{ "id": "0f391d16-eba7-4f91-b001-20badd2c0bee", "created_at": "2026-04-06T00:18:44.230307Z", "updated_at": "2026-04-10T03:38:20.263968Z", "deleted_at": null, "sha1_hash": "b778366df855e4231e263aaaaca7ffe12865aba9", "title": "BeaverTail (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 117697, "plain_text": "BeaverTail (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 17:22:29 UTC\r\nBeaverTail is a JavaScript malware primarily distributed through NPM packages. It is designed for information\r\ntheft and to load further stages of malware, specifically a multi-stage Python-based backdoor known as\r\nInvisibleFerret. BeaverTail targets cryptocurrency wallets and credit card information stored in the victim's web\r\nbrowsers. Its code is heavily obfuscated to evade detection. Threat actors can either upload malicious NPM\r\npackages containing BeaverTail to GitHub or inject BeaverTail code into legitimate NPM projects. Researchers\r\nhave identified additional Windows and macOS variants, indicating that the BeaverTail malware family is likely\r\nstill under development.\r\n2026-03-11 ⋅ Microsoft ⋅ Microsoft Defender Experts, Microsoft Defender Security Research Team\r\nContagious Interview: Malware delivered through fake developer job interviews\r\nBeaverTail OtterCookie StoatWaffle InvisibleFerret PylangGhost GolangGhost 2026-02-25 ⋅ Abstract Security ⋅\r\nContagious Interview: Evolution of VS Code and Cursor Tasks Infection Chains - Part 1\r\nBeaverTail PylangGhost GolangGhost 2026-02-19 ⋅ GitLab ⋅ Oliver Smith\r\nGitLab Threat Intelligence Team reveals North Korean tradecraft\r\nBeaverTail OtterCookie 2026-01-20 ⋅ Abstract Security ⋅ Abstract Security Threat Research Organization\r\nContagious Interview: Tracking the VS Code Tasks Infection Vector\r\nBeaverTail InvisibleFerret 2026-01-13 ⋅ Security Alliance ⋅ Security Alliance\r\nVS Code Tasks Abuse by Contagious Interview (DPRK)\r\nBeaverTail InvisibleFerret 2026-01-11 ⋅ Red Asgard ⋅ Red Asgard\r\nHunting Lazarus: Inside the Contagious Interview C2 Infrastructure\r\nBeaverTail InvisibleFerret 2025-12-17 ⋅ Recorded Future ⋅ Insikt Group\r\nPurpleBravo’s Targeting of the IT Software Supply Chain\r\nBeaverTail InvisibleFerret PylangGhost GolangGhost 2025-11-28 ⋅ OpenSourceMalware ⋅ OpenSourceMalware\r\n\"Contagious Interview\" campaign abuses Microsoft VSCode tasks to drop malware and gain persistence\r\nBeaverTail InvisibleFerret 2025-11-13 ⋅ NVISO Labs ⋅ Bart Parys, Efstratios Lontzetidis, Stef Collart\r\nContagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery\r\nBeaverTail OtterCookie InvisibleFerret Beavertail TsunamiKit 2025-10-20 ⋅ Medium Deriv-Tech ⋅ Shantanu Ghumade\r\nHow a fake AI recruiter delivers five staged malware disguised as a dream job\r\nBeaverTail OtterCookie InvisibleFerret 2025-10-16 ⋅ Cisco Talos ⋅ Michael Kelley, Vanja Svajcer\r\nBeaverTail and OtterCookie evolve with a new Javascript module\r\nBeaverTail OtterCookie InvisibleFerret 2025-10-10 ⋅ Socket ⋅ Kirill Boychenko\r\nNorth Korea’s Contagious Interview Campaign Escalates: 338 Malicious npm Packages, 50,000 Downloads\r\nBeaverTail InvisibleFerret 2025-09-25 ⋅ ESET Research ⋅ Matěj Havránek, Peter Kálnai\r\nDeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception\r\nBeaverTail OtterCookie InvisibleFerret PylangGhost AkdoorTea GolangGhost Tropidoor TsunamiKit 2025-09-25 ⋅\r\nVirus Bulletin ⋅ Matěj Havránek, Peter Kálnai\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/js.beavertail\r\nPage 1 of 4\n\nDeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception\r\nBeaverTail OtterCookie InvisibleFerret PylangGhost AkdoorTea GolangGhost Tropidoor TsunamiKit 2025-09-17 ⋅\r\nGitLab ⋅ GitLab\r\nTech Note - BeaverTail variant distributed via malicious repositories and ClickFix lure\r\nBeaverTail OtterCookie BeaverTail InvisibleFerret Beavertail GolangGhost 2025-08-27 ⋅ Anthropic ⋅ Anthropic\r\nAnthropic - Threat Intelligence Report: August 2025\r\nBeaverTail OtterCookie GolangGhost InvisibleFerret GolangGhost 2025-08-11 ⋅ nimanthadeshappriya.com ⋅ Nimantha\r\nDeshappriya\r\nFrom Colombo to Pyongyang\r\nBeaverTail BeaverTail Beavertail 2025-07-14 ⋅ Socket ⋅ Kirill Boychenko\r\nContagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader\r\nBeaverTail InvisibleFerret 2025-06-24 ⋅ Socket ⋅ Socket\r\nAnother Wave: North Korean Contagious Interview Campaign Drops 35 New Malicious npm Packages\r\nBeaverTail InvisibleFerret 2025-06-03 ⋅ ANY.RUN ⋅ ANY.RUN\r\nOtterCookie: Analysis of Lazarus Group Malware Targeting Finance and Tech Professionals\r\nBeaverTail OtterCookie InvisibleFerret 2025-05-12 ⋅ ESET Research ⋅ ESET Research\r\nESET APT Activity Report Q4 2024–Q1 2025\r\nBeaverTail InvisibleFerret GolangGhost 2025-05-07 ⋅ NTT Security ⋅ Masaya Motoda, Rintaro Koike\r\nAdditional Features of OtterCookie Malware Used by WaterPlum\r\nBeaverTail OtterCookie InvisibleFerret 2025-04-24 ⋅ Silent Push ⋅ Silent Push\r\nContagious Interview (DPRK) Launches a New Campaign Creating Three Front Companies to Deliver a Trio of\r\nMalware: BeaverTail, InvisibleFerret, and OtterCookie\r\nBeaverTail OtterCookie FrostyFerret GolangGhost InvisibleFerret GolangGhost 2025-04-23 ⋅ Trend Micro ⋅ Feike\r\nHacquebord, Stephen Hilt\r\nRussian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations\r\nBeaverTail FrostyFerret GolangGhost InvisibleFerret GolangGhost WageMole 2025-04-11 ⋅ Bitso Quetzal Team ⋅ Mauro\r\nEldritch\r\nInterview with the Chollima\r\nBeaverTail OtterCookie InvisibleFerret 2025-04-04 ⋅ Socket ⋅ Socket\r\nLazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads\r\nBeaverTail InvisibleFerret 2025-04-02 ⋅ ASEC ⋅ ASEC\r\nBeaverTail and Tropidoor Malware Distributed via Recruitment Emails\r\nBeaverTail Tropidoor 2025-03-31 ⋅ Aikido ⋅ Charlie Eriksen\r\nMalware hiding in plain sight: Spying on North Korean Hackers\r\nBeaverTail 2025-02-20 ⋅ ESET Research ⋅ ESET Research\r\nDeceptiveDevelopment targets freelance developers\r\nBeaverTail InvisibleFerret 2025-02-13 ⋅ Recorded Future ⋅ Recorded Future\r\nInside the Scam: North Korea’s IT Worker Threat\r\nBeaverTail OtterCookie InvisibleFerret 2025-02-07 ⋅ ⋅ SI-CERT ⋅ SI-CERT\r\nSI-CERT TZ016 / BeaverTail \u0026 InvisibleFerret\r\nBeaverTail InvisibleFerret 2025-02-05 ⋅ Bitdefender ⋅ Alina Bizga, Andrei ANTON-AANEI, Ionuț-Alexandru Baltariu\r\nLazarus Group Targets Organizations with Sophisticated LinkedIn Recruiting Scam\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/js.beavertail\r\nPage 2 of 4\n\nBeaverTail InvisibleFerret tsunami 2025-01-29 ⋅ SecurityScorecard ⋅ SecurityScorecard STRIKE Team\r\nOperation Phantom Circuit: North Korea’s Global Data Exfiltration Campaign\r\nBeaverTail InvisibleFerret 2025-01-29 ⋅ Socket ⋅ Kirill Boychenko, Peter van der Zee\r\nNorth Korean APT Lazarus Targets Developers with Malicious npm Package\r\nBeaverTail InvisibleFerret 2024-12-24 ⋅ ⋅ NTT Security Holdings ⋅ NTT Security Holdings\r\nContagious Interview Uses New Malware Otter Cookie\r\nBeaverTail OtterCookie InvisibleFerret 2024-11-26 ⋅ Arxiv ⋅ Alessio Di Santo\r\nLazarus Group Targets Crypto-Wallets and Financial Data while employing new Tradecrafts\r\nBeaverTail InvisibleFerret tsunami TsunamiKit 2024-11-14 ⋅ eSentire ⋅ eSentire\r\nBored BeaverTail \u0026 InvisibleFerret Yacht Club – A Lazarus Lure Pt.2\r\nBeaverTail InvisibleFerret 2024-11-14 ⋅ Palo Alto ⋅ Unit 42\r\nFake North Korean IT Worker Linked to BeaverTail Video Conference App Phishing Attack\r\nBeaverTail InvisibleFerret WageMole 2024-11-04 ⋅ Israel National Cyber Directorate (INCD) ⋅ Israel National Cyber Directorate\r\n(INCD)\r\nDeep Drive Analysis of the BeaverTail Infostealer\r\nBeaverTail 2024-11-04 ⋅ Zscaler ⋅ Zscaler\r\nFrom Pyongyang to Your Payroll: The Rise of North Korean Remote Workers in the West\r\nBeaverTail InvisibleFerret WageMole 2024-10-29 ⋅ SecurityScorecard ⋅ SecurityScorecard STRIKE Team\r\nThe Job Offer That Wasn’t: How We Stopped an Espionage Plot\r\nBeaverTail InvisibleFerret 2024-10-29 ⋅ ⋅ Macnica ⋅ Hiroshi Takeuchi\r\nJob Offer from the North: Contagious Interview for Software Developers\r\nBeaverTail InvisibleFerret 2024-10-24 ⋅ Datadog ⋅ Datadog\r\nTenacious Pungsan: A DPRK threat actor linked to Contagious Interview\r\nBeaverTail InvisibleFerret 2024-10-17 ⋅ Github (ssrdio) ⋅ Gregor Spagnolo\r\nAnalysis of BeaverTail \u0026 InvisibleFerret activity\r\nBeaverTail InvisibleFerret 2024-09-10 ⋅ Stacklok ⋅ Stacklok\r\nDependency hijacking: Dissecting North Korea’s new wave of DeFi-themed open source attacks targeting\r\ndevelopers\r\nBeaverTail InvisibleFerret 2024-09-04 ⋅ Group-IB ⋅ Sharmine Low\r\nAPT Lazarus: Eager Crypto Beavers, Video calls and Games\r\nBeaverTail BeaverTail InvisibleFerret Beavertail 2024-07-31 ⋅ Securonix ⋅ Securonix\r\nResearch Update: Threat Actors Behind the DEV#POPPER Campaign Have Retooled and are Continuing to\r\nTarget Software Developers via Social Engineering\r\nBeaverTail 2024-07-15 ⋅ Objective-See ⋅ Patrick Wardle\r\nThis Meeting Should Have Been an Email: A DPRK stealer, dubbed BeaverTail, targets users via a trojanized\r\nmeeting app\r\nBeaverTail BeaverTail InvisibleFerret 2024-05-10 ⋅ ⋅ Qianxin Threat Intelligence Center ⋅ Threat Intelligence Center\r\nRecruitment trap for blockchain practitioners: Analysis of suspected Lazarus (APT-Q-1) stealing operations\r\nBeaverTail 2024-03-24 ⋅ Securonix ⋅ Securonix\r\nAnalysis of DEV#POPPER: New Attack Campaign Targeting Software Developers Likely Associated With North\r\nKorean Threat Actors\r\nBeaverTail 2023-11-21 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/js.beavertail\r\nPage 3 of 4\n\nHacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean\r\nThreat Actors\r\nBeaverTail InvisibleFerret WageMole\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/js.beavertail\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/js.beavertail\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.beavertail" ], "report_names": [ "js.beavertail" ], "threat_actors": [ { "id": "32e2c6f9-a1f5-42bc-ac1d-5d9dc301cf0e", "created_at": "2025-08-07T02:03:25.078429Z", "updated_at": "2026-04-10T02:00:03.811418Z", "deleted_at": null, "main_name": "NICKEL ALLEY", "aliases": [ "CL-STA-0240 ", "Purplebravo Recorded Future", "Storm-1877 ", "Tenacious Pungsan " ], "source_name": "Secureworks:NICKEL ALLEY", "tools": [], "source_id": "Secureworks", "reports": null }, { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "7187a642-699d-44b2-9c69-498c80bce81f", "created_at": "2025-08-07T02:03:25.105688Z", "updated_at": "2026-04-10T02:00:03.78394Z", "deleted_at": null, "main_name": "NICKEL TAPESTRY", "aliases": [ "CL-STA-0237 ", "CL-STA-0241 ", "DPRK IT Workers", "Famous Chollima ", "Jasper Sleet Microsoft", "Purpledelta Recorded Future", "Storm-0287 ", "UNC5267 ", "Wagemole " ], "source_name": "Secureworks:NICKEL TAPESTRY", "tools": [], "source_id": "Secureworks", "reports": null }, { "id": "4fc99d9b-9b66-4516-b0db-520fbef049ed", "created_at": "2025-10-29T02:00:51.949631Z", "updated_at": "2026-04-10T02:00:05.346203Z", "deleted_at": null, "main_name": "Contagious Interview", "aliases": [ "Contagious Interview", "DeceptiveDevelopment", "Gwisin Gang", "Tenacious Pungsan", "DEV#POPPER", "PurpleBravo", "TAG-121" ], "source_name": "MITRE:Contagious Interview", "tools": [ "InvisibleFerret", "BeaverTail", "XORIndex Loader", "HexEval Loader" ], "source_id": "MITRE", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d05e8567-9517-4bd8-a952-5e8d66f68923", "created_at": "2024-11-13T13:15:31.114471Z", "updated_at": "2026-04-10T02:00:03.761535Z", "deleted_at": null, "main_name": "WageMole", "aliases": [ "Void Dokkaebi", "WaterPlum", "PurpleBravo", "Famous Chollima", "UNC5267", "Wagemole", "Nickel Tapestry", "Storm-1877" ], "source_name": "MISPGALAXY:WageMole", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "ef59a0d9-c556-4448-8553-ed28f315d352", "created_at": "2025-06-29T02:01:57.047978Z", "updated_at": "2026-04-10T02:00:04.744218Z", "deleted_at": null, "main_name": "Operation Contagious Interview", "aliases": [ "Jasper Sleet", "Nickel Tapestry", "Operation Contagious Interview", "PurpleBravo", "Storm-0287", "Tenacious Pungsan", "UNC5267", "Wagemole", "WaterPlum" ], "source_name": "ETDA:Operation Contagious Interview", "tools": [ "BeaverTail", "InvisibleFerret", "OtterCookie", "PylangGhost" ], "source_id": "ETDA", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434724, "ts_updated_at": 1775792300, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/b778366df855e4231e263aaaaca7ffe12865aba9.pdf", "text": "https://archive.orkl.eu/b778366df855e4231e263aaaaca7ffe12865aba9.txt", "img": "https://archive.orkl.eu/b778366df855e4231e263aaaaca7ffe12865aba9.jpg" } }