{
	"id": "08b91f5c-79ee-4dab-a88d-3ab061b62518",
	"created_at": "2026-04-06T00:06:20.417309Z",
	"updated_at": "2026-04-10T13:12:38.53517Z",
	"deleted_at": null,
	"sha1_hash": "7be9913adcb77245c31c0bce9479f8f06bad3cca",
	"title": "APT and financial attacks on industrial organizations in Q3 2025 | Kaspersky ICS CERT EN",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 186598,
	"plain_text": "APT and financial attacks on industrial organizations in Q3 2025 |\r\nKaspersky ICS CERT EN\r\nBy Kaspersky ICS CERT Team\r\nPublished: 2025-12-01 · Archived: 2026-04-05 15:26:25 UTC\r\nQuarterly summary\r\nArtificial intelligence serving the attackers\r\nExploiting generic and long-standing security issues in traditional operating systems and other IT\r\nsystems\r\nDLL hijacking/sideloading\r\nBYOVD (Bring Your Own Vulnerable Driver)\r\nZero-day vulnerabilities\r\nIncomplete patches and ‘Won’t Fix’\r\nUAC bypass\r\nExploiting trust\r\nLegitimate (including stolen) digital signature certificates\r\nExploiting compromised email accounts\r\nIndifference and carelessness\r\nRussian-speaking activity\r\nRomCom attacks\r\nStatic Tundra attacks\r\nCurly COMrades attacks\r\nTargets in Russia\r\nUNG0901 attacks/Operation CargoTalon\r\nAttacks with Batavia stealer\r\nPaper Werewolf/GOFFEE attacks\r\nPhantomCore attacks\r\nCavalry Werewolf attacks\r\nHive0117 attacks\r\nComicForm attacks\r\nClusters of cyberthreats targeting Russia and Belarus\r\nSouth Asia\r\nAPT36/Transparent Tribe attacks\r\nMiddle East-related activity\r\nUNC1549 attacks\r\nChinese-speaking activity\r\nAttacks against the Taiwanese semiconductor industry\r\nUNC3886 attacks\r\nSalt Typhoon joint advisory\r\nhttps://ics-cert.kaspersky.com/publications/reports/2025/12/01/apt-and-financial-attacks-on-industrial-organizations-in-q3-2025/\r\nPage 1 of 23\n\nGhostRedirector attacks\r\nRedNovember/TAG-100 attacks\r\nNaikon attacks\r\nCybercriminal and others\r\nScattered Spider/UNC3944 attacks\r\nAttacks with Gunra ransomware\r\nTGR-CRI-0045/Gold Melody attacks\r\nGLOBAL GROUP attacks\r\nCharon ransomware attacks\r\nCISA alert on Interlock ransomware group\r\nWarlock ransomware attacks\r\nCrypto24 ransomware attacks\r\nThe Gentlemen ransomware attacks\r\nThe DireWolf ransomware attacks\r\nAttacks with ToolShell vulnerability\r\nAttacks targeting CVE-2025-32433\r\nAttacks with PipeMagic 
backdoor\r\nAttacks with UpCrypter\r\nEvilAI attacks\r\nAttacks with DarkCloud\r\nThis summary provides an overview of reports on APT and financial attacks on industrial enterprises disclosed in\r\nQ3 2025, as well as the related activities of groups observed attacking industrial organizations. For each topic, we\r\nsummarize the key facts, findings and conclusions of researchers that we believe may be useful to professionals\r\naddressing practical issues of cybersecurity in industrial enterprises.\r\nQuarterly summary\r\nThe third quarter of 2025 saw a wealth of technical details related to attacks that affected industrial organizations\r\nworldwide. This article contains more stories than last quarter’s summary and significantly more than the Q3 2024\r\narticle.\r\nNumerous conclusions can be drawn from the reports and technical papers by various researchers on attacks on\r\nindustrial organizations published this quarter. Some of these conclusions are trivial and expected; they indicate\r\ntrends in the evolving threat landscape for industrial enterprises that had already been noted, or are part of broader\r\nprocesses affecting cybersecurity in general. Others may seem unexpected and paradoxical. Some highlight\r\nsecurity issues that ought to be familiar by now, but have proven difficult to get accustomed to – perhaps due to a\r\nsense of fairness.\r\nArtificial intelligence serving the attackers\r\nAs expected, artificial intelligence is useful not only to analysts, engineers, traders, journalists, business\r\nexecutives, government officials, and ordinary people, but also to attackers. This quarter, we learned more about\r\nhow it’s being used in attacks on industrial enterprises.\r\nThe first and most obvious use is the concept of AI itself. 
Attackers have long taken advantage of their\r\npotential victims’ interest in new technologies by disguising their malicious code as seemingly harmless\r\nAI tools. For example, in attacks on Middle Eastern organizations, a downloader was used to deliver the\r\nPipeMagic backdoor under the guise of the ChatGPT client.\r\nThe second obvious use of AI is to leverage its capabilities. For instance, the operators of the GLOBAL\r\nGROUP ransomware platform built an automated ransom negotiation system with AI-powered chatbots to\r\nspare their members the trouble of learning English.\r\nAnd, of course, it’s possible to combine different AI approaches, as the attackers nicknamed EvilAI did.\r\nThey disguised their malware as AI-powered productivity tools and partially developed it using an LLM,\r\nmaking the malicious code appear more legitimate.\r\nExploiting generic and long-standing security issues in traditional operating systems and other IT\r\nsystems\r\nAs we and others have repeatedly stated, cybersecurity experts will not achieve a definitive victory in the fight\r\nagainst threat actors as long as IT systems and technologies that were not developed with cybersecurity as a high\r\npriority are widely used. This includes most general-purpose operating systems, even the most modern ones.\r\nGeneric security issues in these systems, including architectural ones, increase the attack surface and facilitate the\r\ndevelopment of malicious activity by complicating automatic detection and blocking.\r\nDLL hijacking/sideloading\r\nThis is one of the architectural flaws in Windows operating systems most frequently exploited by attackers,\r\nbecause it allows developers (including Microsoft itself) to create insecure applications. Attackers can load\r\nmalicious code into these applications by replacing legitimate dynamic libraries with their own malicious ones.\r\nThis approach can significantly complicate the detection and blocking of malicious activity. 
Security solutions\r\ncannot analyze the behavior of all running processes equally deeply for performance reasons, so they are forced to\r\nreduce the depth of analysis for many key operating system processes and trusted applications.\r\nDLL sideloading was used in attacks on telecommunications and manufacturing organizations in Central\r\nand South Asia using the PlugX malware, and in Charon ransomware attacks on Middle Eastern\r\norganizations for shellcode deployment.\r\nThe MiniBike malware components used in attacks on European telecommunications, aerospace, and\r\ndefense companies are compiled specifically for the victim and executed via DLL sideloading. Attackers\r\nutilize a specific method of modifying the export tables of legitimate DLLs to seamlessly integrate the\r\nmalicious code.\r\nResearchers also described a couple of other interesting DLL hijacking techniques. The first was\r\ndemonstrated by the aforementioned attackers who targeted organizations using PipeMagic. In one of its\r\nloader variants, the dynamic link library for a Google Chrome update executable contained malicious code\r\nin the DllMain function. The second technique was employed by the Nimbus Manticore group in attacks on\r\ndefense, telecommunications, and aviation companies in Western Europe using the MiniJunk backdoor.\r\nDuring the backdoor’s execution, DLL sideloading is used twice. The first time is rather unusual: the\r\nDllPath parameter of the RTL_USER_PROCESS_PARAMETERS structure used in the undocumented low-level NT API is manipulated. This parameter determines the search path for the DLL if it is not found in the\r\napplication directory. 
Thus, the malware was loaded from the directory to which it was copied from an\r\narchive into the memory of a Windows Defender process running from a different directory entirely.\r\nBYOVD (Bring Your Own Vulnerable Driver)\r\nIn addition to loading malicious code from the context of trusted applications, which makes it more difficult to\r\ndetect and block, attackers can perform malicious actions using legitimate code at the OS kernel level by installing\r\nnew or using existing legitimate vulnerable drivers. These drivers enable attackers to sometimes completely\r\ndisable or render security solutions ineffective (e.g., by disabling their ability to intercept system operations, such\r\nas process launches, file openings, etc.). The OS itself is the only reliable protection against all such scenarios.\r\nHowever, modern general-purpose operating systems (such as Windows and Linux) do not offer this level of\r\nprotection, meaning security solution developers must devise their own strategies to minimize this risk.\r\nThis quarter, researchers published two stories about attacks on industrial organizations in which the\r\nattackers used these tactics. Notably, both stories describe ransomware operations (Crypto24 and The\r\nGentlemen) rather than APTs, further demonstrating that some ransomware actors have become\r\n“advanced” in many ways.\r\nZero-day vulnerabilities\r\nAlthough extending the OS kernel functionality by installing an additional driver is a convenient architectural\r\napproach for third-party developers of hardware components, peripherals and performance-intensive applications,\r\nit’s a cybersecurity nightmare, as discussed above. Unfortunately, vulnerabilities exist not only in drivers from\r\nthird-party vendors but also in drivers developed and maintained by general-purpose OS developers. 
These\r\nvulnerabilities are also exploited in attacks, including those against industrial organizations.\r\nThis quarter, our colleagues at Kaspersky reported one such case. CVE-2025-29824 is a privilege\r\nescalation vulnerability in the Common Log File System (CLFS) driver that allows read and write access to\r\nkernel memory. Surprisingly, this is the 33rd vulnerability discovered in this particular driver, and the\r\nfourth to be exploited by attackers. Researchers have suggested that the security issues in the driver likely\r\nstem from two sources. The first is related to the architecture of the storage system for the logs it processes,\r\nspecifically their format. They explicitly store kernel data structures, including pointers to kernel memory.\r\nThe second originates in the architecture of the driver itself: to protect the OS from “screens of death”\r\nwhen the driver crashes, the developers layered its code with exception handlers. This masks errors in the\r\ncode, making them difficult to detect via fuzzing techniques. It is also noteworthy that this zero-day\r\nvulnerability was first discovered in attacks by a ransomware group, not an APT.\r\nZero-day vulnerabilities in popular applications may not be as dangerous as vulnerabilities in OS kernel code,\r\nbut they can still provide attackers with significant advantages at various stages of an attack, especially during the\r\ninitial access and persistence phases.\r\nThis quarter, researchers reported two cases of attacks on industrial organizations exploiting the zero-day\r\nvulnerability CVE-2025-8088 in WinRAR, which allowed attackers to trick victims and bypass security\r\nsolutions. 
Interestingly, the RomCom cybercriminal group used the exploit for this vulnerability in attacks\r\nbefore it was used in the Paper Werewolf/GOFFEE APT operations.\r\nIncomplete patches and ‘Won’t Fix’\r\nOne of the most serious problems with the current widespread approach to securing IT and OT systems,\r\nincluding their key components such as the OS, is that vendors tend to give this task a relatively low priority. As a\r\nresult, we often see carelessness when developing and releasing security patches, or even a complete reluctance to\r\nrelease them. This quarter, security researchers publicly shared two stories that confirm this.\r\nThe first concerns a chain of ToolShell vulnerabilities used in attacks on SharePoint servers running on\r\norganizational networks in many countries, including those of industrial enterprises. The patches initially\r\nreleased by Microsoft (CVE-2025-49704 and CVE-2025-49706) proved insufficient. According to the\r\nresearchers, changing just one byte in the exploit code was enough to bypass the patches. Microsoft was\r\nforced to release new patches (CVE-2025-53770 and CVE-2025-53771) to address the vulnerabilities.\r\nThe second describes attacks by access brokers on ASP.NET applications, including those on publicly\r\naccessible resources of industrial enterprises. The attackers stole “machine keys” and used them to inject\r\nmalicious modules into the memory of Internet Information Services (IIS), a web server developed by\r\nMicrosoft. This technique, known since 2014 as “Viewstate Deserialization,” was exploited in attacks on\r\nvarious ASP.NET services that use this serialization technology. Microsoft has labeled this security issue\r\nas a “Won’t Fix”.\r\nUAC bypass\r\nAnother systemic security problem in modern IT and OT environments is that developers of key components, such\r\nas the OS, do not always ensure the effectiveness of their security enhancements. 
The developers’ creation and\r\nimplementation of other functional system components and their new features can often allow attackers to bypass\r\npreviously implemented security measures. This is the case, for example, with the User Account Control (UAC)\r\nmechanism, which requires additional confirmation from the user when a process attempts to perform a privileged\r\naction. Since some system processes are among those requiring privileged access, this mechanism has numerous\r\nexceptions, allowing attackers to bypass it. There are currently several dozen known UAC bypass techniques,\r\nmany of which are frequently used in attacks, including against industrial enterprises.\r\nOne such case is described in the aforementioned Crypto24 ransomware campaign, in which the attackers\r\nbypassed UAC using one of the most common methods: exploiting the CMSTPLUA COM interface.\r\nExploiting trust\r\nIt’s common knowledge that, in addition to the technical issues described above, attackers routinely exploit their\r\npotential victims’ organizational weaknesses, employing psychological tactics to develop social engineering\r\nmethods that exploit trust. However, trusting relationships between people and organizations often have a\r\ntechnical aspect beyond psychological and communicative ones. This can include additional communication\r\nchannels that bypass the security perimeter or are less secure, or a lack of technical capability on one side to fully\r\nverify the information security status of technological components and digital artifacts provided by the other party.\r\nOne of the most interesting technical stories published this quarter described attacks by Chinese-speaking\r\nAPT groups targeting organizations in the telecommunications, government, transportation, military, and\r\nhousing sectors in various countries. 
The attackers primarily targeted the network cores of major\r\ntelecommunications providers, as well as the edge routers of providers and their client organizations. They\r\nthen used compromised devices and trusted relationships to compromise the networks of new victims.\r\nLegitimate (including stolen) digital signature certificates\r\nThe most common method of automating trust relationships in IT and OT is based on cryptographic signature\r\nmechanisms. For example, a mail server signs outgoing email messages with a DKIM key, enabling the receiving\r\nserver to verify the email’s origin, even if it passes through multiple relays. The sender signs the email using\r\nS/MIME or PGP so that the recipient can identify the sender and verify that the email’s contents were not altered\r\nduring delivery. The operating system verifies the digital signature of an executable file before launching it to\r\nensure it was created by a legitimate developer and has not been modified. A specialized security solution also\r\nverifies this digital signature to determine the level of analysis required for the application’s behavior, as discussed\r\nabove in the section on DLL hijacking. Unfortunately, attackers who obtain a valid private signature key can use it\r\nto bypass trust mechanisms. They can do this by stealing the key from the legitimate owner or by deceiving the\r\ncertification authority. For example, they can create a fake organization or temporarily seize the domain zone of a\r\nlegitimate organization. Two such cases were included in stories published this quarter about attacks on industrial\r\norganizations.\r\nSubtle Snail has been using digital signatures for its malware in attacks on European telecommunications,\r\naerospace, and defense companies since at least May 2025. 
All malicious binaries used in the group’s\r\nattacks are signed with a valid digital certificate issued by SSL.com to Dutch company Insight Digital B.V.\r\nGhostRedirector, which compromised at least 65 Windows servers belonging to educational, healthcare,\r\ninsurance, transportation, retail, and IT organizations in several countries, signed some of its malware with\r\na certificate issued by TrustAsia RSA Code Signing CA G3 to the developer Shenzhen Diyuan Technology\r\nCo., Ltd.\r\nIn both cases, it is unclear from the published articles how the attackers obtained the certificates.\r\nExploiting compromised email accounts\r\nThe final method of exploiting trust relationships highlighted in this quarter’s technical articles on attacks on\r\nindustrial organizations involves exploiting the trust between people. This reduces the likelihood that malicious\r\nactivity will be detected by automated security tools. When you receive an email from a known (“trusted”)\r\ncounterparty, especially if it’s part of an ongoing conversation, you’re likely to open the attachment, click the link,\r\nor perform some other reckless action prompted by the email’s content – after all, the corporate spam and phishing\r\nfilter has automatically checked it and didn’t flag it as suspicious. Therefore, many attackers are keen to gain\r\naccess to legitimate email accounts, which they then use in subsequent attacks. In one of our articles, we\r\nuncovered an entire ecosystem of attackers operating primarily using this method.\r\nIn the aforementioned malicious campaign, Paper Werewolf/GOFFEE posed as a major research institute\r\nand sent emails to Russian and Uzbek organizations. 
They used a compromised email address belonging to\r\nhttps://ics-cert.kaspersky.com/publications/reports/2025/12/01/apt-and-financial-attacks-on-industrial-organizations-in-q3-2025/\r\nPage 6 of 23\n\na furniture supplier.\r\nIn a large-scale cyberespionage campaign against Russian organizations, including industrial enterprises,\r\nthe Head Mare/PhantomCore APT group gained initial access to victim networks through phishing emails.\r\nThe attackers used compromised email accounts belonging to legitimate Russian companies.\r\nThe Tomiris APT group specifically sent phishing emails to Russian government agencies, as well as\r\nenergy, mining, and manufacturing companies. The senders purported to be Kyrgyz government officials.\r\nOne of the emails used an address that was listed on the website of the Kyrgyz Republic’s regulator. This\r\naddress had apparently been compromised for use in previous attacks.\r\nComicForm specifically targets Russian companies in the industrial, financial, tourism, biotechnology,\r\nresearch, and trade sectors, as well as organizations in Belarus and Kazakhstan. The attackers send\r\nphishing emails and distribute malware from email addresses registered in the .ru, .by, and .kz top-level\r\ndomains. Some of these addresses were presumably compromised.\r\nThe UNK_FistBump group sent phishing emails to recruiters and HR staff at organizations involved in the\r\ndesign, production, and supply of semiconductor products. The emails were sent from compromised\r\nNational Taiwan University email accounts, with the senders posing as university graduates seeking\r\nemployment.\r\nIndifference and carelessness\r\nFinally, and perhaps the most glaring problem of all, is the lack of attention to industrial enterprise information\r\nsecurity by responsible employees. 
This quarter, researchers published two papers that highlight the issue’s\r\nrelevance.\r\nCisco Talos, in collaboration with the Federal Bureau of Investigation, issued a warning about an APT\r\ngroup exploiting the seven-year-old CVE-2018-0171 vulnerability against border routers of organizations\r\nin the critical infrastructure sector.\r\nPalo Alto Networks researchers reported attacks exploiting the critical (CVSS 10.0) CVE-2025-32433\r\nvulnerability in the SSH server implementation of the Open Telecom Platform. This vulnerability was\r\ndiscovered and patched in April 2025. It is worth noting that approximately 70% of more than 3000\r\nexploitation attempts occurred on specialized industrial firewalls accessible from the internet. These\r\nfirewalls are designed to separate communications between IT and technological networks and are most\r\nlikely not equipped to counter the wide variety of threats that can reach them from the internet.\r\nRussian-speaking activity\r\nRomCom attacks\r\nCybercriminal | Spear phishing | Zero-day vulnerability | Backdoor\r\nESET researchers discovered an unknown vulnerability in WinRAR that is currently being exploited in the wild\r\nby the RomCom (also known as Storm-0978, Tropical Scorpius, or UNC2596) threat actor. This is at least the\r\nthird time RomCom has been caught exploiting a significant zero-day vulnerability in the wild. The path traversal\r\nvulnerability, assigned CVE-2025-8088, is made possible by the use of alternate data streams. After immediate\r\nnotification, WinRAR released a patched version on July 30, 2025. The vulnerability enables attackers to hide\r\nmalicious files in an archive, which are silently deployed during extraction. 
Successful exploitation attempts\r\ndelivered various backdoors used by the RomCom group, specifically a SnipBot variant, RustyClaw, and the\r\nMythic agent. The campaign targeted financial, manufacturing, defense, and logistics companies in Europe and\r\nCanada.\r\nStatic Tundra attacks\r\nAPT | Exploitation of network devices | Firmware implant\r\nBoth Cisco Talos and the Federal Bureau of Investigation (FBI) warned that a state-sponsored cyber-espionage\r\ngroup was exploiting a seven-year-old vulnerability in the Smart Install feature of Cisco IOS software.\r\nCVE-2018-0171 is an improper input validation issue in the discontinued Smart Install feature of Cisco IOS and Cisco IOS\r\nXE software. Cisco Talos named the group Static Tundra. It is likely a sub-cluster of the Energetic Bear APT\r\ngroup (also known as Crouching Yeti, Berserk Bear, and Dragonfly), based on an overlap in tactics, techniques\r\nand procedures (TTPs), as well as victimology. The attackers target end-of-life devices that have not been patched\r\nin the telecommunications, higher education, and manufacturing sectors around the world. Users unable to apply\r\nthe patch have been urged to disable Smart Install. According to Cisco Talos, the attackers’ goal is to steal\r\nconfiguration data and gain persistent access to vulnerable systems. Static Tundra employs sophisticated\r\npersistence techniques, including the historic SYNful Knock firmware implant (first reported in 2015), as well as\r\nbespoke SNMP tooling, to maintain undetected access for years.\r\nCurly COMrades attacks\r\nNew threat actor | Backdoor | Compromised websites\r\nBitdefender researchers detailed a cluster of malicious activity that they’ve been tracking since mid-2024, which\r\nrevealed a new threat actor group named Curly COMrades. 
The group has targeted critical organizations in post-Soviet countries, launching focused attacks against judicial and government bodies in Georgia and an energy\r\ndistribution company in Moldova. The group’s primary objective is to gain long-term access to target networks\r\nand steal valid credentials. Curly COMrades uses proxy tools such as Resocks, SSH, and Stunnel to establish\r\nmultiple entry points into internal networks. The group frequently executes remote commands through these\r\nestablished proxy relays, often using tools like Atexec. As the last-stage tool, the attackers deployed a new\r\nbackdoor dubbed MucorAgent. To maintain persistent access, they use a sophisticated technique that\r\nhijacks the Windows scheduled tasks responsible for the periodic or occasional (such as on .NET Framework updates) running\r\nof NGEN (Native Image Generator) – a performance optimizer that precompiles .NET intermediate code into native\r\nmachine code. They also strategically use compromised but legitimate websites as traffic relays. Curly COMrades\r\nrepeatedly attempted to extract the NTDS database from domain controllers. The database is the primary\r\nrepository for user password hashes and authentication data in a Windows network. Additionally, they attempted\r\nto dump LSASS memory from specific systems to recover active user credentials.\r\nTargets in Russia\r\nUNG0901 attacks/Operation CargoTalon\r\nUnknown threat actor | Spear phishing | Backdoor\r\nSeqrite Labs researchers uncovered a cyber-espionage campaign called Operation CargoTalon that targeted\r\nRussian companies using the EAGLET backdoor. The malicious activity was attributed to a threat cluster tracked\r\nas UNG0901 (Unknown Group 901). 
The targets were employees of an aircraft production association, as\r\nsuggested by a malicious email file uploaded to VirusTotal. The attacks involved phishing emails with bait related\r\nto cargo delivery, titled “Транспортная_накладная_ТТН_№391-44_от_26.06.2025.zip”\r\n(Transport_Consignment_Note_TTN_No.391-44_from_26.06.2025.zip). The ZIP archive contains an LNK file\r\nthat uses PowerShell to display a decoy XLS document and execute the EAGLET DLL file via rundll32.exe.\r\nEAGLET collects system information, establishes connections to a hardcoded remote server, and executes\r\ncommands on the compromised Windows machine. The implant supports shell access and file upload/download\r\ncapabilities. However, the exact nature of the next-stage payloads being delivered is unknown because the C2\r\nserver was offline at the time of the study.\r\nSeqrite researchers discovered a similar campaign targeting the Russian military-industrial complex with the\r\ndecoy “Договор_РН83_изменения.zip” (Contract_RN83_Changes.zip) using EAGLET. Unlike previous\r\ncampaigns, in this second campaign the EAGLET implant didn’t contain a decoy file in its overlay section.\r\nThe researchers observed multiple overlaps, including similar target interests and\r\nimplant code, between these campaigns and the threat entity known as Head Mare, which has been targeting Russian-speaking entities and\r\nwas initially discovered by researchers at Kaspersky. In particular, the researchers noted functional parallels\r\nbetween EAGLET and PhantomDL, a Go-based backdoor with a shell and file upload/download capabilities, as\r\nwell as similarities in the naming algorithm applied to attachments in phishing emails.\r\nAttacks with Batavia stealer\r\nNew threat actor | Spear phishing | Spyware\r\nKaspersky researchers reported on new, previously unknown spyware dubbed Batavia that is involved in attacks\r\non Russian industrial enterprises. 
Batavia consists of the following malicious components: a VBS script and two\r\nexecutable files. The targeted attacks began in July 2024 with the sending of emails containing malicious links\r\nunder the pretext of signing a contract. After clicking on the link, an archive containing a VBS script is\r\ndownloaded. The script is encrypted with a proprietary Microsoft algorithm. The observed script names were\r\n“договор-2025-5.vbe” (contract-2025-5.vbe), “приложение.vbe” (application.vbe), and “dogovor.vbe”. The\r\nscript initiates a three-stage infection of the machine that involves two more executable files. The first executable\r\nfile, written in Delphi, collects files of several categories, including various system logs and office documents on\r\ncomputers and removable media. In addition, it periodically takes screenshots and sends them to the C2. The\r\nsecond executable file, written in C++, has similar spyware functionality, but with additional file extensions added\r\nto the list of collected files. The second malicious file also contained two commands: one to change the C2 server\r\nand another to download and run additional files.\r\nPaper Werewolf/GOFFEE attacks\r\nAPT | Spear phishing | Zero-day vulnerability\r\nAccording to the BI.ZONE team, the Paper Werewolf/GOFFEE threat actor attacked Russian and Uzbek\r\norganizations in July and early August. One of the targets was a Russian manufacturer of specialized equipment.\r\nThe attackers sent an email that appeared to be from a large research institute, but was actually from a\r\ncompromised email address belonging to a furniture manufacturer. 
The RAR archive attached to the email\r\ncontained decoy documents purporting to be from a ministry and a modified XPS Viewer executable with\r\nembedded malicious shellcode (a reverse shell) that connects to the C2 server. This provided the attackers with\r\nremote access to the cmd.exe shell on the victim’s computer. In this attack, the attackers exploited the known\r\nvulnerability CVE-2025-6218 in WinRAR. Subsequent attacks targeting companies in Russia and Uzbekistan\r\nexploited a new zero-day vulnerability, CVE-2025-8088, that hadn’t yet been described and affected WinRAR\r\nversions up to and including 7.12. This vulnerability was also used by the RomCom threat actor. ESET researchers\r\nnoted that Paper Werewolf began exploiting CVE‑2025‑8088 a few days after RomCom started doing so. The\r\nphishing emails targeting Russian organizations included an archive disguised as a document from the Ministry of\r\nIndustry and Trade. The phishing emails targeting Uzbek organizations included an archive named\r\n“DON_AVIA_TRANS_RU.rar” that impersonated a travel agency. The attachments contained a malicious file\r\nthat exploited a directory traversal vulnerability to write files outside the target directory. Notably, shortly before\r\nthese attacks occurred, an apparently functioning WinRAR exploit, presumably for this vulnerability, appeared on\r\na darknet forum. The dropped malicious files were .NET applications written in C# that downloaded a .NET\r\nassembly payload from a server and ran it in memory.\r\nPhantomCore attacks\r\nAPT \u0026 Cybercriminal | Spear phishing | Compromised legitimate mailboxes | Phishing websites | ClickFix |\r\nPolyglot files | Backdoor\r\nPositive Technologies researchers published a report on the PhantomCore APT (also known as Head Mare). Over\r\nthe past year and a half, the group has significantly expanded its offensive arsenal and carried out cyberattacks on\r\nRussia’s critical infrastructure. 
In early May, researchers detected a new large-scale cyber-espionage campaign targeting Russia. According to PT researchers, at the time of publication, the PhantomCore group had gained access to 181 infected hosts as part of its campaign. The first infection occurred on May 12, 2025. The cyberattack peaked in late June, when 56% of all infections occurred on June 30. The group’s average stay in a compromised network is 24 days, with a maximum of 78 days. As of publication, 49 hosts remained under the group’s control. The group initially gains access by delivering backdoors in phishing emails in the form of polyglot files, using, among other things, hacked email addresses of legitimate Russian companies. The group uses the following tools: PhantomRAT, the PhantomRShell C++ backdoor, the PhantomTaskShell PowerShell backdoor, PhantomStealer written in Go, the PhantomProxyLite SSH tunnel, XenArmor All-In-One Password Recovery Pro, the RClone and RSocx open-source utilities, and MeshAgent. Researchers discovered that the group registered its phishing website in April, just before the cyber-espionage campaign was discovered, using the real identity of a Russian citizen. It uses the original HTML layout of the official Moscow City Compulsory Medical Insurance Fund website and entices visitors to paste and run the contents of the clipboard in the Windows command prompt under the pretext of completing a fake CAPTCHA, which is the ClickFix technique. Furthermore, researchers discovered a branch of the group that is separate from the main group and composed of low-skilled specialists. It operates another reverse shell with some similarities to PhantomRAT and PhantomRShell. It is written in Go and was named PhantomGoShell by the researchers.
The identified group was probably organized as a cybercriminal startup by a core member of PhantomCore who had access to the source code of custom tools and recruited Russian-speaking amateur hackers from gaming Discord communities.

Cavalry Werewolf attacks
APT | Spear phishing | RAT | Telegram C2 | Compromised legitimate mailbox
From May to August 2025, BI.ZONE Threat Intelligence recorded activity from the Cavalry Werewolf threat actor (also known as YoroTrooper, SturgeonPhisher, Silent Lynx, Comrade Saiga, Tomiris, and ShadowSilk). The group conducted targeted phishing campaigns against Russian state agencies and enterprises in the energy, mining, and manufacturing sectors, using spoofed email addresses of Kyrgyz state agency employees. In one phishing email, the attackers used a real email address found on the website of a Kyrgyz regulatory agency. It appears the attackers had previously compromised this address for use in attacks.
The phishing emails contain RAR files with FoalShell or StallionRAT malware, both of which are controlled via Telegram. FoalShell, written in Go, C++, and C#, is a simple reverse shell used by Cavalry Werewolf to execute arbitrary commands in the cmd.exe command-line interpreter on a compromised host. StallionRAT is a remote access Trojan with variants written in Go, PowerShell, and Python. It allows attackers to execute commands, download files, and exfiltrate data.
The group’s attacks were not limited to Russia and other CIS countries; they also targeted countries in the Middle East, as evidenced by the presence of files named in Arabic. The investigation revealed more information related to Cavalry Werewolf’s preparations for attacks and testing of malicious programs.
This includes potential targeting of Tajikistan and the use of other tools such as AsyncRAT.

Hive0117 attacks
Cybercriminal | Spear phishing | Backdoor
Researchers at F6 detected a new wave of malicious emails from Hive0117, a financially motivated group that has been conducting attacks using the DarkWatchman RAT since February 2022. The emails were distributed on a massive scale. The attackers masquerade as legitimate organizations by registering infrastructure for email campaigns and control domains, often reusing domains. On September 24, after several months of silence, F6 detected new activity from the DarkWatchman RAT Trojan. Previously, it was distributed under the guise of an archive supposedly from the Ministry of Defense and of fake subpoenas. This time, the attackers impersonated the Federal Bailiff Service in emails targeting companies. Similar email campaigns were also detected in June and July. Instead of legitimate-looking domain names, these mailings used the domains 4ad74aab[.]cfd and 4ad74aab[.]xyz. A recipient analysis showed that the Hive0117 group targeted companies in Russia and Kazakhstan. The list of 51 recipients includes banks, marketplaces, telecom operators, logistics companies, auto dealerships, manufacturing companies, construction companies, grocery retailers, lottery operators, insurers, investment companies, fuel and energy companies, pharmaceutical companies, research institutes, technology parks, waste management operators, travel services, fitness centers, and IT companies.

ComicForm attacks
Spear phishing | Spyware
F6 researchers released a report analyzing phishing attacks by the new ComicForm group.
The group targeted Russian companies in the industrial, financial, tourism, biotechnology, research, and trade sectors, as well as companies in Belarus and Kazakhstan. The ComicForm group has been active since at least April 2025. The attackers use phishing emails to distribute FormBook, a data-stealing malware. F6 observed a phishing campaign targeting Russian organizations that took place between May and June 2025. The emails contained the following subject lines: “Re: proforma invoice”, “Re: Bank Reconciliation report”, “Re: invoice and shipping documents”, “INvoice for Payment”, and others. The attached file contained a hidden downloader that delivered the stealer to the victim’s computer. A distinctive feature of the phishing emails was hidden links to animated GIF images of superheroes in the attachment code that were not used in the attack. For this reason, F6 assigned the name ComicForm to the attackers. ComicForm uses email addresses registered on the top-level domains .ru, .by, and .kz for its phishing emails; some senders may have been compromised. Another distinctive feature of the group was the use of the “rivet_kz@” email address, which was registered with a publicly accessible Russian email service and used as a reply-to address. In addition to malicious attachments, the attackers also used phishing pages of document storage services. After clicking the link in the email, victims were redirected to phishing login forms. Their data was then transferred to the attackers’ remote servers.

Clusters of cyberthreats targeting Russia and Belarus
Cybercriminal | Hacktivist | APT
A study by Kaspersky examines the cyberthreat posed by pro-Ukrainian groups and focuses on their activities targeting the Russian Federation and Belarus.
To provide a comprehensive understanding of these threats, Kaspersky researchers have compiled a study that clusters pro-Ukrainian groups, describes their tactics, techniques, and procedures (TTPs), and investigates their motivations and interconnections. The study describes three clusters. Cluster I consists of hacktivist and financially motivated groups using similar TTPs. It includes the following groups: Twelve, BlackJack, Crypt Ghouls, Head Mare, and C.A.S. Cluster II includes pro-Ukrainian APT groups whose TTPs differ from those of hacktivists: Awaken Likho, Angry Likho, Mythic Likho, Librarian Likho, Cloud Atlas, GOFFEE, and XDSpy. Cluster III includes hacktivist groups that showed no signs of active collaboration with the other groups described above: Bo Team and Cyberpartisans.

South Asia
APT36/Transparent Tribe attacks
APT | Linux malware | Phishing websites | Backdoor
Hunt.io researchers investigated recent campaigns conducted by the APT36 threat actor (also known as Transparent Tribe). What began as military-focused campaigns expanded to encompass broader targets, including Indian railway systems, oil and gas infrastructure, and the Ministry of External Affairs. These campaigns use advanced phishing techniques, novel payload strategies, and persistent backdoors. When targeting Linux systems, the attackers use .desktop files disguised as PDF documents to execute scripts that download malware and establish persistence via cron jobs. Two attack variants were identified. One variant uses a single C2 server, while the other variant includes redundant servers for resiliency. The Poseidon backdoor, which is built on the Mythic framework and written in Go, is used to maintain access and support lateral movement.
More than 100 phishing domains were discovered, many of which impersonated Indian government organizations and were hosted by AlexHost. The first phishing domains in this campaign were registered in early July 2025, with live infrastructure observed as of mid-July. This suggests ongoing and active targeting.

UNC1549 attacks
APT | Spear phishing | Backdoor | C2 proxied via Azure | DLL sideloading | Code signing certificates
Prodaft researchers have been tracking cyberattacks by the Subtle Snail threat actor (also known as UNC1549, Smoke Sandstorm, TA455, or Imperial Kitten), which is part of the Eclipsed Wasp (Charming Kitten) network. Active since at least June 2022, the group has recently shifted its focus to European telecommunications, aerospace, and defense organizations. In its latest campaign, Subtle Snail infected 34 distinct devices belonging to 11 organizations through targeted operations leveraging fake recruitment processes on LinkedIn. The group poses as HR representatives from legitimate entities to engage employees and compromises them by deploying a MiniBike backdoor variant that communicates with C2 infrastructure proxied through Azure cloud services to bypass detection.
MiniBike’s primary purpose is to load additional components in the form of DLLs. The threat actor deployed additional DLL modules: a keylogger, a browser stealer, and an Outlook/Winlogon credential stealer. Since at least May 2025, Subtle Snail has been digitally signing its malware. According to Prodaft, all malicious binaries used in Subtle Snail attacks are signed with a valid digital certificate issued by SSL.com to the Dutch company Insight Digital B.V.
Malicious DLLs developed by the threat actor, each implementing a dedicated malicious function and tailored to specific victims, are run via DLL sideloading. To facilitate seamless execution, the actor modifies legitimate DLLs by manipulating their export tables, so the resulting files appear legitimate while carrying out malicious activities. The group creates email accounts to support its phishing operations. To manage its Azure proxy servers and support its phishing campaigns, the threat actor also creates cloud accounts using these email accounts. It purchases these accounts in line with the domains it will use for its phishing attacks. Depending on the target, the actor creates a fake PDF job ad that is made to look like it came from Telespazio. To increase the success rate, the actor purchases deceptive domains like telespazio-careers.com. Similarly, it purchased the safrangroup-careers.com domain to impersonate Safran Group, the French multinational aerospace, defense and security corporation. The attackers consistently choose domains that follow the same *-careers.com or *careers.com patterns.
Researchers at Check Point also tracked a long-running campaign by the Nimbus Manticore actor that overlaps with UNC1549, Smoke Sandstorm, and the “Iranian Dream Job” operations. According to the researchers, the ongoing campaign targets defense manufacturing, telecommunications, and aviation. Recent activity by Nimbus Manticore indicates a heightened focus on Western Europe, specifically Denmark, Sweden, and Portugal. The threat actor impersonates local and global organizations in the aerospace, defense manufacturing, and telecommunications industries. The threat actor uses tailored spear-phishing from alleged HR recruiters to direct victims to fake career portals.
The campaign relies on a highly obfuscated backdoor called MiniJunk and a lightweight stealer called MiniBrowse, with separate versions for stealing credentials from the Chrome and Edge browsers. Check Point’s analysis of MiniJunk showed that it is a much-improved version of MiniBike. The malware’s new capabilities include a method of loading malicious DLLs into Windows Defender and other vulnerable Microsoft binaries by manipulating the DllPath parameter of the RTL_USER_PROCESS_PARAMETERS structure used by the undocumented low-level NT API. The parameter defines the DLL search path used when a DLL is not found in the process directory. Nimbus Manticore actors have been digitally signing their malware using certificates from the SSL.com service since at least May 2025. Based on the signing dates and an analysis of samples signed by this certificate, the researchers determined that the certificates were generated by the threat actor, masquerading as legitimate IT organizations in Europe.

Chinese-speaking activity
Attacks against the Taiwanese semiconductor industry
APT | Spear phishing | AitM | Backdoor | Compromised legitimate mailboxes
From March to June 2025, Proofpoint researchers observed three Chinese-speaking threat actors conducting targeted phishing campaigns against Taiwan’s semiconductor industry. In all cases, the motive was most likely espionage. The targets of these campaigns ranged from organizations involved in the manufacturing, design, and testing of semiconductors and integrated circuits to entities within the wider equipment and services supply chain of this sector, as well as financial investment analysts who specialize in the Taiwanese semiconductor market.
The UNK_FistBump threat actor launched employment-themed phishing campaigns targeting semiconductor design, manufacturing, and supply chain organizations, resulting in the delivery of Cobalt Strike or the custom Voldemort backdoor. Posing as a graduate student seeking employment, the actor used compromised Taiwanese university email addresses to send phishing emails to recruitment and HR personnel. The UNK_DropPitch threat actor conducted targeted phishing campaigns against multiple large investment banks. This activity focused specifically on individuals specializing in financial investment analysis of the Taiwanese semiconductor and technology sectors. The phishing emails were sent from attacker-owned email addresses purporting to be from a fictitious financial investment firm seeking to collaborate with the individuals. The campaign delivered a custom backdoor. Using a custom adversary-in-the-middle (AitM) phishing kit, UNK_SparkyCarp conducted a credential phishing campaign targeting a Taiwanese semiconductor industry company that the group had previously targeted in November 2024. The phishing emails masqueraded as account login security warnings and contained a link to the actor-controlled credential phishing domain.

UNC3886 attacks
APT | Zero-day vulnerabilities | Linux malware | LOTL | Backdoor
On July 18, Singapore’s Coordinating Minister for National Security revealed that the country was under attack by a highly sophisticated threat actor targeting critical infrastructure, UNC3886. First reported in 2022, this threat group has been targeting essential services in Singapore, posing a severe risk to the country’s national security. Trend Micro researchers provided analysis of previously recorded UNC3886 attacks. The group’s known targets also include entities in the US and Europe.
It has historically targeted critical infrastructure, including telecommunications, government, technology, and defense. The group is known for rapidly exploiting zero-day and high-impact vulnerabilities in network and virtualization devices, such as VMware vCenter/ESXi, Fortinet FortiOS, and Juniper Junos OS. UNC3886 deploys custom toolsets, including TinyShell (a covert remote access tool), Reptile (a stealthy Linux rootkit), and Medusa, and leverages layered persistence and advanced defense evasion methods, such as rootkit deployment, living-off-the-land tactics, and replacement or backdooring of core system binaries.

Salt Typhoon joint advisory
APT | Exploitation of network devices and public-facing applications | Trusted relationship
The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA) and other US and foreign organizations from 13 countries have published a joint Cybersecurity Advisory. It provides technical details about Chinese-speaking APT actors. The advisory is published jointly by agencies from the US, Australia, Canada, New Zealand, the UK, Czechia, Finland, Germany, Italy, Japan, the Netherlands, Poland, and Spain. The malicious activity outlined in the advisory partially overlaps with cybersecurity industry reporting on threat actors referred to by names such as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor, among others. This cluster of cyberthreat activity has been observed in the United States, Australia, Canada, New Zealand, the United Kingdom, and other regions worldwide. These activities have been linked by the advisory authors to multiple China-based entities that are said to be providing cyber products and services to China’s authorities.
The advisory notes that the threat actors are targeting networks worldwide, including, but not limited to, those in the telecommunications, government, transportation, lodging, and military infrastructure sectors. While these actors focus on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers, they also leverage compromised devices and trusted connections to pivot to other networks. These actors often modify routers to maintain persistent, long-term access to networks. The document provides technical details about the group’s initial access, persistence, lateral movement, data collection, and exfiltration. It also includes a case study, threat hunting guidance, indicators of compromise, suggested mitigations, and other resources.

GhostRedirector attacks
New threat actor | Exploitation of public-facing application | Backdoor | Code signing certificates
ESET researchers identified a previously unknown Chinese-speaking threat actor dubbed GhostRedirector. This actor compromised at least 65 Windows servers across multiple regions, including Brazil, Thailand, and Vietnam. GhostRedirector doesn’t appear to be interested in a specific industry or sector. Researchers have seen victims in sectors such as education, healthcare, insurance, transportation, technology, and retail. The attackers exploited public-facing applications, likely through SQL injection, to gain initial access. They then deployed a variety of malicious tools, including a passive C++ backdoor called Rungan for remote command execution, and Gamshen, a malicious Internet Information Services (IIS) module designed to manipulate Google search results for SEO fraud benefiting gambling websites.
The toolkit also included custom privilege escalation utilities based on BadPotato and EfsPotato, a multi-purpose DLL called Comdai, and a tool called Zunput that dropped multiple web shells. GhostRedirector abused code-signing certificates, created rogue administrator accounts, and used tools like GoToHTTP to maintain persistent access.

RedNovember/TAG-100 attacks
APT | Exploitation of network devices and public-facing applications | Backdoor
Insikt Group reported on the activity of the TAG-100 group, tracked under the name RedNovember. Between June 2024 and July 2025, RedNovember targeted the perimeter appliances of high-profile organizations around the world. The group used the Go-based Pantegana backdoor and Cobalt Strike to carry out these intrusions. The group expanded its targeting to include government and private sector organizations, such as defense and aerospace companies, space agencies, and law firms. RedNovember has been observed performing reconnaissance and compromising edge devices, including SonicWall, Cisco ASA, F5 BIG-IP, and Fortinet FortiGate instances, as well as Outlook Web Access and Ivanti Connect Secure VPN appliances. The group’s activity demonstrates the ability to combine weaponized proof-of-concept exploits with open-source post-exploitation frameworks, lowering the entry barrier for less-capable threat actors. Insikt Group identified several new likely victims, including a Central Asian ministry of foreign affairs, an African state security organization, a European government directorate, and a Southeast Asian government. RedNovember also targeted at least two US defense contractors, two US oil and gas companies, a European engine manufacturer, and a trade-focused intergovernmental organization in Southeast Asia.
RedNovember’s targeting efforts have also been observed in close proximity to geopolitical and military events that are of key strategic interest to China.

Naikon attacks
APT | Backdoor | DLL sideloading
Cisco Talos discovered a campaign active since 2022 that targets the telecommunications and manufacturing sectors in Central and South Asia. The campaign delivers a new variant of the PlugX malware. This new variant exhibits similarities to the RainyDay and Turian backdoors, such as the use of the same legitimate applications for DLL sideloading and the XOR-RC4-RtlDecompressBuffer algorithm to encrypt and decrypt payloads. The new variant’s configuration differs from the standard PlugX configuration format, but resembles the structure used by RainyDay, leading Talos to assess with medium confidence that this campaign can be attributed to Naikon, a Chinese-speaking threat actor. Analysis of the victimology and technical malware implementation suggests a potential connection between Naikon and the BackdoorDiplomacy threat actor. This raises the possibility that they are the same group or are sourcing their tools from the same vendor.

Cybercriminal and others
Scattered Spider/UNC3944 attacks
Cybercriminal | Phone calls | Ransomware
Google Threat Intelligence Group (GTIG) reported on a sophisticated campaign conducted by the financially motivated threat group UNC3944 (also known as 0ktapus, Octo Tempest, and Scattered Spider) that targeted multiple sectors, including the retail, aviation and insurance industries. The group was suspected of turning its ransomware and extortion operations to the US retail sector, according to GTIG. The campaign soon expanded to include airline and transportation organizations in North America. The group’s core tactics have remained consistent, and do not rely on software exploits.
Instead, they use a proven playbook that centers on phone calls to an IT help desk by someone impersonating a regular employee. After compromising one or more user accounts using social engineering, they manipulate trusted administrative systems and use their control of Active Directory as a launchpad to pivot to the VMware vSphere environment. This provides an avenue to exfiltrate data and deploy ransomware directly from the hypervisor.
The GTIG publication was followed by a Palo Alto Networks report and a Cybersecurity and Infrastructure Security Agency (CISA) advisory on the Scattered Spider actor, describing its TTPs and providing recommendations for hardening defenses. The report and advisory indicated that Scattered Spider had deployed DragonForce ransomware in recent campaigns.

Attacks with Gunra ransomware
Cybercriminal | Linux malware | Ransomware
Trend Micro researchers analyzed the Linux variant of Gunra ransomware, which has notable features, including the ability to run up to 100 encryption threads in parallel and support for partial encryption. It also allows attackers to control how much of each file gets encrypted and provides the option to store RSA-encrypted keys in separate keystore files. Gunra ransomware was first observed in April 2025 in a campaign targeting Windows systems with techniques inspired by the infamous Conti ransomware. The Gunra ransomware’s leak site claims it has successfully targeted enterprises in Brazil, Japan, Canada, Turkey, and the United States. Its leak site also lists victims from various industries, including manufacturing, legal and consulting services, healthcare, IT, and agriculture.
Trend Micro’s threat intelligence data detected activity from Gunra ransomware in enterprises in Turkey, Taiwan, the United States, and South Korea. Trend Micro data showed that the ransomware group targeted government organizations, as well as enterprises in the healthcare, manufacturing, and transportation industries.

TGR-CRI-0045/Gold Melody attacks
Cybercriminal | Access brokers | Exploitation of Machine Keys | ASP.NET View State deserialization
Unit 42 researchers uncovered a campaign by an initial access broker (IAB) that exploited leaked machine keys (cryptographic keys used on ASP.NET sites) to gain access to targeted organizations. IABs breach organizations and then sell access to other threat actors. The IAB used these leaked keys to sign malicious payloads that provide unauthorized access to targeted servers. The technique has been known since 2014 as “Viewstate Deserialization” and has been exploited in attacks against various ASP.NET services that use serialization technology, a security issue that Microsoft has labeled “Won’t Fix.” This approach minimized the attackers’ on-disk presence and left few forensic artifacts, making detection more challenging. The group’s tooling appears to be under active development. The earliest evidence of exploitation and tool deployment occurred in October 2024, followed by a significant increase in activity between late January and March 2025. This surge included the deployment of post-exploitation tools, such as open-source port scanners and custom-built utilities for persistence and privilege escalation. Unit 42 tracks this actor as the temporary group TGR-CRI-0045 and, with medium confidence, attributes it to Gold Melody (also known as UNC961 or Prophet Spider).
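The weakness exploited in this campaign is a static ASP.NET machineKey whose values are public: whoever holds the validation (and decryption) key can produce a ViewState the server accepts and deserializes. The following web.config audit is an added example, not code from the report or from Unit 42; the leaked-key list is a constructed placeholder (in practice, compare against a published list of disclosed keys), and the generated key lengths follow the commonly recommended 64-byte validation / 32-byte decryption sizes.

```python
"""Audit an ASP.NET web.config for a leaked or weak <machineKey>, and produce
replacement values. Added example; sample configs and key lists are constructed."""
import secrets
import xml.etree.ElementTree as ET
from typing import Dict, List

# Placeholders standing in for a list of publicly disclosed keys (constructed).
KNOWN_LEAKED_VALIDATION_KEYS = {"PLACEHOLDER_LEAKED_VALIDATION_KEY_FROM_PUBLIC_LIST"}
KNOWN_LEAKED_DECRYPTION_KEYS = {"PLACEHOLDER_LEAKED_DECRYPTION_KEY_FROM_PUBLIC_LIST"}
# Legacy MAC algorithms; Microsoft recommends HMACSHA256 or stronger.
LEGACY_VALIDATION_ALGOS = {"MD5", "SHA1"}
LEGACY_DECRYPTION_ALGOS = {"DES", "3DES"}


def audit_web_config(xml_text: str) -> List[str]:
    """Return human-readable findings for the <system.web> section; [] is clean."""
    root = ET.fromstring(xml_text)
    system_web = root.find("system.web")
    if system_web is None:
        return ["no <system.web> section found"]
    findings = []
    pages = system_web.find("pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState accepted without a MAC")
    mk = system_web.find("machineKey")
    if mk is None:
        return findings  # no static keys in this file; nothing copied from a public source
    vkey = mk.get("validationKey", "")
    dkey = mk.get("decryptionKey", "")
    if vkey in KNOWN_LEAKED_VALIDATION_KEYS:
        findings.append("validationKey matches a publicly disclosed key")
    if dkey in KNOWN_LEAKED_DECRYPTION_KEYS:
        findings.append("decryptionKey matches a publicly disclosed key")
    validation = mk.get("validation")
    if validation and validation.upper() in LEGACY_VALIDATION_ALGOS:
        findings.append(f"legacy validation algorithm: {validation}")
    decryption = mk.get("decryption")
    if decryption and decryption.upper() in LEGACY_DECRYPTION_ALGOS:
        findings.append(f"legacy decryption algorithm: {decryption}")
    return findings


def rotate_machine_key() -> Dict[str, str]:
    """Fresh random keys: 64 bytes for the HMAC, 32 bytes for AES (assumed sizes)."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def render_config(keys: Dict[str, str]) -> str:
    """Minimal hardened web.config carrying the rotated keys (for re-auditing)."""
    attrs = " ".join(f'{k}="{v}"' for k, v in keys.items())
    return (
        '<?xml version="1.0"?>\n<configuration>\n  <system.web>\n'
        f"    <machineKey {attrs} />\n  </system.web>\n</configuration>\n"
    )


# Constructed sample: the weak shape seen in this kind of exposure.
LEAKED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
    <machineKey validationKey="PLACEHOLDER_LEAKED_VALIDATION_KEY_FROM_PUBLIC_LIST"
                decryptionKey="PLACEHOLDER_LEAKED_DECRYPTION_KEY_FROM_PUBLIC_LIST"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

if __name__ == "__main__":
    for line in audit_web_config(LEAKED_CONFIG):
        print("FINDING:", line)
    print(render_config(rotate_machine_key()))
```

Rotating the key invalidates ViewState and forms-authentication tickets issued under the old one, so schedule the change across every node of a web farm at once.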
This group appears to follow an opportunistic approach and has attacked organizations in Europe and the United States in the following industries: financial services, manufacturing, wholesale and retail, high technology, and transportation and logistics.

GLOBAL GROUP attacks
Cybercriminal | RaaS | AI chatbots | Exploitation of public-facing applications | Ransomware
EclecticIQ researchers reported a new ransomware-as-a-service (RaaS) called GLOBAL GROUP that is leveraging advanced AI technologies to carry out campaigns targeting a wide range of companies. As of July 14, 2025, the group claimed 17 victims in the United States, United Kingdom, Australia, and Brazil in the healthcare, oil and gas equipment manufacturing, industrial machinery and precision engineering, automotive repair, and business process outsourcing industries. The group actively uses initial access brokers (IABs) to distribute ransomware and leverages access to vulnerable VPN appliances such as Cisco, Fortinet, and Palo Alto Networks devices. It also uses brute-force tools to crack passwords for Microsoft Outlook and RDWeb portals. The RaaS platform includes a negotiation portal and a partner panel that allows cybercriminals to manage victims, create ransomware malware for VMware ESXi, NAS, BSD, and Windows, and monitor operations. GLOBAL GROUP uses an automated system powered by AI chatbots to conduct ransom negotiations, enabling non-English-speaking operators to engage more effectively with victims. EclecticIQ assesses with medium confidence that GLOBAL GROUP is likely a rebranding of the BlackLock RaaS operation. Analysis of a GLOBAL ransomware sample confirms that the group uses a customized variant of Mamona ransomware.
Unlike Mamona, GLOBAL includes added functionality for automated, domain-wide installation of ransomware. It uses SMB connections and malicious Windows service creation to enable more scalable deployment. EclecticIQ analysts observed that the now-defunct Mamona RIP ransomware operation and the GLOBAL GROUP operation used the same Russian VPS provider, IpServer.

Charon ransomware attacks
Cybercriminal | DLL sideloading | Ransomware
Trend Micro researchers identified a new ransomware family called Charon, which was deployed in a targeted attack on the public sector and aviation industry in the Middle East. The threat actor employed a DLL sideloading technique similar to tactics previously documented in the Earth Baxia campaigns, which have historically targeted government sectors. The attack chain leveraged a legitimate browser-related file, Edge.exe (originally named cookie_exporter.exe), to sideload a malicious msedge.dll (SWORDLDR), which then deployed the Charon ransomware payload. Although the researchers observed technical overlap, particularly in the use of the same binary to load a malicious DLL that deploys encrypted shellcode, they could not definitively attribute this attack to Earth Baxia. The techniques could indicate direct involvement, deliberate imitation, or the independent development of similar tactics. The ransomware’s custom ransom note specifically references the victim organization by name, confirming that this was a targeted operation rather than an opportunistic campaign.
This case exemplifies a concerning trend of ransomware operators adopting APT-level techniques, including DLL sideloading, process injection, and anti-EDR capabilities.

CISA alert on Interlock ransomware group
Cybercriminal | Compromised websites | Drive-by download | ClickFix | Linux malware | RAT
On July 22, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) published a Cybersecurity Advisory highlighting known Interlock ransomware indicators of compromise, as well as tactics, techniques, and procedures identified through recent FBI investigations. Interlock ransomware first gained visibility in late September 2024, targeting various businesses, critical infrastructure, and other organizations in North America and Europe. The FBI stated that these actors target their victims based on opportunity, and their motive is purely financial. Interlock ransomware encryptors were created for the Windows and Linux operating systems. These encryptors have been encrypting virtual machines (VMs) on both operating systems. The FBI observed attackers obtaining initial access via a drive-by download from compromised legitimate websites, which is an uncommon method among ransomware groups. Interlock actors use fake Google Chrome or Microsoft Edge browser updates or common security software to trick users into executing a RAT on the targeted system. The attackers also used the ClickFix social engineering technique for initial access.
After accomplishing this, the attackers then use various methods for discovery, credential access,\r\nand lateral movement to spread to other systems on the network.\r\nWarlock ransomware attacks\r\nCybercriminal | Exploitation of public-facing applications | LOTL | Ransomware\r\nTrend Micro researchers discovered an attack by the Warlock ransomware group that exploited internet-exposed,\r\nunpatched on-premises Microsoft SharePoint servers, abusing newly discovered vulnerabilities to gain initial\r\naccess to their target’s system. Warlock ransomware operators exploited vulnerable Microsoft SharePoint servers\r\nby sending targeted HTTP POST requests to upload web shells, which enabled reconnaissance and credential\r\ntheft. According to earlier reports, Warlock’s list of victims included organizations spanning industries from the\r\ntechnological sector to critical infrastructure in North America, Europe, Asia, and Africa. Just a few days after its\r\nfirst public statement, the group had claimed responsibility for at least 16 successful attacks, roughly half of which\r\ntargeted government agencies in countries such as Portugal, Croatia, and Turkey. Other victims included\r\norganizations from the financial services and manufacturing sectors. The attacks escalated through Group Policy\r\nabuse, credential theft, and lateral movement using built-in Windows tools and custom malware, culminating in\r\nthe deployment of ransomware. Encrypted files had the .x2anylock extension, and data was exfiltrated via\r\nRClone.\r\nCrypto24 ransomware attacks\r\nCybercriminal | Google Drive | LOTL | BYOVD | Ransomware\r\nTrend Micro researchers identified Crypto24, a ransomware group targeting organizations in Asia, Europe, and the\r\nUnited States. The group focuses on sectors such as financial services, manufacturing, entertainment, and\r\ntechnology. 
Crypto24 uses legitimate tools such as PsExec and AnyDesk alongside custom malware, including a\r\nkeylogger that exfiltrates data via Google Drive and a customized RealBlindingEDR tool that disables security\r\nsolutions, potentially exploiting new or unknown vulnerable drivers. The attackers maintain persistence by\r\ncreating privileged accounts and scheduling tasks that integrate malicious activities with normal operations.\r\nCrypto24 ransomware achieves privilege escalation by exploiting the CMSTPLUA COM interface to bypass User\r\nAccount Control (UAC) restrictions. This technique has been observed in other sophisticated ransomware\r\nfamilies, including BlackCat and LockBit. It enables execution with elevated privileges without triggering UAC\r\nprompts. Analysis revealed that the threat actor operates with a high level of coordination, frequently launching\r\nattacks during off-peak hours to evade detection and maximize impact.\r\nThe Gentlemen ransomware attacks\r\nNew threat actor | Ransomware | Double extortion | BYOVD\r\nResearchers at Trend Micro analyzed a new ransomware campaign launched by The Gentlemen, a previously\r\nundocumented threat group that demonstrated advanced capabilities in compromising enterprise environments.\r\nThe campaign leveraged a combination of legitimate driver abuse, Group Policy manipulation, custom anti-AV\r\ntools, privileged account compromise, and encrypted exfiltration channels to bypass enterprise endpoint\r\nprotections. The group has targeted multiple industries and regions, including manufacturing, construction,\r\nhealthcare, and insurance, with attacks spanning at least 17 countries. 
The group also engineered ransomware\r\ndeployment via privileged domain accounts and created evasion methods to persist against security controls.\r\nThe DireWolf ransomware attacks\r\nCybercriminal | Ransomware | Double extortion | Anti-recovery technique\r\nAhnLab researchers detailed the activities of the DireWolf ransomware group, which emerged in May 2025 and\r\nhas since launched attacks against companies worldwide, targeting various industries, including manufacturing,\r\nIT, construction, and finance. The group uses a double extortion technique, encrypting data and threatening to leak\r\nit, and has already compromised 16 organizations in 16 regions. DireWolf’s ransomware relies on command-line\r\narguments to control its operations and uses a combination of Curve25519-based Diffie-Hellman key exchange\r\nand ChaCha20 stream encryption to encrypt files. The encryption process generates a random session key for each\r\nfile, which is then used to derive the encryption key. The affected files are given the .direwolf extension, and the\r\nencryption design effectively blocks all known decryption methods. DireWolf also employs anti-recovery and\r\nanti-analysis techniques, including terminating backup and restoration processes, deleting event logs, and\r\ndisabling recovery environments. Once encryption is complete, the malware attempts to force a reboot and\r\nremoves the malicious executable file, reducing the likelihood of forensic analysis and malware recovery.\r\nAttacks with ToolShell vulnerability\r\nUnknown threat actors | Exploitation of public-facing applications\r\nOn July 19-20, 2025, various security companies and national CERTs published alerts about the active\r\nexploitation of on-premises SharePoint servers. According to the reports, the observed attacks did not require\r\nauthentication and allowed the attackers to gain full control over the infected servers. 
The attacks were performed\r\nusing an exploit chain of two vulnerabilities: CVE-2025-49704 and CVE-2025-49706, publicly named ToolShell.\r\nOn the same dates, Microsoft also released out-of-band security patches for the vulnerabilities CVE-2025-53770\r\nand CVE-2025-53771, intended to address the security bypasses in previously issued fixes for CVE-2025-49704\r\nand CVE-2025-49706. According to the researchers, changing just one byte in the exploit code would be enough to\r\nbypass the initial fixes by Microsoft. The release of the new, “proper” updates caused confusion about which\r\nvulnerabilities the attackers were exploiting and whether they were using zero-day exploits. Kaspersky products\r\nproactively detected and blocked malicious activity linked to these attacks. This allowed us to gather statistics\r\nabout the timeframe and spread of the campaign.\r\nThe Kaspersky report examined the internal workings of the exploitation mechanism of ToolShell vulnerabilities.\r\nThe researchers demonstrated how the payload can be injected without proper authentication, highlighting the\r\nbypass mechanism that enables effective exploitation. According to Kaspersky statistics, widespread exploitation\r\nstarted on July 18, 2025. The attackers targeted servers in Egypt, Jordan, Russia, Vietnam, and Zambia. Entities in\r\nmultiple sectors were affected, including those in government, finance, manufacturing, forestry, and agriculture.\r\nAttacks targeting CVE-2025-32433\r\nUnknown threat actors | Exploitation of public-facing applications\r\nOn August 11, researchers from Palo Alto Networks published a post detailing their observations of attacks\r\nexploiting a maximum-severity flaw discovered and patched in April 2025. 
The flaw affected the Erlang\r\nprogramming language’s Open Telecom Platform (OTP) libraries prior to versions OTP-27.3.3, OTP-26.2.5.11,\r\nand OTP-25.3.2.20. CVE-2025-32433 has a CVSS score of 10.0 and allows malicious actors to gain unauthorized\r\naccess to a system and execute arbitrary commands without valid credentials by exploiting the secure shell (SSH)\r\ndaemon’s improper state enforcement. The researchers noted that OT and 5G environments use Erlang/OTP\r\nbecause of its fault tolerance and scalability for high-availability systems with minimal downtime. Remote\r\ncommands are often executed through the native SSH implementation.\r\nPalo Alto Networks provided an analysis of the payloads, vulnerable attack surface, and distribution of\r\nexploitation attempts by geography, timing, industry, and correlation with OT firewalls, noting that a significant\r\nnumber of OT firewalls are both vulnerable and exposed to the internet. Overall, nearly 70% of all the exploitation\r\nattempts came from the internet-facing OT firewalls.\r\nResearchers found that the education industry was hit hardest and that OT firewalls in the healthcare, agriculture,\r\nmedia and entertainment, and high technology sectors were disproportionately affected: over 85% of all attacks\r\ntargeting these sectors were detected on their OT firewalls.\r\nThe manufacturing, wholesale and retail, and financial services industries experienced more balanced detection\r\nacross both IT and OT, necessitating integrated defenses.\r\nAlthough the utilities, energy, mining, aerospace and defense sectors did not return detections in OT networks,\r\nPalo Alto Networks viewed this as potential evidence of weak detection or delayed targeting.\r\nThe researchers recommended applying current security patches, updating signatures in intrusion prevention\r\nsystems, and closely monitoring environments, possibly also disabling the SSH server or restricting access with\r\nfirewall rules if patching is not 
immediately possible.\r\nAttacks with PipeMagic backdoor\r\nRansomware | Backdoor | Zero-day vulnerability\r\nIn April 2025, Microsoft patched 121 vulnerabilities in its products. According to the company, only one of them\r\nwas being used in real-world attacks when the patch was released: CVE-2025-29824. The exploit for this\r\nvulnerability was executed by the PipeMagic malware, which Kaspersky researchers first identified in December\r\n2022 in a RansomExx ransomware campaign. The victims were industrial companies in Southeast Asia. The\r\nbackdoor’s loader was a trojanized version of Rufus, a utility for formatting USB drives. In September 2024,\r\nKaspersky researchers encountered it again in attacks on organizations in the Middle East. This time, rather than\r\nexploiting vulnerabilities for initial penetration, the attackers used a fake ChatGPT client application as bait. The\r\nfake app was written in Rust using two frameworks: Tauri for rendering graphical applications, and Tokio for\r\nexecuting asynchronous tasks. The fake app had no user functionality – when launched, it simply displayed a\r\nblank screen. Notably, it was the same version of PipeMagic used in 2022. Most recently, in 2025, Kaspersky\r\nsolutions prevented PipeMagic infections at organizations in Brazil and the Middle East. In a joint investigation\r\nwith BI.ZONE, researchers traced the evolution of PipeMagic – from its initial detection in 2022 to new incidents\r\nin 2025 – and identified key changes in the tactics of its operators. They also provided an analysis of PipeMagic\r\nmodules, including the asynchronous communication module, loader, and injector. In addition to the fake\r\nChatGPT client loader, a Microsoft Help Index File loader was also used. 
Instead of code for reading .mshi\r\ncontainer data, this loader contained C# code that decrypted and executed shellcode, which then extracted and\r\nexecuted the final malware code. A third loader variant used the DLL Hijacking technique, loading a malicious\r\nlibrary into the legitimate Google Chrome update executable. In turn, BI.ZONE researchers conducted a technical\r\nanalysis of the CVE-2025-29824 vulnerability itself. On the same day, Microsoft Threat Intelligence published\r\ntheir own analysis of PipeMagic’s architecture and additional payloads, including a dedicated networking module.\r\nAttacks with UpCrypter\r\nCybercriminal | Spear phishing | Backdoor | RAT\r\nResearchers at Fortinet Labs detected a global campaign targeting organizations in various sectors, with\r\nmanufacturing, technology, healthcare, construction, and retail/hospitality bearing the brunt of the attacks. As part\r\nof the campaign, the attackers used various social engineering tactics to lure users to realistic-looking phishing\r\npages via emails related to purported voicemails for missed phone calls, purchase orders, and other topics that\r\n“require immediate attention.” The attackers personalize these pages with the victim’s email address and their\r\ncompany’s logo to make them appear legitimate. The attack chain begins with a small, obfuscated script that\r\nredirects victims to a spoofed site. The pages are designed to entice recipients into downloading JavaScript files\r\nthat act as droppers for UpCrypter, which is the malware that ultimately deploys various remote access tools\r\n(RATs). 
The deployed payloads observed in the attacks include PureHVNC, DCRat, and Babylon RAT.\r\nEvilAI attacks\r\nUnknown threat actor | Backdoor | AI-generated code | Disguised as AI-powered productivity toolset\r\nResearchers at Trend Micro identified a new malware campaign dubbed EvilAI that masquerades as legitimate\r\nproductivity and AI-enhanced tools, featuring professional-looking interfaces and valid digital signatures.\r\nAccording to Trend Research telemetry data, EvilAI infections have been detected globally, primarily affecting\r\norganizations in manufacturing, government, and healthcare, with a significant impact in Europe, the Americas,\r\nand the AMEA region. The malware leveraged an LLM to produce code that appears legitimate at first glance. It\r\nexfiltrates sensitive browser data and maintains AES-encrypted communication with its command-and-control\r\nservers. To ensure persistence, it creates scheduled tasks, Registry Run key entries and\r\nmalicious shortcuts. The backdoor functionality includes file downloads via a dedicated downloader, file write\r\noperations, registry operations, and process execution. EvilAI employs a sophisticated evasion tactic that makes\r\nmalicious software appear legitimate at every level. This includes the use of plausible file names and silent\r\nexecution of a JavaScript payload via Node.js. It utilizes MurmurHash3 32-bit hashing to generate unpredictable\r\ncontrol flow conditions, creating loops that appear potentially infinite to static analysis tools, along with other\r\nobfuscation and anti-analysis techniques. The malware establishes persistence by creating a scheduled task\r\ndisguised as a legitimate Windows process. 
It also maintains autonomous communication with the C2 server,\r\nprocessing structured commands and ensuring uninterrupted control of the infected system.\r\nAttacks with DarkCloud\r\nCybercriminal | Spear phishing | Spyware\r\nIn September 2025, researchers at eSentire detected a spear-phishing campaign targeting a customer in the\r\nmanufacturing industry. The campaign attempted to deliver DarkCloud, malware used to steal information. The\r\nphishing email was sent to the client’s Zendesk support email and featured a financial theme. It contained a\r\nmalicious ZIP archive with a packed DarkCloud sample. The phishing lure was designed to appear as legitimate\r\nfinancial correspondence with a subject line and message body related to banking. DarkCloud has undergone\r\nnumerous updates, including a full malware stub rewrite in VB6, string encryption and evasion updates. It targets\r\nsensitive information such as browser passwords, credit card details, keystrokes, FTP credentials, and\r\ncryptocurrency wallets. Stolen credentials and data are sent to endpoints controlled by the attacker, including\r\nTelegram, FTP, SMTP, and Web Panel (PHP). The version of DarkCloud used in this campaign was 3.2, an older\r\nversion released earlier in 2025.\r\nSource: https://ics-cert.kaspersky.com/publications/reports/2025/12/01/apt-and-financial-attacks-on-industrial-organizations-in-q3-2025/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://ics-cert.kaspersky.com/publications/reports/2025/12/01/apt-and-financial-attacks-on-industrial-organizations-in-q3-2025/"
	],
	"report_names": [
		"apt-and-financial-attacks-on-industrial-organizations-in-q3-2025"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "709ceea7-db99-405e-b5a7-a159e6c307e0",
			"created_at": "2022-10-25T16:07:23.373699Z",
			"updated_at": "2026-04-10T02:00:04.571971Z",
			"deleted_at": null,
			"main_name": "BackdoorDiplomacy",
			"aliases": [],
			"source_name": "ETDA:BackdoorDiplomacy",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "493c47f7-b265-4b10-95de-d86af942c543",
			"created_at": "2023-04-27T02:04:45.385041Z",
			"updated_at": "2026-04-10T02:00:04.939878Z",
			"deleted_at": null,
			"main_name": "Tomiris",
			"aliases": [],
			"source_name": "ETDA:Tomiris",
			"tools": [
				"JLOGRAB",
				"JLORAT",
				"Kapushka",
				"KopiLuwak",
				"Meterpreter",
				"QUIETCANARY",
				"RATel",
				"RocketMan",
				"Roopy",
				"Telemiris",
				"Tomiris",
				"Topinambour",
				"Tunnus",
				"Warzone",
				"Warzone RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c416152c-d268-40a3-8887-01d2ec452b7c",
			"created_at": "2023-04-27T02:04:45.481771Z",
			"updated_at": "2026-04-10T02:00:04.987067Z",
			"deleted_at": null,
			"main_name": "YoroTrooper",
			"aliases": [
				"Silent Lynx"
			],
			"source_name": "ETDA:YoroTrooper",
			"tools": [
				"Loda",
				"Loda RAT",
				"LodaRAT",
				"Meterpreter",
				"Nymeria",
				"Warzone",
				"Warzone RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3b56d733-88da-4394-b150-d87680ce67e4",
			"created_at": "2023-01-06T13:46:39.287189Z",
			"updated_at": "2026-04-10T02:00:03.274816Z",
			"deleted_at": null,
			"main_name": "BackdoorDiplomacy",
			"aliases": [
				"BackDip",
				"CloudComputating",
				"Quarian"
			],
			"source_name": "MISPGALAXY:BackdoorDiplomacy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ad78338e-8bb6-4745-acae-27d3cc3cf76d",
			"created_at": "2023-11-17T02:00:07.580677Z",
			"updated_at": "2026-04-10T02:00:03.452097Z",
			"deleted_at": null,
			"main_name": "Bohrium",
			"aliases": [
				"BOHRIUM",
				"IMPERIAL KITTEN",
				"Smoke Sandstorm"
			],
			"source_name": "MISPGALAXY:Bohrium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "69cba9ab-de35-4103-a699-7d243bcfd196",
			"created_at": "2023-01-06T13:46:39.159472Z",
			"updated_at": "2026-04-10T02:00:03.233731Z",
			"deleted_at": null,
			"main_name": "XDSpy",
			"aliases": [],
			"source_name": "MISPGALAXY:XDSpy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fecc0d5a-3654-425d-9290-b6d0b4105463",
			"created_at": "2023-10-17T02:00:08.330061Z",
			"updated_at": "2026-04-10T02:00:03.37711Z",
			"deleted_at": null,
			"main_name": "Void Rabisu",
			"aliases": [
				"Tropical Scorpius"
			],
			"source_name": "MISPGALAXY:Void Rabisu",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "322248d6-4baf-4ada-af8e-074bc6c10132",
			"created_at": "2023-11-05T02:00:08.072145Z",
			"updated_at": "2026-04-10T02:00:03.397406Z",
			"deleted_at": null,
			"main_name": "YoroTrooper",
			"aliases": [
				"Comrade Saiga",
				"Salted Earth",
				"Sturgeon Fisher",
				"ShadowSilk",
				"Silent Lynx",
				"Cavalry Werewolf",
				"SturgeonPhisher"
			],
			"source_name": "MISPGALAXY:YoroTrooper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-10T02:00:03.482199Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "056826cb-6e17-4954-a9b4-2cc8c6ae3cb8",
			"created_at": "2023-03-04T02:01:54.115678Z",
			"updated_at": "2026-04-10T02:00:03.360898Z",
			"deleted_at": null,
			"main_name": "Prophet Spider",
			"aliases": [
				"GOLD MELODY",
				"UNC961"
			],
			"source_name": "MISPGALAXY:Prophet Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "555e2cac-931d-4ad4-8eaa-64df6451059d",
			"created_at": "2023-01-06T13:46:39.48103Z",
			"updated_at": "2026-04-10T02:00:03.342729Z",
			"deleted_at": null,
			"main_name": "RomCom",
			"aliases": [
				"UAT-5647",
				"Storm-0978"
			],
			"source_name": "MISPGALAXY:RomCom",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7",
			"created_at": "2023-01-06T13:46:39.054248Z",
			"updated_at": "2026-04-10T02:00:03.197801Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Yellow Liderc",
				"Imperial Kitten",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Smoke Sandstorm",
				"IMPERIAL KITTEN",
				"TA456",
				"DUSTYCAVE",
				"CURIUM"
			],
			"source_name": "MISPGALAXY:Tortoiseshell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-10T02:00:03.657424Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f0f91a2f-ae05-4658-a6df-14938355eecb",
			"created_at": "2024-03-02T02:00:03.833721Z",
			"updated_at": "2026-04-10T02:00:03.598612Z",
			"deleted_at": null,
			"main_name": "UNC1549",
			"aliases": [
				"Nimbus Manticore"
			],
			"source_name": "MISPGALAXY:UNC1549",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f45af9e4-5037-4a5a-82c1-4627845eea49",
			"created_at": "2024-09-26T02:00:04.286721Z",
			"updated_at": "2026-04-10T02:00:03.707415Z",
			"deleted_at": null,
			"main_name": "Earth Baxia",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Baxia",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d513772b-a5ef-4e28-9e9d-d1c2bcd32737",
			"created_at": "2026-03-08T02:00:03.462729Z",
			"updated_at": "2026-04-10T02:00:03.97828Z",
			"deleted_at": null,
			"main_name": "The Gentlemen",
			"aliases": [],
			"source_name": "MISPGALAXY:The Gentlemen",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "90307967-d5eb-4b7b-b8de-6fa2089a176e",
			"created_at": "2022-10-25T15:50:23.501119Z",
			"updated_at": "2026-04-10T02:00:05.347826Z",
			"deleted_at": null,
			"main_name": "Dragonfly 2.0",
			"aliases": [
				"Dragonfly 2.0",
				"IRON LIBERTY",
				"DYMALLOY",
				"Berserk Bear"
			],
			"source_name": "MITRE:Dragonfly 2.0",
			"tools": [
				"netsh",
				"Impacket",
				"MCMD",
				"CrackMapExec",
				"Trojan.Karagany",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b69484be-98d1-49e6-aed1-a28dbf65176a",
			"created_at": "2022-10-25T16:07:23.886782Z",
			"updated_at": "2026-04-10T02:00:04.779029Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"G0019",
				"Hellsing",
				"ITG06",
				"Lotus Panda",
				"Naikon",
				"Operation CameraShy"
			],
			"source_name": "ETDA:Naikon",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"AR",
				"ARL",
				"Agent.dhwf",
				"Aria-body",
				"Aria-body loader",
				"Asset Reconnaissance Lighthouse",
				"BackBend",
				"Creamsicle",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"Flashflood",
				"FoundCore",
				"Gemcutter",
				"HDoor",
				"JadeRAT",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LadonGo",
				"Lecna",
				"Living off the Land",
				"NBTscan",
				"Naikon",
				"NetEagle",
				"Neteagle_Scout",
				"NewCore RAT",
				"Orangeade",
				"PlugX",
				"Quarks PwDump",
				"RARSTONE",
				"RainyDay",
				"RedDelta",
				"RoyalRoad",
				"Sacto",
				"Sandboxie",
				"ScoutEagle",
				"Shipshape",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"SslMM",
				"Sys10",
				"TIGERPLUG",
				"TVT",
				"TeamViewer",
				"Thoper",
				"WinMM",
				"Xamtrav",
				"XsFunction",
				"ZRLnk",
				"nbtscan",
				"nokian",
				"norton",
				"xsControl",
				"xsPlus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1a9c4f3f-2178-4c83-a9b5-d2135d90520a",
			"created_at": "2024-04-19T02:00:03.623733Z",
			"updated_at": "2026-04-10T02:00:03.615238Z",
			"deleted_at": null,
			"main_name": "BlackJack",
			"aliases": [],
			"source_name": "MISPGALAXY:BlackJack",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04a7ebaa-ebb1-4971-b513-a0c86886d932",
			"created_at": "2023-01-06T13:46:38.784965Z",
			"updated_at": "2026-04-10T02:00:03.099088Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"ATK116",
				"Blue Odin"
			],
			"source_name": "MISPGALAXY:Inception Framework",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2912fc0-c34e-4e4b-82e9-665416c8fe32",
			"created_at": "2023-04-20T02:01:50.979595Z",
			"updated_at": "2026-04-10T02:00:02.913011Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"BRONZE STERLING",
				"G0013",
				"PLA Unit 78020",
				"OVERRIDE PANDA",
				"Camerashy",
				"BRONZE GENEVA",
				"G0019",
				"Naikon"
			],
			"source_name": "MISPGALAXY:Naikon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9df8987a-27fc-45c5-83b0-20dceb8288af",
			"created_at": "2025-10-29T02:00:51.836932Z",
			"updated_at": "2026-04-10T02:00:05.253487Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [
				"UNC3886"
			],
			"source_name": "MITRE:UNC3886",
			"tools": [
				"MOPSLED",
				"VIRTUALPIE",
				"CASTLETAP",
				"THINCRUST",
				"VIRTUALPITA",
				"RIFLESPINE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "47b52642-e5b8-4502-b714-b625002d86aa",
			"created_at": "2024-06-19T02:03:08.086579Z",
			"updated_at": "2026-04-10T02:00:03.812509Z",
			"deleted_at": null,
			"main_name": "GOLD MELODY",
			"aliases": [
				"PROPHET SPIDER",
				"UNC961"
			],
			"source_name": "Secureworks:GOLD MELODY",
			"tools": [
				"7-Zip",
				"AUDITUNNEL",
				"BURP Suite",
				"GOTROJ",
				"JSP webshells",
				"Mimikatz",
				"Wget"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4f56bb34-098d-43f6-a0e8-99616116c3ea",
			"created_at": "2024-06-19T02:03:08.048835Z",
			"updated_at": "2026-04-10T02:00:03.870819Z",
			"deleted_at": null,
			"main_name": "GOLD FLAMINGO",
			"aliases": [
				"REF9019",
				"Tropical Scorpius",
				"UAC-0132",
				"UAC0132",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "Secureworks:GOLD FLAMINGO",
			"tools": [
				"Chanitor",
				"Cobalt Strike",
				"Cuba",
				"Meterpreter",
				"Mimikatz",
				"ROMCOM RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "64a08f65-4ef8-4ad5-bac1-ce4e0fd2808c",
			"created_at": "2024-08-28T02:02:09.663698Z",
			"updated_at": "2026-04-10T02:00:04.927384Z",
			"deleted_at": null,
			"main_name": "TAG-100",
			"aliases": [
				"Storm-2077"
			],
			"source_name": "ETDA:TAG-100",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"CrossC2",
				"LESLIELOADER",
				"Pantegana",
				"SparkRAT",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a08d93aa-41e4-4eca-a0fd-002d051a2c2d",
			"created_at": "2024-08-28T02:02:09.711951Z",
			"updated_at": "2026-04-10T02:00:04.957678Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [
				"Fire Ant"
			],
			"source_name": "ETDA:UNC3886",
			"tools": [
				"BOLDMOVE",
				"CASTLETAP",
				"LOOKOVER",
				"MOPSLED",
				"RIFLESPINE",
				"TABLEFLIP",
				"THINCRUST",
				"Tiny SHell",
				"VIRTUALGATE",
				"VIRTUALPIE",
				"VIRTUALPITA",
				"VIRTUALSHINE",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1c91699d-77d3-4ad7-9857-9f9196ac1e37",
			"created_at": "2023-11-04T02:00:07.663664Z",
			"updated_at": "2026-04-10T02:00:03.385989Z",
			"deleted_at": null,
			"main_name": "UNC3886",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC3886",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d69b3831-de95-42c9-b4b6-26232627206f",
			"created_at": "2022-10-25T16:07:24.429466Z",
			"updated_at": "2026-04-10T02:00:04.985102Z",
			"deleted_at": null,
			"main_name": "XDSpy",
			"aliases": [],
			"source_name": "ETDA:XDSpy",
			"tools": [
				"ChromePass",
				"IE PassView",
				"MailPassView",
				"Network Password Recovery",
				"OperaPassView",
				"PasswordFox",
				"Protected Storage PassView",
				"XDDown",
				"XDList",
				"XDLoc",
				"XDMonitor",
				"XDPass",
				"XDRecon",
				"XDUpload"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35",
				"APT42",
				"Agent Serpens Palo Alto",
				"Charming Kitten",
				"CharmingCypress",
				"Educated Manticore Checkpoint",
				"ITG18",
				"Magic Hound",
				"Mint Sandstorm sub-group",
				"NewsBeef",
				"Newscaster",
				"PHOSPHORUS sub-group",
				"TA453",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d18b9735-1af7-433c-a582-a01886bc5e3f",
			"created_at": "2024-10-25T02:02:07.582653Z",
			"updated_at": "2026-04-10T02:00:04.569471Z",
			"deleted_at": null,
			"main_name": "Awaken Likho",
			"aliases": [
				"Core Werewolf"
			],
			"source_name": "ETDA:Awaken Likho",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4b7f4f69-7c56-4691-9071-9365884a7f30",
			"created_at": "2024-10-25T02:02:07.672671Z",
			"updated_at": "2026-04-10T02:00:04.660715Z",
			"deleted_at": null,
			"main_name": "Earth Baxia",
			"aliases": [],
			"source_name": "ETDA:Earth Baxia",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"EAGLEDOOR",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "786139da-4139-49d0-9685-e249c5f89f25",
			"created_at": "2024-12-30T02:01:48.731055Z",
			"updated_at": "2026-04-10T02:00:04.763086Z",
			"deleted_at": null,
			"main_name": "TA455",
			"aliases": [
				"Bohrium",
				"DEV-0056",
				"Operation Iranian Dream Job",
				"Smoke Sandstorm",
				"TA455",
				"UNC1549",
				"Yellow Dev 13"
			],
			"source_name": "ETDA:TA455",
			"tools": [
				"LIGHTRAIL",
				"MINIBIKE",
				"SlugResin",
				"SnailResin"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "401a2035-ed5a-4795-8e37-8b7465484751",
			"created_at": "2022-10-25T15:50:23.616232Z",
			"updated_at": "2026-04-10T02:00:05.304705Z",
			"deleted_at": null,
			"main_name": "BackdoorDiplomacy",
			"aliases": [
				"BackdoorDiplomacy"
			],
			"source_name": "MITRE:BackdoorDiplomacy",
			"tools": [
				"Turian",
				"China Chopper",
				"Mimikatz",
				"NBTscan",
				"QuasarRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c6d22751-e854-47de-a33d-2adf0058683e",
			"created_at": "2025-03-03T02:02:00.191696Z",
			"updated_at": "2026-04-10T02:00:04.534478Z",
			"deleted_at": null,
			"main_name": "Angry Likho",
			"aliases": [],
			"source_name": "ETDA:Angry Likho",
			"tools": [
				"Lumma Stealer",
				"LummaC2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ce6c9df9-bf82-4e6c-b355-9285463a37c8",
			"created_at": "2025-03-07T02:00:03.792481Z",
			"updated_at": "2026-04-10T02:00:03.818734Z",
			"deleted_at": null,
			"main_name": "Angry Likho",
			"aliases": [
				"Sticky Werewolf"
			],
			"source_name": "MISPGALAXY:Angry Likho",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "65ab58e8-770d-4405-bd4c-55903100585b",
			"created_at": "2024-11-16T02:00:03.814784Z",
			"updated_at": "2026-04-10T02:00:03.77413Z",
			"deleted_at": null,
			"main_name": "TA455",
			"aliases": [],
			"source_name": "MISPGALAXY:TA455",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence"
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5af25e74-ab1e-4b3e-a3f8-c39227d79a2d",
			"created_at": "2025-09-27T02:00:03.95423Z",
			"updated_at": "2026-04-10T02:00:03.889451Z",
			"deleted_at": null,
			"main_name": "UNK_DropPitch",
			"aliases": [],
			"source_name": "MISPGALAXY:UNK_DropPitch",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9678b3fd-5373-4049-af73-25ab371ced8b",
			"created_at": "2025-09-27T02:00:03.956533Z",
			"updated_at": "2026-04-10T02:00:03.890321Z",
			"deleted_at": null,
			"main_name": "UNK_SparkyCarp",
			"aliases": [],
			"source_name": "MISPGALAXY:UNK_SparkyCarp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest",
				"Roasted 0ktapus",
				"Scatter Swine",
				"Scattered Spider",
				"UNC3944"
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "604a4a41-3fa7-4bee-9c1b-4f83c21b9d35",
			"created_at": "2025-09-27T02:00:03.938884Z",
			"updated_at": "2026-04-10T02:00:03.888766Z",
			"deleted_at": null,
			"main_name": "UNK_FistBump",
			"aliases": [],
			"source_name": "MISPGALAXY:UNK_FistBump",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f1ce7e3-77cd-4af0-bedb-1643f55c9baf",
			"created_at": "2022-10-25T15:50:23.31611Z",
			"updated_at": "2026-04-10T02:00:05.370146Z",
			"deleted_at": null,
			"main_name": "Naikon",
			"aliases": [
				"Naikon"
			],
			"source_name": "MITRE:Naikon",
			"tools": [
				"ftp",
				"netsh",
				"WinMM",
				"Systeminfo",
				"RainyDay",
				"RARSTONE",
				"HDoor",
				"Sys10",
				"SslMM",
				"PsExec",
				"Tasklist",
				"Aria-body"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4fdfdea-a0f3-48ff-ac9f-e418689ec6b9",
			"created_at": "2026-02-11T02:00:03.939312Z",
			"updated_at": "2026-04-10T02:00:03.967059Z",
			"deleted_at": null,
			"main_name": "ComicForm",
			"aliases": [],
			"source_name": "MISPGALAXY:ComicForm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff",
			"created_at": "2025-04-23T02:00:55.190165Z",
			"updated_at": "2026-04-10T02:00:05.361244Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Salt Typhoon"
			],
			"source_name": "MITRE:Salt Typhoon",
			"tools": [
				"JumbledPath"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b5b24083-7ba6-44cc-9d11-a6274e2eee00",
			"created_at": "2022-10-25T16:07:24.337332Z",
			"updated_at": "2026-04-10T02:00:04.94285Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Cobalt Fireside",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Curium",
				"Devious Serpens",
				"Houseblend",
				"Imperial Kitten",
				"Marcella Flores",
				"Operation Fata Morgana",
				"TA456",
				"Yellow Liderc"
			],
			"source_name": "ETDA:Tortoiseshell",
			"tools": [
				"IMAPLoader",
				"Infostealer",
				"IvizTech",
				"LEMPO",
				"MANGOPUNCH",
				"SysKit",
				"get-logon-history.ps1",
				"liderc",
				"stereoversioncontrol"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "401a4c49-1b76-49ea-8b31-9a8c3c0bd9b9",
			"created_at": "2025-03-18T11:50:08.877355Z",
			"updated_at": "2026-04-10T02:00:03.639241Z",
			"deleted_at": null,
			"main_name": "Head Mare",
			"aliases": [],
			"source_name": "MISPGALAXY:Head Mare",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "591ffe81-e46b-4e3d-90c1-9bf42abeeb47",
			"created_at": "2025-08-07T02:03:24.726943Z",
			"updated_at": "2026-04-10T02:00:03.805423Z",
			"deleted_at": null,
			"main_name": "COBALT FIRESIDE",
			"aliases": [
				"CURIUM",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"DEV-0228",
				"HIVE0095",
				"Imperial Kitten",
				"TA456",
				"Tortoiseshell",
				"UNC3890",
				"Yellow Liderc"
			],
			"source_name": "Secureworks:COBALT FIRESIDE",
			"tools": [
				"FireBAK",
				"LEMPO",
				"LiderBird"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "120b98af-cc15-468d-ae91-52d5af9216e4",
			"created_at": "2025-05-29T02:00:03.189197Z",
			"updated_at": "2026-04-10T02:00:03.84415Z",
			"deleted_at": null,
			"main_name": "GOFFEE",
			"aliases": [],
			"source_name": "MISPGALAXY:GOFFEE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d38d3292-8164-433a-879a-a6f4b63932f5",
			"created_at": "2025-05-29T02:00:03.23291Z",
			"updated_at": "2026-04-10T02:00:03.882124Z",
			"deleted_at": null,
			"main_name": "Hive0117",
			"aliases": [],
			"source_name": "MISPGALAXY:Hive0117",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0dc20eeb-81e3-48ef-9a12-7b38fdcf07b1",
			"created_at": "2025-09-20T02:04:46.693616Z",
			"updated_at": "2026-04-10T02:00:03.735806Z",
			"deleted_at": null,
			"main_name": "COBALT SMOKEY",
			"aliases": [
				"Nimbus Manticore",
				"Smoke Sandstorm",
				"Subtle Snail",
				"TA455",
				"UNC1549"
			],
			"source_name": "Secureworks:COBALT SMOKEY",
			"tools": [
				"LIGHTRAIL",
				"MINIBIKE",
				"MINIBUS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries",
				"Famous Sparrow",
				"Ghost Emperor",
				"RedMike",
				"Salt Typhoon"
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "90074ca4-8a4a-42dc-a395-25db4f44c1a4",
			"created_at": "2024-10-08T02:00:04.462582Z",
			"updated_at": "2026-04-10T02:00:03.722048Z",
			"deleted_at": null,
			"main_name": "Awaken Likho",
			"aliases": [
				"Core Werewolf"
			],
			"source_name": "MISPGALAXY:Awaken Likho",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "578e92ed-3eda-45ef-b4bb-b882ec3dbb62",
			"created_at": "2025-08-07T02:03:24.604463Z",
			"updated_at": "2026-04-10T02:00:03.798481Z",
			"deleted_at": null,
			"main_name": "BRONZE GENEVA",
			"aliases": [
				"APT30",
				"BRONZE STERLING",
				"CTG-5326",
				"Naikon",
				"Override Panda",
				"RADIUM",
				"Raspberry Typhoon"
			],
			"source_name": "Secureworks:BRONZE GENEVA",
			"tools": [
				"Lecna Downloader",
				"Nebulae",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "db5b833a-965e-4f46-b75d-7e829466a5fa",
			"created_at": "2024-12-21T02:00:02.843374Z",
			"updated_at": "2026-04-10T02:00:03.780907Z",
			"deleted_at": null,
			"main_name": "Storm-2077",
			"aliases": [
				"TAG-100",
				"RedNovember"
			],
			"source_name": "MISPGALAXY:Storm-2077",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8cb98420-1ff5-4a85-977b-b4e063eec334",
			"created_at": "2026-01-17T02:00:03.200683Z",
			"updated_at": "2026-04-10T02:00:03.896419Z",
			"deleted_at": null,
			"main_name": "Curly COMrades",
			"aliases": [],
			"source_name": "MISPGALAXY:Curly COMrades",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9a008ebb-676f-4c3b-9e25-e19305d1b5d7",
			"created_at": "2026-01-23T02:00:03.286173Z",
			"updated_at": "2026-04-10T02:00:03.928041Z",
			"deleted_at": null,
			"main_name": "GhostRedirector",
			"aliases": [],
			"source_name": "MISPGALAXY:GhostRedirector",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6ba499e8-6c4d-4c49-8d0c-2bf29ea014c5",
			"created_at": "2026-02-03T02:00:03.44377Z",
			"updated_at": "2026-04-10T02:00:03.942489Z",
			"deleted_at": null,
			"main_name": "UNG0901",
			"aliases": [
				"Operation CargoTalon",
				"Unknown-Group-901"
			],
			"source_name": "MISPGALAXY:UNG0901",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e2a4bc0b-6745-4e55-9d7c-3d169d70b025",
			"created_at": "2022-10-25T16:07:23.386907Z",
			"updated_at": "2026-04-10T02:00:04.576815Z",
			"deleted_at": null,
			"main_name": "Berserk Bear",
			"aliases": [
				"Berserk Bear",
				"Dragonfly 2.0",
				"Dymalloy",
				"G0074"
			],
			"source_name": "ETDA:Berserk Bear",
			"tools": [
				"Fuerboos",
				"Goodor",
				"Impacket",
				"Karagany",
				"Karagny",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Phishery",
				"Trojan.Karagany",
				"Trojan.Phisherly",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "02c9f3f6-5d10-456b-9e63-750286048149",
			"created_at": "2022-10-25T16:07:23.722884Z",
			"updated_at": "2026-04-10T02:00:04.72726Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"ATK 116",
				"Blue Odin",
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"Inception Framework",
				"Operation Cloud Atlas",
				"Operation RedOctober",
				"The Rocra"
			],
			"source_name": "ETDA:Inception Framework",
			"tools": [
				"Lastacloud",
				"PowerShower",
				"VBShower"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c",
			"created_at": "2022-10-25T16:07:23.750796Z",
			"updated_at": "2026-04-10T02:00:04.736762Z",
			"deleted_at": null,
			"main_name": "Ke3chang",
			"aliases": [
				"APT 15",
				"BackdoorDiplomacy",
				"Bronze Davenport",
				"Bronze Idlewood",
				"Bronze Palace",
				"CTG-9246",
				"G0004",
				"G0135",
				"GREF",
				"Ke3chang",
				"Metushy",
				"Nylon Typhoon",
				"Operation Ke3chang",
				"Operation MirageFox",
				"Playful Dragon",
				"Playful Taurus",
				"PurpleHaze",
				"Red Vulture",
				"Royal APT",
				"Social Network Team",
				"Vixen Panda"
			],
			"source_name": "ETDA:Ke3chang",
			"tools": [
				"Agentemis",
				"Anserin",
				"BS2005",
				"BleDoor",
				"CarbonSteal",
				"Cobalt Strike",
				"CobaltStrike",
				"DarthPusher",
				"DoubleAgent",
				"EternalBlue",
				"GoldenEagle",
				"Graphican",
				"HenBox",
				"HighNoon",
				"IRAFAU",
				"Ketrican",
				"Ketrum",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MS Exchange Tool",
				"Mebroot",
				"Mimikatz",
				"MirageFox",
				"NBTscan",
				"Okrum",
				"PluginPhantom",
				"PortQry",
				"ProcDump",
				"PsList",
				"Quarian",
				"RbDoor",
				"RibDoor",
				"Royal DNS",
				"RoyalCli",
				"RoyalDNS",
				"SAMRID",
				"SMBTouch",
				"SilkBean",
				"Sinowal",
				"SpyWaller",
				"Theola",
				"TidePool",
				"Torpig",
				"Turian",
				"Winnti",
				"XSLCmd",
				"cobeacon",
				"nbtscan",
				"netcat",
				"spwebmember"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "531c57fb-7453-495b-99e8-e29acebe5d26",
			"created_at": "2026-04-10T02:00:04.014201Z",
			"updated_at": "2026-04-10T02:00:04.014201Z",
			"deleted_at": null,
			"main_name": "Mythic Likho",
			"aliases": [
				"Arcane Werewolf"
			],
			"source_name": "MISPGALAXY:Mythic Likho",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433980,
	"ts_updated_at": 1775826758,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7be9913adcb77245c31c0bce9479f8f06bad3cca.pdf",
		"text": "https://archive.orkl.eu/7be9913adcb77245c31c0bce9479f8f06bad3cca.txt",
		"img": "https://archive.orkl.eu/7be9913adcb77245c31c0bce9479f8f06bad3cca.jpg"
	}
}