{
	"id": "473191dd-d5b7-4b0b-8470-a845b9248849",
	"created_at": "2026-04-06T00:20:01.544639Z",
	"updated_at": "2026-04-10T13:12:46.253001Z",
	"deleted_at": null,
	"sha1_hash": "8839303f0609ecf60a9935cc35267ef657cc4cd5",
	"title": "Amadey Bot: A Rising Threat to Internet Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1530288,
	"plain_text": "Amadey Bot: A Rising Threat to Internet Security\r\nBy cybleinc\r\nPublished: 2023-01-25 · Archived: 2026-04-05 21:51:33 UTC\r\nCyble Research \u0026 Intelligence Labs analyzes how the Amadey bot pushes a password-stealing module and a clipper module to infect users.\r\nBotnet with Clipper Capabilities being pushed via Phishing Sites\r\nThe Amadey bot is a Trojan that was first discovered in 2018 and is used to steal sensitive information from the infected device. Initially, it was found to be distributed through exploit kits, and Threat Actors (TAs) utilized it to deploy other malware, such as the GandCrab ransomware and the FlawedAmmyy Remote Access Trojan. In 2022, the Amadey bot was used by affiliates of LockBit to spread ransomware to victims.\r\nRecently, Cyble Research and Intelligence Labs (CRIL) has detected a significant increase in the number of Amadey bot samples, indicating that threat actors are actively utilizing this bot to infect victims’ systems with additional malware. The statistics below depict the frequency of Amadey bot samples observed over Q4-2022.\r\nFigure 1 – Amadey bot statistics\r\nInitial Infection:\r\nRecently, the Amadey bot has been observed spreading through phishing sites, in addition to its usual method of being downloaded by SmokeLoader through spam emails. 
The phishing site mimics a game cheat website and downloads a “Bossmenu Setup.rar” file from the URL “hxxps[:]//valorantcheatsboss[.]com/upload/boss/Bossmenu%20Setup[.]rar”.\r\nhttps://blog.cyble.com/2023/01/25/the-rise-of-amadey-bot-a-growing-concern-for-internet-security/\r\nPage 1 of 9\r\nThe figure below shows the phishing site used by the TAs to spread the Amadey bot; the download starts when users click the download button.\r\nFigure 2 – Phishing website downloading Amadey bot\r\nThe downloaded .rar file contains a file named “Seil.exe” (SHA256: 0f74d2fb5d1b603cdac4bf0179feba25ee0343f759b71404e5cd120e32a60517), which is responsible for downloading the Amadey bot from the remote server.\r\nThe “Seil.exe” file is a .NET compiled file that downloads encrypted content from hxxp[:]//valorantcheatsboss[.]com/upload/bass/808, decrypts it, and loads another DLL module as shown below.\r\nFigure 3 – Code snippet to download DLL Module\r\nThe DLL module is protected by multiple layers, which finally load the Amadey bot in the running process “Seil.exe”.\r\nAmadey Bot Technical Analysis\r\nWe have taken the below sample hash for analysis (SHA256): b00302c7a37d30e1d649945bce637c2be5ef5a1055e572df9866ef8281964b65, which is a 32-bit VC++ compiled executable file, as shown below.\r\nFigure 4 – Static details of loader\r\nThe Amadey bot malware creates a copy of itself in a random directory located in the %Temp% location and executes it using the ShellExecuteA() API.\r\nC:\\Users\\[user-name]\\AppData\\Local\\Temp\\4b9a106e76\\nbveek.exe\r\nAfter this, the Amadey bot creates a Mutex named “c1ec479e5342a25940592acf24703eb2” to ensure that only one instance of the malware is running at any given time on the infected system.\r\nPersistence\r\nThe malware establishes persistence by adding a “Startup” value in the below registry 
key.\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\r\nThe registry value “Startup” contains the path of the Amadey bot that was dropped in the %temp% location. Using this technique, the Amadey bot executes whenever a user logs in.\r\nFigure 5 – Registry entry for persistence\r\nThe Amadey bot also creates persistence by creating a Task Scheduler entry for the sample dropped in the %temp% location. The scheduled task configured by the malware is set to execute the malicious sample every minute, as shown below.\r\nFigure 6 – Task scheduler entry for persistence\r\nThe Amadey bot then gets the machine’s username and modifies the permissions of the file “nbveek.exe” and the folder “4b9a106e76”, granting the user read/write and execute access to them, using the following command.\r\n“/k echo Y|CACLS “nbveek.exe” /P “User Name:N”\u0026\u0026CACLS “nbveek.exe” /P “User Name:R” /E\u0026\u0026echo Y|CACLS “..\\4b9a106e76” /P “User Name:N”\u0026\u0026CACLS “..\\4b9a106e76” /P “User Name:R” /E\u0026\u0026Exit”\r\nAfter setting these permissions, the malware collects information from the victim’s machine and connects to its C\u0026C server using a POST request, as shown below.\r\nFigure 7 – C\u0026C communication\r\nThe POST request contains the following fields with the victim’s sensitive information, such as username, system name, etc.\r\nField Description\r\nid Victim’s ID\r\nvs Bot version number\r\nsd Bot ID\r\nos Operating system version\r\nbi System architecture\r\nar Admin privilege status\r\npc Victim’s PC name\r\nun Username\r\ndm Domain name\r\nav Anti-virus name\r\nlv Unknown\r\nog Unknown\r\nUpon connecting to a Command and Control (C\u0026C) server, the Amadey bot downloads two DLL files, “cred64.dll” and “clip64.dll,” to the %appdata% location and executes them using rundll32.exe. 
These files are a credential-stealing module and a clipper module, respectively.\r\nThe below figure shows the C\u0026C panel of the Amadey bot.\r\nFigure 8 – C\u0026C panel of Amadey Bot\r\nStealer Module\r\nThe file “Cred64.dll” (SHA256: 398235467c51419c4d2df6b9a0fad678730ae52b6db55d26e96f7ba70cae2dc3) is a 64-bit Microsoft Visual C/C++ DLL executable. The figure below shows the static details of the malicious binary file.\r\nFigure 9 – Static details of the stealer module\r\nThe “Cred64.dll” module is designed to collect sensitive information from browser files, such as the “Local State” and “Login Data” files.\r\nThe “Local State” file is a configuration file that holds various settings and information associated with the browser, including user preferences, the status of open tabs, and the location of the user’s profile folder, which contains information like browsing history, cache, bookmarks, and extensions.\r\nThe “Login Data” file contains the user’s saved login credentials, such as usernames and passwords of websites visited by the user. 
The following table illustrates the web browsers and files targeted to collect victims’ sensitive information.\r\nBrowser Local State file Login Data file\r\nChrome \\Google\\Chrome\\User Data\\Local State \\Google\\Chrome\\User Data\\Default\\Login Data\r\nOrbitum \\Orbitum\\User Data\\Local State \\Orbitum\\User Data\\Default\\Login Data\r\nComodo Dragon \\Comodo\\Dragon\\User Data\\Local State \\Comodo\\Dragon\\User Data\\Default\\Login Data\r\nChedot \\Chedot\\User Data\\Local State \\Chedot\\User Data\\Default\\Login Data\r\nCentBrowser \\CentBrowser\\User Data\\Local State \\CentBrowser\\User Data\\Default\\Login Data\r\nOpera Software \\Opera Software\\Opera Stable\\Local State \\Opera Software\\Opera Stable\\Login Data\r\nMicrosoft Edge \\Microsoft\\Edge\\User Data\\Local State \\Microsoft\\Edge\\User Data\\Default\\Login Data\r\nSputnikLab \\SputnikLab\\Sputnik\\User Data\\Local State \\SputnikLab\\Sputnik\\User Data\\Default\\Login Data\r\nChromium \\Chromium\\User Data\\Local State \\Chromium\\User Data\\Default\\Login Data\r\nVivaldi \\Vivaldi\\User Data\\Local State \\Vivaldi\\User Data\\Default\\Login Data\r\nCocCoc \\CocCoc\\Browser\\User Data\\Local State \\CocCoc\\Browser\\User Data\\Default\\Login Data\r\nThe below image shows the assembly code used by the Stealer to collect information from one of the targeted web browsers, “Orbitum”.\r\nFigure 10 – Assembly Code used to collect data from browsers\r\nThen, the DLL module extracts information related to crypto wallets by querying and reading files from specific directories. The stealer targets the following crypto wallets:\r\n%appdata%\\Armory\\\r\n%appdata%\\Dogecoin\\\r\n%appdata%\\Exodus\\exodus.wallet\\\r\n%appdata%\\Electrum\\wallets\r\n%appdata%\\Litecoin\\wallets\r\n%appdata%\\DashCore\\wallets\\\r\n%appdata%\\Monero\\wallets\\\r\nLet’s assume the malware cannot access files 
containing sensitive wallet information. In that event, it uses the Taskkill command to forcibly terminate the crypto wallet client process, if it is currently running on the victim’s device, using the commands below.\r\nTaskkill /IM litecoin-qt.exe /F\r\nTaskkill /IM dash-qt.exe /F\r\nTaskkill /IM ArmoryQt.exe /F\r\nThe below image shows the assembly code used by the malware to collect information from one of the targeted crypto wallets, “Litecoin”.\r\nFigure 11 – Assembly Code used to collect data from crypto wallet\r\nThe malicious DLL file continues to gather information by searching for specific applications such as FTP client software (WinSCP, FileZilla), Telegram, and the Pidgin instant messenger on the victim’s device. It then steals important information from their configuration and session data files.\r\nFinally, the Stealer module communicates with the below C\u0026C server URL and sends the stolen information to the Threat Actor(s).\r\nhxxp[:]//62[.]204[.]41[.]242/9vZbns/index[.]php\r\nClipper Module:\r\nThe Clip64.dll (SHA256: 45f90d58562a9ee67bd129e4bbd538969aabd476e558aa0ff0a9cbdfb7d43a2e) is a 32-bit VC++ compiled DLL file which has three export functions named:\r\n??4CClipperDLL@@QAEAAV0@$$QAV0@@Z\r\n??4CClipperDLL@@QAEAAV0@ABV0@@Z\r\nMain\r\nThe “Clip64.dll” is a Clipper module that intercepts cryptocurrency transactions by replacing a victim’s intended recipient with the attacker’s wallet address. It does this by monitoring the clipboard of the victim’s computer and swapping any copied cryptocurrency wallet addresses with the TA’s address. 
This results in the victim unknowingly sending their funds to the attacker instead of the intended recipient.\r\nWhen the Clipper module runs, it retrieves the value stored in the victim’s clipboard using the GetClipboardData() API function, as shown below.\r\nFigure 12 – GetClipboardData() function\r\nThen, the malware checks the data in the clipboard to see if it contains a cryptocurrency wallet address by evaluating it against certain conditions, such as the length and starting character of the string. If a wallet address is detected, the malware uses the OpenClipboard(), EmptyClipboard(), and SetClipboardData() functions to replace the legitimate wallet address with the attacker’s address, as shown below.\r\nFigure 13 – Replacing Clipboard value with TA’s wallet address.\r\nCryptocurrency TA’s Wallet Address\r\nBitcoin (BTC) bc1qslzv7hczpsatc8lq285gy38r4af0c3alsc4m77\r\nEthereum (ETH) 0x89E34Ee2016a5E5a97b5E9598C251D2a2746Ba0D\r\nDogecoin (DOGE) DBjzffi3umhLQbUGLRoNQwZ4pjoKyNFahf\r\nLitecoin (LTC) LdYspWr6nkQ3ZNNTsmba77u4frHDhji1Nv\r\nMonero (XMR) 42zbZM5ozb4iDSN7hxNnQ1DSAvEmGY3z2KvAYmMxSJkUCc5bJyJ5hdkUu4324VJx8ACcDJJXg2NbRdWVcD\r\nCRIL also identified that the Amadey Bot is responsible for downloading various malware families, such as RedLine, Manuscript, browser hijackers, etc., onto the victim’s machine.\r\nConclusion\r\nIn recent years, the design and capabilities of bots have advanced significantly. A bot like Amadey is fully equipped with features such as system reconnaissance, information stealing, downloading \u0026 executing other malware, data exfiltration, and even clipper functionality in its latest version. This allows Threat Actors to steal personal, financial, and login information stored in web browsers, which can then be used for various fraudulent activities.\r\nThis type of 
malware’s wide range of capabilities makes it a significant threat to a broad range of potential victims.\r\nCyble Research and Intelligence Labs will continue monitoring the latest phishing or malware strains in the wild and update blogs with actionable intelligence to protect users from such notorious attacks.\r\nOur Recommendations\r\nThe initial infection may happen via phishing websites, so enterprises should use security products to detect phishing websites.\r\nAvoid downloading pirated software from Warez/Torrent websites. The “Hack Tools” present on sites such as YouTube, Torrent sites, etc., contain such malware.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices.\r\nUse a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.\r\nRefrain from opening untrusted links and email attachments without first verifying their authenticity.\r\nEducate employees on protecting themselves from threats like phishing/untrusted URLs.\r\nBlock URLs that could be used to spread the malware, e.g., Torrent/Warez.
\r\nMonitor beacons at the network level to block data exfiltration by malware or TAs.\r\nUsers should also carefully check their wallet addresses before making any cryptocurrency transaction to ensure there is no change when copying and pasting the actual wallet addresses.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic Technique ID Technique Name\r\nExecution T1204 User Execution\r\nExecution T1059 Command and Scripting Interpreter\r\nExecution T1218 Rundll32\r\nExecution T1047 Windows Management Instrumentation\r\nExecution T1106 Native API\r\nPersistence T1547 Registry Run Keys / Startup Folder\r\nPersistence T1053 Scheduled Task/Job\r\nDefense Evasion T1027 Obfuscated Files or Information\r\nDefense Evasion T1497 Virtualization/Sandbox Evasion\r\nCredential Access T1003 OS Credential Dumping\r\nCredential Access T1552 Credentials in Registry\r\nCredential Access T1552 Credentials In Files\r\nCredential Access T1056 Input Capture\r\nDiscovery T1082 System Information Discovery\r\nDiscovery T1518 Security Software Discovery\r\nDiscovery T1083 File and Directory Discovery\r\nDiscovery T1087 Account Discovery\r\nCollection T1005 Data from Local System\r\nCollection T1213 Data from Information Repositories\r\nCommand and Control T1071 Application Layer Protocol\r\nCommand and Control T1095 Non-Application Layer Protocol\r\nIndicators of Compromise (IOCs)\r\nIndicators Indicator Type Description\r\n0f74d2fb5d1b603cdac4bf0179feba25ee0343f759b71404e5cd120e32a60517 Sha256 Seil.exe\r\nb00302c7a37d30e1d649945bce637c2be5ef5a1055e572df9866ef8281964b65 Sha256 Amadey Bot\r\n398235467c51419c4d2df6b9a0fad678730ae52b6db55d26e96f7ba70cae2dc3 Sha256 Cred64.dll\r\n45f90d58562a9ee67bd129e4bbd538969aabd476e558aa0ff0a9cbdfb7d43a2e Sha256 Clip64.dll\r\nhxxps[:]//valorantcheatsboss[.]com/upload/boss/Bossmenu%20Setup[.]rar URL Download URL\r\nhxxp[:]//valorantcheatsboss[.]com/upload/bass/808 
URL Download URL\r\nhxxp[:]//62[.]204[.]41[.]242/9vZbns/index[.]php URL C\u0026C\r\nSource: https://blog.cyble.com/2023/01/25/the-rise-of-amadey-bot-a-growing-concern-for-internet-security/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.cyble.com/2023/01/25/the-rise-of-amadey-bot-a-growing-concern-for-internet-security/"
	],
	"report_names": [
		"the-rise-of-amadey-bot-a-growing-concern-for-internet-security"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434801,
	"ts_updated_at": 1775826766,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8839303f0609ecf60a9935cc35267ef657cc4cd5.pdf",
		"text": "https://archive.orkl.eu/8839303f0609ecf60a9935cc35267ef657cc4cd5.txt",
		"img": "https://archive.orkl.eu/8839303f0609ecf60a9935cc35267ef657cc4cd5.jpg"
	}
}