{
	"id": "04c88773-f8d0-41a2-ad72-fc2b2f70794b",
	"created_at": "2026-04-06T00:15:36.392371Z",
	"updated_at": "2026-04-10T03:38:03.289164Z",
	"deleted_at": null,
	"sha1_hash": "96dafd7ba8b22e63dd5599e73953b8258203b1b7",
	"title": "WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2268901,
	"plain_text": "WIRTE’s campaign in the Middle East ‘living off the land’ since at\r\nleast 2019\r\nBy Maher Yamout\r\nPublished: 2021-11-29 · Archived: 2026-04-05 19:49:56 UTC\r\nOverview\r\nThis February, during our hunting efforts for threat actors using VBS/VBA implants, we came across MS Excel\r\ndroppers that use hidden spreadsheets and VBA macros to drop their first stage implant. The implant itself is a\r\nVBS script with functionality to collect system information and execute arbitrary code sent by the attackers on the\r\ninfected machine.\r\nAlthough these intrusion sets may appear similar to the new MuddyWater first stage VBS implant used for\r\nreconnaissance and profiling activities, which we described recently in a private report, they have slightly\r\ndifferent TTPs and wider targeting. To date, most of the known victims are located in the Middle East, but there\r\nare also targets in other regions. Various industries are affected by this campaign. The main focus is on\r\ngovernment and diplomatic entities, though we also noticed an unusual targeting of law firms and financial\r\ninstitutions.\r\nWe attribute this campaign with high confidence to an actor named WIRTE, which is a lesser-known threat actor\r\nfirst publicly referenced by our colleagues at Lab52 in 2019. We further suspect, with low confidence, that the\r\nWIRTE group has relations with the Gaza Cybergang threat actor.\r\nMore information about WIRTE is available to customers of Kaspersky Intelligence Reporting. Contact:\r\nintelreports@kaspersky.com\r\nIn the instances we have observed, the threat actor sent spear-phishing emails, luring the victims to open a\r\nmalicious Microsoft Excel/Word document. The Excel droppers observed in all instances were using Excel 4.0\r\nmacros – a technique that uses formulas in hidden spreadsheets or cells that execute macro 4.0 commands – to\r\ndrop malware that in our particular case was named Ferocious dropper. 
The Word droppers were using standard\r\nVBA macros to download the payload. The actor tailored the decoy contents to the targeted victims, using logos\r\nand themes relevant to the targeted company or using trending topics from their region and, in one instance, even\r\nmimicking the Palestinian authority.\r\nHowever, in some cases we saw a fake ‘Kaspersky Update Agent’ executable acting as a dropper for the VBS\r\nimplant. We were unable to confirm if this PE file was also distributed through email or downloaded by the threat\r\nactor after some initial penetration, but our analysis shows it has the same execution flow as the Excel 4.0 macros.\r\nSample VBS dropper Excel and Word documents, and executable\r\nExploitation, installation and persistence\r\nhttps://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044\r\nPage 1 of 9\n\nFerocious dropper\r\nThis first stage implant is composed of VBS and PowerShell scripts. The actor used some interesting new\r\ntechniques in the dropper’s execution flow. Below, we break it down into three parts:\r\n1. Ferocious dropper: The Excel dropper, after the user opens it and disables the protected mode, will\r\nexecute a series of formulas placed in a hidden column. Initially, they will hide the main spreadsheet that\r\nrequested the user to “enable editing”, then unhide a secondary spreadsheet that contains the decoy, to\r\navoid raising suspicion. The dropper will then run formulas from a third spreadsheet with hidden columns.\r\nThe infection process will start by running three basic anti-sandbox checks using the Excel 4.0 function\r\n“GET.WORKSPACE”, with three integers:\r\n1: Get the name of the environment in which Microsoft Excel is running, as text, followed by the\r\nenvironment’s version number. 
The result will then be compared to a predefined Windows version\r\nin a hidden cell, for example: Windows (64-bit) NT :.00, Windows (64-bit) NT 6.01, Windows (32-bit) NT 10.00, Windows (32-bit) NT 6.02.\r\n19: Check if a mouse is present.\r\n42: Check if the host computer is capable of playing sounds.\r\nIf any of the above checks fail, or if the Windows environment matches any of the aforementioned\r\nversions predefined in the document (different documents have different predefined versions), the\r\nprocess will halt. Otherwise, the macro will open a temporary %ProgramData%\\winrm.txt file and\r\nsave a VBS stager to %ProgramData%\\winrm.vbs and set up registry keys for persistence.\r\n2. Ferocious run-1: After the macro finishes writing to disk, it runs winrm.vbs using explorer.exe. In turn,\r\nthe VBS script will write an embedded PowerShell snippet to a predefined filename that varies between\r\nsamples, for instance, %ProgramData%\\regionh.txt. The VBS script will also add two important registry\r\nkeys for persistence.\r\nThe persistence technique observed in all intrusions uses COM hijacking. In this technique, the threat actor\r\nis able to add a Class ID in the current user registry hive (HKCU) referencing the malicious VBS script\r\nwritten previously to %ProgramData%\\winrm.vbs. This registry modification will effectively invoke the\r\nmalicious VBS script any time a program or script references the “Scripting.Dictionary” COM object\r\nduring its execution.\r\nIn our analysis and testing, the WinRM Scripting API that is called by the legitimate Windows VBS scripts\r\n“C:\\Windows\\System32\\winrm.vbs” or “C:\\Windows\\SysWOW64\\winrm.vbs” is able to trigger the\r\npersistence mechanism smoothly. Microsoft’s command line licensing tool slmgr.vbs is also able to provide\r\nsimilar results. Both winrm.vbs and slmgr.vbs were leveraged across different intrusions. 
The mechanism\r\nthrough which these scripts are invoked during the boot process is described in a later section.\r\nRegistry keys used for COM hijacking\r\nAfter the above execution chain, the Excel 4.0 macro will clean up and delete the winrm.vbs and winrm.txt\r\nfiles.\r\n3. Ferocious run-2: The macro will continue after the cleanup by recreating and opening the same files,\r\nwinrm.vbs and winrm.txt. However, this time it writes a PowerShell one-liner wrapped with VB code\r\ntemporarily into %ProgramData%\\winrm.txt, which is then saved into %ProgramData%\\winrm.vbs. This one-liner acts as a stager for the PowerShell snippet written in regionh.txt mentioned above. Once successful,\r\nthe macro invokes %ProgramData%\\winrm.vbs again using explorer.exe, which in turn will execute the\r\nPowerShell snippet that connects to the C2 server and which we named LitePower Stager.\r\nLitePower stager\r\nThe implant is a small PowerShell script that acts as a downloader and secondary stager used to execute\r\ncommands provided by its C2, and possibly download and deploy further malware.\r\nLitePower PowerShell implant\r\nThis script is able to connect with the embedded C2 domain using predefined HTTP settings such as a unique\r\nUser-Agent:\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:FTS_06) Gecko/22.36.35.06 Firefox/2.0\r\nInterestingly, across the different incidents we observed, the “rv” field of the user agent changed. In the\r\nexample above, it is FTS_06. However, we have seen more than 10 variations. We suspect these are used to track\r\nintrusions.\r\nIf the connection to the C2 server is successful, the script parses the output and invokes it using IEX. The script\r\nsleeps for a random number of seconds between 60 and 100 after each attempt to reach the C2. 
If the threat actor\r\nsucceeds in establishing C2 communications using LitePower, further payloads containing system commands are\r\nsent back to the victim in the form of PowerShell functions through HTTP GET requests, and the command results\r\nare sent back as HTTP POST requests to the C2 server. The GET requests will be parsed by LitePower and\r\ninvoked using PowerShell’s IEX function.\r\nThe threat actor initially conducts system reconnaissance to assess the AV software installed and the user’s\r\nprivilege level. This is followed by the creation of a legitimate scheduled task to trigger the “Scripting.Dictionary” COM\r\nobject; this will become the cornerstone that allows the persistence to work using the COM hijacking\r\ntechnique and the registry keys added during the installation phase described above.\r\nSample scheduled task settings referencing SLMGR.VBS to trigger WINRM.VBS through COM hijacking\r\nThe commands observed during the different intrusions are summarized below:\r\nCommand: Get-WmiObject Win32_logicaldisk -Filter 'DeviceID=\"C:\"' | select volumeserialnumber\r\nDescription: List local disk drives\r\nCommand: $wmiQuery = 'SELECT * FROM AntiVirusProduct'; $antivirusProduct = Get-WmiObject -Namespace 'root\\SecurityCenter2' -Query $wmiQuery; if($antivirusProduct.displayName -eq ''){$ret= 'N/A'} else{$ret= $antivirusProduct.displayName}\r\nDescription: Get list of antivirus software installed\r\nCommand: (New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)\r\nDescription: Check if current user has admin privileges\r\nCommand: ((Get-WmiObject win32_operatingsystem).caption) + ' x' + ((Get-WmiObject Win32_OperatingSystem).OSArchitecture).substring(0,2)\r\nDescription: Get operating system architecture\r\nAdditional long functions that we observed can be summarized as follows:\r\nFunction Get-ServiceStatus: checks for possible backdoors installed as services (MsDataSvc and\r\nNgcCtrlSvc), if the computer is part of a domain, and if the current user is a member of “Domain admins”.\r\nFunction Get-PersistenceStatus: checks for the registry keys added for COM hijacking.\r\nFunction Get-HotFixes: lists all hotfixes installed.\r\nScreenshot: takes system screenshots and saves them to %AppData% before sending them to the C2 via a\r\nPOST request.\r\nCommand and control\r\nIn our initial sample analysis, the C2 domain we observed was stgeorgebankers[.]com. After conducting pivots\r\nthrough malware samples, we were able to identify multiple C2 domains that date back to at least December 2019.\r\nThese C2 domains were occasionally behind Cloudflare to obscure the real C2 IP address. Thanks to\r\ncollaboration with our partners, we were able to gather some of the original C2 IP addresses, which allowed us to\r\ndiscover that the servers are hosted in Ukraine and Estonia.\r\nInfrastructure overview\r\nBy looking for more machines presenting identical TLS certificates, we were able to identify additional domain\r\nnames and IP addresses. Interestingly, the server mapped to kneeexercises[.]net listens for incoming HTTPS\r\nconnections on several ports and uses common names seen on other C2 domains. For example, ports 2083 and\r\n8443 had CN firstohiobank[.]com, and TCP port 2087 had a TLS certificate with the common name\r\ndentalmatrix[.]net. 
We observed use of these non-standard ports during some of the older intrusions, while the\r\nnewer ones mostly use port 443.\r\nVictimology\r\nOur telemetry indicates that the threat actor has targeted a variety of verticals including diplomatic and financial\r\ninstitutions, government, law firms, military organizations, and technology companies. The affected entities are\r\nlocated in Armenia, Cyprus, Egypt, Jordan, Lebanon, Palestine, Syria and Turkey.\r\nThreat actor assessment\r\nWe assess with high confidence that the intrusions discussed here are associated with the WIRTE threat actor\r\ngroup.\r\nWIRTE used documents deploying Visual Basic Script (VBS), potentially delivered through spear phishing, with\r\ndecoys containing Arabic content, occasionally associated with Palestinian matters.\r\nWe see the same theme being followed in the intrusions discussed in this report. Both old and new intrusions\r\nleveraged VBS and PowerShell in similar ways to stage additional tools and communicate with the C2.\r\nEven though the latest intrusions are using TCP/443 over HTTPS in C2 communications, the oldest intrusions\r\nexplored in this report used similar ports to those mentioned in the public post by Lab52, such as TCP 2096 and\r\n2087. In addition, the C2 requests explored here and in the public post have similar PowerShell IEX command\r\nexecution and sleep functions.\r\nOld C2 request highlighting the status condition, IEX invocation and 60-100 sleep function\r\nNew C2 request highlighting the status condition, IEX invocation and 60-100 sleep function\r\nThe snippets above also show the custom user-agents. Although the old intrusions had them encoded, the\r\nintrusions explored in this report had them in plain text. 
In both cases the adversaries identified separate intrusions\r\nby changing the “rv” field.\r\nThe C2s in both cases were protected by Cloudflare, and the real VPSs were under ASNs primarily in Ukraine\r\n(e.g., ASN 201094).\r\nIn the Lab52 post, the author described the use of a defense evasion and living-off-the-land (LotL) technique using\r\nregsvr32.exe, whereas in the intrusions explored in this report, the threat actor used another LotL technique,\r\nCOM hijacking. In both cases, the working directory is %ProgramData%.\r\nAll in all, we believe that all these similarities are a strong indication that the attacks described in this report were\r\nconducted by the WIRTE threat actor.\r\nWe assess with low confidence that WIRTE is a subgroup under the Gaza Cybergang umbrella. Although the three\r\nsubgroups we are tracking use entirely different TTPs, they all occasionally use decoys associated with Palestinian\r\nmatters, which we haven’t seen commonly used by other threat actors, especially those operating in the Middle\r\nEast region such as MuddyWater and OilRig.\r\nConclusion and outlook\r\nWIRTE operators use simple and rather common TTPs that have allowed them to remain undetected for a long\r\nperiod of time. If our assessment of associating WIRTE with Gaza Cybergang proves to be correct in the future, it\r\nmay signal a change in the group’s motivation. Gaza Cybergang is politically motivated and therefore primarily\r\ntargets governmental and political entities; it is unusual for such groups to target law firms and financial\r\ninstitutions. Despite the targeting of these latter spheres, the majority of victims still fall within the government\r\nand diplomatic categories.\r\nWIRTE modified their toolset and how they operate to remain stealthy for a longer period of time. 
Living-off-the-land (LotL) techniques are an interesting new addition to their TTPs. This suspected subgroup of Gaza Cybergang\r\nused simple yet effective methods to compromise its victims with better OpSec than its suspected counterparts.\r\nUsing interpreted language malware such as VBS and PowerShell scripts, unlike the other Gaza Cybergang\r\nsubgroups, adds flexibility to update their toolset and avoid static detection controls.\r\nWhether WIRTE is a new subgroup or an evolution of existing Gaza Cybergang subgroups, we see them\r\nexpanding their presence further in cyberspace by using updated and stealthier TTPs. In the near future we expect\r\nthem to continue compromising their victims using the TTPs discussed in this report.\r\nIndicators of compromise\r\nMalicious documents and droppers\r\nClass IDs in registry\r\nHKCU:\\Software\\Classes\\CLSID\\{50236F14-2C02-4291-93AB-B5A80F9666B0}\\LocalServer32\r\nHKCU:\\Software\\Classes\\CLSID\\{14C34482-E07F-44CF-B261-385B616C54EC}\\LocalServer32\r\nFile path\r\n%AppData%\\Temp\\9127.tmp\\9128.tmp\\\r\n%ProgramData%\\\r\nPDB paths\r\nK:\\Hacking\\NgcCtrlSvc\\NgcCtrlSvc\\obj\\Release\\NgcCtrlSvc.pdb\r\nK:\\Hacking\\Tools\\MsDataSvc-v3\\MsDataSvc\\obj\\Release\\MsDataSvc.pdb\r\nDomains and IPs\r\nSource: 
https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044"
	],
	"report_names": [
		"105044"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f",
			"created_at": "2022-10-25T15:50:23.756782Z",
			"updated_at": "2026-04-10T02:00:05.324924Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Molerats",
				"Operation Molerats",
				"Gaza Cybergang"
			],
			"source_name": "MITRE:Molerats",
			"tools": [
				"MoleNet",
				"DustySky",
				"DropBook",
				"SharpStage",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b14cd6df-3108-4839-8a2d-52eb2f8ce9c8",
			"created_at": "2022-10-25T15:50:23.798666Z",
			"updated_at": "2026-04-10T02:00:05.255838Z",
			"deleted_at": null,
			"main_name": "WIRTE",
			"aliases": [
				"WIRTE"
			],
			"source_name": "MITRE:WIRTE",
			"tools": [
				"LitePower",
				"Ferocious"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7800d05d-e713-4a4f-9b4f-0b960fb82c9d",
			"created_at": "2023-11-14T02:00:07.079123Z",
			"updated_at": "2026-04-10T02:00:03.444083Z",
			"deleted_at": null,
			"main_name": "WIRTE",
			"aliases": [
				"Ashen Lepus"
			],
			"source_name": "MISPGALAXY:WIRTE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6bad0c51-0d2b-4f04-b355-f88c960db813",
			"created_at": "2025-08-07T02:03:24.546734Z",
			"updated_at": "2026-04-10T02:00:03.691101Z",
			"deleted_at": null,
			"main_name": "ALUMINUM THORN",
			"aliases": [
				"Frankenstein ",
				"WIRTE "
			],
			"source_name": "Secureworks:ALUMINUM THORN",
			"tools": [
				"FruityC2",
				"PowerShell Empire"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c",
			"created_at": "2023-01-06T13:46:38.508262Z",
			"updated_at": "2026-04-10T02:00:03.006018Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Gaza Cybergang",
				"Operation Molerats",
				"Extreme Jackal",
				"ALUMINUM SARATOGA",
				"G0021",
				"BLACKSTEM",
				"Gaza Hackers Team",
				"Gaza cybergang"
			],
			"source_name": "MISPGALAXY:Molerats",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa5c2fa9-e018-484b-9f4a-0ef76ebbbf57",
			"created_at": "2022-10-25T16:07:24.41839Z",
			"updated_at": "2026-04-10T02:00:04.982315Z",
			"deleted_at": null,
			"main_name": "WIRTE Group",
			"aliases": [
				"G0090",
				"White Dev 21"
			],
			"source_name": "ETDA:WIRTE Group",
			"tools": [
				"EmPyre",
				"EmpireProject",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"Jenxcus",
				"Kognito",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Njw0rm",
				"PowerShell Empire",
				"SameCoin",
				"WSHRAT",
				"dinihou",
				"dunihi"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-10T02:00:04.768142Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434536,
	"ts_updated_at": 1775792283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/96dafd7ba8b22e63dd5599e73953b8258203b1b7.pdf",
		"text": "https://archive.orkl.eu/96dafd7ba8b22e63dd5599e73953b8258203b1b7.txt",
		"img": "https://archive.orkl.eu/96dafd7ba8b22e63dd5599e73953b8258203b1b7.jpg"
	}
}