{
	"id": "0e8162e0-ceeb-4966-ae32-0094a7ea5ccf",
	"created_at": "2026-04-06T00:19:39.930653Z",
	"updated_at": "2026-04-10T03:38:01.835715Z",
	"deleted_at": null,
	"sha1_hash": "625e91c4829e13a66b3d2a68a473523c96cba565",
	"title": "Risky Biz News: US takes down RT's Twitter bot farm",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 986372,
	"plain_text": "Risky Biz News: US takes down RT's Twitter bot farm\r\nBy Catalin Cimpanu\r\nPublished: 2024-07-10 · Archived: 2026-04-02 11:24:14 UTC\r\nThis newsletter is brought to you by Devicie. You can subscribe to an audio version of this newsletter as a podcast by searching for \"Risky Business News\" in your podcatcher or subscribing via this RSS feed. On Apple Podcasts: Risky Biz News: US takes down RT's Twitter bot farm (9 July 2024).\r\nThe US Department of Justice has taken down a Twitter botnet operated by Russian news organization RT that was used to spread Kremlin propaganda on a large scale across Europe and the US.\r\nAccording to court documents, the botnet consisted of at least 968 accounts and was operated by an editor-in-chief from RT's Moscow headquarters.\r\nhttps://news.risky.biz/risky-biz-news-us-takes-down-rts-twitter-bot-farm/\r\nPage 1 of 10\n\nThe botnet was established in early 2022, shortly after Russia's invasion of Ukraine, and its main role was to spread disinformation and favorable Russian narratives about the war.\r\nAccording to a technical report [PDF] published by the FBI, RT used an AI-enabled tool named Meliorator to build the botnet and control its behavior.\r\nThe tool consists of two main components—Brigadir (frontend) and Taras (backend). From the FBI report:\r\n\"Brigadir serves as the primary end user interface of Meliorator and functions as the administrator panel. 
Brigadir serves as the graphical user interface for the Taras application and includes tabs for “souls,” false identities that would create the basis for the bots, and “thoughts,” which are the automated scenarios or actions that could be implemented on behalf of the bots, such as sharing content to social media in the future.\"\r\nThe botnet allowed operators to create fake online personas, register a Twitter account on their behalf, bypass Twitter's account verification using an on-board email server, and configure campaigns on certain topics with automated replies.\r\nThe bots were configured to take the identities of local citizens but would often post Russian propaganda and disinformation.\r\nRT and its ilk used Meliorator to spread propaganda targeting audiences in the US, Poland, Germany, the Netherlands, Spain, Ukraine, and Israel.\r\nThe FBI says the tool was designed for use on Twitter, but it could have been easily adapted to other social networks as well.\r\nThe DOJ says it discovered the botnet after identifying Meliorator control panels operating on two domains, mlrtr[.]com and otanmailp[.]com, both of which were registered with identities linked to the (as yet unnamed) RT Moscow editor-in-chief.\r\nThe Justice Department says the narratives would often come from a private intelligence organization (PIO) controlled by a Russian FSB officer, an organization established with the approval and financial support of the Presidential Administration of Russia.\r\nBoth the RT editor-in-chief and the FSB officer had direct access to the Meliorator control panels, per the DOJ.\r\nThe DOJ praised Twitter (now X, but we're not calling it that since nobody calls it that) for its voluntary takedown of all bot accounts.\r\nBreaches, hacks, and security incidents\r\nEvolve hack update: American bank Evolve has posted an update on its recent breach and 
says that hackers have stolen the data of 7.6 million of its customers.\r\nHeritage Foundation hack: Hacktivist group SiegedSec claims to have breached American right-wing think tank the Heritage Foundation. The organization is known for Project 2025, an authoritarian Christian nationalist plan to reform the US government. SiegedSec claims it has access to passwords, email inboxes, and the names of all the Foundation's members. The group has leaked some of the data and claims its hack is a response to the organization's anti-LGBTQ agenda.\r\nTurkey DDoS attacks: Two hacktivist groups, LulzSec Black and Moroccan Soldiers, have launched DDoS attacks against Turkish organizations over the country's mistreatment of Syrians. [Additional coverage in DailyDarkWeb]\r\nFujitsu breach: Fujitsu has confirmed that customer data was stolen in a data breach it initially reported in March this year.\r\nGeneral tech and privacy\r\nFirefox on Windows 7: Mozilla says it will extend support for Firefox on Windows 7. No new end-of-support date was announced, but Mozilla was initially scheduled to drop Windows 7 support in September.\r\nNotepad updates: Microsoft is rolling out spellcheck and autocorrect support for the Notepad app on Windows 11, 40 years after the app's launch. [Additional coverage in The Verge]\r\nMicrosoft China blocks Android: Microsoft has mandated that all its China-based employees must use iPhones for work starting this September. The decision comes as the Google Play Store is blocked in China, so employees can only install the Microsoft Authenticator app via Apple's App Store. [Additional coverage in BGR]\r\nFirefox 128: Mozilla has released Firefox 128. New features and security fixes are included. 
The biggest feature changes in this release are the ability to translate selected pieces of text and a revamped UI for clearing cookies and browsing data.\r\nGovernment, politics, and policy\r\nCNMF's death: The Record's Martin Matishak looks at how Cyber Command is phasing out a CNMF project that shared malware samples on VirusTotal. The CNMF is now primarily focused on Under Advisement, a project between CyberCom and private security firms to share info about emerging threats via private channels like Slack and Microsoft Teams. [This item has been edited post-publication due to an erroneous description.]\r\nAU assessment: The Australian government will run a stocktake of all its internet-facing systems and services by June next year. Government agencies will have to scan and determine what equipment and software they have exposed on the internet and which software vendor or contractor supplies it. The end goal is a security risk management plan for all internet-facing systems and services. [Additional coverage in itNews]\r\nRussian oppression database: The Russian government has built a database of all citizens who have fled the country since its invasion of Ukraine. The database is very likely being used for repression. The Kremlin previously used a leaked database of Navalny donors to fire government employees and detain individuals on charges of supporting terrorism. [Additional coverage in The Agency]\r\nRussian censorship: Apple has removed 25 VPN apps from the Russian version of its App Store following a request from the country's telecommunications watchdog. The move comes after Roskomnadzor has tried and failed to block VPN protocols at the network level for almost two years. Demand for VPN services soared in Russia after the country's invasion of Ukraine. 
[Additional coverage in TechCrunch]\r\nIn this Risky Business News sponsor interview, Catalin Cimpanu talks with Devicie Technical Product Manager Tom Plant on the upcoming Windows 10 end-of-support and the looming Great Windows 11 Migration (Sponsored: Devicie on the Great Windows 11 Enterprise Migration, 7 July 2024).\r\nCybercrime and threat intel\r\nVasyGrek: Russian security firm FACCT has linked a malware developer known as Mr.Burns to a 38-year-old Ukrainian national. FACCT claims Andrey R. from the city of Ternopil has been involved in cybercrime since 2010 and is the author and seller of the Burns remote access trojan. The company says BurnsRAT is a tool commonly used by VasyGrek, a cybercrime group that has been attacking Russian companies since at least 2020.\r\nCrypto-drainers: If you're still confused about crypto-drainers and what they are (phishing kits specialized in targeting and automatically emptying crypto-wallets), then Cisco Talos has you covered.\r\nThreat/trend reports: Cloudflare and Orange have recently published reports covering infosec industry threats and trends.\r\nMalware technical reports\r\nDoNeX ransomware: Security firm Avast has been quietly working with law enforcement authorities to provide free decrypters to victims of the DoNeX ransomware gang. Avast says it built the decrypter in March after its researchers found a flaw in the ransomware's cryptographic scheme. The company revealed its decrypter after details of the same flaw were disclosed at a recent security conference. 
The decrypter works for victims of the DoNeX ransomware, as well as of its previous versions, known as DarkRace and Muse.\r\nCoyote: BlackBerry has published a report on Coyote, a new banking trojan spotted earlier this year that primarily targets Brazilian financial institutions.\r\nSilverFox: Knownsec 404 has published a report on SilverFox, a Windows trojan primarily active in China. The Chinese security firm appears to believe the trojan is the work of an APT group that's trying to hide its espionage activities behind a cybercrime operation. It doesn't expand on the subject.\r\nKematian-Stealer: CYFIRMA has discovered a new infostealer named Kematian-Stealer that is available as a free tool on GitHub and has recently been seen in the wild.\r\nBrought to you by Devicie. Be the first to hear about Devicie for MSP, the Intune hyper automation and management platform for modern device management at scale. Visit devicie.com/MSP\r\nAPTs, cyber-espionage, and info-ops\r\nAPT40: Australia's cybersecurity agency has published a report and IOCs from two recent APT40 intrusions. The report marks the first time Australia has led the publishing and exposing of a Chinese APT's ops as part of a joint effort with other agencies abroad.\r\n\"The activity and techniques overlap with the groups tracked as Advanced Persistent Threat (APT) 40, Kryptonite Panda, GINGHAM TYPHOON, Leviathan and Bronze Mohawk in industry reporting. This group has previously been reported as being based in Haikou, Hainan Province, PRC and receiving tasking from the PRC MSS, Hainan State Security Department.\"\r\nCloudSorcerer: Kaspersky has discovered a new APT group targeting Russian government entities. The new CloudSorcerer group has been active since May this year. 
Its main tool is a sophisticated toolkit designed to control malware implants and exfiltrate data via Microsoft Graph, Yandex Cloud, and Dropbox cloud infrastructure. Kaspersky did not link the group to any state. Proofpoint says it spotted the same group also targeting US think tanks.\r\nLifting Zmiy: Rostelecom's security team has discovered a new APT group that is breaching companies via industrial PLCs. Named Lifting Zmiy, the group's first attacks were traced back to October of last year. The group targeted PLCs from Russian company Tech-Automatics, usually used with elevators, which were still using their default passwords. Rostelecom has linked the group to intrusions at a Russian government contractor, two telecom operators, and an IT company. The company says the group collected and exfiltrated data and then destroyed the victims' infrastructure. Rostelecom says Lifting Zmiy uses Starlink infrastructure for its attacks and appears to operate out of Ukraine.\r\nKimsuky: Japan's JPCERT/CC has published a report looking at Kimsuky operations targeting Japanese organizations.\r\nDPRK npm malware: DevSecOps company Phylum has found another malicious JS library published on the npm portal by North Korean hackers. This one tried to pass as call-bind, a legitimate npm package with over 2,000 downstream dependents and over 45 million weekly downloads.\r\nHouthi cyber ops, part I: Hackers linked with Houthi rebels have used spyware to target militaries across the Middle East since 2019. The attacks used a novel Android spyware strain named GuardZoo to collect photos and documents from infected devices. Targets included militaries in seven Middle East countries, such as Saudi Arabia, Oman, and Egypt. 
Security firm Lookout spotted the infections after it discovered a GuardZoo command and control server exposed online.\r\nHouthi cyber ops, part II: On the same note, another Houthi-linked cyber group named OilAlpha has continued to use malicious mobile apps to target humanitarian and human rights organizations operating in Yemen. This is a continuation of a campaign that was first spotted last year.\r\nVulnerabilities, security research, and bug bounty\r\nPatch Tuesday: Yesterday was the July 2024 Patch Tuesday. We had security updates from Adobe, Microsoft, Mozilla (Firefox), Cisco, Fortinet, SAP, Citrix [1, 2], Kubernetes, Schneider Electric, Siemens, and Zoom. The Android Project, VMware, Elastic, Splunk, Apache HTTPD, and Mastodon released security updates last week as well.\r\nThis month, Microsoft patched 142 vulnerabilities, including two zero-days:\r\nCVE-2024-38080 — Windows Hyper-V Elevation of Privilege Vulnerability.\r\nCVE-2024-38112 — Windows MSHTML Platform Spoofing Vulnerability.\r\nNew Adobe Reader zero-day: Adobe is scheduled to release a patch for an Adobe Reader zero-day in August during its regular Patch Tuesday security updates. The zero-day was discovered [archived] by security researcher Haifei Li while scanning public PDF files for potential exploit code. Li says the exploit is unfinished and doesn't deliver a final payload.\r\nGhostscript exploitation: Threat actors are now exploiting a recently disclosed Ghostscript RCE (CVE-2024-29510) in the wild.\r\nWhatsUp Gold RCE: Security researchers from the Summoning Team have published details and a PoC for an unauthenticated RCE in the Progress Software WhatsUp Gold network monitoring solution. The bug is tracked as CVE-2024-4885. 
[h/t ScreamingGoat]\r\nSplunk PoC: Security researcher Mohamed Nabil Ali has published a PoC for CVE-2024-36991, a path traversal in the Splunk SIEM.\r\nBlast-RADIUS attack: A team of academics has developed a new attack that breaks the RADIUS authentication and authorization protocol. The new attack is named Blast-RADIUS and allows threat actors to convert failed authentication attempts into successful logins and access protected resources. The attack leverages a novel MD5 chosen-prefix collision technique and requires a MitM position between RADIUS clients and servers. The RADIUS protocol was developed in the 1990s and is still in use today for protecting networking devices, mobile networks, and industrial equipment. Mitigations are to require the Message-Authenticator attribute (an HMAC-MD5 over the packet keyed with the shared secret) on both clients and servers, or to move RADIUS traffic onto TLS or DTLS.\r\nInfosec industry\r\nNew tool—Incidental: A cool infosec project that has gone open-source recently is Incidental, a platform for managing your incidents within Slack. Still in the early stages of development, though.\r\nNew tool—View8: Check Point has open-sourced View8, a static analysis tool designed to decompile serialized V8 bytecode objects (JSC files) into high-level readable code.\r\nNew tool—Flow Analyzer: Microsoft's Manuel Berrueta has open-sourced Flow Analyzer, a tool for helping with low-level understanding and testing of OAuth 2.0 grants/flows.\r\nNew tool—Atom Ducky: Polish security researcher Flock4h has released Atom Ducky, a tool designed to work as a wirelessly operated Rubber Ducky, personal authenticator, and casual keyboard.\r\nNew tool—MailGoose: CERT-PL has open-sourced MailGoose, a tool that allows server admins to check whether their SPF, DMARC, and DKIM configuration is set up correctly.\r\nBSidesSF 2024 videos: Talks from the BSides San Francisco 2024 security conference, which took place in May, are now available on 
YouTube.\r\nRisky Business Podcasts\r\nIn this edition of Between Two Nerds, Tom Uren and The Grugq talk about how bureaucracies should deal with outstandingly talented individuals.\r\nIn this podcast, Tom Uren and Patrick Gray talk about how South Korean internet regulations inadvertently encouraged a large ISP to hack its own customers to cut down on torrent traffic.\r\nAbhishek Agrawal is the CEO and co-founder of Material Security, an email security company that locks down cloud email archives. Attackers have been raiding mailspools for as long as hacking has existed, and with those mailspools now in the cloud with services like o365 and Google Workspace, guess where the attackers are going?\r\nSource: https://news.risky.biz/risky-biz-news-us-takes-down-rts-twitter-bot-farm/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://news.risky.biz/risky-biz-news-us-takes-down-rts-twitter-bot-farm/"
	],
	"report_names": [
		"risky-biz-news-us-takes-down-rts-twitter-bot-farm"
	],
	"threat_actors": [
		{
			"id": "ca3acede-fb02-418a-8f2b-a73d8c89eda7",
			"created_at": "2023-06-23T02:04:34.425347Z",
			"updated_at": "2026-04-10T02:00:04.787571Z",
			"deleted_at": null,
			"main_name": "OilAlpha",
			"aliases": [
				"TAG-41",
				"TAG-62"
			],
			"source_name": "ETDA:OilAlpha",
			"tools": [
				"Bladabindi",
				"CypherRat",
				"Jorik",
				"SpyMax",
				"SpyNote",
				"SpyNote RAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fad4b64a-4447-459c-b6b4-f50040008d5a",
			"created_at": "2024-07-21T02:00:04.74537Z",
			"updated_at": "2026-04-10T02:00:03.674212Z",
			"deleted_at": null,
			"main_name": "Lifting Zmiy",
			"aliases": [],
			"source_name": "MISPGALAXY:Lifting Zmiy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c29ed071-678d-4023-a954-7138fb534056",
			"created_at": "2023-11-05T02:00:08.079228Z",
			"updated_at": "2026-04-10T02:00:03.39948Z",
			"deleted_at": null,
			"main_name": "SiegedSec",
			"aliases": [],
			"source_name": "MISPGALAXY:SiegedSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5d1a4f32-cc52-4ee8-acab-993cfa2ef5ad",
			"created_at": "2024-07-09T02:00:04.425917Z",
			"updated_at": "2026-04-10T02:00:03.67013Z",
			"deleted_at": null,
			"main_name": "CloudSorcerer",
			"aliases": [],
			"source_name": "MISPGALAXY:CloudSorcerer",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b1db2dce-5a2b-4fc4-85c2-d184acc956a0",
			"created_at": "2024-08-28T02:02:09.272572Z",
			"updated_at": "2026-04-10T02:00:04.622449Z",
			"deleted_at": null,
			"main_name": "CloudSorcerer",
			"aliases": [
				"Operation EastWind"
			],
			"source_name": "ETDA:CloudSorcerer",
			"tools": [
				"GrewApacha",
				"PlugY",
				"The CloudSorcerer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32880ad2-6e13-4687-91fb-75ae015bf3eb",
			"created_at": "2024-11-03T02:00:03.637196Z",
			"updated_at": "2026-04-10T02:00:03.73291Z",
			"deleted_at": null,
			"main_name": "LulzSec Black",
			"aliases": [],
			"source_name": "MISPGALAXY:LulzSec Black",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43",
				"ARCHIPELAGO",
				"Black Banshee",
				"Crooked Pisces",
				"Emerald Sleet",
				"ITG16",
				"Kimsuky",
				"Larva-24005",
				"Opal Sleet",
				"Ruby Sleet",
				"SharpTongue",
				"Sparking Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"THALLIUM",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40",
				"GADOLINIUM",
				"Gingham Typhoon",
				"Kryptonite Panda",
				"Leviathan",
				"Nanhaishu",
				"Pickleworm",
				"Red Ladon",
				"TA423",
				"Temp.Jumper",
				"Temp.Periscope"
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9802c44a-36d9-4e1e-9f37-76b89b3b61b0",
			"created_at": "2023-11-07T02:00:07.10244Z",
			"updated_at": "2026-04-10T02:00:03.408827Z",
			"deleted_at": null,
			"main_name": "OilAlpha",
			"aliases": [],
			"source_name": "MISPGALAXY:OilAlpha",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434779,
	"ts_updated_at": 1775792281,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/625e91c4829e13a66b3d2a68a473523c96cba565.pdf",
		"text": "https://archive.orkl.eu/625e91c4829e13a66b3d2a68a473523c96cba565.txt",
		"img": "https://archive.orkl.eu/625e91c4829e13a66b3d2a68a473523c96cba565.jpg"
	}
}