{
	"id": "2383fedf-79db-414d-97a5-0a0050e83e99",
	"created_at": "2026-04-06T00:09:44.039049Z",
	"updated_at": "2026-04-10T03:37:50.087215Z",
	"deleted_at": null,
	"sha1_hash": "b47bb337408cc269bdfc8818c0a35e468f9b60d5",
	"title": "Open Source Malware - Sharing is caring?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2772103,
	"plain_text": "Open Source Malware - Sharing is caring?\r\nArchived: 2026-04-05 22:31:53 UTC\r\nhttps://www.slideshare.net/ChristopherDoman/open-source-malware-sharing-is-caring\r\nPage 1 of 26\r\nYou'll never be able to find me. Police will never be able to find me. I've been doing this for five years now and haven't been caught yet. Best Buy will have no ability to undo the encryption. Hell, even the NSA probably couldn't undo it.\r\nMagic Ransomware – EDA2 variant. All your files is encrypted with strong encryption. To unlock your files you must pay 1 to address bitcoin: 1LXFUhLtEnJYTo2YyMhdUCBaHcgc6LaLfR\r\n“hidden tear maybe used only for educational purposes” Open Source license? Wassenaar?\r\n“It appears that the ransomware took advantage of the published Python source … SMB structures found in the ransomware are identical to the published ones. 
… most likely without even understanding how the EternalBlue exploit actually works” Via BAE WannaCry\r\nAll components were carefully analysed for hidden functionality and vulnerabilities\r\nMany thanks to @eset @trendmicro @kaspersky @bleepingcomputer for screenshots used here and everyone else who there wasn’t space to credit in the slides\r\nEditor's Notes\r\n#2 - 1 minute Hey, thanks for coming to the talk. My name is Chris Doman, I work on AlienVault's threat intel platform called OTX. You might also know me from another project called ThreatCrowd. I won’t bother with an introduction, but I’ll just say that I started in the industry thanks to the Cyber Security Challenge, who have a booth here today. The talk today is on open source malware – I thought it’d fit nicely with the BSides topic of sharing is caring. Obviously, like all software, open source has been abused for a long time – but there seems to be growth in a couple of areas. So to illustrate these threats, I’m going to tell a couple of stories today. ___ ___ Deleted text: They gradually improved these open source programs to make them more subtle however, and these days they use their own almost entirely custom toolset. Though twenty years on there are still some shadows of that 1990s Phrack code in there today. And by open source I mean where the source is available for everyone to use – mostly when made available by the authors, but leaked source code is a pretty big deal too.\r\n#3 1 minute Guess? So who here wants to guess what this news clip is about? Yup, it’s the attacks in Christmas 2015 against Ukrainian power stations by a group known as Sandworm. There were also attempts against Kiev’s Boryspol airport and potentially the train network too, though thankfully those failed. 
This was a pretty big event – 250,000 people left without power on Christmas Eve. The power companies recovered pretty quickly by going to manual operation. Access for some time: The group that did this had been gaining access to the networks for some time. They did similar attacks taking TV stations offline during Ukrainian elections a few months earlier. And the US government warned about the same group over a year earlier when they found them exploring power stations in the US. The attackers tripped circuit breakers by connecting to SCADA consoles with stolen VPN credentials. It was reported the power operators could actually see the attackers taking stuff down on the SCADA screens in front of them, but they were locked out so they couldn’t do anything. https://www.eenews.net/assets/2016/07/19/document_ew_02.pdf\r\n#4 - 2 minutes So the group behind these are a pretty typical example of medium capability, likely state-linked attackers. Custom Developed: They have their own 0-days – one was for PowerPoint to deliver BlackEnergy. Another was for remote access to General Electric SCADA software. KillDisk was used against file servers. In one case it also took out part of a SCADA system that was running Windows. Commercial Stuff: In terms of commercial stuff – they used remote admin tools like TeamViewer and legit tools like RDP to blend into the network. BlackEnergy is the malware this group is known for – and indeed sometimes the group are just referred to as BlackEnergy. BlackEnergy has a really weird history, it could kind of fit in any of these categories. Version 1 was commercially sold for $700 for the source code, though it's now freely available. It was used in DDoS attacks in the Russia-Georgia conflict in 2008. Version 2 was commercially available again, and used by this group and others. Version 3 is used just by this group. 
Sandworm made great use of open source tools. Open Source: ReDuh proxies TCP traffic over HTTP – so you can run all your tools on networks with a strict firewall. Weevely is a webshell. Dropbear is an unfortunately named SSH server. And DSE fix allows you to run unsigned drivers on Windows. Tools for the job: So as you might expect they use whatever tools they need for the job. They cherry pick open source tools to augment their capabilities as they need it – and that’s typical of most groups that don’t have the resources to custom design everything. Attribution: It can also help blur the attribution. For example WannaCry has code overlaps with North Korean malware – you won’t get those kinds of hints with something open source. These middle capability groups have been where the growth in open source seems to be recently. There's an Iranian group called Newscaster and a Russian group called Fancy Bear that have been using customised versions of the open source BeEF browser exploitation framework recently in watering holes. In the case of Fancy Bear that has meant using it in the place of an exploit kit that they had already built themselves. They can quickly adapt the source to their needs, and operators can quickly pick up new tools when their custom main toolset is either too easily detected or attributed. In contrast, low skilled attackers have always needed free or open source software. But there is a big jump in low quality criminals taking advantage of things like open source ransomware to gain funds. The danger here is they then re-invest their stolen cash into other attacks. And at the other end, another far more capable Russian group called Turla started out in the 90s using source code taken, pretty much exclusively, from Phrack magazine – but they now have their own platforms. 
- They do some crazy stuff with using satellite connections for command and control and other very clever things to evade detection.\r\n#5 - 40 seconds There were follow up attacks a couple of weeks later, perhaps trying to regain lost access. This time, instead of their beloved BlackEnergy malware, they were using something called Gcat. Gcat is an open source backdoor that uses Gmail for command and control. Perhaps Sandworm were concerned that BlackEnergy was being too easily detected. Or perhaps they didn’t want the targets to know it was the same people behind these later attacks. It was still obvious though, as they hadn’t changed their macro code that delivered the malware. The author of Gcat was understandably a little upset about this, and it’s no longer developed. To be clear – I’m not in any way saying the author of Gcat is responsible for these attacks. There are plenty of RATs out there to choose from and he happened to have written one that was pretty reliable – and pretty hard to detect.\r\n#6 - 1 minute – Shorten this? But it does make you worry about the worst case. Here are a bunch of videos on how to use freely available tools – like njRat – to hack into people’s computers. Now obviously there are tons of videos like this on YouTube – but what’s different here is that the author claims affiliation at points to either Al Qaeda or ISIS. I’m not sure how seriously to take this guy, given he seems confused about which competing terrorist organisation he’s in. But it does make you worry about the kind of worst cases. Interestingly – I think he hosted these videos on the Internet Archive as YouTube and Facebook took down his earlier videos. In terms of how this information is shared – the Internet Archive is a stretched charity – they didn’t have time to reply to my email about this. That’s probably why the Internet Archive is banned in Russia for hosting terrorist content. 
That might also be why it was used by Russia to host the files they stole from President Macron's campaign team – during the recent French elections. Similarly, if GitHub started blocking open source RATs from having a home – they’d just be hosted somewhere else.\r\n#7 30 seconds Fast forward a year to December 2016 – and ESET reported on new attacks mostly targeting the finance sector in Ukraine. By now Sandworm had re-tooled and were using a custom backdoor again. This time it looked like a Gcat inspired backdoor that instead uses Telegram for command and control. They’d built their own tunneling software to replace ReDuh – you can see the help file there. And they’d also upgraded their KillDisk malware to leave this scary desktop background –\r\n#8 - 5 seconds There you are – inspired by Mr Robot apparently.\r\n#9 15 seconds - And this is still going on – more attacks were reported this Christmas. And – stock footage really is taking it to the extreme – isn't it? Not only is he wearing a hoodie in the dark – but he’s also staring at a roomful of Anonymous masks.\r\n#10 - 30 seconds So Mirai is very well known – some guy wrote a worm that infects Internet of Things devices to build a botnet, which was then used for DDoS attacks. He got lots of attention after launching the biggest ever DDoS attack against Krebs – and at that point he decided to open source it. I think the reason he released it onto Hackforums was probably to get some of the heat off him. If a ton of script kiddies are also using your malware, it’s a bit harder to tie you to a particular attack.\r\n#11 - 30 seconds Since then someone has modified the Mirai source code and added the ability to exploit some vulnerabilities in more home routers. Lots of Mirai attacks are still going on – someone recently used one to try and knock MalwareTech's WannaCry sinkhole off. Interestingly 
there’s also a worm called Hajime that is inspired by Mirai but far better built – that goes round closing security holes in Internet of Things devices.\r\n#12 - 10 seconds So Hidden Tear is a pretty well known piece of open source ransomware. I’ve seen a few articles on it already – so you may not know it already. But I haven't seen anything that covers all the ups and downs of the story.\r\n#13 - 1 minute So it was released by Utku, who I believe was a university student at the time. So you might ask – why would you create open source ransomware? He said he released it as an educational tool so people could understand how ransomware works better. The disclaimer said it was for educational use only. An article said it was to impress a girl – the later version called Eda was apparently named after her. It was named a ransomware honeypot, and later implied it was to get bad actors to use a weak crypto implementation. I think it was probably just curiosity and a bit of self publicity to get into the industry. Which I’ve certainly released tools for before, just with less risky consequences. The code itself is pretty much what you’d expect – a few hundred lines of Visual Basic that encrypts files only within one folder.\r\n#14 - 10 seconds Some people suggested he should add a backdoor, though he chose not to. And users discussing the code on Reddit pointed out a number of potential issues with the implementation of the encryption. I’ll go into those in a bit.\r\n#15 10 seconds Of course – it didn’t take long before real world ransomware started to take advantage of HiddenTear. This was one of the first – it infected users of a website in Paraguay.\r\n#16 - 10 seconds Utku saw the report and offered to help get the victims their files back.\r\n#17 - 1 minute So I mentioned some issues with the implementation of the crypto in HiddenTear earlier. The key is generated from the system time. It uses a call to Environment.TickCount – a 32 bit integer – 
so it only has about 2 billion values. On a modern machine that could be brute-forceable in itself. But the other weakness is that this value is the time that HiddenTear started. So all you need to do is get the time the first file got encrypted, within a certain window of time. So that’s how Utku broke his own crypto. He attempted to decrypt a file that he knew the contents of until he’d found the key. This flaw was actually pointed out by other users, and was inspired by Bitdefender’s decryption of Linux Encoder. In that case it didn’t work a lot of the time – because Linux Encoder is so dumb it often encrypts files in multiple rounds or simply accidentally deletes them – rendering them unrecoverable.\r\n#18 -15 seconds After HiddenTear Utku later released an improved version. Most of the crypto flaws were removed – and he added features such as setting the desktop background.\r\n#19 - 15 seconds So – let's say that you want to play Far Cry. And I can see it does look pretty fun, looking at this dude with antlers on his head. But unfortunately you’ll have to pay 39 pounds and 99 pence – that’s a lot of money.\r\n#20 -20 seconds So naturally you’ll want to Google for a crack. So the first result in Google when looking for a crack is this YouTube video – Google makes sure that YouTube ranks well in search results. And it’s great that these two lovely people are going to give you Far Cry for free – you can probably see where this is going.\r\n#21 - 5 seconds But oh no – they lied. Actually the crack just installs this ransomware – based on EDA2.\r\n#22 -15 seconds The worst thing about this ransomware is the ransom note the guy gives users is really arrogant. You’ll never be able to find me (Voice). Even the NSA can't get your files back.\r\n#23 - 20 seconds So Utku to the rescue again. He saw users on the Bleeping Computer forums reporting they’d lost their files in the ransomware attack. And he logged into the command and control server using 
a backdoor he’d secretly left in EDA2. I’ve got to say – in the UK I think this might be a violation of the Computer Misuse Act.\r\n#24 - 25 seconds Of course it wasn’t long before someone made a fork that improved on EDA2. They improved the security of the encryption and added some other features. They said they made it for law enforcement… If anyone here is from law enforcement perhaps they can thank them.\r\n#25 - 10 seconds Empinel – the author of Stolich – actually missed the backdoor in EDA2 at first, but other users let them know and they then removed it.\r\n#26 - 10 seconds So, let's say you want to play Minecraft… You can probably see where this is going.\r\n#27 - 20 seconds Oh no – it’s a backdoored Minecraft installer. I’m not sure how to pronounce this. Either Laughing My Ass Off at You? Or LmaoxUs. But yeah, this is based on Stolich.\r\n#28 - 60 seconds This all happened a few months ago, but he’s only removed the code from GitHub a couple of weeks ago. Of course, forks are still available on GitHub so the code is still available for anyone to find. I was surprised when I looked into this to find the guy that forked EDA2 and wrote Stolich is only 13 years old. So I give him a bit of a pass given he's only 13. Maybe when he’s older he can try to stop ransomware instead, which is a much harder job. And the other point here is that stuff stays with you. 
The line at the bottom is a very immature disclaimer from a password cracker I wrote and open sourced when I was the same age as this guy. I was a teenager then but all the tutorials and zines I used to write as a kid are still floating around in various places.\r\n#30 - 10 seconds Here’s another piece of ransomware – called Magic – that is forked from EDA2.\r\n#31 - 30 seconds The good guys took down the command and control server – but that also meant that the decryption keys were lost and the backdoor wouldn't work. The malware author offered to provide a backup he had made of the keys. But only if Utku took down the source code for HiddenTear and EDA2. It isn't clear just why he wanted HiddenTear taken down, perhaps having openly available ransomware was hurting his business. ____ https://www.utkusen.com/blog/project-eda2-is-abandoned-due-to-magic-ransomware-incident.html I removed all the files and commits of Eda2 project. Since nobody is discovered the backdoor of Eda2, I won’t reveal it right now. Because we may deal with new Eda2 implementations in future. I’m sorry, I failed this time.\r\n#32 - 15 seconds So Utku took the code down for them. Looking at the commit logs though, he did have enough time to upgrade the logo to EDA2 first. But thankfully the attacker did give the encryption keys back so people could get their files. ___ http://news.softpedia.com/news/ransomware-author-blackmails-security-researcher-who-refuses-to-give-in-499437.shtml UPDATE: After further discussions, the blackmail attempt turned into full-on negotiations, but Utku Sen and the ransomware operator have come to an agreement. Utku will take down the Hidden Tear repository in three days while the author of the Magic ransomware will provide all the encryption keys for free for the next 15 days. 
Victims should email the ransomware operator at viper1990@safe-mail.net.\r\n#33 - 25 seconds So even though the code is removed from the original GitHub repository – it’s still available via: the commit history; forks – you can see some up here; there are improved versions too; ports – you can see one person decided to port it to C++ for some reason; and also other malware inspired by the overall design decisions in HiddenTear.\r\n#34 - 20 seconds And there have been a ton of ransomware attacks using the Hidden Tear and EDA2 code. You can see here some of them…. “Don’t Download Random Shit on the Internet” one says up there.. Sounds like good advice. And it looks like Santa Claus is getting stoned for some reason… I dunno.\r\n#35 -5 seconds Yep, some more.\r\n#36 - 45 seconds And more … most of these were pulled in the last couple of weeks by the way. A big shout out to both Trend Micro and Bleeping Computer who reported on many of those, which saved me having to spend too long trawling through VirusTotal to find samples. They are easy to find though – antivirus detections are pretty accurate and the code is easy to signature. My favourite is this guy at the front – This is Microsoft Vindows Support – you have the Zeus Wirus! I tried the number by the way, it no longer works.\r\n#37 That phone number no longer works, but this is from a newer scam that still does, in case you’d like to talk to them.\r\n#38 - 5 seconds This one plays the Harry Potter theme tune to you.\r\n#39 - 10 seconds This one just deletes all your files… so you can't get them back.\r\n#40 - 15 seconds This one…. Does it look familiar? 
This variant came out the same time as WannaCry. It’s a bit like those insects that impersonate more dangerous ones so they don’t get eaten.\r\n#41 - 15 seconds You’ve probably heard of this one. Requires you to play a weird anime game and get a certain score to get your files back. Which is strange. The author later apologised and released a tool to get people's files back.\r\n#42 - 5 seconds This one doesn’t actually ask for any money, says it's just to educate people about ransomware, and gives you your files back for free.\r\n#43 - 20 seconds This one probably scares me the most – it's ransomware as a service. You pay $175 and then you have a platform to spread ransomware from; it includes a HiddenTear variant. It’s a very low cost entry into ransomware for criminals, and the money they make might get reinvested in more attacks.\r\n#44 - 25 seconds So this is a great map of all the ransomware families F-Secure tagged over time. I meant to highlight which ones were based on HiddenTear – but it was taking too long. When I was counting it was looking to be around 1 in 5, which is a pretty high amount. Of course this doesn’t take into account how much each variant spread. So something like Locky, which is custom developed, is underrepresented here.\r\n#45 - 25 seconds Trend Micro have some numbers – these are the unique families based on Hidden Tear that they’re seeing. Again this doesn’t take into account how widely those families are being seen though. This goes up to March – look at the samples we’re getting. I’d guess it’s stayed pretty stable between March and May.\r\n#46 - 20 seconds I’ve always found it funny seeing disclaimers like “for educational use only”. As far as I can tell these mean nothing. Also I’ve read, though I am definitely not a lawyer myself, that an open source license means you can't dictate usage. And again, from what I’ve read, the Wassenaar treaty on arms control doesn’t apply to open source software.\r\n#47 - 30 
seconds And finally, 2sec, who these days is probably best known as MalwareTech’s mate, made this poll – do people think open source ransomware is a good thing? He got pretty much 50/50 – so as a rough show of hands: put your hands up if you think open source ransomware is a good idea. And bad? …. Anyway – so that’s HiddenTear.\r\n#48 15 seconds So – the next section is mostly on leaked source code. It’s not open source in the sense that there isn’t a license explicitly allowing you to use the code – but then if you’re deploying malware you’re probably not too bothered about the license anyway.\r\n#49 - 1 minute Probably the most famous leaked code is from Shadow Brokers. They leaked a bunch of exploits and tools allegedly stolen from the NSA. This was actually taken down when first republished onto GitHub, from somewhere else. And it wasn’t taken down because of the exploits. It was taken down because they included the auction message from the Shadow Brokers – and you’re not allowed to ask for cash on GitHub. To be fair GitHub has got a pretty hard job deciding what to allow or not. For example they don’t allow compiled malware. But they do allow you to host scripts that you can run as is. So I’ve seen on incident response jobs, attackers running PowerShell Mimikatz straight off of github.com. And that’s a pain to detect at the network level without SSL terminators. So you just see an encrypted connection to github.com. It's also a pain to stop with application whitelisting as it’s not an executable, though there’s plenty you can do to detect malicious PowerShell usage.\r\n#50 - 50 seconds One of these exploits is EternalBlue – the SMB version 1 exploit made famous by its abuse in WannaCry. The exploit was leaked back in April, and some people were playing with it when it came out. But WannaCry didn’t happen until a month after those 
exploits were released. An analysis by BAE showed that WannaCry used an easier to use version of the exploit – developed just a couple of days before WannaCry spread to GitHub. If they hadn’t released this version of the exploit – would WannaCry have still happened? And now it's in Metasploit… And whenever things end up in Metasploit – you quickly see that code being reused in malware.\r\n#51 - 80 seconds This is leaked source code from Fancy Bear or APT28. Funnily enough there’s a good chance these are the same guys behind Shadow Brokers – so what goes around comes around. They left two of their command and control servers open so anyone could grab the source code. Also in terms of sharing is caring: a journalist leaked the analysis that one of the security guys at Google had done on this malware. And that’s a whole other side of sharing is caring – on the defensive side – that I don’t have time to cover in this talk. The product that I work on, OTX, we have problems with getting the sharing right. 
We really want users to share information on attacks there, but we’ve also had plenty of cases of people using our platform to leak vendors' private threat intelligence reports. And some of that is pretty sensitive – both commercially, because we don’t want people stealing other people's intellectual property, but more importantly because if attackers see there’s a private report on their malware, clearly they will change how they operate and then we won’t be able to detect them anymore. ___ Journalist leaked Google report – sharing is caring – TLP amber\r\n#52 - 45 seconds Hacking Team are a very controversial surveillance company. They sell exploits and malware to law enforcement. But they also have a habit of not only selling to regimes that would use it for things like counter terrorism, but also to places where they use it against dissidents and journalists that criticise the government. So someone hacked them and put all their stuff on GitHub… The exploits were used almost immediately. Pirated versions of Hacking Team's malware have been seen in targeted attacks by Russian nationalists. 
They’re quite a low capability group but pretty dangerous. When Putin talks about nationalist hackers it could be these guys he means – but these aren’t the group that are impacting elections.\r\n#53 - 50 seconds Shadowserver did a really nice analysis of how two of the Hacking Team leaked exploits were packaged up and used by some groups based in China. It looks like there was one central development shop, or quartermaster, that packaged up the exploits then shared them with various other China based groups. And this is something you see a lot with targeted attacks. I saw something similar when looking at groups that used a Chinese exploit framework, which is a Frankenstein of various open source bits of code, and is distributed from one central development shop.\r\n#54 - 35 seconds So Carberp was a banking trojan that made many millions of pounds a few years ago. It was built by about 25 programmers who all worked remotely; they were paid a couple of thousand dollars to write modules to extend the trojan. Most worked around the Black Sea, which is a hotbed for this kind of high end cyber crime. It’s always interesting to see who's behind a big operation like this – you can see one of the ringleaders getting arrested here – he's not having a good day. He lives in Moscow and made the mistake of targeting a ton of Russian banks. And what happened after these guys were arrested is pretty much the same as what happened with the Zeus banking malware. The code was soon being sold on forums by people who had access, and finally it got leaked enough that it was freely available. ___ Show video from https://life.ru/t/%D0%BD%D0%BE%D0%B2%D0%BE%D1%81%D1%82%D0%B8/86143 Summarise https://krebsonsecurity.com/tag/carberp/ https://www.welivesecurity.com/2012/07/02/all-carberp-botnet-organizers-arrested/ 
http://translate.google.com/translate?sl=ru\u0026tl=en\u0026js=n\u0026prev=_t\u0026hl=en\u0026ie=UTF-8\u0026eotf=1\u0026u=http%3A%2F%2Fwww.kommersant.ua%2Fdoc%2F2160535\u0026act=url\u0026act=url\u0026act=url\r\n#55 2 minutes And it seems that everyone uses Carberp! Both Carberp and Zeus are used as the basis for\r\nmost banking malware sold on forums today - To the extent that people selling malware advertise if their\r\nmalware isn’t based on Zeus and Carberp – because they are now so easy to detect Sofacy or APT28 use it\r\nin some of their code, together with Metasploit - They are a very well resourced organisation, but it makes\r\nsense for them to develop as quickly as possible given they have a remit to hack thousands of people every\r\nyear It was pretty well reported on that Wikileaks leaked what is apparently CIA tools and malware\r\nrecently One of the things in that massive dump is a backdoor which uses parts of Carberp Its nice to see\r\nthem saving tax payer money They also say that they’ve carefully vetted the code for vulnerabilities and\r\nbackdoors, which is quite hard to do The quote here comments that making Carberp, which previously cost\r\n$40k, available to everyone is like “handing a bazooka to a child” - Which makes you wonder what the\r\ncomparison would be for making entire NSA and CIA entire platforms, worth many millions of pounds,\r\nfreely available is like Maybe its more like handing a nuke to a child, and that’s why we have things like\r\nWannaCry\r\n#56 - 10 seconds So are there some upsides to all this open source malware and leaked code being\r\navailable to anyone?\r\n#57 - 15 seconds As mentioned earlier, when everyone bases their malware on the same code base it can\r\nmake it easier to detect Most HiddenTear variants are detected pretty trivially as HiddenTear There are\r\npackers and obfuscators though that can make the job more difficult\r\n#58 - 40 seconds For one thing having the source code for Carberp made it easier to 
find vulnerabilties And\r\nlooking at it some of the code is actually pretty terrible So it didn’t take long before researchers found they\r\ncould remotely take control of Carberp command and control servers And whilst people can fork Carberp\r\nand fix these holes – I havent seen anyone do it. I guess it’s hard to get the many eyes advantages of open\r\nsource when there’s not a central active developer for leaked code So up here on the screen are some\r\ncommand and control servers that Xylitol took over\r\n#59 10 - And finally I didn’t have space on the slides to thank everyone whose screenshots and research I\r\nused, so many thanks to them\r\n#60 20 - So – that’s it  Any questions?\r\nSource: https://www.slideshare.net/ChristopherDoman/open-source-malware-sharing-is-caring\r\nhttps://www.slideshare.net/ChristopherDoman/open-source-malware-sharing-is-caring\r\nPage 26 of 26",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.slideshare.net/ChristopherDoman/open-source-malware-sharing-is-caring"
	],
	"report_names": [
		"open-source-malware-sharing-is-caring"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a7d4fe31-d92f-425a-ba8c-c70219f52fb8",
			"created_at": "2022-10-25T15:50:23.466009Z",
			"updated_at": "2026-04-10T02:00:05.250808Z",
			"deleted_at": null,
			"main_name": "Frankenstein",
			"aliases": [
				"Frankenstein"
			],
			"source_name": "MITRE:Frankenstein",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6bad0c51-0d2b-4f04-b355-f88c960db813",
			"created_at": "2025-08-07T02:03:24.546734Z",
			"updated_at": "2026-04-10T02:00:03.691101Z",
			"deleted_at": null,
			"main_name": "ALUMINUM THORN",
			"aliases": [
				"Frankenstein ",
				"WIRTE "
			],
			"source_name": "Secureworks:ALUMINUM THORN",
			"tools": [
				"FruityC2",
				"PowerShell Empire"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e034b94b-9655-42c4-a72e-a58807dce299",
			"created_at": "2022-10-25T16:07:24.133537Z",
			"updated_at": "2026-04-10T02:00:04.876832Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Group 83",
				"NewsBeef",
				"Newscaster",
				"Operation Newscaster",
				"Operation Woolen-GoldFish",
				"Parastoo",
				"Rocket Kitten"
			],
			"source_name": "ETDA:Rocket Kitten",
			"tools": [
				"CoreImpact (Modified)",
				"FireMalv",
				"Ghole",
				"Gholee"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434184,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b47bb337408cc269bdfc8818c0a35e468f9b60d5.pdf",
		"text": "https://archive.orkl.eu/b47bb337408cc269bdfc8818c0a35e468f9b60d5.txt",
		"img": "https://archive.orkl.eu/b47bb337408cc269bdfc8818c0a35e468f9b60d5.jpg"
	}
}