{
	"id": "2ddc0184-fa5c-43d9-971f-2063eed1f473",
	"created_at": "2026-04-29T02:21:57.759155Z",
	"updated_at": "2026-04-29T08:21:38.260994Z",
	"deleted_at": null,
	"sha1_hash": "991774ab6b6476c1d435912a17d1630bf5ffdb31",
	"title": "Latest Cyber Threat Intelligence \u0026 Security Insights",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 291453,
	"plain_text": "Latest Cyber Threat Intelligence \u0026 Security Insights\r\nArchived: 2026-04-29 02:06:22 UTC\r\nThe geopolitical landscape of 2026 has been fundamentally reshaped by the convergence of kinetic military\r\noperations and systemic digital suppression, a phenomenon most acutely visible in the ongoing tensions between\r\nthe Islamic Republic of Iran, Israel, and the United States. In the wake of Operation Epic Fury—the coordinated\r\nU.S.-Israeli airstrikes on Iranian infrastructure in early 2026—the global community has observed a peculiar\r\ndivergence in the prominence of cyber warfare. While the conflicts in Ukraine and the Gaza Strip have featured\r\nhighly visible, destructive, and persistent cyber campaigns that dominate international headlines, Iran’s cyber\r\nresponse has often appeared muted or recessed into a state of \"digital isolation\". This perceived lack of\r\nprominence is not a reflection of diminished capability—Iran remains a top-tier global cyber power—but is rather\r\nthe result of a deliberate strategic doctrine centered on the National Information Network (NIN) and the systemic\r\nuse of internet blackouts to insulate the regime from external digital and psychological pressure.\r\nThe Mechanics of Digital Sovereignty: Iran’s National Information Network\r\nThe centerpiece of Iran’s defensive cyber strategy is the National Information Network (NIN), a multi-layered\r\ndomestic infrastructure designed to achieve what the regime terms \"digital sovereignty\". Unlike standard internet\r\nfiltering, the NIN is a comprehensive re-engineering of the nation’s telecommunications gateways, allowing the\r\nstate to decouple domestic traffic from the global World Wide Web while maintaining the functionality of essential\r\ninternal services. 
During the heightened conflict of June 2025, often referred to as the \"Twelve-Day War,\" the\r\nIranian government enacted its most comprehensive internet disruption to date, shifting the entire country toward\r\na full reliance on the NIN. This transition is achieved through a sophisticated array of technical maneuvers,\r\nincluding DNS injection, BGP (Border Gateway Protocol) manipulation, and the nationwide suppression of\r\nspecific protocols.\r\nThe technical execution of these blackouts follows a regimented, three-stage implementation process designed to\r\nminimize the surface area for external cyberattacks and domestic dissent. In the initial phase, authorities utilize\r\nDeep Packet Inspection (DPI) to perform \"soft throttling,\" deliberately slowing connectivity to external platforms\r\nwhile monitoring traffic patterns for signs of coordinated opposition. As tensions escalate, the state moves to\r\nprotocol suppression, specifically targeting newer protocols such as HTTP/3 (which runs over QUIC on UDP/443 rather\r\nthan TCP) and IPv6. These protocols are blocked nationwide because their encryption and header structures make\r\nthem difficult for state sensors to parse: in a QUIC handshake the TLS ClientHello is not carried in the clear, so a\r\nsensor that only understands TCP-based TLS cannot read the server name indication (SNI) it would normally use for\r\nfiltering. By forcing clients to fall back to HTTP/1.1 or HTTP/2 over TCP, where the ClientHello and its SNI are\r\nplaintext, the regime ensures that all digital communication remains traceable and manageable within the borders of\r\nthe NIN.\r\nhttps://falconfeeds.io/blogs/the-digital-redoubt-irans-national-information-network-cyber-conflict\r\nPage 1 of 10\n\nThe resilience of the NIN is complicated by \"hardware decay\" and the regime's forced reliance on gray-market\r\nequipment. Due to international sanctions, Iranian network administrators frequently use second-hand or\r\nsmuggled hardware, which leads to an unstable architecture characterized by erratic speeds and frequent DNS\r\nresolution failures even when the network is technically operational. 
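To make the protocol-suppression stage above concrete: once QUIC is dropped and a client falls back to TLS over TCP, the very first bytes it sends are a ClientHello whose server_name extension is readable by anyone on the path. The Python below is an added example written for this page, not code from the FalconFeeds article or from any filtering system; it builds a minimal ClientHello (constructed, with an arbitrary hostname) and then extracts the SNI from it the way a DPI sensor would, without any keys.

```python
import secrets
import struct


def build_client_hello(server_name: str) -> bytes:
    # Constructed minimal TLS 1.2 ClientHello record carrying one server_name (SNI) extension
    # (RFC 5246 record/handshake layout, RFC 6066 extension). Structurally valid, not a capture.
    name = server_name.encode('ascii')
    sni_entry = struct.pack('!BH', 0, len(name)) + name             # name_type host_name(0), length, name
    sni_list = struct.pack('!H', len(sni_entry)) + sni_entry
    sni_ext = struct.pack('!HH', 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    extensions = struct.pack('!H', len(sni_ext)) + sni_ext
    body = (
        bytes.fromhex('0303')                           # client_version: TLS 1.2
        + secrets.token_bytes(32)                       # random
        + bytes([0])                                    # session_id: empty
        + struct.pack('!H', 2) + bytes.fromhex('c02f')  # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
        + bytes([1, 0])                                 # compression_methods: null only
        + extensions
    )
    handshake = bytes([1]) + len(body).to_bytes(3, 'big') + body   # HandshakeType client_hello(1)
    return bytes([0x16, 0x03, 0x01]) + struct.pack('!H', len(handshake)) + handshake


def extract_sni(record: bytes):
    # What an on-path sensor can read from the first TCP/443 segment without any keys:
    # walk the ClientHello and return the host_name from the server_name extension, else None.
    if len(record) < 5 or record[0] != 0x16:
        return None                                     # not a TLS handshake record
    rec_len = struct.unpack('!H', record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                     # not a ClientHello
    pos = 4 + 2 + 32                                    # handshake header, version, random
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                                  # session_id
    if pos + 2 > len(hs):
        return None
    pos += 2 + struct.unpack('!H', hs[pos:pos + 2])[0]  # cipher_suites
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                                  # compression_methods
    if pos + 2 > len(hs):
        return None                                     # no extensions block at all
    ext_total = struct.unpack('!H', hs[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_total, len(hs))
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack('!HH', hs[pos:pos + 4])
        pos += 4
        data = hs[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0x0000:
            continue
        q = 2                                           # skip ServerNameList length
        while q + 3 <= len(data):
            name_type = data[q]
            name_len = struct.unpack('!H', data[q + 1:q + 3])[0]
            q += 3
            if name_type == 0:
                return data[q:q + name_len].decode('ascii', 'replace')
            q += name_len
    return None


if __name__ == '__main__':
    print(extract_sni(build_client_hello('example.com')))
```

Running it prints example.com. The parse needs nothing beyond the public record layout, which is exactly why pushing traffic off QUIC matters to a censor, and why Encrypted Client Hello, where deployed, removes this signal again.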
The hardware fragility just described creates a paradox: while the\r\nNIN acts as a \"digital redoubt\" that protects the state from external cyber intrusions, it also degrades the regime's\r\nown ability to coordinate sophisticated offensive operations from within its borders. During the March 2026\r\nblackouts, nationwide connectivity dropped to between 1 and 4 percent of normal levels, a move intended to\r\ncontrol the internal flow of information but which simultaneously hindered the agility of state-aligned cyber units.\r\nComparative Prominence: The Doctrine of Asymmetric Obscurity\r\nA recurring theme in threat intelligence analysis is the comparison between Iran’s cyber activities and those\r\nobserved in the Russia-Ukraine and Israel-Palestine crises. The consensus among researchers is that while Russia\r\nand Ukraine engage in high-visibility \"total cyber war,\" Iran operates within a framework of \"asymmetric\r\nobscurity\". In Ukraine, cyber warfare is utilized as a precursor and supplement to kinetic invasion, with Russian\r\nunits like Sandworm targeting electric grids, satellite communications, and government databases to cause\r\nimmediate, observable chaos. Similarly, the conflict between Israel and Hamas features highly synchronized\r\ndigital-kinetic strikes, where cyber operations are used to disrupt real-time communications and sensors ahead of\r\nairstrikes.\r\nIn contrast, Iran’s cyber doctrine is shaped by its lack of symmetric conventional options. Because the Iranian\r\nregime cannot match the conventional military power of the United States or Israel, it utilizes cyber as a tool of\r\n\"managed escalation\" and plausible deniability. The perceived lack of prominence in Iranian cyber warfare is a\r\nbyproduct of three primary factors:\r\n1. Defensive Prioritization: Iran views the internet primarily as a vector for \"soft war\" (psychological operations)\r\naimed at regime change. 
Consequently, its first instinct during a crisis is to shut down the network rather than\r\nproject power through it.\r\n2. Devolved Proxy Ecosystem: To maintain operations during domestic blackouts, Iran relies on a dispersed\r\nnetwork of proxies and hacktivist personas who operate from outside the country. These actors provide a layer of\r\ninsulation, making their activities appear as grassroots activism rather than state-sponsored warfare.\r\n3. Strategic Timing: Unlike the constant barrage of Russian wiper malware in Ukraine, Iranian actors like\r\nMuddyWater or OilRig often prioritize long-term espionage and \"pre-positioning\" in critical infrastructure. Their\r\nattacks are timed for maximum psychological impact rather than tactical military gain, leading to long periods of\r\napparent inactivity followed by sudden, highly publicized leaks.\r\nThe \"Twelve-Day War\" of 2025 showcased this doctrine in practice. While Israel and pro-Israeli groups like\r\nPredatory Sparrow hit Iranian targets such as the Nobitex crypto exchange and Bank Sepah, Iran’s response\r\nfocused on large-scale DDoS attacks and disinformation campaigns designed to create mass anxiety and portray\r\nthe regime as a victim of Western aggression. This focus on psychological effects over kinetic-like destruction\r\nfurther contributes to the narrative that Iran’s cyber warfare is \"less prominent\" than the infrastructure-level\r\ndestruction seen in Eastern Europe.\r\nMapping the Iranian State-Sponsored Apparatus\r\nThe Iranian cyber ecosystem is a bureaucratized military and intelligence apparatus divided primarily between the\r\nMinistry of Intelligence and Security (MOIS) and the Islamic Revolutionary Guard Corps (IRGC). 
Each entity\r\nmanages a distinct cluster of Advanced Persistent Threat (APT) groups with specialized TTPs and targeting\r\nmandates.\r\nThe Ministry of Intelligence and Security (MOIS): The Espionage Experts\r\nThe MOIS operates under the civil executive branch and focuses primarily on long-term intelligence collection,\r\nregional surveillance, and the targeting of dissidents. Its most active and sophisticated clusters include\r\nMuddyWater and the \"Prince of Persia\" (Infy) group.\r\nMuddyWater (Static Kitten, MERCURY)\r\nMuddyWater is one of Iran’s most prolific actors, characterized by its agility and its ability to maintain operations\r\neven during national internet blackouts. In late 2025 and early 2026, the group was observed utilizing commercial\r\nsatellite internet (Starlink) to maintain Command-and-Control (C2) after the regime severed national fiber-optic\r\nconnectivity. This shift highlights a strategic maturation where MOIS units have decoupled their operational\r\ninfrastructure from the domestic telecom network.\r\nLatest TTPs (2025-2026):\r\nPhishing via Compromised Accounts: The group has moved away from generic lures to using\r\ncompromised legitimate mailboxes within target organizations to send internal spearphishing emails, a\r\ntechnique with a notably high success rate because the sender is a trusted internal address.\r\nInfrastructure Masking: MuddyWater leverages NordVPN exit nodes, specifically in France, to access\r\nand distribute phishing emails, thereby masking the origin of the attack.\r\nAbuse of Legitimate Remote Tools (often filed under living off the land): The group installs commercial RMM\r\n(Remote Monitoring and Management) agents such as ScreenConnect, Action1, and PDQ to maintain persistent access\r\nwithout deploying traditional malware. Because these agents are signed, widely used products, signature-based\r\ncontrols rarely fire; the practical check is an inventory of which RMM products are sanctioned and an alert on any\r\nother RMM agent installation or outbound RMM traffic, especially from hosts with no support role.\r\nPrince of Persia (Infy / Sarafraz)\r\nThe actor cluster known as \"Prince of Persia\" has been active for nearly two decades, specializing in 
high-value\r\nintelligence collection and monitoring dissidents. Recent research in 2025 revealed that the group’s activity is far\r\nmore expansive than previously thought, with multiple malware variants—Foudre and Tonnerre—operating in\r\nparallel.\r\nFoudre (First-Stage Reconnaissance): Version 34, identified in 2025, transitioned from macro-enabled\r\nfiles to Microsoft Excel documents with embedded executables. It drops a loader (Conf8830.dll) and uses a\r\nDLL disguised as an MP4 file as camouflage to deceive users.\r\nTonnerre (Second-Stage Exploitation): Version 50, detected in September 2025, utilizes the Telegram\r\nAPI for its C2 infrastructure. Because that traffic is ordinary HTTPS to Telegram's API servers, it blends with\r\nlegitimate messaging use and passes network monitoring based on domain reputation; the practical signal is which\r\nhosts and processes talk to Telegram at all. The use of a\r\nPersian username (@ehsan8999100) within the Telegram C2 group provided rare attribution clues back to\r\nthe Iranian operators.\r\nThe Islamic Revolutionary Guard Corps (IRGC): The Offensive Vanguard\r\nThe IRGC units are the most aggressive in the Iranian apparatus, focusing on critical infrastructure, military\r\ncapability assessment, and high-impact influence operations. The primary groups in this category are OilRig\r\n(APT34) and Charming Kitten (APT35).\r\nAPT34 (OilRig, Earth Simnavaz)\r\nOilRig is characterized by its disciplined, long-term approach to cyber espionage, focusing heavily on energy,\r\ntelecommunications, and government sectors in the Middle East. 
By 2025, the group had transitioned into a\r\n\"highly mature threat actor,\" moving away from simple malware to modular development and hybrid cloud-based\r\nintrusions.\r\nLatest IOAs and TTPs (2025):\r\nCloud Credential Abuse: OilRig has shifted its focus to the persistent use of compromised Microsoft 365 tenants\r\nand Azure accounts to maintain access within target networks.\r\nDNS Tunneling: The group continues to use encrypted HTTPS traffic and DNS tunneling to bypass\r\nperimeter security, allowing their C2 traffic to blend with normal network activity. In DNS tunneling, commands\r\nand exfiltrated data are encoded into the subdomain labels of queries for an attacker-controlled zone; because the\r\nqueries travel through the organization's own recursive resolver, they pass controls that only inspect web egress,\r\nand the signal is in resolver logs: an unusual volume of long, high-entropy, never-repeated subdomains under one\r\ndomain.\r\nModular Malware Arsenal: The group utilizes a suite of specialized tools, including Tonedeaf (HTTP-based backdoor), Helminth (PowerShell implant), and Karkoff (lightweight backdoor for command\r\nexecution).\r\nAPT35 (Charming Kitten, Phosphorus, Mint Sandstorm)\r\nA massive internal leak in late 2025 provided an unprecedented look at Charming Kitten's operations, revealing it\r\nto be a regimented, quota-driven unit within the IRGC Intelligence Organization. 
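Returning to the OilRig DNS-tunneling bullet above: tunnelled C2 stands out in resolver logs not by any single query but by volume and shape, many unique, long, high-entropy subdomains under one registered domain from one client. The Python below is an added example written for this page, not FalconFeeds or OilRig code; the log lines, the domain updates-telemetry.net, the client addresses and the thresholds are all constructed for illustration, and the registered-domain helper is a deliberate simplification (a production version would consult the Public Suffix List).

```python
import math
from collections import defaultdict

# Constructed resolver log excerpt: timestamp, client IP, record type, QNAME.
# The updates-telemetry.net names stand in for a tunnel; they are synthetic, not OilRig infrastructure.
SAMPLE_LOG = '''
2026-03-04T10:12:01Z 10.0.5.21 A www.example.com
2026-03-04T10:12:02Z 10.0.5.21 A mail.example.com
2026-03-04T10:12:03Z 10.0.5.21 AAAA cdn.example.com
2026-03-04T10:12:04Z 10.0.5.21 A api.example.com
2026-03-04T10:12:05Z 10.0.5.21 A login.example.com
2026-03-04T10:12:06Z 10.0.5.21 TXT q3z8k1m7v2b9x4n6c0p5w.s1.updates-telemetry.net
2026-03-04T10:12:07Z 10.0.5.21 TXT h7t2r9d4f1g6j3l8s5y0e.s1.updates-telemetry.net
2026-03-04T10:12:08Z 10.0.5.21 A a4u9i2o7n5b3k8e1r6w0z.s2.updates-telemetry.net
2026-03-04T10:12:09Z 10.0.5.21 TXT m1x6c3v8p5q0d2f7g9t4s.s2.updates-telemetry.net
2026-03-04T10:12:10Z 10.0.5.21 TXT y5n0h3k7l2j9b6w1r4e8u.s3.updates-telemetry.net
2026-03-04T10:12:11Z 10.0.5.21 A z9p4s1a6d8f2g5h0j3k7l.s3.updates-telemetry.net
2026-03-04T10:12:12Z 10.0.5.22 A www.example.com
2026-03-04T10:12:13Z 10.0.5.22 A d1a2b3c4d5e6f7.cloudfront.net
'''.strip().splitlines()


def shannon_entropy(text: str) -> float:
    # Bits per character; encoded payload labels sit near the alphabet maximum, words sit far below it.
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    # Simplification: last two labels. Production code should use the Public Suffix List
    # so that names under co.uk, com.au and similar suffixes group correctly.
    labels = qname.rstrip('.').split('.')
    return '.'.join(labels[-2:])


def score_dns_log(lines, min_queries=5, min_label_len=16, min_entropy=3.5):
    # Group queries per (client, registered domain) and flag groups whose leftmost labels look like
    # encoded payload: many distinct names, long labels, high entropy. Thresholds are illustrative.
    groups = defaultdict(lambda: {'qnames': set(), 'entropy': [], 'length': [], 'rtypes': defaultdict(int)})
    for line in lines:
        if not line.strip():
            continue
        _ts, client, rtype, qname = line.split()
        qname = qname.lower()
        leftmost = qname.split('.')[0]
        g = groups[(client, registered_domain(qname))]
        g['qnames'].add(qname)
        g['entropy'].append(shannon_entropy(leftmost))
        g['length'].append(len(leftmost))
        g['rtypes'][rtype.upper()] += 1   # TXT/NULL/CNAME-heavy mixes are typical of tunnelling tools
    findings = []
    for (client, domain), g in groups.items():
        n = len(g['entropy'])
        mean_entropy = sum(g['entropy']) / n
        mean_length = sum(g['length']) / n
        unique = len(g['qnames'])
        if unique >= min_queries and mean_length >= min_label_len and mean_entropy >= min_entropy:
            findings.append({
                'client': client,
                'domain': domain,
                'unique_qnames': unique,
                'mean_label_len': round(mean_length, 1),
                'mean_label_entropy': round(mean_entropy, 2),
                'record_types': dict(g['rtypes']),
            })
    return findings


if __name__ == '__main__':
    for finding in score_dns_log(SAMPLE_LOG):
        print(finding)
```

Expect the ordinary example.com lookups and the single long CloudFront-style hostname to pass and only the updates-telemetry.net cluster to be reported. Tune min_queries against a baseline of the organization's own resolver before alerting on it, because CDNs, DNS blocklist lookups and some endpoint agents legitimately generate long machine-made labels; the unique-name count is what separates those from a live tunnel.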
The APT35 leak documents show a\r\nbureaucratized intelligence apparatus with specialized teams for reconnaissance, exploitation, and influence.\r\nTechnical Findings from the 2025 Leak:\r\nCustom Frameworks: The group developed custom phishing frameworks (e.g., HERV) and specialized\r\nFirefox add-ons to steal and replay session cookies, allowing them to bypass MFA on services like Gmail. A\r\nreplayed cookie is a post-authentication artifact, so the second factor is never prompted; the controls that\r\nblunt the technique are device-bound session credentials, short session lifetimes and re-authentication for\r\nsensitive actions, plus alerting when an existing session is suddenly presented from a new network or browser.\r\nVulnerability Specialization: Charming Kitten operators utilize detailed playbooks for exploiting\r\nspecific CVEs, with a recent focus on ConnectWise ScreenConnect (CVE-2024-1709) and Ivanti\r\nConnect Secure (CVE-2024-21893).\r\nKPI-Driven Operations: The leak included \"Daily Operational Bookkeeping\" and \"MJD Campaign\r\nReports,\" showing that operators are ranked based on lures sent, credentials captured, and mailbox \"dwell\r\ntimes\".\r\nThe Handala Hack: Psychological Performance vs. Tactical Reality\r\nThe hacktivist persona known as \"Handala\" represents a new generation of ideologically motivated cyber actors\r\nthat function as a bridge between decentralized hacktivism and state-sponsored information warfare. Since its\r\nemergence in late 2023, Handala has focused almost exclusively on Israeli organizations and individuals, pairing\r\nits operations with overt pro-Iranian and pro-Palestinian messaging. However, technical analysis by firms like\r\nKELA and ESET reveals a significant gap between the group’s social media \"dramatics\" and its actual technical\r\neffectiveness.\r\nThe Strategy of Narrative Amplification\r\nHandala’s operations are designed for maximum visibility rather than stealth. 
Every defaced website or leaked\r\ndataset serves as a message rather than a covert intelligence operation, operating on the principle that \"Visibility =\r\nPower\".\r\nSymbolic Targeting: The group times its operations to coincide with global media narratives or symbolic\r\ndates (e.g., Nakba Day), ensuring that even minor attacks receive international coverage.\r\nInformation Exaggeration: A hallmark of Handala’s strategy is the use of coordinated posts, hashtags,\r\nand \"victory messages\" that frequently exaggerate the magnitude of their attacks. This tactic is designed to\r\nerode public trust in institutions and instill constant digital unrest.\r\nDebunking the Technical Claims: The Case of the \"iPhone Hacks\"\r\nThe most prominent example of Handala’s dramatic exaggeration occurred in late 2025, when the group claimed\r\nto have fully compromised the iPhones of senior Israeli officials, including former Prime Minister Naftali Bennett\r\nand Tzachi Braverman.\r\nThe Technical Reality: Investigative analysis revealed that the breach was restricted to Telegram account\r\naccess only, likely achieved through SIM swapping or the exploitation of SS7 signaling weaknesses to\r\nintercept one-time passwords (OTPs). Both techniques defeat SMS-delivered login codes specifically; Telegram's\r\noptional two-step verification password, which never travels over the phone network, is the control that addresses\r\nthis kind of account takeover.\r\nThe Data Mirage: While Handala claimed to have accessed thousands of conversations and intimate\r\nphotos, the leaked materials consisted mostly of empty contact cards automatically generated during\r\nTelegram synchronization. Only approximately 40 conversations contained actual messages, many of\r\nwhich were of limited intelligence value.\r\nExposed WordPress Administration: Despite their claims of high sophistication, Handala’s own operational\r\nsecurity was found to be lacking. 
Their primary leak site ran on WordPress and, at times, left administrative\r\nlogin pages exposed, revealing the user account \"vie6c\" as a primary operator.\r\nCorrelation with Iranian State Interests\r\nWhile Handala presents itself as an independent collective, multiple indicators point to deep ties with the Iranian\r\nMinistry of Intelligence and Security (MOIS).\r\nOverlapping Brands: Reporting associates Handala with several other Iranian-linked \"front\" brands, such\r\nas Banished Kitten, Karma Below, and Homeland Justice, all of which are used to leak data and amplify\r\npsychological impact.\r\nCoordinated Campaigns: In July 2025, Handala targeted five journalists from Iran International, a news outlet\r\nbased outside Iran and critical of the regime. The operation, which leaked government IDs and intimate content,\r\nwas further amplified by Iranian state news websites and AI chatbots, highlighting a coordinated \"hack-and-leak\"\r\necosystem.\r\nThe 2026 Shift: Geographic Expansion and OT Targeting\r\nAs the conflict between Israel and Iran transitioned into early 2026, the patterns of Iranian-aligned cyber activity\r\nunderwent a significant shift. No longer confined to the immediate Israel-Iran axis, operations expanded into the\r\nGulf states and their neighbours, and the focus shifted from symbolic web disruptions toward the targeting of\r\nOperational Technology (OT) and critical infrastructure.\r\nThe Expansion into the Gulf\r\nGroups like DieNet, Keymous, and APT IRAN began a systematic campaign against Gulf and neighbouring states\r\nperceived as politically aligned with Israel or the United States, specifically Jordan, Saudi Arabia, Bahrain, and\r\nKuwait.\r\nJordan as a Primary Target: In March 2026, APT IRAN claimed a month-long intrusion into Jordanian\r\ncritical infrastructure, allegedly manipulating power plant controls to reduce electricity output. 
DieNet\r\nexpanded this campaign to include the utility and civilian sectors, sharing imagery of accessed industrial\r\ncontrol interfaces.\r\nStrategic Escalation: Keymous declared daily targets across Kuwait and Saudi Arabia, claiming\r\ncompromises of ministries of Finance, Oil, and Education. These attacks are part of a broader \"multi-vector\r\nescalation\" designed to demonstrate that the regional allies of the U.S. and Israel are equally vulnerable to\r\nIranian cyber retaliation.\r\nThe Move Toward OT and Ransomware\r\nA concerning development in 2026 is the convergence of hacktivist personas and destructive capabilities. Groups\r\nthat previously focused on website defacements are now claiming access to PLC (Programmable Logic\r\nController) interfaces and energy monitoring dashboards.\r\nCyber Islamic Resistance: This group shared screenshots allegedly showing access to VeroPoint industrial\r\ncontrol systems, marking a significant escalation from previous campaigns.\r\nPolitical Ransomware: INC Ransomware and Tarnished Scorpius have listed Israeli entities on their\r\nleak sites, claiming \"political\" attacks where the goal is data destruction and reputational damage rather\r\nthan financial profit.\r\nConclusion: The New Frontier of Digital Redoubts\r\nThe landscape of Iranian cyber warfare in 2026 is defined by a strategic paradox: a nation that has achieved\r\nworld-class offensive capabilities while simultaneously embracing a doctrine of digital isolation. The National\r\nInformation Network has successfully transitioned from a domestic censorship tool to a \"digital redoubt\" that\r\nprovides the regime with a unique form of asymmetric protection during kinetic crises. 
While this strategy results\r\nin a perceived lack of \"prominence\" compared to the overt campaigns of Russia or Israel, it allows Iran to\r\nmaintain a persistent, low-intensity presence on the global digital battlefield through its network of proxies and\r\ndispersed MOIS/IRGC units.\r\nThe prominence of personas like Handala serves a vital function within this doctrine, providing the \"social media\r\ndramatics\" required to project power to a domestic and regional audience, even when the underlying technical\r\nsuccesses are limited. For international organizations and regional governments, the 2026 outlook is clear: the\r\nthreat from Iran is no longer just about espionage, but about the targeting of critical infrastructure across the Gulf\r\nand the sophisticated use of \"hack-and-leak\" operations to influence global narratives. As Iran continues to adapt\r\nits infrastructure—utilizing Starlink and cloud-based C2 to bypass its own domestic blackouts—the challenge for\r\nthe international community will be to distinguish between the noise of hacktivist dramatics and the silent,\r\nmodular persistence of a maturing cyber power.\r\nWorks cited\r\n1. How Will Cyber Warfare Shape the U.S.-Israel Conflict with Iran?, https://www.csis.org/analysis/how-will-cyber-warfare-shape-us-israel-conflict-iran\r\n2. Iran's Cyber Retaliation Clock Is Ticking: What CISOs Need to Know Right Now - Anomali,\r\nhttps://www.anomali.com/blog/the-cyber-front-of-operation-epic-fury-what-cisos-need-to-know-right-now\r\n3. The Cyber Wars That Weren't | Small Wars Journal by Arizona State University,\r\nhttps://smallwarsjournal.com/2026/01/07/the-cyber-wars-that-werent/\r\n4. Iran's internet shutdown signals a new stage of digital isolation | Chatham House,\r\nhttps://www.chathamhouse.org/2026/01/irans-internet-shutdown-signals-new-stage-digital-isolation\r\n5. 
The Iranian Cyber Threat | INSS, https://www.inss.org.il/publication/iranian-cyber/\r\n6. From .com to .gov: The internet's inevitable nationalist turn | Internet ...,\r\nhttps://policyreview.info/articles/analysis/internets-inevitable-nationalist-turn\r\n7. Understanding the Israel-Iran Cyber Conflict - University of Hawaiʻi–West Oʻahu,\r\nhttps://westoahu.hawaii.edu/cyber/global-weekly-exec-summary/understanding-the-israel-iran-cyber-conflict/\r\n8. Palo Alto Networks: Iran's internet blackout is reshaping the cyber battlefield | Ctech,\r\nhttps://www.calcalistech.com/ctechnews/article/byqgscef11l\r\n9. Seven Security Scenarios on Russian War in Ukraine for 2025 – 2026 - GLOBSEC,\r\nhttps://www.globsec.org/sites/default/files/2025-10/Seven%20Security%20Scenarios%20Ukraine%202025-2026%20WEB%20rv.pdf\r\n10. Air Superiority in the Twenty-First Century: Lessons from Iran and Ukraine - CSIS,\r\nhttps://www.csis.org/analysis/air-superiority-twenty-first-century-lessons-iran-and-ukraine\r\n11. OilRig: Iran's Persistent Espionage Arm In Cyberspace - Brandefense, https://brandefense.io/blog/oilrig-apt-2025/\r\n12. SentinelOne Intelligence Brief: Iranian Cyber Activity Outlook,\r\nhttps://www.sentinelone.com/blog/sentinelone-intelligence-brief-iranian-cyber-activity-outlook/\r\n13. OILRIG (APT34) Advanced Persistent Threat Analysis (PDF) - ResearchGate,\r\nhttps://www.researchgate.net/publication/388220746_OILRIG_APT34_Advanced_Persistent_Threat_Analysis\r\n14. Inside APT34 (OilRig): Tools, Techniques, and Global Cyber Threats - LevelBlue,\r\nhttps://www.levelblue.com/blogs/levelblue-blog/inside-apt34-oilrig-tools-techniques-and-global-cyber-threats\r\n15. Iran Cyber Threat Operations | NJCCIC - NJ.gov, https://www.cyber.nj.gov/threat-landscape/nation-state-threat-analysis-reports/iran-cyber-threat-operations\r\n16. 
Unmasking the Evolving Iranian Prince of Persia | SafeBreach, https://www.safebreach.com/blog/prince-of-persia-a-decade-of-an-iranian-nation-state-apt-campaign-activity/\r\n17. Unmasking MuddyWater's New Malware Toolkit Driving ... - Group-IB, https://www.group-ib.com/blog/muddywater-espionage/\r\n18. ESET APT Activity Report Q2 2025–Q3 2025 - WeLiveSecurity, https://www.welivesecurity.com/en/eset-research/eset-apt-activity-report-q2-2025-q3-2025/\r\n19. Critical Update: February 2026 Escalation - DSCI,\r\nhttps://www.dsci.in/files/content/advisory/2026/cyber_threat_advisory-middle_east_conflict.pdf\r\n20. Dark Web Profile: APT35 - SOCRadar, https://socradar.io/blog/apt-profile-who-is-phosphorus/\r\n21. Threat Intelligence Report: APT35 Internal Leak of Hacking Campaigns Against Lebanon, Kuwait, Turkey,\r\nSaudi Arabia, Korea, and Domestic Iranian Targets - DomainTools Investigations,\r\nhttps://dti.domaintools.com/research/threat-intelligence-report-apt35-internal-leak-of-hacking-campaigns-against-lebanon-kuwait-turkey-saudi-arabia-korea-and-domestic-iranian-targets\r\n22. Data breach: the operations of “Charming Kitten” revealed ..., https://www.gatewatcher.com/en/lab/data-breach-the-operations-of-charming-kitten-revealed/\r\n23. Handala: The Rise Of A Decentralized Pro-Palestinian Hacktivist ..., https://brandefense.io/blog/handala-apt-2025/\r\n24. Handala Leak Shows Telegram Account Risk, Not iPhone Hacks | eSecurity Planet,\r\nhttps://www.esecurityplanet.com/threats/handala-leak-shows-telegram-account-risk-not-iphone-hacks/\r\n25. Handala Hack: Telegram Breach of Israeli Officials - KELA Cyber Threat Intelligence,\r\nhttps://www.kelacyber.com/blog/handala-hack-telegram-breach-israeli-officials/\r\n26. 
Iran-linked hacker group doxes journalists and amplifies leaked information through AI chatbots - Global\r\nAffairs Canada, https://www.international.gc.ca/transparency-transparence/rapid-response-mechanism-mecanisme-reponse-rapide/iran-hack-piratage-iranien.aspx?lang=eng\r\n27. Cyber Reflections of the U.S. \u0026 Israel-Iran War - SOCRadar, https://socradar.io/blog/cyber-reflections-us-israel-iran-war/\r\nTeam FalconFeeds – Threat Research\r\nSource: https://falconfeeds.io/blogs/the-digital-redoubt-irans-national-information-network-cyber-conflict",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://falconfeeds.io/blogs/the-digital-redoubt-irans-national-information-network-cyber-conflict"
	],
	"report_names": [
		"the-digital-redoubt-irans-national-information-network-cyber-conflict"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-29T06:58:57.893292Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-29T06:58:57.892464Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-29T06:58:56.316107Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision",
				"COBALT MIRAGE",
				"Agent Serpens"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-29T06:58:57.745497Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450",
				"MuddyKrill"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"MuddyViper",
				"STARWHALE",
				"LP-Notes",
				"POWERSTATS",
				"Rclone",
				"Out1",
				"Tsundere Botnet",
				"PowerSploit",
				"Small Sieve",
				"Fooder",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-29T06:58:56.310338Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK51",
				"Boggy Serpens",
				"Earth Vetala",
				"Static Kitten",
				"COBALT ULSTER",
				"Mango Sandstorm",
				"TA450",
				"TEMP.Zagros",
				"Seedworm",
				"G0069"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-29T06:58:57.692044Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "72fea432-77a6-437a-b02d-693e99d81ef9",
			"created_at": "2024-02-17T02:00:03.861221Z",
			"updated_at": "2026-04-29T06:58:56.814776Z",
			"deleted_at": null,
			"main_name": "BANISHED KITTEN",
			"aliases": [
				"Storm-0842",
				"Red Sandstorm"
			],
			"source_name": "MISPGALAXY:BANISHED KITTEN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f763fd1f-f697-40eb-a082-df6fd3d13cb1",
			"created_at": "2023-01-06T13:46:38.561288Z",
			"updated_at": "2026-04-29T06:58:56.246729Z",
			"deleted_at": null,
			"main_name": "Infy",
			"aliases": [
				"Operation Mermaid",
				"Prince of Persia",
				"Foudre"
			],
			"source_name": "MISPGALAXY:Infy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4134675e-5b72-4b50-8d70-1a8f18aafbb4",
			"created_at": "2024-10-04T02:00:04.766263Z",
			"updated_at": "2026-04-29T06:58:56.933227Z",
			"deleted_at": null,
			"main_name": "Handala",
			"aliases": [],
			"source_name": "MISPGALAXY:Handala",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-29T06:58:56.187821Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Parastoo",
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-29T06:58:56.199012Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"Blue Echidna",
				"FROZENBARENTS",
				"UAC-0113",
				"UAC-0082",
				"Quedagh",
				"TEMP.Noble",
				"TeleBots",
				"IRIDIUM",
				"Seashell Blizzard",
				"APT44",
				"VOODOO BEAR",
				"IRON VIKING",
				"G0034",
				"ELECTRUM"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-29T06:58:57.738664Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8d28f58b-5ea2-4450-a74a-4a1e39caba6e",
			"created_at": "2026-03-16T02:02:50.582318Z",
			"updated_at": "2026-04-29T06:58:57.590966Z",
			"deleted_at": null,
			"main_name": "COASTLIGHT",
			"aliases": [
				"Gonjeshke Darande",
				"Indra",
				"Predatory Sparrow"
			],
			"source_name": "Secureworks:COASTLIGHT",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-29T06:58:57.506187Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-29T06:58:58.009074Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "704af71f-d1ed-4252-88a9-d23a17e4b7b4",
			"created_at": "2026-04-29T02:00:04.621965Z",
			"updated_at": "2026-04-29T06:58:57.779286Z",
			"deleted_at": null,
			"main_name": "VOID MANTICORE",
			"aliases": [
				"VOID MANTICORE",
				"COBALT MYSTIQUE",
				"Handala Hack",
				"Homeland Justice",
				"Karma",
				"Karmabelow80",
				"BANISHED KITTEN",
				"Red Sandstorm"
			],
			"source_name": "MITRE:VOID MANTICORE",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-29T06:58:58.147234Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-29T06:58:57.501827Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7f25e108-e694-49b6-a494-c8458b33eb3f",
			"created_at": "2024-01-09T02:00:04.199217Z",
			"updated_at": "2026-04-29T06:58:56.744414Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [],
			"source_name": "MISPGALAXY:HomeLand Justice",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-29T06:58:57.946937Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-29T06:58:57.484614Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3ebf51d-8f64-48a9-bbfb-674db872cccb",
			"created_at": "2025-08-07T02:03:24.769383Z",
			"updated_at": "2026-04-29T06:58:57.629299Z",
			"deleted_at": null,
			"main_name": "COBALT MYSTIQUE",
			"aliases": [
				"Banished Kitten ",
				"DEV-0842 ",
				"Druidfly ",
				"Handala Hack Team",
				"Homeland Justice",
				"Karmabelow80",
				"Red Sandstorm ",
				"Storm-0842 ",
				"Void Manticore "
			],
			"source_name": "Secureworks:COBALT MYSTIQUE",
			"tools": [
				"AllinOneNeo",
				"Bibi",
				"GramPy",
				"GramPyLoader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-29T06:58:57.538371Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-29T06:58:57.579232Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-29T06:58:56.229515Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Cobalt Gypsy",
				"Helix Kitten",
				"APT34",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Earth Simnavaz",
				"Twisted Kitten",
				"Crambus",
				"APT 34",
				"IRN2",
				"Evasive Serpens",
				"Hazel Sandstorm"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b0d51a1b-38b1-4cfb-bee0-cad7ad2b9651",
			"created_at": "2025-05-29T02:00:03.196955Z",
			"updated_at": "2026-04-29T06:58:57.023155Z",
			"deleted_at": null,
			"main_name": "DieNet",
			"aliases": [
				"Shiite_Harvest"
			],
			"source_name": "MISPGALAXY:DieNet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-29T06:58:57.99378Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "219ddb41-2ea8-4121-8b63-8c762f7e15df",
			"created_at": "2023-01-06T13:46:39.384442Z",
			"updated_at": "2026-04-29T06:58:56.536185Z",
			"deleted_at": null,
			"main_name": "Predatory Sparrow",
			"aliases": [
				"Gonjeshke Darande",
				"Indra"
			],
			"source_name": "MISPGALAXY:Predatory Sparrow",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "59c9f31b-e032-44b9-bf3b-4f2cb3d17e39",
			"created_at": "2022-10-25T16:07:23.734244Z",
			"updated_at": "2026-04-29T06:58:57.963058Z",
			"deleted_at": null,
			"main_name": "Infy",
			"aliases": [
				"APT-C-07",
				"Infy",
				"Operation Mermaid",
				"Prince of Persia"
			],
			"source_name": "ETDA:Infy",
			"tools": [
				"Foudre",
				"Infy",
				"Tonnerre"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "51e3a492-d98d-4eed-afdc-fa940010aa06",
			"created_at": "2026-03-24T02:00:04.638479Z",
			"updated_at": "2026-04-29T06:58:57.155405Z",
			"deleted_at": null,
			"main_name": "Cyber Islamic Resistance",
			"aliases": [],
			"source_name": "MISPGALAXY:Cyber Islamic Resistance",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9fe6924d-bce6-4b56-9717-fe611932baec",
			"created_at": "2026-03-24T02:00:04.642588Z",
			"updated_at": "2026-04-29T06:58:57.158595Z",
			"deleted_at": null,
			"main_name": "Keymous+",
			"aliases": [
				"keymous",
				"Keymous Plus"
			],
			"source_name": "MISPGALAXY:Keymous+",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-29T06:58:58.033485Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1777429317,
	"ts_updated_at": 1777450898,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/991774ab6b6476c1d435912a17d1630bf5ffdb31.pdf",
		"text": "https://archive.orkl.eu/991774ab6b6476c1d435912a17d1630bf5ffdb31.txt",
		"img": "https://archive.orkl.eu/991774ab6b6476c1d435912a17d1630bf5ffdb31.jpg"
	}
}