{
	"id": "95adc6f1-d991-4cc2-991c-c876cca5595b",
	"created_at": "2026-04-06T00:12:52.179379Z",
	"updated_at": "2026-04-10T13:12:02.577454Z",
	"deleted_at": null,
	"sha1_hash": "a87fb56e56cef8a1d86093b9b24585f575ce2661",
	"title": "APT trends report Q2 2022",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 70951,
	"plain_text": "APT trends report Q2 2022\r\nBy GReAT\r\nPublished: 2022-07-28 · Archived: 2026-04-02 12:16:50 UTC\r\nFor five years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly\r\nsummaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence\r\nresearch; and they provide a representative snapshot of what we have published and discussed in greater detail in\r\nour private APT reports. They are designed to highlight the significant events and findings that we feel people\r\nshould be aware of.\r\nThis is our latest installment, focusing on activities that we observed during Q2 2022.\r\nReaders who would like to learn more about our intelligence reports or request more information on a specific\r\nreport, are encouraged to contact intelreports@kaspersky.com.\r\nOn January 24, a hash for sophisticated Solaris SPARC malware was posted on Twitter. The complex, modular\r\ncyber-espionage platform rivals EquationDrug, Remsec, and Regin in complexity. We identified a Windows\r\nvariant of this sample using the same string encryption algorithm, internal modules, and functionalities. The\r\nimplant is a complex framework internally called SBZ. It supports multiple exfiltration methods and complicated\r\nnetworking infrastructure, including addressing, redirection, and routing. SBZ probably refers to\r\nSTRAITBIZZARE, a cyber-espionage platform used by the Equation Group. It is also interesting to note the\r\noverlap between the Interface IDs from the DanderSpritz samples from the ShadowBrokers’ dump “Lost in\r\nTranslation” and the Interface IDs in the framework we were able to correlate. 
Our two private reports provided\r\ntechnical information on the Windows and SPARC variants respectively.\r\nIn late 2021, we encountered a malicious DXE driver incorporated into several UEFI firmware images that were\r\nflagged by our firmware scanner (integrated into Kaspersky products at the start of 2019). The malicious driver\r\ncorresponded to the Compatibility Support Module (CSM), used to facilitate a legacy boot sequence from the\r\nMaster Boot Record (MBR). This module was modified in such a way as to spawn an infection chain alongside\r\nthe benign execution logic, culminating in the deployment of malicious kernel mode shellcode intended to stage\r\nthe execution of an additional payload from an external server, which we were unable to fully retrieve. An\r\ninvestigation into the malicious UEFI component, which we named CosmicStrand, showed that a variant of it was\r\nin fact previously described by another security vendor. The samples that we found initially seemed to have used a\r\ndifferent infrastructure and only contained slight modifications, constituting a newer variant of the malware. Our\r\ntelemetry indicates that both variants were found in a limited set of PCs and were probably receiving a response\r\nfrom the respective C2 servers within limited timeframes, allowing us to assess with low-to-medium confidence\r\nthat the implant was used in a targeted manner and could have been leveraged by an advanced actor for an\r\nundetermined purpose. The set of targets was limited and appeared to be computers belonging to victims in China,\r\nVietnam, Russia and Iran.\r\nRussian-speaking activity\r\nhttps://securelist.com/apt-trends-report-q2-2022/106995/\r\nPage 1 of 6\n\nIn March, Proofpoint published a blog post about a new spear-phishing campaign related to the war in Ukraine,\r\ntentatively attributed to the Russian-speaking actor UNC1151 (aka TA445 and Ghostwriter). 
Based on their\r\nfindings, the attack was related to the current situation in Ukraine. The attackers sent spear-phishing emails to\r\nEuropean government workers responsible for managing transportation and population movement in Europe, with\r\nthe aim of infecting them with the Sunseed Trojan. Our investigation of this activity led us to discover other\r\nrelated campaigns targeting a wide range of entities located in Central Asia, Europe and the Americas since at\r\nleast May 2020. We found links to previously observed cybercrime activities, new, formerly unknown samples\r\nused by the attackers during post-exploitation activities, a wealth of recent information about C2 infrastructure\r\nand the latest samples distributed to compromise victims.\r\nChinese-speaking activity\r\nOn March 22, Volexity released a blog post related to new activity targeting a Tibetan minority, attributed to Storm\r\nCloud, a threat actor we track under the name Holy Water. The post described a multi-platform malware family\r\ndubbed GIMMICK, affecting both Windows and macOS machines, with variants developed in multiple\r\nprogramming languages (.NET, Delphi, ObjectiveC), all using an identical C2 protocol based on Google Drive.\r\nAfter looking at this campaign, we provided additional IoCs and analysis of the components used in these attacks.\r\nWe detected new activity, starting in March, from the threat actor behind ExCone and DexCone. We observed\r\nartefacts related to a new wave of spear-phishing attacks against targets in Russia that use information about the\r\ncrisis in Ukraine to lure victims into opening a malicious document. The email is just the first step of a multi-stage\r\ninfection process that leads to the installation of a new tiny variant of the Pangolin Trojan. Pangolin is private\r\nmalware we discovered in 2021, exclusively used by ZexCone, the threat actor behind ExCone and DexCone. 
We\r\nalso found a fully-fledged version of the Pangolin Trojan, including new commands.\r\nMiddle East\r\nRecently, researchers at SEKOIA.IO released a report covering a cluster of domains they believe to be part of a\r\nmalicious infrastructure they dubbed BananaSulfate. This infrastructure is of particular interest as it appears to be\r\nrapidly expanding and changing, with dozens of domains registered so far, and is active for short periods of time\r\nonly. Moreover, as pointed out by SEKOIA.IO, the domain names suggest they may be part of an attack targeting\r\nmultiple platforms, since the domains masquerade as legitimate services in Windows, iOS and Android operating\r\nsystems. Lastly, certain similarities between this infrastructure and those we observed in previous reports suggest\r\nthis may be renewed activity by the threat actor we call Karkadann/Piwiks.\r\nSoutheast Asia and Korean Peninsula\r\nIn January, Kimsuky, a prolific and active Korean-speaking threat actor, attacked a media company and a think-tank in South Korea. Based on our telemetry, the actor initiated the attack by sending a spear-phishing email\r\ncontaining a macro-embedded Word document. Various examples of different Word documents were uncovered,\r\neach showing different decoy content related to geo-political issues on the Korean Peninsula. The actor also took\r\nadvantage of the HTML application file format to infect the victim using a Hangeul decoy document. After the\r\ninitial infection, a Visual Basic script was delivered to the victim. As part of this process, the actor abused a\r\nlegitimate blog service to host a malicious script with an encoded format. The implanted VBS file is capable of\r\nreporting information about infected computers and downloading additional payloads with an encoded format.\r\nThe final stage is an infected Windows executable. 
Finally, the delivered malware is capable of stealing\r\ninformation from the victim, such as file lists, user keystrokes, and login credentials stored in web browsers. The\r\nactor apparently stole sensitive information to leverage its attack. We discovered log files from the attacker’s\r\ninfrastructure containing numerous IP addresses of more potential victims. Our research revealed multiple\r\noverlaps with old Kimsuky malware: this group has used its original malware code and scripts for a long time.\r\nHowever, the infection scheme has been evolving continuously. In this instance, a legitimate blog service was\r\nused to reduce suspicion; and infection stages were added to verify the victims. One interesting thing we observed\r\nin our research is that the actor used a compromised computer in a victim’s network as its malware testing\r\nenvironment.\r\nLazarus is currently one of the most active groups, with the defense industry and financial institutions being the\r\nprimary targets. As a result of our continuous endeavors to track this actor’s activity, we have now discovered two\r\nadditional operations from the group. DeathNote, which is under the Lazarus umbrella, is a sophisticated malware\r\ncluster actively used by this group, and most recently observed when the Lazarus group attacked a software\r\nvendor and think-tank. Since then, we have discovered several entities in South Korea that were infected with\r\nsimilar malware in February. However, the infection scheme was slightly updated in these cases as the actor added\r\nwAgent malware in its delivery procedure.\r\nSince late 2021, we have been detecting new attack campaigns from the SideCopy threat actor, which we believe\r\nto be a subgroup of TransparentTribe. 
The attacks targeted Indian and Afghan victims and, while some of the\r\nattacks had a more complicated attack chain, they all involved sophisticated techniques, such as different stages of\r\nHTA scripts with encrypted/obfuscated malicious payloads, memory-resident malware and, in most cases, DLL\r\nside-loading to execute the NightFury backdoor. We have identified a number of scenarios among these attacks\r\nthat either started from a ZIP archive containing a malicious LNK file or a Word document with a malicious VBA\r\nmacro. The final payloads of these attacks include Crimson RAT, ReverseRAT and the NightFury backdoor. The\r\nattackers used compromised websites to host the initial HTA scripts and their own servers as C2 for different\r\nbackdoor and RAT samples, as well as download servers for downloader modules. Our private report provides an\r\nanalysis of the attack infrastructure and the malware components involved in these attacks.\r\nWe discovered a highly active campaign, starting in March 2022, targeting stock and cryptocurrency investors in\r\nSouth Korea. Based on the domain naming scheme, we call this campaign NaiveCopy. The actor used\r\ncryptocurrency-related contents or complaints from law enforcement as lure themes. The infection chains involved\r\nremote template injection, spawning a malicious macro which starts a multi-stage infection procedure making use\r\nof Dropbox. Finally, after beaconing the victim’s host information, the malware attempts to fetch the final stage\r\npayload. Luckily, we had a chance to acquire the final stage payload, which consists of several modules for\r\nexfiltrating sensitive information from the victim. As a result of analyzing the final payload, we found additional\r\nsamples used a year ago. At that time, the threat actor used an Excel document and Windows executable file for\r\nthe initial infection vector. 
The final payload used in 2021 had different structures, but it had many overlaps with\r\nprevious versions. Based on this finding, we confirmed that this campaign had lasted for at least a year. We\r\nworked closely with KrCERT and ISP vendors to shut down the attacker’s infrastructure, preventing additional\r\ninfections. In terms of attribution, we can’t find any precise connection to known threat actors, though we do\r\nbelieve that they are familiar with the Korean language and utilized a similar tactic to steal the login credentials\r\nfor a renowned Korean portal that has been used by the Konni group.\r\nStarting from January 2022, TransparentTribe (aka PROJECTM and MYTHIC LEOPARD) started new waves of\r\nattacks against government workers in India to perform espionage activities. The threat actor launched different\r\nattacks in which targets were lured into visiting fake websites designed to appear as official repositories for\r\nKavach, a two-factor authentication application mandatory for some government employees in India. People were\r\ntypically tricked into downloading and executing fake installers that validate the victims and download a new\r\nTrojan that we have dubbed AREA51. This Trojan is used to perform another validation and recognize relevant\r\nvictims to infect with other malware. During our investigation, we saw the attacker use AREA51 to deploy a new\r\nversion of MumbaiRAT, a new CrimsonRAT variant and PeppyRAT. We also discovered a fake website used to\r\ndistribute a fake Kavach installer for Linux. 
The implant is a simple downloader that downloads and executes\r\nPoseidon, a post-exploitation tool for Linux and macOS that can be used with the Mythic post-exploitation\r\nframework.\r\nOther interesting discoveries\r\nThe malicious disruption of KA-SAT-based internet services in February may have been an attempt to specifically\r\nhinder communications of Ukrainian military forces and security services. We were able to identify several\r\nconfiguration and sensitive information disclosure vulnerabilities that would have allowed an attacker to gain\r\naccess to private Viasat management network segments, as well as to remotely execute code or change\r\nconfiguration on CPE systems. We analyzed the publicly available wiper malware, CosmosWiper, that was\r\nsubmitted to an online multi-scanner service on March 15; and we believe with medium-to-high confidence that it\r\nhas been leveraged to disrupt some KA-SAT customer CPE systems. Researchers believe that the malware used to\r\nwipe the Viasat satellite broadband modems could be linked to VPNFilter.\r\nIn February, we discovered a new SilentMarten campaign targeting Kyrgyzstan government entities. This was the\r\nfirst time we had observed the technique of putting shellcode into Windows event logs, allowing the “fileless”\r\nlast-stage Trojan to be hidden from the file system. The dropper saves the shellcode into the Key Management\r\nSystem (KMS) event source’s information events with a specific category ID and incremented message IDs.\r\nAnother technique is the use of a C2 domain name that mimics a legitimate one. The name, “eleed”, belongs to a\r\nregional ERP/ECM product, that really is in use on target systems. The threat actor takes their initial\r\nreconnaissance into consideration when developing the next malicious stages. They provided a lot of anti-detection decryptors, using different compilers: Microsoft’s cl.exe, GCC under MinGW and a recent version of\r\nGo. 
They also decided not to stick to just one last-stage Trojan: there are HTTP and named pipe-based ones too.\r\nAlong with the aforementioned custom modules, several commercial pen-testing tools were used, such as Cobalt\r\nStrike and NetSPI (ex-SilentBreak). In September 2021 we observed SilentBreak’s toolset, but in other regions –\r\nthe Middle East and North Africa. Attention to the event logs isn’t limited to storing shellcodes. Droppers also\r\npatch Windows Native API functions to make the infection process stealthier. Also, some modules are signed with\r\na Fast Invest digital certificate; we believe this was issued by the threat actor, because our telemetry doesn’t show\r\nany legitimate software signed with it beyond the malicious code used in this campaign.\r\nWe recently identified SessionManager, a poorly detected malicious IIS module that, starting in late March 2021,\r\nhas been used against NGOs and government organizations in Africa, South America, Asia, Europe, Russia and\r\nthe Middle East. We believe, with medium-to-high confidence, that the module has been deployed thanks to\r\nprevious exploitation of ProxyLogon-type vulnerabilities on Exchange servers. We believe, with low confidence,\r\nthat SessionManager might be used by the GELSEMIUM threat actor, based on an overlap in victimology and the\r\nuse of OwlProxy.\r\nWe first reported DeathStalker’s VileRAT campaign in August 2020. While continuing to track associated\r\nactivities, we noted that the threat actor still regularly updates its malware and preceding infection chains.\r\nDeathStalker’s main tactics remain consistent, but the threat actor is continuously making efforts to evade\r\ndetection. 
We recently identified new infection documents that ultimately deliver updated VileRAT samples, and\r\nprovided fresh indicators and knowledge about these campaigns in a private report.\r\nIn recent years, the number of hack-and-leak incidents has steadily increased, with this becoming a popular tool\r\nfor both APTs and cybercriminals. In the case of APTs, these leaks are mainly used to tarnish a target’s image and\r\ncompromise their reputation. For instance, back in 2016, Democratic National Committee chairwoman Debbie\r\nWasserman Schultz resigned following an extensive email leak from WikiLeaks. For cybercriminals, leaks are\r\ntypically used in conjunction with ransomware attacks, where a company’s data is encrypted and held for ransom.\r\nSince the beginning of the war in Ukraine, various cybercriminal groups (e.g., Conti) have expressed their support\r\nfor the parties involved in the conflict, muddying the separation between state-sponsored and cybercriminal\r\noperations. Similarly, we have seen a spike in the number of hacktivist activities related to the conflict, ranging\r\nfrom DDoS attacks to doxxing and hack-and-leak operations. We recently came upon several such operations that\r\nare interesting in the context of the Russo-Ukrainian war. This report looks at several websites likely associated\r\nwith APTs and hacktivists.\r\nIn a private report that differs somewhat from our usual format, we published a comprehensive review of modern\r\nransomware Techniques, Tactics and Procedures (TTPs). The report combined the efforts of multiple teams at\r\nKaspersky – our Threat Research Team, the Global Emergency Response Team (GERT) and Global Research and\r\nAnalysis Team (GReAT). We also used best practices from the Escal Institute of Advanced Technologies (SANS),\r\nthe National Cybersecurity Centers and the National Institute of Standards and Technology (NIST). 
The report\r\ndraws on our statistics to select the most popular groups, analyzes in detail the attacks they have perpetrated, and\r\nemploys data described in MITRE ATT\u0026CK to identify a large number of shared TTPs. By tracking all the groups\r\nand detecting attacks, we see that the core techniques remain the same throughout the cyber kill-chain. The attack\r\npatterns thus revealed are not accidental, because this class of attack requires the hackers to go through certain\r\nstages, such as penetrating the corporate network or the victim’s computer, delivering malware, further discovery,\r\naccount hijacking, deleting shadow copies, removing backups, and, ultimately, achieving their objective.\r\nFinal thoughts\r\nWhile the TTPs of some threat actors remain consistent over time, relying heavily on social engineering as a\r\nmeans of gaining a foothold in a target organization or compromising an individual’s device, others refresh their\r\ntoolsets and extend the scope of their activities. Our regular quarterly reviews are intended to highlight the key\r\ndevelopments of APT groups.\r\nHere are the main trends that we’ve seen in Q2 2022:\r\nGeo-politics continues to be one of the drivers of APT development. Unsurprisingly, we continue to see\r\nattacks centered around the war in Ukraine. We have seen a spike in “hacktivist” attacks, ranging from\r\nDDoS attacks to doxxing and hack-and-leak operations. Cybercriminals are also seeking to exploit the\r\nconflict. 
Moreover, we have also seen threat actors exploit the war as a theme to lure potential victims into\r\nrunning malicious code.\r\nAs underlined by our report on the NaiveCopy campaign targeting stock and cryptocurrency investors in\r\nSouth Korea, financial gain remains one of the ongoing motives behind APT attacks.\r\nIn our APT annual review 2021, we highlighted two cases where attackers had developed UEFI implants;\r\nand predicted the further growth of low-level attacks. This quarter we reported yet another malicious UEFI\r\ncomponent, CosmicStrand.\r\nAs always, we would note that our reports are the product of our visibility into the threat landscape. However, it\r\nshould be borne in mind that, while we strive to continually improve, there is always the possibility that other\r\nsophisticated attacks may fly under our radar.\r\nDisclaimer: when referring to APT groups as Russian-speaking, Chinese-speaking or other-“speaking”\r\nlanguages, we refer to various artefacts used by the groups (such as malware debugging strings, comments found\r\nin scripts, etc.) containing words in these languages, based on the information we obtained directly or which is\r\notherwise publicly known and reported widely. The use of certain languages does not necessarily indicate a\r\nspecific geographic relation but rather points to the languages that the developers behind these APT artefacts use.\r\nSource: https://securelist.com/apt-trends-report-q2-2022/106995/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/apt-trends-report-q2-2022/106995/"
	],
	"report_names": [
		"106995"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5e034014-1f6e-424d-adfa-49557e655e08",
			"created_at": "2024-02-06T02:00:04.118601Z",
			"updated_at": "2026-04-10T02:00:03.572699Z",
			"deleted_at": null,
			"main_name": "Karkadann",
			"aliases": [
				"Piwiks"
			],
			"source_name": "MISPGALAXY:Karkadann",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f7aa6029-2b01-4eee-8fe6-287330e087c9",
			"created_at": "2022-10-25T16:07:23.536763Z",
			"updated_at": "2026-04-10T02:00:04.646542Z",
			"deleted_at": null,
			"main_name": "Deceptikons",
			"aliases": [
				"DeathStalker",
				"Deceptikons"
			],
			"source_name": "ETDA:Deceptikons",
			"tools": [
				"EVILNUM",
				"Evilnum",
				"Janicab",
				"PowerPepper",
				"Powersing",
				"VileRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2d4d2356-8f9e-464d-afc6-2403ce8cf424",
			"created_at": "2023-01-06T13:46:39.290101Z",
			"updated_at": "2026-04-10T02:00:03.275981Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"狼毒草"
			],
			"source_name": "MISPGALAXY:Gelsemium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8f6bd9b8-e46e-4c3b-9a08-41fee319f273",
			"created_at": "2022-10-25T16:07:23.747959Z",
			"updated_at": "2026-04-10T02:00:04.735963Z",
			"deleted_at": null,
			"main_name": "Karkadann",
			"aliases": [],
			"source_name": "ETDA:Karkadann",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f29188d8-2750-4099-9199-09a516c58314",
			"created_at": "2025-08-07T02:03:25.068489Z",
			"updated_at": "2026-04-10T02:00:03.827361Z",
			"deleted_at": null,
			"main_name": "MOONSCAPE",
			"aliases": [
				"TA445 ",
				"UAC-0051 ",
				"UNC1151 "
			],
			"source_name": "Secureworks:MOONSCAPE",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "77874718-7ad2-4d15-9831-10935ab9bcbe",
			"created_at": "2022-10-25T15:50:23.619911Z",
			"updated_at": "2026-04-10T02:00:05.349462Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Gelsemium"
			],
			"source_name": "MITRE:Gelsemium",
			"tools": [
				"Gelsemium",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b5550c4e-943a-45ea-bf67-875b989ee4c4",
			"created_at": "2022-10-25T16:07:23.675771Z",
			"updated_at": "2026-04-10T02:00:04.707782Z",
			"deleted_at": null,
			"main_name": "Gelsemium",
			"aliases": [
				"Operation NightScout",
				"Operation TooHash"
			],
			"source_name": "ETDA:Gelsemium",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"Chrommme",
				"Cobalt Strike",
				"CobaltStrike",
				"FireWood",
				"Gelsemine",
				"Gelsenicine",
				"Gelsevirine",
				"JuicyPotato",
				"OwlProxy",
				"Owowa",
				"SAMRID",
				"SessionManager",
				"SinoChopper",
				"SpoolFool",
				"SweetPotato",
				"WolfsBane",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "119c8bea-816e-4799-942b-ff375026671e",
			"created_at": "2022-10-25T16:07:23.957309Z",
			"updated_at": "2026-04-10T02:00:04.807212Z",
			"deleted_at": null,
			"main_name": "Operation Ghostwriter",
			"aliases": [
				"DEV-0257",
				"Operation Asylum Ambuscade",
				"PUSHCHA",
				"Storm-0257",
				"TA445",
				"UAC-0051",
				"UAC-0057",
				"UNC1151",
				"White Lynx"
			],
			"source_name": "ETDA:Operation Ghostwriter",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"HALFSHELL",
				"Impacket",
				"RADIOSTAR",
				"VIDEOKILLER",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "33eef76c-a6fa-4855-a77e-9a1e92fe8474",
			"created_at": "2023-11-21T02:00:07.393519Z",
			"updated_at": "2026-04-10T02:00:03.477407Z",
			"deleted_at": null,
			"main_name": "Storm Cloud",
			"aliases": [],
			"source_name": "MISPGALAXY:Storm Cloud",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434372,
	"ts_updated_at": 1775826722,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a87fb56e56cef8a1d86093b9b24585f575ce2661.pdf",
		"text": "https://archive.orkl.eu/a87fb56e56cef8a1d86093b9b24585f575ce2661.txt",
		"img": "https://archive.orkl.eu/a87fb56e56cef8a1d86093b9b24585f575ce2661.jpg"
	}
}