{
	"id": "789f132d-11b8-4f16-878f-9b7164757931",
	"created_at": "2026-04-06T00:10:59.740097Z",
	"updated_at": "2026-04-10T03:36:36.826855Z",
	"deleted_at": null,
	"sha1_hash": "aa964bbeb3b40fbdd5be5aa0960c00706c0c7f60",
	"title": "New modular downloaders fingerprint systems - Part 3: CobInt | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1007803,
	"plain_text": "New modular downloaders fingerprint systems - Part 3: CobInt | Proofpoint US\r\nBy Proofpoint Staff, September 11, 2018\r\nPublished: 2018-09-11 · Archived: 2026-04-05 17:10:38 UTC\r\nOverview\r\nProofpoint researchers discovered two new modular downloaders this summer: Marap [1] and AdvisorsBot [2], both of which were noteworthy for their small footprints, stealthy infections, and apparent focus on reconnaissance. We have also observed an actor commonly known as Cobalt Gang (or Group) using another new downloader that shares many of these characteristics since early 2018. Group-IB named this malware “CobInt” and released a report on its use by Cobalt Gang in May [3]. While we noticed that Cobalt Gang appeared to stop using CobInt as a first-stage downloader around the time researchers at Group-IB published their findings, they have since returned to using the downloader as of July. Arbor Networks also recently released a blog post detailing some of the renewed CobInt activity [4]. In this post, we describe recent activity that we have observed and analyze the multi-stage CobInt malware in detail.\r\nCampaign Analysis\r\nOn August 2, 2018, we observed messages with the subject “Подозрение на мошенничество” (translated from Russian: “Suspicion of fraud”) purporting to be from “Interkassa” using a sender email address with a lookalike domain “denis[@]inter-kassa[.]com”. The messages contained two URLs. The first linked to a macro document that ultimately installed the More_eggs downloader [5], while the second linked directly to the CobInt stage 1 executable. This campaign was also detailed in Arbor’s report [4].\r\nOn August 14, 2018, we observed messages spoofing the Single Euro Payments Area (SEPA) with lookalike sender domains sepa-europa[.]com or sepa-europa[.]info and subjects such as “notification”, “letter”, “message”, and “notice”. The messages (Figure 1) contained:\r\n1. A Microsoft Word attachment (sepa rules.doc) -- a ThreadKit [6] exploit document that would exploit CVE-2017-8570, CVE-2017-11882, or CVE-2018-0802 -- to execute the embedded CobInt Stage 1 payload.\r\n2. In some cases, URLs linking directly to the CobInt downloader.\r\nhttps://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint\r\nPage 1 of 13\r\nFigure 1: Example message from August 14\r\nOn August 16, 2018, we observed messages purporting to be from Alfa Bank using a lookalike domain aifabank[.]com and subjects such as “Fraud Control”, “Фрауд” (translates to “Fraud”), “Предотвращение хищения” (translates to “Prevention of theft”), and “Блокирование транзакций” (translates to “Transaction Blocking”). The messages (Figure 2) contain URLs linking to a hosted ThreadKit exploit document that would exploit CVE-2017-8570, CVE-2017-11882, or CVE-2018-0802, to execute the embedded CobInt Stage 1.\r\nFigure 2: Example message from August 16, with stolen branding\r\nOn September 4, 2018, we observed messages purporting to be from Raiffeisen Bank using lookalike sender domains ralffeisen[.]com and subjects such as “Fraudulent transaction”, “Wire Transfer Fraud”, and “Request for data”. The messages (Figure 3) contained a Microsoft Word attachment that used a relationship object to download an external VBScript file containing an exploit for CVE-2018-8174 leading to the execution of CobInt stage 1.\r\nFigure 3: Example message from the September 4 campaign\r\nMalware Analysis\r\nCobInt is a downloader malware written in C. Its name is based on the association of the malware with the “Cobalt Group” threat actor and an internal DLL name of “int.dll” used in some of the samples. The malware can be broken up into three stages: an initial downloader that downloads the main component, the main component itself, and various additional modules.\r\nStage 1: Basic Downloader\r\nThe first stage is a basic downloader with the purpose of downloading the main CobInt component. As with other downloaders we have examined recently, its functionality is disguised by the use of Windows API function hashing (an implementation of the hashing algorithm in Python is available on Github [7]).\r\nThe command and control (C\u0026C) host and URI are stored as encrypted strings. The encryption algorithm is a basic XOR with a 4-byte key that changes from sample to sample (an IDA Pro Python script that extracts and decrypts the strings from a memory dump is available on Github [8]). In the analyzed sample (from August 14) the C\u0026C host and URI were “rietumu[.]me” and “xaczkajeieypiarll” respectively.\r\nThe next stage is downloaded via HTTPS and an example of request and response data is shown in Figures 4 and 5.\r\nFigure 4: Stage 1 HTTPS request\r\nFigure 5: Stage 1 HTTPS response data\r\nThe response data is encrypted using three layers (a Python script that decrypts the response is available on Github [9]):\r\n1. A character-based substitution cipher\r\n2. Base64 encoding\r\n3. XOR using the same XOR key as used for string encryption\r\nThe decrypted data contains a DLL, which is CobInt’s main component. Stage 1 finishes by loading and executing the DLL.\r\nStage 2: Main Component\r\nThe main component downloads and executes various modules from its C\u0026C. C\u0026C hosts are stored in a 64-byte chunk of encrypted data. They can be decrypted by XORing with a 64-byte XOR key (an IDA Pro Python script that can extract and decrypt the hosts from a memory dump is available on Github [10]). C\u0026C hosts are pipe delimited, but at the time of publication we have not seen more than one host specified in the encrypted text. In the analyzed sample, the C\u0026C host was the same as the stage 1 C\u0026C: rietumu[.]me.\r\nThe malware uses HTTPS to communicate with the C\u0026C server. An example command poll request is shown in Figure 6.\r\nFigure 6: Stage 2 HTTPS command poll request\r\nThe C\u0026C URI is similar to the stage 1 URI, but instead of being hardcoded, the URI is generated for each request. The URI generation encodes information that is likely used as a “bot ID” to identify the victim:\r\n1. A random 4- to 10-byte XOR key is generated\r\n2. The following data is hashed with the algorithm shown in Figure 7 below:\r\n   - Hash of the MAC address (same algorithm as in Figure 7)\r\n   - Current process ID\r\n   - Unknown argument (hardcoded to 0x01)\r\n3. The hashed data is XOR-encoded using the randomly generated XOR key\r\n4. The following data is organized into a binary structure:\r\n   - Random XOR key length\r\n   - Random XOR key\r\n   - XOR-encoded hashed data\r\n5. The entire structure is XOR-encoded with the 64-byte XOR key used in the C\u0026C host obfuscation\r\n6. The binary data is encoded into characters using an unknown encoding algorithm\r\nFigure 7: Hash function used in various parts of stage 2\r\nAn example of response data is shown in Figure 8.\r\nFigure 8: Stage 2 HTTPS response data\r\nThe response is meant to look like an HTML file by including various HTML tags (a creative way to potentially make analysts and tools overlook it), but, in fact, contains encrypted data. It can be decrypted using the following process (Python scripts that perform the decryption are available on Github [11]):\r\n1. Remove HTML tags\r\n2. Convert all text to lowercase\r\n3. Remove all characters that are not “a-z”\r\n4. Convert the characters into binary data via an unknown decoding algorithm\r\n5. XOR decrypt the binary data with the embedded 64-byte XOR key used in C\u0026C host decryption\r\n6. Perform a second round of XOR decryption using the following key:\r\n   - XOR key length is indicated by the last byte of data\r\n   - XOR key is the last “X” bytes of data (excluding length byte), where “X” is the length of the key\r\nA decrypted response contains the following structure:\r\n- Command (BYTE)\r\n- Command ID (DWORD)\r\n- Command data\r\nWe have identified four commands that may be sent to the malware from the C\u0026C:\r\n1. Load/execute module\r\n2. Stop polling C\u0026C\r\n3. Execute function set by module (at the time of publication we have not seen how this functionality is used)\r\n4. Update C\u0026C polling wait time\r\nStage 3: Modules\r\nCommand 1 above implements the main functionality of CobInt: to download and execute additional modules. The data for this command is organized in the following binary structure:\r\n- Module hash (see Figure 7 above) (DWORD)\r\n- Module length (DWORD)\r\n- Module\r\n- Entry point (DWORD)\r\n- Unknown DWORD passed to module\r\n- Unknown remaining data passed to module\r\nModules are loaded as shellcode and begin executing at the indicated entry point. The code at the entry point XOR decrypts itself with a 4-byte XOR key that changes from module to module (see Figure 8). Once decrypted, the module turns into a DLL.\r\nFigure 9: Example of module decrypting itself into a DLL\r\nWhen the module DLL is executed, an “operations” function is also passed to it from the main component that defines two operations:\r\n1. Queue data in the main component to be sent to the C\u0026C server\r\n2. Register a function to be executed by command 3 (at the time of publication we have not seen how this functionality is used)\r\nModule responses and error messages are queued up and sent to the C\u0026C server during the next command poll request. If there are any messages to be sent during the command poll, the HTTPS request is switched from GET to POST and the message is included as POST data. Message data is formatted in the following binary structure:\r\n- Module hash\r\n- Response/error code\r\n- Data length\r\n- Data\r\n- Random 32- or 64-byte XOR key\r\nThe message is encrypted in 3 layers:\r\n1. First four components are XOR-encrypted using the randomly generated XOR key\r\n2. The entire structure is XOR-encrypted using the embedded 64-byte XOR key used in C\u0026C host encryption\r\n3. The binary data is converted to characters using an unknown encoding algorithm\r\nAt the time of publication we have observed two modules being sent from a C\u0026C server, whose function was to:\r\n1. Send a screenshot to the C\u0026C\r\n2. Send a list of running process names to the C\u0026C\r\nWe assume then that, following the reconnaissance actions above, threat actors would deploy additional modules to infected systems of interest.\r\nConclusion\r\nCobInt provides additional evidence that threat actors -- from newer players we featured in our AdvisorsBot blog to established actors like TA505 and Cobalt Group -- are increasingly looking to stealthy downloaders to initially infect systems and then only install additional malware on systems of interest. As defenses improve across the board, threat actors must innovate to improve the returns on their investments in malware and infection vectors, making this approach consistent with the “follow the money” theme we have associated with a range of financially motivated campaigns over the years. This appears to be the latest trend as threat actors look to increase their effectiveness and differentiate final payloads based on user profiles.\r\nReferences\r\n[1] https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap\r\n[2] https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot\r\n[3] https://www.group-ib.com/blog/renaissance\r\n[4] https://asert.arbornetworks.com/double-the-infection-double-the-fun/\r\n[5] https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/\r\n[6] https://www.proofpoint.com/us/threat-insight/post/unraveling-ThreadKit-new-document-exploit-builder-distribute-The-Trick-Formbook-Loki-Bot-malware\r\n[7] https://github.com/EmergingThreats/threatresearch/blob/master/cobint/stage1_func_hashes.py\r\n[8] https://github.com/EmergingThreats/threatresearch/blob/master/cobint/stage1_decrypt_str.py\r\n[9] https://github.com/EmergingThreats/threatresearch/blob/master/cobint/stage1_decrypt_response.py\r\n[10] https://github.com/EmergingThreats/threatresearch/blob/master/cobint/stage2_decrypt_str.py\r\n[11] https://github.com/EmergingThreats/threatresearch/blob/master/cobint/stage2_decrypt_response.py\r\nIndicators of Compromise (IOCs)\r\nIOC | IOC Type | Description\r\nhxxps://download[.]outlook-368[.]com/Document00591674.doc | URL | Download URL to Macro Document (August 2)\r\nhxxp://sepa-europa[.]eu/transactions/id02082018.jpg | URL | Download URL to CobInt Stage 1 (August 2)\r\nhxxp://sepa-europa[.]eu/document.scr | URL | Download URL to CobInt Stage 1 (August 2)\r\n6ca3fc2924214dbf14ba63dde2edb1e5045a405c3370a624c1bb785f1dc0e8ff | SHA256 | Macro Document (August 2)\r\n5859a21be4ca9243f6adf70779e6986f518c3748d26c427a385efcd3529d8792 | SHA256 | CobInt Stage 1 (August 2)\r\nibfseed[.]com | Host | CobInt C\u0026C (August 2)\r\n0367554ce285a3622eb5ca1991cfcb98b620d0609c07cf681d9546e2bf1761c4 | SHA256 | ThreadKit Attachment (August 14)\r\nhxxps://sepacloud[.]eu/file/Documents/document_78219.jpg | URL | CobInt Stage 1 Download URL (August 14)\r\nhxxps://sepa-cloud[.]com/file/Documents/document_78219.jpg | URL | CobInt Stage 1 Download URL (August 14)\r\nhxxps://sepa-cloud[.]com/file/Documents/document_78219.scr | URL | CobInt Stage 1 Download URL (August 14)\r\ndad7b4bfe0a1adc5ca04cd572f4e6979e64201d51d26472539c0241a76a50f28 | SHA256 | CobInt Stage 1 (August 14)\r\nrietumu[.]me | Host | CobInt C\u0026C (August 14)\r\n2f7b5219193541ae993f5cf87a1f6c07705aaa907354a6292bc5c8d8585e8bd1 | SHA256 | CobInt Stage 2 (August 14)\r\n1fc24f89f1d27addd422c99a163cedc97497b76b5240da3b5f58096025bbe383 | SHA256 | Decrypted Screenshot Module (August 14)\r\nab73ad1ef898e25052c500244a754aa9964dff7fd173b903d1230a9e8d91596f | SHA256 | Decrypted Get Process Names Module (September 4)\r\nhxxps://aifa-bank[.]com/documents/2018/fraud/fraud_16082018.doc | URL | Download URL to ThreadKit Document (August 16)\r\neb9d34aba286471a147488ea82eec9902034f9f1cf75c4fa1c7dd40815a493d8 | SHA256 | ThreadKit Document (August 16)\r\n8263e0db727be2660f66e2e692b671996c334400d83e94fc0355ec0949dce05c | SHA256 | CobInt Stage 1 (August 16)\r\nclick-alfa[.]com | Host | CobInt C\u0026C (August 16)\r\n5d29b89e9ee14261c1b556bbc66650488b590f311173aef641e178ba735e6e0d | SHA256 | Exploit Document (September 4)\r\nhxxps://raifeisen[.]co/invoice/id/305674567 | URL | Download URL to CVE-2018-8174 VBS (September 4)\r\n9c0ddfcfb8d1e64332fa7420f690e65a6c4ecbeef6395f4c7645da51098962cc | SHA256 | CVE-2018-8174 VBS (September 4)\r\nactivrt[.]com | Host | CobInt C\u0026C (September 4)\r\nET and ETPRO Suricata/Snort Signatures\r\n2832437 || ETPRO TROJAN Observed Malicious SSL Cert (cobint Downloader)\r\n2832171 || ETPRO TROJAN Observed Malicious SSL Cert (cobint Module CnC)\r\nSource: https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint"
	],
	"report_names": [
		"new-modular-downloaders-fingerprint-systems-part-3-cobint"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "220e1e99-97ab-440a-8027-b672c5c5df44",
			"created_at": "2022-10-25T16:47:55.773407Z",
			"updated_at": "2026-04-10T02:00:03.649501Z",
			"deleted_at": null,
			"main_name": "GOLD KINGSWOOD",
			"aliases": [
				"Cobalt Gang ",
				"Cobalt Spider "
			],
			"source_name": "Secureworks:GOLD KINGSWOOD",
			"tools": [
				"ATMSpitter",
				"Buhtrap",
				"Carbanak",
				"Cobalt Strike",
				"CobtInt",
				"Cyst",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"SpicyOmelette"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434259,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aa964bbeb3b40fbdd5be5aa0960c00706c0c7f60.pdf",
		"text": "https://archive.orkl.eu/aa964bbeb3b40fbdd5be5aa0960c00706c0c7f60.txt",
		"img": "https://archive.orkl.eu/aa964bbeb3b40fbdd5be5aa0960c00706c0c7f60.jpg"
	}
}