{
	"id": "56c93c93-8f97-43e3-8e20-753384257337",
	"created_at": "2026-04-06T00:07:31.120289Z",
	"updated_at": "2026-04-12T02:21:57.458304Z",
	"deleted_at": null,
	"sha1_hash": "7019cad0b6e8ea27fa00d95734912e818357ea87",
	"title": "Darktrace's Investigation of Raspberry Robin Worm",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1523919,
	"plain_text": "Darktrace's Investigation of Raspberry Robin Worm\r\nBy Alexandra Sentenac\r\nPublished: 2024-04-02 · Archived: 2026-04-05 15:17:46 UTC\r\nIntroduction\r\nIn the face of increasingly hardened digital infrastructures and skilled security teams, malicious actors are forced\r\nto constantly adapt their attack methods, resulting in sophisticated attacks that are designed to evade human\r\ndetection and bypass traditional network security measures.\r\nOne such example that was recently investigated by Darktrace is Raspberry Robin, a highly evasive worm\r\nmalware renowned for merging existing and novel techniques, as well as leveraging both physical hardware and\r\nsoftware, to establish a foothold within organizations’ networks and propagate additional malicious payloads.\r\nWhat is Raspberry Robin?\r\nRaspberry Robin, also known as ‘QNAP worm’, is a worm malware that was initially discovered at the end of\r\n2023 [1]; however, its debut in the threat landscape may have predated this, with Microsoft uncovering malicious\r\nartifacts linked to this threat (which it tracks under the name Storm-0856) dating back to 2019 [4]. At the time,\r\nlittle was known regarding Raspberry Robin’s objectives or operators, despite the large number of successful\r\ninfections worldwide. While the identity of the actors behind Raspberry Robin still remains a mystery, more\r\nintelligence has been gathered about the malware and its end goals as it was observed delivering payloads from\r\ndifferent malware families.\r\nWho does Raspberry Robin target?\r\nWhile it was initially reported that Raspberry Robin primarily targeted the technology and manufacturing\r\nindustries, researchers discovered that the malware had actually targeted multiple sectors [3] [4]. 
Darktrace’s own\r\ninvestigations echoed this, with Raspberry Robin infections observed across various industries, including public\r\nadministration, finance, manufacturing, retail, education and transportation.\r\nHow does Raspberry Robin work?\r\nInitially, it appeared that Raspberry Robin's access to compromised networks had not been utilized to deliver final-stage malware payloads, nor to steal corporate data. This uncertainty led researchers to question whether the actors\r\ninvolved were merely “cybercriminals playing around” or more serious threats [3]. This lack of additional\r\nexploitation was indeed peculiar, considering that attackers could easily escalate their attacks, given Raspberry\r\nRobin’s ability to bypass User Account Control using legitimate Windows tools [4].\r\nHowever, at the end of July 2022, some clarity emerged regarding the operators' end goals. Microsoft researchers\r\nrevealed that the access provided by Raspberry Robin was being utilized by an access broker tracked as DEV-0206 to distribute the FakeUpdates malware downloader [2].\r\nhttps://darktrace.com/blog/the-early-bird-catches-the-worm-darktraces-hunt-for-raspberry-robin\r\nPage 1 of 10\n\nResearchers further discovered malicious activity\r\nassociated with Evil Corp TTPs (i.e., DEV-0243) [5] and payloads from the Fauppod malware family leveraging\r\nRaspberry Robin’s access [8]. This indicates that Raspberry Robin may, in fact, be an initial access broker,\r\nutilizing its presence on hundreds of infected networks to distribute additional payloads for paying malware\r\noperators. Thus far, Raspberry Robin has been observed distributing payloads linked to FIN11, Clop Gang,\r\nBumbleBee, IcedID, and TrueBot on compromised networks [12].\r\nRaspberry Robin’s Continued Evolution\r\nSince it first appeared in the wild, Raspberry Robin has evolved from \"being a widely distributed worm with no\r\nobserved post-infection actions [...] 
to one of the largest malware distribution platforms currently active\" [8]. The\r\nfact that Raspberry Robin has become such a prevalent threat is likely due to the continual addition of new\r\nfeatures and evasion capabilities to the malware [6] [7].\r\nSince its emergence, the malware has “changed its communication method and lateral movement” [6] in order to\r\nevade signature detections based on threat intelligence and previous versions. Endpoint security vendors\r\ncommonly describe it as heavily obfuscated malware, employing multiple layers of evasion techniques to hinder\r\ndetection and analysis. These include, for example, dropping a fake payload when analyzed in a sandboxed\r\nenvironment and using mixed case in executed commands, likely to avoid case-sensitive string-based detections.\r\nIn more recent campaigns, Raspberry Robin further appears to have added a new distribution method, as it was\r\nobserved being downloaded from archive files sent as attachments using the messaging service Discord [11].\r\nThese attachments contained a legitimate and signed Windows executable, often abused by attackers for side-loading, alongside a malicious dynamic-link library (DLL) containing a Raspberry Robin sample.\r\nAnother reason for the recent success of the malware may be found in its use of one-day exploits. According to\r\nresearchers, Raspberry Robin now utilizes several local privilege escalation exploits that had been recently\r\ndisclosed, even before a proof of concept had been made available [9] [10]. This led cyber security professionals\r\nto believe that operators of the malware may have access to an exploit seller [6]. 
The use of these exploits\r\nenhances Raspberry Robin's detection evasion and persistence capabilities, enabling it to propagate on networks\r\nundetected.\r\nThrough two separate investigations carried out by Darktrace’s Threat Research team, first in late 2022 and then in\r\nNovember 2023, it became evident that Raspberry Robin was capable of integrating new functionalities and\r\ntactics, techniques and procedures (TTPs) into its attacks. Darktrace DETECT™ provided full visibility over the\r\nevolving campaign activity, allowing for a comparison of the threat across both investigations. Additionally, where\r\nDarktrace RESPOND™ was enabled on affected networks, it was able to quickly mitigate and contain emerging\r\nactivity during the initial stages, thwarting the further escalation of attacks.\r\nRaspberry Robin Initial Infection\r\nThe most prevalent initial infection vector appears to be the introduction of an infected external drive, such as a\r\nUSB stick, containing a malicious .LNK file (i.e., a Windows shortcut file) disguised as a thumb drive or network\r\nshare. When clicked, the LNK file automatically launches cmd.exe to execute the malicious file stored on the\r\nexternal drive, and msiexec.exe to connect to a Raspberry Robin command-and-control (C2) endpoint and\r\ndownload the main malware component. The whole process leverages legitimate Windows processes and is\r\ntherefore less likely to raise any alarms from more traditional security solutions. 
However, Darktrace DETECT\r\nwas able to identify the use of Msiexec to connect to a rare endpoint as anomalous in every case investigated.\r\nLittle is currently known regarding how the external drives are infected and distributed, but it has been reported\r\nthat affected USB drives had previously been used for printing at printing and copying shops, suggesting that the\r\ninfection may have originated from such stores [13].\r\nA method as simple as leaving an infected USB on a desk in a public location can be a highly effective social\r\nengineering tactic for attackers. Exploiting both curiosity and goodwill, unsuspecting individuals may innocently\r\nplug in a found USB, hoping to identify its owner, unaware that they have unwittingly compromised their device.\r\nAs Darktrace primarily operates on the network layer, the insertion of a USB endpoint device would not be within\r\nits visibility. Nevertheless, Darktrace did observe several instances wherein multiple Microsoft endpoints were\r\ncontacted by compromised devices prior to the first connection to a Raspberry Robin domain. For example,\r\nconnections to the URI '/fwlink/?LinkID=252669\u0026clcid=0x409' were observed in multiple customer\r\nenvironments prior to the first Raspberry Robin external connection. 
This connectivity seems to be related to\r\nWindows attempting to retrieve information about installed hardware, such as a printer, and could also be related\r\nto the insertion of an external USB drive.\r\nFigure 1: Device Event Log showing an affected device making connections to Microsoft endpoints,\r\nprior to contacting the Raspberry Robin C2 endpoint ‘vqdn[.]net’.\r\nRaspberry Robin Command-and-Control Activity\r\nIn all cases investigated by Darktrace, compromised devices were detected making HTTP GET connections via\r\nthe unusual port 8080 to Raspberry Robin C2 endpoints using the new user agent 'Windows Installer'.\r\nThe C2 hostnames observed were typically short and matched the regex /[a-zA-Z0-9]{2,4}\\.[a-zA-Z0-9]{2,6}/,\r\nand were hosted on various top-level domains (TLDs) such as ‘.rocks’, ‘.pm’, and ‘.wf’. On one customer network,\r\nDarktrace observed the download of an MSI file from the Raspberry Robin domain ‘wak[.]rocks’. This package\r\ncontained a heavily protected malicious DLL file whose purpose was unknown at the time.\r\nHowever, in September 2022, external researchers revealed that the main purpose of this DLL was to download\r\nfurther payloads and enable lateral movement, persistence and privilege escalation on compromised devices, as\r\nwell as exfiltrating sensitive information about the device. 
As worm infections spread through networks\r\nautomatically, exfiltrating device data is an essential process for threat actors to keep track of which systems have\r\nbeen infected.\r\nOn affected networks investigated by Darktrace, compromised devices were observed making C2 connections that\r\ncontained sensitive device information, including hostnames and credentials, with additional host information\r\nlikely found within the data packets [12].\r\nFigure 2: Model Breach Event Log displaying the events that triggered the ‘New User Agent and\r\nSuspicious Request Data’ DETECT model breach.\r\nAs for C2 infrastructure, Raspberry Robin leverages compromised Internet of Things (IoT) devices such as QNAP\r\nnetwork attached storage (NAS) systems with hijacked DNS settings [13]. NAS devices are data storage servers\r\nthat provide access to the files they store from anywhere in the world. These features have been abused by\r\nRaspberry Robin operators to distribute their malicious payloads, as any uploaded file could be stored and shared\r\neasily using NAS features.\r\nHowever, Darktrace found that QNAP servers are not the only devices being exploited by Raspberry Robin, with\r\nDETECT identifying other IoT devices being used as C2 infrastructure, including a Cerio wireless access point in\r\none example. 
Darktrace recognized that this connection was new to the environment and deemed it suspicious,\r\nespecially as it also used new software and an unusual port for the HTTP protocol (i.e., 8080 rather than 80).\r\nIn several instances, Darktrace observed Raspberry Robin utilizing Tor exit nodes as backup C2 infrastructure,\r\nwith compromised devices detected connecting to Tor endpoints.\r\nFigure 3: Raspberry Robin C2 endpoint when viewed in a sandbox environment.\r\nFigure 4: Raspberry Robin C2 endpoint when viewed in a sandbox environment.\r\nRaspberry Robin in 2022 vs 2023\r\nDespite the numerous updates and advancements made to Raspberry Robin between the investigations carried out\r\nin 2022 and 2023, Darktrace’s detection of the malware was largely the same.\r\nDETECT models breached during the first investigation at the end of 2022:\r\nDevice / New User Agent\r\nAnomalous Server Activity / New User Agent from Internet Facing System\r\nDevice / New User Agent and New IP\r\nCompromise / Suspicious Request Data\r\nCompromise / Uncommon Tor Usage\r\nPossible Tor Usage\r\nDETECT models breached during the second investigation in late 2023:\r\nDevice / New User Agent and New IP\r\nDevice / New User Agent and Suspicious Request Data\r\nDevice / New User Agent\r\nDevice / Suspicious Domain\r\nPossible Tor Usage\r\nDarktrace’s anomaly-based approach to threat detection enabled it to consistently detect the TTPs and IoCs\r\nassociated with Raspberry Robin across the two investigations, despite the operator’s efforts to make it stealthier\r\nand more difficult to analyze.\r\nIn the first investigation in late 2022, Darktrace detected affected devices downloading additional executable (.exe)\r\nfiles following connections to the Raspberry Robin C2 
endpoint, including a numeric executable file that appeared\r\nto be associated with the Vidar information stealer. Considering the advanced evasion techniques and privilege\r\nescalation capabilities of Raspberry Robin, early detection is key to preventing the malware from downloading\r\nadditional malicious payloads.\r\nIn one affected customer environment investigated in late 2023, a total of 12 devices were compromised between\r\nmid-September and the end of October. As this particular customer did not have Darktrace RESPOND, the\r\nRaspberry Robin infection was able to spread through the network unabated until the customer acted upon\r\nDarktrace DETECT’s alerts.\r\nHad Darktrace RESPOND been enabled in autonomous response mode, it would have been able to take\r\nimmediate action following the first observed connection to a Raspberry Robin C2 endpoint, by blocking\r\nconnections to the suspicious endpoint and enforcing a device’s normal ‘pattern of life’.\r\nBy enforcing a pattern of life on an affected device, RESPOND would prevent it from carrying out any activity\r\nthat deviates from this learned pattern, including connections to new endpoints using new software as was the case\r\nin Figure 5, effectively shutting down the attack in the first instance.\r\nFigure 5: Model Breach Event Log showing RESPOND’s actions against connections to Raspberry\r\nRobin C2 endpoints.\r\nConclusion\r\nRaspberry Robin is a highly evasive and adaptable worm known to evolve and change its TTPs on a regular basis\r\nin order to remain undetected on target networks for as long as possible. 
Due to its ability to drop additional\r\nmalware variants onto compromised devices, it is crucial for organizations and their security teams to detect\r\nRaspberry Robin infections at the earliest possible stage to prevent the deployment of potentially disruptive\r\nsecondary attacks.\r\nDespite its continued evolution, Darktrace's detection of Raspberry Robin remained largely unchanged across the\r\ntwo investigations. Rather than relying on previous IoCs or leveraging existing threat intelligence, Darktrace\r\nDETECT’s anomaly-based approach allows it to identify emerging compromises by detecting the subtle\r\ndeviations in a device’s learned behavior that would typically come with a malware compromise.\r\nBy detecting the attacks at an early stage, Darktrace gave its customers full visibility over malicious activity\r\noccurring on their networks, empowering them to identify affected devices and remove them from their\r\nenvironments. In cases where Darktrace RESPOND was active, it would have been able to take autonomous\r\nfollow-up action to halt any C2 communication and prevent the download of any additional malicious payloads.  
\r\nCredit to Alexandra Sentenac, Cyber Analyst; Trent Kessler, Senior Cyber Analyst; Victoria Baldie, Director of\r\nIncident Management\r\nAppendices\r\nDarktrace DETECT Model Coverage\r\nDevice / New User Agent and New IP\r\nDevice / New User Agent and Suspicious Request Data\r\nDevice / New User Agent\r\nCompromise / Possible Tor Usage\r\nCompromise / Uncommon Tor Usage\r\nMITRE ATT\u0026CK Mapping\r\nTactic - Technique\r\nCommand \u0026 Control - T1090.003 Multi-hop Proxy\r\nLateral Movement - T1210 Exploitation of remote services\r\nExfiltration over C2 Data - T1041 Exfiltration over C2 Channel\r\nData Obfuscation - T1001 Data Obfuscation\r\nVulnerability Scanning - T1595.002 Vulnerability Scanning\r\nNon-Standard Port - T1571 Non-Standard Port\r\nPersistence - T1176 Browser Extensions\r\nInitial Access - T1189 Drive By Compromise / T1566.002 Spearphishing Link\r\nCollection - T1185 Man in the browser\r\nList of IoCs\r\nIoC - Type - Description + Confidence\r\nvqdn[.]net - Hostname - C2 Server\r\nmwgq[.]net - Hostname - C2 Server\r\nwak[.]rocks - Hostname - C2 Server\r\no7car[.]com - Hostname - C2 Server\r\n6t[.]nz - Hostname - C2 Server\r\nfcgz[.]net - Hostname - Possible C2 Server\r\nd0[.]wf - Hostname - C2 Server\r\ne0[.]wf - Hostname - C2 Server\r\nc4z[.]pl - Hostname - C2 Server\r\n5g7[.]at - Hostname - C2 Server\r\n5ap[.]nl - Hostname - C2 Server\r\n4aw[.]ro - Hostname - C2 Server\r\n0j[.]wf - Hostname - C2 Server\r\nf0[.]tel - Hostname - C2 Server\r\nh0[.]pm - Hostname - C2 Server\r\ny0[.]pm - Hostname - C2 Server\r\n5qy[.]ro - Hostname - C2 Server\r\ng3[.]rs - Hostname - C2 Server\r\n5qe8[.]com - Hostname - C2 Server\r\n4j[.]pm - Hostname - C2 Server\r\nm0[.]yt - Hostname - C2 Server\r\nzk4[.]me - Hostname - C2 
Server\r\n59.15.11[.]49 - IP address - Likely C2 Server\r\n82.124.243[.]57 - IP address - C2 Server\r\n114.32.120[.]11 - IP address - Likely C2 Server\r\n203.186.28[.]189 - IP address - Likely C2 Server\r\n70.124.238[.]72 - IP address - C2 Server\r\n73.6.9[.]83 - IP address - Likely C2 Server\r\nReferences\r\n[1] https://redcanary.com/blog/raspberry-robin/\r\n[2] https://www.bleepingcomputer.com/news/security/microsoft-links-raspberry-robin-malware-to-evil-corp-attacks/\r\n[3] https://7095517.fs1.hubspotusercontent-na1.net/hubfs/7095517/FLINT%202022-016%20-%20QNAP%20worm_%20who%20benefits%20from%20crime%20(1).pdf\r\n[4] https://www.bleepingcomputer.com/news/security/microsoft-finds-raspberry-robin-worm-in-hundreds-of-windows-networks/\r\n[5] https://therecord.media/microsoft-ties-novel-raspberry-robin-malware-to-evil-corp-cybercrime-syndicate\r\n[6] https://securityaffairs.com/158969/malware/raspberry-robin-1-day-exploits.html\r\n[7] https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/\r\n[8] https://redmondmag.com/articles/2022/10/28/microsoft-details-threat-actors-leveraging-raspberry-robin-worm.aspx\r\n[9] https://www.bleepingcomputer.com/news/security/raspberry-robin-malware-evolves-with-early-access-to-windows-exploits/\r\n[10] https://www.bleepingcomputer.com/news/security/raspberry-robin-worm-drops-fake-malware-to-confuse-researchers/\r\n[11] https://thehackernews.com/2024/02/raspberry-robin-malware-upgrades-with.html\r\n[12] https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/\r\n[13] https://blog.bushidotoken.net/2023/05/raspberry-robin-global-usb-malware.html\r\nSource: 
https://darktrace.com/blog/the-early-bird-catches-the-worm-darktraces-hunt-for-raspberry-robin",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://darktrace.com/blog/the-early-bird-catches-the-worm-darktraces-hunt-for-raspberry-robin"
	],
	"report_names": [
		"the-early-bird-catches-the-worm-darktraces-hunt-for-raspberry-robin"
	],
	"threat_actors": [
		{
			"id": "6728f306-6259-4e7d-a4ea-59586d90a47d",
			"created_at": "2023-01-06T13:46:39.175292Z",
			"updated_at": "2026-04-12T02:00:03.316783Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"TEMP.Warlock",
				"UNC902"
			],
			"source_name": "MISPGALAXY:FIN11",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-12T02:00:04.350002Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-12T02:00:03.46909Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider",
				"Manatee Tempest"
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-12T02:00:03.482647Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11",
				"GRACEFUL SPIDER",
				"SectorJ04",
				"Spandex Tempest",
				"TA505"
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-12T02:00:04.599978Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-12T02:00:04.664507Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-12T02:00:03.315269Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434051,
	"ts_updated_at": 1775960517,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7019cad0b6e8ea27fa00d95734912e818357ea87.pdf",
		"text": "https://archive.orkl.eu/7019cad0b6e8ea27fa00d95734912e818357ea87.txt",
		"img": "https://archive.orkl.eu/7019cad0b6e8ea27fa00d95734912e818357ea87.jpg"
	}
}