{
	"id": "e8e557de-efd3-4cbd-bd86-7957b2eeaa76",
	"created_at": "2026-04-06T00:10:50.129477Z",
	"updated_at": "2026-04-10T13:11:22.0511Z",
	"deleted_at": null,
	"sha1_hash": "87ee12fbbec7246bbb8e3f493b77b3d69a79f147",
	"title": "Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 87137,
	"plain_text": "Threat Actor TA505 Targets Financial Enterprises Using LOLBins\r\nand a New Backdoor Malware\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-02 12:30:40 UTC\r\nResearch By: Eli Salem\r\nThe cybersecurity community has long known that any information technology tool that is used for legitimate\r\npurposes can also be manipulated by attackers to enhance their malware. Recently, however, many native\r\nWindows OS processes are being used for malicious purposes as well.\r\nIn this research, we introduce a meticulously planned, malicious operation against a financial institution in April\r\nof 2019. This advanced operation combines a targeted phishing attack with advanced tools that gather intel on the\r\nenvironment. The operation chooses whether or not to create persistence and installs a sophisticated backdoor\r\ncalled ServHelper used to take over the network.\r\nKey Aspects of TA505’s Operation\r\nHighly targeted phishing campaign to a small number of specific accounts within the company.\r\nSigned and verified malicious code. This is an extra precaution taken to avoid detection.\r\nA deliberate timeline, indicated by the timing of the phishing attack and the signing of the malicious code.\r\nA selective persistence mechanism and self-destruct commands based on autonomous reconnaissance.\r\nA large emphasis on removal of evidence using self-destruct commands and deleting scripts.\r\nMultiple C2 domains, in the event of blacklisting or inability to connect for another reason.\r\nThe operation integrates four different LOLBins, which indicates the attackers’ continued, advanced\r\nattempts to avoid detection.\r\nThe attack was carried out by TA505, a threat actor that is behind infamous campaigns like the infostealer\r\nmalware Dridex, the Locky ransomware, and more. More recently, TA505 has carried out targeted attacks on multiple\r\ncontinents, including North America, Asia, Africa, and South America. 
Primarily focusing on large financial\r\ninstitutions, this group carries out well-planned, advanced attacks in order to extract valuable data it can later\r\nleverage.\r\nAs 2019 begins, it is clear that the most widely used and effective attack vector for malware is still email.\r\nThe initial phishing attack focused on a number of accounts in a specific financial institution at a single time and\r\ndate. This enterprise was explicitly targeted with a small number of emails to a very small number of accounts\r\nwithin the company. This hints at the possibility of reconnaissance done at an earlier stage of the operation in\r\norder to select the best targets.\r\nThe malware uses a signed and verified certificate from Sectigo RSA Code Signing CA to spread. This is an\r\nextra precaution taken to avoid detection. It gives the malware the appearance of legitimacy when dealing with\r\nvarious defense mechanisms. Furthermore, the malware was signed mere hours prior to the attack, an indication of\r\nthe operation’s deliberate timeline and nature.\r\nhttps://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware\r\nPage 1 of 10\n\nParticularly interesting and unusual is the selective persistence mechanism used by some of the tools in this\r\noperation. Whereas most malware will attempt to gain persistence whenever possible, the tools being used in this\r\noperation create persistence based on their environment. The tools will collect information about the target\r\nmachine and send this information to a remote C2 server, which will decide whether to set up persistence. This is a\r\ntechnique commonly used in advanced operations.\r\nThe attackers clearly placed a large emphasis on covering their tracks. The malware gathered information\r\nspecifically to decide whether to remove evidence from an infected computer. 
This demonstrates the level of care\r\ntaken in this operation, and points to the threat actor’s potential goal: to plant a backdoor that would remain\r\nundetected for as long as possible in order to more effectively exfiltrate data.\r\nThe malware makes extensive and varied use of LOLBins and legitimate, native Windows OS processes to\r\nperform malicious activities, including the delivery of the payload and the implementation of the ServHelper\r\nbackdoor. The ServHelper backdoor used in this operation is a relatively new malware family that was discovered\r\nat the end of 2018. This continues the trend Cybereason researchers have seen over the past several months\r\ntowards the wider adoption of LOLBins for attacks.\r\nCybereason detected the new ServHelper backdoor and analyzed the campaign in order to identify the techniques\r\nand tools being used.\r\nA Breakdown of the ServHelper Backdoor Spear Phishing Campaign\r\nA breakdown of the attack from the Cybereason Platform.\r\nPhase One: Gaining Access\r\nThis attack begins with a spear phishing attack through a targeted email campaign. Over 80 files were sent to 40\r\nemail accounts within the organization, within the span of about an hour. The emails contain Microsoft Excel\r\nattachments with malicious macros. When the file is opened, it loads in Microsoft Excel and urges the user to\r\nenable macros.\r\nThe malicious .xls file that contains the macros.\r\nAfter the victim clicks the Enable Content button, the macro commands are executed and invoke the Windows OS\r\nprocess msiexec.exe. This process is the Windows Installer, a software component and application programming\r\ninterface of Microsoft Windows used for the installation, maintenance, and removal of software.\r\nThe macro commands use msiexec.exe to connect to a remote C2 server and download the first stage payload. A\r\nsecond msiexec.exe process is created to execute the payload and take part in the second stage of the attack chain. 
\r\nmsiexec.exe manipulated to communicate with the C2 server.\r\nAfter a TCP connection is established with the C2 server, a payload named Alg is downloaded to the infected machine.\r\nThis payload is a dropper for several files the malware uses in the second stage of the attack with msiexec.exe.\r\nThe malware being downloaded from the C2 server.\r\nThe full attack tree of the first phase is visible in the Cybereason Platform. This includes all initial activity,\r\nincluding the attempt of the Windows Installer (msiexec.exe) to communicate with the C2 server.\r\nThe infiltration of the malware as seen in the Cybereason Platform.\r\nPhase Two: Deploying the Backdoor\r\nAfter Alg is downloaded, it is loaded as a binary with a .tmp extension into msiexec.exe and begins to execute its\r\nsequence of malicious activity. This temporary file acts as the main dropper of the malware and the deployer of\r\nthe malware across the target machine.\r\nWithin the .tmp file are three folders, which contain two modules, pegas.dll and nsExec.dll, as well as a .nsi script.\r\nAccording to threat intel, NSIS (Nullsoft Scriptable Install System) is a legitimate tool to create installers for\r\nWindows. This indicates the script is used to install something pertinent to the malware. It also allows the attack to\r\nevade detection, as it is a legitimate tool.\r\nThe content inside the temporary file.\r\nThe script contains commands for the .tmp to execute, and instructs the .tmp file to manipulate and execute\r\npegas.dll from a function kest() using the nsExec.dll module. This activity is considered legitimate because NSIS\r\nscripts are legitimate by their nature.\r\nThe NSIS script.\r\nAfter being loaded and executed by msiexec.exe, the temporary file creates several additional files. 
It creates\r\nanother temporary file that will be loaded into the memory map of the creator temporary file, but, more\r\nimportantly, it creates two modules, pegas.dll and nsExec.dll.\r\nThe malware creates the file nsExec.dll.\r\nThe malware creates the file pegas.dll.\r\nIn addition, the temporary file also creates a rundll32.exe process using the Windows command line in order to\r\nload the dropped module pegas.dll and execute it from a function kest().\r\nThe execution command of rundll32.exe that will load pegas.dll.\r\nThe rundll32.exe process executes pegas.dll. These events were detected by the Cybereason Defense Platform.\r\nThe malware deployment in the Cybereason Platform.\r\nFunctionality of Modules\r\nnsExec.dll\r\nThe nsExec.dll module was created by Nullsoft, and is related to the NSIS installers mentioned above. nsExec.dll\r\nwill execute command-line-based programs and capture the output without opening a DOS box. This gives the\r\nattacker the ability to execute the command line and run the rundll32.exe process without anything appearing on the target\r\nmachine’s desktop. This increases the stealthiness of the malware when executing commands from the Windows\r\ncommand line.\r\npegas.dll\r\npegas.dll is the main module responsible for executing the full capabilities of the backdoor. This includes the\r\ncreation of malicious activity in the target machine, including reconnaissance, information stealing, and backdoor\r\ncapabilities. In addition, this module is also responsible for communicating with another C2 server that determines\r\nthe next steps for the malware. These steps are executed by the pegas.dll module.\r\nInterestingly, pegas.dll is actually a module signed and verified by the certificate authority Sectigo RSA Code\r\nSigning CA. This is very unusual, and is the mark of a sophisticated threat actor. 
This certificate authority is also\r\nknown for having been used in the recent, widely reported Norsk Hydro LockerGoga ransomware attack last month. That\r\nattack used a Sectigo certificate to propagate.\r\nThe use of this certificate gives the malware an advantage that most modern malware does not have: legitimacy.\r\nMalware that is “confirmed” and “verified” will appear harmless, and may lower the guard of security and IT\r\nspecialists in an investigation. This shows that the threat actors that developed this malware are more advanced\r\nthan most malware authors.\r\nThe abused certificate.\r\npegas.dll makes use of several defense mechanisms. It is packed twice in order to ensure that it is difficult to\r\nreverse-engineer. In addition, the module was compiled merely a few hours before the spear phishing attack occurred,\r\nwhich ensures it is quite new. Despite this, the Cybereason Defense Platform was able to collect all the data\r\nassociated with the module.\r\nThe malware packed twice.\r\nrundll32.exe executes the module pegas.dll from the function kest(). This function is one of several functions\r\nfrom the malware export table that is responsible for the initial execution of the malicious code.\r\nThe other functions from the export table are loer() and tempora().\r\nThe three export functions.\r\nThese functions share similar functionality in terms of code and functions. All the variables kest() contains also\r\nappear in tempora(). In addition, kest() and loer() share the function FUN_12345f08(), which is essentially the only\r\nfunctionality loer() has.\r\nThe export functions’ pseudo-code in Ghidra.\r\nFUN_12345f08() is one of the most important functions for the malware. The malware authors execute pegas.dll\r\nwith kest() as soon as possible to make use of FUN_12345f08(). 
Within FUN_12345f08() there is a new indicator\r\nof compromise, a domain joisff333.icu that acts as the second C2 for the malware. This domain is reached from\r\nthe rundll32.exe process. In addition, a string enu.ps1 appears, which indicates that this malware will use\r\nPowerShell. Lastly, a string asfasga33fafafaaf is also visible, which appears to be related to the creation of the\r\nmutex BaseNamedObjects\\Global\\asfasga33fafafaaf.\r\nFUN_13246F08 pseudo-code in Ghidra.\r\nUsing static investigation, additional indicative strings become visible that show some of the malware capabilities,\r\nincluding network ability, C2 commands, additional domains, and PowerShell execution activity.\r\nAdditional indicative strings from the unpacked malware.\r\nReconnaissance and Information Collection\r\nAfter the execution of rundll32.exe, the PowerShell script enu.ps1 is executed. This script is encoded with Base64\r\nin order to avoid detection by antivirus products.\r\nenu.ps1 obfuscated using Base64.\r\nUpon decoding the script, it is clear that the script is responsible for gathering reconnaissance on the target\r\nmachine. This includes collecting information with WMI queries to identify if the user is an administrator.\r\nInternal reconnaissance by WMI queries.\r\nThe ServHelper backdoor gathers additional intel on the target machine, including the user’s SID. The SID\r\nS-1-5-32-544 is the identifier for the built-in Administrators group. This includes the local administrator and all local and\r\ndomain administrator user groups. Gathering this information indicates two things: the malware authors are\r\ntargeting organizations as opposed to regular home computer users, and within the organization they are targeting\r\nthe highest priority user machines.\r\nThe malware searching for administrator users. 
\r\nOnce the malware confirms the user on the target machine belongs to the administrators group, it collects information from the\r\nmethod WindowsIdentity.GetCurrent().\r\nThe malware continuing to search for administrator users and collecting information on them.\r\nAfter the malware is able to verify this user is an administrator, it collects additional information about the target\r\nmachine and retrieves data on all file system drives, including virtual drives.\r\nThe malware collecting data about the system drives.\r\nThe last bit of information the script attempts to aggregate is the name of the server and the names of the local\r\ngroups on the computer. It uses net.exe, a legitimate Windows OS process, to collect this information.\r\nLocal group administrators reconnaissance.\r\nThe complete process tree of the deployment of the malware shows four different LOLBins that took part in the\r\nattack cycle. Between the extensive use of LOLBins and the use of a signed and verified module pegas.dll, it is\r\nclear the malware authors went to great lengths to evade detection.\r\nFull process tree in Process Hacker.\r\nPhase Three: The Dynamic C2 Server\r\nAfter deployment, the malware connects to a second C2 domain from rundll32.exe. The malware makes use of\r\nmultiple C2 domains to ensure there is at least one C2 server available to attack from. The C2 server communicates with\r\npegas.dll to decide the malware execution’s next steps.\r\nThe second C2 server responds depending on the information gathered on the target machine. This is an indication\r\nof the level of sophistication of the malware. 
Whereas most malware collects and sends data to a fixed C2 server,\r\nwhich responds the same regardless of the information, this malware takes a more dynamic approach.\r\nThe malware communicates with its second C2 server.\r\nInteraction with the Second C2 Server\r\nIn the process of communicating with the C2 domain, there are several key commands and activities that the\r\nmalware performs. Some of these activities are known from previous variants seen in the wild.\r\nAbusing Certificates\r\nThe following network activity observed from msiexec.exe illustrates how the malware leveraged a signed and\r\nverified certificate from Sectigo RSA Code Signing CA to propagate.\r\nAbusing certificate traffic.\r\nExecuting Reconnaissance\r\nThe shell command is responsible for executing the net user /domain command on the target machine. This\r\ncommand is a remote control command that allows the attacker to execute additional reconnaissance activities.\r\nExecuting the net user /domain command.\r\nThe Persistence Mechanism\r\nThe persist command is responsible for the malware persistence mechanism on the target machine. The C2 server\r\ndecides whether to create persistence. This is another major indication of the sophistication of the malware, as the\r\nmalware does not create persistence on every target machine, but only does so on certain computers.\r\nThe C2 server informs the malware to create persistence.\r\nAfter the persist command is sent by the C2 server, the malware creates persistence using the registry. It creates a\r\nregistry entry named Intel Protect under the Run key and stores pegas.dll as the value.\r\nPersistence mechanism.\r\nInternal Reconnaissance\r\nThe malware changes its behavior based on the information it gathers from the infected machine. 
This information\r\nis stored in the HTTP payload of the request to the URL /jquery/jquery.php that the infected machine delivers to the C2\r\ndomain.\r\nThe information is divided into four hardcoded parameters:\r\nKey: the hardcoded parameter that stays the same in every iteration of the malware.\r\nSysid: the information about the operating system, service pack, and computer name.\r\nResp: the information about whether the user has administrator group privileges in the Active Directory.\r\nMisc: additional information regarding the PowerShell file. This is the newest parameter, and was observed\r\nonly in this version of ServHelper. This includes additional reconnaissance to help decide persistence.\r\nFour hardcoded strings that will be used to deliver information to the C2 server.\r\nThe behavioral change in the malware’s response to the C2 domain is dependent on whether the infected machine\r\nis a high priority target for the malware authors. When the machine is not a valuable target, the Resp parameter\r\nis filled with “The specified domain either does not exist or could not be contacted”.\r\nThe malware informs the C2 server about the findings (No AD admin).\r\nIf the malware identifies that the target machine is valuable, it fills the Resp parameter with “User accounts\r\nfor testing.com” (the domain controller), followed by the names of the groups and accounts the machine has, such as\r\n“Administrator”, along with the name of the user.\r\nThe malware informs the C2 server about the findings (With AD admin).\r\nSimilar to many kinds of backdoor malware, ServHelper is able to lurk quietly in a sleep state. This is a known\r\nbackdoor characteristic that lets the malware stay under the radar and strike at the exact time the attacker wants to\r\nactivate additional malicious activities. ServHelper gets information about the target machine date and time using\r\nthe function GetSystemTime(). 
\r\nThe malware staying under the radar using the sleep function.\r\nThe malware contains several other commands known to be associated with ServHelper that appear in the strings\r\nmentioned above. These include:\r\nloaddl: a command responsible for downloading and executing additional modules using the rundll32.exe\r\nprocess.\r\nselfkill: a command that is responsible for self-terminating and deleting the malware from the machine.\r\nThe events that indicate the attempts to connect to the C2 server are identified by the Cybereason Defense\r\nPlatform.\r\nThe data exfiltration attempt within the Cybereason Platform.\r\nConclusion\r\nThrough the evaluation of this malware, we discovered an evasive infection technique used to deploy the newest\r\nvariant of the ServHelper backdoor. We were able to detect and evaluate a targeted spear phishing attack\r\nconducted by the malware authors. This signals a continuation of an existing trend towards phishing attacks as an\r\ninitial attack vector.\r\nIn this discovery, we highlighted the use of legitimate, native Windows OS processes to perform malicious\r\nactivities and deliver a payload without being detected, as well as how the ServHelper backdoor operates and\r\ndeploys itself without being noticed. We also showed how sophisticated this backdoor is, and how it specifically\r\ntargets valuable machines and users in order to maximize potential damage.\r\nThe analysis of the tools and techniques used in this ServHelper spear phishing attack shows how effective\r\nLOLBins are at evading antivirus products and how malware authors can maximize their use. This furthers\r\nthe trend we have seen since 2018 towards more common use of LOLBins. 
This research is an example of\r\nwidespread LOLBin adoption, and shows that the use of LOLBins will only grow as we continue through\r\n2019.\r\nThe affected customer was able to contain the attack before any damage was done. The ServHelper backdoor was\r\ncontrolled, msiexec.exe and rundll32.exe were terminated, and all the downloaded files were deleted.\r\nFurthermore, the connections to the malicious C2 domains were blocked and the attack was halted in its tracks.\r\nPart of the difficulty in identifying this attack is in how it evades detection. It is difficult to catch, even for security\r\nteams aware of the complications in ensuring a secure system, as with our customer. LOLBins are deceptive\r\nbecause their execution seems benign at first, or even sometimes safe. In addition, the use of a signed and verified\r\nfile with a certificate increases the likelihood that the malware will stay under the radar.\r\nAs the use of LOLBins becomes more commonplace, we suspect this complex method of attack will become more\r\nwidely used as well. The potential for damage will grow as attackers look to other, more destructive payloads.\r\n
Indicators of Compromise\r\nSHA1 hash 880b383532534e32f3fa49692d676d9488aabac1 (Work report 011042019.xls)\r\nSHA1 hash 63aeb16b5d001cbd94b636e9f557fe97b8467c8d (Alg)\r\nSHA1 hash ad35fa0b3799562931b4bfa3abd057214b8721ff (msie988.tmp)\r\nSHA1 hash 06f232210e507f09f01155e7d0cb5389b8a31042 (pegas.dll)\r\nIP 79.141.171[.]160 (First C2)\r\nDomain aasdkkkdsa3442[.]icu (Second C2)\r\nDomain joisff333[.]icu (Second C2)\r\nDomain zxskjkkjsk3232[.]pw (Second C2)\r\nSource: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware"
	],
	"report_names": [
		"threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "dcba8e2b-93e0-4d6e-a15f-5c44faebc3b1",
			"created_at": "2022-10-25T16:07:23.816991Z",
			"updated_at": "2026-04-10T02:00:04.758143Z",
			"deleted_at": null,
			"main_name": "Lurk",
			"aliases": [],
			"source_name": "ETDA:Lurk",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434250,
	"ts_updated_at": 1775826682,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/87ee12fbbec7246bbb8e3f493b77b3d69a79f147.pdf",
		"text": "https://archive.orkl.eu/87ee12fbbec7246bbb8e3f493b77b3d69a79f147.txt",
		"img": "https://archive.orkl.eu/87ee12fbbec7246bbb8e3f493b77b3d69a79f147.jpg"
	}
}