{
	"id": "b165ed14-a367-454c-879e-384c9c2556f1",
	"created_at": "2026-04-06T00:21:18.731506Z",
	"updated_at": "2026-04-10T03:30:36.18794Z",
	"deleted_at": null,
	"sha1_hash": "76d82224091c633671b8b446977b773392a1ce7b",
	"title": "The Anatomy of Wiper Malware, Part 1: Common Techniques | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2492466,
	"plain_text": "The Anatomy of Wiper Malware, Part 1: Common Techniques |\r\nCrowdStrike\r\nBy Ioan Iacob - Iulian Madalin Ionita\r\nArchived: 2026-04-05 13:29:00 UTC\r\nThis is the first blog post in a four-part series. Read Part 2 | Part 3 | Part 4. This blog post is the first in a four-part series in which CrowdStrike’s Endpoint Protection Content Research Team will dive into various wipers\r\ndiscovered by the security community over the past 10 years. Our goal is to review in depth the various techniques\r\nemployed by wipers that target the Windows operating system.\r\nBackground\r\nA wiper is a type of malware with a single purpose: to erase user data beyond recoverability. Wipers are used to\r\ndestroy computer networks in public or private companies ranging from industrial to entertainment sectors. Threat\r\nactors also use wipers to cover up traces left after an intrusion, weakening their victim's ability to respond.\r\nWipers gained popularity back in 2012, when Saudi Arabia’s Saudi Aramco and Qatar's RasGas oil companies\r\nwere targeted by threat actors using the Shamoon family of wipers. After four years in which little to no wiper\r\nactivity was observed, the Shamoon wiper resurfaced in 2016 with threat actors having the same goals and targets\r\nin mind.\r\nThe year 2017 put multiple wiper families on our radar. A wiper variant of Petya was used to target multiple\r\ninstitutions in Ukraine, Russia and western Europe. Institutions in Israel and Germany faced the wipers named\r\nSQLShred and Ordinypt, respectively, which masqueraded as ransomware. Middle Eastern companies again found\r\nthemselves the target of a wiper, this time one named StoneDrill.\r\nLittle wiper activity was observed in the following three years. In 2018, South Korea was the host of the Olympic\r\ngames that were targeted by threat actors using Olympic Destroyer. 
In late 2019 and early 2020, Dustman and\r\nZeroCleare were used to target organizations in the energy and industrial sectors from the Middle East.\r\nIn 2021 threat actors again targeted the Olympics, now hosted in Tokyo, with a wiper named Tokyo Olympic\r\nWiper. In the same year, a pro-Palestinian wiper dubbed IsraBye was used to target Israeli organizations.\r\nAlready, 2022 has been the most active year yet for wipers. Ukraine, while fighting Russian forces in traditional\r\nwarfare, has seen its government institutions targeted by numerous cyberattacks using the wipers CaddyWiper,\r\nDoubleZero, DriveSlayer, IsaacWiper, KillDisk and WhisperGate.\r\nTechniques\r\nOver the years, threat actors have used different strategies to achieve their objectives. During that time, we've\r\nstudied different adversary strategies that use wipers singularly or in combination with other destructive\r\nhttps://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/\r\nPage 1 of 13\n\ntechniques. While quick and easy techniques can also have quick and easy countermeasures, the more advanced\r\nand lengthy ones may give victims a chance to react in time but usually not without difficulty.\r\nRansomware and wipers share some techniques. Both walk the disk in search of files to modify or corrupt, and\r\nboth are capable of making data recovery impossible for the victim. But in this latter aspect lies one of the biggest\r\ndifferences between the two threats: ransomware typically enables file restoration for victims who pay the ransom,\r\nwhereas the objective of wipers is to destroy files beyond recoverability. Another difference is in performance;\r\nbecause wipers need not read the data from disk, they work faster and require fewer resources than ransomware.\r\nOne of the easiest techniques we’ve found in the analyzed wiper samples is to merely delete the files on disk. 
Yet\r\nthis technique could allow forensics examiners to recover the files by carving them out from the raw disk. Because\r\nstandard deletion is not a secure method, threat actors have resorted to overwriting target files with bogus data. To\r\nincrease the speed of the operation, some wipers overwrite only the first part of the target file, while others resort\r\nto wiping the Master Boot Record (MBR).\r\nAs we'll discuss, these techniques vary in their unique advantages and weaknesses, as well as in the degrees of\r\nrecoverability of destroyed data. Each of these techniques demands a different course of action to properly detect\r\nand respond to the various threats posed by destructive wiper malware families.\r\nFile Discovery\r\nIn search of files to destroy or corrupt, most wipers recursively iterate through the file system by using Windows\r\nAPIs like FindFirstFile and FindNextFile.\r\nFigure 1. File iteration via FindFirstFile and FindNextFile APIs\r\nWhile some wipers immediately overwrite their targets, Apostle, DoubleZero, SQLShred and WhisperGate\r\nconstruct a list of target files to be later processed by the wiping routine. This introduces a bit of overhead before\r\nthe destructive functionalities are launched, buying the victim time to react.\r\nWipers are implemented to do as much damage as possible without crashing the operating system. During the file\r\ndiscovery operation, many wipers will implement different strategies to maintain the stability of the operating\r\nsystem. 
If critical files are overwritten, the machine will crash and the wiper may not achieve the desired outcome.\r\nIn order to prolong the life of the machine, wipers can delay, skip or prioritize certain targets:\r\nCaddyWiper, DoubleZero, IsaacWiper, SQLShred, and StoneDrill start the wiping routine with non-OS\r\nrelated drives (including mounted network shares) and directories\r\nDoubleZero, CaddyWiper, KillDisk, SQLShred, and StoneDrill will skip certain directories (e.g.,\r\nWindows, Program Files, ProgramData or others) from the wiper routine or delay their destruction at a\r\nlater time of execution\r\nKillDisk and WhisperGate skip certain file extensions like DLL, EXE, LIB, SYS\r\nOrdinypt uses a list of targeted extensions similar to ransomware\r\nCaddyWiper and SQLShred — if the configuration sets disk destruction — have been observed to first\r\ndestroy target files and then destroy physical drives or disk volumes\r\nFile Overwrite\r\nWhen it comes to overwriting files, wipers implement different techniques that achieve the same purpose. While\r\nsome techniques are fairly common, others implement unique methods.\r\nFile System API\r\nThe standard method to overwrite a file is by using the CreateFile and WriteFile API combination. The first is\r\nused to grab a handle to the desired file and the second is used to overwrite the file contents with new data. This\r\nbasic technique has been seen in multiple wiper families like CaddyWiper, DoubleZero, IsaacWiper, KillDisk,\r\nMeteor (including Stardust and Comet variants), Petya wiper, Shamoon, SQLShred, StoneDrill, and WhisperGate.\r\nSome wipers overwrite the entire file — a computationally costly operation — while others only overwrite a fixed\r\nnumber of bytes.\r\nFigure 2. 
Determine file size, allocate memory and write to file\r\nIn Figure 2, Destover overwrites the entire file: it determines the file size via GetFileSize, allocates a buffer of the\r\nsame size, excludes files based on their extension and overwrites the file using WriteFile.\r\nFile IOCTL\r\nWhile the previous method was the most common among the researched samples, DoubleZero implements a\r\nsecond mechanism for overwriting files. In order to overwrite the entire file with zeros, this wiper uses the\r\nNtFsControlFile API to send the FSCTL_SET_ZERO_DATA control code to the file system driver along with\r\nthe size of the file to be overwritten.\r\nFigure 3. DoubleZero uses FSCTL_SET_ZERO_DATA to overwrite file contents\r\nFile Deletion\r\nWhen the operating system deletes a file from disk, the corresponding sectors are not overwritten with “null” data;\r\nthey are only marked as unused. This means the raw sectors are free to use when other files are created.\r\nOrdinypt, Olympic wiper and Apostle wipers implement simple file deletion, where files are only deleted, not\r\noverwritten. In this case, the data can still be recovered from the disk via file carving techniques used in digital\r\nforensics. To make the files unrecoverable, secure file deletion needs to be implemented, which requires the files to\r\nbe overwritten before they are deleted from the disk.\r\nMost wipers do not need to delete the files because their contents have been destroyed, but some implement file\r\ndeletion. This is the case for Destover, KillDisk, Meteor (Stardust/Comet), Shamoon, SQLShred, and StoneDrill,\r\nwhich overwrite the target files with random bytes. 
Only after the file contents have been replaced is the file deleted from\r\ndisk via the DeleteFile API.\r\nThe following code snippet displays an implementation of File Deletion and File Overwrite found in the\r\nShamoon wiper.\r\nFigure 4. How Shamoon wiper overwrites and deletes files\r\nAlthough families like Apostle and Ordinypt do not implement a secure deletion, they are still considered\r\ndestructive because file carving is not a perfect recovery technique.\r\nDrive Destruction\r\nSome wipers go one step further and attempt to destroy the contents of the disk itself, not just files. This approach\r\nprovides several advantages to attackers and makes recovery more difficult, if not impossible. Because files may\r\nbe fragmented across the disk, wiping the files will require the hard disk drive actuator arm to move to\r\nmultiple locations, thus decreasing wiping speeds. Overwriting the raw sectors in successive order is\r\nadvantageous because it drastically increases the speed of the wiping operation. This also applies to modern solid\r\nstate drives, where sequential access is still more performant than random access.\r\nWiping raw sectors also removes any file system information like partitioning tables, journaling, parity data,\r\nmetadata and even OS protected files. These operations are equivalent to raw full-disk formatting, ensuring that\r\nfiles cannot be recovered via any forensic methods.\r\nDisk Write\r\nSimilar to the way files can be overwritten, IsaacWiper, KillDisk, Petya wiper variant, SQLShred, StoneDrill,\r\nWhisperGate and DriveSlayer use the same CreateFile and WriteFile APIs to overwrite physical disks\r\n(\\\\.\\PhysicalDisk0) and/or volumes (\\\\.\\c:) with either random or predefined byte buffers. 
“PhysicalDisk0” is used\r\nto access the first sector of a disk, where the Master Boot Record (MBR) is stored, while “\\\\.\\C:” will allow the\r\nwiper to reference the first sector of the partition.\r\nFigure 5. Overwrite the MBR of the drive 0 via CreateFile and WriteFile APIs\r\nThe code snippet displays an implementation found in various wipers to delete the MBR by directly accessing the\r\ndisk. The MBR is a structure that resides in the first sector of the disk and holds information about how the disk is\r\nformatted into one or multiple partitions. Deleting this structure removes the partition information, making\r\nthe system unbootable and the files present in the partitions inaccessible.\r\nDisk Drive IOCTL\r\nInstead of using the WriteFile APIs for overwriting the physical disk, CaddyWiper wipes the disk by sending it an\r\nInput/Output Control (IOCTL) code. The IOCTL_DISK_SET_DRIVE_LAYOUT_EX IOCTL is sent via the\r\nDeviceIoControl API alongside a buffer filled with zeros in order to wipe information about drive partitions\r\nincluding MBR and/or GUID Partition Table (GPT).\r\nThe code snippet below displays the implementation found in CaddyWiper.\r\nFigure 6. Wipers corrupt the disk layout using IOCTL_DISK_SET_DRIVE_LAYOUT_EX\r\nFile Contents\r\nAs discussed previously, wipers may implement destructive actions on the contents of the file to reduce chances of\r\nrecovery. We observed multiple approaches when deciding the data to be written over the target files. Some\r\nsamples overwrite the files with the same data across the entire length, others randomize the contents, while others\r\nwrite predefined buffers to the target files.\r\nOverwrite with Same Byte Value\r\nA simple method is to write the same byte over the entire file contents. 
Wiper families like CaddyWiper,\r\nDoubleZero, KillDisk, Meteor (with its Stardust/Comet variants) and SQLShred implement this technique.\r\nThis method does not add any overhead to the wiping process, but might leave an opportunity to recover the data\r\nvia magnetic-force microscopy.\r\nOverwrite with Random Bytes\r\nTo avoid any potential weakness of the previous method, threat actors can decide to generate random data to be\r\nused while overwriting files. Even some forensic tools implement secure wiping by overwriting the disk or file\r\nmultiple times with random data, leaving no chance for magnetic-force microscopy to recover the data.\r\nOftentimes the random buffer is generated via the seed and rand functions, followed by a write to the file.\r\nGenerating random data adds overhead, thus lengthening the wiping times. Destover, IsaacWiper, KillDisk,\r\nSQLShred and StoneDrill are a few examples of wipers that overwrite target files with random data.\r\nIsaacWiper fills its memory buffer using its own pseudorandom number generator, an implementation of the\r\nMersenne Twister PRNG.\r\nFigure 7. Malloc is used to “generate random” bytes that will be written to the file\r\nIn Figure 7, Destover takes advantage of a quirk of the malloc function to generate “random” data. Malloc will\r\nallocate a memory buffer, but it will contain residual data from previous usage of that memory page, which is then\r\nwritten over the entire length of the file.\r\nOverwrite with Predefined Data\r\nThe final method to discuss is the use of hard coded data to overwrite files. 
This method eliminates the overhead\r\nintroduced by generating random bytes, thus increasing the speed of data destruction.\r\nShamoon overwrites files with a predefined JPEG image that is hardcoded and obfuscated in the wiper binary. It\r\nuses the WriteFile API to write the image; the header of the JPEG is seen in the memory view in the second half of\r\nthe screenshot.\r\nFigure 8. Debugger view, showcasing the JPEG image being written to a file\r\nIn contrast, the wiper IsraBye writes only a message to the file contents, and it does not overwrite every byte in\r\nthe file content, leaving some data available for forensic analysts to extract. However, even though it is not as\r\ndestructive as others, this wiper is able to overwrite the file header, reducing the possibility of data carving or\r\nrecovery.\r\nFigure 9. IsraBye code snippet used for file overwrite and file rename\r\nHow the CrowdStrike Falcon® Platform Protects Customers Against Wipers\r\nThe CrowdStrike Falcon® platform takes a layered approach to protect workloads. Using on-sensor and cloud-based machine learning, behavior-based detection using indicators of attack (IOAs), and intelligence related to\r\ntactics, techniques and procedures (TTPs) employed by threat actors, the Falcon platform equips users with\r\nvisibility, threat detection, automated protection and continuous monitoring to rapidly detect and mitigate threats\r\nin any environment.\r\nFigure 10. Falcon UI screenshot showcasing detection of Apostle by Falcon sensor.\r\nFigure 11. Falcon UI screenshot showcasing detection of Ordinypt by Falcon sensor.\r\nSummary\r\nDepending on the skill set of different threat actors, wipers have implemented different techniques in order to\r\nsabotage the operations of their targets. 
Most often, wipers use file system specific APIs to iterate through files\r\nand overwrite and delete as many as possible.\r\nSome wipers don’t target only the files from the victim’s machine, but may also target the raw disk. This latter\r\ntechnique provides several advantages like increased wiping speeds for example. Also, it may bypass security\r\nmeasures implemented by the file system or operating system and may even be invisible to security products.\r\nTo further increase the speed of the operations, some wipers do not overwrite the entire length of the target data,\r\nbut only parts of it enough to make the files unrecoverable. To increase the destruction capability, randomizing the\r\ncontents overwritten to the files seems like a good approach, but it becomes a time intensive task. An interesting\r\nand time efficient approach seen in some wipers is the usage of malloc to use garbage data to overwrite the target.\r\nIn part two of this wiper series, we will dive into how wipers use legitimate third-party drivers to destroy files as\r\nwell as disk clusters.\r\nHashes\r\nAdditional Resources\r\nFind out more about today’s adversaries and how to combat them at Fal.Con 2022, the cybersecurity\r\nindustry’s most anticipated annual event. Register now and meet us in Las Vegas, Sept. 19-21!\r\nLearn how the powerful CrowdStrike Falcon® platform provides comprehensive protection across your\r\norganization, workers and data, wherever they are located.\r\nGet a full-featured free trial of CrowdStrike Falcon® Prevent™ and see for yourself how true next-gen AV\r\nperforms against today’s most sophisticated threats.\r\nSource: https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/"
	],
	"report_names": [
		"the-anatomy-of-wiper-malware-part-1"
	],
	"threat_actors": [
		{
			"id": "21e01940-3851-417f-9e90-1a4a2da07033",
			"created_at": "2022-10-25T16:07:23.299369Z",
			"updated_at": "2026-04-10T02:00:04.527895Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow",
				"DEV-0227",
				"Pink Sandstorm",
				"SharpBoys",
				"Spectral Kitten"
			],
			"source_name": "ETDA:Agrius",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agrius",
				"BFG Agonizer",
				"BFG Agonizer Wiper",
				"DEADWOOD",
				"DETBOSIT",
				"Detbosit",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"PW",
				"PartialWasher",
				"PartialWasher Wiper",
				"SQLShred",
				"Sqlextractor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d1dcfc37-1f9b-4acd-a023-25153f183c2e",
			"created_at": "2025-08-07T02:03:24.783147Z",
			"updated_at": "2026-04-10T02:00:03.664754Z",
			"deleted_at": null,
			"main_name": "COBALT SHADOW",
			"aliases": [
				"AMERICIUM ",
				"Agonizing Serpens ",
				"Agrius",
				"Agrius ",
				"BlackShadow",
				"DEV-0227 ",
				"Justice Blade ",
				"Malek Team",
				"Malek Team ",
				"MoneyBird ",
				"Pink Sandstorm ",
				"Sharp Boyz ",
				"Spectral Kitten "
			],
			"source_name": "Secureworks:COBALT SHADOW",
			"tools": [
				"Apostle",
				"DEADWOOD",
				"Fantasy wiper",
				"IPsec Helper",
				"MiniDump",
				"Moneybird ransomware",
				"Sandals",
				"SecretsDump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4023e661-f566-4b5b-a06f-9d370403f074",
			"created_at": "2024-02-02T02:00:04.064685Z",
			"updated_at": "2026-04-10T02:00:03.547155Z",
			"deleted_at": null,
			"main_name": "Pink Sandstorm",
			"aliases": [
				"AMERICIUM",
				"BlackShadow",
				"DEV-0022",
				"Agrius",
				"Agonizing Serpens",
				"UNC2428",
				"Black Shadow",
				"SPECTRAL KITTEN"
			],
			"source_name": "MISPGALAXY:Pink Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d982d5b-3428-483c-8804-c3ab774f1861",
			"created_at": "2024-11-01T02:00:52.70975Z",
			"updated_at": "2026-04-10T02:00:05.357255Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"Agrius",
				"Pink Sandstorm",
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow"
			],
			"source_name": "MITRE:Agrius",
			"tools": [
				"NBTscan",
				"Mimikatz",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"DEADWOOD",
				"BFG Agonizer",
				"ASPXSpy"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434878,
	"ts_updated_at": 1775791836,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/76d82224091c633671b8b446977b773392a1ce7b.pdf",
		"text": "https://archive.orkl.eu/76d82224091c633671b8b446977b773392a1ce7b.txt",
		"img": "https://archive.orkl.eu/76d82224091c633671b8b446977b773392a1ce7b.jpg"
	}
}