{
	"id": "67eee5d5-556a-44e2-9e13-f5b01fd4892a",
	"created_at": "2026-04-06T01:32:28.263667Z",
	"updated_at": "2026-04-10T13:11:24.008139Z",
	"deleted_at": null,
	"sha1_hash": "625431897c53431d06113a51de73c30aa9b02da4",
	"title": "Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1091891,
	"plain_text": "Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families | Mandiant\r\nBy Mandiant\r\nPublished: 2020-07-15 · Archived: 2026-04-06 00:58:30 UTC\r\nWritten by: Nathan Brubaker, Daniel Kapellmann Zafra, Keith Lunden, Ken Proska, Corey Hildebrandt\r\nMandiant Threat Intelligence has researched and written extensively on the increasing financially motivated threat activity directly impacting operational technology (OT) networks. Some of this research is available in our previous blog posts on industrial post-compromise ransomware and FireEye's approach to OT security. While most of the actors behind this activity likely do not differentiate between IT and OT or have a particular interest in OT assets, they are driven by the goal of making money and have demonstrated the skills needed to operate in these networks. For example, the shift to post-compromise ransomware deployment highlights the actors’ ability to adapt to more complex environments.\r\nIn this blog post we look further into this trend by examining two different process kill lists containing OT processes which we have observed deployed alongside a variety of ransomware samples and families. We think it is likely that these lists were the result of coincidental asset scanning in victim organizations and not specific targeting of OT. 
While this judgement may initially seem like good news to defenders, this activity still indicates that multiple, very prolific, financially motivated threat actors are active inside organizations’ OT—based on the contents of these process kill lists—with the intent of profiting from the ransom of stolen information and disrupted services.\r\nTwo Unique Process Kill Lists Deployed Alongside Seven Ransomware Families Include OT Processes\r\nThreat actors often deploy process kill lists alongside or as part of ransomware to terminate anti-virus products, stop alternative detection mechanisms, and remove file locks to ensure critical data is encrypted. As a result, the deployment of these lists increases the likelihood of a successful attack (MITRE ATT\u0026CK T1489). In post-compromise ransomware attacks, attackers regularly tailor the lists to include processes that are relevant to the victim’s environment. By stopping these processes, the attacker makes sure to encrypt data from critical systems, which may otherwise remain unaffected while a running process holds its files in use. As the likelihood of crippling critical systems increases, the target is more likely to suffer impacts on its physical production.\r\nhttps://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot\r\nPage 1 of 13\r\nFirst Process Kill List Has Been Leveraged By At Least Six Ransomware Families\r\nMandiant identified samples of at least six ransomware families (DoppelPaymer, LockerGoga, Maze, MegaCortex, Nefilim and SNAKEHOSE)—all of which have been associated with high-profile incidents impacting industrial organizations over the past two years—that have leveraged a common process kill list containing 1,000+ processes. 
The list, which we briefly discussed in an earlier blog post from February 2020, includes a couple dozen processes related to OT executables—mainly from General Electric Proficy, a suite used for historians and human-machine interfaces (HMIs). We note that, while the inclusion of these processes in this kill list could result in limited loss of view of historical process data, it is not likely to directly impact the operator’s ability to control the physical process itself.\r\nFigure 1: Snippets from “kill.bat” deployed alongside LockerGoga (L) and MegaCortex process kill list (R)\r\nThe earliest iteration we identified of the shared kill list was a batch script deployed alongside LockerGoga (MD5: 34187a34d0a3c5d63016c26346371b54) in January 2019 (Figure 1). Other iterations of the list we have observed are also hardcoded directly into the ransomware binaries. The different techniques used to deploy the process kill list, the use of different malware families, and slight variations between each list iteration (mainly typos in the process names, e.g.: a2guard.exea2start.exe; nexe; proficyclient.exe) indicate that likely more than one actor had access to the true source of the process kill list. This source could be, for example, a list of processes posted on a dark web forum, or an independent actor sharing the compiled list with other actors.\r\nWe think it is likely that the OT processes identified in this list simply represent the coincidental output of automated process collection from victim environment(s) and not a targeted effort to impact OT. This is supported by the relatively limited and specific selection of OT-related processes, rather than a broader selection of many vendors and OT-related processes that would have been suggestive of targeted external research. 
Regardless, this does not downplay the significance of the inclusion of OT processes in the list, as it suggests that sophisticated financially motivated actors, such as FIN6, have had at least some visibility into a victim’s OT network. As a result, the actors were able to tailor their malware to impact those systems, without the explicit intent to target OT assets.\r\nMost types of ransomware attacks in OT environments will result in the disruption of services and a temporary loss of view into current and historical process data. However, OT environments impacted by a ransomware that leverages this kill list, and that happen to be running one or more of the processes used by the initial victim(s)—and therefore included on the list—may face additional impacts. For example, historian databases would be more likely to be encrypted, possibly resulting in loss of historical data. Other impacts could include gaps in the collection of process data corresponding to the duration of the outage and temporary loss of access to licensing rights for critical services.\r\nSecond List Deployed Alongside CLOP Ransomware Sample Has a Higher Chance of Impacting OT Systems\r\nMandiant analyzed a second, entirely unrelated sample of ransomware (MD5: 3b980d2af222ec909b948b6bbdd46319) from the CLOP family with a hardcoded list for enumeration and termination of processes that includes a number of OT strings. The list contains over 1,425 processes, from which at least 150 belong to OT-related software suites (Figure 2 and Appendix).\r\nBased on our analysis, the CLOP malware family’s process kill list has grown over time, possibly as more processes are scanned during different compromises. 
While we do not currently hold enough information to describe the exact mechanism used by the actor to grow the list, it appears to have resulted from actor reconnaissance across multiple victims. We have observed the threat actor employing process discovery procedures, including running the tasklist utility. This indicates that the actor scanned for processes in at least one victim’s OT network(s) before deploying the ransomware.\r\nFigure 2: Subset of processes in observed CLOP sample\r\nCLOP is also interesting as we have only observed a single unique and very prolific financially motivated threat actor leveraging the malware family. The group, which has been active since at least 2016 and potentially as early as 2014, is known for operating large phishing campaigns to distribute malware and typically monetizes intrusions through ransomware deployment. As highlighted by their versatility and long history in financially motivated intrusions, the actor’s activity in OT networks is likely no more than an additional step in the process for monetization. However, the financial motivations of the actor again do not imply low risk to OT. Instead, our analysis of the CLOP sample’s kill list indicates that the included processes actually have greater potential to disrupt OT systems than those included in the shared list described above.\r\nUnlike the first kill list, the CLOP sample includes a list of processes that, if stopped, may directly impact the operator’s ability to both visualize and control production. This is especially true in the case of some included processes that support HMI and PLC supervision. 
Some of the OT processes present in the CLOP sample are related to the following products:\r\nVendor | Product | Description\r\nSiemens | SIMATIC WinCC | SCADA system, common for process control and automation.\r\nBeckhoff | TwinCAT | Software for PC-based process control and automation.\r\nNational Instruments | Data Acquisition Software (DAQ) | Software used to acquire data from sensors and conditioning devices.\r\nKepware | KEPServer EX | Software platform that collects information from industrial devices and sends the output to SCADA applications.\r\nOPC Unified Architecture (OPC-UA) | N/A | Communication protocol for data acquisition and exchange between industrial equipment and enterprise systems.\r\nTable 1: Examples of products related to OT processes included in identified CLOP kill list\r\nWhile it is likely the physical processes this software controls would continue to operate even if the software processes were terminated unexpectedly, stopping the software processes included in the CLOP sample’s kill list could result in the loss of view/control over those physical processes due to the inability of operators to interact with the equipment. This can be caused not only by the ransomware’s disruption of intermediary systems, but also by the loss of access to relevant files on HMIs/EWS required for the operation of process control and monitoring software–for example configurations or project files. This could prolong the mean time to recovery (MTTR) of impacted environments without offline backups. In the CLOP sample list, we also identified specialized processes for software application design and testing that may also become corrupted at the time of encryption.\r\nProcess Kill Lists Are Just An Observable Indicating Broader Financially Motivated Interest In OT\r\nFinancially motivated threat actors leverage a large variety of tactics and techniques to obtain data that they can later use to generate profits. 
While financial actors have historically posed little to no threat to OT systems, the recent uptick in ransomware and extortion incidents highlights that industrial operations are increasingly at risk. Although we have not observed any financially motivated actors explicitly targeting OT systems, our research into process kill lists deployed with or alongside ransomware samples shows that at least two sophisticated financial actors have expanded their access into OT networks during their regular intrusions.\r\nThis increasing exposure of OT to financially motivated threat activity is no surprise, given that TTPs used by cybercriminals increasingly resemble those employed by sophisticated actors. We have consistently conveyed this message since at least 2018, when we publicly discussed the commodity and custom IT tools leveraged by the TRITON attacker while traversing through its targets’ networks (Figure 3). The likelihood of financially motivated actors impacting OT while seeking to monetize intrusions will continue to rise for the following reasons:\r\nFigure 3: TTPs seen across both IT and OT incidents\r\nFinancially motivated threat actors moving to a post-compromise ransomware model will continue to evolve and find ways to reach the most critical systems of organizations as part of their mission of monetization. As these actors are mainly driven by profits, they are not likely to differentiate between IT and OT assets.\r\nOT organizations will continue to struggle to evolve at the same pace as cyber criminals. 
As a result, small weaknesses such as misconfigurations, exposed vulnerabilities or improper segmentation will be enough for financial actors to gain access to networks in their attempts to profit from intrusions.\r\nAs the market for OT solutions continues to incorporate IT services and features into broadly adopted products, we expect the convergence of technologies to result in a broader attack surface for financial threat actors to target.\r\nThe TTPs employed by both financial and sophisticated nation-state actors often rely on intermediary systems as stepping stones through intrusions. As a result, the skills of both groups hold similar potential of reaching OT systems even when financial groups may only do so coincidentally or as part of their monetization strategy.\r\nOutlook\r\nAs OT networks continue to become more accessible to threat actors of all motivations, security threats that have historically impacted primarily IT are becoming more commonplace. This normalization of OT as just another network from the threat actor perspective is problematic for defenders for many of the reasons discussed above. This recent threat activity should be taken as a wake-up call for two main reasons: the various security challenges commonly faced by organizations to protect OT networks, and the significant consequences that may arise from security compromises even when they are not explicitly designed to target production systems. Asset owners need to look at OT security with the mindset that it is not if you will have a breach, but when. 
This shift in thinking will allow defenders to better prepare to respond when an incident does happen, and can help reduce the impact of an incident by orders of magnitude.\r\nAppendix: Selection Of OT Processes From CLOP Kill List\r\nProcess Name Vendor\r\nACTLICENSESERVER.EXE Atlas Copco\r\nTCATSYSSRV.EXE Beckhoff\r\nTCEVENTLOGGER.EXE Beckhoff\r\nTCR.EXE Beckhoff\r\nALARMMANAGER.EXE GE\r\nS2.EXE Honeywell\r\nBR.ADI.DISPLAY.BRIGHTNESS.EXE B\u0026R\r\nBR.ADI.SERVICE.EXE B\u0026R\r\nBR.ADI.UPS.MANAGER.EXE B\u0026R\r\nBR.ADI.UPS.SERVICE.EXE B\u0026R\r\nBR.AS.UPGRADESERVICE.EXE B\u0026R\r\nBRAUTHORIZATIONSVC.EXE B\u0026R\r\nBRTOUCHSVC.EXE B\u0026R\r\nOPCROUTER4SERVICE.EXE Inray Industriesoftware\r\nOPCROUTERCONFIG.EXE Inray Industriesoftware\r\nSERVER_EVENTLOG.EXE Kepware\r\nSERVER_RUNTIME.EXE Kepware\r\nNICELABELAUTOMATIONSERVICE2017.EXE NiceLabel\r\nNICELABELPROXY.EXE NiceLabel\r\nNICELABELPROXYSERVICE2017.EXE NiceLabel\r\nAPPLICATIONWEBSERVER.EXE National Instruments\r\nCWDSS.EXE National Instruments\r\nNIAUTH_DAEMON.EXE National Instruments\r\nNIDEVMON.EXE National Instruments\r\nNIDISCSVC.EXE National Instruments\r\nNIDMSRV.EXE National Instruments\r\nNIERSERVER.EXE National Instruments\r\nNILXIDISCOVERY.EXE National Instruments\r\nNIMDNSRESPONDER.EXE National Instruments\r\nNIMXS.EXE National Instruments\r\nNIPXICMS.EXE National Instruments\r\nNIROCO.EXE National Instruments\r\nNISDS.EXE National Instruments\r\nNISVCLOC.EXE National Instruments\r\nNIWEBSERVICECONTAINER.EXE National Instruments\r\nSYSTEMWEBSERVER.EXE National Instruments\r\nOPC.UA.DISCOVERYSERVER.EXE OPC\r\nOPCUALDS.EXE OPC\r\nANAWIN.EXE AUTEM\r\nASM.EXE Possibly Siemens\r\nPARAMETRIC.EXE PTC\r\nQDAS_O-QIS.EXE Q-Das\r\nQDAS_PROCELLA.EXE Q-Das\r\nQDAS_QS-STAT.EXE Q-Das\r\nQDASIDI_SRV.EXE Q-Das\r\nSPCPROCESSLINK.EXE Q-Das\r\nTAGSRV.EXE Rockwell Automation or National Instruments\r\n_SIMPCMON.EXE Siemens\r\nALMPANELPLUGIN.EXE Siemens\r\nALMSRV64X.EXE Siemens\r\nALMSRVBUBBLE64X.EXE Siemens\r\nCC.TUNNELSERVICEHOST.EXE Siemens\r\nCCAEPROVIDER.EXE Siemens\r\nCCAGENT.EXE Siemens\r\nCCALGRTSERVER.EXE Siemens\r\nCCARCHIVEMANAGER.EXE Siemens\r\nCCCAPHSERVER.EXE Siemens\r\nCCCSIGRTSERVER.EXE Siemens\r\nCCDBUTILS.EXE Siemens\r\nCCDELTALOADER.EXE Siemens\r\nCCDMRUNTIMEPERSISTENCE.EXE Siemens\r\nCCECLIENT_X64.EXE Siemens\r\nCCECLIENT.EXE Siemens\r\nCCESERVER_X64.EXE Siemens\r\nCCESERVER.EXE Siemens\r\nCCKEYBOARDHOOK.EXE Siemens\r\nCCLICENSESERVICE.EXE Siemens\r\nCCNSINFO2PROVIDER.EXE Siemens\r\nCCPACKAGEMGR.EXE Siemens\r\nCCPERFMON.EXE Siemens\r\nCCPROFILESERVER.EXE Siemens\r\nCCPROJECTMGR.EXE Siemens\r\nCCPTMRTSERVER.EXE Siemens\r\nCCREDUNDANCYAGENT.EXE Siemens\r\nCCREMOTESERVICE.EXE Siemens\r\nCCRT2XML.EXE Siemens\r\nCCRTSLOADER_X64.EXE Siemens\r\nCCSSMRTSERVER.EXE Siemens\r\nCCSYSTEMDIAGNOSTICSHOST.EXE Siemens\r\nCCTEXTSERVER.EXE Siemens\r\nCCTLGSERVER.EXE Siemens\r\nCCTMTIMESYNC.EXE Siemens\r\nCCTMTIMESYNCSERVER.EXE Siemens\r\nCCUCSURROGATE.EXE Siemens\r\nCCWATCHOPC.EXE Siemens\r\nCCWRITEARCHIVESERVER.EXE Siemens\r\nDA2XML.EXE Siemens\r\nGSCRT.EXE Siemens\r\nHMIES.EXE Siemens\r\nHMIRTM.EXE Siemens\r\nHMISMARTSTART.EXE Siemens\r\nHMRT.EXE Siemens\r\nIPCSECCOM.EXE Siemens\r\nOPCUASERVERWINCC.EXE Siemens\r\nPASSDBRT.EXE Siemens\r\nPDLRT.EXE Siemens\r\nPMEXP.EXE Siemens\r\nPNIOMGR.EXE Siemens\r\nREDUNDANCYCONTROL.EXE Siemens\r\nREDUNDANCYSTATE.EXE Siemens\r\nS7ACMGRX.EXE Siemens\r\nS7AHHLPX.EXE Siemens\r\nS7ASYSVX.EXE Siemens\r\nS7EPASRV64X.EXE Siemens\r\nS7HSPSVX.EXE Siemens\r\nS7KAFAPX.EXE 
Siemens\r\nS7O.TUNNELSERVICEHOST.EXE Siemens\r\nS7OIEHSX64.EXE Siemens\r\nS7OPNDISCOVERYX64.EXE Siemens\r\nS7SYMAPX.EXE Siemens\r\nS7TGTOPX.EXE Siemens\r\nS7TRACESERVICE64X.EXE Siemens\r\nS7UBTOOX.EXE Siemens\r\nS7UBTSTX.EXE Siemens\r\nS7WNRMSX.EXE Siemens\r\nS7WNSMGX.EXE Siemens\r\nS7WNSMSX.EXE Siemens\r\nS7XUDIAX.EXE Siemens\r\nS7XUTAPX.EXE Siemens\r\nSCORECFG.EXE Siemens\r\nSCOREDP.EXE Siemens\r\nSCOREPNIO.EXE Siemens\r\nSCORES7.EXE Siemens\r\nSCORESR.EXE Siemens\r\nSCSDISTSERVICEX.EXE Siemens\r\nSCSFSX.EXE Siemens\r\nSCSMX.EXE Siemens\r\nSDIAGRT.EXE Siemens\r\nSIEMENS.INFORMATIONSERVER.DISCOVERSERVICEINSTALLER.EXE Siemens\r\nSIEMENS.INFORMATIONSERVER.ISREADY.PLUGINSERVICE.EXE Siemens\r\nSIEMENS.INFORMATIONSERVER.SCHEDULER.EXE Siemens\r\nSIM9SYNC.EXE Siemens\r\nSIMNETPNPMAN.EXE Siemens\r\nSMARTSERVER.EXE Siemens\r\nSSERVCFG.EXE Siemens\r\nTOUCHINPUTPC.EXE Siemens\r\nTRACECONCEPTX.EXE Siemens\r\nTRACESERVER.EXE Siemens\r\nUM.RIS.EXE Siemens\r\nUM.SSO.EXE Siemens\r\nWEBNAVIGATORRT.EXE Siemens\r\nWINCCEXPLORER.EXE Siemens\r\nCCDMRTCHANNELHOST.EXE Siemens\r\nANSYS.ACT.BROWSER.EXE Ansys\r\nANSYS.EXE Ansys\r\nANSYS192.EXE Ansys\r\nANSYSFWW.EXE Ansys\r\nANSYSLI_CLIENT.EXE Ansys\r\nANSYSLI_MONITOR.EXE Ansys\r\nANSYSLI_SERVER.EXE Ansys\r\nANSYSLMD.EXE Ansys\r\nANSYSWBU.EXE Ansys\r\nCONFIGSERVERI64.EXE Tani\r\nENGINELOGGERI64.EXE Tani\r\nPLCENGINEI64.EXE Tani\r\nSource: https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.mandiant.com/resources/financially-motivated-actors-are-expanding-access-into-ot"
	],
	"report_names": [
		"financially-motivated-actors-are-expanding-access-into-ot"
	],
	"threat_actors": [
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439148,
	"ts_updated_at": 1775826684,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/625431897c53431d06113a51de73c30aa9b02da4.pdf",
		"text": "https://archive.orkl.eu/625431897c53431d06113a51de73c30aa9b02da4.txt",
		"img": "https://archive.orkl.eu/625431897c53431d06113a51de73c30aa9b02da4.jpg"
	}
}