{
	"id": "3c8a9425-6fee-4b28-91b5-8f12dee87f7f",
	"created_at": "2026-04-06T00:07:50.891532Z",
	"updated_at": "2026-04-10T13:11:40.400533Z",
	"deleted_at": null,
	"sha1_hash": "7f13be3af704c8a62e551cdf67259f7bcec5e917",
	"title": "TDrop2 Attacks Suggest Dark Seoul Attackers Return",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 526421,
	"plain_text": "TDrop2 Attacks Suggest Dark Seoul Attackers Return\r\nBy Bryan Lee, Josh Grunzweig\r\nPublished: 2015-11-18 · Archived: 2026-04-02 11:40:29 UTC\r\nWhile researching new, unknown threats collected by WildFire, we discovered the apparent re-emergence of a\r\ncyber espionage campaign thought to be dormant after its public disclosure in June 2013. The tools and tactics\r\ndiscovered, while not identical to the previous Dark Seoul campaign, showed extreme similarities in their\r\nfunctions, structure, and tools. In this post, we will provide an overview of the original Dark Seoul campaign in\r\n2013, the similarities and differences in tactics, the malware used, as well as attempt to answer the question of\r\n‘why now’?\r\nOverview\r\nIn March 2013, the country of South Korea experienced a major cyberattack, affecting tens of thousands of\r\ncomputer systems in the financial and broadcasting industries. This attack was dubbed ‘Dark Seoul’; it involved\r\nwreaking havoc on affected systems by wiping their hard drives, in addition to seeking military intelligence.\r\nThe attack was initially thought to be attributed to North Korea, by way of a Chinese IP found during the attack,\r\nbut no other strong evidence of North Korea’s involvement has been produced since then. In June 2013, McAfee\r\npublished a report detailing the chronology and variance of the Dark Seoul campaign, but renamed it ‘Operation\r\nTroy’. The report analyzed the entirety of the purported attack campaign, beginning in 2009 using a family of\r\ntools dubbed ‘Troy’. McAfee further attributed two groups to the campaign: the NewRomanic Cyber Army Team\r\nand The Whois Hacking Team; both groups believed to be state sponsored. 
Since the publication of that report, no\r\nother activity involving either group or the tools has been detected or shared publicly.\r\nThat is, until now.\r\nDark Seoul Returns\r\nUsing the Palo Alto Networks AutoFocus threat intelligence platform, we identified several samples of malicious\r\ncode with behavior similar to the aforementioned Operation Troy campaign dating back to June 2015, over two\r\nyears after the original attacks in South Korea. Session data revealed a live attack targeting the transportation and\r\nlogistics sector in Europe. The initial attack was likely a spear-phishing email, which leveraged a trojanized\r\nversion of a legitimate software installation executable hosted by a company in the industrial control systems\r\nsector. The modified executable still installs the legitimate video player software it claims to contain, but also\r\ninfects the system. Based on deep analysis of the Trojan’s behavior, binary code, and previous reports of similar\r\nattacks, we have concluded that these samples were the same as the original tools used in the Dark\r\nSeoul/Operation Troy attacks. It is likely the same adversary group is involved, although there is currently\r\ninsufficient data to confirm this conclusion.\r\nMalware Overview\r\nhttps://unit42.paloaltonetworks.com/tdrop2-attacks-suggest-dark-seoul-attackers-return/\r\nPage 1 of 6\n\nThe malicious code was delivered via the following two executable names, packaged together in a zip archive file:\r\n[redacted]Player_full.exe\r\n[redacted]Player_light.exe\r\nBoth executables present themselves as legitimate installation programs offered by the industrial control systems\r\norganization, providing video player software for security camera solutions. 
When either sample was executed, the\r\nmalware dropped and subsequently executed the actual video player it disguised itself as.\r\nThe new malware variant, which we call TDrop2, proceeds to select a legitimate Microsoft Windows executable\r\nin the system32 folder, executes it, and then uses the legitimate executable’s process as a container for the\r\nmalicious code, a technique known as process hollowing. Once successfully executed, the corresponding process\r\nthen attempts to retrieve the second-stage payload.\r\nThe second-stage instruction attempts to obfuscate its activity by retrieving a payload that appears to be an image\r\nfile, but upon further inspection is actually a portable executable.\r\nThe C2 server replaces the first two bytes, which are normally ‘MZ’, with the characters ‘DW’, which may allow\r\nthis C2 activity to evade rudimentary network security solutions and thus increase the success rate of retrieval.\r\nOnce downloaded, the dropper restores the original two bytes prior to executing it. This second-stage payload\r\nwill once again perform process hollowing against a randomly selected Windows executable located in the\r\nsystem32 folder. The overall workflow of this malware is visualized below:\r\nThe final payload provides the following capabilities to attackers:\r\nCommand Description\r\n1001 Modify C2 URLs\r\n1003 Download\r\n1013 Download/execute malware in other process\r\n1018 Modify wait interval time\r\n1025 Download/execute and return response\r\nDefault Execute command and return results\r\nThese commands are encrypted/encoded when transferred over the network, as we can see below.\r\nThe malware uses an unidentified cryptographic routine for encryption. 
Additionally, the following custom\r\nalphabet is used for base64 encoding that takes place after the encryption of the data:\r\n3bcd1fghijklmABCDEFGH-J+LMnopq4stuvwxyzNOPQ7STUVWXYZ0e2ar56R89K/\r\nOnce decoded and decrypted, we see the following command being provided:\r\ntick 7880\r\nsysteminfo \u0026 net view \u0026 netstat -naop tcp \u0026 tasklist \u0026 dir /a \"%userprofile%\\AppData\\Local\\Microsoft\\Outlook\"\r\n\u0026 dir /a \"%temp%\\*.exe\" \u0026 dir \"%ProgramFiles%\" \u0026 dir \"%ProgramFiles%\\Microsoft Office\"\r\n1018; 60\r\nThe initial ‘tick’ string is hardcoded and must be present for the malware to accept the subsequent command(s). In\r\nthis case, the initial commands are used to perform basic reconnaissance on the infected host and return the results\r\nto the attacker, then initialize a sleep period of 60 seconds.\r\nWe will publish more details about the TDrop2 malware variant in a follow-up blog.\r\nMalware Similarities\r\nAnalysis of the identified malicious code reveals distinct similarities in behavior and functionality to the\r\noriginal Dark Seoul/Operation Troy toolset.\r\nThe use of the custom base64 alphabet was observed in the following twelve samples that were specified within\r\nthe Operation Troy 
whitepaper:\r\n2e500b2f160f927b1140fb105b83300ca21762c21bb6195c44e8dc613f7d7b12\r\n353a1288b1f8866af17cd7dffb8b202860f03da8d42e6a76df7b5212b3294632\r\n4a11e0453af1155262775e182e5889fc7141f0fa73f8ac916fd83d2942480437\r\n4df8a104c9d992c6ea6bd682f86c96ddffab302591330588465640eb8a04fa2d\r\n591eb8ce448ab95b28a043943bd9de91489b5ebb1ef4a7b2646742b635fa93f2\r\n8e84f93fd0e00acba0e1c4b1c1cef441fa33ad5c95e7bacbd7261ee262be039a\r\n971fd9ae00ffce5738670ec26bca6cf3ad1a4c47d133cee672470381c559b5a7\r\na30eb5774fe309044467a6a90355cc69d62843cc946eb9cc568095a053980098\r\nb323d4c3bef99742dda27df3bf07a46941932fec147daaa4863440c13a21ec49\r\nc1a7b065555b833f76d87b54f1dd2ede90bce9268325e8524b372c01f3ef4403\r\nc1cf57f2bdec8c9b650dfaba0427d12c39189330efab8cd9aa4dbfbd6735cf40\r\ndbb0f061dd29b3f69d5fe48e3827e279bd8bdcf584f30fe35b037074c00eb840\r\nThe majority of these samples had debug strings that referenced the ‘TDrop’ malware family, which is likely the\r\npredecessor to the malware observed in this campaign and the source of the name ‘TDrop2’.\r\nThe new variant uses a distinct string decryption routine, which was also observed in a number of Operation\r\nTroy samples.\r\nThe same string decryption routine was also observed in 64-bit samples from the Operation Troy campaign. The\r\nfollowing samples were found to have this decryption routine present:\r\n486141d174acec27a4139c4593362bd5c51a88f49dfde46d134a987b34896dc2\r\n9d84e173796657162790377be2303b59d3cf680edec73627e209ca975fabe41c\r\na15aafcc79cc66ce7b45113ceff892261874fad9cf140af5b9fa401a1f06c4a4\r\nbc724f66807e2f9c9cab946a3e97da51ad7a34f692e93d6e2b2db8cf39ae01db\r\nNetwork communications appeared identical to that described in a Korean blog post written in June 2013\r\nregarding what appears to be a partial analysis of the Dark Seoul attack. 
The behavior of the analyzed malicious\r\ncode made references to decoding a PE file from both a .gif and .jpg URL. Additionally, a unique POST separator\r\nstring is identified (6e8fad908fe13c), which also matches the malware payload observed in TDrop2 samples.\r\nThe command and control (C2) servers used in these recent attacks are compromised websites located in South\r\nKorea and Europe. It’s not clear what led to the compromise of these four web servers (listed in the IOC section\r\nbelow), but they all appear to use shared hosting providers and operate on out-of-date software that may contain\r\nvulnerabilities and/or misconfigurations.\r\nThe Attackers\r\nAt this time, it is unclear if this attack is attributed to the same two groups previously outlined in McAfee’s 2013\r\nreport. There are obvious similarities in the malware used, as well as other tactics, but there are also some obvious\r\ndifferences. The targeting, for example, is completely different, in that this observed attack is not aimed at military,\r\ngovernment, or financial institutions in the South Korea region. In addition, there has been no evidence of\r\ndestructive functionality in the samples analyzed by Unit 42, although the malware is capable of downloading\r\nadditional components, so those may simply not yet have been observed.\r\nThe similarities in tactics, however, do seem to outweigh the differences, and it is highly likely this is the same\r\ngroup or groups responsible for the original Dark Seoul/Operation Troy attacks, but with a new target and a new\r\ncampaign.\r\nConclusion\r\nIt is not uncommon for threat actors to become dormant for some period of time, especially after public unveiling\r\nas the groups behind Dark Seoul/Operation Troy experienced. 
What we do know is that changing infrastructure\r\nand toolsets can be challenging, and it is not nearly as common that a very specialized tool developed for specific\r\nteams would be shared amongst threat actors.\r\nThere is insufficient data at this time to clearly state why Dark Seoul/Operation Troy would resurface at this time,\r\nbut Unit 42 will continue to monitor the activity as the situation develops.\r\nWe have created the AutoFocus tag TDrop2 to identify samples of this new variant and have added known C2\r\ndomains and hash values to the Threat Prevention product set. At this time, WildFire is able to correctly identify\r\nthe samples associated with this campaign as malicious.\r\nIOC List\r\nSHA256 Hashes\r\n52939b9ec4bc451172fa1c5810185194af7f5f6fa09c3c20b242229f56162b0f\r\n1dee9b9d2e390f217cf19e63cdc3e53cc5d590eb2b9b21599e2da23a7a636184\r\n52d465e368d2cb7dbf7d478ebadb367b3daa073e15d86f0cbd1a6265abfbd2fb\r\na02e1cb1efbe8f3551cc3a4b452c2b7f93565860cde44d26496aabd0d3296444\r\n43eb1b6bf1707e55a39e87985eda455fb322afae3d2a57339c5e29054fb52042\r\nDomains\r\nwww.junfac[.]com\r\nwww.htomega[.]com\r\nmcm-yachtmanagement[.]com\r\nwww.combra[.]eu\r\nURLs\r\nwww.junfac[.]com/tires/skin/tires.php\r\nwww.htomega[.]com/rgboard/image/rgboard.gif\r\nmcm-yachtmanagement[.]com/installx/install_ok.php\r\nwww.combra[.]eu/includes/images/logo.jpg\r\nSource: https://unit42.paloaltonetworks.com/tdrop2-attacks-suggest-dark-seoul-attackers-return/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/tdrop2-attacks-suggest-dark-seoul-attackers-return/"
	],
	"report_names": [
		"tdrop2-attacks-suggest-dark-seoul-attackers-return"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434070,
	"ts_updated_at": 1775826700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7f13be3af704c8a62e551cdf67259f7bcec5e917.pdf",
		"text": "https://archive.orkl.eu/7f13be3af704c8a62e551cdf67259f7bcec5e917.txt",
		"img": "https://archive.orkl.eu/7f13be3af704c8a62e551cdf67259f7bcec5e917.jpg"
	}
}