{
	"id": "c6da9dd8-2c0c-4157-9da3-697e4d11c7e4",
	"created_at": "2026-04-06T00:16:31.020603Z",
	"updated_at": "2026-04-10T13:12:16.413016Z",
	"deleted_at": null,
	"sha1_hash": "936d216fd558bd4e58d2e486651504f4695378da",
	"title": "Triton (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 78051,
	"plain_text": "Triton (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 21:38:12 UTC\r\nTriton\r\naka: Trisis, HatMan\r\nActor(s): XENOTIME\r\nMalware targeting Triconex Safety Instrumented System (SIS) controllers, which are commonly\r\nused in Industrial Control Systems (ICS).\r\nReferences\r\n2022-07-26 ⋅ Mandiant ⋅ Daniel Kapellmann Zafra, Jay Christiansen, Keith Lunden, Ken Proska, Thibault van Geluwe de Berlaere\r\nMandiant Red Team Emulates FIN11 Tactics To Control Operational Technology Servers\r\nClop Industroyer MimiKatz Triton\r\n2022-04-20 ⋅ CISA ⋅ CISA\r\nAlert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure\r\nVPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality\r\nSmokeLoader TrickBot Triton Zloader Killnet\r\n2022-04-20 ⋅ CISA ⋅ Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), CISA, FBI,\r\nGovernment Communications Security Bureau, National Crime Agency (NCA), NCSC UK, NSA\r\nAA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure\r\nVPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality\r\nSmokeLoader TrickBot Triton Zloader\r\n2022-03-24 ⋅ FBI ⋅ FBI\r\nPIN Number 20220324-001 TRITON Malware Remains Threat to Global Critical Infrastructure Industrial\r\nControl Systems (ICS)\r\nTriton\r\n2022-03-24 ⋅ CISA ⋅ US-CERT\r\nAlert (AA22-083A) Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors\r\nTargeting the Energy Sector\r\nHavex RAT Triton\r\n2021-02-11 ⋅ DomainTools ⋅ Joe Slowik\r\nVisibility, Monitoring, and Critical Infrastructure Security\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.triton\r\nPage 1 of 3\n\nIndustroyer Stuxnet Triton\r\n2020-12-21 ⋅ IronNet ⋅ Adam Hlavek, Kimberly Ortiz\r\nRussian cyber attack campaigns and actors\r\nWellMail elf.wellmess Agent.BTZ BlackEnergy EternalPetya Havex RAT Industroyer 
Ryuk Triton WellMess\r\n2020-10-23 ⋅ U.S. Department of the Treasury ⋅ U.S. Department of the Treasury\r\nTreasury Sanctions Russian Government Research Institution Connected to the Triton Malware\r\nTriton\r\n2019-08-01 ⋅ Kaspersky Labs ⋅ GReAT\r\nAPT trends report Q2 2019\r\nZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger\r\nHOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy\r\n2019-04-10 ⋅ Github (ICSrepo) ⋅ Marcin Dudek\r\nTRISIS / TRITON / HatMan Malware Repository\r\nTriton\r\n2019-03-07 ⋅ E\u0026E News ⋅ Blake Sobczak\r\nThe inside story of the world's most dangerous malware\r\nTriton\r\n2018-10-23 ⋅ FireEye ⋅ FireEye Intelligence\r\nTRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for\r\nTRITON Attackers\r\nTriton\r\n2018-10-01 ⋅ SANS Cyber Summit ⋅ Andrea Carcano\r\nTRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of Industrial Control Systems,\r\nForever\r\nTriton\r\n2018-08-08 ⋅ Nozomi Networks ⋅ Alessandro Di Pinto, Andrea Carcano, Younes Dragoni\r\nTRITON: The First ICS Cyber Attack on Safety Instrument Systems\r\nTriton\r\n2018-04-10 ⋅ NCCIC ⋅ NCCIC\r\nMAR-17-352-01 HatMan - Safety System Targeted Malware (Update A)\r\nTriton\r\n2018-01-16 ⋅ Midnight Blue Labs ⋅ Carlo Meijer, Jos Wetzels\r\nAnalyzing the TRITON industrial malware\r\nTriton\r\n2017-12-18 ⋅ NCCIC ⋅ NCCIC\r\nMalware Analysis Report on Hatman\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.triton\r\nPage 2 of 3\n\nTriton\r\n2017-12-14 ⋅ FireEye ⋅ Blake Johnson, Christopher Glyer, Dan Caban, Dan Scali, Marina Krotofil, Nathan Brubaker\r\nAttackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical\r\nInfrastructure\r\nTriton TEMP.Veles\r\n2017-12-13 ⋅ Dragos ⋅ Dragos\r\nTRISIS Malware: Analysis of Safety System Targeted Malware\r\nTriton\r\nYara Rules\r\n[TLP:WHITE] win_triton_w0 (20180123 | TRITON framework recovered 
during Mandiant ICS\r\nincident response)\r\n[TLP:WHITE] win_triton_w1 (20210727 | Matches the known samples of the HatMan malware.)\r\nDownload all Yara Rules\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.triton\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.triton\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.triton"
	],
	"report_names": [
		"win.triton"
	],
	"threat_actors": [
		{
			"id": "5fb9f77b-1273-4658-884e-49f5f511dcd7",
			"created_at": "2022-10-25T15:50:23.591795Z",
			"updated_at": "2026-04-10T02:00:05.383475Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"TEMP.Veles",
				"XENOTIME"
			],
			"source_name": "MITRE:TEMP.Veles",
			"tools": [
				"Mimikatz",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6728f306-6259-4e7d-a4ea-59586d90a47d",
			"created_at": "2023-01-06T13:46:39.175292Z",
			"updated_at": "2026-04-10T02:00:03.236282Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"TEMP.Warlock",
				"UNC902"
			],
			"source_name": "MISPGALAXY:FIN11",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c97cf0c1-7f0d-4e35-9bb9-bceaad178c3d",
			"created_at": "2023-01-06T13:46:38.760807Z",
			"updated_at": "2026-04-10T02:00:03.091254Z",
			"deleted_at": null,
			"main_name": "ZooPark",
			"aliases": [],
			"source_name": "MISPGALAXY:ZooPark",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11",
				"GRACEFUL SPIDER",
				"SectorJ04",
				"Spandex Tempest",
				"TA505"
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0f09b73e-caa9-40e6-bd0b-c13503e4e94c",
			"created_at": "2023-01-06T13:46:39.001286Z",
			"updated_at": "2026-04-10T02:00:03.1772Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"Xenotime",
				"G0088",
				"ATK91"
			],
			"source_name": "MISPGALAXY:TEMP.Veles",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1db21349-11d6-4e57-805c-fb1e23a8acab",
			"created_at": "2022-10-25T16:07:23.630365Z",
			"updated_at": "2026-04-10T02:00:04.694622Z",
			"deleted_at": null,
			"main_name": "FIN11",
			"aliases": [
				"Chubby Scorpius",
				"DEV-0950",
				"Lace Tempest",
				"Operation Cyclone"
			],
			"source_name": "ETDA:FIN11",
			"tools": [
				"AZORult",
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"BLUESTEAL",
				"Cl0p",
				"EMASTEAL",
				"FLOWERPIPE",
				"FORKBEARD",
				"FRIENDSPEAK",
				"FlawedAmmyy",
				"GazGolder",
				"Get2",
				"GetandGo",
				"JESTBOT",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MINEDOOR",
				"MIXLABEL",
				"Meterpreter",
				"NAILGUN",
				"POPFLASH",
				"PuffStealer",
				"Rultazo",
				"SALTLICK",
				"SCRAPMINT",
				"SHORTBENCH",
				"SLOWROLL",
				"SPOONBEARD",
				"TiniMet",
				"TinyMet",
				"VIDAR",
				"Vidar Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "93edf98a-03c1-48b3-a94c-e1bddc24f0e6",
			"created_at": "2022-10-25T16:07:24.435275Z",
			"updated_at": "2026-04-10T02:00:04.988022Z",
			"deleted_at": null,
			"main_name": "ZooPark",
			"aliases": [
				"APT-C-38",
				"Cobalt Juno",
				"Saber Lion",
				"TG-2884"
			],
			"source_name": "ETDA:ZooPark",
			"tools": [
				"ZooPark"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b4a6d558-3cba-499c-b58a-f15d65b7a604",
			"created_at": "2023-01-06T13:46:39.346924Z",
			"updated_at": "2026-04-10T02:00:03.295317Z",
			"deleted_at": null,
			"main_name": "Killnet",
			"aliases": [],
			"source_name": "MISPGALAXY:Killnet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20012494-3f05-48ce-8c0f-92455e46a4f9",
			"created_at": "2022-10-25T16:07:24.319939Z",
			"updated_at": "2026-04-10T02:00:04.934107Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"ATK 91",
				"G0088",
				"Xenotime"
			],
			"source_name": "ETDA:TEMP.Veles",
			"tools": [
				"Cryptcat",
				"HatMan",
				"Mimikatz",
				"NetExec",
				"PsExec",
				"SecHack",
				"TRISIS",
				"TRITON",
				"Trisis",
				"Triton",
				"Wii"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434591,
	"ts_updated_at": 1775826736,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/936d216fd558bd4e58d2e486651504f4695378da.pdf",
		"text": "https://archive.orkl.eu/936d216fd558bd4e58d2e486651504f4695378da.txt",
		"img": "https://archive.orkl.eu/936d216fd558bd4e58d2e486651504f4695378da.jpg"
	}
}