{
	"id": "cef18155-7070-489d-8b92-5c891a6a6076",
	"created_at": "2026-04-06T00:12:17.021434Z",
	"updated_at": "2026-04-10T03:38:19.844577Z",
	"deleted_at": null,
	"sha1_hash": "74430c4f1aea763673aabc2d2f4c9d8b4e5c63dd",
	"title": "Insights on Cyber Threats Targeting Users and Enterprises in Brazil",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 808195,
	"plain_text": "Insights on Cyber Threats Targeting Users and Enterprises in\r\nBrazil\r\nBy Threat Analysis Group, Mandiant\r\nPublished: 2024-06-12 · Archived: 2026-04-05 13:41:29 UTC\r\nThreat Analysis Group\r\nMandiant\r\nWritten by: Kristen Dennesen, Luke McNamara, Dmitrij Lenz, Adam Weidemann, Aline Bueno\r\nNote: A Portuguese-language version of this blog post is available.\r\nIndividuals and organizations in Brazil face a unique cyber threat landscape because it is a complex interplay of\r\nglobal and local threats, posing significant risks to individuals, organizations, and critical sectors of Brazilian\r\nsociety. Many of the cyber espionage threat actors that are prolific in campaigns across the globe are also active in\r\ncarrying out attempted intrusions into critical sectors of Brazilian society. Brazil also faces threats posed by the\r\nworldwide increase in multifaceted extortion, as ransomware and data theft continue to rise. At the same time, the\r\nthreat landscape in Brazil is shaped by a domestic cybercriminal market, where threat actors coordinate to carry\r\nout account takeovers, conduct carding and fraud, deploy banking malware and facilitate other cyber threats\r\ntargeting Brazilians. The rise of the Global South, with Brazil at the forefront, marks a significant shift in the\r\ngeopolitical landscape; one that extends into the cyber realm. As Brazil's influence grows, so does its digital\r\nfootprint, making it an increasingly attractive target for cyber threats originating from both global and domestic\r\nactors.\r\nThis blog post brings together Google’s collective understanding of the Brazilian threat landscape, combining\r\ninsights from Google’s Threat Analysis Group (TAG) and Mandiant’s frontline intelligence. 
As Brazil’s economic and geopolitical role in global affairs continues to rise, threat actors with an array of motivations will further seek opportunities to exploit the digital infrastructure that Brazilians rely upon across all aspects of society. By sharing our global perspective, we hope to enable greater resiliency in mitigating these threats.\r\nGoogle uses the results of our research to improve the safety and security of our products, making them secure by default. Chrome OS has built-in and proactive security to protect from ransomware, and there have been no reported ransomware attacks ever on any business, education, or consumer Chrome OS device. Google security teams continuously monitor for new threat activity, and all identified websites and domains are added to Safe Browsing to protect users from further exploitation. We deploy and constantly update Android detections to protect users' devices and prevent malicious actors from publishing malware to the Google Play Store. We send targeted Gmail and Workspace users government-backed attacker alerts, notifying them of the activity and encouraging potential targets to enable Enhanced Safe Browsing for Chrome and ensure that all devices are updated.\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-targeting-brazil\r\nPage 1 of 11\r\nCyber Espionage Operations Targeting Brazil\r\nBrazil’s status as a globally influential power and the largest economy in South America has drawn attention from cyber espionage actors for several years, including targeting by government-backed groups from the People’s Republic of China (PRC), Russia, and North Korea.\r\nSince 2020, cyber espionage groups from more than a dozen countries have targeted users in Brazil; however, more than 85% of government-backed phishing activity is concentrated among groups from the PRC, North Korea, and Russia. 
The Brazil-focused targeting of these groups mirrors the broader priorities and industry targeting trends we see elsewhere. North Korean government-backed groups, for example, have shown a keen interest in Brazilian cryptocurrency firms, aerospace and defense, and government targets. PRC groups, meanwhile, have targeted Brazilian government organizations, as well as the energy sector. Russian cyber espionage groups have targeted users in Brazil regularly dating back more than a decade; however, since the start of Russia’s war in Ukraine, Russian activity targeting Brazil has scaled back considerably, likely an indication of Russia’s efforts to focus resources on Ukrainian and NATO targets.\r\nThe examples here highlight recent and historical cases where cyber espionage actors have targeted users and organizations in Brazil. It should be noted that these campaigns describe targeting and do not indicate successful compromise or exploitation.\r\nPRC Cyber Espionage Activity Targeting Brazil\r\nCyber espionage activity linked to the People’s Republic of China (PRC) targeting Brazil dates back more than a decade. Since 2020, we have observed 15 PRC cyber espionage groups targeting users in Brazil, and these groups have accounted for over 40% of government-backed phishing activity targeting Brazil. As the largest recipient of Chinese investment in Latin America, Brazil sees a volume of PRC cyber espionage reminiscent of activity in other regions where Chinese government investment has been focused, such as countries within China’s Belt and Road Initiative. In addition to activity targeting Gmail users, PRC groups have targeted Brazil’s military, national government, diplomatic organizations, and the provincial governments of multiple Brazilian states. 
These groups have targeted users in Brazil using tactics ranging from phishing to malware distribution and exploitation of known vulnerabilities.\r\nIn August 2023, for example, Google detected a campaign from a PRC group that targeted nearly two hundred users in a Brazilian executive branch organization. The phishing emails contained links to an encrypted ZIP archive hosted on a known phishing domain. Organizations in Brazil’s state governments have also been a target. In late 2022, PRC actors used an operational relay box (ORB) network to anonymize their activity and attempted to send a mass phishing campaign to nearly two thousand email addresses, including 70 email addresses in the .br ccTLD, the majority of which belonged to Brazilian state government organizations. The mass email, which Gmail blocked, contained a malicious TAR attachment designed to exploit CVE-2022-41352, an n-day vulnerability in the Zimbra Collaboration Suite that enables an attacker to upload arbitrary files and gain unauthorized access to other user accounts. The archive is unpacked server-side by Zimbra’s Amavis content filter during scanning (affected installations fell back to cpio, an extractor that honours path traversal), so no action by the recipient was needed for the payload to be written to disk. The campaign targeted organizations globally and appeared opportunistic: most of the emails were addressed to a generic administrator mailbox (e.g., admin@[domain].gov.br).\r\nPRC cyber espionage activity against local and provincial entities is of note in light of campaigns by threat actors such as UNC4841 that have focused on similar targets globally, including in Brazil. 
As part of their exploitation of the Barracuda Email Security Gateway in 2023, UNC4841 targeted a Brazilian business association focused on promoting state-level commerce across several industries.\r\nPhishing pages created by PRC cyber espionage groups targeting Brazil’s government\r\nNorth Korean Government-Backed Groups Targeting Brazil\r\nSince 2020, North Korean cyber actors have accounted for approximately a third of government-backed phishing activity targeting Brazil. North Korean government-backed actors have targeted the Brazilian government and Brazil’s aerospace, technology, and financial services sectors. Similar to their targeting interests in other regions, cryptocurrency and financial technology firms have been a particular focus, and at least three North Korean groups have targeted Brazilian cryptocurrency and fintech companies.\r\nIn early 2024, PUKCHONG (UNC4899) targeted cryptocurrency professionals in multiple regions, including Brazil, using a Python app that was trojanized with malware. To deliver the malicious app, PUKCHONG reached out to targets via social media and sent a benign PDF containing a job description for an alleged job opportunity at a well-known cryptocurrency firm. If the target replied with interest, PUKCHONG sent a second benign PDF with a skills questionnaire and instructions for completing a coding test. The instructions directed users to download and run a project hosted on GitHub. 
The project was a trojanized Python app for retrieving cryptocurrency prices that was modified to reach out to an attacker-controlled domain to retrieve a second-stage payload if specific conditions were met.\r\nPUKCHONG (UNC4899) sent targets instructions to download a trojanized Python app from GitHub\r\nNorth Korean government-backed groups have also in the past targeted Brazil’s aerospace and defense industry. In one example, PAEKTUSAN created an account impersonating an HR director at a Brazilian aerospace firm and used it to send phishing emails to employees at a second Brazilian aerospace firm. In a separate campaign, PAEKTUSAN masqueraded as a recruiter at a major US aerospace company and reached out to professionals in Brazil and other regions via email and social media about prospective job opportunities. Google blocked the emails, which contained malicious links to a DOCX file containing a job posting lure that dropped AGAMEMNON, a downloader written in C++. The attacker also likely attempted to deliver the malware via messages on social media and chat applications like WhatsApp. The campaigns were consistent with Operation Dream Job and activity previously described by Google. In both campaigns, we also sent users government-backed attacker alerts notifying them of the activity and sharing information about how to keep their accounts safe.\r\nOne North Korean group, PRONTO, concentrates on targeting diplomats globally, and their targets in Brazil follow this pattern. 
In one case, Google blocked a campaign that used a denuclearization-themed phishing lure and the group’s typical phishing kit: a fake PDF viewer that presents users with a login prompt to enter their credentials in order to view the lure document. In another case, PRONTO used North Korea news-themed lures to direct diplomatic targets to credential harvesting pages.\r\nOne of the emerging trends we are witnessing globally in North Korean threat activity today is the insider threat posed by North Korean nationals surreptitiously gaining employment at corporations in various IT roles. Though we have not yet observed direct connections between any of these North Korean IT workers and Brazilian enterprises, we note the potential for this to present a future risk given the growing startup ecosystem in Brazil, historical activity by North Korean threat actors in Brazil, and the scale of this problem.\r\nDiminished Activity From Russia Since Start of Ukraine War\r\nActivity by Russian government-backed groups targeting Brazil has diminished significantly since the start of the war in Ukraine. Of the seven Russia-backed groups observed targeting Brazil, one group, APT28 (aka FROZENLAKE), accounts for over 95% of the phishing activity targeting users in Brazil. APT28’s targeting of Brazil dates back more than a decade, and Brazilian users have regularly been a target in the group’s frequent phishing campaigns. In late 2021, more than 200 Brazil-based users were targeted in large-scale phishing campaigns by APT28. In those campaigns, which took place over several days between September and October 2021, APT28 sent credential phishing emails to over 14,000 recipients globally. 
Following late 2021, Russian groups have not targeted Brazil on a regular basis, a shift likely due at least in part to Russia’s efforts to prioritize cyber operations focused on Ukraine and NATO.\r\nBrazil’s Unique Cybercrime Ecosystem\r\nFinancially motivated threat activity represents a constant, serious threat to users and organizations in Brazil. Notably, we have observed a variety of operations, including ransomware and data theft extortion as well as underground forum and social media advertisements for access to malicious insiders, databases, sensitive information, and specialized tools to compromise Brazilian users and institutions.\r\nAlthough cybercriminal actors focused on financial gain represent a transnational threat and emanate from all corners of the globe, particular communities sometimes spring up with more localized characteristics. For example, Russian-language-only forums in the eastern European underground market ecosystem shape the flow of malware, the data offered for sale, and the formation of criminal relationships. Similarly in Brazil, Brazilian Portuguese-specific cybercriminal communities enable a localized and domestic threat.\r\nBrazilian Cybercrime Communities\r\nMandiant’s insights into advertisements and discussions within the Brazilian Portuguese-language underground marketplace over the past year illustrate that these actors have access to a variety of malicious tools and products, including the compromise and sale of payment card data, credentials, and sensitive databases; phishing; development and sale of remote access trojans (RATs); insider access; and mobile threats.
\r\nNotably, these actors rely significantly less on traditional underground forums, which are the most common platforms used in other regions, and tend to rely on alternatives such as mobile apps and social media, particularly Telegram and WhatsApp.\r\nThe technical capability of actors engaged in cybercrime activity is generally low to moderate relative to underground communities in other regions. Consistent with past trends, we continue to see threat actors from Latin American underground communities primarily advertise products designed to target their own region. Notably, more experienced members of the Brazilian Portuguese-language cybercrime underground often appear willing to teach and mentor less skilled and/or new actors. While some actors charge for this, others offer this help and support for free. Teaching less experienced members for free can help the mentor improve their reputation, grow their group's membership, and demonstrate their own skills and knowledge.\r\nMalware Targeting PIX Interbank Transfer System\r\nWe have observed Latin America-based threat actors leverage and target country-specific payment platforms, either to facilitate sales of services or to target payment information from victims. In the case of Brazil, such activity has focused on Pix, an instant payment platform created and managed by the Brazilian Central Bank. Pix enables instant payments and transfers between bank accounts within seconds using a key, and it is one of the most common methods of payment in Brazil. 
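The Pix 'copia e cola' string that the clipboard-hijacking malware covered in this section replaces is an EMV merchant-presented BR Code: a TLV string in which tag 26 carries the Pix GUI br.gov.bcb.pix and the recipient key, tag 59 the merchant name, and tag 63 a CRC-16/CCITT-FALSE over everything before it. The block below is an added example and is not code from the original post. It builds a constructed payload, parses it back, and shows why the CRC cannot reveal a swapped key (a hijacker simply recomputes it), so the only meaningful client-side check is comparing the parsed recipient with the one the payer intended. All keys and merchant names ending in .invalid are placeholders.

```python
# Added example, not code from the original post. Parses and verifies a
# Pix 'copia e cola' BR Code (EMV merchant-presented TLV) and checks the
# recipient against the one the payer intended. All keys and merchant
# names used with it are constructed placeholders.


def crc16_ccitt_false(data):
    '''CRC-16/CCITT-FALSE as mandated by EMV MPM and the Pix BR Code:
    polynomial 0x1021, initial value 0xFFFF, no reflection, no final XOR.
    Returns four upper-case hex digits, the form used in tag 63.'''
    crc = 0xFFFF
    for byte in data.encode('utf-8'):
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return '%04X' % crc


def parse_tlv(payload):
    '''Split an EMV TLV string (2-digit tag, 2-digit length, value) into an
    ordered list of (tag, value) pairs; raises ValueError on truncation.'''
    out, i = [], 0
    while i < len(payload):
        tag, length = payload[i:i + 2], payload[i + 2:i + 4]
        if len(length) < 2 or not length.isdigit():
            raise ValueError('truncated TLV header at offset %d' % i)
        n = int(length)
        value = payload[i + 4:i + 4 + n]
        if len(value) != n:
            raise ValueError('TLV value shorter than declared at offset %d' % i)
        out.append((tag, value))
        i += 4 + n
    return out


def build_brcode(pix_key, merchant_name, city, amount=None):
    '''Assemble a static Pix BR Code. Used here only to build sample input;
    values must stay under 100 characters for the 2-digit length field.'''
    def tlv(tag, value):
        return '%s%02d%s' % (tag, len(value), value)
    account = tlv('00', 'br.gov.bcb.pix') + tlv('01', pix_key)
    fields = [tlv('00', '01'), tlv('26', account), tlv('52', '0000'),
              tlv('53', '986')]                      # currency 986 = BRL
    if amount is not None:
        fields.append(tlv('54', amount))
    fields += [tlv('58', 'BR'), tlv('59', merchant_name), tlv('60', city),
               tlv('62', tlv('05', '***'))]          # txid '***' = none
    body = ''.join(fields) + '6304'                   # CRC covers '6304' too
    return body + crc16_ccitt_false(body)


def parse_brcode(code):
    '''Return the recipient key, merchant name/city, amount and whether the
    CRC in tag 63 (which the standard requires to be last) matches.'''
    fields = dict(parse_tlv(code))
    if len(fields.get('63', '')) != 4:
        raise ValueError('missing or malformed CRC (tag 63)')
    account = dict(parse_tlv(fields.get('26', '')))
    if account.get('00', '').lower() != 'br.gov.bcb.pix':
        raise ValueError('tag 26 does not carry the Pix GUI')
    return {
        'key': account.get('01'),          # None for dynamic codes (tag 25 URL)
        'name': fields.get('59'),
        'city': fields.get('60'),
        'amount': fields.get('54'),
        'crc_ok': fields['63'].upper() == crc16_ccitt_false(code[:-4]),
    }


def clipboard_swap_detected(expected_key, clipboard_text):
    '''True when the pasted code is well formed but pays someone other than
    expected_key. A clipboard hijacker recomputes the CRC after swapping the
    key, so a valid CRC is no evidence of integrity; only the recipient is.'''
    parsed = parse_brcode(clipboard_text.strip())
    return parsed['crc_ok'] and (parsed['key'] or '').lower() != expected_key.lower()
```

A payment app or browser extension would call clipboard_swap_detected with the key the user just copied (or chose from a contact list) and the current clipboard contents immediately before confirming a transfer; a dynamic code with no key in tag 26 is also flagged, since the user expected a static key.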
\r\nOpen source reporting indicates that threat actors as recently as late 2023 were distributing malware called “GoPix” to Pix users via malicious advertisements (“malvertising”). The reported functionality of this malware includes hijacking the clipboard for Pix or cryptocurrency transactions, replacing the Pix string or wallet address with one controlled by the attacker.\r\nUNC5176 Distributes URSA Malware\r\nAnother group that has historically targeted users and enterprises across Latin America is UNC5176, a suspected Brazil-based threat cluster that distributes malware targeting users of Latin American and Spanish banks, including in Brazil. In late April 2024, Mandiant observed a UNC5176 campaign distributing URSA to victim organizations in sectors such as financial services, healthcare, retail, and hospitality. In this recent campaign Mandiant did not observe targeting of entities in Brazil. URSA is a backdoor that is capable of stealing login credentials for various banks, cryptocurrency websites, and email clients. UNC5176 uses email and malvertising campaigns to compromise users, typically delivering emails with an attached ZIP file that contains a malicious HTA file. When opened, the HTA file drops a VBS file that connects to a C2 and downloads a second-stage VBS file. The downloaded VBS file contains guardrails, including anti-VM/sandbox and OS language checks; if the checks pass, it initiates connections to the C2 and a URSA payload is downloaded and executed.\r\nBeyond Borders: Multifaceted Extortion’s Impact on Brazil\r\nWhile many of the financially motivated cyber threats impacting Brazil originate domestically, Brazil also faces global risks such as ransomware and data theft as a means of extortion. 
While the most prolific multifaceted extortion campaigns continue to focus on North America and Europe, these threat actors have also exploited Brazil. For example, based on analysis of alleged victims listed on the data leak site of the ransomware-as-a-service (RaaS) operation RANSOMHUB, its second most targeted country by listed victims is Brazil, after the United States. RANSOMHUB’s ransomware operations have impacted organizations across multiple geographic regions, spanning almost every industry vertical. Since January 2023, across the data leak sites (DLS) that Mandiant tracks, the most targeted verticals for enterprises based in Brazil were technology, healthcare, and financial services.\r\nImpersonating Official Government Services to Distribute Malware\r\nMalware distribution campaigns targeting Brazilians frequently use tax- and finance-themed lures to convince recipients to open malicious links or files. One financially motivated group we track, PINEAPPLE, regularly masquerades as Brazil’s revenue service, Receita Federal do Brasil, in spam campaigns that attempt to convince users to install the Astaroth infostealer. The overwhelming majority of these campaigns were blocked on arrival for Gmail and Workspace users. The campaigns often spoof Receita Federal’s legitimate email address, receita@gov[.]br, and use different techniques to convince email gateways the email is authentic: for example, relaying through mail forwarding services, which do not drop messages with failed SPF records, or placing unexpected data in the SMTP Return-Path field to trigger a DNS request timeout so that the SPF check cannot complete and returns a temporary error rather than a fail. Both tricks work only against gateways that treat anything other than an explicit SPF fail as acceptable; SPF evaluates the envelope sender (Return-Path) domain, not the visible From: header, so a forwarded message can pass SPF for the forwarder’s domain while still claiming to be from receita@gov[.]br. 
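One way to see why both evasions work, and what a fail-closed policy looks like, is to classify each message by its SPF result and by whether the authenticated domain aligns with the From: domain, which is the test DMARC standardises. The block below is an added example, not code from the original post. Its header samples are constructed to mirror the two tricks described above, every host name ending in .invalid is a placeholder, and gov.br is the only protected sender because it is the domain this section says PINEAPPLE spoofs.

```python
# Added example, not code from the original post. Classifies inbound mail
# from a spoofable sender domain by SPF result and envelope/From alignment.
# Header samples are constructed to mirror the two evasions described above;
# every host name ending in .invalid is a placeholder.
from email.utils import parseaddr

PROTECTED_SENDERS = {'gov.br'}   # From: domains worth impersonating (the page names receita@gov.br)


def domain_of(address):
    '''Domain part of an RFC 5322 address, lower-cased; empty if absent.'''
    return parseaddr(address)[1].rpartition('@')[2].lower()


def parse_auth_results(header):
    '''Parse an Authentication-Results header (RFC 8601) into
    {method: {'result': ..., property: value, ...}}, skipping the
    parenthesised comments MTAs insert, e.g. spf=temperror (DNS timeout).'''
    results = {}
    for clause in header.split(';')[1:]:          # clause 0 is the authserv-id
        tokens = clause.replace('(', ' (').split()
        if not tokens or '=' not in tokens[0]:
            continue
        method, _, result = tokens[0].partition('=')
        entry, in_comment = {'result': result.lower()}, False
        for tok in tokens[1:]:
            if tok.startswith('('):
                in_comment = True
            if in_comment:
                in_comment = not tok.endswith(')')
                continue
            if '=' in tok:
                prop, _, value = tok.partition('=')
                entry[prop.lower()] = value.lower()
        results[method.lower()] = entry
    return results


def aligned(candidate, from_domain):
    '''DMARC-style relaxed alignment: same domain or a subdomain of it.'''
    return bool(candidate) and (candidate == from_domain or candidate.endswith('.' + from_domain))


def classify(headers, fail_closed=True):
    '''Return 'deliver' or 'quarantine' for one message.

    fail_closed=False reproduces the gateway behaviour the campaigns exploit:
    anything that is not an explicit SPF fail is accepted.
    fail_closed=True requires an authenticated identity aligned with a
    protected From: domain, so temperror/none results and forwarder passes
    are held for review.'''
    from_domain = domain_of(headers.get('From', ''))
    if from_domain not in PROTECTED_SENDERS:
        return 'deliver'                           # out of scope for this policy
    envelope_domain = domain_of(headers.get('Return-Path', ''))
    auth = parse_auth_results(headers.get('Authentication-Results', ''))
    spf = auth.get('spf', {}).get('result', 'none')
    dkim = auth.get('dkim', {})
    if spf == 'pass' and aligned(envelope_domain, from_domain):
        return 'deliver'
    if dkim.get('result') == 'pass' and aligned(dkim.get('header.d', ''), from_domain):
        return 'deliver'                           # origin signature survives forwarding
    if spf in ('fail', 'softfail'):
        return 'quarantine'                        # both policies reject an explicit fail
    # Remaining cases: SPF pass for an unrelated envelope domain (forwarder),
    # temperror from a DNS timeout, permerror, or no SPF record at all.
    return 'quarantine' if fail_closed else 'deliver'


# Constructed samples, not real traffic.
LEGITIMATE = {
    'From': 'Receita Federal <receita@gov.br>',
    'Return-Path': '<receita@gov.br>',
    'Authentication-Results': 'mx.example.invalid; spf=pass smtp.mailfrom=receita@gov.br; dkim=pass header.d=gov.br',
}
# Trick 1: relayed through a forwarding service. SPF passes, but for the
# forwarder envelope domain, which says nothing about the From: header.
FORWARDED_SPOOF = {
    'From': 'Receita Federal <receita@gov.br>',
    'Return-Path': '<bounce-7f3a@fwd.example.invalid>',
    'Authentication-Results': 'mx.example.invalid; spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounce-7f3a@fwd.example.invalid; dkim=none',
}
# Trick 2: a Return-Path built so the SPF lookup times out; the evaluator
# reports temperror, which a fail-open gateway treats like a pass.
TIMEOUT_SPOOF = {
    'From': 'Receita Federal <receita@gov.br>',
    'Return-Path': '<nfe@' + 'x' * 60 + '.example.invalid>',
    'Authentication-Results': 'mx.example.invalid; spf=temperror (DNS timeout) smtp.mailfrom=nfe@' + 'x' * 60 + '.example.invalid; dkim=none',
}
```

A production gateway should feed classify with the results of its own SPF and DKIM evaluation rather than trusting an inbound Authentication-Results header, which an external sender can forge unless the receiving MTA strips it. The point of the example is the last branch: with fail_closed=False both the forwarder pass and the temperror are delivered, with fail_closed=True both are held, and the legitimate message is delivered under either policy because its envelope domain and DKIM signature align with gov.br.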
\r\nIn one recent campaign blocked by Gmail, PINEAPPLE’s spam emails impersonated Brazil’s finance ministry and directed recipients to a social engineering page that mimicked the Brazilian government’s electronic tax document system (Portal da Nota Fiscal Eletrônica). The site directed visitors to click a button to view an electronic tax document generated by the system. If clicked, the link directed users to an LNK payload hosted on an attacker-controlled IP address. In a likely effort to evade detection, the attackers incorporated multiple legitimate services into the campaign. Links on the social engineering site used the ms-search:// protocol to direct users to the attackers’ IP address, and the threat actors hosted their site on GCP Cloud Run. Google disabled the malicious Cloud Run site and suspended the associated GCP project.\r\nSocial engineering page impersonating the Brazilian government’s electronic tax document system (Portal da Nota Fiscal Eletrônica)\r\nAbusing Legitimate Cloud Services to Distribute Astaroth Infostealer\r\nPINEAPPLE often abuses legitimate cloud services in their attempts to distribute malware to users in Brazil. The group has experimented with a number of cloud platforms, including Google Cloud, Amazon AWS, Microsoft Azure and others.\r\nIn 2023, teams across Google worked together to disrupt PINEAPPLE’s misuse of Google Cloud Run and Cloud Functions. In those campaigns, PINEAPPLE used compromised Google Cloud instances and Google Cloud projects they created themselves to create their own Google Cloud container URLs hosted on legitimate GCP domains such as cloudfunctions.net and run.app. The URLs hosted landing pages that then redirected targets to malicious infrastructure that dropped the Astaroth infostealer. 
Upon discovery, Google disabled the malicious Cloud Run and Cloud Functions sites and suspended the associated GCP projects. We also increased our detection and response coverage and implemented product-level security improvements to significantly increase the difficulty of our platforms being used by this threat actor. These mitigation measures reduced the volume of the Astaroth campaigns by 99% compared to the campaign’s peak.\r\nPINEAPPLE reacts quickly and iteratively adapts their TTPs in response to new detections. Following the disruption of their scaled abuse campaigns, PINEAPPLE’s abuse of Cloud Run has continued intermittently at lower volumes. The group has also experimented with other cloud services, including Google Compute Engine. Similar to their past campaigns, PINEAPPLE distributed malicious links via email. The GCE links were configured to serve an unencrypted payload such as a ZIP archive, an LNK file, or other, lesser-known file types. Google Cloud Trust \u0026 Safety suspended PINEAPPLE’s attacker-operated GCP projects. Shortly thereafter, the group began experimenting with other cloud platforms including Microsoft and Tencent.\r\nRecent PINEAPPLE campaigns in May and June 2024 continued to spoof Receita Federal and hosted landing pages on dedicated virtual servers created through GoDaddy’s reverse IP hostname service. In other recent cases, PINEAPPLE has used mail forwarding services to send emails that appear to come from WhatsApp. We continue to monitor their campaigns and regularly update Google’s protections to ensure users are protected.\r\nCredential Phishing\r\nCredential phishing is also a common threat affecting users and organizations in Brazil. 
In 2023, for example, Google disrupted phishing activity hosted on GCP serverless projects that were being used to harvest credentials for one of Latin America's largest online payment platforms. The pages were operated by a Latin America-based financially motivated actor, FLUXROOT, a group best known for their distribution of the Grandoreiro banking malware. Upon discovering the FLUXROOT sites, we updated detection signatures and added the sites to the Safe Browsing blocklist. More recently, FLUXROOT has continued distribution of Grandoreiro, using cloud services such as Azure and Dropbox to serve the malware.\r\nCredential harvesting page hosted on GCP serverless project\r\nConclusion\r\nAs Brazil continues to grow in economic and geopolitical significance, it will remain an attractive target for threat actors driven by diverse motivations. The country’s digital landscape is a complex arena, developed and expanded over the years by a convergence of both global and local threats. Global cyber espionage actors from North Korea, the People’s Republic of China (PRC), and Russia as well as multinational cybercriminals pose longstanding threats, and Brazil's domestic cybercriminal market remains a persistent challenge, increasing the complexity of this dynamic landscape. To effectively safeguard Brazilian enterprises and users, it is important to understand this unique interplay of threats and adopt a proactive approach to cybersecurity.\r\nWe hope the analysis and research here helps to inform defenders in Brazil, providing fresh insights for collective defense. 
At Google, we are committed to supporting the safety and security of online users everywhere and will continue to take action to disrupt malicious activity to protect our users and help make the Internet safe for all.\r\nIndicators of Compromise (IOCs)\r\nHost-Based Indicators (HBIs)\r\nFilename | SHA256 | Description\r\nQuestion Sheet.pdf | e9841e5c218611add64c07b6d6e8b2f2a899ee32da2bb0326238b332f34bd045 | Benign PDF delivered in PUKCHONG social engineering activity targeting cryptocurrency firms\r\n0tiukr.verdelimp.com518.429006.45528.lnk | 38fad88f0fefb385fdfba2e0be28a1fe6302387bc4a0a9f8b010cca09836361d | Malicious LNK dropped in PINEAPPLE campaigns\r\nNFe92759625212697.115112.62531.lnk | 57a0a64ff7d5ca462fe18857f552ab186d118a80ecad741be62ee16e500ac424 | Malicious LNK dropped in PINEAPPLE campaigns\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-targeting-brazil",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-targeting-brazil"
	],
	"report_names": [
		"cyber-threats-targeting-brazil"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2c3c22a-b3db-4d4a-9a5a-76bfe6171843",
			"created_at": "2023-11-21T02:00:07.315543Z",
			"updated_at": "2026-04-10T02:00:03.461446Z",
			"deleted_at": null,
			"main_name": "UNC4841",
			"aliases": [
				"SLIME57"
			],
			"source_name": "MISPGALAXY:UNC4841",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0106b19a-ac99-4bc9-90b9-4647bfc5f3ce",
			"created_at": "2023-11-08T02:00:07.144995Z",
			"updated_at": "2026-04-10T02:00:03.425891Z",
			"deleted_at": null,
			"main_name": "TraderTraitor",
			"aliases": [
				"Pukchong",
				"Jade Sleet",
				"UNC4899"
			],
			"source_name": "MISPGALAXY:TraderTraitor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434337,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/74430c4f1aea763673aabc2d2f4c9d8b4e5c63dd.pdf",
		"text": "https://archive.orkl.eu/74430c4f1aea763673aabc2d2f4c9d8b4e5c63dd.txt",
		"img": "https://archive.orkl.eu/74430c4f1aea763673aabc2d2f4c9d8b4e5c63dd.jpg"
	}
}