{
	"id": "55db86be-20ff-4ece-bd4d-faa33deb4f46",
	"created_at": "2026-04-06T00:22:28.200888Z",
	"updated_at": "2026-04-10T03:36:36.625386Z",
	"deleted_at": null,
	"sha1_hash": "a96602666feba404c2ded406edfb55b5ad26c31b",
	"title": "#StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 562874,
	"plain_text": "#StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362\r\nMOVEit Vulnerability | CISA\r\nPublished: 2023-06-07 · Archived: 2026-04-05 18:27:12 UTC\r\n1. Take an inventory of assets and data, identifying authorized and unauthorized devices and software.\r\n2. Grant admin privileges and access only when necessary, establishing a software allow list that only executes\r\nlegitimate applications.\r\n3. Monitor network ports, protocols, and services, activating security configurations on network infrastructure devices\r\nsuch as firewalls and routers\r\n4. Regularly patch and update software and applications to their latest versions, and conduct regular vulnerability\r\nassessments.\r\nUpdated June 16, 2023\r\nThis CSA is being re-released to remove old Fortra GoAnywhere Campaign IP addresses and to add new IP\r\naddresses. See the update below.\r\nEnd of Update\r\nSUMMARY\r\nNote: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for\r\nnetwork defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware\r\nadvisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of\r\ncompromise (IOCs) to help organizations protect against ransomware. 
Visit stopransomware.gov to see all\r\n#StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.\r\nThe Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing\r\nthis joint CSA to disseminate known CL0P ransomware IOCs and TTPs identified through FBI investigations as recently as\r\nJune 2023.\r\nAccording to open source information, beginning on May 27, 2023, CL0P Ransomware Gang, also known as TA505, began\r\nexploiting a previously unknown SQL injection vulnerability (CVE-2023-34362) in Progress Software's managed file\r\ntransfer (MFT) solution known as MOVEit Transfer. Internet-facing MOVEit Transfer web applications were infected with a\r\nweb shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases. In similar\r\nspates of activity, TA505 conducted zero-day-exploit-driven campaigns against Accellion File Transfer Appliance (FTA)\r\ndevices in 2020 and 2021, and Fortra/Linoma GoAnywhere MFT servers in early 2023.\r\nFBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce\r\nthe likelihood and impact of CL0P ransomware and other ransomware incidents.\r\nDownload the PDF version, STIX and JSON file for this report:\r\nTECHNICAL DETAILS\r\nNote: This advisory uses the MITRE ATT\u0026CK® for Enterprise framework, version 13. See MITRE ATT\u0026CK for Enterprise\r\n for all referenced tactics and techniques.\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a\r\nPage 1 of 19\n\nAppearing in February 2019, and evolving from the CryptoMix ransomware variant, CL0P was leveraged as a Ransomware\r\nas a Service (RaaS) in large-scale spear-phishing campaigns that used a verified and digitally signed binary to bypass system\r\ndefenses. 
CL0P was previously known for its use of the ‘double extortion’ tactic of stealing and encrypting victim data,\r\nrefusing to restore victim access and publishing exfiltrated data on Tor via the CL0P^_-LEAKS website. In 2019, TA505\r\nactors leveraged CL0P ransomware as the final payload of a phishing campaign involving a macro-enabled document that\r\nused a Get2 malware dropper for downloading SDBot and FlawedGrace. In recent campaigns beginning in 2021, CL0P\r\npreferred to rely mostly on data exfiltration over encryption.\r\nBeyond CL0P ransomware, TA505 is known for frequently changing malware and driving global trends in criminal malware\r\ndistribution. Considered to be one of the largest phishing and malspam distributors worldwide, TA505 is estimated to have\r\ncompromised more than 3,000 U.S.-based organizations and 8,000 global organizations.\r\nTA505 has operated:\r\nA RaaS, and has acted as an affiliate of other RaaS operations,\r\nAs an initial access broker (IAB), selling access to compromised corporate networks,\r\nAs a customer of other IABs,\r\nAnd as a large botnet operator specializing in financial fraud and phishing attacks.\r\nIn a campaign from 2020 to 2021, TA505 used several zero-day exploits to install a web shell named DEWMODE on\r\ninternet-facing Accellion FTA servers. Similarly, in the recent exploitation of MOVEit Transfer, a SQL injection vulnerability\r\nwas used to install the LEMURLOOT web shell, which enabled TA505 to execute operating system commands on the infected server and\r\nsteal data.\r\nIn late January 2023, the CL0P ransomware group launched a campaign using a zero-day vulnerability, now catalogued\r\nas CVE-2023-0669, to target the GoAnywhere MFT platform. The group claimed to have exfiltrated data from the\r\nGoAnywhere MFT platform that impacted approximately 130 victims over the course of 10 days.
Lateral movement into the\r\nvictim networks from the GoAnywhere MFT was not identified, suggesting the breach was limited to the GoAnywhere\r\nplatform itself. Over the next several weeks, as the exfiltrated data was parsed by the group, ransom notes were sent to\r\nupper-level executives of the victim companies, likely identified through open source research. The ransom notes threatened\r\nto publish the stolen files on the CL0P data leak site if victims did not pay the ransom amount.\r\nFigure 1: CL0P Ransom Note\r\nHello, this is the CL0P hacker group. As you may know, we recently carried out a hack, which was reported in the news\r\non site [redacted].\r\nWe want to inform you that we have stolen important information from your GoAnywhere MFT resource and have\r\nattached a full list of files as evidence.\r\nWe deliberately did not disclose your organization and wanted to negotiate with you and your leadership first. If you\r\nignore us, we will sell your information on the black market and publish it on our blog, which receives 30-50 thousand\r\nunique visitors per day. You can read about us on [redacted] by searching for CLOP hacker group.\r\nYou can contact us using the following contact information:\r\nunlock@rsv-box[.]com\r\nand\r\nunlock@support-mult[.]com\r\nCL0P’s toolkit contains several malware types to collect information, including the following:\r\nFlawedAmmyy/FlawedGrace remote access trojan (RAT) collects information and attempts to communicate\r\nwith the Command and Control (C2) server to enable the download of additional malware components [T1071 ],\r\n[T1105 ].\r\nSDBot RAT propagates the infection, exploiting vulnerabilities and dropping copies of itself in removable drives\r\nand network shares [T1105 ].
It is also capable of propagating when shared through peer-to-peer (P2P) networks.\r\nSDBot is used as a backdoor [T1059.001 ] to enable other commands and functions to be executed in the\r\ncompromised computer. This malware uses application shimming for persistence and to avoid detection [T1546.011 ].\r\nTruebot is a first-stage downloader module that can collect system information and take screenshots [T1113 ];\r\nit was developed by and is attributed to the Silence hacking group. After connecting to the C2 infrastructure, Truebot can be\r\ninstructed to load shell code [T1055 ] or DLLs [T1574.002 ], download additional modules [T1129 ], run them,\r\nor delete itself [T1070 ]. In the case of TA505, Truebot has been used to download FlawedGrace or Cobalt Strike\r\nbeacons.\r\nCobalt Strike is used to expand network access after gaining access to the Active Directory (AD) server [T1018 ].\r\nDEWMODE is a web shell written in PHP designed to target Accellion FTA devices and interact with the underlying\r\nMySQL database and is used to steal data from the compromised device [T1505.003 ].\r\nLEMURLOOT is a web shell written in C# designed to target the MOVEit Transfer platform. The web shell\r\nauthenticates incoming HTTP requests via a hard-coded password and can run commands that will download files from\r\nthe MOVEit Transfer system, extract its Azure system settings, retrieve detailed record information, and create, insert, or\r\ndelete a particular user. When responding to the request, the web shell returns data in a gzip compressed format.\r\nCVE-2023-34362 MOVEIT TRANSFER VULNERABILITY\r\nMOVEit is typically used to manage an organization’s file transfer operations and has a web application that supports\r\nMySQL, Microsoft SQL Server, and Azure SQL database engines. In May 2023, the CL0P ransomware group exploited a\r\nSQL injection zero-day vulnerability, CVE-2023-34362, to install a web shell named LEMURLOOT on MOVEit Transfer\r\nweb applications [T1190 ] [1 ].
LEMURLOOT was used for persistence, information gathering, and data theft\r\nin the CVE-2023-34362 campaign. The web shell imports multiple libraries including “MOVEit.DMZ.ClassLib,”\r\n“MOVEit.DMZ.Application.Files,” and “MOVEit.DMZ.Application.Users” to interact with MOVEit managed file transfer\r\nsoftware. The web shell was initially observed with the name human2.aspx in an effort to masquerade as the legitimate\r\nhuman.aspx file present as part of MOVEit Transfer software. Upon installation, the web shell creates a random 36-character\r\npassword to be used for authentication. The web shell interacts with its operators by awaiting HTTP requests\r\ncontaining a header field named X-siLock-Comment, which must have a value equal to the password established\r\nupon the installation of the web shell. After authenticating with the web shell, operators pass commands to the web shell that\r\ncan:\r\nRetrieve Microsoft Azure system settings, Azure Blob Storage, Azure Blob Storage account, Azure Blob key, and\r\nAzure Blob Container using the following query:\r\n“select f.id, f.instid, f.folderid, filesize, f.Name as Name, u.LoginName as uploader, fr.FolderPath ,\r\nfr.name as fname from folders fr, files f left join users u on f.UploadUsername = u.Username where\r\nf.FolderID = fr.ID” (Figure 2).\r\nEnumerate the underlying SQL database.\r\nStore a string sent by the operator and then retrieve a file with a name matching the string from the MOVEit Transfer\r\nsystem.\r\nCreate a new administrator privileged account with a randomly generated username and LoginName and RealName\r\nvalues set to “Health Check Service.”\r\nDelete an account with LoginName and RealName values set to “Health Check Service.”\r\nFigure 2: LEMURLOOT web shell code that interacts with Azure\r\nProgress Software announced the discovery of the CVE-2023-34362 MOVEit Transfer vulnerability and issued guidance
on\r\nknown affected versions, software upgrades, and patching. Based on evidence of active exploitation, CISA added this\r\nvulnerability to the Known Exploited Vulnerabilities (KEV) Catalog on June 2, 2023. This critical MOVEit Transfer\r\nvulnerability affects the following versions of the software [2 ]:\r\nMOVEit Transfer 2023.0.0\r\nMOVEit Transfer 2022.1.x\r\nMOVEit Transfer 2022.0.x\r\nMOVEit Transfer 2021.1.x\r\nMOVEit Transfer 2021.0.x\r\nMOVEit Transfer 2020.1.x\r\nMOVEit Transfer 2020.0.x\r\nDue to the speed and ease with which TA505 has exploited this vulnerability, and based on their past campaigns, FBI and CISA expect\r\nto see widespread exploitation of unpatched software services in both private and public networks. For IOCs related to the\r\nMOVEit campaign, see table 2.\r\nDETECTION METHODS\r\nBelow are open source YARA rules that may be used to detect malicious activity related to the MOVEit Transfer zero-day\r\nvulnerability. For more information, visit GitHub or the resource section of this CSA.
[1 ] [3 ]:\r\nrule CISA_10450442_01 : LEMURLOOT webshell communicates_with_c2 remote_access\r\n{\r\n meta:\r\n   Author = \"CISA Code \u0026 Media Analysis\"\r\n   Incident = \"10450442\"\r\n   Date = \"2023-06-07\"\r\n   Last_Modified = \"20230609_1200\"\r\n   Actor = \"n/a\"\r\n   Family = \"LEMURLOOT\"\r\n   Capabilities = \"communicates-with-c2\"\r\n   Malware_Type = \"webshell\"\r\n   Tool_Type = \"remote-access\"\r\n   Description = \"Detects ASPX webshell samples\"\r\n   SHA256_1 = \"3a977446ed70b02864ef8cfa3135d8b134c93ef868a4cc0aa5d3c2a74545725b\"\r\n strings:\r\n   $s1 = { 4d 4f 56 45 69 74 2e 44 4d 5a }\r\n   $s2 = { 25 40 20 50 61 67 65 20 4c 61 6e 67 75 61 67 65 3d }\r\n   $s3 = { 4d 79 53 51 4c }\r\n   $s4 = { 41 7a 75 72 65 }\r\n   $s5 = { 58 2d 73 69 4c 6f 63 6b 2d }\r\n condition:\r\n   all of them\r\n}\r\nrule M_Webshell_LEMURLOOT_DLL_1 {\r\n  meta:\r\n    disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n    description = \"Detects the compiled DLLs generated from human2.aspx LEMURLOOT payloads.\"\r\n    sample = \"c58c2c2ea608c83fad9326055a8271d47d8246dc9cb401e420c0971c67e19cbf\"\r\n    date = \"2023/06/01\"\r\n    version = \"1\"\r\n  strings:\r\n    $net = \"ASP.NET\"\r\n    $human = \"Create_ASP_human2_aspx\"\r\n    $s1 = \"X-siLock-Comment\" wide\r\n    $s2 = \"X-siLock-Step3\" wide\r\n    $s3 = \"X-siLock-Step2\" wide\r\n    $s4 = \"Health Check Service\" wide\r\n    $s5 = \"attachment; filename={0}\" wide\r\n  condition:\r\n    uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and\r\n    filesize \u003c 15KB and\r\n    $net and\r\n    (\r\n      ($human and 2 of ($s*)) or\r\n      (3 of ($s*))\r\n    )\r\n}\r\nrule M_Webshell_LEMURLOOT_1 {\r\n  meta:\r\n    disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n    description = \"Detects the LEMURLOOT ASP.NET scripts\"\r\n    md5 = \"b69e23cd45c8ac71652737ef44e15a34\"\r\n    sample = \"cf23ea0d63b4c4c348865cefd70c35727ea8c82ba86d56635e488d816e60ea45\"\r\n    date = \"2023/06/01\"\r\n    version = \"1\"\r\n  strings:\r\n    $head = \"\u003c%@ Page\"\r\n    $s1 = \"X-siLock-Comment\"\r\n    $s2 = \"X-siLock-Step\"\r\n    $s3 = \"Health Check Service\"\r\n    $s4 = /pass, \\\"[a-z0-9]{8}-[a-z0-9]{4}/\r\n    $s5 = \"attachment;filename={0}\"\r\n  condition:\r\n    filesize \u003e 5KB and filesize \u003c 10KB and\r\n    (\r\n      ($head in (0..50) and 2 of ($s*)) or\r\n      (3 of ($s*))\r\n    )\r\n}\r\nrule MOVEit_Transfer_exploit_webshell_aspx {\r\n  meta:\r\n    date = \"2023-06-01\"\r\n    description = \"Detects indicators of compromise in MOVEit Transfer exploitation.\"\r\n    author = \"Ahmet Payaslioglu - Binalyze DFIR Lab\"\r\n    hash1 = \"44d8e68c7c4e04ed3adacb5a88450552\"\r\n    hash2 = \"a85299f78ab5dd05e7f0f11ecea165ea\"\r\n    reference1 = \"https://www.reddit.com/r/msp/comments/13xjs1y/tracking_emerging_moveit_transfer_critical/\"\r\n    reference2 = \"https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/\"\r\n    reference3 = \"https://gist.github.com/JohnHammond/44ce8556f798b7f6a7574148b679c643\"\r\n    verdict = \"dangerous\"\r\n    mitre = \"T1505.003\"\r\n    platform = \"windows\"\r\n    search_context = \"filesystem\"\r\n  strings:\r\n    $a1 = \"MOVEit.DMZ\"\r\n    $a2 = \"Request.Headers[\\\"X-siLock-Comment\\\"]\"\r\n    $a3 = \"Delete FROM users WHERE RealName='Health Check Service'\"\r\n    $a4 = \"set[\\\"Username\\\"]\"\r\n    $a5 = \"INSERT INTO users (Username, LoginName, InstID, Permission, RealName\"\r\n    $a6 = \"Encryption.OpenFileForDecryption(dataFilePath, siGlobs.FileSystemFactory.Create()\"\r\n    $a7 = \"Response.StatusCode = 404;\"\r\n  condition:\r\n    filesize \u003c 10KB\r\n    and all of them\r\n}\r\nrule MOVEit_Transfer_exploit_webshell_dll {\r\n  meta:\r\n    date = \"2023-06-01\"\r\n    description = \"Detects indicators of compromise in MOVEit Transfer exploitation.\"\r\n    author = \"Djordje Lukic - Binalyze DFIR Lab\"\r\n    hash1 = \"7d7349e51a9bdcdd8b5daeeefe6772b5\"\r\n    hash2 = \"2387be2afe2250c20d4e7a8c185be8d9\"\r\n    reference1 = \"https://www.reddit.com/r/msp/comments/13xjs1y/tracking_emerging_moveit_transfer_critical/\"\r\n    reference2 = \"https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/\"\r\n    reference3 = \"https://gist.github.com/JohnHammond/44ce8556f798b7f6a7574148b679c643\"\r\n    verdict = \"dangerous\"\r\n    mitre = \"T1505.003\"\r\n    platform = \"windows\"\r\n    search_context = \"filesystem\"\r\n  strings:\r\n    $a1 = \"human2.aspx\" wide\r\n    $a2 = \"Delete FROM users WHERE RealName='Health Check Service'\" wide\r\n    $a3 = \"X-siLock-Comment\" wide\r\n  condition:\r\n    uint16(0) == 0x5A4D and filesize \u003c 20KB\r\n    and all of them\r\n}\r\nIf a victim rebuilds the web server but leaves the database intact, the CL0P user accounts will still exist and can be used for\r\npersistent access to the system.\r\nVictims can use the following SQL query to audit for active administrative accounts, and should validate that only intended\r\naccounts are present.\r\nSELECT * FROM [\u003cdatabase name\u003e].[dbo].[users] WHERE Permission=30 AND Status='active' and Deleted='0'\r\nMOVEit Campaign Indicators of Compromise\r\nFiles: LEMURLOOT Web Shell, e.g.
human2.aspx\r\nGoAnywhere Campaign Indicators of Compromise\r\nFiles | Hash | Description\r\nlarabqFa.exe, Qboxdv.dll | 0e3a14638456f4451fe8d76fdc04e591fba942c2f16da31857ca66293a58a4c3 | Truebot\r\n%TMP%\\7ZipSfx.000\\Zoom.exe | 1285aa7e6ee729be808c46c069e30a9ee9ce34287151076ba81a0bea0508ff7e | Spawns a PowerShell subprocess which executes a malicious DLL file\r\n%TMP%\\7ZipSfx.000\\ANetDiag.dll | 2c8d58f439c708c28ac4ad4a0e9f93046cf076fc6e5ab1088e8943c0909acbc4 | Obfuscated malware which also uses long sleeps and debug detection to evade analysis\r\nAVICaptures.dll | a8569c78af187d603eecdc5faec860458919349eef51091893b705f466340ecd | Truebot\r\nkpdphhajHbFerUr.exe, gamft.dll | c042ad2947caf4449295a51f9d640d722b5a6ec6957523ebf68cddb87ef3545c | Truebot\r\ndnSjujahur.exe, Pxaz.dll | c9b874d54c18e895face055eeb6faa2da7965a336d70303d0bd6047bec27a29d | Truebot\r\n7ZSfxMod_x86.exe, ZoomInstaller.exe, Zoom.exe | d5bbcaa0c3eeea17f12a5cc3dbcaffff423d00562acb694561841bcfe984a3b7 | Fake Zoom installer - Truebot\r\nupdate.jsp | eb9f5cbe71f9658d38fb4a7aa101ad40534c4c93ee73ef5f6886d89159b0e2c2 | Java Server Pages (JSP) web shell with some base64 obfuscation\r\n%TMP%\\\u003cfolder\u003e\\extracted_at_0xe5c8f00.exe | f2f08e4f108aaffaadc3d11bad24abdd625a77e0ee9674c4541b562c78415765 | Employs sandbox detection and string obfuscation - appears to be a collection of C# hack tools\r\nUhfdkUSwkFKedUUi.exe, gamft.dll | ff8c8c8bfba5f2ba2f8003255949678df209dbff95e16f2f3c338cfa0fd1b885 | Truebot\r\nEmail Address | Description\r\nunlock@rsv-box[.]com | CL0P communication email\r\nunlock@support-mult[.]com | CL0P communication email\r\nrey14000707@gmail[.]com | Login/Download\r\ngagnondani225@gmail[.]com | Email\r\nMalicious
Domain\r\nCertificate Name | Status | Date Valid | Thumbprint | Serial Number\r\nSavas Investments PTY LTD | Valid (Issuer: Sectigo Public Code Signing CA R36) | 10/7/2022 - 10/7/2023 | 8DCCF6AD21A58226521E36D7E5DBAD133331C181 | 00-82-D2-24-32-3E-FA-65-06-0B-64-1F-51-FA-DF-EF-02\r\nMOVEit Campaign Infrastructure\r\nIP Addresses\r\nMay/June 2023\r\nUpdated June 16, 2023\r\nFortra GoAnywhere\r\nHigh Confidence and Temporal\r\nIP Addresses\r\nJanuary/June\r\nEnd of Update\r\nMITRE ATT\u0026CK TECHNIQUES\r\nSee tables below for
referenced CL0P tactics and techniques used in this advisory.\r\nTable 1. ATT\u0026CK Techniques for Enterprise: Initial Access\r\nTechnique Title | ID | Use\r\nExploit Public-Facing Application | T1190 | CL0P ransomware group exploited the zero-day vulnerability CVE-2023-34362 affecting MOVEit Transfer software; the attack begins with a SQL injection to infiltrate the MOVEit Transfer web application.\r\nPhishing | T1566 | CL0P actors send a large volume of spear-phishing emails to employees of an organization to gain initial access.\r\nTable 2. ATT\u0026CK Techniques for Enterprise: Execution\r\nTechnique Title | ID | Use\r\nCommand and Scripting Interpreter: PowerShell | T1059.001 | CL0P actors use SDBot as a backdoor to enable other commands and functions to be executed in the compromised computer.\r\nCommand and Scripting Interpreter | T1059.003 | CL0P actors use TinyMet, a small open-source Meterpreter stager, to establish a reverse shell to their C2 server.\r\nShared Modules | T1129 | CL0P actors use Truebot to download additional modules.\r\nTable 3. ATT\u0026CK Techniques for Enterprise: Persistence\r\nTechnique Title | ID | Use\r\nServer Software Component: Web Shell | T1505.003 | DEWMODE is a web shell designed to interact with a MySQL database, and is used to exfiltrate data from the compromised network.\r\nEvent Triggered Execution: Application Shimming | T1546.011 | CL0P actors use SDBot malware for application shimming for persistence and to avoid detection.\r\nTable 4. ATT\u0026CK Techniques for Enterprise: Privilege Escalation\r\nTechnique Title | ID | Use\r\nExploitation for Privilege Escalation | T1068 | CL0P actors were gaining access to MOVEit Transfer databases prior to escalating privileges within the compromised network.\r\nTable 5. ATT\u0026CK Techniques for Enterprise: Defense Evasion\r\nTechnique Title | ID | Use\r\nProcess Injection | T1055 | CL0P actors use Truebot to load shell code.\r\nIndicator Removal | T1070 | CL0P actors delete traces of Truebot malware after it is used.\r\nHijack Execution Flow: DLL Side-Loading | T1574.002 | CL0P actors use Truebot to side-load DLLs.\r\nTable 6. ATT\u0026CK Techniques for Enterprise: Discovery\r\nTechnique Title | ID | Use\r\nRemote System Discovery | T1018 | CL0P actors use Cobalt Strike to expand network access after gaining access to the Active Directory (AD) servers.\r\nTable 7. ATT\u0026CK Techniques for Enterprise: Lateral Movement\r\nTechnique Title | ID | Use\r\nRemote Services: SMB/Windows Admin Shares | T1021.002 | CL0P actors have been observed attempting to compromise the AD server using Server Message Block (SMB) vulnerabilities with follow-on Cobalt Strike activity.\r\nRemote Service Session Hijacking: RDP Hijacking | T1563.002 | CL0P ransomware actors have been observed using Remote Desktop Protocol (RDP) to interact with compromised systems after initial access.\r\nTable 8. ATT\u0026CK Techniques for Enterprise: Collection\r\nTechnique Title | ID | Use\r\nScreen Capture | T1113 | CL0P actors use Truebot to take screenshots in an effort to collect sensitive data.\r\nTable 9. ATT\u0026CK Techniques for Enterprise: Command and Control\r\nTechnique Title | ID | Use\r\nApplication Layer Protocol | T1071 | CL0P actors use FlawedAmmyy remote access trojan (RAT) to communicate with the Command and Control (C2) server.\r\nIngress Tool Transfer | T1105 | CL0P actors are assessed to use FlawedAmmyy remote access trojan (RAT) for the download of additional malware components. CL0P actors use SDBot to drop copies of itself in removable drives and network shares.\r\nTable 10. ATT\u0026CK Techniques for Enterprise: Exfiltration\r\nTechnique Title | ID | Use\r\nExfiltration Over C2 Channel | T1041 | CL0P actors exfiltrate data over C2 channels.\r\nMITIGATIONS\r\nThe authoring agencies recommend organizations implement the mitigations below to improve their organization’s security\r\nposture in response to threat actors’ activity. These mitigations align with the Cross-Sector Cybersecurity Performance\r\nGoals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a\r\nminimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST\r\nbased the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful\r\nthreats and TTPs.
Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including\r\nadditional recommended baseline protections to reduce the risk of compromise by CL0P ransomware.\r\nReduce threat of malicious actors using remote access tools by:\r\nAuditing remote access tools on your network to identify currently used and/or authorized software.\r\nReviewing logs for execution of remote access software to detect abnormal use of programs running as a\r\nportable executable [CPG 2.T].\r\nUsing security software to detect instances of remote access software only being loaded in memory.\r\nRequiring authorized remote access solutions only be used from within your network over approved remote\r\naccess solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs).\r\nBlocking both inbound and outbound connections on common remote access software ports and protocols\r\nat the network perimeter.\r\nImplement application controls to manage and control execution of software, including allowlisting remote access\r\nprograms.\r\nApplication controls should prevent installation and execution of portable versions of unauthorized remote\r\naccess and other software. A properly configured application allowlisting solution will block any unlisted\r\napplication execution. Allowlisting is important because antivirus solutions may fail to detect the execution of\r\nmalicious portable executables when the files use any combination of compression, encryption, or\r\nobfuscation.\r\nStrictly limit the use of RDP and other remote desktop services. 
If RDP is necessary, rigorously apply best\r\npractices, for example [CPG 2.W]:\r\nAudit the network for systems using RDP.\r\nClose unused RDP ports.\r\nEnforce account lockouts after a specified number of attempts.\r\nApply phishing-resistant multifactor authentication (MFA).\r\nLog RDP login attempts.\r\nDisable command-line and scripting activities and permissions [CPG 2.N].\r\nRestrict the use of PowerShell, using Group Policy, and only grant to specific users on a case-by-case basis.\r\nTypically, only those users or administrators who manage the network or Windows operating systems (OSs) should\r\nbe permitted to use PowerShell [CPG 2.E].\r\nUpdate Windows PowerShell or PowerShell Core to the latest version and uninstall all earlier PowerShell\r\nversions. Logs from Windows PowerShell prior to version 5.0 are either non-existent or do not record enough detail\r\nto aid in enterprise monitoring and incident response activities [CPG 1.E, 2.S, 2.T].\r\nReview domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts\r\n[CPG 4.C].\r\nAudit user accounts with administrative privileges and configure access controls according to the principle of\r\nleast privilege [CPG 2.E].\r\nReduce the threat of credential compromise via the following:\r\nPlace domain admin accounts in the protected users’ group to prevent caching of password hashes locally.\r\nRefrain from storing plaintext credentials in scripts.\r\nImplement time-based access for accounts set at the admin level and higher [CPG 2.A, 2.E].\r\nIn addition, the authoring authorities of this CSA recommend network defenders apply the following mitigations to limit\r\npotential adversarial use of common system and network discovery techniques and to reduce the impact and risk of\r\ncompromise by ransomware or data extortion actors: \r\nImplement a recovery plan to maintain and retain 
multiple copies of sensitive or proprietary data and servers in a\r\nphysically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).\r\nMaintain offline backups of data and regularly maintain backup and restoration (daily or weekly at minimum). By\r\ninstituting this practice, an organization limits the severity of disruption to its business practices [CPG 2.R].\r\nRequire all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to\r\ncomply with National Institute for Standards and Technology (NIST) standards for developing and managing\r\npassword policies.\r\nUse longer passwords consisting of at least eight characters and no more than 64 characters in length [CPG\r\n2.B].\r\nStore passwords in hashed format using industry-recognized password managers.\r\nAdd password user “salts” to shared login credentials.\r\nAvoid reusing passwords [CPG 2.C].\r\nImplement multiple failed login attempt account lockouts [CPG 2.G].\r\nDisable password “hints.”\r\nRefrain from requiring password changes more frequently than once per year.\r\nNote: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password\r\nresets. Frequent password resets are more likely to result in users developing password “patterns” cyber\r\ncriminals can easily decipher.\r\nRequire administrator credentials to install software.\r\nRequire multifactor authentication for all services to the extent possible, particularly for webmail, virtual private\r\nnetworks, and accounts that access critical systems [CPG 2.H].\r\nKeep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and\r\ncost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching\r\nknown exploited vulnerabilities in internet-facing systems [CPG 1.E].\r\nSegment networks to prevent the spread of ransomware. 
Network segmentation can help prevent the spread of\r\nransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary\r\nlateral movement [CPG 2.F].\r\nIdentify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a\r\nnetwork monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network\r\ntraffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are\r\nparticularly useful for detecting lateral connections as they have insight into common and uncommon network\r\nconnections for each host [CPG 3.A].\r\nInstall, regularly update, and enable real-time detection for antivirus software on all hosts.\r\nDisable unused ports [CPG 2.V].\r\nConsider adding an email banner to emails received from outside your organization [CPG 2.M].\r\nDisable hyperlinks in received emails.\r\nEnsure all backup data is encrypted, immutable (i.e., ensure backup data cannot be altered or deleted), and covers\r\nthe entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R].\r\nVALIDATE SECURITY CONTROLS\r\nIn addition to applying mitigations, FBI and CISA recommend exercising, testing, and validating your organization’s\r\nsecurity program against the threat behaviors mapped to the MITRE ATT\u0026CK for Enterprise framework in this advisory.\r\nThe authoring authorities of this CSA recommend testing your existing security controls inventory to assess how they\r\nperform against the ATT\u0026CK techniques described in this advisory.\r\nTo get started:\r\n1. Select an ATT\u0026CK technique described in this advisory (see table 2).\r\n2. Align your security technologies against the technique.\r\n3. Test your technologies against the technique.\r\n4. Analyze your detection and prevention technologies’ performance.\r\n5. 
Repeat the process for all security technologies to obtain a set of comprehensive performance data.\r\n6. Tune your security program, including people, processes, and technologies, based on the data generated by this\r\nprocess.\r\nRESOURCES\r\nStopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources\r\nand alerts.\r\nResource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC)\r\nJoint Ransomware Guide.\r\nNo-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment .\r\nREFERENCE\r\n[1] Zero-Day Vulnerability in MOVEit Transfer Exploited for Data Theft | Mandiant\r\n[2] MOVEit Transfer Critical Vulnerability (May 2023) - Progress Community\r\n[3] MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response (huntress.com)\r\nREPORTING\r\nThe FBI is seeking any information that can be shared, to include boundary logs showing communication to and from\r\nforeign IP addresses, a sample ransom note, communications with CL0P group actors, Bitcoin wallet information, decryptor\r\nfiles, and/or a benign sample of an encrypted file. The FBI and CISA do not encourage paying ransom as payment does not\r\nguarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional\r\norganizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.\r\nRegardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly\r\nreport ransomware incidents to a local FBI Field Office, report the incident to the FBI Internet Crime Complaint Center\r\n(IC3) at ic3.gov, or CISA at cisa.gov/report.\r\nDISCLAIMER\r\nThe information in this report is being provided “as is” for informational purposes only. CISA and the FBI do not endorse\r\nany commercial product or service, including any subjects of analysis. 
Any reference to specific commercial products,\r\nprocesses, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement,\r\nrecommendation, or favoring by CISA or the FBI.\r\nSource: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a"
	],
	"report_names": [
		"aa23-158a"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434948,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a96602666feba404c2ded406edfb55b5ad26c31b.pdf",
		"text": "https://archive.orkl.eu/a96602666feba404c2ded406edfb55b5ad26c31b.txt",
		"img": "https://archive.orkl.eu/a96602666feba404c2ded406edfb55b5ad26c31b.jpg"
	}
}