{ "id": "bb9a8450-a9ad-4cdf-be77-af2277a295d8", "created_at": "2026-04-06T00:12:52.942885Z", "updated_at": "2026-04-10T13:11:20.482938Z", "deleted_at": null, "sha1_hash": "8751286badf3f14c328ac57f46367b165e60de52", "title": "APT trends report Q2 2019", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 78370, "plain_text": "APT trends report Q2 2019\r\nBy GReAT\r\nPublished: 2019-08-01 · Archived: 2026-04-05 12:49:07 UTC\r\nFor two years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly\r\nsummaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence\r\nresearch and provide a representative snapshot of what we have published and discussed in greater detail in our\r\nprivate APT reports. They aim to highlight the significant events and findings that we feel people should be aware\r\nof.\r\nThis is our latest installment, focusing on activities that we observed during Q2 2019.\r\nReaders who would like to learn more about our intelligence reports or request more information on a specific\r\nreport are encouraged to contact ‘intelreports@kaspersky.com’.\r\nIn April, we published our report on TajMahal, a previously unknown APT framework that has been active for the\r\nlast five years. This is a highly sophisticated spyware framework that includes backdoors, loaders, orchestrators,\r\nC2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents, and cryptography key\r\nstealers; and even its own file indexer for the victim’s computer. We discovered up to 80 malicious modules stored\r\nin its encrypted Virtual File System – one of the highest numbers of plugins we have ever seen in an APT toolset.\r\nThe malware features its own indexer, emergency C2s, the ability to steal specific files from external drives when\r\nthey become available again, and much more. There are two different packages, self-named ‘Tokyo’ and\r\n‘Yokohama’ and the targeted computers we found include both packages. We think the attackers used Tokyo as the\r\nfirst stage infection, deploying the fully functional Yokohama package on interesting victims, and then leaving\r\nTokyo in place for backup purposes. So far, our telemetry has revealed just a single victim, a diplomatic body\r\nfrom a country in Central Asia. This begs the question, why go to all that trouble for just one victim? We think\r\nthere may be other victims that we haven’t found yet. This theory is supported by the fact that we couldn’t see\r\nhow one of the files in the VFS was used by the malware, opening the door to the possibility of additional versions\r\nof the malware that have yet to be detected.\r\nOn May 14, FT reported that a zero-day vulnerability in WhatsApp had been exploited, allowing attackers to\r\neavesdrop on users, read their encrypted chats, turn on the microphone and camera and install spyware that allows\r\neven further surveillance, such as browsing through a victim’s photos and videos, accessing their contact list and\r\nmore. In order to exploit the vulnerability, the attacker simply needs to call the victim via WhatsApp. This\r\nspecially crafted call can trigger a buffer overflow in WhatsApp, allowing an attacker to take control of the\r\napplication and execute arbitrary code in it. Apparently, the attackers used this method to not only snoop on\r\npeople’s chats and calls but also to exploit previously unknown vulnerabilities in the operating system, which\r\nallowed them to install applications on the device. The vulnerability affects WhatsApp for Android prior to\r\n2.19.134, WhatsApp Business for Android prior to 2.19.44, WhatsApp for iOS prior to 2.19.51, WhatsApp\r\nBusiness for iOS prior to 2.19.51, WhatsApp for Windows Phone prior to 2.18.348 and WhatsApp for Tizen prior\r\nhttps://securelist.com/apt-trends-report-q2-2019/91897\r\nPage 1 of 9\n\nto 2.18.15. WhatsApp released patches for the vulnerability on May 13. Some have suggested that the spyware\r\nmay be Pegasus, developed by Israeli company NSO.\r\nRussian-speaking activity\r\nWe continue to track the activities of Russian-speaking APT groups. These groups usually show a particular\r\ninterest in political activities, but apart from a couple of interesting exceptions we failed to detect any remarkable\r\nexamples during the last quarter.\r\nWe did find a potential connection between Hades and a leak at the RANA institute. Hades is possibly connected\r\nto the Sofacy threat actor, most notable for being behind Olympic Destroyer, as well as ExPetr and several\r\ndisinformation campaigns such as the Macron leaks. Earlier this year, a website named Hidden Reality published\r\nleaks allegedly related to an Iranian entity named the RANA institute. This was the third leak in two months that\r\ndisclosed details of alleged Iranian threat actors and groups. Close analysis of the materials, the infrastructure and\r\nthe dedicated website used by those behind the leak led us to believe that these leaks might be connected to Hades.\r\nThis might be part of a disinformation campaign in which Hades helps to raise doubts about the quality of the\r\ninformation leaked in other cases from earlier this year.\r\nZebrocy continued adding new tools to its arsenal using various kinds of programming languages. We found\r\nZebrocy deploying a compiled Python script, which we call PythocyDbg, within a Southeast Asian foreign affairs\r\norganization: this module primarily provides for the stealthy collection of network proxy and communications\r\ndebug capabilities. In early 2019, Zebrocy shifted its development efforts with the use of Nimrod/Nim, a\r\nprogramming language with syntax resembling both Pascal and Python that can be compiled down to JavaScript\r\nor C targets. Both the Nim downloaders that the group mainly uses for spear-phishing, and other Nim backdoor\r\ncode, are currently being produced by Zebrocy and delivered alongside updated compiled AutoIT scripts, Go, and\r\nDelphi modules. The targets of this new Nimcy downloader and backdoor set includes diplomats, defense officials\r\nand ministry of foreign affairs staff, from whom they want to steal login credentials, keystrokes, communications,\r\nand various files. The group appears to have turned its attention towards the March events involving Pakistan and\r\nIndia, and unrelated diplomatic and military officials, while maintaining ongoing access to local and remote\r\nnetworks belonging to Central Asian governments.\r\nWe also recently observed some interesting new artifacts that we relate to Turla with varying degrees of\r\nconfidence.\r\nIn April 2019, we observed a new COMpfun-related targeted campaign using new malware. The Kaspersky\r\nAttribution Engine shows strong code similarities between the new family and the old COMpfun. Moreover, the\r\noriginal COMpfun is used as a downloader in one of the spreading mechanisms. We called the newly identified\r\nmodules Reductor after a .pdb path left in some samples. We believe the malware was developed by the same\r\nCOMPfun authors that, internally, we tentatively associated with the Turla APT, based on victimology. Besides the\r\ntypical RAT functions (upload, download, execute files), Reductor’s authors put a lot of effort into manipulating\r\ninstalled digital root certificates and marking outbound TLS traffic with unique host-related identifiers. The\r\nmalware adds embedded root certificates to the target host and allows operators to add additional ones remotely\r\nthrough a named pipe. The solution used by Reductor’s developers to mark TLS traffic is the most ingenious part.\r\nThe authors don’t touch the network packets at all; instead they analyze Firefox source and Chrome binary code to\r\nhttps://securelist.com/apt-trends-report-q2-2019/91897\r\nPage 2 of 9\n\npatch the corresponding system pseudo-random number generation (PRNG) functions in the process’s memory.\r\nBrowsers use PRNG to generate the “client random” sequence during the very beginning of the TLS handshake.\r\nReductor adds the victims’ unique encrypted hardware- and software-based identifiers to this “client random”\r\nfield.\r\nAdditionally we identified a new backdoor that we attribute with medium confidence to Turla. The backdoor,\r\nnamed Tunnus, is .NET-based malware with the ability to run commands or perform file actions on an infected\r\nsystem and send the results to its C2. So far, the C2 infrastructure has been built using compromised sites with\r\nvulnerable WordPress installations. According to our telemetry, Tunnus’s activity started last March and was still\r\nactive at the time of writing.\r\nESET has also reported PowerShell scripts being used by Turla to provide direct, in-memory loading and\r\nexecution of malware. This is not the first time this threat actor has used PowerShell in this way, but the group has\r\nimproved these scripts and is now using them to load a wide range of custom malware from its traditional arsenal.\r\nThe payloads delivered via the PowerShell scripts – the RPC backdoor and PowerStallion – are highly\r\ncustomized.\r\nSymantec has also been tracking targeted attacks in a series of campaigns against governments and international\r\norganizations across the globe over the past 18 months. The attacks have featured a rapidly evolving toolset and,\r\nin one notable instance, the apparent hijacking of infrastructure belonging to OilRig. They have uncovered\r\nevidence that the Waterbug APT group (aka Turla, Snake, Uroburos, Venomous Bear and KRYPTON) has\r\nconducted a hostile takeover of an attack platform belonging to OilRig (aka Crambus). Researchers at Symantec\r\nsuspect that Turla used the hijacked network to attack a Middle Eastern government that OilRig had already\r\npenetrated. This is not the first time that we have seen this type of activity. Clearly, operations of this kind make\r\nthe job of attribution more difficult.\r\nThe international community continues to focus on the activity of Russian-speaking threat actors. Over the last 18\r\nmonths, the UK has shared information on attacks attributed to Russian hackers with 16 NATO allies, including\r\nattacks on critical national infrastructure and attempts to compromise central government networks. In his former\r\ncapacity as UK foreign secretary, Jeremy Hunt, recently urged nations to band together to create a deterrent for\r\nstate-sponsored hackers. As part of this push, the UK and its intelligence partners have been slowly moving\r\ntowards a ‘name and shame’ approach when dealing with cyberattacks. The use of the ‘court of public opinion’ in\r\nresponse to cyberattacks is a trend that we highlighted in our predictions for 2019. To help this new strategy the\r\nEU recently passed new laws that will make it possible for EU member states to impose economic sanctions\r\nagainst foreign hackers.\r\nResearchers at the Microstep Intelligence Bureau have published a report on targeted attacks on the Ukrainian\r\ngovernment that they attribute to the Gamaredon threat actor. Recently, the group launched attacks on a number of\r\nstate organizations in Ukraine using Pterodo, malware used exclusively by this group. Since February, the\r\nattackers have deployed a large number of dynamic domain names and newly registered domain names believed\r\nto be used to launch targeted attacks against elections in Ukraine.\r\nChinese-speaking activity\r\nhttps://securelist.com/apt-trends-report-q2-2019/91897\r\nPage 3 of 9\n\nWe found an active campaign by a Chinese APT group we call SixLittleMonkeys that uses a new version of the\r\nMicrocin Trojan and a RAT that we call HawkEye as a last stager. The campaign mainly targets government\r\nbodies in Central Asia. For persistence, the operators use .DLL search order hijacking. This consists of using a\r\ncustom decryptor with a system library name (e.g., version.dll or api-ms-win-core-fibers-l1-1-1.dll) in directories,\r\nalong with the legitimate applications that load these libraries into memory. Among other legitimate applications,\r\nthe threat actor uses the Google updater, GoogleCrashHandler.exe, for .DLL hijacking. Custom encryptors protect\r\nthe next stagers from detection on disk and from automated analysis, using the same encryption keys in different\r\nsamples. For secure TLS communication with its C2, the malware uses the Secure Channel (Schannel) Windows\r\nsecurity package.\r\nESET discovered that the attackers behind the Plead malware have been distributing it using compromised routers\r\nand man-in-the-middle (MITM) attacks in April. Researchers have detected this activity in Taiwan, where the\r\nPlead malware has been most actively deployed. Trend Micro has previously reported the use of this malware in\r\ntargeted attacks by the BlackTech group, primarily focused on cyber-espionage in Asia. ESET telemetry has\r\nrevealed multiple attempts to deploy it.\r\nLuckyMouse activity detected by Palo Alto involved the attackers installing web shells on SharePoint servers to\r\ncompromise government organizations in the Middle East, probably exploiting CVE-2019-0604, a remote code\r\nexecution vulnerability used to compromise the server and eventually install a web shell. The actors uploaded a\r\nvariety of tools that they used to perform additional activities on the compromised network, such as dumping\r\ncredentials, as well as locating and pivoting to additional systems on the network. Of particular note is the group’s\r\nuse of tools to identify systems vulnerable to CVE-2017-0144, the vulnerability exploited by EternalBlue and\r\nused in the 2017 WannaCry attacks. This activity appears to be related to campaigns exploiting CVE-2019-0604\r\nmentioned in recent security alerts from the Saudi Arabian National Cyber Security Center and the Canadian\r\nCenter for Cyber Security.\r\nLast year, a number of Chinese hackers allegedly linked to the Chinese government were indicted in the US. In\r\nMay, the US Department of Justice indicted a Chinese national for a series of computer intrusions, including the\r\n2015 data breach of health insurance company Anthem which affected more than 78 million people.\r\nMiddle East\r\nThe last three months have been very interesting for this region, especially considering the multiple leaks of\r\nalleged Iranian activity that were published within just a few weeks of each other. Even more interesting is the\r\npossibility that one of the leaks may have been part of a disinformation campaign carried out with the help of the\r\nSofacy/Hades actor.\r\nIn March, someone going by the handle Dookhtegan or Lab_dookhtegan started posting messages on Twitter\r\nusing the hashtag #apt34. Several files were shared via Telegram that supposedly belonged to the OilRig threat\r\nactor. They included logins and passwords of several alleged hacking victims, tools, infrastructure details\r\npotentially related to different intrusions, the résumés of the alleged attackers and a list of web shells – apparently\r\nrelating to the period 2014-18.\r\nhttps://securelist.com/apt-trends-report-q2-2019/91897\r\nPage 4 of 9\n\nThe targeting and TTPs are consistent with this threat actor, but it was impossible to confirm the origins of the\r\ntools included in the dump. Assuming that the data in the dump is accurate, it also shows the global reach of the\r\nOilRig group, which has generally been thought to operate primarily in the Middle East.\r\nOn April 22, an entity going by the alias Bl4ck_B0X created a Telegram channel named GreenLeakers. The\r\npurpose of the channel, as stated by its creator, was to publish information about the members of the MuddyWater\r\nAPT group, “along with information about their mother and spouse and etc.”, for free. In addition to this free\r\ninformation, the Bl4ck_B0X actor(s) also hinted that “highly confidential” information related to MuddyWater\r\nwould be put up for sale.\r\nOn April 27, three screenshots were posted in the GreenLeakers Telegram channel, containing alleged screenshots\r\nfrom a MuddyWater C2 server. On May 1, the channel was closed to the public and its status changed to private.\r\nThis was before Bl4ck_B0X had the chance to publish the promised information on the MuddyWater group. The\r\nreason for the closure is still unclear.\r\nFinally, a website named Hidden Reality published leaks allegedly related to an entity named the Iranian RANA\r\ninstitute. It was the third leak in two months disclosing details of alleged Iranian threat actors and groups.\r\nInterestingly, this leak differed from the others by employing a website that allows anyone to browse the leaked\r\ndocuments. It also relies on Telegram and Twitter profiles to post messages related to Iranian CNO capabilities.\r\nThe Hidden Reality website contains internal documents, chat messages and other data related to the RANA\r\ninstitute’s CNO (Computer Network Operations) capabilities, as well as information about victims. Previous leaks\r\nwere focused more on tools, source code and individual actor profiles.\r\nClose analysis of the materials, the infrastructure and the dedicated website used by the leakers, provided clues\r\nthat led us to believe Sofacy/Hades may be connected to these leaks.\r\nThere was also other Muddywater activity unrelated to the leak, as well as discoveries linked to previous activity\r\nby the group, such as ClearSky’s discovery of two domains hacked by MuddyWater at the end of 2018 to host the\r\ncode of its POWERSTATS malware.\r\nIn April, Cisco Talos published its analysis of the BlackWater campaign, related to MuddyWater activity. The\r\ncampaign shows how the attackers added three distinct steps to their operations, allowing them to bypass certain\r\nsecurity controls to evade detection: an obfuscated VBA script to establish persistence as a registry key, a\r\nPowerShell stager and FruityC2 agent script, and an open source framework on GitHub to further enumerate the\r\nhost machine. This could allow the attackers to monitor web logs and determine whether someone outside the\r\ncampaign has made a request to their server in an attempt to investigate the activity. Once the enumeration\r\ncommands run, the agent communicates with a different C2 and sends back data in the URL field. Trend Micro\r\nalso reported MuddyWater’s use of a new multi-stage PowerShell-based backdoor called POWERSTATS v3.\r\nWe published a private report about four Android malware families and their use of false flag techniques, among\r\nother things. One of the campaigns sent spear-phishing emails to a university in Jordan and the Turkish\r\ngovernment, using compromised legitimate accounts to trick victims into installing malware.\r\nRegarding other groups, we discovered new activity related to ZooPark, a cyber-espionage threat actor that has\r\nfocused mainly on stealing data from Android devices. Our new findings include new malicious samples and\r\nhttps://securelist.com/apt-trends-report-q2-2019/91897\r\nPage 5 of 9\n\nadditional infrastructure that has been deployed since 2016. This also led to us discovering Windows malware\r\nimplants deployed by the same threat actor. The additional indicators we found shed some light on the targets of\r\npast campaigns, including Iranian Kurds – mainly political dissidents and activists.\r\nRecorded Future published an analysis of the infrastructure built by APT33 (aka Elfin) to target Saudi\r\norganizations. Following the exposure of a wide range of their infrastructure and operations by Symantec in\r\nMarch, researchers at Recorded Future discovered that APT33, or closely aligned actors, reacted by either parking\r\nor reassigning some of their domain infrastructure. The fact that this activity was executed just a day or so after\r\nthe report went live suggests the Iranian threat actors are acutely aware of the media coverage of their activities\r\nand are resourceful enough to be able to react in a quick manner. Since then, the attackers have continued to use a\r\nlarge swath of operational infrastructure, well in excess of 1,200 domains, with many observed communicating\r\nwith 19 different commodity RAT implants. An interesting development appears to be their increased preference\r\nfor njRAT, with over half of the observed suspected APT33 infrastructure being linked to njRAT deployment.\r\nOn a more political level, there were several news stories covering Iranian activity.\r\nA group connected to the Iranian Revolutionary Guard has been blamed for a wave of cyber-attacks against UK\r\nnational infrastructure, including the Post Office, local government networks, private companies and banks.\r\nPersonal data of thousands of employees were stolen. It is believed that the same group was also responsible for\r\nthe attack on the UK parliamentary network in 2017. The UK NCSC (National Cyber Security Centre) is\r\nproviding assistance to affected organizations.\r\nMicrosoft recently obtained a court order in the US to seize control of 99 websites used by the Iranian hacking\r\ngroup APT35 (aka Phosphorus and Charming Kitten). The threat actor used spoofed websites, including those of\r\nMicrosoft and Yahoo, to conduct cyberattacks against businesses, government agencies, journalists and activists\r\nwho focus on Iran. The sinkholing of these sites will force the group to recreate part of its infrastructure.\r\nThe US Cybersecurity and Infrastructure Security Agency (CISA) has reported an increase in cyberattacks by\r\nIranian actors or proxies, targeting US industries and government agencies using destructive wiper tools. The\r\nstatement was posted on Twitter by CISA director, Chris Krebs.\r\nSoutheast Asia and Korean Peninsula\r\nThis quarter we detected a lot of Korean-related activity. However, for the rest of the Southeast Asian region there\r\nhas not been that much activity, especially when compared to earlier periods.\r\nEarly in Q2, we identified an interesting Lazarus attack targeting a mobile gaming company in South Korea that\r\nwe believe was aimed at stealing application source code. It’s clear that Lazarus keeps updating its tools very\r\nquickly. Meanwhile, BlueNoroff, the Lazarus sub-group that typically targets financial institutions, targeted a bank\r\nin Central Asia and a crypto-currency business in China.\r\nIn a recent campaign, we observed ScarCruft using a multi-stage binary to infect several victims and ultimately\r\ninstall a final payload known as ROKRAT – a cloud service-based backdoor. ScarCruft is a highly skilled APT\r\ngroup, historically using geo-political issues to target the Korean Peninsula. We found several victims worldwide\r\nidentified as companies and individuals with ties to North Korea, as well as a diplomatic agency. Interestingly, we\r\nhttps://securelist.com/apt-trends-report-q2-2019/91897\r\nPage 6 of 9\n\nobserved that ScarCruft continues to adopt publicly available exploit code in its tools. We also found an\r\ninteresting overlap in a Russian-based victim targeted both by ScarCruft and DarkHotel – not the first time that we\r\nhave seen such an overlap.\r\nESET recently analyzed a new Mac OS sample from the OceanLotus group that had been uploaded to VirusTotal.\r\nThis backdoor shares its features with a previous Mac OS variant, but the structure has changed and detection is\r\nnow much harder. Researchers were unable to find the dropper associated with this sample, so they could not\r\nidentify the initial compromise vector.\r\nThe US Department of Homeland Security (DHS) has reported Trojan variants, identified as HOPLIGHT, being\r\nused by the North Korean government. The report includes an analysis of nine malicious executable files. Seven\r\nof them are proxy applications that mask traffic between the malware and the remote operators. The proxies have\r\nthe ability to generate fake TLS handshake sessions using valid public SSL certificates, disguising network\r\nconnections with remote malicious actors. One file contains a public SSL certificate and the payload of the file\r\nappears to be encoded with a password or key. The remaining file does not contain any of the public SSL\r\ncertificates, but attempts outbound connections and drops four files: the dropped files primarily contain IP\r\naddresses and SSL certificates.\r\nIn June, we came across an unusual set of samples used to target diplomatic, government and military\r\norganizations in countries in South and Southeast Asia. The threat actor behind the campaign, which we believe to\r\nbe the PLATINUM APT group, uses an elaborate, previously unseen, steganographic technique to conceal\r\ncommunication. A couple of years ago, we predicted that more and more APT and malware developers would use\r\nsteganography, and this campaign provides proof: the actors used two interesting steganography techniques in this\r\nAPT. It’s also interesting that the attackers decided to implement the utilities they need as one huge set – an\r\nexample of the framework-based architecture that is becoming more and more popular.\r\nOther interesting discoveries\r\nOn May 14, Microsoft released fixes for a critical Remote Code Execution vulnerability (CVE-2019-0708) in\r\nRemote Desktop Services (formerly known as Terminal Services) that affects some older versions of Windows:\r\nWindows 7, Windows Server 2008 R2, Windows Server 2008 and some unsupported versions of Windows –\r\nincluding Windows 2003 and Windows XP. Details on how to mitigate this vulnerability are available in our\r\nprivate report ‘Analysis and detection guidance for CVE-2019-0708’. The Remote Desktop Protocol (RDP) itself\r\nis not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the\r\nvulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from\r\nvulnerable computer to vulnerable computer in a similar way that WannaCry spread. Microsoft has not observed\r\nexploitation of this vulnerability, but believes it is highly likely that malicious actors will write an exploit for it.\r\nEarly in June, researchers at Malwarebytes Labs observed a number of compromises on Amazon CloudFront, a\r\nContent Delivery Network (CDN), where hosted JavaScript libraries were tampered with and injected with web\r\nskimmers. Although attacks that involve CDNs usually affect a large number of web properties at once via their\r\nsupply chain, this isn’t always the case. Some websites either use Amazon’s cloud infrastructure to host their own\r\nlibraries or link to code developed specifically for them and hosted on a custom AWS S3 bucket. Without properly\r\nvalidating externally loaded content, these sites are exposing their users to various threats, including some that\r\nhttps://securelist.com/apt-trends-report-q2-2019/91897\r\nPage 7 of 9\n\npilfer credit card data. After analyzing these breaches, researchers found that they are a continuation of a\r\ncampaign from Magecart threat actors attempting to cast a wide net around many different CDNs. CDNs are\r\nwidely used because they provide great benefits to website owners, including optimizing load times and cost, as\r\nwell as helping with all sorts of data analytics. The sites they identified had nothing in common other than the fact\r\nthey were all using their own custom CDN to load various libraries. In effect, the only resulting victims of a\r\ncompromise on their CDN repository would be themselves.\r\nDragos has reported that XENOTIME, the APT group behind the TRISIS (aka TRITON and HatMan) attack on a\r\nSaudi Arabian petro-chemical facility in 2017, has expanded its focus beyond the oil and gas industries.\r\nResearchers have recently seen the group probing the networks of electric utility organizations in the US and\r\nelsewhere – perhaps as a precursor to a dangerous attack on critical infrastructure that could potentially cause\r\nphysical damage or loss of life. Dragos first noticed the shift in targeting in late 2018; and the attacks have\r\ncontinued into 2019.\r\nWe recently reported on the latest versions of FinSpy for Android and iOS, developed in mid-2018. This\r\nsurveillance software is sold to government and law enforcement organizations all over the world, who use it to\r\ncollect a variety of private user information on various platforms. WikiLeaks first discovered the implants for\r\ndesktop devices in 2011 and mobile implants were discovered in 2012. Since then Kaspersky has continuously\r\nmonitored the development of this malware and the emergence of new versions in the wild. Mobile implants for\r\niOS and Android have almost the same functionality. They are capable of collecting personal information such as\r\ncontacts, messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data from\r\nthe most popular messengers. The Android implant includes functionality to gain root privileges on an unrooted\r\ndevice by abusing known vulnerabilities. It would seem that the iOS solution doesn’t provide infection exploits\r\nfor its customers: the product seems to be fine-tuned to clean traces of publicly available jailbreaking tools. This\r\nmight imply that physical access to the victim’s device is required in cases where devices are not already\r\njailbroken. The latest version includes multiple features that we haven’t observed before. During our recent\r\nresearch, we detected up-to-date versions of these implants in the wild in almost 20 countries, but the size of the\r\ncustomer base would suggest that the real number of victims may be much higher.\r\nFinal thoughts\r\nAPT activity in the Middle East has been particularly interesting this quarter, not least because of the leaks related\r\nto alleged Iranian activity. This is especially interesting because one of those leaks might have been part of a\r\ndisinformation campaign carried out with the help of the Sofacy/Hades threat actor.\r\nIn contrast to earlier periods, when Southeast Asia was the most active region for APTs, the activities we detected\r\nthis quarter were mainly Korean-related. For the rest of the region, it was a much quieter quarter.\r\nAcross all regions, geo-politics remains the principal driver of APT activity.\r\nIt is also clear from our FinSpy research that there is a high demand for ‘commercial’ malware from governments\r\nand law enforcement agencies.\r\nOne of the most noteworthy aspects of the APT threat landscape we reported this quarter was our discovery of\r\nTajMahal, a previously unknown and technically sophisticated APT framework that has been in development for\r\nhttps://securelist.com/apt-trends-report-q2-2019/91897\r\nPage 8 of 9\n\nat least five years. This full-blown spying framework includes up to 80 malicious modules stored in its encrypted\r\nVirtual File System – one of the highest numbers of plugins we’ve ever seen for an APT toolset.\r\nAs always, we would note that our reports are the product of our visibility into the threat landscape. However, it\r\nneeds to be borne in mind that, while we strive to continually improve, there is always the possibility that other\r\nsophisticated attacks may fly under our radar.\r\nSource: https://securelist.com/apt-trends-report-q2-2019/91897\r\nhttps://securelist.com/apt-trends-report-q2-2019/91897\r\nPage 9 of 9", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "MISPGALAXY" ], "origins": [ "web" ], "references": [ "https://securelist.com/apt-trends-report-q2-2019/91897" ], "report_names": [ "91897" ], "threat_actors": [ { "id": "5fb9f77b-1273-4658-884e-49f5f511dcd7", "created_at": "2022-10-25T15:50:23.591795Z", "updated_at": "2026-04-10T02:00:05.383475Z", "deleted_at": null, "main_name": "TEMP.Veles", "aliases": [ "TEMP.Veles", "XENOTIME" ], "source_name": "MITRE:TEMP.Veles", "tools": [ "Mimikatz", "PsExec" ], "source_id": "MITRE", "reports": null }, { "id": "1dadf04e-d725-426f-9f6c-08c5be7da159", "created_at": "2022-10-25T15:50:23.624538Z", "updated_at": "2026-04-10T02:00:05.286895Z", "deleted_at": null, "main_name": "Darkhotel", "aliases": [ "Darkhotel", "DUBNIUM", "Zigzag Hail" ], "source_name": "MITRE:Darkhotel", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4", "created_at": "2022-10-25T15:50:23.458833Z", "updated_at": "2026-04-10T02:00:05.419537Z", "deleted_at": null, "main_name": "APT34", "aliases": null, "source_name": "MITRE:APT34", "tools": [ "netstat", "Systeminfo", "PsExec", "SEASHARPEE", "Tasklist", "Mimikatz", "POWRUNER", "certutil" ], "source_id": "MITRE", "reports": null }, { "id": "82b92285-4588-48c9-8578-bb39f903cf62", "created_at": "2022-10-25T15:50:23.850506Z", "updated_at": "2026-04-10T02:00:05.418577Z", "deleted_at": null, "main_name": "Charming Kitten", "aliases": [ "Charming Kitten" ], "source_name": "MITRE:Charming Kitten", "tools": [ "DownPaper" ], "source_id": "MITRE", "reports": null }, { "id": "8aaa5515-92dd-448d-bb20-3a253f4f8854", "created_at": "2024-06-19T02:03:08.147099Z", "updated_at": "2026-04-10T02:00:03.685355Z", "deleted_at": null, "main_name": "IRON HUNTER", "aliases": [ "ATK13 ", "Belugasturgeon ", "Blue Python ", "CTG-8875 ", "ITG12 ", "KRYPTON ", "MAKERSMARK ", "Pensive Ursa ", "Secret Blizzard ", "Turla", "UAC-0003 ", "UAC-0024 ", "UNC4210 ", "Venomous Bear ", "Waterbug " ], "source_name": "Secureworks:IRON HUNTER", "tools": [ "Carbon-DLL", "ComRAT", "LightNeuron", "Mosquito", "PyFlash", "Skipper", "Snake", "Tavdig" ], "source_id": "Secureworks", "reports": null }, { "id": "a63c994f-d7d6-4850-a881-730635798b90", "created_at": "2025-08-07T02:03:24.788883Z", "updated_at": "2026-04-10T02:00:03.785146Z", "deleted_at": null, "main_name": "COBALT TRINITY", "aliases": [ "APT33 ", "Elfin ", "HOLMIUM ", "MAGNALIUM ", "Peach Sandstorm ", "Refined Kitten ", "TA451 " ], "source_name": "Secureworks:COBALT TRINITY", "tools": [ "AutoCore", "Cadlotcorg", "Dello RAT", "FalseFont", "Imminent Monitor", "KDALogger", "Koadic", "NanoCore", "NetWire", "POWERTON", "PoshC2", "Poylog", "PupyRAT", "Schoolbag" ], "source_id": "Secureworks", "reports": null }, { "id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e", "created_at": "2025-08-07T02:03:25.082908Z", "updated_at": "2026-04-10T02:00:03.744649Z", "deleted_at": null, "main_name": "NICKEL FOXCROFT", "aliases": [ "APT37 ", "ATK4 ", "Group 123 ", "InkySquid ", "Moldy Pisces ", "Operation Daybreak ", "Operaton Erebus ", "RICOCHET CHOLLIMA ", "Reaper ", "ScarCruft ", "TA-RedAnt ", "Venus 121 " ], "source_name": "Secureworks:NICKEL FOXCROFT", "tools": [ "Bluelight", "Chinotto", "GOLDBACKDOOR", "KevDroid", "KoSpy", "PoorWeb", "ROKRAT", "final1stpy" ], "source_id": "Secureworks", "reports": null }, { "id": "d8af157e-741b-4933-bb4a-b78490951d97", "created_at": "2023-01-06T13:46:38.748929Z", "updated_at": "2026-04-10T02:00:03.087356Z", "deleted_at": null, "main_name": "APT35", "aliases": [ "COBALT MIRAGE", "Agent Serpens", "Newscaster Team", "Magic Hound", "G0059", "Phosphorus", "Mint Sandstorm", "TunnelVision" ], "source_name": "MISPGALAXY:APT35", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "8670f370-1865-4264-9a1b-0dfe7617c329", "created_at": "2022-10-25T16:07:23.69953Z", "updated_at": "2026-04-10T02:00:04.716126Z", "deleted_at": null, "main_name": "Hades", "aliases": [ "Operation TrickyMouse" ], "source_name": "ETDA:Hades", "tools": [ "Brave Prince", "Gold Dragon", "GoldDragon", "Lovexxx", "Olympic Destroyer", "Running RAT", "RunningRAT", "SOURGRAPE", "running_rat" ], "source_id": "ETDA", "reports": null }, { "id": "af509bbb-8d18-4903-a9bd-9e94099c6b30", "created_at": "2023-01-06T13:46:38.585525Z", "updated_at": "2026-04-10T02:00:03.030833Z", "deleted_at": null, "main_name": "APT32", "aliases": [ "OceanLotus", "ATK17", "G0050", "APT-C-00", "APT-32", "Canvas Cyclone", "SeaLotus", "Ocean Buffalo", "OceanLotus Group", "Cobalt Kitty", "Sea Lotus", "APT 32", "POND LOACH", "TIN WOODLAWN", "Ocean Lotus" ], "source_name": "MISPGALAXY:APT32", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed", "created_at": "2023-01-06T13:46:38.814104Z", "updated_at": "2026-04-10T02:00:03.110104Z", "deleted_at": null, "main_name": "MageCart", "aliases": [], "source_name": "MISPGALAXY:MageCart", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b", "created_at": "2022-10-25T15:50:23.308924Z", "updated_at": "2026-04-10T02:00:05.298591Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "MuddyWater", "Earth Vetala", "Static Kitten", "Seedworm", "TEMP.Zagros", "Mango Sandstorm", "TA450" ], "source_name": "MITRE:MuddyWater", "tools": [ "STARWHALE", "POWERSTATS", "Out1", "PowerSploit", "Small Sieve", "Mori", "Mimikatz", "LaZagne", "PowGoop", "CrackMapExec", "ConnectWise", "SHARPSTATS", "RemoteUtilities", "Koadic" ], "source_id": "MITRE", "reports": null }, { "id": "c97cf0c1-7f0d-4e35-9bb9-bceaad178c3d", "created_at": "2023-01-06T13:46:38.760807Z", "updated_at": "2026-04-10T02:00:03.091254Z", "deleted_at": null, "main_name": "ZooPark", "aliases": [], "source_name": "MISPGALAXY:ZooPark", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2ed8d590-defa-4873-b2de-b75c9b30931e", "created_at": "2023-01-06T13:46:38.730137Z", "updated_at": "2026-04-10T02:00:03.08136Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "TEMP.Zagros", "Seedworm", "COBALT ULSTER", "G0069", "ATK51", "Mango Sandstorm", "TA450", "Static Kitten", "Boggy Serpens", "Earth Vetala" ], "source_name": "MISPGALAXY:MuddyWater", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "cffb3c01-038f-4527-9cfd-57ad5a035c22", "created_at": "2022-10-25T15:50:23.38055Z", "updated_at": "2026-04-10T02:00:05.258283Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "COBALT GYPSY", "IRN2", "APT34", "Helix Kitten", "Evasive Serpens", "Hazel Sandstorm", "EUROPIUM", "ITG13", "Earth Simnavaz", "Crambus", "TA452" ], "source_name": "MITRE:OilRig", "tools": [ "ISMInjector", "ODAgent", "RDAT", "Systeminfo", "QUADAGENT", "OopsIE", "ngrok", "Tasklist", "certutil", "ZeroCleare", "POWRUNER", "netstat", "Solar", "ipconfig", "LaZagne", "BONDUPDATER", "SideTwist", "OilBooster", "SampleCheck5000", "PsExec", "SEASHARPEE", "Mimikatz", "PowerExchange", "OilCheck", "RGDoor", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "870f6f62-84f5-48ca-a18e-cf2902cd6924", "created_at": "2022-10-25T15:50:23.303818Z", "updated_at": "2026-04-10T02:00:05.301184Z", "deleted_at": null, "main_name": "APT32", "aliases": [ "APT32", "SeaLotus", "OceanLotus", "APT-C-00", "Canvas Cyclone" ], "source_name": "MITRE:APT32", "tools": [ "Mimikatz", "ipconfig", "Kerrdown", "Cobalt Strike", "SOUNDBITE", "OSX_OCEANLOTUS.D", "KOMPROGO", "netsh", "RotaJakiro", "PHOREAL", "Arp", "Denis", "Goopy" ], "source_id": "MITRE", "reports": null }, { "id": "efa7c047-b61c-4598-96d5-e00d01dec96b", "created_at": "2022-10-25T16:07:23.404442Z", "updated_at": "2026-04-10T02:00:04.584239Z", "deleted_at": null, "main_name": "BlackTech", "aliases": [ "BlackTech", "Canary Typhoon", "Circuit Panda", "Earth Hundun", "G0098", "Manga Taurus", "Operation PLEAD", "Operation Shrouded Crossbow", "Operation Waterbear", "Palmerworm", "Radio Panda", "Red Djinn", "T-APT-03", "TEMP.Overboard" ], "source_name": "ETDA:BlackTech", "tools": [ "BIFROST", "BUSYICE", "BendyBear", "Bluether", "CAPGELD", "DRIGO", "Deuterbear", "Flagpro", "GOODTIMES", "Gh0stTimes", "IconDown", "KIVARS", "LOLBAS", "LOLBins", "Linopid", "Living off the Land", "TSCookie", "Waterbear", "XBOW", "elf.bifrose" ], "source_id": "ETDA", "reports": null }, { "id": "2646f776-792a-4498-967b-ec0d3498fdf1", "created_at": "2022-10-25T15:50:23.475784Z", "updated_at": "2026-04-10T02:00:05.269591Z", "deleted_at": null, "main_name": "BlackTech", "aliases": [ "BlackTech", "Palmerworm" ], "source_name": "MITRE:BlackTech", "tools": [ "Kivars", "PsExec", "TSCookie", "Flagpro", "Waterbear" ], "source_id": "MITRE", "reports": null }, { "id": "7d8ef10e-1d7b-49a0-ab6e-f1dae465a1a4", "created_at": "2023-01-06T13:46:38.595679Z", "updated_at": "2026-04-10T02:00:03.033762Z", "deleted_at": null, "main_name": "PLATINUM", "aliases": [ "TwoForOne", "G0068", "ATK33" ], "source_name": "MISPGALAXY:PLATINUM", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bbe36874-34b7-4bfb-b38b-84a00b07042e", "created_at": "2022-10-25T15:50:23.375277Z", "updated_at": "2026-04-10T02:00:05.327922Z", "deleted_at": null, "main_name": "APT37", "aliases": [ "APT37", "InkySquid", "ScarCruft", "Group123", "TEMP.Reaper", "Ricochet Chollima" ], "source_name": "MITRE:APT37", "tools": [ "BLUELIGHT", "CORALDECK", "KARAE", "SLOWDRIFT", "ROKRAT", "SHUTTERSPEED", "POORAIM", "HAPPYWORK", "Final1stspy", "Cobalt Strike", "NavRAT", "DOGCALL", "WINERACK" ], "source_id": "MITRE", "reports": null }, { "id": "552ff939-52c3-421b-b6c9-749cbc21a794", "created_at": "2023-01-06T13:46:38.742547Z", "updated_at": "2026-04-10T02:00:03.08515Z", "deleted_at": null, "main_name": "APT37", "aliases": [ "Operation Daybreak", "Red Eyes", "ScarCruft", "G0067", "Group123", "Reaper Group", "Ricochet Chollima", "ATK4", "APT 37", "Operation Erebus", "Moldy Pisces", "APT-C-28", "Group 123", "InkySquid", "Venus 121" ], "source_name": "MISPGALAXY:APT37", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b13c19d6-247d-47ba-86ba-15a94accc179", "created_at": "2024-05-01T02:03:08.149923Z", "updated_at": "2026-04-10T02:00:03.763147Z", "deleted_at": null, "main_name": "TUNGSTEN BRIDGE", "aliases": [ "APT-C-06 ", "ATK52 ", "CTG-1948 ", "DUBNIUM ", "DarkHotel ", "Fallout Team ", "Shadow Crane ", "Zigzag Hail " ], "source_name": "Secureworks:TUNGSTEN BRIDGE", "tools": [ "Nemim", "Tapaoux" ], "source_id": "Secureworks", "reports": null }, { "id": "e61c46f7-88a1-421a-9fed-0cfe2eeb820a", "created_at": "2022-10-25T16:07:24.061767Z", "updated_at": "2026-04-10T02:00:04.854503Z", "deleted_at": null, "main_name": "Platinum", "aliases": [ "ATK 33", "G0068", "Operation EasternRoppels", "TwoForOne" ], "source_name": "ETDA:Platinum", "tools": [ "AMTsol", "Adupib", "Adupihan", "Dipsind", "DvDupdate.dll", "JPIN", "LOLBAS", "LOLBins", "Living off the Land", "RedPepper", "RedSalt", "Titanium", "adbupd", "psinstrc.ps1" ], "source_id": "ETDA", "reports": null }, { "id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c", "created_at": "2022-10-25T15:50:23.819113Z", "updated_at": "2026-04-10T02:00:05.354598Z", "deleted_at": null, "main_name": "Threat Group-3390", "aliases": [ "Threat Group-3390", "Earth Smilodon", "TG-3390", "Emissary Panda", "BRONZE UNION", "APT27", "Iron Tiger", "LuckyMouse", "Linen Typhoon" ], "source_name": "MITRE:Threat Group-3390", "tools": [ "Systeminfo", "gsecdump", "PlugX", "ASPXSpy", "Cobalt Strike", "Mimikatz", "Impacket", "gh0st RAT", "certutil", "China Chopper", "HTTPBrowser", "Tasklist", "netstat", "SysUpdate", "HyperBro", "ZxShell", "RCSession", "ipconfig", "Clambling", "pwdump", "NBTscan", "Pandora", "Windows Credential Editor" ], "source_id": "MITRE", "reports": null }, { "id": "029625d2-9734-44f9-9e10-b894b4f57f08", "created_at": "2023-01-06T13:46:38.364105Z", "updated_at": "2026-04-10T02:00:02.944092Z", "deleted_at": null, "main_name": "Charming Kitten", "aliases": [ "iKittens", "Group 83", "NewsBeef", "G0058", "CharmingCypress", "Mint Sandstorm", "Parastoo" ], "source_name": "MISPGALAXY:Charming Kitten", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac", "created_at": "2022-10-25T16:07:24.349252Z", "updated_at": "2026-04-10T02:00:04.949821Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "ATK 13", "Belugasturgeon", "Blue Python", "CTG-8875", "G0010", "Group 88", "ITG12", "Iron Hunter", "Krypton", "Makersmark", "Operation Epic Turla", "Operation Moonlight Maze", "Operation Penguin Turla", "Operation Satellite Turla", "Operation Skipper Turla", "Operation Turla Mosquito", "Operation WITCHCOVEN", "Pacifier APT", "Pensive Ursa", "Popeye", "SIG15", "SIG2", "SIG23", "Secret Blizzard", "TAG-0530", "Turla", "UNC4210", "Venomous Bear", "Waterbug" ], "source_name": "ETDA:Turla", "tools": [ "ASPXSpy", "ASPXTool", "ATI-Agent", "AdobeARM", "Agent.BTZ", "Agent.DNE", "ApolloShadow", "BigBoss", "COMpfun", "Chinch", "Cloud Duke", "CloudDuke", "CloudLook", "Cobra Carbon System", "ComRAT", "DoublePulsar", "EmPyre", "EmpireProject", "Epic Turla", "EternalBlue", "EternalRomance", "GoldenSky", "Group Policy Results Tool", "HTML5 Encoding", "HyperStack", "IcedCoffee", "IronNetInjector", "KSL0T", "Kapushka", "Kazuar", "KopiLuwak", "Kotel", "LOLBAS", "LOLBins", "LightNeuron", "Living off the Land", "Maintools.js", "Metasploit", "Meterpreter", "MiamiBeach", "Mimikatz", "MiniDionis", "Minit", "NBTscan", "NETTRANS", "NETVulture", "Neptun", "NetFlash", "NewPass", "Outlook Backdoor", "Penquin Turla", "Pfinet", "PowerShell Empire", "PowerShellRunner", "PowerShellRunner-based RPC backdoor", "PowerStallion", "PsExec", "PyFlash", "QUIETCANARY", "Reductor RAT", "RocketMan", "SMBTouch", "SScan", "Satellite Turla", "SilentMoon", "Sun rootkit", "TTNG", "TadjMakhal", "Tavdig", "TinyTurla", "TinyTurla Next Generation", "TinyTurla-NG", "Topinambour", "Tunnus", "Turla", "Turla SilentMoon", "TurlaChopper", "Uroburos", "Urouros", "WCE", "WITCHCOVEN", "WhiteAtlas", "WhiteBear", "Windows Credential Editor", "Windows Credentials Editor", "Wipbot", "WorldCupSec", "XTRANS", "certutil", "certutil.exe", "gpresult", "nbtscan", "nbtstat", "pwdump" ], "source_id": "ETDA", "reports": null }, { "id": "0f09b73e-caa9-40e6-bd0b-c13503e4e94c", "created_at": "2023-01-06T13:46:39.001286Z", "updated_at": "2026-04-10T02:00:03.1772Z", "deleted_at": null, "main_name": "TEMP.Veles", "aliases": [ "Xenotime", "G0088", "ATK91" ], "source_name": "MISPGALAXY:TEMP.Veles", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2b4eec94-7672-4bee-acb2-b857d0d26d12", "created_at": "2023-01-06T13:46:38.272109Z", "updated_at": "2026-04-10T02:00:02.906089Z", "deleted_at": null, "main_name": "DarkHotel", "aliases": [ "T-APT-02", "Nemim", "Nemin", "Shadow Crane", "G0012", "DUBNIUM", "Karba", "APT-C-06", "SIG25", "TUNGSTEN BRIDGE", "Zigzag Hail", "Fallout Team", "Luder", "Tapaoux", "ATK52" ], "source_name": "MISPGALAXY:DarkHotel", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4", "created_at": "2022-10-25T15:50:23.808974Z", "updated_at": "2026-04-10T02:00:05.291959Z", "deleted_at": null, "main_name": "Magic Hound", "aliases": [ "Magic Hound", "TA453", "COBALT ILLUSION", "Charming Kitten", "ITG18", "Phosphorus", "APT35", "Mint Sandstorm" ], "source_name": "MITRE:Magic Hound", "tools": [ "Impacket", "CharmPower", "FRP", "Mimikatz", "Systeminfo", "ipconfig", "netsh", "PowerLess", "Pupy", "DownPaper", "PsExec" ], "source_id": "MITRE", "reports": null }, { "id": "e5ff825b-0456-4013-b90a-971b93def74a", "created_at": "2022-10-25T15:50:23.824058Z", "updated_at": "2026-04-10T02:00:05.377261Z", "deleted_at": null, "main_name": "APT33", "aliases": [ "APT33", "HOLMIUM", "Elfin", "Peach Sandstorm" ], "source_name": "MITRE:APT33", "tools": [ "PowerSploit", "AutoIt backdoor", "PoshC2", "Mimikatz", "NanoCore", "DEADWOOD", "StoneDrill", "POWERTON", "LaZagne", "TURNEDUP", "NETWIRE", "Pupy", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "c0cedde3-5a9b-430f-9b77-e6568307205e", "created_at": "2022-10-25T16:07:23.528994Z", "updated_at": "2026-04-10T02:00:04.642473Z", "deleted_at": null, "main_name": "DarkHotel", "aliases": [ "APT-C-06", "ATK 52", "CTG-1948", "Dubnium", "Fallout Team", "G0012", "G0126", "Higaisa", "Luder", "Operation DarkHotel", "Operation Daybreak", "Operation Inexsmar", "Operation PowerFall", "Operation The Gh0st Remains the Same", "Purple Pygmy", "SIG25", "Shadow Crane", "T-APT-02", "TieOnJoe", "Tungsten Bridge", "Zigzag Hail" ], "source_name": "ETDA:DarkHotel", "tools": [ "Asruex", "DarkHotel", "DmaUp3.exe", "GreezeBackdoor", "Karba", "Nemain", "Nemim", "Ramsay", "Retro", "Tapaoux", "Trojan.Win32.Karba.e", "Virus.Win32.Pioneer.dx", "igfxext.exe", "msieckc.exe" ], "source_id": "ETDA", "reports": null }, { "id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03", "created_at": "2025-08-07T02:03:24.746965Z", "updated_at": "2026-04-10T02:00:03.640335Z", "deleted_at": null, "main_name": "COBALT ILLUSION", "aliases": [ "APT35 ", "APT42 ", "Agent Serpens Palo Alto", "Charming Kitten ", "CharmingCypress ", "Educated Manticore Checkpoint", "ITG18 ", "Magic Hound ", "Mint Sandstorm sub-group ", "NewsBeef ", "Newscaster ", "PHOSPHORUS sub-group ", "TA453 ", "UNC788 ", "Yellow Garuda " ], "source_name": "Secureworks:COBALT ILLUSION", "tools": [ "Browser Exploitation Framework (BeEF)", "MagicHound Toolset", "PupyRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "3c7097f4-849b-4bc0-a7e6-ba2b510722b6", "created_at": "2022-10-25T16:07:23.869951Z", "updated_at": "2026-04-10T02:00:04.766204Z", "deleted_at": null, "main_name": "Mikroceen", "aliases": [ "SixLittleMonkeys" ], "source_name": "ETDA:Mikroceen", "tools": [ "AngryRebel", "Farfli", "Gh0st RAT", "Ghost RAT", "Microcin", "Mikroceen", "Mimikatz", "Moudour", "Mydoor", "PCRat", "logon.dll", "logsupport.dll", "pcaudit.bat", "sqllauncher.dll" ], "source_id": "ETDA", "reports": null }, { "id": "93edf98a-03c1-48b3-a94c-e1bddc24f0e6", "created_at": "2022-10-25T16:07:24.435275Z", "updated_at": "2026-04-10T02:00:04.988022Z", "deleted_at": null, "main_name": "ZooPark", "aliases": [ "APT-C-38", "Cobalt Juno", "Saber Lion", "TG-2884" ], "source_name": "ETDA:ZooPark", "tools": [ "ZooPark" ], "source_id": "ETDA", "reports": null }, { "id": "6e79c98d-c678-4f28-b869-5723a78e71f4", "created_at": "2023-01-06T13:46:39.422441Z", "updated_at": "2026-04-10T02:00:03.322083Z", "deleted_at": null, "main_name": "Vicious Panda", "aliases": [ "SixLittleMonkeys" ], "source_name": "MISPGALAXY:Vicious Panda", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "156b3bc5-14b7-48e1-b19d-23aa17492621", "created_at": "2025-08-07T02:03:24.793494Z", "updated_at": "2026-04-10T02:00:03.634641Z", "deleted_at": null, "main_name": "COBALT ULSTER", "aliases": [ "Boggy Serpens ", "ENT-11 ", "Earth Vetala ", "ITG17 ", "MERCURY ", "Mango Sandstorm ", "MuddyWater ", "STAC 1171 ", "Seedworm ", "Static Kitten ", "TA450 ", "TEMP.Zagros ", "UNC3313 ", "Yellow Nix " ], "source_name": "Secureworks:COBALT ULSTER", "tools": [ "CrackMapExec", "Empire", "FORELORD", "Koadic", "LaZagne", "Metasploit", "Mimikatz", "Plink", "PowerStats" ], "source_id": "Secureworks", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "75024aad-424b-449a-b286-352fe9226bcb", "created_at": "2023-01-06T13:46:38.962724Z", "updated_at": "2026-04-10T02:00:03.164536Z", "deleted_at": null, "main_name": "BlackTech", "aliases": [ "CIRCUIT PANDA", "Temp.Overboard", "Palmerworm", "G0098", "T-APT-03", "Manga Taurus", "Earth Hundun", "Mobwork", "HUAPI", "Red Djinn", "Canary Typhoon" ], "source_name": "MISPGALAXY:BlackTech", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7", "created_at": "2025-08-07T02:03:24.764883Z", "updated_at": "2026-04-10T02:00:03.611225Z", "deleted_at": null, "main_name": "COBALT MIRAGE", "aliases": [ "DEV-0270 ", "Nemesis Kitten ", "PHOSPHORUS ", "TunnelVision ", "UNC2448 " ], "source_name": "Secureworks:COBALT MIRAGE", "tools": [ "BitLocker", "Custom powershell scripts", "DiskCryptor", "Drokbk", "FRPC", "Fast Reverse Proxy (FRP)", "Impacket wmiexec", "Ngrok", "Plink", "PowerLessCLR", "TunnelFish" ], "source_id": "Secureworks", "reports": null }, { "id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b", "created_at": "2025-08-07T02:03:24.722093Z", "updated_at": "2026-04-10T02:00:03.681914Z", "deleted_at": null, "main_name": "COBALT EDGEWATER", "aliases": [ "APT34 ", "Cold River ", "DNSpionage " ], "source_name": "Secureworks:COBALT EDGEWATER", "tools": [ "AgentDrable", "DNSpionage", "Karkoff", "MailDropper", "SideTwist", "TWOTONE" ], "source_id": "Secureworks", "reports": null }, { "id": "c786e025-c267-40bd-9491-328da70811a5", "created_at": "2025-08-07T02:03:24.736817Z", "updated_at": "2026-04-10T02:00:03.752071Z", "deleted_at": null, "main_name": "COBALT GYPSY", "aliases": [ "APT34 ", "CHRYSENE ", "Crambus ", "EUROPIUM ", "Hazel Sandstorm ", "Helix Kitten ", "ITG13 ", "OilRig ", "Yellow Maero " ], "source_name": "Secureworks:COBALT GYPSY", "tools": [ "Glimpse", "Helminth", "Jason", "MacDownloader", "PoisonFrog", "RGDoor", "ThreeDollars", "TinyZbot", "Toxocara", "Trichuris", "TwoFace" ], "source_id": "Secureworks", "reports": null }, { "id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b", "created_at": "2025-08-07T02:03:24.569066Z", "updated_at": "2026-04-10T02:00:03.730864Z", "deleted_at": null, "main_name": "BRONZE CANAL", "aliases": [ "BlackTech", "CTG-6177 ", "Circuit Panda ", "Earth Hundun", "Palmerworm ", "Red Djinn", "Shrouded Crossbow " ], "source_name": "Secureworks:BRONZE CANAL", "tools": [ "Bifrose", "DRIGO", "Deuterbear", "Flagpro", "Gh0stTimes", "KIVARS", "PLEAD", "Spiderpig", "Waterbear", "XBOW" ], "source_id": "Secureworks", "reports": null }, { "id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f", "created_at": "2023-01-06T13:46:38.367369Z", "updated_at": "2026-04-10T02:00:02.945356Z", "deleted_at": null, "main_name": "APT33", "aliases": [ "Elfin", "MAGNALLIUM", "HOLMIUM", "COBALT TRINITY", "G0064", "ATK35", "Peach Sandstorm", "TA451", "APT 33", "Refined Kitten" ], "source_name": "MISPGALAXY:APT33", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a97fee0d-af4b-4661-ae17-858925438fc4", "created_at": "2023-01-06T13:46:38.396415Z", "updated_at": "2026-04-10T02:00:02.957137Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "TAG_0530", "Pacifier APT", "Blue Python", "UNC4210", "UAC-0003", "VENOMOUS Bear", "Waterbug", "Pfinet", "KRYPTON", "Popeye", "SIG23", "ATK13", "ITG12", "Group 88", "Uroburos", "Hippo Team", "IRON HUNTER", "MAKERSMARK", "Secret Blizzard", "UAC-0144", "UAC-0024", "G0010" ], "source_name": "MISPGALAXY:Turla", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "67709937-2186-4a32-b64c-a5693d40ac77", "created_at": "2023-01-06T13:46:38.495593Z", "updated_at": "2026-04-10T02:00:02.999196Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "Crambus", "Helix Kitten", "APT34", "IRN2", "ATK40", "G0049", "EUROPIUM", "TA452", "Twisted Kitten", "Cobalt Gypsy", "APT 34", "Evasive Serpens", "Hazel Sandstorm", "Earth Simnavaz" ], "source_name": "MISPGALAXY:OilRig", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3", "created_at": "2022-10-25T15:50:23.509601Z", "updated_at": "2026-04-10T02:00:05.277674Z", "deleted_at": null, "main_name": "Turla", "aliases": [ "Turla", "IRON HUNTER", "Group 88", "Waterbug", "WhiteBear", "Krypton", "Venomous Bear", "Secret Blizzard", "BELUGASTURGEON" ], "source_name": "MITRE:Turla", "tools": [ "PsExec", "nbtstat", "ComRAT", "netstat", "certutil", "KOPILUWAK", "IronNetInjector", "LunarWeb", "Arp", "Uroburos", "PowerStallion", "Kazuar", "Systeminfo", "LightNeuron", "Mimikatz", "Tasklist", "LunarMail", "HyperStack", "NBTscan", "TinyTurla", "Penquin", "LunarLoader" ], "source_id": "MITRE", "reports": null }, { "id": "b938e2e3-3d1b-4b35-a031-ddf25b912557", "created_at": "2022-10-25T16:07:23.35582Z", "updated_at": "2026-04-10T02:00:04.55531Z", "deleted_at": null, "main_name": "APT 33", "aliases": [ "APT 33", "ATK 35", "Cobalt Trinity", "Curious Serpens", "Elfin", "G0064", "Holmium", "Magnallium", "Peach Sandstorm", "Refined Kitten", "TA451", "Yellow Orc" ], "source_name": "ETDA:APT 33", "tools": [ "Atros2.CKPN", "AutoIt backdoor", "Breut", "CinaRAT", "DROPSHOT", "DarkComet", "DarkKomet", "DistTrack", "EmPyre", "EmpireProject", "FYNLOS", "FalseFont", "Filerase", "Fynloski", "JuicyPotato", "Krademok", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "Mimikatz", "Nancrat", "NanoCore", "NanoCore RAT", "NetWeird", "NetWire", "NetWire RAT", "NetWire RC", "NetWired RC", "Notestuk", "POWERTON", "PoshC2", "PowerBand", "PowerShell Empire", "PowerSploit", "PsList", "Pupy", "PupyRAT", "Quasar RAT", "QuasarRAT", "Recam", "Remcos", "RemcosRAT", "Remvio", "SHAPESHIFT", "Shamoon", "Socmer", "StoneDrill", "TURNEDUP", "Tickler", "Yggdrasil", "Zurten", "klovbot", "pupy" ], "source_id": "ETDA", "reports": null }, { "id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f", "created_at": "2022-10-25T16:07:23.83826Z", "updated_at": "2026-04-10T02:00:04.761303Z", "deleted_at": null, "main_name": "Magic Hound", "aliases": [ "APT 35", "Agent Serpens", "Ballistic Bobcat", "Charming Kitten", "CharmingCypress", "Cobalt Illusion", "Cobalt Mirage", "Educated Manticore", "G0058", "G0059", "Magic Hound", "Mint Sandstorm", "Operation BadBlood", "Operation Sponsoring Access", "Operation SpoofedScholars", "Operation Thamar Reservoir", "Phosphorus", "TA453", "TEMP.Beanie", "Tarh Andishan", "Timberworm", "TunnelVision", "UNC788", "Yellow Garuda" ], "source_name": "ETDA:Magic Hound", "tools": [ "7-Zip", "AnvilEcho", "BASICSTAR", "CORRUPT KITTEN", "CWoolger", "CharmPower", "ChromeHistoryView", "CommandCam", "DistTrack", "DownPaper", "FRP", "Fast Reverse Proxy", "FireMalv", "Ghambar", "GoProxy", "GorjolEcho", "HYPERSCRAPE", "Havij", "MPK", "MPKBot", "Matryoshka", "Matryoshka RAT", "MediaPl", "Mimikatz", "MischiefTut", "NETWoolger", "NOKNOK", "PINEFLOWER", "POWERSTAR", "PowerLess Backdoor", "PsList", "Pupy", "PupyRAT", "SNAILPROXY", "Shamoon", "TDTESS", "WinRAR", "WoolenLogger", "Woolger", "pupy", "sqlmap" ], "source_id": "ETDA", "reports": null }, { "id": "730dfa6e-572d-473c-9267-ea1597d1a42b", "created_at": "2023-01-06T13:46:38.389985Z", "updated_at": "2026-04-10T02:00:02.954105Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "Pawn Storm", "ATK5", "Fighting Ursa", "Blue Athena", "TA422", "T-APT-12", "APT-C-20", "UAC-0001", "IRON TWILIGHT", "SIG40", "UAC-0028", "Sofacy", "BlueDelta", "Fancy Bear", "GruesomeLarch", "Group 74", "ITG05", "FROZENLAKE", "Forest Blizzard", "FANCY BEAR", "Sednit", "SNAKEMACKEREL", "Tsar Team", "TG-4127", "STRONTIUM", "Grizzly Steppe", "G0007" ], "source_name": "MISPGALAXY:APT28", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb", "created_at": "2022-10-25T16:07:23.880522Z", "updated_at": "2026-04-10T02:00:04.775749Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "ATK 51", "Boggy Serpens", "Cobalt Ulster", "G0069", "ITG17", "Mango Sandstorm", "MuddyWater", "Operation BlackWater", "Operation Earth Vetala", "Operation Quicksand", "Seedworm", "Static Kitten", "T-APT-14", "TA450", "TEMP.Zagros", "Yellow Nix" ], "source_name": "ETDA:MuddyWater", "tools": [ "Agentemis", "BugSleep", "CLOUDSTATS", "ChromeCookiesView", "Cobalt Strike", "CobaltStrike", "CrackMapExec", "DCHSpy", "DELPHSTATS", "EmPyre", "EmpireProject", "FruityC2", "Koadic", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "MZCookiesView", "Meterpreter", "Mimikatz", "MuddyC2Go", "MuddyRot", "Mudwater", "POWERSTATS", "PRB-Backdoor", "PhonyC2", "PowGoop", "PowerShell Empire", "PowerSploit", "Powermud", "QUADAGENT", "SHARPSTATS", "SSF", "Secure Socket Funneling", "Shootback", "Smbmap", "Valyria", "chrome-passwords", "cobeacon", "prb_backdoor" ], "source_id": "ETDA", "reports": null }, { "id": "20012494-3f05-48ce-8c0f-92455e46a4f9", "created_at": "2022-10-25T16:07:24.319939Z", "updated_at": "2026-04-10T02:00:04.934107Z", "deleted_at": null, "main_name": "TEMP.Veles", "aliases": [ "ATK 91", "G0088", "Xenotime" ], "source_name": "ETDA:TEMP.Veles", "tools": [ "Cryptcat", "HatMan", "Mimikatz", "NetExec", "PsExec", "SecHack", "TRISIS", "TRITON", "Trisis", "Triton", "Wii" ], "source_id": "ETDA", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0", "created_at": "2022-10-25T15:50:23.240383Z", "updated_at": "2026-04-10T02:00:05.299433Z", "deleted_at": null, "main_name": "APT38", "aliases": [ "APT38", "NICKEL GLADSTONE", "BeagleBoyz", "Bluenoroff", "Stardust Chollima", "Sapphire Sleet", "COPERNICIUM" ], "source_name": "MITRE:APT38", "tools": [ "ECCENTRICBANDWAGON", "HOPLIGHT", "Mimikatz", "KillDisk", "DarkComet" ], "source_id": "MITRE", "reports": null }, { "id": "33f527a5-a5da-496a-a48c-7807cc858c3e", "created_at": "2022-10-25T15:50:23.803657Z", "updated_at": "2026-04-10T02:00:05.333523Z", "deleted_at": null, "main_name": "PLATINUM", "aliases": [ "PLATINUM" ], "source_name": "MITRE:PLATINUM", "tools": [ "JPIN", "Dipsind", "adbupd" ], "source_id": "MITRE", "reports": null }, { "id": "5da6b5fd-1955-412a-81aa-069fb50b6e31", "created_at": "2025-08-07T02:03:25.116085Z", "updated_at": "2026-04-10T02:00:03.668978Z", "deleted_at": null, "main_name": "TIN WOODLAWN", "aliases": [ "APT32 ", "Cobalt Kitty", "OceanLotus", "WOODLAWN " ], "source_name": "Secureworks:TIN WOODLAWN", "tools": [ "Cobalt Strike", "Denis", "Goopy", "JEShell", "KerrDown", "Mimikatz", "Ratsnif", "Remy", "Rizzo", "RolandRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd", "created_at": "2022-10-25T16:07:23.766784Z", "updated_at": "2026-04-10T02:00:04.7432Z", "deleted_at": null, "main_name": "Bluenoroff", "aliases": [ "APT 38", "ATK 117", "Alluring Pisces", "Black Alicanto", "Bluenoroff", "CTG-6459", "Copernicium", "G0082", "Nickel Gladstone", "Sapphire Sleet", "Selective Pisces", "Stardust Chollima", "T-APT-15", "TA444", "TAG-71", "TEMP.Hermit" ], "source_name": "ETDA:Bluenoroff", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "5c13338b-eaed-429a-9437-f5015aa98276", "created_at": "2022-10-25T16:07:23.582715Z", "updated_at": "2026-04-10T02:00:04.675765Z", "deleted_at": null, "main_name": "Emissary Panda", "aliases": [ "APT 27", "ATK 15", "Bronze Union", "Budworm", "Circle Typhoon", "Earth Smilodon", "Emissary Panda", "G0027", "Group 35", "Iron Taurus", "Iron Tiger", "Linen Typhoon", "LuckyMouse", "Operation DRBControl", "Operation Iron Tiger", "Operation PZChao", "Operation SpoiledLegacy", "Operation StealthyTrident", "Red Phoenix", "TEMP.Hippo", "TG-3390", "ZipToken" ], "source_name": "ETDA:Emissary Panda", "tools": [ "ASPXSpy", "ASPXTool", "Agent.dhwf", "AngryRebel", "Antak", "CHINACHOPPER", "China Chopper", "Destroy RAT", "DestroyRAT", "FOCUSFJORD", "Farfli", "Gh0st RAT", "Ghost RAT", "HTTPBrowser", "HTran", "HUC Packet Transmit Tool", "HighShell", "HttpBrowser RAT", "HttpDump", "HyperBro", "HyperSSL", "HyperShell", "Kaba", "Korplug", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "Moudour", "Mydoor", "Nishang", "OwaAuth", "PCRat", "PlugX", "ProcDump", "PsExec", "RedDelta", "SEASHARPEE", "Sensocode", "SinoChopper", "Sogu", "SysUpdate", "TIGERPLUG", "TVT", "Thoper", "Token Control", "TokenControl", "TwoFace", "WCE", "Windows Credential Editor", "Windows Credentials Editor", "Xamtrav", "ZXShell", "gsecdump", "luckyowa" ], "source_id": "ETDA", "reports": null }, { "id": "2439ad53-39cc-4fff-8fdf-4028d65803c0", "created_at": "2022-10-25T16:07:23.353204Z", "updated_at": "2026-04-10T02:00:04.55407Z", "deleted_at": null, "main_name": "APT 32", "aliases": [ "APT 32", "APT-C-00", "APT-LY-100", "ATK 17", "G0050", "Lotus Bane", "Ocean Buffalo", "OceanLotus", "Operation Cobalt Kitty", "Operation PhantomLance", "Pond Loach", "SeaLotus", "SectorF01", "Tin Woodlawn" ], "source_name": "ETDA:APT 32", "tools": [ "Agentemis", "Android.Backdoor.736.origin", "AtNow", "Backdoor.MacOS.OCEANLOTUS.F", "BadCake", "CACTUSTORCH", "CamCapture Plugin", "CinaRAT", "Cobalt Strike", "CobaltStrike", "Cuegoe", "DKMC", "Denis", "Goopy", "HiddenLotus", "KOMPROGO", "KerrDown", "METALJACK", "MSFvenom", "Mimikatz", "Nishang", "OSX_OCEANLOTUS.D", "OceanLotus", "PHOREAL", "PWNDROID1", "PhantomLance", "PowerSploit", "Quasar RAT", "QuasarRAT", "RatSnif", "Remy", "Remy RAT", "Rizzo", "Roland", "Roland RAT", "SOUNDBITE", "Salgorea", "Splinter RAT", "Terracotta VPN", "Yggdrasil", "cobeacon", "denesRAT", "fingerprintjs2" ], "source_id": "ETDA", "reports": null }, { "id": "e3767160-695d-4360-8b2e-d5274db3f7cd", "created_at": "2022-10-25T16:47:55.914348Z", "updated_at": "2026-04-10T02:00:03.610018Z", "deleted_at": null, "main_name": "IRON TWILIGHT", "aliases": [ "APT28 ", "ATK5 ", "Blue Athena ", "BlueDelta ", "FROZENLAKE ", "Fancy Bear ", "Fighting Ursa ", "Forest Blizzard ", "GRAPHITE ", "Group 74 ", "PawnStorm ", "STRONTIUM ", "Sednit ", "Snakemackerel ", "Sofacy ", "TA422 ", "TG-4127 ", "Tsar Team ", "UAC-0001 " ], "source_name": "Secureworks:IRON TWILIGHT", "tools": [ "Downdelph", "EVILTOSS", "SEDUPLOADER", "SHARPFRONT" ], "source_id": "Secureworks", "reports": null }, { "id": "236a8303-bf12-4787-b6d0-549b44271a19", "created_at": "2024-06-04T02:03:07.966137Z", "updated_at": "2026-04-10T02:00:03.706923Z", "deleted_at": null, "main_name": "IRON TILDEN", "aliases": [ "ACTINIUM ", "Aqua Blizzard ", "Armageddon", "Blue Otso ", "BlueAlpha ", "Dancing Salome ", "Gamaredon", "Gamaredon Group", "Hive0051 ", "Primitive Bear ", "Shuckworm ", "Trident Ursa ", "UAC-0010 ", "UNC530 ", "WinterFlounder " ], "source_name": "Secureworks:IRON TILDEN", "tools": [ "Pterodo" ], "source_id": "Secureworks", "reports": null }, { "id": "ae320ed7-9a63-42ed-944b-44ada7313495", "created_at": "2022-10-25T15:50:23.671663Z", "updated_at": "2026-04-10T02:00:05.283292Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127", "Forest Blizzard", "FROZENLAKE", "GruesomeLarch" ], "source_name": "MITRE:APT28", "tools": [ "Wevtutil", "certutil", "Forfiles", "DealersChoice", "Mimikatz", "ADVSTORESHELL", "Komplex", "HIDEDRV", "JHUHUGIT", "Koadic", "Winexe", "cipher.exe", "XTunnel", "Drovorub", "CORESHELL", "OLDBAIT", "Downdelph", "XAgentOSX", "USBStealer", "Zebrocy", "reGeorg", "Fysbis", "LoJax" ], "source_id": "MITRE", "reports": null }, { "id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab", "created_at": "2022-10-25T16:07:24.212584Z", "updated_at": "2026-04-10T02:00:04.900038Z", "deleted_at": null, "main_name": "Sofacy", "aliases": [ "APT 28", "ATK 5", "Blue Athena", "BlueDelta", "FROZENLAKE", "Fancy Bear", "Fighting Ursa", "Forest Blizzard", "G0007", "Grey-Cloud", "Grizzly Steppe", "Group 74", "GruesomeLarch", "ITG05", "Iron Twilight", "Operation DealersChoice", "Operation Dear Joohn", "Operation Komplex", "Operation Pawn Storm", "Operation RoundPress", "Operation Russian Doll", "Operation Steal-It", "Pawn Storm", "SIG40", "Sednit", "Snakemackerel", "Sofacy", "Strontium", "T-APT-12", "TA422", "TAG-0700", "TAG-110", "TG-4127", "Tsar Team", "UAC-0028", "UAC-0063" ], "source_name": "ETDA:Sofacy", "tools": [ "ADVSTORESHELL", "AZZY", "Backdoor.SofacyX", "CHERRYSPY", "CORESHELL", "Carberp", "Computrace", "DealersChoice", "Delphacy", "Downdelph", "Downrage", "Drovorub", "EVILTOSS", "Foozer", "GAMEFISH", "GooseEgg", "Graphite", "HATVIBE", "HIDEDRV", "Headlace", "Impacket", "JHUHUGIT", "JKEYSKW", "Koadic", "Komplex", "LOLBAS", "LOLBins", "Living off the Land", "LoJack", "LoJax", "MASEPIE", "Mimikatz", "NETUI", "Nimcy", "OCEANMAP", "OLDBAIT", "PocoDown", "PocoDownloader", "Popr-d30", "ProcDump", "PythocyDbg", "SMBExec", "SOURFACE", "SPLM", "STEELHOOK", "Sasfis", "Sedkit", "Sednit", "Sedreco", "Seduploader", "Shunnael", "SkinnyBoy", "Sofacy", "SofacyCarberp", "SpiderLabs Responder", "Trojan.Shunnael", "Trojan.Sofacy", "USB Stealer", "USBStealer", "VPNFilter", "Win32/USBStealer", "WinIDS", "Winexe", "X-Agent", "X-Tunnel", "XAPS", "XTunnel", "Xagent", "Zebrocy", "Zekapab", "carberplike", "certutil", "certutil.exe", "fysbis", "webhp" ], "source_id": "ETDA", "reports": null }, { "id": "b6436f7b-6012-4969-aed1-d440e2e8b238", "created_at": "2022-10-25T16:07:23.91517Z", "updated_at": "2026-04-10T02:00:04.788408Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "APT 34", "ATK 40", "Chrysene", "Cobalt Gypsy", "Crambus", "DEV-0861", "EUROPIUM", "Earth Simnavaz", "Evasive Serpens", "G0049", "Hazel Sandstorm", "Helix Kitten", "IRN2", "ITG13", "Scarred Manticore", "Storm-0861", "TA452", "Twisted Kitten", "UNC1860", "Yellow Maero" ], "source_name": "ETDA:OilRig", "tools": [ "AMATIAS", "Agent Drable", "Agent Injector", "AgentDrable", "Alma Communicator", "BONDUPDATER", "CACTUSPIPE", "Clayslide", "CypherRat", "DNSExfitrator", "DNSpionage", "DROPSHOT", "DistTrack", "DropperBackdoor", "Fox Panel", "GREYSTUFF", "GoogleDrive RAT", "HighShell", "HyperShell", "ISMAgent", "ISMDoor", "ISMInjector", "Jason", "Karkoff", "LIONTAIL", "LOLBAS", "LOLBins", "LONGWATCH", "LaZagne", "Living off the Land", "MailDropper", "Mimikatz", "MrPerfectInstaller", "OILYFACE", "OopsIE", "POWBAT", "POWRUNER", "Plink", "Poison Frog", "PowerExchange", "PsList", "PuTTY Link", "QUADAGENT", "RDAT", "RGDoor", "SEASHARPEE", "Saitama", "Saitama Backdoor", "Shamoon", "SideTwist", "SpyNote", "SpyNote RAT", "StoneDrill", "TONEDEAF", "TONEDEAF 2.0", "ThreeDollars", "TwoFace", "VALUEVAULT", "Webmask", "WinRAR", "ZEROCLEAR", "ZeroCleare", "certutil", "certutil.exe" ], "source_id": "ETDA", "reports": null }, { "id": "9b02c527-5077-489e-9a80-5d88947fddab", "created_at": "2022-10-25T16:07:24.103499Z", "updated_at": "2026-04-10T02:00:04.867181Z", "deleted_at": null, "main_name": "Reaper", "aliases": [ "APT 37", "ATK 4", "Cerium", "Crooked Pisces", "G0067", "Geumseong121", "Group 123", "ITG10", "InkySquid", "Moldy Pisces", "Opal Sleet", "Operation Are You Happy?", "Operation Battle Cruiser", "Operation Black Banner", "Operation Daybreak", "Operation Dragon messenger", "Operation Erebus", "Operation Evil New Year", "Operation Evil New Year 2018", "Operation Fractured Block", "Operation Fractured Statue", "Operation FreeMilk", "Operation Golden Bird", "Operation Golden Time", "Operation High Expert", "Operation Holiday Wiper", "Operation Korean Sword", "Operation North Korean Human Right", "Operation Onezero", "Operation Rocket Man", "Operation SHROUDED#SLEEP", "Operation STARK#MULE", "Operation STIFF#BIZON", "Operation Spy Cloud", "Operation Star Cruiser", "Operation ToyBox Story", "Osmium", "Red Eyes", "Ricochet Chollima", "Ruby Sleet", "ScarCruft", "TA-RedAnt", "TEMP.Reaper", "Venus 121" ], "source_name": "ETDA:Reaper", "tools": [ "Agentemis", "BLUELIGHT", "Backdoor.APT.POORAIM", "CARROTBALL", "CARROTBAT", "CORALDECK", "Cobalt Strike", "CobaltStrike", "DOGCALL", "Erebus", "Exploit.APT.RICECURRY", "Final1stSpy", "Freenki Loader", "GELCAPSULE", "GOLDBACKDOOR", "GreezeBackdoor", "HAPPYWORK", "JinhoSpy", "KARAE", "KevDroid", "Konni", "MILKDROP", "N1stAgent", "NavRAT", "Nokki", "Oceansalt", "POORAIM", "PoohMilk", "PoohMilk Loader", "RICECURRY", "RUHAPPY", "RokRAT", "SHUTTERSPEED", "SLOWDRIFT", "SOUNDWAVE", "SYSCON", "Sanny", "ScarCruft", "StarCruft", "Syscon", "VeilShell", "WINERACK", "ZUMKONG", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434372, "ts_updated_at": 1775826680, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/8751286badf3f14c328ac57f46367b165e60de52.pdf", "text": "https://archive.orkl.eu/8751286badf3f14c328ac57f46367b165e60de52.txt", "img": "https://archive.orkl.eu/8751286badf3f14c328ac57f46367b165e60de52.jpg" } }