{
	"id": "c279c198-ab6d-46cc-b9cc-862f6769b7fb",
	"created_at": "2026-04-06T00:18:20.842765Z",
	"updated_at": "2026-04-10T13:11:46.3697Z",
	"deleted_at": null,
	"sha1_hash": "7a95aa3c6473ee6e2f2a841d4ad62566ab5f2491",
	"title": "Conti (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 472971,
	"plain_text": "Conti (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 17:48:04 UTC\r\nConti is an extremely damaging ransomware due to the speed with which it encrypts data and spreads to other\r\nsystems. It was first observed in 2020 and it is thought to be led by a Russia-based cybercrime group that goes\r\nunder the Wizard Spider pseudonym. In early May 2022, the US government announced a reward of up to $10\r\nmillion for information on the Conti ransomware gang.\r\n2025-05-23 ⋅ Shadow Banker ⋅\r\nShadow Banker Makes Glorious Return, Interviews Guy Exposing Conti Command \u0026 Control\r\nConti Conti 2025-01-17 ⋅ Google Cloud Security ⋅ Office of the CISO\r\nThreat Horizons - H1 2025 Threat Horizons Report\r\nFAKEUPDATES Conti Hades LockBit Phoenix Locker RansomHub TRIPLESTRENGTH 2024-06-05 ⋅ S-RM ⋅\r\nDavid Broom, Gavin Hull\r\nExmatter malware levels up: S-RM observes new variant with simultaneous remote code execution and data\r\ntargeting\r\nBlackCat BlackMatter Conti ExMatter LockBit REvil Ryuk 2024-05-01 ⋅ Natto Thoughts ⋅ Natto Team\r\nRansom-War: Russian Extortion Operations as Hybrid Warfare, Part One\r\nClop Conti Maze TrickBot 2024-04-10 ⋅ 0ffset Blog ⋅ Daniel Bunce\r\nResolving Stack Strings with Capstone Disassembler \u0026 Unicorn in Python\r\nConti 2023-10-03 ⋅ Luca Mella\r\nLighting the Exfiltration Infrastructure of a LockBit Affiliate (and more)\r\nLockBit LockBit Conti LockBit 2023-09-12 ⋅ ⋅ ANSSI ⋅ ANSSI\r\nFIN12: A Cybercriminal Group with Multiple Ransomware\r\nBlackCat Cobalt Strike Conti Hive MimiKatz Nokoyawa Ransomware PLAY Royal Ransom Ryuk SystemBC\r\n2023-09-07 ⋅ Department of Justice ⋅ Office of Public Affairs\r\nMultiple Foreign Nationals Charged in Connection with Trickbot Malware and Conti Ransomware Conspiracies\r\nConti Conti TrickBot 2023-07-26 ⋅ Arctic Wolf ⋅ Akshay Suthar, Connor Belfiore, Steven Campbell\r\nConti and Akira: Chained Together\r\nAkira Conti 2023-06-27 ⋅ SecurityIntelligence ⋅ Charlotte 
Hammond, Ole Villadsen\r\nThe Trickbot/Conti Crypters: Where Are They Now?\r\nBlack Basta Conti Mount Locker PhotoLoader Royal Ransom SystemBC TrickBot 2023-06-17 ⋅ Github\r\n(EmissarySpider) ⋅ EmissarySpider\r\nransomware-descendants\r\nBabuk Conti LockBit 2023-06-08 ⋅ VMRay ⋅ Patrick Staubmann\r\nBusy Bees - The Transformation of BumbleBee\r\nBumbleBee Cobalt Strike Conti Meterpreter Sliver 2023-03-10 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt\r\nFrom Royal With Love\r\nCobalt Strike Conti PLAY Royal Ransom Somnia 2023-02-10 ⋅ cocomelonc ⋅ cocomelonc\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.conti\r\nPage 1 of 12\n\nMalware analysis: part 8. Yara rule example for MurmurHash2. MurmurHash2 in Conti ransomware\r\nConti 2023-02-01 ⋅ Security Affairs ⋅ Pierluigi Paganini\r\nNew LockBit Green ransomware variant borrows code from Conti ransomware\r\nConti LockBit 2023-01-04 ⋅ cocomelonc\r\nMalware development tricks: part 26. Mutex. C++ example.\r\nAsyncRAT Conti HelloKitty 2022-12-06 ⋅ EuRepoC ⋅ Camille Borrett, Kerstin Zettl-Schabath, Lena Rottinger\r\nConti/Wizard Spider\r\nBazarBackdoor Cobalt Strike Conti Emotet IcedID Ryuk TrickBot WIZARD SPIDER 2022-11-21 ⋅ Palo Alto Networks\r\nUnit 42 ⋅ Kristopher Russo\r\nThreat Assessment: Luna Moth Callback Phishing Campaign\r\nBazarBackdoor Conti Luna Moth 2022-09-20 ⋅ vmware ⋅ Dana Behling\r\nThreat Report: Illuminating Volume Shadow Deletion\r\nConti HelloKitty 2022-09-07 ⋅ Blackberry ⋅ Anuj Soni, Ryan Chapman\r\nThe Curious Case of “Monti” Ransomware: A Real-World Doppelganger\r\nConti MimiKatz Veeam Dumper 2022-09-07 ⋅ Intel 471 ⋅ Intel 471\r\nConti vs. 
Monti: A Reinvention or Just a Simple Rebranding?\r\nConti 2022-08-22 ⋅ Microsoft ⋅ Microsoft\r\nExtortion Economics - Ransomware’s new business model\r\nBlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive Mount\r\nLocker Nokoyawa Ransomware REvil Ryuk 2022-08-10 ⋅ Avast Decoded ⋅ Threat Research Team\r\nAvast Q2/2022 Threat Report: Farewell to Conti, Zloader, and Maldocs; Hello Resurrection of Raccoon Stealer,\r\nand more Ransomware Attacks\r\nConti Raccoon RecordBreaker Zloader Caramel Tsunami 2022-08-03 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan\r\nFlight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware\r\nBazarBackdoor BumbleBee Cobalt Strike Conti 2022-08-02 ⋅ Recorded Future ⋅ Insikt Group\r\nInitial Access Brokers Are Key to Rise in Ransomware Attacks\r\nAzorult BlackMatter Conti Mars Stealer Raccoon RedLine Stealer Taurus Stealer Vidar 2022-07-20 ⋅ Kaspersky ⋅\r\nDmitry Galov, Jornt van der Wiel, Marc Rivero López, Sergey Lozhkin\r\nLuna and Black Basta — new ransomware for Windows, Linux and ESXi\r\nBlack Basta Conti 2022-06-23 ⋅ Kaspersky ⋅ Danila Nasonov, Natalya Shornikova, Nikita Nazarov, Vasily Davydov, Vladislav\r\nBurtsev\r\nThe hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)\r\nBlackByte BlackCat Clop Conti Hive LockBit Mespinoza RagnarLocker 2022-06-23 ⋅ Trellix ⋅ Christiaan Beek\r\nThe Sound of Malware\r\nConti VHD Ransomware 2022-06-15 ⋅ ThreatStop ⋅ Ofir Ashman\r\nFirst Conti, then Hive: Costa Rica gets hit with ransomware again\r\nConti Hive Conti Hive 2022-06-15 ⋅ AttackIQ ⋅ AttackIQ Adversary Research Team, Jackson Wells\r\nAttack Graph Emulating the Conti Ransomware Team’s Behaviors\r\nBazarBackdoor Conti TrickBot 2022-06-02 ⋅ Eclypsium ⋅ Eclypsium\r\nConti Targets Critical Firmware\r\nConti HermeticWiper TrickBot WhisperGate 2022-05-24 ⋅ The Hacker News ⋅ Florian Goutin\r\nMalware Analysis: 
Trickbot\r\nCobalt Strike Conti Ryuk TrickBot 2022-05-23 ⋅ Trend Micro ⋅ Matsugaya Shingo\r\nLockBit, Conti, and BlackCat Lead Pack Amid Rise in Active RaaS and Extortion Groups: Ransomware in Q1\r\n2022\r\nBlackCat Conti LockBit 2022-05-23 ⋅ Trend Micro ⋅ Trend Micro Research\r\nLockBit, Conti, and BlackCat Lead Pack Amid Rise in Active RaaS and Extortion Groups: Ransomware in Q1\r\n2022 (PDF)\r\nBlackCat Conti LockBit 2022-05-20 ⋅ AdvIntel ⋅ Marley Smith, Vitali Kremez, Yelisey Boguslavskiy\r\nDisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape\r\nAvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive 2022-05-18 ⋅ PRODAFT Threat Intelligence ⋅\r\nPRODAFT\r\nWizard Spider In-Depth Analysis\r\nCobalt Strike Conti WIZARD SPIDER 2022-05-17 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy\r\nHydra with Three Heads: BlackByte \u0026 The Future of Ransomware Subsidiary Groups\r\nBlackByte Conti 2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center\r\n(MSTIC)\r\nRansomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself\r\nAnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon\r\nATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi\r\nHelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker\r\nPhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT 2022-05-05 ⋅\r\nYouTube (The Vertex Project) ⋅ Ryan Hallbeck\r\nContileaks: Identifying, Extracting, \u0026 Modeling Bitcoin Addresses\r\nConti 2022-05-03 ⋅ Cisco ⋅ JAIME FILSON, Kendall McKay, Paul Eubanks.\r\nConti and Hive ransomware operations: Leveraging victim chats for insights\r\nConti Hive 2022-05-03 ⋅ Talos Intelligence ⋅ JON MUNSHAW\r\nConti 
and Hive ransomware operations: What we learned from these groups' victim chats\r\nConti Hive 2022-05-02 ⋅ Cisco Talos ⋅ JAIME FILSON, Kendall McKay, Paul Eubanks\r\nConti and Hive ransomware operations: Leveraging victim chats for insights\r\nCobalt Strike Conti Hive 2022-04-29 ⋅ NCC Group ⋅ Mike Stokkel, Nikolaos Pantazopoulos, Nikolaos Totosis\r\nAdventures in the land of BumbleBee – a new malicious loader\r\nBazarBackdoor BumbleBee Conti 2022-04-28 ⋅ PWC ⋅ PWC UK\r\nCyber Threats 2021: A Year in Retrospect (Annex)\r\nCobalt Strike Conti PlugX RokRAT Inception Framework Red Menshen 2022-04-28 ⋅ Symantec ⋅ Karthikeyan C\r\nKasiviswanathan, Vishal Kamble\r\nRansomware: How Attackers are Breaching Corporate Networks\r\nAvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot 2022-04-26 ⋅ Intel 471 ⋅ Intel 471\r\nConti and Emotet: A constantly destructive duo\r\nCobalt Strike Conti Emotet IcedID QakBot TrickBot 2022-04-21 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam\r\nGOLD ULRICK Continues Conti Operations Despite Public Disclosures\r\nConti Conti 2022-04-20 ⋅ Bleeping Computer ⋅ Bill Toulas\r\nMicrosoft Exchange servers hacked to deploy Hive ransomware\r\nBabuk BlackByte Conti Hive LockFile 2022-04-18 ⋅ Trellix ⋅ Alexandre Mundo, Jambul Tologonov, Marc Elias\r\nConti Group Targets ESXi Hypervisors With its Linux Variant\r\nConti Conti 2022-04-17 ⋅ BushidoToken Blog ⋅ BushidoToken\r\nLessons from the Conti Leaks\r\nBazarBackdoor Conti Emotet IcedID Ryuk TrickBot 2022-04-15 ⋅ Arctic Wolf ⋅ Arctic Wolf\r\nThe Karakurt Web: Threat Intel and Blockchain Analysis Reveals Extension of Conti Business Model\r\nConti Diavol Ryuk TrickBot 2022-04-15 ⋅ Bleeping Computer ⋅ Ionut Ilascu\r\nKarakurt revealed as data extortion arm of Conti cybercrime syndicate\r\nAnchor BazarBackdoor Conti TrickBot 2022-04-12 ⋅ ConnectWise ⋅ ConnectWise CRU\r\nThreat Profile: Conti\r\nConti 2022-04-11 ⋅ 
cocomelonc\r\nConti ransomware source code investigation - part 2\r\nConti 2022-04-09 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nHackers use Conti's leaked ransomware to attack Russian companies\r\nConti 2022-04-08 ⋅ ReversingLabs ⋅ Paul Roberts\r\nConversingLabs Ep. 2: Conti pivots as ransomware as a service struggles\r\nConti Emotet TrickBot 2022-04-06 ⋅ TRM Labs ⋅ TRM Labs\r\nTRM Analysis Corroborates Suspected Ties Between Conti and Ryuk Ransomware Groups and Wizard Spider\r\nConti Ryuk 2022-04-04 ⋅ The DFIR Report ⋅ @0xtornado, @MettalicHack, @yatinwad, @_pete_0\r\nStolen Images Campaign Ends in Conti Ransomware\r\nConti IcedID 2022-04-02 ⋅ Github (cocomelonc) ⋅ cocomelonc\r\nMalware development tricks. Find kernel32.dll base: asm style. C++ example.\r\nConti 2022-03-31 ⋅ nccgroup ⋅ Alex Jessop, Nikolaos Pantazopoulos, RIFT: Research and Intelligence Fusion Team, Simon Biggs\r\nConti-nuation: methods and techniques observed in operations post the leaks\r\nCobalt Strike Conti QakBot 2022-03-31 ⋅ Trellix ⋅ Jambul Tologonov, John Fokker\r\nConti Leaks: Examining the Panama Papers of Ransomware\r\nLockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot 2022-03-27 ⋅ cocomelonc\r\nConti ransomware source code investigation - part 1\r\nConti 2022-03-25 ⋅ Zscaler ⋅ Brett Stone-Gross\r\nConti Ransomware Attacks Persist With an Updated Version Despite Leaks\r\nConti 2022-03-23 ⋅ Intel 471 ⋅ Intel 471\r\nConti puts the ‘organized’ in organized crime\r\nConti 2022-03-23 ⋅ splunk ⋅ Shannon Davis\r\nGone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed\r\nAvaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk 2022-03-23 ⋅ Secureworks ⋅\r\nCounter Threat Unit ResearchTeam\r\nThreat Intelligence Executive Report Volume 2022, Number 2\r\nConti Emotet IcedID TrickBot 2022-03-23 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam\r\nGOLD ULRICK Leaks Reveal Organizational Structure and 
Relationships\r\nConti Emotet IcedID TrickBot 2022-03-22 ⋅ ThreatStop ⋅ Ofir Ashman\r\nConti ransomware leaks - what happens when hackers support Russia\r\nConti 2022-03-21 ⋅ Threat Post ⋅ Lisa Vaas\r\nConti Ransomware V. 3, Including Decryptor, Leaked\r\nCobalt Strike Conti TrickBot 2022-03-21 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)\r\nConti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered\r\nHelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID 2022-03-18 ⋅ eSentire ⋅ eSentire Threat\r\nResponse Unit (TRU)\r\nAnalysis of Leaked Conti Intrusion Procedures by eSentire’s Threat Response Unit (TRU)\r\nConti Conti 2022-03-17 ⋅ Google ⋅ Benoit Sevens, Google Threat Analysis Group, Vladislav Stolyarov\r\nExposing initial access broker with ties to Conti\r\nBazarBackdoor BumbleBee Cobalt Strike Conti 2022-03-17 ⋅ Sophos ⋅ Tilly Travers\r\nThe Ransomware Threat Intelligence Center\r\nATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry\r\nDharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker\r\nRagnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker 2022-03-17 ⋅ Google ⋅ Benoit Sevens,\r\nVladislav Stolyarov\r\nExposing initial access broker with ties to Conti\r\nBazarBackdoor BumbleBee Conti EXOTIC LILY 2022-03-16 ⋅ Dragos ⋅ Josh Hanrahan\r\nSuspected Conti Ransomware Activity in the Auto Manufacturing Sector\r\nConti Emotet 2022-03-16 ⋅ Symantec ⋅ Symantec Threat Hunter Team\r\nThe Ransomware Threat Landscape: What to Expect in 2022\r\nAvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty\r\nSquirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin 2022-03-15 ⋅ Prevailion ⋅ Matt Stafford, Sherman Smith\r\nWhat Wicked Webs We Un-weave\r\nCobalt Strike Conti 2022-03-10 ⋅ Check Point 
Research\r\nLeaks of Conti Ransomware Group Paint Picture of a Surprisingly Normal Tech Start-Up… Sort Of\r\nConti 2022-03-09 ⋅ Bleeping Computer ⋅ Ionut Ilascu\r\nCISA updates Conti ransomware alert with nearly 100 domain names\r\nBazarBackdoor Cobalt Strike Conti TrickBot 2022-03-08 ⋅ Github (whichbuffer) ⋅ Arda Büyükkaya\r\nConti-Ransomware-IOC\r\nConti 2022-03-08 ⋅ The Record ⋅ Dina Temple-Raston\r\nInside Conti leaks: The Panama Papers of ransomware\r\nConti 2022-03-08 ⋅ Yoroi ⋅ Carmelo Ragusa, Luca Mella, Luigi Martire\r\nConti Ransomware source code: a well-designed COTS ransomware\r\nConti 2022-03-08 ⋅ ⋅ MBSD ⋅ MBSD\r\nContiLeaks\r\nConti 2022-03-07 ⋅ CyberScoop ⋅ Suzanne Smalley\r\nRansomware gang Conti has already bounced back from damage caused by chat leaks, experts say\r\nConti 2022-03-03 ⋅ Trend Micro ⋅ Trend Micro Research\r\nIOC Resource for Russia-Ukraine Conflict-Related Cyberattacks\r\nClipBanker Conti HermeticWiper PartyTicket WhisperGate 2022-03-03 ⋅ Trend Micro ⋅ Trend Micro Research\r\nCyberattacks are Prominent in the Russia-Ukraine Conflict\r\nBazarBackdoor Cobalt Strike Conti Emotet WhisperGate 2022-03-02 ⋅ CyberArk ⋅ CyberArk Labs\r\nConti Group Leaked!\r\nTeamTNT Conti TrickBot 2022-03-02 ⋅ ⋅ elDiario ⋅ Carlos del Castillo\r\nCybercrime bosses warn that they will \"fight back\" if Russia is hacked\r\nConti Ryuk 2022-03-02 ⋅ Cluster25 ⋅ Cluster25\r\nConti's Source Code: Deep-Dive Into\r\nConti 2022-03-02 ⋅ Threatpost ⋅ Lisa Vaas\r\nConti Ransomware Decryptor, TrickBot Source Code Leaked\r\nConti TrickBot 2022-03-02 ⋅ KrebsOnSecurity ⋅ Brian Krebs\r\nConti Ransomware Group Diaries, Part II: The Office\r\nConti Emotet Ryuk TrickBot 2022-03-02 ⋅ Youtube (OALabs) ⋅ Sean Wilson, Sergei Frankoff\r\nBotleggers Exposed - Analysis of The Conti Leaks Malware\r\nConti 2022-03-01 ⋅ Medium whickey000 ⋅ Wade Hickey\r\nHow I Cracked CONTI Ransomware Group’s Leaked Source Code 
ZIP File\r\nConti 2022-03-01 ⋅ Twitter (@TheDFIRReport) ⋅ The DFIR Report\r\nTwitter thread with highlights from conti leaks\r\nConti 2022-03-01 ⋅ VX-Underground\r\nLeaks: Conti / Trickbot\r\nConti TrickBot 2022-03-01 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nConti Ransomware source code leaked by Ukrainian researcher\r\nConti 2022-03-01 ⋅ Arctic Wolf ⋅ Arctic Wolf\r\nConti Ransomware: An Analysis of Key Findings\r\nConti 2022-02-28 ⋅ Github (TheParmak) ⋅ TheParmak\r\nconti-leaks-englished\r\nConti 2022-02-28 ⋅ Medium arnozobec ⋅ Arnaud Zobec\r\nAnalyzing conti-leaks without speaking russian — only methodology\r\nConti 2022-02-28 ⋅ Sophos ⋅ Sean Gallagher\r\nConti and Karma actors attack healthcare provider at same time through ProxyShell exploits\r\nConti Karma 2022-02-27 ⋅ The Record ⋅ Catalin Cimpanu\r\nConti ransomware gang chats leaked by pro-Ukraine member\r\nConti LockBit 2022-02-27 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nConti ransomware's internal chats leaked after siding with Russia\r\nConti 2022-02-25 ⋅ ⋅ Red Hot Cyber ⋅ Red Hot Cyber\r\nIl ransomware Conti si schiera a favore della Russia.\r\nConti 2022-02-23 ⋅ AdvIntel ⋅ Vitali Kremez, Yelisey Boguslavskiy\r\n24 Hours From Log4Shell to Local Admin: Deep-Dive Into Conti Gang Attack on Fortune 500 (DFIR)\r\nCobalt Strike Conti 2022-02-23 ⋅ splunk ⋅ Shannon Davis, SURGe\r\nAn Empirically Comparative Analysis of Ransomware Binaries\r\nAvaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk 2022-02-22 ⋅ Bankinfo Security ⋅\r\nMatthew J. 
Schwartz\r\nCybercrime Moves: Conti Ransomware Absorbs TrickBot Malware\r\nConti TrickBot 2022-02-22 ⋅ Sophos ⋅ Chester Wisniewski\r\nCyberthreats during Russian-Ukrainian tensions: what can we learn from history to be prepared?\r\nConti 2022-02-20 ⋅ Security Affairs ⋅ Pierluigi Paganini\r\nThe Conti ransomware group takes over TrickBot malware operation and plans to replace it with BazarBackdoor\r\nmalware.\r\nConti TrickBot 2022-02-18 ⋅ Bleeping Computer ⋅ Ionut Ilascu\r\nConti ransomware gang takes over TrickBot malware operation\r\nConti TrickBot 2022-02-14 ⋅ Cyware\r\nRansomware Becomes Deadlier, Conti Makes the Most Money\r\nConti 2022-02-09 ⋅ Dragos ⋅ Anna Skelton\r\nDragos ICS/OT Ransomware Analysis: Q4 2021\r\nLockBit Conti LockBit 2022-02-04 ⋅ Bleeping Computer ⋅ Sergiu Gatlan\r\nHHS: Conti ransomware encrypted 80% of Ireland's HSE IT systems\r\nConti 2022-01-27 ⋅ BleepingComputer ⋅ Sergiu Gatlan\r\nTaiwanese Apple and Tesla contractor hit by Conti ransomware\r\nConti 2022-01-27 ⋅ CoveWare\r\nRansomware as a Service Innovation Curve\r\nConti LockBit 2022-01-24 ⋅ CyCraft ⋅ CyCraft AI\r\nThe Road to Ransomware Resilience, Part 2: Behavior Analysis\r\nConti Prometheus WastedLocker 2022-01-01 ⋅ Silent Push ⋅ Silent Push\r\nConsequences- The Conti Leaks and future problems\r\nCobalt Strike Conti 2022-01-01 ⋅ Symposium on Electronic Crime Research ⋅ Benjamin Brown, Damon McCoy, Ian W. 
Gray, Jack\r\nCable, Vlad Cuiujuclu\r\nMoney Over Morals: A Business Analysis of Conti Ransomware\r\nConti Conti 2021-12-23 ⋅ Symantec ⋅ Siddhesh Chandrayan\r\nLog4j Vulnerabilities: Attack Insights\r\nTsunami Conti Dridex Khonsari Orcus RAT TellYouThePass 2021-12-17 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey\r\nBoguslavskiy\r\nRansomware Advisory: Log4Shell Exploitation for Initial Access \u0026 Lateral Movement\r\nConti 2021-12-13 ⋅ The DFIR Report ⋅ The DFIR Report\r\nDiavol Ransomware\r\nBazarBackdoor Conti Diavol 2021-12-08 ⋅ Darktrace ⋅ Justin Fier\r\nThe double extortion business: Conti Ransomware Gang finds new avenues of negotiation\r\nConti 2021-12-03 ⋅ HSE ⋅ HSE\r\nConti cyber attack on the HSE\r\nConti 2021-12-01 ⋅ Trend Micro ⋅ Trend Micro\r\nRansomware Spotlight: Conti\r\nConti 2021-11-29 ⋅ The DFIR Report ⋅ The DFIR Report\r\nCONTInuing the Bazar Ransomware Story\r\nBazarBackdoor Cobalt Strike Conti 2021-11-18 ⋅ Elliptic ⋅ Elliptic Intel\r\nConti Ransomware Nets at Least $25.5 Million in Four Months\r\nConti 2021-11-18 ⋅ PRODAFT Threat Intelligence ⋅ PRODAFT\r\nConti Ransomware Group In-Depth Analysis\r\nConti 2021-11-18 ⋅ Red Canary ⋅ The Red Canary Team\r\nIntelligence Insights: November 2021\r\nAndromeda Conti LockBit QakBot Squirrelwaffle 2021-11-18 ⋅ Qualys ⋅ Ghanshyam More\r\nConti Ransomware\r\nConti 2021-11-16 ⋅ IronNet ⋅ IronNet Threat Research, Joey Fitzpatrick, Morgan Demboski, Peter Rydzynski\r\nHow IronNet's Behavioral Analytics Detect REvil and Conti Ransomware\r\nCobalt Strike Conti IcedID REvil 2021-11-15 ⋅ TRUESEC ⋅ Fabio Viggiani\r\nProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks\r\nCobalt Strike Conti QakBot 2021-11-10 ⋅ AT\u0026T ⋅ Josh Gomez\r\nStories from the SOC - Powershell, Proxyshell, Conti TTPs OH MY!\r\nCobalt Strike Conti 2021-11-09 ⋅ Cybereason ⋅ Aleksandar Milenkoski, Eli Salem\r\nTHREAT ANALYSIS REPORT: From 
Shatak Emails to the Conti Ransomware\r\nCobalt Strike Conti 2021-11-07 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli\r\nCONTI Ransomware: Cheat Sheet\r\nConti 2021-11-02 ⋅ Intel 471 ⋅ Intel 471\r\nCybercrime underground flush with shipping companies’ credentials\r\nCobalt Strike Conti 2021-11-02 ⋅ unh4ck ⋅ Cyb3rSn0rlax\r\nDetecting CONTI CobaltStrike Lateral Movement Techniques - Part 2\r\nCobalt Strike Conti 2021-10-26 ⋅ unh4ck ⋅ Hamza OUADIA\r\nDetecting CONTI CobaltStrike Lateral Movement Techniques - Part 1\r\nCobalt Strike Conti 2021-10-25 ⋅ KrebsOnSecurity ⋅ Brian Krebs\r\nConti Ransom Gang Starts Selling Access to Victims\r\nConti 2021-10-22 ⋅ HUNT \u0026 HACKETT ⋅ Krijn de Mik\r\nAdvanced IP Scanner: the preferred scanner in the A(P)T toolbox\r\nConti DarkSide Dharma Egregor Hades REvil Ryuk 2021-10-05 ⋅ Trend Micro ⋅ Byron Gelera, Fyodor Yarochkin, Janus\r\nAgcaoili, Nikko Tamana\r\nRansomware as a Service: Enabler of Widespread Attacks\r\nCerber Conti DarkSide Gandcrab Locky Nefilim REvil Ryuk 2021-10-04 ⋅ The DFIR Report ⋅ The DFIR Report\r\nBazarLoader and the Conti Leaks\r\nBazarBackdoor Cobalt Strike Conti 2021-09-29 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy\r\nBackup “Removal” Solutions - From Conti Ransomware With Love\r\nCobalt Strike Conti 2021-09-22 ⋅ CISA ⋅ US-CERT\r\nAlert (AA21-265A) Conti Ransomware\r\nCobalt Strike Conti 2021-09-14 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team\r\nBig Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack\r\nBlackMatter DarkSide REvil Avaddon BlackMatter Clop Conti CryptoLocker DarkSide DoppelPaymer Hades\r\nREvil 2021-09-13 ⋅ The DFIR Report ⋅ The DFIR Report\r\nBazarLoader to Conti Ransomware in 32 Hours\r\nBazarBackdoor Cobalt Strike Conti 2021-09-03 ⋅ Sophos ⋅ Anand Ajjan, Andrew Ludgate, Gabor Szappanos, Peter Mackenzie,\r\nSean Gallagher, Sergio Bestulic, Syed Zaidi\r\nConti affiliates use ProxyShell Exchange exploit in ransomware attacks\r\nCobalt Strike Conti 2021-09-02 ⋅ 
Talos ⋅ Azim Khodjibaev, Caitlin Huey, David Liebenberg, Dmytro Korzhevin\r\nTranslated: Talos' insights from the recently leaked Conti ransomware playbook\r\nConti 2021-08-19 ⋅ Sekoia ⋅ sekoia\r\nAn insider insights into Conti operations – Part two\r\nCobalt Strike Conti 2021-08-17 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy\r\nHunting for Corporate Insurance Policies: Indicators of [Ransom] Exfiltration\r\nCobalt Strike Conti 2021-08-17 ⋅ Sekoia ⋅ sekoia\r\nAn insider insights into Conti operations – Part one\r\nCobalt Strike Conti 2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team\r\nThe Ransomware Threat\r\nBabuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike\r\nConti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex\r\nMimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker 2021-08-11 ⋅ Advanced Intelligence ⋅ Vitali Kremez\r\nSecret \"Backdoor\" Behind Conti Ransomware Operation: Introducing Atera Agent\r\nCobalt Strike Conti 2021-08-10 ⋅ Youtube (OALabs) ⋅ OALabs\r\nLeaked Conti Ransomware Playbook - Red Team Reacts\r\nConti 2021-08-10 ⋅ LIFARS ⋅ Vlad Pasca\r\nA Detailed Analysis of The Last Version of Conti Ransomware\r\nConti 2021-08-06 ⋅ Threat Post ⋅ Elizabeth Montalbano\r\nAngry Affiliate Leaks Conti Ransomware Gang Playbook\r\nConti 2021-08-06 ⋅ Sophos Naked Security ⋅ Paul Ducklin\r\nConti ransomware affiliate goes rogue, leaks “gang data”\r\nConti 2021-08-05 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nAngry Conti ransomware affiliate leaks gang's attack playbook\r\nConti 2021-08-05 ⋅ The Record ⋅ Catalin Cimpanu\r\nDisgruntled ransomware affiliate leaks the Conti gang’s technical manuals\r\nConti 2021-08-05 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie\r\nTweet on Conti ransomware affiliates using AnyDesk, Atera, Splashtop, Remote Utilities and ScreenConnect to\r\nmaintain 
network access\r\nConti 2021-08-05 ⋅ KrebsOnSecurity ⋅ Brian Krebs\r\nRansomware Gangs and the Name Game Distraction\r\nDarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze\r\nRansomEXX REvil Ryuk Sekhmet 2021-08-01 ⋅ The DFIR Report ⋅ The DFIR Report\r\nBazarCall to Conti Ransomware via Trickbot and Cobalt Strike\r\nBazarBackdoor Cobalt Strike Conti TrickBot 2021-07-21 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie\r\nTweet on Conti ransomware actor installing AnyDesk for remote access in victim environment\r\nConti 2021-07-08 ⋅ SentinelOne ⋅ Antonio Pirozzi, Idan Weizman\r\nConti Unpacked: Understanding Ransomware Development as a Response to Detection - A Detailed Technical\r\nAnalysis\r\nConti 2021-07-01 ⋅ DomainTools ⋅ Chad Anderson\r\nThe Most Prolific Ransomware Families: A Defenders Guide\r\nREvil Conti Egregor Maze REvil 2021-07-01 ⋅ Fortinet ⋅ Asaf Rubinfeld, Dor Neemani\r\nDiavol - A New Ransomware Used By Wizard Spider?\r\nConti Diavol 2021-06-30 ⋅ Cynet ⋅ Max Malyutin\r\nShelob Moonlight – Spinning a Larger Web From IcedID to CONTI, a Trojan and Ransomware collaboration\r\nConti IcedID 2021-06-18 ⋅ Palo Alto Networks Unit 42 ⋅ Richard Hickman\r\nConti Ransomware Gang: An Overview\r\nConti 2021-06-15 ⋅ Trend Micro ⋅ Byron Gelera, Earle Earnshaw, Janus Agcaoili, Miguel Ang, Nikko Tamana\r\nRansomware Double Extortion and Beyond: REvil, Clop, and Conti\r\nClop Conti REvil 2021-06-02 ⋅ CrowdStrike ⋅ Heather Smith, Josh Dalman\r\nUnder Attack: Protecting Against Conti, DarkSide, REvil and Other Ransomware\r\nDarkSide Conti DarkSide REvil 2021-05-20 ⋅ FBI ⋅ FBI\r\nAlert Number CP-000147-MW: Conti Ransomware Attacks Impact Healthcare and First Responder Networks\r\nConti 2021-05-16 ⋅ NCSC Ireland ⋅ NCSC Ireland\r\nRansomware Attack on Health Sector - UPDATE 2021-05-16\r\nCobalt Strike Conti 2021-05-12 ⋅ The DFIR Report\r\nConti 
Ransomware\r\nCobalt Strike Conti IcedID 2021-05-10 ⋅ DarkTracer ⋅ DarkTracer\r\nIntelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware\r\ngangs released on the DarkWeb\r\nRansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze\r\nMedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok\r\nRansomEXX REvil Sekhmet SunCrypt ThunderX 2021-05-06 ⋅ Cyborg Security ⋅ Brandon Denker\r\nRansomware: Hunting for Inhibiting System Backup or Recovery\r\nAvaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX\r\nREvil Ryuk Snatch ThunderX 2021-04-29 ⋅ The Institute for Security and Technology ⋅ The Institute for Security and Technology\r\nCombating Ransomware A Comprehensive Framework for Action: Key Recommendations from the Ransomware\r\nTask Force\r\nConti EternalPetya 2021-04-26 ⋅ CoveWare ⋅ CoveWare\r\nRansomware Attack Vectors Shift as New Software Vulnerability Exploits Abound\r\nAvaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt 2021-04-25 ⋅ Vulnerability.ch\r\nBlog ⋅ Corsin Camichel\r\nRansomware and Data Leak Site Publication Time Analysis\r\nAvaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil 2021-04-13 ⋅ ⋅ MBSD ⋅ Kei Sugawara,\r\nTakashi Yoshikawa\r\nUnraveling the internal structure of the Conti Ransomware\r\nConti 2021-04-07 ⋅ ANALYST1 ⋅ Jon DiMaggio\r\nRansom Mafia Analysis of the World's First Ransomware Cartel\r\nConti Egregor LockBit Maze RagnarLocker Ryuk SunCrypt TA2101 VIKING SPIDER 2021-04-07 ⋅ ANALYST1 ⋅\r\nJon DiMaggio\r\nRansom Mafia - Analysis of the World's First Ransomware Cartel\r\nConti Egregor LockBit Maze RagnarLocker SunCrypt VIKING SPIDER 2021-03-01 ⋅ Group-IB ⋅ Oleg Skulkin, Roman\r\nRezvukhin, Semyon Rogachev\r\nRansomware Uncovered 2020/2021\r\nRansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker 
QakBot\r\nRansomEXX REvil Ryuk SDBbot TrickBot Zloader 2021-02-28 ⋅ PWC UK ⋅ PWC UK\r\nCyber Threats 2020: A Year in Retrospect\r\nelf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.conti\r\nPage 10 of 12\n\nBazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx\r\nFunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk\r\nStoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess\r\nWinnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception\r\nFramework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team 2021-02-25 ⋅ ANSSI ⋅ CERT-FR\r\nRyuk Ransomware\r\nBazarBackdoor Buer Conti Emotet Ryuk TrickBot 2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike\r\n2021 Global Threat Report\r\nRansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide\r\nDoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker\r\nMespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT\r\nRagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST\r\nSunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER\r\nSOLAR SPIDER VIKING SPIDER 2021-02-16 ⋅ SophosLabs Uncut ⋅ Michael Heller\r\nA Conti ransomware attack day-by-day\r\nConti 2021-02-16 ⋅ SophosLabs Uncut ⋅ Anand Ajjan, Andrew Brandt\r\nConti ransomware: Evasive by nature\r\nConti 2021-02-16 ⋅ SophosLabs Uncut ⋅ Peter Mackenzie, Tilly Travers\r\nWhat to expect when you’ve been hit with Conti ransomware\r\nConti 2021-02-11 ⋅ CTI LEAGUE ⋅ CTI LEAGUE\r\nCTIL Darknet Report – 2021\r\nConti Mailto Maze REvil Ryuk 2021-02-04 ⋅ ClearSky ⋅ ClearSky Research Team\r\nCONTI Modus Operandi and Bitcoin Tracking\r\nConti Ryuk 2021-02-02 ⋅ ⋅ CRONUP ⋅ Germán 
Fernández\r\nDe ataque con Malware a incidente de Ransomware\r\nAvaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire\r\nDownloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX\r\nREvil Ryuk SDBbot SmokeLoader TrickBot Zloader 2021-01-17 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie\r\nTweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders\r\nCobalt Strike Conti 2021-01-12 ⋅ Cybereason ⋅ Lior Rochberger\r\nCybereason vs. Conti Ransomware\r\nBazarBackdoor Conti 2020-12-15 ⋅ Medium 0xthreatintel ⋅ 0xthreatintel\r\nReversing Conti Ransomware\r\nConti 2020-12-15 ⋅ Chuongdong blog ⋅ Chuong Dong\r\nConti Ransomware v2\r\nConti 2020-12-12 ⋅ Github (cdong1012) ⋅ Chuong Dong\r\nContiUnpacker: An automatic unpacker for Conti rasnomware\r\nConti 2020-11-20 ⋅ ZDNet ⋅ Catalin Cimpanu\r\nThe malware that usually installs ransomware and you need to remove right away\r\nAvaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx\r\nMegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader 2020-11-18 ⋅ KELA ⋅ Victoria Kivilevich\r\nZooming into Darknet Threats Targeting Japanese Organizations\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.conti\r\nPage 11 of 12\n\nConti DoppelPaymer Egregor LockBit Maze REvil Snake 2020-11-16 ⋅ Intel 471 ⋅ Intel 471\r\nRansomware-as-a-service: The pandemic within a pandemic\r\nAvaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk\r\nSunCrypt ThunderX 2020-10-23 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab\r\nLeakware-Ransomware-Hybrid Attacks\r\nAvaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet\r\nSunCrypt 2020-10-16 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team\r\nWIZARD SPIDER Update: Resilient, Reactive and Resolute\r\nBazarBackdoor Conti Ryuk TrickBot 2020-10-01 ⋅ KELA ⋅ Victoria 
Kivilevich\r\nTo Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem\r\nConti DoppelPaymer Mailto Maze REvil Ryuk SunCrypt 2020-09-29 ⋅ PWC UK ⋅ Andy Auld\r\nWhat's behind the increase in ransomware attacks this year?\r\nDarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk\r\nSMAUG SunCrypt TrickBot WastedLocker 2020-08-25 ⋅ BleepingComputer ⋅ Lawrence Abrams\r\nRyuk successor Conti Ransomware releases data leak site\r\nConti 2020-08-18 ⋅ Arete ⋅ Arete Incident Response\r\nIs Conti the New Ryuk?\r\nConti Ryuk 2020-07-08 ⋅ VMWare Carbon Black ⋅ Brian Baskin\r\nTAU Threat Discovery: Conti Ransomware\r\nConti\r\n[TLP:WHITE] win_conti_auto (20251219 | Detects win.conti.)\r\n[TLP:WHITE] win_conti_w0   (20220318 | Detect the Conti ransomware (x64))\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.conti",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.conti"
	],
	"report_names": [
		"win.conti"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d87fb380-03db-447c-a560-33e1b6e70e87",
			"created_at": "2025-05-29T02:00:03.231385Z",
			"updated_at": "2026-04-10T02:00:03.881295Z",
			"deleted_at": null,
			"main_name": "Luna Moth",
			"aliases": [
				"Silent Ransom",
				"TG2729"
			],
			"source_name": "MISPGALAXY:Luna Moth",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "99d9dd87-91c3-4371-9943-0a1c9c3cd99c",
			"created_at": "2022-10-25T16:07:23.277763Z",
			"updated_at": "2026-04-10T02:00:04.514755Z",
			"deleted_at": null,
			"main_name": "Solar Spider",
			"aliases": [],
			"source_name": "ETDA:Solar Spider",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "12211366-1f14-4eed-9d91-46b6a2ede618",
			"created_at": "2025-08-07T02:03:25.014713Z",
			"updated_at": "2026-04-10T02:00:03.624097Z",
			"deleted_at": null,
			"main_name": "GOLD ULRICK",
			"aliases": [
				"Grim Spider ",
				"UNC1878 "
			],
			"source_name": "Secureworks:GOLD ULRICK",
			"tools": [
				"Bloodhound",
				"Buer Loader",
				"Cobalt Strike",
				"Conti",
				"Diavol",
				"PowerShell Empire",
				"Ryuk",
				"SystemBC",
				"Team9 (aka BazarLoader)",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6ad410c7-e291-4327-a54b-281c23f0d4fa",
			"created_at": "2022-10-25T16:07:24.501468Z",
			"updated_at": "2026-04-10T02:00:05.013427Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Mushy Scorpius"
			],
			"source_name": "ETDA:Karakurt",
			"tools": [
				"7-Zip",
				"Agentemis",
				"AnyDesk",
				"Cobalt Strike",
				"CobaltStrike",
				"FileZilla",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"WinZip",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6f37e16f-64b2-4b9c-b5b4-08d0884660eb",
			"created_at": "2022-10-25T16:07:24.380872Z",
			"updated_at": "2026-04-10T02:00:04.966462Z",
			"deleted_at": null,
			"main_name": "Viking Spider",
			"aliases": [],
			"source_name": "ETDA:Viking Spider",
			"tools": [
				"Ragnar Locker",
				"RagnarLocker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67fbc7d7-ba8e-4258-b53c-9a5d755e1960",
			"created_at": "2022-10-25T16:07:24.077859Z",
			"updated_at": "2026-04-10T02:00:04.860725Z",
			"deleted_at": null,
			"main_name": "Promethium",
			"aliases": [
				"APT-C-41",
				"G0056",
				"Magenta Dust",
				"Promethium",
				"StrongPity"
			],
			"source_name": "ETDA:Promethium",
			"tools": [
				"StrongPity",
				"StrongPity2",
				"StrongPity3",
				"Truvasys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24",
			"created_at": "2022-10-25T16:47:55.853415Z",
			"updated_at": "2026-04-10T02:00:03.856263Z",
			"deleted_at": null,
			"main_name": "GOLD TOMAHAWK",
			"aliases": [
				"Karakurt",
				"Karakurt Lair",
				"Karakurt Team"
			],
			"source_name": "Secureworks:GOLD TOMAHAWK",
			"tools": [
				"7-Zip",
				"AnyDesk",
				"Mega",
				"QuickPacket",
				"Rclone",
				"SendGB"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "25758a84-d695-44e7-9cd5-3c6e999ce6c0",
			"created_at": "2023-01-06T13:46:39.237624Z",
			"updated_at": "2026-04-10T02:00:03.255835Z",
			"deleted_at": null,
			"main_name": "OUTLAW SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:OUTLAW SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4594f985-865e-4862-8047-2e80226e246a",
			"created_at": "2022-10-27T08:27:12.984825Z",
			"updated_at": "2026-04-10T02:00:05.293575Z",
			"deleted_at": null,
			"main_name": "EXOTIC LILY",
			"aliases": [
				"EXOTIC LILY"
			],
			"source_name": "MITRE:EXOTIC LILY",
			"tools": [
				"Bazar"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f809bfcb-b200-4988-80a8-be78ef6a52ef",
			"created_at": "2023-01-06T13:46:39.186988Z",
			"updated_at": "2026-04-10T02:00:03.240002Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"Adept Libra"
			],
			"source_name": "MISPGALAXY:TeamTNT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cbede712-4cc3-47c6-bf78-92fd9f1beac6",
			"created_at": "2022-10-25T15:50:23.777222Z",
			"updated_at": "2026-04-10T02:00:05.399303Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"PROMETHIUM",
				"StrongPity"
			],
			"source_name": "MITRE:PROMETHIUM",
			"tools": [
				"Truvasys",
				"StrongPity"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8492b1a0-126f-4113-b8f7-101d28559629",
			"created_at": "2023-01-06T13:46:38.864213Z",
			"updated_at": "2026-04-10T02:00:03.126178Z",
			"deleted_at": null,
			"main_name": "GRIM SPIDER",
			"aliases": [
				"GOLD ULRICK"
			],
			"source_name": "MISPGALAXY:GRIM SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "079e3d6e-24ef-42b0-b555-75c288f9efd8",
			"created_at": "2023-03-04T02:01:54.105946Z",
			"updated_at": "2026-04-10T02:00:03.359009Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Karakurt Lair"
			],
			"source_name": "MISPGALAXY:Karakurt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "38e9c8e3-38f8-4500-8c5c-8349b3e9a998",
			"created_at": "2023-01-06T13:46:39.207556Z",
			"updated_at": "2026-04-10T02:00:03.246557Z",
			"deleted_at": null,
			"main_name": "RIDDLE SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:RIDDLE SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e227b757-7032-4a99-b119-1bfda2ebd543",
			"created_at": "2023-01-06T13:46:39.21663Z",
			"updated_at": "2026-04-10T02:00:03.248543Z",
			"deleted_at": null,
			"main_name": "SOLAR SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:SOLAR SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b98eb1ec-dc8b-4aea-b112-9e485408dd14",
			"created_at": "2022-10-25T16:07:23.649308Z",
			"updated_at": "2026-04-10T02:00:04.701157Z",
			"deleted_at": null,
			"main_name": "FunnyDream",
			"aliases": [
				"Bronze Edgewood",
				"Red Hariasa",
				"TAG-16"
			],
			"source_name": "ETDA:FunnyDream",
			"tools": [
				"Chinoxy",
				"Filepak",
				"FilepakMonitor",
				"FunnyDream",
				"Keyrecord",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Md_client",
				"PCShare",
				"ScreenCap",
				"TcpBridge",
				"Tcp_transfer",
				"ccf32"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "58db0213-4872-41fe-8a76-a7014d816c73",
			"created_at": "2023-01-06T13:46:38.61757Z",
			"updated_at": "2026-04-10T02:00:03.040816Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"G0131",
				"PLA Unit 65017",
				"Earth Akhlut",
				"TAG-74",
				"CactusPete",
				"KARMA PANDA",
				"BRONZE HUNTLEY",
				"Red Beifang"
			],
			"source_name": "MISPGALAXY:Tonto Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e9f85280-337c-4321-b872-0919f8ef64a6",
			"created_at": "2022-10-25T16:07:24.261761Z",
			"updated_at": "2026-04-10T02:00:04.914455Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"Gold Village",
				"Maze Team",
				"TA2101",
				"Twisted Spider"
			],
			"source_name": "ETDA:TA2101",
			"tools": [
				"7-Zip",
				"Agentemis",
				"BokBot",
				"Buran",
				"ChaCha",
				"Cobalt Strike",
				"CobaltStrike",
				"Egregor",
				"IceID",
				"IcedID",
				"Mimikatz",
				"PsExec",
				"SharpHound",
				"VegaLocker",
				"WinSCP",
				"cobeacon",
				"nmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c3ca592f-0669-49bd-ab5c-310007ab2fb4",
			"created_at": "2022-10-25T15:50:23.334495Z",
			"updated_at": "2026-04-10T02:00:05.264841Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"TeamTNT"
			],
			"source_name": "MITRE:TeamTNT",
			"tools": [
				"Peirates",
				"MimiPenguin",
				"LaZagne",
				"Hildegard"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "da483338-e479-4d74-a6dd-1fb09343fd07",
			"created_at": "2022-10-25T15:50:23.698197Z",
			"updated_at": "2026-04-10T02:00:05.355597Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Tonto Team",
				"Earth Akhlut",
				"BRONZE HUNTLEY",
				"CactusPete",
				"Karma Panda"
			],
			"source_name": "MITRE:Tonto Team",
			"tools": [
				"Mimikatz",
				"Bisonal",
				"ShadowPad",
				"LaZagne",
				"NBTscan",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d1f8bd4e-bcd4-4101-9158-6158f1806b38",
			"created_at": "2023-01-06T13:46:39.487358Z",
			"updated_at": "2026-04-10T02:00:03.344509Z",
			"deleted_at": null,
			"main_name": "BazarCall",
			"aliases": [
				"BazzarCall",
				"BazaCall"
			],
			"source_name": "MISPGALAXY:BazarCall",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "04a7ebaa-ebb1-4971-b513-a0c86886d932",
			"created_at": "2023-01-06T13:46:38.784965Z",
			"updated_at": "2026-04-10T02:00:03.099088Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"ATK116",
				"Blue Odin"
			],
			"source_name": "MISPGALAXY:Inception Framework",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b4ec06e5-60c9-4796-9f85-129c77d1652b",
			"created_at": "2023-01-06T13:46:39.21956Z",
			"updated_at": "2026-04-10T02:00:03.249407Z",
			"deleted_at": null,
			"main_name": "VIKING SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:VIKING SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3f53ecb7-e228-471d-8f85-0b2ba110ab4b",
			"created_at": "2023-01-06T13:46:39.181151Z",
			"updated_at": "2026-04-10T02:00:03.237995Z",
			"deleted_at": null,
			"main_name": "Red Charon",
			"aliases": [],
			"source_name": "MISPGALAXY:Red Charon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4e453d66-9ecd-47d9-b63a-32fa5450f071",
			"created_at": "2024-06-19T02:03:08.077075Z",
			"updated_at": "2026-04-10T02:00:03.830523Z",
			"deleted_at": null,
			"main_name": "GOLD LOTUS",
			"aliases": [
				"BlackByte",
				"Hecamede "
			],
			"source_name": "Secureworks:GOLD LOTUS",
			"tools": [
				"BlackByte",
				"Cobalt Strike",
				"ExByte",
				"Mega",
				"RDP",
				"SoftPerfect Network Scanner"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc",
			"created_at": "2023-01-06T13:46:38.354607Z",
			"updated_at": "2026-04-10T02:00:02.939761Z",
			"deleted_at": null,
			"main_name": "APT23",
			"aliases": [
				"BRONZE HOBART",
				"G0081",
				"Red Orthrus",
				"Earth Centaur",
				"PIRATE PANDA",
				"KeyBoy",
				"Tropic Trooper"
			],
			"source_name": "MISPGALAXY:APT23",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17d16126-35d7-4c59-88a5-0b48e755e80f",
			"created_at": "2025-08-07T02:03:24.622109Z",
			"updated_at": "2026-04-10T02:00:03.726126Z",
			"deleted_at": null,
			"main_name": "BRONZE HUNTLEY",
			"aliases": [
				"CactusPete ",
				"Earth Akhlut ",
				"Karma Panda ",
				"Red Beifang",
				"Tonto Team"
			],
			"source_name": "Secureworks:BRONZE HUNTLEY",
			"tools": [
				"Bisonal",
				"RatN",
				"Royal Road",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4660477f-333f-4a18-b49b-0b4d7c66d482",
			"created_at": "2023-01-06T13:46:38.511962Z",
			"updated_at": "2026-04-10T02:00:03.007466Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"StrongPity",
				"G0056"
			],
			"source_name": "MISPGALAXY:PROMETHIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fb23d29-6c6c-459b-8985-e11f125cebcf",
			"created_at": "2025-03-07T02:00:03.805635Z",
			"updated_at": "2026-04-10T02:00:03.83403Z",
			"deleted_at": null,
			"main_name": "TRIPLESTRENGTH",
			"aliases": [],
			"source_name": "MISPGALAXY:TRIPLESTRENGTH",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f63c346d-18c8-4821-a56d-fefb1ad7ed5d",
			"created_at": "2022-10-25T16:07:23.42507Z",
			"updated_at": "2026-04-10T02:00:04.593122Z",
			"deleted_at": null,
			"main_name": "Bronze Starlight",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"HighGround",
				"Operation ChattyGoblin",
				"SLIME34"
			],
			"source_name": "ETDA:Bronze Starlight",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"AtomSilo",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"HUI Loader",
				"Kaba",
				"Korplug",
				"LockFile",
				"Night Sky",
				"NightSky",
				"Pandora",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b72c2616-cc7c-4c47-a83d-6b7866b94746",
			"created_at": "2023-01-06T13:46:39.425297Z",
			"updated_at": "2026-04-10T02:00:03.323082Z",
			"deleted_at": null,
			"main_name": "Red Nue",
			"aliases": [
				"LuoYu"
			],
			"source_name": "MISPGALAXY:Red Nue",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c69bcda3-0893-4ea1-9ec1-ae016332d283",
			"created_at": "2023-01-06T13:46:39.410593Z",
			"updated_at": "2026-04-10T02:00:03.317754Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"DEV-0401",
				"Cinnamon Tempest",
				"Emperor Dragonfly",
				"SLIME34"
			],
			"source_name": "MISPGALAXY:BRONZE STARLIGHT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a",
			"created_at": "2022-10-25T16:07:24.332084Z",
			"updated_at": "2026-04-10T02:00:04.940672Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Bronze Huntley",
				"CactusPete",
				"Earth Akhlut",
				"G0131",
				"HartBeat",
				"Karma Panda",
				"LoneRanger",
				"Operation Bitter Biscuit",
				"TAG-74",
				"Tonto Team"
			],
			"source_name": "ETDA:Tonto Team",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Bioazih",
				"Bisonal",
				"CONIME",
				"Dexbia",
				"Korlia",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5fba09c3-73cc-4898-9b82-e73b012016c6",
			"created_at": "2025-08-07T02:03:24.578591Z",
			"updated_at": "2026-04-10T02:00:03.767329Z",
			"deleted_at": null,
			"main_name": "BRONZE EDGEWOOD",
			"aliases": [
				"Red Hariasa"
			],
			"source_name": "Secureworks:BRONZE EDGEWOOD",
			"tools": [
				"Chinoxy",
				"Cobalt Strike",
				"FunnyDream",
				"Md_client",
				"Nishang Post Exploitation Framework",
				"PCShare",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4e7fd07d-fcc5-459b-b678-45a7d9cda751",
			"created_at": "2025-04-23T02:00:55.174827Z",
			"updated_at": "2026-04-10T02:00:05.353712Z",
			"deleted_at": null,
			"main_name": "BlackByte",
			"aliases": [
				"BlackByte",
				"Hecamede"
			],
			"source_name": "MITRE:BlackByte",
			"tools": [
				"AdFind",
				"BlackByte Ransomware",
				"Exbyte",
				"Arp",
				"BlackByte 2.0 Ransomware",
				"PsExec",
				"Cobalt Strike",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9c8a7541-1ce3-450a-9e41-494bc7af11a4",
			"created_at": "2023-01-06T13:46:39.358343Z",
			"updated_at": "2026-04-10T02:00:03.300601Z",
			"deleted_at": null,
			"main_name": "Red Menshen",
			"aliases": [
				"Earth Bluecrow",
				"Red Dev 18"
			],
			"source_name": "MISPGALAXY:Red Menshen",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "56384d06-abc2-4853-8440-db4d7b7d1b5f",
			"created_at": "2023-01-06T13:46:39.367122Z",
			"updated_at": "2026-04-10T02:00:03.303733Z",
			"deleted_at": null,
			"main_name": "EXOTIC LILY",
			"aliases": [
				"DEV-0413"
			],
			"source_name": "MISPGALAXY:EXOTIC LILY",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "38f8da87-b4ba-474b-83e6-5b04d8fb384b",
			"created_at": "2024-02-02T02:00:04.032871Z",
			"updated_at": "2026-04-10T02:00:03.532955Z",
			"deleted_at": null,
			"main_name": "Caramel Tsunami",
			"aliases": [
				"SOURGUM",
				"Candiru"
			],
			"source_name": "MISPGALAXY:Caramel Tsunami",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86182dd7-646c-49c5-91a6-4b62fd2119a7",
			"created_at": "2025-08-07T02:03:24.617638Z",
			"updated_at": "2026-04-10T02:00:03.738499Z",
			"deleted_at": null,
			"main_name": "BRONZE HOBART",
			"aliases": [
				"APT23",
				"Earth Centaur ",
				"KeyBoy ",
				"Pirate Panda ",
				"Red Orthrus ",
				"TA413 ",
				"Tropic Trooper "
			],
			"source_name": "Secureworks:BRONZE HOBART",
			"tools": [
				"Crowdoor",
				"DSNGInstaller",
				"KeyBoy",
				"LOWZERO",
				"Mofu",
				"Pfine",
				"Sepulcher",
				"Xiangoop Loader",
				"Yahaoyah"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c240435e-8863-4e5b-9f47-20c6f5c52131",
			"created_at": "2022-10-25T16:07:23.253019Z",
			"updated_at": "2026-04-10T02:00:04.505012Z",
			"deleted_at": null,
			"main_name": "Outlaw Spider",
			"aliases": [],
			"source_name": "ETDA:Outlaw Spider",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c3c864b3-fac9-4d56-8500-7c06c829fbf8",
			"created_at": "2023-01-06T13:46:39.071873Z",
			"updated_at": "2026-04-10T02:00:03.203749Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"GOLD VILLAGE",
				"Storm-0216",
				"DEV-0216",
				"UNC2198",
				"TUNNEL SPIDER",
				"Maze Team",
				"TWISTED SPIDER"
			],
			"source_name": "MISPGALAXY:TA2101",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2d3f35f-3b29-4509-bff5-af2638140d39",
			"created_at": "2022-10-25T16:07:23.633982Z",
			"updated_at": "2026-04-10T02:00:04.695802Z",
			"deleted_at": null,
			"main_name": "FIN12",
			"aliases": [],
			"source_name": "ETDA:FIN12",
			"tools": [
				"Agentemis",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"KEGTAP",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f72bb9d8-ff75-444f-8fb7-1e8e113cef73",
			"created_at": "2023-01-06T13:46:39.401929Z",
			"updated_at": "2026-04-10T02:00:03.314524Z",
			"deleted_at": null,
			"main_name": "BRONZE EDGEWOOD",
			"aliases": [
				"Red Hariasa"
			],
			"source_name": "MISPGALAXY:BRONZE EDGEWOOD",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6148aa7-4347-4444-a2a0-dbbf7c0f121c",
			"created_at": "2022-10-25T16:07:24.12696Z",
			"updated_at": "2026-04-10T02:00:04.875073Z",
			"deleted_at": null,
			"main_name": "Riddle Spider",
			"aliases": [
				"Avaddon Team"
			],
			"source_name": "ETDA:Riddle Spider",
			"tools": [
				"Avaddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d511e74b-96b8-4ab9-88d6-bc183351dbd8",
			"created_at": "2025-08-07T02:03:24.674685Z",
			"updated_at": "2026-04-10T02:00:03.800936Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"Cinnamon Tempest ",
				"DEV-0401 ",
				"Emperor Dragonfly "
			],
			"source_name": "Secureworks:BRONZE STARLIGHT",
			"tools": [
				"AtomSilo",
				"Cobalt Strike",
				"HUI Loader",
				"Impacket",
				"LockFile",
				"NightSky",
				"Pandora",
				"PlugX",
				"Rook"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "873a6c6f-a4d1-49b3-8142-4a147d4288ef",
			"created_at": "2022-10-25T16:07:23.455744Z",
			"updated_at": "2026-04-10T02:00:04.61281Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Bronze Vapor",
				"G0114",
				"Nuclear Taurus",
				"Operation Skeleton Key",
				"Red Charon",
				"THORIUM",
				"Tumbleweed Typhoon"
			],
			"source_name": "ETDA:Chimera",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"SkeletonKeyInjector",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "02c9f3f6-5d10-456b-9e63-750286048149",
			"created_at": "2022-10-25T16:07:23.722884Z",
			"updated_at": "2026-04-10T02:00:04.72726Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"ATK 116",
				"Blue Odin",
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"Inception Framework",
				"Operation Cloud Atlas",
				"Operation RedOctober",
				"The Rocra"
			],
			"source_name": "ETDA:Inception Framework",
			"tools": [
				"Lastacloud",
				"PowerShower",
				"VBShower"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "81e29474-63ad-4ce8-97db-b1712d5481d5",
			"created_at": "2024-04-24T02:00:49.570158Z",
			"updated_at": "2026-04-10T02:00:05.285111Z",
			"deleted_at": null,
			"main_name": "Cinnamon Tempest",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"Emperor Dragonfly",
				"BRONZE STARLIGHT"
			],
			"source_name": "MITRE:Cinnamon Tempest",
			"tools": [
				"Pandora",
				"PlugX",
				"Cheerscrypt",
				"Impacket",
				"Cobalt Strike",
				"HUI Loader",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434700,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7a95aa3c6473ee6e2f2a841d4ad62566ab5f2491.pdf",
		"text": "https://archive.orkl.eu/7a95aa3c6473ee6e2f2a841d4ad62566ab5f2491.txt",
		"img": "https://archive.orkl.eu/7a95aa3c6473ee6e2f2a841d4ad62566ab5f2491.jpg"
	}
}