{
	"id": "5983c836-095b-488d-8318-3d7149df9b86",
	"created_at": "2026-04-06T00:14:36.758274Z",
	"updated_at": "2026-04-10T03:38:20.238492Z",
	"deleted_at": null,
	"sha1_hash": "64f7251cf4166c72fd95bee0cbaef4a1a4b7d5bb",
	"title": "APT trends report Q1 2020",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63443,
	"plain_text": "APT trends report Q1 2020\r\nBy GReAT\r\nPublished: 2020-04-30 · Archived: 2026-04-02 10:44:28 UTC\r\nFor more than two years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing\r\nquarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat\r\nintelligence research and provide a representative snapshot of what we have published and discussed in greater\r\ndetail in our private APT reports. They are designed to highlight the significant events and findings that we feel\r\npeople should be aware of.\r\nThis is our latest installment, focusing on activities that we observed during Q1 2020.\r\nReaders who would like to learn more about our intelligence reports or request more information on a specific\r\nreport are encouraged to contact ‘intelreports@kaspersky.com’.\r\nGiven the exceptional situation the world is living in because of the COVID-19 pandemic, we must\r\nstart with a summary of how APT groups have been abusing this topic for different types of attacks.\r\nCOVID-19 APT activity\r\nSince the World Health Organization (WHO) declared COVID-19 a pandemic, this topic has received\r\nincreased attention from different attackers. Many of the phishing scams we’ve seen have been launched by\r\ncybercriminals trying to cash in on people’s fears about the virus. However, the list of attackers also includes APT\r\nthreat actors such as Kimsuky, APT27, Lazarus or ViciousPanda who, according to OSINT, have used COVID-19-\r\nthemed lures to target their victims. We recently discovered a suspicious infrastructure that could have been used\r\nto target health and humanitarian organizations, including the WHO. Even though the infrastructure cannot be\r\nattributed to any particular actor at the moment, and was registered before the COVID-19 crisis in June 2019,\r\naccording to some private sources it might be related to the DarkHotel actor. 
However, we cannot confirm this\r\ninformation at the moment. Interestingly, some groups have used the current situation to try to soften their\r\nreputation by declaring that they would not target health organizations during the crisis.\r\nThere are different publications reporting activity related to other APT actors using this lure, but in general, we do\r\nnot believe this implies a meaningful change in terms of TTPs other than using a trendy topic for luring victims.\r\nWe are closely monitoring the situation.\r\nIn January 2020, we discovered a watering-hole utilizing a full remote iOS exploit chain. This site appears to have\r\nbeen designed to target users in Hong Kong, based on the content of the landing page. While the exploits currently\r\nbeing used are known, the actor responsible is actively modifying the exploit kit to target more iOS versions and\r\ndevices. We observed the latest modifications on February 7. The project is broader than we initially thought,\r\nsupporting an Android implant, and probably supporting implants for Windows, Linux, and macOS. For the time\r\nbeing, we are calling this APT group TwoSail Junk. We believe this is a Chinese-speaking group; it maintains\r\ninfrastructure mostly within Hong Kong, along with a couple of hosts located in Singapore and Shanghai. TwoSail\r\nhttps://securelist.com/apt-trends-report-q1-2020/96826/\r\nPage 1 of 6\n\nJunk directs visitors to its exploit site by posting links within the threads of forum discussions, or creating new\r\ntopic threads of their own. To date, dozens of visits were recorded from within Hong Kong, with a couple\r\nfrom Macau. The technical details around the functionality of the iOS implant, called LightSpy, and related\r\ninfrastructure, reveal a low-to-mid capable actor. 
However, the iOS implant is a modular and exhaustively\r\nfunctional iOS surveillance framework.\r\nRussian-speaking activity\r\nIn January, a couple of recently compiled SPLM/XAgent modules were detected in an Eastern European telecoms\r\ncompany. The initial point of entry is unknown, as is their lateral movement within this organization. It has\r\nbecome rare to identify SPLM infections, compared to past levels of Sofacy activity, so it seems that portions of\r\nthis network may have been infected for some time. In addition to these SPLM modules, Sofacy also deployed\r\n.NET XTUNNEL variants and their loaders. These 20KB XTUNNEL samples themselves seem minimal in\r\ncomparison to past XTUNNEL samples, which weighed in at 1-2MB. This shift to C# by the long-standing Sofacy\r\nXTunnel codebase reminds us of Zebrocy’s practice of re-coding and innovating long-used modules in multiple\r\nlanguages.\r\nGamaredon, a well-known APT group that has been active since at least 2013, has traditionally focused on\r\nUkrainian entities. In recent months we have observed a campaign, made up of different waves, that has also been\r\nreported by multiple researchers on different social networks. The attackers sent malicious documents with remote\r\ntemplate injection, resulting in a multi-level infection scheme to deploy a malicious loader that periodically\r\ncontacts a remote C2 to download additional samples. Based on past research, we know that the Gamaredon’s\r\ntoolkit includes many different malware artefacts, developed to achieve different goals. These include scanning\r\ndrives for specific system files, capturing screenshots, executing remote commands, downloading additional files\r\nand managing the remote machine with programs such as UltraVNC. In this case, we observed an interesting new\r\nsecond stage payload that includes spreading capabilities, that we call “Aversome infector”. 
This malware seems\r\nto have been developed to maintain a strong persistence in the target network and to move laterally by infecting\r\nMicrosoft Word and Excel documents on external drives.\r\nChinese-speaking activity\r\nCactusPete is a Chinese-speaking cyber-espionage group active since at least 2012 characterized by medium-level\r\ntechnical capabilities. Historically, this threat actor has targeted organizations within a limited range of countries –\r\nSouth Korea, Japan, the US and Taiwan. At the end of 2019 the group seemed to shift towards a heavier focus on\r\nMongolian and Russian organizations. CactusPete offensive activity against the Russian defense industry and\r\nMongolian government appears to be mostly delineated from its Russian-Mongolian commercial and border\r\nrelationships. However, one bait exploit document dropping its Flapjack backdoor (tmplogon.exe, primarily\r\nfocused on new Russian targets) is authored in Mongolian. The group’s broadening of techniques, exploit re-purposing, targeting shift and possible expansion suggests changes in the group’s resources and operations.\r\nRancor is a group that has been publicly reported since 2018, with connections to DragonOK. This actor\r\ntraditionally had a focus on Southeast Asian targets, namely Cambodia, Vietnam and Singapore. We noted several\r\nupdates to the group’s activity in the last few months, namely the discovery of a new variant of the Dudell\r\nmalware that we are calling ExDudell, a new tool for bypassing UAC (User Account Control), and new\r\ninfrastructure utilized in the attacks. 
Apart from this, we have also identified that the initial lure documents that\r\nwere previously sent via mail, are now found in the Telegram Desktop directory, suggesting the group is possibly\r\nmaking a shift in its initial delivery method.\r\nIn 2019, we detected activity by an unknown actor at the time deploying watering holes on websites representing\r\nTibetan interests, fooling victims into installing fake Adobe Flash updates hosted on a GitHub repository.\r\nKaspersky thwarted the attack by coordinating a takedown of this repository with GitHub. After a brief period of\r\ninactivity, we detected a new round of watering holes featuring a renewed toolset. We decided to call the group\r\nbehind this activity Holy Water.\r\nThe threat actor’s unsophisticated but creative toolset has been evolving a lot since the inception date, may still be\r\nin development, and leverages Sojson obfuscation, NSIS installer, Python, open-source code, GitHub distribution,\r\nGo language, as well as Google Drive-based C2 channels.\r\nMiddle East\r\nWe recently detected a new, ongoing data exfiltration campaign targeting victims in Turkey that started in\r\nFebruary 2020. While StrongPity’s TTPs in terms of targeting, infrastructure and infection vector haven’t\r\nchanged, we observed a somewhat peculiar change in the documents they attempt to exfiltrate. In this campaign,\r\nStrongPity updated its latest signature backdoor, named StrongPity2, and added more files to exfiltrate to its list of\r\ncommon Office and PDF documents, including Dagesh Pro Word Processor files used for Hebrew dotting,\r\nRiverCAD files used for river flow and bridge modelling, plain-text files, archives as well as GPG encrypted files\r\nand PGP keys.\r\nIn March, we discovered a targeted campaign to distribute Milum, a Trojan designed to gain remote control of\r\ndevices in target organizations, some of which operate in the industrial sector. 
The first signs of this operation,\r\nwhich we have dubbed WildPressure, can be traced back to August 2019; still, the campaign remains active. The\r\nMilum samples we have seen so far do not share any code similarities with any known APT campaigns. The\r\nmalware provides attackers with remote control over infected devices, allows downloading and executing\r\ncommands, collecting and exfiltrating information and installing upgrades in the malware.\r\nIn late December 2019, Kaspersky Threat Attribution Engine detected a new variant of the Zerocleare wiper that\r\nhad possibly been used in targeted attacks on energy sector targets in Saudi Arabia. This quarter, we identified a\r\nnew variant of this wiper, called Dustman. It is similar to Zerocleare in terms of wiping and distribution, but\r\nchanges in variables and technical names suggest this might have been in readiness for a new wave of attacks\r\nspecifically targeting Saudi Arabia’s energy sector, based on messages embedded in the malware and the mutex\r\ncreated by it. The PDB file of the Dustman wiper suggested that this destructive code was the release edition and\r\nwas ready for deployment in a target network. These changes coincided with the New Year holidays, during which\r\nmany employees take time off to celebrate. Shamoon was delivered with similar timing in 2012 during Ramadan\r\ncelebrations.\r\nSoutheast Asia and Korean Peninsula\r\nA Lazarus campaign outlined by the Italian security company Telsy in November 2019 allowed us to find a\r\nconnection to previous activity from the group targeting cryptocurrency businesses. The malware mentioned on\r\nTelsy’s blog is a first stage downloader that has been observed since mid-2018. We found that the second stage\r\nmalware is a variant of Manuscrypt, uniquely attributed to Lazarus, deploying two types of payloads. 
The first is a\r\nmanipulated Ultra VNC program, and the second is a multi-stage backdoor. This type of multi-stage infection\r\nprocedure is typical of the Lazarus group’s malware, especially when using the Manuscrypt variant. In this\r\ncampaign, our telemetry indicates that the Lazarus group attacked cryptocurrency businesses in Cyprus, the US,\r\nTaiwan and Hong Kong, and the campaign extended until the beginning of 2020.\r\nKimsuky, an actor we have been tracking since 2013, was especially active during 2019. In December, Microsoft\r\ntook down 50 domains used by the group and filed a lawsuit against the attackers in a Virginia court. However, the\r\ngroup has continued its activity without significant changes. We recently discovered a new campaign where the\r\nactor used a decoy image themed around New Year’s greetings that delivers its old downloader with a new\r\nevolved next-stage payload designed to steal information that uses a new encryption method.\r\nAt the end of January, we stumbled upon a malicious script exploiting an Internet Explorer vulnerability, CVE-2019-1367. After closely examining the payload and finding connections with previous activity, we concluded that\r\nDarkHotel was behind this campaign, probably in progress since 2018. The campaign saw DarkHotel utilize a\r\nmulti-stage binary infection phase using home-brewed malware. The initial infection creates a downloader which\r\nfetches another downloader to collect system information and fetch the final backdoor only for high-value victims.\r\nDarkHotel used a unique combination of TTPs in this campaign. The threat actor used diverse infrastructure to\r\nhost malware and to control infected victims, including a compromised web server, a commercial hosting service,\r\na free hosting service and a free source code tracking system. 
We were able to confirm targeted companies in\r\nSouth Korea and Japan in this campaign.\r\nIn March, researchers from Google revealed that a group of hackers used five zero-days to target North Koreans\r\nand North Korean-focused professionals in 2019. The group exploited flaws in Internet Explorer, Chrome, and\r\nWindows with phishing emails that carried malicious attachments or links to malicious sites, as well as watering-hole attacks. We were able to match two of the vulnerabilities – one in IE and one in Windows – to DarkHotel.\r\nFunnyDream is a campaign that started in mid-2018, targeting high-profile entities in Malaysia, Taiwan and the\r\nPhilippines, with the majority of victims in Vietnam. Our analysis revealed that it’s part of a wider campaign that\r\nstretches back a few years and targets governments, and specifically foreign organizations, of countries in\r\nSoutheast Asia. The attacker’s backdoor downloads and uploads files from/to a C2, executes commands and runs\r\nnew processes in the victim. It also collects information about other hosts on the network and is delivered to new\r\nhosts through remote execution utilities. The attacker also used an RTL backdoor and Chinoxy backdoor. The C2\r\ninfrastructure has been active since mid-2018 and domains show an overlap with the FFRAT malware family. In a\r\nnumber of cases, indications suggest the backdoor was delivered via a previous long-term compromise. The\r\ncampaign is still active.\r\nOperation AppleJeus was one of the more notable campaigns of Lazarus, and the first time the actor targeted\r\nmacOS targets. Our January follow-up research revealed significant changes to the group’s attack methodology:\r\nhomemade macOS malware and an authentication mechanism to carefully deliver the next-stage payload, as well\r\nas loading the next-stage payload without touching the disk. 
To attack Windows victims, the group has elaborated\r\na multi-stage infection procedure and significantly changed the final payload. We believe that Lazarus has been\r\nmore careful in its attacks since the release of Operation AppleJeus and has employed a number of methods to\r\navoid detection. We identified several victims in the UK, Poland, Russia and China. Moreover, we were able to\r\nconfirm that several of the victims are linked to cryptocurrency organizations.\r\nRoaming Mantis is a financially motivated actor first reported in 2017, when it used SMS to distribute its malware\r\nto Android devices based in South Korea. Since then, the scope of the group’s activities has widened considerably,\r\nsupporting 27 languages, targeting iOS as well as Android, and even mining cryptocurrency. The actor also added\r\nnew malware families, including Fakecop and Wroba.j to its arsenal, and is still active using ‘SMiShing’ for\r\nAndroid malware distribution. In a recent campaign it distributed malicious APKs masquerading as popular\r\ncouriers and customized for the targeted countries, including Japan, Taiwan, South Korea and Russia.\r\nOther interesting discoveries\r\nTransparentTribe started using a new module named USBWorm at the beginning of 2019, as well as improving its\r\ncustom .NET tool named CrimsonRAT. Based on our telemetry, USBWorm was used to infect thousands of\r\nvictims, most of them located in Afghanistan and India, providing the attacker with the ability to download and\r\nexecute arbitrary files, spread to removable devices and steal files of interest from infected hosts even those\r\ndisconnected from the internet. As we previously reported, this group mainly focuses on military targets, which\r\nare usually compromised with Office documents armed with malicious VBA and open-source malware like Peppy\r\nRAT and CrimsonRAT. 
In its new campaign, which is still active, we noticed the group’s focus shift more towards\r\ntargeting entities located in Afghanistan in addition to India. Transparent Tribe has also developed a new implant\r\ndesigned to infect Android devices, a modified version of the AhMyth Android RAT which is open source\r\nmalware available on GitHub.\r\nDuring the last months of 2019, we observed an ongoing campaign conducted by Fishing Elephant. The group\r\ncontinues to use both Heroku and Dropbox in order to deliver its tool of choice, AresRAT. We discovered that the\r\nactor incorporated a new technique into its operations that is meant to hinder manual and automatic analysis –\r\ngeo-fencing and hiding executables within certificate files. During our research, we also detected a change in\r\nvictimology that may reflect the current interests of the threat actor: the group is targeting government and\r\ndiplomatic entities in Turkey, Pakistan, Bangladesh, Ukraine and China.\r\nFinal thoughts\r\nWhile the threat landscape isn’t always full of “groundbreaking” events, when we cast our eyes back over the\r\nactivities of APT threat actors, there are always interesting developments.  Our regular quarterly reviews are\r\nintended to highlight the key developments.\r\nThese are some of the main trends that we’ve seen this year so far.\r\nIt’s clear from the activities of various APT groups, including CactusPete, LightSpy, Rancor, Holy Water,\r\nTwoSail Junk and others that geo-politics continues to be an important driver of APT activity. 
This was\r\nalso underlined this quarter by the UK National Cyber Security Centre laying responsibility for disruptive\r\nattacks on Georgia at the feet of Russia’s military intelligence service, indictments in the US of two\r\nChinese nationals for laundering $100 million in cryptocurrency on behalf of North Korea and the alleged\r\n‘catfishing’ of IDF soldiers by Hamas.\r\nFinancial gain remains a motive for some threat actors, as evidenced by the activities of Lazarus and\r\nRoaming Mantis.\r\nSoutheast Asia is the most active region in terms of APT activities, including established actors such as\r\nLazarus, DarkHotel and Kimsuky, and newer groups such as Cloud Snooper and Fishing Elephant.\r\nAPT threat actors such as CactusPete, TwoSail Junk, FunnyDream, DarkHotel continue to exploit software\r\nvulnerabilities.\r\nAPT threat actors continue to include mobile implants in their arsenal.\r\nAPT threat actors such as (but not limited to) Kimsuky, Hades and DarkHotel, as well as opportunistic\r\ncriminals, are exploiting the COVID-19 pandemic.\r\nAll in all, we see the continuous growth of activity in Asia and how some of the actors we called newcomers are\r\nnow well established. On the other hand, the more traditional advanced actors seem to be more and more selective\r\nin their operations, probably following a change of paradigm. The use of mobile platforms for infections and the\r\ndistribution of malware is on the rise. Every actor seems to have some artefacts for these platforms and in some\r\ncampaigns they are the main target.\r\nCOVID-19 is clearly top of everyone’s minds at the moment and APT threat actors have also been seeking to\r\nexploit this topic in spear-phishing campaigns. We do not believe this represents a meaningful change in terms of\r\nTTPs: they’re simply using it as a newsworthy topic to lure their victims. 
However, we are closely monitoring the\r\nsituation.\r\nAs always, we would note that our reports are the product of our visibility into the threat landscape. However, it\r\nshould be borne in mind that, while we strive to continually improve, there is always the possibility that other\r\nsophisticated attacks may fly under our radar.\r\nSource: https://securelist.com/apt-trends-report-q1-2020/96826/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/apt-trends-report-q1-2020/96826/"
	],
	"report_names": [
		"96826"
	],
	"threat_actors": [
		{
			"id": "1dadf04e-d725-426f-9f6c-08c5be7da159",
			"created_at": "2022-10-25T15:50:23.624538Z",
			"updated_at": "2026-04-10T02:00:05.286895Z",
			"deleted_at": null,
			"main_name": "Darkhotel",
			"aliases": [
				"Darkhotel",
				"DUBNIUM",
				"Zigzag Hail"
			],
			"source_name": "MITRE:Darkhotel",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ee5490f7-ac43-4908-85c4-a5f6fa5a1c51",
			"created_at": "2022-10-25T16:07:23.642491Z",
			"updated_at": "2026-04-10T02:00:04.69794Z",
			"deleted_at": null,
			"main_name": "Fishing Elephant",
			"aliases": [],
			"source_name": "ETDA:Fishing Elephant",
			"tools": [
				"AresRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67fbc7d7-ba8e-4258-b53c-9a5d755e1960",
			"created_at": "2022-10-25T16:07:24.077859Z",
			"updated_at": "2026-04-10T02:00:04.860725Z",
			"deleted_at": null,
			"main_name": "Promethium",
			"aliases": [
				"APT-C-41",
				"G0056",
				"Magenta Dust",
				"Promethium",
				"StrongPity"
			],
			"source_name": "ETDA:Promethium",
			"tools": [
				"StrongPity",
				"StrongPity2",
				"StrongPity3",
				"Truvasys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5ffe400c-6025-44c2-9aa1-7c34a7a192b0",
			"created_at": "2023-01-06T13:46:38.469688Z",
			"updated_at": "2026-04-10T02:00:02.987949Z",
			"deleted_at": null,
			"main_name": "DragonOK",
			"aliases": [
				"Moafee",
				"BRONZE OVERBROOK",
				"G0017",
				"G0002",
				"Shallow Taurus"
			],
			"source_name": "MISPGALAXY:DragonOK",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cbede712-4cc3-47c6-bf78-92fd9f1beac6",
			"created_at": "2022-10-25T15:50:23.777222Z",
			"updated_at": "2026-04-10T02:00:05.399303Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"PROMETHIUM",
				"StrongPity"
			],
			"source_name": "MITRE:PROMETHIUM",
			"tools": [
				"Truvasys",
				"StrongPity"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7ebda3c6-1789-4d84-97cf-47fb18a0cb28",
			"created_at": "2022-10-25T15:50:23.78829Z",
			"updated_at": "2026-04-10T02:00:05.415039Z",
			"deleted_at": null,
			"main_name": "DragonOK",
			"aliases": [
				"DragonOK"
			],
			"source_name": "MITRE:DragonOK",
			"tools": [
				"PoisonIvy",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b98eb1ec-dc8b-4aea-b112-9e485408dd14",
			"created_at": "2022-10-25T16:07:23.649308Z",
			"updated_at": "2026-04-10T02:00:04.701157Z",
			"deleted_at": null,
			"main_name": "FunnyDream",
			"aliases": [
				"Bronze Edgewood",
				"Red Hariasa",
				"TAG-16"
			],
			"source_name": "ETDA:FunnyDream",
			"tools": [
				"Chinoxy",
				"Filepak",
				"FilepakMonitor",
				"FunnyDream",
				"Keyrecord",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Md_client",
				"PCShare",
				"ScreenCap",
				"TcpBridge",
				"Tcp_transfer",
				"ccf32"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "58db0213-4872-41fe-8a76-a7014d816c73",
			"created_at": "2023-01-06T13:46:38.61757Z",
			"updated_at": "2026-04-10T02:00:03.040816Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"G0131",
				"PLA Unit 65017",
				"Earth Akhlut",
				"TAG-74",
				"CactusPete",
				"KARMA PANDA",
				"BRONZE HUNTLEY",
				"Red Beifang"
			],
			"source_name": "MISPGALAXY:Tonto Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3ef437d-e8fa-4250-9a99-89a403035ad2",
			"created_at": "2022-10-25T16:07:24.406019Z",
			"updated_at": "2026-04-10T02:00:04.977275Z",
			"deleted_at": null,
			"main_name": "WildPressure",
			"aliases": [
				"WilePressure"
			],
			"source_name": "ETDA:WildPressure",
			"tools": [
				"Milum"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "da483338-e479-4d74-a6dd-1fb09343fd07",
			"created_at": "2022-10-25T15:50:23.698197Z",
			"updated_at": "2026-04-10T02:00:05.355597Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Tonto Team",
				"Earth Akhlut",
				"BRONZE HUNTLEY",
				"CactusPete",
				"Karma Panda"
			],
			"source_name": "MITRE:Tonto Team",
			"tools": [
				"Mimikatz",
				"Bisonal",
				"ShadowPad",
				"LaZagne",
				"NBTscan",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e8aee970-e31e-489f-81c2-c23cd52e255c",
			"created_at": "2023-01-06T13:46:38.763687Z",
			"updated_at": "2026-04-10T02:00:03.092181Z",
			"deleted_at": null,
			"main_name": "RANCOR",
			"aliases": [
				"Rancor Group",
				"G0075",
				"Rancor Taurus",
				"Rancor group",
				"Rancor"
			],
			"source_name": "MISPGALAXY:RANCOR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b13c19d6-247d-47ba-86ba-15a94accc179",
			"created_at": "2024-05-01T02:03:08.149923Z",
			"updated_at": "2026-04-10T02:00:03.763147Z",
			"deleted_at": null,
			"main_name": "TUNGSTEN BRIDGE",
			"aliases": [
				"APT-C-06 ",
				"ATK52 ",
				"CTG-1948 ",
				"DUBNIUM ",
				"DarkHotel ",
				"Fallout Team ",
				"Shadow Crane ",
				"Zigzag Hail "
			],
			"source_name": "Secureworks:TUNGSTEN BRIDGE",
			"tools": [
				"Nemim",
				"Tapaoux"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c94cb0e9-6fa9-47e9-a286-c9c9c9b23f4a",
			"created_at": "2023-01-06T13:46:38.823793Z",
			"updated_at": "2026-04-10T02:00:03.113045Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group"
			],
			"source_name": "MISPGALAXY:Roaming Mantis",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6d11e45c-4e31-4997-88f5-295b2564cfc6",
			"created_at": "2022-10-25T15:50:23.794721Z",
			"updated_at": "2026-04-10T02:00:05.358892Z",
			"deleted_at": null,
			"main_name": "Rancor",
			"aliases": [
				"Rancor"
			],
			"source_name": "MITRE:Rancor",
			"tools": [
				"DDKONG",
				"PLAINTEE",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "84f7f3ff-feef-4966-963b-523c828773d2",
			"created_at": "2024-02-06T02:00:04.131601Z",
			"updated_at": "2026-04-10T02:00:03.575609Z",
			"deleted_at": null,
			"main_name": "Fishing Elephant",
			"aliases": [
				"Outrider Tiger"
			],
			"source_name": "MISPGALAXY:Fishing Elephant",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2b4eec94-7672-4bee-acb2-b857d0d26d12",
			"created_at": "2023-01-06T13:46:38.272109Z",
			"updated_at": "2026-04-10T02:00:02.906089Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"T-APT-02",
				"Nemim",
				"Nemin",
				"Shadow Crane",
				"G0012",
				"DUBNIUM",
				"Karba",
				"APT-C-06",
				"SIG25",
				"TUNGSTEN BRIDGE",
				"Zigzag Hail",
				"Fallout Team",
				"Luder",
				"Tapaoux",
				"ATK52"
			],
			"source_name": "MISPGALAXY:DarkHotel",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17d16126-35d7-4c59-88a5-0b48e755e80f",
			"created_at": "2025-08-07T02:03:24.622109Z",
			"updated_at": "2026-04-10T02:00:03.726126Z",
			"deleted_at": null,
			"main_name": "BRONZE HUNTLEY",
			"aliases": [
				"CactusPete ",
				"Earth Akhlut ",
				"Karma Panda ",
				"Red Beifang",
				"Tonto Team"
			],
			"source_name": "Secureworks:BRONZE HUNTLEY",
			"tools": [
				"Bisonal",
				"RatN",
				"Royal Road",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4660477f-333f-4a18-b49b-0b4d7c66d482",
			"created_at": "2023-01-06T13:46:38.511962Z",
			"updated_at": "2026-04-10T02:00:03.007466Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"StrongPity",
				"G0056"
			],
			"source_name": "MISPGALAXY:PROMETHIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a",
			"created_at": "2022-10-25T16:07:24.332084Z",
			"updated_at": "2026-04-10T02:00:04.940672Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Bronze Huntley",
				"CactusPete",
				"Earth Akhlut",
				"G0131",
				"HartBeat",
				"Karma Panda",
				"LoneRanger",
				"Operation Bitter Biscuit",
				"TAG-74",
				"Tonto Team"
			],
			"source_name": "ETDA:Tonto Team",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Bioazih",
				"Bisonal",
				"CONIME",
				"Dexbia",
				"Korlia",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "593dd07d-853c-46cd-8117-e24061034bbf",
			"created_at": "2025-08-07T02:03:24.648074Z",
			"updated_at": "2026-04-10T02:00:03.625859Z",
			"deleted_at": null,
			"main_name": "BRONZE OVERBROOK",
			"aliases": [
				"Danti ",
				"DragonOK ",
				"Samurai Panda ",
				"Shallow Taurus ",
				"Temp.DragonOK "
			],
			"source_name": "Secureworks:BRONZE OVERBROOK",
			"tools": [
				"Aveo",
				"DDKONG",
				"Godzilla Webshell",
				"HelloBridge",
				"IsSpace",
				"NFLog Trojan",
				"PLAINTEE",
				"PlugX",
				"Rambo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3703894e-cf68-4c1e-a71a-e8fd2ef76747",
			"created_at": "2023-11-08T02:00:07.166789Z",
			"updated_at": "2026-04-10T02:00:03.432192Z",
			"deleted_at": null,
			"main_name": "TwoSail Junk",
			"aliases": [
				"Operation Poisoned News"
			],
			"source_name": "MISPGALAXY:TwoSail Junk",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "340d1673-0678-4e1f-8b75-30da2f65cc80",
			"created_at": "2022-10-25T16:07:23.552036Z",
			"updated_at": "2026-04-10T02:00:04.653109Z",
			"deleted_at": null,
			"main_name": "DragonOK",
			"aliases": [
				"Bronze Overbrook",
				"G0017",
				"Shallow Taurus"
			],
			"source_name": "ETDA:DragonOK",
			"tools": [
				"Agent.dhwf",
				"CT",
				"Chymine",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Gen:Trojan.Heur.PT",
				"HTran",
				"HUC Packet Transmit Tool",
				"HelloBridge",
				"IsSpace",
				"KHRAT",
				"Kaba",
				"Korplug",
				"Mongall",
				"NFlog",
				"NewCT",
				"NfLog RAT",
				"PlugX",
				"Poison Ivy",
				"Rambo",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"SysGet",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TidePool",
				"Xamtrav",
				"brebsd",
				"ffrat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "741d58a1-0fc0-41a8-9681-106a06c07e61",
			"created_at": "2022-10-25T16:07:23.983046Z",
			"updated_at": "2026-04-10T02:00:04.822372Z",
			"deleted_at": null,
			"main_name": "Operation Poisoned News",
			"aliases": [
				"Operation Poisoned News",
				"TwoSail Junk"
			],
			"source_name": "ETDA:Operation Poisoned News",
			"tools": [
				"dmsSpy",
				"lightSpy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9bc28d0-ce98-4991-84ae-5036e5f9d4e3",
			"created_at": "2022-10-25T16:07:24.546437Z",
			"updated_at": "2026-04-10T02:00:05.029564Z",
			"deleted_at": null,
			"main_name": "Roaming Mantis",
			"aliases": [
				"Roaming Mantis Group",
				"Shaoye"
			],
			"source_name": "ETDA:Roaming Mantis",
			"tools": [
				"MoqHao",
				"Roaming Mantis",
				"SmsSpy",
				"Wroba",
				"XLoader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3c652e4b-2f17-4e18-bd05-af12c27e76fb",
			"created_at": "2023-11-30T02:00:07.302263Z",
			"updated_at": "2026-04-10T02:00:03.485667Z",
			"deleted_at": null,
			"main_name": "WildPressure",
			"aliases": [],
			"source_name": "MISPGALAXY:WildPressure",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "416f8374-2b06-47e4-ba91-929b3f85d9bf",
			"created_at": "2022-10-25T16:07:24.093951Z",
			"updated_at": "2026-04-10T02:00:04.864244Z",
			"deleted_at": null,
			"main_name": "Rancor",
			"aliases": [
				"G0075",
				"Rancor Group",
				"Rancor Taurus"
			],
			"source_name": "ETDA:Rancor",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DDKONG",
				"Derusbi",
				"Dudell",
				"ExDudell",
				"KHRAT",
				"PLAINTEE",
				"RoyalRoad",
				"certutil",
				"certutil.exe",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434476,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/64f7251cf4166c72fd95bee0cbaef4a1a4b7d5bb.pdf",
		"text": "https://archive.orkl.eu/64f7251cf4166c72fd95bee0cbaef4a1a4b7d5bb.txt",
		"img": "https://archive.orkl.eu/64f7251cf4166c72fd95bee0cbaef4a1a4b7d5bb.jpg"
	}
}