{
	"id": "fcd667c2-d9b5-4496-a6d7-24b5a510602a",
	"created_at": "2026-04-06T00:15:05.42608Z",
	"updated_at": "2026-04-10T13:12:31.541225Z",
	"deleted_at": null,
	"sha1_hash": "736317860bb65785ba712359c8b547127ade2338",
	"title": "Hacker Infrastructure Used in Cisco Breach Discovered Attacking a Top Workforce Management Corporation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 432704,
	"plain_text": "Hacker Infrastructure Used in Cisco Breach Discovered Attacking\r\na Top Workforce Management Corporation\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 12:37:55 UTC\r\neSentire's security research team, the Threat Response Unit (TRU), has discovered that the IT infrastructure used\r\nto attack Cisco in May 2022 was also used in an attempted compromise of one of its clients in April 2022. In their\r\nclient’s case, eSentire prevented the deployment of ransomware into the company’s environment. The client is a\r\nlarge workforce management solutions holding company made up of numerous subsidiaries that provide employee\r\nstaffing, recruiting, contract staffing and services around identifying and placing direct hires. TRU believes that a\r\nhacker who uses the alias, mx1r, is the cybercriminal behind the attack. Security company Mandiant reported on\r\nthis actor recently, in association with UNC2165, but didn't name them.\r\nWho is threat actor mx1r and what is their connection to Evil Corp?\r\nDuring the initial investigation of the attack against the workforce management company, TRU researchers were\r\nespecially interested in the criminal(s)’ use of a crypter product called CryptOne. Essentially, a crypter is a piece\r\nof software used to encrypt a malware payload so it will sneak past anti-virus software. Following this thread,\r\nTRU found a security report from Secureworks which detailed the use of CryptOne by a hacker group they call\r\nGold Drake but which is more commonly known as Evil Corp.\r\nThis thread led to a security report by Mandiant which details various cyberattacks that were carried out by an\r\naffiliate group of Evil Corp, which they call UNC2165. Interestingly, it is in this report that TRU discovered that\r\nthe Evil Corp affiliate (UNC2165) was known to use compromised VPN credentials in their attacks. 
Within their\r\nreporting, Mandiant also described the activities of one of the Evil Corp members which were very similar to the\r\nTactics, Techniques and Procedures (TTPs) of the attack TRU detected and shut down. However, Mandiant did not\r\nname the threat actor.\r\nTRU began scouring underground hacker forums for posts from this threat actor and discovered a member of\r\nexploit.in, an underground Russian forum, whose posts were eerily similar to the modus operandi (MO) of the\r\nhacker who attacked eSentire’s client and the hacker described by Mandiant. The threat actor uses the alias mx1r.\r\nThe “Evil” Behind Evil Corp and Its Affiliates\r\nFor those who are not familiar, Evil Corp is one of the most infamous Russian hacking groups on the\r\nunderground. Evil Corp was sanctioned in 2019 by the U.S. Treasury’s Office of Foreign Assets Control (OFAC) for\r\ndeveloping the Dridex banking malware and using it to steal over $100 million USD from hundreds of banks and\r\nfinancial institutions. Because of the sanctions, it is believed that the cybercriminals behind Evil Corp switched\r\ntheir MO and began running a ransomware-as-a-service operation, instead of attacking victims with their Dridex\r\nbanking malware. As such, they have recruited an array of criminal affiliates to carry out their online crimes.\r\nhttps://www.esentire.com/blog/hacker-infrastructure-used-in-cisco-breach-discovered-attacking-a-top-workforce-management-corporation-russias-evil-corp-gang-suspected-reports-esentire\r\nPage 1 of 10\n\nHow Did Hackers Gain Access to the Workforce Corporation’s IT Network?\r\nThe cybercriminals were able to break into the workforce management corporation’s IT network using stolen\r\nVirtual Private Network (VPN) credentials. TRU caught them trying to move laterally through the network using\r\nan arsenal of red team tools. Red team tools are typically used by security penetration testers who are testing the\r\nsecurity of an organization’s IT infrastructure. 
However, in this case, they were used by the threat actors to gain a\r\ndeeper foothold into the victim’s environment. The red team tools they used included: Cobalt Strike, network\r\nscanners and Active Domain crawlers. Using Cobalt Strike, the attackers were able to gain an initial foothold and\r\nhands-on-actions were immediate and swift from the time of initial access to when the attacker was able to register\r\ntheir own Virtual Machine on the victim’s VPN network.\r\nTracking threat actor mx1r to the underground\r\nAs stated, the hackers first gained access to the workforce management corporation in April 2022 via\r\ncompromised VPN credentials. Interestingly, TRU spotted several underground forum posts, dating from April\r\n2022, where a hacker going by the alias, mx1r, was looking for VPN credentials for companies with billion-dollar\r\nrevenues (Figure 1). TRU then discovered posts on a Dark Web access broker auction site where a threat actor was\r\npurchasing VPN credentials for large U.S. companies. Access broker auctions are run by cybercriminals who have\r\nbroken into a company’s IT environment and are selling their illegal access.\r\nFigure 1: mx1r placing a bid for access to a $2 billion dollar company\r\nCobalt Strike and Other Cyber Tools Used in the Attack\r\nAs previously mentioned, the threat actors who attacked the workforce management corporation attempted to\r\nmove laterally through the company’s IT network using an arsenal of red team tools which included Cobalt Strike.\r\nA GitHub account, under the mx1r alias, shows a handful of code repositories containing red team tools (Figure\r\n2). 
As noted by Mandiant, these repositories are consistent with the Evil Corp affiliate’s (UNC2165) tactics.\r\nFigure 2: A GitHub account using the mx1r alias\r\nAdditionally, Joe’s Sandbox identified the Command and Control (C2) server, used in the attack, as also serving\r\nas the C2 for the CryptOne Metasploit. Metasploit is a library of tools designed for penetration testing. The\r\nCryptOne Metasploit package is wrapped in the CryptOne crypter. The CryptOne crypter has been used by the\r\nHades Ransomware Group and ISFB (the Gozi Banking Trojan Group), both of which have associations with Evil\r\nCorp.\r\nCoincidentally, mx1r had a handful of other underground posts, in addition to the VPN posts. One of them was in\r\nJuly 2019 where the cybercriminal was recruiting a coder to “cleanup Metasploit and modules from similar\r\nframeworks”. Later, in December 2019, mx1r showed an interest in purchasing version 4.1 of Cobalt Strike\r\n(Figure 3).\r\nFigure 3: mx1r asks to buy a copy of Cobalt Strike version 4.1 on the Russian-speaking forum, exploit.in\r\nIn June 2021, Secureworks reported that CryptOne Metasploit was deploying Cobalt Strike during a Hades\r\nransomware campaign. 
In October 2021, mx1r also showed an interest in hiring a “crypting expert” (Figure 4).\r\nFigure 4: mx1r looking to hire a crypter for 'the team'\r\nExtended Lateral Movement\r\neSentire’s TRU also saw the threat actors continue to try and move laterally within the workforce management\r\ncorporation’s network via Remote Desktop Protocol (RDP) access, which Mandiant also observed as a tactic used\r\nby Evil Corp affiliate/UNC2165.\r\nCredential Theft\r\nAnother tactic observed by TRU was the threat actor’s attempt to launch a Kerberoasting attack. This is an attack\r\nwhere the cybercriminal attempts to crack passwords within Windows Active Directory through the Kerberos\r\nauthentication protocol. This tactic is also consistent with the TTPs of the Evil Corp affiliate/UNC2165, according\r\nto Mandiant.\r\nWhile TRU successfully shut down the attackers before they could fully penetrate the client’s network, TRU\r\nsuspects that the threat actors intended to infect the workforce corporation and its subsidiaries with ransomware.\r\nTracking the Hacking Infrastructure Used in the Cisco Breach and the Attack\r\nAgainst the Workforce Management Corporation\r\nWhile the TTPs of the attack against the workforce management corporation match those of Evil Corp, the\r\ninfrastructure used matches that of a Conti ransomware affiliate, who has been seen deploying Hive and\r\nYanluowang ransomware. Looking at various technical details of the malicious infrastructure leveraged, TRU\r\ndiscovered a handful of additional instances of Cobalt Strike infrastructure. TRU tracks this infrastructure cluster\r\nas HiveStrike. 
The Hive group first appeared on the ransomware scene in June 2021 and quickly gained a\r\nreputation for attacking critical targets including hospitals, energy companies and IT companies.\r\nInterestingly, Cisco attributed their breach to a threat actor who has ties to three hacker groups: the Lapsus$ threat\r\ngroup, the Yanluowang ransomware operators, and a group that Mandiant security firm calls UNC2447. They\r\nhave been known to drop the FiveHands/Hello Kitty ransomware into their victims’ environments.\r\nUNC2447 was previously observed deploying FiveHands ransomware at the same time TRU observed the\r\ninfrastructure cluster it tracks as ShadowStrike being leveraged for FiveHands and Conti ransomware attacks.\r\nNote: several security organizations assert that both the Hive Ransomware Group and FiveHands gang are\r\nconnected to former members of the Conti Ransomware Group.\r\nTRU’s Takeaway\r\nMicrosoft tracks the infrastructure used by the Conti ransomware group and its affiliates as DEV-0365, and\r\nHiveStrike bears some interesting similarities to the ShadowStrike infrastructure reported by TRU earlier this year\r\nwith affiliations to Conti. It seems unlikely – but not impossible – that Conti would lend its infrastructure to Evil\r\nCorp. Given that Mandiant has interpreted UNC2165’s pivot to LockBit as an intention to distance itself from the\r\ncore Evil Corp group, it is more plausible that the Evil Corp affiliate/UNC2165 may be working with one of\r\nConti's new subsidiaries. Conti's subsidiaries provide a similar outcome – to avoid sanctions by diffusing their\r\nresources into other established brands as they retire the Conti brand. 
It’s also possible that initial access was\r\nbrokered by an Evil Corp affiliate but ultimately sold off to Hive operators and its affiliates.\r\neSentire’s swift actions had tactical, operational and strategic benefits across its\r\nglobal customer base.\r\nTactical – This incident was escalated to active incident handling, in which hands-on defenders were engaged, to\r\nintercept the attackers and kick them out before they could disrupt the corporation’s business. In cases where\r\nexfiltration or other high-impact actions are suspected, eSentire’s Incident Response team is engaged.\r\nOperational – The threat group’s infrastructure, TTPs and other artifacts, tracked by TRU, were swept through\r\nindicator hunts and defense rule deployment. eSentire’s Security Operations Center (SOC) actively monitors\r\nthreat signals 24/7 for potential attacks.\r\nStrategic – TRU continues to enhance its threat actor tracking capabilities as the attack landscape evolves. New\r\ndetection models are built regularly based on original research and curated threat intelligence to enhance\r\nautomated blocking, SOC investigation and response capabilities.\r\nSummary: How to Protect Your Company from a Ransomware Attack and\r\nCyberattacks Overall\r\nBelow are a few basic security steps that every company should be employing to defend against ransomware\r\nattacks, as well as cyberattacks in general.\r\nHave a backup copy of all critical files and make sure they are offline backups. 
Backups connected to the\r\ninfected systems will be useless in the event of a ransomware attack.\r\nRequire multi-factor authentication to access your organization’s virtual private network (VPN) or remote\r\ndesktop protocol (RDP) services.\r\nONLY allow administrators to access network appliances using a VPN service.\r\nDomain controllers are a key target for ransomware actors, so ensure that your security team has visibility\r\ninto your IT networks using endpoint detection and response (EDR) agents and centralized logging on\r\ndomain controllers (DCs) and other servers.\r\nEmploy the principle of least privilege with staff members.\r\nImplement network segmentation.\r\nDISABLE RDP if not being used.\r\nRegularly patch systems, prioritizing your key IT systems.\r\nUser-awareness training should be mandated for all company employees.\r\nHow to Mitigate Business Disruption from a Cyberattack\r\nIf an organization gets hit by a ransomware attack and finds that it does NOT have reliable backups of its key IT\r\nsystems and data, it is important to have in place remediation measures such as the following:\r\nEnsure that your business team and IT security team have created an action plan and have an incident\r\nresponse (IR) plan mapped out that clearly defines which IT systems need to be put back online first.\r\nReady-set-go team. Create a reliable partner ecosystem well in advance of a breach. 
It is critical to have\r\nsecurity vendor(s) in place to help prevent a ransomware infection, but it’s vital that you have agreements\r\nalready in place with a larger partner ecosystem, such as crisis communications agencies, digital forensic\r\nfirms, cyber investigations teams, and outside legal counsel that specializes in security incidents.\r\nIf you’re not currently engaged with a Managed Detection and Response provider, we highly recommend you\r\npartner with us for security services to disrupt threats before they impact your business. Want to learn more about\r\nhow we protect organizations globally? Connect with an eSentire Security Specialist.\r\nHands-On Telemetry: From Cobalt Strike deployment to Lateral Movement\r\nThe initial investigation was kicked off by eSentire’s Security Operations Center (SOC) when they received an\r\nalert for the detection of malicious PowerShell abuse. 
The event was immediately identified as Cobalt Strike, as\r\nhands-on actions began to take place.\r\nCobalt Strike Deployed via PowerShell\r\nCobalt Strike Injects Bloodhound into regsvr32\r\nDiscovery\r\nAs is typical during the initial stage of a ransomware attack, the hands-on intruder performs some cursory\r\ndiscovery of the network they’ve landed in to help determine potential privilege escalation paths and opportunities\r\nfor lateral movement.\r\nAccount Discovery:\r\nnet group \"Domain Admins\" /domain\r\nDomain Discovery:\r\nnltest /domain_trusts /all_trusts\r\nCredential Access:\r\nTrusted Windows Process:\r\nLOLBIN Abuse:\r\nc:\\windows\\system32\\findstr.exe\r\nKerberoasting:\r\nLateral Movement\r\nBloodHound and Netscan were used to attempt lateral movement within the network\r\nInitial Access Investigation - Determining how the attackers got in\r\nBring Your Own Virtual Machine (BYOVM)\r\nThe attackers registered their own virtual machine with the VPN pool\r\nAttacker IP determined by gateway logs\r\nFurther research on the Attacker IP shows that the IP was observed, by GreyNoise, scanning the internet for\r\ntargets. 
TRU reached out to GreyNoise for more telemetry and learned that the scans were quiet and minimal, and\r\nthe attacker avoided revealing telemetry. This may represent the initial access broker gaining access to\r\norganizations before selling it to ransomware affiliates.\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next\r\nLevel MDR, connect with an eSentire Security Specialist now.\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your\r\norganization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7\r\nSecurity Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and\r\nworks as an extension of your security team to continuously improve our Managed Detection and Response\r\nservice. 
By providing complete visibility across your attack surface and performing global threat sweeps and\r\nproactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending\r\nyour organization against known and unknown threats.\r\nSource: https://www.esentire.com/blog/hacker-infrastructure-used-in-cisco-breach-discovered-attacking-a-top-workforce-management-corporation-russias-evil-corp-gang-suspected-reports-esentire",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.esentire.com/blog/hacker-infrastructure-used-in-cisco-breach-discovered-attacking-a-top-workforce-management-corporation-russias-evil-corp-gang-suspected-reports-esentire"
	],
	"report_names": [
		"hacker-infrastructure-used-in-cisco-breach-discovered-attacking-a-top-workforce-management-corporation-russias-evil-corp-gang-suspected-reports-esentire"
	],
	"threat_actors": [
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "065b7ea2-5920-4270-824e-94ea8a79d197",
			"created_at": "2023-12-08T02:00:05.747632Z",
			"updated_at": "2026-04-10T02:00:03.492858Z",
			"deleted_at": null,
			"main_name": "UNC2447",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC2447",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cf1c7efe-4464-4347-95d3-c86fb4d7db51",
			"created_at": "2022-10-25T16:07:24.35977Z",
			"updated_at": "2026-04-10T02:00:04.953882Z",
			"deleted_at": null,
			"main_name": "UNC2447",
			"aliases": [],
			"source_name": "ETDA:UNC2447",
			"tools": [
				"7-Zip",
				"AdFind",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DEATHRANSOM",
				"DeathRansom",
				"FIVEHANDS",
				"FOXGRABBER",
				"HELLOKITTY",
				"HelloKitty",
				"KittyCrypt",
				"Mimikatz",
				"PCHUNTER",
				"RCLONE",
				"ROUTERSCAN",
				"Ragnar Locker",
				"RagnarLocker",
				"Rclone",
				"S3BROWSER",
				"SombRAT",
				"Thieflock",
				"WARPRISM",
				"cobeacon",
				"deathransom",
				"wacatac"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434505,
	"ts_updated_at": 1775826751,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/736317860bb65785ba712359c8b547127ade2338.pdf",
		"text": "https://archive.orkl.eu/736317860bb65785ba712359c8b547127ade2338.txt",
		"img": "https://archive.orkl.eu/736317860bb65785ba712359c8b547127ade2338.jpg"
	}
}