{
	"id": "5d488208-0408-4efc-b1a7-5fe631dc8290",
	"created_at": "2026-04-06T00:12:03.237509Z",
	"updated_at": "2026-04-10T03:37:36.895064Z",
	"deleted_at": null,
	"sha1_hash": "974428fa77a78ab0126f45fa5acc41691ee3e959",
	"title": "PipeSnoop (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38271,
	"plain_text": "PipeSnoop (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 13:40:57 UTC\r\nwin.pipesnoop\r\nPipeSnoop\r\naka: TOFUPIPE\r\nCisco Talos states that PipeSnoop can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint.\r\nReferences\r\n2024-09-19 ⋅ Mandiant ⋅ Mark Lechtik, Matan Mimran, Sarah Bock, Stav Shulman\r\nUNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks\r\nCRYPTOSLAY PipeSnoop TEMPLEDOOR UNC1860\r\n2023-09-19 ⋅ Cisco Talos ⋅ Arnaud Zobec, Asheer Malhotra, Caitlin Huey, Sean Taylor, Vitor Ventura\r\nNew ShroudedSnooper actor targets telecommunications firms in the Middle East with novel Implants\r\nHTTPSnoop PipeSnoop LightBasin ShroudedSnooper\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.pipesnoop\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.pipesnoop",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.pipesnoop"
	],
	"report_names": [
		"win.pipesnoop"
	],
	"threat_actors": [
		{
			"id": "9d63303c-817c-40d7-b703-c6d62f0dbddc",
			"created_at": "2023-10-14T02:03:14.471787Z",
			"updated_at": "2026-04-10T02:00:04.891855Z",
			"deleted_at": null,
			"main_name": "ShroudedSnooper",
			"aliases": [],
			"source_name": "ETDA:ShroudedSnooper",
			"tools": [
				"HTTPSnoop",
				"PipeSnoop",
				"TOFULOAD",
				"TOFUPIPE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1ddad928-ad5f-4885-9abd-e8965dd793df",
			"created_at": "2023-11-08T02:00:07.129402Z",
			"updated_at": "2026-04-10T02:00:03.421623Z",
			"deleted_at": null,
			"main_name": "ShroudedSnooper",
			"aliases": [],
			"source_name": "MISPGALAXY:ShroudedSnooper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ece64b74-f887-4d58-9004-2d1406d37337",
			"created_at": "2022-10-25T16:07:23.794442Z",
			"updated_at": "2026-04-10T02:00:04.751764Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"DecisiveArchitect",
				"Luminal Panda",
				"TH-239",
				"UNC1945"
			],
			"source_name": "ETDA:LightBasin",
			"tools": [
				"CordScan",
				"EVILSUN",
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LEMONSTICK",
				"LOGBLEACH",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"OKSOLO",
				"OPENSHACKLE",
				"ProxyChains",
				"Pupy",
				"PupyRAT",
				"SIGTRANslator",
				"SLAPSTICK",
				"SMBExec",
				"STEELCORGI",
				"Tiny SHell",
				"pupy",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "107d5019-7454-46cf-9e39-c72d76a14633",
			"created_at": "2024-10-04T02:00:04.774831Z",
			"updated_at": "2026-04-10T02:00:03.719006Z",
			"deleted_at": null,
			"main_name": "UNC1860",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC1860",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "31c0d0e1-f793-4374-90aa-138ea1daea50",
			"created_at": "2023-11-30T02:00:07.29462Z",
			"updated_at": "2026-04-10T02:00:03.482987Z",
			"deleted_at": null,
			"main_name": "LightBasin",
			"aliases": [
				"UNC1945",
				"CL-CRI-0025"
			],
			"source_name": "MISPGALAXY:LightBasin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434323,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/974428fa77a78ab0126f45fa5acc41691ee3e959.pdf",
		"text": "https://archive.orkl.eu/974428fa77a78ab0126f45fa5acc41691ee3e959.txt",
		"img": "https://archive.orkl.eu/974428fa77a78ab0126f45fa5acc41691ee3e959.jpg"
	}
}