{ "id": "a8b1b3ca-a895-44a1-8ea3-be5ab8fe3787", "created_at": "2026-04-06T00:17:23.764726Z", "updated_at": "2026-04-10T03:37:32.551703Z", "deleted_at": null, "sha1_hash": "66605d02630dbb5c210fcd3cebecab6dadb33165", "title": "DarkHalo after SolarWinds: the Tomiris connection", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 420524, "plain_text": "DarkHalo after SolarWinds: the Tomiris connection\r\nBy Ivan Kwiatkowski\r\nPublished: 2021-09-29 · Archived: 2026-04-05 13:54:58 UTC\r\nBackground\r\nIn December 2020, news of the SolarWinds incident took the world by storm. While supply-chain attacks were\r\nalready a documented attack vector leveraged by a number of APT actors, this specific campaign stood out due to\r\nthe extreme carefulness of the attackers and the high-profile nature of their victims. It is believed that when\r\nFireEye discovered the first traces of the campaign, the threat actor (DarkHalo aka Nobelium) had already been\r\nworking on it for over a year. Evidence gathered so far indicates that DarkHalo spent six months inside OrionIT’s\r\nnetworks to perfect their attack and make sure that their tampering of the build chain wouldn’t cause any adverse\r\neffects.\r\nThe first malicious update was pushed to SolarWinds users in March 2020, and it contained a malware named\r\nSunburst. We can only assume that DarkHalo leveraged this access to collect intelligence until the day they were\r\ndiscovered. The following timeline sums up the different steps of the campaign:\r\nKaspersky’s GReAT team also investigated this supply-chain attack, and released two blog posts about it:\r\nIn December 2020, we analyzed the DNS-based protocol of the malicious implant and determined it leaked\r\nthe identity of the victims selected for further exploitation by DarkHalo.\r\nhttps://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/\r\nPage 1 of 6\n\nOne month later, we discovered interesting similarities between Sunburst and Kazuar, another malware\r\nfamily linked to Turla by Palo Alto.\r\nIn March 2021, FireEye and Microsoft released additional information about the second-stage malware used\r\nduring the campaign, Sunshuttle (aka GoldMax). Later in May 2021, Microsoft also attributed spear-phishing\r\ncampaign impersonating a US-based organization to Nobelium. But by then the trail had already gone cold:\r\nDarkHalo had long since ceased operations, and no subsequent attacks were ever linked to them.\r\nDNS hijacking\r\nLater this year, in June, our internal systems found traces of a successful DNS hijacking affecting several\r\ngovernment zones of a CIS member state. These incidents occurred during short periods in December 2020 and\r\nJanuary 2021 and allowed the malicious threat actor to redirect traffic from government mail servers to machines\r\nthey controlled.\r\nZone Period during which the authoritative servers were malicious Hijacked domains\r\nmfa.***\r\nDecember 22-23, 2020 and\r\nJanuary 13-14, 2021\r\nmail.mfa.***\r\nkk.mfa.***\r\ninvest.*** December 28, 2020 to January 13, 2021 mail.invest.***\r\nfiu.*** December 29, 2020 to January 14, 2021\r\nmx1.fiu.***\r\nmail.fiu.***\r\ninfocom.*** January 13-14, 2021 mail.infocom.***\r\nDuring these time frames, the authoritative DNS servers for the zones above were switched to attacker-controlled\r\nresolvers. These hijacks were for the most part relatively brief and appear to have primarily targeted the mail\r\nservers of the affected organizations. We do not know how the threat actor was able to achieve this, but we assume\r\nthey somehow obtained credentials to the control panel of the registrar used by the victims.\r\nWhile the malicious redirections were active, visitors were directed to webmail login pages that mimicked the\r\noriginal ones. Due to the fact that the attackers controlled the various domain names they were hijacking, they\r\nwere able to obtain legitimate SSL certificates from Let’s Encrypt for all these fake pages, making it very difficult\r\nfor non-educated visitors to notice the attack – after all, they were connecting to the usual URL and landed on a\r\nsecure page.\r\nhttps://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/\r\nPage 2 of 6\n\nMalicious webmail login page set up by the attackers\r\nIn all likelihood, any credentials typed in such webpages were harvested by the attackers and reused in subsequent\r\nstages of the attack. In some cases, they also added a message on the page to trick the user into installing a\r\nmalicious “security update”. In the screenshot above, the text reads: “to continue working with the email service,\r\nyou need to install a security update: download the update”.\r\nThe link leads to an executable file which is a downloader for a previously unknown malware family that we now\r\nknow as Tomiris.\r\nTomiris\r\nTomiris is a backdoor written in Go whose role is to continuously query its C2 server for executables to download\r\nand execute on the victim system. Before performing any operations, it sleeps for at least nine minutes in a\r\npossible attempt to defeat sandbox-based analysis systems. It establishes persistence with scheduled tasks by\r\ncreating and running a batch file containing the following command:\r\nSCHTASKS /CREATE /SC DAILY /TN StartDVL /TR \"[path to self]\" /ST 10:00\r\nhttps://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/\r\nPage 3 of 6\n\nThe C2 server address is not embedded directly inside Tomiris: instead, it connects to a signalization server that\r\nprovides the URL and port to which the backdoor should connect. Then Tomiris sends GET requests to that URL\r\nuntil the C2 server responds with a JSON object of the following structure:\r\n{\"filename\": \"[filename]\", \"args\": \"[arguments]\", \"file\": \"[base64-encoded executable]\"}\r\nThis object describes an executable that is dropped on the victim machine and run with the provided arguments.\r\nThis feature and the fact that Tomiris has no capability beyond downloading more tools indicates there are\r\nadditional pieces to this toolset, but unfortunately we have so far been unable to recover them.\r\nWe also identified a Tomiris variant (internally named “SBZ”, MD5 51AA89452A9E57F646AB64BE6217788E)\r\nwhich acts as a filestealer, and uploads any recent file matching a hardcoded set of extensions (.doc, .docx, .pdf,\r\n.rar, etc.) to the C2.\r\nFinally, some small clues found during this investigation indicate with low confidence that the authors of Tomiris\r\ncould be Russian-speaking.\r\nThe Tomiris connection\r\nWhile analyzing Tomiris, we noticed a number of similarities with the Sunshuttle malware discussed above:\r\nBoth malware families were developed in Go, with optional UPX packing.\r\nThe same separator (“|”) is used in the configuration file to separate elements.\r\nIn the two families, the same encryption/obfuscation scheme is used to encode configuration files and\r\ncommunicate with the C2 server.\r\nAccording to Microsoft’s report, Sunshuttle relied on scheduled tasks for persistence as well.\r\nBoth families comparably rely on randomness:\r\nSunshuttle randomizes its referrer and decoy URLs used to generate benign traffic. It also sleeps 5-\r\n10 seconds (by default) between each request.\r\nTomiris adds a random delay (0-2 seconds or 0-30 seconds depending on the context) to the base\r\ntime it sleeps at various times during the execution. It also contains a list of target folders to drop\r\ndownloaded executables, from which the program chooses at random.\r\nTomiris and Sunshuttle both gratuitously reseed the RNG with the output of Now() before each call.\r\nBoth malware families regularly sleep during their execution to avoid generating too much network\r\nactivity.\r\nThe general workflow of the two programs, in particular the way features are distributed into functions,\r\nfeel similar enough that this analyst feels they could be indicative of shared development practices. An\r\nexample of this is how the main loop of the program is transferred to a new goroutine when the preparation\r\nsteps are complete, while the main thread remains mostly inactive forever.\r\nEnglish mistakes were found in both the Tomiris (“isRunned”) and Sunshuttle (“EXECED” instead of\r\n“executed”) strings.\r\nhttps://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/\r\nPage 4 of 6\n\nNone of these items, taken individually, is enough to link Tomiris and Sunshuttle with sufficient confidence. We\r\nfreely admit that a number of these data points could be accidental, but still feel that taken together they at least\r\nsuggest the possibility of common authorship or shared development practices.\r\nA final piece of circumstantial evidence we would like to present is the discovery that other machines in a network\r\ninfected with Tomiris were infected with the Kazuar backdoor. Unfortunately, the available data doesn’t allow us\r\nto determine whether one of the malicious programs leads to the deployment of the other, or if they originate from\r\ntwo independent incidents.\r\nThe next diagram sums up the weak links we were able to uncover between the three malware families mentioned\r\nin this article:\r\nIn the end, a number of clues hint at links between Sunburst, Kazuar and Tomiris, but it feel like we’re still\r\nmissing one piece of evidence that would allow us to attribute them all to a single threat actor. We would like to\r\nconclude this segment by addressing the possibility of a false flag attack: it could be argued that due to the high-profile nature of Sunshuttle, other threat actors could have purposefully tried to reproduce its design in order to\r\nmislead analysts. The earliest Tomiris sample we are aware of appeared in February 2021, one month before\r\nSunshuttle was revealed to the world. While it is possible that other APTs were aware of the existence of this tool\r\nat this time, we feel it is unlikely they would try to imitate it before it was even disclosed. A much likelier (but yet\r\nunconfirmed) hypothesis is that Sunshuttle’s authors started developing Tomiris around December 2020 when the\r\nSolarWinds operation was discovered, as a replacement for their burned toolset.\r\nConclusions\r\nIf our guess that Tomiris and Sunshuttle are connected is correct, it would shed new light on the way threat actors\r\nrebuild capacities after being caught. We would like to encourage the threat intelligence community to reproduce\r\nthis research, and provide second opinions about the similarities we discovered between Sunshuttle and Tomiris.\r\nIn order to bootstrap efforts, Kaspersky is pleased to announce a free update to our Targeted Malware Reverse\r\nhttps://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/\r\nPage 5 of 6\n\nEngineering class, featuring a whole new track dedicated to reverse engineering Go malware and using Sunshuttle\r\nas an example. The first two parts are also available on YouTube:\r\nhttps://youtu.be/_cL-OwU9pFQ\r\nhttps://youtu.be/YRqTrq11ebg\r\nFor more information about Tomiris, subscribe to our private reporting services: intelreports@kaspersky.com\r\nIndicators of compromise\r\nTomiris Downloader\r\n109106feea31a3a6f534c7d923f2d9f7\r\n7f8593f741e29a2a2a61e947694445f438b33380\r\n8900cf88a91fa4fbe871385c8747c7097537f1b5f4a003418d84c01dc383dd75\r\nfd59dd7bb54210a99c1ed677bbfc03a8\r\n292c3602eb0213c9a0123fdaae522830de3fad95\r\nc9db4f661a86286ad47ad92dfb544b702dca8ffe1641e276b42bec4cde7ba9b4\r\nTomiris\r\n6b567779bbc95b9e151c6a6132606dfe\r\na0de69ab52dc997ff19a18b7a6827e2beeac63bc\r\n80721e6b2d6168cf17b41d2f1ab0f1e6e3bf4db585754109f3b7ff9931ae9e5b\r\nTomiris staging server\r\n51.195.68[.]217\r\nTomiris signalization server\r\nupdate.softhouse[.]store\r\nTomiris C2\r\n185.193.127[.]92\r\n185.193.126[.]172\r\nTomiris build path\r\nC:/Projects/go/src/Tomiris/main.go\r\nSource: https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/\r\nhttps://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/\r\nPage 6 of 6", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia", "MITRE", "ETDA" ], "references": [ "https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/" ], "report_names": [ "104311" ], "threat_actors": [ { "id": "8aaa5515-92dd-448d-bb20-3a253f4f8854", "created_at": "2024-06-19T02:03:08.147099Z", "updated_at": "2026-04-10T02:00:03.685355Z", "deleted_at": null, "main_name": "IRON HUNTER", "aliases": [ "ATK13 ", "Belugasturgeon ", "Blue Python ", "CTG-8875 ", "ITG12 ", "KRYPTON ", "MAKERSMARK ", "Pensive Ursa ", "Secret Blizzard ", "Turla", "UAC-0003 ", "UAC-0024 ", "UNC4210 ", "Venomous Bear ", "Waterbug " ], "source_name": "Secureworks:IRON HUNTER", "tools": [ "Carbon-DLL", "ComRAT", "LightNeuron", "Mosquito", "PyFlash", "Skipper", "Snake", "Tavdig" ], "source_id": "Secureworks", "reports": null }, { "id": "493c47f7-b265-4b10-95de-d86af942c543", "created_at": "2023-04-27T02:04:45.385041Z", "updated_at": "2026-04-10T02:00:04.939878Z", "deleted_at": null, "main_name": "Tomiris", "aliases": [], "source_name": "ETDA:Tomiris", "tools": [ "JLOGRAB", "JLORAT", "Kapushka", "KopiLuwak", "Meterpreter", "QUIETCANARY", "RATel", "RocketMan", "Roopy", "Telemiris", "Tomiris", "Topinambour", "Tunnus", "Warzone", "Warzone RAT" ], "source_id": "ETDA", "reports": null }, { "id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba", "created_at": "2022-10-25T16:07:24.36191Z", "updated_at": "2026-04-10T02:00:04.954902Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "Dark Halo", "Nobelium", "SolarStorm", "StellarParticle", "UNC2452" ], "source_name": "ETDA:UNC2452", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89", "created_at": "2022-10-25T15:50:23.739197Z", "updated_at": "2026-04-10T02:00:05.275809Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "UNC2452", "NOBELIUM", "StellarParticle", "Dark Halo" ], "source_name": "MITRE:UNC2452", "tools": [ "Sibot", "Mimikatz", "Cobalt Strike", "AdFind", "GoldMax" ], "source_id": "MITRE", "reports": null }, { "id": "a241a1ca-2bc9-450b-a07b-aae747ee2710", "created_at": "2024-06-19T02:03:08.150052Z", "updated_at": "2026-04-10T02:00:03.737173Z", "deleted_at": null, "main_name": "IRON RITUAL", "aliases": [ "APT29", "Blue Dev 5 ", "BlueBravo ", "Cloaked Ursa ", "CozyLarch ", "Dark Halo ", "Midnight Blizzard ", "NOBELIUM ", "StellarParticle ", "UNC2452 " ], "source_name": "Secureworks:IRON RITUAL", "tools": [ "Brute Ratel C4", "Cobalt Strike", "EnvyScout", "GoldFinder", "GoldMax", "NativeZone", "RAINDROP", "SUNBURST", "Sibot", "TEARDROP", "VaporRage" ], "source_id": "Secureworks", "reports": null }, { "id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac", "created_at": "2022-10-25T16:07:24.349252Z", "updated_at": "2026-04-10T02:00:04.949821Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "ATK 13", "Belugasturgeon", "Blue Python", "CTG-8875", "G0010", "Group 88", "ITG12", "Iron Hunter", "Krypton", "Makersmark", "Operation Epic Turla", "Operation Moonlight Maze", "Operation Penguin Turla", "Operation Satellite Turla", "Operation Skipper Turla", "Operation Turla Mosquito", "Operation WITCHCOVEN", "Pacifier APT", "Pensive Ursa", "Popeye", "SIG15", "SIG2", "SIG23", "Secret Blizzard", "TAG-0530", "Turla", "UNC4210", "Venomous Bear", "Waterbug" ], "source_name": "ETDA:Turla", "tools": [ "ASPXSpy", "ASPXTool", "ATI-Agent", "AdobeARM", "Agent.BTZ", "Agent.DNE", "ApolloShadow", "BigBoss", "COMpfun", "Chinch", "Cloud Duke", "CloudDuke", "CloudLook", "Cobra Carbon System", "ComRAT", "DoublePulsar", "EmPyre", "EmpireProject", "Epic Turla", "EternalBlue", "EternalRomance", "GoldenSky", "Group Policy Results Tool", "HTML5 Encoding", "HyperStack", "IcedCoffee", "IronNetInjector", "KSL0T", "Kapushka", "Kazuar", "KopiLuwak", "Kotel", "LOLBAS", "LOLBins", "LightNeuron", "Living off the Land", "Maintools.js", "Metasploit", "Meterpreter", "MiamiBeach", "Mimikatz", "MiniDionis", "Minit", "NBTscan", "NETTRANS", "NETVulture", "Neptun", "NetFlash", "NewPass", "Outlook Backdoor", "Penquin Turla", "Pfinet", "PowerShell Empire", "PowerShellRunner", "PowerShellRunner-based RPC backdoor", "PowerStallion", "PsExec", "PyFlash", "QUIETCANARY", "Reductor RAT", "RocketMan", "SMBTouch", "SScan", "Satellite Turla", "SilentMoon", "Sun rootkit", "TTNG", "TadjMakhal", "Tavdig", "TinyTurla", "TinyTurla Next Generation", "TinyTurla-NG", "Topinambour", "Tunnus", "Turla", "Turla SilentMoon", "TurlaChopper", "Uroburos", "Urouros", "WCE", "WITCHCOVEN", "WhiteAtlas", "WhiteBear", "Windows Credential Editor", "Windows Credentials Editor", "Wipbot", "WorldCupSec", "XTRANS", "certutil", "certutil.exe", "gpresult", "nbtscan", "nbtstat", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb", "created_at": "2023-01-06T13:46:38.393409Z", "updated_at": "2026-04-10T02:00:02.955738Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "Cloaked Ursa", "TA421", "Blue Kitsune", "BlueBravo", "IRON HEMLOCK", "G0016", "Nobelium", "Group 100", "YTTRIUM", "Grizzly Steppe", "ATK7", "ITG11", "COZY BEAR", "The Dukes", "Minidionis", "UAC-0029", "SeaDuke" ], "source_name": "MISPGALAXY:APT29", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "a97fee0d-af4b-4661-ae17-858925438fc4", "created_at": "2023-01-06T13:46:38.396415Z", "updated_at": "2026-04-10T02:00:02.957137Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "TAG_0530", "Pacifier APT", "Blue Python", "UNC4210", "UAC-0003", "VENOMOUS Bear", "Waterbug", "Pfinet", "KRYPTON", "Popeye", "SIG23", "ATK13", "ITG12", "Group 88", "Uroburos", "Hippo Team", "IRON HUNTER", "MAKERSMARK", "Secret Blizzard", "UAC-0144", "UAC-0024", "G0010" ], "source_name": "MISPGALAXY:Turla", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3", "created_at": "2022-10-25T15:50:23.509601Z", "updated_at": "2026-04-10T02:00:05.277674Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "Turla", "IRON HUNTER", "Group 88", "Waterbug", "WhiteBear", "Krypton", "Venomous Bear", "Secret Blizzard", "BELUGASTURGEON" ], "source_name": "MITRE:Turla", "tools": [ "PsExec", "nbtstat", "ComRAT", "netstat", "certutil", "KOPILUWAK", "IronNetInjector", "LunarWeb", "Arp", "Uroburos", "PowerStallion", "Kazuar", "Systeminfo", "LightNeuron", "Mimikatz", "Tasklist", "LunarMail", "HyperStack", "NBTscan", "TinyTurla", "Penquin", "LunarLoader" ], "source_id": "MITRE", "reports": null }, { "id": "70872c3a-e788-4b55-a7d6-b2df52001ad0", "created_at": "2023-01-06T13:46:39.18401Z", "updated_at": "2026-04-10T02:00:03.239111Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "DarkHalo", "StellarParticle", "NOBELIUM", "Solar Phoenix", "Midnight Blizzard" ], "source_name": "MISPGALAXY:UNC2452", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a", "created_at": "2022-10-25T15:50:23.548494Z", "updated_at": "2026-04-10T02:00:05.292748Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "APT29", "IRON RITUAL", "IRON HEMLOCK", "NobleBaron", "Dark Halo", "NOBELIUM", "UNC2452", "YTTRIUM", "The Dukes", "Cozy Bear", "CozyDuke", "SolarStorm", "Blue Kitsune", "UNC3524", "Midnight Blizzard" ], "source_name": "MITRE:APT29", "tools": [ "PinchDuke", "ROADTools", "WellMail", "CozyCar", "Mimikatz", "Tasklist", "OnionDuke", "FatDuke", "POSHSPY", "EnvyScout", "SoreFang", "GeminiDuke", "reGeorg", "GoldMax", "FoggyWeb", "SDelete", "PolyglotDuke", "AADInternals", "MiniDuke", "SeaDuke", "Sibot", "RegDuke", "CloudDuke", "GoldFinder", "AdFind", "PsExec", "NativeZone", "Systeminfo", "ipconfig", "Impacket", "Cobalt Strike", "PowerDuke", "QUIETEXIT", "HAMMERTOSS", "BoomBox", "CosmicDuke", "WellMess", "VaporRage", "LiteDuke" ], "source_id": "MITRE", "reports": null }, { "id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270", "created_at": "2022-10-25T16:07:23.341684Z", "updated_at": "2026-04-10T02:00:04.549917Z", "deleted_at": null, "main_name": "APT 29", "aliases": [ "APT 29", "ATK 7", "Blue Dev 5", "BlueBravo", "Cloaked Ursa", "CloudLook", "Cozy Bear", "Dark Halo", "Earth Koshchei", "G0016", "Grizzly Steppe", "Group 100", "ITG11", "Iron Hemlock", "Iron Ritual", "Midnight Blizzard", "Minidionis", "Nobelium", "NobleBaron", "Operation Ghost", "Operation Office monkeys", "Operation StellarParticle", "SilverFish", "Solar Phoenix", "SolarStorm", "StellarParticle", "TEMP.Monkeys", "The Dukes", "UNC2452", "UNC3524", "Yttrium" ], "source_name": "ETDA:APT 29", "tools": [ "7-Zip", "ATI-Agent", "AdFind", "Agentemis", "AtNow", "BEATDROP", "BotgenStudios", "CEELOADER", "Cloud Duke", "CloudDuke", "CloudLook", "Cobalt Strike", "CobaltStrike", "CosmicDuke", "Cozer", "CozyBear", "CozyCar", "CozyDuke", "Danfuan", "EnvyScout", "EuroAPT", "FatDuke", "FoggyWeb", "GeminiDuke", "Geppei", "GoldFinder", "GoldMax", "GraphDrop", "GraphicalNeutrino", "GraphicalProton", "HAMMERTOSS", "HammerDuke", "LOLBAS", "LOLBins", "LiteDuke", "Living off the Land", "MagicWeb", "Mimikatz", "MiniDionis", "MiniDuke", "NemesisGemina", "NetDuke", "OnionDuke", "POSHSPY", "PinchDuke", "PolyglotDuke", "PowerDuke", "QUIETEXIT", "ROOTSAW", "RegDuke", "Rubeus", "SNOWYAMBER", "SPICYBEAT", "SUNSHUTTLE", "SeaDaddy", "SeaDask", "SeaDesk", "SeaDuke", "Sharp-SMBExec", "SharpView", "Sibot", "Solorigate", "SoreFang", "TinyBaron", "WINELOADER", "WellMail", "WellMess", "cobeacon", "elf.wellmess", "reGeorg", "tDiscoverer" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434643, "ts_updated_at": 1775792252, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/66605d02630dbb5c210fcd3cebecab6dadb33165.pdf", "text": "https://archive.orkl.eu/66605d02630dbb5c210fcd3cebecab6dadb33165.txt", "img": "https://archive.orkl.eu/66605d02630dbb5c210fcd3cebecab6dadb33165.jpg" } }