{
	"id": "7d1bfe7d-a742-4ba3-b3e3-ab35390e3012",
	"created_at": "2026-04-06T00:07:16.396571Z",
	"updated_at": "2026-04-10T13:12:36.313714Z",
	"deleted_at": null,
	"sha1_hash": "a39a5a8ca3b8031aa7d79e733d411c468dbafd58",
	"title": "The Legend of Adwind: A Commodity RAT Saga in Eight Parts",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2181351,
	"plain_text": "The Legend of Adwind: A Commodity RAT Saga in Eight Parts\r\nBy Unit 42\r\nPublished: 2019-09-17 · Archived: 2026-04-05 16:46:43 UTC\r\nExecutive Summary\r\nIn early 2012, a developer started selling the first of the Adwind family, Java-based remote access tools (RATs),\r\ncalled “Frutas.” In the ensuing years, it has been rebranded at least seven times. Its other names have included\r\nAdwind, UnReCoM, Alien Spy, JSocket, JBifrost, UnknownRat, and JConnectPro.\r\nThe Adwind RAT family remains prevalent in the wild. Palo Alto Networks has collected over 45,000 samples\r\nfrom the various Adwind iterations. We have observed these samples used in over 2 million attacks against Palo\r\nAlto Networks customers since 2017, highlighting the high impact of this popular commodity RAT.\r\nThe first six iterations of the multi-platform Adwind RAT family have been exhaustively documented, so we will\r\nnot rehash analysis of the RAT itself. This piece describes two hitherto undocumented recent rebrandings:\r\n“Unknown RAT” and “jConnect Pro RAT” and clarifies some misconceptions. We have identified the author of this\r\ncommodity malware, demonstrating that ownership of this RAT under its various monikers never actually\r\nchanged.\r\nThis blog post documents the Adwind RAT family’s beginning as an alleged science project, evolution to become\r\nwidely available commodity malware, and eventual refinement into a private sale to what appears to be a closed\r\ncustomer base. By developing a technique to isolate cracked versions from licensed samples, we have documented\r\nthe impact of the availability of free, cracked versions, and identified researcher reporting as a repeated catalyst to\r\nrecent rebranding.\r\nA RAT Is Born\r\nOn January 11, 2012, Spanish-language indetectables[.]net forum user “adwind” posts about his new “Frutas Rat”\r\nproject, seen in Figures 1 and 2. A Google translation of the text follows Figure 1.\r\nFigure 1. 
Adwind announces \"Frutas\"\r\nhttps://unit42.paloaltonetworks.com/the-legend-of-adwind-a-commodity-rat-saga-in-eight-parts/\r\nPage 1 of 19\n\n“Fruits Rat [Java] Src Project [Reverse Connection]…\r\nThis is a project that starts yesterday jejeje I upload it for the curious, this project I will continue little by little\r\nbecause I try to do everything myself. Without using 3rd codes\r\nI use Netbeans as an IDE.\r\nDo not ask me why the name of the RAT XD”\r\nFigure 2. Frutas RAT\r\nThrough 2012, he released several updates to Frutas. By December 2012, Adwind had rebranded the free Frutas as\r\nthe paid “Adwind RAT.”\r\nRebrand\r\nFrom early 2013, the renamed Adwind RAT was sold at adwind[.]com[.]mx, shown in Figures 3 and 4 below.\r\nFigure 3. adwind[.]com[.]mx 2013\r\nFigure 4. Adwind RAT version 2\r\nOn October 5, 2013, Adwind released “V3.0” and claimed that he would be turning the RAT over to “others,” who\r\nwould also rename the RAT, shown in Figure 5. A Google translation of the text follows the figure.\r\nFigure 5. Adwind claims a change of ownership\r\n“Well many know or not but the project already I it will not handle, it will be others that will be called by another\r\nname.”\r\nAdwind also states:\r\n“You judge if it is better than the JRAT :D”\r\nSome researchers have claimed that JRAT and the Adwind RAT family are related. While JRAT is a Java RAT, we\r\nhave determined it is completely different and written by a different author.\r\nSo, why this rebrand? Although we suspect other reasons for renaming in later iterations of this RAT family, it\r\nseems that in this case at least, Adwind’s author is specifically trying to distance his identity from continued\r\ndevelopment and sale of this malware. 
He may have feared – correctly – that an operational security (OpSec) fail\r\non his part with his Adwind identity might expose his identity and ownership.\r\nUnReCoM RAT\r\nA week after Adwind’s “change of ownership” announcement, on October 12, 2013, the domain unrecom[.]net\r\nwas registered. This site sold the next Adwind family rebrand, “Universal Remote Control Multi Platform”\r\n(UnRemCoM) RAT. The ostensible new management is named at the site as “UnReCom Soft” and elsewhere as\r\n“Lustrosoft.” Figure 6 shows connections to victims in the United States, Spain, and Mexico.\r\nFigure 6. UnReCoM RAT\r\nThe site offered a monthly subscription option as well as the ability to purchase the software outright, shown in\r\nFigure 7. Some researchers have suggested that this is a “malware as a service” (MaaS) model. However, while\r\ncommodity malware is often licensed monthly, it isn’t really “as a service” – the user is still wholly responsible for\r\nthe RAT stub building, C2, “crypting” (stub encryption), and spreading/infection. In contrast, the Webmonitor\r\nRAT offered a C2 service that is closer to a MaaS definition.\r\nFigure 7. UnReCoM purchase options\r\nThe site boasted the multi-platform RAT client availability, listing Windows XP through 8.1, Mac, Linux, and\r\nAndroid:\r\n“UNRECOM is the only software in the world to take control of all operating systems in one place.. You will have\r\nfull control of your devices in one place.”\r\nIt also disavowed itself as malware, utilizing bizarre logic:\r\n“Unrecom is a malware?\r\nNot, you need install software in both devices for work.”\r\nAlien Spy\r\nAlienspy[.]net was registered June 7, 2014. The reason for this rebrand is unknown. 
It may be that the author\r\ndeliberately wanted to circumvent having to honor outstanding purchases/subscriptions and created a “new”\r\nsoftware to be purchased instead. Alternatively, it might be to avoid reputation issues – complaints about various\r\niterations of the Adwind family, lack of support, and dishonoring of purchases are common on forums:\r\n“Alienspy is NO GOOD, it is the worst RAT ever, don't be fooled, the owner needs a lot of money, he cdan make\r\nyou buy and destroy HWIDS to make you keep purchasing the software, alienspy works sometimes,not all the time,\r\nand have an issues with stability, but the owner is very hungry for cash so watch it, he changed the name of\r\nseveral RATs he created and took many people money, do not trust...”\r\nA customer testimonial proudly featured at the site belies any claim of the software’s use as a legitimate\r\nadministration tool, shown in Figure 8 below.\r\nFigure 8. Testimonial\r\nOn April 8, 2015, Fidelis released a report on Alien Spy. By the end of April, the domain for the next Adwind\r\nfamily rebrand had been registered, and the registrar had suspended alienspy[.]net. The motivation for this rebrand\r\nwas quite obvious, although it seems the author didn’t lose the opportunity to profit from it:\r\n“i was client of alienspy and bought 1 year member but the rat get suspended before my member expire and when\r\ni try to get same discount in the new jsocket i get nothing from the support not even answer to me”\r\nThe continuity between these rebrands is apparent in the Skype profile for Alien Spy, shown below in Figure 9.\r\nFigure 9. Alien Spy Skype profile\r\nJSocket\r\nThe domain for this next rebrand, jsocket[.]org, was registered April 20, 2015 – 12 days after the Fidelis report. 
As\r\nof August 2019, it was still registered, although the domain hasn’t resolved to an active website since early 2016.\r\nFigure 10 shows some noticeable similarities between this site and its predecessor.\r\nFigure 10. Comparison of alienspy[.]net and jsocket[.]org sites\r\nIn February 2016, unsubstantiated rumors that the Adwind author had been arrested circulated on forums.\r\nOn February 8, 2016, Kaspersky published a report on JSocket.\r\nJBifrost\r\nOur actor again responded quickly to the publication of the Kaspersky research on February 8, 2016. A new\r\ndomain, jbifrost[.]com, was registered just two days later, on February 10, and jsocket[.]org, after replacing their\r\nwebsite with a claim of spamming users being banned and legal issues, ceased to resolve after February 13, 2016.\r\nFigure 11. JBifrost RAT logo\r\nThis incarnation of the site seemed to drop the loud public advertising in favor of a members-only private site with\r\nforums, sales, and chat.\r\nThe website was reported to have been suspended by the ISP in late-June 2016, and Fortinet published research\r\ninto jBifrost on August 16, 2016.\r\nUnknow(n) RAT\r\nThe actor appears to have taken a little longer in re-establishing his site after the jbifrost[.]com suspension.\r\nUnknowsoft[.]com was registered August 2, 2016, about a month after jbifrost[.]com was suspended during\r\nsummer 2016. Again, this site supported a private members area rather than loud, public advertising.\r\nFigure 12. 
Unknown RAT logo\r\nThe logo used for this rebrand, seen in Figure 12, is essentially unchanged from that of the previous jBifrost,\r\nshown in Figure 11, which wouldn’t be expected had this business actually changed hands and truly rebranded.\r\nThe site was parked by the registrar August 4, 2017 and expired in December 2017. The registrar had previously\r\nsuspended the site in late-September 2016, but the registration of Unknow(n) RAT’s successor domain in\r\nDecember 2016 sets our milestone for the transition to the next rebranding.\r\njConnectPro\r\nThe last known possible website for the Adwind family, jconnectpro[.]info, was registered on December 10, 2016.\r\nThe site helpfully documented the connection and evolution of the malware family, shown in Figure 13.\r\n“AlineSpy \u003e\u003e jSocket \u003e\u003e jBifrost \u003e\u003e UnknownSoftware \u003e\u003e jConnectPro”\r\nFigure 13. jconnectpro[.]info\r\nThe jConnect Pro site seen in Figure 13 bore an obvious similarity to the previous Unknown RAT site as shown in\r\nFigure 14. The site was suspended by the ISP in early April 2017.\r\nIt is possible that jconnectpro[.]info was NOT run by Adwind but rather was an imposter, selling a cracked version\r\nof Unknown RAT. Prior to ISP suspension, the Unknown RAT site unknowsoft[.]com posted an announcement\r\nthat they were not taking any new customers, though the software would still operate, shown in Figure 14.\r\n“Unkonown Software is currently unavailable\r\nNot new users or renews in this moment. You can continue to use our software but you will not be allowed to login\r\nin our website.\r\nEach membership of users will continue active until this expire.\r\nEnjoy! And Good luck for ever.\r\nMastermind Team. We can just say good bay for ever.\r\nWe finished our work here since our software was selled to other team of developers. 
I don’t know if they will\r\ncontinue or not. But we will try to update stub for currents users with active memberships.”\r\nA litany of complaints against purported fakes and scammers followed. Of special note:\r\n“http://jconnectpro[.]info – a FAKE”\r\nThe timeline of RAT rebrand names at the site contains capitalizations in the names that differ from the original\r\nsites.\r\nFigure 14. Unknown Software \"unavailable\"\r\nA Cryptic Puzzle\r\nAfter unknownsoft[.]com and jconnectpro[.]info went down, Adwind’s trail went cold. Although this time we\r\nwere unable to find a newly rebranded iteration of Adwind’s RAT, we did find a Java-RAT-specific crypting\r\nservice.\r\nMalware operators use a technique known as “crypting” to avoid signature-based antivirus detection. Crypting\r\nwill modify malware binary files such that they have a new, unique hash value, without altering their functionality.\r\nSuch files are often referred to as “fully undetectable” (FUD).\r\nThere are comparatively few Java-specific commodity RATs, and this crypting service seemed to adopt\r\nUnknownRAT’s name in its branding – UnknownCrypter (unknowncrypter[.]co) (Figure 15).\r\nFigure 15. UnknownCrypter\r\nInitial investigation uncovered some Spanish-language artifacts associated with UnknownCrypter. We wondered if\r\nAdwind might be leveraging his Java coding expertise and operating this system himself as a second revenue\r\nstream alongside his RAT.\r\nHowever, our research determined that this was simply a rebranding of the “FUDCrypter” service, operated by a\r\nNigerian individual, not Adwind.\r\nIn our SilverTerrier research of Nigerian cybercrime, we note an increase in the popularity of commodity RATs\r\namong that community. 
Indeed, our research into leaked customer lists of commodity malware has shown that the\r\nvast majority of the customers are Nigerian. We also observed a burgeoning Nigerian ecosystem around the\r\nvarious aspects of cybercrime, and so a Nigerian-based crypting service should not come as a surprise.\r\nFurther confirming our conclusion that this is not operated by Adwind, the same actor recently launched his own\r\nJavaScript-based RAT called “WSH RAT” with a very different codebase – a competitor to Adwind rather than a\r\nnew iteration of Adwind’s RAT.\r\nCracked\r\nAlthough Adwind apparently no longer sells his RAT on the web or on forums, the question remains: what of all\r\nthe ongoing Adwind-family telemetry do we continue to observe?\r\nCracked copies of Adwind-family malware have been in circulation for several years, through to cracked versions\r\nof Unknown RAT as seen in Figure 16.\r\nFigure 16. Cracked Unknown RAT\r\nWe first observed Adwind-family samples add a registry entry for the BullGuard binary “LittleHook.exe” into\r\ntheir anti-antimalware routine on December 5, 2016. This corresponds closely with the ostensible rebranding to\r\njConnectPro, with that domain being registered only five days later.\r\nAlthough we noted earlier that jconnectpro[.]info may potentially not actually belong to Adwind, we are able to\r\nuse this marker to differentiate between “legitimate” and cracked Adwind samples. All known cracked versions of\r\nUnknown RAT predate the above-observed branding and domain change.\r\nSince December 2016, we have collected 14,000 “legitimate” samples, observed in over 600,000 attacks against\r\nPalo Alto Networks customers. 
Cracked versions of earlier Adwind family RATs seem to be twice as common.\r\nDuring the same period, we found almost 30,000 Adwind samples that did not contain that marker, observed in\r\nover 1.3 million attacks against Palo Alto Networks customers.\r\nGone Dark?\r\nAs we noted earlier, the jConnectPro website was suspended in early April 2017. Unknownsoft[.]com had an\r\n“unavailable” statement at the site, ISP suspensions from 2016, and was finally parked mid-2017. Unlike previous\r\nrebranding, there was no handoff to a new brand as we had observed earlier, via website, Skype, forum, or reports\r\nof emails to customers. There was no “new Adwind” advertising on forums. This begged the question: Has\r\nAdwind finally closed up shop? Is the ongoing Adwind telemetry simply observing cracked versions and legacy\r\nlegitimate samples continuing to be deployed?\r\nWe found that Adwind samples first started setting the registry key “HKLM\\SOFTWARE\\Microsoft\\Windows\r\nNT\\CurrentVersion\\Image File Execution Options\\ProcessHacker.exe\\debugger , Value:svchost.exe , Type:1” in\r\nsamples starting June 5, 2017. This was two months after the jConnectPro website was suspended, and Unknown\r\nSoftware was “unavailable” and the site suspended – the first proof of ongoing development of the RAT\r\nsubsequent to having gone dark.\r\nWe noted some other small changes in file writes in samples around this date, but we have not been able to\r\nidentify any other new functionality in samples observed since June 2017. Samples with these markers continue to\r\nbe observed in active attacks through September 2019.\r\nA Tale Is Woven\r\nOur analysis of Adwind’s infrastructure throughout the different brands of his RAT found uncommonly good\r\noperational security (OpSec) on his part. WHOIS records were fake and/or anonymized. 
Domain registrars and\r\nhosting services were distinctly changed with every rebrand. Infrastructure was not reused. No careless\r\nconnections to other activity that might hint at Adwind’s identity were found.\r\nHaving analyzed thousands of actors and their infrastructure, such consistently good OpSec is a rarity. Adwind\r\nattempted not only to hide his identity but, fearing discovery and in order to distance himself from issues with bad\r\nreputation, also attempted to suggest a change of ownership.\r\nIn his attempt to misdirect identification and pretend to have on-sold his business, Adwind inadvertently left a\r\npattern in his OpSec. The very consistency of his OpSec itself is an indicator of it remaining under his control\r\nduring its entire history.\r\nDespite the renaming, the RAT itself really didn’t change significantly over its lifetime. Some new functionality\r\nwas added, but improvements were essentially iterative. No significant changes were noted, as might be expected\r\nwith a new owner/coder, and Java commodity RATs remain comparatively rare.\r\nCare was always taken to ensure a continuity between brands for his customers; the new brand was noted in\r\nforums on the old website, in his Skype profiles (Figure 9), and in emails to existing customers – more care than\r\nmight be expected if it was on-sold to a third party.\r\nDomain moves were always seamless, and rebrands were, on several occasions, clearly triggered by the publishing\r\nof research (Figure 17). Even after the claimed “sale,” UnReCom still had predominant Mexico hosts in\r\nscreenshots (Figure 6).\r\nFigure 17. Timeline of the Adwind RAT family\r\nStylistic similarities bridged the different RAT brands – logos (Figures 11 and 12), site content (Figures 13 and 14)\r\nand also as seen above in the jSocket section. 
In fact, the only “rebrand” that carries doubt that it actually\r\nbelonged to Adwind was jconnectpro[.]info – the timeline has the “unavailable” unknownsoft[.]com overlapping\r\nthe same timeframe and calls jconnectpro[.]info “a FAKE”.\r\nWho Is ‘Adwind’?\r\nAs we noted earlier, Adwind has uncommonly good OpSec, and initially, conclusively identifying him through his\r\ninfrastructure wasn’t possible.\r\nSpanish-language artifacts were obvious early on. The original website selling Adwind was adwind[.]com[.]mx,\r\nand several YouTube videos and screenshots showed a predominance of Mexican host computers (Figure 18).\r\nFigure 18. Mexican host computers in YouTube advertising\r\nThe email address adwind[at]live.com is found in the strings of Frutas samples (Figure 19) and was referenced at\r\na YouTube video promoting Adwind 1.0.\r\nFigure 19. Frutas strings\r\nThis email address is associated with a Skype profile “adwindandres” (Figure 20), which includes the Adwind\r\nlogo.\r\nFigure 20. Skype profile\r\nThat Skype profile was also used at hackforums[.]net to sell early versions of Adwind RAT. It was also the Skype\r\nlisted at the original Adwind website (Figures 3 and 21).\r\nFigure 21. Original Adwind site Skype\r\nThe same email address is also found in an academic paper, with the same name “Andres” as noted in the Skype:\r\n“C. M. Andrés is a student from J█████ Autonomous University of T██████ in Mexico in the last semester\r\nof the degree in computer systems; (email: adwind [at]live.com).”\r\nElsewhere the paper mentions his full name.\r\nThe very first historical WHOIS entry for adwind[.]com[.]mx contained a full name and location, which matches\r\nthe name and location in the academic paper. 
The WHOIS record was changed to fake information shortly\r\nthereafter.\r\nName: Andres A█████ C████████ M█████\r\nCity: C███████\r\nState: T██████\r\nCountry: Mexico\r\nThe full name of Adwind Andrés appears to be unique. Research uncovered other references to him studying\r\ninformation systems at that university.\r\nIt also led to his Google Maps reviewer profile (Figure 22). The 4,000+ reviews in that profile, including up until\r\na few weeks prior to publication of this blog post, suggest that Adwind Andrés now resides in C██████,\r\nMexico – a few hours’ drive from his university.\r\nFigure 22. Google Maps reviews\r\nA Never-Ending Story?\r\nThe ready availability of commodity malware empowers a huge population of unsophisticated threat actors, who\r\nwould otherwise lack the technical ability to code their own malware. Although the author might not financially\r\nbenefit from the spread of cracked versions of the malware, the author is, after all, responsible for its original\r\nexistence.\r\nDistributed since 2012, sale of the Adwind RAT family has resulted in tens of thousands of malware samples in\r\nthe wild and millions of malware attacks.\r\nOver the last eight years, Adwind Andrés has unsuccessfully attempted to hide his identity as the author of this\r\nmalware and distance himself using successive rebrands.\r\nAs he has iteratively continued to improve upon his software, it would seem that he has been driven into a private-customer model. However, to this day, he continues to develop this software, and profit from its sale to malware\r\nactors.\r\nOrganizations with good spam filtering, proper system administration, and up-to-date Windows hosts have a much\r\nlower risk of infection. Palo Alto Networks customers are further protected from this threat. 
Our threat prevention\r\nplatform detects the Adwind RAT family malware with WildFire and Traps. AutoFocus users can track this\r\nactivity using the Adwind tag.\r\nPalo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report\r\nwith our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections\r\nto their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat\r\nAlliance, visit www.cyberthreatalliance.org.\r\nSource: https://unit42.paloaltonetworks.com/the-legend-of-adwind-a-commodity-rat-saga-in-eight-parts/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/the-legend-of-adwind-a-commodity-rat-saga-in-eight-parts/"
	],
	"report_names": [
		"the-legend-of-adwind-a-commodity-rat-saga-in-eight-parts"
	],
	"threat_actors": [
		{
			"id": "aa57c036-b3e5-4bc4-83b8-cac8498b6c24",
			"created_at": "2023-01-06T13:46:38.589041Z",
			"updated_at": "2026-04-10T02:00:03.03199Z",
			"deleted_at": null,
			"main_name": "SilverTerrier",
			"aliases": [],
			"source_name": "MISPGALAXY:SilverTerrier",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ecff5c60-4f8b-4d7c-9784-f279eb056518",
			"created_at": "2022-10-25T15:50:23.49538Z",
			"updated_at": "2026-04-10T02:00:05.40672Z",
			"deleted_at": null,
			"main_name": "SilverTerrier",
			"aliases": [
				"SilverTerrier"
			],
			"source_name": "MITRE:SilverTerrier",
			"tools": [
				"NanoCore",
				"Agent Tesla",
				"NETWIRE",
				"DarkComet",
				"Lokibot"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434036,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a39a5a8ca3b8031aa7d79e733d411c468dbafd58.pdf",
		"text": "https://archive.orkl.eu/a39a5a8ca3b8031aa7d79e733d411c468dbafd58.txt",
		"img": "https://archive.orkl.eu/a39a5a8ca3b8031aa7d79e733d411c468dbafd58.jpg"
	}
}