{
	"id": "b79843ab-61e4-445b-96dc-b13900605f4f",
	"created_at": "2026-04-06T00:20:12.341504Z",
	"updated_at": "2026-04-10T13:12:01.394819Z",
	"deleted_at": null,
	"sha1_hash": "6c10f1a3c3f3d335e88ac2e4def3e9938a23fed9",
	"title": "Dark Web Profile: APT42 - Iranian Cyber Espionage Group - SOCRadar® Cyber Intelligence Inc.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2022081,
	"plain_text": "Dark Web Profile: APT42 - Iranian Cyber Espionage Group -\r\nSOCRadar® Cyber Intelligence Inc.\r\nPublished: 2022-12-12 · Archived: 2026-04-02 10:44:19 UTC\r\nBy SOCRadar Research\r\nAfter the 2010 Stuxnet attack on Iran's nuclear program, Iran began to invest in and expand its cyberwarfare capabilities. From that turning point, Iranian hacking groups multiplied and became more dangerous. The danger is not only destructive attacks: Iranian groups run cyber espionage campaigns as readily as disruptive ones. Iran's major cyber espionage activity began, roughly, with Madi, spyware operated in 2012 against business executives working on critical infrastructure and Middle Eastern government officials. Iranian threat actors, in particular those tracked as Advanced Persistent Threats (APTs) such as APT35 and APT39 (Remix Kitten), then became known worldwide for cyber espionage. These operations matter to Iran because their primary goal is believed to be improving the country's industrial and military capabilities.\r\nOperation categories of APT42\r\nhttps://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group/\r\nPage 1 of 9\r\nIn July 2022, Iranian state actors conducted a destructive cyber-attack against the Albanian government. In September 2022, Mandiant released a report on APT42 detailing at least 30 confirmed cyber espionage operations dating back to 2015. APT42, also known as Crooked Charms and TA453, is a cyber espionage group linked to Iran. It is allegedly affiliated with the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO) and operates on its behalf. 
The group focuses mainly on spearphishing, which targets specific high-profile individuals or people in particular roles, and its habit of impersonating trusted persons during these attacks sets it apart from other Iranian APT groups.\r\nTargets of APT42\r\nAPT42 follows the targeting pattern of other Iranian state-sponsored groups and concentrates on the Middle East. It mainly targets individuals and organizations with a particular interest in the Iranian government, or who oppose Iran's regime.\r\nThe group also targets a few specific sectors:\r\nCivil society and non-profit organizations\r\nEducation\r\nHealthcare\r\nPharmaceuticals\r\nManufacturing\r\nMedia\r\nFrom 2015 to the present, APT42 activity has been observed in more than 15 countries, including the United States, Australia, Germany and the United Kingdom.\r\nCountries affected by APT42 (Source: SOCRadar)\r\nThe group operates in three main categories:\r\n1. Credential Harvesting\r\nThe group uses spearphishing to steal credentials and Multi-Factor Authentication codes, bypassing authentication to reach the networks, devices and accounts of the victim's colleagues. Mandiant observed one such case in February 2021, when APT42 targeted the email credentials of a senior Israeli government official with a page mimicking the Gmail login page.\r\n2. Surveillance Operations\r\nThe group has been observed using Android malware built to gather information (locations, communications and so on) from Iranian dissidents and individuals interested in the Iranian government. 
From June to August 2022, Mandiant observed APT42 using the PINEFLOWER malware to exfiltrate recorded calls, audio recordings, images and SMS inboxes from Iran-based people linked to universities, reformist political groups and human rights activists.\r\nPINEFLOWER's MD5 hash search output on SOCRadar's Threat Hunting page\r\n3. Malware Deployment\r\nAlthough APT42's main objective is credential harvesting, the group also deploys lightweight tools and custom backdoors when its objectives widen. In March 2022, Mandiant observed APT42 using POWERPOST, a custom reconnaissance tool that collects data such as system information and local account names from the host.\r\nAPT42's Connection with APT35\r\nSome sources treat APT42 as just another name for APT35, a second Iranian state-sponsored cyber espionage group; most, however, track them as separate but related groups.\r\nMandiant considers both APT35 and APT42 to be IRGC-affiliated and assesses that they likely have different missions, contracts or contractors, given the significant differences in their targeting and in their tactics, techniques and procedures. APT35 targets military, diplomatic and government personnel and organizations, the defense industry and the telecommunications sector in the U.S., Western Europe and the Middle East. APT42, on the other hand, focuses on organizations and individuals interested in the Iranian government and on opponents of Iran.\r\nAPT42's Connection with Nemesis Kitten\r\nNemesis Kitten (UNC2448 or DEV-0270) is an Iranian threat actor believed, like APT42, to belong to Phosphorus. 
The group is known for ransomware campaigns and network operations on behalf of the government of Iran.\r\nDiagram of Phosphorus and Charming Kitten (Source: Mandiant)\r\nNemesis Kitten differs from APT42 in how it gets in: during the initial access phase it typically exploits known Exchange and Fortinet vulnerabilities (for example CVE-2018-13379), whereas APT42, as observed, relies on spearphishing.\r\nAccording to Mandiant, APT42 and Nemesis Kitten have no technical relation, but both may have ties to IRGC-IO.\r\nAPT42's Connection with TAG-56\r\nTAG-56, covered in a report Recorded Future published on November 29, 2022, has several points in common with APT42:\r\nIn observed cases, TAG-56 has lured victims with fake registration pages such as a fake Microsoft login page; similar pages appear in some APT42 attacks.\r\nSome of the domains TAG-56 uses (mailer-daemon[.]org, [.]net, [.]me and [.]live) stand out because mailerdaemon[.]me and mailer-daemon-message[.]co were previously observed in use by Phosphorus, the group APT42 is believed to belong to.\r\nTAG-56 delivers malicious links through spearphishing or directly over encrypted chat platforms such as WhatsApp and Telegram, manipulating victims with the same social engineering techniques that other Iran-nexus actors, APT42 included, employ.\r\nGiven these common points, TAG-56 and APT42 strongly overlap. 
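The PINEFLOWER sample described under Surveillance Operations above is characterised in Appendix 3 by its permission set, its SMS, boot and connectivity receivers, and a package name that mimics a Google component. The Python below is an added example, not SOCRadar's or Mandiant's tooling and not code from this page: it triages a decoded AndroidManifest.xml (the form apktool d produces) against that profile, generalising the single sample into a reusable check. The two manifests embedded in it are constructed, one from the Appendix 3 listing and one for an invented benign app; the scoring weights, thresholds and impersonation prefixes are assumptions to tune.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = '{http://schemas.android.com/apk/res/android}'

# Surveillance capabilities taken from the PINEFLOWER permission list in Appendix 3.
SURVEILLANCE_PERMS = {
    'android.permission.RECORD_AUDIO', 'android.permission.CAMERA',
    'android.permission.READ_SMS', 'android.permission.RECEIVE_SMS', 'android.permission.SEND_SMS',
    'android.permission.READ_CALL_LOG', 'android.permission.PROCESS_OUTGOING_CALLS',
    'android.permission.ACCESS_FINE_LOCATION', 'android.permission.READ_CONTACTS',
}
# Receiver actions from the Appendix 3 intent filters: boot persistence, SMS hook, network wake-up.
PERSISTENCE_ACTIONS = {
    'android.intent.action.BOOT_COMPLETED',
    'android.provider.Telephony.SMS_RECEIVED',
    'android.net.conn.CONNECTIVITY_CHANGE',
}
# A third-party APK has no business under these prefixes; the sample squats on com.google.android.*
IMPERSONATED_PREFIXES = ('com.google.android.', 'com.android.')


def verdict(score):
    # Hypothetical thresholds; tune them against your own corpus.
    if score >= 6:
        return 'likely surveillanceware'
    if score >= 3:
        return 'review manually'
    return 'low'


def triage_manifest(manifest_xml):
    '''Triage a decoded AndroidManifest.xml (as apktool d emits it) against the PINEFLOWER profile.'''
    root = ET.fromstring(manifest_xml)
    package = root.get('package', '')
    requested = {p.get(ANDROID_NS + 'name') for p in root.iter('uses-permission')}
    perms = sorted(requested & SURVEILLANCE_PERMS)
    hooks = []
    for receiver in root.iter('receiver'):
        for action in receiver.iter('action'):
            name = action.get(ANDROID_NS + 'name')
            if name in PERSISTENCE_ACTIONS:
                hooks.append((receiver.get(ANDROID_NS + 'name'), name))
    impersonation = package.startswith(IMPERSONATED_PREFIXES)
    # One point per capability or hook, three for squatting on a system package name.
    score = len(perms) + len(hooks) + (3 if impersonation else 0)
    return {
        'package': package,
        'surveillance_permissions': perms,
        'persistence_hooks': sorted(hooks),
        'impersonates_system_package': impersonation,
        'score': score,
        'verdict': verdict(score),
    }


# Constructed from the Appendix 3 listing (package, permissions, receivers); not the real APK manifest.
PINEFLOWER_LIKE_MANIFEST = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android'
    package='com.google.android.services.control' android:versionCode='1' android:versionName='1.0'>
  <uses-permission android:name='android.permission.INTERNET'/>
  <uses-permission android:name='android.permission.RECORD_AUDIO'/>
  <uses-permission android:name='android.permission.CAMERA'/>
  <uses-permission android:name='android.permission.READ_SMS'/>
  <uses-permission android:name='android.permission.RECEIVE_SMS'/>
  <uses-permission android:name='android.permission.SEND_SMS'/>
  <uses-permission android:name='android.permission.READ_CALL_LOG'/>
  <uses-permission android:name='android.permission.ACCESS_FINE_LOCATION'/>
  <uses-permission android:name='android.permission.READ_CONTACTS'/>
  <uses-permission android:name='android.permission.RECEIVE_BOOT_COMPLETED'/>
  <application android:label='Users'>
    <activity android:name='com.google.android.services.control.Main'>
      <intent-filter><action android:name='android.intent.action.MAIN'/><category android:name='android.intent.category.LAUNCHER'/></intent-filter>
    </activity>
    <service android:name='gs.g.CoreService'/>
    <receiver android:name='gs.f.SmsReceiver'><intent-filter><action android:name='android.provider.Telephony.SMS_RECEIVED'/></intent-filter></receiver>
    <receiver android:name='gs.f.NetReceiver'><intent-filter><action android:name='android.net.conn.CONNECTIVITY_CHANGE'/></intent-filter></receiver>
    <receiver android:name='gs.f.BootReceiver'><intent-filter><action android:name='android.intent.action.BOOT_COMPLETED'/></intent-filter></receiver>
  </application>
</manifest>'''

# Invented benign control: a flashlight app that only asks for the camera.
BENIGN_MANIFEST = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android' package='com.example.flashlight'>
  <uses-permission android:name='android.permission.CAMERA'/>
  <application android:label='Flashlight'>
    <activity android:name='.MainActivity'>
      <intent-filter><action android:name='android.intent.action.MAIN'/><category android:name='android.intent.category.LAUNCHER'/></intent-filter>
    </activity>
  </application>
</manifest>'''

if __name__ == '__main__':
    for manifest in (PINEFLOWER_LIKE_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result['package'], result['score'], result['verdict'], result['surveillance_permissions'], result['persistence_hooks'])
```

A score driven only by permissions is easy to game, which is why the receiver hooks and the package name weigh in as well; for a real triage, run it over the manifest apktool extracts and confirm any hit against the hashes in Appendix 3.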
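GHAMBAR and BROKEYOLK, described under Attack Cycle and listed in Appendix 1 and 2 below, talk to their C2 through SOAP requests over HTTP, which shapes how their IOCs should be used: the hxxp[:]//tempuri[.]org/... entries are SOAPAction header values rather than hosts (tempuri.org is the placeholder namespace .NET gives web services by default), and dns.msftncsi.com, msdl.microsoft.com and ipinfo.io are legitimate services the samples merely contact. The Python below is an added example, not code from this page or from SOCRadar: it scans constructed proxy records for the known C2 hosts and SOAP operations and, going one step beyond the page's IOC lists, flags the default tempuri.org namespace being sent to any host outside a hypothetical internal allowlist. The record format, the .internal.example allowlist, the timestamps and the 203.0.113.7 host are assumptions.

```python
import urllib.parse

# C2 hosts transcribed from Appendix 1-3 (defanged there with [.] and [:]; refanged here).
C2_HOSTS = {
    'nvidia-update.com',         # GHAMBAR, tcp/5050
    'update-microsoft.bid',      # BROKEYOLK, /img/WebService.asmx
    'update-driversonline.bid',  # BROKEYOLK, /img/WebService.asmx
    'hardship-management.com',   # PINEFLOWER, tcp/4373
}
TEMPURI = 'http://tempuri.org/'
# SOAPAction values from the GHAMBAR and BROKEYOLK IOC lists (namespace + operation).
GHAMBAR_OPS = {TEMPURI + op for op in (
    'INew/RegisterNewUser', 'ITargetUtils/ImOnline', 'INew/RegisterNewPlugin',
    'ITargetUtils/SendKeyLog', 'IBuilder/AreYouAvaliable', 'IMonitoring/GetPluginsInfo',
    'IMonitoring/GetTargetsInfo', 'ITargetUtils/RegisterTarget', 'ITargetUtils/SendScreenshot',
    'ICcPluginUtils/InstallPlugin', 'IMonitoring/GetTargetKeylogs',
    'IMonitoring/TargetPluginsInfo', 'ICcPluginUtils/UninstallPlugin')}
BROKEYOLK_OPS = {TEMPURI + op for op in (
    'TU', 'AbPidById', 'Set2', 'Set1', 'IdCmOne', 'CmSById', 'HasF',
    'IdAbOne', 'NameAbById', 'AbByCount')}
# Hypothetical allowlist: your own .NET services may legitimately keep the tempuri.org
# placeholder namespace, so the weak rule below only fires for hosts outside it.
INTERNAL_SUFFIXES = ('.internal.example',)


def classify(host, path, soap_action):
    '''Return (severity, reasons) for one request; severity is None when nothing matches.'''
    hits = []
    if host in C2_HOSTS:
        hits.append(('high', 'request to known APT42 C2 host ' + host))
    if soap_action in GHAMBAR_OPS:
        hits.append(('high', 'GHAMBAR SOAP operation ' + soap_action))
    elif soap_action in BROKEYOLK_OPS:
        hits.append(('high', 'BROKEYOLK SOAP operation ' + soap_action))
    elif soap_action.startswith(TEMPURI) and not host.endswith(INTERNAL_SUFFIXES):
        # Weak on its own: tempuri.org is the default namespace .NET gives SOAP services.
        hits.append(('medium', 'default tempuri.org namespace sent to external host ' + host + path))
    if not hits:
        return None, []
    severity = 'high' if any(s == 'high' for s, _ in hits) else 'medium'
    return severity, [reason for _, reason in hits]


def scan_log(text):
    '''Scan records of the form: ts src method url soapaction (a lone - when absent).'''
    alerts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        ts, src, method, url, soap_action = line.split()
        # Proxies usually log SOAPAction wrapped in double quotes; drop them before matching.
        soap_action = soap_action.strip(chr(34))
        parts = urllib.parse.urlsplit(url)
        host = (parts.hostname or '').lower()
        severity, reasons = classify(host, parts.path, soap_action)
        if severity:
            alerts.append({'ts': ts, 'src': src, 'host': host, 'severity': severity, 'reasons': reasons})
    return alerts


# Constructed proxy records for this example, not real telemetry. URLs that match the page IOCs
# are copied from its appendices; the internal CRM host and 203.0.113.7 are invented.
SAMPLE_LOG = '''
# ts src method url soapaction
2022-03-14T09:12:03Z 10.0.5.21 POST http://update-microsoft.bid/img/WebService.asmx http://tempuri.org/HasF
2022-03-14T09:12:05Z 10.0.5.21 GET http://msdl.microsoft.com/download/symbols/libcef.dll.pdb/FD4C20AFD16A4088AB999A485492C433b/libcef.dll.pd_ -
2022-03-14T09:13:40Z 10.0.5.21 GET http://ipinfo.io/ip -
2022-03-14T09:13:41Z 10.0.5.21 POST http://nvidia-update.com:5050/D6E90421-1C45-41A4-9250-3F18B9633CE http://tempuri.org/ITargetUtils/SendKeyLog
2022-03-14T09:14:00Z 10.0.7.9 POST http://crm.internal.example/Service.asmx http://tempuri.org/GetCustomers
2022-03-14T09:15:00Z 10.0.7.9 GET https://www.example.org/ -
2022-03-14T09:16:00Z 10.0.5.21 POST http://203.0.113.7/ws/WebService.asmx http://tempuri.org/Ping
'''

if __name__ == '__main__':
    for alert in scan_log(SAMPLE_LOG):
        print(alert['ts'], alert['src'], alert['severity'], '; '.join(alert['reasons']))
```

Run as is, it raises three alerts: two high-severity hits on the .bid and nvidia-update.com hosts with their matching SOAP operations, and one medium hit for the tempuri.org namespace leaving for an unknown external host, while the symbol-server, ipinfo.io and internal CRM requests stay silent. In production the same classify() sits behind a log pipeline that already parses the SOAPAction header, and the medium rule deserves a per-application allowlist before it is left on.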
\r\nNotable Operations of APT42\r\nMulti-Persona Impersonation (MPI) emails: the group uses a newer phishing technique to dupe its targets. It builds several impersonated journalist profiles and fabricates a realistic-looking mail thread between them, then adds the targeted journalist or researcher to the thread and keeps the conversation going on the topic.\r\nExample of MPI mail thread (Source: Proofpoint)\r\nAfter a while, one of the fake personas sends a file link that leads to a forged Google Drive or OneDrive page, either to steal credentials or to deliver a malicious file.\r\nAnother example of APT42 delivering a malicious document via phishing mail (Source: Proofpoint)\r\nMimicking login pages: APT42 has repeatedly been observed cloning the Google, Yahoo! and OneDrive login pages to harvest credentials. Because the fake page collects the victim's MFA code along with the password, the group can use both to log into the account.\r\nFake Yahoo! login page designed by APT42 (Source: Mandiant)\r\nList of the malware used by APT42:\r\nBROKEYOLK\r\nCHAIRSMACK\r\nDOSTEALER\r\nGHAMBAR\r\nMAGICDROP\r\nPINEFLOWER\r\nPOWERPOST\r\nSILENTUPLOADER\r\nTABBYCAT\r\nTAMECAT\r\nVBREVSHELL\r\nVINETHORN\r\nAttack Cycle of APT42\r\nAs described above, the group opens its operations with spearphishing, credential harvesting and malware deployment, and it has also been observed using MFA-bypass techniques for initial access.\r\nOnce it has access to an account, the group registers its own authenticator for MFA so that the second factor no longer keeps it out. It also uses various malware, such as GHAMBAR, BROKEYOLK and PINEFLOWER, to establish a foothold.\r\nGHAMBAR: a remote administration tool (RAT) written in C#. 
It takes commands from the command-and-control (C2) server through SOAP (Simple Object Access Protocol) API requests over HTTP and can manipulate the file system, log keystrokes, capture the screen, run shell commands, upload and download files, and execute plugins. (Appendix 1)\r\nBROKEYOLK: a .NET downloader that downloads and executes a file from a hard-coded C2 using SOAP API requests over HTTP. (Appendix 2)\r\nPINEFLOWER: Android malware with many functions, including backdoor functionality, stealing system information, recording calls, and reading and sending SMS messages. It can also collect location data, download, delete and upload files, and read the Wi-Fi, Bluetooth and mobile data connectivity states. (Appendix 3)\r\nAPT42's Attack Lifecycle (Source: Mandiant)\r\nFor lateral movement, APT42 usually launches further spearphishing from its victims' compromised mailboxes, and throughout this cycle it uses custom malware (CHAIRSMACK and GHAMBAR) to maintain its presence, continue its operations and gather more information about the victim.\r\nConclusion\r\nIranian APT groups are among the most dangerous threat actors in cyberspace, and detecting them before they get into your organization's infrastructure is vital. Based on Iranian APT activity, the to-dos to consider are:\r\nEvaluate and update your block list regularly.\r\nBack up your data and ensure the backups are encrypted.\r\nAudit user accounts and admin privileges regularly.\r\nImplement MFA wherever possible.\r\nMonitor remote access logs often.\r\nThese steps help, but more is needed. 
Cyber Threat Intelligence (CTI) services are a good way to stay informed and ahead of an attack.\r\nSOCRadar has a Campaign panel that displays all observations about a specific event on a single page.\r\nSOCRadar's Campaign page “Hackers Behind the Iran” (can be examined in detail from the SOCRadar Labs Campaign panel)\r\nSOCRadar also has a panel holding all threat actor and malware information, which can be inspected in detail.\r\nSOCRadar's Threat Actors Panel\r\nAPT42 remains a dangerous cyber espionage group. Because of its relationship with the IRGC, it will keep targeting organizations and individuals interested in the Iranian government. According to analysis published by Human Rights Watch (HRW) on December 5, 2022, the group used WhatsApp as an additional medium in its recent attacks, which shows that it picks its delivery channels from whatever its targets currently use.\r\nAPT42 built its reputation on spearphishing, so keep these observed traits in mind to stay safe from its campaigns:\r\nThey do not use institutional email domains.\r\nIn observed cases, a campaign has started with a reply to a blank email.\r\nThey ask to collaborate on research about issues relating to the Middle East.\r\nYou can analyze suspected emails with the free SOC Tools on SOCRadar Labs.\r\nSOCRadar Labs' SOC Tools Panel\r\nAppendix:\r\nAppendix 1. 
IOCs of GHAMBAR\r\nNames:\r\nPavilion.exe\r\nMSPavilion.exe\r\ntmpD9CB.exe\r\nTmpd9cb.exe\r\nBasic Properties:\r\nMD5: 00b5d45433391146ce98cd70a91bef08\r\nSHA-1: 7649c554e87f6ea21ba86bb26ea39521d5d18151\r\nSHA-256: 2c92da2721466bfbdaff7fedd9f3e8334b688a88ee54d7cab491e1a9df41258f\r\nFile type: Win32 EXE\r\nFile size: 246.10 KB (252005 bytes)\r\nIOCs of GHAMBAR:\r\nhxxp[:]//ipinfo[.]io/ip\r\nhxxp[:]//nvidia-update[.]com[:]5050/D6E90421-1C45-41A4-9250-3F18B9633CE\r\n319dc449-ada5-50f7-428e-957db6791668\r\nhxxp[:]//tempuri[.]org/INew/RegisterNewUser\r\nhxxp[:]//tempuri[.]org/ITargetUtils/ImOnline\r\nhxxp[:]//tempuri[.]org/INew/RegisterNewPlugin\r\nhxxp[:]//tempuri[.]org/ITargetUtils/SendKeyLog\r\nhxxp[:]//tempuri[.]org/IBuilder/AreYouAvaliable\r\nhxxp[:]//tempuri[.]org/IMonitoring/GetPluginsInfo\r\nhxxp[:]//tempuri[.]org/IMonitoring/GetTargetsInfo\r\nhxxp[:]//tempuri[.]org/ITargetUtils/RegisterTarget\r\nhxxp[:]//tempuri[.]org/ITargetUtils/SendScreenshot\r\nhxxp[:]//tempuri[.]org/ICcPluginUtils/InstallPlugin\r\nhxxp[:]//tempuri[.]org/IMonitoring/GetTargetKeylogs\r\nhxxp[:]//tempuri[.]org/IMonitoring/TargetPluginsInfo\r\nhxxp[:]//tempuri[.]org/ICcPluginUtils/UninstallPlugin\r\nNote: the tempuri[.]org entries are SOAPAction values of the malware's C2 API, not hosts to block; tempuri.org is the placeholder namespace .NET assigns to web services by default, so hunt for these operation names in HTTP request headers instead. ipinfo[.]io is a public IP-lookup service the sample queries and is not itself malicious.\r\nAppendix 2. 
IOCs of BROKEYOLK\r\nNames:\r\ndiag[.]exe\r\ndi2[.]exe\r\n7a650d3b1e511a05_di2[.]exe\r\nBasic Properties:\r\nMD5: df02a8a7cb2afb80cc2b789d96f02715\r\nSHA-1: 03d7ffd758e98c9a2c8c4716c93f09687000e22e\r\nSHA-256: 7a650d3b1e511a05d0441484c7c7df59a63003ce77cd4eb7081323fd79d2b9a3\r\nFile type: Win32 EXE\r\nFile size: 38.00 KB (38912 bytes)\r\nIOCs of BROKEYOLK:\r\nhxxp[:]//tempuri[.]org/TU\r\nhxxp[:]//tempuri[.]org/AbPidById\r\nhxxp[:]//tempuri[.]org/Set2\r\nhxxp[:]//tempuri[.]org/Set1\r\nhxxp[:]//tempuri[.]org/IdCmOne\r\nhxxp[:]//tempuri[.]org/CmSById\r\nhxxp[:]//tempuri[.]org/HasF\r\nhxxp[:]//tempuri[.]org/IdAbOne\r\nhxxp[:]//tempuri[.]org/NameAbById\r\nhxxp[:]//tempuri[.]org/AbByCount\r\nhxxp[:]//update-microsoft[.]bid/img/WebService[.]asmx\r\nhxxp[:]//update-driversonline[.]bid/img/WebService[.]asmx\r\ndns[.]msftncsi[.]com\r\nmsdl[.]microsoft[.]com -> Request: GET /download/symbols/libcef.dll.pdb/FD4C20AFD16A4088AB999A485492C433b/libcef.dll.pd_ HTTP/1.1\r\nNote: dns.msftncsi.com is Microsoft's network connectivity check and msdl.microsoft.com is its public symbol server; both are legitimate endpoints the sample contacts and should not be blocked on their own. The two [.]bid hosts and the tempuri[.]org SOAPAction values above are the indicators worth alerting on.\r\nAppendix 3. 
IOCs of PINEFLOWER\r\nNames:\r\nUsers.apk\r\n90e5fa3f382c5b15a85484c17c15338a6c8dbc2b0ca4fb73c521892bd853f226.bin\r\nF3d25b1cedf39beee751eb9b2d8d2376.virus\r\nBasic Properties:\r\nMD5: f3d25b1cedf39beee751eb9b2d8d2376\r\nSHA-1: dbb64b0202bb4da6796279b5fa88262a6e31787e\r\nSHA-256: 90e5fa3f382c5b15a85484c17c15338a6c8dbc2b0ca4fb73c521892bd853f226\r\nFile type: Android\r\nFile size: 71.03 KB (72734 bytes)\r\nAndroid Info\r\nAndroid Type: APK\r\nPackage Name: com.google.android.services.control\r\nMain Activity: com.google.android.services.control.Main\r\nInternal Version: 1\r\nDisplayed Version: 1.0\r\nMinimum SDK Version: 10\r\nCertificate Subject:\r\nDistinguished Name: O:GoogleServices\r\nOrganization: GoogleServices\r\nPermissions:\r\nandroid.permission.CHANGE_NETWORK_STATE\r\nandroid.permission.PROCESS_OUTGOING_CALLS\r\nandroid.permission.ACCESS_COARSE_LOCATION\r\nandroid.permission.BLUETOOTH\r\nandroid.permission.INTERNET\r\nandroid.permission.BLUETOOTH_ADMIN\r\nandroid.permission.ACCESS_FINE_LOCATION\r\nandroid.permission.SEND_SMS\r\nandroid.permission.WRITE_SMS\r\nandroid.permission.READ_CALL_LOG\r\ncom.android.browser.permission.READ_HISTORY_BOOKMARKS\r\nandroid.permission.WRITE_EXTERNAL_STORAGE\r\nandroid.permission.RECORD_AUDIO\r\nandroid.permission.CALL_PHONE\r\nandroid.permission.READ_PHONE_STATE\r\nandroid.permission.READ_SMS\r\nandroid.permission.SYSTEM_ALERT_WINDOW\r\nandroid.permission.CAMERA\r\nandroid.permission.WAKE_LOCK\r\nandroid.permission.CHANGE_WIFI_STATE\r\nandroid.permission.RECEIVE_SMS\r\nandroid.permission.READ_CONTACTS\r\nandroid.permission.MODIFY_AUDIO_SETTINGS\r\nandroid.permission.ACCESS_WIFI_STATE\r\nandroid.permission.ACCESS_NETWORK_STATE\r\nandroid.permission.READ_EXTERNAL_STORAGE\r\nandroid.permission.RECEIVE_BOOT_COMPLETED\r\nActivities\r\ncom.google.android.services.control.Main\r\ncom.google.android.services.control.Home\r\nServices\r\ngs.g.CoreService\r\nIntent Filters By Action\r\nandroid.intent.action.MAIN\r\ncom.google.android.services.control.Main\r\ncom.google.android.services.control.Home\r\nandroid.provider.Telephony.SMS_RECEIVED\r\ngs.f.SmsReceiver\r\nandroid.net.conn.CONNECTIVITY_CHANGE\r\ngs.f.NetReceiver\r\nandroid.intent.action.BOOT_COMPLETED\r\ngs.f.BootReceiver\r\nIntent Filters By Category\r\nandroid.intent.category.LAUNCHER\r\ncom.google.android.services.control.Main\r\nandroid.intent.category.HOME\r\ncom.google.android.services.control.Home\r\nIOCs of PINEFLOWER\r\nhxxp[:]//hardship-management.com[:]4373/\r\ncom.google.android.services.control\r\nSource: https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group/"
	],
	"report_names": [
		"dark-web-profile-apt42-iranian-cyber-espionage-group"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d",
			"created_at": "2025-08-07T02:03:24.741594Z",
			"updated_at": "2026-04-10T02:00:03.653394Z",
			"deleted_at": null,
			"main_name": "COBALT HICKMAN",
			"aliases": [
				"APT39 ",
				"Burgundy Sandstorm ",
				"Chafer ",
				"ITG07 ",
				"Remix Kitten "
			],
			"source_name": "Secureworks:COBALT HICKMAN",
			"tools": [
				"MechaFlounder",
				"Mimikatz",
				"Remexi",
				"TREKX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b4a82e8-21f1-4bc7-84cf-e27334998b48",
			"created_at": "2022-10-25T16:07:23.84296Z",
			"updated_at": "2026-04-10T02:00:04.762229Z",
			"deleted_at": null,
			"main_name": "DEV-0270",
			"aliases": [
				"DEV-0270",
				"DireFate",
				"Lord Nemesis",
				"Nemesis Kitten",
				"Yellow Dev 23",
				"Yellow Dev 24"
			],
			"source_name": "ETDA:DEV-0270",
			"tools": [
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"WmiExec"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d2ac189-a99e-4e16-84c0-e06df96e688c",
			"created_at": "2023-11-14T02:00:07.086528Z",
			"updated_at": "2026-04-10T02:00:03.446956Z",
			"deleted_at": null,
			"main_name": "TAG-56",
			"aliases": [],
			"source_name": "MISPGALAXY:TAG-56",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "322a0ef1-136b-400e-89d0-0d62ee2bd319",
			"created_at": "2023-01-06T13:46:38.662109Z",
			"updated_at": "2026-04-10T02:00:03.05924Z",
			"deleted_at": null,
			"main_name": "Madi",
			"aliases": [],
			"source_name": "MISPGALAXY:Madi",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d0e8337e-16a7-48f2-90cf-8fd09a7198d1",
			"created_at": "2023-03-04T02:01:54.091301Z",
			"updated_at": "2026-04-10T02:00:03.356317Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"UNC788",
				"CALANQUE"
			],
			"source_name": "MISPGALAXY:APT42",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ae26d287-8ba7-447e-9391-cf13c02d7481",
			"created_at": "2023-03-04T02:01:54.0962Z",
			"updated_at": "2026-04-10T02:00:03.357189Z",
			"deleted_at": null,
			"main_name": "TA453",
			"aliases": [],
			"source_name": "MISPGALAXY:TA453",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eaef3218-1f8c-4767-b1ff-da7a6662acc0",
			"created_at": "2023-03-04T02:01:54.110909Z",
			"updated_at": "2026-04-10T02:00:03.359871Z",
			"deleted_at": null,
			"main_name": "DEV-0270",
			"aliases": [
				"Nemesis Kitten",
				"Storm-0270"
			],
			"source_name": "MISPGALAXY:DEV-0270",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bee22874-f90e-410b-93f3-a2f9b1c2e695",
			"created_at": "2022-10-25T16:07:23.45097Z",
			"updated_at": "2026-04-10T02:00:04.610108Z",
			"deleted_at": null,
			"main_name": "Chafer",
			"aliases": [
				"APT 39",
				"Burgundy Sandstorm",
				"Cobalt Hickman",
				"G0087",
				"ITG07",
				"Radio Serpens",
				"Remix Kitten",
				"TA454"
			],
			"source_name": "ETDA:Chafer",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Antak",
				"CACHEMONEY",
				"EternalBlue",
				"HTTPTunnel",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MechaFlounder",
				"Metasploit",
				"Mimikatz",
				"NBTscan",
				"NSSM",
				"Non-sucking Service Manager",
				"POWBAT",
				"Plink",
				"PuTTY Link",
				"Rana",
				"Remcom",
				"Remexi",
				"RemoteCommandExecution",
				"SafetyKatz",
				"UltraVNC",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"nbtscan",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1b3a247f-6186-4482-8b92-c3fb2d767c7d",
			"created_at": "2023-01-06T13:46:38.883911Z",
			"updated_at": "2026-04-10T02:00:03.132231Z",
			"deleted_at": null,
			"main_name": "APT39",
			"aliases": [
				"COBALT HICKMAN",
				"G0087",
				"Radio Serpens",
				"TA454",
				"ITG07",
				"Burgundy Sandstorm",
				"REMIX KITTEN"
			],
			"source_name": "MISPGALAXY:APT39",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0b212c43-009a-4205-a1f7-545c5e4cfdf8",
			"created_at": "2025-04-23T02:00:55.275208Z",
			"updated_at": "2026-04-10T02:00:05.270553Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"APT42"
			],
			"source_name": "MITRE:APT42",
			"tools": [
				"NICECURL",
				"TAMECAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b07fec96-80cd-4d92-aa52-a26a0b25b7c2",
			"created_at": "2022-10-25T16:07:23.826594Z",
			"updated_at": "2026-04-10T02:00:04.760416Z",
			"deleted_at": null,
			"main_name": "Madi",
			"aliases": [
				"Mahdi"
			],
			"source_name": "ETDA:Madi",
			"tools": [
				"Madi"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6b6155e4-94ec-4909-b908-550afe758ad6",
			"created_at": "2022-10-25T15:50:23.365074Z",
			"updated_at": "2026-04-10T02:00:05.2978Z",
			"deleted_at": null,
			"main_name": "APT39",
			"aliases": [
				"APT39",
				"ITG07",
				"Remix Kitten"
			],
			"source_name": "MITRE:APT39",
			"tools": [
				"NBTscan",
				"MechaFlounder",
				"Remexi",
				"CrackMapExec",
				"pwdump",
				"Mimikatz",
				"Windows Credential Editor",
				"Cadelspy",
				"PsExec",
				"ASPXSpy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434812,
	"ts_updated_at": 1775826721,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6c10f1a3c3f3d335e88ac2e4def3e9938a23fed9.pdf",
		"text": "https://archive.orkl.eu/6c10f1a3c3f3d335e88ac2e4def3e9938a23fed9.txt",
		"img": "https://archive.orkl.eu/6c10f1a3c3f3d335e88ac2e4def3e9938a23fed9.jpg"
	}
}