{
	"id": "d5e0c84a-dd2f-446b-83fc-82720ba9d2d7",
	"created_at": "2026-04-06T00:07:27.279421Z",
	"updated_at": "2026-04-10T03:38:20.460194Z",
	"deleted_at": null,
	"sha1_hash": "9eb4757ac315cbff68a8dbaa5363f43ef38bd62f",
	"title": "Operation Phantom Circuit: North Korea's Global Data Exfiltration Campaign - SecurityScorecard",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3844467,
	"plain_text": "Operation Phantom Circuit: North Korea's Global Data Exfiltration Campaign - SecurityScorecard\r\nArchived: 2026-04-05 20:32:02 UTC\r\nIn December 2024, a routine software update concealed a global threat. Attackers from the Lazarus Group, based in North Korea, infiltrated trusted development tools, compromising hundreds of victims worldwide. This sophisticated campaign, code-named “Phantom Circuit,” targeted cryptocurrency and technology developers, employing advanced obfuscation techniques through proxy servers in Hasan, Russia.\r\nSTRIKE’s investigation of ‘Phantom Circuit’ revealed a critical shift in Lazarus Group tactics: embedding malware directly into trusted applications. “This approach allows widespread impact and long-term access while evading detection,” explains Ryan Sherstobitoff, Senior Vice President of Research and Threat Intelligence at STRIKE.\r\nInvestigation\r\nSTRIKE’s investigation began with Operation 99, uncovering the Lazarus Group’s use of command-and-control (C2) servers. These servers, active since September 2024, formed the backbone of an elaborate infrastructure to manage and exfiltrate stolen data. We discovered them through analysis of netflow data provided by Team Cymru, combined with SecurityScorecard STRIKE team threat intelligence feeds.\r\nCampaign Start Date: September 2024\r\nPrimary Function: Communication with infected systems over port 1224\r\nHidden Layer: Administrative platform accessible via port 1245, featuring a hidden React web application and Node.js API\r\nPurpose: Remotely organize and manage stolen data globally\r\nInfrastructure Sophistication: Demonstrated advanced planning and technical expertise, surpassing typical expectations for cybercriminal operations\r\n“These servers included a complete administrative platform for managing compromised systems worldwide,” Sherstobitoff explains. “This infrastructure demonstrated a level of planning and sophistication that surpassed expectations.”\r\nhttps://securityscorecard.com/blog/operation-phantom-circuit-north-koreas-global-data-exfiltration-campaign/\r\nPage 1 of 13\r\nInfrastructure and Operation\r\nThe Lazarus Group employed a network of servers and tools to conduct this operation. Their infrastructure featured command-and-control servers, spoofed domains, and persistent remote management sessions. By embedding malware into trusted development tools, the attackers ensured widespread compromise while maintaining stealth.\r\nSTRIKE documented several key C2 servers central to the operation. Their role was serving payloads and collecting data from victims.\r\nServer IP       | Active period | Role\r\n94.131.9.32     | January 2025  | Latest command-and-control (C2) server\r\n185.153.182.241 | December 2024 | December campaigns\r\n86.104.74.51    | November 2024 | Spoofed domain: sageskills-uk[.]com\r\n5.253.43.122    | December 2024 | December campaigns\r\nThe Evidence Chain\r\nSTRIKE observed a layered infrastructure in the operation, with traffic originating from North Korean IP addresses and passing through a network of VPNs and proxies. These connections routed traffic through Oculus Proxy nodes in Hasan, Russia, before reaching command-and-control servers. This deliberate design ensured anonymity and evasion at every step.\r\n1. Initial Connection: North Korean IP addresses, including 175.45.178.130, 175.45.176.27, 175.45.178.14, 175.45.178.9, 175.45.178.11, and 175.45.178.10, were the starting points of the operation.\r\n2. VPN Obfuscation: These IPs connected to Astrill VPN endpoints, including 70.39.70.196, 204.188.233.68, 45.58.143.196, 70.39.70.197, and 199.115.99.62, to hide their true origin.\r\n3. Proxy Relay: Traffic was routed through the Oculus Proxy network, specifically IPs 83.234.227.49, 83.234.227.50, 83.234.227.51, and 83.234.227.53, registered to Sky Freight Limited in Hasan, Russia. These proxies served as an additional layer of anonymity.\r\n4. Command and Control Servers: The proxied connections ultimately reached the C2 infrastructure hosted on Stark Industries servers. These servers handled communications with compromised systems and managed exfiltrated data.\r\n5. Data Exfiltration to Dropbox: From the C2 servers, stolen data was uploaded to Dropbox, where the attackers stored and organized the exfiltrated information for further use.\r\nThis meticulously designed infrastructure allowed the Lazarus Group to maintain persistent access, evade detection, and securely exfiltrate sensitive information while concealing their operations at every step.\r\nThis pattern repeated consistently, demonstrating a deliberate and structured approach to obfuscating the attackers’ true origin.\r\n
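The indicator set above (the four C2 addresses, the 1224/1245 implant and admin ports, the Astrill exits, the Oculus proxy addresses and the 175.45.x origin hosts) is what a defender would run against their own netflow, and the same script can carry the port and long-lived RDP checks from the Defending Against Supply Chain Attacks list near the end of this article. The code below is an added example written for this page; it is not STRIKE tooling and not code recovered from the campaign. It assumes a CSV netflow export with the columns ts,src,dst,proto,dport,duration_s, treats the whole 175.45.176.0/22 block (the allocation the listed origin hosts sit in, which the article does not name) as the DPRK origin range, uses a 24-hour RDP threshold chosen for the example, and the sample flows at the bottom are constructed.

```python
import csv
import io
import ipaddress
from collections import Counter, namedtuple

# Indicators from the STRIKE write-up above: C2 servers, the two C2/admin
# ports, Astrill VPN exits and Oculus proxy addresses.
C2_SERVERS = {'94.131.9.32', '185.153.182.241', '86.104.74.51', '5.253.43.122'}
C2_PORTS = {1224, 1245}
ASTRILL_EXITS = {'70.39.70.196', '204.188.233.68', '45.58.143.196',
                 '70.39.70.197', '199.115.99.62'}
OCULUS_PROXIES = {'83.234.227.%d' % n for n in range(49, 54)}
ANONYMIZERS = ASTRILL_EXITS | OCULUS_PROXIES
# Assumption of this example: treat the whole /22 that the listed 175.45.176.x
# and 175.45.178.x hosts sit in as the DPRK origin range.
DPRK_BLOCK = ipaddress.ip_network('175.45.176.0/22')
RDP_PORT = 3389
LONG_RDP_SECONDS = 24 * 3600   # threshold chosen for the example; the report saw sessions up to 10 days

Finding = namedtuple('Finding', 'rule src dst dport detail')


def check_flow(src, dst, dport, duration_s):
    '''Return a Finding for every indicator rule a single flow record trips.'''
    hits = []
    if dst in C2_SERVERS:
        hits.append(Finding('known_c2', src, dst, dport, 'destination is a listed C2 server'))
    if dport in C2_PORTS:
        hits.append(Finding('c2_port', src, dst, dport, 'port used by the C2 implant channel or admin panel'))
    if src in ANONYMIZERS or dst in ANONYMIZERS:
        hits.append(Finding('anonymizer', src, dst, dport, 'Astrill VPN exit or Oculus proxy endpoint'))
    if ipaddress.ip_address(src) in DPRK_BLOCK:
        hits.append(Finding('dprk_source', src, dst, dport, 'source inside 175.45.176.0/22'))
    if dport == RDP_PORT and duration_s >= LONG_RDP_SECONDS:
        hits.append(Finding('long_rdp', src, dst, dport, 'RDP session held for %d s' % duration_s))
    return hits


def scan_netflow(text):
    '''Parse a CSV export (ts,src,dst,proto,dport,duration_s) and collect findings for all rows.'''
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        findings.extend(check_flow(row['src'], row['dst'],
                                   int(row['dport']), int(row['duration_s'])))
    return findings


def summarize(findings):
    '''Count findings per rule so an analyst can see which indicators fired.'''
    return dict(Counter(f.rule for f in findings))


# Constructed sample export. The internal 10.20.0.0/16 hosts and 203.0.113.10
# are made up; the external addresses are the ones the report lists.
SAMPLE_FLOWS = '''ts,src,dst,proto,dport,duration_s
2025-01-08T09:12:01Z,10.20.0.15,203.0.113.10,tcp,443,12
2025-01-08T09:13:44Z,10.20.0.15,94.131.9.32,tcp,1224,41
2025-01-08T09:15:02Z,10.20.0.22,185.153.182.241,tcp,443,3
2025-01-08T10:01:19Z,83.234.227.50,94.131.9.32,tcp,1245,1800
2025-01-08T10:05:00Z,83.234.227.51,10.20.0.22,tcp,3389,864000
2025-01-08T11:30:00Z,175.45.178.130,70.39.70.196,tcp,443,600
'''

if __name__ == '__main__':
    results = scan_netflow(SAMPLE_FLOWS)
    for f in results:
        print('%-12s %s -> %s:%d  %s' % (f.rule, f.src, f.dst, f.dport, f.detail))
    print(summarize(results))
```

Run as a file it prints one line per finding plus a per-rule count; for a real export, pass the file contents to scan_netflow instead of SAMPLE_FLOWS. A c2_port hit on its own is weak evidence, since neither 1224 nor 1245 is reserved; treat it as corroboration for a known_c2 destination or an anonymizer source rather than as an alert by itself.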
Persistent RDP sessions, some lasting up to 10 days, allowed attackers to maintain direct access to compromised systems, posing significant risks to data integrity and system recovery.\r\nThe Scale of Compromise\r\nOperation Phantom Circuit unfolded in three waves, compromising over 1,500 systems worldwide:\r\nNovember 2024: Targeted 181 developers, primarily in European technology sectors.\r\nDecember 2024: Expanded to hundreds of developers globally, with major hotspots in India (284 victims) and Brazil (32 victims).\r\nJanuary 2025: Added 233 more victims, including 110 systems in India’s technology sector alone.\r\nThe attackers exfiltrated critical data, including development credentials, authentication tokens, browser-stored passwords, and system information. Once collected by the C2 servers, the data was transferred to Dropbox, where it was organized and stored. Persistent connections to Dropbox highlighted the attackers’ systematic approach, with some servers maintaining active sessions for over five hours.\r\nFigure: Victims from November 2024 campaign (connections made to C2)\r\nFigure: Victims from December 2024 campaign (connections made to C2)\r\nFigure: Victims from January 2025 campaign (connections made to C2)\r\nInside the Attack Infrastructure\r\nThe Lazarus Group’s administrative platform showcased their advanced capabilities in managing stolen data. This custom-built panel was designed to search, filter, and organize exfiltrated information with precision, emphasizing efficiency and control.\r\nKey Features of the Platform:\r\nSystem Tracking: Monitoring device details, including PC names, operating systems, and configurations.\r\nCredential Management: Collecting URLs, browser-stored credentials, and authentication tokens for exploitation.\r\nActivity Logs: Tracking timestamps for victim interactions to streamline operations.\r\nSTRIKE’s analysis revealed that the administrative platform was a robust system powered by modern frameworks. The backend, built on Node.js, exposed multiple API endpoints that provided granular operational control. Static analysis of files such as Config.js and App.js revealed the attackers’ ability to interact with these endpoints and manage stolen data systematically.\r\nModern Infrastructure Design\r\nThe use of React and Node.js demonstrated the Lazarus Group’s shift toward scalable, modern attack infrastructures. This integration of advanced management tools into their command-and-control (C2) servers highlighted a high level of planning and technical expertise.\r\nApplication Structure\r\nA closer examination of the platform’s structure uncovered several layers of functionality:\r\nHidden Pages and Access Points:\r\nAnalyzing App.js revealed detailed information about hidden page paths secured behind a login wall. These pages facilitated precise control over compromised systems, enabling operators to manage data efficiently.\r\nVictim Data Management:\r\nThe Info page, while inaccessible during the analysis, was determined to retrieve and display exfiltrated victim data. A closer examination of the server’s JavaScript files revealed its functionality, including the ability to collect and manage:\r\nPC Names and URLs\r\nPasswords and Credentials\r\nSystem Configuration Details\r\nData Flow:\r\nThe backend was designed to extract and filter data from implants via the /keys API endpoint, allowing operators to search for specific information and organize data for further use.\r\n“The level of precision and customization in this platform is troubling,” adds Sherstobitoff. “It shows a deliberate effort to manage stolen data at scale while evading detection.”\r\nBy embedding these advanced tools into their infrastructure, the Lazarus Group demonstrated a sophisticated approach to global cyber operations, maintaining control over compromised systems and stolen data with minimal risk of exposure.\r\nImpact on Global Development\r\nThe Lazarus Group’s campaign targeted applications used in cryptocurrency and authentication systems, embedding malware into trusted software packages. Developers unknowingly included these compromised packages in their projects, introducing malicious code into production environments.\r\nSTRIKE observed the attackers exfiltrating sensitive development credentials, authentication tokens, and system configuration details. After collection by the C2 servers, the data was transferred to Dropbox as a final step, where it was stored and organized. Persistent connections to Dropbox highlight the methodical nature of their operations; for instance, one server maintained active sessions for over five hours.\r\nThis campaign is consistent with North Korea’s documented use of cyberattacks to fund state programs. Between 2017 and 2023, reports estimate that North Korea generated $1.7 billion from cryptocurrency thefts, underscoring the need for global organizations to verify software dependencies and monitor their development environments.\r\nThe Russian Proxy Connection\r\nOculus proxy endpoints hosted on Sky Freight Limited infrastructure in Russia played a critical role in Lazarus’s obfuscation strategy. Five IP addresses, 83.234.227.49 through 83.234.227.53, routed traffic between the VPN exits and the C2 servers.\r\nOSINT attributes this infrastructure to the Oculus Proxy service, a commercial service the attackers used to route their traffic. By leveraging a legitimate proxy network, Lazarus added a layer of legitimacy to their operations, further complicating detection efforts.\r\nSeveral endpoints within the same network range were linked to a case reported last year, in which an individual had direct interactions with North Korean state actors posing as recruiters or job sourcers. STRIKE traced the proxy IPs back to some of the same Astrill VPN endpoints associated with the Phantom Circuit operation.\r\nAdditionally, one Astrill VPN endpoint present in Phantom Circuit, which connected to one of the proxies referenced in last year’s case, could also be traced back to Pyongyang, specifically to the IPs 175.45.176.68 and 175.45.178.10.\r\nAnalysis of Competing Hypotheses (ACH)\r\nSTRIKE applied the CIA’s Analysis of Competing Hypotheses (ACH) methodology to assess the origins of the “Phantom Circuit” campaign. The evaluation considered multiple scenarios, with evidence strongly supporting Lazarus Group as the primary actor.\r\nHypotheses Evaluated:\r\n1. H1: Lazarus Group (North Korea) is responsible.\r\n2. H2: A non-state actor is impersonating Lazarus.\r\n3. H3: Multiple actors collaborated, with Lazarus playing a partial role.\r\n4. H4: Misattribution due to similar tactics and techniques.\r\nFindings:\r\nSTRIKE identified direct links to North Korean IPs and tactics consistent with Lazarus, including supply chain compromises and a focus on cryptocurrency theft.\r\nThe campaign’s scale and custom tools reflect capabilities aligned with state-sponsored groups rather than independent actors.\r\nNo evidence suggested collaboration with or impersonation by other groups.\r\nBased on this analysis, STRIKE attributes “Phantom Circuit” to the Lazarus Group with high confidence, aligning with their historical focus on cryptocurrency theft to fund state programs.\r\nDefending Against Supply Chain Attacks\r\nOperation Phantom Circuit highlights the critical need for organizations to secure their software supply chains. STRIKE recommends the following measures to mitigate risks:\r\nPackage Verification: Validate the integrity of software updates using cryptographic checksums or signatures, checked against a value obtained independently of the download (a pinned lockfile hash or the publisher’s signing key), since a checksum published next to a trojanized package will simply match it.\r\nNetwork Monitoring: Analyze connections to uncommon ports, such as 1224 and 1245, which this campaign used for implant communication and the administrative panel respectively.\r\nProxy Detection: Identify and block suspicious proxy usage, particularly from commercial services linked to malicious campaigns.\r\nDevelopment Tool Audits: Regularly review and update development tools to identify and mitigate vulnerabilities.\r\nRemote Access Scrutiny: Monitor for persistent Remote Desktop Protocol (RDP) sessions that could indicate unauthorized access.\r\nThese practices emphasize the importance of proactive security measures in protecting critical development environments from evolving threats.\r\nContact STRIKE for Incident Response\r\nIf you suspect your organization has been impacted by Operation Phantom Circuit, Operation 99, or similar Lazarus activities, contact the STRIKE Incident Response team immediately. Our experts provide:\r\nRapid Containment: Minimize damage and halt ongoing breaches.\r\nForensic Analysis: Understand how attackers gained access and what data was affected.\r\nStrategic Guidance: Strengthen your security posture against evolving threats.\r\nProactively Mitigate Supply Chain Risks\r\nTo protect your organization from future supply chain attacks, SecurityScorecard’s Supply Chain Detection and Response (SCDR) solution offers the tools to:\r\nMonitor and assess your software supply chain for vulnerabilities.\r\nDetect suspicious activity across your development pipelines.\r\nReceive actionable insights to prevent advanced threats like “Phantom Circuit.”\r\nTake control of your supply chain security today. Contact us for assistance or to learn more about SCDR and incident response services.\r\nFor STRIKE media inquiries, contact us here.\r\nSource: https://securityscorecard.com/blog/operation-phantom-circuit-north-koreas-global-data-exfiltration-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securityscorecard.com/blog/operation-phantom-circuit-north-koreas-global-data-exfiltration-campaign/"
	],
	"report_names": [
		"operation-phantom-circuit-north-koreas-global-data-exfiltration-campaign"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434047,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9eb4757ac315cbff68a8dbaa5363f43ef38bd62f.pdf",
		"text": "https://archive.orkl.eu/9eb4757ac315cbff68a8dbaa5363f43ef38bd62f.txt",
		"img": "https://archive.orkl.eu/9eb4757ac315cbff68a8dbaa5363f43ef38bd62f.jpg"
	}
}