{
	"id": "37e142ae-1173-461e-8414-f3bdb41b64de",
	"created_at": "2026-04-06T00:19:07.446985Z",
	"updated_at": "2026-04-10T03:32:43.546018Z",
	"deleted_at": null,
	"sha1_hash": "5f2522de50ab5b5dc036429950c2fc97b8f7f682",
	"title": "PoshC2 (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 32445,
	"plain_text": "PoshC2 (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 21:05:15 UTC\r\nPoshC2\r\nActor(s): APT33\r\nPoshC2 is a proxy aware C2 framework used to aid penetration testers with red teaming, post-exploitation and\r\nlateral movement.\r\nPoshC2 is primarily written in Python3 and follows a modular format to enable users to add their own modules\r\nand tools, allowing an extendible and flexible C2 framework. Out-of-the-box PoshC2 comes PowerShell/C# and\r\nPython3 implants with payloads written in PowerShell v2 and v4, C++ and C# source code, a variety of\r\nexecutables, DLLs and raw shellcode in addition to a Python3 payload. These enable C2 functionality on a wide\r\nrange of devices and operating systems, including Windows, *nix and OSX.\r\nReferences\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.poshc2\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.poshc2\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.poshc2"
	],
	"report_names": [
		"win.poshc2"
	],
	"threat_actors": [
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434747,
	"ts_updated_at": 1775791963,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5f2522de50ab5b5dc036429950c2fc97b8f7f682.pdf",
		"text": "https://archive.orkl.eu/5f2522de50ab5b5dc036429950c2fc97b8f7f682.txt",
		"img": "https://archive.orkl.eu/5f2522de50ab5b5dc036429950c2fc97b8f7f682.jpg"
	}
}