{
	"id": "a451113e-e9ae-4e5e-be90-e485db1cca5b",
	"created_at": "2026-04-06T00:07:27.614269Z",
	"updated_at": "2026-04-10T13:11:54.922826Z",
	"deleted_at": null,
	"sha1_hash": "6dc8f8f9eac993621fa478ed5d9c7c20ad4463bc",
	"title": "HawkEye Malware: Technical Analysis - ANY.RUN's Cybersecurity Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 466959,
	"plain_text": "HawkEye Malware: Technical Analysis - ANY.RUN's\r\nCybersecurity Blog\r\nBy Aaron Jornet Sales (RexorVc0)\r\nArchived: 2026-04-05 13:27:07 UTC\r\nEditor’s note: This article is authored by the threat researcher Aaron Jornet Sales, also known as\r\nRexorVc0. You can find him on X and LinkedIn. \r\nHawkEye, also known as PredatorPain (Predator Pain), is malware categorized as a keylogger, but over the\r\nyears, it has adopted new functionalities that align it with the capabilities of other tools like stealers.\r\nHistory of HawkEye\r\nHawkEye emerged before 2010, with records of its use and sale dating back to 2008, making it quite long-lived.\r\nAfter several spearphishing campaigns in which this well-known malware was attached, it gained significant\r\npopularity starting in 2013.\r\nThis keylogger has been available on various dark web sites, even having dedicated websites where the tool was\r\nsold. However, this keylogger has been cracked for years and used by different actors without going through the\r\nsubscription method imposed by its creators, whose price ranged between $20 and $50. This has contributed to its\r\ncontinued notoriety, and it has been used not only by criminal actors but also by script kiddies due to its ease of\r\nuse.\r\nAlthough it is not one of the most widely used malware families, it remains in active use and saw a significant resurgence\r\nduring the COVID period. During this time, certain actors took advantage of the general hysteria to obtain\r\ncompany data through phishing campaigns.\r\nAdditionally, HawkEye has been used in conjunction with other loaders and/or malware that invoked this\r\nkeylogger. 
Over its long trajectory, various actors and malware have been involved in attacks on companies, some\r\nof which include Galleon Gold, Mikroceen, the iSPY crypter related to Gold Skyline, Remcos used on campaigns\r\nwith HawkEye, Pony used on campaigns with HawkEye, etc.\r\nThe method of HawkEye’s delivery has varied throughout its history, as have the types of sources behind the\r\nattacks. Nevertheless, it has been primarily involved in spearphishing campaigns, where attackers devised\r\nconvincing scenarios to trick victims into downloading the malicious file, which could be a document, compressed\r\nfile, or another malware acting as a loader for the keylogger.\r\nIt has also been used to target websites of portals typically accessed by companies, which were the main targets of\r\nthe attacking groups. Another common method of spreading HawkEye was through “free” software, which turned\r\nout to be malware in disguise.\r\nhttps://any.run/cybersecurity-blog/hawkeye-malware-technical-analysis/\r\nPage 1 of 31\n\nHawkEye’s delivery methods are quite diverse compared to other malware. However, its execution and behavior\r\nhave remained relatively consistent over the years. A behavior graph of what has been observed in recent months\r\nwould look as follows:\r\nHawkEye graph\r\nDuring the analysis process, I typically spend weeks, even months, collecting samples to understand how they\r\nfunction as a whole based on the existing variants. Therefore, we may observe variations among those presented.\r\nIn most executions, we encounter enormous trees of processes based on their activities.\r\nTo simplify, as you’ve seen in the previous graph, it’s not as complex compared to other stealers or RATs. 
It\r\ngenerally consists of an executable that drops others in temporary paths, then injects code into one of them or into\r\n.NET-related software. Later, in memory, it gathers all possible data and sends it to a C\u0026C.\r\nProcDOT detonation chart\r\nGoing straight to the point, in an initial execution of one of the samples I analyzed, we see a rather extensive\r\nprocess—a succession of execution copies launched in temporary paths.\r\nProcess Tree execution (Image 1)\r\nProcess Tree execution (Image 2)\r\nIn this instance, they used the Roaming\\Templates path, but this is highly variable depending on who created it.\r\nGenerally speaking, they tend to abuse paths like AppData\\Roaming and AppData\\Temp, which are classic\r\nchoices.\r\nPaths commonly abused (Image 1)\r\nPaths commonly abused (Image 2)\r\nPaths commonly abused (Image 3)\r\nHere’s the list of paths observed for dropping files:\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\System\\\r\nC:\\Users\\\u003cuser\u003e\\Music\\\r\nAll of these files that are launched, and which we’ve observed executing in the previous step, are copies of\r\nthemselves. 
The filenames are also highly variable, as you might expect, but they often try to have an icon that\r\nmakes the victim think it’s a legitimate program, or the malware description might be altered to make it seem like\r\nlegitimate software.\r\nUltimately, after comparing the dropped files, we can see they are simple copies of the original, with the\r\nparticularity that some versions launch them in hidden mode, so you can’t see them unless you’ve enabled the\r\n“View hidden files” function in Windows.\r\nHidden files duplication graph\r\nDuring these file droppings, we can encounter both replicas of the original file in different paths, as well as\r\nsupport files whose functionality is typically to establish persistence (or check if it’s already done, and if not, do\r\nit) and to perform injector functions, which is a characteristic of this malware. In this case, the smaller binary is\r\nresponsible for these actions.\r\nInjector written in temporary folder\r\nI check to see if there is any shared information between the two binaries and notice that certain parts of the code\r\nmatch the original. This will become relevant later, as right now we’re seeing them separately, but everything will\r\nmake sense afterward.\r\nComparison of the injector and the Hawkeye bin\r\nAfter this step, we can see how persistence is established. PredatorPain isn’t just a malware that establishes\r\npersistence once—it’s been observed to check and establish persistence up to three different times, depending on\r\nthe phases (Loader \u003e Injector \u003e Payload).\r\nThis makes it clear that the malware is determined to persist on the system, one way or another. 
At this stage, to\r\navoid revealing persistence mechanisms through strings, it obfuscates a string and then decodes it to introduce, in\r\nthis case, one of the binaries launched earlier. This practice isn’t as common and adds a level of sophistication not\r\nfound in other samples.\r\nHawkeye persistence in the registry\r\nNot only does it create persistence in the registry, but we also find samples that establish persistence in tasks using\r\ncommands like the following:\r\nschtasks.exe /Create /TN \"\u003cPath\u003e\\\u003cTaskName\u003e\" /XML \"\u003cFile\u003e\"\r\nAfter observing its behavior in the early stages, we delve deeper into the entire execution thread throughout the\r\nanalysis phase with debugging. I’ve followed several samples, and they’re mostly similar—samples in .NET,\r\nsometimes obfuscated with tools like Confuser, Eaz, Reactor, or similar, which are relatively easy to deobfuscate.\r\nHawkeye code obfuscated\r\nIn most samples, I noticed heavy interaction with resources, which will become crucial shortly since I observed a\r\nsignificant amount of data in these resources across most of the samples I found.\r\nResources data content (Image 1)\r\nResources data content (Image 2)\r\nIn the malware’s initial phases, it looks for the running process (which will be the previously prepared copy),\r\nwhere it will check the PID to access the resources. Within these resources, we see two distinct types of code: the\r\ninitial part, which acts as a key, and the data chunk, which is what will be deobfuscated. 
To achieve this, it uses\r\nXOR + Poly, and at the end of the process, it extracts a Portable Executable.\r\nGraph of binary load from resources\r\nIt can do this in various ways depending on the sample, but we see the same extraction of a binary from a resource\r\nas we do from obfuscated code in memory, like the example shown below.\r\nGraph of PE extraction from memory\r\nThe result of this phase is two extracted files—one will be the injector, and the other will be the Keylogger.\r\nExtracted Injector\r\nExtracted Keylogger\r\nI compared both files, and they’re entirely different, in size, in structure—the only common factor is that both are\r\n.NET binaries.\r\nBinary comparison\r\nTo highlight the difference between the injector dropped on disk (Right) and the one extracted from memory\r\n(Left), we can compare the extended content. We can observe how the memory-extracted injector includes imports\r\nrelated to injection that the disk version doesn’t (such as ZwUnmapViewOfSection, VirtualAllocEx,\r\nWriteProcessMemory, etc.).\r\nExtracted and dropped injector comparison\r\nExtracted and dropped injector comparison\r\nHere we can observe various functionalities while extracting the binaries, such as self-deletion. 
This is done to\r\nmaintain evasion and avoid revealing its location, as it drops replicas of the original binary in various locations, as\r\nwe saw earlier.\r\nSelf-deletion and self-copy of the original binary (Image 1)\r\nSelf-deletion and self-copy of the original binary (Image 2)\r\nSelf-deletion and self-copy of the original binary (Image 3)\r\nSelf-deletion and self-copy of the original binary (Image 4)\r\nOne of the dropped files, the smaller one, acts as the injector. When extracted from memory, it has more\r\nfunctionalities than the one seen on disk. This is because the injection tasks are carried out during runtime, but the\r\nwritten file is actually a portion of this, triggering the main binary located in the temporary path.\r\nIt checks persistence and restarts the entire process, including injection. Therefore, it’s a part of the file without\r\nrevealing all of its functionalities. I’ll show you how it performs injection using Process Hollowing.\r\nGraph of the process injection\r\nIn essence, the injector doesn’t have much more functionality. It includes a phase where it checks running\r\nprocesses, which is an interesting technique to detect analysis tools or to determine if the process is already\r\nrunning. If not, it launches the process, adds it to the registry (as seen earlier), and restarts the execution.\r\nProcess collection routine (Image 1)\r\nProcess collection routine (Image 2)\r\nProcess collection routine (Image 3)\r\nLastly, we only have the second extraction left to observe, which is HawkEye itself. 
I’ve encountered many\r\nversions of it, as the modules included will vary significantly based on what the creator configures in the builder\r\nof the Keylogger itself.\r\nWe’ll talk more about this later, but you can see all the functionalities that can be added during its creation, which\r\nwill impact the modules incorporated into it.\r\nComparison between crack and extracted keylogger features (Image 1)\r\nComparison between crack and extracted keylogger features (Image 2)\r\nAt this point, I conducted tests with several builders to verify this theory, as I had extracted multiple samples to\r\nthe final phase, and almost none of them resembled each other too much. I tested by removing or adding options,\r\nand even with the same sample, there were significant differences, so you can imagine how different it can be if\r\nit’s not exactly the same version of the keylogger and different elements were selected during its creation.\r\nComparison between crack and extracted keylogger\r\nAt this stage, we just need to examine the payload’s functionalities. 
Upon first glance, we can see strings that\r\nreveal its nature—this sample didn’t expect anyone to reach this point, as it has three well-defined phases that\r\nconceal its tracks, but here we can see many indicators of what it is.\r\nOverview of the extracted HawkEye (Image 1)\r\nOverview of the extracted HawkEye (Image 2)\r\nDuring the execution of this specific module, we can observe it invoking vbc.exe as it injects the payload into this\r\nprocess, using the same techniques we’ve previously seen.\r\nExecution of HawkEye’s final stage (Image 1)\r\nExecution of HawkEye’s final stage (Image 2)\r\nExecution of HawkEye’s final stage (Image 3)\r\nRegarding the modules it brings, I compared three different samples, and they are quite similar in terms of what\r\nthey can do. The general functionalities that typically match include:\r\nKeylogging (Monitoring and stealing keyboard and clipboard data)\r\nSystem information gathering (OS, HW, Network)\r\nCredential theft (Mail, FTP, browsers, video games, etc.)\r\nWallet theft\r\nScreenshot capture\r\nSecurity software detection\r\nAnalysis tools detection (Dbg, traffic, etc.)\r\nPersistence (usually via registry keys or Tasks)\r\nInformation exfiltration through various methods (FTP, HTTP, SMTP, etc.)\r\nGraph of payload module diffing\r\nCalling HawkEye a keylogger is really an oversimplification, as it performs more functions than many stealers\r\nI’ve seen. Once injected into vbc.exe or other processes, it carries out various actions mentioned above.\r\nGraph of HawkEye functionality\r\nOutro\r\nAs we discussed earlier, different groups have used this keylogger, as well as independent criminals or even script\r\nkiddies. 
In my research, I found different places where this keylogger was sold—there were up to 4-5 different\r\nsites, as it changed developers and domains over time, which is quite common.\r\nHawkEye webpage\r\nIt has also been distributed through cracks, where it was sold or offered on forums to members, avoiding the usual\r\nmembership fees or markets, offering it for very low payments compared to the standard price, which, as we\r\nmentioned earlier, ranged from $20 to $50.\r\nHawkEye product sales\r\nIt’s always important with these kinds of tools to locate the original software in different versions to understand\r\nhow it works from both the victim’s and the attacker’s perspectives, so we can get a complete view of the malware.\r\nHere, we can see that the builder provides a multitude of configuration options, allowing us to choose where to\r\nsend the stolen information (email, FTP, etc.), what we want to collect (browser info, FTP credentials, mail, etc.),\r\nwhether to check for certain tools, establish persistence, delete data, download from a domain (this could function\r\nas a downloader for other malware), change the payload data to make it appear like legitimate software (e.g.,\r\nchanging the icon, description, etc.). As you can see, it’s incredibly comprehensive. After compiling, we’ll have\r\nour complete Keylogger, Stealer, or Downloader (call it what you will, as it does everything) ready to use.\r\nGraph of HawkEye builder\r\nI don’t want to repeat myself too much, but when comparing the versions we’ve seen and extracted with the ones\r\nwe created ourselves, they function exactly the same—same injections, persistence, data theft (or whatever was\r\nchosen in the builder). 
Therefore, in telemetry, we won’t find any surprises, as you can see below.\r\nGraph of HawkEye built execution\r\nAfter analyzing all of this, I hope you are as impressed as I am by the sheer versatility and longevity HawkEye has\r\ndisplayed over the decades. It’s truly a tremendously powerful and easy-to-use tool that, unfortunately, we will\r\ncontinue to see in security incidents from actors of all types.\r\nFinally, I would like to thank you for reading this analysis and for supporting me.\r\nDetection Opportunities\r\n[TA0005][T1036] Duplication of original files in temporary paths\r\n(WriteFile) C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\*.exe\r\n(WriteFile) C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\*.exe\r\n(WriteFile) C:\\Users\\\u003cuser\u003e\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\*.exe\r\n(WriteFile) C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\System\\*.exe\r\n(WriteFile) C:\\Users\\\u003cuser\u003e\\Music\\*.exe\r\n[TA0003][T1053] Scheduled Task persistence\r\nschtasks.exe /Create /TN “\u003cPath\u003e\\\u003cTaskName\u003e” /XML 
“\u003cTempPath\u003e\\\u003cFile\u003e”\r\n[TA0003][T1547.001] Registry Run Keys persistence\r\n(Registry) HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run \r\n(ValueData) \u003cPath Used on [TA0005][T1036] Duplication of original files in temporary paths\u003e\r\n[TA0005][T1055.012] Process injection on vbc or itself\r\nFrom file in temporary folder \u003e injection \u003e vbc.exe \r\nFrom file in temporary folder \u003e injection \u003e Other unidentified file in same temporary path\r\n[TA0009][T1074.001] Save stolen info on txt files\r\n\\vbc.exe /stext “*\\AppData\\Local\\Temp\\holdermail.txt”\r\n[TA0009][T1113] Saving screenshots of the victim’s screen\r\n(WriteFile / Regex NameFile) screenshot\\d{1}.jpeg\r\n[TA0006][T1555] Queries to browser paths or third-party software to obtain user account\r\ninformation\r\n(Registry/Path query) Web Data | login data | Accounts | Profiles  | \\Cookies\\index.dat | profiles.ini |\r\n*.oeaccount\r\nTTPs\r\n[TA0001][T1566.001] SpearPhishing\r\n[TA0002][T1204] User Execution\r\n[TA0003][T1053] Scheduled Task/Job\r\n[TA0003][T1547.001] Registry Run Keys / Startup Folder\r\n[TA0005][T1112] Modify Registry\r\n[TA0005][T1564.001] Hidden Files and Directories\r\n[TA0005][T1055] Process Injection\r\n[TA0005][T1562] Impair Defenses\r\n[TA0005][T1027] Obfuscated Files or Information\r\n[TA0005][T1140] Deobfuscate/Decode Files or Information\r\n[TA0005][T1036] Masquerading\r\n[TA0005][T1497] Virtualization/Sandbox Evasion\r\n[TA0006][T1552] Unsecured Credentials\r\n[TA0006][T1555] Credentials from Password Stores\r\n[TA0007][T1087] Account Discovery\r\n[TA0007][T1518.001] Security Software Discovery\r\n[TA0007][T1033] System Owner/User Discovery\r\n[TA0007][T1012] Query Registry\r\n[TA0007][T1016] System Network Configuration Discovery\r\n[TA0007][T1518] Software Discovery\r\n[TA0007][T1082] System Information 
Discovery\r\n[TA0009][T1074.001] Local Data Staging\r\n[TA0009][T1005] Data from Local System\r\n[TA0009][T1560] Archive Collected Data\r\n[TA0009][T1114] Email Collection\r\n[TA0009][T1115] Clipboard Data\r\n[TA0009][T1113] Screen Capture\r\n[TA0011][T1105] Ingress Tool Transfer\r\n[TA0011][T1071] Application Layer Protocol\r\n[TA0011][T1571] Non-Standard Port\r\n[TA0042][T1583.008] Malvertising\r\nIOCs\r\n60fabd1a2509b59831876d5e2aa71a6b\r\ndefc51f31f6c4fa89cc6a39a62d8a08f\r\ndea59d578e0e64728780fb67dde7d96d\r\n040058f70ffdee6398f7b64ae1ea46d3\r\ne651dca5c850451cdba7f25cbb4134e7\r\nde823ba5d67de8682e6d7b8b472dbbcb\r\n25a2d98dfcf6a12ea6459882c56aa2e0\r\n179b219afa2ac15b14affd399273148b\r\n38a3cb547a0a19a61534792f572f08b0\r\naddcd85e0126e63e46da09eb8ea97120\r\n0a2f6501a36c1b13532139e3c1843109\r\n06916c9505da82f63a73768c6f336192\r\nab264deb2563dc4df8b281b18e0861ba\r\n66[.]147[.]236[.]46\r\n204[.]141[.]42[.]56\r\n129[.]204[.]194[.]84\r\nRexorVc0\r\nAaron Jornet Sales (RexorVc0)\r\nI am a threat researcher who spends his working time analysing TTPs and malware of criminal groups and APTs,\r\nand in my spare time, I usually focus on the same kind of stuff.\r\nAaron's website\r\nSource: https://any.run/cybersecurity-blog/hawkeye-malware-technical-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://any.run/cybersecurity-blog/hawkeye-malware-technical-analysis/"
	],
	"report_names": [
		"hawkeye-malware-technical-analysis"
	],
	"threat_actors": [
		{
			"id": "87a8c9a6-4e83-4659-84ee-ce4a72c97bbd",
			"created_at": "2023-01-06T13:46:39.272146Z",
			"updated_at": "2026-04-10T02:00:03.269164Z",
			"deleted_at": null,
			"main_name": "GOLD SKYLINE",
			"aliases": [],
			"source_name": "MISPGALAXY:GOLD SKYLINE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b457843-f00b-486b-8c25-64532b30630e",
			"created_at": "2022-10-25T16:47:55.827158Z",
			"updated_at": "2026-04-10T02:00:03.699367Z",
			"deleted_at": null,
			"main_name": "GOLD SKYLINE",
			"aliases": [
				"Wire-Wire Group 1 "
			],
			"source_name": "Secureworks:GOLD SKYLINE",
			"tools": [
				"iSpySoftware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c7097f4-849b-4bc0-a7e6-ba2b510722b6",
			"created_at": "2022-10-25T16:07:23.869951Z",
			"updated_at": "2026-04-10T02:00:04.766204Z",
			"deleted_at": null,
			"main_name": "Mikroceen",
			"aliases": [
				"SixLittleMonkeys"
			],
			"source_name": "ETDA:Mikroceen",
			"tools": [
				"AngryRebel",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Microcin",
				"Mikroceen",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"PCRat",
				"logon.dll",
				"logsupport.dll",
				"pcaudit.bat",
				"sqllauncher.dll"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434047,
	"ts_updated_at": 1775826714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6dc8f8f9eac993621fa478ed5d9c7c20ad4463bc.pdf",
		"text": "https://archive.orkl.eu/6dc8f8f9eac993621fa478ed5d9c7c20ad4463bc.txt",
		"img": "https://archive.orkl.eu/6dc8f8f9eac993621fa478ed5d9c7c20ad4463bc.jpg"
	}
}