{ "id": "906575a2-eda8-48f4-813a-e3c9f55ee5a4", "created_at": "2026-04-29T08:21:15.751264Z", "updated_at": "2026-04-29T10:42:16.91593Z", "deleted_at": null, "sha1_hash": "950f3c7e0a75fa084ce04714e36da3cad19f814a", "title": "Blog | Arctic Wolf", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2717863, "plain_text": "Blog | Arctic Wolf\r\nPublished: 2026-04-27 · Archived: 2026-04-29 08:16:58 UTC\r\nARCTIC WOLF BLOG\r\nExecutive Summary Arctic Wolf has identified a targeted intrusion against a North American\r\nWeb3/cryptocurrency company, which we attribute with a high confidence level to BlueNoroff, a financially\r\nmotivated subgroup of DPRK’s Lazarus Group. Arctic Wolf observed an active malicious intrusion...\r\nREAD MORE  →\r\nApril 27, 2026\r\nhttps://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html\r\nPage 1 of 16\n\nApril 24, 2026\r\nApril 20, 2026\r\nhttps://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html\r\nPage 2 of 16\n\nApril 14, 2026\r\nApril 9, 2026\r\nhttps://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html\r\nPage 3 of 16\n\nApril 6, 2026\r\nApril 6, 2026\r\nhttps://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html\r\nPage 4 of 16\n\nApril 2, 2026\r\nApril 2, 2026\r\nhttps://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html\r\nPage 5 of 16\n\nApril 2, 2026\r\nApril 2, 2026\r\nhttps://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html\r\nPage 6 of 16\n\nApril 1, 2026\r\nMarch 31, 2026\r\nhttps://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html\r\nPage 7 of 16\n\nMarch 31, 2026\r\nMarch 27, 2026\r\nhttps://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html\r\nPage 8 of 16\n\nMarch 26, 2026\r\nMarch 25, 2026\r\nhttps://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html\r\nPage 9 of 16\n\nMarch 25, 2026\r\nMarch 24, 2026\r\nhttps://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html\r\nPage 10 of 16\n\nMarch 24, 2026\r\nMarch 23, 2026\r\nhttps://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html\r\nPage 11 of 16\n\nMarch 23, 2026\r\nMarch 23, 2026\r\nhttps://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html\r\nPage 12 of 16\n\nMarch 23, 2026\r\nMarch 19, 2026\r\nhttps://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html\r\nPage 13 of 16\n\nMarch 18, 2026\r\nMarch 17, 2026\r\nhttps://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html\r\nPage 14 of 16\n\nMarch 13, 2026\r\nMarch 13, 2026\r\nhttps://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html\r\nPage 15 of 16\n\nMarch 13, 2026\r\nMarch 12, 2026\r\n⟵ Page1 Page2 Page3 … Page35 ⟶\r\nSource: https://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html\r\nhttps://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html\r\nPage 16 of 16", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html" ], "report_names": [ "flirting-with-ida-and-apt28.html" ], "threat_actors": [ { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-29T10:39:54.759763Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-29T10:39:54.794165Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "730dfa6e-572d-473c-9267-ea1597d1a42b", "created_at": "2023-01-06T13:46:38.389985Z", "updated_at": "2026-04-29T10:39:53.053551Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "FANCY BEAR", "ITG05", "T-APT-12", "UAC-0001", "Fancy Bear", "STRONTIUM", "Group 74", "G0007", "Fighting Ursa", "Blue Athena", "FROZENLAKE", "Forest Blizzard", "GruesomeLarch", "Pawn Storm", "Sednit", "SNAKEMACKEREL", "TG-4127", "SIG40", "ATK5", "APT-C-20", "Sofacy", "Tsar Team", "IRON TWILIGHT", "Grizzly Steppe", "TA422", "UAC-0028", "BlueDelta" ], "source_name": "MISPGALAXY:APT28", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-29T10:39:53.065139Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Unit 121", "Bureau 121", "Group 77", "Whois Hacking Team", "ATK117", "Lazarus group", "BeagleBoyz", "Operation GhostSecret", "Appleworm", "COVELLITE", "Operation Troy", "Operation AppleJeus", "Moonstone Sleet", "Subgroup: Bluenoroff", "APT 38", "NICKEL GLADSTONE", "ATK3", "G0032", "DEV-0139", "DEV-1222", "Hastati Group", "Sapphire Sleet", "Black Artemis", "Hidden Cobra", "NewRomanic Cyber Army Team", "Stardust Chollima", "Citrine Sleet", "Andariel", "Bluenoroff", "Labyrinth Chollima", "APT38", "APT-C-26", "Diamond Sleet", "TA404", "Dark Seoul", "Nickel Academy", "G0082", "COPERNICIUM" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-29T10:39:54.631038Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0", "created_at": "2022-10-25T15:50:23.240383Z", "updated_at": "2026-04-29T10:39:54.739129Z", "deleted_at": null, "main_name": "APT38", "aliases": [ "APT38", "NICKEL GLADSTONE", "BeagleBoyz", "Bluenoroff", "Stardust Chollima", "Sapphire Sleet", "COPERNICIUM" ], "source_name": "MITRE:APT38", "tools": [ "ECCENTRICBANDWAGON", "HOPLIGHT", "Mimikatz", "KillDisk", "DarkComet" ], "source_id": "MITRE", "reports": null }, { "id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd", "created_at": "2022-10-25T16:07:23.766784Z", "updated_at": "2026-04-29T10:39:55.352691Z", "deleted_at": null, "main_name": "Bluenoroff", "aliases": [ "APT 38", "ATK 117", "Alluring Pisces", "Black Alicanto", "Bluenoroff", "CTG-6459", "Copernicium", "G0082", "Nickel Gladstone", "Sapphire Sleet", "Selective Pisces", "Stardust Chollima", "T-APT-15", "TA444", "TAG-71", "TEMP.Hermit" ], "source_name": "ETDA:Bluenoroff", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "e3767160-695d-4360-8b2e-d5274db3f7cd", "created_at": "2022-10-25T16:47:55.914348Z", "updated_at": "2026-04-29T10:39:54.568619Z", "deleted_at": null, "main_name": "IRON TWILIGHT", "aliases": [ "APT28 ", "ATK5 ", "Blue Athena ", "BlueDelta ", "FROZENLAKE ", "Fancy Bear ", "Fighting Ursa ", "Forest Blizzard ", "GRAPHITE ", "Group 74 ", "PawnStorm ", "STRONTIUM ", "Sednit ", "Snakemackerel ", "Sofacy ", "TA422 ", "TG-4127 ", "Tsar Team ", "UAC-0001 " ], "source_name": "Secureworks:IRON TWILIGHT", "tools": [ "Downdelph", "EVILTOSS", "SEDUPLOADER", "SHARPFRONT" ], "source_id": "Secureworks", "reports": null }, { "id": "ae320ed7-9a63-42ed-944b-44ada7313495", "created_at": "2022-10-25T15:50:23.671663Z", "updated_at": "2026-04-29T10:39:54.685688Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127", "Forest Blizzard", "FROZENLAKE", "GruesomeLarch" ], "source_name": "MITRE:APT28", "tools": [ "Wevtutil", "certutil", "Forfiles", "DealersChoice", "Mimikatz", "ADVSTORESHELL", "Komplex", "HIDEDRV", "JHUHUGIT", "Koadic", "Winexe", "cipher.exe", "XTunnel", "Drovorub", "LAMEHUG", "CORESHELL", "OLDBAIT", "Downdelph", "XAgentOSX", "USBStealer", "Zebrocy", "reGeorg", "Fysbis", "LoJax" ], "source_id": "MITRE", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-29T10:39:55.349403Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1777450875, "ts_updated_at": 1777459336, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/950f3c7e0a75fa084ce04714e36da3cad19f814a.pdf", "text": "https://archive.orkl.eu/950f3c7e0a75fa084ce04714e36da3cad19f814a.txt", "img": "https://archive.orkl.eu/950f3c7e0a75fa084ce04714e36da3cad19f814a.jpg" } }