{
	"id": "013c0fd1-e537-469b-b075-5c65a15e6e2e",
	"created_at": "2026-04-06T00:18:02.83774Z",
	"updated_at": "2026-04-12T02:22:01.981487Z",
	"deleted_at": null,
	"sha1_hash": "ad168d768823c2d2bd4bcf8625ff7ab62f6f1d9e",
	"title": "Diavol - A New Ransomware Used By Wizard Spider? | Fortinet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1555225,
	"plain_text": "Diavol - A New Ransomware Used By Wizard Spider? | Fortinet\r\nPublished: 2021-07-01 · Archived: 2026-04-05 14:56:11 UTC\r\nFortiGuard Labs Threat Research Report\r\nAffected Platforms: Windows\r\nImpact: Data encryption, Data destruction\r\nThreat Severity: Critical\r\nDiavol Introduction\r\nAt the beginning of June, FortiEDR prevented a ransomware attack that had targeted one of our customers. After successfully stopping the attack, we were able to isolate two suspicious files that, at the time, were not found on VirusTotal: locker.exe and locker64.dll. In the timeline of the attack, locker.exe was deployed a day before locker64.dll. While we were able to identify locker64.dll as Conti (v3) ransomware, locker.exe appeared to be entirely different. So, let’s say hello to a new ransomware family.\r\nIn this blog, we’ll dive into the inner workings of Diavol and its possible attribution to the criminal group known as Wizard Spider.\r\nFirst Encounter with Diavol\r\nThe ransomware drops a ransom note in text format in every folder it traverses, as can be seen in figure 1.\r\nFigure 1: The dropped \"README_FOR_DECRYPT.txt\" ransom note.\r\nAccording to the note, the authors claim they stole data from the victim’s machine, though we did not find a sample capable of doing that. This is either a bluff or a placeholder for future capabilities. Browsing to the URL led us to a website, seen in figures 2 and 3, from which we derived the name for the ransomware.\r\nhttps://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider\r\nPage 1 of 9\n\nFigures 2 and 3: Diavol’s website using Tor browser.\r\nAs part of a rather unique encryption procedure, Diavol queues its per-file work as user-mode Asynchronous Procedure Calls (APCs) and encrypts with an asymmetric algorithm only, with no symmetric cipher involved. 
Usually, ransomware authors aim to complete the encryption operation in the shortest amount of time. Asymmetric encryption algorithms are not the obvious choice, as they are significantly slower than symmetric algorithms.\r\nTechnical Analysis\r\nlocker.exe is a 32-bit executable compiled with the Microsoft Visual C/C++ compiler. The timestamp 2021-04-30 15:58:15 in the file supports the hypothesis that this ransomware is relatively new.\r\nUpon execution, Diavol starts by checking the command-line arguments:\r\n\"-p\": path to a file with a list of paths to scan first for files.\r\n\"-log\": path to a log file.\r\n\"-m\": mode: net or local.\r\n    net - encrypt network shares only.\r\n    local - encrypt local drives only and ignore network shares.\r\n\"-h\": path to a file that contains specific hosts (names and IPs) to enumerate for shares.\r\n\"-s\": IP address that the initial register message will be sent to. Overrides the hardcoded address.\r\nThe following command-line parameters were observed in the incident:\r\n-p \"C:\\b.txt\" -m local -log \"C:\\programdata\\log.txt\"\r\nThe log file lists the files that were encrypted.\r\nThe authors did not strip the path to the debugging information (PDB) file; unfortunately, it does not divulge sensitive or incriminating details about the ransomware authors:\r\nD:\\Development\\Master\\onion\\locker.divided\\LockMainDIB\\Release\\LockMainDIB.pdb\r\nWhile Diavol is neither packed nor uses any anti-disassembly tricks, it does use an interesting anti-analysis technique to obfuscate its code. Its main routines are kept in bitmap images, which are stored in the PE resource section. 
Before calling each routine, it copies the bytes from the bitmap to a global buffer that has execute permissions.\r\nFigure 4: Diavol’s internal routines stored as bitmaps.\r\nThe imports used by each routine are also stored in the resource section under \"OFFSET\", with the same names as the bitmaps.\r\nFigure 5: Diavol’s import data for the REGISTER routine.\r\nDiavol has 14 different routines stored as bitmaps. They are called in the following order:\r\nFigure 6: Diavol’s execution flow for invoking routines from the resource section.\r\n· Create an identifier for the victim:\r\nThe GENBOTID routine creates a unique identifier for the infected machine. It is composed of the following:\r\n\u003cNetBIOS_computer_name\u003e + \u003cusername\u003e + “_W” + \u003cOS major version in hex\u003e + \u003cOS minor version in hex\u003e + \u003cOS build number in hex\u003e + “.” + \u003crandom_GUID_bytes in hex\u003e\r\n· Initialize configuration:\r\nThe SHAPELISTS routine copies the hardcoded configuration from the PE’s .data section. The configuration begins with the “STATIC_DATA” string and holds many Unicode strings:\r\n- Base64-encoded RSA public key.\r\n- Server address for the initial registration.\r\n- Group ID for the initial registration.\r\n- List of excluded file extensions, file names and paths.\r\n- List of process names to terminate.\r\n- List of service names to stop.\r\n- List of paths to enumerate files.\r\n- List of filenames to delete.\r\n- Ransom note (stored reversed).\r\n· Register with the C\u0026C server and update configuration:\r\nThe REGISTER payload uses the WinINet API to send a request to a server and returns the response status code. 
Diavol issues a POST request to the C\u0026C server at the hxxp://\u003cserver_address\u003e/BnpOnspQwtjCA/register URL with the following headers:\r\nUser-Agent: \"Agent\"\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nThe body of the request is:\r\ncid=\u003cunique_victim_id\u003e\u0026group=\u003cgroup_id_from_config\u003eip_local1=111.111.111.111\u0026ip_local2=222.222.222.222\u0026ip_external=2.16.7.12\r\nIf the server returns a success status, the ransomware attempts to get an updated configuration from the C\u0026C server. Since the “-s” command-line parameter was not provided, and as the configured address is 127.0.0.1 (localhost), the ransomware neither registered itself nor retrieved configuration updates in this incident.\r\nThe FROMNET routine also sends a request to the server using the WinINet API and returns the data from the response. To get an updated configuration and override the hardcoded values, the ransomware sends HTTP GET requests, using the same headers as before, to:\r\nhxxp://173[.]232[.]146[.]118/Bnyar8RsK04ug/\u003cunique_victim_id\u003e/qqq123/\u003cobject_name\u003e\r\nThe following objects are supported:\r\n- /key - Base64-encoded RSA public key.\r\n- /services - list of services to stop.\r\n- /priority - list of paths to scan for files first.\r\n- /ignore - list of file extensions, filenames and paths to exclude.\r\n- /ext - list of file extensions to include.\r\n- /wipe - list of filenames to delete if they are found while enumerating the filesystem.\r\n- /landing - ransom note.\r\nInspecting the network traffic to 173.232.146.118 showed that the HTTP Cookie header contains the string “diavol_session”.\r\nFigure 7: Network traffic to Diavol’s C\u0026C server.\r\n· Stop services and processes:\r\nTo maximize its effect on the target machine and to encrypt as many files as possible, the ransomware terminates running processes that can lock access to valuable files, such as databases, office 
applications, financial/accounting software, web servers, and virtual machines.\r\nSERVPROC stops services using the Service Control Manager (SCM) API. This API requires administrator permissions, which suggests the attackers are aware of this requirement and have taken appropriate steps beforehand.\r\nThe sample attempts to stop the following services:\r\nsqlservr.exe, sqlmangr.exe, RAgui.exe, QBCFMonitorService.exe, supervise.exe, fdhost.exe, Culture.exe, RTVscan.exe, Defwatch.exe, wxServerView.exe, s\r\nGDscan.exe, QBW32.exe, QBDBMgr.exe, qbupdate.exe, axlbridge.exe, 360se.exe, 360doctor.exe, QBIDPService.exe, wxServer.exe, httpd.exe, fdlauncher.e\r\njava.exe, wdswfsafe.exe.\r\nIn addition, the malware developers do not check whether the API calls succeed.\r\nFigure 8: Disassembly of SCM API calls to stop services.\r\nKILLPR uses the CreateToolhelp32Snapshot, Process32First and Process32Next APIs to enumerate the running processes in the system.\r\nThe sample attempts to terminate the following list of processes:\r\nDefWatch, ccEvtMgr, ccSetMgr, SavRoam, dbsrv12, sqlservr, sqlagent, Intuit.QuickBooks.FCS, dbeng8, sqladhlp, QBIDPService, Culserver, RTVscan, vmware-usbarbitator64, vmware-converter, VMAuthdService, VMnetDHCP, VMUSBArbService, VMwareHostd, sqlbrowser, SQLADHLP, sqlwriter, msmdsrv, tomcat6, QBCFMonitorServicechrome.exe, outlook.exe, chrome.exe.\r\nThe authors of Diavol made some mistakes in their hardcoded configuration. For starters, SERVPROC gets the list of process names to terminate instead of the list of service names to stop, and vice versa. The services list appears to include items that have nothing to do with services, like \"winword.exe\". 
In the processes list, only the last three items look like actual process names, and even one of those is wrong (\"QBCFMonitorServicechrome.exe\" looks like a concatenation of “QBCFMonitorService” and “chrome.exe”).\r\n· Initialize encryption key:\r\nRSAINIT initializes the RSA public key used for encryption with the standard WinCrypt API.\r\n· Find all drives to encrypt:\r\nENMDSKS gets all the local drives in the system using the GetLogicalDriveStrings API and checks that they are not in the exclusion list. This routine is skipped if the mode command-line parameter (“-m”) is set to “net”.\r\nThe default list of excluded file extensions, file names and paths is:\r\n*.exe, *.sys, *.dll, *.lock64, *readme_for_decrypt.txt, *locker.txt, *unlocker.txt, %WINDIR%\\, %PROGRAMFILES%\\, %PROGRAMW6432%\\, %TEMP%\r\nThe SMBFAST and SMB routines enumerate accessible network shares.\r\nSMBFAST is only called if the “-h” parameter is present. This routine scans for accessible network shares on the specified hosts.\r\nSMB scans for accessible network shares on hosts found in the ARP table. Note that this routine is skipped if the mode command-line parameter (“-m”) is set to “local”.\r\n· Find files to encrypt:\r\nFINDFILES traverses the files and directories in a given path. This routine is invoked multiple times:\r\n- For the paths given by the “-p” command-line parameter or the hardcoded configuration.\r\n- According to ENMDSKS results.\r\n- According to SMBFAST results.\r\n- According to SMB results.\r\nFirst, the routine checks that the given file or folder is not in the exclusion list. Then the routine determines whether the current item is in the list of files to delete. 
If not, it queues an APC on the current thread that receives the path to the item as an argument.\r\nFigure 9: Disassembly of the file system traversal.\r\n· Prevent recovery by deleting shadow copies:\r\nVSSMOD drops and executes wscpy.exe in the current working directory, choosing the variant by OS version (Windows Server 2003, or Vista and newer) and architecture (32- or 64-bit). The shadow copy snapshots are deleted through the IVssBackupComponents COM object by calling its DeleteSnapshots method.\r\nThe dropped binaries are also kept in plaintext in the resource section under \"TEXT\". These binaries contain the PDB paths from their builds:\r\nD:\\Projects\\Repository\\LockCry.divided\\WipeShadowCopies64\\RelNoCRT\\WipeShadowCopies64.pdb\r\nD:\\Projects\\Repository\\LockCry.divided\\WipeShadowCopies64\\x64\\RelNoCRT\\WipeShadowCopies64.pdb\r\nD:\\Development\\Master\\onion\\locker.divided\\WipeShadowCopies64\\RelNoCRT_Win2003\\WipeShadowStorageWin2003_32.pdb\r\nD:\\Development\\Master\\onion\\locker.divided\\WipeShadowCopies64\\x64\\RelNoCRT_Win2003\\WipeShadowStorageWin2003_64.pdb\r\n· Encryption:\r\nAs mentioned before, FINDFILES queues an APC object with a file or directory path. For the APCs to execute, the main function calls the SleepEx API in its final steps to put the thread into an alertable state.\r\nThe APC routine checks whether the argument is a directory and, if so, creates the “README_FOR_DECRYPT.txt” ransom note regardless of whether any files in the directory were encrypted. If the argument is a file, the ENCDEFILE routine is called.\r\nFigure 10: Disassembly of the APC routine checking the parameter type.\r\nUnlike most other ransomware families, Diavol does not use any symmetric encryption; it uses only RSA to encrypt the files.\r\nENCDEFILE checks the file size. 
If it is less than 2,000,000 bytes, only up to the first 11,700 bytes are encrypted. If the file size is 2,000,000 bytes or more, only the first 1,170,000 bytes (100 blocks of 11,700 bytes) are encrypted; everything past that offset is left untouched, which matters for the recovery of large files such as databases and virtual disks.\r\nEach block of 11,700 bytes is split into 100 chunks of 117 bytes each, and each chunk is encrypted separately using the CryptEncrypt API. 117 plaintext bytes become 128 bytes of ciphertext (sizes consistent with a 1024-bit RSA key and PKCS#1 v1.5 padding, which costs 11 bytes per block), so 11,700 bytes become 12,800 bytes following encryption. Diavol overwrites the file in place, writing 11,700 encrypted bytes at the block’s original offset, and appends the remaining 1,100 bytes to the end of the file.\r\nFinally, ENCDEFILE calls the MoveFile API to append a “.lock64” extension to the filename.\r\nOnce all APCs are dequeued and completed, the thread returns from the call to SleepEx.\r\n· Change the desktop wallpaper:\r\nBefore the process terminates, CHNGDESK is invoked.\r\nFirst, it captures the desktop window and sets the background color to black. It then writes \"All your files are encrypted! For more information see “README-FOR-DECRYPT.txt\" with the DrawText API to a bitmap image and saves it as \"encr.bmp\" in the public pictures folder. Finally, it changes the desktop wallpaper to the new image using the SystemParametersInfo API with the SPI_SETDESKWALLPAPER flag.\r\nFigure 11: Desktop wallpaper after being changed.\r\nConnections to Conti and Egregor\r\nAs Diavol was deployed in conjunction with the Conti ransomware in this attack, albeit on different machines, we tried to see if there is any correlation between them.\r\nStarting with the command-line parameters, the ones used by Diavol are nearly identical to those of Conti and are used for the same functionality: log file, encrypt local drives or network shares, and scan specific hosts for network shares.\r\n
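Going back to the ENCDEFILE scheme described in the Encryption section: the constants reported there (11,700-byte blocks of 100 chunks, 117 plaintext bytes per chunk becoming 128, a 2,000,000-byte size threshold and a 1,170,000-byte cap) fix exactly which bytes of a .lock64 file are ciphertext and which are untouched plaintext, and they let an analyst derive the original file size from the encrypted size. The following Python module is an added example written for this page; it is not code from the report or from the Diavol sample. It assumes that the 1,100-byte remainders of successive blocks are appended in block order, and it rejects files smaller than one 11,700-byte block because the report does not describe how a partial block is handled.

```python
# Added example: byte layout of a Diavol .lock64 file, derived from the
# constants reported for ENCDEFILE.  Not code from the report or the sample.
# Assumption: per-block 1,100-byte remainders are appended in block order.
# Assumption: files below one 11,700-byte block are rejected (unspecified).
from typing import List, Tuple

CHUNK_PLAIN = 117                                  # bytes per CryptEncrypt call
CHUNK_CIPHER = 128                                 # ciphertext bytes per chunk
CHUNKS_PER_BLOCK = 100                             # 11,700 / 117
BLOCK_PLAIN = CHUNK_PLAIN * CHUNKS_PER_BLOCK       # 11,700
BLOCK_CIPHER = CHUNK_CIPHER * CHUNKS_PER_BLOCK     # 12,800
BLOCK_TAIL = BLOCK_CIPHER - BLOCK_PLAIN            # 1,100 appended per block
LARGE_FILE = 2_000_000                             # threshold for 100 blocks
LARGE_BLOCKS = 100                                 # 100 * 11,700 = 1,170,000


def blocks_for(plain_size: int) -> int:
    '''Number of 11,700-byte blocks ENCDEFILE encrypts for a file of this size.'''
    if plain_size < BLOCK_PLAIN:
        raise ValueError('files below one block are not described in the report')
    return LARGE_BLOCKS if plain_size >= LARGE_FILE else 1


def lock64_size(plain_size: int) -> int:
    '''Size of the file after encryption: original size plus 1,100 bytes per block.'''
    return plain_size + blocks_for(plain_size) * BLOCK_TAIL


def layout(plain_size: int) -> List[Tuple[int, int, str]]:
    '''Regions of the resulting .lock64 file as (start, end, kind), end exclusive.'''
    n = blocks_for(plain_size)
    regions = [(0, n * BLOCK_PLAIN, 'ciphertext (in place)')]
    if plain_size > n * BLOCK_PLAIN:
        # Bytes past the encrypted prefix are never touched by the sample.
        regions.append((n * BLOCK_PLAIN, plain_size, 'plaintext (untouched)'))
    regions.append((plain_size, plain_size + n * BLOCK_TAIL, 'ciphertext (appended tail)'))
    return regions


def original_size(encrypted_size: int) -> int:
    '''Invert lock64_size(); raises if no original size maps to this value.'''
    large = encrypted_size - LARGE_BLOCKS * BLOCK_TAIL
    if large >= LARGE_FILE:
        return large
    small = encrypted_size - BLOCK_TAIL
    if BLOCK_PLAIN <= small < LARGE_FILE:
        return small
    # Sizes between 2,001,100 and 2,109,999 bytes cannot be produced by the
    # scheme: too big for a one-block file, too small for a 100-block file.
    raise ValueError('size is not consistent with the reported scheme')


def is_consistent_lock64_size(encrypted_size: int) -> bool:
    '''True if some original size would produce this .lock64 size.'''
    try:
        original_size(encrypted_size)
        return True
    except ValueError:
        return False


def plaintext_fraction(plain_size: int) -> float:
    '''Share of the original bytes that remain readable without the private key.'''
    untouched = max(0, plain_size - blocks_for(plain_size) * BLOCK_PLAIN)
    return untouched / plain_size


if __name__ == '__main__':
    for size in (50_000, 2_000_000, 10_000_000):
        print(size, '->', lock64_size(size), layout(size), round(plaintext_fraction(size), 3))
```

The inverse mapping is the part worth keeping at hand during triage: a .lock64 file whose size falls between 2,001,100 and 2,109,999 bytes cannot have been produced by this routine as described, so it was either written by a different build or modified afterwards, and for anything above 2,110,000 bytes the original length is simply the encrypted length minus 110,000. Because only the first 1,170,000 bytes of a large file are rewritten, a 10 MB database file is about 88 percent intact, which is often enough for a carving or repair tool to recover records even without the key.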
In addition, Diavol and Conti both operate similarly, using asynchronous operations to queue the file paths for encryption.\r\nThere might also be a link between Diavol and the Egregor ransomware. Some lines in the ransom note are identical, as can be seen in figure 12, although this is not reliable evidence, as it could simply be a red herring that Diavol’s authors planted.\r\nSome have reported a link between Wizard Spider, the threat actor behind Conti, and Twisted Spider, the threat actor behind Egregor. Allegedly, these gangs cooperate on various operations. Both are also notorious for double extortion of their victims (data theft and encryption).\r\nFigure 12: Diavol’s ransom note above Egregor’s ransom note.\r\nSummary\r\nIn this blog, we presented a complete analysis of the new ransomware family Diavol.\r\nCurrently, the source of the intrusion is unknown. The parameters used by the attackers, along with the errors in the hardcoded configuration, suggest that Diavol is a new tool in the arsenal of its operators, one they are not yet fully accustomed to.\r\nAs the attack progressed, we found more Conti payloads named locker.exe in the network, strengthening the possibility that the threat actor is indeed Wizard Spider. Despite a few similarities between Diavol, Conti, and other related ransomware, it is still unclear whether there is a direct link between them. There are also a couple of major differences from attacks previously attributed to Wizard Spider \u0026 Co., namely:\r\n- No checks to ensure the payload will not execute on Russian victims.\r\n- No clear evidence of double extortion was found in the environment.\r\nFortinet Solutions\r\nFortiEDR detects and blocks the Diavol and Conti ransomware attacks out of the box without any prior knowledge or special configuration. 
It does this using its post-execution prevention engine to identify malicious activities, such as encrypting files or wiping the shadow copies, and then blocking them in real time, as can be seen in figures 13 and 14:\r\nFigure 13: FortiEDR blocking Diavol ransomware.\r\nFigure 14: FortiEDR blocking Conti ransomware.\r\nThe FortiGuard AntiVirus service is supported by, and the FortiGuard AntiVirus engine is included in, Fortinet’s FortiGate, FortiMail, FortiClient, and FortiEDR solutions. FortiGuard AntiVirus has coverage in place for the following samples:\r\n85ec7f5ec91adf7c104c7e116511ac5e7945bcf4a8fdecdcc581e97d8525c5ac (Diavol, locker.exe) W32/Malicious_Behavior.VEX\r\n426ba2acf51641fb23c2efe686ad31d6398c3dd25c2c62f6ba0621455a3f7178 (Conti v3, locker64.dll) W64/BazarLoader.AD!tr\r\n4bfd58d4e4a6fe5e91b408bc190a24d352124902085f9c2da948ad7d79b72618 (Conti, locker.exe) W32/Conti.F!tr.ransom\r\nAll network IOCs have been added to the FortiGuard WebFiltering blocklist.\r\nIn addition, as part of our membership in the Cyber Threat Alliance, details of this threat were shared in real time with other Alliance members to help create better protections for customers.\r\nAppendix A: MITRE ATT\u0026CK Techniques\r\nID Description\r\nT1027 Obfuscated Files or Information\r\nT1082 System Information Discovery\r\nT1071.001 Application Layer Protocol: Web Protocols\r\nT1489 Service Stop\r\nT1562.001 Impair Defenses: Disable or Modify Tools\r\nT1135 Network Share Discovery\r\nT1490 Inhibit System Recovery\r\nT1559.001 Inter-Process Communication: Component Object Model\r\nT1486 Data Encrypted for Impact\r\nT1485 Data Destruction\r\nAppendix B: IOCs\r\nFile Hashes (SHA256)\r\n85ec7f5ec91adf7c104c7e116511ac5e7945bcf4a8fdecdcc581e97d8525c5ac (Diavol, locker.exe)\r\n426ba2acf51641fb23c2efe686ad31d6398c3dd25c2c62f6ba0621455a3f7178 (Conti v3, locker64.dll)\r\n4bfd58d4e4a6fe5e91b408bc190a24d352124902085f9c2da948ad7d79b72618 (Conti, locker.exe)\r\nFile Names\r\nlocker.exe\r\nlocker64.dll\r\nwscpy.exe\r\nencr.bmp\r\nREADME_FOR_DECRYPT.txt\r\nFile Paths\r\n%PUBLIC%\\Pictures\\encr.bmp\r\nIPs\r\n173[.]232[.]146[.]118\r\nURLs\r\nhxxp://\u003cserver_address\u003e/BnpOnspQwtjCA/register\r\nhxxp://173[.]232[.]146[.]118/Bnyar8RsK04ug/\r\nDomains\r\nr2gttyb5vqu6swf5[.]onion\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.\r\nLearn more about Fortinet’s free cybersecurity training, an initiative of Fortinet’s Training Advancement Agenda (TAA), or about the Fortinet Network Security Expert program, Security Academy program, and Veterans program.\r\nSource: https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider"
	],
	"report_names": [
		"diavol-new-ransomware-used-by-wizard-spider"
	],
	"threat_actors": [
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-12T02:00:03.223185Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"Storm-0193",
				"Trickbot LLC",
				"UNC2053",
				"FIN12",
				"Periwinkle Tempest",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e9f85280-337c-4321-b872-0919f8ef64a6",
			"created_at": "2022-10-25T16:07:24.261761Z",
			"updated_at": "2026-04-12T02:00:04.890068Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"Gold Village",
				"Maze Team",
				"TA2101",
				"Twisted Spider"
			],
			"source_name": "ETDA:TA2101",
			"tools": [
				"7-Zip",
				"Agentemis",
				"BokBot",
				"Buran",
				"ChaCha",
				"Cobalt Strike",
				"CobaltStrike",
				"Egregor",
				"IceID",
				"IcedID",
				"Mimikatz",
				"PsExec",
				"SharpHound",
				"VegaLocker",
				"WinSCP",
				"cobeacon",
				"nmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-12T02:00:03.45005Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-12T02:00:04.35979Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3c864b3-fac9-4d56-8500-7c06c829fbf8",
			"created_at": "2023-01-06T13:46:39.071873Z",
			"updated_at": "2026-04-12T02:00:03.280583Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"TUNNEL SPIDER",
				"Maze Team",
				"TWISTED SPIDER",
				"GOLD VILLAGE",
				"Storm-0216",
				"DEV-0216",
				"UNC2198"
			],
			"source_name": "MISPGALAXY:TA2101",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-12T02:00:04.962362Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434682,
	"ts_updated_at": 1775960521,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ad168d768823c2d2bd4bcf8625ff7ab62f6f1d9e.pdf",
		"text": "https://archive.orkl.eu/ad168d768823c2d2bd4bcf8625ff7ab62f6f1d9e.txt",
		"img": "https://archive.orkl.eu/ad168d768823c2d2bd4bcf8625ff7ab62f6f1d9e.jpg"
	}
}