{
	"id": "73cb2057-6dd7-49a4-aca0-52509332f4c6",
	"created_at": "2026-04-06T00:19:07.552937Z",
	"updated_at": "2026-04-10T13:12:08.459618Z",
	"deleted_at": null,
	"sha1_hash": "7410511a120ebdd2f631f40eb2275ab1a79f20f3",
	"title": "IOControl Malware: What’s New, What’s Not?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 302348,
	"plain_text": "IOControl Malware: What’s New, What’s Not?\r\nBy Michael Freeman, Head of Threat Intelligence\r\nArchived: 2026-04-05 20:47:11 UTC\r\nIOControl malware is a sophisticated Linux backdoor, initially identified as OrpraCab and QueueCat in 2023. It\r\nre-emerged in 2024 as IOControl, targeting ARM-based IoT and Linux systems. Despite recent media\r\nmischaracterization as OT-specific malware, IOControl operates primarily as a Linux backdoor with advanced\r\ntechniques for persistence, obfuscation, and C2 (Command and Control) communication.\r\nKey Takeaways:\r\nThis malware is not new. It was first seen using other names over a year ago, at the end of 2023.\r\nThis is not OT-specific device malware but behaves more like a Linux backdoor compiled for 32-bit\r\nARM devices.\r\nArmis helps by providing Indicators Of Compromise (IOCs) and behaviors that can be used to\r\nidentify the presence of this malware in your organization.\r\nBackground and How it Works\r\nIOControl has been attributed to CyberAv3ngers, an Iranian-linked hacking group associated with the country’s\r\nstate-sponsored cyber efforts, including the Islamic Revolutionary Guard Corps (IRGC). This malware has been\r\ndeployed in campaigns against systems in Israel and the United States, impacting devices like routers,\r\nprogrammable logic controllers (PLCs), firewalls, and Supervisory Control and Data Acquisition (SCADA)\r\nsystems.\r\nThe malware deploys a backdoor that’s automatically executed every time an affected device restarts. It leverages\r\nthe widely used MQTT (Message Queuing Telemetry Transport) protocol to disguise malicious traffic.\r\nMQTT, introduced initially to streamline SCADA monitoring in oil pipeline operations, has since become a\r\nfavored protocol for IoT communication due to its lightweight nature and scalability. 
This malware’s use of\r\nMQTT on ports 8883 and 1883, in combination with suspicious domains and the presence of stealthy filesystem\r\nartifacts, highlights a deliberate attempt to blend into IoT environments while maintaining persistence and\r\noperational security. Other malware families that use MQTT are Chrysaor, MQsTTang, and WailingCrab.\r\nhttps://www.armis.com/blog/iocontrol-malware-whats-new-whats-not/\r\nPage 1 of 8\n\nBy leveraging MQTT over TLS, the adversary’s C2 traffic blends effortlessly with legitimate IoT network noise,\r\nproviding both encryption and a lower likelihood of raising immediate suspicion. Passing messages via an MQTT\r\nbroker offers the attacker an additional layer of indirection, complicating attribution and enhancing their\r\noperational security.\r\nDetection – Indicators Of Compromise\r\nBelow are some concrete Indicators of Compromise (IOCs) and detection strategies derived from the scripts and\r\ncode snippets presented. Security professionals can use these IOCs and behaviors to identify the presence of this\r\nmalware in their environments.\r\nProcess and Behavior IOCs:\r\nPID Files:\r\nThe presence of /var/run/iocontrol.pid associated with a non-standard or\r\nunknown process is a red flag.\r\nMD5: c92e2655d115368f92e7b7de5803b7bc, Magic:\r\nELF 32-bit MSB executable, ARM, version 1, statically linked, Size: 16208, Version:\r\n1.0.5, Packer: upx\r\nEnvironment Variables:\r\nEnv Variable Value Purpose\r\n0_0 22e70a3056aa209e90dc5a354edda2c1 AES KEY\r\n0_1 1c3b88f1e4720dc6 AES IV\r\n1 1.0.5 Version\r\n3 5958ce MQTT User\r\n4 3-4953-8c18-3f9625 MQTT Pass\r\nInfinite Loop Persistence Mechanism:\r\nA script continuously checks for the iocontrol process using pidof \"iocontrol\"\r\nand restarts it if it’s not found. 
This watchdog-like behavior is not typical for\r\nlegitimate software.\r\nDomain and Networking IOCs:\r\nC2 Domain: uwochhfsdltk.tylarion867mino.com\r\nAny outbound connections to this domain, especially over unusual ports, should be\r\nflagged.\r\nPort Usage: Ports 8883 and 1883 are used for outbound connections. These ports are\r\nless commonly used for regular web traffic and could indicate suspicious MQTT-like\r\nor encrypted command and control channels.\r\nIP: 159.100.6.69 for the broker\r\nDoH Queries: DNS-over-HTTPS lookups via Cloudflare’s resolver:\r\nQueries to 1.1.1.1:443/dns-query?name= with suspicious parameters or\r\nunknown hostnames.\r\nLook for unusual patterns of DoH usage that are not common for normal\r\nsystem DNS resolution.\r\nFile and Path IOCs:\r\nMD5: c92e2655d115368f92e7b7de5803b7bc\r\nSuspicious Binary:\r\nA binary named iocontrol present in /usr/bin/ (or any directory) that is not\r\npart of a known software package or repository.\r\nMalicious Directories and Logs:\r\n/tmp/iocontrol/ directory and /tmp/iocontrol.log file. Legitimate\r\nsoftware rarely stores persistent logs or binaries in /tmp.\r\nStartup/Persistence Scripts:\r\n/etc/rc3.d/S93InitSystemd.sh is suspicious. 
This script may be\r\nmasquerading as a standard init script but contains malicious content.\r\nAny shell script in /etc/rc*.d/ directories that references iocontrol.\r\nThe threat actor used a script named “mr_soul_controller” and a module “oblivator”\r\nto wipe Linux device files.\r\nSuspicious Commands and Techniques:\r\nEnvironment Queries:\r\nThe script uses commands like whoami, hostname, current_user, timezone,\r\nuname -r, device_model, and firmware_version to harvest system information.\r\nWhile these commands are legitimate, security teams should look for aggregated\r\nusage from unknown scripts or binaries.\r\nStrings, UIDs and tokens to look for:\r\nStrings like X8XR7tHHD1CqmhNS, XXFrxHMDI1CqmIN5, 855958ce-6483-4953-8c18-3f9625d88c27,\r\nsCgcVpkXixEUTgEJqY708N5w2c42DssIEutp7ZIeNgt17G78iy, and\r\ncS9cYpXiX1EtUEBdjQ7O8N5wC42DssIEutp7ZtNEtg17G78iy within scripts or\r\nbinaries may indicate embedded credentials, keys, or tokens used for C2\r\nauthentication.\r\nRedirection and Obfuscation:\r\nFrequent use of 2\u003e\u00261, \u003e/dev/null, and /dev/urandom indicates attempts to hide\r\noutput and possibly generate keys for obfuscation.\r\nAPT Group Biographical Intelligence Package\r\nThe biographical intelligence package below outlines the expertise, operations, and evolving strategies of this\r\nIranian-linked APT (Advanced Persistent Threat) group, providing actionable insights to enhance defenses against\r\ntheir campaigns.\r\nName(s)\r\nOilRig (APT34): The most commonly used name attributed by cybersecurity\r\nfirms.\r\nHELIX KITTEN: CrowdStrike designation.\r\nMagic Hound: Used for campaigns targeting specific sectors like energy and\r\ntelecommunications.\r\nCobalt Gypsy: Focus on espionage and disruptive operations.\r\nNation-State Attribution\r\nCountry: Iran\r\nSponsor: Likely linked to Iran’s Ministry of Intelligence and Security (MOIS)\r\nand 
Iranian military organizations.\r\nCore Objectives\r\nCyber-Espionage: Stealing sensitive data from organizations in sectors like\r\nenergy, telecommunications, finance, and government.\r\nOperational Disruption: Targeting infrastructure and operational technology\r\n(OT) systems to disrupt services or gain leverage.\r\nSurveillance: Monitoring and manipulating communications and critical data\r\nfor geopolitical gain.\r\nCore Expertise\r\nNetwork Penetration\r\nHighly skilled in exploiting public-facing vulnerabilities in enterprise\r\nsoftware, IoT/OT devices, and supply chain ecosystems.\r\nDevelopment and use of custom malware like IOControl, OrpraCab, and\r\nQueueCat.\r\nOperational Security (OpSec)\r\nExtensive use of encryption: AES for configuration and storage, and TLS\r\nfor command-and-control (C2) communications.\r\nDNS-over-HTTPS (DoH) using Cloudflare and domain fronting to evade\r\ndetection and attribution.\r\nLightweight IoT and MQTT protocols to blend malicious traffic into\r\nlegitimate IoT network noise.\r\nCustom Toolkit(s)\r\nUse of modular frameworks that allow easy adaptation to new targets.\r\nProficiency in crafting specialized backdoors, like IOControl, optimized for\r\nIoT and Linux ARM devices.\r\nExamples: Karkoff, Stonedrill, Shamoon, DNSpionage, and DownPaper.\r\nTarget Profiling\r\nCapable of deep reconnaissance, gathering system details (e.g., kernel\r\nversions, device models, geolocation) to tailor attacks.\r\nUse of social engineering tactics, spear-phishing campaigns, and watering-hole\r\nattacks for initial access.\r\nCommand and Control (C2)\r\nPrimary Communication Protocols: MQTT over TLS (port 8883/1883): This\r\nprotocol disguises C2 traffic as legitimate IoT messaging.\r\nDNS-over-HTTPS (DoH): Used with services like Cloudflare to encrypt and\r\nobfuscate DNS queries.\r\nAccess Channels\r\nSpear-Phishing: Custom-crafted emails 
targeting specific individuals within\r\nan organization. Example: Using geopolitical or industry-relevant lures to\r\ngain trust and encourage malicious file downloads.\r\nExploitation of Vulnerabilities: Focus on unpatched enterprise software (e.g.,\r\nVPNs, web servers, and email platforms).\r\nEase of IoT/OT device exploitation, leveraging lightweight protocols like\r\nMQTT.\r\nSupply Chain Attacks: Compromising software supply chains to distribute\r\nmalware under the guise of legitimate updates.\r\nExfiltration Methods\r\nEncryption of stolen data before transmission.\r\nUse of legitimate cloud services to exfiltrate data (e.g., Google Drive,\r\nDropbox).\r\nSplitting data into smaller chunks to evade detection.\r\nTools, Techniques, and Procedures (TTPs)\r\nTactics:\r\nMulti-stage attacks involving reconnaissance, exploitation, lateral movement,\r\nand exfiltration.\r\nReliance on stealthy malware and backdoors to maintain persistence.\r\nExtensive use of living-off-the-land techniques to blend into normal network\r\nactivity.\r\nKey Techniques:\r\nPhishing Campaigns: Heavily customized to the target’s industry and region.\r\nCredential Harvesting: Deployment of keyloggers and credential stealers. 
Use\r\nof phishing to obtain VPN and enterprise credentials.\r\nExploitation of Known Vulnerabilities: Common CVEs targeted include VPN\r\nvulnerabilities (e.g., CVE-2019-11510) and flaws in IoT firmware.\r\nLateral Movement: Deployment of tools like PowerShell scripts and\r\nMimikatz for network traversal and privilege escalation.\r\nKnown Malware Families:\r\nStonedrill: Designed for data destruction.\r\nShamoon: Wiper malware used for disruptive campaigns.\r\nDownPaper: A custom backdoor for espionage.\r\nIOControl: Focused on IoT and Linux ARM devices.\r\nDNSpionage: A tool for DNS tunneling and exfiltration.\r\nTechniques for Persistence:\r\nUse of startup scripts (`/etc/rc*.d/`) and PID monitoring to maintain malware\r\npresence.\r\nFrequent updates to malware binaries and configurations.\r\nPotential Partnerships and Affiliations\r\nIranian Government Agencies: Likely collaboration with MOIS for\r\nintelligence-gathering operations.\r\nMilitary Units: Coordination with cyber-military units for operational support\r\nand deployment.\r\nExternal Affiliations:\r\nOther State-Sponsored Groups: Sharing infrastructure and tactics with groups\r\nlike Charming Kitten (APT35).\r\nRegional Alliances: Possible cooperation with proxy groups operating in the\r\nMiddle East.\r\nThird-Party Operators:\r\nContracting freelance hackers or groups with specialized skills in IoT\r\nexploitation and advanced obfuscation techniques.\r\nHistorical Campaigns\r\n2018: Shamoon 3\r\nDisrupted critical infrastructure in the Middle East.\r\nEmployed data-wiping malware to cripple operations.\r\n2020: DNSpionage Campaign\r\nTargeted government and telecommunications entities in the Middle East.\r\nUsed DNS tunneling to exfiltrate data.\r\n2023–2024: IOControl Campaign\r\nFocused on IoT devices and Linux ARM systems.\r\nExploited MQTT and DNS-over-HTTPS for stealthy C2 operations.\r\nCurrent 
Priorities and Strategic Goals\r\nExpanding IoT/OT Targeting: Leveraging lightweight protocols and\r\nexploiting poorly secured devices.\r\nGlobal Espionage: Gathering intelligence on energy production,\r\ntelecommunications, and military activities.\r\nDisruption Campaigns: Targeting critical infrastructure as leverage in\r\ngeopolitical disputes.\r\nKey Indicators of Group Activity\r\nRecommendations for Defense\r\nUnderstanding the operational tactics of IOControl malware helps organizations implement a robust defense\r\nagainst similar threats. By correlating these indicators—unfamiliar binaries and scripts, suspicious domains and\r\nports, hidden persistence mechanisms, and system reconnaissance commands—security professionals can detect,\r\ninvestigate, and mitigate this malware before it causes further harm.\r\n1. Threat Intelligence Integration:\r\nIncorporate these TTPs and IOCs into your SIEM/SOAR platforms and threat feeds.\r\n2. IoT Security:\r\nImplement segmentation and restrict MQTT usage to trusted brokers. Here’s how Armis helps.\r\n3. Proactive Patch Management:\r\nPrioritize vulnerabilities exploited by this group. Here’s how Armis helps.\r\n4. Monitoring C2 Channels:\r\nIdentify DNS-over-HTTPS usage and non-standard domain patterns. 
Here’s how Armis helps.\r\nAbout Armis Labs\r\nArmis Labs, a division of Armis, is a team of seasoned security professionals dedicated to staying ahead of the\r\never-evolving cybersecurity landscape. With a deep understanding of emerging threats and cutting-edge\r\nmethodologies, Armis Labs empowers organizations with unparalleled visibility and expertise to protect against\r\nthe evolving threats that matter most, including IOControl.\r\nArmis Labs security practitioners use cutting-edge technology that includes dynamic honeypots, incident\r\nforensics, reverse engineering, dark web monitoring, and human intelligence to proactively identify and mitigate\r\nthreats before they manifest. Leveraging advanced AI/ML technologies, Armis Labs’ proactive threat detection\r\ncapabilities enable organizations to stay one step ahead of cyber adversaries, minimizing the risk of potential\r\nbreaches while stopping potential damage before it occurs.\r\nContact us to discuss how we can help improve your defensive security posture by ensuring your entire attack\r\nsurface is defended and managed in real-time.\r\nSource: https://www.armis.com/blog/iocontrol-malware-whats-new-whats-not/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.armis.com/blog/iocontrol-malware-whats-new-whats-not/"
	],
	"report_names": [
		"iocontrol-malware-whats-new-whats-not"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5484a633-c850-4380-921b-72fce1a32e72",
			"created_at": "2024-01-18T02:02:34.026014Z",
			"updated_at": "2026-04-10T02:00:04.636248Z",
			"deleted_at": null,
			"main_name": "CyberAv3ngers",
			"aliases": [],
			"source_name": "ETDA:CyberAv3ngers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b125b5c1-1431-4880-9ab8-582a583811ea",
			"created_at": "2024-04-24T02:00:49.643067Z",
			"updated_at": "2026-04-10T02:00:05.421434Z",
			"deleted_at": null,
			"main_name": "CyberAv3ngers",
			"aliases": [
				"CyberAv3ngers",
				"Soldiers of Soloman"
			],
			"source_name": "MITRE:CyberAv3ngers",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8d76e350-dfb5-4733-800d-876de41f690d",
			"created_at": "2023-01-06T13:46:38.841887Z",
			"updated_at": "2026-04-10T02:00:03.119083Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [
				"COBALT EDGEWATER"
			],
			"source_name": "MISPGALAXY:DNSpionage",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4632103e-8035-4a83-9ecb-c1e12e21288c",
			"created_at": "2022-10-25T16:07:23.542255Z",
			"updated_at": "2026-04-10T02:00:04.64888Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [],
			"source_name": "ETDA:DNSpionage",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"CACTUSPIPE",
				"DNSpionage",
				"DropperBackdoor",
				"Karkoff",
				"MailDropper",
				"OILYFACE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434747,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7410511a120ebdd2f631f40eb2275ab1a79f20f3.pdf",
		"text": "https://archive.orkl.eu/7410511a120ebdd2f631f40eb2275ab1a79f20f3.txt",
		"img": "https://archive.orkl.eu/7410511a120ebdd2f631f40eb2275ab1a79f20f3.jpg"
	}
}