{
	"id": "5f941f78-4e18-4ee0-8201-5cfd6742416b",
	"created_at": "2026-04-06T01:31:58.148028Z",
	"updated_at": "2026-04-10T03:31:13.502433Z",
	"deleted_at": null,
	"sha1_hash": "6e41e230a5c19a64885c00cf8fc6e30811f247fd",
	"title": "Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2420093,
	"plain_text": "Old dog, new tricks - Analysing new RTF-based campaign\r\ndistributing Agent Tesla, Loki with PyREbox\r\nBy Holger Unterbrink\r\nPublished: 2018-10-15 · Archived: 2026-04-06 00:41:08 UTC\r\nMonday, October 15, 2018 12:00\r\nThis blog post was authored by Edmund Brumaghin and Holger Unterbrink with contributions from Emmanuel\r\nTacheau.\r\nExecutive Summary\r\nCisco Talos has discovered a new malware campaign that drops the sophisticated information-stealing trojan\r\ncalled \"Agent Tesla,\" and other malware such as the Loki information stealer. Initially, Talos' telemetry systems\r\ndetected a highly suspicious document that wasn't picked up by common antivirus solutions. However, Threat\r\nGrid, Cisco's unified malware analysis and threat intelligence platform, identified the unknown file as malware.\r\nThe adversaries behind this malware use a well-known exploit chain, but modified it in such a way that\r\nantivirus solutions don't detect it. In this post, we will outline the steps the adversaries took to remain undetected,\r\nand why it's important to use more sophisticated software to track these kinds of attacks. If undetected, Agent\r\nTesla has the ability to steal users' login information from a number of important pieces of software, such as\r\nGoogle Chrome, Mozilla Firefox, Microsoft Outlook and many others. It can also be used to capture screenshots,\r\nrecord webcams, and allow attackers to install additional malware on infected systems.\r\nTechnical Details\r\nIn most cases, the first stage of the attack occurred in a similar way to the FormBook malware campaign, which\r\nwe discussed earlier this year in a blog post. The actors behind the previous FormBook campaign used\r\nCVE-2017-0199 — a remote code execution vulnerability in multiple versions of Microsoft Office — to download and open\r\nan RTF document from inside a malicious DOCX file. 
We have also observed newer campaigns being used to\r\ndistribute Agent Tesla and Loki that are leveraging CVE-2017-11882. An example of one of the malware\r\ndistribution URLs is in the screenshot below. Besides Agent Tesla and Loki, this infrastructure is also distributing\r\nmany other malware families, such as Gamarue, which has the ability to completely take over a user's machine\r\nand has the same capabilities as a typical information stealer.\r\nhttps://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html\r\nPage 1 of 20\n\nThe aforementioned FormBook blog contains more information about this stage. Many users have the assumption\r\nthat modern Microsoft Word documents are less dangerous than RTF or DOC files. While this is partially true,\r\nattackers can still find ways to exploit various vulnerabilities with these newer file formats.\r\nFigure 1 - First stage exploit\r\nIn the case of Agent Tesla, the downloaded file was an RTF file with the SHA256 hash\r\ncf193637626e85b34a7ccaed9e4459b75605af46cedc95325583b879990e0e61. At the time the file was analyzed, it\r\nhad almost no detections on the multi-engine antivirus scanning website VirusTotal. Only two out of 58 antivirus\r\nprograms found anything suspicious. The programs that flagged this sample were only warning about a wrongly\r\nformatted RTF file. 
AhnLab-V3 marked it for \"RTF/Malform-A.Gen,\" while Zoner said it was likely flagged for\r\n\"RTFBadVersion.\"\r\nHowever, Cisco's Threat Grid painted a different picture, and identified the file as malware.\r\nFigure 2 - ThreatGrid Behavior Indicators (BI)\r\nFigure 2 above shows just a subset of the triggered behaviour indicators (BI), and the part of the process tree\r\nbelow shows the highly suspicious execution chain.\r\nFigure 3 - ThreatGrid process tree\r\nIn figure 3, we can see that Winword.exe starts, and a bit later, a svchost process executes the Microsoft Equation\r\nEditor (EQNEDT32.exe), which starts a process called \"scvhost.exe\". Equation Editor is a tool that Microsoft\r\nOffice uses as a helper application to embed mathematical equations into documents. Word, for example, uses\r\nOLE/COM functions to start the Equation Editor, which matches what we see in figure 3. It's pretty uncommon\r\nfor the Equation Editor application to start other executables, like the executable shown in figure 3. Not to\r\nmention that an executable whose name so closely resembles that of the system file \"svchost.exe\" is suspicious on its own.\r\nA user could easily miss the fact that the file name is barely changed.\r\nThe Threat Grid process timeline below confirms that this file is behaving like typical malware.\r\nFigure 4 - ThreatGrid process timeline\r\nYou can see in figure 4 at points 1 and 2 that the Equation Editor downloaded a file called \"xyz[1].123\" and then\r\ncreated the scvhost.exe process, which created another instance [scvhost.exe(26)] of itself a bit later (blue\r\nrectangle). Typical command and control (C2) traffic follows at point 4. At this point, we were sure that this is\r\nmalware. 
The question was — why isn't it detected by any antivirus systems? And how does it manage to fly\r\nunder the radar?\r\nThe malicious RTF file\r\nThe RTF standard is a proprietary document file format developed by Microsoft for cross-platform document\r\ninterchange. A simplified, standard RTF file looks like what you can see in figure 4. It is built out of text and\r\ncontrol words (strings). The upper portion is the source code and the lower shows how this file is displayed in\r\nMicrosoft Word.\r\nFigure 5 - Simple RTF document\r\nRTF files do not support any macro language, but they do support Microsoft Object Linking and Embedding\r\n(OLE) objects and Macintosh Edition Manager subscriber objects via the '\\object' control word. The user can link\r\nor embed an object from the same or a different format into the RTF document. For example, the user can embed a\r\nmathematical equation formula, created by the Microsoft Equation Editor, into the RTF document. Simplified, it\r\nwould be stored in the object's data as a hexadecimal data stream. If the user opens this RTF file with Word, it\r\nhands over the object data to the Equation Editor application via OLE functions and gets the data back in a format\r\nthat Word can display. In other words, the equation is displayed as being embedded in the document, even though Word\r\ncould not handle it without the external application. This is pretty much what the file \"3027748749.rtf\" is doing.\r\nThe only difference is that it adds a lot of obfuscation, as you can see in figure 6. The big disadvantage of the\r\nRTF standard is that it comes with a great many control words, and common RTF parsers are supposed to ignore\r\nany they don't recognize. 
Therefore, adversaries have plenty of options to obfuscate the content of the RTF files.\r\nFigure 6 - 3027748749.rtf\r\nWe were able to use the rtfdump/rtfobj tools to verify the structure and extract the actual object data payload,\r\ndespite the fact that the RTF file was heavily obfuscated. Figure 8 shows that the file tries to start the Microsoft\r\nEquation Editor (class name: EQuATioN.3).\r\nFigure 7 - rtfdump\r\nFigure 8 - rtfobj\r\nIn figure 6, you can also see that the adversaries are using the \\objupdate trick. This forces the embedded object to\r\nupdate before it's displayed. In other words, the user does not have to click on the object before it's loaded, as\r\nwould be the case for \"normal\" objects. Because the object is force-opened, the exploit starts right away.\r\nLet's have a look at the objdata content from above, converted to a hexadecimal binary stream. More header\r\ndetails can be found here.\r\nFigure 9 - Headers\r\nWe can find a similar MTEF Header to the one described in the FormBook post, but to avoid detection, the\r\nadversaries have changed the header's values. The only difference is that the actors have filled the header fields\r\nwith random values, except for the MTEF version field. The MTEF version field needs to be 2 or 3 to make the\r\nexploit work.\r\nFigure 10 - MTEF V2 header\r\nAfter the MTEF header, we have an unknown MTEF byte stream tag of two bytes (F1 01) followed by a Font\r\nTag (08 E0 7B … ). The bytes following the Font Tag (B9 C3 …) do not look like a normal font name, so this is a\r\ngood indicator that we are looking at an exploit. 
The bytes do look very different from what we have seen in our\r\nresearch mentioned previously, but let's decode them.\r\nFigure 11 - Shellcode - new campaign.\r\nThis looks pretty similar to what we have seen before. In figure 12, you can see the decoded shellcode from our\r\nprevious research.\r\nFigure 12 - Shellcode - former campaign.\r\nThe adversaries have just changed registers and some other minor parts. At this point, we are already pretty sure\r\nthat this is CVE-2017-11882, but let's prove this.\r\nPyREBox rock 'n' roll\r\nIn order to verify that the malicious RTF file is exploiting CVE-2017-11882, we used PyREBox, a dynamic\r\nanalysis engine developed by Talos. This tool allows us to instrument the execution of a complete system and\r\nmonitor different events, such as instruction execution, memory reads and writes, and operating system events, and also\r\nprovides interactive analysis capabilities that allow us to inspect the state of the emulated system at any time. For\r\nadditional information about the tool, please refer to the blog posts about its release and the malware monitoring\r\nscripts presented at the Hack in the Box 2018 conference.\r\nFor this analysis, we leveraged the shadow stack plugin, which was released together with other exploit analysis\r\nscripts (shellcode detection and stack pivoting detection) at EuskalHack Security Congress III earlier this year\r\n(slides available). 
This script monitors all the CALL and RET instructions executed under the context of a given\r\nprocess (in this case, the equation editor process), and maintains a shadow stack that keeps track of all the valid\r\nreturn addresses (those that follow every executed CALL instruction).\r\nThe only thing we need to do is configure the plugin to monitor the equation editor process (the plugin will wait\r\nfor it to be created), and open the RTF document inside the emulated guest. PyREBox will stop the execution of\r\nthe system whenever a RET instruction jumps to an address that is not preceded by a CALL instruction. This\r\napproach allows us to detect the exploitation of stack overflow bugs that overwrite the return address stored on the\r\nstack. Once the execution is stopped, PyREBox spawns an interactive IPython shell that allows us to inspect the\r\nsystem and debug and/or trace the execution of the equation editor process.\r\nFigure 13 - PyREBox stops the execution the moment it detects the first return to an invalid address:\r\n0x44fd22.\r\nPyREBox will stop the execution on the return address at 0x00411874, which belongs to the vulnerable function\r\nreported in CVE-2017-11882. In this case, the malware authors decided to leverage this vulnerability to overwrite\r\nthe return address with an address contained in Equation Editor's main executable module: 0x0044fd22. If we\r\nexamine this address (see Figure 13), we see that it points to another RET instruction that will pop another address\r\nfrom the stack and jump into it. The shadow stack plugin detects this situation again, and stops the execution on\r\nthe next step of the exploit.\r\nFigure 14 — First stage of the shellcode.\r\nFigure 14 shows the first stage of the shellcode, which is executed right after the second RET. 
This shellcode will\r\ncall the GlobalLock function (0x18f36e) and afterward will jump into a second buffer containing the second stage\r\nof the shellcode.\r\nFigure 15 - Start of the second stage of the shellcode.\r\nThe second stage of the shellcode consists of a sequence of jmp/call instructions followed by a decryption loop.\r\nFigure 16 - Decryption loop of the second stage of the shellcode.\r\nThis decryption loop will unpack the final payload of the shellcode, and finally jump into this decoded buffer.\r\nPyREBox allows us to dump the memory buffer containing the shellcode at any point during the execution. There\r\nare several ways to achieve this, but one possible way is to use the Volatility framework (which is available\r\nthrough the PyREBox shell) to list the VAD regions in the process and dump the buffer containing the interesting\r\ncode. This buffer can then be imported into IDA Pro for a deeper analysis.\r\nFigure 17 — Decrypted buffer of the second stage (final stage of the shellcode).\r\nThis final stage of the shellcode is quite straightforward. It leverages standard techniques to find the kernel32.dll\r\nmodule in the linked list of loaded modules available in the PEB, and afterward will parse its export table to\r\nlocate the LoadLibrary and GetProcAddress functions. By using these functions, the shellcode resolves several API\r\nfunctions (ExpandEnvironmentStrings, URLDownloadToFileA, and ShellExecute) to download and execute the\r\nxyz.123 binary from the URL, which we have already seen in the Threat Grid analysis. 
The shellcode starts this\r\nexecutable with the name \"scvhost.exe,\" which we have also seen before in the Threat Grid report.\r\nWe have also seen several other campaigns using the exact same infection chain, but delivering Loki as the final\r\npayload. We list these in the IOC section.\r\nPayload details\r\nLet's look into the final payload file \"xyz.123\"\r\n(a8ac66acd22d1e194a05c09a3dc3d98a78ebcc2914312cdd647bc209498564d8) or \"scvhost.exe\" if you prefer the\r\nprocess name from above.\r\n$ file xyz123.exe\r\nxyz123.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows\r\nLoading the file into dnSpy — a .NET assembly editor, decompiler and debugger — confirms that it's a .NET\r\nexecutable that's heavily obfuscated.\r\nFigure 18 - xyz123.exe.\r\nThe execution starts at the class constructor (cctor) executing the\r\n\u003cModule\u003e.ҭъЩӂӬҀУ\\u0486\\u0489їҒреӱҤЫѝйҹП() method. It loads a large array into memory and decodes it.\r\nThe rest of the cctor reconstructs an xs.dll and other code from the array and proceeds at the entry point with\r\nadditional routines. At the end, it jumps into the xs.dll by calling the P.M() method.\r\nFigure 19 - P.M() method.\r\nThis one is interesting because it presents a well-known artifact showing that the assembly was obfuscated\r\nwith the Agile.Net obfuscator.\r\nFigure 20 - Agile.Net obfuscator artifact.\r\nSince there is no custom obfuscation, we can just execute the file, wait a while, and dump it via Megadumper, a\r\ntool that dumps .NET executables directly from memory. 
This already looks much better.\r\nFigure 21 - Deobfuscated code step one.\r\nUnfortunately, the obfuscator has encrypted all strings with the H.G() method and we cannot see the content of\r\nthose strings.\r\nFigure 22 - H.G() method\r\nLuckily, the de4dot .NET deobfuscator tool kills this with one command. We just need to tell it which method in\r\nthe sample is used to decrypt the strings at runtime. This is done by handing over the token of the\r\ncorresponding method, in this case, 0x06000001. De4dot has an issue with auto-detecting the Agile.NET\r\nobfuscator, so we have to hand over this function via the '-p' option.\r\nFigure 23 - de4dot .NET deobfuscator.\r\nEven if it looks like the operation failed, it has successfully replaced all obfuscated strings and recovered them, as\r\nwe can see below.\r\nFigure 24 - Decoded strings.\r\nExamining the source code shows us that the adversaries are using an information stealer/RAT sold by a company\r\nselling grayware products: Agent Tesla. Agent Tesla contains a number of questionable functions, such as\r\npassword stealing, screen capturing and the ability to download additional malware. However, the sellers of this\r\nproduct say that it is used for password recovery and child monitoring.\r\nFigure 25 - Sample of password stealing methods.\r\nThe malware comes with password-stealing routines for more than 25 common applications and other rootkit\r\nfunctions such as keylogging, clipboard stealing, screenshots and webcam access. 
Passwords are stolen from the\r\nfollowing applications, among others:\r\nChrome\r\nFirefox\r\nInternet Explorer\r\nYandex\r\nOpera\r\nOutlook\r\nThunderbird\r\nIncrediMail\r\nEudora\r\nFileZilla\r\nWinSCP\r\nFTP Navigator\r\nPaltalk\r\nInternet Download Manager\r\nJDownloader\r\nApple keychain\r\nSeaMonkey\r\nComodo Dragon\r\nFlock\r\nDynDNS\r\nThis version comes with routines for SMTP, FTP and HTTP exfiltration, but only uses the HTTP POST one,\r\nwhich you can see in figure 26 below. The decision as to which exfiltration method is used is hardcoded in a\r\nvariable stored in the configuration, which is checked in almost all methods like this:\r\nif (Operators.CompareString(_P.Exfil, \"webpanel\", false) == 0)\r\n...\r\nelse if (Operators.CompareString(_P.Exfil, \"smtp\", false) == 0)\r\n...\r\nelse if (Operators.CompareString(_P.Exfil, \"ftp\", false) == 0)\r\nFigure 26 - HTTP exfiltration routine.\r\nFor example, it creates the POST request string, as you can see below in figure 27.\r\nFigure 27 - POST request.\r\nThen, it encrypts it with 3DES before sending it (figure 28). The _P.Y (\"0295A...1618C\") method in figure 26\r\ncreates the MD5 hash of the string. This hash is used as the secret for the 3DES encryption.\r\nFigure 28 - 3DES Encryption method\r\nConclusion\r\nThis is a highly effective malware campaign that is able to avoid detection by most antivirus applications.\r\nTherefore, it is necessary to have additional tools such as Threat Grid to defend your organization from these\r\nkinds of threats.\r\nThe actor behind this malware used the RTF standard because of its complexity, and used a modified exploit of a\r\nMicrosoft Office vulnerability to download Agent Tesla and other malware. 
It is not completely clear if the actor\r\nchanged the exploit manually, or if they used a tool to produce the shellcode. Either way, this shows that the actor\r\nor their tools have the ability to modify the assembler code in such a way that the resulting opcode bytes look\r\ncompletely different, but still exploit the same vulnerability. This is a technique that could very well be used to\r\ndeploy other malware in a stealthy way in the future.\r\nIOC\r\nMaldocs\r\ncf193637626e85b34a7ccaed9e4459b75605af46cedc95325583b879990e0e61 - 3027748749.rtf\r\nA8ac66acd22d1e194a05c09a3dc3d98a78ebcc2914312cdd647bc209498564d8 - xyz.123\r\n38fa057674b5577e33cee537a0add3e4e26f83bc0806ace1d1021d5d110c8bb2 - Proforma_Invoice_AMC18.docx\r\n4fa7299ba750e4db0a18001679b4a23abb210d4d8e6faf05ce2cbe2586aff23f - Proforma_Invoice_AMC19.docx\r\n1dd34c9e89e5ce7a3740eedf05e74ef9aad1cd6ce7206365f5de78a150aa9398 - HSBC8117695310_doc\r\nDistribution Domains\r\navast[.]dongguanmolds[.]com\r\navast[.]aandagroupbd[.]website\r\nLoki related samples from hxxp://avast[.]dongguanmolds[.]com\r\nLoki related URLs:\r\nOther related 
samples\r\nSource: https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html"
	],
	"report_names": [
		"old-dog-new-tricks-analysing-new-rtf_15.html"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775439118,
	"ts_updated_at": 1775791873,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6e41e230a5c19a64885c00cf8fc6e30811f247fd.pdf",
		"text": "https://archive.orkl.eu/6e41e230a5c19a64885c00cf8fc6e30811f247fd.txt",
		"img": "https://archive.orkl.eu/6e41e230a5c19a64885c00cf8fc6e30811f247fd.jpg"
	}
}