{
	"id": "69ecd401-3c15-4923-a424-bc76815dbeae",
	"created_at": "2026-04-06T00:19:20.880581Z",
	"updated_at": "2026-04-10T13:12:16.52315Z",
	"deleted_at": null,
	"sha1_hash": "ba448afdf3a54ecc6adf1e1756a10272b64e5e79",
	"title": "Risky Biz News: Doppelganger gets a kick in the butt from Uncle Sam",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3180279,
	"plain_text": "Risky Biz News: Doppelganger gets a kick in the butt from Uncle\r\nSam\r\nBy Catalin Cimpanu\r\nPublished: 2024-09-06 · Archived: 2026-04-02 10:57:51 UTC\r\nThis newsletter is brought to you by GreyNoise. You can subscribe to an audio version of this newsletter as a\r\npodcast by searching for \"Risky Business News\" in your podcatcher or subscribing via this RSS feed. On Apple\r\nPodcasts:\r\nRisky Biz News: Doppelganger gets a kick in the butt from Uncle Sam\r\nA short podcast updating listeners on the security news of the last few days, as prepared by Catalin\r\nCimpanu and read by Claire Aird. You can find the newslett\r\nApple Podcasts\r\nThe US government orchestrated its largest crackdown against Russia's disinformation apparatus on Wednesday,\r\ncoming out with indictments, sanctions, visa restrictions, site takedowns, and rewards for information on some of\r\nthe individuals involved.\r\nhttps://news.risky.biz/risky-biz-news-doppelganger-gets-a-kick-in-the-butt-from-uncle-sam/\r\nPage 1 of 22\n\nUS officials have formally accused the Kremlin of interfering again in the US Presidential Election, mainly\r\nthrough the work of several of its entities pushing to promote Donald Trump and the Republican Party.\r\nThe actions hit well-known purveyors of Russian propaganda, such as Doppelganger, Structura, RRN, SDA, and\r\neven RT (formerly Russia Today).\r\nSome names might be familiar, some might not. 
Below, we're gonna aggregate some of the US actions, grouped by the major players, and the reasons behind them.\r\nRossiya Segodnya (RT's parent company)\r\nThe organization that took the brunt of Wednesday's crackdown was Rossiya Segodnya, Russia's largest media group and the parent company for multiple state-funded news organizations such as RT, RIA Novosti, TV-Novosti, Ruptly, and Sputnik.\r\nThe Department of Justice indicted two RT employees on charges of conspiracy to violate the Foreign Agents Registration Act (FARA) and conspiracy to commit money laundering.\r\nOfficials say RT's Digital Media Projects Manager Konstantin Kalashnikov and one of his employees, Elena Afanasyeva, secretly paid over $10 million to a Tennessee-based online content creation company to produce Russian propaganda for US audiences under the guise of a grassroots movement.\r\nOfficials didn't name the company, but extensive details they left in court documents point the finger at TENET Media, the employer of several right-wing content creators such as Tim Pool, Benny Johnson, Dave Rubin, and Lauren Southern.\r\n\"In order to carry out RT's secret influence campaign in the United States, Kalashnikov and Afanasyeva operated under covert identities at U.S. Company-1. Posing as an outside editor, Kalashnikov edited U.S. Company-1 content, monitored U.S. Company-1's funding and hiring, and introduced Afanasyeva as a member of his purported editing team. Using the fake personas Helena Shudra and Victoria Pesti, Afanasyeva posted and directed the posting by U.S. Company-1 of hundreds of videos. Afanasyeva also collected information from and gave instructions to U.S. Company-1 staff. For example, after the March 22, 2024, terrorist attack on a music venue in Moscow, Afanasyeva asked one of U.S. Company-1's founders to blame Ukraine and the United States for the attack, writing: 'I think we can focus on the Ukraine/U.S. angle. . . . 
[T]he mainstream media spread fake news that ISIS claimed responsibility for the attack yet ISIS itself never made such statements. All terrorists are now detained while they were heading to the border with Ukraine which makes it even more suspicious why they would want to go to Ukraine to hide.'\"\r\nOfficials said RT and one of TENET's founders deceived the creators about the source of their funding, statements echoed by the content creators themselves on social media once the indictment went live.\r\nHowever, when you're getting between $100,000 and $400,000 per video, you may not want to ask those questions and play-pretend deceived once you get caught.\r\nKalashnikov and Afanasyeva were two of six RT executives who were also sanctioned. 
The Treasury didn't play around with words in its press release and just said the quiet part out loud, accusing RT staff of working on behalf of the Russian Federal Security Service (FSB).\r\nThe State Department also followed through and has classified Rossiya Segodnya and its subsidiaries as unregistered Russian government \"foreign missions.\"\r\nThe classification comes with visa restrictions for its staff and the obligation to notify the State Department of any property or personnel working within the US—or face larger penalties.\r\nDoppelganger cluster\r\nThe DOJ also seized 32 domains that typosquatted the names of legitimate news outlets and hosted Kremlin propaganda.\r\nOfficials linked the domains to a threat actor the cybersecurity industry has been tracking for years as Doppelganger.\r\nThe DOJ says three Russian companies operated and published content on the domains:\r\nSocial Design Agency (SDA)\r\nStructura National Technology (Structura)\r\nAutonomous Non-Profit Organization Dialog (ANO Dialog)\r\nUS officials say the companies were \"operating under the direction and control of the Russian Presidential Administration, and in particular First Deputy Chief of Staff of the Presidential Executive Office Sergei Vladilenovich Kiriyenko.\"\r\nThe indictment basically confirms previous research that claimed that Russia's disinformation efforts were controlled directly from Putin's Kremlin staff and executed through the FSB, GRU, and a slew of private contractors across the globe.\r\nOfficials say the recent domains were used to publish disinformation in the hopes of influencing the outcome of the US Presidential election—and the DOJ went as far as publishing internal notes from different Doppelganger campaigns:\r\nGood Old USA Project: Attachments 8A, 8B\r\nThe Guerilla Media Campaign: Attachments 9A, 
9B\r\nU.S. Social Media Influencers Network Project: Attachments 10A, 10B\r\nThe campaigns focused on using a wide variety of topics to divide the American public and then gently push them toward the preferred Kremlin candidate.\r\nThe US sanctioned ANO Dialog and its Director Vladimir Grigoryevich Tabak, a man they say held several positions within the Russian Presidential Administration.\r\nSDA and Structura didn't get away. The Treasury previously sanctioned them in March for their influence operations targeting Latin America, where they tried to sway elections towards preferred Kremlin candidates, tried to portray Russia as a \"champion against neocolonialization,\" and ran their typical \"US bad, NATO bad, Russia good\" content meant to prevent any type of aid or support for Ukraine.\r\nAs for the recent sanctions, this marks the first official attribution of the Doppelganger group to ANO Dialog.\r\nThe Treasury sanctions specifically link ANO Dialog to the creation of \"War on Fakes\" and \"Reliable Recent News\" (RRN)—two major clusters of Doppelganger activity over the past years.\r\nThese clusters registered websites designed to look like legitimate Western news sources and then published content with misleading facts favorable to the Kremlin. Officials say the group often used AI and deepfakes and relied on other influencers, social media ads, and bot networks to boost their content as authentic.\r\nThis is where the handoff between Doppelganger and RT took place, with Doppelganger producing the content and RT working on amplifying it.\r\nThis week's revelations also shed some light on the mysterious attribution from July, when the DOJ took down a Twitter bot network and claimed it was operated by an editor-in-chief from RT's Moscow headquarters. 
The attribution kinda didn't make sense at the time, but makes more sense after this week, with that botnet being just another tool used by RT to boost Doppelganger's garbage.\r\nRaHDit hacktivist group\r\nAnd last, the US has also imposed sanctions on Aleksey Alekseyevich Garashchenko, Anastasia Igorevna Yermoshkina, and Aleksandr Vitalyevich Nezhentsev.\r\nOfficials say the three are behind a pro-Kremlin hacktivist group known as RaHDit (Russian Angry Hackers Did It).\r\nThe group has a history of launching cyberattacks against Russia's opponents, leaking data, and, as of recently, disseminating disinformation with the goal of influencing elections across multiple countries.\r\nThe US Treasury says Garashchenko founded the group while working for the FSB. He now allegedly works with \"members of the Russian intelligence and security services, members of the Russian Presidential Administration, and employees from RT\" to direct the group's activity.\r\nYermoshkina and Nezhentsev help Garashchenko manage the group, and Nezhentsev is allegedly also a developer of cyber and surveillance tools for the FSB.\r\nWhile other Russian hacktivist groups have been more visible in the media, the State Department seems to view RaHDit as a major threat for some reason. 
We suspect it's because the group is actually capable of orchestrating actual intrusions and successful hack-and-leak operations, known to be more effective in swaying public opinions—as opposed to the army of useless Russian hacktivists that can barely run a 5-minute DDoS attack properly.\r\nBecause of this, the State Department is now offering a reward of up to $10 million or relocation to the US for anyone willing to share information on the group.\r\nBreaches, hacks, and security incidents\r\nIran paid ransom to save citizen data: The Iranian government pushed a local company to pay a ransom and avoid hackers publishing the data of millions of citizens online. The ransom is related to a cyberattack that hit a software company providing services to Iran's Central Bank. A hacking group known as IRLeaks is believed to have hacked the company and stolen data on customers of 20 Iranian banks. The data is believed to be extremely sensitive, containing everything from personal information to credit card numbers for millions of Iranians. According to Politico Europe, the hackers wanted $10 million not to publish the files. They settled for $3 million after the regime forced the company to pay, fearing a collapse of its financial system.\r\nLatvia DDoS attacks: Latvian officials say they've been the target of DDoS attacks after announcing a new aid package for Ukraine. They've blamed it on Russian and Belarusian hackers. [Additional coverage in LSM]\r\nPlanned Parenthood ransomware attack: The Montana office of the Planned Parenthood organization has shut down its IT systems after a ransomware attack this week. A ransomware gang named RansomHub took credit for the intrusion and is now threatening to release almost 100GB of data from the non-profit. 
This marks the second time Planned Parenthood has suffered a ransomware attack after a similar incident at its LA office in 2021. [Additional coverage in PCMag]\r\nCisco web shop incident: A credit card e-skimmer was found in Cisco's official web shop. [Additional coverage in BleepingComputer]\r\nWazirX unrecoverable funds: Indian cryptocurrency exchange WazirX says that 43% of customer funds lost in a recent hack are unlikely to be recovered. The sum represents nearly $100 million of the $230 million WazirX lost in July. The platform says it's undergoing a restructuring process and is looking for new investors to help cover the losses. The revelation that the funds are lost for good comes a month after WazirX announced a controversial plan to distribute the loss across all accounts instead of covering it from its reserve. [Additional coverage in CNBC-TV18]\r\nPenpie crypto-heist: A threat actor has stolen $27 million worth of cryptocurrency assets from the Penpie DeFi platform. The hack took place on Tuesday and caused the platform's PNP token to lose 40% of its value. Penpie has asked the attacker to return the stolen funds, promising not to file a legal action and let them keep a small portion under the guise of a bug bounty reward. [Additional coverage in CoinTelegraph]\r\nGeneral tech and privacy\r\nTelegram removes deepfake pr0n in KOR: Instant messaging service Telegram has removed multiple channels hosting deepfake porn of local South Korean women. The company apologized for its late response to the police's request and provided authorities with a dedicated email where they can report future crimes. It's a surprise how responsive to law enforcement investigations a platform can get after you arrest its CEO. 
[Additional coverage in Yonhap News]\r\nTwitter looking for new security personnel: X, formerly known as Twitter, is looking to hire new security staff to help moderate content and secure the platform. According to TechCrunch, the company has posted over two dozen job openings for its safety and cybersecurity teams. The new hiring spree comes two years after Elon Musk fired most of the site's trust, safety and security teams, and after troll farms ran wild and Twitter went without adequate content moderation staff for most of the 2024 election cycle.\r\nRust in Google products: Google has published more details about how it plans to use more Rust code in its products, especially for its core infrastructure.\r\nInternet Archive loses appeal: The Internet Archive has lost its appeal against French book publishing group Hachette and will have to remove free e-books from its service. [Additional coverage in Wired]\r\nCoda leaves Russia: Another Western IT company has now left Russia after new US sanctions—this time it's the Coda collaboration workspace.\r\nTikTok ban public opinion: The Pew Research Center has published a report on the public views of a possible TikTok ban.\r\nGovernment, politics, and policy\r\nCISA drops online content moderation: CISA has stopped advising social media companies on what type of election-related content they need to remove from their platforms. CISA Director Jen Easterly told reporters in a briefing this week that content moderation is not part of the agency's roles. The agency has taken a step back after several Republican-led states sued the agency for working with social media companies to remove disinformation from their platforms. 
Easterly says that for this election cycle, CISA will focus on the security of the election infrastructure itself and less on disinformation campaigns. [Additional coverage in CyberScoop]\r\nRural hospital support: The White House says that roughly 350 of the 1,800 small and rural hospitals across the US are now using free cybersecurity resources provided by private sector partners. The resources were made available in June as part of the Biden Administration's response to the Change Healthcare cyberattack. These included free training, assessments, and consulting, and access to discounted security tools. [Additional coverage in NextGov]\r\nColombia to investigate spyware abuses: Colombian President Gustavo Petro has asked the country's attorney general to investigate the previous government for the purchase and use of the Pegasus spyware. Petro says the previous regime paid $11 million to buy access to the Pegasus platform and then used it to spy on political rivals and journalists. The move comes after Poland has made strides in investigating the previous government for its use of the Pegasus spyware. Meanwhile, the current re-elected Greek ruling government has absolved itself of using a different spyware tool to spy on political rivals. [Additional coverage in Reuters]\r\nRussia threatens ISPs: Russia's communications watchdog Roskomnadzor has warned local ISPs to implement its YouTube block or face losing their license. [Additional coverage in Forbes]\r\nRussia looking at \"droppers\" law: The Russian government is preparing a bill to criminalize \"droppers,\" a term used to describe individuals who provide intermediary accounts where fraudsters can store stolen funds. 
Officials have not decided on the jail time droppers could face but said individuals working as part of larger groups will see harsher penalties. The bill is expected by the end of the year. [Additional coverage in TASS]\r\nSponsored: GreyNoise launches private preview of Plasma sensors\r\nIn this Risky Business News sponsor interview, Catalin Cimpanu talks with Andrew Morris, founder of security firm GreyNoise. Andrew introduces Plasma, a new GreyNoise product that can allow customers to deploy custom GreyNoise sensors anywhere they want—on perimeters, on internal networks, on DMZs, or anywhere else.\r\nCybercrime and threat intel\r\nMan charged for AI music and bot fraud scheme: The US government has charged a North Carolina man for a novel scheme that defrauded music streaming platforms. Michael Smith created hundreds of thousands of songs using AI tools, uploaded the songs on popular streaming platforms, and used online bot accounts to stream his own music. The scheme began in 2018 and Smith allegedly had help from a music promoter and the CEO of a music company. Officials say the group made over $10 million in royalty payments from platforms like Amazon Music, Apple Music, Spotify, and YouTube Music. Smith is the second person to be charged for defrauding streaming platforms after Danish authorities sentenced a local man to 18 months in prison for a similar scheme.\r\nGermany dismantles NWO harassment group: German police have charged and raided the homes of ten individuals who are part of an online harassment group known as New World Order (NWO). 
The group used an online chatroom to select targets and directed members to attack victims on social media with hateful comments or insults. NWO also organized swatting events to disrupt the streams of online creators. It also social-engineered public authorities and private companies to obtain personal data, which they later used to harass and dox their victims.\r\nTwo BEC scammers sentenced: The US Department of Justice has sentenced two Nigerian men to prison for their roles in a major BEC scam that stole millions from US businesses. Ebuka Raphael Umeti was sentenced to ten years in prison, while his co-conspirator Franklin Ifeanyichukwu Okwonna received a five-year and three-month prison sentence. The court also ordered each to pay $5 million in restitution to their victims. According to court documents, the duo used phishing emails to infect victims with malware, downloaded victim data, and used the stolen information to redirect wire transfers to their accounts.\r\nPredator returns: The company behind the Predator commercial spyware has established new infrastructure in multiple countries despite facing ongoing sanctions from the US government. According to Recorded Future, the new infrastructure appears to suggest the spyware is being used to target entities in Angola and the Democratic Republic of the Congo. Recorded Future's findings come a day after the Atlantic Council published a report on the state of the surveillance market. The report found that the recent US crackdown on spyware vendors has had a minimal impact. [Atlantic Council interactive map of known surveillance market players]\r\nSextortion with home photos: There's a new sextortion scam going around that uses the victim's name and photos of their house, usually taken from online mapping apps like Google Maps. 
[Additional coverage in KrebsOnSecurity]\r\nHacker on hacker crime: Security firm Veriti has found that a threat actor infected other hackers with an infostealer by sharing a free tool that could check the validity of OnlyFans credentials. It's happened a bunch of times before, but this never gets old.\r\n#FreeDurov campaign: Check Point, just like CyberKnow last week, looks at the hacktivist groups responding with DDoS attacks to France's arrest of Telegram CEO Pavel Durov.\r\nYandex browser abuse: Security firm Dr.Web has published a report on a spear-phishing attack that compromised a Russian rail freight operator in March this year and abused a novel technique to gain persistence on an infected host via the Yandex browser app itself.\r\nPyPI Revival Hijacking: Threat actors are using a technique named Revival Hijacking to re-register deleted package names and deliver malware to projects where the old packages are still used. The technique has been observed being used in the wild on the Python Package Index (PyPI). Security firm JFrog says it reported the attacks to the PyPI team in June, but administrators have not yet removed the ability to re-register deleted package names. JFrog says that more than 22,000 Python libraries reference and still load deleted packages, exposing themselves to attacks.\r\nMalware technical reports\r\nLATAM trojans: Trend Micro reports that two banking trojans named Mekotio and BBTok are having a resurgence across Latin America.\r\n\"Mekotio's latest variant suggests the gang behind it is broadening their target, while BBTok is seen abusing MSBuild.exe to evade detection. Cybercriminals behind these known banking Trojans are using judicial-related phishing emails apart from the tried and tested business lures to target victims. 
Our investigation of Mekotio suggests that cybercriminals are likely to expand their targets beyond the Latin Americas.\"\r\nAZORult: ANY.RUN has published a technical report on the AZORult infostealer.\r\nSpyAgent: McAfee has published a report on SpyAgent, a new Android malware campaign seeking to collect credentials for cryptocurrency accounts. The campaign has primarily targeted Korea and uses OCR to retrieve seed phrases from crypto wallets.\r\nAkira ransomware: Hunt \u0026 Hackett researchers look at some of the technical oddities used by the Akira ransomware. More precisely, the report looks at Akira's abuse of Restart Manager—a Windows API designed for installers and updaters to temporarily shut down applications that lock specific files.\r\nFog ransomware: Adlumin researchers have published a report on the new Fog ransomware strain.\r\nMallox ransomware: The Mallox ransomware has slowly become one of the most active ransomware gangs over the past year. Security firm Kaspersky says it identified more than 700 different Mallox samples in 2023 alone. The group has continued to actively develop its code and is now also recruiting new affiliates for its RaaS program. Mallox is primarily known for using MSSQL and PostgreSQL database servers as initial entry points for its attacks. Their main tactics include exploiting unpatched database vulnerabilities or launching brute-force attacks against admin accounts.\r\nGreyNoise founder Andrew Morris demonstrates how people use the GreyNoise sensor network to find threats and detect attacks.\r\nAPTs, cyber-espionage, and info-ops\r\nUS charges GRU cyber unit members: The US government has charged five officers from a Russian military cyber unit involved in cyberattacks against Ukraine and NATO countries. 
Officials say the group launched the WhisperGate data-wiping malware ahead of Russia's invasion of Ukraine. The malware destroyed Ukrainian government systems in an attempt to delay its response to Russian invasion forces. The five allegedly worked with a sixth suspect, a Russian civilian the DOJ charged at the end of June. Officials say the five suspects are part of Unit 29155 in Russia's GRU military intelligence agency. The unit is considered one of the GRU's best and has also been involved in attempted coups, assassinations, and sabotage missions. The US State Department is also offering a $10 million reward for information on the unit and its members.\r\nRussia targets Ukraine's military mobile apps: Suspected Russian hackers are targeting Ukrainian soldiers with Signal phishing messages in an attempt to install malware on their phones. The malware was hidden in malicious versions of Eyes and GRISELDA, two mobile apps used by the Ukrainian Army. The purpose of the attacks is to steal authentication data to access military systems, as well as to exfiltrate the device's GPS coordinates. CERT-UA has linked the attack to a group it tracks as UAC-0210.\r\nConfucius: Researchers with the Anheng Information Hunting Lab have published a report detailing a recent campaign linked to the Confucius APT group and utilizing a load of commodity tooling.\r\nKonni: South Korean security firm Genians looks at a Konni APT campaign targeting Russia and South Korea.\r\nLazarus: Group-IB has put out a report on recent Lazarus social-engineering campaigns targeting developers at gaming and crypto companies.\r\n\"They show no signs of easing their efforts, with their campaign targeting job seekers extending into 2024 and to the present day. 
Their attacks have become increasingly creative, and they are now expanding their reach across more platforms.\"\r\nEarth Lusca's KTLVdoor: Trend Micro has published a write-up on KTLVdoor, a new backdoor used by the Earth Lusca APT. The backdoor is written in Go specifically for the multi-platform support.\r\n\"The scale of the attack campaign is significant, with over 50 C\u0026C servers found hosted at a China-based company; it remains unclear whether the entire infrastructure is exclusive to Earth Lusca or shared with other threat actors.\"\r\nTropic Trooper: A suspected Chinese APT group has hacked an online platform that published studies on human rights in the Middle East for the sole purpose of stealing research about the Israel-Hamas conflict. The attack was the work of Tropic Trooper, a Chinese APT active since 2011 and also known as KeyBoy and Pirate Panda. Kaspersky says that based on its analysis, the online platform was the sole target, and the group went to great lengths to maintain access once it was discovered.\r\nChinese recon tools: The Natto Thoughts team has put together a summary of the open-source and custom reconnaissance tools used by Chinese threat actors in their operations. 
See fancy table below.\r\nVulnerabilities, security research, and bug bounty\r\nChrome zero-day PoC: A security researcher going by Mistymntncop has released a PoC exploit for CVE-2024-5274, a Chrome zero-day that Google patched back in May.\r\nWindows zero-day: QiAnXin has published a report on CVE-2024-30051, a now-patched Windows zero-day that was abused in the wild by the now-defunct Qakbot botnet.\r\nGatekeeper flaws: Jamf researchers have published a review of recent techniques to bypass macOS Gatekeeper and deploy malware.\r\nAnother LiteSpeed bug: Patchstack has published details on CVE-2024-44000, another bug in the LiteSpeed WordPress caching plugin that can be used to hijack admin-level accounts. The first one was CVE-2024-28000, patched two weeks ago. The older one exploited a user ID function while this new one exploits a bug that lets attackers extract admin cookies from the plugin's debug feature.\r\nAndroid Security Bulletin: Google has released the Android security updates for September 2024. This month, the company has patched a zero-day tracked as CVE-2024-32896, which Google says may be \"under limited, targeted exploitation.\" Google initially patched this for Pixel devices in June and has now backported the fix for the general Android population.\r\nCisco security updates: Cisco has released five security advisories for various products. One of them covers a default admin account. Another one has a public exploit available.\r\nZyxel security updates: Zyxel has released three security updates to address nine vulnerabilities across routers, firewalls, and WiFi access points.\r\nVeeam security updates: Backup service Veeam has released security updates for 18 vulnerabilities.\r\nApache OFBiz security update: The Apache OFBiz ERP has released a security update to fix CVE-2024-45195, a new pre-auth RCE. 
See Rapid7 write-up for more details. The chances of this getting exploited are high since it's related to other OFBiz RCEs that are already being exploited in the wild.\r\nInfosec industry\r\nNew tool—RedInfraCraft: CyberWarFare Labs has released RedInfraCraft, a tool to automate the deployment of red team infrastructure, such as C2s, phishing, and payload distribution servers.\r\nThreat/trend reports: Cloudflare, Gen Digital, IANS, Positive Technologies, and Team Cymru have recently published reports covering infosec industry threats and trends. From the IANS report:\r\n\"Nearly two-thirds of CISOs have reported receiving increased security budgets this year. An IANS Research survey found that budgets grew by 8% from 2023's numbers, but the growth rate is half of what it used to be at the start of the decade. Adjusted for inflation, IANS says the real increase is actually only 5%. The positive trend is that security budgets now account for more in a company's IT spending, rising from 8.6% in 2020 to 13.2% in 2024.\"\r\nRisky Business Podcasts\r\nIn this edition of Between Two Nerds, Tom Uren and The Grugq talk to Alex Joske, author of a book about how the Chinese Ministry of State Security (MSS) has shaped Western perceptions of China. They discuss the MSS's position in the Chinese bureaucracy, its increasing role in cyber espionage, its use of contractors, and the PRC's vulnerability disclosure laws.\r\nIn this podcast, Tom Uren and Patrick Gray discuss Russia's use of exploits from commercial spyware vendors. Bought through a front, or stolen with other bugs? They also discuss Iran's counter-intelligence innovations—if you apply for a job that's very clearly an Israeli front, then perhaps you're not that trustworthy after all?\r\nRisky Business is now on YouTube with video versions of our main podcasts. 
Below is our latest weekly show with\r\nPat and Adam at the helm!\r\nhttps://news.risky.biz/risky-biz-news-doppelganger-gets-a-kick-in-the-butt-from-uncle-sam/\r\nPage 21 of 22\n\nSource: https://news.risky.biz/risky-biz-news-doppelganger-gets-a-kick-in-the-butt-from-uncle-sam/\r\nhttps://news.risky.biz/risky-biz-news-doppelganger-gets-a-kick-in-the-butt-from-uncle-sam/\r\nPage 22 of 22\n\nwhat it used actually only to be at the start 5%. The positive of the decade. Adjusted trend is that security for inflation, budgets IANS now account says the real increase for more in a is company's IT\nspending, rising from 8.6% in 2020 to 13.2% in 2024.\"\n   Page 20 of 22",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://news.risky.biz/risky-biz-news-doppelganger-gets-a-kick-in-the-butt-from-uncle-sam/"
	],
	"report_names": [
		"risky-biz-news-doppelganger-gets-a-kick-in-the-butt-from-uncle-sam"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7a8dbc5e-51a8-437a-8540-7dcb1cc110b8",
			"created_at": "2022-10-25T16:07:23.482856Z",
			"updated_at": "2026-04-10T02:00:04.627414Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"G0142"
			],
			"source_name": "ETDA:Confucius",
			"tools": [
				"ApacheStealer",
				"ByeByeShell",
				"ChatSpy",
				"Confucius",
				"MY24",
				"Sneepy",
				"remote-access-c3",
				"sctrls",
				"sip_telephone",
				"swissknife2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc",
			"created_at": "2023-01-06T13:46:38.354607Z",
			"updated_at": "2026-04-10T02:00:02.939761Z",
			"deleted_at": null,
			"main_name": "APT23",
			"aliases": [
				"BRONZE HOBART",
				"G0081",
				"Red Orthrus",
				"Earth Centaur",
				"PIRATE PANDA",
				"KeyBoy",
				"Tropic Trooper"
			],
			"source_name": "MISPGALAXY:APT23",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bef7800a-a08f-4e21-b65c-4279c851e572",
			"created_at": "2022-10-25T15:50:23.409336Z",
			"updated_at": "2026-04-10T02:00:05.319608Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"Tropic Trooper",
				"Pirate Panda",
				"KeyBoy"
			],
			"source_name": "MITRE:Tropic Trooper",
			"tools": [
				"USBferry",
				"ShadowPad",
				"PoisonIvy",
				"BITSAdmin",
				"YAHOYAH",
				"KeyBoy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "578f8e62-2bb4-4ce4-a8b7-6c868fa29724",
			"created_at": "2022-10-25T16:07:24.344358Z",
			"updated_at": "2026-04-10T02:00:04.947834Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"APT 23",
				"Bronze Hobart",
				"Earth Centaur",
				"G0081",
				"KeyBoy",
				"Operation Tropic Trooper",
				"Pirate Panda",
				"Tropic Trooper"
			],
			"source_name": "ETDA:Tropic Trooper",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"ByPassGodzilla",
				"CHINACHOPPER",
				"CREDRIVER",
				"China Chopper",
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"KeyBoy",
				"Neo-reGeorg",
				"PCShare",
				"POISONPLUG.SHADOW",
				"Poison Ivy",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Swor",
				"TSSL",
				"USBferry",
				"W32/Seeav",
				"Winsloader",
				"XShellGhost",
				"Yahoyah",
				"fscan",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99c72af2-9b8a-412d-840b-09a9d54dec81",
			"created_at": "2024-09-20T02:00:04.583095Z",
			"updated_at": "2026-04-10T02:00:03.699949Z",
			"deleted_at": null,
			"main_name": "IRLeaks",
			"aliases": [],
			"source_name": "MISPGALAXY:IRLeaks",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9a11c31f-ebed-4b8d-9a5a-b3c842bfe293",
			"created_at": "2024-09-20T02:00:04.58523Z",
			"updated_at": "2026-04-10T02:00:03.700883Z",
			"deleted_at": null,
			"main_name": "RaHDit",
			"aliases": [
				"Russian Angry Hackers Did It"
			],
			"source_name": "MISPGALAXY:RaHDit",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86182dd7-646c-49c5-91a6-4b62fd2119a7",
			"created_at": "2025-08-07T02:03:24.617638Z",
			"updated_at": "2026-04-10T02:00:03.738499Z",
			"deleted_at": null,
			"main_name": "BRONZE HOBART",
			"aliases": [
				"APT23",
				"Earth Centaur ",
				"KeyBoy ",
				"Pirate Panda ",
				"Red Orthrus ",
				"TA413 ",
				"Tropic Trooper "
			],
			"source_name": "Secureworks:BRONZE HOBART",
			"tools": [
				"Crowdoor",
				"DSNGInstaller",
				"KeyBoy",
				"LOWZERO",
				"Mofu",
				"Pfine",
				"Sepulcher",
				"Xiangoop Loader",
				"Yahaoyah"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "caf95a6f-2705-4293-9ee1-6b7ed9d9eb4c",
			"created_at": "2022-10-25T15:50:23.472432Z",
			"updated_at": "2026-04-10T02:00:05.352882Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"Confucius",
				"Confucius APT"
			],
			"source_name": "MITRE:Confucius",
			"tools": [
				"WarzoneRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434760,
	"ts_updated_at": 1775826736,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ba448afdf3a54ecc6adf1e1756a10272b64e5e79.pdf",
		"text": "https://archive.orkl.eu/ba448afdf3a54ecc6adf1e1756a10272b64e5e79.txt",
		"img": "https://archive.orkl.eu/ba448afdf3a54ecc6adf1e1756a10272b64e5e79.jpg"
	}
}