{
	"id": "83c86a11-8c03-45dd-8a28-f2b2c5d4b72d",
	"created_at": "2026-04-06T00:11:51.161433Z",
	"updated_at": "2026-04-10T03:38:19.357875Z",
	"deleted_at": null,
	"sha1_hash": "9057cd208f5bbbc5c67b0805fe9d43b36f6cd042",
	"title": "APT trends report Q1 2022",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 80911,
	"plain_text": "APT trends report Q1 2022\r\nBy GReAT\r\nPublished: 2022-04-27 · Archived: 2026-04-05 18:41:42 UTC\r\nFor five years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly\r\nsummaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence\r\nresearch; and they provide a representative snapshot of what we have published and discussed in greater detail in\r\nour private APT reports. They are designed to highlight the significant events and findings that we feel people\r\nshould be aware of.\r\nThis is our latest installment, focusing on activities that we observed during Q1 2022.\r\nReaders who would like to learn more about our intelligence reports or request more information on a specific\r\nreport, are encouraged to contact intelreports@kaspersky.com.\r\nDisclaimer: when referring to APT groups as Russian-speaking, Chinese-speaking or other-“speaking”\r\nlanguages, we refer to various artefacts used by the groups (such as malware debugging strings, comments found\r\nin scripts, etc.) containing words in these languages, based on the information we obtained directly or which is\r\notherwise publicly known and reported widely. The use of certain languages does not necessarily indicate a\r\nspecific geographic relation but rather points to the languages that the developers behind these APT artefacts use.\r\nOn January 14, 70 Ukrainian websites were defaced: the attackers posted the message “be afraid and expect the\r\nworst”. The defacement message on the Ministry of Foreign Affairs website, written in Ukrainian, Russian and\r\nPolish, suggested that personal data uploaded to the site had been destroyed. Subsequently, DDoS attacks hit\r\nseveral government websites. The following day, Microsoft reported that it had found destructive malware,\r\ndubbed WhisperGate, on the systems of government bodies and agencies that work closely with the Ukrainian\r\ngovernment. 
We analyzed the associated samples and concluded that the deployed malware was not comparable in\r\ncomplexity or code similarity to malware leveraged in previous destruction campaigns such as NotPetya or\r\nBadRabbit; but was much more reminiscent of that typically used by cybercriminals. We also identified two\r\nsamples developed in December 2021 containing test strings and preceding revisions of the ransom note observed\r\nin Microsoft’s shared samples. It remains unclear who is behind the attack, although Serhiy Demedyuk, deputy\r\nsecretary of Ukraine’s National Security and Defense Council, stated that it was the work of UNC1151, a threat\r\nactor believed to be linked to Belarus. Throughout our investigation, we identified two samples developed in\r\nDecember 2021 containing test strings and earlier revisions of the ransom note observed in Microsoft’s shared\r\nsamples. We concluded with high confidence that these samples were earlier iterations of the wiper reportedly\r\nused in Ukraine. Additionally, we suspect that the MBR wiper was initially developed at that time and repurposed\r\nmore recently for the above campaign. This could have been done either by an advanced actor with the intention\r\nof conveying the false notion that the operation was being conducted by criminals; or in cooperation with lower-tier threat actors who contributed their own resources.\r\nhttps://securelist.com/apt-trends-report-q1-2022/106351/\r\nPage 1 of 8\n\nOn January 26, CERT-UA published a report showing code similarity between WhisperKill (the file wiper used\r\nduring the WhisperGate campaign) and WhiteBlackCrypt, a wiper used in the first quarter of 2021. While we were\r\nunable to obtain the same results by analyzing the CERT-UA samples, we subsequently identified a different\r\nWhiteBlackCrypt sample matching the WhisperKill architecture and sharing similar code. 
We also investigated\r\nthe Bitcoin wallets used by both WhisperGate and WhiteBlackCrypt, but were unable to uncover any link between\r\nthe two.\r\nOn February 23, ESET published a tweet announcing new wiper malware targeting Ukraine. The malware was\r\nmore advanced than the samples identified earlier in the year that we documented in two of our private reports.\r\nThis wiper, named HermeticWiper by the research community, abuses legitimate drivers from EaseUS Partition\r\nMaster to corrupt the drivers of the compromised system. One of the identified samples was compiled on\r\nDecember 28, 2021, suggesting that this destructive campaign had been planned for months. At the time of\r\npublication, we had not identified any similarities between HermeticWiper and other known malware.\r\nThe following day, Avast Threat Research announced the discovery of new Golang ransomware in Ukraine, which\r\nthey dubbed HermeticRansom. This malware was found around the same time as HermeticWiper; and publicly\r\navailable information from the security community indicated that it was used in recent cyberattacks in Ukraine.\r\nDue to its unsophisticated style and poor implementation, this new ransomware was probably only a smokescreen\r\nfor the HermeticWiper attack. We named this malware\r\nElections GoRansom.\r\nIn late February 2022, we identified two archives submitted from network addresses in Ukraine to an online multi-scanner service. Both archives leveraged the name of the Security Service of Ukraine (SBU or СБУ) to trick\r\ntargets into executing a Remote Access Tool (RAT). We were unable to determine the ultimate goal of deploying\r\nsuch RATs, or associate the campaigns with any known threat actor, but the two archives appear linked together\r\nand may have been deployed by the same operators. 
Such threats pose a risk to Ukrainian organizations and their\r\npartners, as well as foreign organizations with premises in Ukraine. The RAT deployment campaigns look like\r\nthey are targeted at developing access at scale in Ukraine, which could match activities from criminal groups that\r\npledged allegiance to Russia, and may enable further destructive activities.\r\nOn March 1, ESET published a blog post related to wipers used in Ukraine and to the ongoing conflict: in addition\r\nto HermeticWiper, this post introduced IsaacWiper, used to target specific machines previously compromised with\r\nanother remote administration tool named RemCom, commonly used by attackers for lateral movement within\r\ncompromised networks. Contrary to reporting from other vendors, this wiper does not leverage the Isaac PRNG.\r\nOn March 10, researchers from the Global Research and Analysis Team shared their insights into past and present\r\ncyberattacks in Ukraine. You can find the recording of the webinar here and a summary/Q\u0026A here.\r\nOn March 22, the Ukraine CERT published a new alert about the DoubleZero wiper targeting the country. This is\r\na new wiper, written in .NET, with no similarities to previously discovered wipers targeting Ukrainian entities.\r\nAccording to the CERT public statement, the campaign took place on March 17, when several targets in Ukraine\r\nreceived a ZIP archive with the filename “Вирус… крайне опасно!!!.zip” (translation: “Virus… extremely\r\ndangerous!!!.zip”).\r\nRussian-speaking activity\r\nIn December 2021, as a result of our continued monitoring of the activities of the DustSquad threat actor, we\r\nobserved new infrastructure and tools being used alongside the already known Octopus Trojan. We had initially\r\nanalyzed this Delphi malware in April 2018. 
Since then, the actor has continued to target diplomatic entities of\r\nseveral Central Asian countries; and, according to our telemetry, their consulates in APAC and the Middle East are\r\nalso affected by recent campaigns. Octopus is only one of DustSquad’s tools, along with other Windows and\r\nAndroid malware such as Zaka, Akinak and Harpoon. For Windows development, Delphi has been the group’s\r\ntraditional programming language of choice. The actor maintains a two-layered communication scheme, with\r\nrelays and real C2s, utilizing a JSON-formatted base64-encoded network communication protocol, via the use of a\r\nthird-party IndyProject library. We have previously seen DustSquad use third-party post-exploitation tools, such as\r\nthe password dumping utility fgdump; but we have now observed new custom C modules, a first for DustSquad,\r\nand Delphi downloaders acting as post-exploitation facilitators, able to gather documents of interest for the actor.\r\nMalicious Windows executables have also been compiled with GCC under the MinGW environment.\r\nChinese-speaking activity\r\nWhile hunting for malicious IIS modules, following our earlier reports about the mass exploitation of ProxyLogon\r\nand the Owowa module, we identified another backdoor module that has been widely deployed since at least June\r\n2021. We named it BlackMoule, as we believe it is an update of BlackMould, a malicious tool that was briefly\r\nmentioned by Microsoft in late 2019 as part of GALLIUM activities against telecoms companies (aka Operation\r\nSoftCell).\r\nIn May 2021, we reported on Websiic, a cluster of activities that formed a set of attacks against high-profile\r\ntargets in Europe and Asia. The attackers used the infamous ProxyLogon exploit to compromise Exchange servers\r\nand deploy a China Chopper web shell, which was in turn used to start a sophisticated infection scheme leading to\r\nthe execution of a new backdoor that we dubbed Samurai. 
The toolset includes several unique loaders and\r\ninstallers that had not previously been observed and can be used to load malicious payloads directly into memory,\r\nusually in the context of a legitimate process such as svchost.exe. We discovered continued activity involving\r\nmultiple new loaders and installers, which were supposedly used to deploy different malicious payloads. We also\r\nobserved that the malware was exclusively used against servers until August 2021; but starting from September,\r\nsimilar samples were also observed targeting desktop environments via messaging applications such as Telegram.\r\nDespite the discovery of weak ties to the FunnyDream cluster, we were unable to confidently attribute this new\r\ncampaign to an existing group, so we dubbed the threat actor behind these attack clusters ToddyCat. Our private\r\nreport on the matter takes a closer look at the available evidence: we concluded that the overlaps are weak but\r\nunlikely to be coincidental, leading us to believe that the actor behind Websiic might be part of the Chinese-speaking nebulae.\r\nAt the end of January, the BfV (Federal Office for the Protection of the Constitution of Germany) issued a report\r\ndetailing activity by the APT27 group (aka LuckyMouse) targeting German commercial companies. Their analysis\r\noutlines the usage of a common infection triad leveraged by the group, whereby a legitimate executable\r\n(mempeng.exe or vfhost.exe) side-loads a malicious DLL (vftrace.dll), which in turn invokes the execution of the\r\nHyperBro malware from position-independent code found within a third file (thumb.dat). 
By investigating this\r\nthreat through the lens of Kaspersky’s telemetry, we found an identical intrusion set targeting an enterprise in\r\nTaiwan that deals with the manufacture of smart city technology, which may suggest an intent to steal intellectual\r\nproperty, possibly as a means of leveraging the same technology as an instrument of surveillance. Another victim\r\nin which the same chain was exhibited is a computer game manufacturer in Cambodia, where the attack could\r\nhave been used for a different purpose, possibly to infiltrate the company’s supply chain. We determined that the\r\nattackers were able to spread across the network and remain active within it for months, while making use of\r\nvarious tools. In addition to the infection chain outlined above, we found post-exploitation tools that were not\r\nmentioned by the BfV, including a custom-written keylogger and a publicly available SSH and SFTP credential\r\nstealer. Interestingly, we were able to observe the presence of a second malware loader on several hosts in the\r\nnetwork that coincided with the deployment of the HyperBro implant. This loader leverages a fake Flash installer\r\nimplanted with shellcode that is used to fetch a Cobalt Strike payload from a remote C2 server. At the time of\r\nwriting, we can only assess with medium confidence that this tool is indeed associated with the group’s activity,\r\nindicating a possible sharing of initial access to the network with an external entity, or usage of Cobalt Strike as an\r\nalternative to HyperBro in the case of unsuccessful deployment.\r\nMiddle East\r\nWhile hunting for malicious modules for Microsoft IIS servers, we identified a poorly detected and widely\r\ndeployed module that we call XTest. 
XTest is based on the publicly available IIS-Raid open source, and was\r\nidentified on hundreds of servers in late February, with 95 percent of them still being compromised at the time of\r\nour report. We were not able to determine the exact purpose XTest serves the threat actors, but we believe, with\r\nlow confidence, that the module may have been deployed as part of malicious activities from the APT35 actor\r\n(aka Charming Kitten and Phosphorus).\r\nSoutheast Asia and Korean Peninsula\r\nWe reported recent, ongoing malicious activity that we attribute to the threat actor Sidecopy, targeting government\r\nstaff in India. In addition to the known malware types deployed in past campaigns by this actor, such as\r\nMargulasRAT, we identified a cluster of activity targeting Linux and macOS platforms, including an unknown\r\nGolang-based Linux RAT that we attribute exclusively to this group. The supporting infrastructure for this\r\noperation overlaps with an operation described in a report published by Cisco Talos in September 2021, which\r\ndiscusses a campaign targeting government personnel in India using Netwire and Warzone (aka AveMaria RAT)\r\ndating back to the end of 2020. According to the authors, the decoys, used in malicious documents and spread in\r\nthe early stages of these operations, resemble the one used by TransparentTribe (aka APT36 and Mythic Leopard)\r\nand Sidecopy. Our private report provides additional and updated indicators of compromise (IoCs) in the context\r\nof the same campaign and a description of some Linux and macOS malware that the group behind it has recently\r\nadopted.\r\nWe identified three campaigns linked to the Konni threat actor, active since mid-2021, targeting Russian\r\ndiplomatic entities. 
While the attackers used the same Konni RAT implant throughout the different campaigns, the\r\ninfection vectors were different in each campaign: documents containing embedded macros, an installer\r\nmasquerading as a COVID-19 registration application and, finally, a downloader with a new year screensaver\r\ndecoy. We also identified post-exploitation tools exclusively used by Konni following a successful infection.\r\nThese are capable of taking screenshots of the active window, deploying a keylogger or listing the connected USB\r\ndevices and their content. The tools align with the threat actor’s goal of stealing sensitive information from\r\ninfected systems. We found overlaps in the infrastructure used by a tunneling tool used by the actor and several\r\npossible phishing websites set up within the above time frame. One of the registered domains shared similarities\r\nwith another domain attributed to TA406 that, according to ProofPoint, incorporates the Konni APT.\r\nMonitoring APT10 activities, we discovered new variants of its tools being used against the same targets as in\r\nprevious campaigns – Japanese government agencies and diplomatic entities. We have seen versions of the\r\nLODEINFO backdoor through v0.4.7, v0.4.8, v0.4.9, v0.5.6, and v0.5.8 from January to December 2021, while\r\nLilim RAT received an update to v1.4.1 in June 2021. In 2020, we published private reports featuring\r\nLODEINFO, a sophisticated fileless malware first mentioned in a blogpost from JPCERT/CC3. In these reports,\r\nwe mentioned new families of fileless malware known as DOWNJPIT and Lilim RAT, which replaced the existing\r\ntools of the trade. Further, we disclosed, with high confidence, that LODEINFO and its related activities were\r\nattributed to APT10, the infamous Chinese-speaking actor. 
Our latest report on this subject includes technical\r\nanalysis of the new versions of LODEINFO and Lilim RAT and reviews updates to the malware. In particular,\r\nLODEINFO v0.5.6 and v0.5.8 introduced obfuscated backdoor command identifiers to slow down the reversing\r\nprocess. They also implemented the Vigenere cipher to evade detection by certain security products.\r\nWe recently discovered a Trojanized DeFi application, compiled in November 2021. This application contains a\r\nlegitimate program called DeFi Wallet, that saves and manages a cryptocurrency wallet, but also implants a\r\nmalicious file when executed. This malware is a fully featured backdoor containing sufficient capabilities to\r\ncontrol the compromised victim. After looking into the functionalities of this backdoor, we discovered numerous\r\noverlaps with other tools used by the Lazarus group. The malware operator exclusively used compromised web\r\nservers located in South Korea for this attack. To take over the servers, we worked closely with a local CERT and,\r\nas a result of this effort, we had the opportunity to investigate a Lazarus group C2 server. The threat actor\r\nconfigured this infrastructure with servers set up as multiple stages. The first stage is the source for the backdoor,\r\nwhile the purpose of the second stage server is to communicate with the implants. This represents a common\r\nscheme for Lazarus infrastructure. From the log files originating from the C2 servers, a number of infected hosts\r\nare visible. By only using IP addresses we weren’t able to confirm the exact victims of this campaign, given that\r\nsome may belong to researchers, but they did reveal that this attack targeted entities and/or individuals at a global\r\nlevel.\r\nSince October 2021, the Sidewinder threat actor has been using new malicious JS code with recently created C2\r\nserver domains. The attack targets victims with spear-phishing emails containing malicious OOXML files. 
The\r\nOOXML files have an external reference to the attacker’s server and download an RTF document exploiting the\r\nCVE-2017-11882 vulnerability. The RTF documents have an embedded JS script in an OLE object that is dropped\r\nonto the victim’s machine. Sidewinder has been using this infection chain for over a year; we provided details of\r\nthese modules and described further payloads in our previous report. Our last report, in November, showed that\r\nSidewinder’s use of the obfuscated JS script has decreased in recent months. Closer investigation of the attacks\r\nperformed in that period revealed dozens of detections of a new obfuscation technique used in their JS script,\r\nwhile the rest of the infection chain remained fairly consistent. The new attacks use the same infection chain,\r\ntargeting other victims from their traditional victim profile as well as a number of victims in countries that were\r\nnot traditionally of interest to SideWinder, such as Singapore. The timestamp of the detections and the registration\r\nof the servers used by Sidewinder in these attacks suggest that they started preparing the infrastructure and\r\nregistering domains for their new wave of attacks in late September. In early October they updated their toolset\r\nwith new JS obfuscation techniques, and while they continued the use of their old obfuscation routine for a while,\r\nthey have slowly switched completely to the new one. We described the attacks using the new obfuscated JS\r\nscripts in our most recent private report. The attackers also used a new technique to reduce the suspicion raised by\r\nsome of their spear-phishing documents that had no text content. 
They followed their first attempt to attack the\r\nvictim – a spear-phishing email containing a malicious RTF exploit file – with another similar email, but in this\r\ncase the title of the malicious document was “_Apology Letter.docx”, and it contained some text explaining that\r\nthe previous email was sent in error and that they are reaching out to apologize for that mistake.\r\nIn January, a trusted source forwarded a suspicious email to us. This email is disguised as an invitation from the\r\nrenowned PyeongChang Peace forum and contains a DropBox link in the email body. The fetched file from the\r\nDropBox link contains a malicious Windows shortcut file capable of downloading the next stage payload from the\r\nattacker’s server. Fortunately, we were able to acquire the samples from the remote server. We dubbed this\r\nmalware Phontena; and our analysis revealed the entire infection chain of this attack, made up of multiple stages.\r\nFrom our telemetry, we discovered a full-featured backdoor that is probably the final payload of this infection.\r\nAfter analyzing the samples from the remote server, we recognized that the actor behind this attack was associated\r\nwith information published by another vendor about a threat actor named APT-C-601 or APT-Q-122. Based on the\r\nmalware sample we discovered, we assess that this group has many overlaps with the DarkHotel group. Malware\r\nused in previous DarkHotel activity, as well as the samples discovered as part of this research, has very similar C2\r\ncommunication and internal mechanisms. Moreover, the malware author left Korean comments in one of the\r\nstager payloads.\r\nTwo years after we first reported the activities of a threat actor we named FishingElephant, the group continues to\r\ntarget victims in Bangladesh and Pakistan. 
While we identified the use of a new keylogger by FishingElephant, it\r\nappears that the group still mainly relies on the same TTPs (such as payload and communication patterns) that\r\nwere covered in our initial reports.\r\nToddyCat, a relatively new APT actor, is responsible for multiple attacks detected since December 2020. In the\r\nfirst wave of attacks, dubbed Websiic, the attackers exploited a ProxyLogon vulnerability to compromise\r\nExchange Servers of high-profile organizations in Europe and Asia. More recently, we detected a new set of\r\nattacks against desktop machines starting in September 2021, named Ninja by the attacker. This Trojan provides a\r\nlarge set of commands allowing the attackers to control target computers. Some capabilities we analyzed are\r\nsimilar to those provided in other notorious post-exploitation toolkits.\r\nOther interesting discoveries\r\nIn December we were made aware of a UEFI firmware-level compromise through logs from our firmware\r\nscanning technology. Further analysis showed that the attackers modified a single component within the firmware\r\nto append a payload to one of its sections and incorporate inline hooks within particular functions. These changes\r\nallowed the attackers to intercept the original flow of the firmware code and have it executed alongside a\r\nsophisticated infection chain. The introduced malicious flow, in turn, is in charge of persistently executing a\r\nmalware stager from a Windows service once the operating system is running. By examining other IoCs from the\r\nsame network, we gathered a trove of evidence that led us to assess, with medium-to-high confidence, that the\r\nthreat actor involved is closely tied to the APT41 group. More specifically, we inspected communication of other\r\nnodes in the same network to infrastructure related to the server from which the payload is retrieved by the\r\nmalicious stager. 
This traffic originated from an in-memory modular implant dubbed ScrambleCross, known to be\r\nin use by APT41 or a closely affiliated actor. Although we have covered several UEFI-based infections in APT\r\nreports in the last few months, those were cases operating through modifications introduced to the Windows boot\r\nloader image, which resides on the ESP partition on disk and can be remediated through a reinstallation of the\r\noperating system. In this case, however, the malware was found in an image typically based in the SPI flash,\r\nwhich is outside the hard disk and therefore withstands formatting or disk replacement. To the best of our\r\nknowledge, this is only the third known case found in the wild of a comparable UEFI implant, following LowJax\r\nand MosaicRegressor.\r\nWhile hunting for recent Deathstalker intrusions, we identified a new Janicab variant used in targeting legal\r\nentities in the Middle East during 2020, possibly active into early 2021 and potentially extending an extensive\r\ncampaign that can be traced back to early 2015 targeting legal, financial and travel organizations in the Middle\r\nEast and Europe. Janicab was first introduced in 2013 as malware able to run on macOS and Windows operating\r\nsystems. The Windows version has a VBS script-based implant as the final stage, instead of the C#/PowerShell\r\ncombination observed previously in Powersing samples. The VBS-based implant samples we have identified to\r\ndate have a range of version numbers, meaning it was, and still is, in development. Overall, Janicab shows the\r\nsame functionalities as its counterpart malware families, but instead of downloading several tools later in the\r\nintrusion lifecycle, as the group used to do with EVILNUM and Powersing intrusions, the analyzed samples have\r\nmost of the tools embedded and obfuscated within the dropper. 
Interestingly, the threat actor continues to use\r\nYouTube, Google+, and WordPress web services as Dead Drop Resolvers (DDRs). However, some of the\r\nYouTube links observed are unlisted and go back to 2015, indicating possible re-use of infrastructure. Law firms\r\nand financial institutions remain the sectors most affected by DeathStalker. However, in the intrusions we\r\nanalyzed recently, we suspect that travel agencies are a new vertical that we haven’t previously seen this threat\r\nactor targeting.\r\nWe recently identified additional malicious activities, conducted by Tomiris operators since at least October 2021,\r\nagainst government, telecoms and engineering organizations in Kyrgyzstan, Afghanistan and Russia. In July 2021,\r\nwe reported the previously unknown Tomiris Golang backdoor, deployed against government organizations within\r\na CIS country through DNS hijacking. We exposed similarities between DarkHalo’s SunShuttle backdoor and the\r\nTomiris implant. Later in 2021, we uncovered associated malicious activities that also used the open-source RATel\r\nimplant to target several government organizations within Russia and Central Asia, while drawing an additional\r\npossible link between Tomiris operators and UNC1514.\r\nFinal thoughts\r\nWhile the TTPs of some threat actors remain consistent over time, relying heavily on social engineering as a\r\nmeans of gaining a foothold in a target organization or compromising an individual’s device, others refresh their\r\ntoolsets and extend the scope of their activities. Our regular quarterly reviews are intended to highlight the key\r\ndevelopments of APT groups.\r\nHere are the main trends that we’ve seen in Q1 2022:\r\nGeopolitics has always been a key driver of APT developments; never more so than during a period of\r\nopen warfare, as illustrated by the various cyberattacks related to the conflict in Ukraine. 
We have, of\r\ncourse, seen other activity centered around geopolitics, including the Konni and APT10 campaigns.\r\nOne of the trends we discussed in our 2021 APT review and predictions for 2022 was the further\r\ndevelopment of low-level implants. Moonbounce provides a striking example of this trend.\r\nAs always, we would note that our reports are the product of our visibility into the threat landscape. However, it\r\nshould be borne in mind that, while we strive to continually improve, there is always the possibility that other\r\nsophisticated attacks may fly under our radar.\r\nSource: https://securelist.com/apt-trends-report-q1-2022/106351/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/apt-trends-report-q1-2022/106351/"
	],
	"report_names": [
		"106351"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1dadf04e-d725-426f-9f6c-08c5be7da159",
			"created_at": "2022-10-25T15:50:23.624538Z",
			"updated_at": "2026-04-10T02:00:05.286895Z",
			"deleted_at": null,
			"main_name": "Darkhotel",
			"aliases": [
				"Darkhotel",
				"DUBNIUM",
				"Zigzag Hail"
			],
			"source_name": "MITRE:Darkhotel",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "978775b9-369d-44f7-8a42-76d7b9cb42d5",
			"created_at": "2022-10-25T15:50:23.846105Z",
			"updated_at": "2026-04-10T02:00:05.36378Z",
			"deleted_at": null,
			"main_name": "Nomadic Octopus",
			"aliases": [
				"Nomadic Octopus",
				"DustSquad"
			],
			"source_name": "MITRE:Nomadic Octopus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f7aa6029-2b01-4eee-8fe6-287330e087c9",
			"created_at": "2022-10-25T16:07:23.536763Z",
			"updated_at": "2026-04-10T02:00:04.646542Z",
			"deleted_at": null,
			"main_name": "Deceptikons",
			"aliases": [
				"DeathStalker",
				"Deceptikons"
			],
			"source_name": "ETDA:Deceptikons",
			"tools": [
				"EVILNUM",
				"Evilnum",
				"Janicab",
				"PowerPepper",
				"Powersing",
				"VileRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "493c47f7-b265-4b10-95de-d86af942c543",
			"created_at": "2023-04-27T02:04:45.385041Z",
			"updated_at": "2026-04-10T02:00:04.939878Z",
			"deleted_at": null,
			"main_name": "Tomiris",
			"aliases": [],
			"source_name": "ETDA:Tomiris",
			"tools": [
				"JLOGRAB",
				"JLORAT",
				"Kapushka",
				"KopiLuwak",
				"Meterpreter",
				"QUIETCANARY",
				"RATel",
				"RocketMan",
				"Roopy",
				"Telemiris",
				"Tomiris",
				"Topinambour",
				"Tunnus",
				"Warzone",
				"Warzone RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f29188d8-2750-4099-9199-09a516c58314",
			"created_at": "2025-08-07T02:03:25.068489Z",
			"updated_at": "2026-04-10T02:00:03.827361Z",
			"deleted_at": null,
			"main_name": "MOONSCAPE",
			"aliases": [
				"TA445 ",
				"UAC-0051 ",
				"UNC1151 "
			],
			"source_name": "Secureworks:MOONSCAPE",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3917d167-449d-423a-89db-41f49716a6d7",
			"created_at": "2023-03-04T02:01:54.083975Z",
			"updated_at": "2026-04-10T02:00:03.355386Z",
			"deleted_at": null,
			"main_name": "TA406",
			"aliases": [],
			"source_name": "MISPGALAXY:TA406",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b98eb1ec-dc8b-4aea-b112-9e485408dd14",
			"created_at": "2022-10-25T16:07:23.649308Z",
			"updated_at": "2026-04-10T02:00:04.701157Z",
			"deleted_at": null,
			"main_name": "FunnyDream",
			"aliases": [
				"Bronze Edgewood",
				"Red Hariasa",
				"TAG-16"
			],
			"source_name": "ETDA:FunnyDream",
			"tools": [
				"Chinoxy",
				"Filepak",
				"FilepakMonitor",
				"FunnyDream",
				"Keyrecord",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Md_client",
				"PCShare",
				"ScreenCap",
				"TcpBridge",
				"Tcp_transfer",
				"ccf32"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70661552-6715-4750-bf4e-527055d3e7b4",
			"created_at": "2023-11-08T02:00:07.114392Z",
			"updated_at": "2026-04-10T02:00:03.417207Z",
			"deleted_at": null,
			"main_name": "DustSquad",
			"aliases": [
				"Nomadic Octopus"
			],
			"source_name": "MISPGALAXY:DustSquad",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bf3ffe5-09ba-4378-8ea4-a6d748a494fd",
			"created_at": "2022-10-25T15:50:23.264584Z",
			"updated_at": "2026-04-10T02:00:05.334294Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"GALLIUM",
				"Granite Typhoon"
			],
			"source_name": "MITRE:GALLIUM",
			"tools": [
				"ipconfig",
				"cmd",
				"China Chopper",
				"PoisonIvy",
				"at",
				"PlugX",
				"PingPull",
				"BlackMould",
				"Mimikatz",
				"PsExec",
				"HTRAN",
				"NBTscan",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "119c8bea-816e-4799-942b-ff375026671e",
			"created_at": "2022-10-25T16:07:23.957309Z",
			"updated_at": "2026-04-10T02:00:04.807212Z",
			"deleted_at": null,
			"main_name": "Operation Ghostwriter",
			"aliases": [
				"DEV-0257",
				"Operation Asylum Ambuscade",
				"PUSHCHA",
				"Storm-0257",
				"TA445",
				"UAC-0051",
				"UAC-0057",
				"UNC1151",
				"White Lynx"
			],
			"source_name": "ETDA:Operation Ghostwriter",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"HALFSHELL",
				"Impacket",
				"RADIOSTAR",
				"VIDEOKILLER",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b13c19d6-247d-47ba-86ba-15a94accc179",
			"created_at": "2024-05-01T02:03:08.149923Z",
			"updated_at": "2026-04-10T02:00:03.763147Z",
			"deleted_at": null,
			"main_name": "TUNGSTEN BRIDGE",
			"aliases": [
				"APT-C-06 ",
				"ATK52 ",
				"CTG-1948 ",
				"DUBNIUM ",
				"DarkHotel ",
				"Fallout Team ",
				"Shadow Crane ",
				"Zigzag Hail "
			],
			"source_name": "Secureworks:TUNGSTEN BRIDGE",
			"tools": [
				"Nemim",
				"Tapaoux"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d67df52c-a901-4d55-b287-321818500789",
			"created_at": "2024-04-24T02:00:49.591518Z",
			"updated_at": "2026-04-10T02:00:05.314272Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"ToddyCat"
			],
			"source_name": "MITRE:ToddyCat",
			"tools": [
				"Cobalt Strike",
				"LoFiSe",
				"China Chopper",
				"netstat",
				"Pcexter",
				"Samurai"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4c4e1108-8c11-48e3-91e3-95c24042f3a5",
			"created_at": "2022-10-25T16:07:24.329539Z",
			"updated_at": "2026-04-10T02:00:04.939013Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"Operation Stayin’ Alive",
				"Storm-0247"
			],
			"source_name": "ETDA:ToddyCat",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"Cuthead",
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"Krong",
				"LoFiSe",
				"Ngrok",
				"PcExter",
				"PsExec",
				"SIMPOBOXSPY",
				"Samurai",
				"SinoChopper",
				"SoftEther VPN",
				"TomBerBil",
				"WAExp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2b4eec94-7672-4bee-acb2-b857d0d26d12",
			"created_at": "2023-01-06T13:46:38.272109Z",
			"updated_at": "2026-04-10T02:00:02.906089Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"T-APT-02",
				"Nemim",
				"Nemin",
				"Shadow Crane",
				"G0012",
				"DUBNIUM",
				"Karba",
				"APT-C-06",
				"SIG25",
				"TUNGSTEN BRIDGE",
				"Zigzag Hail",
				"Fallout Team",
				"Luder",
				"Tapaoux",
				"ATK52"
			],
			"source_name": "MISPGALAXY:DarkHotel",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "60d96824-1767-4b97-a6c7-7e9527458007",
			"created_at": "2023-01-06T13:46:39.378701Z",
			"updated_at": "2026-04-10T02:00:03.307846Z",
			"deleted_at": null,
			"main_name": "ToddyCat",
			"aliases": [
				"Websiic"
			],
			"source_name": "MISPGALAXY:ToddyCat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f6fe4b4f-9694-4ffc-94ef-a0cc5aef94d9",
			"created_at": "2022-10-25T16:07:23.556112Z",
			"updated_at": "2026-04-10T02:00:04.655561Z",
			"deleted_at": null,
			"main_name": "DustSquad",
			"aliases": [
				"APT-C-34",
				"DustSquad",
				"G0133",
				"Golden Falcon",
				"Nomadic Octopus"
			],
			"source_name": "ETDA:DustSquad",
			"tools": [
				"Garpun",
				"Paperbug",
				"Remote Control System"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9faf32b7-0221-46ac-a716-c330c1f10c95",
			"created_at": "2022-10-25T16:07:23.652281Z",
			"updated_at": "2026-04-10T02:00:04.702108Z",
			"deleted_at": null,
			"main_name": "Gallium",
			"aliases": [
				"Alloy Taurus",
				"G0093",
				"Granite Typhoon",
				"Phantom Panda"
			],
			"source_name": "ETDA:Gallium",
			"tools": [
				"Agentemis",
				"BlackMould",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"Gh0stCringe RAT",
				"HTran",
				"HUC Packet Transmit Tool",
				"LaZagne",
				"Mimikatz",
				"NBTscan",
				"PingPull",
				"Plink",
				"Poison Ivy",
				"PsExec",
				"PuTTY Link",
				"QuarkBandit",
				"Quasar RAT",
				"QuasarRAT",
				"Reshell",
				"SPIVY",
				"SinoChopper",
				"SoftEther VPN",
				"Sword2033",
				"WCE",
				"WinRAR",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Yggdrasil",
				"cobeacon",
				"nbtscan",
				"netcat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c87ee2df-e528-4fa0-bed6-6ed29e390688",
			"created_at": "2023-01-06T13:46:39.150432Z",
			"updated_at": "2026-04-10T02:00:03.231072Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"Red Dev 4",
				"Alloy Taurus",
				"Granite Typhoon",
				"PHANTOM PANDA"
			],
			"source_name": "MISPGALAXY:GALLIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434311,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9057cd208f5bbbc5c67b0805fe9d43b36f6cd042.pdf",
		"text": "https://archive.orkl.eu/9057cd208f5bbbc5c67b0805fe9d43b36f6cd042.txt",
		"img": "https://archive.orkl.eu/9057cd208f5bbbc5c67b0805fe9d43b36f6cd042.jpg"
	}
}