{
	"id": "53107935-611f-419e-b04b-9fd696e4feda",
	"created_at": "2026-04-06T00:06:07.818331Z",
	"updated_at": "2026-04-10T03:24:29.52563Z",
	"deleted_at": null,
	"sha1_hash": "8df04567c9794a3f9377f1c33636dac56dcad2f1",
	"title": "Botnet C\u0026C | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 39361,
	"plain_text": "Botnet C\u0026C | FortiGuard Labs\r\nArchived: 2026-04-05 16:28:34 UTC\r\nEmpireMonkey malware distribution\r\nDescription\r\nThis botnet is a type of malware bot that may perform many malicious tasks, such as downloading and executing\r\nadditional malware, receiving commands from a control server and relaying specific information and telemetry\r\nback to the control server, updating or deleting itself, stealing login and password information, logging keystrokes,\r\nparticipating in a Distributed Denial of Service (DDoS) attack, or locking and encrypting the contents of your\r\ncomputer and demanding payment for its safe return.\r\nSymptoms\r\nSome possible symptoms include, but are not limited to:\r\nInability to restart the computer in safe mode\r\nInability to open the Windows registry editor\r\nInability to open the Windows task manager\r\nModification or deletion of certain registry entries\r\nSignificant increase in disk activity\r\nSignificant increase in network traffic\r\nConnection attempts to known malicious IP addresses\r\nCreation of new files and directories with obfuscated or random names\r\nAnalysis\r\nA detailed analysis of this specific malware bot is not currently available. Fortinet's team of AV and bot analysts\r\nwill update this page when a complete analysis is available.\r\nInstructions\r\nManual removal of this malware is not recommended. Fortinet recommends\r\nthat you remove this threat by running a complete scan of your system using FortiClient Endpoint Protection.\r\nSource: https://fortiguard.com/encyclopedia/botnet/7630456\r\nhttps://fortiguard.com/encyclopedia/botnet/7630456\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://fortiguard.com/encyclopedia/botnet/7630456"
	],
	"report_names": [
		"7630456"
	],
	"threat_actors": [
		{
			"id": "56daf304-dd2c-4fa1-a01f-8c0a7e5e5c30",
			"created_at": "2022-10-25T16:07:23.586985Z",
			"updated_at": "2026-04-10T02:00:04.676803Z",
			"deleted_at": null,
			"main_name": "EmpireMonkey",
			"aliases": [
				"Anthropoid Spider",
				"CobaltGoblin",
				"EmpireMonkey"
			],
			"source_name": "ETDA:EmpireMonkey",
			"tools": [
				"AKO Doxware",
				"AKO Ransomware",
				"MedusaLocker",
				"MedusaReborn"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433967,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8df04567c9794a3f9377f1c33636dac56dcad2f1.pdf",
		"text": "https://archive.orkl.eu/8df04567c9794a3f9377f1c33636dac56dcad2f1.txt",
		"img": "https://archive.orkl.eu/8df04567c9794a3f9377f1c33636dac56dcad2f1.jpg"
	}
}