{
	"id": "a1c8efc4-fd4d-4d5e-be3c-ba9ee9e89b36",
	"created_at": "2026-04-06T00:07:29.84958Z",
	"updated_at": "2026-04-10T03:38:20.532812Z",
	"deleted_at": null,
	"sha1_hash": "a522d2101053a161a47393d1eac37385ef77c9a4",
	"title": "Lazarus Expands Malicious npm Campaign: 11 New Packages Add ...",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 522320,
	"plain_text": "Lazarus Expands Malicious npm Campaign: 11 New Packages Add\r\n...\r\nArchived: 2026-04-05 13:28:02 UTC\r\nNorth Korean threat actors behind the Contagious Interview operation have expanded their presence in the npm\r\necosystem, publishing additional malicious packages that deliver the previously identified BeaverTail malware\r\nand introducing new packages with remote access trojan (RAT) loader functionality. These latest samples employ\r\nhexadecimal string encoding to evade automated detection systems and manual code audits, signaling a variation\r\nin the threat actors’ obfuscation techniques.\r\nhttps://socket.dev/blog/lazarus-expands-malicious-npm-campaign-11-new-packages-add-malware-loaders-and-bitbucket\r\nPage 1 of 7\n\nThe threat group’s objectives remain unchanged: to compromise developer systems, steal sensitive credentials or\r\nfinancial assets, and maintain access to compromised environments. The Contagious Interview threat actors\r\ncontinue to create new npm accounts and deploy malicious code across platforms like the npm registry, GitHub,\r\nand Bitbucket, demonstrating their persistence and showing no signs of slowing down.\r\nMalicious Campaign Proliferation#\r\nThe threat actors broadened their campaign by publishing new malicious npm packages under previously\r\nidentified aliases – alextucker0519 , edan0831 , and hottblaze – as well as newly created accounts, including\r\ntaras_lakhai , mvitalii , wishorn , and crouch626 . Each package posed as a utility for arrays, logging,\r\ndebugging, or event and API handling. As of this writing, the npm registry has suspended all accounts (and\r\nassociated packages) besides taras_lakhai . We have reported this account and petitioned for its removal, along\r\nwith all GitHub and Bitbucket repositories and user profiles associated with any of the identified accounts. 
In\r\ntotal, the 11 additional malicious packages identified in this expanded campaign have been downloaded over\r\n5,600 times.\r\nBefore the account alextucker0519 was suspended following the discovery of the malicious package array-empty-validator , it had published an additional malicious package, empty-array-validator , which\r\ncommunicated with a separate command and control (C2) server at 144.172.87[.]27 on port 1224 .\r\ntaras_lakhai and mvitalii , two newly identified accounts, use the same IP and port combination to connect\r\nto a C2 server at 45.61.151[.]71 on port 1224 . The shared infrastructure links these two accounts as part of\r\nthe same threat activity. The taras_lakhai account published a malicious package twitterapis , which uses\r\nthis endpoint — matching the infrastructure previously observed in malicious packages from the mvitalii\r\naccount.\r\nSecurityScorecard researchers identified infrastructure linked to the Lazarus Group during their investigation of\r\nthe Contagious Interview operation. One of the packages published by wishorn , a newly created npm account,\r\nuses the same obfuscated C2 IP address — 185.153.182[.]241 on port 1224 — within the dev-debugger-vite package. This account also published two additional malicious packages, snore-log and core-pino ,\r\nreinforcing its connection to the broader Lazarus-led campaign.\r\nBeyond common infrastructure, the identified packages from newly created accounts also share structural\r\nhallmarks with previously attributed Lazarus operations. These packages consistently implement tight loops that\r\nscan up to 200 browser profile directories for Brave, Chrome, and Opera, and attempt to extract private keys from\r\nSolana’s id.json file. Exfiltration occurs silently through HTTP POST requests to C2 servers linked to known\r\nLazarus infrastructure. 
The scripts exhibit hallmark traits of the group’s tooling: layered obfuscation, multi-stage\r\npayload delivery, and repeated use of BeaverTail — an infostealer that targets browser data, macOS keychain, and\r\ncryptocurrency wallets. Several packages also reference InvisibleFerret as a second-stage backdoor, retrieved from\r\nthe same C2 endpoints used in earlier campaigns.\r\nFrom GitHub to Bitbucket#\r\nUnlike earlier Lazarus-linked packages that occasionally referenced GitHub repositories, the packages events-utils , icloud-cod (published by the mvitalii account), and the previously identified react-event-dependency (published by the elondavid account) were linked to Bitbucket repositories. Based on the observed\r\ntimelines, the threat actors create these repositories before publishing their corresponding malicious npm\r\npackages. The threat actor behind the alextucker0519 account uploaded the malicious code to their GitHub\r\nrepository on March 11, 2025, and published the empty-array-validator npm package containing the same code\r\nthe following day, on March 12, 2025. 
This sequencing likely serves to establish a façade of legitimacy – giving\r\nunsuspecting developers the impression that the package is actively maintained simply because it links to a live\r\ncode repository.\r\nMalicious JavaScript file icloud-cod.js hosted on Bitbucket\r\nThe malicious package icloud-cod linked to a Bitbucket repository hosted within a directory named\r\neiwork_hire – a detail that may reflect further efforts to legitimize the threat actors’ Contagious Interview\r\noperations, which lure unsuspecting developers with fake job offers to gain access to their systems for financial\r\nand other illicit objectives.\r\nExpanded Payloads and Obfuscation#\r\nThe npm account crouch626 published four malicious packages: cln-logger , node-clog , consolidate-log ,\r\nand consolidate-logger . The first two packages, cln-logger and node-clog , featured distinct code\r\nstructures and employed a different obfuscation technique from the others. In contrast, consolidate-log and\r\nconsolidate-logger both communicated with the same C2 server at 144.172.87[.]27 on port 1224 ,\r\nconsistent with earlier findings. 
This divergence indicates that the threat actors are deploying multiple malware\r\nvariants within the same broader campaign, potentially to diversify payload delivery and evade detection.\r\nBelow are defanged code snippets from the cln-logger package demonstrating the new obfuscation and\r\nmalicious code with inline comments explaining key functions and objectives.\r\n// Decodes obfuscated hex-encoded strings into readable text\r\n// (e.g., function names, URLs)\r\n// Used to hide malicious strings from static analysis tools and manual review\r\nfunction g(h) {\r\n return h.replace(/../g, match =\u003e String.fromCharCode(parseInt(match, 16)));\r\n}\r\nThe code defines a helper function g(h) that replaces every two hexadecimal characters with their ASCII\r\nequivalents. This mechanism conceals key strings such as require , axios , get , and a remote URL, making\r\nthem less obvious during an inspection.\r\nconst hl = [\r\n g('72657175697265'), // \"require\" — dynamic module import\r\n g('6178696f73'), // \"axios\" — HTTP client\r\n g('676574'), // \"get\" — HTTP GET method\r\n g('68747470...613662'), // C2 URL — hxxps://mocki[.]io/v1/32f16c80-602a-4c80-80af-32a9b8220a6b\r\n g('7468656e'), // \"then\" — handles async response\r\n];\r\nThis array decodes critical JavaScript keywords and a remote URL hidden in hex to evade detection. Once\r\nresolved, it enables the script to fetch and execute code from a C2 server.\r\nUnlike cln-logger , which connects to mocki[.]io , the node-clog package references\r\nm21gk[.]wiremockapi[.]cloud/g/api/880 , decoded from the obfuscated string\r\n68747470733a2f2f6d3231676b2e776972656d6f636b6170692e636c6f75642f672f6170692f383830 .\r\nThis obfuscation tactic is also used by another identified account, wishorn , in its snore-log and core-pino\r\npackages. 
The former references the endpoint ip-api-server[.]vercel[.]app/api/ipcheck/703 , while the latter\r\nuses ip-check-api[.]vercel[.]app/api/ipcheck/703 . This suggests the threat actors are rotating staging\r\ninfrastructure or maintaining multiple redundant C2 endpoints while reusing the same loader pattern.\r\nConsistently throughout these identified packages, the malicious code functions as a remote access trojan (RAT)\r\nloader, relying on obfuscation and dynamic payload execution to evade detection and deliver second-stage\r\nmalware. The scripts encode critical strings in hexadecimal and decode them with String.fromCharCode ,\r\neffectively concealing module names and C2 URLs. This obfuscation technique undermines both automated\r\nscanners and manual code audits, masking the true functionality and intent of the malware.\r\nOutlook and Recommendations#\r\nThe recent expanded malicious campaign tied to the Lazarus Group demonstrates a sustained and adaptable threat\r\nto software supply chains. Far from slowing down, the advanced persistent threat (APT) group is diversifying its\r\ntactics — publishing new malware under fresh aliases, hosting payloads in both GitHub and Bitbucket\r\nrepositories, and reusing core components like BeaverTail and InvisibleFerret alongside a newly observed\r\nRAT/loader variant. These packages exhibit not only reused infrastructure and targeting logic but also redundant\r\nC2 endpoints and varied obfuscation styles, underscoring the threat group’s intent to ensure resilience and evade\r\nautomated detection and manual audits.\r\nOrganizations must assume that targeted infiltration campaigns like Contagious Interview will persist and continue\r\nto evolve. 
Developers — particularly those working in open source, DevOps, and infrastructure engineering roles\r\n— remain high-value targets due to their access and trust within broader environments. As such, proactive defense\r\nmust become foundational to software development practices.\r\nTo mitigate these risks, we recommend embedding multiple layers of supply chain security throughout the\r\ndevelopment lifecycle. This includes automated dependency audits, contextual scanning of third-party packages,\r\nand close scrutiny of packages with limited download history or unverifiable maintainers. Monitoring for unusual\r\ndependency changes and blocking outbound traffic to known or suspicious C2 endpoints can help contain threats\r\nbefore they escalate.\r\nSocket’s security tooling is purpose-built to address these challenges. The Socket GitHub App provides real-time\r\nscanning of pull requests, flagging suspicious or malicious packages before they are merged. The Socket CLI tool\r\nsurfaces red flags during npm installations, helping teams catch dangerous code early. Meanwhile, the Socket\r\nbrowser extension alerts users to suspicious packages upon download or viewing. 
Integrating these tools into\r\ndevelopment pipelines empowers organizations to detect and prevent malware proactively, reducing exposure to\r\nContagious Interview-style supply chain attacks.\r\nIndicators of Compromise (IOCs)#\r\nMalicious npm Packages and Download Count\r\nempty-array-validator (129)\r\ntwitterapis (102)\r\ndev-debugger-vite (1,606)\r\nsnore-log (1,904)\r\ncore-pino (483)\r\nevents-utils (133)\r\nicloud-cod (145)\r\ncln-logger (308)\r\nnode-clog (213)\r\nconsolidate-log (297)\r\nconsolidate-logger (291)\r\nThreat Actor Identifiers\r\nnpm Aliases and Email Addresses:\r\ntaras_lakhai — kevintracy516@gmail[.]com\r\nmvitalii — mvitalii206@gmail[.]com\r\nwishorn — starlancer555@gmail[.]com\r\ncrouch626 — crouchtomy@gmail[.]com\r\nGitHub Accounts:\r\nlukobogdan47\r\naustin-a3\r\nBitbucket Accounts:\r\nEzra Walmsley\r\nRaymundo Curiel\r\nMalicious GitHub Repositories\r\nhttps://github.com/lukobogdan47/empty-array-validator\r\nhttps://github.com/austin-a3/twitterapis\r\nMalicious Bitbucket Repositories\r\nhttps://bitbucket.org/events-utils/launch-events-utils/src/master/\r\nCommand and Control (C2) Endpoints\r\n144.172.87[.]27\r\n45.61.151[.]71\r\n185.153.182[.]241\r\nmocki[.]io/v1/32f16c80-602a-4c80-80af-32a9b8220a6b\r\nm21gk[.]wiremockapi[.]cloud/g/api/880\r\nip-api-server[.]vercel[.]app/api/ipcheck/703\r\nip-check-api[.]vercel[.]app/api/ipcheck/703\r\nMITRE ATT\u0026CK Techniques\r\nT1195.002 — Supply Chain Compromise: Compromise Software Supply Chain\r\nT1608.001 — Stage Capabilities: Upload Malware\r\nT1204.002 — User Execution: Malicious File\r\nT1059.007 — Command and Scripting Interpreter: JavaScript\r\nT1027.013 — Obfuscated Files or Information: Encrypted/Encoded File\r\nT1546.016 — Event Triggered Execution: Installer Packages\r\nT1005 — Data from Local System\r\nT1082 — System Information Discovery\r\nT1083 — 
File and Directory Discovery\r\nT1217 — Browser Information Discovery\r\nT1555.003 — Credentials from Password Stores: Credentials from Web Browsers\r\nT1555.001 — Credentials from Password Stores: Keychain\r\nT1041 — Exfiltration Over C2 Channel\r\nT1105 — Ingress Tool Transfer\r\nT1119 — Automated Collection\r\nT1657 — Financial Theft\r\nSource: https://socket.dev/blog/lazarus-expands-malicious-npm-campaign-11-new-packages-add-malware-loaders-and-bitbucket",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://socket.dev/blog/lazarus-expands-malicious-npm-campaign-11-new-packages-add-malware-loaders-and-bitbucket"
	],
	"report_names": [
		"lazarus-expands-malicious-npm-campaign-11-new-packages-add-malware-loaders-and-bitbucket"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434049,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a522d2101053a161a47393d1eac37385ef77c9a4.pdf",
		"text": "https://archive.orkl.eu/a522d2101053a161a47393d1eac37385ef77c9a4.txt",
		"img": "https://archive.orkl.eu/a522d2101053a161a47393d1eac37385ef77c9a4.jpg"
	}
}