{
	"id": "a126f7d8-a6b8-4293-a75a-030ade19fbf4",
	"created_at": "2026-04-06T00:20:16.499836Z",
	"updated_at": "2026-04-10T03:37:36.950095Z",
	"deleted_at": null,
	"sha1_hash": "a848825ae64f3d888335369ab3aca1e2102c2848",
	"title": "Iran Cyber Threat Overview",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 722630,
	"plain_text": "Iran Cyber Threat Overview\r\nBy Maxime A. and Sekoia TDR\r\nPublished: 2023-06-05 · Archived: 2026-04-05 15:54:21 UTC\r\nThis blogpost aims at understanding and contextualising cyber malicious activities associated with Iran-nexus\r\nintrusion sets over the 2022-2023 period. It does not establish an exhaustive list of campaigns or reported\r\nintrusion sets, but rather offers a strategic analysis pertaining to the Iranian cyber threat. Information cut-off date is\r\n5 May 2023.\r\nCONTEXT\r\nThe Islamic Republic of Iran does not publicly communicate on its cyber offensive doctrine. However, the\r\nobserved use of its capabilities shows pragmatic cyber operations pursuing three strategic objectives that align\r\nwith Iran’s geopolitical objectives. \r\nThe first objective relates to Iran’s domestic stability. Cyber operations are used to maintain and support the regime\r\nby surveilling political dissidents, journalists and activists seen as potential vectors of foreign influence. The second\r\nobjective pertains to national territory protection, based on a perceived military and cyber threat level\r\noriginating from enemies (USA, Israel, Saudi Arabia), leveraging strategic cyber espionage operations to collect\r\nintelligence about adversarial intentions. The third objective applies to foreign policy: Iran operates cyber operations\r\nas a tool to promote and secure its regional influence. \r\nIran was, and still is, a target of multiple reported cyber operations. This aspect is important for a better\r\nunderstanding of the Iranian cyber strategy, as Iran often conducts retaliation operations. The origin of Iranian\r\nuse of offensive cyber operations is related to two main events: the 2009 Green Movement, where civilians\r\nprotested the reelection of President Ahmadinejad; and the detection of Stuxnet in 2010, a malware allegedly\r\ndeveloped by the USA and Israeli services to damage nuclear centrifuge machines. 
Iranian leaders likely perceived\r\nthe necessity for the surveillance of the Internet, specifically social media, to maintain the stability of the regime,\r\nand realised the potential of offensive cyber operations, both as a target and as an instigator. \r\nSince 2022 and throughout 2023, the Islamic Republic faces heightened geopolitical challenges, potentially\r\ninfluencing its strategy for cyber operations. The election of Ebrahim Raisi as Iranian president in August 2021\r\nbrought back to power radical conservatives, which impacted the negotiations to restore the Joint Comprehensive\r\nPlan of Action (JCPOA) nuclear deal, increasing political confrontation between Tehran and western countries,\r\nalso fueled by the supply of Iranian weapons to Russia in the context of the Russo-Ukrainian conflict. Iran suffers\r\nfrom domestic instability, both economically – the 2022 inflation rate was near 50% – and politically with the\r\nlongstanding and widespread Mahsa Amini civilian protests from September 2022 to February 2023. Lastly, in\r\nApril 2023, Tehran and Riyadh announced they would resume the diplomatic relations that had been cut off since\r\n2016, an initiative facilitated by China.\r\nIRANIAN CYBER OFFENSIVE ORGANISATION\r\nhttps://blog.sekoia.io/iran-cyber-threat-overview/\r\nPage 1 of 9\n\nIran presents a cyber offensive capability mostly operated by the two main intelligence and security services, the\r\nIslamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence (MOIS). \r\nIslamic Revolutionary Guard Corps\r\nThe IRGC is a branch of the Iranian Armed Forces, founded after the 1979 Iranian Revolution as an ideologically-driven militia responsible for the protection of the Islamic Republic political system. IRGC key positions are\r\nappointed by the Supreme Leader of the Islamic Republic, presently Ali Khamenei, guaranteeing direct reporting\r\nto him, thus bypassing the President’s office. 
IRGC can be seen as a military elite corps with specific missions,\r\nincluding ground, aerospace, naval and cyberspace forces. IRGC includes the Basij militia, a paramilitary\r\nvolunteer militia, and the Qods special force. Both substructures were reported leveraging cyber offensive\r\noperations. \r\nLittle open-source information can be found on the IRGC internal cyber organisation. Sekoia.io TDR analysts\r\nestablished a partial organisational diagram from leaked data, available at the end of the post.\r\nActive intrusion sets associated with IRGC – APT35, APT42, Nemesis Kitten and Cotton Sandstorm (ex-NEPTUNIUM) – mainly focus on targets linked to foreign government, military, energy, maritime transportation\r\nand research entities (think tanks, NGOs, academics) working on Iran and Middle-East subject matters. They\r\nconduct cyber operations using social media spear phishing techniques as initial vector and aiming at strategic\r\nobjectives including espionage, sabotage, information operations and, to a lesser extent, lucrative ones. \r\nSekoia.io, along with some cybersecurity vendors, considers APT35 as a cluster assessed to be operated by the\r\nIRGC-Intelligence Organisation (IRGC-IO) and composed of multiple aliases or subgroups such as Charming\r\nKitten, ITG18, TA453 and Cobalt Mirage, including APT42, a newly exposed intrusion set focused on individuals\r\nworking for NGOs and think tanks. Sekoia.io assesses Nemesis Kitten is also part of the APT35 cluster. \r\nMinistry of Intelligence\r\nThe Ministry of Intelligence of the Islamic Republic of Iran (MOIS in English, or VEVAK for its Farsi acronym)\r\nis the main foreign intelligence service. MOIS is the successor of SAVAK, the intelligence service of the\r\nprevious Shah’s regime. It is responsible for both foreign operations and domestic surveillance. Its missions\r\noften overlap with those of IRGC, with which relations are competitive. 
\r\nMOIS is responsible for signals intelligence and collecting information from electronic communications.\r\nContrary to IRGC, the Ministry of Intelligence reports to the President, not the Supreme Leader. While both structures\r\naim at protecting the regime, MOIS is assessed to be more technical and less ideology-driven than IRGC\r\nleaders.\r\nActive intrusion sets associated with MOIS – MuddyWater, Oilrig (aka APT34), Hexane, Agrius and the newly\r\nexposed DarkBit (aka DEV-1084) – mainly focus on sectors such as government, energy, telecommunications and\r\nmaritime transportation. They carry out offensive operations with espionage, sabotage and influence purposes.\r\nMuddyWater, Oilrig and Hexane are likely directly operated by MOIS operatives, as overlaps in tactics, techniques\r\nand procedures (TTPs) or operational tempo coordination were observed by Sekoia.io analysts. It is not\r\nclear whether DarkBit (aka DEV-1084) is a subgroup of MuddyWater, or a newly observed intrusion set\r\nconducting post-intrusion and destructive operations.\r\nContractors, private firms and universities associated with Iran cyber operations\r\nIran cyber organisations were reported contracting private companies and institutes linked to universities to\r\nconduct domestic and foreign cyber offensive operations. This contracting system is used for both highly technical\r\nattacks and for domestic social media influence operations. \r\nNemesis Kitten, an intrusion set associated with the APT35 cluster, is operated by two private companies working\r\ntogether, Afkar System and Najee Technologies, assessed by the US Treasury to be contracted by IRGC-IO. 
Both\r\ncompanies were observed conducting strategic espionage activities as well as lucrative ransomware campaigns.\r\nIt is not clear whether the lucrative activities are part of an IRGC-IO mandate, or are leveraged by the companies\r\nfor their own profit.\r\nAnother example of private contractors is Emennet Pasargad, a private company associated with the Cotton\r\nSandstorm (ex-NEPTUNIUM) intrusion set and assessed to conduct espionage and ideology-driven influence\r\noperations on behalf of the IRGC-Electronic Warfare and Cyber Defense Organisation. \r\nThe Ministry of Intelligence also uses contractors, notably Ravin Academy, a company co-founded in 2019 by\r\nMOIS members Seyed Mojtaba Mostafavi and Farzin Karimi, both former MuddyWater and Oilrig managers, to\r\ntrain and recruit offensive operators for the MOIS.\r\nSekoia.io is aware of former contractors such as Mabna Institute, Rana Institute, ITSecTeam, Ashiyane Security\r\nTeam or Shahid Beheshti University, all involved in the past with Iran cyber operations. Intrusion sets associated\r\nwith those contractors were not observed as active in the 2022-2023 period.\r\nOBJECTIVES OF IRAN CYBER OPERATIONS\r\nStrategic espionage and domestic cyber surveillance\r\nIran conducts cyber operations aiming at intelligence collection for strategic purposes, essentially targeting\r\nneighbouring states, in particular Iran’s geopolitical rivals such as Israel, Saudi Arabia and Arab Gulf\r\ncountries, a continued focus observed in all operations since 2011. For instance, the intrusion set Oilrig was\r\nobserved targeting the Jordanian Foreign Ministry in March 2022 using the group’s Saitama backdoor, a malware\r\ndetected in multiple Middle East entities in the same period. 
Due to the strategic nature of espionage operations,\r\nfew details on the scope of the compromise or the impacted resources are available in open source\r\npublications.\r\nDomestic surveillance is also a strong focus for Iran-nexus intrusion sets. Among the ones Sekoia.io follows, at\r\nleast four were observed carrying out domestic surveillance (APT35, APT42, Domestic Kitten and MuddyWater).\r\nIn October 2022, ESET documented a newly discovered malware (FurBall) used by Domestic Kitten, an\r\nintrusion set active since at least 2016 and conducting a longstanding mobile surveillance operation against\r\nIranian citizens. It is worth noting that domestic surveillance shows a particular focus on mobile espionage.\r\nAnother illustrative example is the detection of the TelegramGrabber malware used by APT35, detailed by PwC in\r\nAugust 2022, as all victims’ mobile numbers contained the Iranian country code and Farsi was the main language\r\nseen in victim databases.\r\nDestructive cyber operations \r\nIran is known to conduct destructive operations, as the first documented Iran cyber attack, Shamoon in 2012,\r\nleveraged a destructive wiper that had a strong impact on the Saudi company Saudi Aramco. The attack was later\r\ninterpreted as a retaliation on a US ally for the Stuxnet operation.\r\nIn 2022-2023, Iran-nexus intrusion sets continue to conduct destructive campaigns with an operational\r\nevolution: the use of hacktivist fronts claiming responsibility and justifying the operation. In July 2022, a front\r\nnamed HomeLand Justice claimed credit for the disruptive and destructive activity that impacted the Albanian\r\ngovernment. The operation was assessed to be conducted by intrusion sets, mainly Oilrig and Hexane, operating\r\non behalf of the Ministry of Intelligence.\r\nThe DarkBit persona is another example. 
In February 2023, MuddyWater conducted an operation targeting the\r\nTechnion Israel Institute of Technology, based in Haifa, with a false ransomware operation masking a\r\ndestructive operation, using a front named “DarkBit group”. According to Microsoft, two intrusion sets\r\nconducted the operation. MuddyWater carried out the initial intrusion and handed off access to the DarkBit intrusion\r\nset (aka DEV-1084), which conducted extensive reconnaissance, established persistence, and moved laterally to\r\nfinally launch a destructive command. \r\nIt is worth noting that this is the first time a distinct intrusion set is used for post-intrusion and destructive\r\nactivity. Sekoia.io TDR analysts assess the use of fronts to blur destructive operations will likely continue\r\nand increase, given the general increase of front use by Iran-nexus intrusion sets, notably to conduct information\r\noperations.\r\nIranian information operations\r\nInformation operations (info ops) led by Iranian actors increased significantly in 2022 and 2023, contributing to\r\nIran’s geopolitical objectives to promote and secure its regional influence.\r\nAmong the multiple intrusion sets leveraging info ops, Cotton Sandstorm (ex-NEPTUNIUM) is the most active.\r\nAccording to the US Treasury, Cotton Sandstorm is operated by Emennet Pasargad, an Iran-based private\r\ncompany operating on behalf of the IRGC-Electronic Warfare and Cyber Defense Organisation (IRGC-EWCD).\r\nThe group was first indicted in 2020 for an information operation targeting Donald Trump’s close staff in order to\r\ncompromise his Twitter account and influence the 2020 US presidential election against his reelection. \r\nIn January 2023, Cotton Sandstorm conducted an info op targeting the French satirical newspaper Charlie Hebdo,\r\nperceived as insulting Islam, leading to an exfiltration of customer data. 
In February 2023, the same group\r\nimpersonated Al-Toufan, a persona that claimed a defacement campaign targeting Bahrain’s news website, likely\r\nto fuel Shia Islam majority protests against a Sunni government aligned with Saudi Arabia. Other reported info\r\nops impacted Israel, inciting Palestinian resistance or promoting counter-narratives against the normalisation of\r\nArab-Israeli diplomacy. Each info op conducted by Cotton Sandstorm was amplified by fake social media\r\naccounts relaying their narrative.\r\nSekoia.io assesses Iran-nexus intrusion sets Agrius, Oilrig and in particular Cotton Sandstorm will continue and\r\nincrease information operations leveraging fronts, targeting Iran’s geopolitical adversary neighbouring countries\r\nsuch as Gulf Cooperation Council members and Israel. \r\nIran-originating lucrative operations\r\nFew intrusion sets were reported conducting lucrative operations; however, both of them, Fox Kitten and Nemesis\r\nKitten, are suspected to be operated by private firms contracted by IRGC. \r\nAs previously mentioned, Nemesis Kitten is operated by two private companies contracted by IRGC and Sekoia.io\r\nconsiders the group as part of the APT35 cluster. In May 2022, Nemesis Kitten was accused by the US CISA of\r\nconducting a long-term ransomware and crypto-mining campaign exploiting the Log4j 1-day vulnerability,\r\nimpacting multiple US public entities. For Sekoia.io it remains unclear whether this lucrative activity was part of\r\nthe alleged IRGC mandate or a tolerated initiative conducted by Afkar System and Najee Technology as a side\r\nactivity.\r\nGEOGRAPHICAL AND ECONOMIC VICTIMOLOGY\r\nMost impacted sectors\r\nEnergy – The energy sector is a historic target for Iran. 
Over time, IRGC-associated APT33 leveraged the\r\ndestructive malware Shamoon for multiple operations (2012, 2018, 2020), impacting Saudi Aramco, the most\r\nimportant economic asset for Saudi Arabia, one of Iran’s regional rivals. Energy is still a major target for Iran-nexus\r\nintrusion sets, yet few recent (2022-2023) open-source cases are available due to the strategic nature of impacted\r\nentities. In April 2023, Microsoft published about IRGC-associated APT35, described as an intrusion set capable\r\nof directly targeting US critical infrastructure, including energy companies and a major US utility and gas entity.\r\nTelecommunications – Since the end of 2021, the telecommunications sector has been increasingly impacted by Iran-nexus intrusion sets. Recently, in January 2023, Microsoft identified a MuddyWater spear phishing campaign\r\naiming at employees of Middle-East telecom operators, which concurs with Talos’ findings of MuddyWater’s\r\ninterest in an Armenian Internet service provider. Such focus was also shared by Hexane, which conducted an\r\nespionage campaign targeting telecom operators based in Saudi Arabia, Tunisia, Morocco and Israel in early 2022.\r\nSekoia.io assesses this focus is possibly related to the MOIS SIGINT mandate, as this sector is mostly impacted by\r\nMOIS-associated intrusion sets. \r\nMaritime transportation – In 2022, the transportation sector and in particular maritime transportation were\r\nimpacted by Iran cyber operations. Since at least July 2022, APT35 conducted an espionage operation targeting\r\nemployees of an Egypt-based shipping and marine services company. At the same time, UNC3890, an\r\nintrusion set Sekoia.io assesses to be part of the APT35 cluster, focused on Israeli entities including maritime shipping\r\ncompanies. 
Earlier, in December 2021, Microsoft reported on Iran-nexus DEV-0343, an intrusion set notably\r\ntargeting Persian Gulf ports of entry and global maritime transportation companies with business presence in the\r\nMiddle East. Sekoia.io assesses with high confidence the maritime transportation sector is a primary target for\r\nIRGC-associated intrusion sets, as the Persian Gulf and the Strait of Hormuz are critical areas supposed to fall in the\r\nIRGC mandate. \r\nCritical infrastructure – According to multiple US agencies’ assessments pertaining to cyber threats, Iran-nexus\r\nintrusion sets are able to impact US critical infrastructure. However, very little infrastructure targeting can be\r\nobserved in open source, apart from an Iran-originated operation aiming to disrupt and allegedly tamper with\r\nIsrael’s water supply in June 2020. \r\nIndividuals linked to NGOs, think tanks and universities\r\nSekoia.io TDR analysts observe a trend in targeting individuals conducting research related to Middle-East and\r\nIran affairs, whether they are academics, NGO members or employees of western-funded think tanks. Among\r\nothers, APT42, an intrusion set part of the APT35 cluster, focuses only on such targets, such as Human Rights\r\nWatch staff members and activists, or an American political commentator expert on sanctions and counter-terrorist\r\nfinancing policy. Of note, Sekoia.io observes advanced social engineering is central to initial intrusion,\r\nspecifically when considering social profiling, the creation of fake profiles or progressive contacting.\r\nMost impacted regions\r\nAs a continuation of previous observations pertaining to Iran cyber threats, every Iran-nexus intrusion set\r\nincludes Middle-East targeting, and nearly all of them aim at targeting Israel. 
However, most open source\r\npublications pertaining to cyber operations targeting the Middle-East do not specifically detail impacted\r\ncountries. This lack of granularity does not allow an exact representation of impacted states.\r\nIn second position comes the USA, a country where reported operations originating from Iran increased over\r\nthe 2022-2023 period. Some cybersecurity vendors’ analyses, with which Sekoia.io concurs, assess IRGC-associated\r\nintrusion sets such as APT35 are now less bounded in their operations targeting the USA. Other regions, such as\r\nthe European Union or the Balkans, are less but still impacted, as we observed with the disruptive and destructive\r\nactivity that impacted the Albanian government. Of note, the consequences of the operation on Albania show\r\nthe impact Iran can have on moderately cyber-protected countries.\r\nIRAN CYBER THREAT RECENT EVOLUTION\r\nIran-nexus intrusion sets seem to be increasing their technical skills and operational reactivity to publicly disclosed\r\nvulnerabilities. Some of them were also observed as reactive to public reporting, namely Oilrig when its tactics,\r\ntechniques and procedures (TTPs) were partially leaked on a Telegram channel named Lab Dookhtegan in May\r\n2020. An operational activity takeover from Oilrig to Hexane was perceptible, suggesting operators swapped between\r\nthe two groups associated with MOIS. In 2023, APT35 showed a rapid exploitation of publicly disclosed\r\nvulnerabilities CVE-2022-47966 and CVE-2022-47986, exploiting them between one and five days after they\r\nbecame public. 
Before 2023, the group often required weeks to weaponize exploits for vulnerabilities like\r\nProxyShell and Log4Shell, according to Microsoft.\r\nActive collaboration between intrusion sets associated with the same structure was perceptible in 2022, as\r\nobserved with the disruptive and destructive campaign on Albania involving the participation of Hexane, Oilrig and at\r\nleast 3 other less-known intrusion sets, all assessed to be operated by MOIS. Sekoia.io assesses it is plausible that\r\nsuch cooperation is facilitated by initiatives like Ravin Academy, already mentioned in this report, which allow\r\noperators and TTPs exchange among MOIS-associated intrusion sets. Plaid Rain (ex-POLONIUM) is another\r\nexample: the Lebanon-based intrusion set active since early 2022 is suspected of coordination with other actors\r\naffiliated with MOIS, based on TTPs and victimology overlap. If confirmed, a collaboration with a Lebanese\r\ngroup would be coherent with the links Iranian intelligence services share with Shia political groups such as\r\nHezbollah, now including cyber intelligence.\r\nCONCLUSION\r\nSekoia.io assesses the Iran cyber threat will likely continue to grow in the next years as its technical and operational\r\ncapabilities advance while the country is increasingly in a geopolitical confrontation with Israel, Western countries\r\nand allies due to a return of the ultraconservatives to power.\r\nThe geopolitical confrontation is likely to carry on against Gulf Cooperation Council members as well, including\r\nSaudi Arabia despite the normalisation of diplomatic relations between Riyadh and Tehran. 
Indeed, before 2016,\r\ndiplomatic relations did not prevent Iran and Saudi Arabia from confronting each other indirectly in the Yemeni civil war, nor\r\nstop Iran from conducting major cyber destructive operations toward Saudi Aramco.\r\nIran-nexus intrusion sets will highly likely continue to use cyber persona fronts, either to cover destructive\r\nactivity and / or to amplify information operations aimed at contributing to securing Iran’s regional influence and to\r\nlegitimise the Islamic Republic’s narrative against its geopolitical adversaries. \r\nThe targeting of Middle-East telecom operators and maritime transportation sectors by respectively MOIS\r\nand IRGC is likely to continue, probably as part of a pre-positioning strategy in the event of an open conflict\r\nwhere Persian Gulf navigation and telecommunications would be critical for Iran.\r\nAppendix – IRGC partial organisational diagram from leaked data\r\nThank you for reading this blogpost. We welcome any reaction, feedback or criticism about this analysis. Please\r\ncontact us on tdr[at]sekoia.io\r\nSource: https://blog.sekoia.io/iran-cyber-threat-overview/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://blog.sekoia.io/iran-cyber-threat-overview/"
	],
	"report_names": [
		"iran-cyber-threat-overview"
	],
	"threat_actors": [
		{
			"id": "640fc3dc-433d-4244-a85a-21d5135498b2",
			"created_at": "2025-08-07T02:03:24.71289Z",
			"updated_at": "2026-04-10T02:00:03.688893Z",
			"deleted_at": null,
			"main_name": "COBALT AZTEC",
			"aliases": [
				"DEV-1084 ",
				"GOLD AZTEC",
				"Storm-1084 "
			],
			"source_name": "Secureworks:COBALT AZTEC",
			"tools": [
				"DarkBit ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cde987a8-c71f-49e2-b761-5b7fa2b4ada6",
			"created_at": "2022-10-25T16:07:23.706646Z",
			"updated_at": "2026-04-10T02:00:04.719127Z",
			"deleted_at": null,
			"main_name": "Hexane",
			"aliases": [
				"ATK 120",
				"Cobalt Lyceum",
				"G1001",
				"Lyceum",
				"Operation Out to Sea",
				"Siamesekitten",
				"Yellow Dev 9"
			],
			"source_name": "ETDA:Hexane",
			"tools": [
				"DanBot",
				"DanDrop",
				"Decrypt-RDCMan.ps1",
				"Get-LAPSP.ps1",
				"James",
				"Milan",
				"kl.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "82f54603-89e0-4f5a-8df9-eae0c3a90d70",
			"created_at": "2022-10-25T16:07:23.745406Z",
			"updated_at": "2026-04-10T02:00:04.734764Z",
			"deleted_at": null,
			"main_name": "ITG18",
			"aliases": [],
			"source_name": "ETDA:ITG18",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6b4a82e8-21f1-4bc7-84cf-e27334998b48",
			"created_at": "2022-10-25T16:07:23.84296Z",
			"updated_at": "2026-04-10T02:00:04.762229Z",
			"deleted_at": null,
			"main_name": "DEV-0270",
			"aliases": [
				"DEV-0270",
				"DireFate",
				"Lord Nemesis",
				"Nemesis Kitten",
				"Yellow Dev 23",
				"Yellow Dev 24"
			],
			"source_name": "ETDA:DEV-0270",
			"tools": [
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"WmiExec"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d866a181-c427-43df-9948-a8010a8fdad6",
			"created_at": "2022-10-27T08:27:13.080609Z",
			"updated_at": "2026-04-10T02:00:05.303153Z",
			"deleted_at": null,
			"main_name": "POLONIUM",
			"aliases": [
				"POLONIUM",
				"Plaid Rain"
			],
			"source_name": "MITRE:POLONIUM",
			"tools": [
				"CreepyDrive",
				"CreepySnail"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6cfeba14-c84e-4606-88b9-c7a7689c450f",
			"created_at": "2022-10-25T16:07:24.06766Z",
			"updated_at": "2026-04-10T02:00:04.857565Z",
			"deleted_at": null,
			"main_name": "Polonium",
			"aliases": [
				"G1005",
				"Incendiary Jackal",
				"Plaid Rain"
			],
			"source_name": "ETDA:Polonium",
			"tools": [
				"CreepyDrive",
				"CreepySnail",
				"DeepCreep",
				"FlipCreep",
				"MegaCreep",
				"PapaCreep",
				"TechnoCreep"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d0e8337e-16a7-48f2-90cf-8fd09a7198d1",
			"created_at": "2023-03-04T02:01:54.091301Z",
			"updated_at": "2026-04-10T02:00:03.356317Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"UNC788",
				"CALANQUE"
			],
			"source_name": "MISPGALAXY:APT42",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ae26d287-8ba7-447e-9391-cf13c02d7481",
			"created_at": "2023-03-04T02:01:54.0962Z",
			"updated_at": "2026-04-10T02:00:03.357189Z",
			"deleted_at": null,
			"main_name": "TA453",
			"aliases": [],
			"source_name": "MISPGALAXY:TA453",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eaef3218-1f8c-4767-b1ff-da7a6662acc0",
			"created_at": "2023-03-04T02:01:54.110909Z",
			"updated_at": "2026-04-10T02:00:03.359871Z",
			"deleted_at": null,
			"main_name": "DEV-0270",
			"aliases": [
				"Nemesis Kitten",
				"Storm-0270"
			],
			"source_name": "MISPGALAXY:DEV-0270",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2c348851-5036-406b-b2d1-1ca47cfc7523",
			"created_at": "2022-10-25T16:07:24.039861Z",
			"updated_at": "2026-04-10T02:00:04.847961Z",
			"deleted_at": null,
			"main_name": "Parisite",
			"aliases": [
				"Cobalt Foxglove",
				"Fox Kitten",
				"G0117",
				"Lemon Sandstorm",
				"Parisite",
				"Pioneer Kitten",
				"Rubidium",
				"UNC757"
			],
			"source_name": "ETDA:Parisite",
			"tools": [
				"Cobalt",
				"FRP",
				"Fast Reverse Proxy",
				"Invoke the Hash",
				"JuicyPotato",
				"Ngrok",
				"POWSSHNET",
				"Pay2Key",
				"Plink",
				"Port.exe",
				"PuTTY Link",
				"SSHMinion",
				"STSRCheck",
				"Serveo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c4cd33a4-3ec0-4a21-b20f-99d3b7cc6525",
			"created_at": "2024-01-09T02:00:04.205662Z",
			"updated_at": "2026-04-10T02:00:03.511121Z",
			"deleted_at": null,
			"main_name": "Gray Sandstorm",
			"aliases": [
				"DEV-0343"
			],
			"source_name": "MISPGALAXY:Gray Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "21e01940-3851-417f-9e90-1a4a2da07033",
			"created_at": "2022-10-25T16:07:23.299369Z",
			"updated_at": "2026-04-10T02:00:04.527895Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow",
				"DEV-0227",
				"Pink Sandstorm",
				"SharpBoys",
				"Spectral Kitten"
			],
			"source_name": "ETDA:Agrius",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agrius",
				"BFG Agonizer",
				"BFG Agonizer Wiper",
				"DEADWOOD",
				"DETBOSIT",
				"Detbosit",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"PW",
				"PartialWasher",
				"PartialWasher Wiper",
				"SQLShred",
				"Sqlextractor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "42e41377-c64c-4be9-87a0-ee903e4b9055",
			"created_at": "2023-01-06T13:46:38.950322Z",
			"updated_at": "2026-04-10T02:00:03.158476Z",
			"deleted_at": null,
			"main_name": "Silent Librarian",
			"aliases": [
				"Mabna Institute",
				"TA407",
				"TA4900",
				"Yellow Nabu",
				"COBALT DICKENS"
			],
			"source_name": "MISPGALAXY:Silent Librarian",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a7df240e-6750-4b71-99de-85831b92faa2",
			"created_at": "2022-10-25T15:50:23.859253Z",
			"updated_at": "2026-04-10T02:00:05.285965Z",
			"deleted_at": null,
			"main_name": "HEXANE",
			"aliases": [
				"Lyceum",
				"Siamesekitten",
				"Spirlin"
			],
			"source_name": "MITRE:HEXANE",
			"tools": [
				"Milan",
				"netstat",
				"BITSAdmin",
				"DnsSystem",
				"DanBot",
				"ipconfig",
				"Mimikatz",
				"Kevin",
				"PoshC2"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0321f048-2313-42dd-b10c-08a99ae98f2a",
			"created_at": "2024-02-02T02:00:04.06752Z",
			"updated_at": "2026-04-10T02:00:03.54849Z",
			"deleted_at": null,
			"main_name": "Storm-1084",
			"aliases": [
				"DEV-1084"
			],
			"source_name": "MISPGALAXY:Storm-1084",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "44d5df14-6a25-41d6-a54c-7c7ebac358cf",
			"created_at": "2023-01-06T13:46:38.817312Z",
			"updated_at": "2026-04-10T02:00:03.111227Z",
			"deleted_at": null,
			"main_name": "Domestic Kitten",
			"aliases": [
				"Bouncing Golf",
				"APT-C-50"
			],
			"source_name": "MISPGALAXY:Domestic Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f8fdc3fb-e38e-44a2-87a8-ae11d93b9e02",
			"created_at": "2023-11-05T02:00:08.088979Z",
			"updated_at": "2026-04-10T02:00:03.402497Z",
			"deleted_at": null,
			"main_name": "UNC3890",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC3890",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d1dcfc37-1f9b-4acd-a023-25153f183c2e",
			"created_at": "2025-08-07T02:03:24.783147Z",
			"updated_at": "2026-04-10T02:00:03.664754Z",
			"deleted_at": null,
			"main_name": "COBALT SHADOW",
			"aliases": [
				"AMERICIUM ",
				"Agonizing Serpens ",
				"Agrius",
				"Agrius ",
				"BlackShadow",
				"DEV-0227 ",
				"Justice Blade ",
				"Malek Team",
				"Malek Team ",
				"MoneyBird ",
				"Pink Sandstorm ",
				"Sharp Boyz ",
				"Spectral Kitten "
			],
			"source_name": "Secureworks:COBALT SHADOW",
			"tools": [
				"Apostle",
				"DEADWOOD",
				"Fantasy wiper",
				"IPsec Helper",
				"MiniDump",
				"Moneybird ransomware",
				"Sandals",
				"SecretsDump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b7823339-891d-4ded-b01d-1f142a88bc64",
			"created_at": "2023-01-06T13:46:39.381591Z",
			"updated_at": "2026-04-10T02:00:03.308737Z",
			"deleted_at": null,
			"main_name": "POLONIUM",
			"aliases": [
				"GREATRIFT",
				"INCENDIARY JACKAL",
				"Plaid Rain",
				"UNC4453"
			],
			"source_name": "MISPGALAXY:POLONIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4023e661-f566-4b5b-a06f-9d370403f074",
			"created_at": "2024-02-02T02:00:04.064685Z",
			"updated_at": "2026-04-10T02:00:03.547155Z",
			"deleted_at": null,
			"main_name": "Pink Sandstorm",
			"aliases": [
				"AMERICIUM",
				"BlackShadow",
				"DEV-0022",
				"Agrius",
				"Agonizing Serpens",
				"UNC2428",
				"Black Shadow",
				"SPECTRAL KITTEN"
			],
			"source_name": "MISPGALAXY:Pink Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7d982d5b-3428-483c-8804-c3ab774f1861",
			"created_at": "2024-11-01T02:00:52.70975Z",
			"updated_at": "2026-04-10T02:00:05.357255Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"Agrius",
				"Pink Sandstorm",
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow"
			],
			"source_name": "MITRE:Agrius",
			"tools": [
				"NBTscan",
				"Mimikatz",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"DEADWOOD",
				"BFG Agonizer",
				"ASPXSpy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6e3ba400-aee3-4ef3-8fbc-ec07fdbee46c",
			"created_at": "2025-08-07T02:03:24.731268Z",
			"updated_at": "2026-04-10T02:00:03.651425Z",
			"deleted_at": null,
			"main_name": "COBALT FOXGLOVE",
			"aliases": [
				"Fox Kitten ",
				"Lemon Sandstorm ",
				"Parisite ",
				"Pioneer Kitten ",
				"RUBIDIUM ",
				"UNC757 "
			],
			"source_name": "Secureworks:COBALT FOXGLOVE",
			"tools": [
				"Chisel",
				"FRP (Fast Reverse Proxy)",
				"Mimikatz",
				"Ngrok",
				"POWSSHNET",
				"STSRCheck",
				"Servo",
				"n3tw0rm ransomware",
				"pay2key ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7f25e108-e694-49b6-a494-c8458b33eb3f",
			"created_at": "2024-01-09T02:00:04.199217Z",
			"updated_at": "2026-04-10T02:00:03.509338Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [],
			"source_name": "MISPGALAXY:HomeLand Justice",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "386b1b0a-9217-46d4-a0d6-73d6286154e0",
			"created_at": "2025-08-07T02:03:24.760429Z",
			"updated_at": "2026-04-10T02:00:03.619131Z",
			"deleted_at": null,
			"main_name": "COBALT LYCEUM",
			"aliases": [
				"DEV-0133 ",
				"HEXANE ",
				"ScorchedEpoch "
			],
			"source_name": "Secureworks:COBALT LYCEUM",
			"tools": [
				"DanBot",
				"MilanRAT",
				"RGDoor",
				"SharkWork RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3ebf51d-8f64-48a9-bbfb-674db872cccb",
			"created_at": "2025-08-07T02:03:24.769383Z",
			"updated_at": "2026-04-10T02:00:03.860954Z",
			"deleted_at": null,
			"main_name": "COBALT MYSTIQUE",
			"aliases": [
				"Banished Kitten ",
				"DEV-0842 ",
				"Druidfly ",
				"Handala Hack Team",
				"Homeland Justice",
				"Karmabelow80",
				"Red Sandstorm ",
				"Storm-0842 ",
				"Void Manticore "
			],
			"source_name": "Secureworks:COBALT MYSTIQUE",
			"tools": [
				"AllinOneNeo",
				"Bibi",
				"GramPy",
				"GramPyLoader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0b212c43-009a-4205-a1f7-545c5e4cfdf8",
			"created_at": "2025-04-23T02:00:55.275208Z",
			"updated_at": "2026-04-10T02:00:05.270553Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"APT42"
			],
			"source_name": "MITRE:APT42",
			"tools": [
				"NICECURL",
				"TAMECAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9663cdbf-646e-4579-881a-a8ebc3aabf63",
			"created_at": "2023-01-06T13:46:38.360862Z",
			"updated_at": "2026-04-10T02:00:02.942852Z",
			"deleted_at": null,
			"main_name": "Cutting Kitten",
			"aliases": [
				"ITsecTeam"
			],
			"source_name": "MISPGALAXY:Cutting Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "871acc40-6cbf-4c81-8b40-7f783616afbc",
			"created_at": "2023-01-06T13:46:39.156237Z",
			"updated_at": "2026-04-10T02:00:03.232876Z",
			"deleted_at": null,
			"main_name": "Fox Kitten",
			"aliases": [
				"UNC757",
				"Lemon Sandstorm",
				"RUBIDIUM",
				"PIONEER KITTEN",
				"PARISITE"
			],
			"source_name": "MISPGALAXY:Fox Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "591ffe81-e46b-4e3d-90c1-9bf42abeeb47",
			"created_at": "2025-08-07T02:03:24.726943Z",
			"updated_at": "2026-04-10T02:00:03.805423Z",
			"deleted_at": null,
			"main_name": "COBALT FIRESIDE",
			"aliases": [
				"CURIUM ",
				"Crimson Sandstorm ",
				"Cuboid Sandstorm ",
				"DEV-0228 ",
				"HIVE0095 ",
				"Imperial Kitten ",
				"TA456 ",
				"Tortoiseshell ",
				"UNC3890 ",
				"Yellow Liderc "
			],
			"source_name": "Secureworks:COBALT FIRESIDE",
			"tools": [
				"FireBAK",
				"LEMPO",
				"LiderBird"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d070e12b-e1ce-4d8d-b5e3-bc71960cc0cb",
			"created_at": "2022-10-25T15:50:23.676504Z",
			"updated_at": "2026-04-10T02:00:05.260839Z",
			"deleted_at": null,
			"main_name": "Fox Kitten",
			"aliases": [
				"Fox Kitten",
				"UNC757",
				"Parisite",
				"Pioneer Kitten",
				"RUBIDIUM",
				"Lemon Sandstorm"
			],
			"source_name": "MITRE:Fox Kitten",
			"tools": [
				"China Chopper",
				"Pay2Key",
				"ngrok",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f5869c6f-6789-4a43-8ffd-e0a76c127754",
			"created_at": "2025-08-07T02:03:24.774081Z",
			"updated_at": "2026-04-10T02:00:03.654593Z",
			"deleted_at": null,
			"main_name": "COBALT OBELISK",
			"aliases": [
				"ChaoticOrchestra ",
				"Cotton Sandstorm ",
				"Haywire Kitten ",
				"Marnanbridge "
			],
			"source_name": "Secureworks:COBALT OBELISK",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7ba9e3e3-1cef-4e20-be7e-95f05e8295d7",
			"created_at": "2022-10-25T16:07:23.821494Z",
			"updated_at": "2026-04-10T02:00:04.759302Z",
			"deleted_at": null,
			"main_name": "Mabna Institute",
			"aliases": [
				"Academic Serpens",
				"Cobalt Dickens",
				"G0122",
				"Mabna Institute",
				"Silent Librarian",
				"TA407",
				"TA4900",
				"Yellow Nabu"
			],
			"source_name": "ETDA:Mabna Institute",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "30f6ddb3-f5aa-4b78-a1a5-e37c42b2c560",
			"created_at": "2022-10-25T16:07:23.544297Z",
			"updated_at": "2026-04-10T02:00:04.64999Z",
			"deleted_at": null,
			"main_name": "Domestic Kitten",
			"aliases": [
				"APT-C-50",
				"Bouncing Golf",
				"G0097"
			],
			"source_name": "ETDA:Domestic Kitten",
			"tools": [
				"FurBall",
				"GolfSpy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "07131850-5161-48b8-98be-6b0271d44d0e",
			"created_at": "2024-01-23T13:22:35.085803Z",
			"updated_at": "2026-04-10T02:00:03.521854Z",
			"deleted_at": null,
			"main_name": "Cotton Sandstorm",
			"aliases": [
				"Emennet Pasargad",
				"Holy Souls",
				"MARNANBRIDGE",
				"NEPTUNIUM",
				"HAYWIRE KITTEN"
			],
			"source_name": "MISPGALAXY:Cotton Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434816,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a848825ae64f3d888335369ab3aca1e2102c2848.pdf",
		"text": "https://archive.orkl.eu/a848825ae64f3d888335369ab3aca1e2102c2848.txt",
		"img": "https://archive.orkl.eu/a848825ae64f3d888335369ab3aca1e2102c2848.jpg"
	}
}