{
	"id": "7d031c1f-a9f5-4c8e-8fa6-22685d04e2d4",
	"created_at": "2026-04-06T00:10:00.234743Z",
	"updated_at": "2026-04-10T03:37:40.868761Z",
	"deleted_at": null,
	"sha1_hash": "80eddc875d47957c80e1feee753985f2f871379d",
	"title": "it didn't turn into a truck, but a widely spread Android botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 101905,
	"plain_text": "it didn't turn into a truck, but a widely spread Android botnet\r\nArchived: 2026-04-05 21:26:43 UTC\r\nAndroid Flutter malware\r\nVB2024 paper: Android Flutter malware, Axelle Apvrille\r\nCeranaKeeper: a relentless shape-shifting group targeting Thailand\r\nVB2024 paper: CeranaKeeper: a relentless shape-shifting group targeting Thailand, Romain Dumont\r\nA wild RAT appears: reversing DinodasRAT on Linux\r\nVB2024 paper: A wild RAT appears: reversing DinodasRAT on Linux, Anderson Leite \u0026 Fabio Marenghi\r\nReviewing the 2022 KA-SAT incident \u0026 implications for distributed communication\r\nenvironments\r\nVB2024 paper: Reviewing the 2022 KA-SAT incident \u0026 implications for distributed communication\r\nenvironments, Joe Slowik\r\nDark deals: unveiling the underground market of exploits\r\nVB2024 paper: Dark deals: unveiling the underground market of exploits, Anna Pavlovskaia\r\nSO that looks suspicious: leveraging process memory and kernel/usermode probes to detect\r\nShared Object injection at scale on Linux\r\nVB2024 presentation: SO that looks suspicious: leveraging process memory and kernel/usermode probes to detect\r\nShared Object injection at scale on Linux, Daniel Jary\r\nP-wave of malicious code signing\r\nVB2024 paper: P-wave of malicious code signing, Yuta Sawabe, Shogo Hayashi \u0026 Rintaro Koike\r\nProject 0xA11C: deoxidizing the Rust malware ecosystem\r\nVB2024 paper: Project 0xA11C: deoxidizing the Rust malware ecosystem, Nicole Fishbein \u0026 Juan Andrés\r\nGuerrero-Saade\r\nSugarcoating KANDYKORN: a sweet dive into a sophisticated MacOS backdoor\r\nVB2024 paper: Sugarcoating KANDYKORN: a sweet dive into a sophisticated MacOS backdoor, Salim Bitam\r\nhttps://www.virusbulletin.com/conference/vb2024/abstracts/octopus-prime-didnt-turn-truck-widely-spread-android-botnet/\r\nPage 1 of 8\n\nLeveraging AI to enhance the capabilities of SHAREM Shellcode Analysis Framework\r\nVB2024 paper: Leveraging AI to enhance the 
capabilities of SHAREM Shellcode Analysis Framework, Bramwell\r\nBrizendine\r\nAutomatically detect and support against anti-debug with IDA/Ghidra to streamline debugging\r\nprocess\r\nVB2024 paper: Automatically detect and support against anti-debug with IDA/Ghidra to streamline debugging\r\nprocess, Takahiro Takeda\r\nGo-ing arsenal: a closer look at Kimsuky’s Go strategic advancement\r\nVB2024 paper: Go-ing arsenal: a closer look at Kimsuky’s Go strategic advancement, Jiho Kim, Sebin Lee \u0026\r\nSojun Ryu\r\nCybercrime turned cyber espionage: the many faces of the RomCom group\r\nVB2024 paper: Cybercrime turned cyber espionage: the many faces of the RomCom group, Vlad Stolyarov \u0026\r\nDan Black\r\nDon't be a PUP-pet: exposing pay-per-install networks\r\nVB2024 paper: Don't be a PUP-pet: exposing pay-per-install networks, Dmitrij Lenz \u0026 James Wyke\r\nGhosts from the past: become Gh0stbusters in 2024\r\nVB2024 paper: Ghosts from the past: become Gh0stbusters in 2024, Hiroshi Takeuchi\r\nShadow play: WildCard's malware campaigns amidst Israel-Hamas conflict\r\nVB2024 paper: Shadow play: WildCard's malware campaigns amidst Israel-Hamas conflict, Nicole Fishbein \u0026\r\nRyan Robinson\r\nSupercharge your malware analysis workflow\r\nVB2024 paper: Supercharge your malware analysis workflow, Kevin Hardy-Cooper \u0026 Ryan Samaroo\r\nFrom code to crime: exploring threats in GitHub Codespaces\r\nVB2024 paper: From code to crime: exploring threats in GitHub Codespaces, Jaromir Horejsi \u0026 Nitesh Surana\r\nThe Mask has been unmasked again\r\nVB2024 paper: The Mask has been unmasked again, Georgy Kucherin \u0026 Marc Rivero López\r\nCrackedCantil: a malware symphony delivered by cracked software; performed by loaders,\r\ninfostealers, ransomware, et al.\r\nVB2024 paper: CrackedCantil: a malware symphony delivered by cracked 
software; performed by loaders,\r\ninfostealers, ransomware, et al., Lena Yu\r\nWho plays on AZORult? An unknown attacker collects various data and spreads additional\r\npayloads with AZORult for around 5 years\r\nVB2024 paper: Who plays on AZORult? An unknown attacker collects various data and spreads additional\r\npayloads with AZORult for around 5 years, Masaki Kasuya\r\nConfronting the surge of macOS stealers in 2024\r\nVB2024 paper: Confronting the surge of macOS stealers in 2024, Kseniia Yamburh \u0026 Mykhailo Hrebeniuk\r\nCode blue: energy\r\nVB2024 paper: Code blue: energy, Righard Zwienenberg \u0026 Josep Albors\r\nMarketplace scams: neanderthals hunting mammoths with Telekopye\r\nVB2024 paper: Marketplace scams: neanderthals hunting mammoths with Telekopye, Jakub Souček \u0026 Radek\r\nJizba\r\nMultimodal AI: the sixth sense for cyber defence\r\nVB2024 paper: Multimodal AI: the sixth sense for cyber defence, Younghoo Lee\r\nDown the GRAYRABBIT hole - exposing UNC3569 and its mastermind\r\nVB2024 paper: Down the GRAYRABBIT hole - exposing UNC3569 and its mastermind, Steve Su, Aragorn\r\nTseng, Chi-Yu You (YCY) \u0026 Cristiana Brafman Kittner\r\nHospitals, airports and telcos - modern approach to attributing hacktivism attacks\r\nVB2024 paper: Hospitals, airports and telcos - modern approach to attributing hacktivism attacks, Itay Cohen\r\nBreaking boundaries: investigating vulnerable drivers and mitigating risks\r\nVB2024 paper: Breaking boundaries: investigating vulnerable drivers and mitigating risks, Jiří Vinopal\r\nLife and DEaTH: building detection, forensics, and intelligence at scale\r\nVB2024 paper: Life and DEaTH: building detection, forensics, and intelligence at scale, Selena Larson \u0026\r\nKonstantin Klinger\r\nWorkshop: Writing malware configuration parsers\r\nVB2024 Workshop: Writing malware 
configuration parsers, Mark Lim \u0026 Zong-Yu Wu\r\nUnveiling shadows: key tactics for tracking cyber threat actors, attribution, and infrastructure\r\nanalysis\r\nVB2024 paper: Unveiling shadows: key tactics for tracking cyber threat actors, attribution, and infrastructure\r\nanalysis\r\nOpen by default: the hidden cost of convenience in network security\r\nVB2024 paper: Open by default: the hidden cost of convenience in network security, Aurelio Picon\r\nOctopus Prime: it didn't turn into a truck, but a widely spread Android botnet\r\nVB2024 paper: Octopus Prime: it didn't turn into a truck, but a widely spread Android botnet, Thibault Seret\r\nModern-day witchcraft: a new breed of hybrid attacks by ransomware operators\r\nVB2024 paper: Modern-day witchcraft: a new breed of hybrid attacks by ransomware operators, Vaibhav\r\nDeshmukh, Ashutosh Raina \u0026 Sudhanshu Dubey\r\nUnveiling the dark side of set-top boxes: the Bigpanzi cybercrime syndicate\r\nVB2024 paper: Unveiling the dark side of set-top boxes: the Bigpanzi cybercrime syndicate, Alex Turing\r\nThe deck is stacked: analysis of OracleBamboo's SPYDEALER Android backdoor e domestic\r\nsurveillance\r\nVB2024 paper: The deck is stacked: analysis of OracleBamboo's SPYDEALER Android backdoor, Paul\r\nRascagneres \u0026 Charles Gardner\r\nArming WinRAR: deep dive into APTs exploiting WinRAR’s 0-day vulnerability - a SideCopy\r\ncase study\r\nVB2024 paper: Arming WinRAR: deep dive into APTs exploiting WinRAR’s 0-day vulnerability - a SideCopy\r\ncase study, Sathwik Ram Prakki\r\nOver the cassowary’s nest - dissecting Turla’s latest revision of the Kazuar backdoor\r\nVB2024 paper: Over the cassowary’s nest - dissecting Turla’s latest revision of the Kazuar backdoor, Daniel Frank\r\n\u0026 Tom Fakterman\r\nTA577 walked just past you: indirect syscalls in Pikabot\r\nVB2024 paper: TA577 walked just past you: indirect syscalls in Pikabot, Emre 
Güler\r\nAn open-source cloud DFIR kit - Dredge!\r\nVB2024 paper: An open-source cloud DFIR kit - Dredge!, Santiago Abastante\r\nByteing back: detection, dissection and protection against macOS stealers\r\nVB2024 paper: Byteing back: detection, dissection and protection against macOS stealers, Patrick Wardle\r\nExtending STIX 2.1 to capture malware incidents\r\nVB2024 paper: Extending STIX 2.1 to capture malware incidents, Desiree Beck\r\nSpot the difference: Earth Kasha's new LODEINFO campaign and the correlation analysis with\r\nAPT10 umbrella\r\nVB2024 paper: Spot the difference: Earth Kasha's new LODEINFO campaign and the correlation analysis with\r\nAPT10 umbrella, Hiroaki Hara\r\nHow to hunt geopolitically driven Bitter APT operations\r\nVB2024 paper: How to hunt geopolitically driven Bitter APT operations, Shengbin Bao\r\nTIPS: Certified malware: a case for industry TI sharing of DigSig metadata\r\nVB2024 TIPS presentation: Certified malware: a case for industry TI sharing of DigSig metadata, Samir Mody\r\nTIPS: Bye Bye WarZone RAT (for now); Capturing Cybercriminals through\r\n#CoordindatedDisruption, Part 2\r\nVB2024 TIPS presentation: Bye Bye WarZone RAT (for now); Capturing Cybercriminals through\r\n#CoordindatedDisruption, Part 2, Sara Eberle \u0026 Mike Bordini\r\nTIPS: Fireside chat: Achtung Baby! Cybersecurity insights with U2 (you too)\r\nVB2024 TIPS presentation: Fireside chat: Achtung Baby! 
Cybersecurity insights with U2 (you too), Jeannette\r\nJarvis, Selena Larson, Jeanette Miller-Osborn \u0026 Kathi Whitbey\r\nTIPS: Unveiling cybersecurity impact: the role of published security findings in strengthening\r\ninternet defence strategies\r\nVB2024 TIPS presentation: Unveiling cybersecurity impact: the role of published security findings in\r\nstrengthening internet defence strategies, Slawek Grzonkowsi\r\nTIPS: Panel: Briskets or biscuits: how to construct your CTI team\r\nVB2024 TIPS presentation: Panel: Briskets or biscuits: how to construct your CTI team, Noortje Henrichs,\r\nHossein Hadian Jazi, Kathi Whitbey, Righard Zwienenberg\r\nTIPS: Building resilience through collaboration: a data-driven and data-informed cyber threat\r\nintelligence sharing style guide based on STIX 2.1\r\nVB2024 TIPS presentation: Building resilience through collaboration: a data-driven and data-informed cyber\r\nthreat intelligence sharing style guide based on STIX 2.1, Linda Beverly\r\nTIPS: Indicator wranglin’ - an approach to dynamically typing IOCs with poor data context\r\nVB2024 TIPS presentation: Indicator wranglin’ - an approach to dynamically typing IOCs with poor data context,\r\nNoah Dunn\r\nTIPS: Adaptive protection put to the test\r\nVB2024 TIPS presentation: Adaptive protection put to the test, Zsomber Kovacs, Liam O'Murchu\r\nTIPS: Stix and stones: enabling faster intelligence gathering with GenAI and OASIS\r\nVB2024 TIPS presentation: Stix and stones: enabling faster intelligence gathering with GenAI and OASIS, Kieran\r\nHughes\r\nTIPS: Operation Endgame\r\nVB2024 TIPS presentation: Operation Endgame, Marijn Schuurbiers\r\nOpening keynote: Solving puzzles: protecting high-risk communities\r\nVB2024 opening keynote: Solving puzzles: protecting high-risk communities, Runa Sandvik\r\nClosing keynote: May you live in 
interesting times\r\nVB2024 closing keynote: May you live in interesting times, Brian Honan\r\nTIPS: Radical transparency in cyber\r\nVB2024 TIPS presentation: Radical transparency in cyber, Suzanne Spaulding\r\nThreat intelligence for high-risk communities\r\nVB2024 presentation: Threat intelligence for high-risk communities, Martijn Grooten\r\nIcePeony with the '996' work culture\r\nVB2024 paper: IcePeony with the '996' work culture, Rintaro Koike \u0026 Shota Nakajima\r\nUnmasking DarkPlum: inside the operations of DPRK’s elite cyber espionage group\r\nVB2024 paper: Unmasking DarkPlum: inside the operations of DPRK’s elite cyber espionage group, Amata\r\nAnantaprayoon \u0026 Rintaro Koike\r\nThe Impersonators\r\nVB2024 paper: The Impersonators, Gabor Szappanos \u0026 Steeve Gaudreault\r\nThe dark dream of the Lumma malware developer\r\nVB2024 paper: The dark dream of the Lumma malware developer, Raman Ladutska\r\nRevivalStone: new puzzle posed by Winnti group\r\nVB2024 paper: RevivalStone: new puzzle posed by Winnti group, Yoshihiro Ishikawa \u0026 Takuma Matsumoto\r\nMind the (air) gap: GoldenJackal gooses government guardrails\r\nVB2024 presentation: Mind the (air) gap: GoldenJackal gooses government guardrails, Matias Porolli\r\nThe Phantom Syndicate: a hacking collective with a North Korean allegiance\r\nVB2024 paper: The Phantom Syndicate: a hacking collective with a North Korean allegiance, Youjin Lee\r\nTracking FIN7 malware honeypots, new AI deepfake lures\r\nVB2024 paper: Tracking FIN7 malware honeypots, new AI deepfake lures, Zach Edwards\r\nBEC and phishing targets local election candidate (me!)\r\nVB2024 paper: BEC and phishing targets local election candidate (me!), Andrew Brandt\r\nAll quiet on the signalling front? 
Dispatches from the front-line of telecom network security\r\nVB2024 paper: All quiet on the signalling front? Dispatches from the front-line of telecom network security,\r\nCathal Mc Daid\r\nProactively hunting for low-reputed infrastructure used by large cybercrimes and APTs\r\nVB2024 paper: Proactively hunting for low-reputed infrastructure used by large cybercrimes and APTs, Mohamed\r\nNabeel, Keerthiraj Nagaraj \u0026 Alex Starov\r\nOrigins of a logger - Agent Tesla\r\nVB2024 paper: Origins of a logger - Agent Tesla, Berk Albayrak \u0026 Utku Çorbacı\r\nA web of surveillance\r\nVB2024 paper: A web of surveillance, Jurre van Bergen\r\nGetting cozy with milk and WARMCOOKIES\r\nVB2024 presentation: Getting cozy with milk and WARMCOOKIES, Daniel Stepanic\r\nTIPS: Wrap-up\r\nVB2024 TIPS presentation: Wrap-up, Michael Daniel\r\nSource: https://www.virusbulletin.com/conference/vb2024/abstracts/octopus-prime-didnt-turn-truck-widely-spread-android-botnet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.virusbulletin.com/conference/vb2024/abstracts/octopus-prime-didnt-turn-truck-widely-spread-android-botnet/"
	],
	"report_names": [
		"octopus-prime-didnt-turn-truck-widely-spread-android-botnet"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67bf0462-41a3-4da5-b876-187e9ef7c375",
			"created_at": "2022-10-25T16:07:23.44832Z",
			"updated_at": "2026-04-10T02:00:04.607111Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"Careto",
				"The Mask",
				"Ugly Face"
			],
			"source_name": "ETDA:Careto",
			"tools": [
				"Careto"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a8356cf9-e9d6-4585-8ccf-d30d3efe142b",
			"created_at": "2023-06-23T02:04:34.262059Z",
			"updated_at": "2026-04-10T02:00:04.711064Z",
			"deleted_at": null,
			"main_name": "GoldenJackal",
			"aliases": [],
			"source_name": "ETDA:GoldenJackal",
			"tools": [
				"JackalControl",
				"JackalPerInfo",
				"JackalScreenWatcher",
				"JackalSteal",
				"JackalWorm"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1aec4044-b06e-4821-8270-11660ba3156b",
			"created_at": "2024-11-03T02:00:03.647946Z",
			"updated_at": "2026-04-10T02:00:03.738402Z",
			"deleted_at": null,
			"main_name": "IcePeony",
			"aliases": [],
			"source_name": "MISPGALAXY:IcePeony",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "655f7d0b-7ea6-4950-b272-969ab7c27a4b",
			"created_at": "2022-10-27T08:27:13.133291Z",
			"updated_at": "2026-04-10T02:00:05.315213Z",
			"deleted_at": null,
			"main_name": "BITTER",
			"aliases": [
				"T-APT-17"
			],
			"source_name": "MITRE:BITTER",
			"tools": [
				"ZxxZ"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e47e5bc6-9823-48b4-b4c8-44d213853a3d",
			"created_at": "2023-11-17T02:00:07.588367Z",
			"updated_at": "2026-04-10T02:00:03.453612Z",
			"deleted_at": null,
			"main_name": "MirrorFace",
			"aliases": [
				"Earth Kasha"
			],
			"source_name": "MISPGALAXY:MirrorFace",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "555e2cac-931d-4ad4-8eaa-64df6451059d",
			"created_at": "2023-01-06T13:46:39.48103Z",
			"updated_at": "2026-04-10T02:00:03.342729Z",
			"deleted_at": null,
			"main_name": "RomCom",
			"aliases": [
				"UAT-5647",
				"Storm-0978"
			],
			"source_name": "MISPGALAXY:RomCom",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bacb81f4-18d1-4dcd-b277-65a9dac41b61",
			"created_at": "2023-11-04T02:00:07.680044Z",
			"updated_at": "2026-04-10T02:00:03.390891Z",
			"deleted_at": null,
			"main_name": "GoldenJackal",
			"aliases": [],
			"source_name": "MISPGALAXY:GoldenJackal",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7e75b11d-f74c-4721-958e-f5a831ae85dc",
			"created_at": "2024-10-25T02:02:07.623446Z",
			"updated_at": "2026-04-10T02:00:04.608517Z",
			"deleted_at": null,
			"main_name": "CeranaKeeper",
			"aliases": [],
			"source_name": "ETDA:CeranaKeeper",
			"tools": [
				"ClaimLoader",
				"PUBLOAD",
				"TONEINS",
				"TONESHELL"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d24c2548-d163-4a73-865f-0d4cb917fee7",
			"created_at": "2024-04-20T02:00:03.580316Z",
			"updated_at": "2026-04-10T02:00:03.628323Z",
			"deleted_at": null,
			"main_name": "UNC3569",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC3569",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f5bf6853-3f6e-452c-a7b7-8f81c9a27476",
			"created_at": "2023-01-06T13:46:38.677391Z",
			"updated_at": "2026-04-10T02:00:03.064818Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"The Mask",
				"Ugly Face"
			],
			"source_name": "MISPGALAXY:Careto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4f83fef-38ee-4228-9d27-dde8afece1cb",
			"created_at": "2023-02-15T02:01:49.569611Z",
			"updated_at": "2026-04-10T02:00:03.351659Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"Hive0118"
			],
			"source_name": "MISPGALAXY:TA577",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "22d450bb-fc7a-42af-9430-08887f0abf9f",
			"created_at": "2024-11-01T02:00:52.560354Z",
			"updated_at": "2026-04-10T02:00:05.276856Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"TA577"
			],
			"source_name": "MITRE:TA577",
			"tools": [
				"Pikabot",
				"QakBot",
				"Latrodectus"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bf6cb670-bb69-473f-a220-97ac713fd081",
			"created_at": "2022-10-25T16:07:23.395205Z",
			"updated_at": "2026-04-10T02:00:04.578924Z",
			"deleted_at": null,
			"main_name": "Bitter",
			"aliases": [
				"G1002",
				"T-APT-17",
				"TA397"
			],
			"source_name": "ETDA:Bitter",
			"tools": [
				"Artra Downloader",
				"ArtraDownloader",
				"Bitter RAT",
				"BitterRAT",
				"Dracarys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eeea8091-668c-4e89-9c67-e688fd599365",
			"created_at": "2024-10-08T02:00:04.464686Z",
			"updated_at": "2026-04-10T02:00:03.723141Z",
			"deleted_at": null,
			"main_name": "CeranaKeeper",
			"aliases": [],
			"source_name": "MISPGALAXY:CeranaKeeper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434200,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/80eddc875d47957c80e1feee753985f2f871379d.pdf",
		"text": "https://archive.orkl.eu/80eddc875d47957c80e1feee753985f2f871379d.txt",
		"img": "https://archive.orkl.eu/80eddc875d47957c80e1feee753985f2f871379d.jpg"
	}
}