{
	"id": "fb0f609e-3a3f-4192-af69-e8a620e8f112",
	"created_at": "2026-04-06T00:14:09.904226Z",
	"updated_at": "2026-04-10T03:33:16.718867Z",
	"deleted_at": null,
	"sha1_hash": "64f8f92df7af946ff4ef6a99de9624f1581f1ca6",
	"title": "Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 10384237,
	"plain_text": "Hancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool\r\nBy Brad Duncan\r\nPublished: 2021-04-01 · Archived: 2026-04-05 15:43:24 UTC\r\nExecutive Summary\r\nHancitor is an information stealer and malware downloader used by a threat actor designated as MAN1,\r\nMoskalvzapoe or TA511. In a threat brief from 2018, we noted Hancitor was relatively unsophisticated, but it\r\nwould remain a threat for years to come. Approximately three years later, Hancitor remains a threat and has\r\nevolved to use tools like Cobalt Strike. In recent months, this actor began using a network ping tool to help\r\nenumerate the Active Directory (AD) environment of infected hosts. This blog illustrates how the threat actor\r\nbehind Hancitor uses the network ping tool, so security professionals can better identify and block its use.\r\nAs early as October 2020, Hancitor began utilizing Cobalt Strike and some of these infections utilized a network\r\nping tool to enumerate the infected host’s internal network. Normal ping activity is low to nonexistent within a\r\nLocal Area Network (LAN), but this ping tool generates approximately 1.5 GB of Internet Control Message\r\nProtocol (ICMP) traffic as it pings more than 17 million IP addresses of internal, non-routable IPv4 address space.\r\nTo understand how this ping tool is used, we must first understand the chain of events for current Hancitor\r\nactivity. This blog reviews examples of recent Hancitor infections within AD environments. 
This blog also\r\ncontains relatively new indicators noted from this threat actor as of February 2021, and it provides five examples\r\nof the associated network ping tool seen in December 2020 and January 2021.\r\nPalo Alto Networks Next-Generation Firewall customers are protected from this threat with a Threat Prevention\r\nsecurity subscription.\r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise described in this\r\nreport, with our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy\r\nprotections to their customers and to systematically disrupt malicious cyber actors.\r\nChain of Events for Recent Hancitor Infections\r\nSince Nov. 5, 2020, the actor pushing Hancitor has displayed consistent patterns of infection activity. See Figure 1\r\nfor a flow chart showing the chain of events.\r\nhttps://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/\r\nPage 1 of 15\n\nFigure 1. Hancitor chain of events.\r\nThe chain of events for recent Hancitor infections is:\r\nEmail with link to a malicious page hosted on Google Drive.\r\nLink from a Google Drive page to a URL that returns a malicious Word document.\r\nEnable macros (per instructions in Word document text).\r\nHancitor DLL is dropped and run using rundll32.exe.\r\nHancitor generates command and control (C2) traffic.\r\nHancitor C2 most often leads to Ficker Stealer malware.\r\nHancitor C2 leads to Cobalt Strike activity in AD environments.\r\nHancitor-related Cobalt Strike activity can send other files, such as a network ping tool or malware based\r\non the NetSupport Manager Remote Access Tool (RAT).\r\nIn rare cases, we have also seen a Hancitor infection follow-up with Send-Safe spambot malware that\r\nturned an infected host into a spambot pushing more Hancitor-based malspam.\r\nAfter a three-month absence, Hancitor activity resumed on Oct. 20, 2020. By Nov. 
5, 2020, this campaign settled\r\ninto the infection chain of events shown above.\r\nFirst Stage: Distributing Malicious Word Documents\r\nHancitor has historically sent emails spoofing different types of organizations that send notices, faxes or invoices.\r\nEmails spoofing DocuSign have been reported as early as October 2017, but the group behind Hancitor began more\r\nfrequent use of DocuSign templates starting in October 2019. Currently, most waves of emails pushing Hancitor\r\nhave used a DocuSign theme, and the average wave of Hancitor malspam looks like this one reported on Jan. 12,\r\n2021.\r\nDocuSign-spoofed emails are not new, nor are they limited to Hancitor. DocuSign is well aware of this activity.\r\nThe company provides guidance on this issue and a channel to report malicious messages spoofing their brand.\r\nThese DocuSign-themed messages have links to malicious Google Drive pages established through fraudulent or\r\npossibly compromised Google accounts. Cloud-based collaborative services such as Microsoft’s OneDrive and\r\nGoogle Drive are frequently abused by threat actors to distribute malware.\r\nGoogle Drive links from emails pushing Hancitor start with https://docs.google.com/document/d/e/2PACX- and\r\nend with /pub. This URL pattern has also been noted pushing other families of malware.\r\nTo get a better idea of these URLs, examples from a wave of Hancitor emails on Feb. 8, 2021, are shown\r\nbelow in Table 1. 
Google was notified of these links, and they have been taken offline.\r\nhxxps://docs.google[.]com/document/d/e/2PACX-1vTetOTfCnHAXiwwNOrfJjR8lPTgu3dVzKEVWld1-HNkRCpwTqpqD4PnGuTjRjI_kxIxR8_azAcQS1US/pub\r\nhxxps://docs.google[.]com/document/d/e/2PACX-1vQeUQCdriz9ZT5dR7Byyfi4r-Y6FsHucjRbzvYLtWNmDGKfcqKyp9l4-EAFFYXHxbAWrAR-CI25e8cZ/pub\r\nhxxps://docs.google[.]com/document/d/e/2PACX-1vSPBGA3_D8dfupT021GG4VGB9a06Nm3viKAia4F2XWrjT7mhPyB0L1rKruj7DsB86Z38-EaxidoXIr8/pub\r\nhxxps://docs.google[.]com/document/d/e/2PACX-1vShVIbeSUL9R_h5qZXdp_2SBm-uFVKFJcwpC4_0T2r436SQr7IPyy2cB6kHqiLC6TNsQQQiwUS_kmdY/pub\r\nhxxps://docs.google[.]com/document/d/e/2PACX-1vQc8XwAxOetaoxILZsGLJgCCF2I39s_vgDHTpTDy4v9Nmh8nlZNhbCjqa8u01xY2ckettVxUsrjlSLf/pub\r\nhxxps://docs.google[.]com/document/d/e/2PACX-1vTC5fAO7oEHK0vOKF93EqsLSkV0kiR4ppTG1tqAPXb4sXjYzYhVBOwlG-9F-6kxbhNeC8C9lRs5YsQD/pub\r\nhxxps://docs.google[.]com/document/d/e/2PACX-1vTxPV1p44-UfCkOfGWWMP3RZk-5LCvmqlOW78f1oiU4TOLOibyGjHUKkWNDLjCnMae4-0vBNwMZ8oKv/pub\r\nTable 1. Seven examples of malicious Google Drive links from DocuSign-themed emails pushing Hancitor on Feb. 8, 2021.\r\nA recent example from an email is shown below in Figure 2.\r\nFigure 2. Example of a fake DocuSign email pushing Hancitor from Feb. 2, 2021.\r\nOf note, any Google Drive URL that starts with https://docs.google.com/document/d/e/2PACX- and ends with\r\n/pub is not inherently malicious. However, they are definitely suspicious when found in unsolicited emails.\r\nThese Google Drive URLs display a web page with a link to download a Word document. Figure 3 shows an\r\nexample of these malicious pages using Google Drive.\r\nFigure 3. Google Drive link from fake DocuSign email on Feb. 
2, 2021, shown in a web browser.\r\nThese pages link to malicious URLs using Google with various parameters, including the actual destination URL.\r\nIn Figure 3 above, a link from a Google Drive page, obtained from a fake DocuSign email on Feb. 2, 2021, starts\r\ninnocently enough with https://www.google.com/. However, after clicking the link, the web browser loads\r\nhxxp://ajlbulicidate[.]pt/squriming.php which is actually a malicious URL. Figure 4 shows the page from\r\najlbulicidate[.]pt as it is initially loaded.\r\nFigure 4. Web browser immediately after clicking link from the Google Drive page.\r\nThe page from ajlbulicidate[.]pt contained a script with base64 text to create a malicious Word document. This\r\nscript causes a browser to offer the malicious Word document for download, then it redirects to a DocuSign page\r\nas shown in Figures 5 and 6.\r\nFigure 5. Base64 text representing malicious Word document in script from web page hosted at\r\najlbulicidate[.]pt.\r\nFigure 6. Script offers to save malicious Word document, then redirects to a DocuSign URL.\r\nThe page at hxxp://ajlbulicidate[.]pt/squriming.php briefly appears before offering the Word document for\r\ndownload and redirecting to a DocuSign URL. Potential victims might only notice the DocuSign page and Word\r\ndocument. See Figure 7 for an example. This technique could lead potential victims to believe the Word document\r\nis a legitimate file sent by DocuSign.\r\nFigure 7. Web browser a few seconds after clicking link in malicious Google Drive page from\r\nFigure 3.\r\nWord documents originating from these DocuSign-themed messages use the template shown below in Figure 8.\r\nFigure 8. 
Malicious Word document with macro for Hancitor based on DocuSign-themed malspam.\r\nDocuSign is not the only theme and template used to push Hancitor. For example, on Feb. 9, 2021, malspam using\r\na different email and document template pushed Hancitor malware. Except for the different templates, the\r\ninfection process remained the same.\r\nAppendix A lists 127 samples of SHA256 hashes for Word documents with macros for Hancitor from Nov. 5,\r\n2020, through Feb. 25, 2021.\r\nSecond Stage: Hancitor Infects Victim\r\nWhen macros are enabled for these malicious Word documents, the macro code drops and runs a malicious DLL\r\nfile for Hancitor. The DLL file is contained within the macro code. In January and February 2021, these Hancitor\r\nDLLs were saved to one of two locations, as shown in Table 2.\r\nC:\\Users\\[username]\\AppData\\Roaming\\Microsoft\\Templates\\W0rd.dll\r\nC:\\Users\\[username]\\AppData\\Roaming\\Microsoft\\Templates\\Static.dll\r\nC:\\Users\\[username]\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\W0rd.dll\r\nTable 2. Location of Hancitor DLL files.\r\nFigure 9 shows one of the Hancitor DLL files from an infected host on Feb. 2, 2021.\r\nFigure 9. Hancitor DLL from an infected Windows host on Feb. 2, 2021.\r\nThese Hancitor DLL files are run with rundll32.exe. An example from Feb. 2, 2021, revealed by Process Hacker,\r\nis shown below in Figure 10.\r\nFigure 10. Process for Hancitor DLL shown in Process Hacker.\r\nNetwork traffic caused by Hancitor starts with an IP address check by the infected Windows host. This IP address\r\ncheck goes to a legitimate service at api.ipify.org. The IP check is immediately followed by C2 traffic, as shown in\r\na Wireshark column display below in Figure 11.\r\nFigure 11. 
Wireshark column display showing IP address check and Hancitor C2 URLs.\r\nFrom November 2020 through February 2021, Hancitor C2 traffic consisted of HTTP POST requests ending with\r\n/8/forum.php. Posted data includes the public IP address of the infected Windows host, the host name and user\r\naccount name. Posted data also includes the version of Windows and domain information if the infected host is\r\npart of an AD environment. Finally, posted data also contains a Globally Unique Identifier (GUID) for the infected\r\nhost and a build number for the Hancitor malware sample. See Figure 12 below for an example of recent Hancitor\r\nC2 traffic.\r\nFigure 12. TCP stream from an example of Hancitor C2 traffic.\r\nAppendix B lists 63 SHA256 hashes for samples of Hancitor DLL files from Nov. 5, 2020, through Feb. 25, 2021.\r\nThird Stage: Hancitor Retrieves Follow-Up Malware\r\nAfter Hancitor establishes C2 traffic, it retrieves follow-up malware. Each day, follow-up malware items for\r\nHancitor are hosted on the same domain. For example, on Feb. 2, 2021, follow-up malware for Hancitor was\r\nhosted at bobcatofredding[.]com. 
Table 3 shows a few recent examples of URLs for follow-up malware by\r\nHancitor.\r\nDate URL Follow-Up Malware\r\n2021-01-19 hxxp://alumaicelodges[.]com/1901.bin Cobalt Strike\r\n2021-01-19 hxxp://alumaicelodges[.]com/1901s.bin Cobalt Strike\r\n2021-01-19 hxxp://alumaicelodges[.]com/fls.exe Ficker Stealer\r\n2021-01-20 hxxp://ferguslawn[.]com/2001.bin Cobalt Strike\r\n2021-01-20 hxxp://ferguslawn[.]com/2001s.bin Cobalt Strike\r\n2021-01-20 hxxp://ferguslawn[.]com/6fokjewkj.exe Ficker Stealer\r\n2021-01-27 hxxp://onlybamboofabrics[.]com/2701.bin Cobalt Strike\r\n2021-01-27 hxxp://onlybamboofabrics[.]com/27012.bin Cobalt Strike\r\n2021-01-27 hxxp://onlybamboofabrics[.]com/6gdwwv.exe Ficker Stealer\r\n2021-02-02 hxxp://bobcatofredding[.]com/0102.bin Cobalt Strike\r\n2021-02-02 hxxp://bobcatofredding[.]com/0102s.bin Cobalt Strike\r\n2021-02-02 hxxp://bobcatofredding[.]com/6lavfdk.exe Ficker Stealer\r\n2021-02-10 hxxp://backupez[.]com/0902.bin Cobalt Strike\r\n2021-02-10 hxxp://backupez[.]com/0902s.bin Cobalt Strike\r\n2021-02-10 hxxp://backupez[.]com/6yudfgh.exe Ficker Stealer\r\n2021-02-10 hxxp://backupez[.]com/47.exe Send-Safe spambot malware\r\nTable 3. Examples of URLs for follow-up malware seen from recent Hancitor infections.\r\nHancitor will only send Cobalt Strike when it infects a host in an AD environment. It will not send Cobalt Strike if\r\nthe computer is a standalone host like a home computer. Hancitor generally sends Ficker Stealer for any host it\r\ninfects.\r\nPost-infection traffic is the easiest way to identify follow-up malware from a Hancitor infection. Ficker Stealer\r\ncauses different traffic than Cobalt Strike. Figure 13 shows traffic from an infection on Feb. 2, 2021, and it\r\nhighlights items related to Ficker Stealer.\r\nFigure 13. 
Traffic from a Hancitor infection, highlighting items related to Ficker Stealer.\r\nAppendix D contains information on the Ficker Stealer malware samples associated with Hancitor from October\r\n2020 through March 2021.\r\nFigure 14 below shows the same traffic, but it highlights items related to Cobalt Strike.\r\nFigure 14. Same traffic from a Hancitor infection, highlighting items related to Cobalt Strike.\r\nFicker Stealer and Cobalt Strike do not leave any artifacts saved to disk on an infected host. Ficker Stealer is a\r\n\"smash and grab\" style of malware designed to exfiltrate data, and it does not remain on an infected host. Cobalt\r\nStrike is resident in system memory, and it did not survive a reboot in our test environment.\r\nFinal Stage: Cobalt Strike Sends Malware\r\nCobalt Strike is used by the threat actor behind Hancitor to send follow-up malware. A Hancitor infection on Feb.\r\n2, 2021, revealed NetSupport Manager RAT was sent after Cobalt Strike activity started.\r\nAnother file that appeared on Hancitor-infected hosts after Cobalt Strike started was a Windows EXE file for a\r\nnetwork ping tool.\r\nThis EXE file started appearing as early as Dec. 15, 2020, and we noted various file hashes through at least Jan.\r\n25, 2021. The network ping tool was always saved to the same directory as the Hancitor Word document.\r\nFigure 15 shows an example of the tool seen on Jan. 13, 2021, after a Hancitor Word document was saved to the\r\ninfected user’s Documents folder.\r\nFigure 15. An example of the network ping tool from a Hancitor infection with Cobalt Strike on Jan.\r\n13, 2021.\r\nAs seen in Figure 15, the EXE file was named xx.exe. A week later on Jan. 20, a new sample of the same tool was\r\nnamed netpingall.exe, as shown in Figure 16.\r\nFigure 16. 
An example of the network ping tool from a Hancitor infection with Cobalt Strike on Jan.\r\n20, 2021.\r\nTimestamps from the Jan. 20, 2021, infection show the following:\r\n0120_203089882.doc – Word doc with macros for Hancitor – 16:27 UTC\r\nnetpingall.exe – Network ping tool seen after Cobalt Strike – 17:19 UTC\r\nresult.txt – Results of the network ping tool scan – 18:18 UTC\r\nAn EXE for the network ping tool appeared approximately 52 minutes after the Word document for Hancitor was\r\nsaved to disk. Approximately 59 minutes after the network ping tool appeared, the results of the scan were saved\r\nto a text file named result.txt.\r\nThis ping tool is designed to find any other active hosts within an AD environment. The tool generates\r\napproximately 1.5 GB of ICMP ping traffic over the network as it pings more than 17 million IP addresses of\r\ninternal, non-routable IPv4 address space.\r\nNormally, ping traffic to internal, non-routable IPv4 addresses is almost nonexistent in an AD environment. Ping\r\ntraffic within internal IP address space should be limited to the LAN. For example, a LAN environment for\r\n172.16.1.0/24 consists of 254 internal IP addresses that a host might ping within this network. We would not\r\nnormally see ping traffic to other non-routable IPv4 space outside of those 254 IP addresses.\r\nWe tested samples of this ping tool in various sizes of LAN environments, and it consistently generates 1.5 GB of\r\nICMP ping traffic to more than 17 million non-routable IPv4 addresses.\r\nThis is exceedingly noisy traffic. Furthermore, Hancitor has demonstrated a noticeable lack of stealth in deploying\r\nand using this ping tool. 
Such an unusual EXE file is easy to notice, especially when the results of its scan are\r\nsaved as a text file in the same directory.\r\nFor Hancitor infections involving this ping tool, the associated files were never deleted after saving the results to\r\nresult.txt, so any forensic investigation would quickly find this tool. The 1.5 GB of ICMP traffic should be very\r\nnoticeable.\r\nThe ping tool generates ICMP ping traffic, first hitting all IP addresses in the 192.168.0.0/16 block, then it does\r\nthe 172.16.0.0/12 block, and it finishes with the 10.0.0.0/8 block.\r\nFigure 17. An example of the start of ICMP traffic from one of the network ping tool samples.\r\nSince Jan. 25, 2021, we have not discovered any new ping tool samples from Hancitor infections with Cobalt\r\nStrike. Why can we no longer find it? Perhaps the threat actor behind Hancitor realized how suspicious this\r\nactivity is and stopped using it.\r\nAppendix C lists information for five samples of the network ping tool discovered from Hancitor infections with\r\nCobalt Strike that appeared in December 2020 and January 2021.\r\nConclusion\r\nPost-infection activity from Hancitor malware has settled into noticeable patterns. These patterns include the use\r\nof Cobalt Strike for a Hancitor infection within an AD environment. In some cases, follow-up malware sent\r\nthrough Cobalt Strike may include a network ping tool that generates an abnormally large amount of ICMP traffic\r\nas it pings over 17 million internal IPv4 addresses.\r\nOrganizations with decent spam filtering, proper system administration and up-to-date Windows hosts have a\r\nmuch lower risk of infection from Hancitor and its post-infection activity. 
Palo Alto Networks Next-Generation\r\nFirewall customers are further protected from this threat with a Threat Prevention security subscription.\r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise described in this\r\nreport, with our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy\r\nprotections to their customers and to systematically disrupt malicious cyber actors. For more information on the\r\nCyber Threat Alliance, visit www.cyberthreatalliance.org.\r\nIndicators of Compromise\r\nAppendix A\r\nSHA256 hashes for 127 samples of Word documents with macros for Hancitor from Nov. 5, 2020, through Feb.\r\n25, 2021. Information is available in this GitHub repository.\r\nAppendix B\r\nSHA256 hashes for 63 examples of Hancitor DLL files from Nov. 5, 2020, through Feb. 25, 2021. Information is\r\navailable in this GitHub repository.\r\nAppendix C\r\nInformation for five samples of the network ping tool seen from Hancitor infections using Cobalt Strike from\r\nDecember 2020 through January 2021. Information is available in this GitHub repository.\r\nAppendix D\r\nInformation for three samples of Ficker Stealer malware associated with Hancitor infections from October 2020\r\nthrough March 2021. Information is available in this GitHub repository.\r\nAppendix E\r\nInformation for a sample of Send-Safe spambot malware associated with a Hancitor infection from February 2021.\r\nInformation is available in this GitHub repository.\r\nSource: https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/"
	],
	"report_names": [
		"hancitor-infections-cobalt-strike"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1f6ae238-765f-4495-9d54-6a7883d7a319",
			"created_at": "2022-10-25T16:07:24.573456Z",
			"updated_at": "2026-04-10T02:00:05.037738Z",
			"deleted_at": null,
			"main_name": "TA511",
			"aliases": [
				"MAN1",
				"Moskalvzapoe"
			],
			"source_name": "ETDA:TA511",
			"tools": [
				"Agentemis",
				"Chanitor",
				"Cobalt Strike",
				"CobaltStrike",
				"Ficker Stealer",
				"Hancitor",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "542cf9d0-9c68-428c-aff8-81b6f59dc985",
			"created_at": "2023-02-15T02:01:49.554105Z",
			"updated_at": "2026-04-10T02:00:03.347115Z",
			"deleted_at": null,
			"main_name": "Moskalvzapoe",
			"aliases": [
				"MAN1",
				"TA511"
			],
			"source_name": "MISPGALAXY:Moskalvzapoe",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434449,
	"ts_updated_at": 1775791996,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/64f8f92df7af946ff4ef6a99de9624f1581f1ca6.pdf",
		"text": "https://archive.orkl.eu/64f8f92df7af946ff4ef6a99de9624f1581f1ca6.txt",
		"img": "https://archive.orkl.eu/64f8f92df7af946ff4ef6a99de9624f1581f1ca6.jpg"
	}
}