{
	"id": "08a39222-e326-430d-8e15-2632cb21533b",
	"created_at": "2026-04-06T00:22:23.464275Z",
	"updated_at": "2026-04-10T03:36:48.350623Z",
	"deleted_at": null,
	"sha1_hash": "93acc446651107a3b99aaeb33b04ae0a47191475",
	"title": "PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1903107,
	"plain_text": "PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell\r\nBackdoor for Espionage\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 21:49:41 UTC\r\nOver the past months, the Cybereason Nocturnus Team observed an uptick in the activity of the Iranian-attributed\r\ngroup dubbed Phosphorus (AKA Charming Kitten, APT35), known for previously attacking medical research\r\norganizations in the US and Israel in late 2020, and for targeting academic researchers from the US, France, and\r\nthe Middle East region back in 2019.\r\nThey have also previously targeted human rights activists and the media sector, and interfered with the US\r\npresidential elections.\r\nTowards the end of 2021, multiple attacks were carried out exploiting the notorious Microsoft Exchange Server\r\nvulnerabilities chained together and referred to as ProxyShell, which ultimately enabled multiple threat actors to\r\ndeploy malware on their targets’ networks. There have been several reports detailing the exploitation of these\r\nvulnerabilities by Iranian state-sponsored threat actors, among them the Phosphorus APT group carrying out\r\nransomware attacks. \r\nCybereason researchers recently discovered a new set of tools which were developed by the Phosphorus group and\r\nincorporated into their arsenal, including a novel PowerShell backdoor dubbed PowerLess Backdoor. Our research\r\nalso highlights a stealthy technique used by the group to avoid PowerShell detection by running the PowerShell\r\nBackdoor in a .NET context rather than spawning the PowerShell process.\r\nIn addition, several interesting connections were found between the Phosphorus group and the Memento\r\nRansomware that first emerged in late 2021. 
(Related Iranian APT research: StrifeWater RAT: Iranian APT Moses\r\nStaff Adds New Trojan to Ransomware Operations).\r\nKey Findings\r\nNovel PowerShell Backdoor: A novel and previously undocumented PowerShell backdoor related to the\r\nPhosphorus group was discovered by the Cybereason Nocturnus Team and dubbed PowerLess Backdoor. It\r\nsupports downloading additional payloads, such as a keylogger and an info stealer.\r\nEvasive PowerShell Execution: The PowerShell code runs in the context of a .NET application, thus not\r\nlaunching “powershell.exe”, which enables it to evade security products.\r\nModular Malware: The toolset analyzed includes extremely modular, multi-staged malware that decrypts\r\nand deploys additional payloads in several stages for the sake of both stealth and efficacy.\r\nHighly Active Infrastructure: At the time of writing this report, some of the IOCs remained active,\r\ndelivering new payloads.\r\nhttps://www.cybereason.com/blog/research/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage\r\nPage 1 of 18\n\nWide Range of Open Source Tools: Much of the activity observed involved a variety of publicly available\r\ntools, such as cryptography libraries, weaponized for payloads and communication encryption.\r\nShared IOCs with Memento Ransomware: One of the IP addresses serves a domain which is being used\r\nas command and control (C2) for the recently discovered Memento Ransomware. \r\nPhosphorus Threat Group: The Phosphorus Threat Group was previously spotted attacking research\r\nfacilities in multiple regions such as the US, Europe and the Middle East. The group is known to be behind\r\nmultiple cyber espionage and offensive cyber attacks, operating in the interest of the Iranian regime,\r\nleveraging cyberwarfare in accordance with Iran’s geopolitical interests. 
\r\nUse of Publicly Available Exploits: The Phosphorus Group was first seen exploiting the ProxyShell\r\nvulnerability, and later on the Log4j vulnerability as well, utilizing fresh exploits in the wild.\r\nA Glimpse into Phosphorus Updated Arsenal\r\nFollowing up on both public and non-public intelligence that is available to Cybereason in regard to the\r\nPhosphorus threat actor, the Cybereason Nocturnus Team was able to identify a new toolset that includes a novel\r\nbackdoor, malware loaders, a browser info stealer, and a keylogger.\r\nIt is worth noting that some of the more recent methods that were observed in attacks attributed to the Phosphorus\r\ngroup included open-source tools such as the famous DiskCryptor library and also BitLocker, along with the Fast\r\nReverse Proxy which is used for RDP proxying.\r\nThe following sections will detail the discovery process and analysis of the newly identified tools. \r\nPivoting from a Previously Known Arsenal\r\nThe journey to the discovery of the new toolset started with threat intelligence efforts that included pivoting on an\r\nIP address (162.55.136[.]20) that was already attributed to Iranian threat actors by multiple sources, including US\r\nCERT. 
\r\nWhile examining different files that were downloaded from this IP address, we stumbled upon a file named\r\n“WindowsProcesses.exe”: \r\nWindowsProcesses.exe hosted on the abovementioned IP\r\nThe file seems to have only been detected by 35/68 antivirus vendors, according to VirusTotal:\r\nWindowsProcesses.exe details as seen in VirusTotal\r\nAnalysis of WindowsProcesses.exe\r\nThis file, entitled “WindowsProcesses.exe”, is a 64-bit executable loader whose sole purpose is to resolve relevant\r\nDLLs and load another file from the “%windir%\\Temp” path entitled “dll.dll”:\r\nWindowsProcesses and related modules execution diagram\r\nOnce the relevant DLLs (mostly related to .NET runtime libraries) and API calls are resolved, dll.dll is executed:\r\nThe main code of WindowsProcesses.exe\r\nBy the looks of it, the authors could have been inspired by a code snippet found publicly available on GitHub,\r\nwhich facilitates running PowerShell with CLR in native runtime. 
The snippet is named “Powerless”, and the\r\nauthors seem to have kept that naming convention, as shown in the PDB path of the binary: \r\nC:\\\\Users\\\\pugna\\\\Desktop\\\\126\\\\V1\\\\PowerLessCLR\\\\x64\\\\Release\\\\PowerLessCLR.pdb\r\nAnalysis of dll.dll\r\nDll.dll is a simple .NET AES decryptor that uses a hardcoded key “()*\u00263dCfabE2/123” to decrypt another file\r\nnamed “upc” and ultimately execute PowerShell code from the decrypted object:\r\nThe code of dll.dll\r\nupc\r\nThe upc encrypted BLOB is decrypted using dll.dll, and contains multiple encryption layers that are all decrypted\r\nin stages using base64 and AES ECB decryption.\r\nThe keys that are being used for decryption are as follows:\r\n()*\u00263dCfabE2/123\r\n0123654789mkiujn\r\n25sL(*14@#SDFcgd\r\nPrior to decrypting the PowerShell backdoor, an intermediate stage takes place in which the victim’s machine is\r\nassigned a unique identifier that is sent to the C2, after which an additional configuration is downloaded:\r\nThe intermediate stage during the PowerLess backdoor decryption\r\nAnalysis of the PowerLess Backdoor\r\nAfter all the AES encrypted layers are decrypted, the PowerLess backdoor is executed:\r\nPowerLess backdoor command parsing code segment\r\nThe PowerLess backdoor is equipped with the following capabilities:\r\nDownloading and executing additional malware and files\r\nAdditional modules:\r\nBrowsers info stealer\r\nKeylogger module\r\nEncrypted channel with the C2\r\nExecuting arbitrary commands\r\nKilling processes\r\nStealing browser data\r\nKeylogging\r\nIt is worth mentioning that the backdoor is being run within a .NET context, and therefore it does not spawn\r\n“powershell.exe”. 
This behavior can be interpreted as an attempt to evade certain PowerShell detections, although\r\nPowerShell logs are being saved on the machine:\r\nWindows Processes and the malicious loaded module “dll.dll” as seen in the Cybereason XDR Platform\r\nOddly enough, there is a part of the code in the PowerLess Backdoor that does spawn a powershell.exe process,\r\nwhen the request to kill a process is received from the C2:\r\nA part of the PowerLess Backdoor that spawns powershell.exe\r\nIt can be assumed that the native language of the backdoor’s authors is likely not English given the abundance of\r\ntypos and grammatical mistakes found in the code: \r\nPowerLess backdoor logging\r\nKeylogger\r\nOne of the modules downloaded by the PowerLess backdoor is a keylogger that is written in .NET. Its core\r\nfunctionality is quite simple, consisting of hooks and the logging of the user’s keystrokes:\r\nPartial code from the keylogger module\r\nThe logs are being stored in the following path: \"C:\\\\Windows\\\\Temp\\\\Report.06E17A5A-7325-4325-8E5D-E172EBA7FC5BK\":\r\nLogs path of the keylogger module\r\nStealer\r\nAnother module is a browser info stealer, which is also written in .NET, and includes the BouncyCastle crypto\r\nlibrary. It also uses an SQLite data reader object for Chrome and Edge browser database files. 
In the staging\r\nphase, the data is encrypted and written in JSON format for exfiltration:\r\nPartial code from the info stealer module\r\nThe logs are being stored in the following path: “C:\\\\Windows\\\\Temp\\\\cup.tmp”:\r\nLogs path of the stealer module\r\nAdditional Tools Potentially Related to Phosphorus\r\nIn addition to the newly discovered PowerLess Backdoor, other tools were identified by the Nocturnus Team\r\nwhich are suspected to originate from the same developer. However, at this point in time there isn't enough\r\nevidence to conclusively tie these tools to Phosphorus with a high level of confidence. \r\nLooking at the PE info of “WindowsProcesses.exe”, the below PDB path is present:\r\n“C:\\Users\\pugna\\Desktop\\126\\V1\\PowerLessCLR\\x64\\Release\\PowerLessCLR.pdb”:\r\nThe PDB path from WindowsProcesses.exe\r\nSearching for the prefix “C:\\Users\\pugna” returns other unidentified tools:\r\nArtifacts found in VirusTotal with the search “C:\\Users\\pugna”\r\nChromium F\r\n“Chromium F.exe” is yet another .NET browser info stealer. Although the code is different, in functionality it\r\nis similar to the abovementioned info stealer module, leading us to assess that it might be an earlier variant:\r\nCode segment from Chromium F.exe\r\nSou.exe - Audio Recorder\r\n“Sou.exe” is another .NET file, but this time it’s an audio recorder which uses the NAudio open source library:\r\nCode segment from Sou.exe\r\nA New Locker in the Making? 
\r\nOne of the more recent tools that was allegedly from the same developer is what appears to be an unfinished\r\nransomware variant. It is also written in .NET and at this point doesn’t do anything except locking the target’s\r\nscreen. As can be seen, fields like the ransom amount and the attacker’s email are yet to be set. Although\r\nunfinished, it is worth mentioning that the sample was uploaded from Iran via web, and it might imply yet another\r\nstep by this threat actor in the direction of ransomware:\r\nUnfinished ransomware sample uploaded to VirusTotal from Iran\r\nThe unfinished ransomware locker screen\r\nAnalysis of FRP Loaders\r\nJava Multi Platform Loader\r\nOne of the more active IPs that was reported in the ProxyShell attacks was 148.251.71[.]182. In addition, another\r\nrecent report mentions this IP address as part of an active exploitation of the Log4j vulnerability:\r\nFiles found on the IP address 148.251.71[.]182\r\nThe “symantec” and “update” themed files all serve the FRP again. 
The “RCE” links, on the other hand, serve a\r\nJava loader that identifies the victim machine’s operating system and drops the appropriate version of FRP:\r\nThe Java RCE class\r\nThere are two slightly different variations of the loader, but eventually both check for the file separator of the OS,\r\nwhich is “/” in case it’s Linux or “\\” in Windows, and then download the payload and create persistence:\r\nContent of the malicious Java class\r\nPowerShell to Exe Downloader\r\nAnother loader which eventually delivers FRP is PowerShell code converted to an executable by the “Ps1 To Exe”\r\nfreeware that is available for download on public forums, where less technical people can successfully use it:\r\nInformation about one of the FRP loaders \r\nFinally, the loader creates a scheduled task for FRP, with the task details depending on the OS type.\r\nA full process tree of a real-time attack that exploits the ProxyShell vulnerability and deploys the FRP\r\nmodules can be seen below: \r\nA real-time FRP staging and execution as seen in the Cybereason XDR Platform\r\nOnce the attackers exploited the vulnerable Microsoft Exchange Server, they downloaded the FRP module, ran\r\nmultiple reconnaissance commands, created persistence, dumped credentials using a known LOLBIN technique\r\n(Comsvcs.dll), and attempted to move laterally, as can be seen in the above Cybereason XDR Platform image. \r\nThe Memento Ransomware Connection\r\nAnother IP that appears in US CERT’s list is 91.214.124[.]143. 
Searching it in VirusTotal reveals other malicious\r\nfiles communicating with it, as well as unique URL directory patterns that reveal a potential connection to\r\nMemento Ransomware:\r\nThe string “gsdhdDdfgA5sS” appears to be generated by the same script as the one listed in the Memento\r\nRansomware IOCs: “gadfTs55sghsSSS”.\r\nThe domain “google.onedriver-srv[.]ml” previously resolved to the IP address 91.214.124[.]143\r\nmentioned in the US CERT alert about Iranian state-sponsored actors’ activity:\r\nSome of the Memento IOCs that are suspected to be related to Phosphorus\r\nThe “Connector3.exe” naming convention: as mentioned above, Phosphorus has been observed using the\r\nFRP tool on many occasions. The file name that is used for FRP and reported by the US CERT is\r\n“Connector3.exe”. As can be seen below, the same name is being used to name a backdoor by Memento:\r\nFRP named “Connector3.exe” from US CERT report\r\nThe activity of Phosphorus with regard to ProxyShell took place in about the same time frame as Memento.\r\nIranian threat actors were also reported to be turning to ransomware during that period, which strengthens\r\nthe hypothesis that Memento is operated by an Iranian threat actor.\r\nConclusion\r\nIn this report, the Cybereason Nocturnus Team detailed a previously undocumented PowerShell backdoor dubbed\r\nPowerLess, used by the Iranian APT Phosphorus in recent attacks. This research also provided further details\r\nregarding the group’s tools and techniques, including the use of publicly available tools and a combination of\r\ncoding languages. \r\nThe extensive usage of open source tools is assessed to demonstrate the intermediate coding skills of the\r\nattackers. The use of various programming languages also might point to a lack of specialization in any specific\r\ncoding language. 
This research also highlights how important it is for threat intelligence analysts to “follow the\r\nbreadcrumbs,” such as pivoting on known infrastructure or, in this case, the PDB paths left by the attackers, in\r\norder to pave the way for discovering additional tools and connections to other operations. \r\nFinally, a connection between Phosphorus and the Memento ransomware was also found through mutual TTP\r\npatterns and attack infrastructure, strengthening the connection between this previously unattributed ransomware\r\nand the Phosphorus group.\r\nThe Cybereason XDR Platform detects and blocks the PowerLess Trojan and other advanced TTPs used in this\r\noperation. Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across enterprise, to\r\neverywhere the battle is taking place.\r\nMITRE ATT\u0026CK BREAKDOWN\r\nReconnaissance: Gather Victim Host Information; Gather Victim Identity Information\r\nExecution: Command and Scripting Interpreter: PowerShell; Exploitation for Client Execution; Scheduled Task/Job: At (Windows); Scheduled Task/Job: At (Linux)\r\nPersistence: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Scheduled Task/Job: At (Windows); Scheduled Task/Job: At (Linux); Server Software Component: Web Shell\r\nDefense Evasion: Masquerading; Impair Defenses: Disable or Modify System Firewall; Modify Registry\r\nDiscovery: Account Discovery: Local Account\r\nCollection: Archive Collected Data; Audio Capture; Input Capture: Keylogging\r\nCommand and Control: Application Layer Protocol: Web Protocols; Data Encoding: Standard Encoding; Encrypted Channel: Symmetric Cryptography; Proxy\r\nCredential Access: OS Credential Dumping\r\nAbout 
the Researcher:\r\nDANIEL FRANK\r\nDaniel Frank is a senior Malware Researcher at Cybereason. Prior to Cybereason, Frank was a Malware\r\nResearcher at F5 Networks and RSA Security. His core roles as a Malware Researcher include researching\r\nemerging threats, reverse-engineering malware and developing security-driven code. Frank has a BSc degree in\r\ninformation systems.\r\nSource: https://www.cybereason.com/blog/research/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.cybereason.com/blog/research/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage"
	],
	"report_names": [
		"powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "527e04ee-7f5f-49aa-8653-f893b43730bd",
			"created_at": "2022-10-25T16:07:24.512541Z",
			"updated_at": "2026-04-10T02:00:05.017592Z",
			"deleted_at": null,
			"main_name": "Moses Staff",
			"aliases": [
				"Abraham's Ax",
				"Cobalt Sapling",
				"DEV-0500",
				"G1009",
				"Marigold Sandstorm",
				"Vengeful Kitten",
				"White Dev 95"
			],
			"source_name": "ETDA:Moses Staff",
			"tools": [
				"DCSrv",
				"DCrSrv",
				"PyDCrypt",
				"StrifeWater",
				"StrifeWater RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bef06c82-0f51-44ba-8451-049cd4ad8a52",
			"created_at": "2023-01-06T13:46:39.325635Z",
			"updated_at": "2026-04-10T02:00:03.288171Z",
			"deleted_at": null,
			"main_name": "MosesStaff",
			"aliases": [
				"Moses Staff",
				"Marigold Sandstorm",
				"DEV-0500",
				"VENGEFUL KITTEN"
			],
			"source_name": "MISPGALAXY:MosesStaff",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c4d0e4e1-5ad3-4455-8291-ce72a1e09e46",
			"created_at": "2022-10-27T08:27:13.055675Z",
			"updated_at": "2026-04-10T02:00:05.323068Z",
			"deleted_at": null,
			"main_name": "Moses Staff",
			"aliases": [
				"Moses Staff",
				"DEV-0500",
				"Marigold Sandstorm"
			],
			"source_name": "MITRE:Moses Staff",
			"tools": [
				"PyDCrypt",
				"PsExec",
				"DCSrv",
				"StrifeWater"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6a5293c8-2a88-4a33-927a-4a0c946dc867",
			"created_at": "2025-08-07T02:03:24.778647Z",
			"updated_at": "2026-04-10T02:00:03.647413Z",
			"deleted_at": null,
			"main_name": "COBALT SAPLING",
			"aliases": [
				"Abraham's Ax ",
				"DEV-0500",
				"Marigold Sandstorm ",
				"Moses Staff ",
				"Vengeful Kitten "
			],
			"source_name": "Secureworks:COBALT SAPLING",
			"tools": [
				"DCSrv",
				"PyDcrypt",
				"StrifeWater RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434943,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/93acc446651107a3b99aaeb33b04ae0a47191475.pdf",
		"text": "https://archive.orkl.eu/93acc446651107a3b99aaeb33b04ae0a47191475.txt",
		"img": "https://archive.orkl.eu/93acc446651107a3b99aaeb33b04ae0a47191475.jpg"
	}
}