{
	"id": "dde0e99d-eaaa-4cbe-bdac-4e77325d702d",
	"created_at": "2026-04-06T00:18:52.268412Z",
	"updated_at": "2026-04-10T03:36:37.043431Z",
	"deleted_at": null,
	"sha1_hash": "b3e5c608b7fba1f36722b8622aae8c71af5b5db9",
	"title": "Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1984181,
	"plain_text": "Black Basta Ransomware | Attacks Deploy Custom EDR Evasion\r\nTools Tied to FIN7 Threat Actor\r\nPublished: 2022-11-03 · Archived: 2026-04-05 17:05:11 UTC\r\nBy Antonio Cocomazzi and Antonio Pirozzi\r\nExecutive Summary\r\nSentinelLABS researchers describe Black Basta operational TTPs in full detail, revealing previously\r\nunknown tools and techniques.\r\nSentinelLABS assesses it is highly likely the Black Basta ransomware operation has ties with FIN7.\r\nBlack Basta maintains and deploys custom tools, including EDR evasion tools.\r\nSentinelLABS assesses it is likely the developer of these EDR evasion tools is, or was, a developer for FIN7.\r\nBlack Basta attacks use a uniquely obfuscated version of AdFind and exploit PrintNightmare, ZeroLogon\r\nand NoPac for privilege escalation.\r\nOverview\r\nBlack Basta ransomware emerged in April 2022 and went on a spree, breaching over 90 organizations by September\r\n2022. The rapidity and volume of attacks indicate that the actors behind Black Basta are well-organized and well-resourced, and yet there have been no indications of Black Basta attempting to recruit affiliates or advertising as a\r\nRaaS on the usual darknet forums or crimeware marketplaces. This has led to much speculation about the origin,\r\nidentity and operation of the Black Basta ransomware group.\r\nOur research indicates that the individuals behind Black Basta ransomware develop and maintain their own toolkit\r\nand either exclude affiliates or only collaborate with a limited and trusted set of affiliates, in similar ways to other\r\n‘private’ ransomware groups such as Conti, TA505, and Evilcorp.\r\nSentinelLABS’ full report provides a detailed analysis of Black Basta’s operational TTPs, including the use of\r\nmultiple custom tools likely developed by one or more FIN7 (aka Carbanak) developers. 
In this post, we\r\nsummarize the report’s key findings.\r\nRead the Full Report\r\nBlack Basta’s Initial Access Activity\r\nSentinelLABS began tracking Black Basta operations in early June after noticing overlaps between ostensibly\r\ndifferent cases. Along with other researchers, we noted that Black Basta infections began with Qakbot delivered\r\nby email and macro-based MS Office documents, ISO+LNK droppers and .docx documents exploiting the\r\nMSDT (Microsoft Support Diagnostic Tool) remote code execution vulnerability, CVE-2022-30190.\r\nhttps://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/\r\nPage 1 of 8\n\nOne of the interesting initial access vectors we observed was an ISO dropper shipped as “Report Jul 14 39337.iso”\r\nthat exploits a DLL hijacking in calc.exe . Once the user clicks on the “Report Jul 14 39337.lnk” inside the ISO\r\ndropper, it runs the command\r\ncmd.exe /q /c calc.exe\r\ntriggering the DLL hijacking inside the calc binary and executing a Qakbot DLL, WindowsCodecs.dll .\r\nQakbot obtains a persistent foothold in the victim environment by setting a scheduled task which references a\r\nmalicious PowerShell script stored in the registry, acting as a listener and loader.\r\nThe powershell.exe process continues to communicate with different servers, waiting for an operator to send a\r\ncommand to activate the post-exploitation capability.\r\nWhen an operator connects to the backdoor, typically hours or days after the initial infection, a new explorer.exe\r\nprocess is created and process hollowing is performed to hide malicious activity behind the legitimate process.\r\nThis injection operation occurs every time a component of the Qakbot framework is invoked or for any arbitrary\r\nprocess run manually by the attacker.\r\nEnter the Black Basta Operator\r\nManual reconnaissance is performed when the Black Basta operator connects to the victim through the Qakbot\r\nbackdoor.\r\nReconnaissance utilities used by the 
operator are staged in a directory with deceptive names such as “Intel” or\r\n“Dell”, created in the root drive C:\\ .\r\nThe first step in a Black Basta compromise usually involves executing a uniquely obfuscated version of the\r\nAdFind tool, named AF.exe .\r\ncmd /C C:\\intel\\AF.exe -f objectcategory=computer -csv name cn OperatingSystem dNSHostName \u003e C:\\intel\r\nThis stage also often involves the use of two custom .NET assemblies loaded in memory to perform various\r\ninformation gathering tasks. These assemblies are not obfuscated, and the main internal class names, “Processess”\r\nand “GetOnlineComputers”, provide a good clue to their functions. Black Basta operators have been observed\r\nusing the SharpHound and BloodHound frameworks for AD enumeration via LDAP queries. The SharpHound collector is also run\r\nin memory as a .NET assembly.\r\nFor network scanning, Black Basta uses the SoftPerfect network scanner, netscan.exe . In addition, the WMI\r\nservice is leveraged to enumerate installed security solutions through the SecurityCenter2 namespace (this namespace exists only on Windows client editions, so the same queries return nothing on Windows Server).\r\nwmic /namespace:\\\\root\\SecurityCenter2 PATH AntiVirusProduct GET /value\r\nwmic /namespace:\\\\root\\SecurityCenter2 PATH AntiSpywareProduct GET /value\r\nwmic /namespace:\\\\root\\SecurityCenter2 PATH FirewallProduct GET /value\r\nBlack Basta Privilege Escalation Techniques\r\nBeyond the reconnaissance stage, Black Basta attempts local and domain level privilege escalation through a\r\nvariety of exploits. We have seen the use of ZeroLogon (CVE-2020-1472), NoPac (CVE-2021-42287, CVE-2021-42278) and PrintNightmare (CVE-2021-34527).\r\nThere are two versions of the ZeroLogon exploit in use: an obfuscated version dropped as zero22.exe and a non-obfuscated version dropped as zero.exe . 
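The command lines quoted in the reconnaissance section above, together with the Windows Defender tampering commands listed later on this page under Impair Defenses, are concrete enough to hunt for in process-creation telemetry. The following Python is an added example written for this page, not a SentinelLABS tool or anything from the report: it matches command lines against those patterns and rates a host higher when both the reconnaissance and the defense-impairment stage are seen on it. The record shape ({'host', 'user', 'cmd'}), the rule names, the severity thresholds and all sample events are the editor's assumptions and constructed data, not real telemetry.

```python
import re

# Each rule: (name, regex applied to the command line, stage from the report).
# The patterns follow the command lines quoted on this page; the names and
# the two-stage triage below are the editor's choices, not SentinelLABS rules.
RULES = [
    ('adfind_computer_enum',
     re.compile(r'objectcategory=computer', re.I), 'Reconnaissance'),
    ('wmic_securitycenter2',
     re.compile(r'securitycenter2.*(antivirus|antispyware|firewall)product', re.I),
     'Reconnaissance'),
    ('softperfect_netscan',
     re.compile(r'(^|[ \\/])netscan[.]exe', re.I), 'Reconnaissance'),
    ('staged_in_intel_or_dell_dir',
     re.compile(r'[a-z]:\\(intel|dell)\\[^ ]+[.]exe', re.I), 'Reconnaissance'),
    ('defender_disable_realtime',
     re.compile(r'set-mppreference.*disablerealtimemonitoring[ ]+(1|[$]true)', re.I),
     'Impair Defenses'),
    ('defender_uninstall_feature',
     re.compile(r'uninstall-windowsfeature.*windows-defender', re.I),
     'Impair Defenses'),
    ('defender_policy_disableantispyware',
     re.compile(r'disableantispyware', re.I), 'Impair Defenses'),
    ('ilug69ql_batch',
     re.compile(r'ilug69ql[0-9][.]bat', re.I), 'Impair Defenses'),
]

STAGE_OF = {name: stage for name, _, stage in RULES}


def match_rules(cmdline):
    # Names of every rule whose pattern occurs in one command line, in RULES order.
    return [name for name, rx, _ in RULES if rx.search(cmdline)]


def scan(events):
    # Run all rules over process-creation records; returns (rule, host, cmd) hits.
    hits = []
    for ev in events:
        for name in match_rules(ev['cmd']):
            hits.append((name, ev['host'], ev['cmd']))
    return hits


def triage(hits):
    # Per host: 'high' when both reconnaissance and defense impairment were
    # seen, 'medium' for a single stage. A lone AdFind or netscan run on a
    # jump host may be an administrator; both stages on one host rarely are.
    stages = {}
    for name, host, _ in hits:
        stages.setdefault(host, set()).add(STAGE_OF[name])
    return {h: ('high' if len(s) > 1 else 'medium') for h, s in stages.items()}


# Constructed sample records (not real telemetry; hosts and users are invented).
# Backslashes are doubled as Python requires; 'cmd' is the raw command line.
SAMPLE_EVENTS = [
    {'host': 'WS01', 'user': 'CORP\\j.doe',
     'cmd': 'cmd /C C:\\intel\\AF.exe -f objectcategory=computer -csv name cn OperatingSystem dNSHostName > C:\\intel\\ad.txt'},
    {'host': 'WS01', 'user': 'CORP\\j.doe',
     'cmd': 'wmic /namespace:\\\\root\\SecurityCenter2 PATH AntiVirusProduct GET /value'},
    {'host': 'WS01', 'user': 'NT AUTHORITY\\SYSTEM',
     'cmd': 'cmd /c C:\\Windows\\ILUg69ql2.bat'},
    {'host': 'WS01', 'user': 'NT AUTHORITY\\SYSTEM',
     'cmd': 'powershell -ExecutionPolicy Bypass -command Set-MpPreference -DisableRealtimeMonitoring 1'},
    {'host': 'SRV02', 'user': 'CORP\\svc_backup',
     'cmd': 'C:\\Dell\\netscan.exe /hide /auto:C:\\Dell\\scan.xml'},
    {'host': 'DC01', 'user': 'NT AUTHORITY\\SYSTEM',
     'cmd': 'C:\\Windows\\System32\\svchost.exe -k netsvcs'},
    {'host': 'WS03', 'user': 'CORP\\admin',
     'cmd': 'powershell Get-MpPreference'},
]


if __name__ == '__main__':
    for rule, host, cmd in scan(SAMPLE_EVENTS):
        print(f'{host:6} {rule:36} {cmd[:60]}')
    print(triage(scan(SAMPLE_EVENTS)))
```

Run against the constructed records, WS01 is rated high (AdFind plus SecurityCenter2 enumeration followed by the ILUg69ql batch file and Set-MpPreference), SRV02 medium (netscan.exe run from a C:\Dell staging directory only), and the benign svchost.exe and Get-MpPreference lines produce no hits. In production the rules would run over 4688 or EDR process events with the command line field, and the staging-directory rule in particular should be tuned to the directory names actually seen in your environment.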
In one intrusion, we observed the Black Basta operator exploiting the\r\nPrintNightmare vulnerability and dropping spider.dll as the payload. The DLL creates a new admin user with\r\nusername “Crackenn” and password “*aaa111Cracke”:\r\nReversed code for spider.dll\r\nThe DLL first sets the user and password into a struct (userInfo), then calls the NetUserAdd Win API to create a\r\nuser with a never-expiring password. It then adds that account to the “Administrators” and “Remote Desktop Users”\r\ngroups. Next, spider.dll creates the RunTimeListen.exe process, which runs the SystemBC (aka Coroxy)\r\nbackdoor, described below.\r\nAt this stage, Black Basta operators cover their tracks by deleting the added user and the DLL planted with the\r\nPrintNightmare exploit. Because the account exists only briefly, the creation (Security event 4720), local group\r\nmembership change (4732) and deletion (4726) events, logged in close succession, are the durable trace of this step.\r\nRemote Admin Tools\r\nBlack Basta operators have a number of RAT tools in their arsenal.\r\nThe threat actor has been observed dropping a self-extracting archive containing all the files needed to run the\r\nNetSupport Manager application, staged in the C:\\temp folder with the name Svvhost.exe . 
Execution of the\r\nfile extracts all installation files into:\r\nC:\\Users\\[USER]\\AppData\\Roaming\\MSN\\\r\nArchive of installation files for NetSupport Manager dropped by Black Basta\r\nThe RAT is then executed through a run.bat script.\r\nContent of run.bat script\r\nIn other cases, we have observed the usage of Splashtop, GoToAssist and Atera Agent, as well as SystemBC, which\r\nhas been used by different ransomware operators as a SOCKS5 Tor proxy for communications, data exfiltration,\r\nand the download of malicious modules.\r\nBlack Basta Lateral Movement\r\nThe Black Basta actor has been seen using different methods for lateral movement, deploying different batch\r\nscripts through PsExec to different machines in order to automate process and service termination and to\r\nimpair defenses. Ransomware has also been deployed to a multitude of machines via PsExec.\r\nIn the most recent Black Basta incidents we observed, a batch file named SERVI.bat was deployed through\r\nPsExec on all the endpoints of the targeted infrastructure. 
This script was deployed by the attacker to kill\r\nservices and processes in order to maximize the ransomware impact, delete the shadow copies and kill certain\r\nsecurity solutions.\r\nPartial content of SERVI.bat\r\nImpair Defenses\r\nIn order to impair the host’s defenses prior to dropping the locker payload, Black Basta targets installed security\r\nsolutions with specific batch scripts downloaded into the Windows directory.\r\nIn order to disable Windows Defender, the following scripts are executed:\r\n\\Windows\\ILUg69ql1.bat\r\n\\Windows\\ILUg69ql2.bat\r\n\\Windows\\ILUg69ql3.bat\r\nThe batch scripts found in different intrusions also appear to follow a naming convention: ILUg69ql followed by a\r\ndigit.\r\npowershell -ExecutionPolicy Bypass -command \"New-ItemProperty -Path 'HKLM:\\SOFTWARE\\Policies\\Microsof\r\npowershell -ExecutionPolicy Bypass -command \"Set-MpPreference -DisableRealtimeMonitoring 1\"\r\npowershell -ExecutionPolicy Bypass Uninstall-WindowsFeature -Name Windows-Defender\r\nAccording to the official documentation, the DisableAntiSpyware policy value disables Windows Defender\r\nAntivirus in order to deploy another security solution. Set-MpPreference -DisableRealtimeMonitoring is used to disable real-time\r\nprotection, and Uninstall-WindowsFeature -Name Windows-Defender removes the Windows Defender feature altogether. Two\r\ncaveats matter for defenders: with Microsoft Defender Tamper Protection enabled, the Set-MpPreference change is blocked, and\r\nUninstall-WindowsFeature is only available on Windows Server, so the third script has no effect on client editions.\r\nBlack Basta and the FIN7 Connection\r\nIn multiple Black Basta incidents, the threat actors made use of a custom defense impairment tool. Analysis\r\nshowed that this tool was used in incidents from 3rd June 2022 onwards and found exclusively in Black Basta\r\nincidents. 
Based on this evidence, we assess it is highly likely that this tool is specific to the Black Basta group’s\r\narsenal.\r\nOur investigation led us to a further custom tool, WindefCheck.exe , an executable packed with UPX. The\r\nunpacked sample is a binary compiled with Visual Basic. Its main functionality is to show a fake Windows\r\nSecurity GUI and tray icon with a “healthy” system status, even if Windows Defender and other system\r\nfunctionalities are disabled.\r\nThe fake Windows Security GUI WindefCheck.exe\r\nAnalysis of the tool led us to further samples, one of which was packed with an unknown packer. After unpacking,\r\nwe identified it as the BIRDDOG backdoor, connecting to a C2 server at 45[.]67[.]229[.]148 . BIRDDOG, also\r\nknown as SocksBot, is a backdoor that has been used in multiple operations by the FIN7 group.\r\nFurther, we note that the IP address 45[.]67[.]229[.]148 is hosted on “pq.hosting”, the bulletproof hosting\r\nprovider of choice used by FIN7 when targeting victims.\r\nWe discovered further samples on public malware repositories packed with the same packer but compiled about\r\ntwo months before the BIRDDOG packed sample. 
Unpacking one of these samples revealed it to be a Cobalt\r\nStrike DNS beacon connecting to the domain “jardinoks.com”.\r\nComparison of the samples suggests that the packer used for the BIRDDOG backdoor is an updated version of the\r\npacker used for the Cobalt Strike DNS beacon.\r\nLeft: Cobalt Strike DNS beacon; Right: BIRDDOG backdoor\r\nWe assess it is likely the threat actor developing the impairment tool used by Black Basta is the same actor with\r\naccess to the packer source code used in FIN7 operations, thus establishing for the first time a possible connection\r\nbetween the two groups.\r\nUncovering Further Ties Between Black Basta and FIN7\r\nFIN7 is a financially motivated group that has been active since 2012, running multiple operations targeting\r\nvarious industry sectors. The group is also known as “Carbanak”, the name of the backdoor they used, but other\r\ngroups also used the same malware and are tracked separately.\r\nInitially, FIN7 used POS (Point of Sale) malware to conduct financial fraud. However, since 2020 they have switched\r\nto ransomware operations, affiliating with REvil and Conti and also conducting their own operations: first as Darkside\r\nand later rebranded as BlackMatter.\r\nAt this point, it’s likely that FIN7 or an affiliate began writing tools from scratch in order to disassociate their new\r\noperations from the old. Based on our analysis, we believe that the custom impairment tool described above is one\r\nsuch tool.\r\nCollaboration with other third party researchers provided us with a plethora of data that further supports our\r\nhypothesis. 
In early 2022, the threat actor appears to have been conducting detection tests and attack simulations\r\nusing various delivery methods for droppers, Cobalt Strike and Meterpreter C2 frameworks, as well as custom\r\ntools and plugins. The simulated activity was observed months later in the wild during attacks against live victims.\r\nAnalysis of these simulations also provided us with a few IP addresses which we believe to be attributable to the\r\nthreat actor.\r\nThe SentinelLABS full report describes these activities in detail.\r\nAttribution of the Threat Actor: FIN7\r\nWe assess it is highly likely the Black Basta ransomware operation has ties with FIN7. Furthermore, we assess it is\r\nlikely that the developer(s) behind their defense impairment tools is, or was, a developer for FIN7.\r\nConclusion\r\nThe crimeware ecosystem is constantly expanding, changing, and evolving. FIN7 (or Carbanak) is often credited\r\nwith innovating in the criminal space, taking attacks against banks and PoS systems to new heights beyond the\r\nschemes of their peers.\r\nAs we clarify the hand behind the elusive Black Basta ransomware operation, we aren’t surprised to see a familiar\r\nface behind this ambitious closed-door operation. While there are many new faces and diverse threats in the\r\nransomware and double extortion space, we expect to see the existing professional criminal outfits putting their\r\nown spin on maximizing illicit profits in new ways.\r\nRead the Full Report\r\nSource: https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/"
	],
	"report_names": [
		"black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434732,
	"ts_updated_at": 1775792197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b3e5c608b7fba1f36722b8622aae8c71af5b5db9.pdf",
		"text": "https://archive.orkl.eu/b3e5c608b7fba1f36722b8622aae8c71af5b5db9.txt",
		"img": "https://archive.orkl.eu/b3e5c608b7fba1f36722b8622aae8c71af5b5db9.jpg"
	}
}