{
	"id": "72d2de96-976f-4e1f-88ee-10200f974c7e",
	"created_at": "2026-04-06T00:10:55.396951Z",
	"updated_at": "2026-04-10T03:33:35.610054Z",
	"deleted_at": null,
	"sha1_hash": "708df04536ab717a9f730664f22941f10fdeec78",
	"title": "IronNetInjector: Turla’s New Malware Loading Tool",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 366286,
	"plain_text": "IronNetInjector: Turla’s New Malware Loading Tool\r\nBy Dominik Reichel\r\nPublished: 2021-02-19 · Archived: 2026-04-05 16:00:48 UTC\r\nExecutive Summary\r\nIn recent years, more and more ready-made malware has been released on software development hosting sites, available for everybody to use, including threat actors. This not only saves the bad guys development time, but also makes it much easier for them to find new ideas for evading detection of their malware.\r\nUnit 42 researchers have found several malicious IronPython scripts whose purpose is to load and run Turla’s malware tools on a victim’s system. The use of IronPython for malicious purposes isn’t new, but the way Turla uses it is. The overall method is known as Bring Your Own Interpreter (BYOI): an interpreter that is not present on the system by default is brought along to run malicious code written in an interpreted programming or scripting language.\r\nThe first malicious IronPython scripts of the tool we describe here were discovered in 2020 by a security researcher from FireEye. At the beginning of 2021, another security researcher from Dragos pointed out new scripts of the same threat actor uploaded to VirusTotal by two different submitters. We found that one of the submitters also uploaded two other samples, which are most likely the embedded payloads of one of the IronPython scripts. These samples helped us understand how this tool works, what malware it loads and which threat actor uses it.\r\nWhile the IronPython scripts are only the first part of the tool, the main task of loading malware is done by an embedded process injector. We dubbed this toolchain IronNetInjector, a blend of IronPython and the injector’s internal project name, NetInjector. 
In this blog, we describe the IronPython scripts and how they’re used to load one or more payloads with the help of an injector.\r\nPalo Alto Networks customers are protected from this threat through WildFire and Cortex XDR. AutoFocus customers can investigate this activity with the tag “IronNetInjector”.\r\nWhat Is IronPython?\r\nFirst, let’s take a look at what IronPython is and why it was chosen as a loading vector. In the words of the IronPython team:\r\nIronPython is an open-source implementation of the Python programming language which is tightly integrated with the .NET Framework. IronPython can use the .NET Framework and Python libraries, and other .NET languages can use Python code just as easily.\r\nAnd further:\r\nIronPython's sweet-spot is being able to use the .NET framework APIs directly from Python.\r\nWith IronPython, you can use .NET Framework APIs directly in your Python script. It is a Python interpreter written entirely in C#. At the time of writing, it fully supports Python 2, while support for Python 3 is still in development. As one of two official projects formerly developed by Microsoft, the other being IronRuby, it uses the Dynamic Language Runtime (DLR).\r\nNow it becomes clear why IronPython is also attractive for malware authors. You can make use of the .NET Framework APIs without having to compile a .NET assembly. Of course, this requires the IronPython interpreter to also be present on the system, but that can be accomplished in different ways. Also, IronPython scripts that use .NET Framework APIs don’t run under the standard CPython interpreter. In a sandbox that supports Python scripts but not IronPython, the script would simply fail without producing any dynamic analysis result.\r\nhttps://unit42.paloaltonetworks.com/ironnetinjector/\r\nPage 1 of 8\r\n
Further, as IronPython is written in C#, its process already hosts the Common Language Runtime (CLR), so additional .NET assemblies can easily be loaded into it.\r\nIronNetInjector\r\nIronNetInjector is made of an IronPython script that contains a .NET injector and one or more payloads. The payloads can be either .NET assemblies (x86/x64) or native PEs (x86/x64). When an IronPython script is run, the .NET injector gets loaded, which in turn injects the payload(s) into its own or a remote process.\r\nThe key features of the malicious IronPython scripts are as follows:\r\nFunction and variable names are obfuscated.\r\nStrings are encrypted.\r\nThey contain an encrypted .NET injector and one or more encrypted PE payloads.\r\nThey take one argument, the decryption key for the embedded .NET injector and PE payload(s).\r\nThe embedded .NET injector and payload(s) are encrypted with Rijndael and then Base64-encoded.\r\nLog messages are written to %PUBLIC%\\Metadata.dat.\r\nError messages are written to %PUBLIC%\\Metaclass.dat.\r\nThe following screenshot shows one of the IronPython scripts decoded:\r\nFigure 1. Decoded IronPython script with embedded .NET injector and ComRAT payload (both shortened).\r\nWe have found two versions of the .NET injector: a newer variant internally named NetInjector, compiled in 2019, and an earlier variant named PeInjector_x64, compiled in 2018. The earlier variant is much more limited in functionality compared to the 2019 variant.\r\nBoth versions are full-blown PE injection tools able to load a native x86/x64 payload reflectively into a remote process. This is accomplished via P/Invoke calls to unmanaged Win32 functions and the use of PeNet, a publicly available PE parser library written in C#. 
The decompiled code is self-explanatory, as meaningful function, method and variable names are used throughout. Additionally, log and error messages are used extensively.\r\nMost of the code of the 2018 variant is taken from PowerShell Empire’s ReflectivePEInjection script and was translated into C#. It is written in a much more specific manner than the 2019 variant, which is a generically written injection tool. The newer version additionally contains the ability to inject .NET assemblies into unmanaged processes. It can also load payloads into its own process space, i.e., the IronPython interpreter process.\r\nThe newer injector has the following PDB path left in it:\r\nC:\\Users\\Devel\\source\\repos\\c4\\agent\\build_tools\\agent_dll_to_Python_loader\\NetInjector\\NetInjector\\obj\\Release\\NetInjector.pd\r\nThe same submitters who uploaded the IronPython scripts also submitted other files which are directly related to IronNetInjector. Based on the sizes of these files and the sizes of the payloads embedded in the IronPython scripts, we can make some assumptions about what the payloads likely are.\r\nThe following table shows the IronPython scripts categorized by VirusTotal submitter. 
It also shows which other samples uploaded by the same submitter or by other submitters are connected, and gives the assumed embedded malware:\r\nSubmitter 1\r\n• IronPython script(s) uploaded: prophile.py; profilec.py\r\n• Related samples uploaded by same submitter: IronPython-2.7.7z, a portable IronPython installation that contains the two IronPython scripts and a Windows task XML to start profilec.py\r\n• Payload assumptions: prophile.py: .NET injector (2018 variant) + RPC backdoor variant; profilec.py: .NET injector (2019 variant) + ComRAT variant\r\nSubmitter 2\r\n• IronPython script(s) uploaded: profile.py\r\n• Related samples uploaded by same submitter: -\r\n• Payload assumptions: profile.py: .NET injector (2019 variant) + ComRAT variant\r\nSubmitter 3\r\n• IronPython script(s) uploaded: 10profilec.py; 120profilec.py; 220profile.py\r\n• Related samples uploaded by same submitter: -\r\n• Payload assumptions: 10profilec.py: .NET injector (2018 variant) + ComRAT variant; 120profilec.py: .NET injector (2019 variant) + ComRAT variant; 220profile.py: .NET injector (2018 variant) + unknown payload\r\nSubmitter 4\r\n• IronPython script(s) uploaded: profilec.py\r\n• Related samples uploaded by same submitter: NetInjector.dll, a .NET injector (2019 variant), most likely the injector embedded in profilec.py of the same submitter; payload.exe, a ComRAT v4 variant (DLL), most likely embedded in profilec.py of the same submitter\r\n• Payload assumptions: -\r\nSubmitter 5\r\n• IronPython script(s) uploaded: -\r\n• Related samples uploaded by same submitter: part_1.data, a .NET injector (2018 variant), most likely embedded in prophile.py of submitter 1; part_2.data, an RPC backdoor variant, most likely embedded in prophile.py of submitter 1; part_3.data, an RPC backdoor variant, most likely embedded in prophile.py of submitter 1\r\n• Payload assumptions: -\r\nTable 1. Categorized IronPython samples according to VirusTotal submitters and their assumed payloads.\r\nIt becomes clear that IronNetInjector is mostly used to load ComRAT. In one case, a variant of the RPC backdoor is used, and in another a payload that we couldn’t associate with known malware.\r\nWe also couldn’t verify how the IronPython scripts get run in the first place. 
One of the submitters uploaded a 7-Zip archive with the contents of the IronPython MSI file of version 2.7.0.40 from 2011. This archive also contains two IronPython scripts (see table) and a Windows task XML file named mssch.xml with the following content:\r\nFigure 2. Windows task XML file for IronNetInjector.\r\nThe task is used to start an IronPython script with the 64-bit version of the interpreter. The Rijndael decryption key is passed as a command line argument. However, the key did not decrypt any of the embedded files in the scripts we found.\r\nThe task’s description is PythonUpdateSrvc, and it runs either when a user logs on or when one of two events is written to the event log:\r\nFigure 3. IronNetInjector task triggers.\r\nDepending on the system, an event with ID 8001 can belong to Microsoft Internet Information Services (IIS), Microsoft Exchange Server or Windows Server (Source: Netsurion EventTracker). The other event, ID 5324, is likely related to the logoff from Winlogon. Note that both event triggers are scoped to the Microsoft-Windows-GroupPolicy/Operational channel, so they only fire when events with these IDs appear in that log, regardless of which other sources reuse the same IDs elsewhere.\r\nIf the files in the 7-Zip archive were all taken from the same directory, we can make some assumptions. The attacker might have used the IronPython MSI to install the interpreter to C:\\ProgramData\\IronPython-2.7 on the victim’s system, placed the IronPython scripts and the Windows task XML in the same directory, and then used the task file to register a task which in turn starts a script when triggered. However, it’s also possible that the submitter collected the files from different places and just bundled them into an archive for scanning purposes.
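The following Python script is an added example for the scheduled-task artefact described above; it is not code from the original post or from the attacker’s tooling. It parses a task definition of the kind shown in Figures 2 and 3 and extracts what an analyst would pivot on: the action command and its arguments (where the decryption key is passed), whether a logon trigger exists, and the channel and event ID behind each event trigger. The embedded task XML is constructed for this example to match the features the report describes; the script path, the key value and the exact query text are assumptions, as are the flagging heuristics at the end.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

# XML namespace of Windows Task Scheduler task definitions (schtasks /XML, Export-ScheduledTask).
NS = {'t': 'http://schemas.microsoft.com/windows/2004/02/mit/task'}

# Matches the EventID comparison inside an event query such as *[System[EventID=8001]].
EVENT_ID_RE = re.compile('EventID[ ]*=[ ]*([0-9]+)')

# Constructed sample task. It mirrors what the report describes for mssch.xml
# (description PythonUpdateSrvc, a logon trigger, event triggers on IDs 8001 and
# 5324 in the Group Policy operational log, ipy64.exe started with a script and
# a key argument). The script path, the key value and the exact query text are
# assumptions for this example, not the content of the real file.
SAMPLE_TASK_XML = '''<Task version='1.2' xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>
  <RegistrationInfo><Description>PythonUpdateSrvc</Description></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <EventTrigger><Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id='0' Path='Microsoft-Windows-GroupPolicy/Operational'&gt;&lt;Select Path='Microsoft-Windows-GroupPolicy/Operational'&gt;*[System[EventID=8001]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
    <EventTrigger><Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id='0' Path='Microsoft-Windows-GroupPolicy/Operational'&gt;&lt;Select Path='Microsoft-Windows-GroupPolicy/Operational'&gt;*[System[EventID=5324]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
  </Triggers>
  <Actions Context='Author'>
    <Exec>
      <Command>C:\\ProgramData\\IronPython-2.7\\ipy64.exe</Command>
      <Arguments>C:\\ProgramData\\IronPython-2.7\\profilec.py 0123456789abcdef0123456789abcdef</Arguments>
    </Exec>
  </Actions>
</Task>'''


def parse_subscription(subscription_xml):
    '''Return (channel, event_id) pairs from an EventTrigger subscription.
    The subscription is an event query stored as escaped XML inside the task.'''
    pairs = []
    if not subscription_xml.strip():
        return pairs
    query = ET.fromstring(subscription_xml)
    for select in query.iter('Select'):
        channel = select.get('Path', '')
        for event_id in EVENT_ID_RE.findall(select.text or ''):
            pairs.append((channel, int(event_id)))
    return pairs


def parse_task(xml_text):
    '''Extract the parts of a task definition an analyst pivots on.'''
    root = ET.fromstring(xml_text)
    commands = []
    for exec_el in root.findall('t:Actions/t:Exec', NS):
        command = (exec_el.findtext('t:Command', default='', namespaces=NS) or '').strip()
        arguments = (exec_el.findtext('t:Arguments', default='', namespaces=NS) or '').strip()
        commands.append((command, arguments))
    event_triggers = []
    for trigger in root.findall('t:Triggers/t:EventTrigger', NS):
        subscription = trigger.findtext('t:Subscription', default='', namespaces=NS) or ''
        event_triggers.extend(parse_subscription(subscription))
    return {
        'description': (root.findtext('t:RegistrationInfo/t:Description', default='', namespaces=NS) or '').strip(),
        'commands': commands,
        'logon_trigger': root.find('t:Triggers/t:LogonTrigger', NS) is not None,
        'event_triggers': event_triggers,
    }


def ironnetinjector_indicators(task):
    '''Heuristic hits for the deployment pattern the report describes. Each hit is a
    reason string for an analyst to review, not a verdict.'''
    reasons = []
    for command, arguments in task['commands']:
        exe = ntpath.basename(command).lower()
        argv = arguments.split()
        if exe in ('ipy.exe', 'ipy64.exe'):
            reasons.append('IronPython interpreter started by task: ' + exe)
            if len(argv) == 2 and argv[0].lower().endswith('.py'):
                reasons.append('script run with exactly one extra argument (possible decryption key): ' + argv[1])
        if 'programdata' in command.lower():
            reasons.append('interpreter runs from ProgramData rather than Program Files')
    if task['description'] == 'PythonUpdateSrvc':
        reasons.append('task description matches the known sample: PythonUpdateSrvc')
    for channel, event_id in task['event_triggers']:
        if channel.lower().startswith('microsoft-windows-grouppolicy'):
            reasons.append('event trigger on %s event ID %d' % (channel, event_id))
    return reasons


if __name__ == '__main__':
    for reason in ironnetinjector_indicators(parse_task(SAMPLE_TASK_XML)):
        print(reason)
```

Run as-is to print the hits for the constructed task; to triage a real host, feed it the output of schtasks /Query /TN taskname /XML for each suspicious task instead of SAMPLE_TASK_XML. The event-query parser deliberately pulls only the channel and the EventID comparison out of the XPath; anything more elaborate in a subscription is left for the analyst to read.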
It’s also unclear why the attacker would use such an old version of IronPython.\r\nA Brief Walkthrough\r\nLet’s go briefly through the execution flow based on one of the scripts of VirusTotal submitter 4, which contains the 2019 variant of the injector and a ComRAT variant (SHA256: 3aa37559ef282ee3ee67c4a61ce4786e38d5bbe19bdcbeae0ef504d79be752b6).\r\nWhen an IronPython script is run, it is loaded into the IronPython interpreter. In the IronPython script, the embedded .NET injector (SHA256: a56f69726a237455bac4c9ac7a20398ba1f50d2895e5b0a8ac7f1cdb288c32cc) and ComRAT DLL payload (SHA256: a62e1a866bc248398b6abe48fdb44f482f91d19ccd52d9447cda9bc074617d56) get decoded and decrypted. This is done with the Python base64 module and the RijndaelManaged class from the .NET System.Security.Cryptography namespace. The decryption key is passed as an argument to the IronPython script, while the Rijndael initialization vector (IV) is stored in the script itself. Next, the .NET injector gets loaded into the IronPython process with the help of the Assembly.Load() method from the System.Reflection namespace. That’s possible because IronPython itself is a .NET assembly and thus its process already hosts the .NET runtime.\r\nAfter the injector assembly is loaded, the ID of the process into which the ComRAT DLL gets injected is retrieved. In this case, explorer.exe was chosen. The routine to get the PID differs slightly between the IronPython scripts we found. While one script uses the .NET method Process.GetProcessesByName() to get the PID, the other scripts run the Windows tool tasklist.exe with the help of the Python os.popen() function and parse its output, narrowed with tasklist filters, for the target process ID. Some scripts additionally filter by a Windows service name. When the PID is found, an instance of the injector assembly is created and the ComRAT payload bytes and PID are passed to it.\r\nFigure 4. 
PID retrieval function variations in the different IronPython scripts.\r\nFinally, the injector’s public methods Invoke() and InvokeVoid() get called. To the latter, the name of the ComRAT payload’s exported function, VFEP, is passed. From this point on, the .NET injector takes control of the further execution.\r\nThe .NET injector contains the following namespaces:\r\nDefaultSerializer\r\nPeNet\r\nPeNet.Parser\r\nPeNet.Structures\r\nPeNet.Structures.MetaDataTables\r\nPeNet.Structures.MetaDataTables.Parsers\r\nPeNet.Utilities\r\nWhile the PeNet code is copied from that project, the namespace DefaultSerializer contains the injector code and is made of the following classes:\r\nDefaultSerializer: Contains the injector code.\r\nNetBootstrapper: Contains 32-/64-bit bootstrappers to load an assembly into an unmanaged process.\r\nWin32: Contains the imported unmanaged function declarations and Win32 structures/constants.\r\nThe DefaultSerializer class exposes four public methods:\r\nInjectAssembly\r\nInvoke\r\nInvokeAssemblyMethod\r\nInvokeVoid\r\nThese methods are used pairwise. InjectAssembly injects a .NET assembly into a native process (or the injector’s own process) and InvokeAssemblyMethod calls any chosen method of the injected assembly. Invoke injects a native PE into a remote process and InvokeVoid calls any exported function of the injected payload.\r\nFigure 5. Decompiled NetInjector code.\r\nDepending on the number of arguments passed to DefaultSerializer at construction time, the payload is either loaded into the injector’s own process or into a remote one. If only the payload bytes are passed, it gets loaded into the injector’s own process space. 
The other options are to additionally pass the ID or a handle of the remote process into which the payload gets injected.\r\nIn our case, the second option is used with the PID of explorer.exe to load the ComRAT payload reflectively into that process.\r\nOne other interesting aspect of the injector is its ability to load an assembly into an unmanaged process. This needs some preparation in the remote process, as you cannot simply load and execute a .NET assembly there if the CLR isn’t present. This is accomplished with a native bootstrapper DLL, which gets injected into the remote process and prepares it so that a .NET assembly can be injected afterwards.\r\nThere are two bootstrappers (x86/x64) contained in the NetBootstrapper class, which have the following PDB paths left in them:\r\nF:\\Dev\\NetInjector\\bin\\Release\\NetBootstrapper_Win32.pdb\r\nF:\\Dev\\NetInjector\\bin\\Release\\NetBootstrapper_x64.pdb\r\nJust like the injector itself, the bootstrappers contain meaningful function names (exported functions) and useful log messages. They export the following functions:\r\nBootstrap: Load CLR services into the process.\r\nGetMethodResult: Get the method result from InvokeMethod.\r\nInvokeMethod: Call a method of the injected assembly passed as a parameter.\r\nLoadAssembly: Load the .NET assembly passed as a parameter.\r\nStartClrRuntime: Same as Bootstrap.\r\nThese functions are called from the injector to prepare the remote process and load a .NET assembly payload from the IronPython script into it.\r\nIn all the IronPython scripts we found, only the option of injecting a native payload into a native remote process is used.\r\nConclusion\r\nIronNetInjector is another toolset in Turla’s ever-growing arsenal, made of an IronPython script and an injector. 
It’s similar in structure to the in-memory loading mechanism Turla previously used to execute malware with the help of PowerShell scripts; those scripts contain an embedded PE loader that executes an embedded malware payload.\r\nThe tool we discussed in this blog post was likely developed to move away from PowerShell towards .NET. This general trend has been visible in recent years as detection of PowerShell-based threats improved, but also because of security mechanisms such as AMSI introduced by Microsoft.\r\nThe .NET injectors and bootstrappers contain clean code and meaningful function/method/variable names, and they use detailed log/error messages. Only the initial IronPython scripts are obfuscated to prevent easy detection.\r\nSome questions remain open: what other payloads get loaded besides ComRAT and the RPC backdoor, how the IronPython scripts get run, and how the interpreter is deployed to a victim’s system.\r\nWe will continue to monitor this malware loading tool to get the missing pieces of the puzzle.\r\nPalo Alto Networks customers are protected from this malware tool. Our threat prevention platform WildFire detects it as malicious. 
Our extended detection and response platform Cortex XDR can identify and block the malware execution. AutoFocus customers can track the activity with the tag “IronNetInjector”.\r\nIndicators of Compromise\r\nIronPython scripts\r\nb641687696b66e6e820618acc4765162298ba3e9106df4ef44b2218086ce8040 (prophile.py, submitter 1)\r\nc430ebab4bf827303bc4ad95d40eecc7988bdc17cc139c8f88466bc536755d4e (profilec.py, submitter 1)\r\nc1b8ecce81cf4ff45d9032dc554efdc7a1ab776a2d24fdb34d1ffce15ef61aad (profile.py, submitter 2)\r\n8df0c705da0eab20ba977b608f5a19536e53e89b14e4a7863b7fd534bd75fd72 (10profilec.py, submitter 3)\r\nb5b4d06e1668d11114b99dbd267cde784d33a3f546993d09ede8b9394d90ebb3 (120profilec.py, submitter 3)\r\nb095fd3bd3ed8be178dafe47fc00c5821ea31d3f67d658910610a06a1252f47d (220profile.py, submitter 3)\r\n3aa37559ef282ee3ee67c4a61ce4786e38d5bbe19bdcbeae0ef504d79be752b6 (profilec.py, submitter 4)\r\nInjector samples\r\na56f69726a237455bac4c9ac7a20398ba1f50d2895e5b0a8ac7f1cdb288c32cc (2019 variant, submitter 4)\r\nc59fadeb8f58bbdbd73d9a2ac0d889d1a0a06295f1b914c0bd5617cfb1a08ce9 (2018 variant, submitter 5)\r\nBootstrapper samples\r\n63d7695dabefb97aa30cbe522647c95395b44321e1a3b08b8028e4000d1be15e\r\nba17af72a9d90822eed447b8526fb68963f0cde78df07c16902dc5a0c44536c4\r\nRelated samples\r\n82333533f7f7cb4123bceee76358b36d4110e03c2219b80dced5a4d63424cc93 (IronPython-2.7.7z, submitter 1)\r\na62e1a866bc248398b6abe48fdb44f482f91d19ccd52d9447cda9bc074617d56 (ComRAT v4 variant, submitter 4)\r\n18c173433daafcc3aea17fc4f7792d0ff235f4075a00feda88aa1c9f8f6e1746 (RPC backdoor variant, submitter 5)\r\na64e79a81b5089084ff88e3f4130e9d5fa75e732a1d310a1ae8de767cbbab061 (RPC backdoor variant, submitter 5)\r\nSource: https://unit42.paloaltonetworks.com/ironnetinjector/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/ironnetinjector/"
	],
	"report_names": [
		"ironnetinjector"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434255,
	"ts_updated_at": 1775792015,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/708df04536ab717a9f730664f22941f10fdeec78.pdf",
		"text": "https://archive.orkl.eu/708df04536ab717a9f730664f22941f10fdeec78.txt",
		"img": "https://archive.orkl.eu/708df04536ab717a9f730664f22941f10fdeec78.jpg"
	}
}