{
	"id": "d3608f22-5387-46c6-a3ec-25795d21ed45",
	"created_at": "2026-04-06T00:11:19.680159Z",
	"updated_at": "2026-04-10T03:38:19.826368Z",
	"deleted_at": null,
	"sha1_hash": "9541733b25f80be3f7ce6f1f1cc080d878199d50",
	"title": "Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and macOS Backdoors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 967444,
	"plain_text": "Gleaming Pisces Poisoned Python Packages Campaign Delivers\r\nPondRAT Linux and macOS Backdoors\r\nBy Yoav Zemah\r\nPublished: 2024-09-18 · Archived: 2026-04-05 15:56:04 UTC\r\nExecutive Summary\r\nUnit 42 researchers have been tracking the activity of an ongoing poisoned Python packages campaign delivering\r\nLinux and macOS backdoors via infected Python software packages. We’ve also found Linux variants of\r\nPOOLRAT, a known macOS remote administration tool (RAT) previously attributed to Gleaming Pisces (aka\r\nCitrine Sleet, distributor of AppleJeus). Based on our research into both RAT families, we assess that the new\r\nPondRAT is a lighter version of POOLRAT.\r\nThe attackers behind this campaign uploaded several poisoned Python packages to PyPI, a popular repository of\r\nopen-source Python packages. We assess with medium confidence that this activity is linked to Gleaming Pisces\r\nbased on noticeable code similarities, and on previous public research and attribution.\r\nWe assess that the threat actor’s objective was to secure access to supply chain vendors through developers’\r\nendpoints and subsequently gain access to the vendors' customers' endpoints, as observed in previous incidents. A\r\nsuccessful installation of third-party packages can result in malware infection, compromising organizations that\r\nrely on the popular PyPI repository.\r\nAt the time of writing this article, it appears that the PyPI administrators have removed all the poisoned packages\r\nreferenced in this article.\r\nThrough the detection and intelligence provided by Advanced WildFire, Palo Alto Networks customers are better\r\nprotected against PondRAT and POOLRAT through the following products:\r\nCortex XDR with Advanced WildFire can help detect new variants of PondRAT and POOLRAT and\r\nprevent their attack chains.\r\nNext-Generation Firewalls with Cloud-Delivered Security Services, including Advanced WildFire\r\ndetection, Advanced URL Filtering and DNS Security categorize known command and control (C2)\r\ndomains and IP addresses as malicious.\r\nOrganizations can also engage the Unit 42 Incident Response team to help with a compromise or to\r\nprovide a proactive assessment to lower your risk.\r\nGleaming Pisces Overview\r\nGleaming Pisces (aka Citrine Sleet, distributor of AppleJeus) is a financially motivated threat actor affiliated with\r\nNorth Korea that has been active since at least 2018. This group is closely linked to North Korea's Reconnaissance\r\nGeneral Bureau (RGB) and is known for its sophisticated attacks, particularly against the cryptocurrency industry.\r\nhttps://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/\r\nPage 1 of 14\n\nGleaming Pisces gained notoriety for past campaigns where the group deployed fake cryptocurrency trading\r\nsoftware to infiltrate and compromise systems across various platforms.\r\nThe Connection to Known Gleaming Pisces Malware\r\nDuring our investigation of the poisoned Python packages campaign described in this writeup, we analyzed the\r\nLinux RAT that was delivered as its final payload. We discovered significant similarities with macOS malware\r\nused in a previous AppleJeus campaign reported by CISA, orchestrated by the Gleaming Pisces threat actor.\r\nThe following similarities indicate a shared codebase:\r\nOverlapping code structures\r\nIdentical function names and encryption keys\r\nSimilar execution flows\r\nWe named this RAT family PondRAT. Further analysis revealed that PondRAT shared many characteristics with\r\nPOOLRAT, another known macOS RAT in the arsenal of Gleaming Pisces. Based on these findings, we attribute\r\nthe poisoned Python packages campaign to Gleaming Pisces.\r\nPoisoned Python Packages Campaign Technical Analysis and Detection\r\nWhile tracking down recent activity by Gleaming Pisces, we came across poisoned Python packages that various\r\nmalicious fake personas uploaded to PyPI. These poisoned packages implemented an evasive infection chain to\r\navoid detection and eventually downloaded a Linux RAT onto the infected endpoints. VIPYR Security and Qihoo\r\n360 reported on this activity in detail, specifically involving the following Python packages:\r\nreal-ids (versions 0.0.3 - 0.0.5)\r\ncoloredtxt (version 0.0.2)\r\nbeautifultext (version 0.0.1)\r\nminisound (version 0.0.2)\r\nOur analysis determined that while Qihoo 360 also reported on Windows-related activities, those activities appear\r\nto be separate from the Linux and macOS campaigns. Further, we assess that the activity reported on by Qihoo\r\n360 was performed by a different threat actor, in contrast to the Linux and macOS campaigns that we here connect\r\nto Gleaming Pisces.\r\nThe infection chain includes several poisoned Python packages that decode and execute encoded code. After\r\nPython installed and loaded the malicious package, a malicious piece of code eventually ran several bash\r\ncommands to download the RAT, modifying its permissions and executing it.\r\nFigure 1 below shows the infection chain and the prevention of PondRAT by Cortex XDR.\r\nFigure 1. The PondRAT malware prevented by Cortex XDR.\r\nComparing PondRAT to Previous Gleaming Pisces Attributed Malware\r\nWe found other malware by pivoting based on code similarities to PondRAT, as well as to previously conducted\r\nresearch and attribution to Gleaming Pisces. Figure 2 below depicts a summary of these similarities.\r\nFigure 2. Similarities between the malware we found and other malware previously attributed to\r\nGleaming Pisces.\r\nCode Similarities between PondRAT and Kupayupdate_stage2\r\nIn their recently published research, VIPYR Security analyzed the code of a Linux RAT (SHA256:\r\n973f7939ea03fd2c9663dafc21bb968f56ed1b9a56b0284acf73c3ee141c053c) that was unknown at the time,\r\nwhich we now identify as the Linux variant of PondRAT. Gleaming Pisces’ operators did not strip the code,\r\nmeaning the function names remained as the threat actor initially named them.\r\nWhen we examined this RAT's main function, we saw that it contained calls to two different functions:\r\nFConnectProxy and AcceptRequest:\r\nFConnectProxy: This function handles the connection to the C2 server. It sets up the URI and parameters\r\nof the HTTP requests.\r\nAcceptRequest: This function parses and decrypts commands from the C2 server and is responsible for\r\nreceiving and executing commands from their remote operators.\r\nBack in 2021, CISA reported about another AppleJeus attack wave called Kupay Wallet. CISA identified a macOS\r\nRAT named kupayupdate_stage2 (SHA256:\r\n91eaf215be336eae983d069de16630cc3580e222c427f785e0da312d0692d0fd) that was used as the final payload of\r\nthis wave.\r\nUpon analyzing the kupayupdate_stage2 RAT for macOS, we noticed that the malware’s functions were also not\r\nstripped. When examining its code, we observed several similarities to the Linux RAT. This included the function\r\nnames FConnectProxy and AcceptRequest, and similar code execution flow.\r\nFigure 3 shows these similarities below.\r\nFigure 3. Method names and execution flow similarities of the new Linux RAT and\r\nkupayupdate_stage2 RAT.\r\nThe next step in our analysis was comparing both of the RATs' AcceptRequest functions. We noticed both variants\r\nuse the same command numerical IDs and similar method names.\r\nFigure 4 below shows that these functions are almost identical, including the command numerical IDs.\r\nFigure 4. Comparison of both RATs’ AcceptRequest function.\r\nShared Encryption Key\r\nWhile looking into the encryption method of PondRAT, we noticed that the key used for encrypting output sent\r\nback to the server was the following string:\r\nwLqfM]%wTx`~tUTbw\u003eR^#yG5R(3C:;.\r\nWhen we compared this key to the one used by kupayupdate_stage2, we noticed it was the same. Figure 5 shows\r\nthe shared key below.\r\nFigure 5. kupayupdate_stage2 encryption key.\r\nPondRAT MacOS Variants Analysis\r\nFollowing the aforementioned findings, we pivoted and retrieved additional samples of PondRAT’s macOS\r\nvariant that shared the same encryption key. We found a macOS sample that was previously attributed to the\r\npoisoned Python packages campaign and an additional AppleJeus-related macOS RAT.\r\nos_helper\r\nAfter analyzing the additional macOS samples that shared the same encryption key, we noticed that one of the\r\nsamples, a Mach-O multi-arch binary file (SHA256:\r\nbfd74b4a1b413fa785a49ca4a9c0594441a3e01983fc7f86125376fdbd4acf6b), was using the same infrastructure as\r\nthe Linux variant of PondRAT.\r\nSince multi-arch binary files for macOS support both Intel and ARM architectures, this sample contained two\r\nother Mach-O binaries. These were compiled for x64 and ARM accordingly, as expected.\r\nThe two dropped binaries share the same code (function names and encryption key) with kupayupdate_stage2, as does\r\nthe Linux variant of PondRAT. Based on the apparent code similarities and the shared submitted name os_helper,\r\nwe assess it was also delivered as the final poisoned Python packages campaign payload. Additionally, these\r\nmacOS variants used the same C2 (jdkgradle[.]com) as the Linux variant.\r\nFigure 6 below depicts how Cortex XDR prevented the macOS malware execution.\r\nFigure 6. The execution of the os_helper macOS malware prevented by Cortex XDR.\r\nAppleJeus-Related MacOS Variant\r\nAnother macOS sample (SHA256: cbf4cfa2d3c3fb04fe349161e051a8cf9b6a29f8af0c3d93db953e5b5dc39c86)\r\nwe found during pivoting that shared the same encryption key was configured to use rebelthumb[.]net as the C2\r\nserver. Volexity reported that this domain was part of the AppleJeus campaign back in 2022. This finding further\r\nstrengthens our attribution of this campaign to Gleaming Pisces.\r\nThe Connection between PondRAT and Gleaming Pisces’ POOLRAT\r\nDuring our analysis, we found one more difference between the two PondRAT Linux and macOS variants, aside\r\nfrom being compiled for different OS types. The Linux variant implemented a new SendPost function by using the\r\nlibcurl library while using the file path /tmp/xweb_log.md as the error log for failed connection attempts to the C2\r\nserver.\r\nSearching for files with similar behavior, we identified two more relevant samples that belonged to a Linux RAT\r\nexhibiting this trait. We identified this RAT as the Linux variant of POOLRAT.\r\nWhat Is POOLRAT?\r\nIn a 2021 report, CISA identified a macOS RAT dubbed prtspool (SHA256:\r\n5e40d106977017b1ed235419b1e59ff090e1f43ac57da1bb5d80d66ae53b1df8), used as the final payload in one of\r\nthe AppleJeus (CoinGoTrade) attack waves. Mandiant's analysis of the 3CX supply chain attack also mentioned\r\nthis RAT family. They reported that attackers used the POOLRAT malware to compromise 3CX’s macOS build\r\nenvironment.\r\nESET has also identified similarities between POOLRAT and a backdoor called BADCALL for Linux, also\r\nattributed to Gleaming Pisces. Figure 7 below shows the execution prevention of the POOLRAT macOS backdoor.\r\nFigure 7. The execution of the POOLRAT macOS malware prevented by Cortex XDR.\r\nThe Linux Variants of POOLRAT\r\nThe newly discovered Linux variants of POOLRAT (SHA256:\r\n5c907b722c53a5be256dc5f96b755bc9e0b032cc30973a52d984d4174bace456, SHA256:\r\nf3b0da965a4050ab00fce727bb31e0f889a9c05d68d777a8068cfc15a71d3703) exhibit several notable similarities\r\nto their macOS counterpart (prtspool). According to our analysis, we conclude that they are variants of the macOS\r\nPOOLRAT rather than a new piece of malware.\r\nThe Linux and macOS versions use an identical function structure for loading their configurations, featuring\r\nsimilar method names and functionality. Additionally, the method names in both variants are strikingly similar,\r\nand the strings are almost identical. Lastly, the mechanism that handles commands from the C2 is nearly identical.\r\nFigure 8 compares the LoadConfig method of POOLRAT’s macOS and Linux variants.\r\nFigure 8. Comparison of the LoadConfig function between POOLRAT for macOS and POOLRAT\r\nfor Linux.\r\nThese similarities in configuration and command handling suggest that the Linux versions are adaptations of the\r\noriginal macOS malware, justifying their classification as variants of POOLRAT.\r\nFigure 9 below compares the main functionality of both of the variants.\r\nFigure 9. Comparison between POOLRAT for macOS and POOLRAT for Linux.\r\nPondRAT: The Lighter Version of POOLRAT\r\nWhen analyzing PondRAT samples, we found that the command handler had similarities to POOLRAT.\r\nPondRAT has a straightforward set of commands that give the attacker the following capabilities:\r\nUploading and downloading files\r\nChecking an implant’s status to confirm if it is active\r\nInstructing the implant to pause operations for a specified duration (“sleep”)\r\nExecuting commands (with an option to either retrieve their output or not)\r\nAs the functionality of PondRAT is similar to, yet more limited than, that of POOLRAT, we assess that PondRAT is a lighter\r\nversion of POOLRAT. Table 1 below compares the commands implemented in POOLRAT and PondRAT.\r\nPOOLRAT Commands | PondRAT Commands | Description\r\nMSG_Up | MsgUp | Download a file from the C2 server.\r\nMSG_Down | MsgDown | Upload a file to the C2 Server.\r\nMSG_Cmd | MsgCmd | Execute a command and retrieve the output.\r\nMSG_Run | MsgRun | Execute a command and don’t retrieve the output.\r\nMSG_ReadConfig | (no PondRAT equivalent) | Read the configuration file and send it to the C2.\r\nMSG_WriteConfig | (no PondRAT equivalent) | Write a new configuration file.\r\nMSG_SecureDel | (no PondRAT equivalent) | Delete a file.\r\nMSG_Dir | (no PondRAT equivalent) | List a directory.\r\nMSG_Test | (no PondRAT equivalent) | Attempt to connect to an IPv4 address.\r\nMSG_SetPath | (no PondRAT equivalent) | Change the current working directory.\r\nTable 1. Comparison between POOLRAT and PondRAT commands.\r\nConclusion\r\nWe’ve examined the poisoned Python packages campaign and its ties to the North Korean Gleaming Pisces APT\r\ngroup. Our analysis of the Linux variant of PondRAT, which was dropped as the final payload in this campaign,\r\nrevealed significant similarities to malware attributed to Gleaming Pisces (kupayupdate_stage2).\r\nFurthermore, our investigation uncovered that PondRAT shares code similarities with POOLRAT, malware that\r\nwas also previously attributed to Gleaming Pisces. The evidence of additional Linux variants of POOLRAT\r\nshowed that Gleaming Pisces has been enhancing its capabilities across both Linux and macOS platforms.\r\nThe weaponization of legitimate-looking Python packages across multiple operating systems poses a significant\r\nrisk to organizations. Such attacks are particularly dangerous because they can easily remain under the radar and present\r\ndetection challenges. Successful installation of malicious third-party packages can result in malware infection that\r\ncompromises an entire network.\r\nProtections and Mitigations\r\nFor Palo Alto Networks customers, our products and services provide the following coverage associated with this\r\ngroup.\r\nCortex XDR and XSIAM help detect user and credential-based threats by analyzing user activity from multiple\r\ndata sources, including the following:\r\nEndpoints\r\nNetwork firewalls\r\nActive Directory\r\nIdentity and access management solutions\r\nCloud workloads\r\nCortex XDR and XSIAM build behavioral profiles of user activity over time with machine learning. By\r\ncomparing new activity to past activity, peer activity and the expected behavior of the entity, Cortex XDR and\r\nXSIAM help detect anomalous activity indicative of credential-based attacks.\r\nPalo Alto Networks also offers the following protections related to the attacks discussed in this post:\r\nHelps prevent the execution of known malware and execution of unknown malware by using\r\nBehavioral Threat Protection and machine learning based on the Local Analysis module.\r\nCortex XDR Pro and XSIAM help detect post-exploit activity, including credential-based attacks, with\r\nbehavioral analytics.\r\nNext-Generation Firewall with the Advanced Threat Prevention security subscription can help block\r\nthe malware C2 traffic via the following Threat Prevention signature: 86805.\r\nThe Advanced WildFire machine learning models and analysis techniques have been reviewed and\r\nupdated in light of these new PondRAT and POOLRAT variants. Multiple products in the Palo Alto\r\nNetworks portfolio leverage Advanced WildFire to provide coverage against both PondRAT and\r\nPOOLRAT variants and other threats.\r\nIf you think you might have been impacted or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our\r\nfellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to\r\ntheir customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat\r\nAlliance.\r\nIndicators of Compromise\r\nPondRAT Linux variant\r\n973f7939ea03fd2c9663dafc21bb968f56ed1b9a56b0284acf73c3ee141c053c\r\nPondRAT macOS variant\r\n0b5db31e47b0dccfdec46e74c0e70c6a1684768dbacc9eacbb4fd2ef851994c7\r\n3c8dbfcbb4fccbaf924f9a650a04cb4715f4a58d51ef49cc75bfcef0ac258a3e\r\nbce1eb513aaac344b5b8f7a9ba9c9e36fc89926d327ee5cc095fb4a895a12f80\r\nbfd74b4a1b413fa785a49ca4a9c0594441a3e01983fc7f86125376fdbd4acf6b\r\ncbf4cfa2d3c3fb04fe349161e051a8cf9b6a29f8af0c3d93db953e5b5dc39c86\r\nPondRAT C2s\r\njdkgradle[.]com\r\nrebelthumb[.]net\r\nPOOLRAT Linux variant\r\nf3b0da965a4050ab00fce727bb31e0f889a9c05d68d777a8068cfc15a71d3703\r\n5c907b722c53a5be256dc5f96b755bc9e0b032cc30973a52d984d4174bace456\r\nPOOLRAT C2s\r\nwww.talesseries[.]com/write.php\r\nrgedist[.]com/sfxl.php\r\nSource: https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/gleaming-pisces-applejeus-poolrat-and-pondrat/"
	],
	"report_names": [
		"gleaming-pisces-applejeus-poolrat-and-pondrat"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434279,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9541733b25f80be3f7ce6f1f1cc080d878199d50.pdf",
		"text": "https://archive.orkl.eu/9541733b25f80be3f7ce6f1f1cc080d878199d50.txt",
		"img": "https://archive.orkl.eu/9541733b25f80be3f7ce6f1f1cc080d878199d50.jpg"
	}
}