{ "id": "dbc6b3a2-bfb0-4ee8-94d4-6e2f1052cd03", "created_at": "2026-04-06T00:08:47.652094Z", "updated_at": "2026-04-10T03:37:08.612233Z", "deleted_at": null, "sha1_hash": "a10d68dc8ae68d910957e976da3ad428ab33c8bb", "title": "When Threat Actors Fly Under the Radar: Vatet, PyXie and Defray777", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 54945, "plain_text": "When Threat Actors Fly Under the Radar: Vatet, PyXie and\r\nDefray777\r\nBy Ryan Tracey, Drew Schmitt\r\nPublished: 2020-11-07 ยท Archived: 2026-04-05 22:49:56 UTC\r\n{\r\n\"logs\": {\r\n\"gates\": [\r\n\"\u003cREDACTED\u003e:8443/data\"\r\n],\r\n\"aes_key\": \"THIS_KEY_IS_FOR_INTERNAL_USE_ONLY\",\r\n\"send_attempts\": 10,\r\n\"send_attempts_timeout\": 5\r\n},\r\n\"dirs_keys\": [\"actifio\",\r\n\"aldelo\",\r\n\"altaro\",\r\n\"avamar\",\r\n\"avs\",\r\n\"back-up\",\r\n\"backup\",\r\n\"bank\",\r\n\"bitmessage\",\r\n\"client\",\r\n\"cobaltstrike\",\r\n\"coin\",\r\nhttps://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/\r\nPage 1 of 18\n\n\"diebold\",\r\n\"filemaker\",\r\n\"htape\",\r\n\"magtek\",\r\n\"ncr\",\r\n\"passw\",\r\n\"payment\",\r\n\"rapid7\",\r\n\"replication\",\r\n\"screenconnect\",\r\n\"swift\",\r\n\"tivoli\",\r\n\"unitrends\",\r\n\"vault\",\r\n\"veeam\",\r\n\"vranger\",\r\n\"wallet\",\r\n\"wincor\"],\r\n\"shell_cmds\": [\"arp -a\",\r\n\"cmdkey /list\",\r\n\"dclist\",\r\n\"gpresult /z\",\r\n\"ipconfig /all\",\r\n\"ipconfig /displaydns\",\r\n\"klist\",\r\n\"manage-bde -status\",\r\nhttps://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/\r\nPage 2 of 18\n\n\"net config workstation\",\r\n\"net group \\\"domain admins\\\" /domain\",\r\n\"net group \\\"Domain Admins\\\"\",\r\n\"net group \\\"Enterprise Admins\\\"\",\r\n\"net localgroup \\\"administrators\\\"\",\r\n\"net localgroup\",\r\n\"net share\",\r\n\"net use\",\r\n\"net user\",\r\n\"net view /all /domain\",\r\n\"net view /all\",\r\n\"netstat -an\",\r\n\"nltest /domain_trusts /all_trusts\",\r\n\"nltest /domain_trusts\",\r\n\"nslookup -type=any %userdnsdomain%\",\r\n\"qwinsta\",\r\n\"route print\",\r\n\"systeminfo\",\r\n\"tasklist /V\",\r\n\"vssadmin List Shadows\",\r\n\"wmic process\",\r\n\"wmic qfe list\"],\r\n\"dirs\": [\"%ALLDRIVESROOTS%\\\\Alliance\",\r\n\"%APPDATA%\\\\Agama\",\r\n\"%APPDATA%\\\\Armory\",\r\n\"%APPDATA%\\\\B3-CoinV2\",\r\nhttps://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/\r\nPage 3 of 18\n\n\"%APPDATA%\\\\BeerMoney\",\r\n\"%APPDATA%\\\\Bitcloud\",\r\n\"%APPDATA%\\\\Bitcoin\",\r\n\"%APPDATA%\\\\BitcoinZ\",\r\n\"%APPDATA%\\\\bitconnect\",\r\n\"%APPDATA%\\\\Bither\",\r\n\"%APPDATA%\\\\bitmonero\",\r\n\"%APPDATA%\\\\BlocknetDX\",\r\n\"%APPDATA%\\\\Cybroscoin\",\r\n\"%APPDATA%\\\\Daedalus\",\r\n\"%APPDATA%\\\\DashCore\",\r\n\"%APPDATA%\\\\DeepOnion\",\r\n\"%APPDATA%\\\\DigiByte\",\r\n\"%APPDATA%\\\\Dogecoin\",\r\n\"%APPDATA%\\\\ElectronCash\",\r\n\"%APPDATA%\\\\Electrum\",\r\n\"%APPDATA%\\\\Electrum-LTC\",\r\n\"%APPDATA%\\\\Ember\",\r\n\"%APPDATA%\\\\EmeraldWallet\",\r\n\"%APPDATA%\\\\Ethereum Wallet\",\r\n\"%APPDATA%\\\\Exodus\",\r\n\"%APPDATA%\\\\FairCoin\",\r\n\"%APPDATA%\\\\faircoin2\",\r\n\"%APPDATA%\\\\Florincoin\",\r\n\"%APPDATA%\\\\FORT\",\r\n\"%APPDATA%\\\\GambitCoin\",\r\nhttps://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/\r\nPage 4 of 18\n\n\"%APPDATA%\\\\GeyserCoin\",\r\n\"%APPDATA%\\\\GreenCoinV2\",\r\n\"%APPDATA%\\\\GridcoinResearch\",\r\n\"%APPDATA%\\\\Gulden\",\r\n\"%APPDATA%\\\\Hush\",\r\n\"%APPDATA%\\\\IOTA Wallet\",\r\n\"%APPDATA%\\\\Komodo\",\r\n\"%APPDATA%\\\\Learncoin\",\r\n\"%APPDATA%\\\\lisk-nano\",\r\n\"%APPDATA%\\\\Litecoin\",\r\n\"%APPDATA%\\\\Minexcoin\",\r\n\"%APPDATA%\\\\mSIGNA_Bitcoin\",\r\n\"%APPDATA%\\\\MultiBitHD\",\r\n\"%APPDATA%\\\\MultiDoge\",\r\n\"%APPDATA%\\\\Neon\",\r\n\"%APPDATA%\\\\NXT\",\r\n\"%APPDATA%\\\\Parity\",\r\n\"%APPDATA%\\\\Particl\",\r\n\"%APPDATA%\\\\Peercoin\",\r\n\"%APPDATA%\\\\pink2\",\r\n\"%APPDATA%\\\\PPCoin\",\r\n\"%APPDATA%\\\\Qtum\",\r\n\"%APPDATA%\\\\RainbowGoldCoin\",\r\n\"%APPDATA%\\\\RoboForm\",\r\n\"%APPDATA%\\\\StartCOIN-v2\",\r\n\"%APPDATA%\\\\straks\",\r\nhttps://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/\r\nPage 5 of 18\n\n\"%APPDATA%\\\\Stratis\",\r\n\"%APPDATA%\\\\StratisNode\",\r\n\"%APPDATA%\\\\TREZOR Bridge\",\r\n\"%APPDATA%\\\\TrumpCoinV2\",\r\n\"%APPDATA%\\\\VeriCoin\",\r\n\"%APPDATA%\\\\Verium\",\r\n\"%APPDATA%\\\\Viacoin\",\r\n\"%APPDATA%\\\\VivoCore\",\r\n\"%APPDATA%\\\\Xeth\",\r\n\"%APPDATA%\\\\Zcash\",\r\n\"%APPDATA%\\\\ZcashParams\",\r\n\"%APPDATA%\\\\Zetacoin\",\r\n\"%LOCALAPPDATA%\\\\bisq\",\r\n\"%LOCALAPPDATA%\\\\copay\",\r\n\"%LOCALAPPDATA%\\\\programs\\\\zap-desktop\",\r\n\"%LOCALAPPDATA%\\\\RippleAdminConsole\",\r\n\"%LOCALAPPDATA%\\\\StellarWallet\",\r\n\"%PROGRAMDATA%\\\\bitmonero\",\r\n\"%PROGRAMDATA%\\\\electroneum\",\r\n\"%PROGRAMDATA%\\\\Tiger Technology\",\r\n\"%PROGRAMDATA%\\\\tivoli\"],\r\n\"file_find\": {\r\n\"enabled\": 1,\r\n\"patterns\": [\"10-q\",\r\n\"10-sb\",\r\n\"access\",\r\nhttps://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/\r\nPage 6 of 18\n\n\"avamar\",\r\n\"admin\",\r\n\"attack\",\r\n\"aws\",\r\n\"amazon\",\r\n\"backup\",\r\n\"balance\",\r\n\"bitcoin\",\r\n\"bitlocker\",\r\n\"bribery\",\r\n\"cardholder\",\r\n\"censored\",\r\n\"checking\",\r\n\"clandestine\",\r\n\"compromate\",\r\n\"concealed\",\r\n\"confidential\",\r\n\"contraband\",\r\n\"convict\",\r\n\"credent\",\r\n\"cyber\",\r\n\"disclosure\",\r\n\"engineering\",\r\n\"esxi\",\r\n\"ethereum\",\r\n\"explosive\",\r\nhttps://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/\r\nPage 7 of 18\n\n\"finance\",\r\n\"fraud\",\r\n\"hidden\",\r\n\"illegal\",\r\n\"infrastruct\",\r\n\"instruction\",\r\n\"investigation\",\r\n\"logins\",\r\n\"marketwired\",\r\n\"military\",\r\n\"n-csr\",\r\n\"nasdaq\",\r\n\"nda\",\r\n\"newswire\",\r\n\"operation\",\r\n\"passport\",\r\n\"passw\",\r\n\"personal\",\r\n\"privacy\",\r\n\"private\",\r\n\"restricted\",\r\n\"routing\",\r\n\"saving\",\r\n\"secret\",\r\n\"security\",\r\n\"spy\",\r\nhttps://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/\r\nPage 8 of 18\n\n\"statement\",\r\n\"storage\",\r\n\"submarine\",\r\n\"suspect\",\r\n\"tactical\",\r\n\"treason\",\r\n\"username\",\r\n\"vault\",\r\n\"victim\",\r\n\"vsphere\",\r\n\"wallet\",\r\n\"wasabi\",\r\n\"wire\"\r\n],\r\n\"extentions\": [\".doc\",\r\n\".docx\",\r\n\".xls\",\r\n\".xlsx\",\r\n\".pdf\",\r\n\".txt\",\r\n\".rtf\"],\r\n\"gold_masks\": [\"*.rdp\",\r\n\"*.kdbx\",\r\n\"*.vnc\",\r\n\"*.cpp\",\r\n\"*.c\",\r\nhttps://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/\r\nPage 9 of 18\n\n\"*.sln\",\r\n\"*.vcproj\",\r\n\"*.h\",\r\n\"*.asm\",\r\n\"*cobaltstrike*\",\r\n\"*.ovpn\",\r\n\"*.pcf\",\r\n\"*.conf\"],\r\n\"black_files\": [\"Default.rdp\",\r\n\"Microsoft June\",\r\n\"Release_Note\",\r\n\"Release Note\",\r\n\"desktop.ini\",\r\n\"Microsoft Silverlight\",\r\n\"localhost_access_log\",\r\n\"dd_clwireg.txt\"],\r\n\"black_dirs\": [\"\\\\microsoft\\\\windows\",\r\n\"\\\\gfi\\\\languard\",\r\n\"\\\\microsoft\\\\windows\\\\cookies\",\r\n\"\\\\vmware\\\\vcenterserver\",\r\n\"\\\\autoupdate\\\\cache\",\r\n\"\\\\microsoft office\\\\root\"],\r\n\"max_size\": 5242880\r\n},\r\n\"software\": [\" OPOS\",\r\n\"Aldelo\",\r\nhttps://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/\r\nPage 10 of 18\n\n\"Actifio\",\r\n\"Alliance WebStation\",\r\n\"Alliance Workstation\",\r\n\"Altaro\",\r\n\"Back-up\",\r\n\"Rapid7\",\r\n\"Backup\",\r\n\"Bank\",\r\n\"Blockchain\",\r\n\"Boot Camp\",\r\n\"Box Sync\",\r\n\"BridgeHead\",\r\n\"CAM Commerce Solutions\",\r\n\"Card Processing\",\r\n\"Cash\",\r\n\"Cisco\",\r\n\"Citrix\",\r\n\"Cloud\",\r\n\"Coin\",\r\n\"Dashlane\",\r\n\"Diskeeper\",\r\n\"Double-Take\",\r\n\"Dropbox\",\r\n\"Elcomsoft\",\r\n\"FileZilla Server\",\r\n\"FortiClient\",\r\nhttps://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/\r\nPage 11 of 18\n\n\"Fund\",\r\n\"iDrive\",\r\n\"Ledger\",\r\n\"LexisNexis\",\r\n\"LogMeIn\",\r\n\"M262x\",\r\n\"Microsoft Dynamics RMS Store Operations\",\r\n\"Microsoft POS\",\r\n\"vRanger\",\r\n\"Money\",\r\n\"mRemoteNG\",\r\n\"MSR\",\r\n\"Password\",\r\n\"Payment\",\r\n\"Private\",\r\n\"Protect\",\r\n\"PuTTY\",\r\n\"QuickBooks\",\r\n\"Replication\",\r\n\"ScreenConnect\",\r\n\"Shadow\",\r\n\"SII RP-D10\",\r\n\"Storage\",\r\n\"SWIFT\",\r\n\"TeamViewer\",\r\n\"Token\",\r\nhttps://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/\r\nPage 12 of 18\n\n\"Trade\",\r\n\"Treasury\",\r\n\"Trezor\",\r\n\"Vault\",\r\n\"Unitrends\",\r\n\"VIP Access\",\r\n\"VMware\",\r\n\"Vnc\",\r\n\"VPN\",\r\n\"Wallet\",\r\n\"Withdraw\"],\r\n\"registry\": [\"SOFTWARE\\\\Ammyy\",\r\n\"SOFTWARE\\\\Cppcheck\",\r\n\"SOFTWARE\\\\DASH\",\r\n\"SOFTWARE\\\\Dash\",\r\n\"SOFTWARE\\\\DeterministicNetworks\",\r\n\"SOFTWARE\\\\GitForWindows\",\r\n\"SOFTWARE\\\\GlavSoft LLC.\",\r\n\"SOFTWARE\\\\GnuPG\",\r\n\"SOFTWARE\\\\Hex-Rays\",\r\n\"SOFTWARE\\\\Hex-Rays SA\",\r\n\"SOFTWARE\\\\HexaD\",\r\n\"SOFTWARE\\\\ITarian\",\r\n\"SOFTWARE\\\\LogMeIn Ignition\",\r\n\"SOFTWARE\\\\LogMeIn\",\r\n\"SOFTWARE\\\\MetaQuotes Software\",\r\nhttps://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/\r\nPage 13 of 18\n\n\"SOFTWARE\\\\Microsoft\\\\ResKit\\\\Robocopy\",\r\n\"SOFTWARE\\\\Nmap\",\r\n\"SOFTWARE\\\\Pulse Secure\",\r\n\"SOFTWARE\\\\PyBitmessage\",\r\n\"SOFTWARE\\\\PyBitmessage\",\r\n\"SOFTWARE\\\\S.W.I.F.T.\",\r\n\"SOFTWARE\\\\ShrewSoft\",\r\n\"SOFTWARE\\\\SimonTatham\",\r\n\"SOFTWARE\\\\SonicWall\",\r\n\"SOFTWARE\\\\TortoiseSVN\",\r\n\"SOFTWARE\\\\Veeam\",\r\n\"SOFTWARE\\\\VisualSVN\",\r\n\"SOFTWARE\\\\Whole Tomato\",\r\n\"SOFTWARE\\\\WinLicense\"],\r\n\"portscan\": {\"Bitcoin\": [8332,8333],\r\n\"DNS\": [53],\r\n\"Elasticsearch\": [9200,9300],\r\n\"FTP\": [21],\r\n\"Horizon Agent\": [22443,4172,9427,32111],\r\n\"HTTP\": [80,5000,9043],\r\n\"HTTPS\": [443,8443,1311,5001,8200],\r\n\"JAVA-RMI\": [34571,1099,1090,1098,1099,4444,11099,47001,47002,10999],\r\n\"MongoDB\": [27017],\r\n\"MSSQL\": [1433],\r\n\"MySQL\": [3306],\r\n\"neo4j\": [7687],\r\nhttps://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/\r\nPage 14 of 18\n\n\"NetBackup\": [5637],\r\n\"NETBIOS\": [139],\r\n\"Oracle\": [1521],\r\n\"POP3\": [110],\r\n\"POP3s\": [995],\r\n\"PostgreSQL\": [5432],\r\n\"PPTP\": [1723],\r\n\"RADMIN\": [4899],\r\n\"RDP\": [3389],\r\n\"SMTP\": [25],\r\n\"SonicWall-VPN\": [4433],\r\n\"SSH\": [22],\r\n\"Telnet\": [23],\r\n\"Tivoli\": [1500,1581],\r\n\"TOR\": [9050],\r\n\"AcronixBackup\": [9877],\r\n\"vCenter\": [22024,902,903,10080,10443],\r\n\"Veeam\": [9392,9393,9394,9397,9398,9399],\r\n\"VNC\": [5900, 5800],\r\n\"WinRM\": [5985,5986],\r\n\"Zabbix\": [10050,10051],\r\n\"JDWP\": [45000,45001],\r\n\"JMX\": [8686,9012,50500],\r\n\"jBoss\": [11111,4444,4445],\r\n\"Cisco Smart Install\": [4786],\r\n\"HP Data Protector\": [5555,5556],\r\nhttps://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/\r\nPage 15 of 18\n\n\"GlassFish\": [4848]\r\n}\r\n}\r\ndef_op('PRINT_ITEM', 78)\r\ndef_op('PRINT_NEWLINE', 63)\r\ndef_op('POP_TOP', 85)\r\ndef_op('RETURN_VALUE', 88)\r\ndef_op('ROT_TWO', 29)\r\ndef_op('ROT_THREE', 9)\r\ndef_op('STORE_MAP', 55)\r\ndef_op('INPLACE_ADD', 28)\r\ndef_op('ROT_FOUR', 72)\r\ndef_op('UNARY_POSITIVE', 12)\r\ndef_op('UNARY_NEGATIVE', 64)\r\ndef_op('UNARY_NOT', 66)\r\ndef_op('UNARY_CONVERT', 20)\r\ndef_op('UNARY_INVERT', 65)\r\ndef_op('GET_ITER', 83)\r\ndef_op('BINARY_MULTIPLY', 80)\r\ndef_op('BINARY_POWER', 79)\r\ndef_op('BINARY_DIVIDE', 15)\r\ndef_op('BINARY_MODULO', 76)\r\ndef_op('BINARY_ADD', 84)\r\ndef_op('BINARY_SUBTRACT', 89)\r\ndef_op('BINARY_SUBSCR', 57)\r\ndef_op('BINARY_FLOOR_DIVIDE', 68)\r\nhttps://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/\r\nPage 16 of 18\n\ndef_op('INPLACE_FLOOR_DIVIDE', 24)\r\ndef_op('INPLACE_DIVIDE', 82)\r\ndef_op('INPLACE_SUBTRACT', 22)\r\ndef_op('INPLACE_MULTIPLY', 13)\r\ndef_op('INPLACE_MODULO', 70)\r\ndef_op('STORE_SUBSCR', 54)\r\ndef_op('DELETE_SUBSCR', 77)\r\ndef_op('BINARY_LSHIFT', 60)\r\ndef_op('BINARY_RSHIFT', 21)\r\ndef_op('BINARY_AND', 3)\r\ndef_op('BINARY_XOR', 73)\r\ndef_op('BINARY_OR', 56)\r\ndef_op('INPLACE_POWER', 23)\r\ndef_op('POP_BLOCK', 2)\r\ndef_op('DUP_TOP', 75)\r\ndef_op('PRINT_ITEM_TO', 5)\r\ndef_op('PRINT_NEWLINE_TO', 11)\r\ndef_op('INPLACE_LSHIFT', 59)\r\ndef_op('INPLACE_RSHIFT', 74)\r\ndef_op('INPLACE_AND', 61)\r\ndef_op('INPLACE_XOR', 27)\r\ndef_op('INPLACE_OR', 71)\r\ndef_op('BREAK_LOOP', 58)\r\ndef_op('WITH_CLEANUP', 19)\r\ndef_op('END_FINALLY', 4)\r\ndef_op('BUILD_CLASS', 87)\r\nhttps://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/\r\nPage 17 of 18\n\ndef_op('EXEC_STMT', 10)\r\ndef_op('LOAD_LOCALS', 67)\r\ndef_op('IMPORT_STAR', 26)\r\ndef_op('YIELD_VALUE', 25)\r\nSource: https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/\r\nhttps://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/\r\nPage 18 of 18", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/" ], "report_names": [ "5" ], "threat_actors": [ { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad", "created_at": "2022-10-25T16:07:23.590051Z", "updated_at": "2026-04-10T02:00:04.679488Z", "deleted_at": null, "main_name": "Energetic Bear", "aliases": [ "ATK 6", "Blue Kraken", "Crouching Yeti", "Dragonfly", "Electrum", "Energetic Bear", "G0035", "Ghost Blizzard", "Group 24", "ITG15", "Iron Liberty", "Koala Team", "TG-4192" ], "source_name": "ETDA:Energetic Bear", "tools": [ "Backdoor.Oldrea", "CRASHOVERRIDE", "Commix", "CrackMapExec", "CrashOverride", "Dirsearch", "Dorshel", "Fertger", "Fuerboos", "Goodor", "Havex", "Havex RAT", "Hello EK", "Heriplor", "Impacket", "Industroyer", "Karagany", "Karagny", "LightsOut 2.0", "LightsOut EK", "Listrix", "Oldrea", "PEACEPIPE", "PHPMailer", "PsExec", "SMBTrap", "Subbrute", "Sublist3r", "Sysmain", "Trojan.Karagany", "WSO", "Webshell by Orb", "Win32/Industroyer", "Wpscan", "nmap", "sqlmap", "xFrost" ], "source_id": "ETDA", "reports": null }, { "id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa", "created_at": "2022-10-25T16:47:55.919702Z", "updated_at": "2026-04-10T02:00:03.618194Z", "deleted_at": null, "main_name": "IRON VIKING", "aliases": [ "APT44 ", "ATK14 ", "BlackEnergy Group", "Blue Echidna ", "CTG-7263 ", "ELECTRUM ", "FROZENBARENTS ", "Hades/OlympicDestroyer ", "IRIDIUM ", "Qudedagh ", "Sandworm Team ", "Seashell Blizzard ", "TEMP.Noble ", "Telebots ", "Voodoo Bear " ], "source_name": "Secureworks:IRON VIKING", "tools": [ "BadRabbit", "BlackEnergy", "GCat", "NotPetya", "PSCrypt", "TeleBot", "TeleDoor", "xData" ], "source_id": "Secureworks", "reports": null }, { "id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6", "created_at": "2022-10-25T15:50:23.339976Z", "updated_at": "2026-04-10T02:00:05.27483Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "Sandworm Team", "ELECTRUM", "Telebots", "IRON VIKING", "BlackEnergy (Group)", "Quedagh", "Voodoo Bear", "IRIDIUM", "Seashell Blizzard", "FROZENBARENTS", "APT44" ], "source_name": "MITRE:Sandworm Team", "tools": [ "Bad Rabbit", "Mimikatz", "Exaramel for Linux", "Exaramel for Windows", "GreyEnergy", "PsExec", "Prestige", "P.A.S. Webshell", "AcidPour", "VPNFilter", "Neo-reGeorg", "Cyclops Blink", "SDelete", "Kapeka", "AcidRain", "Industroyer", "Industroyer2", "BlackEnergy", "Cobalt Strike", "NotPetya", "KillDisk", "PoshC2", "Impacket", "Invoke-PSImage", "Olympic Destroyer" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434127, "ts_updated_at": 1775792228, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/a10d68dc8ae68d910957e976da3ad428ab33c8bb.pdf", "text": "https://archive.orkl.eu/a10d68dc8ae68d910957e976da3ad428ab33c8bb.txt", "img": "https://archive.orkl.eu/a10d68dc8ae68d910957e976da3ad428ab33c8bb.jpg" } }