{
	"id": "3087538b-02d8-40de-9600-fbce4f60db4b",
	"created_at": "2026-04-06T00:10:41.493124Z",
	"updated_at": "2026-04-10T13:11:49.737743Z",
	"deleted_at": null,
	"sha1_hash": "8944a7406390652b91f4874b1b6a4182713fb7b2",
	"title": "How Emotet is changing tactics in response to Microsoft’s tightening of Office macro security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1023011,
	"plain_text": "How Emotet is changing tactics in response to Microsoft’s\r\ntightening of Office macro security\r\nBy Rene Holt\r\nArchived: 2026-04-05 14:58:40 UTC\r\nOne of the key findings from the ESET Threat Report T1 2022 is that the Emotet botnet has risen, Phoenix-like,\r\nfrom the ashes, pumping out vast amounts of spam in March and April 2022, to the point that its detections grew\r\nmore than a hundredfold in the first four months of 2022 compared to the last four months of 2021. Much of this\r\nactivity involved Word documents tainted with malicious macros.\r\nFigure 1. Emotet detections in ESET telemetry\r\nBecause Microsoft is tightening up the default handling of macro-enabled files, finagling recipients into clicking\r\n“Enable Content” will not remain a viable tactic for long. What does this mean for Emotet? Could this extremely\r\npervasive threat even sink into oblivion barely a few months after it shook off the effects of the law enforcement\r\noperation hailed as one of the largest of its kind ever?\r\nNot so fast – Emotet’s operators aren’t known for resting on their laurels.\r\nEmotet – a macro view\r\nhttps://www.welivesecurity.com/2022/06/16/how-emotet-is-changing-tactics-microsoft-tightening-office-macro-security/\r\nPage 1 of 10\n\nFirst sighted as a banking trojan in June 2014, Emotet has since changed drastically into a crime-as-a-service\r\nplatform, selling access to compromised systems to other criminal groups. Thus, once Emotet is running on a\r\ncomputer, it typically downloads and executes other strains of malware, such as Dridex, Gootkit, IcedId, Nymaim,\r\nQbot, TrickBot, Ursnif, and Zbot.\r\nEmotet has a modular program design, with a main module that is disseminated through vast spam campaigns that\r\ndistribute emails containing malicious Microsoft Word documents. 
Emotet then uses additional modules to:\r\nspread further by assembling and delivering spam emails\r\nspread to nearby, insecure Wi-Fi networks by compromising connected users\r\nbrute-force network share usernames and passwords\r\nturn compromised systems into proxies within its command-and-control infrastructure\r\nabuse legitimate Nirsoft applications, such as MailPassView and WebBrowserView, that can recover\r\npasswords from popular email clients and web browsers, respectively.\r\nsteal email addresses and names from the compromised system’s Microsoft Outlook instance\r\nsteal all email messages and attachments from compromised systems\r\nIn 2018, Emotet resuscitated an effective technique – email thread hijacking – to increase the likelihood of a\r\npotential victim opening the email attachments. It started stealing email conversations found in compromised\r\nsystems’ inboxes and reusing them in its spam campaigns. This is, of course, a very effective way of adding\r\nlegitimacy to a malicious email:\r\nFigure 2. Emotet’s operators use macro-enabled Word documents to deliver malware\r\nShould the victim extract the macro-laden Word document from the ZIP archive, open it, and then click “Enable\r\nContent”, the malicious macros can run, ultimately downloading Emotet.\r\nMicrosoft’s move (on February 30th 2022, so to speak) to throw out the “Enable Content” button came at a time\r\nfor Emotet when, after recovering from last year’s takedown efforts, it had been churning out spam campaigns en\r\nmasse in March and April 2022. 
Taking note of the change, Emotet’s developers have shifted to experimenting\r\nwith different techniques to replace their dependence on macros as the initial code stage of their malware delivery\r\nplatform.\r\nEmotet shifting techniques\r\nBetween April 26th and May 2nd, 2022, ESET researchers picked up a test campaign run by Emotet operators\r\nwhere they replaced the typical Microsoft Word document with a shortcut (LNK) file as the malicious attachment.\r\nFigure 3. A malicious email sent by Emotet's operators\r\nFigure 4. Another malicious email sent by Emotet's operators\r\nFigure 5. Yet another malicious email sent by Emotet's operators\r\nFigure 6. And another malicious email sent by Emotet's operators\r\nWhen double-clicked, a shortcut file can launch a target resource, in this case, a PowerShell script that\r\ndownloaded and executed Emotet:\r\nFigure 7. Emotet’s operators use shortcut (LNK) files to deliver malware\r\nMost detections were in Japan (28%), Italy (16%), and Mexico (11%).\r\nIn an earlier test campaign between April 4th and April 19th, the Emotet operators attracted victims to a ZIP\r\narchive, stored on OneDrive, containing Microsoft Excel Add-in (XLL) files, which are used to add custom\r\nfunctions to Excel. If extracted and executed, these files dropped and ran Emotet.\r\nWhen Emotet’s operators first resurrected their botnet from the takedown efforts in late 2021, another campaign\r\nwas discovered that uses Cobalt Strike Beacon, a popular pentesting tool. 
By using a Beacon, the Emotet\r\noperators can decrease the time to deploy their final payload – often ransomware.\r\nMitigating macro malware\r\nEmailing documents that contain macros is a common occurrence in corporate environments, and it can also serve as\r\na technique to deliver malware when those macros are malicious. Recognizing this potential abuse of macros,\r\nduring the heyday of Word 97 Microsoft introduced the first built-in security feature in Word that blocked Visual\r\nBasic for Applications (VBA) macros from running:\r\nFigure 8. The default behavior of Word 97 when opening a document containing a VBA macro\r\nThis feature continued to be developed in later versions of Office, now probably most familiar via the yellow\r\nMessage Bar with the “Enable Content” button introduced in Office 2010:\r\nFigure 9. The Enable Content button in Excel 2010\r\nSince then, two clicks have been typically required to enable macros: first, clicking on “Enable Editing”, which\r\nremoves the document from Protected View, a security feature in place since Office 2010 that provides a read-only, sandboxed environment; second, clicking on “Enable Content”, which allows the macros to run. So long as\r\nan admin policy is not in place to prevent recipients from clicking through, the macros successfully load and run.\r\nAlthough the blocking of macros helped limit the delivery of malware, malicious actors, such as the Emotet\r\noperators, adapted their efforts by focusing on duping victims into clicking through to enable macros.\r\nWith a phased rollout starting in April 2022, Microsoft has been tightening up the default handling of macro-enabled files downloaded from the internet by entirely removing the option to click “Enable Content”. After this\r\nchange is deployed, macros are still blocked from running as before. 
So in order to run them, either the data about\r\nthe file’s zone – sometimes called the Mark of the Web – needs to be removed, or the file has to come from a zone\r\nwith a higher level of trust than that of the internet. These are much more complex actions to socially engineer\r\nrecipients into and should thus help stymie future spam campaigns.\r\n(UPDATE: On July 7th, 2022, Microsoft announced it is “rolling back this change from Current Channel” with a\r\nvague promise of bringing it back again later. This is not the first time that Microsoft has made a similar\r\nregressive step for security, as also attested by the complaints of IT admins who cannot figure out how to set up a\r\nsigning infrastructure for macros. Word 2000 offered a security setting (Figure 10) that only allowed macros\r\nsigned by trusted certificates to run. However, due to complaints, Microsoft introduced the “Enable Content”\r\nbutton in Word 2010, which effectively said, “We will block macros, but here’s an easy way to shoot yourself in the\r\nfoot”.)\r\nFigure 10. Macro security dialog box in Word 2000\r\nSince the increased security benefit offered by this (now rolled-back) change is only as strong as the Mark of the\r\nWeb, let’s dive deeper into what it is, how it is used to determine when to block macros from running, and how\r\nspammers attempt to bypass it.\r\nDeterring malware with the Mark of the Web\r\nThe Mark of the Web refers to the comment added to HTML files (as well as to MHT and XML files) indicating\r\ntheir host URL:\r\nFigure 11. 
Browsers add the Mark of the Web to HTML files downloaded from the internet\r\nThis comment is automatically added by the Internet Explorer browser when the HTML file is being saved, or can\r\nbe added manually by web site developers for testing or by other browsers and applications. The URL is then used\r\nto determine the level of trust assigned to the HTML file and any scripts or active content on which the URL\r\nmight depend.\r\nBy default, every URL is treated as coming from the Internet zone: that is, as neither trusted nor untrusted.\r\nAlthough scripts and other active content embedded in the file can automatically run, they cannot access the local\r\nfile system.\r\nA URL could be added to different zones: the Restricted Sites zone for potentially unsafe content, or the Local\r\nIntranet and Trusted Sites zones for trusted content; there is also a Local Machine zone that, although it originally\r\nallowed scripts and ActiveX content to run automatically as trusted, was eventually equipped with a lockdown\r\nfeature that prohibited such automatic execution.\r\nEven before the demise of Internet Explorer, the Mark of the Web was also an informal name for the information\r\nabout a file’s zone that the New Technology File System (NTFS), the default file system of Windows NT-based\r\noperating systems, provides in an Alternate Data Stream (ADS). In NTFS, every file has an unnamed stream with\r\na stream type of $DATA that contains the expected content of the file when it is opened by a program that can\r\nhandle its file type:\r\nFigure 12. Opening an NTFS file normally\r\nFigure 13. The unnamed (default) stream of an NTFS file contains the same data as when the file is opened\r\nnormally\r\nThe filename, the stream name, and the stream type are joined and delimited by colons. 
Thus, in the eyes of\r\nNTFS, filename.txt is equivalent to filename.txt::$DATA. Notice how there is no stream name, only a file name\r\nand a stream type.\r\nOn the other hand, the file’s zone is contained in a stream that looks like this: filename.txt:Zone.Identifier:$DATA.\r\nThe Zone.Identifier is a well-known stream name that modern browsers and some other applications automatically\r\nadd or propagate to files to indicate their zone: the internet, the intranet, the trusted zone, the restricted zone, or the\r\nlocal machine. Some applications, such as the Chrome browser, add the host URL and the referrer URL to the\r\nZone.Identifier as well:\r\nFigure 14. Browsers can add the Zone.Identifier stream to files downloaded from the internet (ZoneId=3)\r\nThere are other known techniques to get around the Mark of the Web that the Emotet gang could try as well. It is\r\npossible to use container files, such as ISO disk images and VHDX files, or compressed/archive files, such as .arj\r\nand .gzip files, that do not propagate the Mark of the Web to files extracted from them. Ultimately, should one of\r\nthese techniques yield a satisfactory return on investment, we can expect Emotet to return with force.\r\nAbusing Alternate Data Streams\r\nAn NTFS file can contain an arbitrary number of streams, meaning these can and have been put to malicious use.\r\nFor example, the Winnti Group operators stored a malicious, encrypted payload in a stream they named\r\nNULL.DAT. 
After decryption, the payload was either the PortReuse backdoor or the ShadowPad malware.\r\nWhen the Turla operators deployed the Gazer backdoor against embassies and consulates around the world in\r\n2016, the backdoor would hide its files in streams using GUIDs as stream names when it couldn’t store them in\r\nthe Windows registry.\r\nGuildma also used streams as one method of hiding its binary modules, storing multiple files in the streams of a\r\nsingle file. Specifically, Guildma stored all of its malicious modules, including a couple of tools from Nirsoft for\r\nextracting saved credentials from popular email clients and web browsers, as the streams of the single desktop.ini\r\nfile:\r\ndesktop.ini:nauwuygiaa.jpg (MailPassView)\r\ndesktop.ini:nauwuygiab.jpg (BrowserPassView)…\r\nFor targeting air-gapped networks, malicious actors have used streams to hide malicious components within\r\notherwise innocuous-looking files on USB drives. The streams could contain data being stolen and command-and-control instructions from the malicious operators. Considering that air-gapped networks lack an internet\r\nconnection, clamping down on the use of USB devices and other portable storage devices travelling in and out of\r\nair-gapped networks is crucial for their continued security.\r\nSome malware, like GoBotKR, can remove the Zone.Identifier stream from files to conceal the fact that they were\r\ndownloaded from the internet zone. 
This entirely bypasses any protection that relies solely on the Mark of the Web\r\nto determine when to block macros from running.\r\nFinally, spammers like the Emotet developers have taken a social engineering approach, attempting to trick\r\nrecipients into enabling macros instead of removing the Zone.Identifier stream or using streams to hide payloads –\r\nuntil now.\r\nSecurity tips\r\nBe aware that some software does not add or propagate the Zone.Identifier stream, at least not consistently. For\r\nexample, using 7-Zip to extract a .exe file from an archive downloaded from the internet does not propagate the\r\narchive’s Zone.Identifier to its contents, meaning that there is no Mark of the Web to trigger any security blocks or\r\nwarnings if any of the extracted files are run. The Zone.Identifier is propagated, however, by double-clicking on\r\nthe .exe from within the archive. (UPDATE: Version 22.00 of 7-Zip offers a new menu option and a new command\r\nline switch to enable propagation of the Zone.Identifier.)\r\nIn light of the removal of the “Enable Content” button, a handy list that tracks whether file archivers support the\r\nMark of the Web has been compiled in GitHub here.\r\nFor organizations that rely on macros as part of employees’ workflows, IT admins may need to adjust the policies\r\nfor how Office handles macros. 
Furthermore, organizations should take advantage of this opportunity to review\r\ntheir security stance against threats delivered via email with the following:\r\nUse an email security solution that can block phishing, spam, and other malicious emails from reaching\r\ninboxes.\r\nRun phishing simulation exercises to test and renew employees’ security awareness.\r\nConsider deploying a detection and response solution that can help track down whether the root cause of a\r\ncyberattack on your network was a malicious email or a different vector.\r\nThe impending close of the era of the “Enable Content” button has two consequences. First, that users can expect\r\nbetter protection against malicious macros delivered via email. Second, that spammers like Emotet are adapting\r\ntheir favorite tactics to dupe their future victims. Should any of these experiments prove successful, we can expect\r\nnew malicious campaigns to hit inboxes, meaning that continued vigilance for email-based threats should remain\r\ntop of mind.\r\nUPDATE (June 27th, 2022): This article was updated to add information about new features in 7-Zip.\r\nUPDATE (July 8th, 2022): This article was updated to add information about Microsoft’s decision to delay the\r\nremoval of the “Enable Content” button.\r\nFurther reading:\r\nESET Threat Report T1 2022\r\nEmotet botnet disrupted in global operation\r\nEmotet botnet hits quiet patch before Black Friday – the calm before the storm?\r\nEmotet strikes Quebec’s Department of Justice: An ESET Analysis\r\nAnalysis of the latest Emotet propagation campaign\r\nBlack Friday and Cyber Monday by Emotet: Filling inboxes with infected XML macros\r\nEmotet trojan frustrated by ESET protection\r\nSource: https://www.welivesecurity.com/2022/06/16/how-emotet-is-changing-tactics-microsoft-tightening-office-macro-security/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2022/06/16/how-emotet-is-changing-tactics-microsoft-tightening-office-macro-security/"
	],
	"report_names": [
		"how-emotet-is-changing-tactics-microsoft-tightening-office-macro-security"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434241,
	"ts_updated_at": 1775826709,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8944a7406390652b91f4874b1b6a4182713fb7b2.pdf",
		"text": "https://archive.orkl.eu/8944a7406390652b91f4874b1b6a4182713fb7b2.txt",
		"img": "https://archive.orkl.eu/8944a7406390652b91f4874b1b6a4182713fb7b2.jpg"
	}
}