{ "id": "2e1cfb35-6dc2-42b3-955e-6834d7e4a512", "created_at": "2026-04-06T00:14:05.32047Z", "updated_at": "2026-04-10T03:35:56.63602Z", "deleted_at": null, "sha1_hash": "999a58f4885de2a605df5b78e3fa379d7df02a88", "title": "Nanocore RAT (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 202149, "plain_text": "Nanocore RAT (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 14:41:42 UTC\r\nNanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It as been used for a while by\r\nnumerous criminal actors as well as by nation state threat actors.\r\n2025-02-27 ⋅ Medium b.magnezi ⋅\r\nNanoCore Malware Analysis\r\nNanocore RAT 2024-09-03 ⋅ Twitter (@embee_research) ⋅ Embee_research\r\nAdvanced Cyberchef Techniques - Defeating Nanocore Obfuscation With Math and Flow Control\r\nNanocore RAT 2024-05-14 ⋅ Check Point Research ⋅ Antonis Terefos, Tera0017\r\nFoxit PDF “Flawed Design” Exploitation\r\nRafel RAT Agent Tesla AsyncRAT DCRat DONOT Nanocore RAT NjRAT Pony Remcos Venom RAT XWorm\r\n2023-10-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q3 2023\r\nFluBot AsyncRAT Ave Maria Cobalt Strike DCRat Havoc IcedID ISFB Nanocore RAT NjRAT QakBot Quasar\r\nRAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Stealc Tofsee Vidar 2023-10-12 ⋅ Cluster25 ⋅\r\nCluster25 Threat Intel Team\r\nCVE-2023-38831 Exploited by Pro-Russia Hacking Groups in RU-UA Conflict Zone for Credential Harvesting\r\nOperations\r\nAgent Tesla Crimson RAT Nanocore RAT SmokeLoader 2023-09-21 ⋅ Medium shaddy43 ⋅ Shayan Ahmed Khan\r\nSecrets of commercial RATs! NanoCore dissected\r\nNanocore RAT 2023-04-10 ⋅ Check Point ⋅ Check Point\r\nMarch 2023’s Most Wanted Malware: New Emotet Campaign Bypasses Microsoft Blocks to Distribute Malicious\r\nOneNote Files\r\nAgent Tesla CloudEyE Emotet Formbook Nanocore RAT NjRAT QakBot Remcos Tofsee 2023-02-03 ⋅ Cloudsek ⋅\r\nDeepanjli Paulraj, Pavan Karthick M\r\nThreat Actors Abuse AI-Generated Youtube Videos to Spread Stealer Malware\r\nAlfonso Stealer Bandit Stealer Cameleon Fabookie Lumma Stealer Nanocore RAT Panda Stealer RecordBreaker\r\nRedLine Stealer Stealc STOP Vidar zgRAT 2023-01-09 ⋅ YouTube (Embee Research) ⋅ Embee_research\r\nMalware Analysis - VBS Decoding With Cyberchef (Nanocore Loader)\r\nNanocore RAT 2022-10-13 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q3 2022\r\nFluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password\r\nStealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars\r\nTofsee Vjw0rm 2022-08-30 ⋅ Medium the_abjuri5t ⋅ John F\r\nNanoCore RAT Hunting Guide\r\nNanocore RAT 2022-08-17 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam\r\nDarkTortilla Malware Analysis\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore\r\nPage 1 of 5\n\nAgent Tesla AsyncRAT Cobalt Strike DarkTortilla Nanocore RAT RedLine Stealer 2022-08-17 ⋅ ⋅ 360 ⋅ 360 Threat\r\nIntelligence Center\r\nKasablanka organizes attacks against political groups and non-profit organizations in the Middle East\r\nSpyNote Loda Nanocore RAT NjRAT 2022-05-19 ⋅ Blackberry ⋅ The BlackBerry Research \u0026 Intelligence Team\r\n.NET Stubs: Sowing the Seeds of Discord (PureCrypter)\r\nAberebot AbstractEmu AdoBot 404 Keylogger Agent Tesla Amadey AsyncRAT Ave Maria BitRAT BluStealer\r\nFormbook LimeRAT Loki Password Stealer (PWS) Nanocore RAT Orcus RAT Quasar RAT Raccoon RedLine\r\nStealer WhisperGate 2022-05-12 ⋅ Morphisec ⋅ Hido Cohen\r\nNew SYK Crypter Distributed Via Discord\r\nAsyncRAT Ave Maria Nanocore RAT NjRAT Quasar RAT RedLine Stealer 2022-04-26 ⋅ Trend Micro ⋅ Lord Alfred\r\nRemorin, Ryan Flores, Stephen Hilt\r\nHow Cybercriminals Abuse Cloud Tunneling Services\r\nAsyncRAT Cobalt Strike DarkComet Meterpreter Nanocore RAT 2022-04-15 ⋅ Center for Internet Security ⋅ CIS\r\nTop 10 Malware March 2022\r\nMirai Shlayer Agent Tesla Ghost RAT Nanocore RAT SectopRAT solarmarker Zeus 2022-03-27 ⋅ Medium M3H51N ⋅\r\nM3H51N\r\nMalware Analysis — NanoCore Rat\r\nNanocore RAT 2022-03-01 ⋅ VirusTotal ⋅ VirusTotal\r\nVirusTotal's 2021 Malware Trends Report\r\nAnubis AsyncRAT BlackMatter Cobalt Strike DanaBot Dridex Khonsari MimiKatz Mirai Nanocore RAT Orcus\r\nRAT 2022-02-08 ⋅ Intel 471 ⋅ Intel 471\r\nPrivateLoader: The first step in many malware schemes\r\nDridex Kronos LockBit Nanocore RAT NjRAT PrivateLoader Quasar RAT RedLine Stealer Remcos\r\nSmokeLoader STOP Tofsee TrickBot Vidar 2022-02-07 ⋅ RiskIQ ⋅ RiskIQ\r\nRiskIQ: Malicious Infrastructure Connected to Particular Windows Host Certificates\r\nAsyncRAT BitRAT Nanocore RAT 2022-01-12 ⋅ Cisco ⋅ Chetan Raghuprasad, Vanja Svajcer\r\nNanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure\r\nAsyncRAT Nanocore RAT NetWire RC 2021-12-13 ⋅ RiskIQ ⋅ Jordan Herman\r\nRiskIQ: Connections between Nanocore, Netwire, and AsyncRAT and Vjw0rm dynamic DNS C2 infrastructure\r\nAsyncRAT Nanocore RAT NetWire RC Vjw0rm 2021-11-29 ⋅ Trend Micro ⋅ Jaromír Hořejší\r\nCampaign Abusing Legitimate Remote Administrator Tools Uses Fake Cryptocurrency Websites\r\nAsyncRAT Azorult Nanocore RAT NjRAT RedLine Stealer Remcos 2021-10-27 ⋅ Proofpoint ⋅ Joe Wise, Selena Larson\r\nNew Threat Actor Spoofs Philippine Government, COVID-19 Health Data in Widespread RAT Campaigns\r\nNanocore RAT Remcos TA2722 2021-09-20 ⋅ Trend Micro ⋅ Aliakbar Zahravi, William Gamazo Sanchez\r\nWater Basilisk Uses New HCrypt Variant to Flood Victims with RAT Payloads\r\nAve Maria BitRAT LimeRAT Nanocore RAT NjRAT Quasar RAT 2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel\r\nThe State of SSL/TLS Certificate Usage in Malware C\u0026C Communications\r\nAdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex\r\nFindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT\r\nRockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader 2021-07-12 ⋅ Cipher Tech\r\nSolutions ⋅ Claire Zaboeva, Dan Dash, Melissa Frydrych\r\nRoboSki and Global Recovery: Automation to Combat Evolving Obfuscation\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore\r\nPage 2 of 5\n\n404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password\r\nStealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos 2021-07-12 ⋅ IBM ⋅ Claire\r\nZaboeva, Dan Dash, Melissa Frydrych\r\nRoboSki and Global Recovery: Automation to Combat Evolving Obfuscation\r\n404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki Password\r\nStealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos 2021-05-05 ⋅ Zscaler ⋅\r\nAniruddha Dolas, Manohar Ghule, Mohd Sadique\r\nCatching RATs Over Custom Protocols Analysis of top non-HTTP/S threats\r\nAgent Tesla AsyncRAT Crimson RAT CyberGate Ghost RAT Nanocore RAT NetWire RC NjRAT Quasar RAT\r\nRemcos 2021-04-21 ⋅ Talos ⋅ Vanja Svajcer\r\nA year of Fajan evolution and Bloomberg themed campaigns\r\nMASS Logger Nanocore RAT NetWire RC Revenge RAT XpertRAT 2021-03-11 ⋅ Trustwave ⋅ Diana Lopera\r\nImage File Trickery Part II: Fake Icon Delivers NanoCore\r\nNanocore RAT 2021-02-25 ⋅ Intezer ⋅ Intezer\r\nYear of the Gopher A 2020 Go Malware Round-Up\r\nNiuB WellMail elf.wellmess ArdaMax AsyncRAT CyberGate DarkComet Glupteba Nanocore RAT Nefilim\r\nNjRAT Quasar RAT WellMess Zebrocy 2020-12-21 ⋅ Cisco Talos ⋅ JON MUNSHAW\r\n2020: The year in malware\r\nWolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT\r\nNanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader 2020-12-10 ⋅ US-CERT ⋅ FBI,\r\nMS-ISAC, US-CERT\r\nAlert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data\r\nPerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim\r\nREvil Ryuk Zeus 2020-11-18 ⋅ G Data ⋅ G-Data\r\nBusiness as usual: Criminal Activities in Times of a Global Pandemic\r\nAgent Tesla Nanocore RAT NetWire RC Remcos 2020-09-18 ⋅ Symantec ⋅ Threat Hunter Team\r\nElfin: Latest U.S. Indictments Appear to Target Iranian Espionage Group\r\nNanocore RAT 2020-09-17 ⋅ FBI ⋅ FBI\r\nFBI PIN Number 20200917-001: IRGC-Associated Cyber Operations Against US Company Networks\r\nMimiKatz Nanocore RAT 2020-09-10 ⋅ Medium mariohenkel ⋅ Mario Henkel\r\nDecrypting NanoCore config and dump all plugins\r\nNanocore RAT 2020-08-26 ⋅ Proofpoint ⋅ Proofpoint Threat Research Team\r\nThreat Actor Profile: TA2719 Uses Colorful Lures to Deliver RATs in Local Languages\r\nAsyncRAT Nanocore RAT TA2719 2020-07-30 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q2 2020\r\nAdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer\r\nLoki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos\r\nZloader 2020-06-07 ⋅ Zero2Automated Blog ⋅ 0verfl0w_\r\nDealing with Obfuscated Macros, Statically - NanoCore\r\nNanocore RAT 2020-05-26 ⋅ CrowdStrike ⋅ Guillermo Taibo\r\nWeaponized Disk Image Files: Analysis, Trends and Remediation\r\nNanocore RAT 2020-05-14 ⋅ 360 Total Security ⋅ kate\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore\r\nPage 3 of 5\n\nVendetta - new threat actor from Europe\r\nNanocore RAT Remcos 2020-04-15 ⋅ Zscaler ⋅ Sudeep Singh\r\nMultistage FreeDom loader used in Aggah Campaign to spread Nanocore and AZORult\r\nAzorult Nanocore RAT 2020-04-04 ⋅ MalwareInDepth ⋅ Myrtus 0x0\r\nNanocore \u0026 CypherIT\r\nNanocore RAT 2020-04-01 ⋅ Cisco ⋅ Andrea Kaiser, Shyam Sundar Ramaswami\r\nNavigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors\r\nAzorult CloudEyE Formbook KPOT Stealer Metamorfo Nanocore RAT NetWire RC TrickBot 2020-03-20 ⋅\r\nBitdefender ⋅ Liviu Arsene\r\n5 Times More Coronavirus-themed Malware Reports during March\r\nostap HawkEye Keylogger Koadic Loki Password Stealer (PWS) Nanocore RAT Remcos 2020-02-13 ⋅ Talos ⋅\r\nEdmund Brumaghin, Nick Biasini\r\nThreat actors attempt to capitalize on coronavirus outbreak\r\nEmotet Nanocore RAT Parallax RAT 2020-01-19 ⋅ 360 ⋅ kate\r\nBayWorld event, Cyber Attack Against Foreign Trade Industry\r\nAzorult Formbook Nanocore RAT Revenge RAT 2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nCOBALT TRINITY\r\nPOWERTON pupy Imminent Monitor RAT Koadic Nanocore RAT NetWire RC PoshC2 APT33 2019-09-26 ⋅\r\nProofpoint ⋅ Bryan Campbell, Jeremy Hedges, Proofpoint Threat Insight Team\r\nNew WhiteShadow downloader uses Microsoft SQL to retrieve malware\r\nWhiteShadow Agent Tesla Azorult Crimson RAT Formbook Nanocore RAT NetWire RC NjRAT Remcos 2019-09-\r\n19 ⋅ NSHC ⋅ ThreatRecon Team\r\nHagga of SectorH01 continues abusing Bitly, Blogger and Pastebin to deliver RevengeRAT and NanoCore\r\nNanocore RAT Revenge RAT 2019-08-25 ⋅ Github (threatland) ⋅ ThreatLand\r\nNanocor Sample\r\nNanocore RAT 2019-05-05 ⋅ GoggleHeadedHacker Blog ⋅ Jacob Pimental\r\nUnpacking NanoCore Sample Using AutoIT\r\nNanocore RAT 2019-03-27 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team\r\nElfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.\r\nDarkComet MimiKatz Nanocore RAT NetWire RC pupy Quasar RAT Remcos StoneDrill TURNEDUP APT33\r\n2019-03-27 ⋅ Symantec ⋅ Security Response Attack Investigation Team\r\nElfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.\r\nDarkComet Nanocore RAT pupy Quasar RAT Remcos TURNEDUP APT33 2018-08-02 ⋅ Palo Alto Networks Unit 42 ⋅\r\nDavid Fuertes, Josh Grunzweig, Kyle Wilhoit, Robert Falcone\r\nThe Gorgon Group: Slithering Between Nation State and Cybercrime\r\nLoki Password Stealer (PWS) Nanocore RAT NjRAT Quasar RAT Remcos Revenge RAT 2018-02-26 ⋅ Bleeping\r\nComputer ⋅ Catalin Cimpanu\r\nNanocore RAT Author Gets 33 Months in Prison\r\nNanocore RAT 2017-09-20 ⋅ FireEye ⋅ Jacqueline O’Leary, Josiah Kimble, Kelli Vanderlee, Nalani Fraser\r\nInsights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive\r\nMalware\r\nDROPSHOT Nanocore RAT NetWire RC SHAPESHIFT TURNEDUP APT33\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore\r\nPage 4 of 5\n\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore" ], "report_names": [ "win.nanocore" ], "threat_actors": [ { "id": "a63c994f-d7d6-4850-a881-730635798b90", "created_at": "2025-08-07T02:03:24.788883Z", "updated_at": "2026-04-10T02:00:03.785146Z", "deleted_at": null, "main_name": "COBALT TRINITY", "aliases": [ "APT33 ", "Elfin ", "HOLMIUM ", "MAGNALIUM ", "Peach Sandstorm ", "Refined Kitten ", "TA451 " ], "source_name": "Secureworks:COBALT TRINITY", "tools": [ "AutoCore", "Cadlotcorg", "Dello RAT", "FalseFont", "Imminent Monitor", "KDALogger", "Koadic", "NanoCore", "NetWire", "POWERTON", "PoshC2", "Poylog", "PupyRAT", "Schoolbag" ], "source_id": "Secureworks", "reports": null }, { "id": "40451441-a311-494f-8025-fdbad7a527d4", "created_at": "2024-02-06T02:00:04.114318Z", "updated_at": "2026-04-10T02:00:03.571851Z", "deleted_at": null, "main_name": "TA2719", "aliases": [], "source_name": "MISPGALAXY:TA2719", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "414d7c65-5872-4e56-8a7d-49a2aeef1632", "created_at": "2025-08-07T02:03:24.7983Z", "updated_at": "2026-04-10T02:00:03.76109Z", "deleted_at": null, "main_name": "COPPER FIELDSTONE", "aliases": [ "APT36 ", "Earth Karkaddan ", "Gorgon Group ", "Green Havildar ", "Mythic Leopard ", "Operation C-Major ", "Operation Transparent Tribe ", "Pasty Draco ", "ProjectM ", "Storm-0156 " ], "source_name": "Secureworks:COPPER FIELDSTONE", "tools": [ "CapraRAT", "Crimson RAT", "DarkComet", "ElizaRAT", "LuminosityLink", "ObliqueRAT", "Peppy", "njRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "67fbc7d7-ba8e-4258-b53c-9a5d755e1960", "created_at": "2022-10-25T16:07:24.077859Z", "updated_at": "2026-04-10T02:00:04.860725Z", "deleted_at": null, "main_name": "Promethium", "aliases": [ "APT-C-41", "G0056", "Magenta Dust", "Promethium", "StrongPity" ], "source_name": "ETDA:Promethium", "tools": [ "StrongPity", "StrongPity2", "StrongPity3", "Truvasys" ], "source_id": "ETDA", "reports": null }, { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "cbede712-4cc3-47c6-bf78-92fd9f1beac6", "created_at": "2022-10-25T15:50:23.777222Z", "updated_at": "2026-04-10T02:00:05.399303Z", "deleted_at": null, "main_name": "PROMETHIUM", "aliases": [ "PROMETHIUM", "StrongPity" ], "source_name": "MITRE:PROMETHIUM", "tools": [ "Truvasys", "StrongPity" ], "source_id": "MITRE", "reports": null }, { "id": "d4135989-e577-4133-bdae-a24243c832a4", "created_at": "2023-11-05T02:00:08.068657Z", "updated_at": "2026-04-10T02:00:03.396218Z", "deleted_at": null, "main_name": "Kasablanka", "aliases": [], "source_name": "MISPGALAXY:Kasablanka", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b0d34dd6-ee90-483b-bb6c-441332274160", "created_at": "2022-10-25T16:07:23.296754Z", "updated_at": "2026-04-10T02:00:04.526403Z", "deleted_at": null, "main_name": "Aggah", "aliases": [ "Operation Red Deer", "Operation Roma225" ], "source_name": "ETDA:Aggah", "tools": [ "AgenTesla", "Agent Tesla", "AgentTesla", "Aggah", "Atros2.CKPN", "Bladabindi", "Jorik", "Nancrat", "NanoCore", "NanoCore RAT", "Negasteal", "Origin Logger", "Revenge RAT", "RevengeRAT", "Revetrat", "Warzone", "Warzone RAT", "ZPAQ", "Zurten", "njRAT" ], "source_id": "ETDA", "reports": null }, { "id": "4660477f-333f-4a18-b49b-0b4d7c66d482", "created_at": "2023-01-06T13:46:38.511962Z", "updated_at": "2026-04-10T02:00:03.007466Z", "deleted_at": null, "main_name": "PROMETHIUM", "aliases": [ "StrongPity", "G0056" ], "source_name": "MISPGALAXY:PROMETHIUM", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "18278778-fa63-4a9a-8988-4d266b8c5c1a", "created_at": "2023-01-06T13:46:38.769816Z", "updated_at": "2026-04-10T02:00:03.094179Z", "deleted_at": null, "main_name": "The Gorgon Group", "aliases": [ "Gorgon Group", "Subaat", "ATK92", "G0078", "Pasty Gemini" ], "source_name": "MISPGALAXY:The Gorgon Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "97fdaf9f-cae1-4ccc-abe2-76e5cbc0febd", "created_at": "2022-10-25T15:50:23.296989Z", "updated_at": "2026-04-10T02:00:05.347085Z", "deleted_at": null, "main_name": "Gorgon Group", "aliases": [ "Gorgon Group" ], "source_name": "MITRE:Gorgon Group", "tools": [ "NanoCore", "QuasarRAT", "Remcos", "njRAT" ], "source_id": "MITRE", "reports": null }, { "id": "8259735e-8dd0-462f-80ff-c265fa839b76", "created_at": "2024-02-06T02:00:04.110337Z", "updated_at": "2026-04-10T02:00:03.57093Z", "deleted_at": null, "main_name": "TA2722", "aliases": [ "Balikbayan Foxes" ], "source_name": "MISPGALAXY:TA2722", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e5ff825b-0456-4013-b90a-971b93def74a", "created_at": "2022-10-25T15:50:23.824058Z", "updated_at": "2026-04-10T02:00:05.377261Z", "deleted_at": null, "main_name": "APT33", "aliases": [ "APT33", "HOLMIUM", "Elfin", "Peach Sandstorm" ], "source_name": "MITRE:APT33", "tools": [ "PowerSploit", "AutoIt backdoor", "PoshC2", "Mimikatz", "NanoCore", "DEADWOOD", "StoneDrill", "POWERTON", "LaZagne", "TURNEDUP", "NETWIRE", "Pupy", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "0dbd3195-22ca-47c4-a3f1-aa058b06a1d9", "created_at": "2022-10-25T16:07:24.269634Z", "updated_at": "2026-04-10T02:00:04.917125Z", "deleted_at": null, "main_name": "TA2722", "aliases": [ "Balikbayan Foxes" ], "source_name": "ETDA:TA2722", "tools": [ "Atros2.CKPN", "Nancrat", "NanoCore", "NanoCore RAT", "Remcos", "RemcosRAT", "Remvio", "Socmer", "Zurten" ], "source_id": "ETDA", "reports": null }, { "id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f", "created_at": "2023-01-06T13:46:38.367369Z", "updated_at": "2026-04-10T02:00:02.945356Z", "deleted_at": null, "main_name": "APT33", "aliases": [ "Elfin", "MAGNALLIUM", "HOLMIUM", "COBALT TRINITY", "G0064", "ATK35", "Peach Sandstorm", "TA451", "APT 33", "Refined Kitten" ], "source_name": "MISPGALAXY:APT33", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "28851008-77b4-47eb-abcd-1bb5b3f19fc2", "created_at": "2023-06-20T02:02:10.254614Z", "updated_at": "2026-04-10T02:00:03.365336Z", "deleted_at": null, "main_name": "Hagga", "aliases": [ "TH-157", "Aggah" ], "source_name": "MISPGALAXY:Hagga", "tools": [ "Agent Tesla" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "b938e2e3-3d1b-4b35-a031-ddf25b912557", "created_at": "2022-10-25T16:07:23.35582Z", "updated_at": "2026-04-10T02:00:04.55531Z", "deleted_at": null, "main_name": "APT 33", "aliases": [ "APT 33", "ATK 35", "Cobalt Trinity", "Curious Serpens", "Elfin", "G0064", "Holmium", "Magnallium", "Peach Sandstorm", "Refined Kitten", "TA451", "Yellow Orc" ], "source_name": "ETDA:APT 33", "tools": [ "Atros2.CKPN", "AutoIt backdoor", "Breut", "CinaRAT", "DROPSHOT", "DarkComet", "DarkKomet", "DistTrack", "EmPyre", "EmpireProject", "FYNLOS", "FalseFont", "Filerase", "Fynloski", "JuicyPotato", "Krademok", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "Mimikatz", "Nancrat", "NanoCore", "NanoCore RAT", "NetWeird", "NetWire", "NetWire RAT", "NetWire RC", "NetWired RC", "Notestuk", "POWERTON", "PoshC2", "PowerBand", "PowerShell Empire", "PowerSploit", "PsList", "Pupy", "PupyRAT", "Quasar RAT", "QuasarRAT", "Recam", "Remcos", "RemcosRAT", "Remvio", "SHAPESHIFT", "Shamoon", "Socmer", "StoneDrill", "TURNEDUP", "Tickler", "Yggdrasil", "Zurten", "klovbot", "pupy" ], "source_id": "ETDA", "reports": null }, { "id": "3a0cfbbc-2acf-4cc8-afe1-1859679c522c", "created_at": "2022-10-25T16:07:24.373716Z", "updated_at": "2026-04-10T02:00:04.963615Z", "deleted_at": null, "main_name": "Vendetta", "aliases": [ "TA2719" ], "source_name": "ETDA:Vendetta", "tools": [ "AsyncRAT", "Atros2.CKPN", "Nancrat", "NanoCore", "NanoCore RAT", "ReZer0", "Remcos", "RemcosRAT", "Remvio", "RoboSki", "Socmer", "Zurten" ], "source_id": "ETDA", "reports": null }, { "id": "6c4e4b91-1f98-49e2-90e6-435cea8d3d53", "created_at": "2022-10-25T16:07:23.693797Z", "updated_at": "2026-04-10T02:00:04.711987Z", "deleted_at": null, "main_name": "Gorgon Group", "aliases": [ "ATK 92", "G0078", "Pasty Draco", "Subaat", "TAG-CR5" ], "source_name": "ETDA:Gorgon Group", "tools": [ "AgenTesla", "Agent Tesla", "AgentTesla", "Atros2.CKPN", "Bladabindi", "CinaRAT", "Crimson RAT", "ForeIT", "Jorik", "LOLBAS", "LOLBins", "Living off the Land", "Loki", "Loki.Rat", "LokiBot", "LokiPWS", "MSIL", "MSIL/Crimson", "Nancrat", "NanoCore", "NanoCore RAT", "Negasteal", "NetWeird", "NetWire", "NetWire RAT", "NetWire RC", "NetWired RC", "Origin Logger", "Quasar RAT", "QuasarRAT", "Recam", "Remcos", "RemcosRAT", "Remvio", "Revenge RAT", "RevengeRAT", "Revetrat", "SEEDOOR", "Scarimson", "Socmer", "Yggdrasil", "ZPAQ", "Zurten", "njRAT" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434445, "ts_updated_at": 1775792156, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/999a58f4885de2a605df5b78e3fa379d7df02a88.pdf", "text": "https://archive.orkl.eu/999a58f4885de2a605df5b78e3fa379d7df02a88.txt", "img": "https://archive.orkl.eu/999a58f4885de2a605df5b78e3fa379d7df02a88.jpg" } }