{
	"id": "9b274dbe-0de2-4fc9-8660-25c0b00bcea4",
	"created_at": "2026-04-06T00:13:47.935432Z",
	"updated_at": "2026-04-10T13:13:02.938058Z",
	"deleted_at": null,
	"sha1_hash": "ba7603e42ca013c6ad18e8e8ee61394ae67a08c9",
	"title": "CTO at NCSC Summary: week ending October 29th",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 637683,
	"plain_text": "CTO at NCSC Summary: week ending October 29th\r\nBy Ollie Whitehouse\r\nPublished: 2025-04-12 · Archived: 2026-04-02 12:01:57 UTC\r\nWelcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes\r\nit in, but the best bits do.\r\nFirstly, welcome to the new home but same format for those that have followed here from the old Substack. As I’ve\r\nmoved roles we had to move due to me working for the UK Government. A quick thank you to the NCSC’s\r\ncommunications, legal and policy teams who made all the magic happen very quickly. Be sure to check out the bottom of\r\nthe legal language.\r\nOperationally this week you will see two things have been driving the agenda - the Okta breach (see reporting below) and\r\nthe at scale router compromises. Clean up around the latter continues…\r\nIn the high-level this week:\r\nThe (US) National Cyber Incident Response Plan (NCIRP) - CISA is leading an effort to update the National Cyber\r\nIncident Response Plan (NCIRP) by the end of 2024, as directed in the 2023 National Cybersecurity Strategy\r\nCYBERCOM executes internal coordinated defensive cyber activity - Focusing distinctly on DoD networks and\r\nsystems, CYBERCOM globally deployed defensive cyber professionals to search for, identify, mitigate, and publicly\r\nshare known malware and associated variations targeting DoD-network infrastructure. 
INCCA provides defensive\r\ncyber teams with an opportunity to improve processes, readiness, and coordination with our broader unified action\r\npartners.\r\nEuropean Council sets out vision for protecting fundamental rights in the digital world - The text reaffirms that\r\nfundamental rights apply equally online and offline and that everyone should have the opportunity and support to\r\nacquire basic digital skills in order to be able to comprehend and exercise their rights.\r\nJustice Department Announces Court-Authorized Action to Disrupt Illicit Revenue Generation Efforts of Democratic\r\nPeople’s Republic of Korea Information Technology Workers - North Koreans getting remote jobs in US firms\r\nrelated North Korean programmers used a hosted laptop to freelance online, says FBI\r\nMeasures taken following the unprecedented cyber-attack on the ICC - As part of broader assessment into potential\r\nactions by threat actors, the Court has also identified that disinformation campaigns targeting the ICC and its\r\nofficials may be anticipated to be launched in an effort to tarnish the ICC image and delegitimize its activities.\r\nAdditionally we had France condemns the cyber attack against the International Criminal Court - It also\r\nstrongly condemns the criminal proceedings initiated in Russia against the Court’s staff – the President, First\r\nVice-President, Prosecutor, judges preparing cases for trial who are involved in the situation in Ukraine, and\r\na trial judge.\r\nProtecting Civilians Against Digital Threats During Armed Conflict: Recommendations to states, belligerents, tech\r\ncompanies, and humanitarian organizations - The Board's final report presents 4 guiding principles and a set of 25\r\nhttps://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-october\r\nPage 1 of 14\n\nconcrete recommendations addressed to belligerents, states, tech companies, and humanitarian organizations to\r\nprevent or mitigate digital threats to civilian 
populations.\r\nThe Economics of Ransomware Attacks on Integrated Supply Chain Networks - we show that by targeting one firm\r\nin the network the criminals can potentially hold multiple firms to ransom - something to consider from this.\r\nSummary of the threat targeting local (French) authorities - From January 2022 to June 2023, ANSSI handled 187\r\nincidents in this area. If the profit objective is, by far, the primary motivation of attackers who target local\r\nauthorities, the latter can however be the subject of attacks for the purposes of destabilization, or even compromise\r\nlinked to state espionage operations .\r\nChina\r\nThis is the state of generative AI in China - Domestically, Chinese companies are facing a particularly\r\ncomplex regulatory landscape, characterized by rapidly evolving rules and standards for the development and\r\ndeployment of generative AI products. China’s internet regulators are well ahead of their counterparts in the\r\nU.S. in pursuing “vertical” regulatory approaches to AI in general and generative AI in particular, issuing\r\ninterim regulations on generative AI in July.\r\nFull text of Xi Jinping's keynote speech at 3rd Belt and Road Forum for Int'l Cooperation - Fifth, advancing\r\nscientific and technological innovation. China will continue to implement the Belt and Road Science,\r\nTechnology and Innovation Cooperation Action Plan, hold the first Belt and Road Conference on Science and\r\nTechnology Exchange, increase the number of joint laboratories built with other parties to 100 in the next five\r\nyears, and support young scientists from other countries to work on short-term programs in China. At this\r\nForum, China will put forward the Global Initiative for Artificial Intelligence (AI) Governance.\r\nHow Do The Chinese Ciphers Compare with NIST Standards? 
- slow is the answer but that could be due to\r\nlack of hardware acceleration.\r\nChina crackdown on cyber scams in Southeast Asia nets thousands but leaves networks intact - Regional and\r\nChinese authorities have netted thousands of people in a crackdown, but experts say they are failing to root\r\nout the local elites and criminal networks that are bound to keep running the schemes.\r\nArtificial intelligence\r\nFrontier AI: capabilities and risks – discussion paper - published by the UK including the Annex B: Safety and\r\nSecurity Risks of Generative Artificial Intelligence to 2025\r\nUK’s DSIT opens AI Fairness Innovation Challenge - The Department for Science, Innovation, and\r\nTechnology (DSIT) has launched a competition offering £400,000 for investment in projects to tackle bias and\r\ndiscrimination in AI.\r\nDecomposing Language Models Into Understandable Components - using a large language model to generate\r\nshort descriptions of the small model's features, which we score based on another model's ability to predict a\r\nfeature's activations based on that description\r\nMicrosoft announces A$5 billion investment in computing capacity and capability to help Australia seize the\r\nAI era - In addition, Microsoft will collaborate with the Australian Signals Directorate (ASD) on an initiative\r\ncalled the Microsoft-Australian Signals Directorate Cyber Shield (MACS), aimed at improving protection\r\nfrom cyber threats for Australian residents, businesses and government entities.\r\nEuropean Data Protection Supervisor Opinion 44/2023 on the Proposal for Artificial Intelligence Act in the\r\nlight of legislative developments - the EDPS reiterates that AI systems already in use at the date of\r\napplicability of the AI Act, including AI systems which are components of EU large-scale IT systems, should\r\nnot be exempted from the scope of the AI Act. 
Instead, they should comply with the AI Act requirements from\r\nits date of applicability.\r\nCyber proliferation\r\nIntellexa: Irish-linked spyware used in 'brazen attacks' - The Irish government is set to investigate a digital\r\nsurveillance alliance that has been accused of letting its smartphone spyware \"run wild across the world\",\r\nBBC News NI understands.\r\nIsraeli Cyber Arms and Intelligence Firms Like NSO Aiding Israeli Efforts - From facial recognition to open\r\nsource intelligence and offensive cyber, firms such as NSO, Rayzone and others like AnyVision helped map\r\nand track hostages, casualties\r\nReflections this week are how liberating it is to move to an organisation (the NCSC) who work on true national strategic\r\nintent. I knew I would find it fulfilling but some of the opportunities (and challenges) which I have had exposure to in the\r\nfirst week along with the clear sense of mission make it truly motivating..\r\nOn the interesting job/role front (thanks to those sending me these):\r\nOperational and Cyber Resilience Manager at the Financial Conduct Authority in the UK\r\nPrincipal Cyber Advisor to the Secretary of the Navy in the USA\r\nAttribution is by others.\r\nHave a lovely Thursday\r\nOllie\r\nWho is doing what to whom and how.\r\nSome data as to the scale of this challenge..\r\nTo date in 2023, more than 100 companies across 18 industries had access to their IT infrastructure, cloud\r\nenvironments, networks, or applications sold on Russian hacking forums.\r\nhttps://flare.io/learn/resources/blog/threat-spotlight-initial-access-brokers-on-russian-hacking-forums/\r\nInsider threat personified by this reporting from our friends in Ukraine.\r\nthe group includes traitor officers of the former Security Service of Ukraine Dept. 
in the Autonomous Republic of\r\nCrimea, who started ministering to Russian federal security back in 2014.\r\nhttps://cip.gov.ua/en/news/rosiiske-ugrupuvannya-gamaredon-suttyevo-zbilshilo-kilkist-kiberoperacii-prote-voni-ne-taki-uspishni-yak-ranishe\r\nMatthieu Faou gives us reporting that shows this threat actor has continued the trend of exploiting web vulnerabilities in\r\nemail servers via email.\r\nExploitation of the XSS vulnerability, assigned CVE-2023-5631, can be done remotely by sending a specially\r\ncrafted email message.\r\nWe believe with low confidence that Winter Vivern is linked to MoustachedBouncer, a sophisticated Belarus-aligned group that we first published about in August, 2023.\r\nhttps://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/\r\nBit of a pulse check on activity from the Hermit Kingdom..\r\nThe Kimsuky group’s activities in August 2023 showed a notable surge in the BabyShark type, while the activities\r\nof other types were relatively low.\r\nhttps://asec.ahnlab.com/en/57938/\r\nCanadian government reporting on Chinese activity in country.\r\nGlobal Affairs Canada’s (GAC) Rapid Response Mechanism (RRM) Canada has detected a ‘Spamouflage’\r\ncampaign connected to the People’s Republic of China. 
Beginning in early August 2023 and accelerating in scale\r\nover the September long-weekend, a bot network left thousands of comments in English and French on the\r\nFacebook and X/Twitter accounts of Canadian Members of Parliaments (MPs).\r\nhttps://www.canada.ca/en/global-affairs/news/2023/10/rapid-response-mechanism-canada-detects-spamouflage-campaign-targeting-members-of-parliament.html\r\nhttps://www.aspistrategist.org.au/ccp-using-information-operations-to-harass-canadian-politicians/\r\nI mistakenly missed this reporting off last week on Iranian activity against regional governments.\r\nThe Iranian Crambus espionage group (aka OilRig, APT34) staged an eight-month-long intrusion against a\r\ngovernment in the Middle East between February and September 2023. During the compromise, the attackers\r\nstole files and passwords and, in one case, installed a PowerShell backdoor (dubbed PowerExchange) that was\r\nused to monitor incoming mails sent from an Exchange Server in order to execute commands sent by the attackers\r\nin the form of emails, and surreptitiously forwarded results  to the attackers. Malicious activity occurred on at\r\nleast 12 computers and there is evidence that the attackers deployed backdoors and keyloggers on dozens more.\r\nIn addition to deploying malware, the attackers made frequent use of the publicly available network\r\nadministration tool Plink to configure port-forwarding rules on compromised machines, enabling remote access\r\nvia the Remote Desktop Protocol (RDP). 
There is also evidence the attackers modified Windows firewall rules in\r\norder to enable remote access.\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/crambus-middle-east-government\r\nPwC report suggests that someone is doing data collection.\r\nBetween 2022 and 2023, the threat actor has conducted strategic web compromises to embed JavaScript\r\nwhich fingerprints website visitors and captures victim user location, device information, and time of\r\nvisits. Targeting of these attacks have focused primarily on the maritime, shipping and logistics sectors,\r\nwith some victims being served follow-on malware which we have named IMAPLoader.\r\nIMAPLoader is a .NET malware that has the ability to fingerprint victim systems using native Windows\r\nutilities and acts as a downloader for further payloads. It uses email as a C2 channel and is able to execute\r\npayloads extracted from email attachments and is executed via new service deployments.\r\nWe have previously observed Yellow Liderc developing .NET malware which uses similar email-based C2\r\nchannels and hard-coded commands to gain information about the victim’s environment; however,\r\nIMAPLoader is executed via an injection technique known as 'AppDomain Manager Injection', a technique\r\nwe have not observed Yellow Liderc using before.\r\nhttps://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html\r\nRegional tensions with commodity tradecraft but able to invest in retooling. These regional players are more symptomatic of\r\nwider trends.\r\n[We] assess with high confidence that YoroTrooper, an espionage-focused threat actor first active in June\r\n2022, likely consists of individuals from Kazakhstan based on their use of Kazakh currency and fluency in\r\nKazakh and Russian. 
The actor also appears to have a defensive interest in the website of the Kazakhstani\r\nstate-owned email service and has rarely targeted Kazakh entities.\r\nYoroTrooper attempts to obfuscate the origin of their operations, employing various tactics to make its\r\nmalicious activity appear to emanate from Azerbaijan, such as using VPN exit nodes local to that region. \r\nYoroTrooper’s targeting appears to be focused on Commonwealth of Independent States (CIS) countries,\r\nand the operators have compromised multiple state-owned websites and accounts belonging to government\r\nofficials of these countries between May and August 2023.\r\nOur findings also indicate that, in addition to commodity and custom malware, YoroTrooper continues to\r\nrely heavily on phishing emails that direct victims to credential harvesting sites.\r\nRecent retooling efforts by YoroTrooper demonstrate a conscious effort to move away from commodity\r\nmalware and increasingly rely on new custom malware spanning across different platforms such as\r\nPython, PowerShell, GoLang and Rust.\r\nhttps://blog.talosintelligence.com/attributing-yorotrooper/\r\nReporting out of Japan which highlights the need for focus around DNS domain name security and what happens when it\r\ngoes wrong.\r\na case of domain hijacking in which a domain used in Japan was illegally transferred to another registrar. This\r\ntime, we will introduce an example of such an attack.\r\nThe attacker then used the stolen credentials to log into the registrar's legitimate site and proceed to transfer the\r\ndomain to another registrar. Furthermore, although the domain administrator was using the domain transfer lock\r\nfunction for the target domain, the attacker himself released the domain transfer lock. 
In the process of unlocking\r\nthe domain transfer lock, an email is sent to the contact email address to confirm the user's intention, and the\r\nemail is used to approve the request, but this email address has also been changed by the attacker.\r\nhttps://blogs-jpcert-or-jp.translate.goog/ja/2023/10/domain-hijacking.html?_x_tr_sl=auto\u0026_x_tr_tl=en\u0026_x_tr_hl=en-US\u0026_x_tr_pto=wapp\r\nFirst North Korea and now others, the intent here is interesting and something to be aware of. It will be interesting to see\r\nhow LinkedIn respond given what appears to be an uptick in activity over the platform.\r\n[We] observed a malicious campaign that employs LinkedIn messages as a vector for executing identity theft\r\nattacks. In this campaign, compromised LinkedIn accounts are utilized to send messages to users with the aim of\r\ncompromising their accounts by illicitly procuring their cookies, session data, and browser credentials.\r\nThe malware employed in these attacks has been positively identified as a member of the DuckTail family. This\r\nmalware variant also possesses an automated functionality, enabling it to execute Facebook Business hijacking\r\nattacks, thereby providing the attackers with access to the email associated with any potential Facebook Business\r\naccount owned by the victim.\r\nThe observed attacks have targeted professionals belonging to various Italian companies, especially in the\r\ntechnology sector. The attackers have shown a preference for focusing on personnel from the sales and finance\r\ndepartments of the targeted companies.\r\nhttps://blog.cluster25.duskrise.com/2023/10/25/the-duck-is-hiring\r\nTim Berghoff provides further reporting which hints at the challenges around compromised advertising accounts. 
We have\r\nseen they have been used in cyber operations by a range of actors.\r\nCriminals hijack business accounts on Facebook and run their own advertising campaigns in someone else's name\r\nand at the expense of those affected. This quickly results in thousands of euros in damages for the actual account\r\nholders - not to mention the damage to their reputation.\r\nhttps://www.gdatasoftware.com/blog/2023/10/37814-meta-hijacked-malicious-ads\r\nThe takeaway from this reporting is that Gitlab was used for malicious payload hosting.\r\nhttps://medium.com/walmartglobaltech/icedid-gets-loaded-af073b7b6d39\r\nHow we find and understand the latent compromises within our environments.\r\nMatthew provides a good end-to-end walkthrough on how to recover the payload and analyse it using a variety of tools.\r\nThe more who learn this, the more we automate and the more cost we can impose.\r\nI will demonstrate a process for decoding a simple .hta loader used to load cobalt strike shellcode. We will\r\nperform initial analysis using a text editor, and use CyberChef to extract embedded shellcode. From here we will\r\nvalidate the shellcode using an emulator (SpeakEasy) and perform some basic analysis using Ghidra.\r\nhttps://embee-research.ghost.io/malware-analysis-decoding-a-simple-hta-loader/\r\nJiacen Xu, Xiaokui Shu and Zhou Li bring some science to the application of machine learning in detection. This type of\r\nevidence-based work is very important as we wrestle with various claims of efficacy.\r\nGraph security analytics (GSA) that can model the complex communication patterns between\r\nusers/hosts/processes have been extensively developed and deployed. Among the techniques that power GSAs,\r\nUnsupervised Network Representation Learning (UNRL) is gaining traction, which learns a latent graph\r\nrepresentation, i.e., node embedding, and customizes it for different downstream tasks. 
Prominent advantages\r\nhave been demonstrated by UNRL-based GSAs, as UNRL trains a detection model in an unsupervised way and\r\nexempts the model developers from the duty of feature engineering. In this paper, we revisit the designs of\r\nprevious UNRL-based GSAs to understand how they perform in real-world settings. We found their performance\r\nis questionable on large-scale, noisy log datasets like LANL authentication dataset, and the main reason is that\r\nthey follow the standard UNRL framework that trains a generic model in an attack-agnostic way. We argue that\r\ngeneric attack characteristics should be considered, and propose Argus, a UNRL-based GSA with new encoder\r\nand decoder designs. Argus is also designed to work on discrete temporal graphs (DTG) to exploit the graph\r\ntemporal dynamics. Our evaluation of two large-scale datasets, LANL and OpTC, shows it can outperform the\r\nstate-of-the-art approaches by a large margin.\r\nhttps://www.computer.org/csdl/proceedings-article/sp/2024/313000a012/1RjE9Q5gQrm\r\nHow we proactively defend our environments.\r\n7-layer zero trust solution from China which provides an interesting insight to interpretation and adoption of the concept.\r\nIn order to improve the robustness of the intranet and simplify complex internal port policies, Baidu has launched\r\nthe exploration of zero-trust architecture in recent years, and recently completed the implementation of zero-trust\r\non the 7th layer of the office network. Implementing a zero-trust gateway will usually encounter several key\r\nissues. For example, in terms of technical solutions, it is necessary to ensure the stability of the gateway and delay\r\nin response to requests; in terms of operational solutions, it is necessary to design a grayscale process to solve the\r\nresistance from the business line and the business relationship. 
line to build trust and more.\r\nhttps://mp-weixin-qq-com.translate.goog/s/5utSjmXrh5enrAvJmJLFvQ?_x_tr_sl=auto\u0026_x_tr_tl=en\u0026_x_tr_hl=en\u0026_x_tr_pto=wapp\r\nDefensive advice from the French Government in the form of a guide from ANSSI - Tres Bon!\r\nANSSI regularly notes that compromises of information systems (IS) based on an Active Directory (AD) result\r\nfrom the application of poor administration practices and insufficient partitioning. These compromises often start\r\nwith attacks that target workstations. The attackers then exploit weaknesses in the IS to carry out so-called lateral\r\nmovements and gradually increase their privileges until they obtain total control of the AD. At this level of control\r\nof the AD, an attacker is able to set up back doors which provide him with persistent control of the IS, that is to\r\nsay also of the organization's business processes and data.\r\nhttps://cyber-gouv-fr.translate.goog/publications/recommandations-pour-ladministration-securisee-des-si-reposant-sur-ad?_x_tr_sl=auto\u0026_x_tr_tl=en\u0026_x_tr_hl=en-US\u0026_x_tr_pto=wapp\r\nhttps://www.cert.ssi.gouv.fr/uploads/ad_checklist.html\r\nJared Atkinson walks us through an ever-growing training series on practical detection engineering - it really is a rich\r\nsource of learnings.\r\nIn this article, I hope to demonstrate how the operational layer IS the appropriate layer of analysis for those\r\ninterested in creating behavioral detection analytics.\r\nNote: In this context, a behavioral detection analytic is one that focuses on what the malware does\r\ninstead of what the malware is. It decouples the action from the actor. 
This is not to say that detecting\r\nknown bad malware based on what it is, is a bad idea; we simply are attempting to take the next logical\r\nstep.\r\nhttps://posts.specterops.io/on-detection-tactical-to-functional-f37c9b0b8874\r\nChrome, as Apple has done with Private Relay, is starting to experiment with IP address protection. Matter of when and not if.\r\nIP Protection will be opt-in initially. This will help ensure that there is user control over privacy\r\ndecisions and that Google can monitor behaviors at lower volumes. \r\nIt will roll out in a phased manner. Like all of our privacy proposals, we want to ensure that we learn\r\nas we go and we recognize that there may also be regional considerations to evaluate. \r\nWe are using a list based approach and only domains on the list in a third-party context will be\r\nimpacted. We are conscious that these proposals may cause undesired disruptions for legitimate use cases\r\nand so we are just focused on the scripts and domains that are considered to be tracking users. \r\nhttps://groups.google.com/a/chromium.org/g/blink-dev/c/9s8ojrooa_Q?pli=1\r\nMISP to the rescue\r\nFirst it was reported there was a dip in the number of implants. Turns out the threat actor upgraded their implant to evade the\r\ndetection techniques. We can take from this that threat actors read public reporting. This also shows the value of good threat\r\nresearch..\r\nInvestigated network traffic to a compromised device has shown that the threat actor has upgraded the implant to\r\ndo an extra header check. Thus, for a lot of devices, the implant is still active, but now only responds if the correct\r\nAuthorization HTTP header is set.\r\nhttps://github.com/fox-it/cisco-ios-xe-implant-detection\r\nOlaf Hartong gives the world a massive powerup with this capability. 
This is quality defensive research and engineering\r\nincarnate.\r\nFalconHound is a blue team multi-tool. It allows you to utilize and enhance the power of BloodHound in a more\r\nautomated fashion. It is designed to be used in conjunction with a SIEM or other log aggregation tool.\r\nOne of the hardest relationships to gather for BloodHound is the local group memberships and the session\r\ninformation. As blue teamers we have this information readily available in our logs. FalconHound can be used to\r\ngather this information and add it to the graph, allowing it to be used by BloodHound.\r\nThis is just an example of how FalconHound can be used. It can be used to gather any information that you have\r\nin your logs or security tools and add it to the BloodHound graph.\r\nhttps://github.com/FalconForceTeam/FalconHound\r\nHow they got in and what they did.\r\nThis is a rather interesting breach involving the support portal and then data uploaded to that portal enabling breaches of\r\nclients. The clients impacted are the ones who detected it. 
All the reporting follows, but lots of lessons learnt here.\r\nOkta Security has identified adversarial activity that leveraged access to a stolen credential to access Okta's\r\nsupport case management system.\r\nhttps://sec.okta.com/harfiles\r\nOctober 2, 2023 – Detected and remediated identity centric attack on an in-house Okta administrator\r\naccount and alerted Okta\r\nOctober 3, 2023 – Asked Okta support to escalate to Okta security team given initial forensics pointing to a\r\ncompromise within Okta support organization\r\nOctober 11, 2023 and October 13, 2023 – Held Zoom sessions with Okta security team to explain why we\r\nbelieved they might be compromised\r\nOctober 19, 2023 – Okta security leadership confirmed they had an internal breach, and BeyondTrust was\r\none of their affected customers.\r\nhttps://www.beyondtrust.com/blog/entry/okta-support-unit-breach\r\nOn Wednesday, October 18, 2023, we discovered attacks on our system that we were able to trace back to Okta –\r\nthreat actors were able to leverage an authentication token compromised at Okta to pivot into Cloudflare’s Okta\r\ninstance.\r\nhttps://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/\r\nWe detected suspicious activity on our Okta instance related to their Support System incident. 
After a thorough\r\ninvestigation, we concluded that no 1Password user data was accessed\r\nhttps://blog.1password.com/okta-incident/\r\nOur attack surface.\r\nNon-admin arbitrary memory read/write is possible and one to add to the list.\r\nAn improper privilege management in the AMD Radeon™ Graphics driver may allow an authenticated attacker to\r\ncraft an IOCTL request to gain I/O control over arbitrary hardware ports or physical addresses resulting in a\r\npotential arbitrary code execution.\r\nhttps://www.amd.com/en/resources/product-security/bulletin/amd-sb-6009.html\r\nAttack capability, techniques and trade-craft.\r\nOffensive use by threat actors in 3..2..\r\nBounceBack is a powerful, highly customizable and configurable reverse proxy with WAF functionality for\r\nhiding your C2/phishing/etc infrastructure from blue teams, sandboxes, scanners, etc. It uses real-time traffic\r\nanalysis through various filters and their combinations to hide your tools from illegitimate visitors.\r\nThe tool is distributed with preconfigured lists of blocked words, blocked and allowed IP addresses.\r\nhttps://github.com/D00Movenok/BounceBack\r\nBeau Bullock \u0026 Steve Borosh show attackers really do think in graphs and the value of doing so..\r\nWe built a post-compromise toolset called GraphRunner for interacting with the Microsoft Graph API. It\r\nprovides various tools for performing reconnaissance, persistence, and pillaging of data from a Microsoft Entra\r\nID (Azure AD) account. Below are some of the main features. At the end of the blog post, make sure to take a\r\npeek at the potential attack path scenarios we have laid out. 
There are a few in there we think may be quite\r\ninteresting to both offensive and defensive security team members.\r\nhttps://www.blackhillsinfosec.com/introducing-graphrunner/\r\nElliot Killick refines this known technique, which we can expect to see adopted by the various post-compromise\r\nframeworks and others.\r\nWhile mostly being a decisive technique, DLL hijacking has always had one huge disadvantage in the way that it\r\nexecutes our third-party code once loaded into the process. It's known as Loader Lock, and when our third-party\r\ncode is run, it's subject to all its strict limitations. These include creating processes, doing network I/O, calling\r\nregistry functions, creating graphical windows, loading additional libraries, and much more. Trying to do any of\r\nthese things under Loader Lock will likely crash or hang the application.\r\n[We] cleanly workaround Loader Lock but, in the end, disable it outright. Plus, coming up with some stable\r\nmitigation \u0026 detection mechanisms defenders can use to help guard against DLL hijacking.\r\nhttps://elliotonsecurity.com/perfect-dll-hijacking/\r\nOur latest post in the SaaS attacks matrix series is focused on external phishing via Slack. Unlike email, IM apps\r\nand the messages within them are typically more trusted by employees, making social engineering via Slack a\r\njuicy target.\r\nhttps://pushsecurity.com/blog/slack-phishing-for-initial-access/\r\nWhat is being exploited.\r\nFurther insight into what has led to over 10,000 routers being compromised. The lesson here is that actors read intel reporting\r\nand will in some situations respond as they did here by updating their implants to evade.\r\nThe attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a\r\nlocal user and password combination. 
This allowed the user to log in with normal user access.\r\nThe attacker then exploited another component of the web UI feature, leveraging the new local user to elevate\r\nprivilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue.\r\nCVE-2023-20198 has been assigned a CVSS Score of 10.0.\r\nCVE-2023-20273 has been assigned a CVSS Score of 7.2.\r\nhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z\r\nNCSC put out a UK-specific alert, 'Exploitation of Cisco IOS XE vulnerabilities affecting UK organisations':\r\nhttps://www.ncsc.gov.uk/news/cisco-ios-xe-vulnerabilities\r\nWhen you can leak session cookies, authentication can be bypassed, so this is a serious vulnerability which we know is now\r\nbeing actively scanned for.\r\nWe could clearly see a lot of leaked memory immediately following the JSON payload. While a lot of it was null\r\nbytes, there was some suspicious looking information in the response.\r\nhttps://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966\r\nhttps://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966\r\nFirst reported as being exploited by China, now exploitable by all threat actors..\r\nThis module exploits an improper input validation issue in Atlassian Confluence, allowing arbitrary HTTP\r\nparameters to be translated into getter/setter sequences via the XWorks2 middleware and in turn allows for Java\r\nobjects to be modified at run time. The exploit will create a new administrator user and upload a malicious\r\nplugin to get arbitrary code execution. All versions of Confluence between 8.0.0 through to 8.3.2, 8.4.0 through\r\nto 8.4.2, and 8.5.0 through to 8.5.1 are affected.\r\nhttps://github.com/rapid7/metasploit-framework/pull/18461\r\nDylan Evans shows an example of Intelligent Platform Management Interface exploitation here. 
IPMI is important as it\r\nincludes KVM over IP, remote virtual media and out-of-band embedded web-server interface functionality etc. The worry is\r\nalso that it won’t be protected by EDR etc.\r\nThis tool exploits the vulnerability detailed in CVE-2013-4786, which allows unauthorized users to retrieve salted\r\npassword hashes from IPMI devices via the RAKP (Remote Authentication Key Protocol) mechanism. This is\r\nachieved by initiating an IPMI 2.0 RAKP authentication process with a cipher suite that enables 'None'\r\nauthentication, allowing the retrieval of salted password hashes.\r\nhttps://github.com/fin3ss3g0d/CosmicRakp\r\nLow-level tooling and techniques for attack and defence researchers…\r\nExcellent work here to extend Yara to support powerful memory scanning.\r\nallows Yara rules to query memory protection for live process memory. This allows writing conditions like for any\r\ni in (1..#a) : ( memory.Protection(@a[i]) \u0026 memory.EXECUTE == memory.EXECUTE) for strings that should\r\nonly match on executable memory.\r\nhttps://github.com/VirusTotal/yara/pull/1991\r\nThis is an exciting analysis framework which should accelerate some analysis techniques.\r\nSHAREM is intended to be the ultimate Windows shellcode tool, with support to emulate over 20,000 WinAPIs,\r\nvirtually all user-mode Windows syscalls, and SHAREM provides numerous new features. SHAREM was\r\nreleased on September 29, 2022. SHAREM contains an emulator, a disassembler, timeless debugging, brute-force\r\ndeobfuscation, and many other features. SHAREM's emulator can also display complete structures (or even\r\nstructures within structures) and it can allow encoded shellcode to deobfuscate itself. 
SHAREM logs output from\r\nall WinAPIs and Windows syscalls analyzed, and it also breaks each into many categories and subcategories.\r\nSHAREM's complete code coverage also allows it to discover unreachable functionality.\r\nhttps://github.com/Bw3ll/sharem\r\nImpressive project with material utility for malware analysts.\r\nRun Mac OS X in Docker with near-native performance! X11 Forwarding! iMessage security research! iPhone\r\nUSB working! macOS in a Docker container!\r\nConduct Security Research on macOS using both Linux \u0026 Windows!\r\nhttps://github.com/sickcodes/Docker-OSX\r\nSome other small (and not so small) bits and bobs which might be of interest.\r\nAggregate reporting\r\nmacOS Malware 2023\r\nCommon Abuses on Mastodon: A Primer\r\nScaling up prime factorization with self-organizing gates: A memcomputing approach\r\nHack.lu 2023: Introduction To Cyberwarfare: Theory And Practice\r\nArtificial intelligence\r\nBeyond Memorization: Violating Privacy Via Inference with Large Language Models\r\nnbdefense: Secure Jupyter Notebooks and Experimentation Environment\r\nmodelscan: Protection against Model Serialization Attacks\r\nrebuff: LLM Prompt Injection Detector\r\nBooks\r\nNone this week\r\nEvents\r\nHITB2023HKT - Main Track videos\r\nThe BlueHat Podcast: BlueHat Oct 23 Day 1 Keynote: John Lambert\r\nFinally, on the video front this week: The British Hacker That Joined ISIS\r\nUnless stated otherwise, reference to third parties or their websites should not be taken as endorsement of any kind by the\r\nNCSC. The NCSC has no control over the contents of third party websites and accepts no responsibility for them or any\r\nconsequences that might arise from their use. Should you hold any concerns about this newsletter, please contact us at\r\nenquiries@ncsc.gov.uk. 
This newsletter is subject to the NCSC website terms and conditions which can be found at\r\nhttps://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how we will treat\r\nyour personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.\r\nSource: https://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-october",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-october"
	],
	"report_names": [
		"cto-at-ncsc-summary-week-ending-october"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "23226bab-4c84-4c65-a8d1-7ac10c44b172",
			"created_at": "2023-04-27T02:04:45.463683Z",
			"updated_at": "2026-04-10T02:00:04.980143Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"TA473",
				"TAG-70",
				"UAC-0114",
				"UNC4907"
			],
			"source_name": "ETDA:Winter Vivern",
			"tools": [
				"APERETIF"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c416152c-d268-40a3-8887-01d2ec452b7c",
			"created_at": "2023-04-27T02:04:45.481771Z",
			"updated_at": "2026-04-10T02:00:04.987067Z",
			"deleted_at": null,
			"main_name": "YoroTrooper",
			"aliases": [
				"Silent Lynx"
			],
			"source_name": "ETDA:YoroTrooper",
			"tools": [
				"Loda",
				"Loda RAT",
				"LodaRAT",
				"Meterpreter",
				"Nymeria",
				"Warzone",
				"Warzone RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "821cb2ce-472c-438f-943d-19cf23204d9a",
			"created_at": "2023-11-01T02:01:06.683709Z",
			"updated_at": "2026-04-10T02:00:05.39433Z",
			"deleted_at": null,
			"main_name": "MoustachedBouncer",
			"aliases": [
				"MoustachedBouncer"
			],
			"source_name": "MITRE:MoustachedBouncer",
			"tools": [
				"SharpDisco"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7d9d90f3-001e-4adc-8a77-8f93b5d02b01",
			"created_at": "2023-09-07T02:02:47.575324Z",
			"updated_at": "2026-04-10T02:00:04.770856Z",
			"deleted_at": null,
			"main_name": "MoustachedBouncer",
			"aliases": [],
			"source_name": "ETDA:MoustachedBouncer",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6704f3c-15d7-4e1d-b5a8-e33e7e9bd925",
			"created_at": "2023-11-04T02:00:07.660461Z",
			"updated_at": "2026-04-10T02:00:03.385093Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"TA-473",
				"UAC-0114",
				"TA473",
				"TAG-70"
			],
			"source_name": "MISPGALAXY:Winter Vivern",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "84a3dd71-1d65-4997-80fc-7fbe55b267f2",
			"created_at": "2023-04-26T02:03:02.969306Z",
			"updated_at": "2026-04-10T02:00:05.341127Z",
			"deleted_at": null,
			"main_name": "CURIUM",
			"aliases": [
				"CURIUM",
				"Crimson Sandstorm",
				"TA456",
				"Tortoise Shell",
				"Yellow Liderc"
			],
			"source_name": "MITRE:CURIUM",
			"tools": [
				"IMAPLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "322248d6-4baf-4ada-af8e-074bc6c10132",
			"created_at": "2023-11-05T02:00:08.072145Z",
			"updated_at": "2026-04-10T02:00:03.397406Z",
			"deleted_at": null,
			"main_name": "YoroTrooper",
			"aliases": [
				"Comrade Saiga",
				"Salted Earth",
				"Sturgeon Fisher",
				"ShadowSilk",
				"Silent Lynx",
				"Cavalry Werewolf",
				"SturgeonPhisher"
			],
			"source_name": "MISPGALAXY:YoroTrooper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7",
			"created_at": "2023-01-06T13:46:39.054248Z",
			"updated_at": "2026-04-10T02:00:03.197801Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Yellow Liderc",
				"Imperial Kitten",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Smoke Sandstorm",
				"IMPERIAL KITTEN",
				"TA456",
				"DUSTYCAVE",
				"CURIUM"
			],
			"source_name": "MISPGALAXY:Tortoiseshell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0e74afe0-92c3-4fca-93a4-d8e51180e105",
			"created_at": "2023-08-11T02:00:11.229735Z",
			"updated_at": "2026-04-10T02:00:03.37095Z",
			"deleted_at": null,
			"main_name": "MoustachedBouncer",
			"aliases": [],
			"source_name": "MISPGALAXY:MoustachedBouncer",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a20598c1-894c-4173-be6e-64a1ce9732bd",
			"created_at": "2024-11-01T02:00:52.652891Z",
			"updated_at": "2026-04-10T02:00:05.375678Z",
			"deleted_at": null,
			"main_name": "Winter Vivern",
			"aliases": [
				"Winter Vivern",
				"TA473",
				"UAC-0114"
			],
			"source_name": "MITRE:Winter Vivern",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b5b24083-7ba6-44cc-9d11-a6274e2eee00",
			"created_at": "2022-10-25T16:07:24.337332Z",
			"updated_at": "2026-04-10T02:00:04.94285Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Cobalt Fireside",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Curium",
				"Devious Serpens",
				"Houseblend",
				"Imperial Kitten",
				"Marcella Flores",
				"Operation Fata Morgana",
				"TA456",
				"Yellow Liderc"
			],
			"source_name": "ETDA:Tortoiseshell",
			"tools": [
				"IMAPLoader",
				"Infostealer",
				"IvizTech",
				"LEMPO",
				"MANGOPUNCH",
				"SysKit",
				"get-logon-history.ps1",
				"liderc",
				"stereoversioncontrol"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "591ffe81-e46b-4e3d-90c1-9bf42abeeb47",
			"created_at": "2025-08-07T02:03:24.726943Z",
			"updated_at": "2026-04-10T02:00:03.805423Z",
			"deleted_at": null,
			"main_name": "COBALT FIRESIDE",
			"aliases": [
				"CURIUM ",
				"Crimson Sandstorm ",
				"Cuboid Sandstorm ",
				"DEV-0228 ",
				"HIVE0095 ",
				"Imperial Kitten ",
				"TA456 ",
				"Tortoiseshell ",
				"UNC3890 ",
				"Yellow Liderc "
			],
			"source_name": "Secureworks:COBALT FIRESIDE",
			"tools": [
				"FireBAK",
				"LEMPO",
				"LiderBird"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434427,
	"ts_updated_at": 1775826782,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ba7603e42ca013c6ad18e8e8ee61394ae67a08c9.pdf",
		"text": "https://archive.orkl.eu/ba7603e42ca013c6ad18e8e8ee61394ae67a08c9.txt",
		"img": "https://archive.orkl.eu/ba7603e42ca013c6ad18e8e8ee61394ae67a08c9.jpg"
	}
}