{ "id": "a6a9117d-0bc5-4231-87bf-592d2effce85", "created_at": "2026-04-06T00:11:21.852398Z", "updated_at": "2026-04-10T03:37:23.917815Z", "deleted_at": null, "sha1_hash": "68e3f16574629728a13c5f2bfd255bbdd2bd26ef", "title": "tweets/2020-09-07-Dridex-IOCs.txt at master · pan-unit42/tweets", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 79420, "plain_text": "tweets/2020-09-07-Dridex-IOCs.txt at master · pan-unit42/tweets\r\nBy brad-duncan\r\nArchived: 2026-04-05 17:11:17 UTC\r\nThis repository was archived by the owner on Oct 13, 2025. It is now read-only.\r\nNotifications\r\nFork 21\r\nStar 130\r\nCode\r\nIssues\r\nPull requests 2\r\nActions\r\nProjects\r\nSecurity and quality\r\nInsights\r\nFiles\r\n2020-08-20-Emotet-infection-with-Qakbot.pcap.zip\r\n2020-08-20-IOCs-for-Emotet-infection-with-Qakbot.txt\r\n2020-08-24-Trickbot-gtag-ono66-IOCs.txt\r\n2020-08-25-IOCs-for-Emotet-with-Trickbot.txt\r\n2020-09-01-raccoon-stealer-IOCs.txt\r\n2020-09-07-Dridex-IOCs.txt\r\n2020-09-21-Dridex-IOCs.txt\r\n2020-09-28-Qakbot-IOCs.txt\r\n2020-10-01-Formbook-IOCs.txt\r\n2020-10-05-AZORult-IOCs.txt\r\n2020-10-26-Emotet-epoch-2-with-Trickbot-gtag-mor137-IOCs.txt\r\n2020-11-05-Hancitor-IOCs.txt\r\nhttps://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt\r\nPage 1 of 8\n\n2020-11-16-Cobalt-Strike-IOCs.txt\r\n2020-11-23-SmokeLoader-Dridex-and-webshell-IOCs.txt\r\n2020-11-23-SmokeLoader-and-Dridex-infection-with-webshell.pcap.zip\r\n2020-12-02-Astaroth-IOCs.txt\r\n2020-12-02-Astaroth-email-and-malware.zip\r\n2020-12-10-IOCs-from-Ursnif-infection-with-Delf-variant.txt\r\n2020-12-10-Ursnif-infection-with-Delf-variant.pcap.zip\r\n2020-12-11-Zepplin-ransomware-note.txt\r\n2020-12-14-IOCs-from-Qakbot-activity.txt\r\n2021-01-05-Emotet-and-Trickbot-IOCs.txt\r\n2021-01-06-SystemBC-domain-list.txt\r\n2021-01-08-IOCs-from-Ave-Maria-RAT.txt\r\n2021-01-11-IOCs-for-Dridex-traffic-with-webshell.txt\r\n2021-01-20-IOCs-from-Emotet-epoch1-infection.txt\r\n2021-02-01-TA551-IOCs-for-Qakbot.txt\r\n2021-02-08-tech-zupport-scam-audio.mp3\r\n2021-02-22-IOCs-from-Guildma-infection.txt\r\n2021-03-01-IcedID-IOCs.txt\r\n2021-03-08-IOCs-from-Banload-infection.txt\r\n2021-03-15-IcedID-IOCs.txt\r\n2021-03-15-IcedID-infection-traffic.pcap.zip\r\n2021-03-15-IcedID-malware-and-artifacts.zip\r\n2021-03-15-malspam-pushing-IcedID.eml.zip\r\n2021-03-22-Dridex-malspam-10-examples.zip\r\n2021-03-22-Dridex-malware-and-artifacts.zip\r\n2021-03-22-IOCs-from-Dridex-infection.txt\r\nhttps://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt\r\nPage 2 of 8\n\n2021-03-24-IOCs-for-IcedID-infection-with-Cobalt-Strike.txt\r\n2021-03-24-IcedID-malware-and-artifacts.zip\r\n2021-04-12-IcedID-IOCs.txt\r\n2021-04-12-IcedID-malware-and-artifacts.zip\r\n2021-04-15-IOCs-for-AsyncRAT-activity.txt\r\n2021-04-26-IcedID-with-Cobalt-Strike-IOCs.txt\r\n2021-04-26-IcedID-with-Cobalt-Strike-malware-and-artifacts.zip\r\n2021-04-26-IcedID-with-Cobalt-Strike-traffic.pcap.zip\r\n2021-05-10-IOCs-for-TA551-pushing-IcedID.txt\r\n2021-05-10-TA551-IcedID-malware-and-artifacts.zip\r\n2021-05-17-TA551-IOCs-for-IcedID.txt\r\n2021-05-17-TA551-IcedID-malware-and-artifacts.zip\r\n2021-06-21-TA551-IOCs-for-Ursnif.txt\r\n2021-06-28-TA551-IOCs-for-Trickbot.txt\r\n2021-07-12-Hancitor-IOCs.txt\r\n2021-07-20-IOCs-for-BazarLoader-and-Trickbot.txt\r\n2021-07-26-Trickbot-gtag-rob112.txt\r\n2021-07-29-IOCs-for-BazarLoader-CobaltStrike-PrintNightmare.txt\r\n2021-08-09-BazarLoader-and-Cobalt-Strike-IOCs.txt\r\n2021-08-18-phishing-example.txt\r\n2021-08-26-IOCs-for-DDoS-themed-BazarLoader-infection.txt\r\n2021-09-08-IOCs-for-Hancitor-with-Cobalt-Strike.txt\r\n2021-09-13-IOCs-for-TA551-Trickbot-with-Cobalt-Strike-and-DarkVNC.txt\r\n2021-09-20-IOCs-for-Squirrelwaffle-Loader-with-Cobalt-Strike.txt\r\nhttps://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt\r\nPage 3 of 8\n\n2021-09-29-TA551-BazarLoader-with-Cobalt-Strike-IOCs.txt\r\n2021-10-07-Qakbot-obama111-and-Cobalt-Strike-IOCs.txt\r\n2021-10-07-Qakbot-obama111-and-Cobalt-Strike-malware-and-artifacts.zip\r\n2021-10-18-IOCs-for-TR-based-Qakbot-with-Cobalt-Strike.txt\r\n2021-11-03-TA551-BazarLoader-info.txt\r\n2021-11-04-IOCs-for-TR-Qakbot-with-Cobalt-Strike.txt\r\n2021-11-05-TA551-IOCs.txt\r\n2021-11-15-IOCs-for-Matanbuchus-Qakbot-CobaltStrike-and-spambot-activity.txt\r\n2021-11-22-IOCs-for-Contact-Forms-campaign-activity.txt\r\n2021-12-07-IOCs-for-Qakbot-and-Matanbuchus-activity.txt\r\n2021-12-10-IOCs-for-TA551-IcedID-infection-with-Cobalt-Strike-and-DarkVNC.txt\r\n2022-01-04-IOCs-from-Remcos-RAT-infection.txt\r\n2022-01-05-IOCs-for-TA551-IcedID-with-Cobalt-Strike.txt\r\n2022-01-12-IOCs-for-IcedID-with-Cobalt-Strike-and-DarkVNC.txt\r\n2022-01-17-IOCs-for-Astaroth-Guildma-infection.txt\r\n2022-01-27-IOCs-for-Contact-Forms-IcedID-with-Cobalt-Strike.txt\r\n2022-02-07-IOCs-for-BazarLoader-with-Cobalt-Strike.txt\r\n2022-02-10-IOCs-for-Emotet-epoch5-infection-with-Cobalt-Strike.txt\r\n2022-02-17-IOCs-for-Bazil-targeted-malware-infection.txt\r\n2022-02-22-Emotet-epoch4-IOCs.txt\r\n2022-02-22-Emotet-epoch5-IOCs.txt\r\n2022-03-01-IOCs-for-Emotet-epoch4-with-Cobalt-Strike.txt\r\n2022-03-03-IOCs-for-Bazil-targeted-malware-infection.txt\r\n2022-03-03-IOCs-for-Emotet-epoch4-with-Cobalt-Strike.txt\r\n2022-03-14-IOCs-from-Emotet-epoch5-with-Cobalt-Strike.txt\r\n2022-03-21-IOCs-for-Cobalt-Strike-from-IcedID-infection.txt\r\nhttps://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt\r\nPage 4 of 8\n\n2022-03-29-IOCs-for-Emotet-and-Cobalt-Strike.txt\r\n2022-04-05-IOCs-for-Bumblebee-and-Cobalt-Strike.txt\r\n2022-04-12-IOCs-for-SpringShell-exploitation-by-Enemybot.txt\r\n2022-04-14-IOCs-for-aa-Qakbot-with-Cobalt-Strike.txt\r\n2022-04-19-IOCS-for-infection-from-Brazil-malspam.txt\r\n2022-04-25-IOCs-for-Emotet-epoch4.txt\r\n2022-05-03-IOCs-for-Contact-Forms-Bumblebee-and-Cobalt-Strike.txt\r\n2022-05-10-IOCs-for-Contact-Forms-IcedID-with-Cobalt-Strike.txt\r\n2022-05-15-Deadbolt-Ransomware.md\r\n2022-05-17-IOCS-for-aa-distribution-Qakbot-with-Cobalt-Strike.txt\r\n2022-05-23-IOCs-for-IcedID-and-DarkVNC.txt\r\n2022-06-07-IOCs-for-Emotet-with-Cobalt-Strike.txt\r\n2022-06-09-IOCs-from-TA578-Bumblebee-with-Cobalt-Strike.txt\r\n2022-06-14-IOCs-from-TA578-Bumblebee-with-Cobalt-Strike.txt\r\n2022-06-17-IOCs-for-Matanbuchus-with-Cobalt-Strike.txt\r\n2022-06-21-IOCs-for-AA-distribution-Qakbot-with-DarkVNC-and-Cobalt-Strike.txt\r\n2022-06-28-IOCs-for-TA578-IcedID-Cobalt-Strike-and-DarkVNC.txt\r\n2022-07-06-IOCs-for-TA578-contact-forms-IcedID-with-DarkVNC-and-Cobalt-Strike.txt\r\n2022-07-21-IOCs-for-IcedID-with-DarkVNC-and-Cobalt-Strike.txt\r\n2022-07-25-IOCs-for-IcedID-with-Cobalt-Strike.txt\r\n2022-08-03-IOCs-for-IcedID-and-Cobalt-Strike.txt\r\n2022-08-08-IOCs-for-IcedID-and-Cobalt-Strike.txt\r\n2022-08-10-IOCs-for-IcedID-and-Cobalt-Strike.txt\r\n2022-08-15-IOCs-for-Monster-Libra-SVCready.txt\r\n2022-08-29-IOCs-for-Monster-Libra-TA551-IcedID-with-Cobalt-Stike.txt\r\n2022-09-13-IOCs-for-Qakbot.txt\r\nhttps://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt\r\nPage 5 of 8\n\n2022-09-21-IOCs-for-Astaroth-Guildma-infection.txt\r\n2022-09-29-IOCs-for-Obama207-Qakbot-and-Cobalt-Strike.txt\r\n2022-10-04-IOCs-for-IcedID-infection-with-Cobalt-Strike.txt\r\n2022-10-10-IOCs-for-Cobalt-Strike-from-Qakbot-infection.txt\r\n2022-10-17-IOCs-for-IcedID-with-Cobalt-Strike.txt\r\n2022-10-31-IOCs-for-IcedID-with-DarkVNC-and-Cobalt-Strike.txt\r\n2022-11-03-IOCs-for-Emotet-with-IcedID.txt\r\n2022-11-07-IOCs-for-Emotet-infection-with-IcedID-and-Bumblebee.txt\r\n2022-11-28-IOCs-for-BB08-Qakbot-with-Cobalt-Strike.txt\r\n2022-12-07-IOCs-for-Bumblebee-infection-with-Cobalt-Strike.txt\r\n2022-12-09-IOCs-for-HTML-smuggling-to-ISO-files-for-Cobalt-Strike.txt\r\n2022-12-20-IOCs-for-IcedID-infection-with-Cobalt-Strike.txt\r\n2022-12-28-IOCs-for-NetSupport-RAT-infection.txt\r\n2022-12-29-IOCs-for-malware-from-fake-Adobe-Reader-page.txt\r\n2023-01-05-IOCs-from-Agent-Tesla-variant-infection.txt\r\n2023-01-12-IOCs-from-IcedID-and-Cobalt-Strike-infection.txt\r\n2023-01-16-IOCs-for-malware-from-fake-7zip-page.txt\r\n2023-01-23-IOCs-for-Google-ad-for-possible-TA505-activity.txt\r\n2023-01-31-BB12-Qakbot-infection-IOCs.txt\r\n2023-02-07-IOCs-for-probable-Matanbuchus-activity.txt\r\n2023-02-08-IOCs-for-Cobalt-Strike-from-IcedID.txt\r\n2023-02-13-IOCs-for-IcedID-infection-from-fake-Microsoft-Teams-page.txt\r\n2023-02-24-IOCs-for-IcedID-infection-with-BackConnect-and-Cobalt-Strike.txt\r\n2023-03-06-IOCs-for-Gozi-infection.txt\r\n2023-03-07-IOCs-for-Emotet-activity.txt\r\n2023-03-10-IOCs-for-CloakedUrsa-APT29-Activity.txt\r\nhttps://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt\r\nPage 6 of 8\n\n2023-03-16-IOCs-for-Emotet-E5-activity.txt\r\n2023-03-22-some-IOCs-for-Emotet-E4-activity.txt\r\n2023-04-05-IOCs-for-STRRAT-activity.txt\r\n2023-04-13-IOCs-for-MetaStealer-infection.txt\r\n2023-05-02-IOCs-for-obama259-Qakbot.txt\r\n2023-05-10-IOCs-for-IcedID-with-BackConnect-and-Keyhole-VNC-and-Cobalt-Strike.txt\r\n2023-05-10-IOCs-for-obama262-Qakbot-with-DarkCat-VNC-and-Cobalt-Strike.txt\r\n2023-05-17-IOCs-for-Pikabot-with-Cobalt-Strike.txt\r\n2023-05-22-IOCs-for-Pikabot-infection-with-Cobalt-Strike.txt\r\n2023-05-23-IOCs-for-Pikabot-with-Cobalt-Strike.txt\r\n2023-06-28-IOCs-for-IcedID-activity.txt\r\n2023-07-12-IOCs-from-Gozi-infection-with-Cobalt-Strike.txt\r\n2023-08-03-IOCs-for-malicious-ad-to-Danabot.txt\r\n2023-08-09-IOCs-from-IcedID-infection.txt\r\n2023-08-10-moved-to-new-Github-repository.txt\r\nLatest commit\r\n135 lines (113 loc) · 6.54 KB\r\nBreadcrumbs\r\n1. tweets\r\n2020-09-07-Dridex-IOCs.txt\r\nFile metadata and controls\r\n135 lines (113 loc) · 6.54 KB\r\nhttps://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt\r\nPage 7 of 8\n\nSource: https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt\r\nhttps://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt\r\nPage 8 of 8", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt" ], "report_names": [ "2020-09-07-Dridex-IOCs.txt" ], "threat_actors": [ { "id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f", "created_at": "2022-10-25T15:50:23.579601Z", "updated_at": "2026-04-10T02:00:05.360509Z", "deleted_at": null, "main_name": "TA551", "aliases": [ "TA551", "GOLD CABIN", "Shathak" ], "source_name": "MITRE:TA551", "tools": [ "QakBot", "IcedID", "Valak", "Ursnif" ], "source_id": "MITRE", "reports": null }, { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "62585174-b1f8-47b1-9165-19b594160b01", "created_at": "2023-01-06T13:46:39.369991Z", "updated_at": "2026-04-10T02:00:03.304964Z", "deleted_at": null, "main_name": "TA578", "aliases": [], "source_name": "MISPGALAXY:TA578", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e", "created_at": "2024-06-04T02:03:07.956135Z", "updated_at": "2026-04-10T02:00:03.689959Z", "deleted_at": null, "main_name": "IRON HEMLOCK", "aliases": [ "APT29 ", "ATK7 ", "Blue Kitsune ", "Cozy Bear ", "The Dukes", "UNC2452 ", "YTTRIUM " ], "source_name": "Secureworks:IRON HEMLOCK", "tools": [ "CosmicDuke", "CozyCar", "CozyDuke", "DiefenDuke", "FatDuke", "HAMMERTOSS", "LiteDuke", "MiniDuke", "OnionDuke", "PolyglotDuke", "RegDuke", "RegDuke Loader", "SeaDuke", "Sliver" ], "source_id": "Secureworks", "reports": null }, { "id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59", "created_at": "2024-06-19T02:03:08.128175Z", "updated_at": "2026-04-10T02:00:03.636663Z", "deleted_at": null, "main_name": "GOLD TAHOE", "aliases": [ "Cl0P Group Identity", "FIN11 ", "GRACEFUL SPIDER ", "SectorJ04 ", "Spandex Tempest ", "TA505 " ], "source_name": "Secureworks:GOLD TAHOE", "tools": [ "Clop", "Cobalt Strike", "FlawedAmmy", "Get2", "GraceWire", "Malichus", "SDBbot", "ServHelper", "TrueBot" ], "source_id": "Secureworks", "reports": null }, { "id": "a241a1ca-2bc9-450b-a07b-aae747ee2710", "created_at": "2024-06-19T02:03:08.150052Z", "updated_at": "2026-04-10T02:00:03.737173Z", "deleted_at": null, "main_name": "IRON RITUAL", "aliases": [ "APT29", "Blue Dev 5 ", "BlueBravo ", "Cloaked Ursa ", "CozyLarch ", "Dark Halo ", "Midnight Blizzard ", "NOBELIUM ", "StellarParticle ", "UNC2452 " ], "source_name": "Secureworks:IRON RITUAL", "tools": [ "Brute Ratel C4", "Cobalt Strike", "EnvyScout", "GoldFinder", "GoldMax", "NativeZone", "RAINDROP", "SUNBURST", "Sibot", "TEARDROP", "VaporRage" ], "source_id": "Secureworks", "reports": null }, { "id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4", "created_at": "2022-10-25T15:50:23.5188Z", "updated_at": "2026-04-10T02:00:05.26565Z", "deleted_at": null, "main_name": "TA505", "aliases": [ "TA505", "Hive0065", "Spandex Tempest", "CHIMBORAZO" ], "source_name": "MITRE:TA505", "tools": [ "AdFind", "Azorult", "FlawedAmmyy", "Mimikatz", "Dridex", "TrickBot", "Get2", "FlawedGrace", "Cobalt Strike", "ServHelper", "Amadey", "SDBbot", "PowerSploit" ], "source_id": "MITRE", "reports": null }, { "id": "52eb5fb6-706b-49c0-9ba5-43bea03940d0", "created_at": "2024-11-01T02:00:52.694476Z", "updated_at": "2026-04-10T02:00:05.410572Z", "deleted_at": null, "main_name": "TA578", "aliases": [ "TA578" ], "source_name": "MITRE:TA578", "tools": [ "Latrodectus", "IcedID" ], "source_id": "MITRE", "reports": null }, { "id": "40b623c7-b621-48db-b55b-dd4f6746fbc6", "created_at": "2024-06-19T02:03:08.017681Z", "updated_at": "2026-04-10T02:00:03.665818Z", "deleted_at": null, "main_name": "GOLD CABIN", "aliases": [ "Shathak", "TA551 " ], "source_name": "Secureworks:GOLD CABIN", "tools": [], "source_id": "Secureworks", "reports": null }, { "id": "d9b39228-0d9d-4c1e-8e39-2de986120060", "created_at": "2023-01-06T13:46:39.293127Z", "updated_at": "2026-04-10T02:00:03.277123Z", "deleted_at": null, "main_name": "BelialDemon", "aliases": [ "Matanbuchus" ], "source_name": "MISPGALAXY:BelialDemon", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "90f216f2-4897-46fc-bb76-3acae9d112ca", "created_at": "2023-01-06T13:46:39.248936Z", "updated_at": "2026-04-10T02:00:03.260122Z", "deleted_at": null, "main_name": "GOLD CABIN", "aliases": [ "Shakthak", "TA551", "ATK236", "G0127", "Monster Libra" ], "source_name": "MISPGALAXY:GOLD CABIN", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb", "created_at": "2023-01-06T13:46:38.393409Z", "updated_at": "2026-04-10T02:00:02.955738Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "Cloaked Ursa", "TA421", "Blue Kitsune", "BlueBravo", "IRON HEMLOCK", "G0016", "Nobelium", "Group 100", "YTTRIUM", "Grizzly Steppe", "ATK7", "ITG11", "COZY BEAR", "The Dukes", "Minidionis", "UAC-0029", "SeaDuke" ], "source_name": "MISPGALAXY:APT29", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3", "created_at": "2023-01-06T13:46:38.860754Z", "updated_at": "2026-04-10T02:00:03.125179Z", "deleted_at": null, "main_name": "TA505", "aliases": [ "SectorJ04", "SectorJ04 Group", "ATK103", "GRACEFUL SPIDER", "GOLD TAHOE", "Dudear", "G0092", "Hive0065", "CHIMBORAZO", "Spandex Tempest" ], "source_name": "MISPGALAXY:TA505", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e447d393-c259-46e2-9932-19be2ba67149", "created_at": "2022-10-25T16:07:24.28282Z", "updated_at": "2026-04-10T02:00:04.921616Z", "deleted_at": null, "main_name": "TA505", "aliases": [ "ATK 103", "Chimborazo", "G0092", "Gold Evergreen", "Gold Tahoe", "Graceful Spider", "Hive0065", "Operation Tovar", "Operation Trident Breach", "SectorJ04", "Spandex Tempest", "TA505", "TEMP.Warlock" ], "source_name": "ETDA:TA505", "tools": [ "Amadey", "AmmyyRAT", "AndroMut", "Azer", "Bart", "Bugat v5", "CryptFile2", "CryptoLocker", "CryptoMix", "CryptoShield", "Dridex", "Dudear", "EmailStealer", "FRIENDSPEAK", "Fake Globe", "Fareit", "FlawedAmmyy", "FlawedGrace", "FlowerPippi", "GOZ", "GameOver Zeus", "GazGolder", "Gelup", "Get2", "GetandGo", "GlobeImposter", "Gorhax", "GraceWire", "Gussdoor", "Jaff", "Kasidet", "Kegotip", "Kneber", "LOLBAS", "LOLBins", "Living off the Land", "Locky", "MINEBRIDGE", "MINEBRIDGE RAT", "MirrorBlast", "Neutrino Bot", "Neutrino Exploit Kit", "P2P Zeus", "Peer-to-Peer Zeus", "Philadelphia", "Philadephia Ransom", "Pony Loader", "Rakhni", "ReflectiveGnome", "Remote Manipulator System", "RockLoader", "RuRAT", "SDBbot", "ServHelper", "Shifu", "Siplog", "TeslaGun", "TiniMet", "TinyMet", "Trojan.Zbot", "Wsnpoem", "Zbot", "Zeta", "ZeuS", "Zeus" ], "source_id": "ETDA", "reports": null }, { "id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a", "created_at": "2022-10-25T15:50:23.548494Z", "updated_at": "2026-04-10T02:00:05.292748Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "APT29", "IRON RITUAL", "IRON HEMLOCK", "NobleBaron", "Dark Halo", "NOBELIUM", "UNC2452", "YTTRIUM", "The Dukes", "Cozy Bear", "CozyDuke", "SolarStorm", "Blue Kitsune", "UNC3524", "Midnight Blizzard" ], "source_name": "MITRE:APT29", "tools": [ "PinchDuke", "ROADTools", "WellMail", "CozyCar", "Mimikatz", "Tasklist", "OnionDuke", "FatDuke", "POSHSPY", "EnvyScout", "SoreFang", "GeminiDuke", "reGeorg", "GoldMax", "FoggyWeb", "SDelete", "PolyglotDuke", "AADInternals", "MiniDuke", "SeaDuke", "Sibot", "RegDuke", "CloudDuke", "GoldFinder", "AdFind", "PsExec", "NativeZone", "Systeminfo", "ipconfig", "Impacket", "Cobalt Strike", "PowerDuke", "QUIETEXIT", "HAMMERTOSS", "BoomBox", "CosmicDuke", "WellMess", "VaporRage", "LiteDuke" ], "source_id": "MITRE", "reports": null }, { "id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68", "created_at": "2022-10-25T16:07:24.578896Z", "updated_at": "2026-04-10T02:00:05.039955Z", "deleted_at": null, "main_name": "TA551", "aliases": [ "G0127", "Gold Cabin", "Monster Libra", "Shathak", "TA551" ], "source_name": "ETDA:TA551", "tools": [ "BokBot", "CRM", "Gozi", "Gozi CRM", "IceID", "IcedID", "Papras", "Snifula", "Ursnif", "Valak", "Valek" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434281, "ts_updated_at": 1775792243, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/68e3f16574629728a13c5f2bfd255bbdd2bd26ef.pdf", "text": "https://archive.orkl.eu/68e3f16574629728a13c5f2bfd255bbdd2bd26ef.txt", "img": "https://archive.orkl.eu/68e3f16574629728a13c5f2bfd255bbdd2bd26ef.jpg" } }