{ "id": "edbb6d6d-ab3e-42fd-9184-ff9dcf431f4f", "created_at": "2026-04-06T00:09:26.775651Z", "updated_at": "2026-04-10T03:37:04.41646Z", "deleted_at": null, "sha1_hash": "98deb617978df37908b1ed1a79baa0e3610c360a", "title": "Remcos (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 325303, "plain_text": "Remcos (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 16:17:57 UTC\r\nRemcos\r\naka: RemcosRAT, Remvio, Socmer\r\nActor(s): APT33, The Gorgon Group, UAC-0050\r\nVTCollection     URLhaus          \r\nRemcos (acronym of Remote Control \u0026 Surveillance Software) is a commercial Remote Access Tool to remotely\r\ncontrol computers.\r\nRemcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes,\r\nbut has been used in numerous hacking campaigns.\r\nRemcos, once installed, opens a backdoor on the computer, granting full access to the remote user.\r\nRemcos is developed by the cybersecurity company BreakingSecurity.\r\nReferences\r\n2026-03-04 ⋅ EG-FinCirt ⋅\r\nRemcos RAT Operations: How Attackers Gain and Maintain Control\r\nRemcos\r\n2026-01-13 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update July to December 2025\r\nCoper FluBot Joker Aisuru Mirai AsyncRAT BianLian Cobalt Strike DCRat Havoc Latrodectus PureLogs\r\nStealer Quasar RAT Remcos Rhadamanthys Sliver ValleyRAT Venom RAT Vidar XWorm\r\n2026-01-12 ⋅ Securonix ⋅ Aaron Beardslee, Akshay Gaikwad, Shikha Sangwan\r\nSHADOW#REACTOR – Text-Only Staging, .NET Reactor, and In-Memory Remcos RAT Deployment\r\nRemcos\r\n2025-12-19 ⋅ cyble ⋅ Cyble\r\nStealth in Layers: Unmasking the Loader used in Targeted Email Campaigns\r\nDCRat Katz Stealer PhantomVAI PureLogs Stealer Remcos XWorm\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.remcos\r\nPage 1 of 13\n\n2025-11-26 ⋅ Intrinsec ⋅ CTI Intrinsec, David Sardinha\r\nTrouble in the air: A spree of campaigns targeting the aerospace industry in Russia\r\nDarkWatchman CloudEyE Formbook PhantomCore Remcos\r\n2025-11-10 ⋅ Genians ⋅ Genians\r\nState-Sponsored Remote Wipe Tactics Targeting Android Devices\r\nQuasar RAT Remcos\r\n2025-10-15 ⋅ Kaspersky ⋅ Noushin Shabab, Ye Jin\r\nMysterious Elephant: a growing threat\r\nRemcos\r\n2025-08-26 ⋅ Recorded Future ⋅ Insikt Group\r\nTAG-144’s Persistent Grip on South American Organizations\r\nAsyncRAT BitRAT DCRat LimeRAT NjRAT PureCrypter Quasar RAT Remcos\r\n2025-07-14 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update January to June 2025\r\nCoper FluBot Hook Joker Mirai AsyncRAT BianLian BumbleBee Chaos Cobalt Strike DanaBot DCRat\r\nHavoc Latrodectus NjRAT Quasar RAT RedLine Stealer Remcos Rhadamanthys Sliver ValleyRAT\r\nWarmCookie XWorm\r\n2025-06-02 ⋅ Aryaka Networks ⋅ bikash dash, varadharajan krishnasamy\r\nRemcos on the Wire: Analyzing Network Artifacts and C2 Command Structures\r\nRemcos\r\n2025-04-03 ⋅ Microsoft ⋅ Microsoft Threat Intelligence\r\nThreat actors leverage tax season to deploy tax-themed phishing campaigns\r\nBrute Ratel C4 CloudEyE Latrodectus Remcos Storm-0249\r\n2025-03-28 ⋅ Intrinsec ⋅ David Sardinha\r\nFrom espionage to PsyOps: Tracking operations and bulletproof providers of UACs in 2025\r\nsLoad NetSupportManager RAT Remcos SmokeLoader\r\n2025-03-28 ⋅ Cisco Talos ⋅ Guilherme Venere\r\nGamaredon campaign abuses LNK files to distribute Remcos backdoor\r\nRemcos\r\n2025-03-11 ⋅ The Hacker News ⋅ Ravie Lakshmanan\r\nBlind Eagle Hacks Colombian Institutions Using NTLM Flaw, RATs and GitHub-Based Attacks\r\nAsyncRAT NjRAT Quasar RAT Remcos\r\n2025-03-10 ⋅ Check Point Research ⋅ Check Point Research\r\nBlind Eagle: …And Justice for All\r\nRemcos\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.remcos\r\nPage 2 of 13\n\n2025-02-21 ⋅ SonicWall ⋅ SonicWall\r\nRemcos RAT Targets Europe: New AMSI and ETW Evasion Tactics Uncovered\r\nRemcos\r\n2025-01-30 ⋅ Recorded Future ⋅ Insikt Group\r\nTAG-124’s Multi-Layered TDS Infrastructure and Extensive User Base\r\nRhysida KongTuke MintsLoader Broomstick Remcos Rhysida WarmCookie\r\n2025-01-10 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update July to December 2024\r\nCoper FluBot Hook Mirai FAKEUPDATES AsyncRAT BianLian Brute Ratel C4 Cobalt Strike DanaBot\r\nDCRat Havoc Latrodectus NjRAT Quasar RAT RedLine Stealer Remcos Rhadamanthys Sliver Stealc\r\n2025-01-03 ⋅ Nimantha Deshappriya\r\nRATs on the island (Remote Access Trojans in Sri Lanka's Cybersecurity Landscape)\r\nAsyncRAT Quasar RAT Remcos\r\n2024-11-08 ⋅ Fortinet ⋅ Xiaopeng Zhang\r\nNew Campaign Uses Remcos RAT to Exploit Victims\r\nRemcos\r\n2024-07-29 ⋅ loginsoft ⋅ Saharsh Agrawal\r\nBlue Screen Mayhem: When CrowdStrike's Glitch Became Threat Actor's Playground\r\nDaolpu HijackLoader Remcos\r\n2024-07-09 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update January to June 2024\r\nCoper FluBot Hook Bashlite Mirai FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc NjRAT\r\nQakBot Quasar RAT RedLine Stealer Remcos Rhadamanthys RisePro Sliver\r\n2024-06-06 ⋅ Medium b.magnezi ⋅ 0xMrMagnezi\r\nRemcos RAT Analysis\r\nRemcos\r\n2024-05-14 ⋅ Check Point Research ⋅ Antonis Terefos, Tera0017\r\nFoxit PDF “Flawed Design” Exploitation\r\nRafel RAT Agent Tesla AsyncRAT DCRat DONOT Nanocore RAT NjRAT Pony Remcos Venom RAT\r\nXWorm\r\n2024-05-10 ⋅ Elastic ⋅ Cyril François, Samir Bousseaden\r\nDissecting REMCOS RAT: An in- depth analysis of a widespread 2024 malware, Part Four\r\nRemcos\r\n2024-05-03 ⋅ Elastic ⋅ Cyril François, Samir Bousseaden\r\nDissecting REMCOS RAT: An in- depth analysis of a widespread 2024 malware, Part Three\r\nRemcos\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.remcos\r\nPage 3 of 13\n\n2024-04-30 ⋅ Elastic ⋅ Cyril François, Samir Bousseaden\r\nDissecting REMCOS RAT: An in- depth analysis of a widespread 2024 malware, Part Two\r\nRemcos\r\n2024-04-24 ⋅ Elastic ⋅ Cyril François, Samir Bousseaden\r\nDissecting REMCOS RAT: An in- depth analysis of a widespread 2024 malware, Part One\r\nRemcos\r\n2024-04-15 ⋅ Positive Technologies ⋅ Aleksandr Badaev, Kseniya Naumova\r\nSteganoAmor campaign: TA558 mass-attacking companies and public institutions all around the world\r\nLokiBot 404 Keylogger Agent Tesla CloudEyE Formbook Remcos XWorm\r\n2024-03-26 ⋅ K7 Security ⋅ Vigneshwaran P\r\nUnknown TTPs of Remcos RAT\r\nRemcos\r\n2024-03-01 ⋅ Logpoint ⋅ Nischal khadgi\r\nA Comprehensive Overview on Stealer Malware Families\r\nAgent Tesla Formbook RedLine Stealer Remcos Vidar\r\n2024-02-28 ⋅ Security Intelligence ⋅ Golo Mühr, Ole Villadsen\r\nX-Force data reveals top spam trends, campaigns and senior superlatives in 2023\r\n404 Keylogger Agent Tesla Black Basta DarkGate Formbook IcedID Loki Password Stealer (PWS) Pikabot\r\nQakBot Remcos\r\n2024-02-21 ⋅ Medium b.magnezi ⋅ 0xMrMagnezi\r\nMalware Analysis — Remcos RAT\r\nRemcos\r\n2024-01-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q4 2023\r\nFluBot Hook FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc IcedID Lumma Stealer\r\nMeterpreter NjRAT Pikabot QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys\r\nSliver\r\n2024-01-03 ⋅ Uptycs ⋅ Karthickkumar Kathiresan, Shilpesh Trivedi\r\nUkraine Targeted by UAC-0050 Using Remcos RAT Pipe Method for Evasion\r\nRemcos\r\n2023-12-07 ⋅ ⋅ Cert-UA ⋅ Cert-UA\r\nUAC-0050 mass cyberattack using RemcosRAT/MeduzaStealer against Ukraine and Poland (CERT-UA#8218)\r\nMeduza Stealer Remcos\r\n2023-11-23 ⋅ Infosec Writeups ⋅ Osama Ellahi\r\nMalware analysis Remcos RAT- 4.9.2 Pro\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.remcos\r\nPage 4 of 13\n\nRemcos\r\n2023-11-22 ⋅ Twitter (@embee_research) ⋅ Embee_research\r\nPractical Queries for Malware Infrastructure - Part 3 (Advanced Examples)\r\nBianLian Xtreme RAT NjRAT QakBot RedLine Stealer Remcos\r\n2023-11-14 ⋅ SOC Prime ⋅ Veronika Telychko\r\nRemcos RAT Detection: UAC-0050 Hackers Launch Phishing Attacks Impersonating the Security Service of\r\nUkraine\r\nRemcos UAC-0050\r\n2023-10-27 ⋅ Twitter (@embee_research) ⋅ Embee_research\r\nRemcos Downloader Analysis - Manual Deobfuscation of Visual Basic and Powershell\r\nRemcos\r\n2023-10-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q3 2023\r\nFluBot AsyncRAT Ave Maria Cobalt Strike DCRat Havoc IcedID ISFB Nanocore RAT NjRAT QakBot\r\nQuasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Stealc Tofsee Vidar\r\n2023-09-19 ⋅ Checkpoint ⋅ Alexey Bukhteyev, Arie Olshtein\r\nUnveiling the Shadows: The Dark Alliance between GuLoader and Remcos\r\nCloudEyE Remcos\r\n2023-07-11 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q2 2023\r\nHydra AsyncRAT Aurora Stealer Ave Maria BumbleBee Cobalt Strike DCRat Havoc IcedID ISFB NjRAT\r\nQakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee\r\n2023-07-08 ⋅ Gi7w0rm\r\nCloudEyE — From .lnk to Shellcode\r\nCloudEyE Remcos\r\n2023-05-16 ⋅ CyberRaiju ⋅ Jai Minton\r\nRemcos RAT - Malware Analysis Lab\r\nRemcos\r\n2023-04-13 ⋅ Microsoft ⋅ Microsoft Threat Intelligence\r\nThreat actors strive to cause Tax Day headaches\r\nCloudEyE Remcos\r\n2023-04-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q1 2023\r\nFluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT\r\nQakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.remcos\r\nPage 5 of 13\n\n2023-04-10 ⋅ Check Point ⋅ Check Point\r\nMarch 2023’s Most Wanted Malware: New Emotet Campaign Bypasses Microsoft Blocks to Distribute\r\nMalicious OneNote Files\r\nAgent Tesla CloudEyE Emotet Formbook Nanocore RAT NjRAT QakBot Remcos Tofsee\r\n2023-03-27 ⋅ Zscaler ⋅ Meghraj Nandanwar, Satyam Singh\r\nDBatLoader: Actively Distributing Malwares Targeting European Businesses\r\nDBatLoader Remcos\r\n2023-03-16 ⋅ Trend Micro ⋅ Cedric Pernet, Jaromír Hořejší, Loseway Lu\r\nIPFS: A New Data Frontier or a New Cybercriminal Hideout?\r\nAgent Tesla Formbook RedLine Stealer Remcos\r\n2023-02-22 ⋅ SOC Prime ⋅ Daryna Olyniychuk\r\nNew Phishing Attack Detection Attributed to the UAC-0050 and UAC-0096 Groups Spreading Remcos\r\nSpyware\r\nRemcos UAC-0050\r\n2023-02-21 ⋅ ⋅ Cert-UA ⋅ Cert-UA\r\nCyber attack of the group UAC-0050 (UAC-0096) using the Remcos program (CERT-UA#6011)\r\nRemcos UAC-0050\r\n2023-02-06 ⋅ ⋅ Cert-UA ⋅ Cert-UA\r\nUAC-0050 cyber attack against the state bodies of Ukraine using the program for remote control and\r\nsurveillance Remcos (CERT-UA#5926)\r\nRemcos UAC-0050\r\n2023-01-30 ⋅ Checkpoint ⋅ Arie Olshtein\r\nFollowing the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware\r\nAgent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer\r\n(PWS) Maze NetWire RC Remcos REvil TrickBot\r\n2023-01-24 ⋅ Trellix ⋅ Daksh Kapur, John Fokker, Robert Venal, Tomer Shloman\r\nCyberattacks Targeting Ukraine Increase 20-fold at End of 2022 Fueled by Russia-linked Gamaredon Activity\r\nAndromeda Formbook Houdini Remcos\r\n2022-11-21 ⋅ Malwarebytes ⋅ Malwarebytes\r\n2022-11-21 Threat Intel Report\r\n404 Keylogger Agent Tesla Formbook Hive Remcos\r\n2022-10-13 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q3 2022\r\nFluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password\r\nStealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars\r\nTofsee Vjw0rm\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.remcos\r\nPage 6 of 13\n\n2022-09-22 ⋅ Morphisec ⋅ Morphisec Labs\r\nWatch Out For The New NFT-001\r\nEternity Stealer Remcos\r\n2022-08-29 ⋅ Soc Investigation ⋅ BalaGanesh\r\nRemcos RAT New TTPS - Detection \u0026 Response\r\nRemcos\r\n2022-08-21 ⋅ Perception Point ⋅ Igal Lytzki\r\nBehind the Attack: Remcos RAT\r\nRemcos\r\n2022-08-04 ⋅ ConnectWise ⋅ Stu Gonzalez\r\nFormbook and Remcos Backdoor RAT by ConnectWise CRU\r\nFormbook Remcos\r\n2022-07-20 ⋅ Sophos ⋅ Colin Cowie, Gabor Szappanos\r\nOODA: X-Ops Takes On Burgeoning SQL Server Attacks\r\nMaoloa Remcos TargetCompany\r\n2022-05-05 ⋅ Github (muha2xmad) ⋅ Muhammad Hasan Ali\r\nAnalysis of MS Word to drop Remcos RAT | VBA extraction and analysis | IoCs\r\nRemcos\r\n2022-04-12 ⋅ HP ⋅ Patrick Schläpfer\r\nMalware Campaigns Targeting African Banking Sector\r\nCloudEyE Remcos\r\n2022-04-06 ⋅ Fortinet ⋅ Xiaopeng Zhang\r\nThe Latest Remcos RAT Driven By Phishing Campaign\r\nRemcos\r\n2022-03-30 ⋅ Morphisec ⋅ Hido Cohen\r\nNew Wave Of Remcos RAT Phishing Campaign\r\nRemcos\r\n2022-03-25 ⋅ Trustwave ⋅ Trustwave SpiderLabs\r\nCyber Attackers Leverage Russia-Ukraine Conflict in Multiple Spam Campaigns\r\nRemcos\r\n2022-03-07 ⋅ ASEC ⋅ ASEC\r\nDistribution of Remcos RAT Disguised as Tax Invoice\r\nRemcos\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.remcos\r\nPage 7 of 13\n\n2022-03-04 ⋅ Bleeping Computer ⋅ Bill Toulas\r\nRussia-Ukraine war exploited as lure for malware distribution\r\nAgent Tesla Remcos\r\n2022-03-04 ⋅ Bitdefender ⋅ Alina Bizga\r\nBitdefender Labs Sees Increased Malicious and Scam Activity Exploiting the War in Ukraine\r\nAgent Tesla Remcos\r\n2022-02-28 ⋅ ⋅ ASEC ⋅ ASEC\r\nRemcos RAT malware disseminated by pretending to be tax invoices\r\nRemcos\r\n2022-02-18 ⋅ SANS ISC ⋅ Xavier Mertens\r\nRemcos RAT Delivered Through Double Compressed Archive\r\nRemcos\r\n2022-02-14 ⋅ Morphisec ⋅ Arnold Osipov, Hido Cohen\r\nJourney of a Crypto Scammer - NFT-001\r\nAsyncRAT BitRAT Remcos\r\n2022-02-08 ⋅ Itay Migdal\r\nRemcos Analysis\r\nRemcos\r\n2022-02-08 ⋅ Intel 471 ⋅ Intel 471\r\nPrivateLoader: The first step in many malware schemes\r\nDridex Kronos LockBit Nanocore RAT NjRAT PrivateLoader Quasar RAT RedLine Stealer Remcos\r\nSmokeLoader STOP Tofsee TrickBot Vidar\r\n2022-01-28 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)\r\nRemcos RAT\r\nRemcos\r\n2022-01-13 ⋅ muha2xmad ⋅ Muhammad Hasan Ali\r\nUnpacking Remcos malware\r\nRemcos\r\n2022-01-10 ⋅ splunk ⋅ Splunk Threat Research Team\r\nDetecting Malware Script Loaders using Remcos: Threat Research Release December 2021\r\nRemcos\r\n2022-01-02 ⋅ Medium amgedwageh ⋅ Amged Wageh\r\nAutomating The Analysis Of An AutoIT Script That Wraps A Remcos RAT\r\nRemcos\r\n2021-11-29 ⋅ Trend Micro ⋅ Jaromír Hořejší\r\nCampaign Abusing Legitimate Remote Administrator Tools Uses Fake Cryptocurrency Websites\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.remcos\r\nPage 8 of 13\n\nAsyncRAT Azorult Nanocore RAT NjRAT RedLine Stealer Remcos\r\n2021-11-23 ⋅ HP ⋅ Patrick Schläpfer\r\nRATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild\r\nAdWind Ratty STRRAT CloudEyE Formbook Houdini Panda Stealer Remcos\r\n2021-11-23 ⋅ Morphisec ⋅ Arnold Osipov, Hido Cohen\r\nBabadeda Crypter targeting crypto, NFT, and DeFi communities\r\nBabadeda BitRAT LockBit Remcos\r\n2021-11-11 ⋅ splunk ⋅ Splunk Threat Research Team\r\nFIN7 Tools Resurface in the Field – Splinter or Copycat?\r\nJSSLoader Remcos\r\n2021-10-27 ⋅ Proofpoint ⋅ Joe Wise, Selena Larson\r\nNew Threat Actor Spoofs Philippine Government, COVID-19 Health Data in Widespread RAT Campaigns\r\nNanocore RAT Remcos TA2722\r\n2021-10-06 ⋅ ESET Research ⋅ Martina López\r\nTo the moon and hack: Fake SafeMoon app drops malware to spy on you\r\nRemcos\r\n2021-10-01 ⋅ HP ⋅ HP Wolf Security\r\nThreat Insights Report Q3 - 2021\r\nSTRRAT CloudEyE NetWire RC Remcos TrickBot Vjw0rm\r\n2021-09-15 ⋅ Telsy ⋅ Telsy\r\nREMCOS and Agent Tesla loaded into memory with Rezer0 loader\r\nAgent Tesla Remcos\r\n2021-09-13 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší\r\nAPT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs\r\nAsyncRAT Ave Maria BitRAT Imminent Monitor RAT LimeRAT NjRAT Remcos\r\n2021-09-13 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší\r\nAPT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs (IOCs)\r\nAsyncRAT Ave Maria BitRAT Imminent Monitor RAT LimeRAT NjRAT Remcos\r\n2021-08-04 ⋅ ⋅ ASEC ⋅ ASEC\r\nS/W Download Camouflage, Spreading Various Kinds of Malware\r\nRaccoon RedLine Stealer Remcos Vidar\r\n2021-07-27 ⋅ Blackberry ⋅ BlackBerry Research \u0026 Intelligence Team\r\nOld Dogs New Tricks: Attackers Adopt Exotic Programming Languages\r\nelf.wellmess ElectroRAT BazarNimrod Buer Cobalt Strike Remcos Snake TeleBot WellMess Zebrocy\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.remcos\r\nPage 9 of 13\n\n2021-07-19 ⋅ Malwarebytes ⋅ Erika Noerenberg\r\nRemcos RAT delivered via Visual Basic\r\nRemcos\r\n2021-07-12 ⋅ IBM ⋅ Claire Zaboeva, Dan Dash, Melissa Frydrych\r\nRoboSki and Global Recovery: Automation to Combat Evolving Obfuscation\r\n404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki\r\nPassword Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos\r\n2021-07-12 ⋅ Cipher Tech Solutions ⋅ Claire Zaboeva, Dan Dash, Melissa Frydrych\r\nRoboSki and Global Recovery: Automation to Combat Evolving Obfuscation\r\n404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki\r\nPassword Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos\r\n2021-05-13 ⋅ Anomali ⋅ Gage Mele, Tara Gould\r\nThreat Actors Use MSBuild to Deliver RATs Filelessly\r\nRemcos\r\n2021-05-05 ⋅ Zscaler ⋅ Aniruddha Dolas, Manohar Ghule, Mohd Sadique\r\nCatching RATs Over Custom Protocols Analysis of top non-HTTP/S threats\r\nAgent Tesla AsyncRAT Crimson RAT CyberGate Ghost RAT Nanocore RAT NetWire RC NjRAT Quasar\r\nRAT Remcos\r\n2021-03-18 ⋅ Cybereason ⋅ Daniel Frank\r\nCybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware\r\nNetWire RC Remcos\r\n2021-03-16 ⋅ Morphisec ⋅ Nadav Lorber\r\nTracking HCrypt: An Active Crypter as a Service\r\nAsyncRAT LimeRAT Remcos\r\n2021-02-18 ⋅ PTSecurity ⋅ PTSecurity\r\nhttps://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/\r\nPoet RAT Gravity RAT Ketrican Okrum OopsIE Remcos RogueRobinNET RokRAT SmokeLoader\r\n2021-01-13 ⋅ Bitdefender ⋅ Janos Gergo Szeles\r\nRemcos RAT Revisited: A Colombian Coronavirus-Themed Campaign\r\nRemcos\r\n2021-01-11 ⋅ ESET Research ⋅ Matías Porolli\r\nOperation Spalax: Targeted malware attacks in Colombia\r\nAgent Tesla AsyncRAT NjRAT Remcos\r\n2020-12-07 ⋅ Proofpoint ⋅ Proofpoint Threat Research Team\r\nCommodity .NET Packers use Embedded Images to Hide Payloads\r\nAgent Tesla Loki Password Stealer (PWS) Remcos\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.remcos\r\nPage 10 of 13\n\n2020-11-18 ⋅ G Data ⋅ G-Data\r\nBusiness as usual: Criminal Activities in Times of a Global Pandemic\r\nAgent Tesla Nanocore RAT NetWire RC Remcos\r\n2020-07-30 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q2 2020\r\nAdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT\r\nStealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer\r\nRemcos Zloader\r\n2020-07-13 ⋅ Github (1d8) ⋅ 1d8\r\nRemcos RAT Macro Dropper Doc\r\nRemcos\r\n2020-06-11 ⋅ Talos Intelligence ⋅ Joe Marshall, Kendall McKay\r\nTor2Mine is up to their old tricks — and adds a few new ones\r\nAzorult Remcos\r\n2020-05-20 ⋅ Zscaler ⋅ Amandeep Kumar, Rohit Chaturvedi\r\nLatest Version of Amadey Introduces Screen Capturing and Pushes the Remcos RAT\r\nAmadey Remcos\r\n2020-05-14 ⋅ 360 Total Security ⋅ kate\r\nVendetta - new threat actor from Europe\r\nNanocore RAT Remcos\r\n2020-05-14 ⋅ SophosLabs ⋅ Markel Picado\r\nRATicate: an attacker’s waves of information-stealing malware\r\nAgent Tesla BetaBot BlackRemote Formbook Loki Password Stealer (PWS) NetWire RC NjRAT Remcos\r\n2020-04-02 ⋅ Cisco Talos ⋅ Vanja Svajcer\r\nAZORult brings friends to the party\r\nAzorult Remcos\r\n2020-03-20 ⋅ Bitdefender ⋅ Liviu Arsene\r\n5 Times More Coronavirus-themed Malware Reports during March\r\nostap HawkEye Keylogger Koadic Loki Password Stealer (PWS) Nanocore RAT Remcos\r\n2020-03-18 ⋅ Proofpoint ⋅ Axel F, Sam Scholten\r\nCoronavirus Threat Landscape Update\r\nAgent Tesla Get2 ISFB Remcos\r\n2019-10-21 ⋅ Fortinet ⋅ Chris Navarrete, Xiaopeng Zhang\r\nNew Variant of Remcos RAT Observed In the Wild\r\nRemcos\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.remcos\r\nPage 11 of 13\n\n2019-09-26 ⋅ Proofpoint ⋅ Bryan Campbell, Jeremy Hedges, Proofpoint Threat Insight Team\r\nNew WhiteShadow downloader uses Microsoft SQL to retrieve malware\r\nWhiteShadow Agent Tesla Azorult Crimson RAT Formbook Nanocore RAT NetWire RC NjRAT Remcos\r\n2019-09-07 ⋅ Dissecting Malware ⋅ Marius Genheimer\r\nMalicious RATatouille\r\nRemcos\r\n2019-08-22 ⋅ Youtube (OALabs) ⋅ Sergei Frankoff\r\nRemcos RAT Unpacked From VB6 With x64dbg Debugger\r\nRemcos\r\n2019-08-15 ⋅ Trend Micro ⋅ Aliakbar Zahravi\r\nAnalysis: New Remcos RAT Arrives Via Phishing Email\r\nRemcos\r\n2019-07-01 ⋅ Talos Intelligence ⋅ Holger Unterbrink\r\nRATs and stealers rush through “Heaven’s Gate” with new loader\r\nAgent Tesla HawkEye Keylogger Remcos\r\n2019-06-19 ⋅ Check Point ⋅ Kobi Eisenkraft, Moshe Hayun\r\nCheck Point’s Threat Emulation Stops Large-Scale Phishing Campaign in Germany\r\nRemcos\r\n2019-05-08 ⋅ VMRay ⋅ Francis Montesino\r\nGet Smart with Enhanced Memory Dumping in VMRay Analyzer 3.0\r\nRemcos\r\n2019-03-27 ⋅ Symantec ⋅ Security Response Attack Investigation Team\r\nElfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.\r\nDarkComet Nanocore RAT pupy Quasar RAT Remcos TURNEDUP APT33\r\n2019-03-27 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team\r\nElfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.\r\nDarkComet MimiKatz Nanocore RAT NetWire RC pupy Quasar RAT Remcos StoneDrill TURNEDUP\r\nAPT33\r\n2018-08-22 ⋅ Cisco Talos ⋅ Edmund Brumaghin, Eric Kuhla, Holger Unterbrink, Lilia Gonzalez Medina\r\nPicking Apart Remcos Botnet-In-A-Box\r\nRemcos\r\n2018-08-02 ⋅ Palo Alto Networks Unit 42 ⋅ David Fuertes, Josh Grunzweig, Kyle Wilhoit, Robert Falcone\r\nThe Gorgon Group: Slithering Between Nation State and Cybercrime\r\nLoki Password Stealer (PWS) Nanocore RAT NjRAT Quasar RAT Remcos Revenge RAT\r\n2018-03-02 ⋅ KrabsOnSecurity ⋅ Mr. Krabs\r\nAnalysing Remcos RAT’s executable\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.remcos\r\nPage 12 of 13\n\nRemcos\r\n2018-03-01 ⋅ My Online Security ⋅ My Online Security\r\nFake order spoofed from Finchers ltd Sankyo-Rubber delivers Remcos RAT via ACE attachments\r\nRemcos\r\n2018-01-23 ⋅ RiskIQ ⋅ Yonathan Klijnsma\r\nEspionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors\r\nRemcos\r\n2017-12-22 ⋅ Malware Traffic Analysis ⋅ Brad Duncan\r\nMALSPAM USES CVE-2017-0199 TO DISTRIBUTE REMCOS RAT\r\nRemcos\r\n2017-07-01 ⋅ Secrary Blog ⋅ lasha\r\nRemcos RAT\r\nRemcos\r\n2017-02-14 ⋅ Fortinet ⋅ Floser Bacurio, Joie Salvio\r\nREMCOS: A New RAT In The Wild\r\nRemcos\r\nYara Rules\r\n[TLP:WHITE] win_remcos_auto (20251219 | Detects win.remcos.)\r\n[TLP:WHITE] win_remcos_w0   (20230906 | Detects strings present in remcos rat Samples.)\r\nDownload all Yara Rules\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.remcos\r\nPage 13 of 13", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos" ], "report_names": [ "win.remcos" ], "threat_actors": [ { "id": "98b22fd7-bf1b-41a6-b51c-0e33a0ffd813", "created_at": "2022-10-25T15:50:23.688973Z", "updated_at": "2026-04-10T02:00:05.390055Z", "deleted_at": null, "main_name": "APT-C-36", "aliases": [ "APT-C-36", "Blind Eagle" ], "source_name": "MITRE:APT-C-36", "tools": [ "Imminent Monitor" ], "source_id": "MITRE", "reports": null }, { "id": "a63c994f-d7d6-4850-a881-730635798b90", "created_at": "2025-08-07T02:03:24.788883Z", "updated_at": "2026-04-10T02:00:03.785146Z", "deleted_at": null, "main_name": "COBALT TRINITY", "aliases": [ "APT33 ", "Elfin ", "HOLMIUM ", "MAGNALIUM ", "Peach Sandstorm ", "Refined Kitten ", "TA451 " ], "source_name": "Secureworks:COBALT TRINITY", "tools": [ "AutoCore", "Cadlotcorg", "Dello RAT", "FalseFont", "Imminent Monitor", "KDALogger", "Koadic", "NanoCore", "NetWire", "POWERTON", "PoshC2", "Poylog", "PupyRAT", "Schoolbag" ], "source_id": "Secureworks", "reports": null }, { "id": "414d7c65-5872-4e56-8a7d-49a2aeef1632", "created_at": "2025-08-07T02:03:24.7983Z", "updated_at": "2026-04-10T02:00:03.76109Z", "deleted_at": null, "main_name": "COPPER FIELDSTONE", "aliases": [ "APT36 ", "Earth Karkaddan ", "Gorgon Group ", "Green Havildar ", "Mythic Leopard ", "Operation C-Major ", "Operation Transparent Tribe ", "Pasty Draco ", "ProjectM ", "Storm-0156 " ], "source_name": "Secureworks:COPPER FIELDSTONE", "tools": [ "CapraRAT", "Crimson RAT", "DarkComet", "ElizaRAT", "LuminosityLink", "ObliqueRAT", "Peppy", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "9de1979b-40fc-44dc-855d-193edda4f3b8", "created_at": "2025-08-07T02:03:24.92723Z", "updated_at": "2026-04-10T02:00:03.755516Z", "deleted_at": null, "main_name": "GOLD LOCUST", "aliases": [ "Anunak", "Carbanak", "Carbon Spider ", "FIN7 ", "Silicon " ], "source_name": "Secureworks:GOLD LOCUST", "tools": [ "Carbanak" ], "source_id": "Secureworks", "reports": null }, { "id": "64d750e4-67db-4461-bae2-6e75bfced852", "created_at": "2022-10-25T16:07:24.01415Z", "updated_at": "2026-04-10T02:00:04.839502Z", "deleted_at": null, "main_name": "Operation Spalax", "aliases": [], "source_name": "ETDA:Operation Spalax", "tools": [ "AsyncRAT", "Bladabindi", "Jorik", "Remcos", "RemcosRAT", "Remvio", "Socmer", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "316b23b5-e097-4dc6-8b1c-d096860c6c16", "created_at": "2022-10-25T16:07:24.290801Z", "updated_at": "2026-04-10T02:00:04.924688Z", "deleted_at": null, "main_name": "TA558", "aliases": [], "source_name": "ETDA:TA558", "tools": [ "AZORult", "AsyncRAT", "Bladabindi", "ExtRat", "Jorik", "Loda", "Loda RAT", "LodaRAT", "Nymeria", "PuffStealer", "Remcos", "RemcosRAT", "Remvio", "Revenge RAT", "RevengeRAT", "Revetrat", "Rultazo", "Socmer", "Vengeance Justice Worm", "Vjw0rm", "Xtreme RAT", "XtremeRAT", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "0d07b30c-4393-4071-82fb-22f51f7749e0", "created_at": "2022-10-25T16:07:24.097096Z", "updated_at": "2026-04-10T02:00:04.865146Z", "deleted_at": null, "main_name": "RATicate", "aliases": [], "source_name": "ETDA:RATicate", "tools": [ "AgenTesla", "Agent Tesla", "AgentTesla", "BetaBot", "BlackRAT", "BlackRemote", "Bladabindi", "CloudEyE", "ForeIT", "Formbook", "GuLoader", "Jorik", "Loki", "Loki.Rat", "LokiBot", "LokiPWS", "NSIS", "Negasteal", "NetWeird", "NetWire", "NetWire RAT", "NetWire RC", "NetWired RC", "Neurevt", "Nullsoft Scriptable Install System", "Origin Logger", "Recam", "Remcos", "RemcosRAT", "Remvio", "Socmer", "ZPAQ", "njRAT", "vbdropper", "win.xloader" ], "source_id": "ETDA", "reports": null }, { "id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf", "created_at": "2023-01-06T13:46:38.405479Z", "updated_at": "2026-04-10T02:00:02.961112Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "ATK32", "G0046", "G0008", "Sangria Tempest", "ELBRUS", "GOLD NIAGARA", "Coreid", "Carbanak", "Carbon Spider", "JokerStash", "CARBON SPIDER" ], "source_name": "MISPGALAXY:FIN7", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "18278778-fa63-4a9a-8988-4d266b8c5c1a", "created_at": "2023-01-06T13:46:38.769816Z", "updated_at": "2026-04-10T02:00:03.094179Z", "deleted_at": null, "main_name": "The Gorgon Group", "aliases": [ "Gorgon Group", "Subaat", "ATK92", "G0078", "Pasty Gemini" ], "source_name": "MISPGALAXY:The Gorgon Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "97fdaf9f-cae1-4ccc-abe2-76e5cbc0febd", "created_at": "2022-10-25T15:50:23.296989Z", "updated_at": "2026-04-10T02:00:05.347085Z", "deleted_at": null, "main_name": "Gorgon Group", "aliases": [ "Gorgon Group" ], "source_name": "MITRE:Gorgon Group", "tools": [ "NanoCore", "QuasarRAT", "Remcos", "njRAT" ], "source_id": "MITRE", "reports": null }, { "id": "8259735e-8dd0-462f-80ff-c265fa839b76", "created_at": "2024-02-06T02:00:04.110337Z", "updated_at": "2026-04-10T02:00:03.57093Z", "deleted_at": null, "main_name": "TA2722", "aliases": [ "Balikbayan Foxes" ], "source_name": "MISPGALAXY:TA2722", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e5ff825b-0456-4013-b90a-971b93def74a", "created_at": "2022-10-25T15:50:23.824058Z", "updated_at": "2026-04-10T02:00:05.377261Z", "deleted_at": null, "main_name": "APT33", "aliases": [ "APT33", "HOLMIUM", "Elfin", "Peach Sandstorm" ], "source_name": "MITRE:APT33", "tools": [ "PowerSploit", "AutoIt backdoor", "PoshC2", "Mimikatz", "NanoCore", "DEADWOOD", "StoneDrill", "POWERTON", "LaZagne", "TURNEDUP", "NETWIRE", "Pupy", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "be597b07-0cde-47bc-80c3-790a8df34af4", "created_at": "2022-10-25T16:07:23.407484Z", "updated_at": "2026-04-10T02:00:04.58656Z", "deleted_at": null, "main_name": "Blind Eagle", "aliases": [ "APT-C-36", "APT-Q-98", "AguilaCiega", "G0099" ], "source_name": "ETDA:Blind Eagle", "tools": [ "AsyncRAT", "BitRAT", "Bladabindi", "BlotchyQuasar", "Imminent Monitor", "Imminent Monitor RAT", "Jorik", "LimeRAT", "Remcos", "RemcosRAT", "Remvio", "Socmer", "Warzone", "Warzone RAT", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "f5339d7c-473e-4b49-b44c-189b4f72b585", "created_at": "2024-12-28T02:01:54.8259Z", "updated_at": "2026-04-10T02:00:04.778045Z", "deleted_at": null, "main_name": "Mysterious Elephant", "aliases": [ "APT-K-47" ], "source_name": "ETDA:Mysterious Elephant", "tools": [ "ORPCBackdoor" ], "source_id": "ETDA", "reports": null }, { "id": "7e7782b0-8b0b-4e92-b58a-c696b6d70ea1", "created_at": "2025-05-29T02:00:03.18524Z", "updated_at": "2026-04-10T02:00:03.843199Z", "deleted_at": null, "main_name": "Storm-0249", "aliases": [ "DEV-0249" ], "source_name": "MISPGALAXY:Storm-0249", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "4390d8ec-605d-493a-81ee-d5ef80c07046", "created_at": "2025-05-29T02:00:03.223467Z", "updated_at": "2026-04-10T02:00:03.873701Z", "deleted_at": null, "main_name": "TAG-124", "aliases": [ "LandUpdate808" ], "source_name": "MISPGALAXY:TAG-124", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f4f16213-7a22-4527-aecb-b964c64c2c46", "created_at": "2024-06-19T02:03:08.090932Z", "updated_at": "2026-04-10T02:00:03.6289Z", "deleted_at": null, "main_name": "GOLD NIAGARA", "aliases": [ "Calcium ", "Carbanak", "Carbon Spider ", "FIN7 ", "Navigator ", "Sangria Tempest ", "TelePort Crew " ], "source_name": "Secureworks:GOLD NIAGARA", "tools": [ "Bateleur", "Carbanak", "Cobalt Strike", "DICELOADER", "DRIFTPIN", "GGLDR", "GRIFFON", "JSSLoader", "Meterpreter", "OFFTRACK", "PILLOWMINT", "POWERTRASH", "SUPERSOFT", "TAKEOUT", "TinyMet" ], "source_id": "Secureworks", "reports": null }, { "id": "a2e59183-d83f-47aa-adf9-97925d8e6452", "created_at": "2023-12-08T02:00:05.762162Z", "updated_at": "2026-04-10T02:00:03.496538Z", "deleted_at": null, "main_name": "UAC-0050", "aliases": [], "source_name": "MISPGALAXY:UAC-0050", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "0dbd3195-22ca-47c4-a3f1-aa058b06a1d9", "created_at": "2022-10-25T16:07:24.269634Z", "updated_at": "2026-04-10T02:00:04.917125Z", "deleted_at": null, "main_name": "TA2722", "aliases": [ "Balikbayan Foxes" ], "source_name": "ETDA:TA2722", "tools": [ "Atros2.CKPN", "Nancrat", "NanoCore", "NanoCore RAT", "Remcos", "RemcosRAT", "Remvio", "Socmer", "Zurten" ], "source_id": "ETDA", "reports": null }, { "id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f", "created_at": "2023-01-06T13:46:38.367369Z", "updated_at": "2026-04-10T02:00:02.945356Z", "deleted_at": null, "main_name": "APT33", "aliases": [ "Elfin", "MAGNALLIUM", "HOLMIUM", "COBALT TRINITY", "G0064", "ATK35", "Peach Sandstorm", "TA451", "APT 33", "Refined Kitten" ], "source_name": "MISPGALAXY:APT33", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b938e2e3-3d1b-4b35-a031-ddf25b912557", "created_at": "2022-10-25T16:07:23.35582Z", "updated_at": "2026-04-10T02:00:04.55531Z", "deleted_at": null, "main_name": "APT 33", "aliases": [ "APT 33", "ATK 35", "Cobalt Trinity", "Curious Serpens", "Elfin", "G0064", "Holmium", "Magnallium", "Peach Sandstorm", "Refined Kitten", "TA451", "Yellow Orc" ], "source_name": "ETDA:APT 33", "tools": [ "Atros2.CKPN", "AutoIt backdoor", "Breut", "CinaRAT", "DROPSHOT", "DarkComet", "DarkKomet", "DistTrack", "EmPyre", "EmpireProject", "FYNLOS", "FalseFont", "Filerase", "Fynloski", "JuicyPotato", "Krademok", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "Mimikatz", "Nancrat", "NanoCore", "NanoCore RAT", "NetWeird", "NetWire", "NetWire RAT", "NetWire RC", "NetWired RC", "Notestuk", "POWERTON", "PoshC2", "PowerBand", "PowerShell Empire", "PowerSploit", "PsList", "Pupy", "PupyRAT", "Quasar RAT", "QuasarRAT", "Recam", "Remcos", "RemcosRAT", "Remvio", "SHAPESHIFT", "Shamoon", "Socmer", "StoneDrill", "TURNEDUP", "Tickler", "Yggdrasil", "Zurten", "klovbot", "pupy" ], "source_id": "ETDA", "reports": null }, { "id": "cf91b389-9602-45c0-8d6b-c61d14800f54", "created_at": "2023-01-06T13:46:39.448277Z", "updated_at": "2026-04-10T02:00:03.332604Z", "deleted_at": null, "main_name": "TA558", "aliases": [], "source_name": "MISPGALAXY:TA558", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3a0cfbbc-2acf-4cc8-afe1-1859679c522c", "created_at": "2022-10-25T16:07:24.373716Z", "updated_at": "2026-04-10T02:00:04.963615Z", "deleted_at": null, "main_name": "Vendetta", "aliases": [ "TA2719" ], "source_name": "ETDA:Vendetta", "tools": [ "AsyncRAT", "Atros2.CKPN", "Nancrat", "NanoCore", "NanoCore RAT", "ReZer0", "Remcos", "RemcosRAT", "Remvio", "RoboSki", "Socmer", "Zurten" ], "source_id": "ETDA", "reports": null }, { "id": "bd43391b-b835-4cb3-839a-d830aa1a3410", "created_at": "2023-01-06T13:46:38.925525Z", "updated_at": "2026-04-10T02:00:03.147197Z", "deleted_at": null, "main_name": "APT-C-36", "aliases": [ "Blind Eagle" ], "source_name": "MISPGALAXY:APT-C-36", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bfded1cf-be73-44f9-a391-0751c9996f9a", "created_at": "2022-10-25T15:50:23.337107Z", "updated_at": "2026-04-10T02:00:05.252413Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "FIN7", "GOLD NIAGARA", "ITG14", "Carbon Spider", "ELBRUS", "Sangria Tempest" ], "source_name": "MITRE:FIN7", "tools": [ "Mimikatz", "AdFind", "JSS Loader", "HALFBAKED", "REvil", "PowerSploit", "CrackMapExec", "Carbanak", "Pillowmint", "Cobalt Strike", "POWERSOURCE", "RDFSNIFFER", "SQLRat", "Lizar", "TEXTMATE", "BOOSTWRITE" ], "source_id": "MITRE", "reports": null }, { "id": "6c4e4b91-1f98-49e2-90e6-435cea8d3d53", "created_at": "2022-10-25T16:07:23.693797Z", "updated_at": "2026-04-10T02:00:04.711987Z", "deleted_at": null, "main_name": "Gorgon Group", "aliases": [ "ATK 92", "G0078", "Pasty Draco", "Subaat", "TAG-CR5" ], "source_name": "ETDA:Gorgon Group", "tools": [ "AgenTesla", "Agent Tesla", "AgentTesla", "Atros2.CKPN", "Bladabindi", "CinaRAT", "Crimson RAT", "ForeIT", "Jorik", "LOLBAS", "LOLBins", "Living off the Land", "Loki", "Loki.Rat", "LokiBot", "LokiPWS", "MSIL", "MSIL/Crimson", "Nancrat", "NanoCore", "NanoCore RAT", "Negasteal", "NetWeird", "NetWire", "NetWire RAT", "NetWire RC", "NetWired RC", "Origin Logger", "Quasar RAT", "QuasarRAT", "Recam", "Remcos", "RemcosRAT", "Remvio", "Revenge RAT", "RevengeRAT", "Revetrat", "SEEDOOR", "Scarimson", "Socmer", "Yggdrasil", "ZPAQ", "Zurten", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82", "created_at": "2022-10-25T16:07:23.619566Z", "updated_at": "2026-04-10T02:00:04.690061Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "APT-C-11", "ATK 32", "G0046", "Gold Niagara", "GrayAlpha", "ITG14", "TAG-CR1" ], "source_name": "ETDA:FIN7", "tools": [ "7Logger", "Agentemis", "Anubis Backdoor", "Anunak", "Astra", "BIOLOAD", "BIRDWATCH", "Bateleur", "Boostwrite", "CROWVIEW", "Carbanak", "Cobalt Strike", "CobaltStrike", "DICELOADER", "DNSMessenger", "FOWLGAZE", "HALFBAKED", "JSSLoader", "KillACK", "LOADOUT", "Lizar", "Meterpreter", "Mimikatz", "NetSupport", "NetSupport Manager", "NetSupport Manager RAT", "NetSupport RAT", "NetSupportManager RAT", "POWERPLANT", "POWERSOURCE", "RDFSNIFFER", "Ragnar Loader", "SQLRAT", "Sardonic", "Sekur", "Sekur RAT", "TEXTMATE", "Tirion", "VB Flash", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "236a8303-bf12-4787-b6d0-549b44271a19", "created_at": "2024-06-04T02:03:07.966137Z", "updated_at": "2026-04-10T02:00:03.706923Z", "deleted_at": null, "main_name": "IRON TILDEN", "aliases": [ "ACTINIUM ", "Aqua Blizzard ", "Armageddon", "Blue Otso ", "BlueAlpha ", "Dancing Salome ", "Gamaredon", "Gamaredon Group", "Hive0051 ", "Primitive Bear ", "Shuckworm ", "Trident Ursa ", "UAC-0010 ", "UNC530 ", "WinterFlounder " ], "source_name": "Secureworks:IRON TILDEN", "tools": [ "Pterodo" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434166, "ts_updated_at": 1775792224, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/98deb617978df37908b1ed1a79baa0e3610c360a.pdf", "text": "https://archive.orkl.eu/98deb617978df37908b1ed1a79baa0e3610c360a.txt", "img": "https://archive.orkl.eu/98deb617978df37908b1ed1a79baa0e3610c360a.jpg" } }