{
	"id": "11c8d2c6-5ed5-4b7c-8305-70ab42235b03",
	"created_at": "2026-04-06T00:12:57.432553Z",
	"updated_at": "2026-04-10T13:12:52.1274Z",
	"deleted_at": null,
	"sha1_hash": "80b86ab0afb603e016a97048f1a3d98ba49c33f0",
	"title": "The curious case of the 7777-Botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2461128,
	"plain_text": "The curious case of the 7777-Botnet\r\nBy Gi7w0rm\r\nPublished: 2023-10-20 · Archived: 2026-04-05 18:21:21 UTC\r\nHello there and welcome back again to yet another blog post. Today, I am reporting on something I have been investigating for a while now. An alleged botnet, which at its peak included more than 16,000 infected devices, has been observed in targeted attacks in the US, UK, and France. There is even a link to organized cybercrime. But in the end, it still remains a mystery…\r\nSummary:\r\nIn recent months an unknown botnet has been observed brute-forcing Microsoft Azure logins through the “Microsoft Azure PowerShell” application, as recorded in the Azure sign-in logs. The botnet has a unique pattern of opening port 7777 on infected devices, returning an “xlogin:” message. The botnet has been used for low-volume attacks against targets of all industry sectors at a global scale, almost exclusively targeting C-level employee logins. Due to the very low volume of around 2–3 login requests per week, the botnet is able to evade most security solutions. An attribution is not possible with the current insights. [Struck through in the original: however, a loose connection with either UNC3944 / Storm-0875 / Scattered Spider or the Lazarus group can be made.] *\r\nChapter 1: A New Contact\r\nAs with most of my current Cyber Threat Intelligence endeavors, this case starts with someone reaching out to me for help. On the 19th of July of this year (2023), I was contacted by an employee of the British cybersecurity company Goldilock, who sent me the following message:\r\nFigure 1: The beginning\r\nhttps://gi7w0rm.medium.com/the-curious-case-of-the-7777-botnet-86e3464c3ffd\r\nPage 1 of 11\n\nWhat the researcher at Goldilock had found was a strange set of IP addresses that time and time again attempted (and failed) to log into their Microsoft Azure/Exchange environment, in what appeared to be a very slow and continuous brute-force attempt. This attack had the following characteristics:\r\nAn average of 2–3 attempts per week on a single account was observed, interspersed with occasional 7- to 10-day hiatuses\r\nEach IP address is used against exactly one user and is not recycled for different accounts\r\nAll login attempts used the “Microsoft Azure PowerShell” application according to the Azure portal sign-in logs, and all of them failed at the credential stage.\r\nWhat is interesting here is that this particular attack had not been identified by any security measure in place, neither the company's SIEM nor its Microsoft security products. The attack was simply so low in volume that the security appliances did not see it as unusual. It was only discovered when an employee noticed a login attempt from a country the company had no business in.\r\nChapter 2: A botnet?!\r\nAfter some digging, the employee was able to uncover around 50 different IPs that had taken part in this attack. In a first effort to uncover the source of this attack, the employee looked them up in the Shodan search engine. 
And indeed they all shared one similarity: an open port 7777!\r\nHere is a random example of how one of the identified devices looks in Shodan:\r\nFigure 2: An example device forming part of this Botnet\r\nAs you can see, port 7777 is open and showing a mysterious “xlogin:” message. Luckily enough, this particular pattern is pretty unique, so we can use Shodan to pivot on it by querying for port 7777 together with the “xlogin:” banner.\r\nAs of today, 07.10.2023, the following info can be obtained using this search:\r\nFigure 3: Shodan Report for our alleged Botnet\r\nAs you can see, a total of 3996 devices return the identified pattern. However, this is far from the original size of this pattern. When we first looked at the data presented by Shodan, we were looking at 9345 IPs. Indeed, Shodan's history feature gives us a pretty telling history graph on the matter:\r\nFigure 4: Historical Pattern Analysis\r\nAs can be seen, somewhere between June and July 2022, the pattern of this botnet started appearing. It quickly amounted to 16,108 devices in a 2-month timespan, reaching its peak distribution around August 2022. From there, the number of devices reflecting this pattern continuously decreased. However, there is a sudden strong decrease between August and September 2023. It is yet unknown what the cause of this is. But there is an explanation for the constant decrease in numbers. We will get there later.\r\nTo no one's real surprise, the devices showing the above-mentioned behavior all seem to be IoT devices, many of them connected via a residential IP. Among others, we identified Hikvision software, software related to TP-Link routers, and Dahua digital video recorders. One of the most affected devices seems to be the TL-WR841N router, which accounts for most of the infected devices in Bulgaria. We were able to identify that one of Bulgaria's largest ISPs issues this device to most of their clients. We will have a closer look at this device later on.\r\nObservational sidenote: Curiously, the strong decrease in numbers coincides with the Qakbot takedown at the end of August 2023.\r\nChapter 3: Expanding Comms\r\nWell, after we jointly had mapped out this information about the supposed botnet, we attempted several things to find out more.\r\nFirst of all, I obviously sent out a tweet. I knew something was odd and I knew where to look, but what to look for? Without direct access to an infected device, it is hard to get ahold of any malware or identify any script used to spread malicious code. So to gather some ideas I sent out a tweet.\r\nAnd while no one really had a good answer to my question, there was another interesting side effect. Shortly after making this tweet, a researcher going by the handle B1RD_D06 from the United States reached out to me because, based on that information, he recognised a threat that he himself had seen attacking his network during recent weeks. After some conversation, he disclosed that he was at that time working at a big company in the US energy sector. He had shared his observations with a community of cybersecurity-responsible individuals in the energy sector and in fact, several other US companies in this sector were affected as well. 
The attacks were all targeted at members of the individual companies' C-level management, which hints that this attack is somewhat more sophisticated than your average spray-and-pray brute-force attack.\r\nI was then also contacted by a researcher from the French security company Intrinsec. Among other services, Intrinsec provides 24/7 SOC monitoring, and the particular researcher was interested in using the information about the botnet to increase the security of their clients and, in turn, to provide me with some helpful information on their insights into this particular threat. Besides that, we discussed the idea of reaching out to victims of the IoT attack chain, to see if we could extract valuable information from the infected devices. In fact, the researcher from Goldilock had the exact same idea, and in a later part of this blog post we will have a look at our attempts at physically reverse-engineering an infected router. However, I first want to point out another observation that Intrinsec made after I had provided a list of IPs associated with this particular threat:\r\nFigure 5: Intrinsec observed attacks (sorry for the emoji spam, I was excited ^^ )\r\nSo indeed, after some further discussion with the SOC employees of Intrinsec, we were able to confirm that this botnet had also targeted several companies in France, using the attack method of low-volume “Microsoft Azure PowerShell” brute-forcing targeting exclusively VIPs. However, Intrinsec was further able to confirm that there was no specific business sector targeted. Based on their findings and the rather limited insight I have into other business sectors in the US, I do believe the botnet does not target the energy sector exclusively but that other sectors are targeted as well. The goal does seem to be to compromise high-value targets, which could be an indication of an actor with financial motives.\r\nA cross-check with the GreyNoise platform, which collects and tags known mass-scanning and botnet activity, revealed that none of these IPs appeared in its tracker. This is a further indication that the observed botnet is not broadly targeting in a spray-and-pray-like pattern but is actually working in a more targeted manner.\r\nChapter 4: Physical Reversing Attempt\r\nEarly on in this research, the researcher from Goldilock and I agreed that one of the best things to do to identify the malware used in this botnet attack was to get ahold of an infected device. With a bit of digging into the retrieved list of IP addresses from Shodan, we were able to identify several affected entities both in France and the UK which were in the area of the Goldilock and Intrinsec locations. And indeed, after some digging and sending out several emails, the researcher at Goldilock was able to retrieve a router with the above-mentioned characteristics. As Goldilock itself is a producer of security hardware, my contact had sufficient expertise to attempt to physically reverse engineer the device.\r\nFigure 6: Physical reverse attempt of an infected TP-Link router\r\nWhile this makes for some pretty neat images, we soon arrived at a sad conclusion: there was no evidence we could recover which could be associated with an attack. In fact, after setting up the router at Goldilock's lab, there was no port 7777 open on the infected device. 
It was all gone.\r\nTo explain this, we need to look at the hardware level of IoT devices. The TP-Link TL-WR940N, like many of the basic models we noticed were infected, runs on an entry-level MIPS-based system on chip, in this case the Qualcomm Atheros TP9343. This system has a mere 4MB of persistent flash storage, most of it occupied by the firmware and operating system.\r\nThe operating system is a customized Linux image (a Buildroot-style build) whose root filesystem is a read-only SquashFS image stored in flash; everything written at runtime ends up in RAM-backed storage (tmpfs). As a result, if a remote code execution (RCE) attack occurs, the malicious process and any files it drops survive only until the router is power-cycled, unless the implant also rewrites the firmware in flash, for which no evidence was found. Once restarted, the device boots the pristine firmware and no trace of the breach remains.\r\nThis could shed light on why we've seen a drop in the number of these routers over the past 6–8 months. Typically, users might restart their routers every few months, especially if they're experiencing connectivity or performance problems.\r\nWe did not get any further intel, but I share this information to make sure that other researchers who might look into this issue take the appropriate care when trying to analyze an infected device. Mistakes were made. In practice that means keeping the device powered and connected, and capturing whatever can be captured over the network (the port 7777 service, process listings, configuration, and ideally a memory image through any available shell or debug access) before anything is unplugged, because a single reboot destroys the only evidence.\r\nChapter 5: An attempt at attribution\r\nSo as you can see, after several months of research, our findings are still based mostly on IP addresses in logs attempting brute force. Neither were we able to recover the associated malware nor were we able to recover enough evidence to identify the people behind it. 
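Since sign-in log entries were the only artefact the affected companies had, the following is an added example, written for this edit and not code from the original post or from Goldilock or Intrinsec, of how the pattern from Chapter 1 can be surfaced from Microsoft Entra sign-in records: a handful of credential-stage failures against the “Microsoft Azure PowerShell” application, spread over weeks, each from a source IP that is never tried against any other account. Field names follow the shape of the Microsoft Graph signIn resource (createdDateTime, userPrincipalName, ipAddress, appDisplayName, status.errorCode); the records, addresses and thresholds are constructed assumptions.

```python
# Added example: low-and-slow Azure PowerShell brute-force detection over
# Microsoft Entra sign-in records. Not from the original post; field names
# follow the Graph signIn resource, records and thresholds are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

APP = 'Microsoft Azure PowerShell'
CRED_FAIL = 50126   # AADSTS50126: invalid username or password (credential stage)

def rec(ts, upn, ip, app=APP, code=CRED_FAIL):
    '''Build one sign-in record in Graph signIn shape (constructed data).'''
    return {'createdDateTime': ts, 'userPrincipalName': upn, 'ipAddress': ip,
            'appDisplayName': app, 'status': {'errorCode': code}}

# Constructed sign-in log (documentation address ranges only, not real telemetry):
SIGNIN_LOG = (
    # the pattern: 7 failures against one executive over 4 weeks, fresh IP each time
    [rec('2023-07-%02dT03:1%d:00Z' % (d, i), 'ceo@example.com', '203.0.113.%d' % (10 + i))
     for i, d in enumerate((1, 4, 8, 13, 20, 22, 29))]
    # noise: 30 failures from one IP in half an hour (classic spray, caught by volume rules)
    + [rec('2023-07-10T12:%02d:00Z' % m, 'sales@example.com', '198.51.100.7') for m in range(30)]
    # noise: two typos from a user's own address, then a successful Exchange sign-in
    + [rec('2023-07-15T09:00:00Z', 'dev@example.com', '192.0.2.5'),
       rec('2023-07-15T09:01:00Z', 'dev@example.com', '192.0.2.5'),
       rec('2023-07-16T09:00:00Z', 'dev@example.com', '192.0.2.5',
           app='Office 365 Exchange Online', code=0)]
)

def parse_ts(ts):
    return datetime.strptime(ts, '%Y-%m-%dT%H:%M:%SZ')

def find_low_and_slow(records, min_attempts=4, min_span_days=14, max_per_week=5.0):
    '''Return {upn: finding} for accounts whose Azure PowerShell credential
    failures are few, spread over at least min_span_days, arrive at no more than
    max_per_week, and come from source IPs never tried against any other account.'''
    # 1. credential-stage failures against the Azure PowerShell app only
    hits = [r for r in records
            if r['appDisplayName'] == APP and r['status']['errorCode'] == CRED_FAIL]
    # 2. which accounts has each source IP been tried against?
    #    (an IP recycled across users is ordinary spraying, not this pattern)
    ip_targets = defaultdict(set)
    by_user = defaultdict(list)
    for r in hits:
        ip_targets[r['ipAddress']].add(r['userPrincipalName'])
        by_user[r['userPrincipalName']].append(r)
    # 3. per account: count, time span, weekly rate and IP dedication
    findings = {}
    for upn, rs in by_user.items():
        times = sorted(parse_ts(r['createdDateTime']) for r in rs)
        span = times[-1] - times[0]
        if len(rs) < min_attempts or span < timedelta(days=min_span_days):
            continue            # too few, or a burst: not low-and-slow
        per_week = len(rs) / (span.total_seconds() / (7 * 86400))
        if per_week > max_per_week:
            continue
        ips = {r['ipAddress'] for r in rs}
        findings[upn] = {
            'attempts': len(rs),
            'span_days': span.days,
            'per_week': round(per_week, 2),
            'distinct_ips': len(ips),
            # True when every source IP was used against this account only
            'ips_dedicated': all(ip_targets[ip] == {upn} for ip in ips),
            'ips': sorted(ips),
        }
    return findings

if __name__ == '__main__':
    for upn, f in find_low_and_slow(SIGNIN_LOG).items():
        print(upn, f)
```

Run it over 30 to 90 days of records (a Graph /auditLogs/signIns export or the Sentinel SigninLogs table, after renaming the columns) rather than the last 24 hours; the whole point of the pattern is that any single day looks normal. The dedicated-IP test is what separates this from ordinary spraying, and it deliberately complements rather than replaces the volume-based spray rules the SIEM already has.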
However, there is one interesting observation that I have kept for the end of this post.\r\nYou see, while investigating the botnet, there was one IP which stood out:\r\n45.61.136[.]133\r\nWhen looking at this IP using the Shodan history tab, we can see that in January this year, the IP had a very similar pattern sitting on port 7777:\r\nFigure 7: Port 7777 on a WebServer?\r\nThis particular IP stands out because it is the only IP we could identify which is not an IoT device but an actual web server at a hosting company. Also, the “xlogin:” pattern is slightly off according to Intrinsec's CTI team, who determined a one-byte difference in the banner. The fact that this is the only non-IoT device we have been observing makes me believe that it might have been a C2 server for the botnet in or around January of this year.\r\n*outdated paragraph*\r\nHowever, this leads to an interesting correlation. The IP 45.61.136[.]133 actually appears in a Threat Intelligence report by ReversingLabs.\r\nThe report, which was released in August 2023, discusses a supply chain attack on the Python Package Index (PyPI) repository. The attackers uploaded several different malicious Python packages which were designed to download additional malicious instructions after being imported into other projects.\r\nIn their article, ReversingLabs states that they attribute their observed campaign to the Lazarus actor based on the following observations:\r\nFigure 8: Lazarus?\r\nHowever, here is where it gets a bit tricky. After reading this report I actually reached out to some contact at CrowdStrike about the attribution of this particular IP. And what I was told is that the CrowdStrike CTI product actually has this IP attributed to a completely different group: UNC3944 / Storm-0875 / Scattered Spider. This didn't really make things easier. So I decided to double-check with a researcher from Microsoft MSTIC. They confirmed that the IP address in question is attributed to UNC3944 / Storm-0875 / Scattered Spider. And as if this was not enough, Recorded Future, another big Threat Intelligence vendor, has it under Lazarus (Labyrinth Chollima). So that's a solid 2 vs 2 on the attribution side. And even if we had a clear picture of whom to attribute the IP to, it wouldn't be safe to say whether the potential botnet control server was run by this group or whether the server was rented by yet another entity at the time of its malicious involvement in the botnet activity.\r\n*outdated paragraph end*\r\nUpdate: After releasing this article, I was contacted by a fellow IT security researcher. The researcher pointed out that at the time of the observed pattern, the IP 45.61.136[.]133 was owned by them. The researcher had indeed observed the same botnet pattern and activity and had therefore made an attempt to copy the pattern. Their goal was to collect additional intelligence on the botnet's activity by trying to mimic a compromised device. Sadly their attempt was unsuccessful, likely because the botnet has some sort of C2 server that actively registers new devices, which is why their fake device did not receive any commands. The attribution made above is therefore obsolete.\r\nSo yet again, our investigation had run into a dead end. Even after more weeks of searching and some people at Recorded Future and Microsoft running additional queries, no further intelligence was uncovered.\r\nThank you for reading this blog post. 
I really appreciate your time and hope you have learned something of value.\r\nAlso thank you to:\r\nGoldilock\r\nthe researchers of the Intrinsec SOC and their CTI team\r\nDunstable Toblerone\r\nFr0gger\r\nB1RD_D06\r\nSOSIntel\r\naejleslie\r\nwho all to some extent took a role in investigating the 7777-Botnet.\r\nIf any additional findings are based on this blog post I would love to be tagged on it, as I am still very curious about this threat. Consider following me here (to get notified on upcoming posts) or on Twitter.\r\nCheers ❤\r\n*Update 20.10.2023: Added a paragraph in Chapter 5 to reflect further intelligence gathered in regard to attribution. Please read the highlighted section!\r\nSource: https://gi7w0rm.medium.com/the-curious-case-of-the-7777-botnet-86e3464c3ffd",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://gi7w0rm.medium.com/the-curious-case-of-the-7777-botnet-86e3464c3ffd"
	],
	"report_names": [
		"the-curious-case-of-the-7777-botnet-86e3464c3ffd"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434377,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/80b86ab0afb603e016a97048f1a3d98ba49c33f0.pdf",
		"text": "https://archive.orkl.eu/80b86ab0afb603e016a97048f1a3d98ba49c33f0.txt",
		"img": "https://archive.orkl.eu/80b86ab0afb603e016a97048f1a3d98ba49c33f0.jpg"
	}
}