{
	"id": "d7d89bec-0c18-4b4c-b59a-598286ea5979",
	"created_at": "2026-04-06T03:36:51.379333Z",
	"updated_at": "2026-04-10T13:12:49.955786Z",
	"deleted_at": null,
	"sha1_hash": "6ac1a1ffa58d5996976af1211c3a62a563b705e2",
	"title": "Black-T: New Cryptojacking Variant from TeamTNT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 395394,
	"plain_text": "Black-T: New Cryptojacking Variant from TeamTNT\r\nBy Nathaniel Quist\r\nPublished: 2020-10-05 · Archived: 2026-04-06 03:25:03 UTC\r\nExecutive Summary\r\nUnit 42 researchers discovered a new variant of cryptojacking malware named Black-T, authored by TeamTNT, a group\r\nknown to target AWS credential files on compromised cloud systems and mine for Monero (XMR). Black-T follows the\r\ntraditional TeamTNT tactics, techniques and procedures (TTPs) of targeting exposed Docker daemon APIs and performing\r\nscanning and cryptojacking operations on vulnerable systems of affected organizations. However, code within the Black-T\r\nmalware sample gives evidence of a shift in TTPs for TeamTNT operations.\r\nOf these new TTPs, most notable are the targeting and stopping of previously unknown cryptojacking worms (i.e. the Crux\r\nworm, ntpd miner, and a redis-backup miner). Also, TeamTNT has been implementing the use of memory password scraping\r\noperations via mimipy and mimipenguins, which are *NIX equivalents to the commonly used Windows-specific memory\r\npassword scraper functionality of Mimikatz. Mimikatz is a tool capable of scraping plaintext passwords from Windows OS\r\nsystems, and also has the capability to perform pass-the-hash and pass-the-token operations, allowing attackers to hijack\r\nuser sessions. Any identified passwords which were obtained through mimipenguins are then exfiltrated to a TeamTNT\r\ncommand and control (C2) node. This is the first time TeamTNT actors have been witnessed including this type of post-exploitation operation in their TTPs.\r\nThe Black-T tool also has the capability to use three different network scanning tools to identify additional exposed Docker\r\ndaemon APIs, within the local network of the compromised system and across any number of publicly accessible networks,\r\nto extend their cryptojacking operations. Both masscan and pnscan have been used before by TeamTNT actors. 
However,\r\nthe addition of zgrab, a GoLang network scanner, marks the first time that a GoLang tool has been witnessed incorporated\r\ninto TeamTNT’s TTPs. There was also an update to the masscan network scanner operation to include searching for TCP\r\nport 5555. While the exact purpose regarding adding port 5555 to the scanner is unknown, there have been documented\r\ncases where XMR cryptojacking is occurring on Android-based devices. This could indicate a new unknown target set for\r\nexpanding TeamTNT cryptojacking operations. However, there is little evidence to support TeamTNT targeting Android\r\ndevices.\r\nUnit 42 researchers have discovered several German-language phrases inserted into multiple TeamTNT scripts, Black-T\r\nincluded. The very first line within the script following an ASCII art banner reads: verbose mode ist nur für euch 😉 damit\r\nihr was zum gucken habt in der sandbox :-* which translates to “verbose mode is only for you 😉 so that you have\r\nsomething to watch in the sandbox.” There have been several other cases where German phrases have been used within\r\nTeamTNT scripts.\r\nPalo Alto Networks Prisma Cloud can assist in securing cloud deployments against the threats posed by TeamTNT, by\r\nguiding organizations to better detect vulnerabilities or misconfigurations in cloud environment settings and infrastructure as\r\ncode (IaC) templates prior to deploying production systems. Additionally, by installing the latest apps and threat definitions\r\non Palo Alto Networks Next-Generation Firewall, network connections to known XMR public mining pools, or to malicious\r\ndomains and IPs, can be prevented before the environment is compromised.\r\nBlack-T Dissection\r\nhttps://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/\r\nPage 1 of 10\n\nThe Black-T script is downloaded from the TeamTNT domain, hxxps://teamtnt[.]red/BLACK-T/SetUpTheBLACK-T, to the\r\ncompromised cloud system that maintained an exposed Docker daemon API. 
Once downloaded to the compromised system,\r\nthe script will perform the following actions.\r\nFigure 1. TeamTNT’s Black-T ASCII banner.\r\nFirst, there is a display of an ASCII art banner declaring that this variant is version 1 (see Figure 1). Then, the script\r\nperforms a clean and system prep operation, in which the script will remove known cryptojacking malware already in place\r\non the compromised system. Black-T specifically targets Kinsing malware, a competing cryptojacking process family. It is\r\nalso important to note that TeamTNT authors have copied several pieces of malware code, both within previous TeamTNT\r\ntools as well as within this Black-T tool, to augment their own cryptojacking malware. Specifically, this copied code allows\r\nfor the removal and evasion of Aliyun and Tencent cloud security software, and adds AWS credential-stealing features and\r\nmasscan scanning functionality.\r\nDisable Active XMR Miners\r\nUnit 42 researchers also found evidence that the TeamTNT authors are now targeting other potential competing\r\ncryptojacking malware families, outside of the previously mentioned kinsing cryptojacking process. These competing\r\ncryptojacking processes include kswapd0, ntpd miner, redis-backup miner, auditd miner, migration miner, and finally, the\r\nCrux worm (see Figure 2) as well as the Crux worm miner (see Figure 3). With the inclusion of these potential cryptojacking\r\nprocesses found within the Black-T malware, it would appear that these cryptojacking processes are known to the TeamTNT\r\nauthors as competing for cloud processing resources. This would also indicate there are several cryptojacking processes\r\ncurrently unknown to defense teams and efforts should be taken to identify and build mitigation rules for these currently\r\nunknown cryptojacking processes. There is an XMR public mining pool called cruxpool[.]com. 
However, no additional\r\ninformation is currently available to support if the Crux worm uses the public mining pool cruxpool, or if this is simply a\r\nclever naming convention used by cryptojacking operators.\r\nFollowing the cleaning of any known cryptojacking processes, the Black-T malware will also perform a cleaning operation\r\nfor any known xmrig process currently running on the compromised system. XMRig is a popular open-source process,\r\nwhich facilitates the computational operations needed to mine the XMR cryptocurrency.\r\nFigure 2. Crux worm process removal.\r\nFigure 3. Crux worm mining process removal.\r\nOf note, TeamTNT makes use of customized processes within their scripts. These custom processes represent traditional\r\n*NIX processes, but have the prefix “tnt” added to the process name. For example, tntrecht is a customized process that is\r\nloaded into /usr/local/bin/tntrecht on the compromised system and is likely used to hijack and modify the permissions of\r\nlegitimate *NIX processes to be used for TeamTNT operations. The modified legitimate processes are subsequently renamed\r\nwith the “tnt” prefix – for instance, tntwget and tntcurl.\r\nSystem Setup\r\nFollowing the cleanup of the compromised system, the script will further set up the system environment by setting Path\r\nVariables: PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin, naming 8.8.4.4 and 8.8.8.8 as new DNS servers, and finally,\r\nflushing all established IP table rules using the command iptables -F.\r\nThe script will then check to see which *NIX package manager is installed on the compromised system: Advanced Package\r\nTool (APT), Yellowdog Updater, Modified (YUM) or Alpine Linux package manager (APK). 
Regardless of the package\r\nmanager type identified, the script will install masscan, along with libpcap to perform network packet traffic listening,\r\npnscan (a network scanning tool, although within the current sample, pnscan functionality has been commented out), zgrab\r\n(a GoLang tool built for zmap), Docker and jq (a flexible command-line JSON processor). See the setup image in Figure 4.\r\nFigure 4. APT package manager setup.\r\nUnit 42 researchers believe that TeamTNT actors are planning on building more sophisticated cryptojacking features into\r\ntheir tool sets – specifically for identifying vulnerable systems within various cloud environments. Never before has\r\nTeamTNT been known to use the network scanner software zmap. But TeamTNT is not only using zmap, they are using the\r\nlittle-known zgrab, which is a GoLang tool used to capture address banners. It is currently unclear how TeamTNT actors\r\nwill use this data, but it is highly likely the actors are giving zgrab a trial run to test the scanner’s functionality for their\r\noperations, and may make adjustments accordingly. 
This idea is supported by the zgrab GitHub page, which states that,\r\n“zgrab tends to be very unstable, API's may break at any time, so be sure to vendor zgrab.” It is further supported by the fact\r\nthat during the time of writing this blog, zmap had deprecated the original zgrab tool, which was used in Black-T, and has\r\nreplaced it with a new version of zgrab, called zgrab2.\r\nUnit 42 researchers do know that TeamTNT actors are placing a great deal of importance on scanning capabilities within the\r\nBlack-T tool, as there are currently three different scanners built into this tool (masscan, pnscan and zgrab).\r\nDownload Toolsets\r\nThe Black-T variant downloads two files, which execute directly into bash: hxxps://teamtnt[.]red/BLACK-T/beta and\r\nhxxps://teamtnt[.]red/BLACK-T/setup/bd.\r\nBeta\r\nBeta is used to make a new directory /.../ where the following files are compressed into two tar files. The first, root.tar.gz:\r\n/root/.bash_history\r\n/root/.ssh/\r\n/etc/hosts\r\n/root/.docker/\r\n/root/.aws/\r\n/root/*.sh\r\n/home/*/.bash_history\r\n/home/*/.ssh/\r\n/home/*/*.sh\r\nAnd the second, cron.tar.gz:\r\n/etc/cron*/\r\n/var/spool/cron/\r\nThese two files, upon compression, are then sent to the URL hxxps://teamtnt[.]red/only_for_stats/dup.php. It is important to\r\nnote that TeamTNT actors are still targeting AWS credential and configuration files located on compromised AWS cloud\r\nsystems. If compromised systems do contain AWS credentials, the TeamTNT actors could attempt to use these AWS\r\ncredentials to expand their cryptojacking operations within the compromised system’s AWS environment. 
By using the AWS\r\ncredentials obtained from the exposed and compromised Docker daemon system, TeamTNT actors could use this system as\r\na pivot point to gain access to additional cloud systems and resources that use the same AWS credentials and which are\r\nhosted within the system’s larger AWS environment.\r\nThe beta script then downloads the file hxxps://teamtnt[.]red/x/pw, and also downloads the hxxps://teamtnt[.]red/BLACK-T/setup/bd, which is a duplicate from the Black-T download.\r\nFinally, the beta script will set the service token for monitoring XMR mining operations. This token is set as\r\nabyofigfefda6c3itn9f3zkrmjfays31, and it will redownload the Black-T script, hxxps://teamtnt[.]red/BLACK-T/SetUpTheBLACK-T. This is likely done as a means of redundancy to provide actors with different types of operations to\r\nlaunch following the exploitation of a system.\r\npw\r\nThe script pw is very intriguing, as it performs post-exploitation operations of password scraping using mimipy and\r\nmimipenguin, which are *NIX tools adapted for use from the Windows tool Mimikatz. Upon uncovering any passwords\r\nresiding in memory within the compromised system, the passwords are written to the file /var/tmp/.../output.txt, which is\r\nthen uploaded to hxxps://teamtnt[.]red/only_for_stats/dup.php. See Figure 5.\r\nFigure 5. Memory password scraping and exfil.\r\nbd\r\nThe script bd is used to download the XMR mining software relevant to the given compromised system. These downloaded\r\nfiles and the SHA256 values for the mining software have been reported on before during an operation targeting Weave\r\nScope deployments.\r\nFigure 6. 
Downloaded mining software.\r\nUnit 42 researchers downloaded each of the software samples and believe these samples to be the same style of samples that\r\nhave been previously reported (see Table 1).\r\nName SHA-256 Hash Note/VirusTotal Findings\r\nbioset a5dd446b2a7b8cfd6b6fd4047cc2fddfcea3a4865d8069dcd661e422046de2a1 Possibly corrupted\r\nkube a506c6cf25de202e6b2bf60fe0236911a6ff8aa33f12a78edad9165ab0851caf VT = 33/60 kube.jpg\r\ntshd a5e6b084cdabe9a4557b5ff8b2313db6c3bb4ba424d107474024030115eeaa0f Possibly Corrupt VT = 1/60\r\ndocker-update 139f393594aabb20543543bd7d3192422b886f58e04a910637b41f14d0cad375 VT = 35/60 default.jpg\r\nTable 1. TeamTNT XMR mining software.\r\nXMR Miner Setup\r\nThe Black-T script then downloads the known XMR miner software sbin_u (SHA256:\r\nfae2f1399282508a4f01579ad617d9db939d0117e3b2fcfcc48ae4bef59540d9). This type of mining software has been linked\r\nbefore to TeamTNT. VirusTotal currently only lists the malware as an 8/62, but does label it as an Executable Linkable\r\nFormat (ELF) CoinMiner (see Figure 7), mining software which operates on *NIX platform systems.\r\nFigure 7. VirusTotal metadata of the file sbin_u\r\nFinally, Black-T configures the XMR mining software to use the following XMR wallet address:\r\n84xqqFNopNcG7T5AcVyv7LVyrBfQyTVGxMFEL2gsxQ92eNfu6xddkWabA3yKCJmfdaA9jEiCyFqfffKp1nQkgeq2Uu2dhB8.\r\nFigure 8 shows that as of the time of this writing, only five workers were reported producing 8.2 KH/s, which is down from\r\na maximum of 25.05 KH/s on September 26, 2020. This particular XMR wallet has only managed to gather roughly US$10\r\nas of September 29, 2020, likely due to the fact that this is a very new variant of cryptojacking software and hasn’t had much\r\ntime to spread.\r\nFigure 8. 
MoneroOcean results for the Black-T XMR wallet address.\r\nWorm Functionality\r\nTeamTNT has long maintained its usage of worm-like techniques and has used masscan or pnscan to discover vulnerable\r\nsystems. Black-T is no exception. However, there is a subtle difference between previously reported TeamTNT masscan\r\noperations and those present within Black-T. Specifically, in Black-T, we see the addition of a new scanning port, TCP 5555\r\n(see Figure 9). While the exact purpose of adding port 5555 to the scanner is unknown, there have been documented cases\r\nwhere XMR cryptojacking is occurring on Android-based devices. This could indicate a new unknown target set for\r\nexpanding TeamTNT cryptojacking operations. However, there is little evidence to support TeamTNT targeting Android\r\ndevices.\r\nFigure 9. TeamTNT masscan scanning operations.\r\nAdditionally, Black-T also performs scanning operations on a random CIDR 8 network range as it searches for exposed\r\nDocker API instances. This is also a new finding related to TeamTNT TTPs (see Figure 10). By expanding the scanning\r\nrange of Black-T, TeamTNT actors are greatly expanding the scope of their targeting operations. Instead of only scanning\r\nthe local network range of a compromised system, Black-T will begin scanning an entire CIDR 8 network range at random.\r\nFor example, if Black-T selects 134.0.0.0/8, any address between 134.0.0.0 and 134.255.255.255 which contains an exposed\r\nDocker daemon API will be targeted and Black-T will attempt to exploit that system. Given enough time, every publicly\r\navailable IP address will be scanned for an exposed Docker daemon API system. This has the potential to greatly increase\r\nthe number of compromised systems owned by TeamTNT actors.\r\nFigure 10. 
Random Docker API scanning operation.\r\nConclusion\r\nTeamTNT is a cloud-focused cryptojacking group which targets exposed Docker daemon APIs. Upon successful\r\nidentification and exploitation of the Docker daemon API, TeamTNT will drop the new cryptojacking variant Black-T. This\r\nvariant installs up to three different types of network scanners (masscan, pnscan and zgrab), which are used to scan for\r\nadditional exposed Docker daemon APIs. Black-T will also perform memory scraping operations following the successful\r\nexploitation of the cloud system. This is performed via mimipy and mimipenguins scripts, which are downloaded to the\r\ncompromised system. Any identified passwords are then exfiltrated to a TeamTNT C2 node. Similar to the stolen AWS\r\ncredentials also captured by the TeamTNT actors, these credentials are likely to be used for additional operations targeted\r\nagainst the organization managing the compromised Docker API.\r\nIn order to protect cloud systems from TeamTNT’s Black-T cryptojacking malware, organizations should perform the\r\nfollowing actions:\r\nEnsure that cloud environments are not exposing Docker daemon APIs or any other network service, which\r\ninadvertently exposes sensitive internal network services.\r\nLeverage Palo Alto Networks Prisma Cloud to secure cloud deployments.\r\nInstall the latest apps and threat definitions on the Palo Alto Networks Next-Generation Firewall.\r\nIndicators of 
Compromise\r\nURLs\r\nMonero Mining Pool\r\nMoneroOcean[.]stream\r\nSHA-256 Hashes\r\nBlack-T related hashes\r\nMimipy and Mimipenguin Related Hashes\r\nMonero Wallet\r\n84xqqFNopNcG7T5AcVyv7LVyrBfQyTVGxMFEL2gsxQ92eNfu6xddkWabA3yKCJmfdaA9jEiCyFqfffKp1nQkgeq2Uu2dhB8\r\nSource: https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/"
	],
	"report_names": [
		"black-t-cryptojacking-variant"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f809bfcb-b200-4988-80a8-be78ef6a52ef",
			"created_at": "2023-01-06T13:46:39.186988Z",
			"updated_at": "2026-04-10T02:00:03.240002Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"Adept Libra"
			],
			"source_name": "MISPGALAXY:TeamTNT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3ca592f-0669-49bd-ab5c-310007ab2fb4",
			"created_at": "2022-10-25T15:50:23.334495Z",
			"updated_at": "2026-04-10T02:00:05.264841Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"TeamTNT"
			],
			"source_name": "MITRE:TeamTNT",
			"tools": [
				"Peirates",
				"MimiPenguin",
				"LaZagne",
				"Hildegard"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a6c351ea-01f1-4c9b-af75-cfbb3b269ed3",
			"created_at": "2023-01-06T13:46:39.390649Z",
			"updated_at": "2026-04-10T02:00:03.311299Z",
			"deleted_at": null,
			"main_name": "Kinsing",
			"aliases": [
				"Money Libra"
			],
			"source_name": "MISPGALAXY:Kinsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775446611,
	"ts_updated_at": 1775826769,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6ac1a1ffa58d5996976af1211c3a62a563b705e2.pdf",
		"text": "https://archive.orkl.eu/6ac1a1ffa58d5996976af1211c3a62a563b705e2.txt",
		"img": "https://archive.orkl.eu/6ac1a1ffa58d5996976af1211c3a62a563b705e2.jpg"
	}
}