{
	"id": "4dac69d6-61c3-45d4-9a1b-ca9140b52422",
	"created_at": "2026-04-06T00:07:05.461955Z",
	"updated_at": "2026-04-10T13:12:05.191793Z",
	"deleted_at": null,
	"sha1_hash": "71d559ad4aea65489a362b41b44e4f43771e2bac",
	"title": "LofyGang - Software Supply Chain Attackers; Organized, Persistent, and Operating for over a Year",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3716860,
	"plain_text": "LofyGang - Software Supply Chain Attackers; Organized, Persistent,\r\nand Operating for over a Year\r\nBy Jossef Harush\r\nPublished: 2022-10-07 · Archived: 2026-04-05 16:40:01 UTC\r\nCheckmarx discovered ~200 malicious NPM packages with thousands of installations linked to an attack group called\r\n“LofyGang”.\r\nThis attack group has been operating for over a year with multiple hacking objectives:\r\nCredit card information\r\nDiscord “Nitro” (premium) upgrades\r\nStreaming services accounts (e.g. Disney+), Minecraft accounts, and more.\r\nOur findings were disclosed to the security teams of GitHub, NPM, Repl.it, Discord, and more.\r\nWe’ve launched a tracker website https://lofygang.info/ to share the findings about these attackers and share the full list of\r\nLofyGang’s related packages here.\r\nConnecting the Dots\r\nIn August 2022, we bumped into a couple of LofyGang’s malicious packages. It started with a report from one of our\r\ninternal engines. Our researchers immediately began investigating and crossing the IOC using our internal retro-hunting\r\ntools. This helped reveal more and more connections to other packages, and some of the packages linked to reports from\r\nSonatype, SecureList, and JFrog, but each report was a small piece of the big puzzle, as you can see below. The detective\r\nboard was so overloaded at some point that we had to zoom out. See the image below. 
We are also sharing the detective\r\nboard PDF file here.\r\nhttps://checkmarx.com/blog/lofygang-software-supply-chain-attackers-organized-persistent-and-operating-for-over-a-year/\r\nPage 1 of 11\n\nHistorical Hunting\r\nWhen defenders disclose malicious packages to package managers (NPM, PyPi, etc.), the package managers simply delete\r\nthe related release artifacts and metadata.\r\nWhile this does prevent users from downloading the malware, it makes things hard for defenders to (a) know what\r\nhappened, as this is not documented, and (b) learn and improve from the attacker’s activities as it’s almost impossible to get\r\nthe removed evidence.\r\nCheckmarx research team created internal tools to continuously collect open-source-related evidence. This is powering our\r\nresearch process; as you can see in this report, it helps us reveal and correlate deleted historical evidence and re-investigate\r\nsamples which assist us in telling you the story of LofyGang over time. To read more about the fruits of retro-hunting, check\r\nout this story.\r\nAbout LofyGang\r\nBy observing LofyGang’s activities across the internet, it appears they are an organized crime group focused on stealing and\r\nsharing stolen credit cards, gaming and streaming accounts, and more.\r\nThey create sock-puppet accounts using a closed dictionary of names with slight permutations of keywords such as lofy,\r\nlife, polar, panda, kakau, evil, devil, and vilão (villain in Portuguese).\r\nAs we explored this case, we guessed their origin is Brazil as much of the evidence contained Brazilian Portuguese\r\nsentences and even a file called “brazil.js”, which contained malware found in a couple of their malicious packages.\r\nDiscord Server\r\nLofyGang’s Discord server was created a year ago, on October 31, 2021, and seems to be the main channel of\r\ncommunication between the group’s administrators and their members.\r\nIn this Discord server, you can find technical support for the group’s 
hacking tools, a dark meme group, and a dedicated bot\r\nresponsible for a giveaway of Discord Nitro upgrades.\r\nDiscord Bot – “Lofy Boost”\r\nLofyGang created a Discord bot “Lofy Boost” to deploy stolen credit cards on the operator’s account. When calling the bot\r\ncommand “ph!boost”, the operator must provide it with his personal credentials. Also, LofyGang stated that whoever uses\r\nthis bot will also automatically boost LofyGang’s Discord server.\r\nCracked.io Contributions\r\nThe group is contributing to an underground hacking community under the alias DyPolarLofy, where they leak thousands of\r\nDisney+ and Minecraft accounts, promote their hacking tools under their GitHub page, promote their bots, and more.\r\nFake Instagram Followers As-A-Service\r\nIt seems that LofyGang’s main offering in that underground hacking community is to sell fake Instagram followers. This\r\nlinks to some of the malicious package profiles; for example, the package “fetch-string” is linked to the “victorjxl”\r\nInstagram account, which appeared to be an account with fake followers.\r\nGitHub Profile\r\nThe group is hosting hack tools under the GitHub account PolarLofy. Their open-source repositories offer tools and bots for\r\nDiscord, such as:\r\nDiscord spammer\r\nPassword stealer\r\nNitro Generator\r\nChat Wiper\r\nAnd more\r\nYouTube Tutorials\r\nLofyGang has a YouTube channel with self-promotion content, such as video tutorials demonstrating how to use their\r\nhacking tools. 
Their channel has almost 4k subscribers.\r\nUsing Legitimate Services as C2\r\nDiscord, Repl.it, glitch, GitHub, and Heroku are just a few services LofyGang is using as C2 servers for their operation.\r\nMalicious Packages\r\nWe were able to trace ~200 malicious open-source packages published in the past year. We saw several classes of malicious\r\npayloads, general password stealers, and Discord-specific persistent malware; some were embedded inside the package, and\r\nsome downloaded the malicious payload during runtime from C2 servers.\r\nWe’ve launched a tracker website https://lofygang.info/ to share the findings about these attackers and share the full list of\r\nLofyGang’s related packages here.\r\nTyposquatting and StarJacking\r\nTyposquatting is a technique commonly used by attackers targeting the open-source supply chain that relies on typing\r\nmistakes. Attackers register permutations of typing mistakes of popular packages, like “falsk” instead of “flask.” This leads\r\nto the accidental installation of a malicious package.\r\nStarjacking, usually combined with Typosquatting, occurs whenever a package references a git repository; websites such as\r\nPyPi, NPM, etc., display the statistics such as GitHub issues, stars, forks, etc., accordingly. The package managers do not\r\nvalidate the accuracy of this reference, and we see attackers take advantage of that by stating their package’s git repository is\r\nlegitimate and popular, which may trick the victim into thinking this is a legitimate package due to its so-called popularity.\r\nWe saw Starjacking in another previously reported attack last month.\r\nLofyGang, like many other attackers, used Typosquatting and Starjacking techniques to appear popular and legitimate to\r\ndevelopers. 
For instance, they often use the words “color” and “discord” in package names in addition to referencing a\r\nlegitimate GitHub repository and copying another popular package’s description as-is.\r\nHiding in a Sub-Dependency\r\nOne of the techniques used by the attackers to avoid detection is to keep the first-level package clean from malicious code,\r\nbut have it depend on another package that introduces the malicious code. We saw that whenever the malicious dependent\r\npackage was caught and removed, the attackers would replace it with a new one, and publish a new version of the main\r\npackage which was never removed.\r\nThe packages are purposely published by different NPM user accounts to decouple them as much as possible if one of them\r\nis caught.\r\nModifying the Installed Discord Application\r\nSome of the group’s malicious packages were spotted modifying the installed Discord instance with hooks to steal credit\r\ncards, sent via Discord webhook straight to the attackers whenever a payment was made.\r\nAnti-Deobfuscation\r\nSome of the malicious payloads are obfuscated. When we tried de-obfuscating the payloads, we noticed that the writers of\r\nthis code added anti-deobfuscation statements to be executed whenever de-obfuscation tools such as\r\nhttps://github.com/relative/synchrony were used. 
The anti-deobfuscation statements would unpack a naïve regular\r\nexpression that jams the event loop, making debugging the malicious code confusing.\r\nNPM Activity Over Time\r\nSince the beginning of their malicious activities on NPM, we’ve seen a steady flow of dozens of malicious packages\r\npublished per month.\r\nDon’t Trust Code From Strangers, Especially Attackers\r\nLofyGang’s hack tools also depend on malicious packages, which infect their operators with persistent hidden malware\r\nusing the same capabilities as described above. For instance, we saw the tool “Discord-Mass-Dm” on GitHub, which\r\ndepends on “small-sm” – one of LofyGang’s malicious packages.\r\nScreenshot from the group’s hack tool “Discord-Mass-Dm” having a malicious dependency.\r\nIn addition, some reports from the underground community cautioned about LofyGang’s code examples, discord bots, and\r\nother contributions which were also infected.\r\nConclusion\r\nThe surge of recent open-source supply chain attacks teaches us that cyber attackers have realized that abusing the open-source ecosystem represents an easy way to increase the effectiveness of their attacks.\r\nCommunities are being formed around utilizing open-source software for malicious purposes. We believe this is the start of\r\na trend that will increase in the coming months.\r\nWe’d like to thank our friends from Sonatype, SecureList, and JFrog for publishing their reports. By crossing those findings,\r\nwe were able to connect the dots faster and create this investigation board which links the source of those activities to\r\nLofyGang.\r\nWe believe in sharing and working together to keep the ecosystem safe. 
Shoot us an email at\r\nsupplychainsecurity@checkmarx.com if you’re interested in this incident’s samples or other data.\r\nTracker Website\r\nWe’ve launched a tracker website https://lofygang.info/ to share new findings about these attackers. This is an open-source\r\nstatic website available on our GitHub. If you bump into more of these packages, feel free to contribute!\r\nList of Malicious Packages\r\nSee the following list of malicious packages in this gist: https://gist.github.com/jossef/aaa9e45c062d973f18bd87c43b9c4fc7\r\nIOC\r\nSource: https://checkmarx.com/blog/lofygang-software-supply-chain-attackers-organized-persistent-and-operating-for-over-a-year/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://checkmarx.com/blog/lofygang-software-supply-chain-attackers-organized-persistent-and-operating-for-over-a-year/"
	],
	"report_names": [
		"lofygang-software-supply-chain-attackers-organized-persistent-and-operating-for-over-a-year"
	],
	"threat_actors": [
		{
			"id": "617698b9-9f96-40be-9b11-ba11497efd46",
			"created_at": "2023-11-05T02:00:08.055794Z",
			"updated_at": "2026-04-10T02:00:03.392956Z",
			"deleted_at": null,
			"main_name": "LofyGang",
			"aliases": [],
			"source_name": "MISPGALAXY:LofyGang",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9041c438-4bc0-4863-b89c-a32bba33903c",
			"created_at": "2023-01-06T13:46:38.232751Z",
			"updated_at": "2026-04-10T02:00:02.888195Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove"
			],
			"source_name": "MISPGALAXY:Nitro",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b44a04-a080-4465-973d-976ce53777de",
			"created_at": "2022-10-25T16:07:23.911791Z",
			"updated_at": "2026-04-10T02:00:04.786538Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove",
				"Nitro"
			],
			"source_name": "ETDA:Nitro",
			"tools": [
				"AngryRebel",
				"Backdoor.Apocalipto",
				"Chymine",
				"Darkmoon",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Moudour",
				"Mydoor",
				"PCClient",
				"PCRat",
				"Poison Ivy",
				"SPIVY",
				"Spindest",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434025,
	"ts_updated_at": 1775826725,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/71d559ad4aea65489a362b41b44e4f43771e2bac.pdf",
		"text": "https://archive.orkl.eu/71d559ad4aea65489a362b41b44e4f43771e2bac.txt",
		"img": "https://archive.orkl.eu/71d559ad4aea65489a362b41b44e4f43771e2bac.jpg"
	}
}