{
	"id": "0ff70d41-bce7-4f4b-8195-7685d9908633",
	"created_at": "2026-04-06T00:18:56.187349Z",
	"updated_at": "2026-04-10T13:12:36.459983Z",
	"deleted_at": null,
	"sha1_hash": "8fe0c037b9f4a1ff88c4da571637f182e39af1bc",
	"title": "Frequent freeloader part I: Secret Blizzard compromising Storm-0156 infrastructure for espionage | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 670950,
	"plain_text": "Frequent freeloader part I: Secret Blizzard compromising Storm-0156\r\ninfrastructure for espionage | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2024-12-04 · Archived: 2026-04-05 17:14:12 UTC\r\nBased on both Microsoft Threat Intelligence’s findings and those reported by governments and other security vendors, we\r\nassess that the Russian nation-state actor tracked as Secret Blizzard has used the tools and infrastructure of at least six other\r\nthreat actors during the past seven years. They also have actively targeted infrastructure where other threat actors have\r\nstaged exfiltrated data from victims with the intention of collecting this data for their own espionage program. We assess that\r\nSecret Blizzard’s use of other actors’ infrastructure and tools, both state-sponsored and cybercriminal, is exclusively for\r\nfacilitating espionage operations.\r\nIn this first of a two-part blog series, we discuss how Secret Blizzard has used the infrastructure of the Pakistan-based threat\r\nactivity cluster we call Storm-0156 — which overlaps with the threat actor known as SideCopy, Transparent Tribe, and\r\nAPT36 — to install backdoors and collect intelligence on targets of interest in South Asia. Microsoft Threat Intelligence\r\npartnered with Black Lotus Labs, the threat intelligence arm of Lumen Technologies, to confirm that Secret Blizzard\r\ncommand-and-control (C2) traffic emanated from Storm-0156 infrastructure, including infrastructure used by Storm-0156 to\r\ncollate exfiltrated data from campaigns in Afghanistan and India. We thank the Black Lotus Team for recognizing the impact\r\nof this threat and collaborating on investigative efforts. 
In the second blog, Microsoft Threat Intelligence will be detailing\r\nhow Secret Blizzard has used Amadey bots and the PowerShell backdoor of two other threat actors to deploy the Tavdig\r\nbackdoor and then use that foothold to install their KazuarV2 backdoor on target devices in Ukraine.\r\nMicrosoft Threat Intelligence tracks Secret Blizzard campaigns and, when we are able, directly notifies customers who have\r\nbeen targeted or compromised, providing them with the necessary information to help secure their environments. As part of\r\nour continuous monitoring, analysis, and reporting on the threat landscape, we are sharing our research on Secret Blizzard’s\r\nactivity to raise awareness of this threat actor’s tradecraft and to educate organizations on how to harden their attack surfaces\r\nagainst this and similar activity. In addition, we highlight that, while Secret Blizzard’s use of infrastructure and access by\r\nother threat actors is unusual, it is not unique. Therefore, organizations compromised by one threat actor may also find\r\nthemselves compromised by another through the initial intrusion.\r\nWho is Secret Blizzard?\r\nThe United States Cybersecurity and Infrastructure Security Agency (CISA) has attributed Secret Blizzard to Center 16 of\r\nRussia’s Federal Security Service (FSB), which is one of Russia’s Signals Intelligence and Computer Network Operations\r\n(CNO) services responsible for intercepting and decrypting electronic data as well as the technical penetration of foreign\r\nintelligence targets. Secret Blizzard overlaps with the threat actor tracked by other security vendors as Turla, Waterbug,\r\nVenomous Bear, Snake, Turla Team, and Turla APT Group.\r\nSecret Blizzard is known for targeting a wide array of verticals, but most prominently ministries of foreign affairs,\r\nembassies, government offices, defense departments, and defense-related companies worldwide. 
Secret Blizzard focuses on\r\ngaining long-term access to systems for intelligence collection using extensive resources such as multiple backdoors,\r\nincluding some with peer-to-peer functionality and C2 communication channels. During intrusions, the threat actor collects\r\nand exfiltrates documents, PDFs, and email content. In general, Secret Blizzard seeks out information of political\r\nimportance with a particular interest in advanced research that might impact international political issues. Campaigns where\r\nSecret Blizzard has used the tools or compromised infrastructure of other threat adversaries that have been publicly reported\r\nby other security vendors include:\r\nAccessing tools and infrastructure of Iranian state-sponsored threat actor Hazel Sandstorm (also called OilRig, APT-34 and Crambus) in 2017, as reported by Symantec and the US and UK intelligence services\r\nReusing Andromeda malware to deploy the KopiLuwak and QuietCanary backdoors in 2022, as reported by\r\nMandiant.\r\nUsing the backdoor of the Kazakhstan-based threat actor tracked by Microsoft Threat Intelligence as Storm-0473,\r\nalso called Tomiris, in an attempt to deploy QuietCanary in 2022, as reported by Kaspersky.\r\nWhile not unique, leveraging the access of other adversaries is a somewhat unusual attack vector for threat actors in general.\r\nSecret Blizzard’s use of this technique highlights their approach to diversifying attack vectors, including using strategic web\r\ncompromises (watering holes) and adversary-in-the-middle (AiTM) campaigns likely facilitated via legally mandated\r\nintercept systems in Russia such as the “System for Operative Investigative Activities” (SORM). 
More commonly, Secret\r\nBlizzard uses server-side and edge device compromises as initial attack-vectors to facilitate further lateral movement within\r\na network of interest.\r\nCompromise and post-compromise activities\r\nhttps://www.microsoft.com/en-us/security/blog/2024/12/04/frequent-freeloader-part-i-secret-blizzard-compromising-storm-0156-infrastructure-for-espionage/\r\nPage 1 of 9\n\nSince November 2022, Microsoft Threat Intelligence has observed Secret Blizzard compromising the C2 infrastructure of a\r\nPakistan-based espionage cluster that we track as Storm-0156. Secret Blizzard has used Storm-0156’s backdoors to deploy\r\ntheir own backdoors to compromised devices. In addition, Secret Blizzard tools have been deployed to virtual private\r\nservers (VPS) staging Storm-0156’s exfiltrated data.\r\nThe initial access mechanism used by Secret Blizzard to compromise Storm-0156 infrastructure is currently not known. In\r\nsome instances, observed by Microsoft Threat Intelligence, Storm-0156 appeared to have used the C2 server for a\r\nconsiderable amount of time, while in other observed incidents Storm-0156 began accessing the VPS when Secret Blizzard\r\ndeployed tools.\r\nOn the VPS used for C2, Storm-0156 operators consistently deploy a tool with the filename ArsenalV2%.exe. This is a\r\nserver-side C2 tool that Microsoft Threat Intelligence refers to as Arsenal. Arsenal is an executable built on top of the cross-platform application development framework QtFramework, indicating it may also be deployed on operating systems other\r\nthan Windows. Upon execution, Arsenal listens over a hardcoded port for incoming requests from controlled devices. 
Once\r\nconnected, the tool enables threat actors to upload or download files to or from the device on which it is deployed.\r\nWhen Arsenal is deployed, at least two SQLite3 databases, named ConnectionInfo.db and DownloadPriority.db, are set up.\r\nArsenal uses these databases to store and look up information in different tables, such as:\r\nUploaded files and a distinct username of the uploader\r\nAffected device information, including IP address, location, operating system version, and installed antivirus\r\nsoftware\r\nNetwork connection events, duration of the session, and timestamps like the disconnect and connect time\r\nInitially, Secret Blizzard deployed a fork of the TinyTurla backdoor to Storm-0156 C2 servers. However, since October\r\n2023, Secret Blizzard predominantly has been using a .NET backdoor that Microsoft Threat Intelligence refers to as\r\nTwoDash alongside a clipboard monitoring tool referred to as Statuezy. Shortly after we observed the deployment of these\r\ncapabilities, our partner Black Lotus Labs observed C2 communication from the Storm-0156 C2 infrastructure to dedicated\r\nSecret Blizzard C2s. This privileged position on Storm-0156 C2s has allowed Secret Blizzard to commandeer Storm-0156\r\nbackdoors such as CrimsonRAT, which was previously observed in Storm-0156 campaigns in 2023 and earlier, and a Storm-0156 Golang backdoor we refer to as Wainscot.\r\nStorm-0156 extensively uses a renamed version (cridviz.exe, crezly.exe) of the Credential Backup and Restore Wizard,\r\ncredwiz.exe which is vulnerable to DLL-sideloading, to load malicious payloads using a file name DUser.dll. Secret Blizzard\r\noften drops their own malicious payloads into a directory separate from that used by Storm-0156, but also uses credwiz.exe\r\nto load their malicious payload in a file called duser.dll. This DLL may contain a simple Meterpreter-like backdoor referred\r\nto as MiniPocket or the previously referenced TwoDash .NET backdoor. 
Secret Blizzard’s use of DLL-sideloading using the\r\nsame legitimate executable and malicious payloads having similar names to those used by Storm-0156 may indicate Secret\r\nBlizzard attempts to masquerade as Storm-0156. Another Search-Order-Hijack used by Secret Blizzard is the deployment of\r\nTwoDash into the directory c:\\windows\\system32 with the filename oci.dll and then using the default Windows installation\r\nDistributed Transaction Coordinator, msdtc.exe, to DLL-sideload the malicious payload in oci.dll as described by a\r\nPenetration Testing Lab blog published in 2020.\r\nFigure 1. Secret Blizzard and Storm-0156 chain of compromise\r\nIn August 2024, Microsoft observed Secret Blizzard using a CrimsonRAT compromise that Storm-0156 had established in\r\nMarch 2024. Secret Blizzard is assessed to have commandeered the CrimsonRAT backdoor to download and execute Secret\r\nBlizzard’s TwoDash backdoor. Additionally, Microsoft observed instances of Secret Blizzard accessing Storm-0156’s\r\nCrimsonRAT on target devices in India. One of these CrimsonRAT deployments was configured with a C2 server at Contabo\r\n(ur253.duckdns[.]org: 45.14.194[.]253), where Secret Blizzard had deployed the clipboard monitor tool in January,\r\nFebruary, and September 2024. Between May and August 2024, Black Lotus Labs confirmed network activity indicating\r\nbackdoor communication from this same CrimsonRAT C2 to known Secret Blizzard infrastructure.\r\nSecret Blizzard backdoors deployed on Storm-0156 infrastructure\r\nTinyTurla variant\r\nhttps://www.microsoft.com/en-us/security/blog/2024/12/04/frequent-freeloader-part-i-secret-blizzard-compromising-storm-0156-infrastructure-for-espionage/\r\nPage 2 of 9\n\nSimilar to the TinyTurla backdoor reported by Cisco Talos in 2021, the TinyTurla variant is installed using a batch file and\r\ndisguises itself as a Windows-based service. 
The batch file also configures a variety of registry keys used by the malware\r\nincluding Delay (sleep time), Key (public key), and Hosts (C2 addresses).\r\nFigure 2. mp.bat file containing configuring parameters for the TinyTurla variant\r\nWhile there is not complete feature parity between the TinyTurla variant sample and the sample analyzed by Cisco Talos,\r\nthere are significant functional and code overlaps.\r\nTwoDash\r\nTwoDash is a custom downloader comprised of two main components: a native Win32/64 PE file and a .NET application.\r\nThe native binary acts as a loader for the .NET application which it decrypts and executes. The .NET application conducts a\r\nbasic device survey and sends this information to the configured C2 servers. Finally, it waits for follow-on tasks, which are\r\ncompiled as additional .NET assemblies/modules.\r\nStatuezy\r\nStatuezy is a custom trojan that monitors and logs data saved to the Windows clipboard. Each time the clipboard is updated\r\nwith new data, the trojan saves the current timestamp, associated clipboard format (such as CF_TEXT), and the clipboard\r\ndata itself to a temporary file which we assess is exfiltrated by a separate malware family.\r\nMiniPocket\r\nMiniPocket is a small custom downloader that connects to a hardcoded IP address/port using TCP to retrieve and execute a\r\nsecond-stage binary.\r\nStorm-0156 backdoors used in this campaign\r\nWainscot\r\nWainscot is a Golang-based backdoor seen in the wild since at least October 2023. This backdoor can handle various\r\ncommands from C2, including launching arbitrary commands, uploading and downloading files, and taking screenshots on\r\nthe target host. Though Microsoft Threat Intelligence has primarily observed this backdoor targeting Windows users, we also\r\nhave identified public reports of a possible Wainscot variant targeting Linux-based platforms. 
Interestingly, this Linux\r\nvariant has far more features than the Windows variant.\r\nCrimsonRAT\r\nCrimsonRAT is a .NET-based backdoor with varied capabilities that has gone through multiple iterations over the years. The\r\nmost recent variant of CrimsonRAT analyzed by Microsoft Threat Intelligence can gather system information, list running\r\nprocesses, file information, download or upload files, and execute arbitrary commands on target. We also have observed\r\nCrimsonRAT dropping additional modules to act as a keylogger on the target host.\r\nWho has been affected by Secret Blizzard’s compromises using Storm-0156\r\ninfrastructure?\r\nIn Afghanistan, Secret Blizzard generally has used their positions on Storm-0156 C2 servers to deploy backdoors to devices\r\nwithin the extended Afghan government—including the Ministry of Foreign Affairs, the General Directorate of Intelligence\r\n(GDI), and foreign consulates of the government of Afghanistan. In each of these cases, we observed the deployment of\r\nStorm-0156 backdoors which were subsequently used to download the Secret Blizzard tools to target devices in Afghanistan.\r\nIn India, Secret Blizzard generally appears to have avoided direct deployment via Storm-0156 backdoors, instead deploying\r\nSecret Blizzard backdoors to C2 servers or Storm-0156 servers hosting data exfiltrated from Indian military and defense-related institutions. We observed only one instance of Secret Blizzard using a Storm-0156 backdoor to deploy the TwoDash\r\nbackdoor to a target desktop in India. The difference in Secret Blizzard’s approach in Afghanistan and India could reflect\r\npolitical considerations within the Russian leadership, differing geographical areas of responsibility within the FSB, or a\r\ncollection gap on Microsoft Threat Intelligence’s part.    
\r\nConclusion\r\nhttps://www.microsoft.com/en-us/security/blog/2024/12/04/frequent-freeloader-part-i-secret-blizzard-compromising-storm-0156-infrastructure-for-espionage/\r\nPage 3 of 9\n\nThe frequency of Secret Blizzard’s operations to co-opt or commandeer the infrastructure or tools of other threat actors\r\nsuggests that this is an intentional component of Secret Blizzard’s tactics and techniques. Leveraging this type of resource\r\nhas both advantages and drawbacks. Taking advantage of the campaigns of others allows Secret Blizzard to establish\r\nfootholds on networks of interest with relatively minimal effort. However, because these initial footholds are established on\r\nanother threat actor’s targets of interest, the information obtained through this technique may not align entirely with Secret\r\nBlizzard’s collection priorities. In addition, if the threat actor that established the initial foothold has poor operational\r\nsecurity, this technique might trigger endpoint or network security alerts on the tools deployed by the actor conducting the\r\ninitial compromise, resulting in unintended exposure of Secret Blizzard activity.\r\nMitigation and protection guidance\r\nTo harden networks against the Secret Blizzard activity listed above, defenders can implement the following:\r\nStrengthen Microsoft Defender for Endpoint configuration\r\nMicrosoft Defender XDR customers can implement attack surface reduction rules to harden an environment against\r\ntechniques used by threat actors\r\nBlock execution of potentially obfuscated scripts\r\nBlock process creations originating from PSExec and WMI commands\r\nBlock executable files from running unless they meet a prevalence, age, or trusted list criterion\r\nBlock abuse of exploited vulnerable signed drivers\r\nBlock Webshell creation for Servers\r\nEnable network protection in Microsoft Defender for Endpoint\r\nEnsure tamper protection is enabled in Microsoft Defender for Endpoint\r\nRun endpoint detection 
and response in block mode so that Microsoft Defender for Endpoint can block malicious\r\nartifacts even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is\r\nrunning in passive mode\r\nConfigure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take\r\nimmediate action on alerts to resolve breaches, significantly reducing alert volume\r\nStrengthen Microsoft Defender Antivirus configuration\r\nTurn on PUA protection in block mode in Microsoft Defender Antivirus\r\nTurn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to\r\ncover rapidly evolving threat actor tools and techniques\r\nTurn on Microsoft Defender Antivirus real-time protection\r\nStrengthen operating environment configuration\r\nEncourage users to use Microsoft Edge and other web browsers that support SmartScreen which identifies and blocks\r\nmalicious websites, including phishing sites, scam sites, and sites that host malware. 
Implement PowerShell\r\nexecution policies to control conditions under which PowerShell can load configuration files and run scripts\r\nTurn on and monitor PowerShell module and script block logging\r\nMicrosoft Defender XDR detections\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects this threat as the following malware:\r\nBackdoor:Win64/Wainscot\r\nBackdoor:MSIL/CrimsonRat.A\r\nBackdoor:MSIL/CrimsonRat.B\r\nTrojanSpy:MSIL/CrimsonRat.A\r\nTrojanDownloader:Win64/TwoDash\r\nTrojan:MSIL/ReverseRAT\r\nTrojan:Win32/TinStrut.A\r\nTrojan:Win64/TinyTurla.A\r\nTrojan:Win64/TinyTurla.B\r\nTrojan:Win32/MiniPocket.A\r\nTrojanDownloader:Win64/TwoDash.A\r\nTrojan:Win64/TwoDash.B\r\nTrojan:Win64/PostGallery.A\r\nTrojan:Win32/Statuezy.B\r\nTrojan:Win32/TinyTurla\r\nMicrosoft Defender for Endpoint\r\nThe following Microsoft Defender for Endpoint alerts can indicate associated threat activity:\r\nSecret Blizzard Actor activity detected\r\nThe following alerts might also indicate threat activity related to this threat. Note, however, these alerts also can be triggered\r\nby unrelated threat activity.\r\nAn executable file loaded an unexpected DLL file\r\nProcess loaded suspicious .NET assembly\r\nThreat intelligence reports\r\nMicrosoft customers can use the following reports in Microsoft products to get the most up-to-date information about the\r\nthreat actor, malicious activity, and techniques discussed in this blog. 
These reports provide the intelligence, protection\r\ninformation, and recommended actions to prevent, mitigate, or respond to associated threats found in customer\r\nenvironments. Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft\r\nDefender Threat Intelligence to get more information about this threat actor.\r\nMicrosoft Defender Threat Intelligence\r\nSecret Blizzard co-opts SideCopy’s infrastructure to target Afghanistan government\r\nHunting queries  \r\nMicrosoft Defender XDR\r\nThe following sample queries let you search for a week’s worth of events. To explore up to 30 days’ worth of raw data to\r\ninspect events in your network and locate potential PowerShell-related indicators for more than a week, go to the Advanced\r\nhunting page \u003e Query tab, select the calendar dropdown menu to update your query to hunt for the Last 30 days.\r\nStorm-0156 compromise-associated malware\r\nSurface events that may have involved Storm-0156 compromise-associated malware.\r\nlet fileHashes = dynamic([\"e298b83891b192b8a2782e638e7f5601acf13bab2f619215ac68a0b61230a273\",\r\n\"08803510089c8832df3f6db57aded7bfd2d91745e7dd44985d4c9cb9bd5fd1d2\",\r\n\"aba8b59281faa8c1c43a4ca7af075edd3e3516d3cef058a1f43b093177b8f83c\",\r\n\"7c4ef30bd1b5cb690d2603e33264768e3b42752660c79979a5db80816dfb2ad2\",\r\n\"dbbf8108fd14478ae05d3a3a6aabc242bff6af6eb1e93cbead4f5a23c3587ced\",\r\n\"7c7fad6b9ecb1e770693a6c62e0cc4183f602b892823f4a451799376be915912\",\r\n\"e2d033b324450e1cb7575fedfc784e66488e342631f059988a9a2fd6e006d381\",\r\n\"C039ec6622393f9324cacbf8cfaba3b7a41fe6929812ce3bd5d79b0fdedc884a\",\r\n\"59d7ec6ec97c6b958e00a3352d38dd13876fecdb2bb13a8541ab93248edde317\"\r\n]);\r\nunion\r\n(\r\nDeviceFileEvents\r\n| where SHA256 in (fileHashes)\r\n| project Timestamp, FileHash = SHA256, SourceTable = \"DeviceFileEvents\"\r\n),\r\n(\r\nDeviceEvents\r\n| where SHA256 in (fileHashes)\r\n| project Timestamp, FileHash = SHA256, SourceTable = 
\"DeviceEvents\"\r\n),\r\n(\r\nDeviceImageLoadEvents\r\n| where SHA256 in (fileHashes)\r\n| project Timestamp, FileHash = SHA256, SourceTable = \"DeviceImageLoadEvents\"\r\n),\r\n(\r\nDeviceProcessEvents\r\n| where SHA256 in (fileHashes)\r\n| project Timestamp, FileHash = SHA256, SourceTable = \"DeviceProcessEvents\"\r\n)\r\n| order by Timestamp desc\r\nMicrosoft Sentinel\r\nMicrosoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to\r\nautomatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map\r\nanalytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel\r\nContent Hub to have the analytics rule deployed in their Sentinel workspace.\r\nSearch for file-based IOCs:\r\nlet selectedTimestamp = datetime(2024-10-17T00:00:00.0000000Z);\r\nlet fileName =\r\ndynamic([\"hubstck.exe\",\"auddrv.exe\",\"lustsorelfar.exe\",\"duser.dll\",\"mfmpef.exe\",\"MpSvcS.dll\",\"WinHttpSvc.dll\",\"regsvr.exe\"]);\r\nlet FileSHA256 =\r\ndynamic([\"e298b83891b192b8a2782e638e7f5601acf13bab2f619215ac68a0b61230a273\",\"08803510089c8832df3f6db57aded7bfd2d91745e7dd44985d4c9cb9bd5f\r\nsearch in\r\n(AlertEvidence,BehaviorEntities,CommonSecurityLog,DeviceBaselineComplianceProfiles,DeviceEvents,DeviceFileEvents,DeviceImageLoadEvents,\r\nDeviceLogonEvents,DeviceNetworkEvents,DeviceProcessEvents,DeviceRegistryEvents,DeviceFileCertificateInfo,DynamicEventCollection,EmailAtt\r\nTimeGenerated between ((selectedTimestamp - 1m) .. 
(selectedTimestamp + 90d)) // from October 17th runs the search for last 90 days, change the selectedTimestamp or 90d accordingly.\r\nand\r\n(FileName in (fileName) or OldFileName in (fileName) or ProfileName in (fileName) or\r\nInitiatingProcessFileName in (fileName) or InitiatingProcessParentFileName in (fileName)\r\nor InitiatingProcessVersionInfoInternalFileName in (fileName) or InitiatingProcessVersionInfoOriginalFileName\r\nin (fileName) or PreviousFileName in (fileName)\r\nor ProcessVersionInfoInternalFileName in (fileName) or ProcessVersionInfoOriginalFileName in (fileName) or\r\nDestinationFileName in (fileName) or SourceFileName in (fileName)\r\nor ServiceFileName in (fileName) or SHA256 in (FileSHA256) or InitiatingProcessSHA256 in (FileSHA256))\r\nSearch for network IOCs:\r\nlet selectedTimestamp = datetime(2024-10-17T00:00:00.0000000Z);\r\nlet ip =\r\ndynamic([\"94.177.198.94\",\"162.213.195.129\",\"46.249.58.201\",\"95.111.229.253\",\"146.70.158.90\",\"143.198.73.108\",\"161.35.192.207\",\"91.234.33.\r\n\"167.86.118.69\",\"164.68.108.153\",\"144.91.72.17\",\"130.185.119.198\",\"176.57.184.97\",\"173.212.252.2\",\"209.126.11.251\",\"45.14.194.253\",\"37.60.236.186\",\"5.189.183.63\",\"109.123.244.46\"]);\r\nlet url = dynamic([\"connectotels.net\",\"hostelhotels.net\",\"ur253.duckdns.org\"]);\r\nsearch in\r\n(AlertEvidence,BehaviorEntities,CommonSecurityLog,DeviceInfo,DeviceNetworkEvents,DeviceNetworkInfo,DnsEvents,SecurityEvent,VMConnection,W\r\nTimeGenerated between ((selectedTimestamp - 1m) .. 
(selectedTimestamp + 90d)) // from October 17th runs the search for last 90 days, change the above selectedTimestamp or 90d accordingly.\r\nand\r\n(RemoteIP in (ip) or DestinationIP in (ip) or DeviceCustomIPv6Address1 in (ip) or DeviceCustomIPv6Address2 in\r\n(ip) or DeviceCustomIPv6Address3 in (ip) or DeviceCustomIPv6Address4 in (ip) or\r\nMaliciousIP in (ip) or SourceIP in (ip) or PublicIP in (ip) or LocalIPType in (ip) or RemoteIPType in (ip) or\r\nIPAddresses in (ip) or IPv4Dhcp in (ip) or IPv6Dhcp in (ip) or IpAddress in (ip) or\r\nNASIPv4Address in (ip) or NASIPv6Address in (ip) or RemoteIpAddress in (ip) or RemoteUrl in (url))\r\nIndicators of compromise\r\nStorm-0156 compromise-associated malware\r\nIndicator Type Association Last seen\r\ne298b83891b192b8a2782e638e7f5601acf13bab2f619215ac68a0b61230a273\r\nWainscot SHA-256\r\n(hubstck.exe)\r\nStorm-0156\r\n08803510089c8832df3f6db57aded7bfd2d91745e7dd44985d4c9cb9bd5fd1d2\r\nWainscot SHA-256\r\n(auddrv.exe)\r\nStorm-0156\r\naba8b59281faa8c1c43a4ca7af075edd3e3516d3cef058a1f43b093177b8f83c\r\nCrimsonRAT\r\nSHA-256\r\n(lustsorelfar.exe)\r\nStorm-0156\r\n7c4ef30bd1b5cb690d2603e33264768e3b42752660c79979a5db80816dfb2ad2\r\nMiniPocket\r\nSHA-256\r\n(duser.dll)\r\nSecret\r\nBlizzard\r\n \r\ndbbf8108fd14478ae05d3a3a6aabc242bff6af6eb1e93cbead4f5a23c3587ced\r\nTwoDash\r\nbackdoor SHA-256\r\n(mfmpef.exe)\r\nSecret\r\nBlizzard\r\n \r\n7c7fad6b9ecb1e770693a6c62e0cc4183f602b892823f4a451799376be915912\r\nTwoDash\r\nbackdoor SHA-256 (duser.dll)\r\nSecret\r\nBlizzard\r\n \r\ne2d033b324450e1cb7575fedfc784e66488e342631f059988a9a2fd6e006d381\r\nTinyTurla\r\nvariant SHA-256 (MpSvcS.dll)\r\nSecret\r\nBlizzard\r\n \r\nC039ec6622393f9324cacbf8cfaba3b7a41fe6929812ce3bd5d79b0fdedc884a\r\nTinyTurla\r\nvariant 
SHA-256\r\n(WinHttpSvc.dll)\r\nSecret\r\nBlizzard\r\n \r\n59d7ec6ec97c6b958e00a3352d38dd13876fecdb2bb13a8541ab93248edde317\r\nClipboard\r\nmonitor SHA-256 (regsvr.exe)\r\nSecret\r\nBlizzard\r\n \r\nconnectotels[.]net\r\nTinyTurla C2\r\ndomain\r\nSecret\r\nBlizzard\r\nApril 2022\r\nhostelhotels[.]net\r\nTinyTurla C2\r\ndomain\r\nSecret\r\nBlizzard\r\nFebruary 2023\r\n94.177.198[.]94\r\nTinyTurla C2 IP\r\naddress\r\nSecret\r\nBlizzard\r\nSeptember2022\r\n162.213.195[.]129\r\nTinyTurla C2 IP\r\naddress\r\nSecret\r\nBlizzard\r\nFebruary 2023\r\n46.249.58[.]201\r\nTinyTurla C2 IP\r\naddress\r\nSecret\r\nBlizzard\r\nFebruary 2023\r\n95.111.229[.]253\r\nTinyTurla C2 IP\r\naddress\r\nSecret\r\nBlizzard\r\nSeptember\r\n2022\r\nhttps://www.microsoft.com/en-us/security/blog/2024/12/04/frequent-freeloader-part-i-secret-blizzard-compromising-storm-0156-infrastructure-for-espionage/\r\nPage 7 of 9\n\n146.70.158[.]90\r\nMiniPocket and\r\nTwoDash C2 IP\r\naddress\r\nSecret\r\nBlizzard May 2024\r\n143.198.73[.]108\r\nTwoDash C2 IP\r\naddress\r\nSecret\r\nBlizzard\r\nSeptember2023\r\n161.35.192[.]207\r\nTwoDash C2 IP\r\naddress\r\nSecret\r\nBlizzard\r\nApril 2024\r\n91.234.33[.]48\r\nTwoDash C2 IP\r\naddress\r\nSecret\r\nBlizzard\r\nApril 2024\r\n154.53.42[.]194\r\nReverseRAT C2\r\nIP address\r\nCompromised\r\nStorm-0156\r\ninfrastructure\r\nJuly 2024\r\n38.242.207[.]36\r\nReverseRAT C2\r\nIP address\r\nCompromised\r\nStorm-0156\r\ninfrastructure\r\nMay 2023\r\n167.86.118[.]69\r\nReverseRAT C2\r\nIP address\r\nCompromised\r\nStorm-0156\r\ninfrastructure\r\nMay 2023\r\n164.68.108[.]153\r\nReverseRAT C2\r\nIP address\r\nCompromised\r\nStorm-0156\r\ninfrastructure\r\nAugust 2024\r\n144.91.72[.]17\r\nAction RAT C2\r\nIP address\r\nCompromised\r\nStorm-0156\r\ninfrastructure\r\nFebruary 2023\r\n130.185.119[.]198\r\nWainscot C2 IP\r\naddress\r\nCompromised\r\nStorm-0156\r\ninfrastructure\r\nAugust 2024\r\n176.57.184[.]97\r\nWainscot C2 
IP\r\naddress\r\nCompromised\r\nStorm-0156\r\ninfrastructure\r\nSeptember\r\n2024\r\n173.212.252[.]2 | Wainscot C2 IP address | Compromised Storm-0156 infrastructure | August 2024\r\n209.126.11[.]251 | Wainscot C2 IP address | Compromised Storm-0156 infrastructure | June 2024\r\n45.14.194[.]253 | CrimsonRAT C2 IP address | Compromised Storm-0156 infrastructure | September 2024\r\n37.60.236[.]186 | CrimsonRAT C2 IP address | Compromised Storm-0156 infrastructure | August 2024\r\n5.189.183[.]63 | CrimsonRAT C2 IP address | Compromised Storm-0156 infrastructure | August 2024\r\n109.123.244[.]46 | C2 Server hosting exfiltrated target data | Compromised Storm-0156 infrastructure | August 2024\r\nReferences\r\nhttps://attack.mitre.org/groups/G1008/\r\nhttps://attack.mitre.org/groups/G0134/\r\nhttps://www.microsoft.com/en-us/security/blog/2024/12/04/frequent-freeloader-part-i-secret-blizzard-compromising-storm-0156-infrastructure-for-espionage/\r\nPage 8 of 9\n\nhttps://blog.lumen.com/snowblind-the-invisible-hand-of-secret-blizzard/\r\nhttps://securelist.com/the-epic-turla-operation/65545/\r\nhttps://www.darkreading.com/endpoint-security/upgraded-kazuar-backdoor-offers-stealthy-power\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a\r\nhttps://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet\r\nhttps://attack.mitre.org/groups/G0010/\r\nhttps://symantec-enterprise-blogs.security.com/threat-intelligence/waterbug-espionage-governments\r\nhttps://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021 ver 4 – nsa.gov.pdf\r\n
https://attack.mitre.org/software/S1074/\r\nhttps://attack.mitre.org/software/S1075/\r\nhttps://attack.mitre.org/software/S1076/\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/turla-galaxy-opportunity/\r\nhttps://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/\r\nhttps://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/\r\nhttps://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/\r\nhttps://www.welivesecurity.com/2018/01/09/turlas-backdoor-laced-flash-player-installer/\r\nhttps://blog.talosintelligence.com/tinyturla/\r\nhttps://www.sentinelone.com/labs/transparent-tribe-apt36-pakistan-aligned-threat-actor-expands-interest-in-indian-education-sector/\r\nhttps://www.trendmicro.com/en_dk/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html\r\nhttps://pentestlab.blog/2020/03/04/persistence-dll-hijacking/\r\nhttps://attack.mitre.org/software/S0668/\r\nhttps://blog.talosintelligence.com/tinyturla/#:~:text=Cisco%20Secure%20Malware%20Analytics%20(Threat%20Grid)\r\nhttps://www.darkreading.com/cyberattacks-data-breaches/russian-hackers-using-iranian-apt-s-infrastructure-in-widespread-attacks\r\nhttps://www.securityweek.com/russian-turla-cyberspies-leveraged-other-hackers-usb-delivered-malware/\r\nLearn more\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat\r\nIntelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us on LinkedIn at\r\nhttps://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter)\r\nat https://twitter.com/MsftSecIntel.\r\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape,\r\nlisten to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.\r\n
Source: https://www.microsoft.com/en-us/security/blog/2024/12/04/frequent-freeloader-part-i-secret-blizzard-compromising-storm-0156-infrastructure-for-espionage/\r\nPage 9 of 9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2024/12/04/frequent-freeloader-part-i-secret-blizzard-compromising-storm-0156-infrastructure-for-espionage/"
	],
	"report_names": [
		"frequent-freeloader-part-i-secret-blizzard-compromising-storm-0156-infrastructure-for-espionage"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "493c47f7-b265-4b10-95de-d86af942c543",
			"created_at": "2023-04-27T02:04:45.385041Z",
			"updated_at": "2026-04-10T02:00:04.939878Z",
			"deleted_at": null,
			"main_name": "Tomiris",
			"aliases": [],
			"source_name": "ETDA:Tomiris",
			"tools": [
				"JLOGRAB",
				"JLORAT",
				"Kapushka",
				"KopiLuwak",
				"Meterpreter",
				"QUIETCANARY",
				"RATel",
				"RocketMan",
				"Roopy",
				"Telemiris",
				"Tomiris",
				"Topinambour",
				"Tunnus",
				"Warzone",
				"Warzone RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "496581d1-3674-4e00-bad1-59b8b764bd21",
			"created_at": "2025-01-27T02:00:02.938071Z",
			"updated_at": "2026-04-10T02:00:03.57364Z",
			"deleted_at": null,
			"main_name": "Storm-0473",
			"aliases": [
				"UNC2849"
			],
			"source_name": "MISPGALAXY:Storm-0473",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434736,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8fe0c037b9f4a1ff88c4da571637f182e39af1bc.pdf",
		"text": "https://archive.orkl.eu/8fe0c037b9f4a1ff88c4da571637f182e39af1bc.txt",
		"img": "https://archive.orkl.eu/8fe0c037b9f4a1ff88c4da571637f182e39af1bc.jpg"
	}
}