{
	"id": "95cb0765-7f7d-4ef5-a6ec-2cc54f947569",
	"created_at": "2026-04-06T00:20:10.484796Z",
	"updated_at": "2026-04-10T13:12:05.195481Z",
	"deleted_at": null,
	"sha1_hash": "63c62490178f8132edad7f598ca3ed960a38c0b6",
	"title": "Warning: Newly Discovered APT Attacker AtlasCross Exploits Red Cross Blood Drive Phishing for Cyberattack - NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1214346,
	"plain_text": "Warning: Newly Discovered APT Attacker AtlasCross Exploits Red\r\nCross Blood Drive Phishing for Cyberattack - NSFOCUS, Inc., a global\r\nnetwork and cyber security leader, protects enterprises and carriers from\r\nadvanced cyber attacks.\r\nBy NSFOCUS\r\nPublished: 2023-09-25 · Archived: 2026-04-05 17:07:52 UTC\r\nI. Abstract\r\nNSFOCUS Security Labs recently discovered a new attack process based on phishing documents in their daily threat-hunting operations. Delving deeper into this finding through extensive research, they confirmed two new Trojan horse\r\nprograms and many rare attack techniques and tactics.\r\nNSFOCUS Security Labs believes that this new attack process comes from a new APT attacker, who has a high technical\r\nlevel and cautious attack attitude. The phishing attack activity captured this time is part of the attacker’s targeted strike on\r\nspecific targets and is its main means to achieve in-domain penetration.\r\nNSFOCUS Security Labs named the attacker AtlasCross and the new Trojan programs DangerAds and AtlasAgent,\r\nrespectively.\r\nThis report will describe in detail the attack process, attack techniques and attack tools used by this new type of attacker.\r\nII. Introduction to AtlasCross\r\nAfter an in-depth study of the attack process, NSFOCUS Security Labs found that this APT attacker is quite different from\r\nknown attacker characteristics in terms of execution flow, attack technology stack, attack tools, implementation details,\r\nattack objectives, behavior tendency and other main attribution indicators. 
The technical level and cautious attitude shown by this actor during this activity are also noteworthy.\r\nNSFOCUS Security Labs therefore identified the orchestrator of this event as a new actor and named it AtlasCross.\r\nAn in-depth analysis of its attack metrics validated the high-level threat attributes of AtlasCross in both development technology and attack strategy. At the current stage AtlasCross has a relatively limited scope of activity, primarily targeted attacks against specific hosts within a network domain, but the attack chain it employs is robust and mature. NSFOCUS Security Labs assesses that this actor is likely to deploy the same chain in larger-scale network attack operations.\r\nThe organizational origin of AtlasCross cannot be determined.\r\nIII. Decoy information\r\nIn this event AtlasCross used a decoy document titled “Blood Drive September 2023.docm”, themed on United States Red Cross blood donation information.\r\nWhen the decoy document is opened it displays, by default, the prompt shown below, asking the victim to enable editing in Word:\r\nhttp://nsfocusglobal.com/warning-newly-discovered-apt-attacker-atlascross-exploits-red-cross-blood-drive-phishing-for-cyberattack/\r\nPage 1 of 11\n\nFigure 1 Prompt content displayed in decoy document\r\nIf the victim follows the prompt and enables macros, the decoy document reveals its hidden content, a United States Red Cross blood donation promotional flyer, as shown below.\r\nFigure 2 Spoofing content in the decoy document\r\nTaken together with the actor’s design of the later attack stages (see the Attack Process section for details), it can be inferred that this activity is a targeted cyberattack against people connected with the Red Cross.\r\nIV. Attack Process\r\nThe attack can be divided into three phases: the decoy document phase, the loader phase and the Trojan phase. The overall flow is shown in the following figure.\r\nFigure 3 Overview of the main attack process for this activity\r\nPhase 1: Decoy document\r\nThe first phase is carried out by the malicious macro code embedded in the decoy document. The main functions of this macro are to drop the payload, set up a scheduled task and upload basic information about the victim host.\r\nThe macro reads the value of the document property named “Hyperlink Base”, writes it to a folder with a random numeric name under %APPDATA%\\Microsoft\\Word\\ and saves it as a file named “KB4495667.zip”. The macro then uses the Items method to extract the contents of that zip, a single file named “KB4495667.pkg”, into the same directory.\r\nFigure 4 Extraction method of zip built-in file in malicious macro document code\r\nThe macro then creates a scheduled task named “Microsoft Office Updates”, which runs daily for the three days following its creation.\r\nThe scheduled task invokes InstallUtil.exe, a component of the Windows .NET Framework, with the /? parameter against the “KB4495667.pkg” file. Asking InstallUtil for the help text of that file makes it load the file as a .NET assembly, so the malicious program runs under a trusted, Microsoft-signed binary (proxied execution) without the malicious file ever being started directly, which keeps its execution low-profile.\r\nFigure 5 Scheduled tasks set by the malicious macro document\r\nFinally, the macro sends a request to the specific network location http://data.vectorse.com/target, carrying an ID built from local host information. This behaviour is presumed to be used by the actor to count victims.\r\nFigure 6 Traffic generated in sending malicious macro files\r\nTracing showed that data.vectorse.com is a subdomain of Vector Structural Engineering, an engineering company based in the United States, and is most likely controlled by AtlasCross.\r\nPhase 2: Loader\r\nThe program KB4495667.pkg dropped by the macro is the main malware of the second phase. To facilitate subsequent tracking, NSFOCUS Security Labs named it DangerAds, based on string information it carries.\r\nDangerAds is a loader Trojan whose main function is to check the host environment and then execute a built-in shellcode in its own process. That shellcode loads the final, third-stage payload.\r\nNotably, the Trojan executes its malicious code only when it detects that the user name or local domain name of the victim host contains a specific string. This design indicates that the actor uses this chain for intra-domain penetration after having already intruded into the target network.\r\nFor details of the DangerAds analysis, see the VI. Trojan Analysis section.\r\nPhase 3: Final payload\r\nThe loader eventually maps an x86 or x64 version of a DLL into memory; this DLL is the final payload of the attack chain. 
NSFOCUS Security Labs named the program AtlasAgent based on its PDB information.\r\nThe main functions of AtlasAgent are collecting host information, executing shellcode, and downloading and executing files.\r\nFor details of the AtlasAgent analysis, see the VI. Trojan Analysis section.\r\nV. Technical and Tactical Analysis\r\nNSFOCUS Security Labs found that AtlasCross applied many attack strategies throughout the activity, mostly in the defense evasion stage but also in resource development, persistence and other stages, reflecting a clear awareness of the defenses it has to counter.\r\n1. Resource Development: Access to Infrastructure\r\nThe analysis shows that, before designing the attack chain, AtlasCross had taken control of a large number of public hosts by exploiting vulnerabilities and turned them into the statistics servers and CnC servers used in this activity.\r\nThe compromised hosts share obvious commonalities: all run OpenSSH 7.4 and nginx 1.20.1, and all host WordPress sites with plug-in packages installed. Such a configuration is exposed to multiple vulnerabilities, and AtlasCross most likely took over these hosts in bulk through them.\r\nIn this activity AtlasCross deployed 12 different compromised servers, all located in the United States and all hosted on Amazon cloud infrastructure. Accumulating infrastructure this way effectively reduces AtlasCross’s exposure: because most of these hosts have no record of malicious behaviour, they pass easily through blacklist-based defenses and are highly effective and reliable.\r\n2. Persistence: Scheduled Tasks\r\nAtlasCross uses a scheduled task for persistence in this attack chain. 
Note the actor’s choices when configuring persistence.\r\nFirst, the scheduled task uses the Windows .NET component InstallUtil.exe to load the malicious .NET DLL; because the code then runs inside a trusted, Microsoft-signed binary, this gets past many endpoint detection and response products. Second, the task passes the /? parameter so that InstallUtil invokes the help routine of the malicious DLL. This design keeps the DLL’s main export from being exposed and also prevents dynamic detection products from triggering the malicious code by enumerating and forcibly executing the DLL’s exported functions, reducing the probability that the program is flagged.\r\n3. Defensive Evasion\r\nProcess injection\r\nThe AtlasAgent program built by AtlasCross supports multiple injection methods, including one based on the native system-call functions that can inject shellcode into existing or newly created threads of other processes.\r\nAtlasAgent’s injection code does not call the documented Win32 API functions but uses the native Nt* APIs exported by ntdll.dll, such as NtAllocateVirtualMemory, NtWriteVirtualMemory and NtCreateThreadEx, directly. This bypasses the user-mode hooks that AV/EDR products place on Win32 wrappers such as VirtualAllocEx, WriteProcessMemory and CreateRemoteThread and improves evasion. (The Nt* functions are still user-mode stubs in ntdll.dll that issue the system call; products that observe memory and thread operations from the kernel, for example through kernel callbacks or ETW, are not bypassed by this alone.)\r\nAtlasAgent can inject shellcode either into an existing thread of the target process or into a newly created thread in that process, as chosen by the attacker. The existing-thread variant adds no new thread to the target process, which is stealthier and less likely to be noticed by security tools.\r\nReflective loading\r\nWhen building the DangerAds loader, AtlasCross used the open-source sRDI project (https://github.com/monoxgas/sRDI/blob/master/shellcodeRDI/shellcodeRDI.c) to build the shellcode component. 
This scheme reflectively loads a DLL from memory and avoids the extra file and process operations that would otherwise raise the probability of exposure.\r\nFigure 7 sRDI code in DangerAds\r\nAPI obfuscation\r\nThe AtlasAgent program encrypts sensitive API references in two different ways to increase the difficulty of sample analysis and to reduce the risk of detection by tools such as sandboxes.\r\nMethod 1: Load the required DLL with LoadLibrary and walk its export names, comparing the hash of each name with a stored hash (the hash function used here differs from that of method 2) to obtain the function address. This defeats static detection by anti-virus software or sandboxes and makes it harder for analysts to find the key functions.\r\nMethod 2: Determine the DLL to use from its XOR-encoded name, locate the loaded module through the PEB and parse its export table directly, then calculate the address of each Nt-series API by adding an offset to the corresponding exported Zw-series entry. This scheme calls no API during resolution and does not reference the native functions by name at call time, which gives it strong evasion against anti-virus and endpoint detection and response systems.\r\nBecause the author changed the seed value of the hash algorithm, the generated function-name hashes cannot be looked up in public hash databases, which further raises the cost of analysis.\r\nSee the VI. Trojan Analysis section for a detailed analysis of this API obfuscation logic.\r\nAnti-virtualization and anti-sandbox\r\nThe DangerAds loader runs its payload only when it detects a matching user name or local domain name. This check effectively prevents it from running in a virtualized analysis environment.\r\n4. Command and Control: Backup Channel\r\nAtlasAgent has a standby CnC mechanism that walks through a CnC list until it finds an address it can communicate with. Notably, AtlasAgent carries as many as 11 standby CnC addresses, all of them high-value public websites that AtlasCross compromised and hijacked through network attacks.\r\nIn previous analyses, few actors have invested such large network resources in a single Trojan. This characteristic of AtlasAgent shows that the actor places a high priority on keeping its CnC servers reachable, further confirming the targeted and advanced nature of this activity.\r\nVI. Trojan Analysis\r\n1. DangerAds\r\nDangerAds is the loader Trojan used by AtlasCross in this activity. Its main function is to check the host environment and execute a built-in shellcode in its own process; the shellcode then loads and runs the next-stage Trojan.\r\nDangerAds places its main malicious code in the HelpText property of a .NET DLL (the Installer class member that InstallUtil.exe /? queries), so it starts when an external program asks the DLL for its help text. Before the main malicious function runs, DangerAds collects the user name and local domain name of the host, and the subsequent code executes only when one of these two names contains the keyword “danger” or “ads-wcf”. 
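The execution gate and the multi-byte XOR described above, as an added example (this is not code from the report or from the malware; it models the behaviour the report describes so an analyst can unwrap a sample statically). The report states only that the shellcode is protected with a multi-byte XOR; the key, its length, the constructed sample blob, the case-insensitive substring match and the offset of the embedded PE are assumptions made for illustration. Recovering the key uses the standard MSVC DOS-stub message as known plaintext, which works whenever the analyst can supply the offset of the appended DLL (for example from the sRDI layout, where the DLL follows the loader shellcode) and the key length:

```python
# Added example (not NSFOCUS code): models the DangerAds execution gate and the
# multi-byte (repeating-key) XOR that wraps its embedded shellcode, as an analyst
# would re-implement them to unwrap a sample statically. The key, key length,
# sample bytes and the exact gate semantics (substring, case-insensitive) are
# assumptions for illustration.
import struct

GATE_KEYWORDS = ('danger', 'ads-wcf')  # keywords named in the report


def gate_passes(user_name, domain_name):
    '''True if either name contains one of the keywords (DangerAds gate).'''
    names = (user_name.lower(), domain_name.lower())  # case handling assumed
    return any(k in n for k in GATE_KEYWORDS for n in names)


def xor_repeating(data, key):
    '''Multi-byte XOR with a repeating key; symmetric, so it also decrypts.'''
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext, known_plain, offset, key_len):
    '''Recover a repeating key of length key_len from known plaintext that starts
    at absolute byte offset `offset` of the blob; needs len(known_plain) >= key_len.'''
    if len(known_plain) < key_len:
        raise ValueError('known plaintext shorter than key length')
    key = bytearray(key_len)
    for i in range(key_len):
        pos = offset + i
        key[pos % key_len] = ciphertext[pos] ^ known_plain[i]
    return bytes(key)


def find_pe_images(blob):
    '''Offsets of plausible PE images in a decrypted blob: MZ at the offset and
    e_lfanew (DWORD at +0x3C) pointing at a PE signature inside the blob.'''
    hits = []
    pe_sig = b'PE' + bytes(2)
    i = blob.find(b'MZ')
    while i != -1:
        if i + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from('<I', blob, i + 0x3C)[0]
            j = i + e_lfanew
            if e_lfanew >= 0x40 and j + 4 <= len(blob) and blob[j:j + 4] == pe_sig:
                hits.append(i)
        i = blob.find(b'MZ', i + 1)
    return hits


# --- constructed sample: loader stub followed by a minimal PE-shaped image ---
DOS_STUB_MSG = b'This program cannot be run in DOS mode.'  # present in most MSVC-linked PEs
DOS_STUB_OFFSET = 0x4E  # where that message usually starts inside an image


def build_sample_image():
    img = bytearray(0x200)
    img[0:2] = b'MZ'
    struct.pack_into('<I', img, 0x3C, 0x100)  # e_lfanew -> PE header at 0x100
    img[DOS_STUB_OFFSET:DOS_STUB_OFFSET + len(DOS_STUB_MSG)] = DOS_STUB_MSG
    img[0x100:0x104] = b'PE' + bytes(2)
    return bytes(img)


SAMPLE_KEY = bytes([0x5A, 0x13, 0xC7, 0x88, 0x2E, 0x71, 0x0F, 0xD4])  # assumed 8-byte key
SAMPLE_STUB = bytes(range(0x40)) * 3          # stand-in for the sRDI loader shellcode
SAMPLE_PLAIN = SAMPLE_STUB + build_sample_image()
SAMPLE_BLOB = xor_repeating(SAMPLE_PLAIN, SAMPLE_KEY)  # what an analyst would carve


def unwrap(blob, pe_offset, key_len):
    '''Recover the key from the DOS-stub message of the embedded PE, decrypt the
    blob, and return (key, decrypted blob, list of PE image offsets).'''
    key = recover_key(blob, DOS_STUB_MSG, pe_offset + DOS_STUB_OFFSET, key_len)
    plain = xor_repeating(blob, key)
    return key, plain, find_pe_images(plain)
```

For dynamic analysis the gate is the part that matters: a sandbox whose user name or domain name contains neither keyword will see DangerAds exit before touching the shellcode, so the host or user should be named to satisfy gate_passes before detonation. For static work, unwrap recovers the XOR key from the DOS-stub text of the appended DLL and then locates every embedded PE image, which is where AtlasAgent is found.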
Therefore, it can be judged that this attack is aimed at a specific domain or user name containing “ads-wcf”.\r\nThe main body of the DangerAds code determines the bitness of the running process and decrypts and executes either an x86 or an x64 shellcode accordingly. DangerAds decrypts the shellcode with a multi-byte XOR and runs it directly inside its own process.\r\nFigure 8 DangerAds shellcode execution logic\r\nIn the shellcode stage, DangerAds uses the open-source sRDI scheme (https://github.com/monoxgas/sRDI/blob/master/shellcodeRDI/shellcodeRDI.c) to load and execute a DLL. The shellcode loads the DLL appended at its tail and calls the export function EnumWinEvent.\r\nThe DLL loaded by this shellcode is the AtlasAgent Trojan developed by AtlasCross.\r\n2. AtlasAgent\r\nAtlasAgent is a Trojan developed by AtlasCross. Its main functions are collecting host information, collecting process information, preventing multiple instances from running, injecting specified shellcode and downloading files from the CnC server. The Trojan communicates with the CnC over HTTP, protects the traffic by RC4-encrypting the data and then Base64-encoding it, and obfuscates its key API references with two different methods at once.\r\n(1) Basic Function Analysis\r\na) Execution process\r\nThe AtlasAgent Trojan is a DLL written in C++. 
After the Trojan is loaded, it checks for a mutex named EnumSvc to prevent more than one instance from running.\r\nFigure 9 Create mutex to prevent opening of multi-programs\r\nAtlasAgent then decrypts the CnC domain name list and connects to the CnC, encrypts the collected system information and sends it to the controller as an online (check-in) package.\r\nFinally, AtlasAgent waits for instructions from the server and executes the function corresponding to each instruction.\r\nb) Main functions\r\nObtain system information\r\nThe Trojan collects system and computer information: the machine GUID, the local computer name, adapter and network card information, the local IP address, the operating system bitness, the version of the running operating system and its own process ID. It joins these fields with a “|” separator, encrypts the result as the online package and sends it to the server.\r\nFigure 10 Partial code for obtaining system information\r\nShellcode operation\r\nThe program receives instructions from the controller and runs shellcode supplied in the instruction data. The Trojan supports the following injection and execution modes:\r\n(a) Inject shellcode into a newly created thread in the specified process;\r\n(b) Inject shellcode into an existing thread in the specified process;\r\n(c) Execute shellcode in the Trojan’s own main thread;\r\n(d) Execute shellcode in a new thread within the Trojan’s own process.\r\nInjection into an existing thread of the specified process proceeds as follows: enumerate the threads of the process with the given process ID, obtain a thread handle with NtOpenThread, allocate memory for the code to be injected in the target process with NtAllocateVirtualMemory, write the injected code into that memory and change the page protection, and finally call NtResumeThread to resume the target thread.\r\nFigure 11 Inject shellcode into the specified process using kernel-layer functions\r\nThis method creates no new threads and is not easily detected by system security policies.\r\nFigure 12 Inject shellcode into the specified process\r\nIf the Trojan encounters an error during injection, it returns a different error code to the CnC depending on where the error occurred. 
It can be inferred that the Trojan’s injection component is still being adjusted and improved.\r\nc) API encryption\r\nBesides resolving Windows API addresses dynamically with GetProcAddress, the Trojan uses two hash-based dynamic API resolution methods to hinder sandbox and analyst analysis.\r\nMethod 1:\r\nThe Trojan loads the specified DLL with LoadLibrary and then finds the address of the wanted function by comparing the hash of each export name against a stored hash:\r\nFigure 13 Match Hash value and load DLL to get function address\r\nMethod 2:\r\nThe Trojan first walks the PEB module list to find ntdll.dll and resolves each exported function’s name, RVA and address.\r\nIt then loops over the first 500 exported functions of ntdll.dll and stores the hash of each function name together with its RVA, address and other information in an array of structures.\r\nFinally, the Trojan obtains the address and RVA of the wanted API by looking up its specific hash in that array, and then calls the API.\r\nAtlasCross referred to existing public code when designing this API resolution scheme, but modified the hash generation function in the Trojan, producing a brand-new set of hash values and reducing the risk of detection by signature or by public hash lookup.\r\nFigure 14 Function address resolving function in method 2\r\nd) Key string encryption method\r\nThe sensitive strings in the Trojan are encrypted by the author and stored in the program’s code segment. When execution reaches the point where a string is needed, the program calls a routine that decrypts it in place. 
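As an added example (not code from the report or from the malware), the following re-implements the two transformations the report describes for AtlasAgent: the single-byte XOR that protects its strings (this subsection) and the check-in encoding described in the Network Analysis subsection below, RC4 with the key from the IoC table followed by Base64 in which “+” is replaced by “~” and “/” by “_”, carried in an orderinfo= parameter. Assumptions: the RC4 key is used as-is as UTF-8, standard Base64 padding is kept (the report does not say whether the Trojan strips “=”), and the XOR key byte and all sample data below are constructed, not captured:

```python
# Added example (not NSFOCUS code): re-implements the string decryption and the
# check-in encoding the report describes for AtlasAgent, so that captured
# traffic can be decoded and carved strings recovered. Assumptions: RC4 key
# from the IoC table used as UTF-8, standard Base64 padding kept, sample data
# constructed for illustration.
import base64

RC4_KEY = '5haFDov20qfZnyAw4QrtSgAATN7uEkVF'.encode('utf-8')  # from the report IoCs
FIELD_SEP = '|'   # field separator of the online package, per the report


def xor_single(data, key_byte):
    '''Single-byte XOR used for AtlasAgent strings (CnC list etc.); symmetric.'''
    return bytes(b ^ key_byte for b in data)


def brute_xor_single(blob):
    '''Try all 256 single-byte keys on a carved string blob and return the
    (key, text) pairs that decode to printable ASCII, for analyst triage.'''
    hits = []
    for k in range(256):
        out = xor_single(blob, k)
        if all(0x20 <= b < 0x7F for b in out):
            hits.append((k, out.decode('ascii')))
    return hits


def rc4(key, data):
    '''Plain RC4 (KSA + PRGA); encryption and decryption are the same operation.'''
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def atlas_b64encode(data):
    '''Standard Base64, then the substitutions from the report: + -> ~ and / -> _.'''
    return base64.b64encode(data).decode('ascii').replace('+', '~').replace('/', '_')


def atlas_b64decode(text):
    '''Inverse of atlas_b64encode; tolerates stripped padding.'''
    std = text.replace('~', '+').replace('_', '/')
    std += '=' * (-len(std) % 4)
    return base64.b64decode(std)


def encode_online_package(fields):
    '''Build the check-in body: fields joined by |, RC4, modified Base64.'''
    plain = FIELD_SEP.join(fields).encode('utf-8')
    return 'orderinfo=' + atlas_b64encode(rc4(RC4_KEY, plain))


def decode_online_package(body):
    '''Decode a captured check-in body back into its fields.'''
    prefix = 'orderinfo='
    if not body.startswith(prefix):
        raise ValueError('not an AtlasAgent check-in body')
    plain = rc4(RC4_KEY, atlas_b64decode(body[len(prefix):]))
    return plain.decode('utf-8', errors='replace').split(FIELD_SEP)


# Constructed sample check-in mirroring the field layout shown in the report
SAMPLE_FIELDS = [
    'aQ0TGubLVS c29aceaa-1111-2222-8b67-6e6aa4497df7',   # token + machine GUID
    'WIN-ULABCDE9CJ',                                    # computer name
    'Intel(R) PRO/1000 MT Network Connection: 192.168.80.150;',
    'x86', '6.10', '1', '1.26', '1', '3980',
]
SAMPLE_BODY = encode_online_package(SAMPLE_FIELDS)
```

decode_online_package can be pointed at the orderinfo= body quoted in the Network Analysis subsection to recover the pipe-separated fields, and brute_xor_single at a carved string blob to recover the CnC list without locating the key byte first. For detection, a Base64-looking orderinfo= value that contains “~” or “_” but never “+” or “/” is a usable network signal, since that alphabet is specific to this encoder.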
The encryption and decryption logic is a single-byte XOR.\r\nFigure 15 Decrypt string function\r\n(2) Network Analysis\r\nAfter the program starts, it decrypts the encrypted data stored in the code segment with the Trojan’s own decryption routine.\r\nThe decrypted data is a list of CnC domain names. The Trojan takes the domain names from the list in order and tries each one until communication succeeds.\r\nFigure 16 Decrypt CnC list\r\nThe Trojan then collects the computer system information, encrypts it with RC4 and Base64-encodes the ciphertext.\r\nDuring Base64 encoding the Trojan substitutes two characters of the standard alphabet: “+” becomes “~” and “/” becomes “_”.\r\nThe Trojan then builds the check-in message and sends it to the CnC.\r\nFigure 17 Upload online package\r\nAn example of the online package as sent on the wire:\r\norderinfo=gr~pCy7a8DFMfx~gLCF7dOie07F85lvKTXxrzxXFF~IB_uK_h0zEN7IeQEo2FnT4ZQMxuwhwZAD3O9ae29uiGvZhI9CevVg_F~BcP4P4~_\r\nAn example of the raw (plaintext) data of an online package, with the meaning of a field given in parentheses where known:\r\naQ0TGubLVS c29aceaa-xxxx-xxx2-8b67-6e6aa4497df7 (GUID)|WIN-ULABCDE9CJ (computer name)|Intel(R) PRO/1000 MT Network Connection: 192.168.80.150; (adapter and IP address)|x86 (OS bitness)|6.10 (system version)|1 (privilege escalation success or failure)|1.26 (presumed Trojan version)|1|3980 (process ID)\r\n1.26 is a string hard-coded in the program and is presumed to be the Trojan’s version number.\r\nFinally, the Trojan receives the data returned by the CnC, decrypts it and performs the function specified by the command.\r\nFigure 18 Receive CnC message\r\n(3) CMD Command Function\r\nThe AtlasAgent Trojan supports the following CMD instructions. The malicious functions include file operations, process operations, shellcode injection and a reverse shell.\r\nTable 1 CMD instructions supported by AtlasAgent Trojan\r\nCMD instruction | Function\r\n0x0 | Obtain computer system information\r\n0x1 | Reverse shell\r\n0x2 | Obtain data from the CnC and store it in the specified file\r\n0x3 | Presumed to be a debugging field\r\n0x4 | Pause the program for a period of time using the Sleep function\r\n0x5 | Obtain process information\r\n0x6 | Inject shellcode into a new thread of the specified process\r\n0x7 | Not yet implemented\r\n0x8 | Run shellcode directly, or create a thread to run shellcode in the Trojan’s own process\r\n0x9 | No function; break out of the loop\r\n0xB | Inject shellcode or a command into an existing thread of the specified process\r\n0xC | Create a mutex\r\n0x63 | Exit the command loop\r\nVII. Conclusion\r\nThe new actor AtlasCross discovered by NSFOCUS Security Labs is a very cautious hacker group with strong process and tool development capabilities.\r\nOn the one hand, this actor actively absorbs various hacking techniques and integrates them into its own technology stack and tool development process; on the other hand, it has chosen the most conservative route in environment checks, execution strategy, network infrastructure selection and so on, reducing its exposure at the expense of efficiency. 
In addition, the residual debug code in AtlasCross’s self-developed Trojan shows that the actor is still refining its attack chain.\r\nThese characteristics reflect the high-level threat posed by this actor, who may go on to organize further cyberattacks against key targets after this one.\r\nNSFOCUS Security Labs will keep tracking subsequent attacks that AtlasCross may launch in the future.\r\nVIII. IoCs\r\nThreat IoC | Implication (file hashes are MD5)\r\n7195d7e4926a0a85fbe81e40ab7c0ca4 | Phishing document\r\nf8bafe2ce6f11a32109abbab1c42e2cf | DangerAds Trojan\r\nca48431273dfcd2bd025e55f2de30635 | AtlasAgent Trojan\r\nba85467ceff628be8b4f0e2da2a5990c | AtlasAgent Trojan\r\ndata.vectorse.com | Registration (victim check-in) address contacted by the phishing document\r\nactivequest.goautodial.com | AtlasAgent CnC\r\nops-ca.mioying.com | AtlasAgent CnC\r\napp.basekwt.com | AtlasAgent CnC\r\nsecure.poliigon.com | AtlasAgent CnC\r\nengage.adaptqe.com | AtlasAgent CnC\r\nchat.thedresscodeapp.com | AtlasAgent CnC\r\nsuperapi-staging.mlmprotec.com | AtlasAgent CnC\r\nsearch.allaccountingcareers.com | AtlasAgent CnC\r\norder.staging.photobookworldwide.com | AtlasAgent CnC\r\ncrm.cardabel.com | AtlasAgent CnC\r\npublic.pusulait.com | AtlasAgent CnC\r\n5haFDov20qfZnyAw4QrtSgAATN7uEkVF (UTF-8) | RC4 key\r\nC:\\Users\\invokeops\\Documents\\Code\\atlasagent\\x64\\Release\\AtlasDLL.pdb | PDB path\r\nSource: http://nsfocusglobal.com/warning-newly-discovered-apt-attacker-atlascross-exploits-red-cross-blood-drive-phishing-for-cyberattack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://nsfocusglobal.com/warning-newly-discovered-apt-attacker-atlascross-exploits-red-cross-blood-drive-phishing-for-cyberattack/"
	],
	"report_names": [
		"warning-newly-discovered-apt-attacker-atlascross-exploits-red-cross-blood-drive-phishing-for-cyberattack"
	],
	"threat_actors": [
		{
			"id": "6ef06641-1478-4225-93a5-4f2c3bc04f76",
			"created_at": "2023-10-12T02:00:07.12827Z",
			"updated_at": "2026-04-10T02:00:03.376016Z",
			"deleted_at": null,
			"main_name": "AtlasCross",
			"aliases": [],
			"source_name": "MISPGALAXY:AtlasCross",
			"tools": [
				"DangerAds",
				"AtlasAgent"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "886f8261-e6e3-49c2-a89b-f3a333e28dd5",
			"created_at": "2023-10-14T02:03:14.040846Z",
			"updated_at": "2026-04-10T02:00:04.566889Z",
			"deleted_at": null,
			"main_name": "AtlasCross",
			"aliases": [],
			"source_name": "ETDA:AtlasCross",
			"tools": [
				"AtlasAgent",
				"DangerAds"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434810,
	"ts_updated_at": 1775826725,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/63c62490178f8132edad7f598ca3ed960a38c0b6.pdf",
		"text": "https://archive.orkl.eu/63c62490178f8132edad7f598ca3ed960a38c0b6.txt",
		"img": "https://archive.orkl.eu/63c62490178f8132edad7f598ca3ed960a38c0b6.jpg"
	}
}