{
	"id": "45cc553e-60d7-4887-90bc-11a87a10f07e",
	"created_at": "2026-04-06T00:22:30.071339Z",
	"updated_at": "2026-04-10T13:12:04.030161Z",
	"deleted_at": null,
	"sha1_hash": "a6400050e83a0571c5df8b7feff2617213a3439d",
	"title": "Lazarus KillDisks Central American casino",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 12022123,
	"plain_text": "Lazarus KillDisks Central American casino\r\nBy Anton Cherepanov and Peter Kálnai\r\nArchived: 2026-04-02 10:41:39 UTC\r\nOur analysis shows that the cybercriminals behind the attack against an online casino in Central America, and several other targets in late 2017, were most likely the infamous Lazarus hacking group. In all of these incidents the attackers utilized similar toolsets, including KillDisk, the disk-wiping tool that was executed on compromised machines.\r\nLazarus toolset\r\nThe Lazarus Group was first identified in Novetta’s report Operation Blockbuster in February 2016; US‑CERT and the FBI call this group Hidden Cobra. These cybercriminals rose to prominence with the infamous case of cyber-sabotage against Sony Pictures Entertainment.\r\nSome of the past attacks attributed to the Lazarus Group attracted the interest of security researchers, who relied on Novetta et al.’s white papers, with hundreds of pages describing the tools used in the attacks (the Polish and Mexican banks, the WannaCryptor outbreak, phishing campaigns against US defense contractors, etc.), which provide grounds for the attribution of these attacks to the Lazarus Group.\r\nhttps://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/\r\nPage 1 of 11\n\nNote that the Lazarus toolset (i.e. the collection of all files that are considered by the security industry as fingerprints of the group’s activity) is quite broad, and we believe there are numerous subgroups. Unlike toolsets used by some other cybercriminal groups, none of the source code of any Lazarus tools has ever been disclosed in a public leak.\r\nOn top of custom tools, the Lazarus Group also leverages projects that are either available from GitHub or provided commercially.\r\nLazarus tools in casino attack\r\nIn this section, we review some of the tools that were detected on numerous servers and endpoints in the network of an online casino in Central America. These were used in conjunction with the destructive KillDisk samples described later. We explain why we believe they are linked to Lazarus. ESET detects known Lazarus malware as Win32/NukeSped or Win64/NukeSped.\r\nAlmost all of these tools are designed to run as a Windows service. Administrator privileges are necessary to achieve this, which means the attackers expected to already hold those privileges at the time the tools were designed or compiled.\r\nTCP backdoor\r\nWin64/NukeSped.W is a console application that is installed in the system as a service. One of the initial execution steps is dynamically resolving the required DLL names, on the stack:\r\nLikewise, procedure names of Windows APIs are constructed dynamically. In this particular sample, they are visible in plaintext; in other past samples that we’ve analyzed they were base64-encoded, encrypted or resolved on the stack character by character:\r\nBoth are typical traits of Lazarus malware. Another typical Lazarus backdoor characteristic is also seen in this backdoor: it listens on a specific port that it ensures is not blocked by the firewall:\r\nThe backdoor supports 20 commands whose functionality is similar to previously analyzed Lazarus samples (note that the command names here did not originate from the attackers but were created by an ESET malware analyst):\r\nIt creates several files on the file system. The listening port is stored in a text file named %WINDOWS%\\Temp\\p. The file %WINDOWS%\\Temp\\perflog.evt contains a list of paths of binary files to be injected, executed or written to the Registry depending upon the beginning character:\r\nIn the case of the “+” option, the output of cmd.exe /c \"%s 2\u003e\u003e %s\" (or cmd.exe /c \"%s \u003e\u003e %s 2\u003e\u00261\") is logged to %WINDOWS%\\Temp\\perflog.dat.\r\nSession hijacker\r\nWin64/NukeSped.AB is a console application that creates a process as another currently logged-in user on the victim’s system (similar to command number 17 from the previously described TCP backdoor).\r\nIt is a Themida-protected variant of a sample described by Kaspersky. In our case, it was installed as C:\\Users\\public\\ps.exe. It accepts three parameters.\r\nA static look shows the same file properties in both these samples: the same PE compilation timestamp, identical Rich Header linker data (indicating that the linker was Visual Studio 2010 (10.00)), and part of the resources version info matches:\r\nWhile the PE timestamp and the resources are stolen from the legitimate Microsoft PREVHOST.EXE file from Windows 7 SP1, the linker data was not: the original Microsoft file was compiled and linked by Visual Studio 2008 (9.00).\r\nOur subsequent dynamic analysis confirmed that this file, found in the compromised casino’s network, is related to the session hijacker used in the Polish and Mexican attacks.\r\nLoader/installer\r\nThis is a simple command line tool accepting several switches. Its purpose is to work with processes (injecting/killing a process by PID or by name), services (terminating/reinstalling a service) or files (drop/remove). Its exact functionality depends on the parameters.\r\nKillDisk variants\r\nKillDisk is a generic detection name that ESET uses for destructive malware with disk-wiping capabilities, such as damaging boot sectors and overwriting then deleting (system) files, followed by a reboot to render the machine unusable. Although all KillDisk malware has similar functionality, as a generic detection, individual samples do not necessarily have strong code similarities or relationships. Such generic malware detections usually have many “sub-families”, distinguished by the detection suffix (e.g. Win32/KillDisk.NBO in this case). Sub-family variants that do have strong code similarities are sometimes seen in separate cyberattacks and thus can help us make connections, as here. Other cases, for example the directed cyberattacks against high-value targets in Ukraine in December 2015 and December 2016, also employed KillDisk malware, but those samples were from different KillDisk sub-families, so they are most likely unrelated to these attacks.\r\nIn the Central American online casino case, we detected two variants of Win32/KillDisk.NBO in their network. This malware was detected on over 100 machines in the organization. There are several possible explanations for its deployment, with the attackers covering their tracks after an espionage operation, or its direct use for extortion or sabotage, being the most probable. In any case, the impact against a single organization is large.\r\nBased on our telemetry, the simultaneous use of the detected Win32/KillDisk.NBO variants, and the other known Lazarus malware on the targeted network, we are confident this KillDisk malware was deployed by Lazarus, rather than by another, unrelated attacker.\r\nOur analysis of these two Win32/KillDisk.NBO variants revealed that they share many code similarities. Further, they are almost identical to the KillDisk variant used against financial organizations in Latin America, as described by Trend Micro.\r\nIn this online casino case, the KillDisk variants’ path was typically C:\\Windows\\Temp\\dimens.exe. The actual embedded payload is injected into the system process werfault.exe:\r\nOne of the variants was protected using the commercial PE protector VMProtect in its 3rd generation, which made unpacking it trickier. The attackers most likely did not buy a VMProtect license but rather used leaked or pirated copies available on the Internet. Using protectors is common for the Lazarus group: during the Polish and Mexican attacks in February 2017, they made use of Enigma Protector, and some of the Operation Blockbuster samples, reported by Palo Alto Networks, used an older version of VMProtect.\r\nCommon Lazarus format strings\r\nAmong numerous typical characteristics that let us attribute the samples and attacks to Lazarus, one worth pointing out for the sake of other researchers is format strings. The table below lists formatting strings found in the aforementioned samples, as well as in many TCP backdoors linked with Lazarus:\r\nFormat String | Lazarus Attack / Report\r\ncmd.exe /c \"%s 2\u003e\u003e %s\" ; cmd.exe /c \"%s \u003e\u003e %s 2\u003e\u00261\" | This case - online casino in Central America\r\ncm%sx%s\"%s%s %s\" 2\u003e%s | Operation Blockbuster \u0026 WannaCryptor outbreak\r\nc%s.e%sc \"%s \u003e %s 2\u003e\u00261\" ; %sd.e%sc \"%s \u003e %s 2\u003e\u00261\" | Operation Blockbuster - The Sequel\r\n%s%s%s \"%s \u003e %s 2\u003e\u00261\" ; md.e ; xe /c | Operation Blockbuster - The Saga\r\n%sd.e%sc \"%s \u003e %s\" 2\u003e\u00261 ; %sd.e%sc n%ssh%srewa%s ad%s po%sop%sing T%s %d \"%s\" | Operation Blockbuster\r\n%s /c \"%s\" \u003e%s 2\u003e\u00261 | Operation Blockbuster\r\ncmd.exe /c \"%s\" \u003e %s 2\u003e\u00261 | The Polish and Mexican case\r\nBy itself, this might not seem to be a convincing clue, but checking these format strings against all the malware samples ever collected by ESET, the only results are from samples in suspected Lazarus operations. Hence, we conclude that these format strings represent a relevant, static characteristic of the Lazarus Group’s modus operandi.\r\nAdditional tools\r\nThere are (at least) two widely available tools that the attackers in the online casino case also used.\r\nBrowser Password Dump\r\nThis shady tool serves the purpose of recovering passwords from popular web browsers. However, it is a tool from December 2014, which uses old, well-known techniques. Nevertheless, it can be used effectively on the current, latest versions of Google Chrome (64.0.3282.186), Chromium (67.0.3364.0), Microsoft Edge (41.16299.15.0) and Microsoft Internet Explorer (11.0.9600.17843). It does not work against recent versions of Firefox or Opera.\r\nMimikatz\r\nThese attackers also used a modified version of the infamous open-source tool Mimikatz, which is used for extracting Windows credentials. It accepts one parameter: the name of the file in which to store the output. If no parameter is given, the output file is called ~Temp1212.tmp and is located in the same directory as Mimikatz. The output contains hashes of the Windows credentials of currently logged-in users. This tool is commonly used by various APT groups and cybercriminals, for example by the Telebots group in the massive DiskCoder.C (aka NotPetya) outbreak, or in Operation Buhtrap.\r\nInfection vector\r\nMost of the tools described above are downloaded and installed onto victim systems by malicious droppers and loaders active in the initial stage of the attack. Moreover, we have seen indicators that the attackers leveraged remote access tools, such as Radmin 3 and LogMeIn, in order to control machines remotely.\r\nConclusion\r\nThis recent attack against an online casino in Central America suggests that hacking tools from the Lazarus toolset are recompiled with every attack (we didn’t see these exact samples anywhere else). The attack itself was very complex, consisted of several steps, and involved tens of protected tools that, being stand-alone, would reveal little from their dynamics.\r\nUtilizing KillDisk in the attack scenario most likely served one of two purposes: the attackers covering their tracks after an espionage operation, or direct use for extortion or cyber-sabotage. In any case, the fact that ESET products detected the malware on over 100 endpoints and servers in the organization signifies a large-scale effort by the attackers.\r\nSpecial thanks to Dávid Gábriš and Robert Lipovský.\r\nImage Credit: © Julliane Nova\r\nSAMPLES\r\nSource: https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/"
	],
	"report_names": [
		"lazarus-killdisk-central-american-casino"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "01d569b1-f089-4a8f-8396-85078b93da26",
			"created_at": "2023-01-06T13:46:38.411615Z",
			"updated_at": "2026-04-10T02:00:02.963422Z",
			"deleted_at": null,
			"main_name": "BuhTrap",
			"aliases": [],
			"source_name": "MISPGALAXY:BuhTrap",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b046db2-f60e-49ae-8e16-0cf82a4be6fb",
			"created_at": "2022-10-25T16:07:23.427162Z",
			"updated_at": "2026-04-10T02:00:04.594113Z",
			"deleted_at": null,
			"main_name": "Buhtrap",
			"aliases": [
				"Buhtrap",
				"Operation TwoBee",
				"Ratopak Spider",
				"UAC-0008"
			],
			"source_name": "ETDA:Buhtrap",
			"tools": [
				"AmmyyRAT",
				"Buhtrap",
				"CottonCastle",
				"FlawedAmmyy",
				"NSIS",
				"Niteris EK",
				"Nullsoft Scriptable Install System",
				"Ratopak"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39842197-944a-49fd-9bec-eafa1807e0ea",
			"created_at": "2022-10-25T16:07:24.310589Z",
			"updated_at": "2026-04-10T02:00:04.931264Z",
			"deleted_at": null,
			"main_name": "TeleBots",
			"aliases": [],
			"source_name": "ETDA:TeleBots",
			"tools": [
				"BadRabbit",
				"Black Energy",
				"BlackEnergy",
				"CredRaptor",
				"Diskcoder.C",
				"EternalPetya",
				"ExPetr",
				"Exaramel",
				"FakeTC",
				"Felixroot",
				"GreyEnergy",
				"GreyEnergy mini",
				"KillDisk",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NonPetya",
				"NotPetya",
				"Nyetya",
				"Petna",
				"Petrwrap",
				"Pnyetya",
				"TeleBot",
				"TeleDoor",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"nPetya"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434950,
	"ts_updated_at": 1775826724,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a6400050e83a0571c5df8b7feff2617213a3439d.pdf",
		"text": "https://archive.orkl.eu/a6400050e83a0571c5df8b7feff2617213a3439d.txt",
		"img": "https://archive.orkl.eu/a6400050e83a0571c5df8b7feff2617213a3439d.jpg"
	}
}