{
	"id": "442711d3-002f-439b-af7a-e2be33f1cc78",
	"created_at": "2026-04-06T00:17:07.482247Z",
	"updated_at": "2026-04-10T03:37:51.373323Z",
	"deleted_at": null,
	"sha1_hash": "76cd7f35cc8501451368d39fb6d2f513b6958975",
	"title": "BazarBackdoor (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 320754,
	"plain_text": "BazarBackdoor (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 21:20:10 UTC\r\nBazarBackdoor is a small backdoor, probably by a TrickBot \"spin-off\" like anchor. It's called team9 backdoor (and\r\nthe corresponding loader: team9 restart loader).\r\nFor now, it exclusively uses Emercoin domains (.bazar), thus the naming. FireEye uses KEGTAP as name for\r\nBazarLoader and BEERBOT for BazarBackdoor.\r\n2023-02-03 ⋅ Mandiant ⋅ Genevieve Stark, Kimberly Goody\r\nFloat Like a Butterfly Sting Like a Bee\r\nBazarBackdoor BumbleBee Cobalt Strike 2022-12-06 ⋅ EuRepoC ⋅ Camille Borrett, Kerstin Zettl-Schabath, Lena Rottinger\r\nConti/Wizard Spider\r\nBazarBackdoor Cobalt Strike Conti Emotet IcedID Ryuk TrickBot WIZARD SPIDER 2022-11-21 ⋅ Palo Alto Networks\r\nUnit 42 ⋅ Kristopher Russo\r\nThreat Assessment: Luna Moth Callback Phishing Campaign\r\nBazarBackdoor Conti Luna Moth 2022-10-06 ⋅ Trellix ⋅ Daksh Kapur\r\nEvolution of BazarCall Social Engineering Tactics\r\nBazarBackdoor BazarCall 2022-08-06 ⋅ MalwareBookReports ⋅ muzi\r\nA LOOK BACK AT BAZARLOADER’S DGA\r\nBazarBackdoor 2022-08-03 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan\r\nFlight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware\r\nBazarBackdoor BumbleBee Cobalt Strike Conti 2022-06-24 ⋅ Palo Alto Networks Unit 42 ⋅ Mark Lim, Riley Porter\r\nThere Is More Than One Way to Sleep: Dive Deep Into the Implementations of API Hammering by Various\r\nMalware Families\r\nBazarBackdoor Zloader 2022-06-21 ⋅ McAfee ⋅ Lakshya Mathur\r\nRise of LNK (Shortcut files) Malware\r\nBazarBackdoor Emotet IcedID QakBot 2022-06-15 ⋅ AttackIQ ⋅ AttackIQ Adversary Research Team, Jackson Wells\r\nAttack Graph Emulating the Conti Ransomware Team’s Behaviors\r\nBazarBackdoor Conti TrickBot 2022-06-12 ⋅ cocomelonc\r\nMalware development: persistence - part 7. Winlogon. 
Simple C++ example.\r\nBazarBackdoor Gazer TurlaRPC Turla SilentMoon 2022-05-27 ⋅ 0ffset Blog ⋅ Chuong Dong\r\nBAZARLOADER: Analysing The Main Loader\r\nBazarBackdoor 2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center\r\n(MSTIC)\r\nRansomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself\r\nAnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon\r\nATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi\r\nHelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor\r\nPage 1 of 8\n\nPhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT 2022-05-09 ⋅\r\nMicrosoft Security ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center\r\nRansomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself\r\nGriffon BazarBackdoor BlackCat BlackMatter Blister Gozi LockBit Pandora Rook SystemBC TrickBot 2022-04-29\r\n⋅ NCC Group ⋅ Mike Stokkel, Nikolaos Pantazopoulos, Nikolaos Totosis\r\nAdventures in the land of BumbleBee – a new malicious loader\r\nBazarBackdoor BumbleBee Conti 2022-04-25 ⋅ paloalto Networks Unit 42 ⋅ Mark Lim\r\nDefeating BazarLoader Anti-Analysis Techniques\r\nBazarBackdoor 2022-04-19 ⋅ 0ffset Blog ⋅ Chuong Dong\r\nBAZARLOADER: Unpacking An ISO File Infection\r\nBazarBackdoor 2022-04-18 ⋅ AdvIntel ⋅ Vitali Kremez, Yelisey Boguslavskiy\r\nEnter KaraKurt: Data Extortion Arm of Prolific Ransomware Group\r\nAvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive Karakurt 2022-04-17 ⋅ BushidoToken\r\nBlog ⋅ BushidoToken\r\nLessons from the Conti Leaks\r\nBazarBackdoor Conti Emotet IcedID Ryuk TrickBot 2022-04-15 ⋅ Bleeping Computer ⋅ Ionut Ilascu\r\nKarakurt revealed as 
data extortion arm of Conti cybercrime syndicate\r\nAnchor BazarBackdoor Conti TrickBot 2022-04-05 ⋅ Intel 471 ⋅ Intel 471\r\nMove fast and commit crimes: Conti’s development teams mirror corporate tech\r\nBazarBackdoor TrickBot 2022-03-30 ⋅ Prevailion ⋅ Prevailion\r\nWizard Spider continues to confound\r\nBazarBackdoor Cobalt Strike Emotet 2022-03-22 ⋅ Red Canary ⋅ Red Canary\r\n2022 Threat Detection Report\r\nFAKEUPDATES Silver Sparrow BazarBackdoor Cobalt Strike GootKit Yellow Cockatoo RAT 2022-03-21 ⋅ eSentire\r\n⋅ eSentire Threat Response Unit (TRU)\r\nConti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered\r\nHelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID 2022-03-17 ⋅ Google ⋅ Benoit Sevens,\r\nGoogle Threat Analysis Group, Vladislav Stolyarov\r\nExposing initial access broker with ties to Conti\r\nBazarBackdoor BumbleBee Cobalt Strike Conti 2022-03-17 ⋅ Trend Micro ⋅ Trend Micro Research\r\nNavigating New Frontiers Trend Micro 2021 Annual Cybersecurity Report\r\nREvil BazarBackdoor Buer IcedID QakBot REvil 2022-03-17 ⋅ Google ⋅ Benoit Sevens, Vladislav Stolyarov\r\nExposing initial access broker with ties to Conti\r\nBazarBackdoor BumbleBee Conti EXOTIC LILY 2022-03-10 ⋅ Bleeping Computer ⋅ Bill Toulas\r\nCorporate website contact forms used to spread BazarBackdoor malware\r\nBazarBackdoor 2022-03-09 ⋅ Bleeping Computer ⋅ Ionut Ilascu\r\nCISA updates Conti ransomware alert with nearly 100 domain names\r\nBazarBackdoor Cobalt Strike Conti TrickBot 2022-03-09 ⋅ Abnormal ⋅ Belem Regalado, Rachelle Chouinard\r\nBazarLoader Actors Initiate Contact via Website Contact Forms\r\nBazarBackdoor 2022-03-03 ⋅ Trend Micro ⋅ Trend Micro Research\r\nCyberattacks are Prominent in the Russia-Ukraine Conflict\r\nBazarBackdoor Cobalt Strike Conti Emotet WhisperGate 2022-02-26 ⋅ Mandiant ⋅ Mandiant\r\nTRENDING EVIL Q1 2022\r\nKEYPLUG 
FAKEUPDATES GootLoader BazarBackdoor QakBot 2022-02-25 ⋅ CyberScoop ⋅ Joe Warminsky\r\nTrickBot malware suddenly got quiet, researchers say, but it's hardly the end for its operators\r\nBazarBackdoor Emotet TrickBot 2022-02-24 ⋅ kienmanowar Blog ⋅ m4n0w4r, Tran Trung Kien\r\n[QuickNote] Techniques for decrypting BazarLoader strings\r\nBazarBackdoor 2022-02-24 ⋅ The Hacker News ⋅ Ravie Lakshmanan\r\nTrickBot Gang Likely Shifting Operations to Switch to New Malware\r\nBazarBackdoor Emotet QakBot TrickBot 2022-02-24 ⋅ The Hacker News ⋅ Ravie Lakshmanan\r\nNotorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure\r\nBazarBackdoor Emotet TrickBot 2022-02-16 ⋅ Medium elis531989 ⋅ Eli Salem\r\nHighway to Conti: Analysis of Bazarloader\r\nBazarBackdoor 2022-02-02 ⋅ IBM ⋅ Kevin Henson\r\nTrickBot Gang Uses Template-Based Metaprogramming in Bazar Malware\r\nBazarBackdoor TrickBot 2022-01-22 ⋅ forensicitguy ⋅ Tony Lambert\r\nBazarISO Analysis - Loading with Advpack.dll\r\nBazarBackdoor 2022-01-18 ⋅ Recorded Future ⋅ Insikt Group®\r\n2021 Adversary Infrastructure Report\r\nBazarBackdoor Cobalt Strike Dridex IcedID QakBot TrickBot 2022-01-15 ⋅ MalwareBookReports ⋅ muzi\r\nBazarLoader - Back from Holiday Break\r\nBazarBackdoor 2022-01-02 ⋅ BleepingComputer ⋅ Lawrence Abrams\r\nMalicious CSV text files used to install BazarBackdoor malware\r\nBazarBackdoor 2021-12-13 ⋅ The DFIR Report ⋅ The DFIR Report\r\nDiavol Ransomware\r\nBazarBackdoor Conti Diavol 2021-11-30 ⋅ Symantec ⋅ Symantec Threat Hunter Team\r\nYanluowang: Further Insights on New Ransomware Threat\r\nBazarBackdoor Cobalt Strike FiveHands 2021-11-29 ⋅ The DFIR Report ⋅ The DFIR Report\r\nCONTInuing the Bazar Ransomware Story\r\nBazarBackdoor Cobalt Strike Conti 2021-11-23 ⋅ Trend Micro ⋅ Ian Kenefick\r\nBazarLoader Adds Compromised Installers, ISO to Arrival and Delivery Vectors\r\nBazarBackdoor 2021-11-16 ⋅ PC's Xcetra Support ⋅ David Ledbetter\r\nExcel 4 macro code obfuscation\r\nBazarBackdoor 2021-11-11 ⋅ 
SophosLabs Uncut ⋅ Andrew Brandt\r\nBazarLoader ‘call me back’ attack abuses Windows 10 Apps mechanism\r\nBazarBackdoor 2021-11-05 ⋅ Twitter (@Unit42_Intel) ⋅ Unit 42\r\nTweet on TA551 (Shathak) BazarLoader infection with CobaltStrike and DarkVNC drops\r\nBazarBackdoor Cobalt Strike 2021-10-18 ⋅ paloalto Networks: Unit42 ⋅ Brad Duncan\r\nCase Study: From BazarLoader to Network Reconnaissance\r\nBazarBackdoor Cobalt Strike 2021-10-13 ⋅ IBM ⋅ Charlotte Hammond, Ole Villadsen\r\nTrickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds\r\nBazarBackdoor TrickBot 2021-10-08 ⋅ Zscaler ⋅ Lenart Brave, Tarun Dewan\r\nNew Trickbot and BazarLoader campaigns use multiple delivery vectors\r\nBazarBackdoor TrickBot 2021-10-07 ⋅ Mandiant ⋅ Adam Brunner, Genevieve Stark, Jennifer Brooks, Jeremy Kennelly, Joshua\r\nShilko, Kimberly Goody, Zach Riddle\r\nFIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets\r\nBazarBackdoor GRIMAGENT Ryuk 2021-10-04 ⋅ The DFIR Report ⋅ The DFIR Report\r\nBazarLoader and the Conti Leaks\r\nBazarBackdoor Cobalt Strike Conti 2021-10-04 ⋅ Cisco ⋅ Tiago Pereira\r\nThreat hunting in large datasets by clustering security events\r\nBazarBackdoor TrickBot 2021-09-17 ⋅ CrowdStrike ⋅ Falcon OverWatch Team\r\nFalcon OverWatch Hunts Down Adversaries Where They Hide\r\nBazarBackdoor Cobalt Strike 2021-09-13 ⋅ The DFIR Report ⋅ The DFIR Report\r\nBazarLoader to Conti Ransomware in 32 Hours\r\nBazarBackdoor Cobalt Strike Conti 2021-09-04 ⋅ cocomelonc ⋅ cocomelonc\r\nAV engines evasion for C++ simple malware: part 1\r\n4h_rat Azorult BADCALL BadNews BazarBackdoor Cardinal RAT 2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel\r\nThe State of SSL/TLS Certificate Usage in Malware C\u0026C Communications\r\nAdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex\r\nFindPOS GootKit 
Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT\r\nRockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader 2021-08-15 ⋅ Symantec ⋅\r\nThreat Hunter Team\r\nThe Ransomware Threat\r\nBabuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike\r\nConti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex\r\nMimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker 2021-08-09 ⋅ Johannes Bader's Blog ⋅ Johannes\r\nBader\r\nA BazarLoader DGA that Breaks Down in the Summer\r\nBazarBackdoor 2021-08-01 ⋅ The DFIR Report ⋅ The DFIR Report\r\nBazarCall to Conti Ransomware via Trickbot and Cobalt Strike\r\nBazarBackdoor Cobalt Strike Conti TrickBot 2021-07-30 ⋅ Twitter (@Unit42_Intel) ⋅ Unit 42\r\nTweet on BazarLoader infection leading to cobaltstrike and Powershell script file for PrintNightmare vulnerability\r\nBazarBackdoor Cobalt Strike 2021-07-30 ⋅ Medium walmartglobaltech ⋅ Jason Reaves\r\nDecrypting BazarLoader strings with a Unicorn\r\nBazarBackdoor 2021-07-29 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team\r\nBazaCall: Phony call centers lead to exfiltration and ransomware\r\nBazarBackdoor Cobalt Strike 2021-07-29 ⋅ Microsoft ⋅ Microsoft Defender Threat Intelligence\r\nBazaCall: Phony call centers lead to exfiltration and ransomware\r\nBazarBackdoor BazarCall 2021-07-14 ⋅ Bleeping Computer ⋅ Ionut Ilascu\r\nBazarBackdoor sneaks in through nested RAR and ZIP archives\r\nBazarBackdoor 2021-06-16 ⋅ Proofpoint ⋅ Daniel Blackford, Garrett M. 
Graff, Selena Larson\r\nThe First Step: Initial Access Leads to Ransomware\r\nBazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker TA570 TA575 TA577 2021-05-\r\n19 ⋅ Intel 471 ⋅ Intel 471\r\nLook how many cybercriminals love Cobalt Strike\r\nBazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot 2021-05-19 ⋅ Palo Alto Networks\r\nUnit 42 ⋅ Brad Duncan\r\nBazarCall: Call Centers Help Spread BazarLoader Malware\r\nBazarBackdoor campoloader 2021-05-11 ⋅ Mal-Eats ⋅ mal_eats\r\nCampo, a New Attack Campaign Targeting Japan\r\nAnchorDNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader 2021-05-10 ⋅ Mal-Eats ⋅\r\nmal_eats\r\nOverview of Campo, a new attack campaign targeting Japan\r\nAnchorDNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader 2021-04-15 ⋅ SophosLabs Uncut ⋅ Andrew\r\nBrandt\r\nBazarLoader deploys a pair of novel spam vectors\r\nBazarBackdoor 2021-04-14 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan\r\nApril 2021 Forensic Quiz: Answers and Analysis\r\nAnchor BazarBackdoor Cobalt Strike 2021-04-12 ⋅ Trend Micro ⋅ Don Ovid Ladores, Frankylnn Uy, Junestherry Salvador, Lala\r\nManly, Raphael Centeno\r\nA Spike in BazarCall and IcedID Activity Detected in March\r\nBazarBackdoor IcedID 2021-04-06 ⋅ Intel 471 ⋅ Intel 471\r\nEtterSilent: the underground’s new favorite maldoc builder\r\nBazarBackdoor ISFB QakBot TrickBot 2021-03-30 ⋅ YouTube ( malware-traffic-analysis.net) ⋅ Brad Duncan\r\n2021-03-29 BazaCall (BazarCall) Example\r\nBazarBackdoor 2021-03-30 ⋅ FR3D.HK ⋅ Fred HK\r\nCampo Loader - Simple but effective\r\nBazarBackdoor 2021-03-21 ⋅ Blackberry ⋅ Blackberry Research\r\n2021 Threat Report\r\nBashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth\r\nBazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader\r\nTrickBot 
2021-03-08 ⋅ The DFIR Report ⋅ The DFIR Report\r\nBazar Drops the Anchor\r\nAnchor BazarBackdoor Cobalt Strike 2021-03-01 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt\r\nNimar Loader\r\nBazarBackdoor BazarNimrod Cobalt Strike 2021-03-01 ⋅ Group-IB ⋅ Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev\r\nRansomware Uncovered 2020/2021\r\nRansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot\r\nRansomEXX REvil Ryuk SDBbot TrickBot Zloader 2021-02-28 ⋅ PWC UK ⋅ PWC UK\r\nCyber Threats 2020: A Year in Retrospect\r\nelf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot\r\nBazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx\r\nFunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk\r\nStoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess\r\nWinnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception\r\nFramework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team 2021-02-25 ⋅ ANSSI ⋅ CERT-FR\r\nRyuk Ransomware\r\nBazarBackdoor Buer Conti Emotet Ryuk TrickBot 2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike\r\n2021 Global Threat Report\r\nRansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide\r\nDoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker\r\nMespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT\r\nRagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST\r\nSunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER\r\nSOLAR SPIDER VIKING SPIDER 2021-02-12 ⋅ Fortinet ⋅ Xiaopeng Zhang\r\nNew Bazar Trojan Variant is Being Spread in Recent Phishing Campaign – Part 
I\r\nBazarBackdoor 2021-02-12 ⋅ Fortinet ⋅ Xiaopeng Zhang\r\nNew Bazar Trojan Variant is Being Spread in Recent Phishing Campaign – Part II\r\nBazarBackdoor 2021-02-11 ⋅ Proofpoint ⋅ Proofpoint Threat Research Team\r\nA Baza Valentine’s Day\r\nBazarBackdoor 2021-02-09 ⋅ Cofense ⋅ Zachary Bailey\r\nBazarBackdoor’s Stealthy Infiltration Evades Multiple SEGs\r\nBazarBackdoor 2021-02-02 ⋅ ⋅ CRONUP ⋅ Germán Fernández\r\nDe ataque con Malware a incidente de Ransomware\r\nAvaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire\r\nDownloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX\r\nREvil Ryuk SDBbot SmokeLoader TrickBot Zloader 2021-02-01 ⋅ GoSecure ⋅ Lilly Chalupowski\r\nBazarLoader Mocks Researchers in December 2020 Malspam Campaign\r\nBazarBackdoor 2021-01-31 ⋅ The DFIR Report ⋅ The DFIR Report\r\nBazar, No Ryuk?\r\nBazarBackdoor Cobalt Strike Ryuk 2021-01-28 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab\r\nBazarLoader’s Elaborate Flower Shop Lure\r\nBazarBackdoor 2021-01-28 ⋅ Huntress Labs ⋅ John Hammond\r\nAnalyzing Ryuk Another Link in the Cyber Attack Chain\r\nBazarBackdoor Ryuk 2021-01-23 ⋅ Johannes Bader's Blog ⋅ Johannes Bader\r\nYet Another Bazar Loader DGA\r\nBazarBackdoor 2021-01-12 ⋅ Cybereason ⋅ Lior Rochberger\r\nCybereason vs. Conti Ransomware\r\nBazarBackdoor Conti 2021-01-12 ⋅ Minerva Labs ⋅ MinervaLabs\r\nSlamming The Backdoor On BazarLoader\r\nBazarBackdoor 2021-01-06 ⋅ DomainTools ⋅ Joe Slowik\r\nHoliday Bazar: Tracking a TrickBot-Related Ransomware Incident\r\nBazarBackdoor TrickBot 2020-12-16 ⋅ Johannes Bader's Blog ⋅ Johannes Bader\r\nNext Version of the Bazar Loader DGA\r\nBazarBackdoor 2020-12-10 ⋅ Cybereason ⋅ Joakim Kandefelt\r\nCybereason vs. 
Ryuk Ransomware\r\nBazarBackdoor Ryuk TrickBot 2020-11-20 ⋅ ZDNet ⋅ Catalin Cimpanu\r\nThe malware that usually installs ransomware and you need to remove right away\r\nAvaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx\r\nMegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader 2020-11-10 ⋅ Intel 471 ⋅ Intel 471\r\nTrickbot down, but is it out?\r\nBazarBackdoor TrickBot 2020-11-09 ⋅ Area 1 ⋅ Threat Research Team\r\nPhishing Campaign Threatens Job Security, Drops Bazar and Buer Malware\r\nBazarBackdoor Buer 2020-11-06 ⋅ Advanced Intelligence ⋅ Vitali Kremez\r\nAnatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware \"one\" Group via Cobalt Strike\r\nBazarBackdoor Cobalt Strike Ryuk 2020-11-05 ⋅ The DFIR Report ⋅ The DFIR Report\r\nRyuk Speed Run, 2 Hours to Ransom\r\nBazarBackdoor Cobalt Strike Ryuk 2020-11-05 ⋅ SCYTHE ⋅ Jorge Orchilles, Sean Lyngaas\r\n#ThreatThursday - Ryuk\r\nBazarBackdoor Ryuk 2020-11-04 ⋅ VMRay ⋅ Giovanni Vigna\r\nTrick or Threat: Ryuk ransomware targets the health care industry\r\nBazarBackdoor Cobalt Strike Ryuk TrickBot 2020-10-30 ⋅ Cofense ⋅ The Cofense Intelligence Team\r\nThe Ryuk Threat: Why BazarBackdoor Matters Most\r\nBazarBackdoor Ryuk 2020-10-30 ⋅ Github (ThreatConnect-Inc) ⋅ ThreatConnect\r\nUNC 1878 Indicators from Threatconnect\r\nBazarBackdoor Cobalt Strike Ryuk 2020-10-29 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan, Brittany Barbehenn, Doel Santos\r\nThreat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. 
Healthcare and Public Health Sector\r\nAnchor BazarBackdoor Ryuk TrickBot 2020-10-29 ⋅ Twitter (@anthomsec) ⋅ Andrew Thompson\r\nTweet on UNC1878 activity\r\nBazarBackdoor Ryuk TrickBot UNC1878 2020-10-28 ⋅ FireEye ⋅ Douglas Bienstock, Jeremy Kennelly, Joshua Shilko,\r\nKimberly Goody, Steve Elovitz\r\nUnhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser\r\nBazarBackdoor Cobalt Strike Ryuk UNC1878 2020-10-28 ⋅ CISA ⋅ CISA, FBI, HHS\r\nAA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector\r\nAnchorDNS Anchor BazarBackdoor Ryuk 2020-10-18 ⋅ The DFIR Report ⋅ The DFIR Report\r\nRyuk in 5 Hours\r\nBazarBackdoor Cobalt Strike Ryuk 2020-10-16 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team\r\nWIZARD SPIDER Update: Resilient, Reactive and Resolute\r\nBazarBackdoor Conti Ryuk TrickBot 2020-10-13 ⋅ Hornetsecurity ⋅ Security Lab\r\nBazarLoader Campaign with Fake Termination Emails\r\nBazarBackdoor 2020-10-12 ⋅ Advanced Intelligence ⋅ Roman Marshanski, Vitali Kremez\r\n\"Front Door\" into BazarBackdoor: Stealthy Cybercrime Weapon\r\nBazarBackdoor Cobalt Strike Ryuk 2020-10-08 ⋅ The DFIR Report ⋅ The DFIR Report\r\nRyuk’s Return\r\nBazarBackdoor Cobalt Strike Ryuk 2020-10-02 ⋅ Health Sector Cybersecurity Coordination Center (HC3) ⋅ Health Sector\r\nCybersecurity Coordination Center (HC3)\r\nReport 202010021600: Recent Bazarloader Use in Ransomware Campaigns\r\nBazarBackdoor Cobalt Strike Ryuk TrickBot 2020-09-29 ⋅ Zscaler ⋅ Atinderpal Singh, Mohd Sadique\r\nSpear Phishing Campaign Delivers Buer and Bazar Malware\r\nBazarBackdoor Buer 2020-07-16 ⋅ Cybereason ⋅ Assaf Dahan, Daniel Frank, Mary Zhao\r\nA Bazar of Tricks: Following Team9’s Development Cycles\r\nBazarBackdoor 2020-07-16 ⋅ Cybereason ⋅ Assaf Dahan, Daniel Frank, Mary Zhao\r\nA Bazar of Tricks: Following Team9’s Development Cycles (IOCs)\r\nBazarBackdoor 2020-07-15 ⋅ Johannes Bader's Blog ⋅ 
Johannes Bader\r\nThe Defective Domain Generation Algorithm of BazarBackdoor\r\nBazarBackdoor 2020-07-14 ⋅ Johannes Bader's Blog ⋅ Johannes Bader\r\nThe Domain Generation Algorithm of BazarBackdoor\r\nBazarBackdoor 2020-06-02 ⋅ NCC Group ⋅ Nikolaos Pantazopoulos, Stefano Antenucci\r\nIn-depth analysis of the new Team9 malware family\r\nBazarBackdoor 2020-06-02 ⋅ Fox-IT ⋅ NCC RIFT, Nikolaos Pantazopoulos, Stefano Antenucci\r\nIn-depth analysis of the new Team9 malware family\r\nBazarBackdoor 2020-05-19 ⋅ AlienLabs ⋅ Ofer Caspi\r\nTrickBot BazarLoader In-Depth\r\nAnchor BazarBackdoor TrickBot 2020-04-27 ⋅ Trend Micro ⋅ Trend Micro\r\nGroup Behind TrickBot Spreads Fileless BazarBackdoor\r\nBazarBackdoor 2020-04-24 ⋅ Vitali Kremez\r\nTrickBot \"BazarBackdoor\" Process Hollowing Injection Primer\r\nBazarBackdoor 2020-04-24 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nBazarBackdoor: TrickBot gang’s new stealthy network-hacking malware\r\nBazarBackdoor\r\n[TLP:WHITE] win_bazarbackdoor_auto (20251219 | Detects win.bazarbackdoor.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor"
	],
	"report_names": [
		"win.bazarbackdoor"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d87fb380-03db-447c-a560-33e1b6e70e87",
			"created_at": "2025-05-29T02:00:03.231385Z",
			"updated_at": "2026-04-10T02:00:03.881295Z",
			"deleted_at": null,
			"main_name": "Luna Moth",
			"aliases": [
				"Silent Ransom",
				"TG2729"
			],
			"source_name": "MISPGALAXY:Luna Moth",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "99d9dd87-91c3-4371-9943-0a1c9c3cd99c",
			"created_at": "2022-10-25T16:07:23.277763Z",
			"updated_at": "2026-04-10T02:00:04.514755Z",
			"deleted_at": null,
			"main_name": "Solar Spider",
			"aliases": [],
			"source_name": "ETDA:Solar Spider",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "12211366-1f14-4eed-9d91-46b6a2ede618",
			"created_at": "2025-08-07T02:03:25.014713Z",
			"updated_at": "2026-04-10T02:00:03.624097Z",
			"deleted_at": null,
			"main_name": "GOLD ULRICK",
			"aliases": [
				"Grim Spider ",
				"UNC1878 "
			],
			"source_name": "Secureworks:GOLD ULRICK",
			"tools": [
				"Bloodhound",
				"Buer Loader",
				"Cobalt Strike",
				"Conti",
				"Diavol",
				"PowerShell Empire",
				"Ryuk",
				"SystemBC",
				"Team9 (aka BazarLoader)",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6ad410c7-e291-4327-a54b-281c23f0d4fa",
			"created_at": "2022-10-25T16:07:24.501468Z",
			"updated_at": "2026-04-10T02:00:05.013427Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Mushy Scorpius"
			],
			"source_name": "ETDA:Karakurt",
			"tools": [
				"7-Zip",
				"Agentemis",
				"AnyDesk",
				"Cobalt Strike",
				"CobaltStrike",
				"FileZilla",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"WinZip",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6f37e16f-64b2-4b9c-b5b4-08d0884660eb",
			"created_at": "2022-10-25T16:07:24.380872Z",
			"updated_at": "2026-04-10T02:00:04.966462Z",
			"deleted_at": null,
			"main_name": "Viking Spider",
			"aliases": [],
			"source_name": "ETDA:Viking Spider",
			"tools": [
				"Ragnar Locker",
				"RagnarLocker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ab9d6b30-7c60-4d0b-8f49-e2e913c28508",
			"created_at": "2022-10-25T16:07:24.584775Z",
			"updated_at": "2026-04-10T02:00:05.042135Z",
			"deleted_at": null,
			"main_name": "UNC1878",
			"aliases": [],
			"source_name": "ETDA:UNC1878",
			"tools": [
				"Agentemis",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"KEGTAP",
				"Ryuk",
				"Team9Backdoor",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67fbc7d7-ba8e-4258-b53c-9a5d755e1960",
			"created_at": "2022-10-25T16:07:24.077859Z",
			"updated_at": "2026-04-10T02:00:04.860725Z",
			"deleted_at": null,
			"main_name": "Promethium",
			"aliases": [
				"APT-C-41",
				"G0056",
				"Magenta Dust",
				"Promethium",
				"StrongPity"
			],
			"source_name": "ETDA:Promethium",
			"tools": [
				"StrongPity",
				"StrongPity2",
				"StrongPity3",
				"Truvasys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24",
			"created_at": "2022-10-25T16:47:55.853415Z",
			"updated_at": "2026-04-10T02:00:03.856263Z",
			"deleted_at": null,
			"main_name": "GOLD TOMAHAWK",
			"aliases": [
				"Karakurt",
				"Karakurt Lair",
				"Karakurt Team"
			],
			"source_name": "Secureworks:GOLD TOMAHAWK",
			"tools": [
				"7-Zip",
				"AnyDesk",
				"Mega",
				"QuickPacket",
				"Rclone",
				"SendGB"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "25758a84-d695-44e7-9cd5-3c6e999ce6c0",
			"created_at": "2023-01-06T13:46:39.237624Z",
			"updated_at": "2026-04-10T02:00:03.255835Z",
			"deleted_at": null,
			"main_name": "OUTLAW SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:OUTLAW SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4594f985-865e-4862-8047-2e80226e246a",
			"created_at": "2022-10-27T08:27:12.984825Z",
			"updated_at": "2026-04-10T02:00:05.293575Z",
			"deleted_at": null,
			"main_name": "EXOTIC LILY",
			"aliases": [
				"EXOTIC LILY"
			],
			"source_name": "MITRE:EXOTIC LILY",
			"tools": [
				"Bazar"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cbede712-4cc3-47c6-bf78-92fd9f1beac6",
			"created_at": "2022-10-25T15:50:23.777222Z",
			"updated_at": "2026-04-10T02:00:05.399303Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"PROMETHIUM",
				"StrongPity"
			],
			"source_name": "MITRE:PROMETHIUM",
			"tools": [
				"Truvasys",
				"StrongPity"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7583fbd4-2bc9-458d-81da-50b27b84e136",
			"created_at": "2023-02-15T02:01:49.565258Z",
			"updated_at": "2026-04-10T02:00:03.349283Z",
			"deleted_at": null,
			"main_name": "TA575",
			"aliases": [],
			"source_name": "MISPGALAXY:TA575",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "079e3d6e-24ef-42b0-b555-75c288f9efd8",
			"created_at": "2023-03-04T02:01:54.105946Z",
			"updated_at": "2026-04-10T02:00:03.359009Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Karakurt Lair"
			],
			"source_name": "MISPGALAXY:Karakurt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "38e9c8e3-38f8-4500-8c5c-8349b3e9a998",
			"created_at": "2023-01-06T13:46:39.207556Z",
			"updated_at": "2026-04-10T02:00:03.246557Z",
			"deleted_at": null,
			"main_name": "RIDDLE SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:RIDDLE SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e227b757-7032-4a99-b119-1bfda2ebd543",
			"created_at": "2023-01-06T13:46:39.21663Z",
			"updated_at": "2026-04-10T02:00:03.248543Z",
			"deleted_at": null,
			"main_name": "SOLAR SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:SOLAR SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b98eb1ec-dc8b-4aea-b112-9e485408dd14",
			"created_at": "2022-10-25T16:07:23.649308Z",
			"updated_at": "2026-04-10T02:00:04.701157Z",
			"deleted_at": null,
			"main_name": "FunnyDream",
			"aliases": [
				"Bronze Edgewood",
				"Red Hariasa",
				"TAG-16"
			],
			"source_name": "ETDA:FunnyDream",
			"tools": [
				"Chinoxy",
				"Filepak",
				"FilepakMonitor",
				"FunnyDream",
				"Keyrecord",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Md_client",
				"PCShare",
				"ScreenCap",
				"TcpBridge",
				"Tcp_transfer",
				"ccf32"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "58db0213-4872-41fe-8a76-a7014d816c73",
			"created_at": "2023-01-06T13:46:38.61757Z",
			"updated_at": "2026-04-10T02:00:03.040816Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"G0131",
				"PLA Unit 65017",
				"Earth Akhlut",
				"TAG-74",
				"CactusPete",
				"KARMA PANDA",
				"BRONZE HUNTLEY",
				"Red Beifang"
			],
			"source_name": "MISPGALAXY:Tonto Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "92c0dae2-e255-4b90-8d8f-be88e393ab8d",
			"created_at": "2022-10-25T16:07:24.402328Z",
			"updated_at": "2026-04-10T02:00:04.97641Z",
			"deleted_at": null,
			"main_name": "Wild Neutron",
			"aliases": [
				"Butterfly",
				"Morpho",
				"Sphinx Moth",
				"The Postal Group",
				"Wild Neutron"
			],
			"source_name": "ETDA:Wild Neutron",
			"tools": [
				"HesperBot",
				"Jiripbot",
				"JripBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "da483338-e479-4d74-a6dd-1fb09343fd07",
			"created_at": "2022-10-25T15:50:23.698197Z",
			"updated_at": "2026-04-10T02:00:05.355597Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Tonto Team",
				"Earth Akhlut",
				"BRONZE HUNTLEY",
				"CactusPete",
				"Karma Panda"
			],
			"source_name": "MITRE:Tonto Team",
			"tools": [
				"Mimikatz",
				"Bisonal",
				"ShadowPad",
				"LaZagne",
				"NBTscan",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d1f8bd4e-bcd4-4101-9158-6158f1806b38",
			"created_at": "2023-01-06T13:46:39.487358Z",
			"updated_at": "2026-04-10T02:00:03.344509Z",
			"deleted_at": null,
			"main_name": "BazarCall",
			"aliases": [
				"BazzarCall",
				"BazaCall"
			],
			"source_name": "MISPGALAXY:BazarCall",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "04a7ebaa-ebb1-4971-b513-a0c86886d932",
			"created_at": "2023-01-06T13:46:38.784965Z",
			"updated_at": "2026-04-10T02:00:03.099088Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"ATK116",
				"Blue Odin"
			],
			"source_name": "MISPGALAXY:Inception Framework",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b4ec06e5-60c9-4796-9f85-129c77d1652b",
			"created_at": "2023-01-06T13:46:39.21956Z",
			"updated_at": "2026-04-10T02:00:03.249407Z",
			"deleted_at": null,
			"main_name": "VIKING SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:VIKING SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3f53ecb7-e228-471d-8f85-0b2ba110ab4b",
			"created_at": "2023-01-06T13:46:39.181151Z",
			"updated_at": "2026-04-10T02:00:03.237995Z",
			"deleted_at": null,
			"main_name": "Red Charon",
			"aliases": [],
			"source_name": "MISPGALAXY:Red Charon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4e453d66-9ecd-47d9-b63a-32fa5450f071",
			"created_at": "2024-06-19T02:03:08.077075Z",
			"updated_at": "2026-04-10T02:00:03.830523Z",
			"deleted_at": null,
			"main_name": "GOLD LOTUS",
			"aliases": [
				"BlackByte",
				"Hecamede "
			],
			"source_name": "Secureworks:GOLD LOTUS",
			"tools": [
				"BlackByte",
				"Cobalt Strike",
				"ExByte",
				"Mega",
				"RDP",
				"SoftPerfect Network Scanner"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc",
			"created_at": "2023-01-06T13:46:38.354607Z",
			"updated_at": "2026-04-10T02:00:02.939761Z",
			"deleted_at": null,
			"main_name": "APT23",
			"aliases": [
				"BRONZE HOBART",
				"G0081",
				"Red Orthrus",
				"Earth Centaur",
				"PIRATE PANDA",
				"KeyBoy",
				"Tropic Trooper"
			],
			"source_name": "MISPGALAXY:APT23",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17d16126-35d7-4c59-88a5-0b48e755e80f",
			"created_at": "2025-08-07T02:03:24.622109Z",
			"updated_at": "2026-04-10T02:00:03.726126Z",
			"deleted_at": null,
			"main_name": "BRONZE HUNTLEY",
			"aliases": [
				"CactusPete ",
				"Earth Akhlut ",
				"Karma Panda ",
				"Red Beifang",
				"Tonto Team"
			],
			"source_name": "Secureworks:BRONZE HUNTLEY",
			"tools": [
				"Bisonal",
				"RatN",
				"Royal Road",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4660477f-333f-4a18-b49b-0b4d7c66d482",
			"created_at": "2023-01-06T13:46:38.511962Z",
			"updated_at": "2026-04-10T02:00:03.007466Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"StrongPity",
				"G0056"
			],
			"source_name": "MISPGALAXY:PROMETHIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f63c346d-18c8-4821-a56d-fefb1ad7ed5d",
			"created_at": "2022-10-25T16:07:23.42507Z",
			"updated_at": "2026-04-10T02:00:04.593122Z",
			"deleted_at": null,
			"main_name": "Bronze Starlight",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"HighGround",
				"Operation ChattyGoblin",
				"SLIME34"
			],
			"source_name": "ETDA:Bronze Starlight",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"AtomSilo",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"HUI Loader",
				"Kaba",
				"Korplug",
				"LockFile",
				"Night Sky",
				"NightSky",
				"Pandora",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b72c2616-cc7c-4c47-a83d-6b7866b94746",
			"created_at": "2023-01-06T13:46:39.425297Z",
			"updated_at": "2026-04-10T02:00:03.323082Z",
			"deleted_at": null,
			"main_name": "Red Nue",
			"aliases": [
				"LuoYu"
			],
			"source_name": "MISPGALAXY:Red Nue",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c69bcda3-0893-4ea1-9ec1-ae016332d283",
			"created_at": "2023-01-06T13:46:39.410593Z",
			"updated_at": "2026-04-10T02:00:03.317754Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"DEV-0401",
				"Cinnamon Tempest",
				"Emperor Dragonfly",
				"SLIME34"
			],
			"source_name": "MISPGALAXY:BRONZE STARLIGHT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a",
			"created_at": "2022-10-25T16:07:24.332084Z",
			"updated_at": "2026-04-10T02:00:04.940672Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Bronze Huntley",
				"CactusPete",
				"Earth Akhlut",
				"G0131",
				"HartBeat",
				"Karma Panda",
				"LoneRanger",
				"Operation Bitter Biscuit",
				"TAG-74",
				"Tonto Team"
			],
			"source_name": "ETDA:Tonto Team",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Bioazih",
				"Bisonal",
				"CONIME",
				"Dexbia",
				"Korlia",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5fba09c3-73cc-4898-9b82-e73b012016c6",
			"created_at": "2025-08-07T02:03:24.578591Z",
			"updated_at": "2026-04-10T02:00:03.767329Z",
			"deleted_at": null,
			"main_name": "BRONZE EDGEWOOD",
			"aliases": [
				"Red Hariasa"
			],
			"source_name": "Secureworks:BRONZE EDGEWOOD",
			"tools": [
				"Chinoxy",
				"Cobalt Strike",
				"FunnyDream",
				"Md_client",
				"Nishang Post Exploitation Framework",
				"PCShare",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4e7fd07d-fcc5-459b-b678-45a7d9cda751",
			"created_at": "2025-04-23T02:00:55.174827Z",
			"updated_at": "2026-04-10T02:00:05.353712Z",
			"deleted_at": null,
			"main_name": "BlackByte",
			"aliases": [
				"BlackByte",
				"Hecamede"
			],
			"source_name": "MITRE:BlackByte",
			"tools": [
				"AdFind",
				"BlackByte Ransomware",
				"Exbyte",
				"Arp",
				"BlackByte 2.0 Ransomware",
				"PsExec",
				"Cobalt Strike",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0a4f4edc-ea8c-4a30-8ded-35394e29de01",
			"created_at": "2023-01-06T13:46:39.178183Z",
			"updated_at": "2026-04-10T02:00:03.23716Z",
			"deleted_at": null,
			"main_name": "UNC1878",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC1878",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "56384d06-abc2-4853-8440-db4d7b7d1b5f",
			"created_at": "2023-01-06T13:46:39.367122Z",
			"updated_at": "2026-04-10T02:00:03.303733Z",
			"deleted_at": null,
			"main_name": "EXOTIC LILY",
			"aliases": [
				"DEV-0413"
			],
			"source_name": "MISPGALAXY:EXOTIC LILY",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "96d5b301-0872-444c-ba32-eecf7a9241c0",
			"created_at": "2023-02-15T02:01:49.560566Z",
			"updated_at": "2026-04-10T02:00:03.347926Z",
			"deleted_at": null,
			"main_name": "TA570",
			"aliases": [
				"DEV-0450"
			],
			"source_name": "MISPGALAXY:TA570",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4f83fef-38ee-4228-9d27-dde8afece1cb",
			"created_at": "2023-02-15T02:01:49.569611Z",
			"updated_at": "2026-04-10T02:00:03.351659Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"Hive0118"
			],
			"source_name": "MISPGALAXY:TA577",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86182dd7-646c-49c5-91a6-4b62fd2119a7",
			"created_at": "2025-08-07T02:03:24.617638Z",
			"updated_at": "2026-04-10T02:00:03.738499Z",
			"deleted_at": null,
			"main_name": "BRONZE HOBART",
			"aliases": [
				"APT23",
				"Earth Centaur ",
				"KeyBoy ",
				"Pirate Panda ",
				"Red Orthrus ",
				"TA413 ",
				"Tropic Trooper "
			],
			"source_name": "Secureworks:BRONZE HOBART",
			"tools": [
				"Crowdoor",
				"DSNGInstaller",
				"KeyBoy",
				"LOWZERO",
				"Mofu",
				"Pfine",
				"Sepulcher",
				"Xiangoop Loader",
				"Yahaoyah"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "22d450bb-fc7a-42af-9430-08887f0abf9f",
			"created_at": "2024-11-01T02:00:52.560354Z",
			"updated_at": "2026-04-10T02:00:05.276856Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"TA577"
			],
			"source_name": "MITRE:TA577",
			"tools": [
				"Pikabot",
				"QakBot",
				"Latrodectus"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c240435e-8863-4e5b-9f47-20c6f5c52131",
			"created_at": "2022-10-25T16:07:23.253019Z",
			"updated_at": "2026-04-10T02:00:04.505012Z",
			"deleted_at": null,
			"main_name": "Outlaw Spider",
			"aliases": [],
			"source_name": "ETDA:Outlaw Spider",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2d3f35f-3b29-4509-bff5-af2638140d39",
			"created_at": "2022-10-25T16:07:23.633982Z",
			"updated_at": "2026-04-10T02:00:04.695802Z",
			"deleted_at": null,
			"main_name": "FIN12",
			"aliases": [],
			"source_name": "ETDA:FIN12",
			"tools": [
				"Agentemis",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"KEGTAP",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f72bb9d8-ff75-444f-8fb7-1e8e113cef73",
			"created_at": "2023-01-06T13:46:39.401929Z",
			"updated_at": "2026-04-10T02:00:03.314524Z",
			"deleted_at": null,
			"main_name": "BRONZE EDGEWOOD",
			"aliases": [
				"Red Hariasa"
			],
			"source_name": "MISPGALAXY:BRONZE EDGEWOOD",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27",
				"Bowser",
				"Budworm",
				"Circle Typhoon",
				"Emissary Panda",
				"Group35",
				"Iron Tiger",
				"Linen Typhoon",
				"Lucky Mouse",
				"TG-3390",
				"Temp.Hippo"
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6148aa7-4347-4444-a2a0-dbbf7c0f121c",
			"created_at": "2022-10-25T16:07:24.12696Z",
			"updated_at": "2026-04-10T02:00:04.875073Z",
			"deleted_at": null,
			"main_name": "Riddle Spider",
			"aliases": [
				"Avaddon Team"
			],
			"source_name": "ETDA:Riddle Spider",
			"tools": [
				"Avaddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d511e74b-96b8-4ab9-88d6-bc183351dbd8",
			"created_at": "2025-08-07T02:03:24.674685Z",
			"updated_at": "2026-04-10T02:00:03.800936Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"Emperor Dragonfly"
			],
			"source_name": "Secureworks:BRONZE STARLIGHT",
			"tools": [
				"AtomSilo",
				"Cobalt Strike",
				"HUI Loader",
				"Impacket",
				"LockFile",
				"NightSky",
				"Pandora",
				"PlugX",
				"Rook"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31",
				"BRONZE EXPRESS",
				"Judgment Panda",
				"Red Keres",
				"TA412",
				"VINEWOOD",
				"Violet Typhoon",
				"ZIRCONIUM"
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "873a6c6f-a4d1-49b3-8142-4a147d4288ef",
			"created_at": "2022-10-25T16:07:23.455744Z",
			"updated_at": "2026-04-10T02:00:04.61281Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Bronze Vapor",
				"G0114",
				"Nuclear Taurus",
				"Operation Skeleton Key",
				"Red Charon",
				"THORIUM",
				"Tumbleweed Typhoon"
			],
			"source_name": "ETDA:Chimera",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"SkeletonKeyInjector",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "02c9f3f6-5d10-456b-9e63-750286048149",
			"created_at": "2022-10-25T16:07:23.722884Z",
			"updated_at": "2026-04-10T02:00:04.72726Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"ATK 116",
				"Blue Odin",
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"Inception Framework",
				"Operation Cloud Atlas",
				"Operation RedOctober",
				"The Rocra"
			],
			"source_name": "ETDA:Inception Framework",
			"tools": [
				"Lastacloud",
				"PowerShower",
				"VBShower"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "81e29474-63ad-4ce8-97db-b1712d5481d5",
			"created_at": "2024-04-24T02:00:49.570158Z",
			"updated_at": "2026-04-10T02:00:05.285111Z",
			"deleted_at": null,
			"main_name": "Cinnamon Tempest",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"Emperor Dragonfly",
				"BRONZE STARLIGHT"
			],
			"source_name": "MITRE:Cinnamon Tempest",
			"tools": [
				"Pandora",
				"PlugX",
				"Cheerscrypt",
				"Impacket",
				"Cobalt Strike",
				"HUI Loader",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434627,
	"ts_updated_at": 1775792271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/76cd7f35cc8501451368d39fb6d2f513b6958975.pdf",
		"text": "https://archive.orkl.eu/76cd7f35cc8501451368d39fb6d2f513b6958975.txt",
		"img": "https://archive.orkl.eu/76cd7f35cc8501451368d39fb6d2f513b6958975.jpg"
	}
}