{
	"id": "797773b1-cb22-4fa5-8118-c99a250f99af",
	"created_at": "2026-04-06T00:20:17.132085Z",
	"updated_at": "2026-04-10T03:35:17.316612Z",
	"deleted_at": null,
	"sha1_hash": "5edbbfe2cd0cb0c9032ae27976efcae7601cd3a0",
	"title": "Have Your Cake and Eat it Too? An Overview of UNC2891 | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 290898,
	"plain_text": "Have Your Cake and Eat it Too? An Overview of UNC2891 | Mandiant\r\nBy Mandiant\r\nPublished: 2022-03-16 · Archived: 2026-04-05 12:50:03 UTC\r\nWritten by: Mathew Potaczek, Takahiro Sugiyama, Logeswaran Nadarajan, Yu Nakamura, Josh Homan, Martin Co, Sylvain Hirsch\r\nThe Mandiant Advanced Practices team previously published a threat research blog post that provided an overview of\r\nUNC1945 operations where the actor compromised managed services providers to gain access to targets in the financial and\r\nprofessional consulting industries.\r\nSince that time, Mandiant has investigated and attributed several intrusions to a threat cluster we believe has a nexus to this\r\nactor, currently being tracked as UNC2891. Through these investigations, Mandiant has discovered additional techniques,\r\nmalware, and utilities being used by UNC2891 alongside those previously observed in use by UNC1945. Despite having\r\nidentified significant overlaps between these threat clusters, Mandiant has not determined they are attributable to the same\r\nactor.\r\nUNC2891 intrusions appear to be financially motivated and in some cases spanned several years through which the\r\nactor had remained largely undetected.\r\nUNC2891 demonstrated fluency and expertise in Unix and Linux environments, mostly through the targeting of\r\nOracle Solaris based systems with TINYSHELL and SLAPSTICK backdoors.\r\nMandiant observed UNC2891 operate with a high degree of OPSEC and leverage both public and private malware,\r\nutilities, and scripts to remove evidence and hinder response efforts.\r\nMandiant discovered a previously unknown rootkit for Oracle Solaris systems that UNC2891 used to remain hidden\r\nin victim networks; we have named this CAKETAP.\r\nOne variant of CAKETAP manipulated messages transiting a victim's Automatic Teller Machine (ATM) switching\r\nnetwork. 
It is believed this was leveraged as part of a larger operation to perform unauthorized cash withdrawals at\r\nseveral banks using fraudulent bank cards.\r\nExtensive Use of SLAPSTICK and TINYSHELL Backdoors\r\nLike past UNC1945 intrusions, Mandiant observed UNC2891 make extensive use of the Pluggable Authentication Module\r\n(PAM) based backdoor we track as SLAPSTICK to aid with credential harvesting, and to provide backdoor access to\r\ncompromised machines in victim networks. As detailed in our previous blog post, SLAPSTICK provides persistent\r\nbackdoor access to infected systems with a hard-coded magical password; it also logs authentication attempts and\r\ncorresponding passwords in an encrypted log file. Although this is expected to have tremendously assisted UNC2891 with\r\ncredential harvesting and lateral movement activities, it also provided valuable information to Mandiant Incident\r\nResponders. Although SLAPSTICK log files were often timestomped, Mandiant was able to decode them and trace some of\r\nthe actor’s lateral movement activities through the usage of the backdoor-provided magical password.\r\nFigure 1: Example SLAPSTICK decoded log (fabricated)\r\nAlongside SLAPSTICK, UNC2891 often installed a custom variant of the publicly available TINYSHELL backdoor.\r\nUNC2891 TINYSHELL backdoors leveraged an external encrypted configuration file and some variants included additional\r\nfunctionality, such as the ability to communicate via an HTTP proxy with basic authentication. 
In line with the group’s\r\nfamiliarity with Unix and Linux based systems, UNC2891 often named and configured their TINYSHELL backdoors with\r\nvalues that masqueraded as legitimate services that might be overlooked by investigators, such as systemd (SYSTEMD),\r\nname service cache daemon (NSCD), and the Linux at daemon (ATD).\r\nTINYSHELL Backdoor File Paths TINYSHELL Configuration File Paths\r\n/usr/lib/libhelpx.so.1\r\n/usr/lib/systemd/systemd-helper\r\n/usr/lib/libatdcf.so\r\n/usr/lib/libnscd.so.1\r\n/usr/sbin/nscd /usr/lib/libsystemdcf.so\r\n/var/ntp/ntpstats/1\r\nTable 1: Observed TINYSHELL file paths\r\nhttps://www.mandiant.com/resources/unc2891-overview\r\nPage 1 of 8\n\nExample Decoded configuration\r\npm_systemd_mag \u003c32-character string\u003e\r\nsystemd_nme\r\npm_systemd_adr\r\npm_systemd_prt \u003c443 or 53\u003e\r\npm_systemd_tme 300\r\nsystemd_non1 none\r\nsystemd_non2 none\r\nsystemd_non3 none\r\nsystemd_non4 none\r\nTable 2: Example decoded TINYSHELL configuration (systemd variant)\r\nIn the case of the systemd variant, UNC2891 also leveraged systemd service unit files for persistence of the TINYSHELL\r\nbackdoor.\r\n/usr/lib/systemd/system/systemd-helper.service\r\n[Unit]\r\nDescription=Rebuild Hardware Database\r\n[Service]\r\nType=forking\r\nExecStart=/lib/systemd/systemd-helper\r\n[Install]\r\nWantedBy=multi-user.target\r\nTable 3: Service unit file used for TINYSHELL persistence\r\nBased on analyzed configurations, UNC2891 had configured TINYSHELL backdoors in a multi-hop structure that\r\nleveraged several compromised internal servers for command and control. 
In one case, Mandiant found evidence that\r\nsuggests the actor had chained different TINYSHELL variants together to obtain remote access to a server inside a network\r\nsegment with network restrictions.\r\nTo keep their network of TINYSHELL connections hidden, UNC2891 had installed and configured a rootkit to filter out\r\nthese connections from network connection related APIs (keep reading for details on the CAKETAP rootkit). UNC2891\r\nconfigured remotely accessible systems with TINYSHELL backdoors that used dynamic DNS domains for their external\r\ncommand and control channel. These domains were created per-host and were not used more than once; the subdomains\r\nsometimes resembled the hostname of the compromised machine. Mandiant was unable to collect passive DNS data for\r\nthese dynamic DNS domains, suggesting that UNC2891 had likely enabled IP resolution for short periods of time when\r\naccess to the network was required. At one victim, these TINYSHELL backdoors were configured to perform\r\ncommunications using TCP over ports 53 and 443, likely as a mechanism to bypass outbound network protections, blend in\r\nwith existing traffic, and evade detection.\r\nFigure 2: Example of TINYSHELL command and control used by UNC2891\r\nSTEELHOUND, STEELCORGI and Environment Variable Keying\r\nUNC2891 often made use of the STEELCORGI in-memory dropper which decrypts its embedded payloads by deriving a\r\nChaCha20 key from the value of an environment variable obtained at runtime. In many cases, Mandiant was unable to\r\nrecover the requisite environment variables to decrypt the embedded payloads. However, in the limited samples we were\r\nable to decrypt, UNC2891 had deployed different versions of an extensive toolkit which appears to be developed under the\r\nname SUN4ME. 
SUN4ME contains tools for network reconnaissance, host enumeration, exploitation of known\r\nvulnerabilities, log wiping, file operations, as well as common shell utilities. Yoroi has previously published information\r\nabout this toolkit following our previous blog post on UNC1945’s usage of STEELCORGI.\r\nMandiant discovered UNC2891 leveraging a similar in-memory dropper that also used environment variables to decrypt its\r\nembedded payload but instead relied on RC4 encryption; we have named this STEELHOUND. In addition to functioning as a\r\ndropper for an embedded payload, STEELHOUND is also able to encrypt new payloads by encrypting a target binary and\r\nwriting it to disk along with a copy of itself and an end-of-file configuration.\r\nWINGHOOK and WINGCRACK\r\nDuring these investigations, Mandiant also discovered a family of keylogger malware we have named WINGHOOK and\r\nWINGCRACK.\r\nWINGHOOK is a keylogger for Linux and Unix based operating systems. It is packaged as a shared library (SO file)\r\nthat hooks the read and fgets functions, which are two common functions used for processing user input. The\r\ncaptured data is stored in an encoded format in the directory /var/tmp/ with a filename that begins with .zmanDw.\r\nWINGCRACK is a utility that can decode and display the content of files containing encoded keylog data from\r\nWINGHOOK. The malware author appears to refer to these encoded files as “schwing” files.\r\nUtilities Observed\r\nMandiant previously observed UNC1945 use a large number of different public and private tools during their intrusions, and\r\nthis was also true for UNC2891. Mandiant discovered additional utilities that were leveraged by UNC2891:\r\nBINBASH is a simple ELF utility that executes a shell after setting the group ID and user ID to either \"root\" or\r\nspecified values. BINBASH appears to be a compilation of the source code.\r\nWIPERIGHT is an ELF utility that clears specific log entries on Linux and Unix based systems. 
It can remove entries\r\nassociated with a given user in the lastlog, utmp/utmpx, wtmp/wtmpx, and pacct logs. It appears to have originated\r\nfrom available source code, and possibly a more recent version.\r\nMIGLOGCLEANER is another ELF utility that wipes logs or removes certain strings from logs on Linux and Unix\r\nbased systems. It is publicly available on GitHub.\r\nWhilst seemingly uncommon amongst threat actors, UNC2891 frequently used the uuencoding scheme to encode and\r\ndecode files, such as malware binaries or files containing output from extensive host enumeration scripts. The actor often\r\nleveraged simple Perl wrapper scripts that performed uuencoding and uudecoding functions.\r\nCAKETAP\r\nCAKETAP is a kernel module rootkit that UNC2891 deployed on key server infrastructure running Oracle Solaris.\r\nCAKETAP can hide network connections, processes, and files. During initialization, it removes itself from the loaded\r\nmodules list and updates the last_module_id with the previously loaded module to hide its presence.\r\nA hook is installed into the function ipcl_get_next_conn, as well as several functions in the ip module. This enables\r\nCAKETAP to filter out any connections that match an actor-configured IP address or port (local or remote).\r\nOne way to identify CAKETAP running on a Solaris system is to check for the presence of this hook. 
The following shows\r\nan example command to identify a hooked ipcl_get_next_conn function (Note: The mdb command may require special\r\npermissions on the system):\r\nroot@solaris:~# echo 'ipcl_get_next_conn::dis -n 0 ; ::quit' | mdb -k\r\nThe output in a clean SPARC Solaris system would look similar to the following:\r\nipcl_get_next_conn: save %sp, -0xb0, %sp\r\nA hooked function would begin with the sethi instruction as follows (the constant 0x11971c00 will change from instance to\r\ninstance depending on where CAKETAP is loaded):\r\nipcl_get_next_conn: sethi %hi(0x11971c00), %g1\r\nAdditional hooks are installed into the mkdirat (make directory at) and getdents64 (get directory entries) system calls.\r\nCAKETAP uses the mkdirat hook to receive commands from paths containing the signal string. Commands include\r\nconfiguring network filters, displaying or updating its configuration, and unhiding itself. The getdents64 hook enables\r\nCAKETAP to hide files or directories on the file system containing the secret signal string. Table 4 contains the signal\r\nstrings for the CAKETAP hooks.\r\nSecret Usage\r\n.caahGss187 mkdirat hook signal string\r\n.zaahGss187 getdents64 hook signal string\r\nTable 4: Observed secrets for CAKETAP hooks\r\nThe mkdirat hook enabled UNC2891 to control and configure CAKETAP through existing backdoor access to compromised\r\nservers by issuing shell commands that leverage these system calls (e.g. mkdir for mkdirat). A single character appended to\r\nthe signal string indicated which command was to be executed. 
The following commands were observed:\r\nCommand Function\r\nEmpty Add the CAKETAP module back to loaded modules list\r\nM Change the signal string for the getdents64 hook\r\nI Add a network filter (format \u003cip\u003ep\u003cport\u003e)\r\ni Remove a network filter\r\nP Set the current thread TTY to not be filtered by the getdents64 hook\r\np Set all TTYs to be filtered by the getdents64 hook\r\nS Display the current configuration\r\nTable 5: Observed CAKETAP commands\r\nFor example, to configure a new network filter and display the current configuration, the following commands might be\r\nused:\r\nmkdir /some/path/.caahGss187I192.168.1.10p80 - Add network filter for 192.168.1.10:80\r\nmkdir /some/path/.caahGss187S - Display current configuration\r\nThe hook installed into getdents64 filtered output to hide the presence of the signal string in directory contents.\r\nMandiant observed UNC2891 load CAKETAP with the module name ipstat from attacker-created directories that often\r\nresided somewhere inside the /var directory tree.\r\nCAKETAP Unauthorized Transactions\r\nMemory forensics from one victim’s ATM switch server revealed a variant of CAKETAP with additional network hooking\r\nfunctionality that intercepted specific messages relating to card and PIN verification. Evidence suggests that this variant of\r\nCAKETAP was used as part of an operation to perform unauthorized transactions using fraudulent bank cards.\r\nThis CAKETAP variant targeted specific messages destined for the Payment Hardware Security Module (HSM). This\r\nadditional network hooking performed several functions:\r\n1. Manipulation of card verification messages:\r\nCAKETAP altered the mode of certain outgoing messages to disable card verification. This resulted in the HSM not\r\nperforming the proper card verification and instead generating a valid response. 
Fraudulent bank cards generated\r\nverification messages using a custom algorithm based on the Primary Account Number (PAN) and other parameters,\r\nwhich served as a “marker” for CAKETAP. CAKETAP examined outgoing messages and, if a message matched the algorithm,\r\nidentified the card as fraudulent and stored the PAN in memory to use in the following step.\r\n2. Replay of PIN verification messages:\r\nCAKETAP examined outgoing PIN verification messages that matched certain conditions and identified those with a\r\nPrimary Account Number (PAN) that reflected a fraudulent card. If the message was not for a fraudulent card, it\r\nwould save the message internally and send it unmodified, so as not to interrupt legitimate ATM PIN verifications.\r\nHowever, if it was for a fraudulent card, CAKETAP would instead replace the message content with data from a\r\npreviously saved message. This was effectively a replay attack that resulted in a bypass of PIN verification for\r\nfraudulent cards.\r\nBased on Mandiant’s investigation findings, we believe that CAKETAP was leveraged by UNC2891 as part of a larger\r\noperation to successfully use fraudulent bank cards to perform unauthorized cash withdrawals from ATM terminals at\r\nseveral banks.\r\nConclusion\r\nUNC2891 maintains a high level of OPSEC and employs several techniques to evade detection. The actor uses their skill\r\nand experience to take full advantage of the decreased visibility and security measures that are often present in Unix and\r\nLinux environments. Mandiant expects that UNC2891 will continue to capitalize on this and perform similar operations for\r\nfinancial gain that target mission critical systems running these operating systems.\r\nWhile some of the overlaps between UNC2891 and UNC1945 are notable, they are not conclusive enough to attribute the\r\nintrusions to a single threat group. 
For example, it is possible that significant portions of UNC2891 and UNC1945 activity\r\nare carried out by an entity that is a common resource to multiple threat actors, which could explain the perceived difference\r\nin intrusion objectives—a common malware developer or an intrusion partner, for example. Regardless, Mandiant is\r\nreleasing this information on the actor to raise awareness of the fraudulent activity and aid defenders in uncovering further\r\nUNC2891 operations.\r\nYARA\r\nThe following YARA rules are not intended to be used on production systems or to inform blocking rules without first being\r\nvalidated through an organization's own internal testing processes to ensure appropriate performance and limit the risk of\r\nfalse positives. These rules are intended to serve as a starting point for hunting efforts to identify samples, however, they\r\nmay need adjustment over time if the malware family changes.\r\nrule TINYSHELL\r\n{\r\nmeta:\r\nauthor = \"Mandiant \"\r\nstrings:\r\n$sb1 = { C6 00 48 C6 4? ?? 49 C6 4? ?? 49 C6 4? ?? 4C C6 4? ?? 53 C6 4? ?? 45 C6 4? ?? 54 C6 4? ?? 3D C6 4? ?? 46 C6 4? ??\r\n$sb2 = { C6 00 54 C6 4? ?? 4D C6 4? ?? 45 C6 4? ?? 3D C6 4? ?? 
52 }\r\n$ss1 = \"fork\" ascii fullword wide\r\n$ss2 = \"socket\" ascii fullword wide\r\n$ss3 = \"bind\" ascii fullword wide\r\n$ss4 = \"listen\" ascii fullword wide\r\n$ss5 = \"accept\" ascii fullword wide\r\n$ss6 = \"alarm\" ascii fullword wide\r\n$ss7 = \"shutdown\" ascii fullword wide\r\n$ss8 = \"creat\" ascii fullword wide\r\n$ss9 = \"write\" ascii fullword wide\r\n$ss10 = \"open\" ascii fullword wide\r\n$ss11 = \"read\" ascii fullword wide\r\n$ss12 = \"execl\" ascii fullword wide\r\n$ss13 = \"gethostbyname\" ascii fullword wide\r\n$ss14 = \"connect\" ascii fullword wide\r\ncondition:\r\nuint32(0) == 0x464c457f and 1 of ($sb*) and 10 of ($ss*)\r\n}\r\nrule TINYSHELL_SPARC\r\n{\r\nmeta:\r\nauthor = \"Mandiant\"\r\nstrings:\r\n$sb_xor_1 = { DA 0A 80 0C 82 18 40 0D C2 2A 00 0B 96 02 E0 01 98 03 20 01 82 1B 20 04 80 A0 00 01 82 60 20 00 98 0B 00 01\r\n$sb_xor_2 = { C6 4A 00 00 80 A0 E0 00 02 40 00 0B C8 0A 00 00 85 38 60 00 C4 09 40 02 84 18 80 04 C4 2A 00 00 82 00 60 01\r\ncondition:\r\nuint32(0) == 0x464C457F and (uint16(0x10) \u0026 0x0200 == 0x0200) and (uint16(0x12) \u0026 0x0200 == 0x0200) and 1 of them\r\n}\r\nrule SLAPSTICK\r\n{\r\nmeta:\r\nauthor = \"Mandiant \"\r\nstrings:\r\n$ss1 = \"%Y %b %d %H:%M:%S \\x00\"\r\n$ss2 = \"%-23s %-23s %-23s\\x00\"\r\n$ss3 = \"%-23s %-23s %-23s %-23s %-23s %s\\x0a\\x00\"\r\ncondition:\r\n(uint32(0) == 0x464c457f) and all of them\r\n}\r\nrule STEELCORGI\r\n{\r\n meta:\r\n author = \"Mandiant \"\r\n strings:\r\n $s1 = \"\\x00\\xff/\\xffp\\xffr\\xffo\\xffc\\xff/\\xffs\\xffe\\xffl\\xfff\\xff/\\xffe\\xffx\\xffe\\x00\"\r\n $s2 = \"\\x00\\xff/\\xffv\\xffa\\xffr\\xff/\\xffl\\xffi\\xffb\\xff/\\xffd\\xffb\\xffu\\xffs\\xff/\\xffm\\xffa\\xffc\\xffh\\xffi\\xffn\\xf\r\n $sb1 = { FE 1B 7A DE 23 D1 E9 A1 1D 7F 9E C1 FD A4 }\r\n $sb2 = { 3B 8D 4F 45 7C 4F 6A 6C D8 2F 1F B2 19 C4 45 6A 6A\r\n condition:\r\n (uint32(0) == 0x464c457f) and all of them\r\n}\r\nIndicators of 
Compromise\r\nMITRE ATT\u0026CK\r\nDiscovery:\r\nT1016:System Network Configuration Discovery\r\nT1018:Remote System Discovery\r\nT1049:System Network Connections Discovery\r\nT1082:System Information Discovery\r\nT1083:File and Directory Discovery\r\nT1135:Network Share Discovery\r\nLateral Movement:\r\nT1021:Remote Services\r\nT1021.004:SSH\r\nCredential Access:\r\nT1003:OS Credential Dumping\r\nT1003.008:/etc/passwd and /etc/shadow\r\nT1110:Brute Force\r\nT1110.001:Password Guessing\r\nT1552:Unsecured Credentials\r\nT1552.003:Bash History\r\nT1552.004:Private Keys\r\nT1556.003:Pluggable Authentication Modules\r\nCommand and Control:\r\nT1090:Proxy\r\nT1095:Non-Application Layer Protocol\r\nT1105:Ingress Tool Transfer\r\nT1572:Protocol Tunneling\r\nT1573.001:Symmetric Cryptography\r\nExecution:\r\nT1053.001:At (Linux)\r\nT1059:Command and Scripting Interpreter\r\nT1059.004:Unix Shell\r\nCollection:\r\nT1056.001:Keylogging\r\nT1560:Archive Collected Data\r\nT1560.001:Archive via 
Utility\r\nT1560.002:Archive via Library\r\nDefense Evasion:\r\nT1014:Rootkit\r\nT1027:Obfuscated Files or Information\r\nT1070:Indicator Removal on Host\r\nT1070.002:Clear Linux or Mac System Logs\r\nT1070.004:File Deletion\r\nT1070.006:Timestomp\r\nT1140:Deobfuscate/Decode Files or Information\r\nT1480.001:Environmental Keying\r\nT1548.001:Setuid and Setgid\r\nT1620:Reflective Code Loading\r\nPersistence:\r\nT1543.002:Systemd Service\r\nT1547.006:Kernel Modules and Extensions\r\nSource: https://www.mandiant.com/resources/unc2891-overview",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.mandiant.com/resources/unc2891-overview"
	],
	"report_names": [
		"unc2891-overview"
	],
	"threat_actors": [
		{
			"id": "8b0219d5-cb32-4702-a4d6-7de8beb9b7a8",
			"created_at": "2022-10-25T16:07:24.364598Z",
			"updated_at": "2026-04-10T02:00:04.955871Z",
			"deleted_at": null,
			"main_name": "UNC2891",
			"aliases": [],
			"source_name": "ETDA:UNC2891",
			"tools": [
				"BINBASH",
				"CAKETAP",
				"MIGLOGCLEANER",
				"SLAPSTICK",
				"STEELCORGI",
				"STEELHOUND",
				"SUN4ME",
				"Tiny SHell",
				"WINGCRACK",
				"WINGHOOK",
				"WIPERIGHT",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ece64b74-f887-4d58-9004-2d1406d37337",
			"created_at": "2022-10-25T16:07:23.794442Z",
			"updated_at": "2026-04-10T02:00:04.751764Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"DecisiveArchitect",
				"Luminal Panda",
				"TH-239",
				"UNC1945"
			],
			"source_name": "ETDA:LightBasin",
			"tools": [
				"CordScan",
				"EVILSUN",
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LEMONSTICK",
				"LOGBLEACH",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"OKSOLO",
				"OPENSHACKLE",
				"ProxyChains",
				"Pupy",
				"PupyRAT",
				"SIGTRANslator",
				"SLAPSTICK",
				"SMBExec",
				"STEELCORGI",
				"Tiny SHell",
				"pupy",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "31c0d0e1-f793-4374-90aa-138ea1daea50",
			"created_at": "2023-11-30T02:00:07.29462Z",
			"updated_at": "2026-04-10T02:00:03.482987Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"UNC1945",
				"CL-CRI-0025"
			],
			"source_name": "MISPGALAXY:LightBasin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434817,
	"ts_updated_at": 1775792117,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5edbbfe2cd0cb0c9032ae27976efcae7601cd3a0.pdf",
		"text": "https://archive.orkl.eu/5edbbfe2cd0cb0c9032ae27976efcae7601cd3a0.txt",
		"img": "https://archive.orkl.eu/5edbbfe2cd0cb0c9032ae27976efcae7601cd3a0.jpg"
	}
}