{
	"id": "7accd527-1542-4966-8701-f45e2fe697b9",
	"created_at": "2026-04-06T00:10:47.331918Z",
	"updated_at": "2026-04-10T13:11:58.470251Z",
	"deleted_at": null,
	"sha1_hash": "b853f60a4b92439a4047f87df356f609be9e7957",
	"title": "Threat Actor Uses Mythic’s Athena to Target Russian Semis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2292913,
	"plain_text": "Threat Actor Uses Mythic’s Athena to Target Russian Semis\r\nBy cybleinc\r\nPublished: 2023-10-10 · Archived: 2026-04-05 22:58:10 UTC\r\nThreat Actor deploys Mythic’s Athena Agent to target Russian Semiconductor Suppliers\r\nCRIL analyzes Mythic's Athena Agent targeting Russian semiconductor suppliers via spear-phishing emails.\r\nKey Takeaways\r\nCyble Research and Intelligence Labs (CRIL) recently came across a new spear-phishing email targeting a leading Russian semiconductor supplier.\r\nIn this targeted attack, we observed Threat Actors (TAs) leveraging a Remote Code Execution (RCE) vulnerability, identified as CVE-2023-38831, to deliver their payload on compromised systems.\r\nThe objective of this attack is to gain complete control over the compromised system using a second-stage payload known as “Athena,” an agent of the Mythic C2 framework.\r\nThis Agent is equipped with a wide range of pre-installed commands designed to execute various actions on the compromised system. These actions include injecting assemblies, executing shellcode, capturing authentication details, loading Beacon Object Files (BOFs), and a variety of other functionalities.\r\nThe identity of the Threat Actor responsible for this attack remains unknown, and we currently cannot link it to any known APT groups.\r\nOverview\r\nOn July 10, 2023, the Group-IB Threat Intelligence unit discovered an undisclosed vulnerability related to ZIP file processing in WinRAR. Responding rapidly to the alert from the Group-IB team, the RARLAB team addressed this vulnerability. 
A beta version of the patch was made available on July 20, 2023, and the final updated iteration of WinRAR (version 6.23) was officially released on August 2, 2023.\r\nhttps://cyble.com/blog/threat-actor-deploys-mythics-athena-agent-to-target-russian-semiconductor-suppliers/\r\nPage 1 of 15\n\nOn August 23, Group-IB officially documented their initial detection of DarkMe malware leveraging this vulnerability (CVE-2023-38831). Moreover, they observed that several other malware families, including GuLoader and Remcos RAT, were also utilizing the same exploit as a means of delivery, which they have elaborated on in their blog post.\r\nLater, it was also observed that several malware developers had initiated the sale of exploits on dark web forums. An example of such a user is AegisCrypter, who was offering this exploit for $100 on a cybercrime forum, as shown below.\r\nFigure 1 – TA’s post about the sale of the exploit on a cybercrime forum\r\nAt the same time, a Proof-of-Concept (POC) for this exploit became publicly available on GitHub. Subsequently, multiple TAs began to adopt and integrate this exploit into their toolkits. The image below shows an X (formerly known as Twitter) post from a security researcher that reveals White Snake Stealer TAs enhancing their builder to include this WinRAR exploit.\r\nFigure 2 – WhiteSnake Stealer Telegram Post (Source: @g0njax)\r\nWe have also observed a YouTube video providing instructions on constructing an njRAT binary using a builder and utilizing the CVE-2023-38831 vulnerability to generate malicious WinRAR files. 
The figure below shows a screenshot of a YouTube video utilizing this WinRAR vulnerability to deliver njRAT malware.\r\nFigure 3 – YouTube video showing the njRAT builder\r\nFurthermore, on August 31, 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) released a warning regarding the ongoing misuse of CVE-2023-38831 for cyber-espionage operations directed at Ukrainian and Central Asian organizations. These activities were linked to the UAC-0063 group, which also operates under the name “GhostWriter”.\r\nCRIL has recently identified and analyzed a campaign that is actively distributing various types of malware, including Apanyan Stealer, Murk-Stealer, and AsyncRAT. These malicious payloads are also delivered through this WinRAR vulnerability.\r\nWhile investigating the increasing number of incidents involving TAs exploiting this WinRAR vulnerability to deliver their payloads, CRIL identified a spear-phishing email via VirusTotal on September 27. This phishing attempt focuses on targeting Russian entities and involves the distribution of a deceptive archive file via an attachment exploiting the same WinRAR vulnerability (CVE-2023-38831).\r\nThe aforementioned vulnerability allows the WinRAR application to extract and execute the malicious script when a user tries to open a benign file within the archive.\r\nThis capability initiates the download of a malicious executable onto the victim’s system. The downloaded payload is one of the Mythic Agents known as “Athena”. Athena is a cross-platform agent designed using the cross-platform version of .NET.\r\nOnce installed on the targeted system, Athena provides TAs with a versatile set of functionalities through its predefined commands. 
These commands include both default commands, such as ipconfig, ls, ps, sleep, etc., as well as custom commands, such as coff, farmer, crop, and so on.\r\nWe observed that Mythic Agents had been utilized by the APT-36 group in their operations. One such Agent is “Poseidon.” This Advanced Persistent Threat group, based in Pakistan, is notorious for its targeting of Indian government organizations, military personnel, and defense contractors.\r\nInitial Infection\r\nCRIL came across a spear-phishing email targeting a leading semiconductor supplier in Russia. It was sent with the subject line (translated into English) “Regarding the Proposal to Incorporate R\u0026D in the 2024-2025 Work Plan.” The sender’s identity was manipulated to appear as a consultant from the Ministry of Industry and Trade of Russia. The image below shows this spear-phishing email.\r\nFigure 4 – Spear Phishing Email\r\nThe email contains an attachment named “resultati_sovehchaniya_11_09_2023.rar,” which translates to “meeting results.” This RAR file contains a PDF file and a folder.\r\nThe PDF file and the folder within the archive have identical names. However, there’s a deliberate addition of a trailing space at the end of the PDF file’s name, as highlighted in the image below.\r\nFigure 5 – Contents of the crafted archive file\r\nThe PDF file is benign, and the folder serves as a container for the malicious CMD script file. 
The image below displays the malicious CMD file present inside the folder.\r\nFigure 6 – Malicious CMD script file\r\nThese characteristics of the RAR file can be related to the known security vulnerability CVE-2023-38831.\r\nTechnical Analysis\r\nVulnerability Name: RARLAB WinRAR Code Execution Vulnerability\r\nCVE ID: CVE-2023-38831\r\nCVSS Version 3.1 Score: 7.8\r\nSeverity: High\r\nVulnerable WinRAR Version: RARLab WinRAR before 6.23\r\nVulnerability Description: WinRAR processing error when opening a file in a ZIP archive.\r\nWhen a user attempts to open the benign PDF file within a specially crafted archive that includes trailing spaces in its name, WinRAR exhibits some unusual behavior. Instead of extracting only the intended PDF file, WinRAR also extracts a malicious CMD script file into the temporary folder. This occurs because both components within the archive share identical filenames. The image below shows the extracted files.\r\nFigure 7 – WinRAR extracted files in the temp location\r\nAfter extracting these files, WinRAR proceeds to execute the PDF file by providing the PDF file name (with trailing space) as one of the parameters in the SHELLEXECUTEINFO structure to the ShellExecute() API. The image below shows the PDF file name with the trailing space passed to the ShellExecute() function.\r\nFigure 8 – ShellExecute Function with PDF file name\r\nHowever, due to the added trailing space in the file name, the ShellExecute() function fails to find the exact file within the extracted files path. As a result, it skips the extracted PDF file and, instead, identifies and runs the malicious script file with a similar name, “resultati_sovehchaniya_11_09_2023.pdf .cmd”.\r\nThe executed malicious script file contains a Base64-encoded PowerShell script. 
The image below shows the de-obfuscated content of the script file.\r\nFigure 9 – De-obfuscated PowerShell script\r\nOnce the PowerShell script is executed, it performs the following actions:\r\nThe script attempts to retrieve an identical benign PDF file from the URL “hxxp://45[.]142[.]212[.]34:80/Resultati_soveschaniya30_08_2023[.]pdf” and saves it in the script’s working directory. Subsequently, the script opens and presents the contents of the benign PDF file. This is done to use the PDF as a decoy, aiming to divert and confuse users. The image below shows the contents of this PDF file.\r\nFigure 10 – Decoy PDF file\r\nFollowing that, the script proceeds to download a malicious executable file from the URL “hxxp://45[.]142[.]212[.]34:80/aimp2[.]exe” and saves it with the name “aimp2.exe” in the directory “AppData\\Local\\Microsoft\\Windows\\Ringtone\\”. 
The image below shows the open directory that is hosting the malicious files utilized in this attack.\r\nFigure 11 – Open directory\r\nThen, it schedules a task to run the downloaded executable every 10 minutes using Windows Task Scheduler, with the task name “aimp2”, as shown in the image below.\r\nFigure 12 – Task Scheduler entry\r\nFinally, the script proceeds to execute the downloaded executable, which has been identified as “Athena”, one of the agents of the Mythic C2 framework.\r\nMythic Agent\r\nMythic is a cross-platform, post-exploitation, red teaming framework designed to provide a collaborative and user-friendly interface for operators, with extensive support for a variety of Agents, as shown in the image below.\r\nFigure 13 – List of Mythic Agents\r\nMythic provides an advanced web-based C\u0026C interface that allows users or potential TAs to interact with the above-mentioned Agent deployed on compromised systems.\r\nIn this specific attack scenario, TAs have employed the Athena Agent, which is developed using a cross-platform version of .NET and specifically designed for compatibility with Mythic versions 3.0 and later.\r\nThe file size of the Agent, at 34 MB, is an indicator that it was compiled using the ‘self-contained’ option. This choice entails the inclusion of the entire .NET runtime within the binary, resulting in a larger file size. 
The image below displays all the size-related options utilized during the compilation of the Agent.\r\nFigure 14 – Size-related options present in Athena Agent\r\nThe Athena agent comes with a predefined set of commands, as listed below, to execute on the compromised host and return the output to the remote server.\r\nTask | Description\r\narp | Performs an ARP scan\r\ncat | Display the contents of a file to the terminal\r\ncd | Change working directory\r\ncoff | Execute a COFF file in the agent process\r\ncp | Copy a file from one location to another\r\ncrop | Drop a file for collecting hashes on a network\r\ndrives | View the connected drives on the host\r\nenv | Display the environment variables on the host\r\nfarmer | Collects NetNTLM hashes in a Windows domain\r\nget-clipboard | Display the contents of the user clipboard\r\nget-localgroup | Enumerate local groups on a machine\r\nget-sessions | Perform a NetSessionEnum on the provided hosts\r\nget-shares | Perform a NetShareEnum on the provided hosts\r\nhostname | Display the machine’s hostname\r\nifconfig | Get IP information of the underlying host\r\nmkdir | Create a new directory\r\nmv | Move a file from one location to another\r\nnslookup | NSLookup a specific host or list of hosts\r\npatch | Check and revert AMSI and ETW for x64 process\r\nps | Display a process listing on the host\r\npwd | Print the working directory\r\nreg | Display the contents of the user clipboard\r\nrm | Remove a file\r\nscreenshot | Captures a screenshot\r\nsftp | Connect to a host and perform actions using SFTP\r\nshell | Execute a shell command with the current default shell\r\nshellcode | Execute a shellcode buffer within the agent\r\ntest-port | Perform a NetShareEnum on the provided hosts\r\ntimestomp | Match the timestamp of a source file to the timestamp of a destination file\r\nuptime | View the current uptime values of the host\r\nThe Athena Agent is integrated with the C3 (Custom Command and Control) framework, enabling communication through a variety of C2 channels to connect with the remote server. The image below showcases the available C2 channels supported by Athena.\r\nFigure 15 – C2 Channels supported by Athena Agent\r\nIn this specific case, C3 communications are facilitated via a Discord channel after the Agent starts sending back the victim’s data to the remote server.\r\nConclusion\r\nPhishing emails with malicious attachments continue to be the preferred tactic for threat actors. The use of crafted archives exploiting the WinRAR vulnerability adds an extra layer of challenge to defense mechanisms.\r\nIn the current threat landscape, vulnerabilities are discovered and patched with remarkable frequency. However, among the countless vulnerabilities that come and go, there are a select few that persist, defying even the most diligent efforts on the part of vendors to eradicate them. The WinRAR vulnerability we’ve discussed in this analysis falls into this category—a vulnerability that remains a potent threat even after it has been patched.\r\nFurthermore, the delivery of this powerful Agent allows attackers to take control of compromised systems and conduct remote monitoring, making it a formidable weapon in the hands of threat actors.\r\nRecommendations\r\nThe initial infection happens via spam emails or phishing websites; thus, enterprises should use security products to detect phishing emails and websites.\r\nRefrain from opening untrusted links and email attachments without first verifying their authenticity.
\r\nUpdate WinRAR to the latest version as soon as possible if it is not already patched.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Procedure\r\nInitial Access (TA0001) | Phishing (T1566.001) | TAs send spearphishing emails with malicious attachments\r\nExecution (TA0002) | User Execution (T1203) | Exploitation for Client Execution\r\nExecution (TA0002) | Command and Scripting Interpreter (T1059) | cmd.exe is used to run a malicious CMD script file\r\nExecution (TA0002) | Command and Scripting Interpreter (T1059.001) | PowerShell commands are used to download and execute additional payloads on the system\r\nPersistence (TA0003) | Registry Run Keys / Startup Folder (T1547.001) | Malware adding run entry/Startup for persistence\r\nDefense Evasion (TA0005) | Masquerading (T1036.006) | Adding space after filename\r\nDefense Evasion (TA0005) | Masquerading (T1036.007) | Adding double file extension\r\nCollection (TA0009) | Data from Local System (T1005) | The malware collects sensitive data from the victim’s system\r\nCommand and Control (TA0011) | Application Layer Protocol: Web Protocols (T1437.001) | Communicated with C\u0026C server using HTTP\r\nExfiltration (TA0010) | Exfiltration Over C2 Channel (T1041) | Exfiltration Over C2 Channel\r\nIndicators of Compromise (IOCs)\r\nIndicator | Type | Description\r\n0fead8db0ee27f906d054430628bd8fd3b09ca75ff6067720a5b179f6a674c12 | SHA256 | Phishing Email\r\n5261425cf389ed3a77ec5f03f73daf711e80d4918be3f0fba0152b424af7b684 | SHA256 | Malicious RAR File\r\n07f8af85b8bbfb432d98b398b4393761c37596ee2cf3931564784bd3e8c2b1cc | SHA256 | Malicious .cmd File\r\n45[.]142[.]212[.]34 | IP | Malicious IP\r\n86079a2d12b28a340281453efa0a7fd31c65ead11bab98edd94fe19aaff436eb | SHA256 | Athena – Mythic Agent\r\n162[.]159[.]137[.]232 | IP | Malicious Discord IP\r\n162[.]159[.]129[.]233 | IP | Malicious Discord IP\r\n162[.]159[.]122[.]233 | IP | Malicious Discord IP\r\n162[.]159[.]128[.]233 | IP | Malicious Discord IP\r\n17269514f520cda20ecc78bdb0b3341a97bb03e155640704a87efff832555b14 | SHA256 | Malicious RAR File\r\n79c78466d61b05466289f91122d2b7dbd56e895c15fe80d385885f9eddf31ca5 | SHA256 | Malicious .cmd File\r\nYara Rule\r\nrule Athena_Mythic_Agent\r\n{\r\n    meta:\r\n        author = \"Cyble\"\r\n        description = \"Detects Agent Athena\"\r\n        date = \"2023-10-09\"\r\n        os = \"Windows\"\r\n        threat_name = \"Mythic Athena Agent\"\r\n        scan_type = \"file\"\r\n        severity = 90\r\n        reference_sample = \"86079a2d12b28a340281453efa0a7fd31c65ead11bab98edd94fe19aaff436eb\"\r\n    strings:\r\n        $a = \"Athena.Commands\" ascii wide\r\n        $b = \"Athena.Handler.Dynamic\" ascii wide\r\n        $c = \"get-clipboard\" ascii wide\r\n        $d = \"get-sessions\" ascii wide\r\n        $e = \"shellcode\" ascii wide\r\n    condition:\r\n        uint16(0) == 0x5a4d and all of them\r\n}\r\nSource: https://cyble.com/blog/threat-actor-deploys-mythics-athena-agent-to-target-russian-semiconductor-suppliers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cyble.com/blog/threat-actor-deploys-mythics-athena-agent-to-target-russian-semiconductor-suppliers/"
	],
	"report_names": [
		"threat-actor-deploys-mythics-athena-agent-to-target-russian-semiconductor-suppliers"
	],
	"threat_actors": [
		{
			"id": "d0d996a0-98e2-49fd-b55e-97ba053c4ed0",
			"created_at": "2024-07-25T02:00:04.423466Z",
			"updated_at": "2026-04-10T02:00:03.679863Z",
			"deleted_at": null,
			"main_name": "UAC-0063",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0063",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434247,
	"ts_updated_at": 1775826718,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b853f60a4b92439a4047f87df356f609be9e7957.pdf",
		"text": "https://archive.orkl.eu/b853f60a4b92439a4047f87df356f609be9e7957.txt",
		"img": "https://archive.orkl.eu/b853f60a4b92439a4047f87df356f609be9e7957.jpg"
	}
}