{
	"id": "015a3bc7-fb3e-413c-8b69-5a46067509ef",
	"created_at": "2026-04-06T00:13:55.250557Z",
	"updated_at": "2026-04-10T03:38:19.570794Z",
	"deleted_at": null,
	"sha1_hash": "86a87d83999aaae5e8d7843af674472ba84fde1e",
	"title": "Analysis of APT Attack Cases Using Dora RAT Against Korean Companies (Andariel Group)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1215443,
	"plain_text": "Analysis of APT Attack Cases Using Dora RAT Against Korean Companies (Andariel Group)\r\nBy ATCP\r\nPublished: 2024-05-15 · Archived: 2026-04-05 21:12:58 UTC\r\nAhnLab SEcurity intelligence Center (ASEC) has recently discovered Andariel APT attack cases against Korean corporations and institutes. Targeted organizations included educational institutes and manufacturing and construction businesses in Korea. A keylogger, an infostealer, and proxy tools were deployed on top of the backdoor. The threat actor probably used these malware strains to control the infected systems and steal data from them.\r\nThe attacks involved malware strains identified in the Andariel group’s past cases, the most notable of which is Nestdoor, a backdoor addressed in this post. Other cases include the installation of web shells. Proxy tools discovered in the Lazarus group’s previous attacks were also used, although their files were not identical to those in the current case.\r\n1. Evidence of Attacks\r\nAmong the many pieces of evidence from the attack process, one confirmed case involved the distribution of malware through a web server running Apache Tomcat. Because the system in question ran a 2013 version of Apache Tomcat, it was exposed to various vulnerability attacks. The threat actor used the web server to install backdoors, proxy tools, and other malware.\r\nFigure 1. Malware installed via Apache Tomcat\r\n2. Malware Analysis\r\n2.1. Nestdoor\r\nhttps://asec.ahnlab.com/en/66088/\r\nPage 1 of 9\n\nNestdoor is a RAT malware strain that has been observed since at least May 2022. It receives the threat actor’s commands to control the infected system and has been discovered continuously in the Andariel group’s attack cases. 
For the convenience of classification, this post refers to these cases as Nestdoor based on the names under which they were collected.\r\nIn June 2022, the United States Cybersecurity \u0026 Infrastructure Security Agency (CISA) analyzed and disclosed attack cases that exploited the Log4Shell vulnerability (CVE-2021-44228) in the VMware Horizon product to install malware. The cases included malware classified as an “Unidentified RAT” and loader strains that executed it in memory. [1] [2]\r\nThe malware strains classified as an “Unidentified RAT” are developed in C++ and can receive the threat actor’s commands to carry out malicious behaviors such as file upload and download, reverse shell, and command execution. Their other characteristics include binary obfuscation to disrupt analysis and features such as keylogging, clipboard logging, and proxying.\r\nASEC disclosed an attack case in May 2022 in which Andariel, a group known as a subsidiary of the Lazarus group, exploited VMware Horizon’s Log4Shell vulnerability to distribute TigerRAT. [3] There was also a case in early 2023 where Nestdoor was used together with TigerRAT, communicating with the same C\u0026C server as the latter. These cases show how Nestdoor has been utilized in various attacks, such as the TigerRAT case against Korean companies and the case that exploited the Log4Shell vulnerability.\r\nA case where the malware was distributed disguised as OpenVPN was also discovered in early 2024, although its distribution path is yet to be confirmed. The malware disguised as an installer was inside a compressed file (see Figure 2). When the “OpenVPN Installer.exe” file is executed, the launcher malware “FirewallAPI.dll” in the same path is loaded, ultimately leading to the execution of “openvpnsvc.exe”, the Nestdoor malware located in the “Resource” folder. 
Nestdoor maintains persistence by registering itself in the Task Scheduler and communicates with the C\u0026C server.\r\nFigure 2. Malware disguised as OpenVPN\r\nAlthough the Nestdoor malware identified in this case shares similarities with the OpenVPN case, it also has some distinguishing traits. For instance, the Nestdoor in this case uses modified command codes during C\u0026C communication and supports fewer features. However, its obfuscation method and overall structure, including the initial routine, are similar. Both variants allow the threat actor to control infected systems through basic features such as file operations and a reverse shell.\r\nFigure 3. Obfuscation routine and reverse shell commands of the recently discovered Nestdoor\r\n2.2. Dora RAT\r\nThe Andariel group has recently begun creating a new backdoor malware strain for each attack campaign it launches, developing most of these strains in the Go language. The newly discovered malware strain covered in this post was also developed in Go and was named “Dora RAT” by the attacker.\r\nFigure 4. Malware developed under the name “Dora RAT”\r\nDora RAT is a relatively simple malware strain that supports a reverse shell and file download/upload. The identified malware comes in two types: one operates as a standalone executable file, while the other runs by being injected into the explorer.exe process.\r\n“spsvc.exe” is an executable file in WinRAR SFX format. The archive includes a legitimate program, “OneDriverStandaloneUpdate.exe”, and the injector malware “version.dll”. Upon execution, these files are installed in “%APPDATA%”. When “OneDriverStandaloneUpdate.exe” is executed, “version.dll” in the same path is loaded to carry out malicious behaviors. 
“version.dll” decrypts the data in its internal resource, which is Dora RAT, and injects it into the explorer.exe process.\r\nFigure 5. Dora RAT encrypted and saved in the resource\r\nFor reference, the attacker has also signed and distributed malware using a valid certificate. Some of the Dora RAT strains used in the attack were confirmed to be signed with a valid certificate belonging to a United Kingdom software developer.\r\nFigure 6. Dora RAT signed using a valid certificate\r\n2.3. Other Malware Strains\r\n2.3.1. Keylogger/Cliplogger\r\nLike Dora RAT, which only offers basic control features, the Nestdoor malware identified in this attack supports relatively simple functions compared to its previous versions. In other words, it does not support features such as keylogging or clipboard logging. Accordingly, the threat actor used Nestdoor to install additional malware that performs keylogging and clipboard logging.\r\nThe malware used in the attack created a file in the “%TEMP%” path based on the string passed to it as an argument and saved the logged keystroke and clipboard information there.\r\nFigure 7. Keystroke and clipboard information saved in the temp directory\r\n2.3.2. Stealer\r\nThe tools installed by the threat actor included malware for stealing files from the system. Given that the pre-existing malware strains are suited only to stealing files of small quantity or size, the threat actor may have installed this additional malware to steal large files.\r\nArgument | Description\r\n–protocol | Protocol for communication (tcp/udp)\r\n–server | Address used for exfiltration (ip:port format)\r\n–dir, –file | Path of the file to be stolen\r\n–thread, –limit | Performance limitation\r\nTable 1. Stealer’s arguments\r\n2.3.3. Proxy\r\nThe additional malware strains that the threat actor installed were mostly proxy tools. 
Among the confirmed proxy tools were types that the attacker likely created, though open-source Socks5 proxy tools were also confirmed. [4] [5]\r\nA notable fact is that the threat actor used a proxy tool found in the Lazarus group’s ThreatNeedle attack that Kaspersky disclosed in early 2021. Although not an identical file, the malware has the same size, routine, and string used during authentication. For reference, proxy tools exhibiting exactly the same traits (the same authentication string) have been deployed in attacks since at least 2014.\r\nFigure 8. A proxy tool used for the attack\r\n3. Conclusion\r\nThe Andariel group is one of the most active threat groups in Korea, alongside the Kimsuky and Lazarus groups. The group initially launched attacks to acquire information related to national security, but it has since also been attacking for financial gain. [6] It uses spear phishing or watering hole attacks and exploits software vulnerabilities for initial access. There have also been cases of the Andariel group exploiting additional vulnerabilities during the attack process to distribute malware to internal networks.\r\nUsers must be particularly cautious of attachments in emails from unknown sources and executable files downloaded from web pages. If there are vulnerabilities in the software used by companies, such as asset management solutions or access control solutions, security administrators should apply patches to update them to their latest versions. 
They should also apply the latest patches for the OS and programs such as internet browsers, and update V3 to the latest version to prevent malware infection in advance.\r\nFile Detection\r\n– Trojan/Win.Injector.C5610655 (2024.04.09.03)\r\n– Trojan/Win.Agent.C5610733 (2024.04.10.00)\r\n– Backdoor/Win.Nestdoor.C5610641 (2024.04.13.00)\r\n– Backdoor/Win.DoraRAT.C5610712 (2024.04.09.03)\r\n– Dropper/Win.Agent.C5610793 (2024.04.10.00)\r\n– Dropper/Win.Agent.C5610654 (2024.04.09.03)\r\n– Trojan/Win.KeyLogger.C5610642 (2024.04.09.03)\r\n– Backdoor/Win.Nestdoor.C5622508 (2024.05.16.03)\r\n– Trojan/Win.Launcher.C5622509 (2024.05.16.03)\r\n– Trojan/Win.PWS.C5068848 (2022.04.12.01)\r\nBehavior Detection\r\n– Malware/MDP.Fraud.M800\r\nMD5\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/66088/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/66088/"
	],
	"report_names": [
		"66088"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434435,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/86a87d83999aaae5e8d7843af674472ba84fde1e.pdf",
		"text": "https://archive.orkl.eu/86a87d83999aaae5e8d7843af674472ba84fde1e.txt",
		"img": "https://archive.orkl.eu/86a87d83999aaae5e8d7843af674472ba84fde1e.jpg"
	}
}