{ "id": "e4bae608-05a4-4c0d-af0d-7d057f3f01c8", "created_at": "2026-04-06T00:18:23.737845Z", "updated_at": "2026-04-10T03:38:20.209622Z", "deleted_at": null, "sha1_hash": "8b87c6fb381829f163e6296cb3c7d3550acb4105", "title": "APT attacks on industrial organizations in H2 2022 | Kaspersky ICS CERT EN", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 93754, "plain_text": "APT attacks on industrial organizations in H2 2022 | Kaspersky\r\nICS CERT EN\r\nBy Kaspersky ICS CERT Team\r\nPublished: 2023-03-24 · Archived: 2026-04-05 17:44:02 UTC\r\nSoutheast Asia and Korean Peninsula\r\nDEV-0530 attacks\r\nTropic Trooper attacks\r\nGwisinLocker ransomware attacks\r\nLazarus attacks\r\nUNC4034/ZINC attacks\r\nMiddle East\r\nUNC3890 attacks\r\nPOLONIUM attacks\r\nChinese-speaking activity\r\nTA428 attacks\r\nAPT31 attacks\r\nTA423/Red Ladon attacks\r\nEspionage activity against Asian governments\r\nBudworm attacks\r\nEarth Longzhi attacks\r\nRussian-speaking activity\r\nIRIDIUM/Sandworm attacks\r\nCloud Atlas/Inception attacks\r\nOther\r\nWoody Rat attacks\r\nWorok attacks\r\nCISA alerts\r\nIran-backed APT actors\r\nMilitary contractor hack\r\nThis summary provides an overview of APT attacks on industrial enterprises disclosed in H2 2022 and related\r\nactivity of groups that have been observed attacking industrial organizations and critical infrastructure facilities.\r\nFor each story, we sought to summarize the most significant facts, findings, and conclusions of researchers, which\r\nwe believe can be of use to experts who address practical issues related to ensuring the cybersecurity of industrial\r\nenterprises.\r\nSoutheast Asia and Korean Peninsula\r\nhttps://ics-cert.kaspersky.com/publications/reports/2023/03/24/apt-attacks-on-industrial-organizations-in-h2-2022/\r\nPage 1 of 9\n\nDEV-0530 attacks\r\nResearchers have attributed an emerging ransomware threat to a North Korean based threat actor they call DEV-0530 (the group calls itself “H0lyGh0st”). DEV-0530 has targeted small-to-medium businesses in multiple\r\ncountries since September 2021, including manufacturing organizations, banks, schools, and event and meeting\r\nplanning companies. The attackers employ “double extortion”, encrypting data and also threatening to publish\r\ndata if the target refuses to pay. Researchers have found connections of DEV-0530 with the PLUTONIUM APT\r\ngroup (aka DarkSeoul and Andariel).\r\nBetween June 2021 and May 2022, the Microsoft Threat Intelligence Center (MSTIC) classified H0lyGh0st\r\nransomware under two new malware families: SiennaPurple and SiennaBlue. Researchers suspect that DEV-0530\r\nmay have exploited vulnerabilities such as CVE-2022-26352 (a DotCMS remote code execution vulnerability) on\r\npublic-facing web applications and content management systems to gain initial access into target networks.\r\nTropic Trooper attacks\r\nFor over a decade, the Tropic Trooper APT actor has been actively targeting victims in East and Southeast Asia.\r\nKaspersky has been tracking this threat actor for several years and has published a report describing its malicious\r\noperations. The report is available to subscribers of the Threat Intelligence Reporting service.\r\nIn February 2022, Symantec published a report describing a campaign called “Antlion”, which has been observed\r\ntargeting financial institutions and a manufacturing company in Taiwan. In the manufacturing target, where the\r\nattackers maintained their presence for about 175 days, researchers saw the attackers attempting to download\r\nmalicious files via SMB shares. While analyzing the IoCs of this campaign, Kaspersky found strong connections\r\nwith the Tropic Trooper threat actor, which led to the conclusion that the group was behind the Antlion campaign.\r\nIn the Kaspersky investigation, different attacks conducted by this threat actor using the malware families\r\ndescribed by Symantec were discovered and studied, together with new versions of the malware that were\r\ndiscussed in an earlier Kaspersky report on the Tropic Trooper APT actor. The infection chain for these attack\r\ncases, the attack infrastructure, lateral movement and post-exploitation activities carried out by this actor were\r\nanalyzed. Additional target verticals besides the finance sector were identified, including the tech hardware \u0026\r\nsemiconductors industry, as well as a political entity.\r\nFurthermore, Kaspersky discovered a previously unknown, multi-module backdoor deployed to a victim machine\r\nin August 2021, which uses the MQTT protocol for network communication with its C\u0026C server. Tracing the\r\nhistory of the backdoor, it appears that the module has been used by this threat actor since at least 2019 and only\r\nwith a selected set of targets.\r\nGwisinLocker ransomware attacks\r\nReversingLabs researchers discovered a new ransomware family targeting Linux-based systems with features\r\nspecially designed to operate and interact with VMWare ESXI virtual machines. The malware, which was dubbed\r\nGwisinLocker, was detected in successful campaigns targeting South Korean industrial and pharmaceutical firms.\r\nhttps://ics-cert.kaspersky.com/publications/reports/2023/03/24/apt-attacks-on-industrial-organizations-in-h2-2022/\r\nPage 2 of 9\n\nAnalysis and public reporting of the larger GwisinLocker campaign suggests that the ransomware is in the hands\r\nof sophisticated threat actors who gain access to target environments prior to the deployment of the ransomware\r\nand steal sensitive data for use in so-called “double extortion” campaigns. Details in samples of the group’s\r\nransom notes suggest a familiarity with the Korean language as well as South Korean government and law\r\nenforcement. This has led to speculation that the attackers belong to a North Korean-linked advanced persistent\r\nthreat (APT) group.\r\nLazarus attacks\r\nThe threat actor Lazarus has used a signed malicious macOS executable to target engineers. It drops a fake job\r\ndocument named Coinbase_online_careers_2022_07.pdf. The executable, which targets systems based on both\r\nApple and Intel chips, was disguised as a job description from Coinbase seeking an engineering manager for\r\nproduct security. The second executable used by the threat actor is a downloader that fetches the next-stage\r\npayload from a remote location. Researchers have linked the malware to “Operation In(ter)ception”, a Lazarus\r\ncampaign targeting high-profile aerospace and defense industries.\r\nDTrack is a backdoor used by subsets of the Lazarus group. The backdoor has been used in a variety of attacks,\r\nincluding ransomware attacks and espionage campaigns. Kaspersky experts identified and investigated new\r\nDTrack samples. These new samples are packed in a different way and with relatively minor changes in the code.\r\nThis latest set of samples was analyzed in detail in a public report that describes these changes and packing\r\nmechanisms. According to KSN telemetry, DTrack activity has been detected in Brazil, Germany, India, Italy,\r\nMexico, Saudi Arabia, Switzerland, Turkey, and the United States, indicating that DTrack is being distributed into\r\nmore parts of the world. Targeted sectors were education, chemical manufacturing, governmental research centers\r\nand government ministries, an IT services provider, utility providers, and telecommunications.\r\nResearchers from Cisco Talos reported on Lazarus attacks that targeted energy providers in the US, Canada and\r\nJapan between February and July, with the aim of stealing data and trade secrets. The attacks start by exploiting\r\nLog4j vulnerabilities in VMware Horizon, followed by the deployment of three custom malware implants. The\r\nfirst, “VSingle”, executes arbitrary code from a remote network and can download and execute plugins. The\r\nsecond, “YamaBot”, is a custom-made Golang implant that communicates with the C\u0026C servers. The third,\r\nMagicRAT, is a Remote Access Trojan that launches additional payloads such as custom-built port scanners.\r\nESET researchers uncovered and analyzed a set of malicious tools that were used by the Lazarus APT group in\r\nattacks during the autumn of 2021. The campaign started with spearphishing emails containing malicious\r\nAmazon-themed documents and targeted an employee of an aerospace company in the Netherlands and a political\r\njournalist in Belgium. The primary goal of the attackers was data exfiltration. The most notable tool used in this\r\ncampaign represents the first recorded abuse of the CVE‑2021‑21551 vulnerability, which affects Dell DBUtil\r\ndrivers. This BYOVD (Bring Your Own Vulnerable Driver) technique was used to disable 7 Windows OS\r\nmonitoring mechanisms and to blind the security solutions on compromised machines. In this campaign, Lazarus\r\nalso used their fully featured HTTP(S) backdoor known as BLINDINGCAN.\r\nKaspersky researchers uncovered an ongoing Lazarus campaign targeting defense contractors in South Africa and\r\nBrazil and dating back to March. The actor contacted potential victims via social networks or email and sent the\r\ninitial malware through Skype. The malware is a Trojanized PDF application that initiates a multi-stage infection\r\nhttps://ics-cert.kaspersky.com/publications/reports/2023/03/24/apt-attacks-on-industrial-organizations-in-h2-2022/\r\nPage 3 of 9\n\nchain, loading additional payloads that contain C\u0026C communication capability via the DLL side-loading\r\ntechnique. The attackers also deployed additional malware to the initial host to pivot and perform lateral\r\nmovement. In this process, the operator took advantage of a relatively new DLL side-loading technique named\r\n“ServiceMove”. The technique was introduced by a red team researcher and abused the “Windows Perception\r\nSimulation Service” to load arbitrary DLL files for malicious purposes. The Lazarus group is equipped with a\r\nvariety of tools, which it employs with various infection chains. While examining all the samples in this case,\r\ndifferent clusters were observed: ThreatNeedle, Bookcode, and DeathNote.\r\nUNC4034/ZINC attacks\r\nMandiant researchers have uncovered Trojanized versions of the PuTTY SSH client being used by a threat actor\r\nknown as UNC4034 to deploy a backdoor, “AIRDRY.V2”, on target devices. This activity seems to be a\r\ncontinuation of the “Operation Dream Job” campaign, which has been ongoing since June 2020 and is suspected\r\nto have a North Korean nexus. The attackers approach potential targets via email with a lucrative job offer,\r\npurportedly from Amazon, and then move the communication to WhatsApp, where they share an ISO file. The file\r\ncontains a readme file with an IP address and login credentials, and a Trojanized version of PuTTY, a popular\r\nopen-source SSH console application.\r\nMicrosoft has been tracking the actor behind these attacks under the name ZINC. The group uses weaponized\r\nopen-source software in its attacks. Microsoft experts have observed activity targeting employees in organizations\r\nacross multiple industries, including media, defense and aerospace, and IT services in the USA, UK, India, and\r\nRussia. They have observed ZINC weaponizing a wide range of open-source software for these attacks, including\r\nPuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installer.\r\nMiddle East\r\nUNC3890 attacks\r\nA suspected Iranian threat activity cluster has been linked to attacks aimed at Israeli shipping, government, energy,\r\nand healthcare organizations, in a campaign stretching back to late 2020. Researchers believe that the data\r\nharvested during the campaign could be used to support various activities. UNC3890, the threat actor behind the\r\nattacks, deployed two proprietary pieces of malware – a backdoor named “SUGARUSH” and a browser credential\r\nstealer called “SUGARDUMP”, which exfiltrates password information to email addresses registered with Gmail,\r\nProtonMail, Yahoo and Yandex email services. The threat actor also employs a network of C\u0026C servers that host\r\nfake login pages impersonating legitimate platforms such as Office 365, LinkedIn and Facebook. These servers\r\nare designed to communicate with the targets and also with a watering hole hosted on the login page of a\r\nlegitimate Israeli shipping company.\r\nPOLONIUM attacks\r\nResearchers have discovered previously undocumented custom backdoors and cyberespionage tools deployed by\r\nthe POLONIUM APT threat actor against targets in Israel. The targets include organizations in the engineering, IT,\r\nlaw, communications, branding and marketing, media, insurance, and social services sectors. The threat actor\r\ntargeted more than a dozen organizations between September 2021 and September 2022.\r\nhttps://ics-cert.kaspersky.com/publications/reports/2023/03/24/apt-attacks-on-industrial-organizations-in-h2-2022/\r\nPage 4 of 9\n\nPOLONIUM’s toolset consists of seven custom backdoors: CreepyDrive, which abuses OneDrive and Dropbox\r\ncloud services for C\u0026C; CreepySnail, which executes commands received from the attackers’ own infrastructure;\r\nDeepCreep and MegaCreep, which make use of Dropbox and Mega file storage services, respectively; and\r\nFlipCreep, TechnoCreep, and PapaCreep, which receive commands from attackers’ servers. The group has also\r\ndeveloped several custom modules to spy on its targets by taking screenshots, logging keystrokes, spying via the\r\nwebcam, opening reverse shells, exfiltrating files, and more. According to the researchers, “most of the group’s\r\nmalicious modules are small, with limited functionality” such as “one module for taking screenshots and another\r\nfor uploading them to the C\u0026C server”. The attackers like to divide the code, distributing malicious functionality\r\ninto various small DLLs, perhaps expecting this to prevent defenders or researchers from observing the complete\r\nattack chain.\r\nChinese-speaking activity\r\nTA428 attacks\r\nKaspersky ICS CERT experts have detected a wave of targeted attacks on military industrial complex enterprises\r\nand public institutions in several countries. The attack targeted over a dozen organizations, including industrial\r\nplants, design bureaus and research institutes, government agencies, ministries and departments in several East\r\nEuropean countries (Belarus, Russia, and Ukraine), as well as Afghanistan. Some of the malware used in these\r\nattacks had previously been observed in attacks conducted by the IronHusky APT group. The research has also\r\nidentified malware and command-and-control (C\u0026C) servers previously used in attacks attributed by other\r\nresearchers to the TA428 APT group.\r\nThe attackers penetrate the enterprise network using carefully crafted phishing emails containing information\r\nsome of which is not publicly available. In the new series of attacks, the attackers used six different backdoors\r\n(PortDoor, nccTrojan, Cotx, DNSep, Logtu, and CotSam) at the same time – probably to set up redundant\r\ncommunication channels with infected systems in case one of the malicious programs was removed by an\r\nantivirus solution. The backdoors used provide extensive functionality for controlling infected systems and\r\ncollecting confidential data. The attack’s final stage involves hijacking the domain controller and gaining\r\ncomplete control of all of the organization’s workstations and servers.\r\nAfter gaining domain administrator privileges, the attackers search for and exfiltrate documents and other files\r\ncontaining the attacked organization’s sensitive data to their servers, which are hosted in different countries and\r\nwhich are also used as C\u0026C servers. The attackers compress stolen files into encrypted and password-protected\r\nZIP archives, possibly to bypass DLP systems. After receiving the data collected, the C\u0026C servers forward the\r\narchives received to a stage two server located in China.\r\nAPT31 attacks\r\nIn April 2022, the Positive Technologies Expert Security Center detected an attack on a number of Russian energy\r\nand media companies using a malicious document. The investigation subsequently revealed a number of other\r\ndocuments used in attacks on the same companies. The campaigns contained identical snippets of code for\r\nharvesting information about network adapters and collecting data about the infected system; the document stubs\r\nhttps://ics-cert.kaspersky.com/publications/reports/2023/03/24/apt-attacks-on-industrial-organizations-in-h2-2022/\r\nPage 5 of 9\n\nhad clear similarities, and in all cases cloud servers were used to control the malware. An investigation of the tools\r\nshowed that the attackers used Yandex.Disk as the C\u0026C server.\r\nThe malware samples analyzed date from November 2021 to June 2022. In all cases legitimate files were used,\r\nwhose main task was to pass control to a malicious library using, for instance, DLL side-loading, as well as to\r\ngenerate an initialization package to be sent to C\u0026C. A significant part of the legitimate executable files identified\r\nturned out to be Yandex.Browser components and were signed with a valid digital signature. An analysis of the\r\nmalware samples showed that the APT31 group was behind the attacks.\r\nTA423/Red Ladon attacks\r\nProofpoint and PwC Threat Intelligence teams published a joint research paper about a cyberespionage campaign\r\nthat focused on government, energy and manufacturing organizations in the Asia-Pacific region. It deployed\r\nphishing emails directing targets to a fake news outlet. The attackers — referred to as TA423, Red Landon, or\r\nAPT40 — designed the site to deliver malware known as ScanBox.\r\nScanBox delivers JavaScript code either in a single block or, as in the April 2022 campaign, as a plugin-based\r\nmodular architecture. The primary payload sets its configuration, including the information to be gathered, and the\r\nC\u0026C server to be contacted. It harvests detailed data on the browser being used.\r\nSubsequent ScanBox plugins delivered to the victim include a keylogger, browser plugin identification, browser\r\nfingerprinting, a peer connection plugin, which can be used to establish connections with the infected node\r\nthrough NATs and to bypass firewalls and other security solutions installed on the same network device as the\r\nNAT (see our blog for details on the attack vector), as well as a security check for Kaspersky Internet Security\r\n(KIS).\r\nEspionage activity against Asian governments\r\nAccording to Symantec, government and state-owned organizations in a number of Asian countries have been\r\ntargeted by a group of cyber-espionage hackers formerly associated with the ShadowPad RAT. The attackers use a\r\nwide range of legitimate software packages to load their malware payloads using DLL side-loading.\r\nThe campaign targets government institutions, state-owned media, IT, telecoms firms and government-owned\r\naerospace and defense companies. The payloads used include information stealers, keyloggers, PowerSploit\r\nscripts, PlugX/Korplug, Trochilus RAT, QuasarRAT, publicly available tools, etc. The researchers couldn’t make a\r\nsolid attribution but found limited evidence to suggest links to past attacks by a number of known groups,\r\nincluding Blackfly/Grayfly (APT41) and Mustang Panda.\r\nBudworm attacks\r\nResearchers at Symantec have published a report detailing a cyber espionage campaign that has targeted the\r\ngovernment of a Middle Eastern country, a multinational electronics manufacturer, and a US State Legislature.\r\nThe hacking group, which is called Budworm, is believed to have ties to China’s government.\r\nAccording to the report, Budworm leveraged the Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45105)\r\nin recent attacks to compromise the Apache Tomcat service on servers in order to install web shells. The attackers\r\nhttps://ics-cert.kaspersky.com/publications/reports/2023/03/24/apt-attacks-on-industrial-organizations-in-h2-2022/\r\nPage 6 of 9\n\nused Virtual Private Servers (VPS) hosted on Vultr and Telstra as command-and-control (C\u0026C) servers. While the\r\nthreat actor’s main tool is HyperBro, it has also used other tools, including CyberArk Viewfinity, Cobalt Strike,\r\nLaZagne, IOX, Fast Reverse Proxy and Fscan.\r\nEarth Longzhi attacks\r\nAccording to Trend Micro research, a previously undocumented sub-group of APT41 (aka Winnti) has been\r\ntargeting organizations in East and Southeast Asia and Ukraine since at least 2020.\r\nIn its first wave of attacks, the threat actor, which has been dubbed Earth Longzhi, targeted government\r\norganizations, infrastructure companies, and healthcare companies in Taiwan, as well as Chinese banks. In the\r\nsecond wave, the group infiltrated high-profile victims in Ukraine and several countries in Asia, including\r\ndefense, aviation, insurance, and urban development companies.\r\nBoth campaigns used spear-phishing emails as the primary entry vector to deliver Earth Longhzhi’s malware,\r\nwhich was either embedded in a password-protected archive or downloaded via a Google Drive link hosting a\r\npassword-protected archive. In both cases, the archive contained a customized Cobalt Strike loader.\r\nFor the post-exploitation operations of one of the campaigns Earth Longzhi prepared an all-in-one tool to combine\r\nall the necessary tools in one package, including a proxy, a port scanner, password scans and others. Most of the\r\ntools included in this one package are either publicly available or were used in previous attack deployments.\r\nMultiple hacking tools used for privilege escalation (PrintNightmare and PrintSpoofer), credential dumping\r\n(custom standalone Mimikatz), and defense evasion (disablement of security products) were collected during the\r\ninvestigation of the second campaign. The threat actors were able to reimplement or develop their own tools based\r\non some open-source projects.\r\nRussian-speaking activity\r\nIRIDIUM/Sandworm attacks\r\nIn October, researchers at Microsoft reported on new ransomware named “Prestige”, which was used to target\r\ntransport and logistics industries in Ukraine and Poland. Initially, the malware was given a temporary name, DEV-0960. There is an overlap in victims between Prestige and HermeticWiper malware, although it is unclear whether\r\nthe two are controlled by the same attacker – DEV-0960. Prior to deploying ransomware, the DEV-0960 activity\r\nincluded the use of RemoteExec and an open-source utility called Impacket WMIexec. To gain access to highly\r\nprivileged credentials, in some of the environments, DEV-0960 used the winPEAS open-source utility for\r\nprivilege escalation, a tool for dumping the memory of the LSASS process and stealing credentials, and a tool for\r\nbacking up the Active Directory database. In November, MSTIC (Microsoft Threat Intelligence Center)\r\nresearchers updated their original blogpost and attributed the attack to the threat actor IRIDIUM (aka Sandworm,\r\nHades).\r\nCloud Atlas/Inception attacks\r\nResearchers at CheckPoint have observed Cloud Atlas (aka Inception) campaigns focused on very specific targets\r\nin Belarus, mainly in the country’s transportation and military radio-electronics sectors, and in Russia, including\r\nhttps://ics-cert.kaspersky.com/publications/reports/2023/03/24/apt-attacks-on-industrial-organizations-in-h2-2022/\r\nPage 7 of 9\n\nthe government sector, energy and metal industries, since June 2022. The actor has also maintained its focus on\r\nthe Crimean Peninsula, as well as Lugansk and Donetsk regions. Cloud Atlas has used spear-phishing emails\r\ncontaining malicious attachments as their initial attack vector for many years, using current geo-political issues\r\ndirectly related to the target country as a lure. They mostly use public email services such as Yandex, Mail.ru and\r\nOutlook.com, but in some cases, they have also attempted to spoof existing domains of other entities that are\r\nlikely to be trusted by the target. The next stage of a Cloud Atlas attack is usually a PowerShell-based backdoor\r\ncalled PowerShower.\r\nResearchers at Positive Technologies have also reported on the actor and specified some additional countries in\r\nwhich the group targets the government sector. The report provides information on the actor’s attack chain and\r\ntoolset.\r\nOther\r\nWoody Rat attacks\r\nThe Malwarebytes Threat Intelligence team has identified a previously unknown Remote Access Trojan they\r\ndubbed Woody Rat, which has been in the wild for at least one year. This advanced custom RAT is mainly used by\r\na threat actor that targets Russian entities by using lures in an archive file format (filenames\r\n“anketa_brozhik.doc.zip” and “zayavka.zip”) and, more recently, Office documents (“Памятка.docx”) leveraging\r\nthe Follina vulnerability (CVE-2022-30190). Researchers believe that a Russian aerospace and defense entity\r\nknown as OAK was targeted by Woody RAT, based on a fake domain registered by the threat actor. According to\r\ncurrent research, there weren’t any solid indicators to attribute this campaign to a specific known threat actor.\r\nWorok attacks\r\nESET researchers have discovered targeted attacks against high-profile companies and local government bodies,\r\nmostly in Asia but also in the Middle East and Africa. The attacks were conducted by a previously unknown\r\ncyberespionage group, active since at least 2020, that they named “Worok”. Targets included companies from the\r\ntelecoms, banking, maritime, energy, government and public sectors. In some cases, Worok exploited the infamous\r\nProxyShell vulnerabilities to gain initial access. Once access had been acquired, the operators deployed multiple\r\npublicly available tools for reconnaissance, including Mimikatz, EarthWorm, ReGeorg, and NBTscan, and then\r\ndeployed their custom implants: a first-stage loader, followed by a second stage .NET loader (PNGLoad). The\r\nfinal payloads couldn’t be retrieved.\r\nAvast researchers were able to provide additional details on the actor’s compromise chain and confirmed the use\r\nof steganography to hide malware in PNG images. While the initial infection method remains unknown, they\r\nbelieve that the threat actor probably uses DLL side-loading to execute the CLRLoader malware loader in\r\nmemory. This loads a second-stage DLL, PNGLoader, which extracts bytes embedded in PNG files and uses them\r\nto assemble two malicious payloads. The first payload implementation is a PowerShell script. Researchers don’t\r\nhave a sample of this payload yet, but expect it to have similar functionality to the second payload\r\nimplementation. The second payload is a .NET C# backdoor called DropBoxControl, which communicates with\r\nthe attackers via the DropBox service. The victims of this campaign observed by Avast researchers were similar to\r\nhttps://ics-cert.kaspersky.com/publications/reports/2023/03/24/apt-attacks-on-industrial-organizations-in-h2-2022/\r\nPage 8 of 9\n\nthose described by ESET and included companies and government institutions in Asia (Vietnam and Cambodia)\r\nand North America, specifically in Mexico.\r\nCISA alerts\r\nIran-backed APT actors\r\nCISA (Cybersecurity and Infrastructure Security Agency), the FBI, the NSA (National Security Agency), U.S.\r\nCyber Command (USCC) – Cyber National Mission Force (CNMF), the Department of the Treasury (Treasury)\r\nhave released a joint advisory, which warns of APT actors affiliated with the Islamic Revolutionary Guard Corps\r\n(IRGC) of Iran targeting a broad range of entities, including entities across multiple U.S. critical infrastructure\r\nsectors. The advisory was also written in collaboration with Australian, Canadian, and British cybersecurity\r\nagencies. This new advisory updates a November 2021 advisory, which warned of these same APT actors\r\nexploiting Microsoft, Fortinet, and ProxyShell vulnerabilities. In addition to these prior vulnerabilities, it became\r\nknown that the VMware Horizon Log4j vulnerability has now been added to the list of attack methods in the\r\nthreat actors’ tool box and is used to gain initial access to target environments. The APT groups have used the\r\ninitial access to carry out malicious activity, such as disk encryption and data extortion that supports ransom\r\noperations. The agencies that collaborated on the joint advisory urge organizations, especially critical\r\ninfrastructure organizations, to use the mitigation list provided in the advisory to minimize any risk of\r\ncompromise by this APT group.\r\nMilitary contractor hack\r\nAccording to a joint alert from the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal\r\nBureau of Investigation (FBI), and the National Security Agency (NSA), between November 2021 and March\r\n2022 attackers hid inside a US Defense Industrial Base organization’s enterprise network and stole sensitive data.\r\nThe CISA alert provides technical details of incident response activities. It was determined that likely multiple\r\nAPT groups compromised the organization’s network, and some APT actors had long-term access to the\r\nenvironment. The attackers compromised the organization’s Exchange Server and used a compromised\r\nadministrator account to query Exchange via its EWS API. They also used the Impacket open source network\r\ntoolkit to control computers remotely and perform lateral movement.\r\nSource: https://ics-cert.kaspersky.com/publications/reports/2023/03/24/apt-attacks-on-industrial-organizations-in-h2-2022/\r\nhttps://ics-cert.kaspersky.com/publications/reports/2023/03/24/apt-attacks-on-industrial-organizations-in-h2-2022/\r\nPage 9 of 9", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia" ], "references": [ "https://ics-cert.kaspersky.com/publications/reports/2023/03/24/apt-attacks-on-industrial-organizations-in-h2-2022/" ], "report_names": [ "apt-attacks-on-industrial-organizations-in-h2-2022" ], "threat_actors": [ { "id": "838f6ced-12a4-4893-991a-36d231d96efd", "created_at": "2022-10-25T15:50:23.347455Z", "updated_at": "2026-04-10T02:00:05.295717Z", "deleted_at": null, "main_name": "Andariel", "aliases": [ "Andariel", "Silent Chollima", "PLUTONIUM", "Onyx Sleet" ], "source_name": "MITRE:Andariel", "tools": [ "Rifdoor", "gh0st RAT" ], "source_id": "MITRE", "reports": null }, { "id": "8670f370-1865-4264-9a1b-0dfe7617c329", "created_at": "2022-10-25T16:07:23.69953Z", "updated_at": "2026-04-10T02:00:04.716126Z", "deleted_at": null, "main_name": "Hades", "aliases": [ "Operation TrickyMouse" ], "source_name": "ETDA:Hades", "tools": [ "Brave Prince", "Gold Dragon", "GoldDragon", "Lovexxx", "Olympic Destroyer", "Running RAT", "RunningRAT", "SOURGRAPE", "running_rat" ], "source_id": "ETDA", "reports": null }, { "id": "0661a292-80f3-420b-9951-a50e03c831c0", "created_at": "2023-01-06T13:46:38.928796Z", "updated_at": "2026-04-10T02:00:03.148052Z", "deleted_at": null, "main_name": "IRIDIUM", "aliases": [], "source_name": "MISPGALAXY:IRIDIUM", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "d866a181-c427-43df-9948-a8010a8fdad6", "created_at": "2022-10-27T08:27:13.080609Z", "updated_at": "2026-04-10T02:00:05.303153Z", "deleted_at": null, "main_name": "POLONIUM", "aliases": [ "POLONIUM", "Plaid Rain" ], "source_name": "MITRE:POLONIUM", "tools": [ "CreepyDrive", "CreepySnail" ], "source_id": "MITRE", "reports": null }, { "id": "6cfeba14-c84e-4606-88b9-c7a7689c450f", "created_at": "2022-10-25T16:07:24.06766Z", "updated_at": "2026-04-10T02:00:04.857565Z", "deleted_at": null, "main_name": "Polonium", "aliases": [ "G1005", "Incendiary Jackal", "Plaid Rain" ], "source_name": "ETDA:Polonium", "tools": [ "CreepyDrive", "CreepySnail", "DeepCreep", "FlipCreep", "MegaCreep", "PapaCreep", "TechnoCreep" ], "source_id": "ETDA", "reports": null }, { "id": "a7e5d6c0-5f7e-4d1c-87fa-bbf65b4e65b9", "created_at": "2022-10-25T16:07:24.42571Z", "updated_at": "2026-04-10T02:00:04.984213Z", "deleted_at": null, "main_name": "Worok", "aliases": [], "source_name": "ETDA:Worok", "tools": [ "CLRLoad", "Mimikatz", "NBTscan", "PNGLoad", "PowHeartBeat", "SAMRID", "nbtscan", "reGeorg" ], "source_id": "ETDA", "reports": null }, { "id": "77b28afd-8187-4917-a453-1d5a279cb5e4", "created_at": "2022-10-25T15:50:23.768278Z", "updated_at": "2026-04-10T02:00:05.266635Z", "deleted_at": null, "main_name": "Inception", "aliases": [ "Inception Framework", "Cloud Atlas" ], "source_name": "MITRE:Inception", "tools": [ "PowerShower", "VBShower", "LaZagne" ], "source_id": "MITRE", "reports": null }, { "id": "5b317799-01c0-48fa-aee2-31a738116771", "created_at": "2022-11-20T02:02:37.746719Z", "updated_at": "2026-04-10T02:00:04.561617Z", "deleted_at": null, "main_name": "Earth Longzhi", "aliases": [ "Earth Longzhi" ], "source_name": "ETDA:Earth Longzhi", "tools": [ "Agentemis", "BigpipeLoader", "Cobalt Strike", "CobaltStrike", "CroxLoader", "MultiPipeLoader", "OutLoader", "Symatic Loader", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "6360ea44-b90d-435c-b3cd-9724751b8294", "created_at": "2023-01-06T13:46:39.304451Z", "updated_at": "2026-04-10T02:00:03.281303Z", "deleted_at": null, "main_name": "Antlion", "aliases": [], "source_name": "MISPGALAXY:Antlion", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e294737b-6aa7-480e-841d-cbed102c356c", "created_at": "2023-07-20T02:00:08.787855Z", "updated_at": "2026-04-10T02:00:03.368575Z", "deleted_at": null, "main_name": "Worok", "aliases": [], "source_name": "MISPGALAXY:Worok", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d06cd44b-3efe-47dc-bb7c-a7b091c02938", "created_at": "2023-11-08T02:00:07.135638Z", "updated_at": "2026-04-10T02:00:03.42332Z", "deleted_at": null, "main_name": "IronHusky", "aliases": [], "source_name": "MISPGALAXY:IronHusky", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "110e7160-a8cc-4a66-8550-f19f7d418117", "created_at": "2023-01-06T13:46:38.427592Z", "updated_at": "2026-04-10T02:00:02.969896Z", "deleted_at": null, "main_name": "Silent Chollima", "aliases": [ "Onyx Sleet", "PLUTONIUM", "OperationTroy", "Guardian of Peace", "GOP", "WHOis Team", "Andariel", "Subgroup: Andariel" ], "source_name": "MISPGALAXY:Silent Chollima", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea", "created_at": "2023-01-06T13:46:38.745572Z", "updated_at": "2026-04-10T02:00:03.086207Z", "deleted_at": null, "main_name": "APT40", "aliases": [ "ATK29", "Red Ladon", "MUDCARP", "ISLANDDREAMS", "TEMP.Periscope", "KRYPTONITE PANDA", "G0065", "TA423", "ITG09", "Gingham Typhoon", "TEMP.Jumper", "BRONZE MOHAWK", "GADOLINIUM" ], "source_name": "MISPGALAXY:APT40", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784", "created_at": "2023-01-06T13:46:38.953463Z", "updated_at": "2026-04-10T02:00:03.159523Z", "deleted_at": null, "main_name": "APT31", "aliases": [ "JUDGMENT PANDA", "BRONZE VINEWOOD", "Red keres", "Violet Typhoon", "TA412" ], "source_name": "MISPGALAXY:APT31", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "40ec2da8-7156-4bff-b878-41984eb70df4", "created_at": "2024-02-02T02:00:04.080917Z", "updated_at": "2026-04-10T02:00:03.555365Z", "deleted_at": null, "main_name": "Storm-0530", "aliases": [ "DEV-0530", "H0lyGh0st" ], "source_name": "MISPGALAXY:Storm-0530", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2f07a03f-eb1f-47c8-a8e9-a1a00f2ec253", "created_at": "2022-10-25T16:07:24.277669Z", "updated_at": "2026-04-10T02:00:04.919609Z", "deleted_at": null, "main_name": "TA428", "aliases": [ "Operation LagTime IT", "Operation StealthyTrident", "ThunderCats" ], "source_name": "ETDA:TA428", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "Agent.dhwf", "Albaniiutas", "BlueTraveller", "Chymine", "Cotx RAT", "CoughingDown", "Darkmoon", "Destroy RAT", "DestroyRAT", "Gen:Trojan.Heur.PT", "Kaba", "Korplug", "LuckyBack", "PhantomNet", "PlugX", "Poison Ivy", "RedDelta", "RoyalRoad", "SManager", "SPIVY", "Sogu", "TIGERPLUG", "TManger", "TVT", "Thoper", "Xamtrav", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "04a7ebaa-ebb1-4971-b513-a0c86886d932", "created_at": "2023-01-06T13:46:38.784965Z", "updated_at": "2026-04-10T02:00:03.099088Z", "deleted_at": null, "main_name": "Inception Framework", "aliases": [ "Clean Ursa", "Cloud Atlas", "G0100", "ATK116", "Blue Odin" ], "source_name": "MISPGALAXY:Inception Framework", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "68cc6e37-f16d-4995-a75b-5e8e2a6cbb3d", "created_at": "2024-05-01T02:03:07.943593Z", "updated_at": "2026-04-10T02:00:03.795229Z", "deleted_at": null, "main_name": "BRONZE EDISON", "aliases": [ "APT4 ", "DarkSeoul", "Maverick Panda ", "Salmon Typhoon ", "Sodium ", "Sykipot ", "TG-0623 ", "getkys" ], "source_name": "Secureworks:BRONZE EDISON", "tools": [ "Gh0st RAT", "Wkysol", "ZxPortMap" ], "source_id": "Secureworks", "reports": null }, { "id": "f8fdc3fb-e38e-44a2-87a8-ae11d93b9e02", "created_at": "2023-11-05T02:00:08.088979Z", "updated_at": "2026-04-10T02:00:03.402497Z", "deleted_at": null, "main_name": "UNC3890", "aliases": [], "source_name": "MISPGALAXY:UNC3890", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9e6186dd-9334-4aac-9957-98f022cd3871", "created_at": "2022-10-25T15:50:23.357398Z", "updated_at": "2026-04-10T02:00:05.368552Z", "deleted_at": null, "main_name": "ZIRCONIUM", "aliases": [ "APT31", "Violet Typhoon" ], "source_name": "MITRE:ZIRCONIUM", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc", "created_at": "2023-01-06T13:46:38.354607Z", "updated_at": "2026-04-10T02:00:02.939761Z", "deleted_at": null, "main_name": "APT23", "aliases": [ "BRONZE HOBART", "G0081", "Red Orthrus", "Earth Centaur", "PIRATE PANDA", "KeyBoy", "Tropic Trooper" ], "source_name": "MISPGALAXY:APT23", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b69037ec-2605-4de4-bb32-a20d780a8406", "created_at": "2023-01-06T13:46:38.790766Z", "updated_at": "2026-04-10T02:00:03.101635Z", "deleted_at": null, "main_name": "MUSTANG PANDA", "aliases": [ "Stately Taurus", "LuminousMoth", "TANTALUM", "Twill Typhoon", "TEMP.HEX", "Earth Preta", "Polaris", "BRONZE PRESIDENT", "HoneyMyte", "Red Lich", "TA416" ], "source_name": "MISPGALAXY:MUSTANG PANDA", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b7823339-891d-4ded-b01d-1f142a88bc64", "created_at": "2023-01-06T13:46:39.381591Z", "updated_at": "2026-04-10T02:00:03.308737Z", "deleted_at": null, "main_name": "POLONIUM", "aliases": [ "GREATRIFT", "INCENDIARY JACKAL", "Plaid Rain", "UNC4453" ], "source_name": "MISPGALAXY:POLONIUM", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bef7800a-a08f-4e21-b65c-4279c851e572", "created_at": "2022-10-25T15:50:23.409336Z", "updated_at": "2026-04-10T02:00:05.319608Z", "deleted_at": null, "main_name": "Tropic Trooper", "aliases": [ "Tropic Trooper", "Pirate Panda", "KeyBoy" ], "source_name": "MITRE:Tropic Trooper", "tools": [ "USBferry", "ShadowPad", "PoisonIvy", "BITSAdmin", "YAHOYAH", "KeyBoy" ], "source_id": "MITRE", "reports": null }, { "id": "c7d9878a-e691-4c6f-81ae-84fb115a1345", "created_at": "2022-10-25T16:07:23.359506Z", "updated_at": "2026-04-10T02:00:04.556639Z", "deleted_at": null, "main_name": "APT 41", "aliases": [ "BrazenBamboo", "Bronze Atlas", "Double Dragon", "Earth Baku", "G0096", "Grayfly", "Operation ColunmTK", "Operation CuckooBees", "Operation ShadowHammer", "Red Kelpie", "SparklingGoblin", "TA415", "TG-2633" ], "source_name": "ETDA:APT 41", "tools": [ "9002 RAT", "ADORE.XSEC", "ASPXSpy", "ASPXTool", "AceHash", "Agent.dhwf", "Agentemis", "AndroidControl", "AngryRebel", "AntSword", "BLUEBEAM", "Barlaiy", "BlackCoffee", "Bladabindi", "BleDoor", "CCleaner Backdoor", "CHINACHOPPER", "COLDJAVA", "China Chopper", "ChyNode", "Cobalt Strike", "CobaltStrike", "Crackshot", "CrossWalk", "CurveLast", "CurveLoad", "DAYJOB", "DBoxAgent", "DEADEYE", "DEADEYE.APPEND", "DEADEYE.EMBED", "DEPLOYLOG", "DIRTCLEANER", "DUSTTRAP", "Derusbi", "Destroy RAT", "DestroyRAT", "DodgeBox", "DragonEgg", "ELFSHELF", "EasyNight", "Farfli", "FunnySwitch", "Gh0st RAT", "Ghost RAT", "HDD Rootkit", "HDRoot", "HKDOOR", "HOMEUNIX", "HUI Loader", "HidraQ", "HighNoon", "HighNote", "Homux", "Hydraq", "Jorik", "Jumpall", "KEYPLUG", "Kaba", "Korplug", "LATELUNCH", "LOLBAS", "LOLBins", "LightSpy", "Living off the Land", "Lowkey", "McRAT", "MdmBot", "MessageTap", "Meterpreter", "Mimikatz", "MoonBounce", "MoonWalk", "Motnug", "Moudour", "Mydoor", "NTDSDump", "PACMAN", "PCRat", "PINEGROVE", "PNGRAT", "POISONPLUG", "POISONPLUG.SHADOW", "POTROAST", "PRIVATELOG", "PipeMon", "PlugX", "PortReuse", "ProxIP", "ROCKBOOT", "RbDoor", "RedDelta", "RedXOR", "RibDoor", "Roarur", "RouterGod", "SAGEHIRE", "SPARKLOG", "SQLULDR2", "STASHLOG", "SWEETCANDLE", "ScrambleCross", "Sensocode", "SerialVlogger", "ShadowHammer", "ShadowPad Winnti", "SinoChopper", "Skip-2.0", "SneakCross", "Sogu", "Speculoos", "Spyder", "StealthReacher", "StealthVector", "TERA", "TIDYELF", "TIGERPLUG", "TOMMYGUN", "TVT", "Thoper", "Voldemort", "WIDETONE", "WINNKIT", "WINTERLOVE", "Winnti", "WyrmSpy", "X-Door", "XDOOR", "XMRig", "XShellGhost", "Xamtrav", "ZXShell", "ZoxPNG", "certutil", "certutil.exe", "cobeacon", "gresim", "njRAT", "pwdump", "xDll" ], "source_id": "ETDA", "reports": null }, { "id": "bc6e3644-3249-44f3-a277-354b7966dd1b", "created_at": "2022-10-25T16:07:23.760559Z", "updated_at": "2026-04-10T02:00:04.741239Z", "deleted_at": null, "main_name": "Andariel", "aliases": [ "APT 45", "Andariel", "G0138", "Jumpy Pisces", "Onyx Sleet", "Operation BLACKMINE", "Operation BLACKSHEEP/Phase 3.", "Operation Blacksmith", "Operation DESERTWOLF/Phase 3", "Operation GHOSTRAT", "Operation GoldenAxe", "Operation INITROY/Phase 1", "Operation INITROY/Phase 2", "Operation Mayday", "Operation VANXATM", "Operation XEDA", "Plutonium", "Silent Chollima", "Stonefly" ], "source_name": "ETDA:Andariel", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "2caf4672-1812-4bb9-9576-6011e56102d2", "created_at": "2022-10-25T16:07:23.742765Z", "updated_at": "2026-04-10T02:00:04.733853Z", "deleted_at": null, "main_name": "IronHusky", "aliases": [ "BBCY-TA1", "Operation MysterySnail" ], "source_name": "ETDA:IronHusky", "tools": [ "Agent.dhwf", "Chymine", "Darkmoon", "Destroy RAT", "DestroyRAT", "Gen:Trojan.Heur.PT", "Kaba", "Korplug", "MysterySnail", "MysterySnail RAT", "PlugX", "Poison Ivy", "RedDelta", "SPIVY", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Xamtrav", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "d196cb29-a861-4838-b157-a31ac92c6fb1", "created_at": "2023-11-04T02:00:07.66699Z", "updated_at": "2026-04-10T02:00:03.386945Z", "deleted_at": null, "main_name": "Earth Longzhi", "aliases": [ "SnakeCharmer" ], "source_name": "MISPGALAXY:Earth Longzhi", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e698860d-57e8-4780-b7c3-41e5a8314ec0", "created_at": "2022-10-25T15:50:23.287929Z", "updated_at": "2026-04-10T02:00:05.329769Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "APT41", "Wicked Panda", "Brass Typhoon", "BARIUM" ], "source_name": "MITRE:APT41", "tools": [ "ASPXSpy", "BITSAdmin", "PlugX", "Impacket", "gh0st RAT", "netstat", "PowerSploit", "ZxShell", "KEYPLUG", "LightSpy", "ipconfig", "sqlmap", "China Chopper", "ShadowPad", "MESSAGETAP", "Mimikatz", "certutil", "njRAT", "Cobalt Strike", "pwdump", "BLACKCOFFEE", "MOPSLED", "ROCKBOOT", "dsquery", "Winnti for Linux", "DUSTTRAP", "Derusbi", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "7bd810cb-d674-4763-86eb-2cc182d24ea0", "created_at": "2022-10-25T16:07:24.1537Z", "updated_at": "2026-04-10T02:00:04.883793Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "APT 44", "ATK 14", "BE2", "Blue Echidna", "CTG-7263", "FROZENBARENTS", "G0034", "Grey Tornado", "IRIDIUM", "Iron Viking", "Quedagh", "Razing Ursa", "Sandworm", "Sandworm Team", "Seashell Blizzard", "TEMP.Noble", "UAC-0082", "UAC-0113", "UAC-0125", "UAC-0133", "Voodoo Bear" ], "source_name": "ETDA:Sandworm Team", "tools": [ "AWFULSHRED", "ArguePatch", "BIASBOAT", "Black Energy", "BlackEnergy", "CaddyWiper", "Colibri Loader", "Cyclops Blink", "CyclopsBlink", "DCRat", "DarkCrystal RAT", "Fobushell", "GOSSIPFLOW", "Gcat", "IcyWell", "Industroyer2", "JaguarBlade", "JuicyPotato", "Kapeka", "KillDisk.NCX", "LOADGRIP", "LOLBAS", "LOLBins", "Living off the Land", "ORCSHRED", "P.A.S.", "PassKillDisk", "Pitvotnacci", "PsList", "QUEUESEED", "RansomBoggs", "RottenPotato", "SOLOSHRED", "SwiftSlicer", "VPNFilter", "Warzone", "Warzone RAT", "Weevly" ], "source_id": "ETDA", "reports": null }, { "id": "6ad5ab33-9a45-43d3-b0e4-70b7f9d836f8", "created_at": "2022-10-25T16:07:23.309518Z", "updated_at": "2026-04-10T02:00:04.535597Z", "deleted_at": null, "main_name": "Antlion", "aliases": [], "source_name": "ETDA:Antlion", "tools": [ "CheckID", "EHAGBPSL", "EHAGBPSL Loader", "ENCODE MMC", "JpgRun", "JpgRun Loader", "LOLBAS", "LOLBins", "Living off the Land", "NERAPACK", "NetSessionEnum", "ProcDump", "PsExec", "WinRAR", "xPack" ], "source_id": "ETDA", "reports": null }, { "id": "75455540-2f6e-467c-9225-8fe670e50c47", "created_at": "2022-10-25T16:07:23.740266Z", "updated_at": "2026-04-10T02:00:04.732992Z", "deleted_at": null, "main_name": "Iridium", "aliases": [], "source_name": "ETDA:Iridium", "tools": [ "CHINACHOPPER", "China Chopper", "LazyCat", "Powerkatz", "SinoChopper", "reGeorg" ], "source_id": "ETDA", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "83025f5e-302e-46b0-baf6-650a4d313dfc", "created_at": "2024-05-01T02:03:07.971863Z", "updated_at": "2026-04-10T02:00:03.743131Z", "deleted_at": null, "main_name": "BRONZE MOHAWK", "aliases": [ "APT40 ", "GADOLINIUM ", "Gingham Typhoon ", "Kryptonite Panda ", "Leviathan ", "Nanhaishu ", "Pickleworm ", "Red Ladon ", "TA423 ", "Temp.Jumper ", "Temp.Periscope " ], "source_name": "Secureworks:BRONZE MOHAWK", "tools": [ "AIRBREAK", "BlackCoffee", "China Chopper", "Cobalt Strike", "DadJoke", "Donut", "FUSIONBLAZE", "GreenCrash", "Meterpreter", "Nanhaishu", "Orz", "SeDll" ], "source_id": "Secureworks", "reports": null }, { "id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa", "created_at": "2022-10-25T16:47:55.919702Z", "updated_at": "2026-04-10T02:00:03.618194Z", "deleted_at": null, "main_name": "IRON VIKING", "aliases": [ "APT44 ", "ATK14 ", "BlackEnergy Group", "Blue Echidna ", "CTG-7263 ", "ELECTRUM ", "FROZENBARENTS ", "Hades/OlympicDestroyer ", "IRIDIUM ", "Qudedagh ", "Sandworm Team ", "Seashell Blizzard ", "TEMP.Noble ", "Telebots ", "Voodoo Bear " ], "source_name": "Secureworks:IRON VIKING", "tools": [ "BadRabbit", "BlackEnergy", "GCat", "NotPetya", "PSCrypt", "TeleBot", "TeleDoor", "xData" ], "source_id": "Secureworks", "reports": null }, { "id": "20b5fa2f-2ef1-4e69-8275-25927a762f72", "created_at": "2025-08-07T02:03:24.573647Z", "updated_at": "2026-04-10T02:00:03.765721Z", "deleted_at": null, "main_name": "BRONZE DUDLEY", "aliases": [ "TA428 ", "Temp.Hex ", "Vicious Panda " ], "source_name": "Secureworks:BRONZE DUDLEY", "tools": [ "NCCTrojan", "PhantomNet", "PoisonIvy", "Royal Road" ], "source_id": "Secureworks", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "6daadf00-952c-408a-89be-aa490d891743", "created_at": "2025-08-07T02:03:24.654882Z", "updated_at": "2026-04-10T02:00:03.645565Z", "deleted_at": null, "main_name": "BRONZE PRESIDENT", "aliases": [ "Earth Preta ", "HoneyMyte ", "Mustang Panda ", "Red Delta ", "Red Lich ", "Stately Taurus ", "TA416 ", "Temp.Hex ", "Twill Typhoon " ], "source_name": "Secureworks:BRONZE PRESIDENT", "tools": [ "BlueShell", "China Chopper", "Claimloader", "Cobalt Strike", "HIUPAN", "ORat", "PTSOCKET", "PUBLOAD", "PlugX", "RCSession", "TONESHELL", "TinyNote" ], "source_id": "Secureworks", "reports": null }, { "id": "c63ab035-f9f2-4723-959b-97a7b98b5942", "created_at": "2023-01-06T13:46:38.298354Z", "updated_at": "2026-04-10T02:00:02.917311Z", "deleted_at": null, "main_name": "APT27", "aliases": [ "BRONZE UNION", "Circle Typhoon", "Linen Typhoon", "TEMP.Hippo", "Budworm", "Lucky Mouse", "G0027", "GreedyTaotie", "Red Phoenix", "Iron Tiger", "Iron Taurus", "Earth Smilodon", "TG-3390", "EMISSARY PANDA", "Group 35", "ZipToken" ], "source_name": "MISPGALAXY:APT27", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "578f8e62-2bb4-4ce4-a8b7-6c868fa29724", "created_at": "2022-10-25T16:07:24.344358Z", "updated_at": "2026-04-10T02:00:04.947834Z", "deleted_at": null, "main_name": "Tropic Trooper", "aliases": [ "APT 23", "Bronze Hobart", "Earth Centaur", "G0081", "KeyBoy", "Operation Tropic Trooper", "Pirate Panda", "Tropic Trooper" ], "source_name": "ETDA:Tropic Trooper", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "ByPassGodzilla", "CHINACHOPPER", "CREDRIVER", "China Chopper", "Chymine", "Darkmoon", "Gen:Trojan.Heur.PT", "KeyBoy", "Neo-reGeorg", "PCShare", "POISONPLUG.SHADOW", "Poison Ivy", "RoyalRoad", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Swor", "TSSL", "USBferry", "W32/Seeav", "Winsloader", "XShellGhost", "Yahoyah", "fscan", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "a4aca3ca-9e04-42d1-b037-f7fb3fbab0b1", "created_at": "2023-01-06T13:46:39.042499Z", "updated_at": "2026-04-10T02:00:03.194713Z", "deleted_at": null, "main_name": "TA428", "aliases": [ "BRONZE DUDLEY", "Colourful Panda" ], "source_name": "MISPGALAXY:TA428", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "591ffe81-e46b-4e3d-90c1-9bf42abeeb47", "created_at": "2025-08-07T02:03:24.726943Z", "updated_at": "2026-04-10T02:00:03.805423Z", "deleted_at": null, "main_name": "COBALT FIRESIDE", "aliases": [ "CURIUM ", "Crimson Sandstorm ", "Cuboid Sandstorm ", "DEV-0228 ", "HIVE0095 ", "Imperial Kitten ", "TA456 ", "Tortoiseshell ", "UNC3890 ", "Yellow Liderc " ], "source_name": "Secureworks:COBALT FIRESIDE", "tools": [ "FireBAK", "LEMPO", "LiderBird" ], "source_id": "Secureworks", "reports": null }, { "id": "86182dd7-646c-49c5-91a6-4b62fd2119a7", "created_at": "2025-08-07T02:03:24.617638Z", "updated_at": "2026-04-10T02:00:03.738499Z", "deleted_at": null, "main_name": "BRONZE HOBART", "aliases": [ "APT23", "Earth Centaur ", "KeyBoy ", "Pirate Panda ", "Red Orthrus ", "TA413 ", "Tropic Trooper " ], "source_name": "Secureworks:BRONZE HOBART", "tools": [ "Crowdoor", "DSNGInstaller", "KeyBoy", "LOWZERO", "Mofu", "Pfine", "Sepulcher", "Xiangoop Loader", "Yahaoyah" ], "source_id": "Secureworks", "reports": null }, { "id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a", "created_at": "2022-10-25T15:50:23.481057Z", "updated_at": "2026-04-10T02:00:05.306469Z", "deleted_at": null, "main_name": "Leviathan", "aliases": [ "MUDCARP", "Kryptonite Panda", "Gadolinium", "BRONZE MOHAWK", "TEMP.Jumper", "APT40", "TEMP.Periscope", "Gingham Typhoon" ], "source_name": "MITRE:Leviathan", "tools": [ "Windows Credential Editor", "BITSAdmin", "HOMEFRY", "Derusbi", "at", "BLACKCOFFEE", "BADFLICK", "gh0st RAT", "PowerSploit", "MURKYTOP", "NanHaiShu", "Orz", "Cobalt Strike", "China Chopper" ], "source_id": "MITRE", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "771d9263-076e-4b6e-bd58-92b6555eb739", "created_at": "2025-08-07T02:03:25.092436Z", "updated_at": "2026-04-10T02:00:03.758541Z", "deleted_at": null, "main_name": "NICKEL HYATT", "aliases": [ "APT45 ", "Andariel", "Dark Seoul", "Jumpy Pisces ", "Onyx Sleet ", "RIFLE Campaign", "Silent Chollima ", "Stonefly ", "UN614 " ], "source_name": "Secureworks:NICKEL HYATT", "tools": [ "ActiveX 0-day", "DTrack", "HazyLoad", "HotCriossant", "Rifle", "UnitBot", "Valefor" ], "source_id": "Secureworks", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43", "created_at": "2025-08-07T02:03:24.68371Z", "updated_at": "2026-04-10T02:00:03.64323Z", "deleted_at": null, "main_name": "BRONZE UNION", "aliases": [ "APT27 ", "Bowser", "Budworm ", "Circle Typhoon ", "Emissary Panda ", "Group35", "Iron Tiger ", "Linen Typhoon ", "Lucky Mouse ", "TG-3390 ", "Temp.Hippo " ], "source_name": "Secureworks:BRONZE UNION", "tools": [ "AbcShell", "China Chopper", "EAGERBEE", "Gh0st RAT", "OwaAuth", "PhantomNet", "PoisonIvy", "Sysupdate", "Wonknu", "Wrapikatz", "ZxShell", "reGeorg" ], "source_id": "Secureworks", "reports": null }, { "id": "9baa7519-772a-4862-b412-6f0463691b89", "created_at": "2022-10-25T15:50:23.354429Z", "updated_at": "2026-04-10T02:00:05.310361Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Mustang Panda", "TA416", "RedDelta", "BRONZE PRESIDENT", "STATELY TAURUS", "FIREANT", "CAMARO DRAGON", "EARTH PRETA", "HIVE0154", "TWILL TYPHOON", "TANTALUM", "LUMINOUS MOTH", "UNC6384", "TEMP.Hex", "Red Lich" ], "source_name": "MITRE:Mustang Panda", "tools": [ "CANONSTAGER", "STATICPLUGIN", "ShadowPad", "TONESHELL", "Cobalt Strike", "HIUPAN", "Impacket", "SplatCloak", "PAKLOG", "Wevtutil", "AdFind", "CLAIMLOADER", "Mimikatz", "PUBLOAD", "StarProxy", "CorKLOG", "RCSession", "NBTscan", "PoisonIvy", "SplatDropper", "China Chopper", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "74d9dada-0106-414a-8bb9-b0d527db7756", "created_at": "2025-08-07T02:03:24.69718Z", "updated_at": "2026-04-10T02:00:03.733346Z", "deleted_at": null, "main_name": "BRONZE VINEWOOD", "aliases": [ "APT31 ", "BRONZE EXPRESS ", "Judgment Panda ", "Red Keres", "TA412", "VINEWOOD ", "Violet Typhoon ", "ZIRCONIUM " ], "source_name": "Secureworks:BRONZE VINEWOOD", "tools": [ "DropboxAES RAT", "HanaLoader", "Metasploit", "Mimikatz", "Reverse ICMP shell", "Trochilus" ], "source_id": "Secureworks", "reports": null }, { "id": "5c13338b-eaed-429a-9437-f5015aa98276", "created_at": "2022-10-25T16:07:23.582715Z", "updated_at": "2026-04-10T02:00:04.675765Z", "deleted_at": null, "main_name": "Emissary Panda", "aliases": [ "APT 27", "ATK 15", "Bronze Union", "Budworm", "Circle Typhoon", "Earth Smilodon", "Emissary Panda", "G0027", "Group 35", "Iron Taurus", "Iron Tiger", "Linen Typhoon", "LuckyMouse", "Operation DRBControl", "Operation Iron Tiger", "Operation PZChao", "Operation SpoiledLegacy", "Operation StealthyTrident", "Red Phoenix", "TEMP.Hippo", "TG-3390", "ZipToken" ], "source_name": "ETDA:Emissary Panda", "tools": [ "ASPXSpy", "ASPXTool", "Agent.dhwf", "AngryRebel", "Antak", "CHINACHOPPER", "China Chopper", "Destroy RAT", "DestroyRAT", "FOCUSFJORD", "Farfli", "Gh0st RAT", "Ghost RAT", "HTTPBrowser", "HTran", "HUC Packet Transmit Tool", "HighShell", "HttpBrowser RAT", "HttpDump", "HyperBro", "HyperSSL", "HyperShell", "Kaba", "Korplug", "LOLBAS", "LOLBins", "Living off the Land", "Mimikatz", "Moudour", "Mydoor", "Nishang", "OwaAuth", "PCRat", "PlugX", "ProcDump", "PsExec", "RedDelta", "SEASHARPEE", "Sensocode", "SinoChopper", "Sogu", "SysUpdate", "TIGERPLUG", "TVT", "Thoper", "Token Control", "TokenControl", "TwoFace", "WCE", "Windows Credential Editor", "Windows Credentials Editor", "Xamtrav", "ZXShell", "gsecdump", "luckyowa" ], "source_id": "ETDA", "reports": null }, { "id": "02c9f3f6-5d10-456b-9e63-750286048149", "created_at": "2022-10-25T16:07:23.722884Z", "updated_at": "2026-04-10T02:00:04.72726Z", "deleted_at": null, "main_name": "Inception Framework", "aliases": [ "ATK 116", "Blue Odin", "Clean Ursa", "Cloud Atlas", "G0100", "Inception Framework", "Operation Cloud Atlas", "Operation RedOctober", "The Rocra" ], "source_name": "ETDA:Inception Framework", "tools": [ "Lastacloud", "PowerShower", "VBShower" ], "source_id": "ETDA", "reports": null }, { "id": "2ee03999-5432-4a65-a850-c543b4fefc3d", "created_at": "2022-10-25T16:07:23.882813Z", "updated_at": "2026-04-10T02:00:04.776949Z", "deleted_at": null, "main_name": "Mustang Panda", "aliases": [ "Bronze President", "Camaro Dragon", "Earth Preta", "G0129", "Hive0154", "HoneyMyte", "Mustang Panda", "Operation SMUGX", "Operation SmugX", "PKPLUG", "Red Lich", "Stately Taurus", "TEMP.Hex", "Twill Typhoon" ], "source_name": "ETDA:Mustang Panda", "tools": [ "9002 RAT", "AdFind", "Agent.dhwf", "Agentemis", "CHINACHOPPER", "China Chopper", "Chymine", "ClaimLoader", "Cobalt Strike", "CobaltStrike", "DCSync", "DOPLUGS", "Darkmoon", "Destroy RAT", "DestroyRAT", "Farseer", "Gen:Trojan.Heur.PT", "HOMEUNIX", "Hdump", "HenBox", "HidraQ", "Hodur", "Homux", "HopperTick", "Hydraq", "Impacket", "Kaba", "Korplug", "LadonGo", "MQsTTang", "McRAT", "MdmBot", "Mimikatz", "NBTscan", "NetSess", "Netview", "Orat", "POISONPLUG.SHADOW", "PUBLOAD", "PVE Find AD Users", "PlugX", "Poison Ivy", "PowerView", "QMAGENT", "RCSession", "RedDelta", "Roarur", "SPIVY", "ShadowPad Winnti", "SinoChopper", "Sogu", "TIGERPLUG", "TONEINS", "TONESHELL", "TVT", "TeamViewer", "Thoper", "TinyNote", "WispRider", "WmiExec", "XShellGhost", "Xamtrav", "Zupdax", "cobeacon", "nbtscan", "nmap", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6", "created_at": "2022-10-25T15:50:23.339976Z", "updated_at": "2026-04-10T02:00:05.27483Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "Sandworm Team", "ELECTRUM", "Telebots", "IRON VIKING", "BlackEnergy (Group)", "Quedagh", "Voodoo Bear", "IRIDIUM", "Seashell Blizzard", "FROZENBARENTS", "APT44" ], "source_name": "MITRE:Sandworm Team", "tools": [ "Bad Rabbit", "Mimikatz", "Exaramel for Linux", "Exaramel for Windows", "GreyEnergy", "PsExec", "Prestige", "P.A.S. Webshell", "AcidPour", "VPNFilter", "Neo-reGeorg", "Cyclops Blink", "SDelete", "Kapeka", "AcidRain", "Industroyer", "Industroyer2", "BlackEnergy", "Cobalt Strike", "NotPetya", "KillDisk", "PoshC2", "Impacket", "Invoke-PSImage", "Olympic Destroyer" ], "source_id": "MITRE", "reports": null }, { "id": "b9806584-4d82-4f32-ae97-18a2583e8d11", "created_at": "2022-10-25T16:07:23.787833Z", "updated_at": "2026-04-10T02:00:04.749709Z", "deleted_at": null, "main_name": "Leviathan", "aliases": [ "APT 40", "ATK 29", "Bronze Mohawk", "G0065", "Gadolinium", "Gingham Typhoon", "ISLANDDREAMS", "ITG09", "Jumper Taurus", "Kryptonite Panda", "Mudcarp", "Red Ladon", "TA423", "TEMP.Jumper", "TEMP.Periscope" ], "source_name": "ETDA:Leviathan", "tools": [ "AIRBREAK", "Agent.dhwf", "Agentemis", "AngryRebel", "BADFLICK", "BlackCoffee", "CHINACHOPPER", "China Chopper", "Cobalt Strike", "CobaltStrike", "DADJOKE", "Dadstache", "Derusbi", "Destroy RAT", "DestroyRAT", "Farfli", "GRILLMARK", "Gh0st RAT", "Ghost RAT", "HOMEFRY", "Hellsing Backdoor", "Kaba", "Korplug", "LOLBAS", "LOLBins", "LUNCHMONEY", "Living off the Land", "MURKYTOP", "Moudour", "Mydoor", "NanHaiShu", "Orz", "PCRat", "PNGRAT", "PlugX", "RedDelta", "SeDLL", "Sensocode", "SinoChopper", "Sogu", "TIGERPLUG", "TVT", "Thoper", "WCE", "Windows Credential Editor", "Windows Credentials Editor", "Xamtrav", "ZXShell", "ZoxPNG", "cobeacon", "gresim", "scanbox" ], "source_id": "ETDA", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434703, "ts_updated_at": 1775792300, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/8b87c6fb381829f163e6296cb3c7d3550acb4105.pdf", "text": "https://archive.orkl.eu/8b87c6fb381829f163e6296cb3c7d3550acb4105.txt", "img": "https://archive.orkl.eu/8b87c6fb381829f163e6296cb3c7d3550acb4105.jpg" } }