{
	"id": "e5ca4239-5178-419c-8cdc-dde7ad70fdf1",
	"created_at": "2026-04-06T00:06:24.692445Z",
	"updated_at": "2026-04-10T13:12:36.119846Z",
	"deleted_at": null,
	"sha1_hash": "981062d3bac04408fd21d4a1598b2fe8331db337",
	"title": "TrickBot gang doubles down enterprise infection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1617054,
	"plain_text": "TrickBot gang doubles down enterprise infection\r\nBy Ole Villadsen, Charlotte Hammond\r\nPublished: 2021-10-13 · Archived: 2026-04-05 18:43:54 UTC\r\nOle Villadsen\r\nCyber Threat Hunt Analyst\r\nIBM Security\r\nCharlotte Hammond\r\nMalware Reverse Engineer\r\nIBM Security\r\nIBM X-Force has been tracking the activity of ITG23, a prominent cybercrime gang also known as the TrickBot\r\nGang and Wizard Spider. Researchers are seeing an aggressive expansion of the gang’s malware distribution\r\nchannels, infecting enterprise users with Trickbot and BazarLoader. This move is leading to more ransomware\r\nattacks — particularly ones using the Conti ransomware.\r\nAs of mid-2021, X-Force observed ITG23 partner with two additional malware distribution affiliates — Hive0106\r\n(aka TA551) and Hive0107. These and other cybercrime vendors are infecting corporate networks with malware\r\nby hijacking email threads, using fake customer response forms and social engineering employees with a fake call\r\ncenter known as BazarCall, which is tracked as Hive0105. In one of their recent BazarCall campaigns,\r\nransomware distributors sent fake emails announcing the recipient had purchased tickets for a Justin Bieber\r\nconcert tour. ITG23 is adept at using its distribution channels to increase scale and drive profits.\r\nGame on\r\nIn recent months, the cybercriminal organization that IBM X-Force threat intelligence tracks as ITG23, also\r\nknown as Trickbot and Wizard Spider, has expanded the number and variety of channels it uses to distribute its\r\nkey initial payloads. 
In this article, IBM X-Force, together with Cylera analysts, addresses the growing number of\r\ncampaigns that ITG23 is using to deliver proprietary malware, including distribution through other cybercrime\r\ngroups that X-Force tracks as Hive0105, Hive0106 and Hive0107.\r\nEarlier this year, ITG23 primarily relied on email campaigns delivering Excel documents and a call center ruse\r\nknown as BazarCall to deliver its payloads to corporate users. However, starting around June 2021, ITG23 has\r\npartnered with two prominent malware distribution affiliates while continuing to use existing channels for\r\nmalware distribution. The new affiliates have added the use of hijacked email threads and fraudulent website\r\ncustomer inquiry forms. This move not only increased the volume of its delivery attempts but also diversified\r\ndelivery methods with the goal of infecting more potential victims than ever.\r\nhttps://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/\r\nPage 1 of 10\n\nTrickbot and BazarLoader are two prolific malware variants that are used against organizations across the globe,\r\noften to stage targeted ransomware and extortion attacks. Campaigns IBM has analyzed in the second half of 2021\r\nlikely further contributed to a corresponding increase in Conti ransomware attacks.\r\nThis trend increases the ability of ITG23 to infect more enterprise users, raises the risk of ransomware attacks and\r\ndemands vigilance and employee awareness training. X-Force expects to continue seeing it for the remainder of\r\nthe year.\r\n
The evolution of ITG23\r\nITG23 is known primarily for developing the Trickbot banking Trojan, which was first identified in 2016 and\r\ninitially used to facilitate online banking fraud. Trickbot has evolved in recent years into a modular malware\r\nfamily capable of stealing credentials and moving laterally and is being used for downloading additional\r\nbackdoors and ransomware such as Ryuk and Conti.\r\nITG23 is also responsible for developing a prolific loader known as BazarLoader and its most common payload,\r\nthe BazarBackdoor, which were first identified in April 2020. Trickbot’s developers were also credited with\r\ndeveloping the Anchor backdoor.\r\nIn September 2020, U.S. Cyber Command worked to disrupt ITG23’s operations by poisoning configuration files\r\non its command-and-control (C2) servers. Microsoft, the following month, announced its own efforts to disrupt\r\nITG23 by taking down a large number of their C2 servers. The gang pivoted its infrastructure and continues to\r\noperate in the wild. Most recently, ITG23’s move to expand its malware distribution further demonstrates that it\r\nwas able to recover from last year’s disruptions and the arrest of an ITG23 developer in February 2021.\r\nAs the gang continues to rise, its activity also leads to the potential for more ransomware attacks, particularly\r\nusing the Conti ransomware, which is also developed by ITG23. Trickbot and BazarLoader infections often lead\r\nto the deployment of Ryuk and Conti ransomware; indeed, there has been an increase in Conti ransomware\r\ndeployments coinciding with the increase in Trickbot and BazarLoader activity.\r\nOther articles in recent months have also discussed ITG23’s continued efforts to upgrade its malware, touching on\r\nboth its fraud operations and ransomware attacks. 
Some examples of the upgraded components are its web-inject\r\nand Virtual Network Computing modules and possibly the new Diavol ransomware.\r\nBazarCall campaigns persist into the Fall\r\nPerhaps the most well-publicized distributor of BazarLoader, and occasionally the Trickbot malware, is known as\r\nBazarCall (or BazaCall), which IBM tracks as Hive0105. A phishing email sent to enterprise users lures them into\r\ncalling a call center to cancel a pending subscription charge. Those who proceed to a website to download a fake\r\ncancelation form are thereby infected with BazarLoader.\r\nBazarCall campaigns began in February 2021 and have continued on a near-weekly basis in recent months,\r\nalthough X-Force has observed a decrease in the rate of new BazarCall campaigns by late summer 2021.\r\nHive0105 has been a consistent and effective payload distributor for ITG23. These crafty campaigns often lead to\r\ndata exfiltration and ransomware deployments. The two groups apparently work closely together to convert more\r\nattempts into actual infections for ITG23.\r\nBazarCall campaigns vary in themes. Each BazarCall campaign begins with emails sent to a list of targets bearing\r\na theme designed to persuade them to contact a call center to address the matter in the email, which is typically a\r\nsubscription or prize for which they will soon be charged.\r\nIn order to avoid the charges, the target is provided a phone number to call. Unlike typical malware distribution\r\ncampaigns, there are no malicious attachments or URLs in the email, which is likely a technique that Hive0105\r\nemploys to bypass security controls designed to identify emails with malicious attachments or links.\r\nThemes in recent months have ranged from cash-back discounts to in-demand concert tickets. 
Upon contacting a\r\nfraudulent call center representative, the target is directed to a fake website for which the domain address is\r\ncrafted to resemble the theme described in the email. Multiple domains are typically set up for each theme, and\r\nthey are often created, used and discarded within a matter of hours to confound the ability of security researchers\r\nand defenders to quickly identify, analyze and block the sites.\r\nFigure 1: BazarCall email lure with phone number to call malicious call center\r\nDuring the course of the conversation with the fraudulent call center representative, the target is also directed to\r\nenter information, such as a customer number located in the email, to access their account on the website and\r\nultimately download a malicious Excel file to confirm the transaction.\r\nWhen the file is run and macros enabled, these Excel documents download a malicious payload, most often\r\nBazarLoader but occasionally Trickbot. These payloads typically download and install Cobalt Strike to continue\r\nan attack that leads to data exfiltration and a Conti ransomware infection.\r\nITG23 partners with spam powerhouse Hive0106 aka TA551\r\nPerhaps the most important development in the distribution schemes of Trickbot and BazarLoader payloads is\r\nITG23’s partnership with the spamming affiliate that X-Force tracks as Hive0106. Also known as TA551, Shathak\r\nand UNC2420, this is another financially motivated threat group partnering with elite cybercrime gangs.\r\nReportedly active since 2016, Hive0106 previously had distributed payloads such as Valak, IcedID and QakBot.\r\nThe group began distributing Trickbot with the ‘zev’ gtag at the end of June 2021 and switched to BazarLoader by\r\nmid-to-late July 2021. In September and October, Hive0106 also resumed distributing Trickbot using the ‘zem’\r\nand ‘zvs’ gtags, respectively. 
ITG23 operatives are working with the threat actor Zeus on matters related to these\r\ncampaigns, from which the ‘zev,’ ‘zem’ and ‘zvs’ gtag names may be derived.\r\nIn a page taken out of business email compromise (BEC) scam books, Hive0106 campaigns begin with email\r\nlures sent to recipients of existing email threads, stolen from email clients during prior infections. The emails\r\ninclude the email thread subject line but not the entire thread. Within the email is an archive file containing a\r\nmalicious attachment and password.\r\nFigure 2: Hive0106 email lure dated August 2021\r\nDuring these recent Trickbot and BazarLoader campaigns, the malicious document drops an HTML application\r\n(HTA) file when macros are enabled. HTA files contain hypertext code and may also contain VBScript or JScript\r\nscripts, both of which are often used in booby-trapped macros. The HTA file then downloads Trickbot or\r\nBazarLoader, which has subsequently been observed downloading Cobalt Strike.\r\nHive0106 uses newly created malicious domains to host the payloads for these infection campaigns.\r\nExample:\r\nHive0107 shifts to Trickbot and BazarLoader deliveries\r\nThis summer, ITG23 also partnered with another prominent affiliate that X-Force tracks as Hive0107 to distribute\r\nTrickbot and BazarLoader. The group previously had been spotted distributing IcedID in early 2021.\r\nX-Force and Cylera analysts observed Hive0107 with occasional distribution campaigns of the Trickbot malware\r\ndetected mid-May through mid-July 2021. Those used the gtag ‘mod.’ After that period, Hive0107 switched\r\nentirely to delivering BazarLoader. 
IBM’s analysis of Quad9’s Domain Name System (DNS) data indicates that\r\nthe group primarily targets organizations in the United States and, to a lesser extent, Canada and Europe.\r\nHive0107 is known for using customer contact forms on organization websites to send malicious links to\r\nunwitting employees. The group typically enters information into these contact forms — probably using\r\nautomated methods — informing the targeted organization that it has illegally used copyrighted images and\r\nincludes a link to their evidence.\r\nThe links are hosted on well-known, legitimate cloud storage services and file drives that most organizations use.\r\nThe content often includes provocative language threatening legal action and fines if the images are not removed\r\n— pressure tactics to compel the recipient to click on the link.\r\nStarting in late August 2021, Hive0107 began using a new ruse, informing the targeted company that its website\r\nhas been performing distributed denial of service (DDoS) attacks on its servers and providing a link with the\r\nsupposed evidence and how to ‘fix’ the problem.\r\nLegitimate email services abused by Hive0107 are then used to deliver the content entered into the customer\r\ninquiry form via email to staff within the targeted organization. 
This technique might allow Hive0107 to bypass\r\nsome security measures since the email would arrive from a known sender.\r\nFigure 3: Hive0107 ‘Stolen Images Evidence’ lure, July 2021\r\nFigure 4: Hive0107 link to download malicious JScript downloader\r\nClicking on the link downloads a ZIP archive containing a malicious JScript (JS) downloader titled ‘Stolen Images\r\nEvidence.js’ or ‘DDoS attack proof and instructions on how to fix it.js.’ The JS file contacts a URL on newly\r\ncreated domains to download BazarLoader, which has been observed subsequently downloading Cobalt Strike and\r\na PowerShell script to exploit the PrintNightmare vulnerability (CVE-2021-34527).\r\nThese BazarLoader samples have also been observed downloading Trickbot. IBM suspects that access achieved\r\nthrough these Hive0107 campaigns is ultimately used to initiate a ransomware attack.\r\nExample:\r\nMultiple additional campaigns delivering Trickbot, BazarLoader\r\nBeyond the ones mentioned so far, X-Force and Cylera analysts have observed a number of additional campaigns\r\non a weekly basis delivering Trickbot and, to a lesser extent, BazarLoader. The vast majority of the Trickbot\r\ncampaigns since June 2021 use the ‘rob’ gtag, although researchers have also seen a small number of campaigns\r\nusing the ‘sat,’ ‘soc1’ and ‘fat1’ gtags. These campaigns use malicious Microsoft Office, Microsoft Shortcut\r\n(LNK) and JS downloaders delivered as email attachments.\r\nX-Force suspects these malicious carrier files are commercial and sourced from other malware suppliers. 
In some\r\ncases, IBM saw these files deliver other malware with no relationship to ITG23, such as the Zeppelin ransomware.\r\nResearchers are not certain as to whether ITG23 itself controls the delivery of these malicious emails using\r\ndedicated personnel or whether they are independently distributed by other affiliates, such as Hive0106 and\r\nHive0107. Some of these campaigns may be delivered by threat actors using the handles ‘Netwalker’ and ‘Cherry,’\r\nwho are believed to be working within the ITG23 organization and earlier this year delivered Trickbot using the\r\ngtags ‘net’ and ‘che.’ Below are descriptions of three of these campaigns.\r\nJScript downloaders\r\nBeginning in mid-July and for approximately a month, X-Force and Cylera analysts observed the use of a heavily\r\nobfuscated JS downloader to deliver primarily Trickbot payloads with the ‘rob’ gtag. Prior to their use, these\r\npayloads were delivered by malicious Excel documents. Analysts suspect the JS files were delivered as an email\r\nattachment, possibly contained within a ZIP archive.\r\nExecuted with wscript, the JS file decodes and runs a PowerShell (PS) script that contacts an initial URL from\r\nwhich it downloads and executes a second PS script — ‘wscript’ is the Windows Script Host that provides an\r\nenvironment in which users can execute scripts in a variety of languages that use object models to perform tasks.\r\nThe second PS script then downloads and executes Trickbot or, occasionally, BazarLoader from a final URL.\r\nThe majority of the initial URLs were hosted on IP addresses or compromised domains. The final URLs\r\ncontaining the payload were at times hosted on the same or different IP addresses or compromised domains. Many\r\nof the campaigns from late July to early August 2021 hosted the payload on a document management solution that\r\nenables customers to create a publicly accessible link to hosted documents. 
Similar to hosting malware on cloud\r\nservers, abusing a legitimate document management service is more likely to bypass some security controls.\r\nExample:\r\nExcel downloaders\r\nIn mid-August 2021, IBM observed the resumption of Excel downloaders to deliver Trickbot payloads with the\r\n‘rob’ gtag. One such campaign from August 2021 made use of email lures purporting to come from an automotive\r\nparts provider, containing a malicious Excel file using 4.0 macros. Excel 4.0 macro, also known as XLM 4.0\r\nmacro, is a benign record-and-playback feature of Microsoft Excel that was introduced back in 1992. When run,\r\nthe Excel document downloads and executes a Trickbot payload with gtag rob122.\r\nFigure 5: Email lure distributing Trickbot\r\nExample:\r\nShortcut file downloaders\r\nIn September 2021, X-Force and Cylera analysts identified campaigns delivering Trickbot using Microsoft\r\nShortcut (LNK) files. These campaigns leverage emails that contain a malicious URL that downloads an archive\r\nfile containing an LNK file. When executed, the LNK file downloads and executes Trickbot with the ‘rob’ gtag.\r\nSome of these LNK files use the ‘curl’ command-line tool to download the malicious payload; ‘curl’ is most often\r\nused in command lines or scripts to transfer data, for example:\r\nExample:\r\nTrickBot campaigns correlate with increase in Conti ransomware\r\nThe increase in Trickbot and BazarLoader deliveries since June 2021 likely led to a corresponding increase in\r\nConti ransomware attacks this summer. As noted above, BazarLoader and Trickbot deliveries are often followed\r\nby ransomware attacks, including attacks with Conti. 
The Cybersecurity and Infrastructure Security Agency\r\n(CISA) as of late September observed an increase in the use of Conti ransomware, issuing an advisory about rising\r\nrisks.\r\nA threat bazar on the rise\r\nITG23 started out aggressively back in 2016 and has become a cybercrime staple in the East European threat actor\r\narena. In 2021, the group has repositioned itself among the top of the cybercriminal industry, a trend IBM expects\r\nto continue into next year.\r\nThe group already has demonstrated its ability to maintain and update its malware and infrastructure, despite the\r\nefforts of law enforcement and industry groups to take it down. ITG23 has also adapted to the ransomware\r\neconomy through the creation of the Conti ransomware-as-a-service (RaaS) and the use of its BazarLoader and\r\nTrickbot payloads to gain a foothold for ransomware attacks. This latest development demonstrates the strength of\r\nits connections within the cybercriminal ecosystem and its ability to leverage these relationships to expand the\r\nnumber of organizations infected with its malware.\r\nRecommendations\r\nRansomware and extortion go hand in hand nowadays.\r\nIf you are charged with securing your organizational networks, here are some tips from X-Force to reduce the\r\nchance of infection.\r\nEstablish and maintain backup routines, including offline backups. Ensure you have backup redundancy\r\nstored separately from network zones attackers could access with read-only access. 
The availability of\r\neffective backups is a significant differentiator for organizations and can support recovery from a\r\nransomware attack.\r\nImplement a strategy to prevent unauthorized data theft, especially as it applies to uploading large amounts\r\nof data to legitimate cloud storage platforms that attackers can abuse.\r\nEmploy user behavior analytics to identify potential security incidents. When triggered, assume a breach\r\nhas taken place. Audit, monitor and quickly act on suspected abuse related to privileged accounts and\r\ngroups.\r\nEmploy multifactor authentication on all remote access points into an enterprise network — with particular\r\ncare given to secure or disable remote desktop protocol (RDP) access. Multiple ransomware attacks have\r\nbeen known to exploit weak RDP access to gain initial entry into a network.\r\nSource: https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/"
	],
	"report_names": [
		"trickbot-gang-doubles-down-enterprise-infection"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d1f8bd4e-bcd4-4101-9158-6158f1806b38",
			"created_at": "2023-01-06T13:46:39.487358Z",
			"updated_at": "2026-04-10T02:00:03.344509Z",
			"deleted_at": null,
			"main_name": "BazarCall",
			"aliases": [
				"BazzarCall",
				"BazaCall"
			],
			"source_name": "MISPGALAXY:BazarCall",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433984,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/981062d3bac04408fd21d4a1598b2fe8331db337.pdf",
		"text": "https://archive.orkl.eu/981062d3bac04408fd21d4a1598b2fe8331db337.txt",
		"img": "https://archive.orkl.eu/981062d3bac04408fd21d4a1598b2fe8331db337.jpg"
	}
}