{
	"id": "23832c9c-9936-46fc-afe6-1374dc07a2e6",
	"created_at": "2026-04-06T00:10:01.002601Z",
	"updated_at": "2026-04-10T13:11:38.305612Z",
	"deleted_at": null,
	"sha1_hash": "7eccc47c8707a8c9363d0829a1a64d0b9d9e5d2a",
	"title": "REvil (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 624311,
	"plain_text": "REvil (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 21:41:51 UTC\r\nREvil Beta\r\nMD5: bed6fc04aeb785815744706239a1f243\r\nSHA1: 3d0649b5f76dbbff9f86b926afbd18ae028946bf\r\nSHA256: 3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45\r\n* Privilege escalation via CVE-2018-8453 (64-bit only)\r\n* Rerun with RunAs to elevate privileges\r\n* Implements a requirement that if \"exp\" is set, privilege escalation must be successful for full execution to occur\r\n* Implements target whitelisting using GetKetboardLayoutList\r\n* Contains debug console logging functionality\r\n* Defines the REvil registry root key as SOFTWARE\\!test\r\n* Includes two variable placeholders in the ransom note: UID \u0026 KEY\r\n* Terminates processes specified in the \"prc\" configuration key prior to encryption\r\n* Deletes shadow copies and disables recovery\r\n* Wipes contents of folders specified in the \"wfld\" configuration key prior to encryption\r\n* Encrypts all non-whitelisted files on fixed drives\r\n* Encrypts all non-whitelisted files on network mapped drives if it is running with System-level privileges or can\r\nimpersonate the security context of explorer.exe\r\n* Partially implements a background image setting to display a basic \"Image text\" message\r\n* Sends encrypted system data to a C2 domain via an HTTPS POST request (URI path building is not\r\nimplemented.)\r\n------------------------------------\r\nREvil 1.00\r\nMD5: 65aa793c000762174b2f86077bdafaea\r\nSHA1: 95a21e764ad0c98ea3d034d293aee5511e7c8457\r\nSHA256: f0c60f62ef9ffc044d0b4aeb8cc26b971236f24a2611cb1be09ff4845c3841bc\r\n* Adds 32-bit implementation of CVE-2018-8453 exploit\r\n* Removes console debug logging\r\n* Changes the REvil registry root key to SOFTWARE\\recfg\r\n* Removes the System/Impersonation success requirement for encrypting network mapped drives\r\n* Adds a \"wipe\" key to the configuration for optional folder wiping\r\n* Fully implements the 
background image setting and leverages values defined in the \"img\" configuration key\r\n* Adds an EXT variable placeholder to the ransom note to support UID, KEY, and EXT\r\n* Implements URI path building so encrypted system data is sent to a C2 pseudo-random URL\r\n* Fixes the function that returns the victim's username so the correct value is placed in the stats JSON data\r\n------------------------------------\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.revil\r\nPage 1 of 20\n\nREvil 1.01\r\nMD5: 2abff29b4d87f30f011874b6e98959e9\r\nSHA1: 9d1b61b1cba411ee6d4664ba2561fa59cdb0732c\r\nSHA256: a88e2857a2f3922b44247316642f08ba8665185297e3cd958bbd22a83f380feb\r\n* Removes the exp/privilege escalation requirement for full execution and encrypts data regardless of privilege level\r\n* Makes encryption of network mapped drives optional by adding the \"-nolan\" argument\r\n------------------------------------\r\nREvil 1.02\r\nMD5: 4af953b20f3a1f165e7cf31d6156c035\r\nSHA1: b859de5ffcb90e4ca8e304d81a4f81e8785bb299\r\nSHA256: 89d80016ff4c6600e8dd8cfad1fa6912af4d21c5457b4e9866d1796939b48dc4\r\n* Enhances whitelisting validation by adding inspection of GetUserDefaultUILanguage and GetSystemDefaultUILanguage\r\n* Partially implements \"lock file\" logic by generating a lock filename based on the first four bytes of the Base64-decoded pk key, appending a .lock file extension, and adding the filename to the list of whitelisted files in the REvil configuration (It does not appear that this value is referenced after it is created and stored in memory. 
There is no evidence that a lock file is dropped to disk.)\r\n* Enhances folder whitelisting logic that takes special considerations if the folder is associated with \"program files\" directories\r\n* Hard-codes whitelisting of all direct content within the Program Files or Program Files x86 directories\r\n* Hard-codes whitelisting of \"sql\" subfolders within program files\r\n* Encrypts program files sub-folders that do not contain \"sql\" in the path\r\n* Compares other folders to the list of whitelisted folders specified in the REvil configuration to determine if they are whitelisted\r\n* Encodes stored strings used for URI building within the binary and decodes them in memory right before use\r\n* Introduces a REvil registry root key \"sub_key\" registry value containing the attacker's public key\r\n------------------------------------\r\nREvil 1.03\r\nMD5: 3cae02306a95564b1fff4ea45a7dfc00\r\nSHA1: 0ce2cae5287a64138d273007b34933362901783d\r\nSHA256: 78fa32f179224c46ae81252c841e75ee4e80b57e6b026d0a05bb07d34ec37bbf\r\n* Removes lock file logic that was partially implemented in 1.02\r\n* Leverages WMI to continuously monitor for and kill newly launched processes whose names are listed in the prc configuration key (Previous versions performed this action once.)\r\n* Encodes stored shellcode\r\n* Adds the -path argument:\r\n* Does not wipe folders (even if wipe == true)\r\n* Does not set desktop background\r\n* Does not contact the C2 server (even if net == true)\r\n* Encrypts files in the specified folder and drops the ransom note\r\n* Changes the REvil registry root key to SOFTWARE\\QtProject\\OrganizationDefaults\r\n* Changes registry key values from --\u003e to:\r\n* sub_key --\u003e pvg\r\n* pk_key --\u003e sxsP\r\n* sk_key --\u003e BDDC8\r\n* 0_key --\u003e f7gVD7\r\n* rnd_ext --\u003e Xu7Nnkd\r\n* stat --\u003e sMMnxpgk\r\n------------------------------------\r\nREvil 
1.04\r\nMD5: 6e3efb83299d800edf1624ecbc0665e7\r\nSHA1: 0bd22f204c5373f1a22d9a02c59f69f354a2cc0d\r\nSHA256: 2ca64feaaf5ab6cf96677fbc2bc0e1995b3bc93472d7af884139aa757240e3f6\r\n* Leverages PowerShell and WMI to delete shadow copies if the victim's operating system is newer than Windows XP (For Windows XP or older, it uses the original command that was executed in all previous REvil versions.)\r\n* Removes the folder wipe capability\r\n* Changes the REvil registry root key to SOFTWARE\\GitForWindows\r\n* Changes registry key values from --\u003e to:\r\n* pvg --\u003e QPM\r\n* sxsP --\u003e cMtS\r\n* BDDC8 --\u003e WGg7j\r\n* f7gVD7 --\u003e zbhs8h\r\n* Xu7Nnkd --\u003e H85TP10\r\n* sMMnxpgk --\u003e GCZg2PXD\r\n------------------------------------\r\nREvil v1.05\r\nMD5: cfefcc2edc5c54c74b76e7d1d29e69b2\r\nSHA1: 7423c57db390def08154b77e2b5e043d92d320c7\r\nSHA256: e430479d1ca03a1bc5414e28f6cdbb301939c4c95547492cdbe27b0a123344ea\r\n* Adds a new 'arn' configuration key that contains a boolean true/false value that controls whether or not to implement persistence.\r\n* Implements persistence functionality via registry Run key. Data for value is set to the full path and filename of the currently running executable. The executable is never moved into any 'working directory' such as %AppData% or %TEMP% as part of the persistence setup. 
The Reg Value used is the hardcoded value of 'lNOWZyAWVv':\r\n* SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\lNOWZyAWVv\r\n* Before exiting, REvil sets up its malicious executable to be deleted upon reboot by issuing a call to MoveFileExW and setting the destination to NULL and the flags to 4 (MOVEFILE_DELAY_UNTIL_REBOOT). This breaks persistence, however, as the target executable specified in the Run key will no longer exist once this is done.\r\n* Changes registry key values from --\u003e to:\r\n* QPM --\u003e tgE\r\n* cMtS --\u003e 8K09\r\n* WGg7j --\u003e xMtNc\r\n* zbhs8h --\u003e CTgE4a\r\n* H85TP10 --\u003e oE5bZg0\r\n* GCZg2PXD --\u003e DC408Qp4\r\n------------------------------------\r\nREvil v1.06\r\nMD5: 65ff37973426c09b9ff95f354e62959e\r\nSHA1: b53bc09cfbd292af7b3609734a99d101bd24d77e\r\nSHA256: 0e37d9d0a7441a98119eb1361a0605042c4db0e8369b54ba26e6ba08d9b62f1e\r\n* Updated string decoding function to break existing yara rules. Likely the result of the blog posted by us.\r\n* Modified handling of network file encryption. Now explicitly passes every possible \"Scope\" constant to the WNetOpenEnum function when looking for files to encrypt. 
It also changed the \"Resource Type\" from RESOURCETYPE_DISK to RESOURCETYPE_ANY, which will now include things like mapped printers.\r\n* Persistence registry value changed from 'lNOWZyAWVv' to 'sNpEShi30R'\r\n* Changes registry key values from --\u003e to:\r\n* tgE --\u003e 73g\r\n* 8K09 --\u003e vTGj\r\n* xMtNc --\u003e Q7PZe\r\n* CTgE4a --\u003e BuCrIp\r\n* oE5bZg0 --\u003e lcZd7OY\r\n* DC408Qp4 --\u003e sLF86MWC\r\n------------------------------------\r\nREvil v1.07\r\nMD5: ea4cae3d6d8150215a4d90593a4c30f2\r\nSHA1: 8dcbcbefaedf5675b170af3fd44db93ad864894e\r\nSHA256: 6a2bd52a5d68a7250d1de481dcce91a32f54824c1c540f0a040d05f757220cd3\r\nTBD\r\n2024-06-05 ⋅ S-RM ⋅ David Broom, Gavin Hull\r\nExmatter malware levels up: S-RM observes new variant with simultaneous remote code execution and data\r\ntargeting\r\nBlackCat BlackMatter Conti ExMatter LockBit REvil Ryuk 2023-04-18 ⋅ Mandiant ⋅ Mandiant\r\nM-Trends 2023\r\nQUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive\r\nINDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC\r\nWhisperGate 2023-02-02 ⋅ cocomelonc ⋅ cocomelonc\r\nMalware analysis: part 7. Yara rule example for CRC32. 
CRC32 in REvil ransomware\r\nREvil 2023-01-30 ⋅ Checkpoint ⋅ Arie Olshtein\r\nFollowing the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware\r\nAgent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer\r\n(PWS) Maze NetWire RC Remcos REvil TrickBot 2022-08-22 ⋅ Microsoft ⋅ Microsoft\r\nExtortion Economics - Ransomware’s new business model\r\nBlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive Mount\r\nLocker Nokoyawa Ransomware REvil Ryuk 2022-07-27 ⋅ Trend Micro ⋅ Buddy Tancio, Jed Valderama\r\nGootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike\r\nCobalt Strike GootKit Kronos REvil SunCrypt 2022-06-13 ⋅ SecurityScorecard ⋅ Vlad Pasca\r\nA Detailed Analysis Of The Last Version Of REvil Ransomware (Download PDF)\r\nREvil 2022-05-09 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam\r\nREvil Development Adds Confidence About GOLD SOUTHFIELD Reemergence\r\nREvil 2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)\r\nRansomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself\r\nAnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon\r\nATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi\r\nHelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker\r\nPhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT 2022-05-01 ⋅\r\nBleeping Computer ⋅ Lawrence Abrams\r\nREvil ransomware returns: New malware sample confirms gang is back\r\nREvil 2022-05-01 ⋅ Github (k-vitali) ⋅ Vitali Kremez\r\nREvil Reborn Ransom Config\r\nREvil 2022-04-20 ⋅ Bleeping Computer ⋅ Ionut Ilascu\r\nREvil's TOR sites come alive to 
redirect to new ransomware operation\r\nREvil 2022-04-12 ⋅ ConnectWise ⋅ ConnectWise CRU\r\nThreat Profile: REvil\r\nREvil 2022-04-04 ⋅ Bankinfo Security ⋅ Jeremy Kirk\r\nThe Ransomware Files, Episode 6: Kaseya and REvil\r\nREvil 2022-03-24 ⋅ United States Senate ⋅ U.S. Senate Committee on Homeland Security \u0026 Governmental Affairs\r\nAmerica's Data Held Hostage: Case Studies in Ransomware Attacks on American Companies\r\nREvil 2022-03-24 ⋅ United States Senate ⋅ U.S. Senate Committee on Homeland Security \u0026 Governmental Affairs\r\nNew Portman Report Demonstrates Threat Ransomware Presents to the United States\r\nREvil 2022-03-23 ⋅ splunk ⋅ Shannon Davis\r\nGone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed\r\nAvaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk 2022-03-17 ⋅ Sophos ⋅ Tilly\r\nTravers\r\nThe Ransomware Threat Intelligence Center\r\nATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry\r\nDharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker\r\nRagnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker 2022-03-17 ⋅ Trend Micro ⋅ Trend\r\nMicro Research\r\nNavigating New Frontiers Trend Micro 2021 Annual Cybersecurity Report\r\nREvil BazarBackdoor Buer IcedID QakBot REvil 2022-03-16 ⋅ Red Canary ⋅ Brian Donohue, Laura Brosnan\r\nUncompromised: When REvil comes knocking\r\nREvil 2022-03-09 ⋅ Department of Justice ⋅ Office of Public Affairs\r\nSodinokibi/REvil Ransomware Defendant Extradited to United States and Arraigned in Texas\r\nREvil 2022-02-23 ⋅ splunk ⋅ Shannon Davis, SURGe\r\nAn Empirically Comparative Analysis of Ransomware Binaries\r\nAvaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk 2022-02-14 ⋅ Darktrace ⋅ Oakley\r\nCox\r\nStaying ahead of REvil’s Ransomware-as-a-Service business 
model\r\nREvil REvil 2022-01-27 ⋅ ANALYST1 ⋅ Jon DiMaggio\r\nA History of Revil\r\nREvil REvil 2022-01-19 ⋅ Blackberry ⋅ The BlackBerry Research \u0026 Intelligence Team\r\nKraken the Code on Prometheus\r\nPrometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk 2022-01-14 ⋅\r\nAdvanced Intelligence ⋅ Yelisey Boguslavskiy\r\nStorm in \"Safe Haven\": Takeaways from Russian Authorities Takedown of REvil\r\nREvil REvil 2022-01-14 ⋅ FSB ⋅ FSB\r\nUnlawful Activities of Members of an Organized Criminal Community were suppressed\r\nREvil REvil 2021-12-20 ⋅ Trend Micro ⋅ Trend Micro Research\r\nRansomware Spotlight: REvil\r\nREvil REvil 2021-11-17 ⋅ BBC ⋅ Joe Tidy\r\nEvil Corp: 'My hunt for the world's most wanted hackers'\r\nREvil REvil 2021-11-16 ⋅ Trend Micro ⋅ Trend Micro\r\nGlobal Operations Lead to Arrests of Alleged Members of GandCrab/REvil and Cl0p Cartels\r\nREvil Clop Gandcrab REvil 2021-11-16 ⋅ IronNet ⋅ IronNet Threat Research, Joey Fitzpatrick, Morgan Demboski, Peter Rydzynski\r\nHow IronNet's Behavioral Analytics Detect REvil and Conti Ransomware\r\nCobalt Strike Conti IcedID REvil 2021-11-10 ⋅ Blackberry ⋅ Codi Starks, Ryan Chapman\r\nREvil Under the Microscope\r\nGootKit REvil 2021-11-10 ⋅ ⋅ RT on the Russian ⋅ Aleksey Polyakov, Alena Goinskaya, Ekaterina Suslova, Elizaveta Koroleva\r\n\"He does not get in touch\": what is known about Barnaul, wanted by the FBI on charges of cybercrime\r\nREvil REvil 2021-11-08 ⋅ Europol ⋅ Europol\r\nFive Affiliates to Sodinokibi/REvil Unplugged\r\nREvil 2021-11-08 ⋅ ⋅ DIICOT (Romanian Directorate for Investigating Organized Crime and Terrorism) ⋅ DIICOT (Romanian\r\nDirectorate for Investigating Organized Crime and Terrorism)\r\nPress release 2 08.11.2021\r\nREvil REvil 2021-11-08 ⋅ U.S. Department of the Treasury ⋅ U.S. 
Department of the Treasury\r\nTreasury Continues to Counter Ransomware as Part of Whole-of-Government Effort; Sanctions Ransomware\r\nOperators and Virtual Currency Exchange (Yaroslav Vasinskyi \u0026 Yevgeniy Polyanin)\r\nREvil REvil 2021-11-08 ⋅ U.S. Department of the Treasury ⋅ U.S. Department of the Treasury\r\nAdvisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments\r\nREvil REvil 2021-11-08 ⋅ Department of Justice ⋅ Department of Justice\r\nIndictment of Yevgeniy Polyanin, one off the REvil affliates\r\nREvil REvil 2021-11-08 ⋅ Department of Justice ⋅ Department of Justice\r\nUkrainian Arrested and Charged with Ransomware Attack on Kaseya\r\nREvil REvil 2021-11-08 ⋅ FBI ⋅ FBI\r\nWANTED poster for Yevhgyeniy Polyanin (REvil affiliate)\r\nREvil REvil 2021-11-08 ⋅ The Record ⋅ Catalin Cimpanu\r\nUS arrests and charges Ukrainian man for Kaseya ransomware attack\r\nREvil REvil 2021-11-08 ⋅ KrebsOnSecurity ⋅ Brian Krebs\r\nREvil Ransom Arrest, $6M Seizure, and $10M Reward\r\nREvil REvil 2021-11-08 ⋅ Department of Justice ⋅ Department of Justice\r\nIndictment of Yaroslav Vasinskyi (REvil affiliate)\r\nREvil REvil 2021-11-03 ⋅ CERT-FR ⋅ ANSSI\r\nIdentification of a new cybercriminal group: Lockean\r\nDoppelPaymer Egregor Maze PwndLocker REvil 2021-10-28 ⋅ ⋅ BR.DE ⋅ Hakan Tanriverdi, Maximilian Zierer\r\nMutmaßlicher Ransomware-Millionär identifiziert\r\nREvil REvil 2021-10-26 ⋅ ANSSI\r\nIdentification of a new cyber criminal group: Lockean\r\nCobalt Strike DoppelPaymer Egregor Maze PwndLocker QakBot REvil 2021-10-25 ⋅ KELA ⋅ Victoria Kivilevich\r\nWill the REvil Story Finally be Over?\r\nREvil REvil 2021-10-22 ⋅ Reuters ⋅ Christopher Bing, Joseph Menn\r\nEXCLUSIVE Governments turn tables on ransomware gang REvil by pushing it offline\r\nREvil REvil 2021-10-22 ⋅ Darkowl ⋅ Darkowl\r\n“Page Not Found”: REvil Darknet Services Offline After Attack Last 
Weekend\r\nREvil REvil 2021-10-22 ⋅ HUNT \u0026 HACKETT ⋅ Krijn de Mik\r\nAdvanced IP Scanner: the preferred scanner in the A(P)T toolbox\r\nConti DarkSide Dharma Egregor Hades REvil Ryuk 2021-10-18 ⋅ Flashpoint ⋅ Flashpoint\r\nREvil Disappears Again: ‘Something Is Rotten in the State of Ransomware’\r\nREvil REvil 2021-10-17 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nREvil ransomware shuts down again after Tor sites were hijacked\r\nREvil REvil 2021-10-12 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team\r\nECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity\r\nBabuk BlackMatter DarkSide REvil Avaddon Babuk BlackMatter DarkSide LockBit Mailto REvil 2021-10-11 ⋅\r\nAccenture ⋅ Accenture Cyber Threat Intelligence\r\nMoving Left of the Ransomware Boom\r\nREvil Cobalt Strike MimiKatz RagnarLocker REvil 2021-10-05 ⋅ Trend Micro ⋅ Byron Gelera, Fyodor Yarochkin, Janus\r\nAgcaoili, Nikko Tamana\r\nRansomware as a Service: Enabler of Widespread Attacks\r\nCerber Conti DarkSide Gandcrab Locky Nefilim REvil Ryuk 2021-09-29 ⋅ Flashpoint ⋅ Flashpoint\r\nRussian hacker Q\u0026A: An Interview With REvil-Affiliated Ransomware Contractor\r\nREvil REvil 2021-09-28 ⋅ Flashpoint ⋅ Flashpoint\r\nREvil’s “Cryptobackdoor” Con: Ransomware Group’s Tactics Roil Affiliates, Sparking a Fallout\r\nREvil 2021-09-23 ⋅ Bleeping Computer ⋅ Ionut Ilascu\r\nREVil ransomware devs added a backdoor to cheat affiliates\r\nREvil 2021-09-22 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam\r\nREvil Ransomware Reemerges After Shutdown; Universal Decryptor Released\r\nREvil REvil 2021-09-21 ⋅ Washington Post ⋅ Ellen Nakashima, Rachel Lerman\r\nFBI held back ransomware decryption key from businesses to run operation targeting hackers\r\nREvil 2021-09-14 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team\r\nBig Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack\r\nBlackMatter DarkSide REvil Avaddon 
BlackMatter Clop Conti CryptoLocker DarkSide DoppelPaymer Hades\r\nREvil 2021-09-07 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nREvil ransomware's servers mysteriously come back online\r\nREvil 2021-09-03 ⋅ IBM ⋅ Andrew Gorecki, Camille Singleton, John Dwyer\r\nDissecting Sodinokibi Ransomware Attacks: Bringing Incident Response and Intelligence Together in the Fight\r\nValak QakBot REvil 2021-08-30 ⋅ CrowdStrike ⋅ Eric Loui, Josh Reynolds\r\nCARBON SPIDER Embraces Big Game Hunting, Part 1\r\nBateleur Griffon Carbanak DarkSide JSSLoader PILLOWMINT REvil 2021-08-25 ⋅ GoggleHeadedHacker Blog ⋅ Jacob\r\nPimental\r\nReverse Engineering Crypto Functions: RC4 and Salsa20\r\nREvil 2021-08-20 ⋅ ⋅ TEAMT5 ⋅ TeamT5\r\nSee REvil again?! See how hackers use the same encryption ransomware program REvil to annihilate the attack\r\nevidence\r\nREvil 2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team\r\nThe Ransomware Threat\r\nBabuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike\r\nConti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex\r\nMimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker 2021-08-11 ⋅ BleepingComputer ⋅ Lawrence\r\nAbrams\r\nKaseya's universal REvil decryption key leaked on a hacking forum\r\nREvil 2021-08-10 ⋅ Flashpoint ⋅ Flashpoint\r\nREvil Master Key for Kaseya Attack Posted to XSS\r\nREvil 2021-08-05 ⋅ KrebsOnSecurity ⋅ Brian Krebs\r\nRansomware Gangs and the Name Game Distraction\r\nDarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze\r\nRansomEXX REvil Ryuk Sekhmet 2021-08-04 ⋅ Trend Micro ⋅ Janus Agcaoili, Jessie Prevost, Joelson Soares, Ryan Maglaque\r\nSupply Chain Attacks from a Managed Detection and Response Perspective\r\nREvil 2021-08-02 ⋅ The Record ⋅ Dmitry Smilyanets\r\nAn interview with BlackMatter: A new ransomware group that’s learning from the mistakes of DarkSide and\r\nREvil\r\nDarkSide LockBit REvil 2021-07-31 ⋅ 
Bleeping Computer ⋅ Lawrence Abrams\r\nBlackMatter ransomware gang rises from the ashes of DarkSide, REvil\r\nDarkSide REvil 2021-07-28 ⋅ Digital Shadows ⋅ Photon Research Team\r\nREvil: Analysis of Competing Hypotheses\r\nREvil REvil 2021-07-27 ⋅ Recorded Future ⋅ Insikt Group®\r\nBlackMatter Ransomware Emerges As Successor to DarkSide, REvil\r\nDarkSide LockBit REvil 2021-07-27 ⋅ Youtube (SANS Institute) ⋅ John Hammond, Katie Nickels\r\nSANS Threat Analysis Rundown - Kaseya VSA attack\r\nREvil 2021-07-27 ⋅ Flashpoint ⋅ Flashpoint\r\nChatter Indicates BlackMatter as REvil Successor\r\nREvil 2021-07-27 ⋅ Twitter (@fwosar) ⋅ Fabian Wosar\r\nTweet on new REvil variant\r\nREvil 2021-07-25 ⋅ Youtube (AhmedS Kasmani) ⋅ AhmedS Kasmani\r\nAnalysis of Malware from Kaseya/Revil Supply Chain attack.\r\nREvil 2021-07-22 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nKaseya obtains universal decryptor for REvil ransomware victims\r\nREvil 2021-07-20 ⋅ Huntress Labs ⋅ John Hammond\r\nSecurity Researchers’ Hunt to Discover Origins of the Kaseya VSA Mass Ransomware Incident\r\nREvil 2021-07-19 ⋅ Elliptic ⋅ Elliptic\r\nREvil Revealed - Tracking a Ransomware Negotiation and Payment\r\nREvil REvil 2021-07-15 ⋅ YouTube ( DuMp-GuY TrIcKsTeR) ⋅ Jiří Vinopal\r\nFast API resolving of REvil Ransomware related to Kaseya attack\r\nREvil 2021-07-14 ⋅ Advanced Intelligence ⋅ AdvIntel Security \u0026 Development Team, Yelisey Boguslavskiy\r\nREvil Vanishes From Underground - Infrastructure Down\r\nREvil 2021-07-13 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nREvil ransomware gang's web sites mysteriously shut down\r\nREvil 2021-07-13 ⋅ Threat Post ⋅ Lisa Vaas\r\nRansomware Giant REvil’s Sites Disappear\r\nREvil REvil 2021-07-09 ⋅ The Record ⋅ Catalin Cimpanu\r\nRansomwhere project wants to create a database of past ransomware payments\r\nEgregor Mailto Maze REvil 2021-07-09 ⋅ Twitter (@SophosLabs) ⋅ SophosLabs\r\nTweet on 
speed at which Kaseya REvil attack was conducted\r\nREvil 2021-07-09 ⋅ cyjax ⋅ william thomas\r\nREvil-ution – A Persistent Ransomware Operation\r\nREvil 2021-07-08 ⋅ Gigamon ⋅ Joe Slowik\r\nObservations and Recommendations from the Ongoing REvil-Kaseya Incident\r\nREvil 2021-07-08 ⋅ KELA ⋅ Victoria Kivilevich\r\nRansomware Gangs are Starting to Look Like Ocean’s 11\r\nREvil 2021-07-08 ⋅ Sekoia ⋅ sekoia\r\nKaseya: Another Massive Heist by REvil\r\nREvil 2021-07-07 ⋅ Trustwave ⋅ Nikita Kazymirskyi, Rodel Mendrez\r\nDiving Deeper Into the Kaseya VSA Attack: REvil Returns and Other Hackers Are Riding Their Coattails\r\nCobalt Strike REvil 2021-07-07 ⋅ Elastic ⋅ Jamie Butler\r\nElastic Security prevents 100% of REvil ransomware samples\r\nREvil 2021-07-07 ⋅ CrowdStrike ⋅ Karan Sood, Liviu Arsene\r\nHow CrowdStrike Falcon Stops REvil Ransomware Used in the Kaseya Attack\r\nREvil 2021-07-07 ⋅ Netskope ⋅ Gustavo Palazolo\r\nNetskope Threat Coverage: REvil\r\nREvil 2021-07-07 ⋅ Twitter (@resecurity_com) ⋅ Resecurity\r\nTweet REvil attack chain used against Kaseya\r\nREvil 2021-07-06 ⋅ paloalto Networks Unit 42 ⋅ John Martineau\r\nUnderstanding REvil: The Ransomware Gang Behind the Kaseya Attack\r\nGandcrab REvil 2021-07-06 ⋅ Cybereason ⋅ Tom Fakterman\r\nCybereason vs. 
REvil Ransomware: The Kaseya Chronicles\r\nREvil 2021-07-06 ⋅ CrowdStrike ⋅ Adam Meyers\r\nThe Evolution of PINCHY SPIDER from GandCrab to REvil\r\nGandcrab REvil 2021-07-06 ⋅ TRUESEC ⋅ Alexander Andersson\r\nHow the Kaseya VSA Zero Day Exploit Worked\r\nREvil 2021-07-06 ⋅ splunk ⋅ Splunk Threat Research Team\r\nREvil Ransomware Threat Research Update and Detections\r\nREvil 2021-07-06 ⋅ Twitter (@_alex_il_) ⋅ Alex Ilgayev\r\nTweet on REvil ransomware actor using vulnerable defender executable in its infection flow in early may before\r\nKaseya attack\r\nREvil 2021-07-06 ⋅ Zscaler ⋅ Zscaler\r\nKaseya Supply Chain Ransomware Attack - Technical Analysis of the REvil Payload\r\nREvil 2021-07-05 ⋅ Kaspersky ⋅ Kaspersky\r\nREvil ransomware attack against MSPs and its clients around the world\r\nREvil 2021-07-05 ⋅ ⋅ S2W LAB Inc. ⋅ S2W LAB INTELLIGENCE TEAM\r\nKaseya supply chain attack delivers mass ransomware\r\nREvil 2021-07-05 ⋅ Morphisec ⋅ Morphisec\r\nReal-Time Prevention of the Kaseya VSA Supply Chain REvil Ransomware Attack\r\nREvil 2021-07-05 ⋅ splunk ⋅ Ryan Kovar\r\nKaseya, Sera. 
What REvil Shall Encrypt, Shall Encrypt\r\nREvil 2021-07-05 ⋅ Twitter (@SophosLabs) ⋅ SophosLabs\r\nTweet with a REvil ransomware execution demo\r\nREvil 2021-07-05 ⋅ Twitter (@R3MRUM) ⋅ R3MRUM\r\nTwitter thread with additional context on C2 domains found in REvil configuration\r\nREvil 2021-07-04 ⋅ CISA ⋅ US-CERT\r\nCISA-FBI Guidance for MSPs and their Customers Affected by the Kaseya VSA Supply-Chain Ransomware\r\nAttack\r\nREvil REvil 2021-07-04 ⋅ TRUESEC ⋅ Fabio Viggiani\r\nKaseya supply chain attack targeting MSPs to deliver REvil ransomware\r\nREvil 2021-07-04 ⋅ Twitter (@svch0st) ⋅ Zach\r\nTweet on #Kaseya detection tool for detecting REvil\r\nREvil 2021-07-04 ⋅ Sophos ⋅ Anand Ajjan, Mark Loman, Sean Gallagher\r\nIndependence Day: REvil uses supply chain exploit to attack hundreds of businesses\r\nREvil 2021-07-03 ⋅ Kaseya ⋅ Kaseya\r\nKaseya VSA Detection Tool\r\nREvil 2021-07-03 ⋅ Cybleinc ⋅ cybleinc\r\nUncensored Interview with REvil / Sodinokibi Ransomware Operators\r\nREvil REvil 2021-07-03 ⋅ Kaseya ⋅ Kaseya\r\nUpdates Regarding VSA Security Incident\r\nREvil 2021-07-03 ⋅ Symantec ⋅ Threat Hunter Team\r\nKaseya Ransomware Supply Chain Attack: What You Need To Know\r\nREvil 2021-07-03 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42\r\nThreat Brief: Kaseya VSA Ransomware Attack\r\nREvil 2021-07-03 ⋅ Twitter (@LloydLabs) ⋅ Lloyd\r\nTwitter Thread on Revil sideloading DLL used in Kaseya attack\r\nREvil 2021-07-03 ⋅ Medium Doublepulsar ⋅ Kevin Beaumont\r\nKaseya supply chain attack delivers mass ransomware event to US companies\r\nREvil 2021-07-03 ⋅ Twitter (@fwosar) ⋅ Fabian Wosar\r\nTwitter thread on REvil's cryptographic scheme\r\nREvil 2021-07-02 ⋅ The Record ⋅ Catalin Cimpanu\r\nREvil ransomware gang executes supply chain attack via malicious Kaseya update\r\nREvil 2021-07-02 ⋅ Twitter (@SyscallE) ⋅ SeAccessCheck\r\nTweet on Revil dropper used in Kaseya attack\r\nREvil 2021-07-02 ⋅ 
Github (fwosar) ⋅ Fabian Wosar\r\nREvil configuration dump used in Kaseya attack\r\nREvil 2021-07-02 ⋅ Twitter (@VK_intel) ⋅ Vitali Kremez\r\nTweet on Revil ransomware analysis used in Kaseya attack\r\nREvil 2021-07-02 ⋅ Huntress Labs ⋅ Huntress Labs\r\nCrticial Ransomware Incident in Progress\r\nREvil 2021-07-02 ⋅ ⋅ Velzart ⋅ Niels den Hild\r\nRansomware attack\r\nREvil 2021-07-02 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nREvil ransomware hits 1,000+ companies in MSP supply-chain attack\r\nREvil 2021-07-01 ⋅ AT\u0026T Cybersecurity ⋅ Fernando Martinez, Ofer Caspi\r\nREvil’s new Linux version\r\nREvil REvil 2021-07-01 ⋅ DomainTools ⋅ Chad Anderson\r\nThe Most Prolific Ransomware Families: A Defenders Guide\r\nREvil Conti Egregor Maze REvil 2021-06-30 ⋅ Advanced Intelligence ⋅ AdvIntel Security \u0026 Development Team, Brandon\r\nRudisel, Yelisey Boguslavskiy\r\nRansomware-\u0026-CVE: Industry Insights Into Exclusive High-Value Target Adversarial Datasets\r\nBlackKingdom Ransomware Clop dearcry Hades REvil 2021-06-30 ⋅ Sophos ⋅ Tilly Travers\r\nMTR in Real Time: Hand-to-hand combat with REvil ransomware chasing a $2.5 million pay day\r\nREvil 2021-06-30 ⋅ Group-IB ⋅ Oleg Skulkin\r\nREvil Twins Deep Dive into Prolific RaaS Affiliates' TTPs\r\nCobalt Strike REvil 2021-06-30 ⋅ Sophos SecOps ⋅ Tilly Travers\r\nWhat to expect when you’ve been hit with REvil ransomware\r\nREvil 2021-06-28 ⋅ Twitter (@AdamTheAnalyst) ⋅ AdamTheAnalyst\r\nTweet on suspected REvil exfiltration (over RClone FTP) server\r\nREvil REvil 2021-06-23 ⋅ ⋅ Medium s2wlab ⋅ Sojun Ryu\r\nDeep analysis of REvil Ransomware\r\nREvil 2021-06-22 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam\r\nLV Ransomware\r\nREvil 2021-06-16 ⋅ Proofpoint ⋅ Daniel Blackford, Garrett M. 
Graff, Selena Larson\r\nThe First Step: Initial Access Leads to Ransomware\r\nBazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker TA570 TA575 TA577 2021-06-15 ⋅ Trend Micro ⋅ Byron Gelera, Earle Earnshaw, Janus Agcaoili, Miguel Ang, Nikko Tamana\r\nRansomware Double Extortion and Beyond: REvil, Clop, and Conti\r\nClop Conti REvil 2021-06-11 ⋅ SophosLabs Uncut ⋅ Anand Ajjan, Andrew Brandt, Hajnalka Kope, Mark Loman, Peter Mackenzie\r\nRelentless REvil, revealed: RaaS as variable as the criminals who use it\r\nREvil 2021-06-10 ⋅ HUNT \u0026 HACKETT ⋅ Krijn de Mik\r\nREvil: the usage of legitimate remote admin tooling\r\nREvil 2021-06-09 ⋅ Palo Alto Networks Unit 42 ⋅ Doel Santos\r\nPrometheus Ransomware Gang: A Group of REvil?\r\nHakbit Prometheus REvil 2021-06-08 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy\r\nFrom QBot...with REvil Ransomware: Initial Attack Exposure of JBS\r\nQakBot REvil 2021-06-02 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nFBI: REvil cybergang behind the JBS ransomware attack\r\nREvil 2021-06-02 ⋅ TEAMT5 ⋅ TeamT5\r\nIntroducing The Most Profitable Ransomware REvil\r\nGandcrab REvil 2021-06-02 ⋅ CrowdStrike ⋅ Heather Smith, Josh Dalman\r\nUnder Attack: Protecting Against Conti, DarkSide, REvil and Other Ransomware\r\nDarkSide Conti DarkSide REvil 2021-05-28 ⋅ Twitter (@Jacob_Pimental) ⋅ Jacob Pimental\r\nTweet on REvil ver 2.07\r\nREvil 2021-05-25 ⋅ Medium s2wlab ⋅ Denise Dasom Kim, Hyunmin Suh, Jungyeon Lim\r\nW4 May | EN | Story of the week: Ransomware on the Darkweb\r\nBabuk REvil 2021-05-20 ⋅ Digital Shadows ⋅ Stefano De Blasi\r\nRansomware-as-a-Service, Rogue Affiliates, and What’s Next\r\nDarkSide DarkSide REvil 2021-05-20 ⋅ CrowdStrike ⋅ joshua fraser\r\nResponse When Minutes Matter: When Good Tools Are Used for (R)Evil\r\nREvil 2021-05-18 ⋅ The Record ⋅ Catalin Cimpanu\r\nDarkside gang estimated to have made over $90 
million from ransomware attacks\r\nDarkSide DarkSide Mailto Maze REvil Ryuk 2021-05-18 ⋅ Bleeping Computer ⋅ Ionut Ilascu\r\nDarkSide ransomware made $90 million in just nine months\r\nDarkSide DarkSide Egregor Gandcrab Mailto Maze REvil Ryuk 2021-05-14 ⋅ The Record ⋅ Catalin Cimpanu\r\nDarkside ransomware gang says it lost control of its servers \u0026 money a day after Biden threat\r\nDarkSide Avaddon REvil 2021-05-13 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nPopular Russian hacking forum XSS bans all ransomware topics\r\nDarkSide DarkSide LockBit REvil 2021-05-12 ⋅ Kaspersky ⋅ Dmitry Galov, Ivan Kwiatkowski, Leonid Bezvershenko\r\nRansomware world in 2021: who, how and why\r\nBabuk REvil 2021-05-11 ⋅ Flashpoint ⋅ Flashpoint\r\nDarkSide Ransomware Links to REvil Group Difficult to Dismiss\r\nDarkSide REvil 2021-05-10 ⋅ DarkTracer ⋅ DarkTracer\r\nIntelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware\r\ngangs released on the DarkWeb\r\nRansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze\r\nMedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok\r\nRansomEXX REvil Sekhmet SunCrypt ThunderX 2021-05-08 ⋅ Twitter (@Jacob_Pimental) ⋅ Jacob Pimental\r\nTweet on CyberChef recipe to extract Revil Ransomware configuration\r\nREvil 2021-05-06 ⋅ Blackberry ⋅ BlackBerry Research and Intelligence team\r\nThreat Thursday: Dr. 
REvil Ransomware Strikes Again, Employs Double Extortion Tactics\r\nREvil 2021-05-06 ⋅ Cyborg Security ⋅ Brandon Denker\r\nRansomware: Hunting for Inhibiting System Backup or Recovery\r\nAvaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX\r\nREvil Ryuk Snatch ThunderX 2021-05-02 ⋅ GoggleHeadedHacker Blog ⋅ Jacob Pimental\r\nSodinokibi Ransomware Analysis\r\nREvil 2021-04-28 ⋅ IBM ⋅ Limor Kessem\r\nThe Sodinokibi Chronicles: A (R)Evil Cybercrime Gang Disrupts Organizations for Trade Secrets and Cash\r\nREvil 2021-04-26 ⋅ CoveWare ⋅ CoveWare\r\nRansomware Attack Vectors Shift as New Software Vulnerability Exploits Abound\r\nAvaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt 2021-04-25 ⋅ Vulnerability.ch\r\nBlog ⋅ Corsin Camichel\r\nRansomware and Data Leak Site Publication Time Analysis\r\nAvaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil 2021-04-23 ⋅ CNBC ⋅ Eamon Javers\r\nAxis of REvil: What we know about the hacker collective taunting Apple\r\nREvil 2021-04-20 ⋅ Bleeping Computer ⋅ Sergiu Gatlan\r\nREvil gang tries to extort Apple, threatens to sell stolen blueprints\r\nREvil 2021-03-29 ⋅ The DFIR Report ⋅ The DFIR Report\r\nSodinokibi (aka REvil) Ransomware\r\nCobalt Strike IcedID REvil 2021-03-24 ⋅ Cisco ⋅ Caitlin Huey, David Liebenberg\r\nQuarterly Report: Incident Response trends from Winter 2020-21\r\nEgregor REvil WastedLocker 2021-03-24 ⋅ Twitter (@VK_intel) ⋅ Vitali Kremez\r\nTweet on REvil ransomware\r\nREvil 2021-03-19 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nREvil ransomware has a new ‘Windows Safe Mode’ encryption mode\r\nREvil 2021-03-17 ⋅ Palo Alto Networks Unit 42 ⋅ Unit42\r\nRansomware Threat Report 2021\r\nRansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker\r\n2021-03-16 ⋅ The Record ⋅ Dmitry Smilyanets\r\n‘I scrounged through the trash heaps… now I’m a millionaire:’ An interview with REvil’s Unknown\r\nREvil 2021-03-11 
⋅ Flashpoint ⋅ Flashpoint\r\nCL0P and REvil Escalate Their Ransomware Tactics\r\nClop REvil 2021-03-01 ⋅ Techtarget ⋅ Rob Wright\r\nRansomware negotiations: An inside look at the process\r\nREvil 2021-03-01 ⋅ Group-IB ⋅ Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev\r\nRansomware Uncovered 2020/2021\r\nRansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot\r\nRansomEXX REvil Ryuk SDBbot TrickBot Zloader 2021-02-28 ⋅ PWC UK ⋅ PWC UK\r\nCyber Threats 2020: A Year in Retrospect\r\nelf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot\r\nBazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx\r\nFunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk\r\nStoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess\r\nWinnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception\r\nFramework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team 2021-02-26 ⋅ CrowdStrike ⋅ Eric Loui,\r\nSergei Frankoff\r\nHypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to\r\nMaximize Impact\r\nDarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil\r\n2021-02-24 ⋅ IBM ⋅ IBM SECURITY X-FORCE\r\nX-Force Threat Intelligence Index 2021\r\nEmotet QakBot Ramnit REvil TrickBot 2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike\r\n2021 Global Threat Report\r\nRansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide\r\nDoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker\r\nMespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT\r\nRagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake 
SUNBURST\r\nSunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER\r\nSOLAR SPIDER VIKING SPIDER 2021-02-11 ⋅ CTI LEAGUE ⋅ CTI LEAGUE\r\nCTIL Darknet Report – 2021\r\nConti Mailto Maze REvil Ryuk 2021-02-02 ⋅ ⋅ CRONUP ⋅ Germán Fernández\r\nDe ataque con Malware a incidente de Ransomware\r\nAvaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire\r\nDownloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX\r\nREvil Ryuk SDBbot SmokeLoader TrickBot Zloader 2021-02-01 ⋅ AhnLab ⋅ ASEC Analysis Team\r\nBlueCrab ransomware, CobaltStrike hacking tool installed in corporate environment\r\nCobalt Strike REvil 2021-01-28 ⋅ ⋅ AhnLab ⋅ ASEC Analysis Team\r\nBlueCrab ransomware constantly trying to bypass detection\r\nCobalt Strike REvil 2021-01-26 ⋅ Trend Micro ⋅ Trend Micro Research\r\nExamining a Sodinokibi Attack\r\nREvil 2021-01-21 ⋅ InfoSec Handlers Diary Blog ⋅ Xavier Mertens\r\nPowershell Dropping a REvil Ransomware\r\nREvil 2021-01-04 ⋅ KELA ⋅ Almog Zoosman, Victoria Kivilevich\r\nDarknet Threat Actors Are Not Playing Games with the Gaming Industry\r\nREvil 2021-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nThreat Profile: GOLD SOUTHFIELD\r\nREvil GOLD SOUTHFIELD 2021-01-01 ⋅ Acronis ⋅ Alexander Koshelev, Ravikant Tiwari\r\nTaking Deep Dive into Sodinokibi Ransomware\r\nREvil 2020-12-16 ⋅ Accenture ⋅ Paul Mansfield\r\nTracking and combatting an evolving danger: Ransomware extortion\r\nDarkSide Egregor Maze Nefilim RagnarLocker REvil Ryuk SunCrypt 2020-12-16 ⋅ Dragos ⋅ Camille Singleton, IBM\r\nSECURITY X-FORCE, Selena Larson\r\nAssessing Ransomware and Extortion Activities Impacting Industrial Organizations: Ransomware in ICS\r\nEnvironments\r\nREvil 2020-12-10 ⋅ US-CERT ⋅ FBI, MS-ISAC, US-CERT\r\nAlert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions 
and Steal Data\r\nPerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim\r\nREvil Ryuk Zeus 2020-12-09 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall\r\nIt's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)\r\nCobalt Strike DoppelPaymer QakBot REvil 2020-12-03 ⋅ KELA ⋅ Victoria Kivilevich\r\nEasy Way In? 5 Ransomware Victims Had Their Pulse Secure VPN Credentials Leaked\r\nREvil 2020-12-01 ⋅ Trend Micro ⋅ Ryan Flores\r\nThe Impact of Modern Ransomware on Manufacturing Networks\r\nMaze Petya REvil 2020-11-30 ⋅ Malwarebytes ⋅ hasherezade, Jérôme Segura\r\nGerman users targeted with Gootkit banker or REvil ransomware\r\nGootKit REvil 2020-11-30 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall\r\nIt's not FINished The Evolving Maturity in Ransomware Operations\r\nCobalt Strike DoppelPaymer MimiKatz QakBot REvil 2020-11-18 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nREvil ransomware hits Managed.com hosting provider, 500K ransom\r\nREvil 2020-11-18 ⋅ KELA ⋅ Victoria Kivilevich\r\nZooming into Darknet Threats Targeting Japanese Organizations\r\nConti DoppelPaymer Egregor LockBit Maze REvil Snake 2020-11-16 ⋅ Intel 471 ⋅ Intel 471\r\nRansomware-as-a-service: The pandemic within a pandemic\r\nAvaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk\r\nSunCrypt ThunderX 2020-11-10 ⋅ AP News ⋅ Ashish Gahlot\r\nThreat Hunting for REvil Ransomware\r\nREvil 2020-11-04 ⋅ ZDNet ⋅ Catalin Cimpanu\r\nREvil ransomware gang 'acquires' KPOT malware\r\nKPOT Stealer REvil 2020-10-29 ⋅ Bleeping Computer ⋅ Ionut Ilascu\r\nREvil ransomware gang claims over $100 million profit in a year\r\nREvil 2020-10-28 ⋅ Intel 471 ⋅ Intel 471\r\nAlleged REvil member spills details on group’s ransomware operations\r\nREvil 2020-10-26 ⋅ Checkpoint ⋅ Eyal Itkin, Itay Cohen\r\nExploit Developer Spotlight: The Story of PlayBit\r\nDyre Maze PyLocky Ramnit REvil 2020-10-23 ⋅ Hornetsecurity ⋅ Hornetsecurity Security 
Lab\r\nLeakware-Ransomware-Hybrid Attacks\r\nAvaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet\r\nSunCrypt 2020-10-20 ⋅ ⋅ Bundesamt für Sicherheit in der Informationstechnik ⋅ BSI\r\nDie Lage der IT-Sicherheit in Deutschland 2020\r\nClop Emotet REvil Ryuk TrickBot 2020-10-06 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team\r\nDouble Trouble: Ransomware with Data Leak Extortion, Part 2\r\nMaze MedusaLocker REvil VIKING SPIDER 2020-10-01 ⋅ KELA ⋅ Victoria Kivilevich\r\nTo Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem\r\nConti DoppelPaymer Mailto Maze REvil Ryuk SunCrypt 2020-09-29 ⋅ Microsoft ⋅ Microsoft\r\nMicrosoft Digital Defense Report\r\nEmotet IcedID Mailto Maze QakBot REvil RobinHood TrickBot 2020-09-29 ⋅ PWC UK ⋅ Andy Auld\r\nWhat's behind the increase in ransomware attacks this year?\r\nDarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk\r\nSMAUG SunCrypt TrickBot WastedLocker 2020-09-25 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team\r\nDouble Trouble: Ransomware with Data Leak Extortion, Part 1\r\nDoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker\r\nMIMIC SPIDER PIZZO SPIDER TA2101 VIKING SPIDER 2020-09-24 ⋅ Kaspersky Labs ⋅ Kaspersky Lab ICS CERT\r\nThreat landscape for industrial automation systems - H1 2020\r\nPoet RAT Mailto Milum RagnarLocker REvil Ryuk Snake 2020-08-25 ⋅ KELA ⋅ Victoria Kivilevich\r\nHow Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing\r\nAvaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil\r\nSekhmet 2020-08-21 ⋅ Vimeo (RiskIQ) ⋅ Josh Burgess, Steve Ginty\r\nThe Evolution of Ransomware \u0026 Pinchy Spider's Shot at the Title\r\nGandcrab REvil 2020-08-21 ⋅ RiskIQ ⋅ Steve Ginty\r\nPinchy Spider: Ransomware Infrastructure 
Connected to Dark Web Marketplace\r\nREvil 2020-08-20 ⋅ DomainTools ⋅ Chad Anderson\r\nRevealing REvil Ransomware With DomainTools and Maltego\r\nREvil 2020-08-20 ⋅ sensecy ⋅ cyberthreatinsider\r\nGlobal Ransomware Attacks in 2020: The Top 4 Vulnerabilities\r\nClop Maze REvil Ryuk 2020-08-01 ⋅ Temple University ⋅ CARE\r\nCritical Infrastructure Ransomware Attacks\r\nCryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor 2020-07-31 ⋅\r\nPRODAFT Threat Intelligence ⋅ PRODAFT\r\nOpBlueRaven: Unveiling Fin7/Carbanak - Part 1 : Tirion\r\nCarbanak REvil FIN7 2020-07-29 ⋅ ESET Research ⋅ welivesecurity\r\nTHREAT REPORT Q2 2020\r\nDEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB\r\nLocker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin\r\nNemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor 2020-07-29 ⋅ AmosSys ⋅\r\nNicolas Guillois\r\nSodinokibi / REvil Malware Analysis\r\nREvil 2020-07-22 ⋅ ⋅ TEHTRIS ⋅ TEHTRIS\r\nPeut-on neutraliser un ransomware lancé en tant que SYSTEM sur des milliers de machines en même temps?\r\nREvil 2020-07-15 ⋅ Advanced Intelligence ⋅ Samantha van de Ven, Yelisey Boguslavskiy\r\nInside REvil Extortionist “Machine”: Predictive Insights\r\nGandcrab REvil 2020-07-10 ⋅ Advanced Intelligence ⋅ Advanced Intelligence\r\nThe Dark Web of Intrigue: How REvil Used the Underground Ecosystem to Form an Extortion Cartel\r\nGandcrab REvil 2020-06-30 ⋅ AppGate ⋅ The Immunity Team\r\nElectric Company Ransomware Attack Calls for $14 Million in Ransom\r\nREvil 2020-06-23 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team\r\nSodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike\r\nCobalt Strike REvil 2020-06-19 ⋅ Panda Security ⋅ Aaron Jornet Sales, Javier Muñoz Alcázar, Jorge Barelles Menes, Pablo 
Cardós\r\nMarqués\r\nSodinokibi Malware report\r\nREvil 2020-06-02 ⋅ ZDNet ⋅ Catalin Cimpanu\r\nREvil ransomware gang launches auction site to sell stolen data\r\nREvil 2020-06-01 ⋅ Arete ⋅ Arete Incident Response\r\nSodinokibi / REvil Ransomware attacks against the Education Sector\r\nREvil 2020-05-26 ⋅ DataBreaches.net ⋅ Dissent\r\nA former DarkSide listing shows up on REvil’s leak site\r\nDarkSide REvil 2020-05-07 ⋅ REDTEAM.PL ⋅ Adam Ziaja\r\nSodinokibi / REvil ransomware\r\nMaze MimiKatz REvil 2020-05-04 ⋅ Intel 471 ⋅ Intel 471 Malware Intelligence team\r\nChanges in REvil ransomware version 2.2\r\nREvil 2020-04-28 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team\r\nRansomware groups continue to target healthcare, critical services; here’s how to reduce risk\r\nLockBit Mailto Maze MedusaLocker Paradise RagnarLocker REvil RobinHood 2020-04-11 ⋅ Bleeping Computer ⋅\r\nLawrence Abrams\r\nSodinokibi Ransomware to stop taking Bitcoin to hide money trail\r\nREvil 2020-04-09 ⋅ Graham Cluley Blog ⋅ Graham Cluley\r\nTravelex paid hackers $2.3 million worth of Bitcoin after ransomware attack\r\nREvil 2020-03-31 ⋅ Intel 471 ⋅ Intel 471\r\nREvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation\r\nGandcrab REvil 2020-03-24 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nThree More Ransomware Families Create Sites to Leak Stolen Data\r\nClop DoppelPaymer Maze Nefilim Nemty REvil 2020-03-07 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nRansomware Threatens to Reveal Company's 'Dirty' Secrets\r\nREvil 2020-03-05 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team\r\nHuman-operated ransomware attacks: A preventable disaster\r\nDharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil\r\nRobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA 2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike\r\n2020 CrowdStrike Global Threat Report\r\nMESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra 
Carbon\r\nSystem Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx\r\nGandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook\r\nBackdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon\r\nTerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40\r\nBlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group\r\nGOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER\r\nPINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY\r\nTIGER 2020-03-03 ⋅ PWC UK ⋅ PWC UK\r\nCyber Threats 2019:A Year in Retrospect\r\nKevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack\r\nEmotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar\r\nLockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper\r\nStoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle 2020-02-29 ⋅ Security Affairs ⋅\r\nPierluigi Paganini\r\nSodinokibi Ransomware gang threatens to disclose data from Kenneth Cole fashion firm\r\nREvil 2020-02-26 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nSodinokibi Ransomware May Tip NASDAQ on Attacks to Hurt Stock Prices\r\nREvil 2020-02-25 ⋅ RSA Conference ⋅ Joel DeCapua\r\nFeds Fighting Ransomware: How the FBI Investigates and How You Can Help\r\nFastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk\r\nSamSam Zeus 2020-02-10 ⋅ Malwarebytes ⋅ Adam Kujawa, Chris Boyd, David Ruiz, Jérôme Segura, Jovi Umawing, Nathan Collier,\r\nPieter Arntz, Thomas Reed, Wendy Zamora\r\n2020 State of Malware Report\r\nmagecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor 2020-02-02 ⋅ Nullteilerfrei Blog ⋅ Lars 
Wallenborn\r\nDefeating Sodinokibi/REvil String-Obfuscation in Ghidra\r\nREvil 2020-01-30 ⋅ Under The Breach ⋅ Under The Breach\r\nTracking Down REvil’s “Lalartu” by utilizing multiple OSINT methods\r\nREvil 2020-01-30 ⋅ Digital Shadows ⋅ Photon Research Team\r\nCompetitions on Russian-language cybercriminal forums: Sharing expertise or threat actor showboating?\r\nREvil 2020-01-29 ⋅ ANSSI ⋅ ANSSI\r\nÉtat de la menace rançongiciel\r\nClop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam 2020-01-28 ⋅\r\nKPN ⋅ KPN\r\nTracking REvil\r\nREvil 2020-01-26 ⋅ Youtube (OALabs) ⋅ Sean Wilson, Sergei Frankoff\r\nIDA Pro Automated String Decryption For REvil Ransomware\r\nREvil 2020-01-23 ⋅ Bleeping Computer ⋅ Sergiu Gatlan\r\nSodinokibi Ransomware Threatens to Publish Data of Automotive Group\r\nREvil 2020-01-18 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nNew Jersey Synagogue Suffers Sodinokibi Ransomware Attack\r\nREvil 2020-01-17 ⋅ Secureworks ⋅ Keita Yamazaki, Tamada Kiyotaka, You Nakatsuru\r\nIs It Wrong to Try to Find APT Techniques in Ransomware Attack?\r\nDefray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos REvil Ryuk SamSam\r\nScarab Ransomware 2020-01-11 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nSodinokibi Ransomware Publishes Stolen Data for the First Time\r\nREvil 2020-01-10 ⋅ BleepingComputer ⋅ Sergiu Gatlan\r\nSodinokibi Ransomware Hits New York Airport Systems\r\nREvil 2020-01-09 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nSodinokibi Ransomware Says Travelex Will Pay, One Way or Another\r\nREvil 2020-01-06 ⋅ Bleeping Computer ⋅ Ionut Ilascu\r\nSodinokibi Ransomware Hits Travelex, Demands $3 Million\r\nREvil 2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nGOLD SOUTHFIELD\r\nREvil 2020-01-01 ⋅ Blackberry ⋅ Blackberry Research\r\nState of Ransomware\r\nMaze MedusaLocker Nefilim Phobos REvil Ryuk STOP 2019-12-20 ⋅ Trustwave ⋅ Rodel 
Mendrez\r\nUndressing the REvil\r\nREvil 2019-12-18 ⋅ Hatching.io ⋅ Pete Cowman\r\nUnderstanding Ransomware Series: Detecting Sodin\r\nREvil 2019-12-12 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nAnother Ransomware Will Now Publish Victims' Data If Not Paid\r\nREvil 2019-12-04 ⋅ Elastic ⋅ David French\r\nRansomware, interrupted: Sodinokibi and the supply chain\r\nREvil 2019-11-09 ⋅ Lars Wallenborn\r\nAPI-Hashing in the Sodinokibi/Revil Ransomware - Why and How?\r\nREvil 2019-10-20 ⋅ McAfee ⋅ Christiaan Beek, Jessica Saavedra-Morales, Ryan Sherstobitoff\r\nMcAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo\r\nREvil 2019-10-02 ⋅ McAfee ⋅ McAfee Labs\r\nMcAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us\r\nGandcrab REvil 2019-09-24 ⋅ Secureworks ⋅ CTU Research Team\r\nREvil: The GandCrab Connection\r\nREvil GOLD SOUTHFIELD 2019-09-24 ⋅ Secureworks ⋅ CTU Research Team\r\nREvil/Sodinokibi Ransomware\r\nREvil GOLD SOUTHFIELD 2019-08-30 ⋅ Bleeping Computer ⋅ Ionut Ilascu\r\nA Look Inside the Highly Profitable Sodinokibi Ransomware Business\r\nREvil 2019-08-23 ⋅ The New York Times ⋅ David E. Sanger, Manny Fernandez, Marina Trahan Martinez\r\nRansomware Attacks Are Testing Resolve of Cities Across America\r\nREvil 2019-08-10 ⋅ Dissecting Malware ⋅ Marius Genheimer\r\nGermanWiper's big Brother? GandGrab's kid ? 
Sodinokibi!\r\nREvil 2019-07-15 ⋅ KrebsOnSecurity ⋅ Brian Krebs\r\nIs ‘REvil’ the New GandCrab Ransomware?\r\nREvil 2019-07-03 ⋅ Kaspersky Labs ⋅ Artur Pakulov, Fedor Sinitsyn, Orkhan Mamedov\r\nSodin ransomware exploits Windows vulnerability and processor architecture\r\nREvil 2019-06-24 ⋅ VirIT ⋅ Federico Girotto, Gianfranco Tonello, Michele Zuin\r\nRansomware REvil - Sodinokibi: Technical analysis and Threat Intelligence Report\r\nREvil 2019-06-14 ⋅ Certego ⋅ Matteo Lodi\r\nMalware Tales: Sodinokibi\r\nREvil 2019-05-01 ⋅ WatchGuard ⋅ WatchGuard\r\nInternet Security Report\r\nREvil RobinHood 2019-04-30 ⋅ Cisco Talos ⋅ Colin Grady, Jaeson Schultz, Matt Valites, Pierre Cadieux\r\nSodinokibi ransomware exploits WebLogic Server vulnerability\r\nREvil\r\n[TLP:WHITE] win_revil_auto (20251219 | Detects win.revil.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.revil",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.revil"
	],
	"report_names": [
		"win.revil"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5a1096e-e481-4a8c-ae06-e3328276d935",
			"created_at": "2022-10-25T16:07:23.199712Z",
			"updated_at": "2026-04-10T02:00:04.485374Z",
			"deleted_at": null,
			"main_name": "Clockwork Spider",
			"aliases": [],
			"source_name": "ETDA:Clockwork Spider",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d",
			"created_at": "2025-08-07T02:03:24.741594Z",
			"updated_at": "2026-04-10T02:00:03.653394Z",
			"deleted_at": null,
			"main_name": "COBALT HICKMAN",
			"aliases": [
				"APT39 ",
				"Burgundy Sandstorm ",
				"Chafer ",
				"ITG07 ",
				"Remix Kitten "
			],
			"source_name": "Secureworks:COBALT HICKMAN",
			"tools": [
				"MechaFlounder",
				"Mimikatz",
				"Remexi",
				"TREKX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99d9dd87-91c3-4371-9943-0a1c9c3cd99c",
			"created_at": "2022-10-25T16:07:23.277763Z",
			"updated_at": "2026-04-10T02:00:04.514755Z",
			"deleted_at": null,
			"main_name": "Solar Spider",
			"aliases": [],
			"source_name": "ETDA:Solar Spider",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "56daf304-dd2c-4fa1-a01f-8c0a7e5e5c30",
			"created_at": "2022-10-25T16:07:23.586985Z",
			"updated_at": "2026-04-10T02:00:04.676803Z",
			"deleted_at": null,
			"main_name": "EmpireMonkey",
			"aliases": [
				"Anthropoid Spider",
				"CobaltGoblin",
				"EmpireMonkey"
			],
			"source_name": "ETDA:EmpireMonkey",
			"tools": [
				"AKO Doxware",
				"AKO Ransomware",
				"MedusaLocker",
				"MedusaReborn"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "539855ac-def3-46a0-a490-f33abde7976f",
			"created_at": "2025-08-07T02:03:24.802704Z",
			"updated_at": "2026-04-10T02:00:03.718613Z",
			"deleted_at": null,
			"main_name": "GOLD ANDREW",
			"aliases": [
				"Smoky Spider "
			],
			"source_name": "Secureworks:GOLD ANDREW",
			"tools": [
				"Smoke Loader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "88854a9f-641a-4412-89db-449b4d5cbc51",
			"created_at": "2022-10-25T16:07:23.963599Z",
			"updated_at": "2026-04-10T02:00:04.810023Z",
			"deleted_at": null,
			"main_name": "Operation HangOver",
			"aliases": [
				"G0042",
				"Monsoon",
				"Operation HangOver",
				"Viceroy Tiger"
			],
			"source_name": "ETDA:Operation HangOver",
			"tools": [
				"AutoIt backdoor",
				"BADNEWS",
				"BackConfig",
				"JakyllHyde",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6f37e16f-64b2-4b9c-b5b4-08d0884660eb",
			"created_at": "2022-10-25T16:07:24.380872Z",
			"updated_at": "2026-04-10T02:00:04.966462Z",
			"deleted_at": null,
			"main_name": "Viking Spider",
			"aliases": [],
			"source_name": "ETDA:Viking Spider",
			"tools": [
				"Ragnar Locker",
				"RagnarLocker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "748eb9f3-ef15-4645-881b-b91681111812",
			"created_at": "2022-10-25T16:07:24.510024Z",
			"updated_at": "2026-04-10T02:00:05.016515Z",
			"deleted_at": null,
			"main_name": "Monty Spider",
			"aliases": [
				"Gold Riverview"
			],
			"source_name": "ETDA:Monty Spider",
			"tools": [
				"Necurs",
				"nucurs"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67fbc7d7-ba8e-4258-b53c-9a5d755e1960",
			"created_at": "2022-10-25T16:07:24.077859Z",
			"updated_at": "2026-04-10T02:00:04.860725Z",
			"deleted_at": null,
			"main_name": "Promethium",
			"aliases": [
				"APT-C-41",
				"G0056",
				"Magenta Dust",
				"Promethium",
				"StrongPity"
			],
			"source_name": "ETDA:Promethium",
			"tools": [
				"StrongPity",
				"StrongPity2",
				"StrongPity3",
				"Truvasys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "01d569b1-f089-4a8f-8396-85078b93da26",
			"created_at": "2023-01-06T13:46:38.411615Z",
			"updated_at": "2026-04-10T02:00:02.963422Z",
			"deleted_at": null,
			"main_name": "BuhTrap",
			"aliases": [],
			"source_name": "MISPGALAXY:BuhTrap",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6d1762e8-c48c-4fda-b4d1-ecb91179720e",
			"created_at": "2022-10-25T16:07:24.55351Z",
			"updated_at": "2026-04-10T02:00:05.031489Z",
			"deleted_at": null,
			"main_name": "Salty Spider",
			"aliases": [],
			"source_name": "ETDA:Salty Spider",
			"tools": [
				"Kookoo",
				"Kukacka",
				"Kuku",
				"SalLoad",
				"SaliCode",
				"Sality"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "058823d4-60c2-42ab-a3aa-4c10f0ff37c9",
			"created_at": "2022-10-25T16:07:24.57064Z",
			"updated_at": "2026-04-10T02:00:05.036609Z",
			"deleted_at": null,
			"main_name": "Smoky Spider",
			"aliases": [],
			"source_name": "ETDA:Smoky Spider",
			"tools": [
				"Dofoil",
				"Oficla",
				"Sasfis",
				"Sharik",
				"Smoke Loader",
				"SmokeLoader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "02e5c3b8-54b4-4170-b200-7f1fd361b5a9",
			"created_at": "2022-10-25T16:07:24.557505Z",
			"updated_at": "2026-04-10T02:00:05.032451Z",
			"deleted_at": null,
			"main_name": "Scully Spider",
			"aliases": [
				"Scully Spider",
				"TA547"
			],
			"source_name": "ETDA:Scully Spider",
			"tools": [
				"DanaBot",
				"Lumma Stealer",
				"LummaC2",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"Rhadamanthys",
				"Rhadamanthys Stealer",
				"Stealc"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b57a3b93-3a22-4889-af28-37cc53e824e7",
			"created_at": "2023-01-06T13:46:39.24034Z",
			"updated_at": "2026-04-10T02:00:03.256906Z",
			"deleted_at": null,
			"main_name": "MIMIC SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:MIMIC SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "25758a84-d695-44e7-9cd5-3c6e999ce6c0",
			"created_at": "2023-01-06T13:46:39.237624Z",
			"updated_at": "2026-04-10T02:00:03.255835Z",
			"deleted_at": null,
			"main_name": "OUTLAW SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:OUTLAW SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c4bc6ac9-d3e5-43f1-9adf-e77ac5386788",
			"created_at": "2022-10-25T15:50:23.722608Z",
			"updated_at": "2026-04-10T02:00:05.397432Z",
			"deleted_at": null,
			"main_name": "Thrip",
			"aliases": [
				"Thrip"
			],
			"source_name": "MITRE:Thrip",
			"tools": [
				"PsExec",
				"Mimikatz",
				"Catchamas"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cbede712-4cc3-47c6-bf78-92fd9f1beac6",
			"created_at": "2022-10-25T15:50:23.777222Z",
			"updated_at": "2026-04-10T02:00:05.399303Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"PROMETHIUM",
				"StrongPity"
			],
			"source_name": "MITRE:PROMETHIUM",
			"tools": [
				"Truvasys",
				"StrongPity"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c91f7778-69aa-45fa-be0e-4ee33daf8fbd",
			"created_at": "2023-01-06T13:46:39.110148Z",
			"updated_at": "2026-04-10T02:00:03.216613Z",
			"deleted_at": null,
			"main_name": "NARWHAL SPIDER",
			"aliases": [
				"GOLD ESSEX",
				"TA544",
				"Storm-0302"
			],
			"source_name": "MISPGALAXY:NARWHAL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9fe7fd84-e2b4-4db5-9c90-c4a5791d3f94",
			"created_at": "2023-01-06T13:46:38.904178Z",
			"updated_at": "2026-04-10T02:00:03.14055Z",
			"deleted_at": null,
			"main_name": "SALTY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:SALTY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7583fbd4-2bc9-458d-81da-50b27b84e136",
			"created_at": "2023-02-15T02:01:49.565258Z",
			"updated_at": "2026-04-10T02:00:03.349283Z",
			"deleted_at": null,
			"main_name": "TA575",
			"aliases": [],
			"source_name": "MISPGALAXY:TA575",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8610b0d9-a6af-4010-818f-28671efc5d5e",
			"created_at": "2023-01-06T13:46:38.897477Z",
			"updated_at": "2026-04-10T02:00:03.138459Z",
			"deleted_at": null,
			"main_name": "PINCHY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:PINCHY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c84bbd2e-003d-4c43-8a46-d777455db2c7",
			"created_at": "2022-10-25T15:50:23.701006Z",
			"updated_at": "2026-04-10T02:00:05.378962Z",
			"deleted_at": null,
			"main_name": "GOLD SOUTHFIELD",
			"aliases": [
				"GOLD SOUTHFIELD",
				"Pinchy Spider"
			],
			"source_name": "MITRE:GOLD SOUTHFIELD",
			"tools": [
				"ConnectWise",
				"REvil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3b046db2-f60e-49ae-8e16-0cf82a4be6fb",
			"created_at": "2022-10-25T16:07:23.427162Z",
			"updated_at": "2026-04-10T02:00:04.594113Z",
			"deleted_at": null,
			"main_name": "Buhtrap",
			"aliases": [
				"Buhtrap",
				"Operation TwoBee",
				"Ratopak Spider",
				"UAC-0008"
			],
			"source_name": "ETDA:Buhtrap",
			"tools": [
				"AmmyyRAT",
				"Buhtrap",
				"CottonCastle",
				"FlawedAmmyy",
				"NSIS",
				"Niteris EK",
				"Nullsoft Scriptable Install System",
				"Ratopak"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dd08f179-5c65-4497-92ad-8ca0997e17e8",
			"created_at": "2023-01-06T13:46:39.113278Z",
			"updated_at": "2026-04-10T02:00:03.217613Z",
			"deleted_at": null,
			"main_name": "NOCTURNAL SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:NOCTURNAL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "38e9c8e3-38f8-4500-8c5c-8349b3e9a998",
			"created_at": "2023-01-06T13:46:39.207556Z",
			"updated_at": "2026-04-10T02:00:03.246557Z",
			"deleted_at": null,
			"main_name": "RIDDLE SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:RIDDLE SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e227b757-7032-4a99-b119-1bfda2ebd543",
			"created_at": "2023-01-06T13:46:39.21663Z",
			"updated_at": "2026-04-10T02:00:03.248543Z",
			"deleted_at": null,
			"main_name": "SOLAR SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:SOLAR SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fdf30f70-537c-458d-82b2-54b4f09cea48",
			"created_at": "2023-01-06T13:46:39.119613Z",
			"updated_at": "2026-04-10T02:00:03.221272Z",
			"deleted_at": null,
			"main_name": "SMOKY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:SMOKY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b98eb1ec-dc8b-4aea-b112-9e485408dd14",
			"created_at": "2022-10-25T16:07:23.649308Z",
			"updated_at": "2026-04-10T02:00:04.701157Z",
			"deleted_at": null,
			"main_name": "FunnyDream",
			"aliases": [
				"Bronze Edgewood",
				"Red Hariasa",
				"TAG-16"
			],
			"source_name": "ETDA:FunnyDream",
			"tools": [
				"Chinoxy",
				"Filepak",
				"FilepakMonitor",
				"FunnyDream",
				"Keyrecord",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Md_client",
				"PCShare",
				"ScreenCap",
				"TcpBridge",
				"Tcp_transfer",
				"ccf32"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "58db0213-4872-41fe-8a76-a7014d816c73",
			"created_at": "2023-01-06T13:46:38.61757Z",
			"updated_at": "2026-04-10T02:00:03.040816Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"G0131",
				"PLA Unit 65017",
				"Earth Akhlut",
				"TAG-74",
				"CactusPete",
				"KARMA PANDA",
				"BRONZE HUNTLEY",
				"Red Beifang"
			],
			"source_name": "MISPGALAXY:Tonto Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e9f85280-337c-4321-b872-0919f8ef64a6",
			"created_at": "2022-10-25T16:07:24.261761Z",
			"updated_at": "2026-04-10T02:00:04.914455Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"Gold Village",
				"Maze Team",
				"TA2101",
				"Twisted Spider"
			],
			"source_name": "ETDA:TA2101",
			"tools": [
				"7-Zip",
				"Agentemis",
				"BokBot",
				"Buran",
				"ChaCha",
				"Cobalt Strike",
				"CobaltStrike",
				"Egregor",
				"IceID",
				"IcedID",
				"Mimikatz",
				"PsExec",
				"SharpHound",
				"VegaLocker",
				"WinSCP",
				"cobeacon",
				"nmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f2fa9952-301f-4376-ac69-743d6f2bec1e",
			"created_at": "2023-01-06T13:46:39.122721Z",
			"updated_at": "2026-04-10T02:00:03.22231Z",
			"deleted_at": null,
			"main_name": "VENOM SPIDER",
			"aliases": [
				"badbullz",
				"badbullzvenom"
			],
			"source_name": "MISPGALAXY:VENOM SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "da483338-e479-4d74-a6dd-1fb09343fd07",
			"created_at": "2022-10-25T15:50:23.698197Z",
			"updated_at": "2026-04-10T02:00:05.355597Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Tonto Team",
				"Earth Akhlut",
				"BRONZE HUNTLEY",
				"CactusPete",
				"Karma Panda"
			],
			"source_name": "MITRE:Tonto Team",
			"tools": [
				"Mimikatz",
				"Bisonal",
				"ShadowPad",
				"LaZagne",
				"NBTscan",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2fa14cf4-969f-48bc-b68e-a8e7eedc6e98",
			"created_at": "2022-10-25T15:50:23.538608Z",
			"updated_at": "2026-04-10T02:00:05.378092Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"Lotus Blossom",
				"DRAGONFISH",
				"Spring Dragon",
				"RADIUM",
				"Raspberry Typhoon",
				"Bilbug",
				"Thrip"
			],
			"source_name": "MITRE:Lotus Blossom",
			"tools": [
				"AdFind",
				"Impacket",
				"Elise",
				"Hannotog",
				"NBTscan",
				"Sagerunex",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "679e335a-38a4-4db9-8fdf-a48c17a1f5e6",
			"created_at": "2023-01-06T13:46:38.820429Z",
			"updated_at": "2026-04-10T02:00:03.112131Z",
			"deleted_at": null,
			"main_name": "FASTCash",
			"aliases": [],
			"source_name": "MISPGALAXY:FASTCash",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "04a7ebaa-ebb1-4971-b513-a0c86886d932",
			"created_at": "2023-01-06T13:46:38.784965Z",
			"updated_at": "2026-04-10T02:00:03.099088Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"ATK116",
				"Blue Odin"
			],
			"source_name": "MISPGALAXY:Inception Framework",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a0548d4e-edc2-40c1-a4e2-c1d6103012eb",
			"created_at": "2023-01-06T13:46:38.793461Z",
			"updated_at": "2026-04-10T02:00:03.102807Z",
			"deleted_at": null,
			"main_name": "Thrip",
			"aliases": [
				"G0076",
				"ATK78"
			],
			"source_name": "MISPGALAXY:Thrip",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10",
				"CTG-5938",
				"CVNX",
				"Hogfish",
				"MenuPass",
				"MirrorFace",
				"POTASSIUM",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda"
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b4ec06e5-60c9-4796-9f85-129c77d1652b",
			"created_at": "2023-01-06T13:46:39.21956Z",
			"updated_at": "2026-04-10T02:00:03.249407Z",
			"deleted_at": null,
			"main_name": "VIKING SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:VIKING SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider",
				"Manatee Tempest"
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "27e51b73-410e-4a33-93a1-49cf8a743cf7",
			"created_at": "2023-01-06T13:46:39.210675Z",
			"updated_at": "2026-04-10T02:00:03.247656Z",
			"deleted_at": null,
			"main_name": "GOLD DUPONT",
			"aliases": [
				"SPRITE SPIDER"
			],
			"source_name": "MISPGALAXY:GOLD DUPONT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1b3a247f-6186-4482-8b92-c3fb2d767c7d",
			"created_at": "2023-01-06T13:46:38.883911Z",
			"updated_at": "2026-04-10T02:00:03.132231Z",
			"deleted_at": null,
			"main_name": "APT39",
			"aliases": [
				"COBALT HICKMAN",
				"G0087",
				"Radio Serpens",
				"TA454",
				"ITG07",
				"Burgundy Sandstorm",
				"REMIX KITTEN"
			],
			"source_name": "MISPGALAXY:APT39",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9099912b-a00a-4afb-8294-c6d35af421a1",
			"created_at": "2023-01-06T13:46:39.338108Z",
			"updated_at": "2026-04-10T02:00:03.292102Z",
			"deleted_at": null,
			"main_name": "Scarab",
			"aliases": [],
			"source_name": "MISPGALAXY:Scarab",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3f53ecb7-e228-471d-8f85-0b2ba110ab4b",
			"created_at": "2023-01-06T13:46:39.181151Z",
			"updated_at": "2026-04-10T02:00:03.237995Z",
			"deleted_at": null,
			"main_name": "Red Charon",
			"aliases": [],
			"source_name": "MISPGALAXY:Red Charon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8d76e350-dfb5-4733-800d-876de41f690d",
			"created_at": "2023-01-06T13:46:38.841887Z",
			"updated_at": "2026-04-10T02:00:03.119083Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [
				"COBALT EDGEWATER"
			],
			"source_name": "MISPGALAXY:DNSpionage",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e7d03ac8-7d6f-4ea0-83a9-10dff2ea1486",
			"created_at": "2022-10-25T16:07:24.158325Z",
			"updated_at": "2026-04-10T02:00:04.884772Z",
			"deleted_at": null,
			"main_name": "Scarab",
			"aliases": [
				"UAC-0026"
			],
			"source_name": "ETDA:Scarab",
			"tools": [
				"Scieron"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc",
			"created_at": "2023-01-06T13:46:38.354607Z",
			"updated_at": "2026-04-10T02:00:02.939761Z",
			"deleted_at": null,
			"main_name": "APT23",
			"aliases": [
				"BRONZE HOBART",
				"G0081",
				"Red Orthrus",
				"Earth Centaur",
				"PIRATE PANDA",
				"KeyBoy",
				"Tropic Trooper"
			],
			"source_name": "MISPGALAXY:APT23",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cc045f52-bbdb-4fcc-8fbf-a0d8a7c5e64f",
			"created_at": "2022-10-25T16:07:24.519535Z",
			"updated_at": "2026-04-10T02:00:05.019918Z",
			"deleted_at": null,
			"main_name": "Narwhal Spider",
			"aliases": [
				"Gold Essex",
				"Storm-0302"
			],
			"source_name": "ETDA:Narwhal Spider",
			"tools": [
				"Cutwail",
				"Pushdo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "17d16126-35d7-4c59-88a5-0b48e755e80f",
			"created_at": "2025-08-07T02:03:24.622109Z",
			"updated_at": "2026-04-10T02:00:03.726126Z",
			"deleted_at": null,
			"main_name": "BRONZE HUNTLEY",
			"aliases": [
				"CactusPete",
				"Earth Akhlut",
				"Karma Panda",
				"Red Beifang",
				"Tonto Team"
			],
			"source_name": "Secureworks:BRONZE HUNTLEY",
			"tools": [
				"Bisonal",
				"RatN",
				"Royal Road",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4660477f-333f-4a18-b49b-0b4d7c66d482",
			"created_at": "2023-01-06T13:46:38.511962Z",
			"updated_at": "2026-04-10T02:00:03.007466Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"StrongPity",
				"G0056"
			],
			"source_name": "MISPGALAXY:PROMETHIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7961bf6e-e429-484c-93e2-bd1d36fa5588",
			"created_at": "2023-01-06T13:46:39.275053Z",
			"updated_at": "2026-04-10T02:00:03.270128Z",
			"deleted_at": null,
			"main_name": "GOLD SOUTHFIELD",
			"aliases": [],
			"source_name": "MISPGALAXY:GOLD SOUTHFIELD",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "02ef8063-7ad4-42ba-a646-97210000f6b5",
			"created_at": "2024-06-19T02:03:08.117993Z",
			"updated_at": "2026-04-10T02:00:03.614663Z",
			"deleted_at": null,
			"main_name": "GOLD SOUTHFIELD",
			"aliases": [
				""
			],
			"source_name": "Secureworks:GOLD SOUTHFIELD",
			"tools": [
				"REvil"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9df68733-9bcd-43b1-88f1-24b110fa3d56",
			"created_at": "2022-10-25T16:07:24.051993Z",
			"updated_at": "2026-04-10T02:00:04.851037Z",
			"deleted_at": null,
			"main_name": "Pinchy Spider",
			"aliases": [
				"G0115",
				"Gold Garden",
				"Gold Southfield",
				"Pinchy Spider"
			],
			"source_name": "ETDA:Pinchy Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"GandCrab",
				"GrandCrab",
				"REvil",
				"Sodin",
				"Sodinokibi",
				"VIDAR",
				"Vidar Stealer",
				"certutil",
				"certutil.exe",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35",
				"APT42",
				"Agent Serpens Palo Alto",
				"Charming Kitten",
				"CharmingCypress",
				"Educated Manticore Checkpoint",
				"ITG18",
				"Magic Hound",
				"Mint Sandstorm sub-group",
				"NewsBeef",
				"Newscaster",
				"PHOSPHORUS sub-group",
				"TA453",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f63c346d-18c8-4821-a56d-fefb1ad7ed5d",
			"created_at": "2022-10-25T16:07:23.42507Z",
			"updated_at": "2026-04-10T02:00:04.593122Z",
			"deleted_at": null,
			"main_name": "Bronze Starlight",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"HighGround",
				"Operation ChattyGoblin",
				"SLIME34"
			],
			"source_name": "ETDA:Bronze Starlight",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"AtomSilo",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"HUI Loader",
				"Kaba",
				"Korplug",
				"LockFile",
				"Night Sky",
				"NightSky",
				"Pandora",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ccd0f6b5-6d20-4d28-9796-88ab6deb4087",
			"created_at": "2024-06-19T02:03:08.067518Z",
			"updated_at": "2026-04-10T02:00:03.671628Z",
			"deleted_at": null,
			"main_name": "GOLD HERON",
			"aliases": [
				"Doppel Spider"
			],
			"source_name": "Secureworks:GOLD HERON",
			"tools": [
				"Cobalt Strike",
				"DoppelPaymer",
				"Dridex",
				"Grief",
				"PowerShell Empire"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4632103e-8035-4a83-9ecb-c1e12e21288c",
			"created_at": "2022-10-25T16:07:23.542255Z",
			"updated_at": "2026-04-10T02:00:04.64888Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [],
			"source_name": "ETDA:DNSpionage",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"CACTUSPIPE",
				"DNSpionage",
				"DropperBackdoor",
				"Karkoff",
				"MailDropper",
				"OILYFACE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b72c2616-cc7c-4c47-a83d-6b7866b94746",
			"created_at": "2023-01-06T13:46:39.425297Z",
			"updated_at": "2026-04-10T02:00:03.323082Z",
			"deleted_at": null,
			"main_name": "Red Nue",
			"aliases": [
				"LuoYu"
			],
			"source_name": "MISPGALAXY:Red Nue",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c69bcda3-0893-4ea1-9ec1-ae016332d283",
			"created_at": "2023-01-06T13:46:39.410593Z",
			"updated_at": "2026-04-10T02:00:03.317754Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"DEV-0401",
				"Cinnamon Tempest",
				"Emperor Dragonfly",
				"SLIME34"
			],
			"source_name": "MISPGALAXY:BRONZE STARLIGHT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c39b0fe6-5642-4717-9a05-9e94265e3e3a",
			"created_at": "2022-10-25T16:07:24.332084Z",
			"updated_at": "2026-04-10T02:00:04.940672Z",
			"deleted_at": null,
			"main_name": "Tonto Team",
			"aliases": [
				"Bronze Huntley",
				"CactusPete",
				"Earth Akhlut",
				"G0131",
				"HartBeat",
				"Karma Panda",
				"LoneRanger",
				"Operation Bitter Biscuit",
				"TAG-74",
				"Tonto Team"
			],
			"source_name": "ETDA:Tonto Team",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Bioazih",
				"Bisonal",
				"CONIME",
				"Dexbia",
				"Korlia",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "956fc691-b6c6-4b09-b69d-8f007c189839",
			"created_at": "2025-08-07T02:03:24.860251Z",
			"updated_at": "2026-04-10T02:00:03.656547Z",
			"deleted_at": null,
			"main_name": "GOLD ESSEX",
			"aliases": [
				"Narwhal Spider ",
				"Storm-0302 ",
				"TA544 "
			],
			"source_name": "Secureworks:GOLD ESSEX",
			"tools": [
				"Cutwail",
				"Pony",
				"Pushdo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5fba09c3-73cc-4898-9b82-e73b012016c6",
			"created_at": "2025-08-07T02:03:24.578591Z",
			"updated_at": "2026-04-10T02:00:03.767329Z",
			"deleted_at": null,
			"main_name": "BRONZE EDGEWOOD",
			"aliases": [
				"Red Hariasa"
			],
			"source_name": "Secureworks:BRONZE EDGEWOOD",
			"tools": [
				"Chinoxy",
				"Cobalt Strike",
				"FunnyDream",
				"Md_client",
				"Nishang Post Exploitation Framework",
				"PCShare",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cfdd350b-de30-4d29-bbee-28159f26c8c2",
			"created_at": "2023-01-06T13:46:38.433736Z",
			"updated_at": "2026-04-10T02:00:02.972971Z",
			"deleted_at": null,
			"main_name": "VICEROY TIGER",
			"aliases": [
				"OPERATION HANGOVER",
				"Donot Team",
				"APT-C-35",
				"SectorE02",
				"Orange Kala"
			],
			"source_name": "MISPGALAXY:VICEROY TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4e2776db-982d-4c07-8dd5-3888242aa7bc",
			"created_at": "2023-01-06T13:46:38.437237Z",
			"updated_at": "2026-04-10T02:00:02.974399Z",
			"deleted_at": null,
			"main_name": "PIZZO SPIDER",
			"aliases": [
				"DD4BC",
				"Ambiorx"
			],
			"source_name": "MISPGALAXY:PIZZO SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b3070c7b-c1e8-462c-94f1-62a0d2bdbc67",
			"created_at": "2023-01-06T13:46:39.116254Z",
			"updated_at": "2026-04-10T02:00:03.218594Z",
			"deleted_at": null,
			"main_name": "SCULLY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:SCULLY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "96d5b301-0872-444c-ba32-eecf7a9241c0",
			"created_at": "2023-02-15T02:01:49.560566Z",
			"updated_at": "2026-04-10T02:00:03.347926Z",
			"deleted_at": null,
			"main_name": "TA570",
			"aliases": [
				"DEV-0450"
			],
			"source_name": "MISPGALAXY:TA570",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4f83fef-38ee-4228-9d27-dde8afece1cb",
			"created_at": "2023-02-15T02:01:49.569611Z",
			"updated_at": "2026-04-10T02:00:03.351659Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"Hive0118"
			],
			"source_name": "MISPGALAXY:TA577",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86182dd7-646c-49c5-91a6-4b62fd2119a7",
			"created_at": "2025-08-07T02:03:24.617638Z",
			"updated_at": "2026-04-10T02:00:03.738499Z",
			"deleted_at": null,
			"main_name": "BRONZE HOBART",
			"aliases": [
				"APT23",
				"Earth Centaur ",
				"KeyBoy ",
				"Pirate Panda ",
				"Red Orthrus ",
				"TA413 ",
				"Tropic Trooper "
			],
			"source_name": "Secureworks:BRONZE HOBART",
			"tools": [
				"Crowdoor",
				"DSNGInstaller",
				"KeyBoy",
				"LOWZERO",
				"Mofu",
				"Pfine",
				"Sepulcher",
				"Xiangoop Loader",
				"Yahaoyah"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "22d450bb-fc7a-42af-9430-08887f0abf9f",
			"created_at": "2024-11-01T02:00:52.560354Z",
			"updated_at": "2026-04-10T02:00:05.276856Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"TA577"
			],
			"source_name": "MITRE:TA577",
			"tools": [
				"Pikabot",
				"QakBot",
				"Latrodectus"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c240435e-8863-4e5b-9f47-20c6f5c52131",
			"created_at": "2022-10-25T16:07:23.253019Z",
			"updated_at": "2026-04-10T02:00:04.505012Z",
			"deleted_at": null,
			"main_name": "Outlaw Spider",
			"aliases": [],
			"source_name": "ETDA:Outlaw Spider",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c3c864b3-fac9-4d56-8500-7c06c829fbf8",
			"created_at": "2023-01-06T13:46:39.071873Z",
			"updated_at": "2026-04-10T02:00:03.203749Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"GOLD VILLAGE",
				"Storm-0216",
				"DEV-0216",
				"UNC2198",
				"TUNNEL SPIDER",
				"Maze Team",
				"TWISTED SPIDER"
			],
			"source_name": "MISPGALAXY:TA2101",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "186f3cc2-500c-4233-b688-8b6d6e08e2a3",
			"created_at": "2023-01-06T13:46:39.098169Z",
			"updated_at": "2026-04-10T02:00:03.212492Z",
			"deleted_at": null,
			"main_name": "ANTHROPOID SPIDER",
			"aliases": [
				"Empire Monkey",
				"CobaltGoblin"
			],
			"source_name": "MISPGALAXY:ANTHROPOID SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "28a272c4-098b-4d1b-9115-c7ff8decab7c",
			"created_at": "2023-01-06T13:46:39.101189Z",
			"updated_at": "2026-04-10T02:00:03.21354Z",
			"deleted_at": null,
			"main_name": "CLOCKWORK SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:CLOCKWORK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a0d0e1ef-3562-40a8-a021-321db92644d9",
			"created_at": "2023-01-06T13:46:39.104046Z",
			"updated_at": "2026-04-10T02:00:03.2146Z",
			"deleted_at": null,
			"main_name": "DOPPEL SPIDER",
			"aliases": [
				"GOLD HERON"
			],
			"source_name": "MISPGALAXY:DOPPEL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a15363f3-ec73-4a94-a94c-60ffb4925a40",
			"created_at": "2023-01-06T13:46:39.10693Z",
			"updated_at": "2026-04-10T02:00:03.215548Z",
			"deleted_at": null,
			"main_name": "MONTY SPIDER",
			"aliases": [
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:MONTY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b774174f-aeca-4ea8-8f2a-b4a70a2a0b85",
			"created_at": "2023-01-06T13:46:39.451474Z",
			"updated_at": "2026-04-10T02:00:03.333575Z",
			"deleted_at": null,
			"main_name": "PARINACOTA",
			"aliases": [
				"Wine Tempest"
			],
			"source_name": "MISPGALAXY:PARINACOTA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d555c5da-abe4-42aa-a8cf-77b68905891a",
			"created_at": "2022-10-25T16:07:23.548385Z",
			"updated_at": "2026-04-10T02:00:04.65211Z",
			"deleted_at": null,
			"main_name": "Doppel Spider",
			"aliases": [
				"Gold Heron",
				"Grief Group"
			],
			"source_name": "ETDA:Doppel Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DoppelPaymer",
				"Pay OR Grief",
				"Pay or Grief",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eaa8168f-3fab-4831-aa60-5956f673e6b3",
			"created_at": "2022-10-25T16:07:23.805824Z",
			"updated_at": "2026-04-10T02:00:04.754761Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"ATK 1",
				"ATK 78",
				"Billbug",
				"Bronze Elgin",
				"CTG-8171",
				"Dragonfish",
				"G0030",
				"G0076",
				"Lotus Blossom",
				"Operation Lotus Blossom",
				"Red Salamander",
				"Spring Dragon",
				"Thrip"
			],
			"source_name": "ETDA:Lotus Blossom",
			"tools": [
				"BKDR_ESILE",
				"Catchamas",
				"EVILNEST",
				"Elise",
				"Group Policy Results Tool",
				"Hannotog",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"PsExec",
				"Rikamanu",
				"Sagerunex",
				"Spedear",
				"Syndicasec",
				"WMI Ghost",
				"Wimmie",
				"gpresult"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "703c2493-d713-4697-a691-4c2e09c032e9",
			"created_at": "2022-10-25T16:07:24.53647Z",
			"updated_at": "2026-04-10T02:00:05.025223Z",
			"deleted_at": null,
			"main_name": "Parinacota",
			"aliases": [
				"Wine Tempest"
			],
			"source_name": "ETDA:Parinacota",
			"tools": [
				"Mimikatz",
				"ProcDump",
				"Wadhrama"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea",
			"created_at": "2023-01-06T13:46:39.444946Z",
			"updated_at": "2026-04-10T02:00:03.331753Z",
			"deleted_at": null,
			"main_name": "GOBLIN PANDA",
			"aliases": [
				"Conimes",
				"Cycldek"
			],
			"source_name": "MISPGALAXY:GOBLIN PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f72bb9d8-ff75-444f-8fb7-1e8e113cef73",
			"created_at": "2023-01-06T13:46:39.401929Z",
			"updated_at": "2026-04-10T02:00:03.314524Z",
			"deleted_at": null,
			"main_name": "BRONZE EDGEWOOD",
			"aliases": [
				"Red Hariasa"
			],
			"source_name": "MISPGALAXY:BRONZE EDGEWOOD",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6b6155e4-94ec-4909-b908-550afe758ad6",
			"created_at": "2022-10-25T15:50:23.365074Z",
			"updated_at": "2026-04-10T02:00:05.2978Z",
			"deleted_at": null,
			"main_name": "APT39",
			"aliases": [
				"APT39",
				"ITG07",
				"Remix Kitten"
			],
			"source_name": "MITRE:APT39",
			"tools": [
				"NBTscan",
				"MechaFlounder",
				"Remexi",
				"CrackMapExec",
				"pwdump",
				"Mimikatz",
				"Windows Credential Editor",
				"Cadelspy",
				"PsExec",
				"ASPXSpy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7268a08d-d4d0-4ebc-bffe-3d35b3ead368",
			"created_at": "2022-10-25T16:07:24.225216Z",
			"updated_at": "2026-04-10T02:00:04.904162Z",
			"deleted_at": null,
			"main_name": "Sprite Spider",
			"aliases": [
				"Gold Dupont",
				"Sprite Spider"
			],
			"source_name": "ETDA:Sprite Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Coroxy",
				"Defray 2018",
				"Defray777",
				"DroxiDat",
				"Glushkov",
				"LaZagne",
				"Metasploit",
				"PyXie",
				"PyXie RAT",
				"Ransom X",
				"RansomExx",
				"SharpHound",
				"Shifu",
				"SystemBC",
				"Target777",
				"Vatet",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6148aa7-4347-4444-a2a0-dbbf7c0f121c",
			"created_at": "2022-10-25T16:07:24.12696Z",
			"updated_at": "2026-04-10T02:00:04.875073Z",
			"deleted_at": null,
			"main_name": "Riddle Spider",
			"aliases": [
				"Avaddon Team"
			],
			"source_name": "ETDA:Riddle Spider",
			"tools": [
				"Avaddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d511e74b-96b8-4ab9-88d6-bc183351dbd8",
			"created_at": "2025-08-07T02:03:24.674685Z",
			"updated_at": "2026-04-10T02:00:03.800936Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"Cinnamon Tempest ",
				"DEV-0401 ",
				"Emperor Dragonfly "
			],
			"source_name": "Secureworks:BRONZE STARLIGHT",
			"tools": [
				"AtomSilo",
				"Cobalt Strike",
				"HUI Loader",
				"Impacket",
				"LockFile",
				"NightSky",
				"Pandora",
				"PlugX",
				"Rook"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "07775b09-acd9-498e-895f-f10063115629",
			"created_at": "2024-06-04T02:03:07.817613Z",
			"updated_at": "2026-04-10T02:00:03.650268Z",
			"deleted_at": null,
			"main_name": "GOLD DUPONT",
			"aliases": [
				"Sprite Spider ",
				"Storm-2460 "
			],
			"source_name": "Secureworks:GOLD DUPONT",
			"tools": [
				"777",
				"ArtifactExx",
				"Cobalt Strike",
				"Defray",
				"Metasploit",
				"PipeMagic",
				"PyXie",
				"Shifu",
				"SystemBC",
				"Vatet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7a257844-df90-4bd4-b0f1-77d00ff82802",
			"created_at": "2022-10-25T16:07:24.376356Z",
			"updated_at": "2026-04-10T02:00:04.964565Z",
			"deleted_at": null,
			"main_name": "Venom Spider",
			"aliases": [
				"Golden Chickens",
				"TA4557",
				"Venom Spider"
			],
			"source_name": "ETDA:Venom Spider",
			"tools": [
				"More_eggs",
				"PureLocker",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Taurus Loader Reconnaissance Module",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraCrypt",
				"TerraLogger",
				"TerraPreter",
				"TerraRecon",
				"TerraStealer",
				"TerraTV",
				"TerraWiper",
				"ThreatKit",
				"VenomKit",
				"VenomLNK",
				"lite_more_eggs"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "873a6c6f-a4d1-49b3-8142-4a147d4288ef",
			"created_at": "2022-10-25T16:07:23.455744Z",
			"updated_at": "2026-04-10T02:00:04.61281Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Bronze Vapor",
				"G0114",
				"Nuclear Taurus",
				"Operation Skeleton Key",
				"Red Charon",
				"THORIUM",
				"Tumbleweed Typhoon"
			],
			"source_name": "ETDA:Chimera",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"SkeletonKeyInjector",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "02c9f3f6-5d10-456b-9e63-750286048149",
			"created_at": "2022-10-25T16:07:23.722884Z",
			"updated_at": "2026-04-10T02:00:04.72726Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"ATK 116",
				"Blue Odin",
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"Inception Framework",
				"Operation Cloud Atlas",
				"Operation RedOctober",
				"The Rocra"
			],
			"source_name": "ETDA:Inception Framework",
			"tools": [
				"Lastacloud",
				"PowerShower",
				"VBShower"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Dancing Salome",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051",
				"Primitive Bear",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"WinterFlounder"
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39",
			"created_at": "2022-10-25T16:07:23.690871Z",
			"updated_at": "2026-04-10T02:00:04.709966Z",
			"deleted_at": null,
			"main_name": "Goblin Panda",
			"aliases": [
				"1937CN",
				"Conimes",
				"Cycldek",
				"Goblin Panda"
			],
			"source_name": "ETDA:Goblin Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"BackDoor-FBZT!52D84425CDF2",
				"BlueCore",
				"BrowsingHistoryView",
				"ChromePass",
				"CoreLoader",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"DropPhone",
				"FoundCore",
				"HDoor",
				"HTTPTunnel",
				"JsonCookies",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NBTscan",
				"NewCore RAT",
				"PlugX",
				"ProcDump",
				"PsExec",
				"QCRat",
				"RainyDay",
				"RedCore",
				"RedDelta",
				"RoyalRoad",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Win32.Staser.ytq",
				"USBCulprit",
				"Win32/Zegost.BW",
				"Xamtrav",
				"ZeGhost",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "81e29474-63ad-4ce8-97db-b1712d5481d5",
			"created_at": "2024-04-24T02:00:49.570158Z",
			"updated_at": "2026-04-10T02:00:05.285111Z",
			"deleted_at": null,
			"main_name": "Cinnamon Tempest",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"Emperor Dragonfly",
				"BRONZE STARLIGHT"
			],
			"source_name": "MITRE:Cinnamon Tempest",
			"tools": [
				"Pandora",
				"PlugX",
				"Cheerscrypt",
				"Impacket",
				"Cobalt Strike",
				"HUI Loader",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434201,
	"ts_updated_at": 1775826698,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7eccc47c8707a8c9363d0829a1a64d0b9d9e5d2a.pdf",
		"text": "https://archive.orkl.eu/7eccc47c8707a8c9363d0829a1a64d0b9d9e5d2a.txt",
		"img": "https://archive.orkl.eu/7eccc47c8707a8c9363d0829a1a64d0b9d9e5d2a.jpg"
	}
}