{
	"id": "f8f05e65-fb08-4dc9-9367-b9abc222554e",
	"created_at": "2026-04-06T00:15:44.560754Z",
	"updated_at": "2026-04-10T13:13:09.259194Z",
	"deleted_at": null,
	"sha1_hash": "89fc1ae78641c0c987f13ca2038eaf0f95d0d8dd",
	"title": "APT and financial attacks on industrial organizations in H2 2023 | Kaspersky ICS CERT EN",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 175644,
	"plain_text": "APT and financial attacks on industrial organizations in H2 2023 |\r\nKaspersky ICS CERT EN\r\nBy Kaspersky ICS CERT Team\r\nPublished: 2024-04-02 · Archived: 2026-04-05 13:54:23 UTC\r\nKorean-speaking activity\r\nLazarus attacks\r\nСampaign targeted the defense industry and nuclear engineers\r\nAttacks with LightlessCan backdoor\r\nOperation Blacksmith\r\nAttack on a Russian missile engineering company\r\nAndariel attacks\r\nAttacks on defense contractors with the use of updated MATA framework\r\nMiddle East-related activity\r\nDark Caracal attacks\r\nBallistic Bobcat/Charming Kitten attacks\r\nImperial Kitten/Yellow Liderc/Tortoiseshell attacks\r\nOilRig attacks\r\nPeach Sandstorm/APT33 attacks\r\nChinese-speaking activity\r\nTEMP.Hex and UNC4698 USB attacks\r\nSpace Pirates attacks\r\nAPT31 attacks\r\nUNC4841 attacks\r\nFlax Typhoon attacks\r\nVolt Typhoon attacks\r\nRedfly attacks\r\nAttacks on semiconductor companies in East Asia\r\nRussian-speaking activity\r\nAttacks with DroxiDat/SystemBC\r\nAPT29/Midnight Blizzard/Nobelium attacks\r\nAttacks exploiting WinRAR vulnerability\r\nSandworm attacks\r\nAPT28 attacks\r\nMysterious Werewolf\r\nOther APT28/Fancy Bear attacks\r\nOther Sandworm/Hades attacks\r\nOther\r\nRedEnergy attacks\r\nhttps://ics-cert.kaspersky.com/publications/reports/2024/04/02/apt-and-financial-attacks-on-industrial-organizations-in-h2-2023/\r\nPage 1 of 21\n\nQR code phishing campaign\r\nMysterious Team Bangladesh attacks\r\nCuba ransomware attacks\r\nCore Werewolf attacks\r\nAttacks on Russian industrial organizations\r\nXDSpy attacks\r\nDarkWatchman RAT attacks\r\nHellhounds attacks\r\nCloud Atlas attacks\r\nGrayling attacks\r\nAttack against Danish critical infrastructure\r\nAeroBlade attacks\r\nUSB attacks with Vetta Loader\r\nCISA alerts\r\nCISA advisory on CVE-2022-47966 and CVE-2022-42475\r\nCISA advisory on Snatch Ransomware\r\nCISA alert on BlackTech attacks\r\nCISA alert on Rhysida ransomware\r\nCISA alert on 
LockBit 3.0 ransomware\r\nCISA alert on CyberAv3ngers attacks\r\nCISA alert on Star Blizzard\r\nThis summary provides an overview of reports on APT and financial attacks on industrial enterprises that were\r\ndisclosed in H2 2023, as well as the related activities of groups that have been observed attacking industrial\r\norganizations and critical infrastructure facilities. For each topic, we have sought to summarize the key facts,\r\nfindings, and conclusions of researchers that we believe may be of use to professionals addressing the practical\r\nissues of cybersecurity for industrial enterprises.\r\nAmong many APT-related stories, three stand out. Two of them involve attack vectors that resulted in gaining\r\naccess to the automated control system, and these attacks led to a physical effect – an attack on a Ukrainian energy\r\ncompany and attacks on an Israeli-made Unitronics PLC.\r\nThe third story – an attack on industrial companies using MATA tools – is interesting due to the high complexity\r\nof the tools used by the attackers, a fascinating story about the lateral movement of attackers within the network of\r\na compromised organization, and the intrigue that arose when attributing the tools to the known APT groups.\r\nKorean-speaking activity\r\nLazarus attacks\r\nCampaign targeted the defense industry and nuclear engineers\r\nKaspersky researchers discovered a Lazarus campaign beginning in 2023 that targeted the defense industry and\r\nnuclear engineers.\r\nThey use Trojanized apps, especially backdoored VNC apps, to access enterprise systems. In this campaign,\r\nLazarus tricks job seekers on social media into opening malicious apps for fake job interviews. 
To avoid detection\r\nby behavior-based security solutions, this backdoored application operates discreetly, activating only when the\r\nuser selects a server from the Trojanized VNC client’s drop-down menu. Upon opening this initial infection\r\nvector, the application proceeds to launch additional payloads into memory and retrieve further malicious code.\r\nKaspersky researchers observed an additional payload known as LPEClient, which has been previously employed\r\nmultiple times by the Lazarus group. Furthermore, it employs sophisticated C2 communication methods and\r\ndisables application behavior monitoring of security solutions by unhooking user-mode syscalls. The use\r\nof an updated version of COPPERHEDGE as an additional backdoor was identified, exhibiting a complex\r\ninfection chain. In addition, the presence of a malware variant specifically designed to transfer targeted files to a\r\nremote server was observed. This particular malware serves the purpose of exfiltrating specific files chosen by the\r\nLazarus group and sending them to their designated remote server.\r\nOur telemetry confirms numerous instances of compromised companies. The majority of affected entities are\r\ndirectly involved in defense manufacturing, encompassing radar systems, unmanned aerial vehicles (UAVs),\r\nmilitary vehicles, vessels, weaponry, and companies related to the navy. Furthermore, in one of the cases,\r\nthe username associated with the initial infection vector was identified. Through conversations with the victim,\r\nKaspersky researchers found out that this individual was a nuclear engineer based in Hungary who received\r\nthe malicious file after getting into contact with a suspicious account via Telegram and WhatsApp.\r\nAttacks with LightlessCan backdoor\r\nResearchers at ESET detected a malware campaign involving a previously unknown backdoor named\r\nLightlessCan. The Lazarus Group managed to compromise an aerospace company in Spain. 
The initial vector of\r\nattack was a spear phishing email in which the hackers pretended to be recruiters from Meta and sent messages to\r\ndevelopers via LinkedIn Messaging.\r\nThe LightlessCan backdoor’s functions include the ability to mimic the functionality of many native Windows\r\ncommands like ping, ipconfig, systeminfo, sc, net, and more. ESET speculated that in developing LightlessCan,\r\nLazarus may have reverse-engineered closed-source system binaries to add additional functionality to the RAT.\r\nThe threat actor also rigged LightlessCan in such a manner that its encrypted payload can only be decrypted using\r\na decryption key specific to the compromised machine. The goal is to ensure that the payload decryption is only\r\npossible on target systems and not in any other environment, Kálnai noted, such as a system belonging to a\r\nsecurity researcher.\r\nOperation Blacksmith\r\nA new Lazarus group campaign dubbed “Operation Blacksmith” by Cisco Talos researchers has been using at\r\nleast three new DLang-based malware strains in attacks on organizations worldwide from the manufacturing,\r\nagriculture, and physical security sectors since as early as March 2023. This campaign consists of continued\r\nopportunistic targeting of enterprises globally that publicly host and expose their vulnerable infrastructure to n-day\r\nvulnerability exploitation, such as CVE-2021-44228 (Log4j). Two of the malware variants are RATs, one of\r\nwhich, “NineRAT”, uses Telegram bots and channels for C2 communications. The non-Telegram-based RAT\r\nis tracked by researchers as DLRAT, and the DLang-based downloader is tracked as BottomLoader. 
Researchers\r\nobserved an overlap between the TTPs used in this campaign and those of Onyx Sleet (aka PLUTONIUM and\r\nAndariel).\r\nAttack on a Russian missile engineering company\r\nSentinelLabs researchers reported that two APT threat actors gained persistent access to the internal systems of a\r\nRussian missile and satellite developer. ScarCruft was responsible for the compromise of the company’s email\r\nsystems, while Lazarus compromised the network using a Windows backdoor called OpenCarrot. The analyzed\r\nOpenCarrot variant implements over 25 backdoor commands with a wide range of functionality representative\r\nof Lazarus group backdoors. According to research, these findings establish connections between two distinct\r\nDPRK-affiliated threat actors, suggesting the potential for shared resources, infrastructure, implants, or access\r\nto victim networks.\r\nAndariel attacks\r\nAhnLab Security Emergency Response Center (ASEC) researchers analyzed recent attacks carried out by Andariel\r\nagainst universities, ICT, electronic equipment, shipbuilding, and manufacturing companies in South Korea.\r\nA characteristic of the attacks is the use of new malware developed in the Go language, including Goat RAT and\r\nDurianBeacon. The latter also features a version developed in the Rust language. One of the attacks detected by\r\nASEC in February 2023 is said to have involved the exploitation of security flaws in an enterprise file transfer\r\nsolution called Innorix Agent to distribute backdoors such as Volgmer and Andardoor, as well as a Golang‑based\r\nreverse shell known as 1th Troy.\r\nA major cyber espionage campaign in which Andariel APT group hacked a wide range of companies and stole\r\nsensitive defense information in South Korea was reported. The investigation is being led by the Seoul Police\r\nDepartment with the involvement of the U.S. FBI. 
Officials believe that the hackers managed to steal information\r\nabout laser weapons used to support the operation of the national air defense system. The agencies believe the\r\nintrusions were part of a larger cyber campaign that resulted in a total data breach of more than 1.2 TB, including\r\ncorporate, government and personal data.\r\nAndariel was able to successfully hack 14 organizations, also participating in attacks using ransomware,\r\nwhich were carried out from a loosely monitored South Korean proxy server used by hackers 83 times from\r\nDecember 2022 to March 2023 from Pyongyang’s Ryugyong-dong district. The server was used to access the\r\nwebsites of firms and institutions, with the group taking advantage of a South Korean hosting service that rents\r\nservers to unidentified clients. Among those compromised were large companies in the field of communications,\r\ninformation security and IT, technology centers, universities and research institutes engaged in advanced\r\ndevelopments and technologies, pharmaceutical companies, defense enterprises, and financial organizations.\r\nAttacks on defense contractors with the use of updated MATA framework\r\nKaspersky experts discovered a new, active campaign of the MATA cluster malware compromising defense\r\ncontractors in Eastern Europe. The campaign spanned over six months, remained active until May 2023, and\r\nfeatured three new generations of MATA.\r\nOne of them is an evolution of the previous MATA generation 2. The second, which we dubbed “MataDoor”, has\r\nbeen rewritten from scratch and may be considered generation 4; generation 5 has been rewritten from\r\nscratch as well. 
All of them introduce several modifications to the encryption, configuration, and communication\r\nprotocols.\r\nThe actor demonstrated a high capability for navigating through and leveraging security solutions deployed in the\r\nvictim’s environment. In situations where no communication line to a desired target host was possible, the actor\r\nused a USB propagation module capable of bridging air-gapped networks. Attackers used many techniques to\r\nhide their activity: rootkits and vulnerable drivers, disguising files as legitimate applications, using ports open\r\nfor communication between applications, multi-level encryption of files and network activity of malware, setting\r\nlong wait times between connections to control servers – this and much more shows how sophisticated modern\r\ntargeted attacks can be.\r\nFrom the very first versions of MATA, the experts have had some doubt as to which APT it belongs to. This doubt\r\ngrew with the latest MATA generations. On one side, there are obvious arguments that tie the MATA family to the\r\nLazarus group. At the same time, the latest MATA generations have more techniques similar to ones used by Five\r\nEyes APT groups.\r\nMiddle East-related activity\r\nDark Caracal attacks\r\nWhile tracking Dark Caracal’s activity, Kaspersky researchers discovered an ongoing campaign targeting public\r\nand private sector entities in multiple Spanish-speaking countries. Dark Caracal is known to have been conducting\r\ncyber-espionage campaigns since at least 2012. The group’s campaigns target governments, military entities,\r\nutilities, financial institutions, manufacturing companies, and defense contractors worldwide. Thousands of\r\nvictims suffered from Dark Caracal – valuable data is found to have been stolen, including intellectual property\r\nand personally identifiable information. This group has been referenced as a “cyber mercenary threat group” due\r\nto the variety of targets and apparent targeting of multiple governments throughout its campaigns. 
Since 2021, the\r\ngroup’s reported activity has focused on Spanish-speaking countries.\r\nBallistic Bobcat/Charming Kitten attacks\r\nESET researchers uncovered a sophisticated cyber-espionage campaign carried out by suspected Iranian-aligned\r\nthreat actor Ballistic Bobcat (aka APT35, APT42, Charming Kitten, TA453, and PHOSPHORUS). The group used\r\na new backdoor named Sponsor to target organizations in Brazil, Israel, and the UAE: the targeted entities include\r\nthe automotive, manufacturing, engineering, financial services, media, healthcare, technology, and telecoms sectors.\r\nThe Sponsor backdoor is written in C++ and designed to collect information about the host and process commands\r\nreceived from a remote server, the results of which are sent back to the server.\r\nAccording to the report, the latest campaign, codenamed Sponsoring Access, involves gaining initial access by\r\nexploiting known vulnerabilities in Microsoft Exchange servers. In one of the incidents described by ESET, an\r\nIsraeli company was compromised by an attacker in August 2021, and the delivery of tools for the next stage\r\n(PowerLess, Plink, and a number of open source post-exploitation tools written in Go) was carried out over\r\nseveral months.\r\nAs experts concluded, Ballistic Bobcat continues to find opportunities to exploit unpatched vulnerabilities on\r\nMicrosoft Exchange servers accessible from the network, using a new and diverse arsenal of tools.\r\nImperial Kitten/Yellow Liderc/Tortoiseshell attacks\r\nAccording to PwC researchers, threat actor Yellow Liderc (aka Imperial Kitten, Tortoiseshell, TA456, and\r\nCrimson Sandstorm) has launched watering-hole attacks to distribute IMAPLoader malware, which exploits\r\nWindows utilities to identify target systems and deploy additional payloads. 
The targets of the campaign include\r\nmaritime, shipping and logistics organizations across the Mediterranean; nuclear, aerospace, and defense\r\nindustries in the U.S. and Europe, and IT-managed service providers in the Middle East. While new attacks\r\ninvolved compromising legitimate websites with malicious JavaScript designed to exfiltrate data, the threat actor\r\nhas also used a fraudulent Microsoft Excel document as an initial attack vector.\r\nAfter the PwC report, CrowdStrike reported that the same actor referred to as Imperial Kitten has been targeting\r\ntransportation, logistics, and technology sectors in the Middle East, including Israel, since the onset of the Israel-Hamas conflict. The group’s activity is characterized by the use of social engineering, particularly job recruitment-themed content, to deliver custom .NET-based implants. The attackers use compromised websites to profile\r\nvisitors using bespoke JavaScript and exfiltrate the information. In addition to the use of watering holes, the threat\r\nactor also uses one-day exploits, stolen credentials, and phishing, and targets upstream IT service providers for\r\ninitial access.\r\nOilRig attacks\r\nESET researchers analyzed a series of new OilRig (aka APT34, Lyceum, Crambus, or Siamesekitten) downloaders\r\nthat the threat actor used in 2022 campaigns to target organizations in Israel, including a healthcare organization,\r\na manufacturing company, and a local governmental body. All targets were previously affected by multiple OilRig\r\ncampaigns. 
The new downloaders, named SampleCheck5000 (SC5k v1-v3), OilCheck, ODAgent, and OilBooster,\r\nare notable for using legitimate cloud storage and cloud-based email services for C2 communications and data\r\nexfiltration as a way to hide malicious communication and mask the group’s network infrastructure:\r\nMicrosoft OneDrive, Exchange Online and Office 365 via the Microsoft Graph and Outlook APIs, as well as\r\nMicrosoft Exchange Web Services (EWS). These downloaders share similarities with the\r\nMrPerfectionManager and PowerExchange backdoors, other recent additions to OilRig’s toolset that use email-based C\u0026C protocols.\r\nPeach Sandstorm/APT33 attacks\r\nAccording to Microsoft, the threat actor Peach Sandstorm (aka APT33, Elfin, and Refined Kitten) targeted\r\norganizations in the defense industrial base sector using a new backdoor called FalseFont. This is a custom\r\nbackdoor that allows attackers to remotely access infected systems, launch additional files, and send information\r\nto its C2. This malware strain was first observed in the wild around early November 2023. The development and\r\nuse of FalseFont is consistent with Peach Sandstorm activity observed by Microsoft over the past year, suggesting\r\nthat Peach Sandstorm is continuing to improve its tradecraft.\r\nChinese-speaking activity\r\nTEMP.Hex and UNC4698 USB attacks\r\nResearchers at Mandiant reported a threefold increase in attacks involving USB drives in the first half of this year.\r\nIn one such campaign, threat actor TEMP.Hex (aka HoneyMyte) used USB drives to distribute the Sogu malware,\r\ndesigned to steal sensitive information from host systems. They believe that TEMP.Hex is using Sogu to collect\r\ninformation of economic and national security interest to China. 
TEMP.Hex is targeting a variety of sectors,\r\nincluding construction and engineering, business services, government, health, transportation, and retail\r\norganizations in Europe, Asia, and the U.S.\r\nAnother threat actor tracked as UNC4698 is also using USB drives to spread the SnowyDrive malware, which\r\ncreates a backdoor on infected systems, providing attackers a way to remotely interact with the device and issue\r\ncommands. The backdoor supports many commands that perform file operations, data exfiltration, reverse\r\nshells, command execution, and reconnaissance. It also spreads to other USB drives and over the network.\r\nThe malware uses DLL search order hijacking to load a malicious DLL via legitimate executables such as\r\nNotepad++, Microsoft Silverlight, VentaFax Software, and CAM UnZip Software. UNC4698 is targeting oil\r\nand gas organizations in Asia.\r\nSpace Pirates attacks\r\nPositive Technologies released a report on new large-scale attacks on organizations in Russia and Serbia carried\r\nout by the Chinese-speaking Space Pirates group, tracked by researchers since 2022. The main goal of the group\r\nis espionage and data theft. The group has expanded its areas of interest. Over the past year, at least 16\r\norganizations in Russia and one (a ministry) in Serbia have become victims, including state and educational\r\ninstitutions, enterprises of the aviation, rocket-space, and agricultural industries, the military-industrial and fuel-energy complex, and infosec companies.\r\nAn Acunetix scanner was found on one of the control servers. This indicates a likely attack vector through the\r\nexploitation of vulnerabilities, which has not been observed before. The group also targeted PST mail archives.\r\nThe Godzilla web shell and an obfuscated Neo-reGeorg tunnel were found on the C2 server. The group also began\r\nto use ShadowPad malware. In almost every investigation, there were traces of Deed RAT being used, which is\r\nstill under development. 
When investigating the incident, a 64-bit version of this malware was found on one of the\r\ninfected devices, which is almost the same as the 32-bit version. Two new plugins were found on computers\r\ninfected with Deed RAT. The first one is called Disk and is used to work with disks. The second plugin is called\r\nPortmap, which was based on the ZXPortMap utility. The plugin is used for port forwarding and supports three\r\nnetwork commands.\r\nDuring one of the investigations, a previously unknown sample of malware was found which was delivered\r\nthrough the already installed Deed RAT and subsequently named Voidoor. The life cycle of this malware included\r\ninteraction through GitHub and the voidtools forum. The latter, together with the analysis of GitHub repositories,\r\nled researchers to the hacker’s blog on the Chinese Software Developer Network. Positive Technologies\r\nresearchers assume with a certain degree of confidence that the author is one of the malware developers (if not the\r\nonly one).\r\nAPT31 attacks\r\nKaspersky ICS CERT identified over 15 implants and their variants planted by the APT31 (aka Judgment Panda\r\nand Zirconium) threat actor in a series of attacks against industrial organizations in Eastern Europe designed to\r\nsteal sensitive data. The malware is typically installed using DLL hijacking and covers its tracks by using the RC4\r\nalgorithm to encrypt data until just prior to being injected. The malware includes a worm component able to infect\r\nremovable drives and steal sensitive data, including data on an air-gapped device. 
Other implants include variants\r\nof the FourteenHi backdoor, the MeatBall backdoor, an implant using Yandex Cloud as C2, and implants used to upload files\r\nto Dropbox.\r\nUNC4841 attacks\r\nFollowing up on earlier research into the exploitation of a remote command injection vulnerability affecting the\r\nBarracuda Email Security Gateway (ESG) appliance (CVE-2023-2868) by UNC4841, Mandiant researchers\r\nprovided further detail on TTPs used by the threat actor.\r\nUNC4841 deployed new malware designed to maintain presence at a small subset of high-priority targets\r\ncompromised either before the patch was released or shortly afterwards. This includes use of the SKIPJACK\r\nand DEPTHCHARGE backdoors and the FOXTROT/FOXGLOVE launcher.\r\nThe threat actor targeted a wide variety of verticals: primary targets include national governments, high-tech and\r\nIT entities, local governments, telecoms providers, manufacturing entities, and colleges and universities.\r\nThe US Cybersecurity and Infrastructure Security Agency (CISA) provided additional IoCs associated with the\r\nexploitation of this vulnerability.\r\nFlax Typhoon attacks\r\nMicrosoft researchers report that a newly discovered Chinese-speaking threat actor dubbed Flax Typhoon targeted\r\ndozens of organizations in Taiwan. Flax Typhoon has been active since mid-2021 and has targeted government\r\nagencies and education, critical manufacturing, and information technology organizations in Taiwan. The purpose\r\nof the attacks is cyber-espionage.\r\nThe group seeks to maintain access to organizations across a broad range of industries for as long as possible. Flax\r\nTyphoon uses minimal malware, primarily relying on “living-off-the-land” techniques. 
The attackers obtained\r\ninitial access by exploiting known vulnerabilities in public-facing servers (in VPN, web, Java, and SQL\r\napplications) and deploying web shells, including China Chopper.\r\nThe threat actor is thought by some researchers to have been operating since mid-2021. However, Taiwanese\r\nthreat intelligence group TeamT5 has disputed this, dating the group’s activities back to at least 2020 and giving it\r\nthe temporary code name SLIME13.\r\nVolt Typhoon attacks\r\nThe Black Lotus Labs team at Lumen Technologies linked the threat actor Volt Typhoon (aka BRONZE\r\nSILHOUETTE) to a botnet called KV-botnet used to target routers, firewalls, and VPN devices to camouflage\r\nmalicious traffic within legitimate traffic. The targeted devices include Netgear ProSAFE firewalls, Cisco\r\nRV320s, DrayTek Vigor routers, and Axis IP cameras.\r\nThe KV-botnet has been used in attacks targeting telecoms and ISPs, a U.S. territorial government entity in Guam,\r\na renewable energy firm in Europe, and U.S. military organizations, though researchers classify the majority\r\nof the KV infections as opportunistic.\r\nBeginning in August 2023, researchers observed an uptick in the exploitation of new bots for KV-botnet. This\r\ncluster infected SOHO devices associated with a handful of high-value networks. While no prebuilt functions in\r\nthe original binary to enable targeting of the adjacent LAN were discovered, there was the ability to spawn a\r\nremote shell on the SOHO device. This capability could have been used to either manually run commands or\r\npotentially retrieve a yet-to-be-discovered secondary module to target the adjacent LAN.\r\nRedfly attacks\r\nSymantec discovered a new threat actor, dubbed Redfly, that infiltrated the national power grid of an Asian\r\ncountry using the ShadowPad Trojan. 
The report states that the attackers managed to steal credentials\r\nand compromise several computers on the organization’s network, and that this attack is the latest in a series of\r\nespionage intrusions against the country’s critical national infrastructure.\r\nThe ShadowPad variant disguises itself as VMware files and directories on infected machines and establishes\r\npersistence by registering a service that starts when Windows starts. In addition to ShadowPad, Redfly was seen\r\ndeploying PackerLoader, a tool for downloading and executing shellcode, and a keylogger, which was installed\r\nunder different names on different machines. The group acted quite methodically and consistently changed\r\npermissions for the driver, which was later used to create file system dumps and dump credentials from the\r\nWindows registry. Hackers used a tool to dump credentials from LSASS, and a scheduled task was used to\r\nexecute Oleview for side-loading and lateral movement. To install a keylogger on a compromised machine, the\r\nattackers tried to dump credentials using ProcDump.\r\nAccording to Symantec, the most obvious motive of the group is espionage. Identified tools and infrastructure\r\nused in the recent campaign targeting the national power grid overlap with previously reported attacks attributed\r\nto a cluster of APT41 activity (aka Brass Typhoon, Wicked Panda, Winnti, and Red Echo).\r\nAttacks on semiconductor companies in East Asia\r\nSemiconductor companies in East Asia (Taiwan, Hong Kong, Singapore) have been targeted using messages\r\npurporting to come from the Taiwan Semiconductor Manufacturing Company (TSMC).\r\nThe attacks used the HyperBro backdoor, which leveraged a digitally signed CyberArk binary (fv_host.exe,\r\nrenamed by malicious actors to vfhost.exe) for DLL side-loading, resulting in the in-memory execution of a\r\nCobalt Strike beacon. 
The C2 address hardcoded into the Cobalt Strike implant was disguised as a legitimate\r\njQuery CDN, allowing it to bypass firewall protection.\r\nIn the second attack variant, hackers used a compromised Cobra DocGuard web server to download an additional\r\nMcAfee binary (mcods.exe), a malicious file (which is loaded by mcods.exe using DLL side-loading), and\r\nencrypted Cobalt Strike shellcode. In this case, the hackers deployed a previously undocumented Go-based\r\nbackdoor called ChargeWeapon designed to collect and transmit the victim’s data to the C2 in Base64-encoded form.\r\nEclecticIQ researchers have attributed the campaign to a China-linked threat actor due to its use of HyperBro,\r\nwhich has been almost exclusively used by Lucky Mouse (aka APT27, Budworm, and Emissary Panda). They also\r\nfound tactical overlaps with RedHotel and Earth Lusca.\r\nRussian-speaking activity\r\nAttacks with DroxiDat/SystemBC\r\nAn unknown actor targeted an electric utility in Africa with Cobalt Strike beacons and DroxiDat, a newer variant\r\nof the SystemBC payload. This attack occurred in the third and fourth week of March 2023 as part of a small wave\r\nof attacks across the world. In one of several related incidents, Nokoyawa ransomware was detected, which is\r\nlinked with zero-day exploitation and a potential link to a group that deployed the Hive ransomware. 
To date,\r\nthe group behind Nokoyawa ransomware activity has not been publicly attributed with any precision,\r\nbut the ransomware appears to be used by an older Russian-speaking crimeware group/ransomware affiliate (probably Pistachio\r\nTempest or FIN12).\r\nAPT29/Midnight Blizzard/Nobelium attacks\r\nMicrosoft researchers report that Midnight Blizzard (aka Nobelium) has been using Microsoft Teams chats to\r\ntarget individuals in the government, NGO, IT services, technology, discrete manufacturing, and media sectors.\r\nOverall, the current investigation indicates this campaign has affected fewer than 40 unique global organizations.\r\nThe attackers used compromised Microsoft 365 accounts to create domains that masquerade as organizations\r\noffering tech support. They then use these domains to send chat messages with links to web pages where they try\r\nto phish recipients’ credentials, specifically MFA codes.\r\nThe FortiGuard Incident Response team reported that in October 2023, a U.S.-based biomedical manufacturing\r\norganization was compromised through a critical TeamCity vulnerability (CVE-2023-42793) for which a publicly\r\naccessible exploit had been released on September 27, 2023. TeamCity is a product by JetBrains used to\r\nmanage and automate software compilation, building, testing, and release.\r\nThe initial exploitation used a custom-built exploit script written in Python. 
The threat actor used the\r\nTeamCity exploit to install an SSH certificate, which they used to maintain access to the victim’s environment.\r\nAfter executing the discovery commands, the actor downloaded a DLL file, AclNumsInvertHost.dll, on the\r\nTeamCity host and again used the TeamCity RCE vulnerability to create a Windows scheduled task referencing\r\nthe DLL file for persistence.\r\nThe AclNumsInvertHost.dll library and multiple other DLL files pulled from the threat actors’ webserver matched\r\na YARA rule for a known malware family called GraphicalProton that was historically linked to APT29\r\n(aka the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard/BlueBravo). Given the technique crossover\r\nwith previously reported activity and the identification of the GraphicalProton payload, FortiGuard believes\r\nwith medium confidence that this attack was part of a new BlueBravo/APT29 campaign.\r\nIn a joint advisory published on December 13, the FBI, the Cybersecurity \u0026 Infrastructure Security Agency\r\n(CISA), the NSA, the Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the UK\r\nNational Cyber Security Centre (NCSC) warned that APT29 has been exploiting an authentication bypass\r\nvulnerability (CVE-2023-42793) in TeamCity. The agencies have alerted dozens of companies in the U.S.,\r\nEurope, Asia, and Australia after discovering hundreds of compromised devices.\r\nAttacks exploiting WinRAR vulnerability\r\nThe vulnerability CVE-2023-38831 in WinRAR, a Windows file archiving utility, is a high-severity bug that\r\nhas been exploited since early 2023. RARLabs released WinRAR 6.23 in August to address the vulnerability.\r\nSandworm attacks\r\nGoogle’s Threat Analysis Group (TAG) observed multiple government-backed hacking groups exploiting the\r\nvulnerability CVE-2023-38831. 
In April 2023, TAG reported on FROZENBARENTS (aka SANDWORM) targeting the energy sector and continuing hack-and-leak operations. In an early-September attack, Sandworm hackers delivered Rhadamanthys infostealer malware in phishing attacks using fake invitations to join a Ukrainian drone training school. Rhadamanthys is a commodity infostealer that collects and exfiltrates browser credentials and session information among other things. It operates on a subscription-based model and can be rented out for as low as $250 for 30 days.

APT28 attacks

The APT28 group (aka Frozenlake, Fancy Bear, Strontium, or Sednit) also used the flaw to deliver malware targeting energy infrastructure in Ukraine via a phishing campaign that used a decoy document inviting targets to an event hosted by Razumkov Center, a public policy think tank in Ukraine.

Proofpoint also reported the use of the vulnerability CVE-2023-38831 by TA422 (aka APT28). According to Proofpoint researchers, TA422 used the vulnerabilities as initial access against government, aerospace, education, finance, manufacturing, and technology sector targets likely to either disclose user credentials or initiate follow-on activity.

In September 2023, the actor sent malicious emails spoofing geopolitical entities and using the BRICS Summit and a European Parliament meeting as subject lures to entice targets to open the emails. The researchers also observed that between September 2023 and November 2023, the attackers sent lures to targets which included a link that, if clicked, initiated a chain of malicious activity from the Mockbin service.

In November 2023, TA422 abandoned the use of Mockbin for initial filtering and redirection in favor of direct delivery of InfinityFree URLs.

Mysterious Werewolf

Researchers from Cyble Research and Intelligence Labs (CRIL) uncovered a targeted spear phishing attack on a Russian semiconductor supplier.
The phishing email was disguised as an official communication from the Ministry of Industry and Trade of Russia and contained a deceptive archive file named resultati_sovehchaniya_11_09_2023.rar. The threat actors behind this attack also used this vulnerability.

The malicious .NET payload, the Athena agent of the Mythic C2 framework, is equipped with an extensive set of pre-installed commands tailored to perform various actions on the targeted systems. Athena comes loaded with features such as cross-platform support for Windows, Linux, and OSX, SOCKS5 support, reverse port forwarding, reflective loading of assemblies, modular loading of commands, and much more. In this case, it was configured to use Discord as the C2 communication channel.

The BI.ZONE Cyber Threat Intelligence team also tracked this activity cluster, dubbed Mysterious Werewolf, and uncovered another attack in the campaign, this time targeting industry facilities in Russia. Attackers posed as the Russian Ministry of Industry and Trade and used phishing emails that contained archives named Pismo_izveshcanie_2023_10_16.rar with malicious CMD files that exploited the CVE-2023-38831 vulnerability to launch a PowerShell script and ultimately download an Athena agent. The attackers used a dynamic DNS service and post-exploitation frameworks, as well as a scheduled task to run the agent every 10 minutes.

Other APT28/Fancy Bear attacks

CERT-UA reported a targeted cyberattack against a critical energy infrastructure facility in Ukraine. The attackers sent emails designed to lure targets into downloading a seemingly innocent archive file.
This archive contained malicious scripts that hijacked the computer and exfiltrated sensitive data using services such as mockbin.org and mocky.io.

Zscaler researchers analyzed the key components of this attack and another campaign dubbed StealIt with similar TTPs that align with the APT28 (Fancy Bear) threat actor. According to researchers, the attackers stole and exfiltrated NTLMv2 hashes using customized versions of Nishang’s Start-CaptureServer PowerShell script and executed various system commands. Threat actors focused on targeting regions including Australia, Poland, and Belgium in this campaign.

Since March, Microsoft researchers have observed phishing attacks by TA422 (aka APT28, Forest Blizzard, Strontium, Fancy Bear, and Fighting Ursa) targeting government, energy, transportation, and non-governmental organizations in the U.S., Europe, and the Middle East.

The threat actor is exploiting two vulnerabilities. The first (CVE-2023-23397) is a Microsoft Outlook elevation of privilege vulnerability. The vulnerability doesn’t require any user interaction. Palo Alto researchers have observed the threat actor exploiting this vulnerability over the past 20 months to target at least 30 organizations in 14 countries, including in the energy, transportation, and telecommunications sectors, and the military industrial base. The campaigns all used Ubiquiti networking devices to harvest NTLM authentication messages from victim networks. Microsoft initially patched the Outlook vulnerability in March, warning that it was being actively exploited, and has since updated its guidance for customers.

The use of the second vulnerability – CVE-2023-38831 – was reported by Proofpoint (see above).

Other Sandworm/Hades attacks

According to Mandiant researchers, Sandworm (aka Hades) carried out a cyberattack on a Ukrainian electric utility that began in June 2022 and culminated in October 2022, causing a power blackout.
The initial access vector into the IT environment wasn’t identified.

At first, the attackers deployed the Neo-REGEORG webshell on a server exposed on the public internet. After one month, the hackers executed the Golang-based GOGETTER tunneler to proxy encrypted communications for the command and control server using the Yamux open-source library.

Sandworm gained access to the OT environment through a hypervisor that hosted a supervisory control and data acquisition (SCADA) management instance for the victim’s substation environment and maintained access for up to 3 months.

The attack culminated in activity that had a physical effect.

First, Sandworm used an ISO CD-ROM image file to run the native ABB utility scilc.exe, likely to run malicious commands written in ABB’s SCIL (Supervisory Control Implementation Language) that would switch off the substations on October 10, 2022.

Based on the file timestamp analysis, Mandiant believes the actors needed 2 months to develop the OT capability.

Loading the ISO image was possible because the virtual machine that MicroSCADA was running on had the autorun feature enabled, allowing CD-ROMs, physical or virtual (e.g. an ISO file), to run automatically. The scilc.exe utility is part of the MicroSCADA software suite, and Sandworm used it to run SCIL commands that the server would convert to IEC 101/104 commands and relay to the remote terminal units in the substation.

According to the researchers’ findings, the compromised MicroSCADA server was running an end-of-life software version that allowed default access to the SCIL-API.
Using a native binary in the attack indicates the hackers’ shift to living-off-the-land (LoL/LOTL) techniques that rely on more lightweight and generic tools, which make threat activity more difficult to detect.

Then, on October 12, 2022, Sandworm deployed a new version of the CADDYWIPER data-destroying malware, perhaps in an attempt to hamper analysis of the intrusion. Mandiant did not reveal the location of the targeted energy facility, or the length and scale of the blackout.

Other

RedEnergy attacks

Zscaler ThreatLabz researchers discovered .NET RedEnergy malware used in attacks on enterprises in the energy, oil and gas, telecom, and machinery industries. The malware allows attackers to steal information from various browsers, and also has ransomware functionality (Stealer-as-a-Ransomware).

The attackers use the FAKEUPDATES tactic to deceive victims and force them to download RedEnergy malware disguised as browser updates. The attackers used LinkedIn pages to target victims and redirect them to a fraudulent URL using authoritative-looking profile pages, including Philippines Industrial Machinery Manufacturing Company and several organizations in Brazil.

The malware operates through multiple stages, starting with the execution of disguised malicious executables. It establishes persistence, communicates with DNS servers, and downloads additional payloads from remote locations. RedStealer communicates with servers over HTTPS, stores itself in the Windows startup directory, and creates a start menu entry. The researchers also found suspicious activity related to the File Transfer Protocol (FTP), which suggests that it’s used by attackers to steal data. After a successful attack, a module is used to encrypt data with the addition of the .FACKOFF!
extension to encrypted files, deleting backup copies along the way.

QR code phishing campaign

Researchers at Cofense identified a phishing campaign that uses malicious QR codes to steal Microsoft account credentials. The campaign has been operating since at least May 2023. One of the targets is an unnamed U.S. energy company that received about 29% of the over 1,000 emails.

Most of the phishing emails appear to be Microsoft security notifications. Top organizations were in manufacturing, insurance, technology, and financial services, which received 15%, 9%, 7%, and 6% of the emails, respectively.

Most of the identified phishing links were Bing redirect URLs (26%), followed by two domains associated with the Salesforce application (15%) and Cloudflare’s Web3 services. The use of Bing URL redirects, coupled with hiding the phishing links in QR codes embedded in images or documents and other obfuscation tactics, helped the malicious messages bypass security controls and land in the recipients’ inboxes.

Cofense researchers didn’t attribute the new campaign to a specific actor.

Mysterious Team Bangladesh attacks

Group-IB Threat Intelligence researchers analyzed the activities of hacktivist group Mysterious Team Bangladesh. This group, which typically targets logistics, government, and financial sectors in India and Israel (and, to a lesser extent, in Australia, Senegal, the Netherlands, Sweden, and Ethiopia), has been linked to more than 750 DDoS attacks and 78 website defacements since June 2022.
The threat actor, thought to be Bangladeshi in origin, reportedly also gained access to web servers and administrative panels, probably by exploiting known security flaws (like vulnerable versions of PHPMyAdmin and WordPress) or poorly secured passwords.

Cuba ransomware attacks

Kaspersky researchers presented an analysis of Cuba ransomware covering the history of the group and its typical TTPs. The group first came to attention in 2020 when it was called Tropical Scorpius. Cuba targeted organizations in the U.S., Canada, Australia, and Europe with a series of high-profile attacks on oil companies, manufacturing, financial services, government agencies, healthcare providers, and others.

The group uses a classic double extortion model, stealing and then encrypting data using the Xsalsa20 symmetric algorithm, with the encryption key protected by the asymmetric RSA-2048 algorithm. The ransomware encrypts documents, images, and archives. It also stops all SQL services to encrypt all available databases, and searches for data both locally and within network shares.

In addition to encryption, the group steals sensitive data that it discovers inside the victim’s organization. The type of data that hackers look for depends on the industry of the target company. The group uses both well-known classic credential access tools and custom applications: Bughatch, Burntcigar, Cobeacon, Hancitor (Chanitor), Termite, SystemBC, Veeamp, Wedgecut, RomCOM RAT, Mimikatz, PowerShell, PsExec, and Remote Desktop Protocol.
The group mainly exploits already known software vulnerabilities, such as the combination of ProxyShell and ProxyLogon to attack Exchange servers, as well as security holes in the Veeam data backup and recovery service.

In the report, Kaspersky researchers present the results of an investigation into one of the incidents with an emphasis on analysis of previously undocumented software and group TTPs, and also share IoCs, Sigma, and YARA rules.

Core Werewolf attacks

Researchers from BI.ZONE Threat Intelligence reported in their Telegram channel new attacks by the Core Werewolf group targeting enterprises in the defense and energy industries in Russia, as well as other critical infrastructure facilities, for espionage purposes.

The attackers sent emails with an attached UKAZ.PDF.ZIP archive, which contained an executable malicious file named “О предоставлении информации по согласованию и наградам.exe” (“On the provision of information on approvals and awards.exe”). The executable file is a self-extracting archive that, when launched, displays the expected PDF or Microsoft Word document on the victim’s screen. In the last identified campaign, it was a document with an order from the deputy general director of a well-known industrial company. At the same time, the legitimate UltraVNC tool is installed in the background, allowing the attackers to gain full control over the compromised device.

According to BI.ZONE, Core Werewolf has been active since at least December 2021, and its TTPs were shared previously.

Attacks on Russian industrial organizations

Researchers at Kaspersky Lab reported an espionage campaign targeting a number of Russian government and industrial organizations using a custom backdoor written in Go.

The attack vector began with an email with a malicious archive named finansovyy_kontrol_2023_180529.rar.
The archive contained a decoy PDF used to distract the victim, as well as an NSIS script that extracts and runs the backdoor from an external URL.

The functionality of the backdoor is limited to spyware and is mainly focused on searching for files of certain extensions and reading the contents of the clipboard. All data sent to C2 is encrypted with AES, and the malware checks the environment it’s located in to avoid analysis. The results of these checks are sent to C2 at the initial stage of infection and are used to profile the victim.

Malicious activity was detected in June 2023, and in mid-August, researchers discovered a new version of the malware. The updated malware provided improved evasion of security measures, which indicates ongoing systematic work to optimize attacks.

XDSpy attacks

F.A.C.C.T. researchers report that the XDSpy APT group attacks Russian metallurgists and military-industrial complex enterprises. New malicious mailings were discovered on November 21-22 addressed to a Russian metallurgical enterprise, as well as a research institute specializing in the development of military missiles. In both cases, the email signature displayed the logo of a nuclear research institute, and the email address of a logistics company from Kaliningrad was indicated as the sender. In addition, another email was discovered sent to Russian metallurgists, but from a Belarusian address.

The group’s kill chain in the new November campaign corresponds to the previously described XDSpy attacks. The emails contain a link to a PDF that leads to downloading a malicious ZIP archive. The archive contains an LNK file and a command line file, which ultimately results in the C# code being compiled into malicious .NET payloads and launched.
XDSpy’s victimology correlates with previous targets among military, financial, energy, research, and mining companies in the Russian Federation.

Although the APT has been active since 2011, international researchers still don’t know which country’s interests it serves.

DarkWatchman RAT attacks

F.A.C.C.T. researchers detected a new campaign using the fileless JavaScript-based DarkWatchman RAT associated with attacks on Russian companies under the guise of mailings from the Pony Express courier delivery service. The list included 30 recipients from banking institutions, marketplaces, telecom operators, agricultural and fuel and energy companies, and logistics and IT companies.

In the messages, the recipient is informed that the free storage period for their packages has expired, while the attached archive with the invoice contains the malicious DarkWatchman RAT. The emails were sent from the ponyexpress[.]site domain, which has previously been used for phishing. Moreover, the multi-line phone number indicated in the email actually belongs to the Pony Express courier service.

The DarkWatchman RAT has long been observed targeting Russian entities. Previously, DarkWatchman RAT operators distributed malware under the guise of an archive with the results of a fake tender from the Russian Ministry of Defense, fake summonses from the military registration and enlistment office, and also through the fake website of a Russian developer in the field of cryptography.

Hellhounds attacks

Positive Technologies researchers have uncovered the activities of a new group, Hellhounds, which is aimed at Russian commercial and government organizations. The campaign was called Operation Lahat because telemetry from infected hosts was sent to an account with the username “lahat”.

Research started in October 2023, when PT CSIRT discovered the compromise of an energy company using the Decoy Dog trojan.
Decoy Dog has been used in attacks against Russian organizations since at least September 2022. However, the sample found on the victim’s host was a new, more refined modification of the trojan.

Researchers reported that Hellhounds makes significant efforts to hide its activity on hosts and the network. At the first stage, attackers use the Decoy Dog Loader, which is protected by a modified version of the UPX packer. Unlike regular UPX, this modification does not unpack an executable file, but rather a shellcode written entirely in assembly language and using only Linux system calls. The loader itself runs on the system and disguises itself as a legitimate cron service. The second stage uses the main payload, which is a modified version of Pupy RAT (a cross-platform multi-functional backdoor) that researchers call Decoy Dog.

At least 20 Russian organizations have been affected, most of which are in the public sector, information technology, space industry and energy sector, but also including construction, transportation, and logistics companies.

TTP analysis didn’t allow researchers to link the attackers to any previously known APT groups.

According to PT, Hellhounds are involved in hacking a Russian telecommunications operator where they managed to put some of its services out of operation. This was reported by Solar 4RAYS researchers as part of their presentation “Thanos’ blip for the telecom operator” at SOC-Forum 2023.

Cloud Atlas attacks

F.A.C.C.T.
researchers discovered a new cyber espionage campaign by the Cloud Atlas APT group (aka Clean Ursa, Inception, Oxygen) targeting a Russian agro-industrial enterprise and a state-owned research company. The threat actor is known for its persistent campaigns targeting Russia, Belarus, Azerbaijan, Turkey, and Slovenia.

The starting point of the new campaign is phishing messages under the guise of supporting participants in the Special Military Operation and military registration, with a lure document that exploits CVE-2017-11882, a six-year-old memory corruption flaw in Microsoft Office’s Equation Editor, a technique Cloud Atlas has employed as early as October 2018. The emails originate from popular Russian email services Yandex Mail and VK’s Mail.ru.

Successful exploitation of the vulnerability leads to executing a shellcode that’s responsible for downloading and running an obfuscated HTA file. The downloaded malicious HTML application subsequently launches Visual Basic Script (VBS) files that are ultimately responsible for retrieving and executing an unknown VBS code from a remote server. At the time of the study, the next stage VBS code was unavailable.

Grayling attacks

Symantec researchers shared evidence of a new APT group dubbed “Grayling” that targeted mainly Taiwanese organizations in a cyber-espionage campaign lasting at least four months. The group’s activity began in February 2023 and continued until at least May 2023, stealing sensitive information from manufacturing, IT, and biomedical companies in Taiwan, as well as victims in the U.S., Vietnam, and Pacific Islands.

The group deployed DLL side-loading through the exported API SbieDll_Hook to load tools such as a Cobalt Strike Stager leading to the popular post-exploitation tool Cobalt Strike Beacon. It also installed “Havoc”, an open-source, post-exploitation command-and-control (C2) framework used in a similar way to Cobalt Strike.
Grayling used the publicly available spyware tool NetSpy, exploited the legacy Windows elevation of privilege bug CVE-2019-0803, and downloaded and executed shellcode, the report noted. Other post-exploitation activities carried out by these attackers include terminating all processes listed in a file called processlist.txt and using Mimikatz for credential dumping.

Attack against Danish critical infrastructure

Denmark’s SektorCERT reported a simultaneous cyberattack on 22 companies associated with the country’s energy sector on May 11, 2023. Among the shared details was that one organization lost visibility into three of its remote locations and the organization’s employees had to drive out to all those locations.

The attackers exploited a critical command injection vulnerability (CVE-2023-28771) affecting Zyxel firewalls. Eleven companies were successfully compromised: the threat actors executed malicious code to conduct reconnaissance of the firewall configurations and determine the next course of action. Some of the deployed payloads were related to the Mirai Moobot variant.

The agency has attributed the attacks, or at least part of them, to Sandworm (aka Hades), but without complete certainty. The traffic in one of the affected organizations was linked to an IP address that had previously been used by Sandworm. However, SektorCERT insisted that attribution could not be made with confidence due to the overall lack of evidence.

AeroBlade attacks

BlackBerry researchers discovered a previously unknown cyber espionage hacking group dubbed AeroBlade targeting organizations in the U.S. aerospace sector.
The campaign unfolded in two phases: a testing wave in September 2022, and a more advanced attack in July 2023.

The attacks employed spear-phishing with weaponized documents dropping a reverse-shell payload. In both attacks, a reverse shell connected to the same C2 IP address, and the threat actors used the same lure documents in the phishing stage. The final reverse shell of the 2023 attack was stealthier, used more obfuscation and anti-analysis techniques, and included an option to list directories on infected hosts.

BlackBerry assesses with medium to high confidence that the goal of the attacks was commercial cyber espionage aiming to gather valuable information.

USB attacks with Vetta Loader

In an investigation conducted by Yoroi’s malware ZLab team, a persistent threat was unveiled affecting several Italian companies, primarily in the industrial, manufacturing, and digital printing sectors. The threat spreads via infected USB drives, exploiting the heavy reliance on pen-drives for data sharing within these sectors.

Researchers identified at least four different variants of the same malware loader, dubbed Vetta Loader, being launched as part of an infection chain using USB drives, all written in different programming languages: NodeJS, Golang, Python, and .NET. All of them work with the same logic to communicate with C2s and then download other payloads. The final downloaded payloads were no longer available at the time of analysis.
Researchers also found the initial USB infector responsible for infecting the USB devices, along with other modules capable of collecting system information, and Bitcoin clipper malware.

Yoroi researchers say with a medium-high level of confidence that the attacks were carried out by an Italian-speaking threat actor.

CISA alerts

CISA advisory on CVE-2022-47966 and CVE-2022-42475

The attacks on a U.S. aeronautical organization were detailed in an advisory authored by CISA, the FBI, and the Cyber National Mission Force (CNMF). The attacks are believed to have begun in January.

The advisory stated that nation-state advanced persistent threat (APT) groups were exploiting a critical remote code execution vulnerability (CVE-2022-47966) to gain unauthorized access to the organization’s Zoho ManageEngine ServiceDesk Plus instance, then moving laterally through its network. Other APT groups exploited a heap-based buffer overflow vulnerability (CVE-2022-42475) in FortiOS SSL-VPN to establish presence on the organization’s Fortinet firewall device.

Through the Zoho exploit, the threat actors were able to achieve root-level web server access and create a local user account with administrative privileges.
Actors were further able to download malware, enumerate the network, collect administrative user credentials, and move laterally through the organization’s network.

It was unclear if the attacks resulted in data being accessed, altered, or exfiltrated, because the organization had not clearly defined where its data was centrally located and CISA had limited network coverage.

The advisory did not attribute the attack to any specific threat groups, but noted that CISA’s investigation uncovered overlapping tactics, techniques and procedures (TTPs) that could be ascribed to multiple APT groups.

CISA advisory on Snatch Ransomware

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) to disseminate known ransomware IOCs and TTPs associated with the Snatch ransomware variant identified through FBI investigations as recently as June 1, 2023.

The alert warned of the threat actor targeting a wide range of critical infrastructure sectors, including the IT sector, the U.S. defense industrial base, and the food and agriculture vertical.

Since mid-2021, Snatch threat actors have consistently evolved their tactics to take advantage of current trends in the cybercriminal space and have been observed purchasing previously stolen data from other ransomware groups in an attempt to further pressure victims into paying a ransom to avoid having their data released on Snatch’s extortion blog.

In many attacks, Snatch operators have targeted weaknesses in the Remote Desktop Protocol (RDP) to gain administrator-level access to a target network. In other instances, they have used stolen or purchased credentials to gain an initial foothold.
Once on a network, the threat actor can sometimes spend up to three months moving around the network searching for files and folders to target.

The FBI and CISA advisory described Snatch operators as using a combination of legitimate and malicious tools on compromised networks. These include post-compromise tools such as the Metasploit open-source penetration testing tool, Cobalt Strike for lateral movement, and utilities such as sc.exe to create, query, add, and delete services and perform other tasks.

CISA alert on BlackTech attacks

A joint advisory from the U.S. National Security Agency (NSA), FBI, Cybersecurity and Infrastructure Security Agency (CISA), Japan National Police Agency (NPA), and Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) warned that a threat group called BlackTech (a.k.a. Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda) has been stealthily modifying Cisco IOS router firmware and taking advantage of routers’ domain-trust relationships to move from subsidiary organizations to primary target organizations in the U.S. and Japan. The hacks targeted government agencies, as well as industrial, technology, media, electronics, and telecommunication companies.

In the advisory, the agencies said BlackTech used the attacks to deploy a customized firmware backdoor. The backdoor functionality is enabled and disabled through specially crafted TCP or UDP packets.
They urged multinational organizations to review all network connections with their subsidiary offices and listed a range of security measures they should take to mitigate the risk posed by the APT group.

Cisco has released a bulletin noting that the most prevalent initial access vector in these attacks involves stolen or weak administrative credentials. There was no indication that any Cisco vulnerabilities were exploited.

CISA alert on Rhysida ransomware

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint alert that provides defenders with Rhysida ransomware indicators of compromise (IOCs), detection information, and tactics, techniques, and procedures (TTPs) discovered during investigations as of September 2023.

The threat actors behind the Rhysida ransomware engage in opportunistic attacks targeting organizations in various industry sectors. Operating under a Ransomware-as-a-Service (RaaS) model, Rhysida actors have compromised organizations in the education, manufacturing, information technology, and government sectors since May 2023, and any ransom paid is split between the group and affiliates.

Rhysida actors leverage external-facing remote services, such as VPNs, the Zerologon vulnerability (CVE-2020-1472), and phishing campaigns to gain initial access and persistence within a network.
The group is also reported to overlap with another ransomware crew known as Vice Society (aka Storm-0832 or Vanilla Tempest).\r\nCISA alert on LockBit 3.0 ransomware\r\nOn November 21, 2023, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing \u0026 Analysis Center (MS-ISAC), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) released a joint alert that disseminates indicators of compromise (IOCs), tactics, techniques and procedures (TTPs), and detection methods associated with LockBit 3.0 ransomware exploiting CVE-2023-4966, labeled Citrix Bleed, affecting Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway appliances. The vulnerability allows adversaries to bypass password requirements and multi-factor authentication (MFA), allowing them to take control of user sessions on Citrix NetScaler ADC and Gateway appliances.\r\nLockBit is a ransomware family active since September 2019 that operates under the Ransomware-as-a-Service (RaaS) model. LockBit 3.0 affiliates have conducted attacks against organizations of varying sizes across multiple critical infrastructure sectors, including education, energy, financial services, food and agriculture, government and emergency services, healthcare, manufacturing, and transportation.\r\nCISA alert on CyberAv3ngers attacks\r\nThe Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), NSA, EPA, and Israel’s National Cyber Directorate published a joint Cybersecurity Advisory (CSA) on December 14 on the threat actor calling itself CyberAv3ngers, responsible for the attack on the Municipal Water Authority of Aliquippa in Pennsylvania. 
In addition to the November CISA alert, the authoring agencies released the joint CSA to share indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with the actor’s cyber operations.\r\nThe actor is focused on targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs). These PLCs are commonly used in the Water and Wastewater Systems (WWS) Sector and are additionally used in other industries including, but not limited to, energy, food and beverage manufacturing, and healthcare. Once the devices were compromised, the attackers defaced their user interface, potentially rendering the PLC inoperable.\r\nThe agencies said IRGC-affiliated threat actors have targeted multiple U.S. water sector facilities that rely on Unitronics Vision PLCs since November 22. The victims were located in multiple states.\r\nCISA alert on Star Blizzard\r\nIn a joint advisory published on December 7, the “Five Eyes” security agencies (the Cybersecurity and Infrastructure Security Agency (CISA) in coordination with the United Kingdom’s National Cyber Security Centre (UK-NCSC), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NCSC-NZ), and the U.S. National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Cyber Command Cyber National Mission Force (CNMF)) warned about the evolving phishing techniques employed by Star Blizzard and its targeting of individuals and organizations, including the U.S. government and defense industrial base.\r\nThe alert shares the group’s tactics and techniques based on real-world observations. The attacker uses typical phishing tradecraft and shares a link in an email message or document allegedly leading to a document or website of interest. 
This leads the target to an actor-controlled server, prompting the target to enter account credentials.\r\nStar Blizzard uses the open-source framework EvilGinx in their spear-phishing activity, which allows them to harvest credentials and session cookies and thereby bypass two-factor authentication. Star Blizzard then uses the stolen credentials to log in to a target’s email account, where they are known to access and steal emails and attachments from the victim’s inbox. They have also set up mail-forwarding rules, giving them ongoing visibility of victim correspondence, and have used compromised email accounts for further phishing activity.\r\nSource: https://ics-cert.kaspersky.com/publications/reports/2024/04/02/apt-and-financial-attacks-on-industrial-organizations-in-h2-2023/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://ics-cert.kaspersky.com/publications/reports/2024/04/02/apt-and-financial-attacks-on-industrial-organizations-in-h2-2023/"
	],
	"report_names": [
		"apt-and-financial-attacks-on-industrial-organizations-in-h2-2023"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cde987a8-c71f-49e2-b761-5b7fa2b4ada6",
			"created_at": "2022-10-25T16:07:23.706646Z",
			"updated_at": "2026-04-10T02:00:04.719127Z",
			"deleted_at": null,
			"main_name": "Hexane",
			"aliases": [
				"ATK 120",
				"Cobalt Lyceum",
				"G1001",
				"Lyceum",
				"Operation Out to Sea",
				"Siamesekitten",
				"Yellow Dev 9"
			],
			"source_name": "ETDA:Hexane",
			"tools": [
				"DanBot",
				"DanDrop",
				"Decrypt-RDCMan.ps1",
				"Get-LAPSP.ps1",
				"James",
				"Milan",
				"kl.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "536ca49a-2666-4005-8a50-e552fc7e16ef",
			"created_at": "2023-11-21T02:00:07.375813Z",
			"updated_at": "2026-04-10T02:00:03.471967Z",
			"deleted_at": null,
			"main_name": "Webworm",
			"aliases": [
				"Space Pirates"
			],
			"source_name": "MISPGALAXY:Webworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "09031838-56db-4676-a2b2-4bc50d8b7b0b",
			"created_at": "2024-01-23T13:22:35.078612Z",
			"updated_at": "2026-04-10T02:00:03.519282Z",
			"deleted_at": null,
			"main_name": "Flax Typhoon",
			"aliases": [
				"Ethereal Panda",
				"Storm-0919"
			],
			"source_name": "MISPGALAXY:Flax Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b2d90939-4491-40e6-9ba1-7f97f6908af9",
			"created_at": "2024-01-18T02:02:33.896267Z",
			"updated_at": "2026-04-10T02:00:04.525Z",
			"deleted_at": null,
			"main_name": "AeroBlade",
			"aliases": [],
			"source_name": "ETDA:AeroBlade",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5484a633-c850-4380-921b-72fce1a32e72",
			"created_at": "2024-01-18T02:02:34.026014Z",
			"updated_at": "2026-04-10T02:00:04.636248Z",
			"deleted_at": null,
			"main_name": "CyberAv3ngers",
			"aliases": [],
			"source_name": "ETDA:CyberAv3ngers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ad78338e-8bb6-4745-acae-27d3cc3cf76d",
			"created_at": "2023-11-17T02:00:07.580677Z",
			"updated_at": "2026-04-10T02:00:03.452097Z",
			"deleted_at": null,
			"main_name": "Bohrium",
			"aliases": [
				"BOHRIUM",
				"IMPERIAL KITTEN",
				"Smoke Sandstorm"
			],
			"source_name": "MISPGALAXY:Bohrium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2c3c22a-b3db-4d4a-9a5a-76bfe6171843",
			"created_at": "2023-11-21T02:00:07.315543Z",
			"updated_at": "2026-04-10T02:00:03.461446Z",
			"deleted_at": null,
			"main_name": "UNC4841",
			"aliases": [
				"SLIME57"
			],
			"source_name": "MISPGALAXY:UNC4841",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "69cba9ab-de35-4103-a699-7d243bcfd196",
			"created_at": "2023-01-06T13:46:39.159472Z",
			"updated_at": "2026-04-10T02:00:03.233731Z",
			"deleted_at": null,
			"main_name": "XDSpy",
			"aliases": [],
			"source_name": "MISPGALAXY:XDSpy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fecc0d5a-3654-425d-9290-b6d0b4105463",
			"created_at": "2023-10-17T02:00:08.330061Z",
			"updated_at": "2026-04-10T02:00:03.37711Z",
			"deleted_at": null,
			"main_name": "Void Rabisu",
			"aliases": [
				"Tropical Scorpius"
			],
			"source_name": "MISPGALAXY:Void Rabisu",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "84a3dd71-1d65-4997-80fc-7fbe55b267f2",
			"created_at": "2023-04-26T02:03:02.969306Z",
			"updated_at": "2026-04-10T02:00:05.341127Z",
			"deleted_at": null,
			"main_name": "CURIUM",
			"aliases": [
				"CURIUM",
				"Crimson Sandstorm",
				"TA456",
				"Tortoise Shell",
				"Yellow Liderc"
			],
			"source_name": "MITRE:CURIUM",
			"tools": [
				"IMAPLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3ec9542a-2245-466b-86e3-cd345819b09b",
			"created_at": "2023-11-04T02:00:07.67045Z",
			"updated_at": "2026-04-10T02:00:03.388063Z",
			"deleted_at": null,
			"main_name": "Redfly",
			"aliases": [],
			"source_name": "MISPGALAXY:Redfly",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8de10e16-817c-4907-bd98-b64cf4a3e77b",
			"created_at": "2022-10-25T15:50:23.552766Z",
			"updated_at": "2026-04-10T02:00:05.362919Z",
			"deleted_at": null,
			"main_name": "Dark Caracal",
			"aliases": [
				"Dark Caracal"
			],
			"source_name": "MITRE:Dark Caracal",
			"tools": [
				"FinFisher",
				"CrossRAT",
				"Bandook"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d0e8337e-16a7-48f2-90cf-8fd09a7198d1",
			"created_at": "2023-03-04T02:01:54.091301Z",
			"updated_at": "2026-04-10T02:00:03.356317Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"UNC788",
				"CALANQUE"
			],
			"source_name": "MISPGALAXY:APT42",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e7501832-edc8-4dff-a979-17cdc3091f82",
			"created_at": "2023-12-08T02:00:05.738096Z",
			"updated_at": "2026-04-10T02:00:03.491058Z",
			"deleted_at": null,
			"main_name": "AeroBlade",
			"aliases": [],
			"source_name": "MISPGALAXY:AeroBlade",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ae26d287-8ba7-447e-9391-cf13c02d7481",
			"created_at": "2023-03-04T02:01:54.0962Z",
			"updated_at": "2026-04-10T02:00:03.357189Z",
			"deleted_at": null,
			"main_name": "TA453",
			"aliases": [],
			"source_name": "MISPGALAXY:TA453",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "555e2cac-931d-4ad4-8eaa-64df6451059d",
			"created_at": "2023-01-06T13:46:39.48103Z",
			"updated_at": "2026-04-10T02:00:03.342729Z",
			"deleted_at": null,
			"main_name": "RomCom",
			"aliases": [
				"UAT-5647",
				"Storm-0978"
			],
			"source_name": "MISPGALAXY:RomCom",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9d2b77c7-ddb6-4ab3-9ae7-d3ecd11e0527",
			"created_at": "2023-10-14T02:03:14.230825Z",
			"updated_at": "2026-04-10T02:00:04.712961Z",
			"deleted_at": null,
			"main_name": "Grayling",
			"aliases": [],
			"source_name": "ETDA:Grayling",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Havokiz",
				"Mimikatz",
				"NetSpy",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7",
			"created_at": "2023-01-06T13:46:39.054248Z",
			"updated_at": "2026-04-10T02:00:03.197801Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Yellow Liderc",
				"Imperial Kitten",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Smoke Sandstorm",
				"IMPERIAL KITTEN",
				"TA456",
				"DUSTYCAVE",
				"CURIUM"
			],
			"source_name": "MISPGALAXY:Tortoiseshell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6a0effeb-3ee2-4a67-9a9f-ef5c330b1c3a",
			"created_at": "2023-09-07T02:02:47.827633Z",
			"updated_at": "2026-04-10T02:00:04.873323Z",
			"deleted_at": null,
			"main_name": "RedHotel",
			"aliases": [
				"Operation FishMedley",
				"RedHotel",
				"TAG-22"
			],
			"source_name": "ETDA:RedHotel",
			"tools": [
				"Agentemis",
				"BIOPASS",
				"BIOPASS RAT",
				"BleDoor",
				"Brute Ratel",
				"Brute Ratel C4",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"POISONPLUG.SHADOW",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"ShadowPad Winnti",
				"SprySOCKS",
				"Spyder",
				"Winnti",
				"XShellGhost",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a7df240e-6750-4b71-99de-85831b92faa2",
			"created_at": "2022-10-25T15:50:23.859253Z",
			"updated_at": "2026-04-10T02:00:05.285965Z",
			"deleted_at": null,
			"main_name": "HEXANE",
			"aliases": [
				"Lyceum",
				"Siamesekitten",
				"Spirlin"
			],
			"source_name": "MITRE:HEXANE",
			"tools": [
				"Milan",
				"netstat",
				"BITSAdmin",
				"DnsSystem",
				"DanBot",
				"ipconfig",
				"Mimikatz",
				"Kevin",
				"PoshC2"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86c7abc2-1b71-4665-b9e3-1594d6d15a4a",
			"created_at": "2023-09-07T02:02:47.367254Z",
			"updated_at": "2026-04-10T02:00:04.698935Z",
			"deleted_at": null,
			"main_name": "Flax Typhoon",
			"aliases": [
				"Ethereal Panda",
				"RedJuliett"
			],
			"source_name": "ETDA:Flax Typhoon",
			"tools": [
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"JuicyPotato",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Metasploit",
				"Mimikatz",
				"SinoChopper",
				"SoftEther VPN"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "11d9bc85-5bb6-4aa7-a237-a103ff31b1a2",
			"created_at": "2023-10-21T02:00:12.136874Z",
			"updated_at": "2026-04-10T02:00:02.901347Z",
			"deleted_at": null,
			"main_name": "Grayling",
			"aliases": [],
			"source_name": "MISPGALAXY:Grayling",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b125b5c1-1431-4880-9ab8-582a583811ea",
			"created_at": "2024-04-24T02:00:49.643067Z",
			"updated_at": "2026-04-10T02:00:05.421434Z",
			"deleted_at": null,
			"main_name": "CyberAv3ngers",
			"aliases": [
				"CyberAv3ngers",
				"Soldiers of Soloman"
			],
			"source_name": "MITRE:CyberAv3ngers",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a6814184-2133-4520-b7b3-63e6b7be2f64",
			"created_at": "2025-08-07T02:03:25.019385Z",
			"updated_at": "2026-04-10T02:00:03.859468Z",
			"deleted_at": null,
			"main_name": "GOLD VICTOR",
			"aliases": [
				"DEV-0832 ",
				"STAC5279 ",
				"Vanilla Tempest ",
				"Vice Society",
				"Vice Spider "
			],
			"source_name": "Secureworks:GOLD VICTOR",
			"tools": [
				"Advanced IP Scanner",
				"Advanced Port Scanner",
				"HelloKitty ransomware",
				"INC ransomware",
				"MEGAsync",
				"Neshta",
				"PAExec",
				"PolyVice ransomware",
				"PortStarter",
				"PsExec",
				"QuantumLocker ransomware",
				"Rhysida ransomware",
				"Supper",
				"SystemBC",
				"Zeppelin ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04a7ebaa-ebb1-4971-b513-a0c86886d932",
			"created_at": "2023-01-06T13:46:38.784965Z",
			"updated_at": "2026-04-10T02:00:03.099088Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"ATK116",
				"Blue Odin"
			],
			"source_name": "MISPGALAXY:Inception Framework",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4f56bb34-098d-43f6-a0e8-99616116c3ea",
			"created_at": "2024-06-19T02:03:08.048835Z",
			"updated_at": "2026-04-10T02:00:03.870819Z",
			"deleted_at": null,
			"main_name": "GOLD FLAMINGO",
			"aliases": [
				"REF9019 ",
				"Tropical Scorpius ",
				"UAC-0132 ",
				"UAC0132 ",
				"UNC2596 ",
				"Void Rabisu "
			],
			"source_name": "Secureworks:GOLD FLAMINGO",
			"tools": [
				"Chanitor",
				"Cobalt Strike",
				"Cuba",
				"Meterpreter",
				"Mimikatz",
				"ROMCOM RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fb8f3a5f-01a9-498e-9396-52f844424c33",
			"created_at": "2023-01-06T13:46:39.045338Z",
			"updated_at": "2026-04-10T02:00:03.195743Z",
			"deleted_at": null,
			"main_name": "LYCEUM",
			"aliases": [
				"Spirlin",
				"MYSTICDOME",
				"siamesekitten",
				"Chrono Kitten",
				"Storm-0133",
				"COBALT LYCEUM",
				"UNC1530"
			],
			"source_name": "MISPGALAXY:LYCEUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d69b3831-de95-42c9-b4b6-26232627206f",
			"created_at": "2022-10-25T16:07:24.429466Z",
			"updated_at": "2026-04-10T02:00:04.985102Z",
			"deleted_at": null,
			"main_name": "XDSpy",
			"aliases": [],
			"source_name": "ETDA:XDSpy",
			"tools": [
				"ChromePass",
				"IE PassView",
				"MailPassView",
				"Network Password Recovery",
				"OperaPassView",
				"PasswordFox",
				"Protected Storage PassView",
				"XDDown",
				"XDList",
				"XDLoc",
				"XDMonitor",
				"XDPass",
				"XDRecon",
				"XDUpload"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d18b9735-1af7-433c-a582-a01886bc5e3f",
			"created_at": "2024-10-25T02:02:07.582653Z",
			"updated_at": "2026-04-10T02:00:04.569471Z",
			"deleted_at": null,
			"main_name": "Awaken Likho",
			"aliases": [
				"Core Werewolf"
			],
			"source_name": "ETDA:Awaken Likho",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0b212c43-009a-4205-a1f7-545c5e4cfdf8",
			"created_at": "2025-04-23T02:00:55.275208Z",
			"updated_at": "2026-04-10T02:00:05.270553Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"APT42"
			],
			"source_name": "MITRE:APT42",
			"tools": [
				"NICECURL",
				"TAMECAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b5b24083-7ba6-44cc-9d11-a6274e2eee00",
			"created_at": "2022-10-25T16:07:24.337332Z",
			"updated_at": "2026-04-10T02:00:04.94285Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Cobalt Fireside",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Curium",
				"Devious Serpens",
				"Houseblend",
				"Imperial Kitten",
				"Marcella Flores",
				"Operation Fata Morgana",
				"TA456",
				"Yellow Liderc"
			],
			"source_name": "ETDA:Tortoiseshell",
			"tools": [
				"IMAPLoader",
				"Infostealer",
				"IvizTech",
				"LEMPO",
				"MANGOPUNCH",
				"SysKit",
				"get-logon-history.ps1",
				"liderc",
				"stereoversioncontrol"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4a62c0be-1583-4d82-8f91-46e3a1c114e6",
			"created_at": "2023-01-06T13:46:38.73639Z",
			"updated_at": "2026-04-10T02:00:03.083265Z",
			"deleted_at": null,
			"main_name": "Dark Caracal",
			"aliases": [
				"G0070"
			],
			"source_name": "MISPGALAXY:Dark Caracal",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "591ffe81-e46b-4e3d-90c1-9bf42abeeb47",
			"created_at": "2025-08-07T02:03:24.726943Z",
			"updated_at": "2026-04-10T02:00:03.805423Z",
			"deleted_at": null,
			"main_name": "COBALT FIRESIDE",
			"aliases": [
				"CURIUM ",
				"Crimson Sandstorm ",
				"Cuboid Sandstorm ",
				"DEV-0228 ",
				"HIVE0095 ",
				"Imperial Kitten ",
				"TA456 ",
				"Tortoiseshell ",
				"UNC3890 ",
				"Yellow Liderc "
			],
			"source_name": "Secureworks:COBALT FIRESIDE",
			"tools": [
				"FireBAK",
				"LEMPO",
				"LiderBird"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8e385d36-06a2-4294-b3d3-01fe8e9d95f4",
			"created_at": "2022-10-25T16:07:24.219051Z",
			"updated_at": "2026-04-10T02:00:04.902017Z",
			"deleted_at": null,
			"main_name": "Space Pirates",
			"aliases": [
				"Erudite Mogwai",
				"Webworm"
			],
			"source_name": "ETDA:Space Pirates",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"BH_A006",
				"Chymine",
				"Darkmoon",
				"Deed RAT",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"MyKLoadClient",
				"Mydoor",
				"PCRat",
				"PCShare",
				"POISONPLUG.SHADOW",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SnappyBee",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b938e2e3-3d1b-4b35-a031-ddf25b912557",
			"created_at": "2022-10-25T16:07:23.35582Z",
			"updated_at": "2026-04-10T02:00:04.55531Z",
			"deleted_at": null,
			"main_name": "APT 33",
			"aliases": [
				"APT 33",
				"ATK 35",
				"Cobalt Trinity",
				"Curious Serpens",
				"Elfin",
				"G0064",
				"Holmium",
				"Magnallium",
				"Peach Sandstorm",
				"Refined Kitten",
				"TA451",
				"Yellow Orc"
			],
			"source_name": "ETDA:APT 33",
			"tools": [
				"Atros2.CKPN",
				"AutoIt backdoor",
				"Breut",
				"CinaRAT",
				"DROPSHOT",
				"DarkComet",
				"DarkKomet",
				"DistTrack",
				"EmPyre",
				"EmpireProject",
				"FYNLOS",
				"FalseFont",
				"Filerase",
				"Fynloski",
				"JuicyPotato",
				"Krademok",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Mimikatz",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Notestuk",
				"POWERTON",
				"PoshC2",
				"PowerBand",
				"PowerShell Empire",
				"PowerSploit",
				"PsList",
				"Pupy",
				"PupyRAT",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"SHAPESHIFT",
				"Shamoon",
				"Socmer",
				"StoneDrill",
				"TURNEDUP",
				"Tickler",
				"Yggdrasil",
				"Zurten",
				"klovbot",
				"pupy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "af704c54-a580-4c29-95f2-82db06fbb6f9",
			"created_at": "2022-10-25T16:07:23.525064Z",
			"updated_at": "2026-04-10T02:00:04.64019Z",
			"deleted_at": null,
			"main_name": "Dark Caracal",
			"aliases": [
				"ATK 27",
				"G0070",
				"Operation Dark Caracal",
				"TAG-CT3"
			],
			"source_name": "ETDA:Dark Caracal",
			"tools": [
				"Bandok",
				"Bandook",
				"CrossRAT",
				"FinFisher",
				"FinFisher RAT",
				"FinSpy",
				"Pallas",
				"Trupto"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2d3f35f-3b29-4509-bff5-af2638140d39",
			"created_at": "2022-10-25T16:07:23.633982Z",
			"updated_at": "2026-04-10T02:00:04.695802Z",
			"deleted_at": null,
			"main_name": "FIN12",
			"aliases": [],
			"source_name": "ETDA:FIN12",
			"tools": [
				"Agentemis",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"KEGTAP",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "84aa9dbe-e992-4dce-9d80-af3b2de058c0",
			"created_at": "2024-02-02T02:00:04.041676Z",
			"updated_at": "2026-04-10T02:00:03.537352Z",
			"deleted_at": null,
			"main_name": "Vanilla Tempest",
			"aliases": [
				"DEV-0832",
				"Vice Society"
			],
			"source_name": "MISPGALAXY:Vanilla Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea4726a4-3b7c-45db-a579-2abd4986941c",
			"created_at": "2025-11-01T02:04:53.002048Z",
			"updated_at": "2026-04-10T02:00:03.764362Z",
			"deleted_at": null,
			"main_name": "BRONZE FLAXEN",
			"aliases": [
				"Ethereal Panda ",
				"Flax Typhoon "
			],
			"source_name": "Secureworks:BRONZE FLAXEN",
			"tools": [
				"Bad Potato",
				"Juicy Potato",
				"Metasploit",
				"Mimikatz",
				"SoftEther VPN"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2603d977-6e3a-4269-ba49-b5a85c943641",
			"created_at": "2024-06-26T02:00:04.847439Z",
			"updated_at": "2026-04-10T02:00:03.666442Z",
			"deleted_at": null,
			"main_name": "HellHounds",
			"aliases": [],
			"source_name": "MISPGALAXY:HellHounds",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c93a7f58-3f75-487c-9bd6-e705b73fc07f",
			"created_at": "2023-01-06T13:46:38.330916Z",
			"updated_at": "2026-04-10T02:00:02.931171Z",
			"deleted_at": null,
			"main_name": "RADIO PANDA",
			"aliases": [
				"Shrouded Crossbow"
			],
			"source_name": "MISPGALAXY:RADIO PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "90074ca4-8a4a-42dc-a395-25db4f44c1a4",
			"created_at": "2024-10-08T02:00:04.462582Z",
			"updated_at": "2026-04-10T02:00:03.722048Z",
			"deleted_at": null,
			"main_name": "Awaken Likho",
			"aliases": [
				"Core Werewolf"
			],
			"source_name": "MISPGALAXY:Awaken Likho",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "02c9f3f6-5d10-456b-9e63-750286048149",
			"created_at": "2022-10-25T16:07:23.722884Z",
			"updated_at": "2026-04-10T02:00:04.72726Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"ATK 116",
				"Blue Odin",
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"Inception Framework",
				"Operation Cloud Atlas",
				"Operation RedOctober",
				"The Rocra"
			],
			"source_name": "ETDA:Inception Framework",
			"tools": [
				"Lastacloud",
				"PowerShower",
				"VBShower"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "236429ce-6355-43f6-9b58-e6803a1df3f4",
			"created_at": "2026-03-16T02:02:50.60344Z",
			"updated_at": "2026-04-10T02:00:03.641587Z",
			"deleted_at": null,
			"main_name": "Bronze Union",
			"aliases": [
				"Circle Typhoon ",
				"Emissary Panda "
			],
			"source_name": "Secureworks:Bronze Union",
			"tools": [
				"China Chopper",
				"OwaAuth",
				"Sysupdate"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "dc7ee503-9494-4fb6-a678-440c68fd31d8",
			"created_at": "2022-10-25T16:07:23.349177Z",
			"updated_at": "2026-04-10T02:00:04.552639Z",
			"deleted_at": null,
			"main_name": "APT 31",
			"aliases": [
				"APT 31",
				"Bronze Vinewood",
				"G0128",
				"Judgment Panda",
				"Red Keres",
				"RedBravo",
				"TA412",
				"Violet Typhoon",
				"Zirconium"
			],
			"source_name": "ETDA:APT 31",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"GrewApacha",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Roarur",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434544,
	"ts_updated_at": 1775826789,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/89fc1ae78641c0c987f13ca2038eaf0f95d0d8dd.pdf",
		"text": "https://archive.orkl.eu/89fc1ae78641c0c987f13ca2038eaf0f95d0d8dd.txt",
		"img": "https://archive.orkl.eu/89fc1ae78641c0c987f13ca2038eaf0f95d0d8dd.jpg"
	}
}