{
	"id": "2e472582-c410-497d-8004-5e12f419f193",
	"created_at": "2026-04-06T00:15:19.541696Z",
	"updated_at": "2026-04-10T03:35:52.946387Z",
	"deleted_at": null,
	"sha1_hash": "938c8927707a5cfd75cf5e7ca813d2d242677600",
	"title": "SCANdalous! (External Detection Using Network Scan Data and Automation) | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 503566,
	"plain_text": "SCANdalous! (External Detection Using Network Scan Data and\r\nAutomation) | Mandiant\r\nBy Mandiant\r\nPublished: 2020-07-13 · Archived: 2026-04-05 19:08:13 UTC\r\nWritten by: Aaron Stephens, Andrew Thompson\r\nReal Quick\r\nIn case you’re thrown by that fantastic title, our lawyers made us change the name of this project so we wouldn’t\r\nget sued. SCANdalous—a.k.a. Scannah Montana a.k.a. Scanny McScanface a.k.a. “Scan I Kick It? (Yes You\r\nScan)”—had another name before today that, for legal reasons, we’re keeping to ourselves. A special thanks to our\r\nlegal team who is always looking out for us, this blog post would be a lot less fun without them. Strap in folks.\r\nIntroduction\r\nAdvanced Practices is known for using primary source data obtained through Mandiant Incident Response,\r\nManaged Defense, and product telemetry across thousands of FireEye clients. Regular, first-hand observations of\r\nthreat actors afford us opportunities to learn intimate details of their modus operandi. While our visibility from\r\norganic data is vast, we also derive value from third-party data sources. By looking outwards, we extend our\r\nvisibility beyond our clients’ environments and shorten the time it takes to detect adversaries in the wild—often\r\nbefore they initiate intrusions against our clients.\r\nIn October 2019, Aaron Stephens gave his “Scan’t Touch This” talk at the annual FireEye Cyber Defense Summit\r\n(slides available on his Github). He discussed using network scan data for external detection and provided\r\nexamples of how to profile command and control (C2) servers for various post-exploitation frameworks used by\r\ncriminal and intelligence organizations alike. However, manual application of those techniques doesn’t scale. It\r\nmay work if your role focuses on one or two groups, but Advanced Practices’ scope is much broader. We needed a\r\nsolution that would enable us to track thousands of groups, malware families and profiles. 
In this blog post we’d\r\nlike to talk about that journey, highlight some wins, and for the first time publicly, introduce the project behind it\r\nall: SCANdalous.\r\nPre-SCANdalous Case Studies\r\nPrior to any sort of system or automation, our team used traditional profiling methodologies to manually identify\r\nservers of interest. The following are some examples. The success we found in these case studies served as the\r\nprimary motivation for SCANdalous.\r\nAPT39 SSH Tunneling\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/scandalous-external-detection-using-network-scan-data-and-automation/\r\nPage 1 of 7\n\nAfter observing APT39 in a series of intrusions, we determined they frequently created Secure Shell (SSH)\r\ntunnels with PuTTY Link to forward Remote Desktop Protocol connections to internal hosts within the target\r\nenvironment. Additionally, they preferred using BitVise SSH servers listening on port 443. Finally, they were\r\nusing servers hosted by WorldStream B.V.\r\nIndependent isolation of any one of these characteristics would produce a lot of unrelated servers; however, the\r\naggregation of characteristics provided a strong signal for newly established infrastructure of interest. We used\r\nthis established profile and others to illuminate dozens of servers we later attributed to APT39, often before they\r\nwere used against a target.\r\nAPT34 QUADAGENT\r\nIn February 2018, an independent researcher shared a sample of what would later be named QUADAGENT. We\r\nhad not observed it in an intrusion yet; however, by analyzing the characteristics of the C2, we were able to\r\ndevelop a strong profile of the servers to track over time. For example, our team identified the server\r\n185.161.208\\.37 and domain rdppath\\.com within hours of it being established. A week later, we identified a\r\nQUADAGENT dropper with the previously identified C2. 
Additional examples of QUADAGENT are depicted in\r\nFigure 1.\r\nFigure 1: QUADAGENT C2 servers in the Shodan user interface\r\nFive days after the QUADAGENT dropper was identified, Mandiant was engaged by a victim that was targeted\r\nvia the same C2. This activity was later attributed to APT34. During the investigation, Mandiant uncovered\r\nAPT34 using RULER.HOMEPAGE. This was the first time our consultants observed the tool and technique used\r\nin the wild by a real threat actor. Our team developed a profile of servers hosting HOMEPAGE payloads and\r\nbegan tracking their deployment in the wild. Figure 2 shows a timeline of QUADAGENT C2 servers discovered\r\nbetween February and November of 2018.\r\nFigure 2: Timeline of QUADAGENT C2 servers discovered throughout 2018\r\nAPT33 RULER.HOMEPAGE, POSHC2, and POWERTON\r\nA month after the aforementioned intrusion, Managed Defense discovered a threat actor using\r\nRULER.HOMEPAGE to download and execute POSHC2. All the RULER.HOMEPAGE servers were previously\r\nidentified due to our efforts. Our team developed a profile for POSHC2 and began tracking their deployment in\r\nthe wild. The threat actor pivoted to a novel PowerShell backdoor, POWERTON. Our team repeated our workflow\r\nand began illuminating those C2 servers as well. This activity was later attributed to APT33 and was documented\r\nin our OVERRULED post.\r\nSCANdalous\r\nScanner, Better, Faster, Stronger\r\nOur use of scan data was proving wildly successful, and we wanted to use more of it, but we needed to innovate.\r\nHow could we leverage this dataset and methodology to track not one or two, but dozens of active groups that we\r\nobserve across our solutions and services? 
Even if every member of Advanced Practices was dedicated to external\r\ndetection, we would still not have enough time or resources to keep up with the amount of manual work required.\r\nBut that’s the key word: Manual. Our workflow consumed hours of individual analyst actions, and we had to\r\nchange that. This was the beginning of SCANdalous: An automated system for external detection using third-party\r\nnetwork scan data.\r\nA couple of nice things about computers: They’re great at multitasking, and they don’t forget. The tasks that were\r\ntaking us hours to do—if we had time, and if we remembered to do them every day—were now taking\r\nSCANdalous minutes if not seconds. This not only afforded us additional time for analysis, it gave us the\r\ncapability to expand our scope. Now we not only look for specific groups, we also search for common malware,\r\ntools and frameworks in general. We deploy weak signals (or broad signatures) for software that isn’t inherently\r\nbad, but is often used by threat actors.\r\nOur external detection was further improved by automating additional collection tasks, executed by SCANdalous\r\nupon a discovery—we call them follow-on actions. For example, if an interesting open directory is identified,\r\nacquire certain files. These actions ensure the team never misses an opportunity during “non-working hours.” If\r\nSCANdalous finds something interesting on a weekend or holiday, we know it will perform the time-sensitive\r\ntasks against the server and in defense of our clients.\r\nThe data we collect not only helps us track things we aren’t seeing at our clients, it allows us to provide timely and\r\nhistorical context to our incident responders and security analysts. 
Taking observations from Mandiant Incident\r\nResponse or Managed Defense and distilling them into knowledge we can carry forward has always been our\r\nbread and butter. Now, with SCANdalous in the mix, we can project that knowledge out onto the Internet as a\r\nwhole.\r\nCollection Metrics\r\nLooking back on where we started with our manual efforts, we’re pleased to see how far this project has come,\r\nand this is perhaps best illustrated by examining the numbers. Today (and as we write these continue to grow),\r\nSCANdalous holds over five thousand signatures across multiple sources, covering dozens of named malware\r\nfamilies and threat groups. Since its inception, SCANdalous has produced over two million hits. Every single one\r\nof those, a piece of contextualized data that helps our team make analytical decisions. Of course, raw volume isn’t\r\neverything, so let’s dive a little deeper.\r\nWhen an analyst discovers that an IP address has been used by an adversary against a named organization, they\r\ndenote that usage in our knowledge store. While the time at which this observation occurs does not always\r\ncorrelate with when it was used in an intrusion, knowing when we became aware of that use is still valuable. We\r\ncan cross-reference these times with data from SCANdalous to help us understand the impact of our external\r\ndetection.\r\nLooking at the IP addresses marked by an analyst as observed at a client in the last year, we find that 21.7% (more\r\nthan one in five) were also found by SCANdalous. Of that fifth, SCANdalous has an average lead time of 47 days.\r\nIf we only consider the IP addresses that SCANdalous found first, the average lead time jumps to 106 days. 
Going\r\neven deeper and examining this data month-to-month, we find a steady upward trend in the percentage of IP\r\naddresses identified by SCANdalous before being observed at a client (Figure 3).\r\nFigure 3: Percentage of IP addresses found by SCANdalous before being marked as observed at a client by a\r\nFireEye analyst\r\nA similar pattern can be seen for SCANdalous’ average lead time over the same data (Figure 4).\r\nFigure 4: Average lead time in days for SCANdalous over the same data shown in Figure 3\r\nAs we continue to create signatures and increase our external detection efforts, we can see from these numbers\r\nthat the effectiveness and value of the resulting data grow as well.\r\nSCANdalous Case Studies\r\nToday in Advanced Practices, SCANdalous is a core element of our external detection work. It has provided us\r\nwith a new lens through which we can observe threat activity on a scale and scope beyond our organic data, and\r\nenriches our workflows in support of Mandiant. Here are a few of our favorite examples:\r\nFIN6\r\nIn early 2019, SCANdalous identified a Cobalt Strike C2 server that we were able to associate with FIN6. 
Four\r\nhours later, the server was used to target a Managed Defense client, as discussed in our blog post, Pick-Six:\r\nIntercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware.\r\nFIN7\r\nIn late 2019, SCANdalous identified a BOOSTWRITE C2 server and automatically acquired keying material that\r\nwas later used to decrypt files found in a FIN7 intrusion worked by Mandiant consultants, as discussed in our blog\r\npost, Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques.\r\nUNC1878 (financially motivated)\r\nSome of you may also remember our recent blog post on UNC1878. It serves as a great case study for how we\r\ngrow an initial observation into a larger set of data, and then use that knowledge to find more activity across our\r\nofferings. Much of the early work that went into tracking that activity (see the section titled “Expansion”)\r\nhappened via SCANdalous. The quick response from Managed Defense gave us just enough information to build\r\na profile of the C2 and let our automated system take it from there. Over the next couple months, SCANdalous\r\nidentified numerous servers matching UNC1878’s profile. This allowed us to not only analyze and attribute new\r\nnetwork infrastructure, it also helped us observe when and how they were changing their operations over time.\r\nConclusion\r\nThere are hundreds more stories to tell, but the point is the same. When we find value in an analytical workflow,\r\nwe ask ourselves how we can do it better and faster. The automation we build into our tools allows us to not only\r\naccomplish more of the work we were doing manually, it enables us to work on things we never could before. Of\r\ncourse, the conversion doesn’t happen all at once. Like all good things, we made a lot of incremental\r\nimprovements over time to get where we are today, and we’re still finding ways to make more. 
Continuing to\r\ninnovate is how we keep moving forward – as Advanced Practices, as FireEye, and as an industry.\r\nExample Signatures\r\nThe following are example Shodan queries; however, any source of scan data can be used.\r\nUsed to Identify APT39 C2 Servers\r\nproduct:“bitvise” port:“443” org:“WorldStream B.V.”\r\nUsed to Identify QUADAGENT C2 Servers\r\n“PHP/7.2.0beta2”\r\nRULER.HOMEPAGE Payloads\r\nhtml:“clsid:0006F063-0000-0000-C000-000000000046”\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/scandalous-external-detection-using-network-scan-data-and-automation/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/scandalous-external-detection-using-network-scan-data-and-automation/"
	],
	"report_names": [
		"scandalous-external-detection-using-network-scan-data-and-automation"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d",
			"created_at": "2025-08-07T02:03:24.741594Z",
			"updated_at": "2026-04-10T02:00:03.653394Z",
			"deleted_at": null,
			"main_name": "COBALT HICKMAN",
			"aliases": [
				"APT39 ",
				"Burgundy Sandstorm ",
				"Chafer ",
				"ITG07 ",
				"Remix Kitten "
			],
			"source_name": "Secureworks:COBALT HICKMAN",
			"tools": [
				"MechaFlounder",
				"Mimikatz",
				"Remexi",
				"TREKX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "12211366-1f14-4eed-9d91-46b6a2ede618",
			"created_at": "2025-08-07T02:03:25.014713Z",
			"updated_at": "2026-04-10T02:00:03.624097Z",
			"deleted_at": null,
			"main_name": "GOLD ULRICK",
			"aliases": [
				"Grim Spider ",
				"UNC1878 "
			],
			"source_name": "Secureworks:GOLD ULRICK",
			"tools": [
				"Bloodhound",
				"Buer Loader",
				"Cobalt Strike",
				"Conti",
				"Diavol",
				"PowerShell Empire",
				"Ryuk",
				"SystemBC",
				"Team9 (aka BazarLoader)",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ab9d6b30-7c60-4d0b-8f49-e2e913c28508",
			"created_at": "2022-10-25T16:07:24.584775Z",
			"updated_at": "2026-04-10T02:00:05.042135Z",
			"deleted_at": null,
			"main_name": "UNC1878",
			"aliases": [],
			"source_name": "ETDA:UNC1878",
			"tools": [
				"Agentemis",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"KEGTAP",
				"Ryuk",
				"Team9Backdoor",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1b3a247f-6186-4482-8b92-c3fb2d767c7d",
			"created_at": "2023-01-06T13:46:38.883911Z",
			"updated_at": "2026-04-10T02:00:03.132231Z",
			"deleted_at": null,
			"main_name": "APT39",
			"aliases": [
				"COBALT HICKMAN",
				"G0087",
				"Radio Serpens",
				"TA454",
				"ITG07",
				"Burgundy Sandstorm",
				"REMIX KITTEN"
			],
			"source_name": "MISPGALAXY:APT39",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0a4f4edc-ea8c-4a30-8ded-35394e29de01",
			"created_at": "2023-01-06T13:46:39.178183Z",
			"updated_at": "2026-04-10T02:00:03.23716Z",
			"deleted_at": null,
			"main_name": "UNC1878",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC1878",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6b6155e4-94ec-4909-b908-550afe758ad6",
			"created_at": "2022-10-25T15:50:23.365074Z",
			"updated_at": "2026-04-10T02:00:05.2978Z",
			"deleted_at": null,
			"main_name": "APT39",
			"aliases": [
				"APT39",
				"ITG07",
				"Remix Kitten"
			],
			"source_name": "MITRE:APT39",
			"tools": [
				"NBTscan",
				"MechaFlounder",
				"Remexi",
				"CrackMapExec",
				"pwdump",
				"Mimikatz",
				"Windows Credential Editor",
				"Cadelspy",
				"PsExec",
				"ASPXSpy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434519,
	"ts_updated_at": 1775792152,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/938c8927707a5cfd75cf5e7ca813d2d242677600.pdf",
		"text": "https://archive.orkl.eu/938c8927707a5cfd75cf5e7ca813d2d242677600.txt",
		"img": "https://archive.orkl.eu/938c8927707a5cfd75cf5e7ca813d2d242677600.jpg"
	}
}