{
	"id": "8d2abf4a-c2c9-423f-a6f0-a793ac7c4438",
	"created_at": "2026-04-06T00:13:37.625102Z",
	"updated_at": "2026-04-10T13:11:36.599427Z",
	"deleted_at": null,
	"sha1_hash": "93e91456c81359faf4267b340a34a018e110eabe",
	"title": "LevelBlue - Open Threat Exchange",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 416781,
	"plain_text": "LevelBlue - Open Threat Exchange\r\nBy CyberHunter_NL\r\nArchived: 2026-04-05 17:57:03 UTC\r\n841 Subscribers\r\nhttps://otx.alienvault.com/browse/pulses?q=tag:defray777\r\nPage 1 of 12\n\n49 Subscribers\n\n841 Subscribers\n\nRansomEXX\r\nCVE: 6 | FileHash-MD5: 13 | FileHash-SHA1: 13 | FileHash-SHA256: 22 | URL: 4 | Domain: 2 | Hostname: 3\n\nThe full text of the key characters for the TSPY-Trojan malware, which has now been identified as the \"backdoor\", can be seen here: £1.\r\n354 Subscribers\r\n72 Subscribers\r\nRansomExx Renner\r\nRansomExx is a ransomware family that targeted multiple companies starting in mid-2020. It shares commonalities with Defray777.\r\n72 Subscribers\n\n7 Subscribers\n\n3 Subscribers\n\nGoldMax\r\nThe full list of SHA-256 and GoldFinder\r\n130 Subscribers\r\n431 Subscribers\n\nHYPERVISOR JACKPOTTING: ANONYMOUS TARGETS ON ESXI SERVER WITH RANSOMWARE\n\nSPRITE SPIDER is an eCrime actor that conducts low-volume Big Game Hunting ransomware campaigns using the Defray777 ransomware. Other tools used by SPRITE SPIDER include the Vatet loader and the PyXie remote access tool (RAT). The adversary has established initial access by exploiting vulnerable Citrix Application Delivery Controllers, as well as by using LUNAR SPIDER’s BokBot trojan. To avoid detection, SPRITE SPIDER often stages payloads on internal servers within a victim network and uses in-memory-only deployments of its later-stage tooling. SPRITE SPIDER uses both PyXie and Cobalt Strike to move laterally within a victim environment after obtaining initial access.\r\n250 Subscribers\r\nNew Ransomware Tactic: Adversaries Target ESXi Servers\r\nFileHash-MD5: 2 | FileHash-SHA1: 2 | FileHash-SHA256: 2\r\nTargeted large-scale ransomware campaigns, referred to as big game hunting (BGH), remained the primary eCrime threat to organizations across all sectors in 2020. The relentless volume and pace of these campaigns mean that some sophisticated BGH actors have not attracted much attention. While ransomware for Linux has existed for many years, BGH actors have not historically targeted Linux, much less the ESXi hypervisor specifically. This likely reflects the overwhelming dominance of the Windows operating system in businesses and large organizations. However, in the second half of 2020, SPRITE SPIDER and CARBON SPIDER began deploying Linux versions of Defray777 and Darkside, respectively, designed specifically to affect ESXi.\r\n373,955 Subscribers\r\n551 Subscribers\r\nWhen Threat Actors Fly Under the Radar: Vatet, PyXie, and Defray777\r\nFileHash-MD5: 42 | FileHash-SHA1: 42 | FileHash-SHA256: 72 | Domain: 12 | Hostname: 1\r\nWe first noticed that there may be a relationship between the Vatet loader, PyXie Remote Access Tool (RAT) and Defray777 ransomware when there were remnants and/or detections of all three in various Incident Response and Managed Threat Hunting engagements. After digging deep into each malware family, it became apparent that Vatet, PyXie and Defray777 are all associated with the same financially motivated threat group that has been operating since as early as 2018. That threat group, sometimes referred to as PyXie by BlackBerry Cylance and GOLD DUPONT by SecureWorks, has been actively conducting successful ransomware operations that have impacted organizations in a number of sectors including healthcare, education, government and technology while remaining under the radar.\r\n373,955 Subscribers\r\n1,344 Subscribers\r\nSource: https://otx.alienvault.com/browse/pulses?q=tag:defray777",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://otx.alienvault.com/browse/pulses?q=tag:defray777"
	],
	"report_names": [
		"pulses?q=tag:defray777"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c2385aea-d30b-4dbc-844d-fef465cf3ea9",
			"created_at": "2023-01-06T13:46:38.916521Z",
			"updated_at": "2026-04-10T02:00:03.144667Z",
			"deleted_at": null,
			"main_name": "LUNAR SPIDER",
			"aliases": [
				"GOLD SWATHMORE"
			],
			"source_name": "MISPGALAXY:LUNAR SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "27e51b73-410e-4a33-93a1-49cf8a743cf7",
			"created_at": "2023-01-06T13:46:39.210675Z",
			"updated_at": "2026-04-10T02:00:03.247656Z",
			"deleted_at": null,
			"main_name": "GOLD DUPONT",
			"aliases": [
				"SPRITE SPIDER"
			],
			"source_name": "MISPGALAXY:GOLD DUPONT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7cfe3bc9-7a6c-4ee1-a635-5ea7b947147f",
			"created_at": "2024-06-19T02:03:08.122318Z",
			"updated_at": "2026-04-10T02:00:03.652418Z",
			"deleted_at": null,
			"main_name": "GOLD SWATHMORE",
			"aliases": [
				"Lunar Spider "
			],
			"source_name": "Secureworks:GOLD SWATHMORE",
			"tools": [
				"Cobalt Strike",
				"GlobeImposter",
				"Gozi",
				"Gozi Trojan",
				"IcedID",
				"Latrodectus",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "475ea823-9e47-4098-b235-0900bc1a5362",
			"created_at": "2022-10-25T16:07:24.506596Z",
			"updated_at": "2026-04-10T02:00:05.015497Z",
			"deleted_at": null,
			"main_name": "Lunar Spider",
			"aliases": [
				"Gold SwathMore"
			],
			"source_name": "ETDA:Lunar Spider",
			"tools": [
				"BokBot",
				"IceID",
				"IcedID",
				"NeverQuest",
				"Vawtrak",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7268a08d-d4d0-4ebc-bffe-3d35b3ead368",
			"created_at": "2022-10-25T16:07:24.225216Z",
			"updated_at": "2026-04-10T02:00:04.904162Z",
			"deleted_at": null,
			"main_name": "Sprite Spider",
			"aliases": [
				"Gold Dupont",
				"Sprite Spider"
			],
			"source_name": "ETDA:Sprite Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Coroxy",
				"Defray 2018",
				"Defray777",
				"DroxiDat",
				"Glushkov",
				"LaZagne",
				"Metasploit",
				"PyXie",
				"PyXie RAT",
				"Ransom X",
				"RansomExx",
				"SharpHound",
				"Shifu",
				"SystemBC",
				"Target777",
				"Vatet",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "07775b09-acd9-498e-895f-f10063115629",
			"created_at": "2024-06-04T02:03:07.817613Z",
			"updated_at": "2026-04-10T02:00:03.650268Z",
			"deleted_at": null,
			"main_name": "GOLD DUPONT",
			"aliases": [
				"Sprite Spider ",
				"Storm-2460 "
			],
			"source_name": "Secureworks:GOLD DUPONT",
			"tools": [
				"777",
				"ArtifactExx",
				"Cobalt Strike",
				"Defray",
				"Metasploit",
				"PipeMagic",
				"PyXie",
				"Shifu",
				"SystemBC",
				"Vatet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434417,
	"ts_updated_at": 1775826696,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/93e91456c81359faf4267b340a34a018e110eabe.pdf",
		"text": "https://archive.orkl.eu/93e91456c81359faf4267b340a34a018e110eabe.txt",
		"img": "https://archive.orkl.eu/93e91456c81359faf4267b340a34a018e110eabe.jpg"
	}
}