{
	"id": "aa4d9a5e-2eb9-4305-a82f-81ef7848b50e",
	"created_at": "2026-04-06T00:13:04.873371Z",
	"updated_at": "2026-04-10T13:12:42.244871Z",
	"deleted_at": null,
	"sha1_hash": "9c98623a90c425005261350fe0720b772871f5ac",
	"title": "Definitive Dossier of Devilish Debug Details — Part One: PDB Paths and Malware | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1666223,
	"plain_text": "Definitive Dossier of Devilish Debug Details — Part One: PDB Paths and\r\nMalware | Mandiant\r\nBy Mandiant\r\nPublished: 2019-08-29 · Archived: 2026-04-05 16:19:43 UTC\r\nHave you ever wondered what goes through the mind of a malware author? How they build their tools? How they organize\r\ntheir development projects? What kind of computers and software they use? We took a stab at answering some of those\r\nquestions by exploring malware debug information.\r\nWe find that malware developers give descriptive names to their folders and code projects, often describing the capabilities\r\nof the malware in development. These descriptive names thus show up in a PDB path when a malware project is compiled\r\nwith symbol debugging information. Everyone loves an origin story, and debugging information gives us insight into the\r\nmalware development environment, a small, but important keyhole into where and how a piece of malware was born. We\r\ncan use our newfound insight to detect malicious activity based in part on PDB paths and other debug details.\r\nWelcome to part one of a multi-part, tweet-inspired series about PDB paths, their relation to malware, and how they may be\r\nuseful in both defensive and offensive operations.\r\nHuman-Computer Conventions\r\nDigital storage systems have revolutionized our world, but in order to make use of our stored data and retrieve it in an\r\nefficient manner, we must organize it sensibly. Users structure directories carefully and give files and folders unique and\r\ndescriptive names. Often users name folders and files based on their content. Computers force users to label and annotate\r\ntheir data based on the data type, role, and purpose. 
This human-computer convention means that most digital content has\r\nsome descriptive surface area, or descriptive “features” that are present in many files, including malware files.\r\nFireEye approaches detection and hunting from many angles, but on FireEye’s Advanced Practices team, we often like to\r\nflex on “weak signals.” We like to search for features of malware that are not evil in isolation but uncommon or unique\r\nenough to be useful. We create conditional rules that when met are “weak signals” telling us that a subset of data, such as a\r\nfile object or a process, has some odd or novel features. These features are often incidental outcomes of adversary methods,\r\nor modus operandi, that each represent deliberate choices made by malware developers or intrusion operators. Not all these\r\nfeatures were meant to be in there, and they were certainly not intended for defenders to notice. This is especially true for\r\nPDB paths, which can be described as an outcome of the compilation process, a toolmark left in malware that describes the\r\ndevelopment environment.\r\nPDBs\r\nA program database (PDB) file, often referred to as a “symbol file,” is generated upon compilation to store debugging\r\ninformation about an individual build of a program. A PDB may store symbols, addresses, names of functions and resources\r\nand other information that may assist with debugging the program to find the exact source of an exception or error.\r\nMalware is software, and malware developers are software developers. Like any software developers, malware authors often\r\nhave to debug their code and sometimes end up creating PDBs as part of their development process. If they do not spend\r\ntime debugging their malware, they risk their malware not functioning correctly on victim hosts, or not being able to\r\nsuccessfully communicate with their malware remotely.\r\nHow PDB Paths are Made (the birds and the PDBs?)\r\nBut how are PDBs created and connected to programs? 
Let’s examine the formation of one PDB path through the eyes of a\r\nmalware developer and blogger, the soon-to-be-infamous “smiller.”\r\nSmiller has a lot of programming projects and organizes them in an aptly labeled folder structure on his computer. This\r\nproject is for a shellcode loader embedded in an HTML Application (HTA) file, and the developer stores it quite logically in\r\nthe folder:\r\nD:\\smiller\\projects\\super_evil_stuff\\shellcode\\\r\nhttps://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html\r\nPage 1 of 25\n\nFigure 1: The simple “Test” project code file “Program.cs” which embeds a piece of shellcode and a launcher executable\r\nwithin an HTML Application (HTA) file\r\nFigure 2: The malicious Visual Studio solution HtaDotnet and corresponding “Test” project folder as seen through Windows\r\nExplorer. The names of the folders and files are suggestive of their functionalities\r\nThe malware author then compiles their “Test” project in Visual Studio in the default “Debug” configuration (Figure 3), which\r\nwrites out Test.exe and Test.pdb to a subfolder (Figure 4).\r\nFigure 3: The Visual Studio output of a default compiling configuration\r\nFigure 4: Test.exe and Test.pdb are written to a default subfolder of the code project folder\r\nIn the Test.pdb file (Figure 5) there are references to the original path for the source code files along with other binary\r\ninformation for use in debugging.\r\nFigure 5: Test.pdb contains binary debug information and references to the original source code files for use in debugging\r\nDuring the compilation, the linker associates the PDB file with the built executable by adding an entry to the\r\nIMAGE_DEBUG_DIRECTORY specifying the type of the debug information. 
In this case, the debug type is CodeView and\r\nso the PDB path is embedded under the IMAGE_DEBUG_TYPE_CODEVIEW portion of the file. This enables a debugger to\r\nlocate the correct PDB file, Test.pdb, while debugging Test.exe.\r\nFigure 6: Test.exe as shown in the PEview utility, which easily parses out the PDB path from the\r\nIMAGE_DEBUG_TYPE_CODEVIEW section of the executable file\r\nPDB Path in CodeView Debug Information\r\nCodeView Structure\r\nThe exact format of the debug information may vary depending on compiler and linker and the modernity of one’s software\r\ndevelopment tools. CodeView debug information is stored under IMAGE_DEBUG_TYPE_CODEVIEW in the following\r\nstructure:\r\nType    Description\r\nDWORD   \"RSDS\" header (the PDB 7.0 CodeView signature)\r\nGUID    16-byte Globally Unique Identifier\r\nDWORD   \"age\" (incrementing # of revisions)\r\nBYTE[]  PDB path, null terminated\r\nFigure 7: Structure of CodeView debug directory information\r\nFull Versus Partial PDB Path\r\nThere are generally two buckets of CodeView PDB paths: those that are fully qualified directory paths and those that are\r\npartially qualified, specifying the name of the PDB file only. In both cases, the name of the PDB file with the .pdb\r\nextension is included to ensure the debugger locates the correct PDB for the program.\r\nA partially qualified PDB path would list only the PDB file name, such as:\r\nTest.pdb\r\nA fully qualified PDB path usually begins with a volume drive letter and a directory path to the PDB file name, such as:\r\nD:\\smiller\\projects\\super_evil_stuff\\shellcode\\Test\\obj\\Debug\\Test.pdb\r\nTypically, native Windows executables use a partially qualified PDB path because many of the debug PDB files are publicly\r\navailable on the Microsoft public symbol server, so the fully qualified path is unnecessary in the symbol path (the PDB\r\npath). 
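The structure above can be read straight out of a PE file rather than found by a string search. The Python below is an added example (not code from the original post and not a FireEye tool): it walks the MZ and PE headers to the debug data directory, follows each IMAGE_DEBUG_DIRECTORY entry of type CodeView to its RSDS record, parses the GUID, age and path, and labels the path full or partial. The PE it parses is constructed in memory with a made-up GUID; the section layout and the build_sample_pe helper are assumptions of the example, not anything from the post.

```python
"""Walk a PE file's IMAGE_DEBUG_DIRECTORY and pull out its CodeView (RSDS) record.

Added example, not code from the original post. Offsets follow the PE/COFF
specification; the sample PE is constructed in memory with a made-up GUID so
the script runs offline.
"""
import re
import struct
import uuid

IMAGE_DEBUG_TYPE_CODEVIEW = 2      # IMAGE_DEBUG_DIRECTORY.Type for CodeView data
IMAGE_DIRECTORY_ENTRY_DEBUG = 6    # index of the debug entry in the data directories
DEBUG_ENTRY_SIZE = 28              # sizeof(IMAGE_DEBUG_DIRECTORY)


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset through the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def parse_rsds(blob):
    """RSDS record: 'RSDS' | 16-byte GUID | DWORD age | NUL-terminated PDB path."""
    if blob[:4] != b"RSDS":
        raise ValueError("not a PDB 7.0 (RSDS) CodeView record")
    guid = uuid.UUID(bytes_le=bytes(blob[4:20]))  # GUID fields are little-endian
    (age,) = struct.unpack_from("<I", blob, 20)
    raw_path = blob[24:blob.index(b"\x00", 24)]   # empty when the path was nulled out
    return guid, age, raw_path


def is_fully_qualified(path):
    """Drive letter, UNC share or POSIX root; a bare 'Test.pdb' is partial."""
    return re.match(r"^([A-Za-z]:\\|\\\\|/)", path) is not None


def find_codeview_records(data):
    """One dict per CodeView entry reachable through the PE debug directory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (nsections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ data directory offset
    sections = []
    for i in range(nsections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG)
    records = []
    if dbg_rva == 0:  # no debug directory: any RSDS blob present belongs to a subfile
        return records
    dbg_off = _rva_to_offset(dbg_rva, sections)
    for n in range(dbg_size // DEBUG_ENTRY_SIZE):
        entry = dbg_off + DEBUG_ENTRY_SIZE * n
        dtype, size_of_data, _addr, ptr_raw = struct.unpack_from("<IIII", data, entry + 12)
        if dtype != IMAGE_DEBUG_TYPE_CODEVIEW:
            continue
        guid, age, raw_path = parse_rsds(data[ptr_raw:ptr_raw + size_of_data])
        path = raw_path.decode("utf-8", "backslashreplace")  # real samples may use an ANSI code page
        records.append({"guid": str(guid), "age": age, "path": path,
                        "fully_qualified": is_fully_qualified(path)})
    return records


def build_sample_pe(pdb_path):
    """Construct a minimal PE32 whose single section holds one CodeView entry.
    Sample input for this example only; it is not a loadable program."""
    rsds = (b"RSDS" + uuid.UUID("12345678-1234-5678-9abc-def012345678").bytes_le
            + struct.pack("<I", 1) + pdb_path + b"\x00")
    sec_rva, sec_raw = 0x1000, 0x200
    entry = struct.pack("<IIHHIIII", 0, 0, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW, len(rsds),
                        sec_rva + DEBUG_ENTRY_SIZE, sec_raw + DEBUG_ENTRY_SIZE)
    section = entry + rsds
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, one section, PE32
    data_dirs = [(0, 0)] * 16
    data_dirs[IMAGE_DIRECTORY_ENTRY_DEBUG] = (sec_rva, DEBUG_ENTRY_SIZE)
    opt = struct.pack("<H", 0x10B) + b"\x00" * 94 + b"".join(struct.pack("<II", *d) for d in data_dirs)
    sect_hdr = b".rdata\x00\x00" + struct.pack("<IIIIIIHHI", len(section), sec_rva, 0x200,
                                               sec_raw, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\x00\x00" + coff + opt + sect_hdr
    return headers.ljust(sec_raw, b"\x00") + section.ljust(0x200, b"\x00")


if __name__ == "__main__":
    for sample in (b"D:\\smiller\\projects\\super_evil_stuff\\shellcode\\Test\\obj\\Debug\\Test.pdb", b"Test.pdb"):
        print(find_codeview_records(build_sample_pe(sample)))
```

Run it against a real file with find_codeview_records(open(path, "rb").read()). Because it follows the debug directory instead of grepping for "RSDS", a result of zero records on a file that still contains an RSDS blob is itself a signal: the blob belongs to something embedded in the file.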
For the purposes of this research, we will be mostly looking at fully qualified PDB paths.\r\nSurveying PDB Paths in Malware\r\nIn Operation Shadowhammer, which has a myriad of connections to APT41, one sample had a simple, yet descriptive PDB\r\npath: “D:\\C++\\AsusShellCode\\Release\\AsusShellCode.pdb”\r\nThe naming makes perfect sense. The malware was intended to masquerade as Asus Corporation software, and the role of\r\nthe malware was shellcode. The malware developer named the project after the function and role of the malware itself.\r\nIf we accept that the nature of digital data forces developers into these naming conventions, we figured that these\r\nconventions would hold true across other threat actors, malware families, and intrusion operations. FireEye’s Advanced\r\nPractices team loves to take seemingly innocuous features of an intrusion set and determine what about these things is good,\r\nbad and ugly. What is normal, and what is abnormal? What is globally prevalent and what is rare? What are malware authors\r\ndoing that is different from what non-malware developers are doing? What assumptions can we make and measure?\r\nLetting our curiosity take the wheel, we adapted the CodeView debug information structure into a regular expression (Figure\r\n8) and developed Yara rules (Figure 9) to survey our data sets. 
This helped us identify commonalities and enabled us to see\r\nwhich threat actors and malware families may be “detectable” based only on features within PDB path strings.\r\nFigure 8: A Perl-compatible regular expression (PCRE) adaptation of the PDB7 debug information in an executable to\r\ninclude a specific keyword\r\nFigure 9: Template Yara rule to search for executables with PDB files matching a keyword\r\nPDB Path Showcase: Malware Naming Conventions\r\nWe surveyed 10+ million samples in our incident response and malware corpus, and we found plenty of common PDB path\r\nkeywords that seemed to transcend different sources, victims, affected regions, impacted industries, and actor motivations.\r\nTo help articulate the broad reach of malware developer commonalities, we detail a handful of the stronger keywords along\r\nwith example PDB paths, with represented malware families and threat groups where at least one sample has the applicable\r\nkeyword.\r\nPlease note that the example paths and represented malware families and groups are a selection from the total data set, and\r\nnot necessarily correlated, clustered or otherwise related to each other. This is intended to illustrate the wide presence of\r\nPDB paths with keywords and how malware developers, irrespective of origin, targets and motivations often end up using\r\nsome of the same words in their naming. 
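To make the survey concrete, here is an added Python adaptation of the Figure 8 and Figure 9 approach (example code, not the original post's rule or tooling). It scans raw bytes for every RSDS record the way the PCRE does, then reports keyword hits together with the signals covered later in this post: non-ASCII bytes, several records in one file, a nulled-out path, a Users directory and Visual Studio default project names. The keyword list is a subset of Figure 10, the sample blob is constructed inline with a zero GUID, and the scan_pdb_paths and summarize names are the example's own.

```python
"""Survey PDB paths with a regex, the way the post's ConventionEngine rules do.

Added example, not code from the original post. It scans any byte blob for
'RSDS' records (so it also sees PDB paths that are not reachable from a debug
directory), then reports the keyword hits and anomalies the post describes.
The keyword list is a subset of Figure 10; the sample blob is constructed
inline with an all-zero GUID.
"""
import re

KEYWORDS = ("anti", "attack", "backdoor", "bypass", "dropper", "exploit",
            "hook", "inject", "keylog", "payload", "shell", "trojan")

# 'RSDS' + 16-byte GUID + 4-byte age, then the path up to its NUL terminator.
# Unlike the post's PCRE, the path class excludes NUL, so a nulled-out record
# yields an empty path instead of swallowing whatever follows it.
RSDS_RE = re.compile(rb"RSDS[\x00-\xff]{20}(?P<path>[^\x00]{0,500})\x00")

# ConsoleApplication1, WindowsApplication2, WindowsFormsApplication1, ...
VS_DEFAULT_RE = re.compile(r"\\(console|windows(forms)?)application\d*\\")


def scan_pdb_paths(blob):
    """One report per RSDS record found anywhere in the blob."""
    reports = []
    for m in RSDS_RE.finditer(blob):
        raw = m.group("path")
        text = raw.decode("utf-8", "backslashreplace")  # real samples may use an ANSI code page
        lower = text.lower()
        reports.append({
            "offset": m.start(),
            "path": text,
            "nulled_out": len(raw) == 0,
            "non_ascii": any(b > 0x7F for b in raw),
            "fully_qualified": re.match(r"[A-Za-z]:\\", text) is not None,
            "keywords": [k for k in KEYWORDS if k in lower],
            "users_dir": "\\users\\" in lower,
            "vs_default_project": VS_DEFAULT_RE.search(lower) is not None,
        })
    return reports


def summarize(blob):
    """File-level verdicts in the spirit of the Yara conditions in the anomalies section."""
    reports = scan_pdb_paths(blob)
    return {
        "records": len(reports),
        "multi_path": len(reports) > 1,
        "any_non_ascii": any(r["non_ascii"] for r in reports),
        "any_nulled": any(r["nulled_out"] for r in reports),
        "keywords": sorted({k for r in reports for k in r["keywords"]}),
    }


def _rsds(path):
    """Build a CodeView record with a constructed all-zero GUID and age 1."""
    return b"RSDS" + b"\x00" * 16 + b"\x01\x00\x00\x00" + path + b"\x00"


# Constructed sample: a dropper-like blob carrying three RSDS records.
SAMPLE = (
    b"\x90" * 32
    + _rsds(b"D:\\Projects\\ByPassAV\\ConsoleApplication1\\Release\\ConsoleApplication1.pdb")
    + b"\x00" * 16
    + _rsds("I:\\RControl\\小工具\\123\\Release\\loader.pdb".encode("utf-8"))
    + _rsds(b"") + b"\x00" * 39   # path area nulled out, as in the hex dump later in the post
)

if __name__ == "__main__":
    for report in scan_pdb_paths(SAMPLE):
        print(report)
    print(summarize(SAMPLE))
```

Feed summarize() the bytes of any file; it does not require a valid PE header, which is what lets it see RSDS records inside embedded payloads. The "shell" keyword will also hit on paths such as PowerShell tooling, so treat each keyword as a weak signal to be combined, exactly as the post does.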
We believe that this commonality increases the surface area of malware and\r\nintroduces new opportunities for detection and hunting.\r\nPDB Path Keyword Prevalence (keyword; families and groups observed; example PDB path)\r\nanti\r\n  Families: RUNBACK, HANDSTAMP, LOKIBOT, NETWIRE, DARKMOON, PHOTO, RAWHIDE, DUCKFAT, HIGHNOON, DEEPOCEAN, SOGU, CANNONFODDER\r\n  Groups: APT10, APT24, APT41, UNC589, UNC824, UNC969, UNC765\r\n  Example: H:\\RbDoor\\Anti_winmm\\AppInit\\AppInit\\Release\\AppInit.pdb\r\nattack\r\n  Families: MINIASP, SANNY, DIRTCHEAP, ORCUSRAT\r\n  Groups: APT1, UNC776, UNC251, UNC1131\r\n  Example: E:\\C\\Attack\\mini_asp-0615\\attack\\MiniAsp3\\Release\\MiniAsp.pdb\r\nbackdoor\r\n  Families: PACMAN, SOUNDWAVE, PHOTO, WINERACK, DUALGUN\r\n  Groups: APT41, APT34, APT37, UNC52, UNC1131, APT40\r\n  Example: Y:\\Hack\\backdoor\\3-exe-attack\\temp\\UAC_Elevated\\win32\\UAC_Elevated.pdb\r\nbind\r\n  Families: SCREENBIND, SEEGAP, CABLECAR, UPDATESEE, SEEDOOR, TURNEDUP, CABROCK, YABROD, FOXHOLE\r\n  Groups: UNC373, UNC510, UNC875, APT36, APT33, APT5, UNC822\r\n  Example: C:\\Documents and Settings\\ss\\桌面\\tls\\scr\\bind\\bind\\Release\\bind.pdb\r\nbypass\r\n  Families: POSHC2, FIRESHADOW, FLOWERPOT, RYUK, HAYMAKER, UPCONTROL, PHOTO, BEACON, SOGU\r\n  Groups: APT10, APT34, APT21, UNC1289, UNC1450\r\n  Example: C:\\Documents and Settings\\Administrator\\桌面\\BypassUAC.VS2010\\Release\\Go.pdb\r\ndownloader\r\n  Families: SPICYBEAN, GOOSEDOWN, ANTFARM, BUGJUICE, ENFAL, SOURFACE, KASPER, ELMER, TWOBALL, KIBBLEBITS\r\n  Groups: APT28, UNC1354, UNC1077, UNC27, UNC653, UNC1180, UNC1031\r\n  Example: Z:\\projects\\vs 2012\\Inst DWN and DWN XP\\downloader_dll_http_mtfs\\Release\\downloader_dll_http_mtfs.pdb\r\ndropper\r\n  Families: CITADEL, FIDDLELOG, SWIFTKICK, KAYSLICE, FORMBOOK, EMOTET, SANNY, FIDDLEWOOD, DARKNEURON, URSNIF, RUNOFF\r\n  Groups: UNC776, UNC1095, APT29, APT36, UNC964, UNC1437, UNC849\r\n  Example: D:\\Task\\DDE Attack\\Dropper_Original\\Release\\Dropper.pdb\r\nexploit\r\n  Families: TRICKBOT, RUNBACK, PUNCHOUT, QANAT, OZONERAT\r\n  Groups: UNC1030, APT39, APT34, FIN6\r\n  Example: w:\\modules\\exploits\\littletools\\agent_wrapper\\release\\12345678901234567890123456789012345678\\wrapper3.pdb\r\nfake\r\n  Families: FIRESHADOW\r\n  Groups: UNC1172, APT39, UNC822\r\n  Example: D:\\Work\\Project\\VS\\house\\Apple\\Apple_20180115\\Release\\FakeRun.pdb\r\nfuck\r\n  Families: TRICKBOT, CEREAL, KRYPTONITE, SUPERMAN\r\n  Groups: APT17, UNC208, UNC276\r\n  Example: E:\\CODE\\工程文件\\20110505_LEVNOhard\\CODE\\AnyRat\\FuckAll'sUI\\bin\\FuckAll.pdb\r\nhack\r\n  Families: PHOTO, KILLDEVIL, NETWIRE, PACMAN, BADSIGN, TRESOCHO, BADGUEST, GH0ST, VIPSHELL\r\n  Groups: UNC1152, APT40, UNC78, UNC874, UNC52, UNC502, APT33, APT8\r\n  Example: C:\\Users\\Alienware.DESKTOP-MKL3QDN\\Documents\\Hacker\\memorygrabber - ID\\memorygrabber\\obj\\x86\\Debug\\vshost.pdb\r\nhide\r\n  Families: FRESHAIR, DIRTYWORD, GH0ST, DARKMOON, FIELDGOAL, RAWHIDE, DLLDOOR, TRICKBOT, 008S, JAMBOX, SOGU, CANDYSHELL\r\n  Groups: APT26, APT40, UNC213, UNC44, UNC53, UNC282\r\n  Example: c:\\winddk\\6001.18002\\work\\hideport\\i386\\HidePort.pdb\r\nhook\r\n  Families: GEARSHIFT, METASTAGE, FASTPOS, HANDSTAMP, FON, CLASSFON, WATERFAIRY, RATVERMIN\r\n  Groups: UNC842, UNC1197, UNC1040, UNC969\r\n  Example: D:\\รายงาน\\C++ \u0026 D3D \u0026 Hook \u0026 VB.NET \u0026 PROJECT\\Visual Studio 2010\\CodeMaster OnlyTh\\Inject_Win32_2\\Inject Win32\\Inject Win32\\Release\\OLT_PBFREE.pdb\r\ninject\r\n  Families: SKNET, KOADIC, ISMAGENT, FULLTRUNK, ZZINJECT, ENFAL, RANSACK, GEARSHIFT, LOCKLOAD, WHIPSNAP, BEACON, CABROCK, HIGHNOON, DETECT, THREESNEAK, FOXHOLE\r\n  Groups: UNC606, APT10, APT34, APT41, UNC373, APT31, APT19, APT1, UNC82, UNC1168, UNC1149, UNC575\r\n  Example: E:\\0xFFDebug\\My Source\\HashDump\\Release\\injectLsa.pdb\r\ninstall\r\n  Families: FIRESHADOW, SCRAPMINT, BRIGHTCOMB, WINERACK, SLUDGENUDGE, ANCHOR, EXCHAIN, KIBBLEBITS, ENFAL, DANCEPARTY, SLIMEGRIME, DRABCUBE, DIMWIT, THREESNEAK, GOOGONE, STEW, LOWLIGHT, QUASIFOUR, CANNONFODDER, EASYCHAIR, ONETOFOUR, DEEPOCEAN, BRIGHTCREST, LUMBERJACK, EVILTOSS, BRIGHTCYAN, PEKINGDUCK, SIDEVIEW, BOSSNAIL\r\n  Groups: UNC869, UNC385, UNC228, APT5, UNC229, APT26, APT37, UNC432, APT18, UNC27, APT6, UNC1172, UNC593, UNC451, UNC875, UNC53\r\n  Example: i:\\LIE_SHOU\\URL_CURUN-A\\installer\\Release\\jet.pdb\r\nkeylog\r\n  Families: LIMITLESS, ZZDROP, WAVEKEY, FIDDLEKEYS, SKIDHOOK, HAWKEYE, BEACON, DIZZYLOG, SOUNDWAVE\r\n  Groups: APT37, UNC82, UNC1095, APT1, APT40\r\n  Example: D:\\TASK\\ProgamsByMe(2015.1~)\\MyWork\\Relative Backdoor\\KeyLogger_ScreenCap_Manager\\Release\\SoundRec.pdb\r\npayload\r\n  Families: POSHC2, SHAKTI, LIMITLESS, RANSACK, CATRUNNER, BREAKDANCE, DARKMOON, METERPRETER, DHARMA, GAMEFISH, RAWHIDE, LIGHTPOKE\r\n  Groups: UNC915, UNC632, UNC1149, APT28, UNC878\r\n  Example: C:\\Users\\WIN-2-ViHKwdGJ574H\\Desktop\\NSA\\Payloads\\windows service cpp\\Release\\CppWindowsService.pdb\r\nshell\r\n  Families: SOGU, RANSACK, CARBANAK, BLACKCOFFEE, SIDEWINDER, PHOTO, SHIMSHINE, PILLOWMINT, POSHC2, PI, METASTAGE, GH0ST, VIPSHELL, GAUSS, DRABCUBE, FINDLOCK, NEDDYSHELL, MONOPOD, FIREPIPE, URSNIF, KAYSLICE, DEEPOCEAN, EIGHTONE, DAYJOB, EXCALIBUR, NICECATCH\r\n  Groups: UNC48, UNC1225, APT17, UNC1149, APT35, UNC251, UNC521, UNC8, UNC849, UNC1428, UNC1374, UNC53, UNC1215, UNC964, UNC1217, APT3, UNC671, UNC757, UNC753, APT10, APT34, UNC229, APT18, APT9, UNC124, UNC1559\r\n  Example: E:\\windows\\dropperNew\\Debug\\testShellcode.pdb\r\nsleep\r\n  Families: URSNIF, CARBANAK, PILLOWMINT, SHIMSHINE, ICEDID\r\n  Groups: FIN7\r\n  Example: O:\\misc_src\\release_priv_aut_v2.2_sleep_DATE\\my\\src\\sdb_test_dll\\x64\\Release\\sdb_test.pdb\r\nspy\r\n  Families: DUSTYSKY, OFFTRACK, SCRAPMINT, FINSPY, LOCKLOAD, WINDOLLAR\r\n  Groups: FIN7, UNC583, UNC822, UNC1120\r\n  Example: G:\\development\\Winspy\\ntsvc32-93-01-05\\x64\\Release\\ntsvcst32.pdb\r\ntrojan\r\n  Families: ENFAL, IMMINENTMONITOR, MSRIP, GH0ST, LITRECOLA, DIMWIT\r\n  Groups: UNC1373, UNC366, APT19, UNC1352, UNC27, APT1, UNC981, UNC581, UNC1559\r\n  Example: e:\\work\\projects\\trojan\\client\\dll\\i386\\Client.pdb\r\nFigure 10: A selection of common keywords in PDB paths with groups and malware families observed and examples\r\nPDB Path Showcase: Suspicious Developer Environment Terms\r\nThe keywords that are typically used to describe malware are strong enough to raise red flags, but there are other common\r\nterms or features in PDB paths that may signal that an executable is compiled in a non-enterprise setting. For example, any\r\nPDB path containing a “Users” directory can tell you that the executable was likely compiled on Windows Vista/7/10 and\r\nlikely does not represent an “official” or “commercial” development environment. 
The term “Users” is much weaker or\r\nlower in fidelity than “shellcode” but as we demonstrate below, these terms are indeed present in lots of malware and can be\r\nused for weak detection signals.\r\nPDB Path Term Prevalence (term; families and groups observed; example PDB path)\r\nUsers\r\n  Families: ABBEYROAD, AGENTTESLA, ANTFARM, AURORA, BEACON, BLACKDOG, BLACKREMOTE, BLACKSHADESRAT, BREAKDANCE, BROKEYOLK, BUSYFIB, CAMUBOT, CARDCAM, CATNAP, CHILDSPLAY, CITADEL, CROSSWALK, CURVEBALL, DARKCOMET, DARKMOON, DESERTFALCON, DESERTKATZ, DISPKILL, DIZZYLOG, EMOTET, FIDDLEWOOD, FIVERINGS, FLATTOP, FLUXXY, FOOTMOUSE, FORMBOOK, GOLDENCAT, GROK, GZIPDE, HAWKEYE, HIDDENTEAR, HIGHNOTE, HKDOOR, ICEDID, ICEFOG, ISMAGENT, KASPER, KOADIC, LUKEWARM, LUXNET, MOONRAT, NANOCORE, NETGRAIL, NJRAT, NUTSHELL, ONETOFOUR, ORCUSRAT, POISONIVY, POSHC2, QUASARRAT, QUICKHOARD, RADMIN, RANSACK, RAWHIDE, REMCOS, REVENGERAT, RYUK, SANDPIPE, SANDTRAP, SCREENTIME, SEEDOOR, SHADOWTECH, SILENTBYTES, SKIDHOOK, SLIMCAT, SLOWROLL, SOGU, SOREGUT, SOURCANDLE, TREASUREHUNT, TRENDCLOUD, TRESOCHO, TRICKBOT, TRIK, TROCHILUS, TURNEDUP, TWINSERVE, UPCONTROL, UPDATESEE, URSNIF, WATERFAIRY, XHUNTER, XRAT, ZEUS\r\n  Groups: APT5, APT10, APT17, APT33, APT34, APT35, APT36, APT37, APT39, APT40, APT41, FIN6, UNC284, UNC347, UNC373, UNC432, UNC632, UNC718, UNC757, UNC791, UNC824, UNC875, UNC1065, UNC1124, UNC1149, UNC1152, UNC1197, UNC1289, UNC1295, UNC1340, UNC1352, UNC1354, UNC1374, UNC1406, UNC1450, UNC1486, UNC1507, UNC1516, UNC1534, UNC1545, UNC1562\r\n  Example: C:\\Users\\Yousef\\Desktop\\MergeFiles\\Loader v0\\Loader\\obj\\Release\\Loader.pdb\r\nConsoleApplication, WindowsApplication, WindowsFormsApplication (Visual Studio default project names)\r\n  Families: CROSSWALK, DESERTKATZ, DIZZYLOG, FIREPIPE, HIGHPRIEST, HOUDINI, HTRAN, KICKBACK, LUKEWARM, MOONRAT, NIGHTOWL, NJRAT, ORCUSRAT, REDZONE, REVENGERAT, RYUK, SEEDOOR, SLOAD, SOGU, TRICKBOT, TRICKSHOW\r\n  Groups: APT1, APT34, APT36, FIN6, UNC251, UNC729, UNC1078, UNC1147, UNC1172, UNC1267, UNC1277, UNC1289, UNC1295, UNC1340, UNC1470, UNC1507\r\n  Example: D:\\Projects\\ByPassAV\\ConsoleApplication1\\Release\\ConsoleApplication1.pdb\r\nNew Folder\r\n  Families: HOMEUNIX, KASPER, MOONRAT, NANOCORE, NETWIRE, OZONERAT, POISONIVY, REMCOS, SKIDHOOK, TRICKBOT, TURNEDUP, URLZONE\r\n  Groups: APT18, APT33, APT36, UNC53, UNC74, UNC672, UNC718, UNC1030, UNC1289, UNC1340, UNC1559\r\n  Example: c:\\Users\\USA\\Documents\\Visual Studio 2008\\Projects\\New folder (2)\\kasper\\Release\\kasper.pdb\r\nCopy\r\n  Families: DESERTFALCON, KASPER, NJRAT, RYUK, SOGU\r\n  Groups: UNC124, UNC718, UNC757, UNC1065, UNC1215, UNC1225, UNC1289\r\n  Example: D:\\dll_Mc2.1mc\\2.4\\2.4.2 xor\\zhu\\dll_Mc - Copy\\Release\\shellcode.pdb\r\nDesktop\r\n  Families: AGENTTESLA, AVEO, BEACON, BUSYFIB, CHILDSPLAY, COATHOOK, DESERTKATZ, FIVERINGS, FLATTOP, FORMBOOK, GH0ST, GOLDENCAT, HIGHNOTE, HTRAN, IMMINENTMONITOR, KASPER, KOADIC, LUXNET, MOONRAT, NANOCORE, NETWIRE, NUTSHELL, ORCUSRAT, RANSACK, RUNBACK, SEEDOOR, SKIDHOOK, SLIMCAT, SLOWROLL, SOGU, TIERNULL, TINYNUKE, TRICKBOT, TRIK, TROCHILUS, TURNEDUP, UPDATESEE, WASHBOARD, WATERFAIRY, XRAT\r\n  Groups: APT5, APT17, APT26, APT33, APT34, APT35, APT36, APT41, UNC53, UNC276, UNC308, UNC373, UNC534, UNC551, UNC572, UNC672, UNC718, UNC757, UNC791, UNC824, UNC875, UNC1124, UNC1149, UNC1197, UNC1352\r\n  Example: C:\\Users\\Develop_MM\\Desktop\\sc_loader\\Release\\sc_loader.pdb\r\nFigure 11: A selection of common terms in PDB paths with groups and malware families observed and examples\r\nPDB Path Showcase: Exploring Anomalies\r\nOutside of keywords and terms, we discovered a few uncommon (to us) features that may be interesting for future\r\nresearch and detection opportunities.\r\nNon-ASCII Characters\r\nPDB paths with any non-ASCII characters have a high ratio of malware to non-malware in our datasets. The strength of this\r\nsignal is only because of a data bias in our malware corpus and in our client base. However, if this data bias is consistent, we\r\ncan use the presence of non-ASCII characters in a PDB path as a signal that an executable merits further scrutiny. In\r\norganizations that operate primarily in the world of ASCII, we imagine this will be a strong signal. Below we express logic\r\nfor this technique in Yara:\r\nrule ConventionEngine_Anomaly_NonAscii\r\n{\r\n    meta:\r\n        author = \"@stvemillertime\"\r\n    strings:\r\n        $pcre = /RSDS[\\x00-\\xFF]{20}[a-zA-Z]:\\\\[\\x00-\\xFF]{0,500}[^\\x00-\\x7F]{1,}[\\x00-\\xFF]{0,500}\\.pdb\\x00/\r\n    condition:\r\n        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $pcre\r\n}\r\nMultiple Paths in a Single File\r\nEach compiled program should only have one PDB path. The presence of multiple PDB paths in a single object indicates\r\nthat the object has subfile executables, from which you may infer that the parent object has the capability to “drop” or\r\n“install” other files. 
While being a dropper or installer is not malicious on its own, having an alternative method of applying\r\nthose classifications to file objects may be of assistance in surfacing malicious activity. In this example, we can also search\r\nfor this capability using Yara (this rule keys on exactly three CodeView records; loosen the two counts to catch two or more):\r\nrule ConventionEngine_Anomaly_MultiPDB_Triple\r\n{\r\n    meta:\r\n        author = \"@stvemillertime\"\r\n    strings:\r\n        $anchor = \"RSDS\"\r\n        $pcre = /RSDS[\\x00-\\xFF]{20}[a-zA-Z]:\\\\[\\x00-\\xFF]{0,200}\\.pdb\\x00/\r\n    condition:\r\n        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and #anchor == 3 and #pcre == 3\r\n}\r\nOutside of a Debug Section\r\nWhen a file is compiled, the entry for the debug information is in the IMAGE_DEBUG_DIRECTORY. Similar to seeing\r\nmultiple PDB paths in a single file, when we see debug information inside an executable that does not have a debug\r\ndirectory, we can infer that the file has subfile executables and likely has dropper or installer functionality. In this rule, we\r\nuse Yara’s convenient PE module to check the relative virtual address (RVA) of the\r\nIMAGE_DIRECTORY_ENTRY_DEBUG entry, and if it is zero we can presume that there is no debug entry and thus the\r\npresence of a CodeView PDB path indicates that there is a subfile. The PE module must be imported for the rule to compile:\r\nimport \"pe\"\r\n\r\nrule ConventionEngine_Anomaly_OutsideOfDebug\r\n{\r\n    meta:\r\n        author = \"@stvemillertime\"\r\n        description = \"Searching for PE files with PDB path keywords, terms or anomalies.\"\r\n    strings:\r\n        $anchor = \"RSDS\"\r\n        $pcre = /RSDS[\\x00-\\xFF]{20}[a-zA-Z]:\\\\[\\x00-\\xFF]{0,200}\\.pdb\\x00/\r\n    condition:\r\n        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $anchor and $pcre and\r\n        pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_DEBUG].virtual_address == 0\r\n}\r\nNulled Out PDB Paths\r\nIn the typical CodeView section, we would see the “RSDS” header, the 16-byte GUID, a 4-byte “age” and then a PDB path\r\nstring. 
However, we’ve identified a significant number of malware samples where the embedded PDB path area is nulled\r\nout. In this example, we can easily see the CodeView debug structure, complete with header, GUID and age, followed by\r\nnulls to the end of the segment.\r\n00147880: 52 53 44 53 18 c8 03 4e 8c 0c 4f 46 be b2 ed 9e : RSDS...N..OF....\r\n00147890: c1 9f a3 f4 01 00 00 00 00 00 00 00 00 00 00 00 : ................\r\n001478a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................\r\n001478b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................\r\n001478c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 : ................\r\nThere are a few possibilities of how and why a CodeView PDB path may be nulled out, but in the case of intentional\r\ntampering, for the purposes of removing toolmarks, the easiest way would be to manually overwrite the PDB path with\r\n\\x00s. The risk of manual editing and overwriting via hex editor is that doing so is laborious and may introduce other static\r\nanomalies such as checksum errors.\r\nThe next easiest way is to use a utility designed to wipe out debug artifacts from executables. One stellar example of this is\r\n“peupdate” which is designed not only to strip or fabricate the PDB path information, but can also recalculate the checksum\r\nand eliminate Rich headers. Below we demonstrate use of peupdate to clear the PDB path.\r\nFigure 12: Using peupdate to clear the PDB path information from a sample of malware\r\nFigure 13: The peupdate tampered malware as shown in the PEview utility. 
We see the CodeView section is still present but\r\nthe PDB path value has been cleared out\r\nPDB Path Anomaly Prevalence (anomaly; families and groups observed; examples)\r\nNon-ASCII Characters\r\n  Families: 008S, AGENTTESLA, BADSIGN, BAGELBYTE, BIRDSEED, BLACKCOFFEE, CANNONFODDER, CARDDROP, CEREAL, CHILDSPLAY, COATHOOK, CURVEBALL, DANCEPARTY, DIMWIT, DIZZYLOG, EARTHWORM, EIGHTONE, ELISE, ELKNOT, ENFAL, EXCHAIN, FANNYPACK, FLOWERPOT, FREELOAD, GH0ST, GINGERYUM, GLASSFLAW, GLOOXMAIL, GOLDENCAT, GOOGHARD, GOOGONE, HANDSTAMP, HELLWOOD, HIGHNOON, ICEFOG, ISHELLYAHOO, JAMBOX, JIMA, KRYPTONITE, LIGHTSERVER, LOCKLOAD, LOKIBOT, LOWLIGHT, METASTAGE, NETWIRE, PACMAN, PARITE, POISONIVY, PIEDPIPER, PINKTRIP, PLAYNICE, QUASARRAT, REDZONE, SCREENBIND, SHADOWMASK, SHORTLEASH, SIDEWINDER, SLIMEGRIME, SOGU, SUPERMAN, SWEETBASIL, TEMPFUN, TRAVELNET, TROCHILUS, URSNIF, VIPER, VIPSHELL\r\n  Groups: APT1, APT2, APT3, APT5, APT6, APT9, APT10, APT14, APT17, APT18, APT20, APT21, APT23, APT24, APT26, APT31, APT33, APT41, UNC20, UNC27, UNC39, UNC53, UNC74, UNC78, UNC1040, UNC1078, UNC1172, UNC1486, UNC156, UNC208, UNC229, UNC237, UNC276, UNC293, UNC366, UNC373, UNC451, UNC454, UNC521, UNC542, UNC551, UNC556, UNC565, UNC584, UNC629, UNC753, UNC794, UNC798, UNC969\r\n  Example: I:\\RControl\\小工具\\123\\判断加载着\\Release\\判断加载着.pdb\r\nMultiple Paths in a Single File\r\n  Families: AGENTTESLA, BANKSHOT, BEACON, BIRDSEED, BLACKBELT, BRIGHTCOMB, BUGJUICE, CAMUBOT, CARDDROP, CETTRA, CHIPSHOT, COOKIECLOG, CURVEBALL, DARKMOON, DESERTFALCON, DIMWIT, ELISE, EXTRAMAYO, FIDDLELOG, FIDDLEWOOD, FLUXXY, FON, GEARSHIFT, GH0ST, HANDSTAMP, HAWKEYE, HIGHNOON, HIKIT, ICEFOG, IMMINENTMONITOR, ISMAGENT, KASPER, KAZYBOT, LIMITLESS, LOKIBOT, LUMBERJACK, MOONRAT, ORCUSRAT, PLANEDOWN, PLANEPATCH, POSEIDON, POSHC2, PUBNUBRAT, PUPYRAT, QUASARRAT, RABBITHOLE, RATVERMIN, RAWHIDE, REDTAPE, RYUK, SAKABOTA, SAMAS, SEEGAP, SEEKEYS, SKIDHOOK, SOGU, SWEETCANDLE, SWEETTEA, TRAVELNET, TRICKBOT, TROCHILUS, UPCONTROL, UPDATESEE, UROBUROS, WASHBOARD, WHITEWALK, WINERACK, XTREMERAT, ZXSHELL\r\n  Groups: APT1, APT2, APT17, APT5, APT20, APT21, APT26, APT34, APT36, APT37, APT40, APT41, UNC27, UNC53, UNC218, UNC251, UNC432, UNC521, UNC718, UNC776, UNC875, UNC878, UNC969, UNC1031, UNC1040, UNC1065, UNC1092, UNC1095, UNC1166, UNC1183, UNC1289, UNC1374, UNC1443, UNC1450, UNC1495\r\n  Example: a single TRICKBOT sample carrying both D:\\MyProjects\\spreader\\Release\\spreader_x86.pdb and D:\\MyProjects\\spreader\\Release\\ssExecutor_\r\nOutside of Debug Section\r\n  Families: ABBEYROAD, AGENTTESLA, BEACON, BLACKSHADESRAT, CHIMNEYDIP, CITADEL, COOKIECLOG, COREBOT, CRACKSHOT, DAYJOB, DIRTCHEAP, DIZZYLOG, DUSTYSKY, EARTHWORM, EIGHTONE, ELISE, EXTRAMAYO, FRONTWHEEL, GELCAPSULE, GH0ST, HAWKEYE, HIGHNOON, KAYSLICE, LEADPENCIL, LOKIBOT, METASTAGE, METERPRETER, MURKYTOP, NUTSHELL, ORCUSRAT, OUTLOOKDUMP, PACMAN, POISONIVY, PLANEPATCH, PONY, PUPYRAT, RATVERMIN, SAKABOTA, SANDTRAP, SEADADDY, SEEDOOR, SHORTLEASH, SOGU, SOULBOT, TERA, TIXKEYS, UPCONTROL, WHIPSNAP, WHITEWALK, XDOOR, XTUNNEL\r\n  Groups: APT5, APT6, APT9, APT10, APT17, APT22, APT24, APT26, APT27, APT29, APT30, APT34, APT35, APT36, APT37, APT40, APT41, UNC20, UNC27, UNC39, UNC53, UNC69, UNC74, UNC105, UNC124, UNC125, UNC147, UNC213, UNC215, UNC218, UNC227, UNC251, UNC276, UNC282, UNC307, UNC308, UNC347, UNC407, UNC565, UNC583, UNC587, UNC589, UNC631, UNC707, UNC718, UNC775, UNC776, UNC779, UNC842, UNC869, UNC875, UNC924, UNC1040, UNC1080, UNC1148, UNC1152, UNC1225, UNC1251, UNC1428, UNC1450, UNC1486, UNC1575\r\nNulled Out PDB Paths\r\n  Families: HIGHNOON, SANNY, PHOTO, TERA, SOYSAUCE, VIPER, FIDDLEWOOD, BLACKDOG, FLUSHSHOW, NJRAT, LONGCUT\r\n  Groups: APT41, UNC776, UNC229, UNC177, UNC1267, UNC878, UNC1511\r\nFigure 14: A selection of anomalies in PDB paths with groups and malware families observed and examples\r\nPDB Path Showcase: Outliers, Oddities, Exceptions and Other Shenanigans\r\nThe internet is a weird place, and at a big enough scale, you end up seeing things that you never thought you would. Things\r\nthat deviate from the norms, things that shirk the standards, things that utterly defy explanation. We expect PDB paths to\r\nlook a certain way, but we’ve run across several samples that did not, and we’re not always sure why. Many of the samples\r\nbelow may be the result of errors, corruption, obfuscation, or various forms of intentional manipulation. We’re demonstrating\r\nthem here to show that if you are attempting PDB path parsing or detection, you need to understand the variety of paths in\r\nthe wild and prepare for shenanigans galore. 
Each of these examples is from confirmed malware samples.\r\nShenanigan / Example PDB Paths\r\nUnicode error:\r\nText Path: C^\\Users\\DELL\\Desktop\\interne.2.pdb\r\nRaw Path: 435E5C55 73657273 5C44454C 4C5C4465 736B746F 705C696E 7465726E 6598322E 706462\r\nText Path: Cj\\Users\\hacker messan\\Deskto \\Server111.pdb\r\nRaw Path: 436A5C55 73657273 5C686163 6B657220 6D657373 616E5C44 65736B74 6FA05C53 65727665 72313131 2E706462\r\nNothing but space:\r\nText Path:                                                         \r\nFull Raw: 52534453 7A7F54BF BAC9DE45 89DC995F F09D2327 0A000000 20202020 20202020 20202020 20202020 20202020 20202020 20202020 20202020 20202020 20202020 20202020 20202020 20202020 20202020 20202000\r\nSpaced out:\r\nText Path: D:\\                                 .pdb\r\nFull Raw: 52534453 A7FBBBFE 5C41A545 896EF92F 71CD1F08 01000000 443A5C20 20202020 20202020 20202020 20202020 20202020 20202020 20202020 20202020 2E706462 00\r\nNothin’ but null:\r\nText Path: \u003cnull bytes only\u003e\r\nFull Raw: 52534453 97272434 3BACFA42 B2DAEE99 FAB00902 01000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000\r\nRandom characters:\r\nText Path: Lmd9knkjasdLmd9knkjasLmd9knkAaGc.pdb\r\nRandom path:\r\nText Path: G:\\givgLxNzKzUt\\TcyaxiavDCiu\\bGGiYrco\\QNfWgtSs\\auaXaWyjgmPqd.pdb\r\nWord soup:\r\nText Path: c:\\Busy\\molecule\\Blue\\Valley\\Steel\\King\\enemy\\Himyard.pdb\r\nMixed doubles:\r\nText Path: C::\\\\QQQQQQQQ\\VVVVVVVVVVVVVVVVV.pdb\r\nShort:\r\nText Path: 1.pdb\r\nNo .pdb:\r\nText Path: a\r\nFull Raw: 52534453 ED86CA3D 6C677946 822E668F F48B0F9D 01000000 6100\r\nLong and weird with repeated character:\r\nText Path: ªªªªªªªªªªªªªªªªªªªªtinjs\\aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaae.pdb\r\nFull Raw: 52534453 DD947C2F 6B32544C 8C3ACB2E C7C39F45 01000000 AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA AAAAAAAA 74696E6A 735C6161 61616161 61616161 61616161 61616161 61616161 61616161 61616161 61616161 61616161 61616161 61616161 61616161 61616161 61616161 61616161 61616161 61616161 61616161 61616161 61616161 652E7064 6200\r\nNo idea:\r\nText Path: n:.Lí..×ÖòÒ.\r\nFull Raw: 52534453 5A2D831D CB4DCF1E 4A05F51B 94992AA0 B7CFEE32 6E3AAD4C ED1A1DD7 D6F2D29E 00\r\nForward slashes and no drive letter:\r\nText Path: /Users/user/Documents/GitHub/SharpWMI/SharpWMI/obj/Debug/SharpWMI.pdb\r\nNetwork share:\r\nText Path: \\\\vmware-host\\shared folders\\Decrypter\\Decrypter\\obj\\Release\\Decrypter.pdb\r\nNon-Latin drive letter:\r\nWe haven’t seen this yet, but it’s only a matter of time until you can have an emoji as a drive letter.\r\nFigure 15: A selection of PDB paths shenanigans with examples\r\nBetwixt Nerf Herders and Elite Operators\r\nThere are many differences between apex threat actors and the rest, even if all successfully perform intrusion operations. Groups that exercise good OPSEC in some campaigns may have bad OPSEC in others. APT36 has hundreds of leaked PDB paths, whereas APT30 has a minimal PDB path footprint, while APT38 is a ghost.\r\nWhen PDB paths are present, the types of keywords, terms, and other string items present in PDB paths are all on a spectrum of professionalism and sophistication. 
On one end we’re seeing “njRAT-FUD 0.3” and “1337 h4ckbot” and on the other end we’re seeing “minidionis” and “msrstd”.\r\nThe trendy critique of string-based detection goes something like “advanced adversaries would never act so carelessly; they’ll obfuscate and evade your naïve and brittle signatures.” In the tables above for PDB path keywords, terms and anomalies, we think we’ve shown that bona fide APT/FIN groups, state-sponsored adversaries, and the best-of-the-best attackers do sometimes slip up and give us an opportunity for detection.\r\nLet’s call out some specific examples from boutique malware from some of the more advanced threat groups.\r\nEquation Group\r\nSome Equation Group samples show full PDB paths that indicate that some of the malware was compiled in debug mode on workstations or virtual machines used for development.\r\nc:\\users\\rmgree5\\co\\standalonegrok_2.1.1.1\\gk_driver\\gk_sa_driver\\objfre_wnet_amd64\\amd64\\SaGk.pdb\r\nOther Equation Group samples have partially qualified PDB paths that represent something less obvious. These standalone PDB names may reflect a more tailored, multi-developer environment, where it wouldn’t make sense to specify a fully qualified PDB path for a single developer system. Instead, the linker is instructed to write only the PDB file name in the built executable. Still, these PDB paths are unique to their malware samples:\r\ntdip.pdb\r\nvolrec.pdb\r\nmsrstd.pdb\r\nRegin\r\nDeeming a piece of malware a “backdoor” is increasingly passé. Calling a piece of malware an “implant” is the new hotness, and the general public may be adopting this nouveau nomenclature long after purported Western governments. 
In this component of the Regin platform, we see a developer that was way ahead of the curve:\r\nC:\\dev\\k1svn\\dsd\\Implants\\WarriorPride\\production2.0\\package\\E_Wzowski\\Release\\E_Qwerty.pdb\r\nAPT29\r\nLet’s not forget APT29, whose brazen worldwide intrusion sprees often involve pieces of creative, elaborate, and stealthy malware. APT29 is amongst the better groups at staying quiet, but in thousands of pieces of malware, these normally disciplined operators did leak a few PDB paths such as:\r\nc:\\Users\\developer\\Desktop\\unmodified_netimplant\\minidionis\\minidionis\\obj\\Debug\\minidionis.pdb\r\nC:\\Projects\\nemesis-gemina\\nemesis\\bin\\carriers\\ezlzma_x86_exe.pdb\r\nEven when the premier outfits don’t use the glaring keywords, there may still be some string terms, anomalies and unique values present in PDB paths that each represent an opportunity for detection.\r\nConventionEngine\r\nWe extract and index all PDB paths from all executables so we can easily search and spelunk through our data. But not everyone has it that easy, so we cranked out a quick collection of nearly 100 Yara rules for PDB path keywords, terms and anomalies that we believe researchers and analysts can use to detect evil. We named this collection of rules “ConventionEngine” after the industry jokes that security vendors like to talk about their elite detection “engines,” but behind the green curtain they’re all just a code spaghetti mess of scripts and signatures, which this absolutely started as.\r\nInstead of tight production “signatures,” you can think of these as “weak signals” or “discovery rules” that are meant to build haystacks of varying size and fidelity for analysts to hunt through. 
Those rules with a low signal-to-noise ratio (SNR) could be fed to automated systems for logging or contextualization of file objects, whereas rules with a higher SNR could be fed directly to analysts for review or investigation.\r\nOur adversaries are human. They err. And when they do, we can catch them. We are pleased to release ConventionEngine rules for anyone to use in that effort. Together these rules cover samples from over 300 named malware families, hundreds of unnamed malware families, 39 different APT and FIN threat groups, and over 200 UNC (uncategorized) groups of activity.\r\nWe hope you can use these rules as templates, or as starting points for further PDB path detection ideas. There’s plenty of room for additional keywords, terms, and anomalies. Be advised, whether for detection or hunting or merely for context, you will need to tune and add additional logic to each of these rules to make the size of the resulting haystacks appropriate for your purposes, your operations and the technology within your organization. When judiciously implemented, we believe these rules can enrich analysis and detect things that are missed elsewhere.\r\nPDB Paths for Intelligence Teams\r\nGettin' Lucky with APT31\r\nDuring an incident response investigation, we found an APT31 account on Github being used for staging malware files and for malware communications. The intrusion operators using this account weren’t shy about putting full code packages right into the repositories, and we were able to recover actual PDB files associated with multiple malware ecosystems. Using the actual PDB files, we were able to see the full directory paths of the raw malware source code, representing a considerable intelligence gain about the malware’s original development environment. 
We used what we found in the PDB itself to search for other files related to this malware author.\r\nFinding Malware Source Code Using PDBs\r\nMalware PDBs themselves are easier to find than one may think. Sure, sometimes the authors are kind enough to leave everything up on Github. But there are some other occasions too: sometimes malware source code will get inadvertently flagged by antivirus or endpoint detection and response (EDR) agents; sometimes malware source code will be left in open directories; and sometimes malware source code will get uploaded to the big malware repositories.\r\nYou can find malware source code by looking for things like Visual Studio solution files, or simply with Yara rules looking for PDB files in archives that have some non-zero detection rate or other metadata that raises the likelihood that some component in the archive is indeed malicious.\r\nrule PDB_Header_V2\r\n{\r\n    meta:\r\n        author = \"@stvemillertime\"\r\n        description = \"This looks for PDB files based on headers.\"\r\n    strings:\r\n        // Magic header of a version 2.00 PDB file (ends in CR LF):\r\n        // $string = \"Microsoft C/C++ program database 2.00\"\r\n        $hex = { 4D696372 6F736F66 7420432F 432B2B20 70726F67 72616D20 64617461 62617365 20322E30 300D0A }\r\n    condition:\r\n        $hex at 0\r\n}\r\nrule PDB_Header_V7\r\n{\r\n    meta:\r\n        author = \"@stvemillertime\"\r\n        description = \"This looks for PDB files based on headers.\"\r\n    strings:\r\n        // Magic header of a version 7.00 (MSF) PDB file:\r\n        // $string = \"Microsoft C/C++ MSF 7.00\"\r\n        $hex = { 4D696372 6F736F66 7420432F 432B2B20 4D534620 372E3030 }\r\n    condition:\r\n        $hex at 0\r\n}\r\nPDB Paths for Offensive Teams\r\nFireEye has confirmed individual attribution to bona fide threat actors and red teamers based in part on leaked PDB paths in malware samples. The broader analyst community often uses PDB paths for clustering and pivoting to related malware families and while building a case for attribution, tracking, or pursuit of malware developers. 
Naturally, red team and offensive operators should be aware of the artifacts that are left behind during the compilation process and abstain from compiling with symbol generation enabled – basically, remember to practice good OPSEC on your implants. That said, there is an opportunity for creating artificial PDB paths should one wish to intentionally introduce this artifact.\r\nMaking PDB Paths Appear More “Legitimate”\r\nOne notable differentiator between malware and non-malware is that malware is typically not developed in an “enterprise” or “commercial” software development setting. The difference here is that in large development settings, software engineers are working on big projects together through productivity tools, and the software is constantly updated and rebuilt through automated “continuous integration” (CI) or “continuous delivery” (CD) suites such as Jenkins and TeamCity. This means that when PDB paths are present in legitimate enterprise software packages, they often have toolmarks showing their compile path on a CI/CD build server.\r\nHere are some examples of PDB paths of legitimate software executables built in a CI/CD environment:\r\nD:\\Jenkins\\workspace\\QA_Build_5_19_ServerEx_win32\\_buildoutput\\ServerEx\\Win32\\Release\\_symbols\\keysvc.pdb\r\nD:\\bamboo-agent-home\\xml-data\\build-dir\\MC-MCSQ1-JOB1\\src\\MobilePrint\\obj\\x86\\Release\\MobilePrint.pdb\r\nC:\\TeamCity\\BuildAgent\\work\\714c88d7aeacd752\\Build\\Release\\cs.pdb\r\nWe do not discount the fact that some malware developers are using CI/CD build environments. 
We know that some threat actors and malware authors are indeed adopting contemporary enterprise development processes, but malware PDBs like this example are extraordinarily rare:\r\nc:\\users\\builder\\bamboo~1\\xml-data\\build-~1\\trm-pa~1\\agent\\window~1\\rootkit\\Output\\i386\\KScan.pdb\r\nSpecifying Custom PDB Paths in Visual Studio\r\nSpecifying a custom path for a PDB file is not uncommon in the development world. An offensive or red team operator may wish to specify a fake PDB path and can do so easily using compiler linking options.\r\nAs our example malware author “smiller” learns and hones their tradecraft, they may adopt a stealthier approach and choose to include one of those more “legitimate” looking PDB paths in new malware compilations.\r\nTake smiller’s example malware project located at the path:\r\nD:\\smiller\\projects\\offensive_loaders\\shellcode\\hello\\hellol\\\r\nFigure 16: hellol.cpp code shown in Visual Studio with debug build information\r\nThis project compiled in Debug configuration by default places both the hellol.exe file and the hellol.pdb file under\r\nD:\\smiller\\projects\\offensive_loaders\\shellcode\\hello\\hellol\\Debug\\\r\nFigure 17: hellol.exe and hellol.pdb, compiled by debug configuration default into its resident folder\r\nIt’s easy to change the properties of this project and manually specify the generation path of the PDB file. 
From the Visual Studio taskbar, select Project \u003e Properties, then in the side pane select Linker \u003e Debugging and fill the option box for “Generate Program Database File.” This option accepts Visual Studio macros so there is plenty of flexibility for scripting and creating custom build configurations for falsifying or randomizing PDB paths.\r\nFigure 18: hellol project Properties showing defaults for the PDB path\r\nFigure 19: hellol project Properties now showing a manually specified path for the (fake) PDB path\r\nWhen we examine the raw ConsoleApplication1.exe, we can see at the byte level that the linker has included debug information in the executable specifying our designated PDB path, which of course is not real. Or if built at the command line, you could specify /PDBALTPATH, which can create a PDB file name that does not rely on the file structure of the build computer.\r\nFigure 20: Rebuilt hellol.exe as seen through the PEview utility, which shows us the fake PDB path in the IMAGE_DEBUG_TYPE_CODEVIEW directory of the executable\r\nAn offensive or red team operator could intentionally include a PDB path in a piece of malware, making the executable appear to be compiled on a CI/CD server which could help the malware fly under the radar. Additionally, an operator could include a PDB path or strings associated with a known malware family or threat group to confound analysts. Why not throw in a small homage to one of your favorite malware operators or authors, such as the infamous APT33 persona xman_1365_x? Or perhaps throw in a “\\Homework\\CS1101\\” to make the activity seem more academic? 
For whatever reason, if there is PDB manipulation to be done, it is generally doable with common software development tools.\r\nThe Glory and the Nothing of a (Malware) Name\r\nIn the context of PDB paths and malware author naming conventions, it is important to acknowledge the interdependent (and often circular) nature of “offense” and “defense.” Which came first, a defender calling a piece of malware a “trojan” or a malware author naming their code project a “trojan”? Some malware is inspired by prior work. An author names a code project “MIMIKATZ”, and years later there are hundreds of related projects and scripts with derivative names.\r\nAlthough definitions may vary, we see that both the offensive and defensive sides characterize the functionality or role of a piece of malware using much of the same vernacular and inspiration. We suspect this began with “virus” and that the array of granular, descriptive terms will continue to grow as public discourse advances the malware taxonomy. Who would have suspected that how we talked about malware would ultimately lead to the possibility of detecting it? After all, would a rootkit by any other name be as evil? Somewhere, a scholar is beaming with wonder at the intersection of malware and linguistics.\r\nConclusions\r\nIf by now you’re thinking this is all kind of silly, don’t worry, you’re in good company. PDB paths are indeed a wonky attribute of a file. The mere presence of these paths in an executable is by no means evil, yet when these paths are present in pieces of malware, they usually represent acts of operational indiscretion. 
The idea of detecting malware based on PDB paths is kind of like detecting a robber based on what type of hat a person is wearing, if they’re wearing one at all.\r\nWe have been historically successful in using PDB paths mostly as an analytical pivot, to help us cluster malware families and track malware developers. When we began to study PDB paths holistically, we noticed that many malware authors were using many of the same naming conventions for their folders and project files. They were naming their malware projects after the functionality of the malware itself, and they routinely labeled their projects with unique, descriptive language.\r\nWe found that many malware authors and operators leaked PDB paths that described the functionality of the malware itself and gave us insight into the development environment. Furthermore, outside of the descriptors of the malware development files and environment, when PDB files are present, we identified anomalies that help us identify files that are more likely to be circumstantially interesting. There is room for red team and offensive operators to improve their tradecraft by falsifying PDB paths for purposes of stealth or razzle-dazzle.\r\nWe remain optimistic that we can squeeze some juice from PDB paths when they are present. A survey of about 2200 named malware families (including all samples from 41 APT and 10 FIN groups and a couple million other uncategorized executables) shows that PDB paths are present in malware about five percent of the time. Imagine if you could have a detection “backup plan” for five plus percent of malware, using a feature that is itself inherently non-malicious. That’s kind of cool, right?\r\nFuture Work on Scaling PDB Path Classification\r\nOur ConventionEngine rule pack for PDB path keyword, term and anomaly detection has been fun and found tons of malware that would have otherwise been missed. 
But there are a lot of PDB paths in malware that do not have such obvious keywords, and so our manual, cherry-picking, and extraordinarily laborious approach doesn’t scale.\r\nStay tuned for the next part of our blog series! In Part Deux, we explore scalable solutions for PDB path feature generalization and approaches for classification. We believe that data science approaches will better enable us to surface PDB paths with unique and interesting values and move towards a classification solution without any rules whatsoever.\r\nRecommended Reading and Resources\r\nInspiring Research\r\nhttp://www.hexacorn.com/blog/2013/05/08/and-the-most-popular-windows-account-for-compiling-malware-is/\r\nhttps://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/\r\nhttps://www.mandiant.com/resources/reports/apt41-double-dragon-dual-espionage-and-cyber-crime-operation\r\nDebugging and Symbols\r\nhttps://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/symbols\r\nhttps://docs.microsoft.com/en-us/windows/win32/dxtecharts/debugging-with-symbols\r\nhttp://www.debuginfo.com/articles/debuginfomatch.html\r\nDebug Directory and CodeView\r\nhttps://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_debug_directory\r\nhttps://github.com/dotnet/corefx/blob/master/src/System.Reflection.Metadata/specs/PE-COFF.md\r\nDebugging and Visual Studio\r\nhttps://docs.microsoft.com/en-us/cpp/build/reference/debug-generate-debug-info?view=vs-2019\r\nhttps://docs.microsoft.com/en-us/visualstudio/debugger/specify-symbol-dot-pdb-and-source-files-in-the-visual-studio-debugger?view=vs-2019\r\nhttps://docs.microsoft.com/en-us/visualstudio/debugger/remote-debugging?view=vs-2019\r\nPDB File Structure\r\nhttps://github.com/microsoft/microsoft-pdb\r\nhttps://docs.microsoft.com/en-us/windows/win32/debug/symbol-files\r\nhttps://github.com/microsoft/microsoft-pdb/blob/master/docs/ExternalResources.md\r\nhttp://www.godevtool.com/Other/pdb.htm\r\nPDB File Tools\r\nPeupdate: http://bytepointer.com/tools/index.htm#peupdate\r\nPosted in: Threat Intelligence, Security \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
	],
	"report_names": [
		"definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d",
			"created_at": "2025-08-07T02:03:24.741594Z",
			"updated_at": "2026-04-10T02:00:03.653394Z",
			"deleted_at": null,
			"main_name": "COBALT HICKMAN",
			"aliases": [
				"APT39 ",
				"Burgundy Sandstorm ",
				"Chafer ",
				"ITG07 ",
				"Remix Kitten "
			],
			"source_name": "Secureworks:COBALT HICKMAN",
			"tools": [
				"MechaFlounder",
				"Mimikatz",
				"Remexi",
				"TREKX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "abd17060-62f6-4743-95e8-3f23c82cc229",
			"created_at": "2022-10-25T15:50:23.428772Z",
			"updated_at": "2026-04-10T02:00:05.365894Z",
			"deleted_at": null,
			"main_name": "Putter Panda",
			"aliases": [
				"Putter Panda",
				"APT2",
				"MSUpdater"
			],
			"source_name": "MITRE:Putter Panda",
			"tools": [
				"pngdowner",
				"3PARA RAT",
				"4H RAT",
				"httpclient"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1f3cf3d1-4764-4158-a216-dd6352e671bb",
			"created_at": "2022-10-25T15:50:23.837615Z",
			"updated_at": "2026-04-10T02:00:05.322197Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"APT19",
				"Codoso",
				"C0d0so0",
				"Codoso Team",
				"Sunshop Group"
			],
			"source_name": "MITRE:APT19",
			"tools": [
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2150d1ac-edf0-46d4-a78a-a8899e45b2b5",
			"created_at": "2022-10-25T15:50:23.269339Z",
			"updated_at": "2026-04-10T02:00:05.402835Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"APT17",
				"Deputy Dog"
			],
			"source_name": "MITRE:APT17",
			"tools": [
				"BLACKCOFFEE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c8aefee7-fb57-409b-857e-23e986cb4a56",
			"created_at": "2023-01-06T13:46:38.285223Z",
			"updated_at": "2026-04-10T02:00:02.910756Z",
			"deleted_at": null,
			"main_name": "APT18",
			"aliases": [
				"SCANDIUM",
				"PLA Navy",
				"Wekby",
				"G0026",
				"Satin Typhoon",
				"DYNAMITE PANDA",
				"TG-0416"
			],
			"source_name": "MISPGALAXY:APT18",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1aead86d-0c57-4e3b-b464-a69f6de20cde",
			"created_at": "2023-01-06T13:46:38.318176Z",
			"updated_at": "2026-04-10T02:00:02.925424Z",
			"deleted_at": null,
			"main_name": "DAGGER PANDA",
			"aliases": [
				"UAT-7290",
				"Red Foxtrot",
				"IceFog",
				"RedFoxtrot",
				"Red Wendigo",
				"PLA Unit 69010"
			],
			"source_name": "MISPGALAXY:DAGGER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6241b9be-9c59-4164-a7f2-c45844b14a56",
			"created_at": "2023-01-06T13:46:38.321506Z",
			"updated_at": "2026-04-10T02:00:02.926657Z",
			"deleted_at": null,
			"main_name": "APT24",
			"aliases": [
				"PITTY PANDA",
				"G0011",
				"Temp.Pittytiger"
			],
			"source_name": "MISPGALAXY:APT24",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5d512e7c-f6a7-47b5-b440-4968c299deaf",
			"created_at": "2023-01-06T13:46:38.344772Z",
			"updated_at": "2026-04-10T02:00:02.9359Z",
			"deleted_at": null,
			"main_name": "APT20",
			"aliases": [
				"VIOLIN PANDA",
				"TH3Bug",
				"Crawling Taurus"
			],
			"source_name": "MISPGALAXY:APT20",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1c97ccfd-1888-492c-b7b9-bb52c4c3809b",
			"created_at": "2023-01-06T13:46:38.940529Z",
			"updated_at": "2026-04-10T02:00:03.152806Z",
			"deleted_at": null,
			"main_name": "Operation ShadowHammer",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation ShadowHammer",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a9ee8219-1882-4b1b-bac8-641b1603787d",
			"created_at": "2022-10-25T15:50:23.78263Z",
			"updated_at": "2026-04-10T02:00:05.351155Z",
			"deleted_at": null,
			"main_name": "APT30",
			"aliases": [
				"APT30"
			],
			"source_name": "MITRE:APT30",
			"tools": [
				"SHIPSHAPE",
				"FLASHFLOOD",
				"NETEAGLE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2669aa86-663f-4e72-9362-9e61ff3599f4",
			"created_at": "2022-10-25T15:50:23.344796Z",
			"updated_at": "2026-04-10T02:00:05.38663Z",
			"deleted_at": null,
			"main_name": "APT18",
			"aliases": [
				"APT18",
				"TG-0416",
				"Dynamite Panda",
				"Threat Group-0416"
			],
			"source_name": "MITRE:APT18",
			"tools": [
				"hcdLoader",
				"gh0st RAT",
				"cmd",
				"Pisloader",
				"HTTPBrowser"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "274f04ff-fae8-4e90-bcf5-3e391a860cd5",
			"created_at": "2023-12-08T02:00:05.75114Z",
			"updated_at": "2026-04-10T02:00:03.493837Z",
			"deleted_at": null,
			"main_name": "UNC215",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC215",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "13bedce4-3115-4563-afd5-068e3930e68e",
			"created_at": "2023-01-06T13:46:38.623775Z",
			"updated_at": "2026-04-10T02:00:03.042652Z",
			"deleted_at": null,
			"main_name": "APT5",
			"aliases": [
				"KEYHOLE PANDA",
				"BRONZE FLEETWOOD",
				"TEMP.Bottle",
				"Mulberry Typhoon",
				"Poisoned Flight"
			],
			"source_name": "MISPGALAXY:APT5",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "dabb6779-f72e-40ca-90b7-1810ef08654d",
			"created_at": "2022-10-25T15:50:23.463113Z",
			"updated_at": "2026-04-10T02:00:05.369301Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"APT1",
				"Comment Crew",
				"Comment Group",
				"Comment Panda"
			],
			"source_name": "MITRE:APT1",
			"tools": [
				"Seasalt",
				"ipconfig",
				"Cachedump",
				"PsExec",
				"GLOOXMAIL",
				"Lslsass",
				"PoisonIvy",
				"WEBC2",
				"Mimikatz",
				"gsecdump",
				"Pass-The-Hash Toolkit",
				"Tasklist",
				"xCmd",
				"pwdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2c348851-5036-406b-b2d1-1ca47cfc7523",
			"created_at": "2022-10-25T16:07:24.039861Z",
			"updated_at": "2026-04-10T02:00:04.847961Z",
			"deleted_at": null,
			"main_name": "Parisite",
			"aliases": [
				"Cobalt Foxglove",
				"Fox Kitten",
				"G0117",
				"Lemon Sandstorm",
				"Parisite",
				"Pioneer Kitten",
				"Rubidium",
				"UNC757"
			],
			"source_name": "ETDA:Parisite",
			"tools": [
				"Cobalt",
				"FRP",
				"Fast Reverse Proxy",
				"Invoke the Hash",
				"JuicyPotato",
				"Ngrok",
				"POWSSHNET",
				"Pay2Key",
				"Plink",
				"Port.exe",
				"PuTTY Link",
				"SSHMinion",
				"STSRCheck",
				"Serveo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "30ed778d-15b3-484e-a90b-e1e05b36a42f",
			"created_at": "2023-01-06T13:46:38.290626Z",
			"updated_at": "2026-04-10T02:00:02.91411Z",
			"deleted_at": null,
			"main_name": "APT30",
			"aliases": [
				"G0013"
			],
			"source_name": "MISPGALAXY:APT30",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a080173e-7141-4d46-831d-a5f15ebef31a",
			"created_at": "2023-01-06T13:46:38.629955Z",
			"updated_at": "2026-04-10T02:00:03.044597Z",
			"deleted_at": null,
			"main_name": "APT26",
			"aliases": [
				"JerseyMikes",
				"TURBINE PANDA",
				"BRONZE EXPRESS",
				"TECHNETIUM",
				"Taffeta Typhoon"
			],
			"source_name": "MISPGALAXY:APT26",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "468b7acd-895c-4c93-b572-b42f4035b4d4",
			"created_at": "2023-01-06T13:46:38.265636Z",
			"updated_at": "2026-04-10T02:00:02.902436Z",
			"deleted_at": null,
			"main_name": "APT2",
			"aliases": [
				"MSUpdater",
				"4HCrew",
				"SearchFire",
				"TG-6952",
				"G0024",
				"PLA Unit 61486",
				"PUTTER PANDA"
			],
			"source_name": "MISPGALAXY:APT2",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7b039cc0-33b6-495a-b4ca-649d096b993d",
			"created_at": "2023-01-06T13:46:38.482654Z",
			"updated_at": "2026-04-10T02:00:02.99265Z",
			"deleted_at": null,
			"main_name": "APT22",
			"aliases": [
				"G0039",
				"Suckfly",
				"BRONZE OLIVE",
				"Group 46"
			],
			"source_name": "MISPGALAXY:APT22",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "13354d3f-3f40-44ec-b42a-3cda18809005",
			"created_at": "2022-10-25T15:50:23.275272Z",
			"updated_at": "2026-04-10T02:00:05.36519Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"APT3",
				"Gothic Panda",
				"Pirpi",
				"UPS Team",
				"Buckeye",
				"Threat Group-0110",
				"TG-0110"
			],
			"source_name": "MITRE:APT3",
			"tools": [
				"OSInfo",
				"schtasks",
				"PlugX",
				"LaZagne",
				"SHOTPUT",
				"RemoteCMD"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4",
			"created_at": "2023-01-06T13:46:38.269054Z",
			"updated_at": "2026-04-10T02:00:02.90356Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"GOTHIC PANDA",
				"TG-0110",
				"Buckeye",
				"Group 6",
				"Boyusec",
				"BORON",
				"BRONZE MAYFAIR",
				"Red Sylvan",
				"Brocade Typhoon"
			],
			"source_name": "MISPGALAXY:APT3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0e03175d-b1fe-4d4e-bd3a-a8c0feb5eb43",
			"created_at": "2023-01-06T13:46:38.705578Z",
			"updated_at": "2026-04-10T02:00:03.073956Z",
			"deleted_at": null,
			"main_name": "APT6",
			"aliases": [
				"1.php Group"
			],
			"source_name": "MISPGALAXY:APT6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1b3a247f-6186-4482-8b92-c3fb2d767c7d",
			"created_at": "2023-01-06T13:46:38.883911Z",
			"updated_at": "2026-04-10T02:00:03.132231Z",
			"deleted_at": null,
			"main_name": "APT39",
			"aliases": [
				"COBALT HICKMAN",
				"G0087",
				"Radio Serpens",
				"TA454",
				"ITG07",
				"Burgundy Sandstorm",
				"REMIX KITTEN"
			],
			"source_name": "MISPGALAXY:APT39",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc",
			"created_at": "2023-01-06T13:46:38.354607Z",
			"updated_at": "2026-04-10T02:00:02.939761Z",
			"deleted_at": null,
			"main_name": "APT23",
			"aliases": [
				"BRONZE HOBART",
				"G0081",
				"Red Orthrus",
				"Earth Centaur",
				"PIRATE PANDA",
				"KeyBoy",
				"Tropic Trooper"
			],
			"source_name": "MISPGALAXY:APT23",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c6604303-a1c8-4e59-ba12-5da5c0bc6877",
			"created_at": "2023-01-06T13:46:38.312359Z",
			"updated_at": "2026-04-10T02:00:02.923025Z",
			"deleted_at": null,
			"main_name": "APT14",
			"aliases": [
				"ANCHOR PANDA",
				"QAZTeam"
			],
			"source_name": "MISPGALAXY:APT14",
			"tools": [
				"Backdoor.Win32.PoisonIvy",
				"Gen:Trojan.Heur.PT",
				"Torn RAT",
				"Anchor Panda",
				"Gh0st Rat",
				"Gh0stRat, GhostRat",
				"Poison Ivy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7f177406-ec53-4a0e-83b8-9876130c9e73",
			"created_at": "2024-08-28T02:02:09.350152Z",
			"updated_at": "2026-04-10T02:00:04.69275Z",
			"deleted_at": null,
			"main_name": "APT9",
			"aliases": [],
			"source_name": "ETDA:APT9",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "699b7efc-322d-489d-818d-823fac028124",
			"created_at": "2023-01-06T13:46:39.404825Z",
			"updated_at": "2026-04-10T02:00:03.315524Z",
			"deleted_at": null,
			"main_name": "APT9",
			"aliases": [
				"NIGHTSHADE PANDA",
				"Red Pegasus",
				"Group 27"
			],
			"source_name": "MISPGALAXY:APT9",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6d69ef1b-b6f3-47e1-be5a-87ac0fd5ff55",
			"created_at": "2024-04-24T02:00:49.599348Z",
			"updated_at": "2026-04-10T02:00:05.303948Z",
			"deleted_at": null,
			"main_name": "APT5",
			"aliases": [
				"APT5",
				"Mulberry Typhoon",
				"BRONZE FLEETWOOD",
				"Keyhole Panda",
				"UNC2630"
			],
			"source_name": "MITRE:APT5",
			"tools": [
				"Tasklist",
				"PoisonIvy",
				"RAPIDPULSE",
				"PcShare",
				"Mimikatz",
				"SLOWPULSE",
				"SLIGHTPULSE",
				"Skeleton Key",
				"gh0st RAT",
				"PULSECHECK",
				"netstat"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a7aefdda-98f1-4790-a32d-14cc99de2d60",
			"created_at": "2023-01-06T13:46:38.281844Z",
			"updated_at": "2026-04-10T02:00:02.909711Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"BRONZE KEYSTONE",
				"G0025",
				"Group 72",
				"G0001",
				"HELIUM",
				"Heart Typhoon",
				"Group 8",
				"AURORA PANDA",
				"Hidden Lynx",
				"Tailgater Team"
			],
			"source_name": "MISPGALAXY:APT17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5d9dfc61-6138-497a-b9da-33885539f19c",
			"created_at": "2022-10-25T16:07:23.720008Z",
			"updated_at": "2026-04-10T02:00:04.726002Z",
			"deleted_at": null,
			"main_name": "Icefog",
			"aliases": [
				"ATK 23",
				"Dagger Panda",
				"Icefog",
				"Red Wendigo"
			],
			"source_name": "ETDA:Icefog",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Dagger Three",
				"Fucobha",
				"Icefog",
				"Javafog",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e3ba400-aee3-4ef3-8fbc-ec07fdbee46c",
			"created_at": "2025-08-07T02:03:24.731268Z",
			"updated_at": "2026-04-10T02:00:03.651425Z",
			"deleted_at": null,
			"main_name": "COBALT FOXGLOVE",
			"aliases": [
				"Fox Kitten ",
				"Lemon Sandstorm ",
				"Parisite ",
				"Pioneer Kitten ",
				"RUBIDIUM ",
				"UNC757 "
			],
			"source_name": "Secureworks:COBALT FOXGLOVE",
			"tools": [
				"Chisel",
				"FRP (Fast Reverse Proxy)",
				"Mimikatz",
				"Ngrok",
				"POWSSHNET",
				"STSRCheck",
				"Servo",
				"n3tw0rm ransomware",
				"pay2key ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def",
			"created_at": "2025-08-07T02:03:24.626625Z",
			"updated_at": "2026-04-10T02:00:03.605175Z",
			"deleted_at": null,
			"main_name": "BRONZE KEYSTONE",
			"aliases": [
				"APT17 ",
				"Aurora Panda ",
				"DeputyDog ",
				"Group 72 ",
				"Hidden Lynx ",
				"TG-8153 ",
				"Tailgater Team"
			],
			"source_name": "Secureworks:BRONZE KEYSTONE",
			"tools": [
				"9002",
				"BlackCoffee",
				"DeputyDog",
				"Derusbi",
				"Gh0stHTTPSDropper",
				"HiKit",
				"InternalCMD",
				"PlugX",
				"PoisonIvy",
				"ZxShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cf826655-5fcb-4331-bdc5-5ef267db9d3c",
			"created_at": "2025-08-07T02:03:24.631402Z",
			"updated_at": "2026-04-10T02:00:03.608938Z",
			"deleted_at": null,
			"main_name": "BRONZE MAYFAIR",
			"aliases": [
				"APT3 ",
				"Gothic Panda ",
				"Pirpi",
				"TG-0110 ",
				"UPSTeam"
			],
			"source_name": "Secureworks:BRONZE MAYFAIR",
			"tools": [
				"Cookiecutter",
				"HUC Proxy Malware (Htran)",
				"Pirpi",
				"PlugX",
				"SplitVPN",
				"UPS",
				"ctt",
				"ctx"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1d63fba2-f042-41ca-8a72-64c6e737d295",
			"created_at": "2025-08-07T02:03:24.643647Z",
			"updated_at": "2026-04-10T02:00:03.719558Z",
			"deleted_at": null,
			"main_name": "BRONZE OLIVE",
			"aliases": [
				"APT22 ",
				"Barista",
				"Group 46 ",
				"Suckfly "
			],
			"source_name": "Secureworks:BRONZE OLIVE",
			"tools": [
				"Angryrebel",
				"DestroyRAT",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "254f2fab-5834-4d90-9205-d80e63d6d867",
			"created_at": "2023-01-06T13:46:38.31544Z",
			"updated_at": "2026-04-10T02:00:02.924166Z",
			"deleted_at": null,
			"main_name": "APT21",
			"aliases": [
				"HAMMER PANDA",
				"TEMP.Zhenbao",
				"NetTraveler"
			],
			"source_name": "MISPGALAXY:APT21",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "871acc40-6cbf-4c81-8b40-7f783616afbc",
			"created_at": "2023-01-06T13:46:39.156237Z",
			"updated_at": "2026-04-10T02:00:03.232876Z",
			"deleted_at": null,
			"main_name": "Fox Kitten",
			"aliases": [
				"UNC757",
				"Lemon Sandstorm",
				"RUBIDIUM",
				"PIONEER KITTEN",
				"PARISITE"
			],
			"source_name": "MISPGALAXY:Fox Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d",
			"created_at": "2025-08-07T02:03:24.595597Z",
			"updated_at": "2026-04-10T02:00:03.740023Z",
			"deleted_at": null,
			"main_name": "BRONZE FIRESTONE",
			"aliases": [
				"APT19 ",
				"C0d0s0",
				"Checkered Typhoon ",
				"Chlorine ",
				"Deep Panda ",
				"Pupa ",
				"TG-3551 "
			],
			"source_name": "Secureworks:BRONZE FIRESTONE",
			"tools": [
				"9002",
				"Alice's Rabbit Hole",
				"Cobalt Strike",
				"Derusbi",
				"PlugX",
				"PoisonIvy",
				"PowerShell Empire",
				"Trojan Briba",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "86182dd7-646c-49c5-91a6-4b62fd2119a7",
			"created_at": "2025-08-07T02:03:24.617638Z",
			"updated_at": "2026-04-10T02:00:03.738499Z",
			"deleted_at": null,
			"main_name": "BRONZE HOBART",
			"aliases": [
				"APT23",
				"Earth Centaur ",
				"KeyBoy ",
				"Pirate Panda ",
				"Red Orthrus ",
				"TA413 ",
				"Tropic Trooper "
			],
			"source_name": "Secureworks:BRONZE HOBART",
			"tools": [
				"Crowdoor",
				"DSNGInstaller",
				"KeyBoy",
				"LOWZERO",
				"Mofu",
				"Pfine",
				"Sepulcher",
				"Xiangoop Loader",
				"Yahaoyah"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d070e12b-e1ce-4d8d-b5e3-bc71960cc0cb",
			"created_at": "2022-10-25T15:50:23.676504Z",
			"updated_at": "2026-04-10T02:00:05.260839Z",
			"deleted_at": null,
			"main_name": "Fox Kitten",
			"aliases": [
				"Fox Kitten",
				"UNC757",
				"Parisite",
				"Pioneer Kitten",
				"RUBIDIUM",
				"Lemon Sandstorm"
			],
			"source_name": "MITRE:Fox Kitten",
			"tools": [
				"China Chopper",
				"Pay2Key",
				"ngrok",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6b6155e4-94ec-4909-b908-550afe758ad6",
			"created_at": "2022-10-25T15:50:23.365074Z",
			"updated_at": "2026-04-10T02:00:05.2978Z",
			"deleted_at": null,
			"main_name": "APT39",
			"aliases": [
				"APT39",
				"ITG07",
				"Remix Kitten"
			],
			"source_name": "MITRE:APT39",
			"tools": [
				"NBTscan",
				"MechaFlounder",
				"Remexi",
				"CrackMapExec",
				"pwdump",
				"Mimikatz",
				"Windows Credential Editor",
				"Cadelspy",
				"PsExec",
				"ASPXSpy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "47a8f6c7-5b29-4892-8f47-1d46be71714f",
			"created_at": "2025-08-07T02:03:24.599925Z",
			"updated_at": "2026-04-10T02:00:03.720795Z",
			"deleted_at": null,
			"main_name": "BRONZE FLEETWOOD",
			"aliases": [
				"APT5 ",
				"DPD ",
				"Keyhole Panda ",
				"Mulberry Typhoon ",
				"Poisoned Flight ",
				"TG-2754 "
			],
			"source_name": "Secureworks:BRONZE FLEETWOOD",
			"tools": [
				"Binanen",
				"Comfoo",
				"Gh0st RAT",
				"Isastart",
				"Leouncia",
				"Marade",
				"OrcaRAT",
				"PCShare",
				"Protux",
				"Skeleton Key",
				"SlyPidgin",
				"VinSelf"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "578e92ed-3eda-45ef-b4bb-b882ec3dbb62",
			"created_at": "2025-08-07T02:03:24.604463Z",
			"updated_at": "2026-04-10T02:00:03.798481Z",
			"deleted_at": null,
			"main_name": "BRONZE GENEVA",
			"aliases": [
				"APT30 ",
				"BRONZE STERLING ",
				"CTG-5326 ",
				"Naikon ",
				"Override Panda ",
				"RADIUM ",
				"Raspberry Typhoon"
			],
			"source_name": "Secureworks:BRONZE GENEVA",
			"tools": [
				"Lecna Downloader",
				"Nebulae",
				"ShadowPad"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ea34919f-9093-4e34-b9de-a37ab9b4d5c4",
			"created_at": "2022-10-25T16:07:24.35727Z",
			"updated_at": "2026-04-10T02:00:04.952883Z",
			"deleted_at": null,
			"main_name": "UNC215",
			"aliases": [],
			"source_name": "ETDA:UNC215",
			"tools": [
				"AdFind",
				"CHINACHOPPER",
				"China Chopper",
				"FOCUSFJORD",
				"HighShell",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Mimikatz",
				"NBTscan",
				"ProcDump",
				"PsExec",
				"SEASHARPEE",
				"SinoChopper",
				"SysUpdate",
				"TwoFace",
				"WHEATSCAN",
				"WinRAR",
				"certutil",
				"certutil.exe",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434384,
	"ts_updated_at": 1775826762,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9c98623a90c425005261350fe0720b772871f5ac.pdf",
		"text": "https://archive.orkl.eu/9c98623a90c425005261350fe0720b772871f5ac.txt",
		"img": "https://archive.orkl.eu/9c98623a90c425005261350fe0720b772871f5ac.jpg"
	}
}