{
	"id": "d517c6d3-7b23-458b-8113-a08f55590a6d",
	"created_at": "2026-04-06T00:14:34.889436Z",
	"updated_at": "2026-04-10T03:38:06.306617Z",
	"deleted_at": null,
	"sha1_hash": "92ce2121bab582043fa8ce08fc9a5f2c2aa47b11",
	"title": "Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2040641,
	"plain_text": "Microsoft shares latest intelligence on North Korean and Chinese\r\nthreat actors at CYBERWARCON | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2024-11-22 · Archived: 2026-04-05 13:31:53 UTC\r\nThis year at CYBERWARCON, Microsoft Threat Intelligence analysts are sharing research and insights\r\nrepresenting years of threat actor tracking, infrastructure monitoring and disruption, and attacker tooling.\r\nThe talk DPRK – All grown up will cover how the Democratic People’s Republic of Korea (DPRK) has\r\nsuccessfully built computer network exploitation capability over the past 10 years and how threat actors have\r\nenabled North Korea to steal billions of dollars in cryptocurrency as well as target organizations associated with\r\nsatellites and weapons systems. Over this period, North Korean threat actors have developed and used multiple\r\nzero-day exploits and have become experts in cryptocurrency, blockchain, and AI technology.\r\nThis presentation will also include information on North Korea overcoming sanctions and other financial barriers\r\nby the United States and multiple other countries through the deployment of North Korean IT workers in Russia,\r\nChina, and other countries. These IT workers masquerade as individuals from countries other than North Korea to\r\nperform legitimate IT work and generate revenue for the regime. 
North Korean threat actors’ focus areas are:\r\nStealing money or cryptocurrency to help fund the North Korea weapons programs\r\nStealing information pertaining to weapons systems, sanctions information, and policy-related decisions\r\nbefore they occur\r\nPerforming IT work to generate revenue to help fund the North Korea IT weapons program\r\nMeanwhile, in the talk No targets left behind, Microsoft Threat Intelligence analysts will present research on\r\nStorm-2077, a Chinese threat actor that conducts intelligence collection targeting government agencies and non-governmental organizations. This presentation will trace how Microsoft assembled the pieces of threat activity\r\nnow tracked as Storm-2077 to demonstrate how we overcome challenges in tracking overlapping activities and\r\nattributing cyber operations originating from China.\r\nThis blog summarizes intelligence on threat actors covered by the two Microsoft presentations at\r\nCYBERWARCON.\r\nSapphire Sleet: Social engineering leading to cryptocurrency theft\r\nThe North Korean threat actor that Microsoft tracks as Sapphire Sleet has been conducting cryptocurrency theft as\r\nwell as computer network exploitation activities since at least 2020. Microsoft’s analysis of Sapphire Sleet activity\r\nindicates that over 10 million US dollars’ worth of cryptocurrency was stolen by the threat actor from multiple\r\ncompanies over a six-month period.\r\nMasquerading as a venture capitalist\r\nhttps://www.microsoft.com/en-us/security/blog/2024/11/22/microsoft-shares-latest-intelligence-on-north-korean-and-chinese-threat-actors-at-cyberwarcon/\r\nPage 1 of 8\n\nWhile their methods have changed throughout the years, the primary scheme used by Sapphire Sleet over the past\r\nyear and a half is to masquerade as a venture capitalist, feigning interest in investing in the target user’s company.\r\nThe threat actor sets up an online meeting with a target user. 
On the day of the meeting, when the target user\r\nattempts to connect to the meeting, the user receives either a frozen screen or an error message stating that the user\r\nshould contact the room administrator or support team for assistance.\r\nWhen the target contacts the threat actor, the threat actor sends a script – a .scpt file (Mac) or a Visual Basic Script\r\n(.vbs) file (Windows) – to “fix the connection issue”. This script leads to malware being downloaded onto the\r\ntarget user’s device. The threat actor then works towards obtaining cryptocurrency wallets and other credentials on\r\nthe compromised device, enabling the threat actor to steal cryptocurrency.  \r\nPosing as recruiters\r\nAs a secondary method, Sapphire Sleet masquerades as a recruiter on professional platforms like LinkedIn and\r\nreaches out to potential victims. The threat actor, posing as a recruiter, tells the target user that they have a job they\r\nare trying to fill and believe that the user would be a good candidate. To validate the skills listed on the target\r\nuser’s profile, the threat actor asks the user to complete a skills assessment from a website under the threat actor’s\r\ncontrol. The threat actor sends the target user a sign-in account and password. In signing in to the website and\r\ndownloading the code associated with the skills assessment, the target user downloads malware onto their device,\r\nallowing the attackers to gain access to the system.\r\nFigure 1. LinkedIn profiles of fake recruiters. LinkedIn accounts identified to be related to this\r\nattack have been taken down.\r\nRuby Sleet: Sophisticated phishing targeting satellite and weapons systems-related\r\ntargets\r\nRuby Sleet, a threat actor that Microsoft has been tracking since 2020, has significantly increased the\r\nsophistication of their phishing operations over the past several years. 
The threat actor has been observed signing\r\ntheir malware with legitimate (but compromised) certificates obtained from victims they have compromised. The\r\nthreat actor has also distributed backdoored virtual private network (VPN) clients, installers, and various other\r\nlegitimate software.\r\nRuby Sleet has also been observed conducting research on targets to find what specific software they run in their\r\nenvironment. The threat actor has developed custom capabilities tailored to specific targets. For example, in\r\nDecember 2023, Microsoft Threat Intelligence observed Ruby Sleet carrying out a supply chain attack in which\r\nthe threat actor successfully compromised a Korean construction company and replaced a legitimate version of\r\nVeraPort software with a version that communicates with known Ruby Sleet infrastructure.\r\nRuby Sleet has targeted and successfully compromised aerospace and defense-related organizations. Stealing\r\naerospace and defense-related technology may be used by North Korea to increase its understanding of missiles,\r\ndrones, and other related technologies.\r\nNorth Korean IT workers: The triple threat\r\nIn addition to utilizing computer network exploitation through the years, North Korea has dispatched thousands of\r\nIT workers abroad to earn money for the regime. These IT workers have brought in hundreds of millions of dollars\r\nfor North Korea. 
We consider these North Korean IT workers to be a triple threat, because they:\r\nMake money for the regime by performing “legitimate” IT work\r\nMay use their access to obtain sensitive intellectual property, source code, or trade secrets at the company\r\nSteal sensitive data from the company and in some cases ransom the company into paying them in\r\nexchange for not publicly disclosing the company’s data\r\nMicrosoft Threat Intelligence has observed North Korean IT workers operating out of North Korea, Russia, and\r\nChina.\r\nFacilitators complicate tracking of IT worker ecosystem\r\nMicrosoft Threat Intelligence observed that the activities of North Korean IT workers involved many different\r\nparties, from creating accounts on various platforms to accepting payments and moving money to North Korean\r\nIT worker-controlled accounts. This makes tracking their activities more challenging than traditional nation-state\r\nthreat actors.\r\nSince it’s difficult for a person in North Korea to sign up for things such as a bank account or phone number, the\r\nIT workers must utilize facilitators to help them acquire access to platforms where they can apply for remote jobs.\r\nThese facilitators are used by the IT workers for tasks such as creating an account on a freelance job website. As\r\nthe relationship builds, the IT workers may ask the facilitator to perform other tasks such as:\r\nCreating or renting their bank account to the North Korean IT worker\r\nCreating LinkedIn accounts to be used for contacting recruiters to obtain work\r\nPurchasing mobile phone numbers or SIM cards\r\nCreating additional accounts on freelance job sites\r\nFigure 2. 
The North Korean IT worker ecosystem\r\nFake profiles and portfolios with the aid of AI\r\nOne of the first things a North Korean IT worker does is set up a portfolio to show supposed examples of their\r\nprevious work. Microsoft Threat Intelligence has observed hundreds of fake profiles and portfolios for North\r\nKorean IT workers on developer platforms like GitHub.\r\nFigure 3. Example profile used by North Korean IT workers that has since been taken down.\r\nAdditionally, the North Korean IT workers have used fake profiles on LinkedIn to communicate with recruiters\r\nand apply for jobs. \r\nFigure 4. An example of a North Korean IT worker LinkedIn profile that has since been taken down.\r\nIn October 2024, Microsoft found a public repository containing North Korean IT worker files. The repository\r\ncontained the following information:\r\nResumes and email accounts used by the North Korean IT workers\r\nInfrastructure used by these workers (VPS and VPN accounts along with specific VPS IP addresses)\r\nPlaybooks on conducting identity theft and creating and bidding jobs on freelancer websites without\r\ngetting flagged\r\nActual images and AI-enhanced images of suspected North Korean IT workers\r\nWallet information and suspected payments made to facilitators\r\nLinkedIn, GitHub, Upwork, TeamViewer, Telegram, and Skype accounts\r\nTracking sheet of work performed and payments received by these IT workers\r\nReview of the repository indicates that the North Korean IT workers are conducting identity theft and using AI\r\ntools such as Faceswap to move their picture over to documents that they have stolen from victims. The attackers\r\nare also using Faceswap to take pictures of the North Korean IT workers and move them to more professional\r\nlooking settings. 
The pictures created by the North Korean IT workers using AI tools are then utilized on resumes\r\nor profiles, sometimes for multiple personas, that are submitted for job applications.\r\nFigure 5. Use of AI apps to modify photos used for North Korean IT workers’ resumes and profiles\r\nFigure 6. Examples of resumes for North Korean IT workers. These two resumes use different\r\nversions of the same photo.\r\nIn the same repository, Microsoft Threat Intelligence found photos that appear to be of North Korean IT workers:\r\nFigure 7. Photos of potential North Korean IT workers\r\nMicrosoft has observed that, in addition to using AI to assist with creating images used with job applications,\r\nNorth Korean IT workers are experimenting with other AI technologies such as voice-changing software. This\r\naligns with observations shared in earlier blogs showing threat actors using AI as a productivity tool to refine their\r\nattack techniques. While we do not see threat actors using combined AI voice and video products as a tactic, we\r\ndo recognize that if actors were to combine these technologies, it’s possible that future campaigns may involve IT\r\nworkers using these programs to attempt to trick interviewers into thinking they are not communicating with a\r\nNorth Korean IT worker. If successful, this could allow the North Korean IT workers to do interviews directly and\r\nnot have to rely on facilitators obtaining work for them by standing in on interviews or selling account access to\r\nthem.\r\nGetting payment for remote work\r\nThe North Korean IT workers appear to be very organized when it comes to tracking payments received. 
Overall,\r\nthis group of North Korean IT workers appears to have made at least 370,000 US dollars through their efforts. \r\nProtecting organizations from North Korean IT workers\r\nUnfortunately, computer network exploitation and use of IT workers is a low-risk, high-reward technique used by\r\nNorth Korean threat actors. Here are some steps that organizations can take to be better protected:\r\nFollow guidance from the US Department of State, US Department of the Treasury, and the Federal Bureau\r\nof Investigation on how to spot North Korean IT workers.\r\nEducate human resources managers, hiring managers, and program managers for signs to look for when\r\ndealing with suspected North Korean IT workers.\r\nUse simple non-technical techniques such as asking IT workers to turn on their camera periodically and\r\ncomparing the person on camera with the one that picked up the laptop from your organization.\r\nAsk the person on camera to walk through or explain code that they purportedly wrote.\r\nStorm-2077: No targets left behind\r\nOver the past decade, following numerous government indictments and the public disclosure of threat actors’\r\nactivities, tracking and attributing cyber operations originating from China has become increasingly challenging\r\nas the attackers adjust their tactics. These threat actors continue to conduct operations while using tooling and\r\ntechniques against targets that often overlap with another threat actor’s operation. While analyzing activity that\r\nwas affecting a handful of customers, Microsoft Threat Intelligence assembled the pieces of what would be\r\ntracked as Storm-2077. Undoubtedly, this actor had some victimology and operational techniques that overlapped\r\nwith a couple of threat actors that Microsoft was already tracking.
\r\nMicrosoft assesses that Storm-2077 is a China state threat actor that has been active since at least January 2024.\r\nStorm-2077 has targeted a wide variety of sectors, including government agencies and non-governmental\r\norganizations in the United States. As we continued to track Storm-2077, we observed that they went after several\r\nother industries worldwide, including the Defense Industrial Base (DIB), aviation, telecommunications, and\r\nfinancial and legal services. Storm-2077 overlaps with activity tracked by other security vendors as TAG-100.\r\nWe assess that Storm-2077 likely operates with the objective of conducting intelligence collection. Storm-2077\r\nhas used phishing emails to gain credentials and, in certain cases, likely exploited edge-facing devices to gain\r\ninitial access. We have observed techniques that focus on email data theft, which could allow them to analyze the\r\ndata later without risking immediate loss of access. In some cases, Storm-2077 has used valid credentials\r\nharvested from the successful compromise of a system.\r\nWe’ve also observed Storm-2077 successfully exfiltrate emails by stealing credentials to access legitimate cloud\r\napplications such as eDiscovery applications. In other cases, Storm-2077 has been observed gaining access to\r\ncloud environments by harvesting credentials from compromised endpoints. Once administrative access was\r\ngained, Storm-2077 created their own application with mail read rights.\r\nAccess to email data is crucial for threat actors because it often contains sensitive information that could be\r\nutilized later for malicious purposes. 
Emails can include sign-in credentials, confidential communication, financial\r\nrecords, business secrets, intellectual property, and credentials for accessing critical systems, or employee\r\ninformation. Access to email accounts and the ability to steal email communication could enable an attacker to\r\nfurther their operations.\r\nMicrosoft’s talk on Storm-2077 at CYBERWARCON will highlight how vast their targeting interest covers. All\r\nsectors appear to be on the table, leaving no targets behind. Our analysts will talk about the challenges of tracking\r\nChina-based threat actors and how they had to distinctly carve out Storm-2077.\r\nCYBERWARCON Recap\r\nAt this year’s CYBERWARCON, Microsoft Security is sponsoring the post-event Fireside Recap. Hosted by\r\nSherrod DeGrippo, this session will feature special guests who will dive into the highlights, key insights, and\r\nemerging themes that defined CYBERWARCON 2024. Interviews with speakers will offer exclusive insights and\r\nbring the conference’s biggest moments into sharp focus.\r\nLearn more\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat\r\nIntelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us on LinkedIn at\r\nhttps://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter)\r\nat https://twitter.com/MsftSecIntel.\r\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat\r\nlandscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.\r\nSource: 
https://www.microsoft.com/en-us/security/blog/2024/11/22/microsoft-shares-latest-intelligence-on-north-korean-and-chinese-threat-actors-at-cyberwarcon/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2024/11/22/microsoft-shares-latest-intelligence-on-north-korean-and-chinese-threat-actors-at-cyberwarcon/"
	],
	"report_names": [
		"microsoft-shares-latest-intelligence-on-north-korean-and-chinese-threat-actors-at-cyberwarcon"
	],
	"threat_actors": [
		{
			"id": "810fada6-3a62-477e-ac11-2702f9a1ef80",
			"created_at": "2023-01-06T13:46:38.874104Z",
			"updated_at": "2026-04-10T02:00:03.129286Z",
			"deleted_at": null,
			"main_name": "STARDUST CHOLLIMA",
			"aliases": [
				"Sapphire Sleet"
			],
			"source_name": "MISPGALAXY:STARDUST CHOLLIMA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "74a1f6b1-6790-44eb-9e31-9bea8ea0192b",
			"created_at": "2024-02-02T02:00:04.04584Z",
			"updated_at": "2026-04-10T02:00:03.539136Z",
			"deleted_at": null,
			"main_name": "Ruby Sleet",
			"aliases": [
				"CERIUM"
			],
			"source_name": "MISPGALAXY:Ruby Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "64a08f65-4ef8-4ad5-bac1-ce4e0fd2808c",
			"created_at": "2024-08-28T02:02:09.663698Z",
			"updated_at": "2026-04-10T02:00:04.927384Z",
			"deleted_at": null,
			"main_name": "TAG-100",
			"aliases": [
				"Storm-2077"
			],
			"source_name": "ETDA:TAG-100",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"CrossC2",
				"LESLIELOADER",
				"Pantegana",
				"SparkRAT",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "db5b833a-965e-4f46-b75d-7e829466a5fa",
			"created_at": "2024-12-21T02:00:02.843374Z",
			"updated_at": "2026-04-10T02:00:03.780907Z",
			"deleted_at": null,
			"main_name": "Storm-2077",
			"aliases": [
				"TAG-100",
				"RedNovember"
			],
			"source_name": "MISPGALAXY:Storm-2077",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434474,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/92ce2121bab582043fa8ce08fc9a5f2c2aa47b11.pdf",
		"text": "https://archive.orkl.eu/92ce2121bab582043fa8ce08fc9a5f2c2aa47b11.txt",
		"img": "https://archive.orkl.eu/92ce2121bab582043fa8ce08fc9a5f2c2aa47b11.jpg"
	}
}