{
	"id": "7ec30f56-3eca-4d36-b2d2-a3805f258375",
	"created_at": "2026-04-06T00:17:25.361253Z",
	"updated_at": "2026-04-10T03:38:19.529856Z",
	"deleted_at": null,
	"sha1_hash": "8bc819c41cb145242f42040ec9face1b2070674c",
	"title": "Who Wasn’t Responsible for Olympic Destroyer?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 410833,
	"plain_text": "Who Wasn’t Responsible for Olympic Destroyer?\r\nBy Paul Rascagneres\r\nPublished: 2018-02-26 · Archived: 2026-04-05 19:50:23 UTC\r\nMonday, February 26, 2018 13:03\r\nSummary\r\nAbsent contributions from traditional intelligence capacities, the available evidence linking the Olympic Destroyer\r\nmalware to a specific threat actor group is contradictory, and does not allow for unambiguous attribution. The\r\nthreat actor responsible for the attack has purposefully included evidence to frustrate analysts and lead researchers\r\nto false attribution flags. This false attribution could embolden an adversary to deny an accusation, publicly citing\r\nevidence based upon false claims by unwitting third parties. Attribution, while headline grabbing, is difficult and\r\nnot an exact science. This must force one to question purely software-based attribution going forward.\r\nIntroduction\r\nThe Olympic Games in Pyeongchang, South Korea were disrupted by a cyber attack earlier this month.\r\nReportedly, the attack resulted in the Olympic website being knocked offline, meaning individuals could not print\r\ntheir tickets. Reporting on the opening ceremony was also degraded due to WiFi failing for reporters on site. On\r\nFeb. 12, Talos published a blog detailing the functionality of the malware Olympic Destroyer that we have\r\nidentified with moderate confidence as having been used in the attack.\r\nhttps://blog.talosintelligence.com/who-wasnt-responsible-for-olympic/\r\nPage 1 of 7\n\nExample press quotes suggesting attribution for Olympic Destroyer.\r\nThe malware did not write itself, the incident did not happen by accident, but who was responsible? Attributing\r\nattacks to specific malware writers or threat actor groups is not a simple or exact science. Many parameters must\r\nbe considered, analysed and compared with previous attacks in order to identify similarities. 
As with any crime, criminals have preferred techniques, and tend to leave behind traces, akin to digital fingerprints, which can be found and linked to other crimes.\r\nIn terms of cyber security incidents, analysts would look for similarities in attributes such as:\r\nTactics, Techniques and Procedures (TTPs) (how the attacker conducted the attack)\r\nVictimology (the profile of the victim)\r\nInfrastructure (the platforms used as part of the attack)\r\nIndicators of Compromise (IOCs) (identifiable artifacts left during an attack)\r\nMalware samples (the malware used as part of the attack)\r\nOne of the strengths of software engineering is the ability to share code, to build applications on top of libraries written by others, and to learn from the successes and failures of other software engineers. The same is true for threat actors. Two different threat actors may use code from the same source in their attacks, which means that their attacks would display similarities despite being conducted by different groups. Sometimes threat actors may choose to include features from another group in order to frustrate analysts and steer them toward a false attribution.\r\nIn the case of Olympic Destroyer, what is the evidence, and what conclusions regarding attribution can we make?\r\nOlympic Destroyer Lineup of Suspects\r\nThe Lazarus Group\r\nThe Lazarus Group, also referred to as Group 77, is a sophisticated threat actor that has been associated with a number of attacks. 
Notably, a spinoff of Lazarus, referred to as the Bluenoroff group, conducted attacks against the SWIFT infrastructure in a bank located in Bangladesh.\r\nThe filename convention used in the SWIFT malware, as described by BAE Systems, was: evtdiag.exe, evtsys.exe and evtchk.bat.\r\nThe Olympic Destroyer malware checks for the existence of the following file: %programdata%\\evtchk.txt.\r\nThere is a clear similarity in the two cases. This is nowhere near proof, but it is a clue, albeit a weak one.\r\nFurther evidence is found in similarities between Olympic Destroyer and the wiper malware associated with Bluenoroff, again described by BAE Systems. In this example, the Bluenoroff wiper is on the left, and the Olympic Destroyer wiper function on the right:\r\nClearly, the code is not identical, but the very specific logic of wiping only the first 0x1000 bytes of large files is identical and unique to both cases. 
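The 0x1000-byte wipe pattern is also something an incident responder can look for on disk. What follows is an added example written for this page, not code from Talos and not code taken from the Olympic Destroyer or Bluenoroff samples: a Python triage script that flags files whose first 0x1000 bytes are a constant fill while the bytes after them are intact, and that checks for the evtchk.txt marker under %programdata%. The size threshold for a 'large' file and the constant-fill assumption are hypothetical, since the page states neither; adjust them to what the sample under analysis actually does, and run the scan against a mounted image or a copy of the disk rather than the live victim.

```python
import os
import shutil
import tempfile

# Hypothetical triage parameters (not from the Talos write-up):
WIPE_LEN = 0x1000                    # the page: only the first 0x1000 bytes are wiped
LARGE_FILE_THRESHOLD = 1024 * 1024   # assumption: what the wiper treats as 'large'
MARKER_NAME = 'evtchk.txt'           # the page: checked for under %programdata%


def head_is_blank(data, wipe_len=WIPE_LEN):
    # A wiped head reads as wipe_len copies of one byte value. Assumption: the
    # wiper writes a constant fill; the page does not say which byte, so any
    # single repeated value is accepted rather than only 0x00.
    head = data[:wipe_len]
    return len(head) == wipe_len and len(set(head)) == 1


def looks_wiped(path, wipe_len=WIPE_LEN, threshold=LARGE_FILE_THRESHOLD):
    # True when the file is large enough to have been a target, its first
    # wipe_len bytes are a constant fill, and the bytes right after them are
    # not (so sparse or preallocated all-zero files do not match).
    if os.path.getsize(path) < threshold:
        return False
    with open(path, 'rb') as fh:
        head = fh.read(wipe_len)
        after = fh.read(wipe_len)
    return head_is_blank(head, wipe_len) and len(set(after)) > 1


def scan_tree(root, **kwargs):
    # Walk a mounted image or disk copy and return paths carrying the wipe
    # signature. Unreadable files are skipped rather than aborting the scan.
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if looks_wiped(path, **kwargs):
                    hits.append(path)
            except OSError:
                continue
    return hits


def evtchk_marker_present(programdata=None):
    # The file-name clue from the page: does evtchk.txt exist under
    # %programdata%? On a forensic mount pass that directory explicitly.
    base = programdata if programdata is not None else os.environ.get('PROGRAMDATA', '')
    return bool(base) and os.path.isfile(os.path.join(base, MARKER_NAME))


def build_sample_tree():
    # Constructed sample data for a self-contained run; not real victim files.
    root = tempfile.mkdtemp(prefix='wipecheck_')
    pattern = bytes(range(256))
    body = pattern * (LARGE_FILE_THRESHOLD // 256 + 16)        # just over the threshold
    samples = {
        'intact_large.bin': body,                             # untouched
        'wiped_large.bin': bytes(WIPE_LEN) + body[WIPE_LEN:],  # head zeroed, rest intact
        'wiped_small.bin': bytes(WIPE_LEN) + pattern * 4,     # too small to have been a target
        'all_zero_large.bin': bytes(len(body)),               # preallocated or sparse, not a wipe
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), 'wb') as fh:
            fh.write(data)
    return root


def demo():
    # Build the sample tree, scan it, and return the flagged file names.
    root = build_sample_tree()
    try:
        return sorted(os.path.basename(p) for p in scan_tree(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == '__main__':
    print(demo())   # ['wiped_large.bin']
```

The all-zero control file is included on purpose: a test that only inspects the first 0x1000 bytes would flag every sparse or preallocated file on the volume, so the check also requires non-constant bytes immediately after the wiped region before it reports a hit.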
The shared wiper logic is another clue, and stronger evidence than the file name check.\r\nHowever, both the file names used by Bluenoroff and the wiper function are documented and available to anyone. Our actual culprits could have added the file name check and mimicked the wiper function simply in order to implicate the Lazarus group and potentially distract from their true identity.\r\nOlympic Destroyer sample: 23e5bb2369080a47df8284e666cac7cafc207f3472474a9149f88c1a4fd7a9b0\r\nBluenoroff sample #1: ae086350239380f56470c19d6a200f7d251c7422c7bc5ce74730ee8bab8e6283\r\nBluenoroff sample #2: 5b7c970fee7ebe08d50665f278d47d0e34c04acc19a91838de6a3fc63a8e5630\r\nAPT3 \u0026 APT10\r\nIntezer Labs spotted code sharing between Olympic Destroyer and malware used in attacks attributed to APT3 and APT10.\r\nIntezer Labs identified that Olympic Destroyer shares 18.5 percent of its code with a tool used by APT3 to steal credentials from memory. Potentially, this is a very strong clue. However, the APT3 tool is, in turn, based on the open-source tool Mimikatz. Since Mimikatz is available for download by anyone, it is entirely possible that the author of Olympic Destroyer used code derived from Mimikatz in their malware, knowing that it had been used by other malware writers.\r\nIntezer Labs also spotted similarities in the function used to generate AES keys between Olympic Destroyer and APT10. According to Intezer Labs, this particular function has only ever been used by APT10. Maybe the malware writer has let slip a vital clue to their identity.\r\nNyetya\r\nThe use of code derived from Mimikatz to steal credentials was also seen in the Nyetya (NotPetya) malware of June 2017. Additionally, like Nyetya, Olympic Destroyer spread laterally by abusing legitimate functionality of PsExec and WMI. 
Like Nyetya, Olympic Destroyer uses a named pipe to send stolen credentials to the main module.\r\nUnlike Nyetya, Olympic Destroyer didn't use the exploits EternalBlue and EternalRomance for propagation. But the perpetrator has left artifacts within Olympic Destroyer's code to insinuate the presence of SMB exploits.\r\nOlympic Destroyer includes the definition of these four structures:\r\nThese four structures can also be found in the public EternalBlue proof of concept:\r\nThese structures are initialised at runtime when Olympic Destroyer executes, but are never used. Clearly, the author knew of the EternalBlue PoC, but the reason why these structures are present is obscure. It's likely the author wanted to lay a trap for security analysts to provoke a false positive attribution. Alternatively, we could be seeing the traces of functionality that never made it into the final malware.\r\nConclusion\r\nAttribution is hard. Rarely do analysts reach the level of evidence that would lead to a conviction in a courtroom. Many were quick to jump to conclusions, and to attribute Olympic Destroyer to specific groups. However, the basis for such accusations is frequently weak. Now that we are potentially seeing malware authors placing multiple false flags, attribution based on malware samples alone has become even more difficult.\r\nFor the threat actors considered, there is no clear smoking gun indicating a guilty party with the evidence which we have available. Other security analysts and investigative bodies may have further evidence to which we do not have access. 
Organisations with additional evidence, such as signals intelligence or human intelligence sources which may provide significant clues to attribution, may be the least likely to share their insights, so as not to betray the nature of their intelligence-gathering operation.\r\nThe attack which we believe Olympic Destroyer to have been associated with was clearly an audacious attack, almost certainly conducted by a threat actor with a certain level of sophistication who did not believe that they would be easily identified and held accountable.\r\nCode sharing between threat actors is to be expected. Open-source tools are a useful source of functionality, and adopting techniques from successful attacks conducted by other groups is likely to be a source of misleading evidence leading to false attribution.\r\nEqually, we can expect sophisticated threat actors to take advantage of this, and to integrate evidence designed to fool analysts, to lead to attribution of their attacks to other groups. Potentially, threat actors take pleasure in reading incorrect information being published by security analysts. This could even be taken to the extreme of a country denying an attack based upon evidence presented by an unwitting third party due to false attribution. Every time there is misattribution, it gives adversaries something to hide behind. In this heightened era of fake news, attribution is a highly sensitive issue.\r\nAs threat actors evolve their skills and techniques, it is likely that we will see threat actors further adopting ruses to complicate and confuse attribution. Attribution is already difficult. It is unlikely to become easier.\r\nSource: https://blog.talosintelligence.com/who-wasnt-responsible-for-olympic/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.talosintelligence.com/who-wasnt-responsible-for-olympic/"
	],
	"report_names": [
		"who-wasnt-responsible-for-olympic"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "13354d3f-3f40-44ec-b42a-3cda18809005",
			"created_at": "2022-10-25T15:50:23.275272Z",
			"updated_at": "2026-04-10T02:00:05.36519Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"APT3",
				"Gothic Panda",
				"Pirpi",
				"UPS Team",
				"Buckeye",
				"Threat Group-0110",
				"TG-0110"
			],
			"source_name": "MITRE:APT3",
			"tools": [
				"OSInfo",
				"schtasks",
				"PlugX",
				"LaZagne",
				"SHOTPUT",
				"RemoteCMD"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4",
			"created_at": "2023-01-06T13:46:38.269054Z",
			"updated_at": "2026-04-10T02:00:02.90356Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"GOTHIC PANDA",
				"TG-0110",
				"Buckeye",
				"Group 6",
				"Boyusec",
				"BORON",
				"BRONZE MAYFAIR",
				"Red Sylvan",
				"Brocade Typhoon"
			],
			"source_name": "MISPGALAXY:APT3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cf826655-5fcb-4331-bdc5-5ef267db9d3c",
			"created_at": "2025-08-07T02:03:24.631402Z",
			"updated_at": "2026-04-10T02:00:03.608938Z",
			"deleted_at": null,
			"main_name": "BRONZE MAYFAIR",
			"aliases": [
				"APT3 ",
				"Gothic Panda ",
				"Pirpi",
				"TG-0110 ",
				"UPSTeam"
			],
			"source_name": "Secureworks:BRONZE MAYFAIR",
			"tools": [
				"Cookiecutter",
				"HUC Proxy Malware (Htran)",
				"Pirpi",
				"PlugX",
				"SplitVPN",
				"UPS",
				"ctt",
				"ctx"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434645,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8bc819c41cb145242f42040ec9face1b2070674c.pdf",
		"text": "https://archive.orkl.eu/8bc819c41cb145242f42040ec9face1b2070674c.txt",
		"img": "https://archive.orkl.eu/8bc819c41cb145242f42040ec9face1b2070674c.jpg"
	}
}