{
	"id": "2fd53938-a95b-4b5b-a5a9-cee9aeb7bd5a",
	"created_at": "2026-04-06T00:08:37.961695Z",
	"updated_at": "2026-04-10T13:12:12.311266Z",
	"deleted_at": null,
	"sha1_hash": "9a7673f139106112ee7f8b7995ca1ac60c53287e",
	"title": "GitHub - MDudek-ICS/TRISIS-TRITON-HATMAN: Repository containing original and decompiled files of TRISIS/TRITON/HATMAN malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67108,
	"plain_text": "GitHub - MDudek-ICS/TRISIS-TRITON-HATMAN: Repository containing original and decompiled files of TRISIS/TRITON/HATMAN malware\r\nBy MDudek-ICS\r\nArchived: 2026-04-05 19:04:08 UTC\r\nTRISIS / TRITON / HatMan Malware Repository\r\nDescription\r\nThis repository contains original samples and decompiled sources of malware attacking Triconex Safety Instrumented System (SIS) controllers, which are commonly used in Industrial Control Systems (ICS). For more information scroll to \"Learn More\".\r\nEach organization describing this malware in its reports used a different name (TRISIS/TRITON/HatMan). For that reason, there is no single common name for it.\r\nFolder original_samples contains original files used by the malware that could be found in the wild:\r\nName MD5 Contains MD5\r\ntrilog.7z 0b4e76e84fa4d6a9716d89107626da9b trilog.exe 6c39c3f4a08d3d78f2eb973a94bd7718\r\nlibrary.7z 76f84d3aee53b2856575c9f55a9487e7 library.zip 0face841f7b2953e7c29c064d6886523\r\nimain.7z d173e8016e73f0f2c17b5217a31153be imain.bin 437f135ba179959a580412e564d3107f\r\ninject.7z 80fdda5ea7eec98bfdd07fec8f644c2d inject.bin 0544d425c7555dc4e9d76b571f31f500\r\nall.7z c382f242f62a3c5f4aab2093f6e0fb2f All files above -\r\nAll archives are secured with the password: infected\r\nFolder decompiled_code contains decompiled Python files, originating from the trilog.exe file and the library.zip archive described above:\r\nOrigin Result Method\r\ntrilog.exe script_test.py unpy2exe + uncompyle6\r\nlibrary.zip Files in folder library uncompyle6\r\nhttps://github.com/ICSrepo/TRISIS-TRITON-HATMAN\r\nPage 1 of 3\r\nFolder yara_rules contains YARA rules (that I am aware of) detecting this malware:\r\nFile Author\r\nmandiant.yara @itsreallynick (Mandiant)\r\nics-cert.yara DHS/NCCIC/ICS-CERT\r\nics-cert-v2.yara DHS/NCCIC/ICS-CERT (from the Update B report)\r\nFolder symbolic_execution contains a script for running imain.bin with the ANGR symbolic execution engine – credits to @bl4ckic3\r\nWhy Publishing? Isn't it dangerous?\r\nSome people in the community were raising the issue that publishing the samples and decompiled sources might be dangerous. I agreed as long as these were not public. I have found the included files in at least two publicly available sources, which means anyone can download them if they know where to search. What is more, I believe that organizations/people who would be able to reuse it and have the capability to deploy it in a real attack have already accessed it a long time ago. This repository makes it more accessible for the community and academia who might work on improving defense solutions, and saves some time looking for decompilers.\r\nLearn more\r\nTechnical Analysis:\r\nReport by Dragos\r\nReport by Mandiant (FireEye)\r\nReport by ICS-CERT (NCCIC)\r\nReport by ICS-CERT (NCCIC) Update A\r\nReport by ICS-CERT (NCCIC) Update B\r\nWebinar by Dragos (video)\r\nAnalysis by Craftsman Safety Lab (in Chinese)\r\nAnalysis by Midnight Blue\r\nSchneider Electric analysis on S4x18 (video)\r\nMandiant analysis on S4x18 (video)\r\nDragos analysis on S4x18 (video)\r\nAccenture analysis\r\nFireEye analysis of similarities between Triton code and TriStation dlls\r\nDragos presentation from Recon\r\nMarina Krotofil and Jos Wetzels presentation from Defcon\r\n\u003c- Marina's response regarding plagiarism claims and a nice Triton publications timeline\r\nXenotime TTP by Dragos\r\nTriton actor TTP by FireEye\r\nTriton incident response story on S4x19 (video)\r\nAttribution\r\nDescription of the group behind it - \"Xenotime\"\r\nTriton attribution by FireEye\r\nNews Publications:\r\nAssumption that Aramco was a target\r\nDescription of the analysis and information sharing process\r\nHow it was leaked to the Internet\r\nOthers:\r\nAcademic POC attack on Tricon (published a year ahead)\r\nDefense recommendations\r\nFiles compilation times\r\nABB security notification\r\nDetection:\r\nTricotools - A collection of utilities and tools related to the Triconex: TriStation Wireshark dissector and Triconex Honeypot\r\nTristation LUA dissector\r\nTriton SNORT rules by BSI\r\nAny updates to the repository are warmly welcome\r\nContact:\r\n@dudekmar\r\ncontact(at)marcindudek.com\r\nSource: https://github.com/ICSrepo/TRISIS-TRITON-HATMAN",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/ICSrepo/TRISIS-TRITON-HATMAN"
	],
	"report_names": [
		"TRISIS-TRITON-HATMAN"
	],
	"threat_actors": [
		{
			"id": "5fb9f77b-1273-4658-884e-49f5f511dcd7",
			"created_at": "2022-10-25T15:50:23.591795Z",
			"updated_at": "2026-04-10T02:00:05.383475Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"TEMP.Veles",
				"XENOTIME"
			],
			"source_name": "MITRE:TEMP.Veles",
			"tools": [
				"Mimikatz",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0f09b73e-caa9-40e6-bd0b-c13503e4e94c",
			"created_at": "2023-01-06T13:46:39.001286Z",
			"updated_at": "2026-04-10T02:00:03.1772Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"Xenotime",
				"G0088",
				"ATK91"
			],
			"source_name": "MISPGALAXY:TEMP.Veles",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20012494-3f05-48ce-8c0f-92455e46a4f9",
			"created_at": "2022-10-25T16:07:24.319939Z",
			"updated_at": "2026-04-10T02:00:04.934107Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"ATK 91",
				"G0088",
				"Xenotime"
			],
			"source_name": "ETDA:TEMP.Veles",
			"tools": [
				"Cryptcat",
				"HatMan",
				"Mimikatz",
				"NetExec",
				"PsExec",
				"SecHack",
				"TRISIS",
				"TRITON",
				"Trisis",
				"Triton",
				"Wii"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434117,
	"ts_updated_at": 1775826732,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9a7673f139106112ee7f8b7995ca1ac60c53287e.pdf",
		"text": "https://archive.orkl.eu/9a7673f139106112ee7f8b7995ca1ac60c53287e.txt",
		"img": "https://archive.orkl.eu/9a7673f139106112ee7f8b7995ca1ac60c53287e.jpg"
	}
}