccept kernel addresses), and stealthily deploy FudModule v3.0.\r\nFudModule rootkit\r\nFudModule v1.0 was discovered by ESET and AhnLab in September 2022. 
They described seven techniques\r\nused to disarm security solutions and monitoring tools. In June of last year, our discovery of FudModule v2.0\r\nled to a sample featuring nine techniques, out of which four were new and three were improved, with another two\r\nremaining unchanged.\r\nIn FudModule v3.0, eight techniques from the previous version remain unchanged, and one technique was removed\r\nin favour of two new techniques. The unchanged functions are:\r\nDisable a security solution’s ability to monitor registry operations\r\nDisable object callback routines, which are used to execute custom code in response to thread,\r\nprocess, and desktop handle operations\r\nDisable process, thread and image kernel callbacks\r\nDisable all monitoring and antivirus file system minifilters\r\nDisable network traffic filtering (happens only if Kaspersky drivers are present and at the same time\r\nSymantec/Broadcom drivers are absent)\r\nDisable all system loggers in Event Tracing for Windows (ETW), using two approaches to do so in a\r\nmore generic way\r\nDisable monitoring of the MsMpEng.exe process (Microsoft Defender) via handle table manipulation. For\r\nasdsvc.exe (AhnLab Smart Defense Service), the rootkit clears the _EPROCESS.Protection byte,\r\nreducing it to a standard, non-protected process after the modification.\r\nThe function responsible for disabling image verification callbacks is no longer present in FudModule v3.0.\r\nNow, we’ll dive into the two new techniques included in FudModule v3.0.\r\nDisabling crash dump\r\nIn the FudModule v3.0 rootkit, disabling crash dumps is the first technique to be executed after a successful\r\nexploitation. Since FudModule v3.0 directly manipulates kernel structures, which could potentially cause a system\r\ncrash, it employs a method to prevent the creation of crash dump files. 
Crash dump files capture the system’s\r\nmemory at the time of an error, including loaded drivers, running processes, and active kernel data. If a crash\r\ndump file caused by the rootkit were saved, it could provide leads to the exploit during the crash investigation,\r\nwhich could expose the zero-day before the attackers gained a foothold on the device.\r\nTo disable crash dumps, the rootkit first locates the virtual addresses of the data sections of the crashdmp.sys driver\r\nand ntoskrnl.exe (the kernel image) in memory. It then scans the data section of ntoskrnl.exe for a pointer into\r\nthe data section of crashdmp.sys; this is the global pointer named CrashdmpDumpBlock. It then zeroes out\r\nthis pointer, which effectively prevents the system from generating a crash dump.\r\nShellcode Injections\r\nThe second technique, shellcode injection, is rather peculiar in the sense that it marks a shift from FudModule\r\nv2.0 being the final payload to FudModule v3.0 being used as a stager for another payload. The process involves two\r\nconsecutive shellcode injections into different processes: one into services.exe and the other into\r\nmsiexec.exe.\r\nInitially, memory pages are allocated within these processes, their permissions are modified to allow execution, and\r\n_EPROCESS.MitigationFlags is cleared to avoid instability if the handle table manipulation goes awry.\r\nIn the case of the services.exe injection, FudModule itself runs in a non-protected process. This should prevent it from\r\nacquiring a handle to processes protected by PPL (Protected Process Light) such as services.exe,\r\nwininit.exe or csrss.exe. Nevertheless, FudModule exploits the kernel read/write primitive to gain direct\r\naccess to the handle table. This way, it can craft a custom handle table entry, gaining control over both the referenced\r\nobject and its access bits, effectively bypassing PPL. 
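The following C program is an added illustration (it is not FudModule’s code and not from the Gen article) of the kernel structures the article says the rootkit rewrites with its read/write primitive: the handle table entry whose object pointer and access bits it forges, the _EPROCESS.Protection byte it clears, and the pointer scan it performs to find CrashdmpDumpBlock. The bit layouts (x64 Windows 10 1709+ / Windows 11, with the object body at _OBJECT_HEADER + 0x30), the reference count value, the addresses and the data-section contents are assumptions constructed for the demo; the program runs in user mode on those constructed values and touches no kernel memory.

```c
/* Added illustration, not FudModule's code: user-mode models of the kernel
 * structures the article says the rootkit rewrites through its R/W primitive.
 * Layouts assumed: x64 Windows 10 1709+ / Windows 11 (check with
 * `dt nt!_HANDLE_TABLE_ENTRY` and `dt nt!_PS_PROTECTION` on the target build).
 * Everything below runs on constructed values and never touches the kernel. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* --- 1. Handle table entry (16 bytes): object pointer + granted access --- */
typedef struct { uint64_t low; uint64_t high; } handle_table_entry;

/* Low word:  Unlocked:1 | RefCnt:16 | Attributes:3 | ObjectPointerBits:44
 * High word: GrantedAccessBits:25 | NoRightsUpgrade:1 | Spare1:6 | Spare2:32
 * ObjectPointerBits stores bits 4..47 of the _OBJECT_HEADER address; the
 * kernel re-adds the canonical 0xFFFF prefix when it dereferences the entry. */
#define HTE_UNLOCKED       0x1ULL
#define HTE_REFCNT_SHIFT   1
#define HTE_OBJPTR_SHIFT   20
#define HTE_OBJPTR_MASK    ((1ULL << 44) - 1)
#define HTE_ACCESS_MASK    ((1ULL << 25) - 1)
#define OBJECT_HEADER_SIZE 0x30ULL   /* x64: object body follows the header at +0x30 (assumed) */
#define PROCESS_ALL_ACCESS 0x1FFFFFULL

/* A forged entry: both the target object and the access mask are chosen by the
 * writer, which is what bypassing PPL via the handle table amounts to. The
 * reference count value is a placeholder; its real encoding is build-specific. */
handle_table_entry hte_encode(uint64_t object_header, uint32_t access, uint16_t refcnt)
{
    handle_table_entry e;
    e.low  = HTE_UNLOCKED
           | ((uint64_t)refcnt << HTE_REFCNT_SHIFT)
           | (((object_header >> 4) & HTE_OBJPTR_MASK) << HTE_OBJPTR_SHIFT);
    e.high = (uint64_t)access & HTE_ACCESS_MASK;
    return e;
}

/* Recover the canonical _OBJECT_HEADER address from ObjectPointerBits. */
uint64_t hte_object_header(const handle_table_entry *e)
{
    return 0xFFFF000000000000ULL | (((e->low >> HTE_OBJPTR_SHIFT) & HTE_OBJPTR_MASK) << 4);
}
uint64_t hte_eprocess(const handle_table_entry *e)       { return hte_object_header(e) + OBJECT_HEADER_SIZE; }
uint32_t hte_granted_access(const handle_table_entry *e) { return (uint32_t)(e->high & HTE_ACCESS_MASK); }

/* --- 2. _EPROCESS.Protection (_PS_PROTECTION byte): Type:3 | Audit:1 | Signer:4 --- */
enum { PsProtectedTypeNone = 0, PsProtectedTypeProtectedLight = 1, PsProtectedTypeProtected = 2 };
enum { PsProtectedSignerAntimalware = 3, PsProtectedSignerWindows = 5, PsProtectedSignerWinTcb = 6 };

unsigned ps_protection_type(uint8_t p)   { return p & 0x7; }
unsigned ps_protection_signer(uint8_t p) { return (p >> 4) & 0xF; }
/* Writing 0 over the byte (what the article says happens to asdsvc.exe) makes this false. */
int ps_is_protected(uint8_t p)           { return ps_protection_type(p) != PsProtectedTypeNone; }

/* --- 3. Locate step for CrashdmpDumpBlock: find 8-byte-aligned values in a copy of
 * one module's data section that point into another module's [lo, hi) range.
 * Returns how many were found and records their offsets (at most max). --- */
size_t find_pointers_into(const uint8_t *sec, size_t len, uint64_t lo, uint64_t hi,
                          size_t *offsets, size_t max)
{
    size_t n = 0;
    for (size_t off = 0; off + 8 <= len; off += 8) {
        uint64_t v;
        memcpy(&v, sec + off, sizeof v);        /* unaligned-safe read */
        if (v >= lo && v < hi && n < max) offsets[n++] = off;
    }
    return n;
}

int main(void)
{
    /* Constructed values only: a made-up _OBJECT_HEADER address for services.exe. */
    handle_table_entry e = hte_encode(0xFFFF8A0123456780ULL, PROCESS_ALL_ACCESS, 1);
    printf("forged entry -> header %016llx, _EPROCESS %016llx, access 0x%06x\n",
           (unsigned long long)hte_object_header(&e), (unsigned long long)hte_eprocess(&e),
           hte_granted_access(&e));

    uint8_t ppl_antimalware = 0x31;   /* Type=PPL(1), Signer=Antimalware(3): MsMpEng.exe, asdsvc.exe */
    printf("Protection 0x%02x: type %u signer %u, protected=%d; after zeroing: %d\n", ppl_antimalware,
           ps_protection_type(ppl_antimalware), ps_protection_signer(ppl_antimalware),
           ps_is_protected(ppl_antimalware), ps_is_protected(0));

    /* Constructed stand-in for ntoskrnl's .data: two values land inside the made-up
     * crashdmp.sys data range [0xFFFFF80312340000, +0x1000); the others do not. */
    uint64_t fake_data[] = { 0x0000000000000001ULL, 0xFFFFF80312340200ULL, 0xFFFFF8031234FFFFULL,
                             0xFFFFF80312340F08ULL, 0xFFFFF80300000000ULL };
    size_t off[4];
    size_t n = find_pointers_into((const uint8_t *)fake_data, sizeof fake_data,
                                  0xFFFFF80312340000ULL, 0xFFFFF80312341000ULL, off, 4);
    printf("%zu candidate pointer(s) into crashdmp.sys data: offsets", n);
    for (size_t i = 0; i < n; i++) printf(" 0x%zx", off[i]);
    printf("\n");
    return 0;
}
```

Build with any C99 compiler (cc -std=c99 hte_demo.c). The point of the first part is that nothing in the entry itself authenticates the object pointer or the access mask, so a writer with kernel R/W can make a handle to a PPL process look like a legitimately granted one; the point of the third part is that a single pointer into another module's data section is enough to identify a cross-module global such as CrashdmpDumpBlock, which is also how a memory-forensics check would verify whether it has been zeroed. Before relying on the bit layouts on a real system, confirm them in WinDbg with dt nt!_HANDLE_TABLE_ENTRY and dt nt!_PS_PROTECTION for that build.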
The msiexec.exe process is then spawned from within this\r\ncontext.\r\nPreviously, in v2.0, FudModule used a dummy thread to insert an entry into the handle table and subsequently\r\nmodified the referenced object to target specific processes (in order to disable security solutions). In v3.0, a more\r\nsophisticated approach is used: FudModule uses the NtDuplicateObject function to duplicate the current process\r\nhandle, creating another entry in the handle table. This new entry is then made to point to the _OBJECT_HEADER of the target\r\n_EPROCESS – in our case services.exe.\r\nThe second injection, targeting the msiexec.exe spawned by the first injection, simply aims to decrypt and\r\nprepare a payload before executing it. This payload is passed as an argument by the initial shellcode that carries the\r\n0-day exploit.\r\nThis development marks an interesting shift in FudModule’s functionality. Instead of being the final payload\r\nby itself, it serves as a loader that abuses its access to PPL-protected processes to improve the stealthiness of the\r\nfinal payload and hinder detection and tracing.\r\nConclusion\r\nThe Lazarus group, one of the long-standing APT (Advanced Persistent Threat) groups, has once\r\nagain surprised the cybersecurity community. Lazarus continues to aggressively utilize new zero-day\r\nvulnerabilities, targeting not just operating systems but also browsers to effectively deliver their payloads. This\r\ntime, they even went one step further, moving from BYOVD to directly exploiting system drivers.\r\nSince the discovery of FudModule, it has been clear that this rootkit is under active development. Its aim\r\nappears to be achieving long-term persistence and improved stealth capabilities to bypass built-in security features\r\nand evade detection from security vendors. 
Its latest evolution seems to shift its purpose from a standalone rootkit\r\nfor disarming security solutions to a more generic rootkit that also actively protects the associated payload.\r\nDespite our extensive research, we have not yet uncovered the exact method used to deliver the Local Privilege\r\nEscalation (LPE) exploit alongside the FudModule v3.0 rootkit. However, based on the research from Microsoft,\r\nwe now believe that the LPE exploit could have been delivered through a Remote Code Execution (RCE)\r\nvulnerability in Google Chrome.\r\nIndicators of Compromise (IoCs)\r\nA YARA rule for FudModule v3.0 is available at github.com/avast/ioc\r\nSource: https://www.gendigital.com/blog/news/innovation/lazarus-fudmodule-v3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.gendigital.com/blog/news/innovation/lazarus-fudmodule-v3"
	],
	"report_names": [
		"lazarus-fudmodule-v3"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434375,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5e8d7a9f4a108947290f0f5194623ffab4c2ff5b.pdf",
		"text": "https://archive.orkl.eu/5e8d7a9f4a108947290f0f5194623ffab4c2ff5b.txt",
		"img": "https://archive.orkl.eu/5e8d7a9f4a108947290f0f5194623ffab4c2ff5b.jpg"
	}
}