{ "id": "4899a844-9730-4b7e-afc5-2740cf7dc516", "created_at": "2026-04-06T01:30:03.744768Z", "updated_at": "2026-04-10T03:37:50.336272Z", "deleted_at": null, "sha1_hash": "94e4e6378eb860a44f420645d149d1149d8f03c1", "title": "Defence Evasion Technique: Timestomping Detection – NTFS Forensics", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 314887, "plain_text": "Defence Evasion Technique: Timestomping Detection – NTFS\r\nForensics\r\nBy inversecos\r\nPublished: 2022-04-28 · Archived: 2026-04-06 00:29:39 UTC\r\nForensic analysts are often taught two methods for detecting file timestomping that can lead to blind spots in an\r\ninvestigation. The two most well-taught methods for analysts to detect timestomping are:\r\nCompare the $STANDARD_INFORMATION timestamps vs the $FILE_NAME timestamps in the Master File\r\nTable (MFT)\r\nLook for nanoseconds in a timestamp matching “0000000” as this often shows the use of an automated tool\r\n(i.e. Metasploit) \r\nThese two detection methods are based on two fallacies that I will explore in this blog post:\r\nMyth 1: $FILE_NAME timestamps cannot be timestomped \r\nMyth 2: Attacker tools cannot alter nanoseconds in a timestamp\r\nINTRODUCTION TO TIMESTOMPING\r\nTimestomping is a technique where the timestamps of a file are modified for defence evasion. Threat actors often\r\nperform this technique to blend malicious files with legitimate files so that when an analyst is performing IR, critical\r\nevidence escapes detection. \r\nTimestomping using tools like Cobalt Strike (offensive-security tool), Timestomp.exe (timestomping tool) and\r\nMetasploit (offensive-security framework) will result in timestamp changes to the MAC(b) times in an MFT file’s\r\n$STANDARD_INFORMATION attribute. These MAC(b) times stand for:\r\nModified\r\nAccessed\r\nChanged (MFT change)\r\nBirth (Creation time) \r\nThere are two attributes that record times in an MFT file – the $STANDARD_INFORMATION ($SI) and the\r\n$FILE_NAME ($FN) attribute.  Each of these attributes stores the MAC(b) times for the file accordingly. For files\r\nhttps://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html\r\nPage 1 of 8\n\nwith filenames that are longer, there will be two corresponding $FN MAC(b) attributes totalling another 8 timestamps\r\non top of the existing $SI timestamps.\r\nModification of the $SI timestamp is the most common method of timestomping as it can be modified at the user-level\r\nusing a set of API calls. However, modification of the $FN attribute requires the kernel – OR abuse of how the $FN\r\ntimestamps are set (when a file is renamed or moved). \r\nAs such, there are two methods for modifying the $FN timestamps:\r\nMethod 1\r\nModification of $FN on older operating systems where Patch Guard hasn’t been introduced using Windows\r\nAPI calls to the native APIs NtSetInformationFile and NtQueryInformationFile.\r\nMethod 2\r\nModification of $FN on any OS by timestomping the $SI attribute and then moving or renaming the file to\r\ncopy the $SI time into the $FN time. This technique was discussed in this Black Hat Presentation. \r\nThreat Actors Utilising Timestomping \r\nJust to demonstrate for those who haven’t come across timestomping in an investigation – threat actors and malware\r\noften use this technique. Some notable threat actors that have used timestomping during their attacks include (and is\r\nnot limited to): \r\nIRON TWILIGHT (APT28)\r\nIRON HEMLOCK (APT29) – Timestomped their backdoors\r\nTIN WOODLAWN (APT32) – Timestomped raw XML scheduled task files and modified the CREATE times.  \r\nNICKEL GLADSTONE (APT38) – Modifying file times to match other files on the system.\r\nNICKEL ACADEMY (Lazarus) – Copying timestamp from calc.exe to their malicious dropped files (this is\r\nsomething that Cobalt Strike does) \r\nIf you're interested in reading more about this - check out the Mitre attack page for this technique. \r\nATTACK METHODOLOGY: Timestomping $FN \r\nIf a threat actor timestomps the $SI attribute, and then moves or renames the file – Windows will copy the\r\ntimestomped $SI times into the $FN attributes. On older versions of Windows where Patch Guard does not exist, you\r\ncan use SetMace to alter the $FN timestamps by relying on the API calls (NTSetInformationFile and\r\nNTQueryInformationFile). \r\nStep 1: Timestomp the $SI attributes by setting nanosecond precision \r\nThe tool I am using here is nTimetools and as you can see here, this already sets the nanosecond to an arbitrary\r\nattacker-defined number. This defeats the first detection that’s commonly taught to “look for .0000000 in the\r\nnanoseconds”. This has been documented by Forensics Wiki, Mari DeGrazia and Harlan Carvey.  \r\nhttps://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html\r\nPage 2 of 8\n\nWhen you analyse the MFT just to track the changes you can see that these are the timestamps for the $SI and $FN\r\nattributes. \r\n$STANDARD_INFORMATION Timestamps:\r\nCreation – 2020-05-19 12:34:56\r\nModification - 2020-05-19 12:34:56\r\nMFT change – 2020-05-19 12:34:56\r\nLast Access - 2020-05-19 12:34:56\r\n$FILENAME Timestamps:\r\nCreation – 2022-04-21 02:45:38\r\nModification - 2022-04-21 02:45:38\r\nMFT change - 2022-04-21 02:55:01\r\nLast Access - 2022-04-21 02:45:38\r\nStep 2: Move the file\r\nIn this instance I moved my “file.txt” from my Desktop into the Temp folder. \r\nStep 3: Check the $FI and $SI times have been altered\r\nhttps://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html\r\nPage 3 of 8\n\nWhen I dumped out the MFT and reviewed the timestamps for my file C:\\temp\\file.txt – these were the following\r\ntimestamps:\r\n$STANDARD_INFORMATION Timestamps:\r\nCreation – 2020-05-19 12:34:56\r\nModification - 2020-05-19 12:34:56\r\nMFT change – 2020-04-21 02:55:01\r\nLast Access - 2020-05-19 12:34:56\r\n$FILENAME Timestamps:\r\nCreation – 2020-05-19 12:34:56\r\nModification - 2020-05-19 12:34:56\r\nMFT change - 2020-05-19 12:34:56\r\nLast Access - 2020-05-19 12:34:56\r\nAs you can see here, the $FN attributes have been changed. The threat actors at this point just need to timestomp the\r\nMFT change time and then you have a perfect set of timestamps. \r\nStep 4: Alternate Method\r\nIf you’re faced with an older version of windows without Patch Guard – you can use the SetMace tool and rely on API\r\nmanipulation of the timestamps. I performed this on a 32-bit Windows 2003 Server and got the same results:\r\nFirst I created a file on my Desktop named “test.txt”\r\nhttps://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html\r\nPage 4 of 8\n\nThen proceeded to run SetMace to timestomp both $FI and $FN attributes:\r\nhttps://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html\r\nPage 5 of 8\n\nAnd then I parsed out the $MFT and you can see here that the $FN and $SI attributes were both manipulated:\r\nDETECTION METHODOLOGY \r\nFor most cases of timestomping where an attacker uses one of the following methods below - the detection methods of\r\ncomparing $FI and $SI along with looking at nanosecond precision will suffice.\r\nCobalt Strike \r\nMetasploit\r\nTimestomp.exe\r\nSetMace.exe\r\nAPIs to manipulate timestamps\r\nHowever, as demonstrated above, it’s almost trivial to bypass these two detection mechanisms which will force an\r\nanalyst to consider other methods for detection. The best method I have found for detecting these anomalies is by\r\nanalysing the USN Journal file and the $Logfile. On busy systems, the $Logfile may be overwritten very quickly\r\nwhich would force an analyst to consider pulling a $Logfile from a shadow copy. However, just the USN Journal file\r\nwill show enough information for an analyst to “question” the authenticity of the timestamps. \r\nUSN Journal Detection\r\nAs you can see in my parsed USN Journal output below, there are multiple operations that are tracked:\r\nhttps://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html\r\nPage 6 of 8\n\nFILE_CREATE \r\nRENAME_OLD_NAME \r\nRENAME_NEW_NAME\r\nFor all these timestamps that are tracked, you can see the timestamps correlating to 21st April 2021 around 2:45.\r\nThese timestamps greatly contradict the timestamps stored in the MFT where the timestomped times date back to\r\n2020. By reviewing the USN Journal and seeing this anomaly, an analyst should have alarm bells ringing. In my\r\nopinion, this is a more foolproof way of detecting timestomping versus looking for nanosecond precision / comparing\r\n$FN to $SI. \r\n$Logfile Detection \r\nIt’s not always feasible that the $Logfile will store the information that you’re looking for – especially on busy disks.\r\nHowever, for the sake of showing the detection – I did this on my “not busy” VM. \r\nWhat you want to look for the $Logfile are two logs pertaining to:\r\nOperation: CreateAttribute\r\nFilename: file.txt (or your filename)\r\nCurrentAttribute: $FILE_NAME \r\nWhen performing timestomping where you’re trying to overwrite the $FN attribute – there are two logs of interest in\r\nthe $Logfile:\r\nThe original $FILE_NAME timestamp when the file was originally created\r\nThe new $FILE_NAME timestamp when the files $FI attribute is timestomped\r\nTherefore, when considering the detection, you should look for both of these lines in the $Logfile. This is incredibly\r\nuseful to see and is also another great method for determining if timestomping has occurred – especially when\r\nconsidering that the time will not match the time in the $MFT $FI and $SI attributes.\r\nJust to show you the example from my test – this is what the two contradicting log lines look \r\nHappy hunting! \r\nREFERENCES\r\nhttps://github.com/limbenjamin/nTimetools\r\nhttps://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html\r\nPage 7 of 8\n\nhttp://windowsir.blogspot.com/2014/07/file-system-ops-effects-on-mft-records.html\r\nhttps://github.com/jschicht/SetMace\r\nhttp://forensicinsight.org/wp-content/uploads/2013/06/F-INSIGHT-NTFS-Log-TrackerEnglish.pdf\r\nhttps://az4n6.blogspot.com/2014/10/timestomp-mft-shenanigans.html\r\nhttps://forensicswiki.xyz/wiki/index.php?\r\ntitle=Timestomp#:~:text=Timestomp%20is%20a%20utility%20co,timestamp%2Drelated%20information%20on%20files.\r\nhttps://www.blackhat.com/presentations/bh-usa-05/bh-us-05-foster-liu-update.pdf\r\nhttp://undocumented.ntinternals.net/index.html?\r\npage=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FProcess%2FNtSetInformationProcess.html\r\nSource: https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html\r\nhttps://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html\r\nPage 8 of 8\n\n https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html \nThen proceeded to run SetMace to timestomp both $FI and $FN attributes:\n Page 5 of 8", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "references": [ "https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html" ], "report_names": [ "defence-evasion-technique-timestomping.html" ], "threat_actors": [ { "id": "998746e1-b4b8-429b-a737-6eb368247c42", "created_at": "2022-10-25T16:07:23.505704Z", "updated_at": "2026-04-10T02:00:04.632806Z", "deleted_at": null, "main_name": "Covellite", "aliases": [ "Black Artemis", "CTG-2460", "Nickel Academy" ], "source_name": "ETDA:Covellite", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "af509bbb-8d18-4903-a9bd-9e94099c6b30", "created_at": "2023-01-06T13:46:38.585525Z", "updated_at": "2026-04-10T02:00:03.030833Z", "deleted_at": null, "main_name": "APT32", "aliases": [ "OceanLotus", "ATK17", "G0050", "APT-C-00", "APT-32", "Canvas Cyclone", "SeaLotus", "Ocean Buffalo", "OceanLotus Group", "Cobalt Kitty", "Sea Lotus", "APT 32", "POND LOACH", "TIN WOODLAWN", "Ocean Lotus" ], "source_name": "MISPGALAXY:APT32", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "870f6f62-84f5-48ca-a18e-cf2902cd6924", "created_at": "2022-10-25T15:50:23.303818Z", "updated_at": "2026-04-10T02:00:05.301184Z", "deleted_at": null, "main_name": "APT32", "aliases": [ "APT32", "SeaLotus", "OceanLotus", "APT-C-00", "Canvas Cyclone" ], "source_name": "MITRE:APT32", "tools": [ "Mimikatz", "ipconfig", "Kerrdown", "Cobalt Strike", "SOUNDBITE", "OSX_OCEANLOTUS.D", "KOMPROGO", "netsh", "RotaJakiro", "PHOREAL", "Arp", "Denis", "Goopy" ], "source_id": "MITRE", "reports": null }, { "id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e", "created_at": "2024-06-04T02:03:07.956135Z", "updated_at": "2026-04-10T02:00:03.689959Z", "deleted_at": null, "main_name": "IRON HEMLOCK", "aliases": [ "APT29 ", "ATK7 ", "Blue Kitsune ", "Cozy Bear ", "The Dukes", "UNC2452 ", "YTTRIUM " ], "source_name": "Secureworks:IRON HEMLOCK", "tools": [ "CosmicDuke", "CozyCar", "CozyDuke", "DiefenDuke", "FatDuke", "HAMMERTOSS", "LiteDuke", "MiniDuke", "OnionDuke", "PolyglotDuke", "RegDuke", "RegDuke Loader", "SeaDuke", "Sliver" ], "source_id": "Secureworks", "reports": null }, { "id": "a241a1ca-2bc9-450b-a07b-aae747ee2710", "created_at": "2024-06-19T02:03:08.150052Z", "updated_at": "2026-04-10T02:00:03.737173Z", "deleted_at": null, "main_name": "IRON RITUAL", "aliases": [ "APT29", "Blue Dev 5 ", "BlueBravo ", "Cloaked Ursa ", "CozyLarch ", "Dark Halo ", "Midnight Blizzard ", "NOBELIUM ", "StellarParticle ", "UNC2452 " ], "source_name": "Secureworks:IRON RITUAL", "tools": [ "Brute Ratel C4", "Cobalt Strike", "EnvyScout", "GoldFinder", "GoldMax", "NativeZone", "RAINDROP", "SUNBURST", "Sibot", "TEARDROP", "VaporRage" ], "source_id": "Secureworks", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb", "created_at": "2023-01-06T13:46:38.393409Z", "updated_at": "2026-04-10T02:00:02.955738Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "Cloaked Ursa", "TA421", "Blue Kitsune", "BlueBravo", "IRON HEMLOCK", "G0016", "Nobelium", "Group 100", "YTTRIUM", "Grizzly Steppe", "ATK7", "ITG11", "COZY BEAR", "The Dukes", "Minidionis", "UAC-0029", "SeaDuke" ], "source_name": "MISPGALAXY:APT29", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "730dfa6e-572d-473c-9267-ea1597d1a42b", "created_at": "2023-01-06T13:46:38.389985Z", "updated_at": "2026-04-10T02:00:02.954105Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "Pawn Storm", "ATK5", "Fighting Ursa", "Blue Athena", "TA422", "T-APT-12", "APT-C-20", "UAC-0001", "IRON TWILIGHT", "SIG40", "UAC-0028", "Sofacy", "BlueDelta", "Fancy Bear", "GruesomeLarch", "Group 74", "ITG05", "FROZENLAKE", "Forest Blizzard", "FANCY BEAR", "Sednit", "SNAKEMACKEREL", "Tsar Team", "TG-4127", "STRONTIUM", "Grizzly Steppe", "G0007" ], "source_name": "MISPGALAXY:APT28", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7d5531e2-0ad1-4237-beed-af009035576f", "created_at": "2024-05-01T02:03:07.977868Z", "updated_at": "2026-04-10T02:00:03.817883Z", "deleted_at": null, "main_name": "BRONZE PALACE", "aliases": [ "APT15 ", "BRONZE DAVENPORT ", "BRONZE IDLEWOOD ", "CTG-6119 ", "CTG-6119 ", "CTG-9246 ", "Ke3chang ", "NICKEL ", "Nylon Typhoon ", "Playful Dragon", "Vixen Panda " ], "source_name": "Secureworks:BRONZE PALACE", "tools": [ "BMW", "BS2005", "Enfal", "Mirage", "RoyalCLI", "RoyalDNS" ], "source_id": "Secureworks", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0", "created_at": "2022-10-25T15:50:23.240383Z", "updated_at": "2026-04-10T02:00:05.299433Z", "deleted_at": null, "main_name": "APT38", "aliases": [ "APT38", "NICKEL GLADSTONE", "BeagleBoyz", "Bluenoroff", "Stardust Chollima", "Sapphire Sleet", "COPERNICIUM" ], "source_name": "MITRE:APT38", "tools": [ "ECCENTRICBANDWAGON", "HOPLIGHT", "Mimikatz", "KillDisk", "DarkComet" ], "source_id": "MITRE", "reports": null }, { "id": "5da6b5fd-1955-412a-81aa-069fb50b6e31", "created_at": "2025-08-07T02:03:25.116085Z", "updated_at": "2026-04-10T02:00:03.668978Z", "deleted_at": null, "main_name": "TIN WOODLAWN", "aliases": [ "APT32 ", "Cobalt Kitty", "OceanLotus", "WOODLAWN " ], "source_name": "Secureworks:TIN WOODLAWN", "tools": [ "Cobalt Strike", "Denis", "Goopy", "JEShell", "KerrDown", "Mimikatz", "Ratsnif", "Remy", "Rizzo", "RolandRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd", "created_at": "2022-10-25T16:07:23.766784Z", "updated_at": "2026-04-10T02:00:04.7432Z", "deleted_at": null, "main_name": "Bluenoroff", "aliases": [ "APT 38", "ATK 117", "Alluring Pisces", "Black Alicanto", "Bluenoroff", "CTG-6459", "Copernicium", "G0082", "Nickel Gladstone", "Sapphire Sleet", "Selective Pisces", "Stardust Chollima", "T-APT-15", "TA444", "TAG-71", "TEMP.Hermit" ], "source_name": "ETDA:Bluenoroff", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "2439ad53-39cc-4fff-8fdf-4028d65803c0", "created_at": "2022-10-25T16:07:23.353204Z", "updated_at": "2026-04-10T02:00:04.55407Z", "deleted_at": null, "main_name": "APT 32", "aliases": [ "APT 32", "APT-C-00", "APT-LY-100", "ATK 17", "G0050", "Lotus Bane", "Ocean Buffalo", "OceanLotus", "Operation Cobalt Kitty", "Operation PhantomLance", "Pond Loach", "SeaLotus", "SectorF01", "Tin Woodlawn" ], "source_name": "ETDA:APT 32", "tools": [ "Agentemis", "Android.Backdoor.736.origin", "AtNow", "Backdoor.MacOS.OCEANLOTUS.F", "BadCake", "CACTUSTORCH", "CamCapture Plugin", "CinaRAT", "Cobalt Strike", "CobaltStrike", "Cuegoe", "DKMC", "Denis", "Goopy", "HiddenLotus", "KOMPROGO", "KerrDown", "METALJACK", "MSFvenom", "Mimikatz", "Nishang", "OSX_OCEANLOTUS.D", "OceanLotus", "PHOREAL", "PWNDROID1", "PhantomLance", "PowerSploit", "Quasar RAT", "QuasarRAT", "RatSnif", "Remy", "Remy RAT", "Rizzo", "Roland", "Roland RAT", "SOUNDBITE", "Salgorea", "Splinter RAT", "Terracotta VPN", "Yggdrasil", "cobeacon", "denesRAT", "fingerprintjs2" ], "source_id": "ETDA", "reports": null }, { "id": "e3767160-695d-4360-8b2e-d5274db3f7cd", "created_at": "2022-10-25T16:47:55.914348Z", "updated_at": "2026-04-10T02:00:03.610018Z", "deleted_at": null, "main_name": "IRON TWILIGHT", "aliases": [ "APT28 ", "ATK5 ", "Blue Athena ", "BlueDelta ", "FROZENLAKE ", "Fancy Bear ", "Fighting Ursa ", "Forest Blizzard ", "GRAPHITE ", "Group 74 ", "PawnStorm ", "STRONTIUM ", "Sednit ", "Snakemackerel ", "Sofacy ", "TA422 ", "TG-4127 ", "Tsar Team ", "UAC-0001 " ], "source_name": "Secureworks:IRON TWILIGHT", "tools": [ "Downdelph", "EVILTOSS", "SEDUPLOADER", "SHARPFRONT" ], "source_id": "Secureworks", "reports": null }, { "id": "ae320ed7-9a63-42ed-944b-44ada7313495", "created_at": "2022-10-25T15:50:23.671663Z", "updated_at": "2026-04-10T02:00:05.283292Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127", "Forest Blizzard", "FROZENLAKE", "GruesomeLarch" ], "source_name": "MITRE:APT28", "tools": [ "Wevtutil", "certutil", "Forfiles", "DealersChoice", "Mimikatz", "ADVSTORESHELL", "Komplex", "HIDEDRV", "JHUHUGIT", "Koadic", "Winexe", "cipher.exe", "XTunnel", "Drovorub", "CORESHELL", "OLDBAIT", "Downdelph", "XAgentOSX", "USBStealer", "Zebrocy", "reGeorg", "Fysbis", "LoJax" ], "source_id": "MITRE", "reports": null }, { "id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a", "created_at": "2022-10-25T15:50:23.548494Z", "updated_at": "2026-04-10T02:00:05.292748Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "APT29", "IRON RITUAL", "IRON HEMLOCK", "NobleBaron", "Dark Halo", "NOBELIUM", "UNC2452", "YTTRIUM", "The Dukes", "Cozy Bear", "CozyDuke", "SolarStorm", "Blue Kitsune", "UNC3524", "Midnight Blizzard" ], "source_name": "MITRE:APT29", "tools": [ "PinchDuke", "ROADTools", "WellMail", "CozyCar", "Mimikatz", "Tasklist", "OnionDuke", "FatDuke", "POSHSPY", "EnvyScout", "SoreFang", "GeminiDuke", "reGeorg", "GoldMax", "FoggyWeb", "SDelete", "PolyglotDuke", "AADInternals", "MiniDuke", "SeaDuke", "Sibot", "RegDuke", "CloudDuke", "GoldFinder", "AdFind", "PsExec", "NativeZone", "Systeminfo", "ipconfig", "Impacket", "Cobalt Strike", "PowerDuke", "QUIETEXIT", "HAMMERTOSS", "BoomBox", "CosmicDuke", "WellMess", "VaporRage", "LiteDuke" ], "source_id": "MITRE", "reports": null }, { "id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab", "created_at": "2022-10-25T16:07:24.212584Z", "updated_at": "2026-04-10T02:00:04.900038Z", "deleted_at": null, "main_name": "Sofacy", "aliases": [ "APT 28", "ATK 5", "Blue Athena", "BlueDelta", "FROZENLAKE", "Fancy Bear", "Fighting Ursa", "Forest Blizzard", "G0007", "Grey-Cloud", "Grizzly Steppe", "Group 74", "GruesomeLarch", "ITG05", "Iron Twilight", "Operation DealersChoice", "Operation Dear Joohn", "Operation Komplex", "Operation Pawn Storm", "Operation RoundPress", "Operation Russian Doll", "Operation Steal-It", "Pawn Storm", "SIG40", "Sednit", "Snakemackerel", "Sofacy", "Strontium", "T-APT-12", "TA422", "TAG-0700", "TAG-110", "TG-4127", "Tsar Team", "UAC-0028", "UAC-0063" ], "source_name": "ETDA:Sofacy", "tools": [ "ADVSTORESHELL", "AZZY", "Backdoor.SofacyX", "CHERRYSPY", "CORESHELL", "Carberp", "Computrace", "DealersChoice", "Delphacy", "Downdelph", "Downrage", "Drovorub", "EVILTOSS", "Foozer", "GAMEFISH", "GooseEgg", "Graphite", "HATVIBE", "HIDEDRV", "Headlace", "Impacket", "JHUHUGIT", "JKEYSKW", "Koadic", "Komplex", "LOLBAS", "LOLBins", "Living off the Land", "LoJack", "LoJax", "MASEPIE", "Mimikatz", "NETUI", "Nimcy", "OCEANMAP", "OLDBAIT", "PocoDown", "PocoDownloader", "Popr-d30", "ProcDump", "PythocyDbg", "SMBExec", "SOURFACE", "SPLM", "STEELHOOK", "Sasfis", "Sedkit", "Sednit", "Sedreco", "Seduploader", "Shunnael", "SkinnyBoy", "Sofacy", "SofacyCarberp", "SpiderLabs Responder", "Trojan.Shunnael", "Trojan.Sofacy", "USB Stealer", "USBStealer", "VPNFilter", "Win32/USBStealer", "WinIDS", "Winexe", "X-Agent", "X-Tunnel", "XAPS", "XTunnel", "Xagent", "Zebrocy", "Zekapab", "carberplike", "certutil", "certutil.exe", "fysbis", "webhp" ], "source_id": "ETDA", "reports": null }, { "id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270", "created_at": "2022-10-25T16:07:23.341684Z", "updated_at": "2026-04-10T02:00:04.549917Z", "deleted_at": null, "main_name": "APT 29", "aliases": [ "APT 29", "ATK 7", "Blue Dev 5", "BlueBravo", "Cloaked Ursa", "CloudLook", "Cozy Bear", "Dark Halo", "Earth Koshchei", "G0016", "Grizzly Steppe", "Group 100", "ITG11", "Iron Hemlock", "Iron Ritual", "Midnight Blizzard", "Minidionis", "Nobelium", "NobleBaron", "Operation Ghost", "Operation Office monkeys", "Operation StellarParticle", "SilverFish", "Solar Phoenix", "SolarStorm", "StellarParticle", "TEMP.Monkeys", "The Dukes", "UNC2452", "UNC3524", "Yttrium" ], "source_name": "ETDA:APT 29", "tools": [ "7-Zip", "ATI-Agent", "AdFind", "Agentemis", "AtNow", "BEATDROP", "BotgenStudios", "CEELOADER", "Cloud Duke", "CloudDuke", "CloudLook", "Cobalt Strike", "CobaltStrike", "CosmicDuke", "Cozer", "CozyBear", "CozyCar", "CozyDuke", "Danfuan", "EnvyScout", "EuroAPT", "FatDuke", "FoggyWeb", "GeminiDuke", "Geppei", "GoldFinder", "GoldMax", "GraphDrop", "GraphicalNeutrino", "GraphicalProton", "HAMMERTOSS", "HammerDuke", "LOLBAS", "LOLBins", "LiteDuke", "Living off the Land", "MagicWeb", "Mimikatz", "MiniDionis", "MiniDuke", "NemesisGemina", "NetDuke", "OnionDuke", "POSHSPY", "PinchDuke", "PolyglotDuke", "PowerDuke", "QUIETEXIT", "ROOTSAW", "RegDuke", "Rubeus", "SNOWYAMBER", "SPICYBEAT", "SUNSHUTTLE", "SeaDaddy", "SeaDask", "SeaDesk", "SeaDuke", "Sharp-SMBExec", "SharpView", "Sibot", "Solorigate", "SoreFang", "TinyBaron", "WINELOADER", "WellMail", "WellMess", "cobeacon", "elf.wellmess", "reGeorg", "tDiscoverer" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775439003, "ts_updated_at": 1775792270, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/94e4e6378eb860a44f420645d149d1149d8f03c1.pdf", "text": "https://archive.orkl.eu/94e4e6378eb860a44f420645d149d1149d8f03c1.txt", "img": "https://archive.orkl.eu/94e4e6378eb860a44f420645d149d1149d8f03c1.jpg" } }