{
	"id": "d4060c23-ffea-491d-a621-9281a3894a35",
	"created_at": "2026-04-06T00:11:21.221233Z",
	"updated_at": "2026-04-10T03:38:18.959488Z",
	"deleted_at": null,
	"sha1_hash": "7f08574c8197d23e7bce2ed27b5098105fcb3e23",
	"title": "Kaspersky Security Bulletin 2016. Review of the year. Overall statistics for 2016",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 681611,
	"plain_text": "Kaspersky Security Bulletin 2016. Review of the year. Overall\r\nstatistics for 2016\r\nBy Kaspersky\r\nPublished: 2016-12-14 · Archived: 2026-04-05 18:21:49 UTC\r\nIntroduction\r\nIf they were asked to sum up 2016 in a single word, many people around the world – particularly those in Europe\r\nand the US – might choose the word ‘unpredictable’. On the face of it, the same could apply to cyberthreats in\r\n2016: the massive botnets of connected devices that paralysed much of the Internet in October; the relentless\r\nhacking of high-profile websites and data dumps; the SWIFT-enabled bank heists that stole billions of dollars, and\r\nmore. However, many of these incidents had in fact been predicted, sometimes years ago, by the IT security\r\nindustry, and the best word for them is probably ‘inevitable’.\r\nFor cyberthreats, 2016 was the year when “sooner or later” became “now” #KLReport\r\nMost of all, in 2016, ransomware continued its relentless march across the world – with more new malware\r\nfamilies, more modifications, more attacks and more victims. However, there are rays of hope, including the new,\r\ncollaborative No More Ransom initiative. Kaspersky Lab has designated the revolution in ransomware its Story of\r\nthe Year for 2016 and you can read more about its evolution and impact here.\r\nElsewhere on the cybersecurity landscape, targeted cyberespionage attacks, financial theft, ‘hacktivism’ and\r\nvulnerable networks of connected devices all played their part in what has been a tense and turbulent year.\r\nThis Executive Summary provides an overview of the top threats and statistics for 2016. 
Full details are included\r\nin the accompanying Review \u0026 Statistics.\r\nIt also considers what these threats mean to organisations trying to spot a breach or cyberattack. How ready are\r\nbusinesses to proactively prevent and mitigate a cyberthreat? What can be done to help them?\r\nhttps://securelist.com/kaspersky-security-bulletin-2016-executive-summary/76858/\r\nPage 1 of 12\n\nSix things we learned this year that we didn’t know before\r\n1. That the underground economy is more sophisticated and bigger than ever: xDedic – the shady\r\nmarketplace\r\nIn May, we uncovered a large, active cybercriminal trading platform, called xDedic. xDedic listed and facilitated\r\nthe buying and selling of hacked server credentials. Around 70,000 compromised servers were on offer – although\r\nlater evidence suggests that there could have been as many as 176,000 – located in organisations around the world.\r\nIn most cases, the legitimate owners had no idea that one of their servers, humming away in a back room or data\r\ncenter, had been hijacked and was being passed from criminal to criminal.\r\nxDedic is not the first underground marketplace, but it is evidence of the growing complexity and sophistication of\r\nthe black market economic ecosystem.\r\n“xDedic is a hacker’s dream, simplifying access to victims, making it cheaper and faster, and opening up new\r\npossibilities for both cybercriminals and advanced threat actors.”\r\nGReAT\r\n2. That the biggest financial heist did not involve a stock exchange: the SWIFT-enabled transfers\r\nOne of the most serious attacks in 2016 was that using the inter-bank network, SWIFT (Society for Worldwide\r\nInterbank Financial Telecommunication). In February 2016, hackers used the SWIFT credentials of Bangladesh\r\nCentral Bank employees to send fraudulent transaction requests to the Federal Reserve Bank of New York, asking\r\nit to transfer millions of dollars to various bank accounts in Asia. 
The hackers were able to get $81 million\r\ntransferred to the Rizal Commercial Banking Corporation in the Philippines and an additional $20 million to Pan\r\nAsia Banking. The campaign was cut short when the bank spotted a typo in one of the transfer requests. You can\r\nread the story here. In the following months, further bank attacks using SWIFT credentials came to light.\r\nFollowing the theft of $100 million, many banks were forced to improve their authentication and\r\nSWIFT software update procedures #KLReport\r\n3. That critical infrastructure is worryingly vulnerable: the BlackEnergy attacks\r\nBlackEnergy deserves a place in this list even though, strictly speaking, it took place at the end of 2015. However,\r\nit was only in early 2016 that the full effect of the BlackEnergy cyber-attack on the Ukrainian energy sector\r\nbecame clear. The attack was unique in terms of the damage it caused. This included disabling the power\r\ndistribution system in Western Ukraine, wiping software on targeted systems and unleashing a Distributed Denial\r\nof Service (DDoS) attack on the technical support services of affected companies. Kaspersky Lab has supported\r\nthe investigation into BlackEnergy since 2010, with, among other things, an analysis of the tool used to penetrate\r\nthe target systems. You can find our 2016 report here.\r\nThe BlackEnergy cyberattack on the Ukrainian energy sector revealed the vulnerability of critical\r\ninfrastructures worldwide #KLReport\r\nTo help organizations working with industrial control systems (ICS) to identify possible points of weakness,\r\nKaspersky Lab experts have conducted an investigation into ICS threats. Their findings are published in the\r\nIndustrial Control Systems Threat Landscape report.\r\n4. 
That a targeted attack can have no pattern: the ProjectSauron APT\r\nIn 2016 we discovered the ProjectSauron APT: a likely nation-state backed cyberespionage group that has been\r\nstealing confidential data from organisations in Russia, Iran and Rwanda – and probably other countries – since\r\nJune 2011. Our analysis uncovered some remarkable features: for example, the group adopted innovative\r\ntechniques from other major APTs, improving on their tactics in order to remain undiscovered. Most importantly\r\nof all: tools are customized for each given target, reducing their value as Indicators of Compromise (IoCs) for any\r\nother victim. An overview of the methods available to deal with such a complex threat can be found here.\r\nProjectSauron’s pattern-less spying platform has far-reaching implications for some basic principles of\r\nthreat detection #KLReport\r\n5. That the online release of vast volumes of data can be an influential tactic: ShadowBrokers and\r\nother data dumps\r\n2016 saw a number of remarkable online data dumps. The most famous is probably that by a group calling itself\r\nthe ShadowBrokers. On August 13, they appeared online claiming to possess files belonging to the ultimate APT\r\npredator, the Equation Group. Our research suggests there are similarities between the data dumped by\r\nShadowBrokers and that used by the Equation Group. The initial data dump included a number of unreported\r\nzero-days, and there have been further dumps in recent months. 
The long-term impact of all this activity is\r\nunknown, but it has already revealed the huge and rather worrying influence such data dumps can potentially have\r\non public opinion and debate.\r\nIn 2016 we also witnessed data breaches at beautifulpeople.com, Tumblr, the nulled.io hacker forum, Kiddicare,\r\nVK.com, Sage, the official forum of DotA 2, Yahoo, Brazzers, Weebly and Tesco Bank – for motives ranging from\r\nfinancial gain to personal reputation blackmail.\r\nA LinkedIn hack made public in 2016 revealed over a million uses of the password ‘123456’.\r\n#KLReport\r\n6. That a camera could be part of a global cyber-army: the insecure Internet of Things\r\nConnected devices and systems, from homes and vehicles to hospitals and smart cities, exist to make our lives\r\nsafer and easier. However, many were designed and manufactured without much thought for security – and sold to\r\npeople who underestimated the need to protect them with more than default factory security settings.\r\nThe risk of connecting everything without proper safeguards – after 2016, need we say more?\r\n#KLReport\r\nAs the world now knows, all these millions of insecure connected devices represent a powerful temptation to\r\ncybercriminals. In October, attackers used a botnet of over half a million internet-connected home devices to\r\nlaunch a DDoS attack against Dyn – a company that provides DNS services to Twitter, Amazon, PayPal, Netflix\r\nand others. The world was shocked, but warnings about unstable IoT security have been around for a long time.\r\nFor example, in February, we showed how easy it was to find a hospital, gain access to its internal network and\r\ntake control of an MRI device – locating personal data about patients and their treatment procedures and obtaining\r\naccess to the MRI device file system. 
In April, we published the results of our research into, among other things,\r\nthe vulnerability of city traffic sensors and smart ticket terminals.\r\nManufacturers need to work with the security industry to implement ‘security-by-design’ #KLReport\r\nOther top threats\r\nInventive APTs\r\nAt least 33 countries were targeted by APTs reported on by Kaspersky Lab #KLReport\r\nIn February, we reported on Operation Blockbuster, a joint investigation by several major IT security companies\r\ninto the activities of the Lazarus gang, a highly malicious entity responsible for data destruction.\r\nThe Lazarus group is believed to have been behind the attack on Sony Pictures Entertainment in 2014\r\n#KLReport\r\nAdwind is a cross-platform, multi-functional RAT (Remote Access Tool) distributed openly as a paid service,\r\nwhere the customer pays a fee in return for use of the malicious software. It holds the dubious distinction of being\r\none of the biggest malware platforms currently in existence, with around 1,800 customers in the system by the end\r\nof 2015.\r\nAdwind’s malware-for-rent had a customer base of 1,800 #KLReport\r\nAPTs everywhere continued to make the most of the fact that not everyone promptly installs new software updates\r\n– in May we reported that at least six different groups across the Asia-Pacific and Far East regions, including the\r\nnewly discovered Danti and SVCMONDR groups, were exploiting the CVE-2015-2545 vulnerability. This flaw\r\nenables an attacker to execute arbitrary code using a specially-crafted EPS image file. 
A patch for the vulnerability\r\nwas issued back in 2015.\r\nOver six APT groups used the same vulnerability – patched back in 2015 #KLReport\r\nNew zero-days\r\nZero-days remained a top prize for many targeted attackers.\r\nIn June, we reported on a cyber-espionage campaign launched by a group named ScarCruft and code-named\r\nOperation Daybreak, which was using a previously unknown Adobe Flash Player exploit (CVE-2016-1010). Then\r\nin September we discovered a Windows zero-day, CVE-2016-3393, being used by a threat actor known as\r\nFruityArmor to mount targeted attacks.\r\nIn all, new Kaspersky Lab technologies designed to identify and block such vulnerabilities helped us to uncover\r\nfour zero-days in 2016. The other two are an Adobe Flash vulnerability, CVE-2016-4171, and a Windows EoP\r\n(Escalation of Privilege) exploit, CVE-2016-0165.\r\nThe hunt for financial gain\r\nTricking people into either disclosing personal information or installing malware that then seizes the details for\r\ntheir online bank account remained a popular and successful option for cyber-thieves in 2016. Kaspersky Lab\r\nsolutions blocked attempts to launch such malware on 2,871,965 devices. The share of attacks targeting Android\r\ndevices increased more than four-fold.\r\nA third of banking malware attacks now target Android devices #KLReport\r\nSome APT groups were also more interested in financial gain than cyberespionage. For example, the group behind\r\nMetel infiltrated the corporate network of banks in order to automate the roll-back of ATM transactions: gang\r\nmembers could then use debit cards to repeatedly steal money from ATMs without ever affecting the balance on\r\nthe card. At the end of 2016 this group remains active.\r\nMetel launched targeted attacks on banks – then sent teams to ATMs at night to withdraw the cash\r\n#KLReport\r\nIn June, Kaspersky Lab supported the Russian police in their investigation into the Lurk gang. 
The collaboration\r\nresulted in the arrest of 50 suspects allegedly involved in creating networks of infected computers and the theft of\r\nmore than 45 million dollars from local banks, other financial institutions and commercial organizations.\r\nDuring the investigation, researchers spotted that users attacked by Lurk had the remote administration software\r\nAmmyy Admin installed on their computers. This led to the discovery that the official Ammyy Admin website\r\nhad most probably been compromised, with the Trojan being downloaded to users’ computers along with the\r\nlegitimate Ammyy Admin software.\r\nThe takedown of the Lurk gang was the largest ever arrest of hackers in Russia #KLReport\r\nThe ultimate vulnerability: people\r\n2016 also revealed that targeted attack campaigns don’t always need to be technically advanced in order to be\r\nsuccessful. Human beings – from hapless employees to malicious insiders – often remained the easiest access\r\nroute for attackers and their tools.\r\nIn July, we reported on a group called Dropping Elephant (also known as ‘Chinastrats’ and ‘Patchwork’). Using\r\nhigh quality social engineering combined with old exploit code and some PowerShell-based malware, the group\r\nwas able to successfully steal sensitive data from high-profile diplomatic and economic organisations linked to\r\nChina’s foreign relations.\r\nDropping Elephant and Operation Ghoul confirmed the fearsome power of high quality social\r\nengineering #KLReport\r\nFurther, Operation Ghoul sent spear-phishing e-mails that appeared to come from a bank in the UAE to top and\r\nmiddle level managers of numerous companies. 
The messages claimed to offer payment advice from the bank and\r\nattached a look-alike SWIFT document containing malware.\r\n“Cybercriminals are using insiders to gain access to telecommunications networks and subscriber data, recruiting\r\ndisaffected employees through underground channels or blackmailing staff using compromising information\r\ngathered from open sources.” Threat Intelligence Report for the Telecommunications Industry\r\nMobile advertising\r\nThe main mobile threats in 2016 were advertising Trojans able to obtain ‘root’ or superuser rights on an infected\r\nAndroid device – a level of access that allowed them to do pretty much whatever they wanted. This included\r\nhiding in the system folder, thereby making themselves almost impossible to delete, and silently installing and\r\nlaunching different apps that aggressively display advertising. They can even buy new apps from Google Play.\r\n22 of the 30 most popular Trojans in 2016 are advertising Trojans – twice as many as in 2015\r\n#KLReport\r\nMany such Trojans were distributed through the Google Play Store: some of them were installed more than\r\n100,000 times, and one – an infected Pokemon GO Guide app – was installed more than 500,000 times.\r\nMalware distributed through Google Play was downloaded hundreds of thousands of times #KLReport\r\nOne Android Trojan installed and even updated as a ‘clean’ (malware-free) app before hitting targets with an\r\ninfected version. 
Others, including Svpeng, used the Google AdSense advertising network for distribution.\r\nFurther, some Trojans found new ways to bypass Android security features – in particular the screen overlays and\r\nthe need to request permission before opening a new app – forcing the user to sign over the access rights the\r\nTrojan was looking for.\r\nMobile ransomware also evolved to make use of overlays, blocking rather than encrypting data since this is\r\ngenerally backed-up.\r\nTo read more on these stories, please download the full annual Review for 2016 here.\r\nFor an in-depth look at the Statistics for 2016, please register to download the Statistics report here.\r\nThe impact on business\r\nThe 2016 threat landscape indicates a growing need for security intelligence\r\nThe Kaspersky Security Bulletin 2016 highlights the rise of complex and damaging cybersecurity threats, many of\r\nwhich have a far-reaching impact on businesses. This impact is also reflected in our Corporate IT Security Risks\r\nReports (1, 2) based on a 2016 survey of more than 4000 businesses worldwide.\r\nAmong other things, the survey asked companies about the most crucial metric of incident detection and response:\r\ntime.\r\nIncident detection time is critical\r\nPreviously unreleased findings from the research show that the typical time required to detect an IT Security event\r\nis several days – 28.7% of companies said it took them that long to detect a security breach on average.\r\nTime required to detect an IT security event\r\nOnly 8.2% of businesses managed to detect security breaches almost instantly, and for 19.1% of businesses it\r\ntook several weeks to detect a serious security event. 
When we asked how they eventually detected a long-standing breach, the replies were revealing.\r\nGoing beyond prevention\r\nAverage time frame required to detect a security event, across all security events\r\nwithin the last 12 months\r\nIn this chart we combine the average time to discover a security event with the responses we received on how\r\nbusinesses detected a breach. Apparently, businesses that struggle to detect a breach quickly eventually spot it\r\nthrough one or more of the following: an external or internal security audit, or, sadly, notification from a third\r\nparty.\r\nIt turns out that for these businesses a security audit of any kind is the best measure of ‘last resort’ to finally bring\r\nit to light. But should it be only a last resort?\r\nThis is where our report detects an obvious discrepancy between theory and practice. Although 65% of businesses\r\nadmit that a security audit is an effective security measure, less than half of the companies surveyed (48%) have\r\nconducted such an audit in the last 12 months. Further, 52% of companies operate under the assumption that their IT\r\nsecurity will inevitably be compromised at some point, although 48% are not ready to accept this. In short: many\r\nbusinesses find a structured detection and response strategy difficult to embrace.\r\nThe cost of delay\r\nIt is safe to assume that the longer it takes to detect a security breach, the higher the mitigation costs and the\r\ngreater the potential damage. The results reveal the shocking truth that failure to discover an attack within a few\r\ndays results in a doubling, or more, of the costs.\r\nCost of recovery vs. 
time needed to discover a security breach for enterprises\r\nFor enterprises, an attack undiscovered for a week or more costs 2.77 times that of a breach detected almost\r\ninstantly. SMBs end up paying 3.8 times more to recover from an incident detected too late.\r\nIt is clear that better detection significantly reduces business costs. But the implementation of incident detection\r\nand response strategies is quite different from ensuring proper prevention. The latter provides a choice of well-established corporate solutions. The former requires security intelligence, a deep knowledge of the threat\r\nlandscape, and security talent capable of applying that expertise to the unique specifics of a company. According\r\nto our special Corporate IT Security Risks report, businesses that struggle to attract security experts end up paying\r\ntwice as much for their recovery after an incident.\r\nKaspersky Lab’s solution: turning intelligence into protection\r\nIn 2016 Kaspersky Lab significantly expanded its portfolio with products like Kaspersky Anti-Targeted Attack\r\nPlatform and security services like Penetration Testing and Threat Data Feeds, all to help meet customer needs\r\nfor better detection and response. Our plan is to offer security intelligence via any means necessary: with a\r\ntechnology to detect targeted threats, a service to analyze and respond to a security event, and intelligence that\r\nhelps investigate an issue properly.\r\nWe appreciate that, for many businesses, going beyond prevention is a challenge. 
But even a single targeted\r\nattack that is detected early and mitigated rapidly is worth the investment – and increases the chances that the\r\nnext assault on the corporate infrastructure is prevented outright.\r\nSource: https://securelist.com/kaspersky-security-bulletin-2016-executive-summary/76858/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/kaspersky-security-bulletin-2016-executive-summary/76858/"
	],
	"report_names": [
		"76858"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a58aedbc-e89f-4e0c-8147-c6406a616cfa",
			"created_at": "2022-10-25T16:07:23.494355Z",
			"updated_at": "2026-04-10T02:00:04.629595Z",
			"deleted_at": null,
			"main_name": "Corkow",
			"aliases": [
				"Corkow",
				"Metel"
			],
			"source_name": "ETDA:Corkow",
			"tools": [
				"Corkow",
				"Metel"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0f47a6f3-a181-4e15-9261-50eef5f03a3a",
			"created_at": "2022-10-25T16:07:24.228663Z",
			"updated_at": "2026-04-10T02:00:04.905195Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"FruityArmor",
				"G0038",
				"Project Raven",
				"Stealth Falcon"
			],
			"source_name": "ETDA:Stealth Falcon",
			"tools": [
				"Deadglyph",
				"StealthFalcon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99845f58-2c39-46f7-8369-bb621ebb7002",
			"created_at": "2022-10-25T16:07:24.238844Z",
			"updated_at": "2026-04-10T02:00:04.90851Z",
			"deleted_at": null,
			"main_name": "Strider",
			"aliases": [
				"G0041",
				"ProjectSauron"
			],
			"source_name": "ETDA:Strider",
			"tools": [
				"Backdoor.Remsec",
				"ProjectSauron",
				"Remsec"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2608db3e-7f7a-42c0-922b-4c9cb22c7ce9",
			"created_at": "2023-01-06T13:46:38.278691Z",
			"updated_at": "2026-04-10T02:00:02.90849Z",
			"deleted_at": null,
			"main_name": "APT16",
			"aliases": [
				"SVCMONDR",
				"G0023"
			],
			"source_name": "MISPGALAXY:APT16",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "77aedfa3-e52b-4168-8269-55ccec0946f7",
			"created_at": "2023-01-06T13:46:38.453791Z",
			"updated_at": "2026-04-10T02:00:02.981559Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"FruityArmor",
				"G0038"
			],
			"source_name": "MISPGALAXY:Stealth Falcon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c1ac2a5e-0225-47a4-8ac5-5fa898c96bde",
			"created_at": "2023-01-06T13:46:38.472883Z",
			"updated_at": "2026-04-10T02:00:02.989134Z",
			"deleted_at": null,
			"main_name": "ProjectSauron",
			"aliases": [
				"Sauron",
				"Project Sauron",
				"G0041"
			],
			"source_name": "MISPGALAXY:ProjectSauron",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d7530f9-cd8e-4703-8aed-ab938e3b08cf",
			"created_at": "2023-01-06T13:46:38.620662Z",
			"updated_at": "2026-04-10T02:00:03.04163Z",
			"deleted_at": null,
			"main_name": "Danti",
			"aliases": [],
			"source_name": "MISPGALAXY:Danti",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "373f10d9-9fdb-4451-b158-da634c6bfb22",
			"created_at": "2024-02-06T02:00:04.148051Z",
			"updated_at": "2026-04-10T02:00:03.579412Z",
			"deleted_at": null,
			"main_name": "Operation Ghoul",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Ghoul",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-10T02:00:04.84985Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6301aade-ca8b-431c-b5e4-1b6ddd497ffc",
			"created_at": "2022-10-25T16:07:23.328033Z",
			"updated_at": "2026-04-10T02:00:04.544144Z",
			"deleted_at": null,
			"main_name": "APT 16",
			"aliases": [
				"APT 16",
				"G0023",
				"SVCMONDR"
			],
			"source_name": "ETDA:APT 16",
			"tools": [
				"ELMER",
				"Elmost",
				"IRONHALO",
				"SVCMONDR"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d5919968-4173-411e-801d-9a1a3bd6a10c",
			"created_at": "2022-10-25T16:07:23.959228Z",
			"updated_at": "2026-04-10T02:00:04.808278Z",
			"deleted_at": null,
			"main_name": "Operation Ghoul",
			"aliases": [],
			"source_name": "ETDA:Operation Ghoul",
			"tools": [
				"OpGhoul"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "593dd07d-853c-46cd-8117-e24061034bbf",
			"created_at": "2025-08-07T02:03:24.648074Z",
			"updated_at": "2026-04-10T02:00:03.625859Z",
			"deleted_at": null,
			"main_name": "BRONZE OVERBROOK",
			"aliases": [
				"Danti ",
				"DragonOK ",
				"Samurai Panda ",
				"Shallow Taurus ",
				"Temp.DragonOK "
			],
			"source_name": "Secureworks:BRONZE OVERBROOK",
			"tools": [
				"Aveo",
				"DDKONG",
				"Godzilla Webshell",
				"HelloBridge",
				"IsSpace",
				"NFLog Trojan",
				"PLAINTEE",
				"PlugX",
				"Rambo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "dcba8e2b-93e0-4d6e-a15f-5c44faebc3b1",
			"created_at": "2022-10-25T16:07:23.816991Z",
			"updated_at": "2026-04-10T02:00:04.758143Z",
			"deleted_at": null,
			"main_name": "Lurk",
			"aliases": [],
			"source_name": "ETDA:Lurk",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a0d369c1-f0b7-4c70-a3a5-77aabbd17979",
			"created_at": "2022-10-25T15:50:23.311311Z",
			"updated_at": "2026-04-10T02:00:05.407733Z",
			"deleted_at": null,
			"main_name": "Strider",
			"aliases": [
				"ProjectSauron"
			],
			"source_name": "MITRE:Strider",
			"tools": [
				"Remsec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2b29dd16-a06f-4830-81a1-365443bc54b8",
			"created_at": "2023-01-06T13:46:38.460047Z",
			"updated_at": "2026-04-10T02:00:02.983931Z",
			"deleted_at": null,
			"main_name": "QUILTED TIGER",
			"aliases": [
				"Chinastrats",
				"Sarit",
				"APT-C-09",
				"ZINC EMERSON",
				"ATK11",
				"G0040",
				"Orange Athos",
				"Thirsty Gemini",
				"Dropping Elephant"
			],
			"source_name": "MISPGALAXY:QUILTED TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434281,
	"ts_updated_at": 1775792298,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7f08574c8197d23e7bce2ed27b5098105fcb3e23.pdf",
		"text": "https://archive.orkl.eu/7f08574c8197d23e7bce2ed27b5098105fcb3e23.txt",
		"img": "https://archive.orkl.eu/7f08574c8197d23e7bce2ed27b5098105fcb3e23.jpg"
	}
}