{
	"id": "7d930a04-b053-4a42-ad62-3d9b444805d5",
	"created_at": "2026-04-06T00:17:08.110468Z",
	"updated_at": "2026-04-10T03:38:06.535159Z",
	"deleted_at": null,
	"sha1_hash": "9cf92900a35f6a5d43e061efa252e88b4c014db0",
	"title": "WIP26 Espionage | Threat Actors Abuse Cloud Infrastructure in Targeted Telco Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2805319,
	"plain_text": "WIP26 Espionage | Threat Actors Abuse Cloud Infrastructure in\r\nTargeted Telco Attacks\r\nBy Aleksandar Milenkoski\r\nPublished: 2023-02-16 · Archived: 2026-04-05 20:41:01 UTC\r\nBy Aleksandar Milenkoski, Collin Farr, and Joey Chen, in collaboration with QGroup\r\nExecutive Summary\r\nA new threat cluster we track as WIP26 has been targeting telecommunication providers in the Middle\r\nEast.\r\nWe assess it is likely that WIP26 is espionage-related.\r\nWIP26 relies heavily on public Cloud infrastructure in an attempt to evade detection by making malicious\r\ntraffic look legitimate.\r\nWIP26 involves the use of backdoors, dubbed CMD365 and CMDEmber, which abuse Microsoft 365 Mail\r\nand Google Firebase services for C2 purposes.\r\nWIP26 also involves the use of Microsoft Azure and Dropbox instances as data exfiltration and malware\r\nhosting sites.\r\nOverview\r\nIn collaboration with QGroup GmbH, SentinelLABS is monitoring a threat activity we track as WIP26. The threat\r\nactor behind WIP26 has been targeting telecommunication providers in the Middle East. WIP26 is characterized\r\nby the abuse of public Cloud infrastructure – Microsoft 365 Mail, Microsoft Azure, Google Firebase, and Dropbox\r\n– for malware delivery, data exfiltration, and C2 purposes.\r\nThe WIP26 activity is initiated by precision targeting of employees through WhatsApp messages that contain\r\nDropbox links to a malware loader. Tricking employees into downloading and executing the loader ultimately\r\nleads to the deployment of backdoors that leverage Microsoft 365 Mail and Google Firebase instances as C2\r\nservers. We refer to these backdoors as CMD365 and CMDEmber, respectively. 
The main functionality of\r\nCMD365 and CMDEmber is to execute attacker-provided system commands using the Windows command\r\ninterpreter.\r\nThe use of public Cloud infrastructure for C2 purposes is an attempt to make malicious C2 network traffic look\r\nlegitimate and therefore make detection harder for defenders. The CMD365 and CMDEmber samples we\r\nobserved masquerade as utility software, such as a PDF editor or browser, and as software that conducts update\r\noperations. The masquerading attempt involves the use of filenames, application icons, and digital signatures that\r\nindicate existing software vendors.\r\nThis report provides details on the WIP26 threat activity and further context around the use of CMD365 and\r\nCMDEmber.\r\nhttps://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/\r\nPage 1 of 12\n\nIntrusion Vector and Activities\r\nThe initial intrusion vector succeeded through sending targeted WhatsApp messages to employees. The messages\r\ncontained Dropbox links to archive files that supposedly contain only documents on poverty issues in the Middle\r\nEast. 
The archives stored such documents, but also a malware loader (PDFelement.exe) masquerading as the\r\nPDFelement application.\r\nThe PDFelement.exe malware loader has an invalid digital signature that indicates the vendor of the PDFelement\r\napplication – Wondershare.\r\nThe digital signature of PDFelement.exe\r\nThe loader deploys the CMD365 backdoor, a .NET executable named Update.exe, and creates a scheduled task\r\nnamed MicrosoftUpdatesA that executes CMD365 at system startup for persistence.\r\nThe MicrosoftUpdatesA scheduled task\r\nThe main functionality of CMD365 is to execute commands from a C2 hosted on a Microsoft 365 Mail instance.\r\nThis capability was used to conduct a variety of activities, such as reconnaissance, privilege escalation, staging of\r\nadditional malware, and data exfiltration.\r\nAmong the malware deployed on compromised machines, we observed another CMD365 sample in addition to\r\nthe Update.exe – EdgeUpdater.exe. Further, we observed CMDEmber samples, which use Google Firebase\r\nRealtime Database instances as C2 servers – .NET executables named Update.exe and Launcher.exe.\r\nThe exfiltrated data included users’ private browser data and reconnaissance information on particular high-value\r\nhosts in the victim’s network. This is a typical precursor to the subsequent targeting of these hosts. The data\r\nexfiltration was orchestrated through the execution of PowerShell commands to transport key data to Microsoft\r\nAzure instances. 
The threat actor behind WIP26 used the Windows Azure website\r\nsocialmsdnmicrosoft.azurewebsites[.]net as a malware hosting site and akam.azurewebsites[.]net as a\r\ndata exfiltration site.\r\nIn addition to exfiltration, the threat actor utilized the open source tool Chisel masquerading as the Media Player\r\nClassic application with an invalid certificate signed as “Rare Ideas LLC”. This was used to create a TCP tunnel\r\nover HTTP from the IP address 193.29.56[.]122, an IP that has previously been associated with Cobalt Strike\r\nactivity. This was the first and only direct access attempt that was not from Microsoft 365 Mail or Google Firebase\r\ninstances.\r\nThe figure below gives an overview of the Cloud infrastructure the threat actor behind WIP26 used for initial\r\ninfection and as C2 servers, and exfiltration and malware hosting sites. We informed Google, Microsoft, and\r\nDropbox about the abuse of their infrastructure.\r\nWIP26: Use of Cloud infrastructure\r\nCMD365: Abuse Of Microsoft 365 Mail\r\nCMD365 interacts using the Microsoft Graph API with a Microsoft 365 Mail inbox that has the role of a C2\r\nserver. 
An open-source implementation of Graph API usage for C2 communication is the Azure Outlook C2 tool.\r\nThe CMD365 sample Update.exe is a .NET application that masquerades as the legitimate Postman\r\napplication, signed with an invalid signature.\r\nThe digital signature of Update.exe\r\nThe core feature of CMD365 is to execute attacker-provided system commands as standard input to an instance of\r\nthe Windows command interpreter.\r\nCMD365 executes a command\r\nCMD365 issues an HTTP POST request to login.microsoftonline[.]com to authenticate itself to a Microsoft\r\n365 Mail inbox using valid credentials that are hardcoded in the malware. The malware then receives an OAuth\r\nBearer access token that it uses in the further interaction with Microsoft 365.\r\nCMD365 authenticates at Microsoft 365 Mail\r\nCMD365 then creates an inbox folder with a name that is unique for each infected machine. The name is a\r\ncombination of the physical address of the main active network interface on the machine, the machine’s computer\r\nname, and the name of the user in whose context the malware executes. CMD365 collects this information when it\r\nstarts executing.\r\nCMD365 builds a machine-specific inbox folder name\r\nCMD365 creates an inbox folder\r\nCMD365 polls the inbox folder for C2 commands by querying for emails whose subjects start with the keyword\r\nInput. These emails contain C2 input intended for processing by CMD365 on infected machines.\r\nCMD365 polls for C2 commands\r\nThe C2 server and CMD365 exchange encrypted and Base64-encoded data. 
For data encryption and decryption,\r\nthe malware uses the AES key Xc4u7x!A%D*G-KaPdSr56tp2s5v8y/B? (in string format) and an empty initialization\r\nvector (IV).\r\nCMD365 encrypts data\r\nCMDEmber: Abuse Of Google Firebase\r\nCMDEmber interacts with a Google Firebase Realtime Database instance that has the role of a C2 server. The\r\nCMDEmber sample Launcher.exe is a .NET application that masquerades as the Opera browser and has an\r\ninvalid signature that indicates the Opera Norway software vendor. CMDEmber uses the open-source Firebase\r\nlibrary by Step Up Labs for communicating with the Google Firebase instances.\r\nThe digital signature of Launcher.exe\r\nAs with CMD365, the core feature of CMDEmber is to execute system commands using the Windows command\r\ninterpreter.\r\nWhen executed, CMDEmber connects to the Firebase instance https://gmall-52fb5-default-rtdb.asia-southeast1.firebasedatabase[.]app/ or https://go0gle-service-default-rtdb.firebaseio[.]com, and then\r\nexfiltrates information about the infected machine. 
The exfiltrated data includes some of the information that\r\nCMDEmber collects – the computer name, the bitness, name, and ID of the CMDEmber process, the name of the\r\nuser in whose context CMDEmber executes, and the IPv4 and physical addresses of all operational network\r\ninterfaces on the infected machine.\r\nCMDEmber uses the MD5 hash of the Triple DES key Mgirdhgi256HIKnuefsdf!dfgsdfkjsrht (in string format)\r\nto encrypt and decrypt the Base64 data exchanged with the C2.\r\nCMDEmber sends and receives data from the C2 server by issuing HTTP POST and GET requests, respectively.\r\nThe URL paths of these requests contain a unique identifier of each infected machine, which is a combination of\r\nthe ID and bitness of the CMDEmber process, and the physical addresses of the operational network interfaces at\r\nthe victim machine.\r\nCMDEmber exfiltrates machine information\r\nAfter exfiltrating information about the infected machine, CMDEmber polls the Firebase instance for C2\r\ncommands by issuing HTTP GET requests that include the identifier of the infected machine.\r\nCMDEmber polls for C2 commands\r\nThe data that the C2 server and CMDEmber exchange is in JSON format. The Firebase C2 server stores\r\nexchanged data with all infected machines in a JSON-formatted file such that the nodes are the unique identifiers\r\nof the machines:\r\nThe who field indicates the communication direction. 
The value server marks data sent from the C2\r\nserver to an infected machine, whereas the value client marks data sent in the opposite direction.\r\nThe field data stores the actual data: attacker-provided commands, command outputs, or the information\r\nthat CMDEmber exfiltrates from infected machines.\r\nExfiltrated machine information (obfuscated form)\r\nCommand sent to an infected machine (deobfuscated form)\r\nCommand output from the infected machine (deobfuscated form)\r\nAttribution Analysis\r\nWe assess it is likely this activity is espionage-related. We track this activity as WIP26 – the Work-In-Progress\r\n(WIPxx) designation is used for unattributed activity clusters.\r\nThe initial intrusion vector we observed involved precision targeting: The threat actor sent WhatsApp messages to\r\ntargets with download links to backdoor malware. Further, the targeting of telecommunication providers in the\r\nMiddle East suggests the motive behind this activity is espionage-related. Communication providers are frequent\r\ntargets of espionage activity due to the sensitive data they hold. Finally, evidence suggests that once they\r\nestablished a foothold, the threat actor targeted users’ private information and specific networked hosts of high\r\nvalue.\r\nThe threat actor behind WIP26 activity appears to have made some OPSEC errors. For example, the JSON file\r\nwhere the Google Firebase C2 server stores data exchanged with machines infected by CMDEmber is publicly\r\naccessible at the time of writing, providing further insights into the WIP26 activity.\r\nThe use of public Cloud infrastructure by APT groups is not unheard of. These threat actors continue to innovate\r\nin order to stay stealthy. 
This includes leveraging public Cloud infrastructure for C2 purposes to blend in and\r\nmake the detection of C2 traffic harder for defenders.\r\nFor example, the North Korean APT 37 (InkySquid) has used the Microsoft Graph API for C2 operations. Further,\r\nsimilar to CMD365, the SIESTAGRAPH backdoor, used in the REF2924 intrusion set targeting the Foreign\r\nAffairs Office of an ASEAN member, leverages the Microsoft Graph API to access Microsoft 365 Mail for C2\r\ncommunication. Also, the DoNot threat group, which is known for targeting Kashmiri non-profit organizations\r\nand Pakistani government officials, has abused Google Firebase Cloud Messaging to stage malware. Finally,\r\nthreat activity tied to APT28 (Fancy Bear) has leveraged Microsoft OneDrive services for C2 purposes.\r\nConclusions\r\nThe WIP26 activity is a relevant example of threat actors continuously innovating their TTPs in an attempt to stay\r\nstealthy and circumvent defenses. The use of public Cloud infrastructure for malware hosting, data exfiltration,\r\nand C2 purposes aims at making malicious traffic look legitimate. This gives attackers the opportunity to conduct\r\ntheir activities unnoticed. 
We hope that this report helps to emphasize this tactic in the continuous effort to identify\r\nthreat groups engaged in targeting critical industries.\r\nSentinelLABS continues to track the WIP26 threat cluster to provide further insight into its evolution, future\r\nactivity, and attribution.\r\nIndicators of Compromise\r\nType | Value | Note\r\nSHA-1 | B8313A185528F7D4F62853A44B64C29621627AE7 | The PDFelement.exe malware loader\r\nSHA-1 | 8B95902B2C444BCDCCB8A481159612777F82BAD1 | CMD365 sample (Update.exe)\r\nSHA-1 | 3E10A3A2BE17DCF8E79E658F7443F6C3C51F8803 | CMD365 sample (EdgeUpdater.exe)\r\nSHA-1 | A7BD58C86CF6E7436CECE692DA8F78CEB7BA56A0 | CMDEmber sample (Launcher.exe)\r\nSHA-1 | 6B5F7659CE48FF48F6F276DC532CD458BF15164C | CMDEmber sample (Update.exe)\r\nDomain | https://gmall-52fb5-default-rtdb.asia-southeast1.firebasedatabase[.]app/ | Google Firebase instance used for C2 purposes\r\nDomain | https://go0gle-service-default-rtdb.firebaseio[.]com/ | Google Firebase instance used for C2 purposes\r\nURL | https://graph.microsoft[.]com/beta/users/3517e816-6719-4b16-9b40-63cc779da77c/mailFolders | Microsoft 365 Mail location used for C2 purposes\r\nURL | https://www.dropbox[.]com/s/6a8u8wlpvv73fe4/ | Dropbox malware hosting site\r\nURL | https://www.dropbox[.]com/s/hbc5yz8z116zbi9/ | Dropbox malware hosting site\r\nURL | https://socialmsdnmicrosoft.azurewebsites[.]net/AAA/ | Microsoft Azure malware hosting site\r\nURL | https://socialmsdnmicrosoft.azurewebsites[.]net/ABB/ | Microsoft Azure malware hosting site\r\nURL | https://socialmsdnmicrosoft.azurewebsites[.]net/AMA/ | Microsoft Azure malware hosting site\r\nURL | https://socialmsdnmicrosoft.azurewebsites[.]net/AS/ | Microsoft Azure malware hosting site\r\nURL | https://akam.azurewebsites[.]net/api/File/Upload | Microsoft Azure data exfiltration site\r\nIP address | 193.29.56[.]122 | Chisel C2 server\r\nSource: https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/"
	],
	"report_names": [
		"wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "521f07f0-a313-4ce7-9a1c-3c81b74e82d9",
			"created_at": "2023-02-18T02:04:24.772216Z",
			"updated_at": "2026-04-10T02:00:04.981398Z",
			"deleted_at": null,
			"main_name": "WIP26",
			"aliases": [],
			"source_name": "ETDA:WIP26",
			"tools": [
				"CMD365",
				"CMDEmber"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dbee5a02-e2d6-49d2-9bb5-5a9e93fd1de9",
			"created_at": "2023-11-07T02:00:07.108976Z",
			"updated_at": "2026-04-10T02:00:03.411448Z",
			"deleted_at": null,
			"main_name": "REF2924",
			"aliases": [],
			"source_name": "MISPGALAXY:REF2924",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434628,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9cf92900a35f6a5d43e061efa252e88b4c014db0.pdf",
		"text": "https://archive.orkl.eu/9cf92900a35f6a5d43e061efa252e88b4c014db0.txt",
		"img": "https://archive.orkl.eu/9cf92900a35f6a5d43e061efa252e88b4c014db0.jpg"
	}
}