{
	"id": "0660526d-31ca-422e-bf1c-b7715c74bea3",
	"created_at": "2026-04-06T03:36:48.067956Z",
	"updated_at": "2026-04-10T13:11:50.555522Z",
	"deleted_at": null,
	"sha1_hash": "b82cba59de8cf6c6118650ae9d63281d1fd87836",
	"title": "CLAMBLING - A New Backdoor Base On Dropbox (EN)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1030978,
	"plain_text": "CLAMBLING - A New Backdoor Base On Dropbox (EN)\r\nBy Talent-Jump\r\nPublished: 2020-02-17 · Archived: 2026-04-06 02:51:35 UTC\r\n#DRBControl  #Malware  #APT  #IncidentResponse  Post on Feb 17 2020\r\nBy Theo Chen, Zero Chen\r\nChinese version\r\nIn July 2019 one of our customers suffered an APT attack, and we started the investigation immediately. During the investigation we found a brand new backdoor sample that implements many of its features through the Dropbox API, using Dropbox as a C\u0026C server. After reverse engineering it, we extracted the Dropbox token used by the sample, dug into the Dropbox folder, and mapped out the whole functional structure.\r\nThe report is co-authored with Trend Micro:\r\nKenney Lu, Daniel Lunghi, Cedric Pernet, and Jamz Yaneza. (17 February 2020). Trend Micro. “Operation DRBControl - Uncovering A Cyberespionage Campaign Targeting Gambling Companies In Southeast Asia”\r\nFirst Stage Infection\r\nThe threat actor uses the Windows Defender core process MsMpEng.exe, which carries a valid digital signature, to side-load the malicious DLL. The DLL loads shellcode from a payload file and then releases the final malicious executable, completing the first infection stage.\r\nDuring the investigation we found a total of eight different loader filenames [Appendix 1], each a renamed copy of MsMpEng.exe placed in its own folder under C:\\ProgramData\\Microsoft. The loader itself does nothing more than call the function ServiceCrtMain imported from mpsvc.dll, which is why the signed binary can be used unmodified.\r\nThe malicious DLL mpsvc.dll comes in two variants [Appendix 2]. The older one reads shellcode from the payload file English.rtf, decodes it and decompresses the result with RtlDecompressBuffer to release the final executable (Figure 1).\r\nhttps://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/\r\nPage 1 of 20\n\nFigure 1. Older type of mpsvc.dll\r\nThe newer variant (Figure 2) starts the infection differently, as described next.\r\n
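Recovering the final executable from the buffer handed to RtlDecompressBuffer is the last step of both loader variants (the decoded English.rtf content in the older one, the bytes carried by mpsvc.mui in the newer one described next). The Python decompressor below is an added example and not code from the article or from the sample. It assumes the LZNT1 format (COMPRESSION_FORMAT_LZNT1, the format RtlDecompressBuffer is most commonly called with), which the article does not state, and it runs over two constructed chunks rather than the real payload; the sample-specific decode step that precedes the decompression is not reproduced.

```python
import struct

# Constructed sample input (not from the sample): one compressed LZNT1 chunk
# whose tokens are the literals A, B, C followed by a back-reference of
# length 9 at distance 3, so it expands to b'ABCABCABCABC'.
SAMPLE_COMPRESSED = bytes([0x05, 0xB0, 0x08, 0x41, 0x42, 0x43, 0x06, 0x20])
# Constructed sample: a stored (uncompressed) chunk holding b'hello'.
SAMPLE_STORED = bytes([0x04, 0x30]) + b'hello'


def _expand_chunk(chunk: bytes) -> bytearray:
    # One LZNT1 chunk: groups of a flag byte followed by up to eight tokens.
    # Flag bit clear = one literal byte; flag bit set = two-byte copy token.
    out = bytearray()
    pos = 0
    while pos < len(chunk):
        flags = chunk[pos]
        pos += 1
        for bit in range(8):
            if pos >= len(chunk):
                break
            if not (flags >> bit) & 1:
                out.append(chunk[pos])
                pos += 1
                continue
            if pos + 2 > len(chunk):
                raise ValueError('truncated LZNT1 copy token')
            token = struct.unpack_from('<H', chunk, pos)[0]
            pos += 2
            # The split between length bits and distance bits shifts as the
            # decoded output grows: 12 distance bits at the start of a chunk,
            # one fewer each time the output position doubles past 16 bytes.
            p = len(out) - 1
            length_mask, dist_shift = 0xFFF, 12
            while p >= 0x10:
                length_mask >>= 1
                dist_shift -= 1
                p >>= 1
            length = (token & length_mask) + 3
            distance = (token >> dist_shift) + 1
            if distance > len(out):
                raise ValueError('LZNT1 back-reference points before chunk start')
            for _ in range(length):          # byte-wise copy handles overlap
                out.append(out[-distance])
    return out


def lznt1_decompress(data: bytes) -> bytes:
    # Chunk header (little-endian u16): bits 0-11 = chunk size - 1,
    # bits 12-14 = signature 3, bit 15 = chunk is compressed.
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        header = struct.unpack_from('<H', data, pos)[0]
        pos += 2
        if header == 0:                      # zero header ends the stream
            break
        if (header >> 12) & 0x7 != 3:
            raise ValueError(f'bad LZNT1 chunk signature at offset {pos - 2}')
        size = (header & 0xFFF) + 1
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ValueError('truncated LZNT1 chunk')
        pos += size
        out += _expand_chunk(chunk) if header & 0x8000 else chunk
    return bytes(out)


def recover_payload(blob: bytes) -> tuple:
    # Returns (looks_like_pe, payload). The loaders write the decompressed
    # buffer straight to memory, so an MZ check is the quickest sanity test
    # an analyst can apply to the result.
    payload = lznt1_decompress(blob)
    return payload[:2] == b'MZ', payload


if __name__ == '__main__':
    print(lznt1_decompress(SAMPLE_COMPRESSED + SAMPLE_STORED))
```

On a live Windows host an analyst would call ntdll's RtlDecompressBuffer directly through ctypes; the pure-Python version is useful when the buffer has been carved from a memory dump on another platform, and the MZ check in recover_payload is the first thing to look at in the output.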
A piece of shellcode is hard-coded in mpsvc.dll. After decoding it, the DLL injects and executes that shellcode, which in turn loads further shellcode from mpsvc.mui (Figure 2); that stage releases the final executable and injects it into the process.\r\nFigure 2. Newer type of mpsvc.dll\r\nBoth variants of mpsvc.dll release a fully functional backdoor that can connect to the C\u0026C server, but the executable released by the newer variant has been upgraded, notably with the ability to interact with the Dropbox API. The rest of this article focuses on the malicious executable released by the newer variant of mpsvc.dll.\r\nThe hard-coded shellcode in the newer mpsvc.dll first allocates 0x80000 bytes of memory. It then takes the current module’s full path, replaces the dll extension with mui, reads the shellcode from that file into the buffer, and jumps to the buffer’s base address plus its first byte (Figure 3).\r\nFigure 3. Decoded shellcode in mpsvc.dll\r\nFinally, the shellcode in mpsvc.mui carries yet another block of hard-coded bytes, which it decompresses with RtlDecompressBuffer into the final malicious executable (Figure 4).\r\nFigure 4. The final malicious executable in the buffer.\r\nSample Analysis\r\nThe final malicious executable we extracted has numerous features. Here is an analysis of the major ones.\r\nBypass UAC\r\nThis sample can bypass UAC via .NET. 
This is not a new technique; it was disclosed in 2017 [1]. The threat actor only changed the GUID to 9BA94120-7E02-46ee-ADC6-10640B04F93B (Figure 5) and set the location of the DLL that the .NET application loads in the elevated process.\r\nFigure 5. Code snippet of the UAC bypass.\r\nPersistence\r\nThere are two ways to persist. Without elevated privileges the sample registers itself as a startup program under HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (Figure 6); otherwise it registers itself as a system service (Figure 7).\r\nFigure 6. Register as a startup program.\r\nFigure 7. Register as a system service.\r\nInformation Gathering\r\nThe sample collects basic information such as the LAN IP address, hostname, username and OS version. It also reads the registry key HKEY_CURRENT_USER\\Software\\Bitcoin\\Bitcoin-Qt and looks for a wallet address if the key exists (Figure 8). All of this information is uploaded to Dropbox as %Y-%m-%d %H-%M-%S.log; a sample file looks like this:\r\nLan IP: x.x.x.x\r\nComputer: WIN-XXXXXX\r\nUserName: Administrator\r\nOS: Win10(X64)\r\nVersion: 8.0\r\nBit: Not Found !!!\r\nExist: NO\r\nFigure 8. Code snippet of information gathering.\r\nRecording Features\r\nThis sample has three recording features: key logging, clipboard logging and screen recording. Screen recordings are named [%y-%m-%d] %H-%M-%S.avi.\r\n
The key log and clipboard log are each encoded with a different key and salt, then saved as \u003chash\u003e.pas for the key log and \u003chash\u003e.log for the clipboard log (Figure 9).\r\nFigure 9. Code snippet of key log encoding.\r\nConnect to C\u0026C Server\r\nThe sample can also connect to a dedicated C\u0026C server and send data back inside a fake HTTP POST request (Figure 10).\r\nFigure 10. Code snippet of preparing the fake POST request.\r\nRTTI Information\r\nThe RTTI information was left in the binary; here is the full list of class names we recovered:\r\nCHPAvi\r\nCHPCmd\r\nCHPExplorer\r\nCHPHttp\r\nCHPKeyLog\r\nCHPNet\r\nCHPPipe\r\nCHPPlugin\r\nCHPProcess\r\nCHPProxy\r\nCHPRegedit\r\nCHPScreen\r\nCHPService\r\nCHPTcp\r\nCHPTelnet\r\nCHPUdp\r\nInteract With Dropbox\r\nDuring reverse engineering we found a 64-character Dropbox API token hard-coded as a stack string (Figure 11).\r\nFigure 11. Code snippet for the first 24 characters of the Dropbox API token.\r\nBesides connecting to the C\u0026C server, the sample can also upload and download through the Dropbox API. In particular, once the log file has been uploaded it tries to download bin.asc and checks whether the file carries a fake GIF header. If everything checks out, it proceeds to a custom decoding phase that combines the file with an array of bytes hard-coded in the sample to release the payload that is then injected (Figure 12).\r\nFigure 12. 
Code snippet of interaction with the Dropbox API.\r\nInside the Dropbox Folder\r\nWith the Dropbox token in hand, we could dig into the Dropbox account through the official API: for example, list the information of the account that created the token, and list every file and folder.\r\nThe folder structure in the Dropbox looks like this:\r\n/\u003cunique_hash\u003e/%Y-%m-%d\\ %H:%M:%S.log\r\n/\u003cunique_hash\u003e/bin.asc\r\n/codex64bin.asc\r\n/codex86bin.asc\r\n/x64bin.asc\r\n/x86bin.asc\r\nEach infected victim has its own folder named by a unique hash matching /[0-9A-z]/, generated from the machine key and some other information. %Y-%m-%d\\ %H:%M:%S.log is the log file uploaded by the victim, while the *.asc files are uploaded by the threat actor; bin.asc, for example, is the payload the victim downloads once its log file has been uploaded successfully.\r\nBy sorting the log files on Dropbox we get the full list of infected computers (Figure 13).\r\nFigure 13. The list of infected computers.\r\nSecond Stage Infection\r\nOnce the first infection stage is complete, the backdoor persists itself as a system service or autorun program, collects information and establishes a connection to the C\u0026C server. The most interesting part is that every time a log file upload succeeds, it tries to download bin.asc from the computer’s own unique folder. Most of the bin.asc files we captured instruct the victim to download the x64bin.asc file from Dropbox.\r\nFurther analysis of x64bin.asc revealed a second Dropbox API token, whose purpose is different from the first one.\r\n
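Before moving on to the second stage: turning the folder listing above into the infected-host inventory of Figure 13 (and the per-day counts behind Figures 18 and 19), as an added Python example that is not part of the article. It runs over constructed list_folder-style paths and log bodies instead of a live account; the unique hashes, hostnames, addresses and timestamps are made up, and the log layout follows the sample in the Information Gathering section. The reading of the Bit field as the Bitcoin-Qt lookup result is an assumption.

```python
from collections import defaultdict
from datetime import datetime
import re

# Path layout documented in the article: /<unique_hash>/<timestamp>.log is a
# victim upload, while /<unique_hash>/bin.asc and the root *.asc files are
# operator uploads. Both timestamp spellings seen in the article are accepted.
LOG_PATH = re.compile('^/(?P<victim>[0-9A-Za-z]+)/(?P<stamp>[0-9]{4}-[0-9]{2}-[0-9]{2} '
                      '[0-9]{2}[-:][0-9]{2}[-:][0-9]{2})[.]log$')
STAMP_FORMATS = ('%Y-%m-%d %H-%M-%S', '%Y-%m-%d %H:%M:%S')
CRLF = chr(13) + chr(10)   # the sample log in the article is CRLF-separated


def make_log(ip, host, user, os_name, version='8.0', wallet='Not Found !!!', exist='NO'):
    # Builds a log body in the layout shown in the Information Gathering section.
    return CRLF.join([f'Lan IP: {ip}', f'Computer: {host}', f'UserName: {user}',
                      f'OS: {os_name}', f'Version: {version}', f'Bit: {wallet}',
                      f'Exist: {exist}'])


# Constructed Dropbox listing (path_display values as files/list_folder would
# return them) and constructed log bodies; hashes and hostnames are made up.
LISTING = [
    '/x64bin.asc',
    '/3f9a1c2e7b/2019-07-21 02-45-42.log',
    '/3f9a1c2e7b/2019-07-22 09-10-05.log',
    '/3f9a1c2e7b/bin.asc',
    '/b7e0d4a91c/2019-07-21 03-01-17.log',
    '/codex86bin.asc',
]
LOG_BODIES = {
    LISTING[1]: make_log('10.1.2.3', 'WIN-ACCT01', 'Administrator', 'Win10(X64)'),
    LISTING[2]: make_log('10.1.2.3', 'WIN-ACCT01', 'Administrator', 'Win10(X64)'),
    LISTING[4]: make_log('10.1.7.44', 'WIN-DEV07', 'jsmith', 'Win7(X86)',
                         wallet='(constructed wallet address)'),
}


def parse_log(body: str) -> dict:
    # Every line is 'Key: value'; only the first colon separates key and value.
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.partition(':')
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def classify_path(path: str):
    # Returns (victim_hash, upload_time) for a victim log, None for anything else.
    match = LOG_PATH.match(path)
    if not match:
        return None
    for fmt in STAMP_FORMATS:
        try:
            return match['victim'], datetime.strptime(match['stamp'], fmt)
        except ValueError:
            continue
    return None


def build_inventory(listing, bodies) -> dict:
    # One record per victim folder: first/last upload, upload count and the
    # identity fields from its latest log (Figure 13 in the article).
    inventory = {}
    for path in listing:
        parsed = classify_path(path)
        if parsed is None:
            continue
        victim, stamp = parsed
        rec = inventory.setdefault(victim, {'first_seen': stamp, 'last_seen': stamp, 'uploads': 0})
        rec['first_seen'] = min(rec['first_seen'], stamp)
        rec['last_seen'] = max(rec['last_seen'], stamp)
        rec['uploads'] += 1
        fields = parse_log(bodies.get(path, ''))
        for key in ('Lan IP', 'Computer', 'UserName', 'OS'):
            if key in fields:
                rec[key] = fields[key]
        # 'Bit' is read as the Bitcoin-Qt wallet lookup result: an assumption,
        # the article shows the field in its sample log but does not name it.
        rec['bitcoin_wallet_found'] = fields.get('Bit', 'Not Found !!!') != 'Not Found !!!'
    return inventory


def active_per_day(listing) -> dict:
    # Distinct victims that uploaded a log on each day, the series behind
    # Figures 18 and 19.
    days = defaultdict(set)
    for path in listing:
        parsed = classify_path(path)
        if parsed:
            victim, stamp = parsed
            days[stamp.strftime('%Y-%m-%d')].add(victim)
    return {day: len(victims) for day, victims in sorted(days.items())}
```

With a real token the listing would come from files/list_folder (with recursive set) and each body from files/download; everything after that is the same.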
With this second token the threat actor is ready to use Dropbox as another C\u0026C server with the full set of backdoor features. The second-stage sample has some extra features, including the ability to interact with Dropbox; its command code mapping is shown below:\r\nCommand Code  Action\r\n2  ListDrives\r\n3  ListFiles\r\n4  ExecuteFile\r\n5  ManageFile\r\n6  UploadFile\r\n7  DownloadFile\r\n8  OpenTerminal\r\nThree different files are involved in these commands, each with a fixed filename and purpose:\r\neLHgZNBH : the status file, uploaded to Dropbox at regular intervals.\r\nyasHPHFJ : the command file, containing the command code and its arguments.\r\ncsaujdnc : the execution result of the command.\r\nThe status file eLHgZNBH contains basic information about the victim and a timestamp, and is uploaded to Dropbox at regular intervals. Whenever a status upload succeeds, the backdoor tries to download the command file yasHPHFJ if it exists, extracts the command code and arguments from it, executes the command and uploads the result to Dropbox as csaujdnc (Figure 14).\r\nFigure 14. Flow of the three files interacting with Dropbox\r\nWith this control flow the threat actor can keep using Dropbox as a C\u0026C server to control the victim’s computer even after the direct connection to the dedicated C\u0026C server’s IP address has been discovered and blocked.\r\n
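The three-file exchange described above, as an added example that is not part of the article: a Python simulation of both sides of the protocol over an in-memory stand-in for the Dropbox files API, followed by the reconstruction of the operator's command list from the stored revisions of yasHPHFJ. The command file wire format (command code on the first line, one argument per following line), the one-minute clock, the victim hash, the hostname and the deletion of the command file after execution are all assumptions, since the article does not show the file contents. ListDrives and ListFiles answer from a constructed virtual filesystem; the other actions are refused rather than emulated.

```python
from collections import Counter
from datetime import datetime, timedelta

# Command code mapping and the three fixed filenames from the article.
ACTIONS = {2: 'ListDrives', 3: 'ListFiles', 4: 'ExecuteFile', 5: 'ManageFile',
           6: 'UploadFile', 7: 'DownloadFile', 8: 'OpenTerminal'}
STATUS_FILE, COMMAND_FILE, RESULT_FILE = 'eLHgZNBH', 'yasHPHFJ', 'csaujdnc'
SEP = chr(10)


class FakeDropbox:
    # Stand-in for the Dropbox files API. Every upload is kept as a revision
    # with a server_modified timestamp, and revisions survive deletion, which
    # is what lets the command history be rebuilt afterwards.
    def __init__(self, clock: datetime):
        self.clock = clock
        self.revisions = {}      # path -> [(server_modified, content), ...]
        self.deleted = set()

    def upload(self, path, content):
        self.clock += timedelta(minutes=1)      # assumed: one write per minute
        self.revisions.setdefault(path, []).append((self.clock, content))
        self.deleted.discard(path)

    def download(self, path):
        if path in self.deleted or path not in self.revisions:
            return None
        return self.revisions[path][-1][1]

    def delete(self, path):
        self.deleted.add(path)


def parse_command(text):
    # Assumed wire format (the article does not show it): first line is the
    # numeric command code, each following line is one argument.
    lines = text.split(SEP)
    return int(lines[0]), [arg for arg in lines[1:] if arg]


def operator_task(dropbox, victim_id, code, *args):
    # Operator side: drop the command file into the victim folder.
    dropbox.upload(f'/{victim_id}/{COMMAND_FILE}', SEP.join([str(code), *args]))


class Implant:
    # Victim side. Commands run against a constructed virtual filesystem so the
    # example stays harmless; ExecuteFile, ManageFile, the transfers and
    # OpenTerminal are refused here rather than emulated.
    def __init__(self, victim_id, dropbox, hostname):
        self.folder = f'/{victim_id}/'
        self.dbx = dropbox
        self.hostname = hostname
        self.vfs = {'C:': {'Users', 'ProgramData', 'src'}, 'D:': {'backup'}}

    def beacon(self):
        # Status upload first; a command is only looked for after it succeeds.
        self.dbx.upload(self.folder + STATUS_FILE, f'{self.hostname} {self.dbx.clock.isoformat()}')
        command = self.dbx.download(self.folder + COMMAND_FILE)
        if command is None:
            return None
        code, args = parse_command(command)
        result = self.dispatch(code, args)
        self.dbx.upload(self.folder + RESULT_FILE, result)
        self.dbx.delete(self.folder + COMMAND_FILE)   # assumed: consumed after execution
        return result

    def dispatch(self, code, args):
        if code == 2:
            return SEP.join(sorted(self.vfs))
        if code == 3 and args:
            return SEP.join(sorted(self.vfs.get(args[0], ())))
        return f'refused in simulation: {ACTIONS.get(code, code)}'


def command_history(dropbox):
    # Every revision of yasHPHFJ, decoded through the mapping, in time order:
    # the same reconstruction the authors did with the rev field of the API.
    rows = []
    for path, revisions in dropbox.revisions.items():
        if not path.endswith('/' + COMMAND_FILE):
            continue
        victim = path.split('/')[1]
        for when, content in revisions:
            code, args = parse_command(content)
            rows.append((when, victim, ACTIONS.get(code, f'unknown({code})'), args))
    return sorted(rows)


def working_hours(history):
    # Hour-of-day histogram of command file writes (the basis of Figure 17).
    return Counter(when.hour for when, *_ in history)


def run_scenario():
    # Constructed exchange: one victim, three operator tasks, five beacons.
    dbx = FakeDropbox(datetime(2019, 7, 21, 2, 40))
    bot = Implant('3f9a1c2e7b', dbx, 'WIN-ACCT01')
    results = [bot.beacon()]                       # nothing queued yet -> None
    operator_task(dbx, '3f9a1c2e7b', 2)
    results.append(bot.beacon())                   # drive list
    operator_task(dbx, '3f9a1c2e7b', 3, 'C:')
    results.append(bot.beacon())                   # directory listing of C:
    operator_task(dbx, '3f9a1c2e7b', 8)
    results.append(bot.beacon())                   # OpenTerminal, refused
    results.append(bot.beacon())                   # command consumed -> None
    return dbx, results


if __name__ == '__main__':
    store, _ = run_scenario()
    for when, victim, action, args in command_history(store):
        print(when.isoformat(), victim, action, args)
```

The point the exchange makes visible is that every beacon is an ordinary HTTPS upload to content.dropboxapi.com, so a block on the dedicated C2 address changes nothing; the revision log, on the other hand, is what let the authors recover the full command history even after yasHPHFJ had been overwritten by later commands.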
Unless we block content.dropboxapi.com and api.dropboxapi.com, we cannot isolate the infected computer.\r\nThe Dropbox API retains the details of each file and folder. For example, this is the metadata the Dropbox API returns for one file (shown as a Python dictionary):\r\n{\r\n '.tag': 'file',\r\n 'name': 'Secret_File.txt',\r\n 'path_lower': '/secret_file.txt',\r\n 'path_display': '/Secret_File.txt',\r\n 'id': 'id:\u003cUNIQUE_FILE_ID\u003e',\r\n 'client_modified': '2019-07-21T02:45:42Z',\r\n 'server_modified': '2019-07-21T02:53:04Z',\r\n 'rev': '[0-9a-f]{6,}',\r\n 'size': 125,\r\n 'is_downloadable': True,\r\n 'content_hash': '\u003cSHA256_HASH\u003e'\r\n}\r\nIt contains the server_modified timestamp together with the revision identifier rev, which we can use to list the full revision history of the file and download every revision. Combining this information with the command code mapping, we can list every command executed on each computer together with its arguments. Here are the execution lists of two computers (Figures 15 \u0026 16).\r\nFigure 15. Real command execution list from one victim.\r\nFigure 16. Another real command execution list.\r\nAccording to these records, the threat actor follows almost the same routine on every infected computer. First, download additional attack tools from Dropbox, such as mimikatz or other UAC bypass tools. Second, search for high-value files, including private source code, configuration files, databases and the key log / clipboard log, and upload all of them to Dropbox for later review. Last but not least, infiltrate the company intranet or even its cloud services.\r\nCombining all decoded yasHPHFJ files, we can plot the threat actor’s approximate working hours (Figure 17).\r\nFigure 17. 
The threat actor’s approximate working hours.\r\nConclusion\r\nWe started monitoring the Dropbox account behind each token and parsing the list of infected computers; the number of infected computers over the two months from July 2019 to September 2019 is shown in Figures 18 \u0026 19.\r\nFigure 18. Dropbox A (first token): number of infected computers.\r\nFigure 19. Dropbox B (second token): number of infected computers.\r\nAt the highest peak we saw nearly 200 infected computers from Dropbox A, along with nearly 80 from Dropbox B. Both statistics drop on August 21, 2019, when the threat actor cleared the Dropbox folders for some reason. Monitoring ended on September 20, 2019, when all the tokens we had obtained were revoked by the threat actor.\r\nDuring these two months we obtained five different Dropbox tokens, each with its own purpose. The first two are the main ones discussed in this article; the others look more like test tokens.\r\nFrom the first infection stage onward, the backdoor establishes connections to the C\u0026C server and to Dropbox at the same time. If the C\u0026C server’s IP address is blocked, the threat actor still has limited control through Dropbox. Once the second infection stage is complete, Dropbox becomes a second C\u0026C channel with full remote control features (Figure 20), used to steal data and infiltrate the whole company. The method is not complex, but it is very effective.\r\nFigure 20. The whole interaction flow from infection to interaction with Dropbox.\r\nAppendix\r\n1. 
Loader\r\n33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a\r\nmsmpeng.exe (PE32)\r\n99042e895b6c2ea80f3ba65563a12c8eba882e3ad6a21dd8e799b0112c75ddd2\r\nrsoplicy.exe (PE32+)\r\nDRM.exe (PE32+)\r\nFirewall.exe (PE32+)\r\nKaspe.exe (PE32+)\r\nRSoPProv.exe (PE32+)\r\nVideo.exe (PE32+)\r\nWinDRM.exe (PE32+)\r\n2. DLL \u0026 Payload Files\r\nmpsvc.dll\r\na58946c10c8325040634f7cd04429b9f1e3715767d0c8aec46b7cba8975e6a69\r\ne18af309ecc3bc93351b9fa13a451e8b55b71d9edcc4232bc53eb1092bdfa859\r\nEnglish.rtf\r\n52c147c8eadb58d3580b39c023ce4a90dacce76ee5c30c56c56ea39939a56b52\r\nb5546d4931a0316abd4018c982558ed808b4d0a60233ac18bee601fa09d95ee6\r\ndd0399970d2dbb5ab8b5869e2fafb83194c992f27bbb244adce35e2fe6ef0d28\r\nmpsvc.mui\r\n0693713f995285e8bd99ebfca2c4f0f1a8e824dafb5a99693442a9256df06e02\r\n24ebd398be23135a2d8aa7000c2b6a534448b87aa5708b8546089630a8035f7e\r\n56758c25e3b00957c6f7f76fcea5d0598eff7eda98c63f50b51d1c28f267ac8f\r\n96282a625a31b6bf646c6e01ad20de96fd63c345881a9c91190940121580059d\r\n99663b9ba27a36ff9fc64b72213e933067ee0cde38b39d20ae4326a37185811d\r\n9dd1d21e9431cfe25709a8f26ec0f605ed19cf64ca1922e97fad7b7f2d2e82ea\r\nb226c8e85a7b1a6d4d29d42fc84bc7f3a32335fc7ba44b455a7716d706660873\r\ne716506cf54f48d77382d8955512184b45dd7d0b58c22e32424c56d38db24360\r\nOther IoCs\r\nDropped 
Files\r\n37286285cb0f8305bd23a693b2e7ace71538e4c0b9f13ee6ca4e9e9419657813\r\nb3581e8611f5838fc205f66bc5ca5edddb0fd895e97ebf8f0c7220cb102ae14b\r\n79928578cdd646a9724bc6851a1ee77820c81a3100788d62885f9d92b6814085\r\n7602e2932a10f3750a5d6236f6c1662047d4475c6e1fe6c57118c6620a083cb3\r\n5b5aff8869ba7f1d3f6ad7711e801b031aedeff287a0dcb8f8ae6d6e4eb468af\r\n412260ab5d9b2b2aa4471b953fb67ddc1a0fe90c353e391819ca7ac1c6d3146f\r\nc6064fb44733b5660557e223598d0e4d5c4448ad20b29e41bef469cb5df77da0\r\n4c08bc1a2f5384c5306edc6f23e4249526517eb21a88763c8180a582438dfa31\r\na58f2fea8c74c1d25090014c7366db224102daa6c798fcdfb7168b569b7d5ca2\r\nd201e726fd2a2f4b55ea5ca95f0429d74e2efb918c7c136d55ef392ceac854d6\r\n5713907c01db40cf54155db19c0c44c046b2c676a492d5ba13d39118c95139bf\r\nd72c3f5f2f291f7092afd5a0fcaceaf2eaae44d057c9b3b27dd53f2048ed6175\r\nd62ddac7c4aa152cf6f988db6c7bd0c9dcffa2e890d354b7e9db7f3b843fd270\r\n28d2637139231c78a6493cd91e8f0d10891cfeb6c5e758540515faa29f54b6b2\r\n39e69ab52f073f966945fdab214f63368f71175a7ccbea199fae32d51fa6a4e7\r\n260b64e287d13d04f1f38d956c10d9fdd3cfbff6ba0040a52223fa41605bb975\r\nc425b73be7394032aa8e756259ebf3662c000afaa286c3d7d957891026f3cbb4\r\n28d19a23d167db3e1282f1c6039bcda6556798be054994a55e60116827dd0bf1\r\nc3c1fc6aabbb49d0ee281ba4fc1529d2b9832a67b18e08ce14dbf0e361e5bd85\r\nfc865a720cb808354923092bac04ab6a75e20ea92db5a343af07365c0cd2b72a\r\n24f501141af5bf059509145e165302dd7087b1d1c2136bc5e4403f01435f250e\r\nee5f7e6ad4a344f40b9babada1654ea22333bb5150cfd26bfc239ead28b6528c\r\nca26a34153972cc73c63d3a9aadd3b12ba35ecdc6e39025b75be56b00c20e0ae\r\n1951c79f280692a43b7c7cafd45c3f5d7f4f841ae104a6cad814fab4641c79f2\r\nd5129308ee83a852e6a320ca68c8e66ed6d1eb4ec584dd0c8b5f313a56c49a15\r\nIP\r\n103.230.15.130\r\n104.168.196.80\r\n104.168.196.85\r\n104.168.196.88\r\n139.180.194.173\r\n167.179.115.228\r\n207.148.73.58\r\n43.228.126.172\r\n43.228.126.56\r\n45.32.101.238\r\n45.32.111.228\r\n45.77.41.49\r\n47.75.248.237\r\n66.42.60.107\r\nDomains\r\nfn.shopingchina.net\r\noffice.support.googldevice.com\r\nsafe.mircosofdevice.com\r\nserver.correomasivochile.com\r\nsrv2.mkt-app.com\r\nstore.microsoftbetastore.com\r\nupdate.mircosotfdefender.com\r\nReferences\r\n1. UAC bypass via elevated .NET applications (2017).\r\n2. Dropbox for HTTP Developers (Dropbox API documentation).\r\n3. Trend Micro, Operation DRBControl - Uncovering A Cyberespionage Campaign Targeting Gambling Companies In Southeast Asia, https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia\r\nSource: https://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/"
	],
	"report_names": [
		"CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en"
	],
	"threat_actors": [
		{
			"id": "e254cf33-e7f5-407b-a8a1-1a856a9f1c71",
			"created_at": "2025-01-21T02:00:03.599871Z",
			"updated_at": "2026-04-10T02:00:03.804511Z",
			"deleted_at": null,
			"main_name": "Operation DRBControl",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation DRBControl",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6d2910b0-9fea-46a2-84e6-a043b1e023e4",
			"created_at": "2022-10-25T16:07:23.946958Z",
			"updated_at": "2026-04-10T02:00:04.80291Z",
			"deleted_at": null,
			"main_name": "Operation DRBControl",
			"aliases": [],
			"source_name": "ETDA:Operation DRBControl",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775446608,
	"ts_updated_at": 1775826710,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b82cba59de8cf6c6118650ae9d63281d1fd87836.pdf",
		"text": "https://archive.orkl.eu/b82cba59de8cf6c6118650ae9d63281d1fd87836.txt",
		"img": "https://archive.orkl.eu/b82cba59de8cf6c6118650ae9d63281d1fd87836.jpg"
	}
}