{ "id": "7a42f8e5-6559-45de-8521-946fb6f516ad", "created_at": "2026-04-06T00:19:25.446839Z", "updated_at": "2026-04-10T13:11:27.998482Z", "deleted_at": null, "sha1_hash": "aee408b89b24407e3ad6073f5295173d4f969537", "title": "Monthly news - December 2023", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 70464, "plain_text": "Monthly news - December 2023\r\nBy HeikeRitter\r\nPublished: 2023-12-01 · Archived: 2026-04-05 17:49:33 UTC\r\nBlog Post\r\nMicrosoft Defender XDR Blog\r\n8 MIN READ\r\nMicrosoft Defender XDR\r\nMonthly news\r\nDecember 2023 Edition\r\nThis is our monthly \"What's new\" blog post, summarizing product updates and various new assets we released\r\nover the past month across our Defender products. In this edition, we are looking at all the goodness from\r\nNovember 2023.  \r\nLegend:\r\nProduct\r\nvideos\r\nWebcast\r\n(recordings)\r\nDocs on Microsoft Blogs on Microsoft\r\nGitHub External\r\nProduct\r\nimprovements\r\nPreviews /\r\nAnnouncements\r\nMicrosoft Defender XDR\r\nIntroducing a Unified Security Operations Platform with Microsoft Sentinel and Defender\r\nXDR. An exciting private preview that represents the next step in the SOC protection and efficiency\r\njourney by bringing together the power of Microsoft Sentinel, Microsoft Defender XDR and Microsoft\r\nSecurity Copilot into a unified security operations platform with one experience, one data model and\r\nunified features, all enhanced with more AI, automation, attack disruption and curated\r\nrecommendations. \r\nhttps://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/monthly-news-december-2023/ba-p/3998431\r\nPage 1 of 6\n\nIn this video, Rob Lefferts, CVP Microsoft Threat Protection, joins Mechanics host Jeremy Chapman\r\nto discuss how the Defender experience has evolved into a unified security operations platform that\r\ncombines threat detection, prevention, investigation, and response.\r\nIgnite news: XDR in an era of end-user-to-cloud cyberattacks and securing the use of AI. This\r\nblog describes additional exciting Ignite news. \r\nThis Ninja Show episode summarizes the Security announcements:\r\n \r\nPublic preview of Microsoft Defender for Cloud to Defender XDR integration. (Preview)\r\nMicrosoft Defender for Cloud alerts are now integrated in Microsoft Defender XDR. Defender for\r\nCloud alerts are automatically correlated to incidents and alerts in the Microsoft Defender XDR portal\r\nand cloud resource assets can be viewed in the incidents and alerts queues. Learn more about the\r\nDefender for Cloud integration in Microsoft Defender XDR. Learn more on our docs.\r\nGet email notifications for any actions in Defender XDR. This enables the SOC and relevant\r\nstakeholders (e.g., security admins, IT) to receive notifications whenever an automated or manual\r\naction is taken. \r\nIf you missed any of the Virtual Ninja Show episodes, you can watch them all in this YouTube\r\nplaylist.  \r\nUpcoming episodes are listed on the show page: https://aka.ms/NinjaShow\r\nMicrosoft Security Experts\r\nWhat's new in Microsoft Defender Experts for XDR. Learn more about the latest enhancements to\r\nthe Defender Experts for XDR service, including customized managed response, API integration for\r\nthird party SIEM/case management tools, a new Teams app, expedited onboarding, and a new\r\nDefender Experts banner on the Microsoft Defender home page. \r\nDefender Experts for XDR now lets you perform your own readiness assessment when preparing\r\nthe environment for the Defender Experts for XDR service. \r\nDefender Experts for Hunting now lets you generate sample Defender Experts Notifications so you\r\ncan start experiencing the service without having to wait for an actual critical activity to happen in\r\nyour environment. Learn more on our docs. \r\nhttps://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/monthly-news-december-2023/ba-p/3998431\r\nPage 2 of 6\n\nMicrosoft Defender for Endpoint\r\nMicrosoft Defender for Identity\r\nIdentity timeline includes more than 30 days of data (Preview). \r\nDefender for Identity is gradually rolling out extended data retentions on identity details to more than\r\n30 days.\r\nThe identity details page Timeline tab, which includes activities from Defender for Identity, Defender\r\nfor Cloud Apps, and Defender for Endpoint, currently includes a minimum of 150 days and is\r\ngrowing. There might be some variation in data retention rates over the next few weeks.\r\nTo view activities and alerts on the identity timeline within a specific time frame, select the default 30\r\ndays and then select Custom range. Filtered data from more than 30 days ago is shown for a maximum\r\nof 7 days at a time.\r\nScreenshot showing the custom time frame filter\r\nMicrosoft Defender for Cloud Apps\r\nNew cloud app catalog category for Generative AI. The Defender for Cloud Apps app catalog now\r\nsupports the new Generative AI category for large language model (LLM) apps, like Microsoft Bing\r\nChat, Google Bard, ChatGPT, and more. Together with this new category, Defender for Cloud Apps\r\nhas added hundreds of generative AI-related apps to the catalog, providing visibility into how\r\ngenerative AI apps are used in your organization and helping you manage them securely. \r\nTest mode for admin users (Preview). As an admin user, you might want to test upcoming proxy bug\r\nfixes before the latest Defender for Cloud Apps release is fully rolled out to all tenants. To help you do\r\nthis, Defender for Cloud Apps now provides a test mode, available from the Admin View toolbar.\r\nGeneral availability for more discovery Shadow IT events with Defender for Endpoint. Defender\r\nfor Cloud Apps can now discover Shadow IT network events detected from Defender for Endpoint\r\ndevices that are working in the same environment as a network proxy. Customers will now see Shadow\r\nIT data from endpoint devices which are behind a network proxy as well. \r\nMicrosoft Defender for Office 365\r\nhttps://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/monthly-news-december-2023/ba-p/3998431\r\nPage 3 of 6\n\nCreate and manage simulations using the Graph API in Attack simulation training. The Graph APIs\r\nv1 to create/manage attack simulations is now generally available.\r\nEnhanced Action experience from Email Entity/ Summary Panel. We added the ability for you to\r\ntake multiple actions together. You can take email remediation actions, create submissions, tenant level\r\nblock actions (block senders, domains, files, and URLs), investigative actions, and proposed\r\nremediation from the same panel. \r\nMicrosoft Defender for IoT\r\nMicrosoft Defender Vulnerability Management\r\nAbility to request support for CVE. In case there a CVE which is not supported by Defender\r\nVulnerability Management and is critical for your organization, you have the option to submit CVE\r\nsupport.\r\nTo see the new option, please navigate to 'Weaknesses', search for the CVE. If the CVE is not\r\nsupported, you will have the below option: \r\nBlogs on Microsoft  Security\r\nThreat Analytics Reports / Actor, activity \u0026 technique profiles (Portal access needed)\r\nActivity profile: Lace Tempest exploits SysAid zero-day vulnerability. Beginning October 27,\r\n2023, Microsoft Threat Intelligence observed the ransomware group Lace Tempest (DEV-0950)\r\nperforming attacks on servers running the SysAid IT automation software, where Lace Tempest issued\r\ncommands via the SysAid software to deliver a malware loader. Microsoft notified SysAid of the\r\nactivity, who investigated and determined that there was a zero-day vulnerability in the SysAid on-premises software. SysAid quickly released an update addressing CVE-2023-47246, a path traversal\r\nvulnerability.\r\n \r\nVulnerability profile: CVE-2023-46604 vulnerability in Apache ActiveMQ. CVE-2023-46604 is a\r\ncritical vulnerability in Apache ActiveMQ, an open-source message broker. Exploitation could allow\r\nremote attackers to launch commands. Public exploitation code is available, and Microsoft Threat\r\nIntelligence and other security researchers have identified attacks exploiting this vulnerability to\r\ndeliver HelloKitty ransomware.\r\n \r\nVulnerability profile: CVE-2023-36033 in Windows Desktop Window Manager. CVE-2023-\r\n36033 is an elevation of privilege vulnerability in the Windows Desktop Window Manager (DWM)\r\nCore Library. This vulnerability could allow an adversary with access to a vulnerable environment to\r\ngain unauthorized privileged access. Microsoft released a patch on November 14, 2023.\r\nhttps://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/monthly-news-december-2023/ba-p/3998431\r\nPage 4 of 6\n\nTool profile: Impacket. Impacket is a collection of open-source Python classes designed for working\r\nwith network protocols. This tool is maintained by Fortra’s Core Security and has become popular\r\nwith adversaries due to ease of use and wide range of capabilities.\r\n \r\nActor profile: Pearl Sleet. The actor Microsoft tracks as Pearl Sleet (LAWRENCIUM) is a nation\r\nstate activity group based out of North Korea that has been active since at least 2012. Pearl Sleet is\r\nknown to primarily target defectors from North Korea, digital, print and broadcast media, and\r\nreligious organizations, particularly in East Asia. \r\n \r\nVulnerability profile: CVE-2023-22518 vulnerability in Atlassian Confluence Server and Data\r\nCenter. In early November 2023, Microsoft researchers observed the exploitation of CVE-2023-\r\n22518, a pre-authentication vulnerability that affects all unpatched versions of Atlassian Confluence\r\nServer and Data Center. Multiple adversaries have successfully exploited this vulnerability, including\r\nStorm-0062 – an actor Microsoft tracks that has previously been known to attempt exploiting\r\nConfluence vulnerabilities.\r\n \r\nActor profile: Storm-0365. The actor that Microsoft tracks as Storm-0365 (DEV-0365) is an\r\ninfrastructure as a service (IaaS) layer directly managed by, or is in a business relationship with,\r\nPeriwinkle Tempest (also known as Trickbot LLC) for use as command and control (C2) domains and\r\nservers.\r\n \r\nActivity profile: Diamond Sleet supply chain compromise distributes a modified CyberLink\r\ninstaller. Microsoft Threat Intelligence detected a malicious variant of an application developed by\r\nthe multimedia software company CyberLink Corp being downloaded from CyberLink’s\r\ninfrastructure. The malicious file, detected as LambLoad, was developed by the North Korea-based\r\nthreat actor Microsoft tracks as Diamond Sleet (ZINC). \r\n \r\nActivity profile: Iranian MOIS operators opportunistically deploy limited-impact wiper in\r\nresponse to Israel-Hamas war. In late October 2023, operators associated with Storm-0842, an Iran-based group with ties to the Ministry of Intelligence and Security (MOIS), deployed a destructive\r\npayload known as the Bibi wiper, in an Israeli organization. This organization was previously\r\ncompromised by Storm-0861, another Iranian group with ties to the MOIS, suggesting these groups\r\nmight have collaborated. Storm-0842’s use of the Bibi wiper appeared to be part of an opportunistic\r\nattack with limited impact.\r\n \r\nActor profile: Hazel Sandstorm. Hazel Sandstorm is a composite name used to describe several\r\nsubgroups of activity assessed to have ties to Iran’s Ministry of Intelligence and Security (MOIS), the\r\nprimary civilian intelligence agency in Iran. Hazel Sandstorm operators are known to pursue targets in\r\nthe public and private sectors in Europe, the Middle East, and North America. In past operations,\r\nHazel Sandstorm has used a combination of custom and commodity tools in their intrusions, likely as\r\na means of gathering intelligence to support Iranian national objectives.\r\nUpdated Oct 29, 2024\r\nVersion 5.0\r\nhttps://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/monthly-news-december-2023/ba-p/3998431\r\nPage 5 of 6\n\nEnjoying the article? Sign in to share your thoughts.\r\nSource: https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/monthly-news-december-2023/ba-p/3998431\r\nhttps://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/monthly-news-december-2023/ba-p/3998431\r\nPage 6 of 6", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "MISPGALAXY" ], "origins": [ "web" ], "references": [ "https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/monthly-news-december-2023/ba-p/3998431" ], "report_names": [ "3998431" ], "threat_actors": [ { "id": "c61fb5f8-fcd6-43e8-8b2d-4e81541589f7", "created_at": "2023-11-14T02:00:07.071699Z", "updated_at": "2026-04-10T02:00:03.440831Z", "deleted_at": null, "main_name": "DEV-0950", "aliases": [ "Lace Tempest" ], "source_name": "MISPGALAXY:DEV-0950", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "cffb3c01-038f-4527-9cfd-57ad5a035c22", "created_at": "2022-10-25T15:50:23.38055Z", "updated_at": "2026-04-10T02:00:05.258283Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "COBALT GYPSY", "IRN2", "APT34", "Helix Kitten", "Evasive Serpens", "Hazel Sandstorm", "EUROPIUM", "ITG13", "Earth Simnavaz", "Crambus", "TA452" ], "source_name": "MITRE:OilRig", "tools": [ "ISMInjector", "ODAgent", "RDAT", "Systeminfo", "QUADAGENT", "OopsIE", "ngrok", "Tasklist", "certutil", "ZeroCleare", "POWRUNER", "netstat", "Solar", "ipconfig", "LaZagne", "BONDUPDATER", "SideTwist", "OilBooster", "SampleCheck5000", "PsExec", "SEASHARPEE", "Mimikatz", "PowerExchange", "OilCheck", "RGDoor", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "f6f91e1c-9202-4497-bf22-9cd5ef477600", "created_at": "2023-01-06T13:46:38.86765Z", "updated_at": "2026-04-10T02:00:03.12735Z", "deleted_at": null, "main_name": "WIZARD SPIDER", "aliases": [ "TEMP.MixMaster", "GOLD BLACKBURN", "DEV-0193", "UNC2053", "Pistachio Tempest", "DEV-0237", "Storm-0230", "FIN12", "Periwinkle Tempest", "Storm-0193", "Trickbot LLC" ], "source_name": "MISPGALAXY:WIZARD SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "72fea432-77a6-437a-b02d-693e99d81ef9", "created_at": "2024-02-17T02:00:03.861221Z", "updated_at": "2026-04-10T02:00:03.58886Z", "deleted_at": null, "main_name": "BANISHED KITTEN", "aliases": [ "Storm-0842", "Red Sandstorm" ], "source_name": "MISPGALAXY:BANISHED KITTEN", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "4db51064-e43e-4495-8e1b-ba6e117e688f", "created_at": "2023-11-05T02:00:08.061541Z", "updated_at": "2026-04-10T02:00:03.394014Z", "deleted_at": null, "main_name": "Storm-0062", "aliases": [ "DarkShadow", "Oro0lxy" ], "source_name": "MISPGALAXY:Storm-0062", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e", "created_at": "2024-06-04T02:03:07.799286Z", "updated_at": "2026-04-10T02:00:03.606456Z", "deleted_at": null, "main_name": "GOLD BLACKBURN", "aliases": [ "ITG23 ", "Periwinkle Tempest ", "Wizard Spider " ], "source_name": "Secureworks:GOLD BLACKBURN", "tools": [ "BazarLoader", "Buer Loader", "Bumblebee", "Dyre", "Team9", "TrickBot" ], "source_id": "Secureworks", "reports": null }, { "id": "6b344633-90b3-416a-ae54-fb69dd2f833e", "created_at": "2024-02-02T02:00:04.023636Z", "updated_at": "2026-04-10T02:00:03.528581Z", "deleted_at": null, "main_name": "Pearl Sleet", "aliases": [ "DEV-0215", "LAWRENCIUM" ], "source_name": "MISPGALAXY:Pearl Sleet", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "1db21349-11d6-4e57-805c-fb1e23a8acab", "created_at": "2022-10-25T16:07:23.630365Z", "updated_at": "2026-04-10T02:00:04.694622Z", "deleted_at": null, "main_name": "FIN11", "aliases": [ "Chubby Scorpius", "DEV-0950", "Lace Tempest", "Operation Cyclone" ], "source_name": "ETDA:FIN11", "tools": [ "AZORult", "Amadey", "AmmyyRAT", "AndroMut", "BLUESTEAL", "Cl0p", "EMASTEAL", "FLOWERPIPE", "FORKBEARD", "FRIENDSPEAK", "FlawedAmmyy", "GazGolder", "Get2", "GetandGo", "JESTBOT", "MINEBRIDGE", "MINEBRIDGE RAT", "MINEDOOR", "MIXLABEL", "Meterpreter", "NAILGUN", "POPFLASH", "PuffStealer", "Rultazo", "SALTLICK", "SCRAPMINT", "SHORTBENCH", "SLOWROLL", "SPOONBEARD", "TiniMet", "TinyMet", "VIDAR", "Vidar Stealer" ], "source_id": "ETDA", "reports": null }, { "id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf", "created_at": "2024-01-18T02:02:34.189827Z", "updated_at": "2026-04-10T02:00:04.721082Z", "deleted_at": null, "main_name": "HomeLand Justice", "aliases": [ "Banished Kitten", "Karma", "Red Sandstorm", "Storm-0842", "Void Manticore" ], "source_name": "ETDA:HomeLand Justice", "tools": [ "BABYWIPER", "BiBi Wiper", "BiBi-Linux Wiper", "BiBi-Windows Wiper", "Cl Wiper", "LowEraser", "No-Justice Wiper", "Plink", "PuTTY Link", "RevSocks", "W2K Res Kit" ], "source_id": "ETDA", "reports": null }, { "id": "b3ebf51d-8f64-48a9-bbfb-674db872cccb", "created_at": "2025-08-07T02:03:24.769383Z", "updated_at": "2026-04-10T02:00:03.860954Z", "deleted_at": null, "main_name": "COBALT MYSTIQUE", "aliases": [ "Banished Kitten ", "DEV-0842 ", "Druidfly ", "Handala Hack Team", "Homeland Justice", "Karmabelow80", "Red Sandstorm ", "Storm-0842 ", "Void Manticore " ], "source_name": "Secureworks:COBALT MYSTIQUE", "tools": [ "AllinOneNeo", "Bibi", "GramPy", "GramPyLoader" ], "source_id": "Secureworks", "reports": null }, { "id": "c786e025-c267-40bd-9491-328da70811a5", "created_at": "2025-08-07T02:03:24.736817Z", "updated_at": "2026-04-10T02:00:03.752071Z", "deleted_at": null, "main_name": "COBALT GYPSY", "aliases": [ "APT34 ", "CHRYSENE ", "Crambus ", "EUROPIUM ", "Hazel Sandstorm ", "Helix Kitten ", "ITG13 ", "OilRig ", "Yellow Maero " ], "source_name": "Secureworks:COBALT GYPSY", "tools": [ "Glimpse", "Helminth", "Jason", "MacDownloader", "PoisonFrog", "RGDoor", "ThreeDollars", "TinyZbot", "Toxocara", "Trichuris", "TwoFace" ], "source_id": "Secureworks", "reports": null }, { "id": "67709937-2186-4a32-b64c-a5693d40ac77", "created_at": "2023-01-06T13:46:38.495593Z", "updated_at": "2026-04-10T02:00:02.999196Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "Crambus", "Helix Kitten", "APT34", "IRN2", "ATK40", "G0049", "EUROPIUM", "TA452", "Twisted Kitten", "Cobalt Gypsy", "APT 34", "Evasive Serpens", "Hazel Sandstorm", "Earth Simnavaz" ], "source_name": "MISPGALAXY:OilRig", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "63061658-5810-4f01-9620-7eada7e9ae2e", "created_at": "2022-10-25T15:50:23.752974Z", "updated_at": "2026-04-10T02:00:05.244531Z", "deleted_at": null, "main_name": "Wizard Spider", "aliases": [ "Wizard Spider", "UNC1878", "TEMP.MixMaster", "Grim Spider", "FIN12", "GOLD BLACKBURN", "ITG23", "Periwinkle Tempest", "DEV-0193" ], "source_name": "MITRE:Wizard Spider", "tools": [ "TrickBot", "AdFind", "BITSAdmin", "Bazar", "LaZagne", "Nltest", "GrimAgent", "Dyre", "Ryuk", "Conti", "Emotet", "Rubeus", "Mimikatz", "Diavol", "PsExec", "Cobalt Strike" ], "source_id": "MITRE", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3", "created_at": "2022-10-25T16:07:24.422115Z", "updated_at": "2026-04-10T02:00:04.983298Z", "deleted_at": null, "main_name": "Wizard Spider", "aliases": [ "DEV-0193", "G0102", "Gold Blackburn", "Gold Ulrick", "Grim Spider", "ITG23", "Operation BazaFlix", "Periwinkle Tempest", "Storm-0230", "TEMP.MixMaster", "Wizard Spider" ], "source_name": "ETDA:Wizard Spider", "tools": [ "AdFind", "Agentemis", "Anchor_DNS", "BEERBOT", "BazarBackdoor", "BazarCall", "BazarLoader", "Cobalt Strike", "CobaltStrike", "Conti", "Diavol", "Dyranges", "Dyre", "Dyreza", "Dyzap", "Gophe", "Invoke-SMBAutoBrute", "KEGTAP", "LaZagne", "LightBot", "PowerSploit", "PowerTrick", "PsExec", "Ryuk", "SessionGopher", "TSPY_TRICKLOAD", "Team9Backdoor", "The Trick", "TheTrick", "Totbrick", "TrickBot", "TrickLoader", "TrickMo", "Upatre", "bazaloader", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "b6436f7b-6012-4969-aed1-d440e2e8b238", "created_at": "2022-10-25T16:07:23.91517Z", "updated_at": "2026-04-10T02:00:04.788408Z", "deleted_at": null, "main_name": "OilRig", "aliases": [ "APT 34", "ATK 40", "Chrysene", "Cobalt Gypsy", "Crambus", "DEV-0861", "EUROPIUM", "Earth Simnavaz", "Evasive Serpens", "G0049", "Hazel Sandstorm", "Helix Kitten", "IRN2", "ITG13", "Scarred Manticore", "Storm-0861", "TA452", "Twisted Kitten", "UNC1860", "Yellow Maero" ], "source_name": "ETDA:OilRig", "tools": [ "AMATIAS", "Agent Drable", "Agent Injector", "AgentDrable", "Alma Communicator", "BONDUPDATER", "CACTUSPIPE", "Clayslide", "CypherRat", "DNSExfitrator", "DNSpionage", "DROPSHOT", "DistTrack", "DropperBackdoor", "Fox Panel", "GREYSTUFF", "GoogleDrive RAT", "HighShell", "HyperShell", "ISMAgent", "ISMDoor", "ISMInjector", "Jason", "Karkoff", "LIONTAIL", "LOLBAS", "LOLBins", "LONGWATCH", "LaZagne", "Living off the Land", "MailDropper", "Mimikatz", "MrPerfectInstaller", "OILYFACE", "OopsIE", "POWBAT", "POWRUNER", "Plink", "Poison Frog", "PowerExchange", "PsList", "PuTTY Link", "QUADAGENT", "RDAT", "RGDoor", "SEASHARPEE", "Saitama", "Saitama Backdoor", "Shamoon", "SideTwist", "SpyNote", "SpyNote RAT", "StoneDrill", "TONEDEAF", "TONEDEAF 2.0", "ThreeDollars", "TwoFace", "VALUEVAULT", "Webmask", "WinRAR", "ZEROCLEAR", "ZeroCleare", "certutil", "certutil.exe" ], "source_id": "ETDA", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434765, "ts_updated_at": 1775826687, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/aee408b89b24407e3ad6073f5295173d4f969537.pdf", "text": "https://archive.orkl.eu/aee408b89b24407e3ad6073f5295173d4f969537.txt", "img": "https://archive.orkl.eu/aee408b89b24407e3ad6073f5295173d4f969537.jpg" } }