{
	"id": "53741cdf-8dc6-4c4a-aa4c-58a13f14a380",
	"created_at": "2026-04-06T00:12:22.782718Z",
	"updated_at": "2026-04-10T03:36:37.002216Z",
	"deleted_at": null,
	"sha1_hash": "7c532c70196ffd1247108a70bfb5c6dbe3c75474",
	"title": "Deobfuscating Ostap: TrickBot’s 34,000 Line JavaScript Downloader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2404133,
	"plain_text": "Deobfuscating Ostap: TrickBot’s 34,000 Line JavaScript Downloader\r\nBy Alex Holland\r\nPublished: 2019-09-03 · Archived: 2026-04-05 21:12:20 UTC\r\nIntroduction\r\nFor a malicious actor to compromise a system, they need to avoid being detected at the point of entry into the target’s network. Commonly, phishing emails delivering malicious attachments (T1193) serve as the initial access vector.[1]\r\nAdversaries also need a way to execute code on target computers without tipping off automated tools and the monitoring efforts of security teams. One of the most common code execution techniques is to use interpreted scripting languages (T1064) that can run on an operating system without additional dependencies.[2] On Windows, popular interpreted languages that are abused by attackers include PowerShell, VBScript, JScript, VBA (Visual Basic for Applications), and commands interpreted by Command shell (cmd.exe).\r\nNetwork attackers and defenders are in a constant state of competition to out-do the other to gain an advantage that could determine the outcome of an intrusion attempt. Against this background, we regularly see malicious actors change their tooling to increase the chances of a successful intrusion, particularly the downloaders used to initially compromise systems.\r\nIn early August 2019, we noticed that high-volume malicious spam campaigns delivering TrickBot started using Ostap, a commodity JavaScript (or more specifically, JScript) downloader. Previously, TrickBot campaigns relied on downloaders that used obfuscated Command shell and later PowerShell commands that were triggered by VBA AutoOpen macros to download their payloads.\r\nIn this post, I explain how to deobfuscate Ostap and describe a Python script I wrote (deobfuscate_ostap.py) that automates the deobfuscation of this JScript malware. The tool is available to download on GitHub.[3]\r\nTrickBot, also known as The Trick, is a modular banking Trojan and dropper thought to be operated by at least three threat actors, tracked in the security community as TA505, Grim Spider and Wizard Spider.[4][5][6][7] While JavaScript-based downloaders aren’t new, TrickBot’s latest downloader is notable for its size, virtual machine detection and anti-analysis measures. For example, the Ostap samples analysed in this post generated incomplete traces in two different public sandboxes and neither downloaded their respective TrickBot payloads.[8][9] Moreover, a sample that was uploaded to VirusTotal had a low detection rate of 6/55 (11%) when it was first uploaded, suggesting that Ostap is effective at evading most anti-virus engines.\r\nhttps://www.bromium.com/deobfuscating-ostap-trickbots-javascript-downloader/\r\nPage 1 of 15\r\nFigure 1 – VirusTotal detection summary for one of the Ostap samples.\r\nOstap, TrickBot’s JScript Downloader\r\nDownloaders are a type of malware designed to retrieve and run secondary payloads from one or more remote servers. Their simple function means that downloaders are rarely more than several hundred lines of code, even when obfuscated. Ostap counters this trend in that it is very large, containing nearly 35,000 lines of obfuscated code once beautified. Historical TrickBot campaigns suggest that their operators prefer code obfuscation that is lengthier than that of most other e-crime actors to bypass detection, as seen, for example, in campaigns in August 2018.[10]\r\nFigure 2 – Line, word and byte count of a sample of Ostap used to deliver TrickBot after being beautified. The downloader is 34,757 lines long.\r\nMacro Analysis\r\nThe downloader is delivered as a Microsoft Word 2007 macro-enabled document (.DOCM) that contains the two components of the downloader: a VBA macro and the JScript (figure 3). The emails and samples analysed were themed as purchase orders, suggesting that the campaigns were likely intended to target businesses rather than individuals.\r\nFigure 3 – Lure document of the downloader.\r\nThe JScript component of the downloader is stored in the body of the document as white text, resulting in a high word and page count.\r\nFigure 4 – JScript in lure document.\r\nThe VBA macro is saved in a project called “Sorry”. When the document is opened, it first copies the JScript to files named 2angola.dot and 2angola.dotu in the user’s default Word template directory (%AppData%\\Microsoft\\Templates). The procedure is triggered by a Document.Open event.[11]\r\nFigure 5 – Annotated VBA code that runs when the document is opened.\r\nThe rest of the macro only runs if the document is closed, which is achieved by monitoring for a Document.Close event (figure 6).[12] This is an anti-sandbox measure used to defeat behavioural analysis by sandboxes that don’t imitate user activity such as closing documents.\r\nFigure 6 – Annotated VBA code that runs when the document is closed.\r\nIf the document is closed, the macro renames 2angola.dot to 2angola.Jse and then runs it:\r\n1. The macro calls the Create method from the Win32_Process WMI class to run a new Explorer.exe process with 2angola.Jse as its command line argument (figure 7).[13]\r\n2. When a new Explorer.exe process is created where one is already running, the new process is created with the /factory,{75DFF2B7-6936-4C06-A8BB-676A7B00B24B} -Embedding command-line arguments (figure 8). The CLSID corresponds to the ProgID called “CLSID_SeparateMultipleProcessExplorerHost”.[14]\r\n3. Explorer runs 2angola.Jse using Windows Script Host (WScript.exe), the default file handler for JScript Encoded Files (.JSE), as shown in figure 9. The file extension of 2angola.dot is renamed to .Jse to ensure that the JScript is opened using WScript.exe. Relying on default file associations means that the macro can evade detection by indirectly referencing WScript, a program commonly used for malicious purposes in the context of macros.\r\nFigure 7 – Sysmon event showing an Explorer.exe process running the JScript file after being launched by WMI Provider Host (WmiPrvSE.exe).\r\nFigure 8 – Sysmon event showing the new Explorer.exe process being created with the arguments /factory,CLSID {75DFF2B7-6936-4C06-A8BB-676A7B00B24B} -Embedding.\r\nFigure 9 – Sysmon event showing WScript.exe running the JScript file.\r\nAnti-Analysis Measures\r\nInterestingly, Ostap includes a fake Windows Script Host runtime error that occurs shortly after the script is run. It’s likely that the fake error was included to discourage manual examination of the downloader.\r\nFigure 10 – Fake error message displayed early during the runtime of the downloader.\r\nFigure 11 – Variable storing the fake error message in TrickBot’s downloader.\r\nSome samples of the downloader contain the characters **/ at the beginning of the JSE file. This is another anti-analysis measure that is used to trip up automated JavaScript analysis tools, which may interpret the rest of the script as being part of a comment block rather than executable code.\r\nOnce deobfuscated, several other anti-analysis measures are revealed. For example, Ostap queries WMI to check if it is running in a virtual machine by looking for a blacklist of running processes:\r\nAgentSimulator.exe\r\nanti-virus.EXE\r\nBehaviorDumper\r\nBennyDB.exe\r\nctfmon.exe\r\nfakepos_bin\r\nFrzState2k\r\ngemu-ga.exe (Possible misspelling of Qemu hypervisor’s guest agent, qemu-ga.exe)\r\nImmunityDebugger.exe\r\nKMS Server Service.exe\r\nProcessHacker\r\nprocexp\r\nProxifier.exe\r\npython\r\ntcpdump\r\nVBoxService\r\nVBoxTray.exe\r\nVmRemoteGuest\r\nvmtoolsd\r\nVMware2B.exe\r\nVzService.exe\r\nwinace\r\nWireshark\r\nMany sandboxes run these processes in their guest images, such as Cuckoo Sandbox and its derivatives, which use a Python agent. The script also checks for a blacklist of host and user names:\r\nEmily\r\nHANSPETER-PC\r\nHAPUBWS\r\nHong Lee\r\nIT-ADMIN\r\nJOHN-PC\r\nJohnson\r\nMiller\r\nMUELLER-PC\r\nPeter Wilson\r\nSystemIT | admin\r\nTimmy\r\nWIN7-TRAPS\r\nBeautifying the JScript\r\nThe JScript that is written to disk is one line, making it difficult to analyse manually. To make it more readable, you can reformat and add indentation to the code using Einar Lielmanis’s JS Beautifier tool, which also works for JScript because the two languages share a similar syntax.[15]\r\njs-beautify 2angola.Jse \u003e 2angola.Jse.beautified\r\nIdentifying Code Structure, Key Variables and Functions\r\nNow that the code is readable, we can begin analysing the script’s structure, variables and functions. Our aim here is to identify the functions responsible for deobfuscating the downloader.\r\nThe script includes many junk variables that aren’t used anywhere else in the script. We can simply remove these variables. It is often possible to distinguish the variables that have been automatically generated by an obfuscator from meaningful ones because their naming convention will differ.\r\nFor example, in figure 12 you can see some of the variable assignments in the script. All of them are junk code, except the variable called gunsder, which looks interesting because it contains the string “from”. It’s also referenced 2,515 times, which is promising.\r\nFigure 12 – Some of the variables in the script.\r\nIn figure 13, you can see at line 15 a function called xxqneol. The variable that we identified as interesting, gunsder, is concatenated with other strings. After concatenation, you can see that the returned string is a reference to the fromCharCode() method, which converts a Unicode character code into a character.[16] This function is supplied a parameter called etsfhis. Before calling fromCharCode, the function checks that the second parameter, vqjpvi, is the character h. This function is also referenced 7,540 times, so it’s likely that this function is used in the deobfuscation of the script.\r\nNow that we understand what the function does, we can give it, its variables and its parameters meaningful names (figure 14).\r\nFigure 13 – Function xxqneol before deobfuscation.\r\nFigure 14 – Renamed xxqneol function.\r\nAnalysis of Character Code Calculation Functions\r\nNext, we can look at the functions where fromCharCode is referenced to understand how it is used. After cleaning up the code in figure 15, you can see that the function uses arithmetic operators to calculate a Unicode character code from the values stored in an array called pkkwrit4. The Unicode character code and the character h are then supplied to the fromCharCode function, which returns a Unicode character. In this case, the character returned is f. Each character in the downloader has its own function to calculate its character code. This particular sample has 7,540 functions that are used to calculate all the character codes.\r\nFigure 15 – One of the many functions used to calculate Unicode character codes.\r\nFigure 16 – Cleaned up function.\r\nWriting a Python Script (deobfuscate_ostap.py) to Automate Deobfuscation\r\nSince we don’t want to have to manually calculate and decode 7,540 Unicode character codes, let’s write a Python script to do this for us.\r\nBy looking for code similarities we can work out what actions we need the script to perform. In the functions that calculate the Unicode character codes, the final character code value is always calculated using the elements at index 0 and 1 of an array. Some arithmetic is performed on these elements before they are supplied to the fromCharCode function. So far we’ve seen addition and subtraction used in Ostap samples in the wild.\r\nWe can use Python’s re module to write regular expressions that match the elements in each array at index 0 and 1 and store them in lists.[17] Next, we’ll clean up the matches using the re.sub() function and then convert them into integers. We can then use Python’s zip() function to perform the arithmetic on the values in the index 0 and 1 lists.[18] The script tries subtraction and addition operations to deobfuscate the downloader. Finally, the script converts the character codes into Unicode characters, removes line breaks and prints the result.\r\nThe script is available on GitHub to download and can be modified to support automated analysis pipelines.[3] To test the script, a YARA rule was written to detect Ostap and then run against 100 samples from August 2019. The extracted and deduplicated URLs are at the end of the report.\r\nAnalysis of the Deobfuscated Downloader\r\nAfter running the script, we can examine the deobfuscated strings from the downloader, including the URL where the TrickBot payload is hosted:\r\nhxxps://185.180.199[.]102/angola/mabutu.php?min=14b\r\nFigure 17 – Deobfuscated strings of Ostap sample using deobfuscate_ostap.py.\r\nThe strings are very similar to older Ostap samples from 2018 onwards, enabling us to make a high confidence assessment that the downloaders used to deliver TrickBot in August 2019 belong to this family of malware. Public reporting shows that this malware has been used in campaigns unrelated to TrickBot since 2016, delivering various financial malware families.[19][20] The variety of malware delivered by Ostap suggests that it is commodity malware that is popular among different threat actors, now including TrickBot’s operators.\r\nOstap’s aggressive anti-analysis features and low detection rate compared to downloaders that use other interpreted scripting languages make it an attractive choice for malware operators seeking a downloader.\r\nYARA Rule\r\nrule win_ostap_jse {\r\n    meta:\r\n        author = \"Alex Holland @cryptogramfan (Bromium Labs)\"\r\n        date = \"2019-08-29\"\r\n        sample_1 = \"F3E03E40F00EA10592F20D83E3C5E922A1CE6EA36FC326511C38F45B9C9B6586\"\r\n        sample_2 = \"38E2B6F06C2375A955BEA0337F087625B4E6E49F6E4246B50ECB567158B3717B\"\r\n    strings:\r\n        $comment = { 2A 2A 2F 3B } // Matches on **/;\r\n        $array_0 = /\\w{5,8}\\[\\d+\\]=\\d{1,3};/\r\n        $array_1 = /\\w{5,8}\\[\\d+\\]=\\d{1,3};/\r\n    condition:\r\n        ((($comment at 0) and (#array_0 \u003e 100) and (#array_1 \u003e 100)) or\r\n        ((#array_0 \u003e 100) and (#array_1 \u003e 100))) and\r\n        (filesize \u003e 500KB and filesize \u003c 1500KB)\r\n}\r\nHashes (SHA-256)\r\nF3E03E40F00EA10592F20D83E3C5E922A1CE6EA36FC326511C38F45B9C9B6586 – Last_order_specification_1217492.docm\r\n38E2B6F06C2375A955BEA0337F087625B4E6E49F6E4246B50ECB567158B3717B – Heiress_Documents_id18598.docm\r\nExtracted URLs\r\nReferences\r\n[1] MITRE ATT\u0026CK technique T1193 “Spearphishing Attachment”, https://attack.mitre.org/techniques/T1193/\r\n[2] MITRE ATT\u0026CK technique T1064 “Scripting”, https://attack.mitre.org/techniques/T1064/\r\n[3] https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/deobfuscate_ostap.py\r\n[4] “Security Primer: TrickBot”, Multi-State Information Sharing and Analysis Center, March 2019, https://www.cisecurity.org/wp-content/uploads/2019/03/MS-ISAC-Security-Primer-Trickbot-11March2019-mtw.pdf\r\n[5] “Threat Group Cards: A Threat Actor Encyclopedia”, ThaiCERT, p. 226, https://www.thaicert.or.th/downloads/files/A_Threat_Actor_Encyclopedia.pdf\r\n[6] “Threat Group Cards: A Threat Actor Encyclopedia”, ThaiCERT, p. 259\r\n[7] “Threat Group Cards: A Threat Actor Encyclopedia”, ThaiCERT, p. 272\r\n[8] https://app.any.run/tasks/dc86fb23-b8ac-49db-8c22-a53b88236676/\r\n[9] https://www.hybrid-analysis.com/sample/38e2b6f06c2375a955bea0337f087625b4e6e49f6e4246b50ecb567158b3717b?environmentId=120\r\n[10] https://www.virustotal.com/gui/file/1512b7e34006ff7b69c76601fcf554668a3378d31c77b44507960d46e3a7c02c/details\r\n[11] https://docs.microsoft.com/en-us/office/vba/api/word.document.open\r\n[12] https://docs.microsoft.com/en-us/office/vba/api/word.document.close(even)\r\n[13] https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/create-method-in-class-win32-process\r\n[14] https://en.wikipedia.org/wiki/ProgID\r\n[15] https://github.com/beautify-web/js-beautify\r\n[16] https://www.w3schools.com/jsref/jsref_fromcharcode.asp\r\n[17] https://docs.python.org/3/library/re.html\r\n[18] https://docs.python.org/3.3/library/functions.html#zip\r\n[19] https://www.cert.pl/en/news/single/ostap-malware-analysis-backswap-dropper/\r\n[20] https://www.carbonblack.com/2017/06/12/carbon-black-threat-research-dissects-emerging-mouseover-malware/\r\nSource: https://www.bromium.com/deobfuscating-ostap-trickbots-javascript-downloader/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bromium.com/deobfuscating-ostap-trickbots-javascript-downloader/"
	],
	"report_names": [
		"deobfuscating-ostap-trickbots-javascript-downloader"
	],
	"threat_actors": [
		{
			"id": "12211366-1f14-4eed-9d91-46b6a2ede618",
			"created_at": "2025-08-07T02:03:25.014713Z",
			"updated_at": "2026-04-10T02:00:03.624097Z",
			"deleted_at": null,
			"main_name": "GOLD ULRICK",
			"aliases": [
				"Grim Spider ",
				"UNC1878 "
			],
			"source_name": "Secureworks:GOLD ULRICK",
			"tools": [
				"Bloodhound",
				"Buer Loader",
				"Cobalt Strike",
				"Conti",
				"Diavol",
				"PowerShell Empire",
				"Ryuk",
				"SystemBC",
				"Team9 (aka BazarLoader)",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8492b1a0-126f-4113-b8f7-101d28559629",
			"created_at": "2023-01-06T13:46:38.864213Z",
			"updated_at": "2026-04-10T02:00:03.126178Z",
			"deleted_at": null,
			"main_name": "GRIM SPIDER",
			"aliases": [
				"GOLD ULRICK"
			],
			"source_name": "MISPGALAXY:GRIM SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434342,
	"ts_updated_at": 1775792197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7c532c70196ffd1247108a70bfb5c6dbe3c75474.pdf",
		"text": "https://archive.orkl.eu/7c532c70196ffd1247108a70bfb5c6dbe3c75474.txt",
		"img": "https://archive.orkl.eu/7c532c70196ffd1247108a70bfb5c6dbe3c75474.jpg"
	}
}