{
	"id": "e5e7f602-2f41-4f53-82e1-bb94cb044435",
	"created_at": "2026-04-06T00:19:12.410212Z",
	"updated_at": "2026-04-10T03:38:19.829532Z",
	"deleted_at": null,
	"sha1_hash": "ba7cfac43a2bb2a0cbba14d6998485ee57eee182",
	"title": "MAR-10322463-2.v1 - AppleJeus: JMT Trading | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 94438,
	"plain_text": "MAR-10322463-2.v1 - AppleJeus: JMT Trading | CISA\r\nPublished: 2021-02-17 · Archived: 2026-04-05 20:11:24 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial\r\nproduct or service referenced in this bulletin or otherwise.\r\nThis document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries\r\nminimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. 
Subject to\r\nstandard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the\r\nTraffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.\r\nSummary\r\nDescription\r\nThis Malware Analysis Report (MAR) is the result of analytic efforts among the Federal Bureau of Investigation (FBI), the\r\nCybersecurity and Infrastructure Security Agency (CISA), and the Department of Treasury (Treasury) to highlight the cyber\r\nthreat to cryptocurrency posed by North Korea, formally known as the Democratic People’s Republic of Korea (DPRK), and\r\nprovide mitigation recommendations. Working with U.S. government partners, FBI, CISA, and Treasury assess that Lazarus\r\nGroup—which these agencies attribute to North Korean state-sponsored advanced persistent threat (APT) actors—is\r\ntargeting individuals and companies, including cryptocurrency exchanges and financial service companies, through the\r\ndissemination of cryptocurrency trading applications that have been modified to include malware that facilitates theft of\r\ncryptocurrency.\r\nThis MAR highlights this cyber threat posed by North Korea and provides detailed indicators of compromise (IOCs) used by\r\nthe North Korean government. The U.S. Government refers to malicious cyber activity by the North Korean government as\r\nHIDDEN COBRA. For more information on other versions of AppleJeus and recommended steps to mitigate this threat, see\r\nJoint Cybersecurity Advisory AA21-048A: AppleJeus: Analysis of North Korea's Cryptocurrency Malware at\r\nhttps://www.us-cert.cisa.gov/ncas/alerts/AA21-048A.\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b\r\nPage 1 of 13\n\nThere have been multiple versions of AppleJeus malware discovered since its initial discovery in August 2018. 
In most\r\nversions, the malware appears to be from a legitimate-looking cryptocurrency trading company and website, whereby an\r\nunsuspecting individual downloads a third-party application from a website that appears legitimate.\r\nThe U.S. Government has identified AppleJeus malware version—JMT Trading—and associated IOCs used by the North\r\nKorean government in AppleJeus operations.\r\nJMT Trading malware, discovered by a cybersecurity company in October 2019, is a legitimate-looking cryptocurrency\r\ntrading software that is marketed and distributed by a company and website—JMT Trading and jmttrading[.]org,\r\nrespectively—that appear legitimate.\r\nFor a downloadable copy of IOCs, see: MAR-10322463-2.v1.stix.\r\nSubmitted Files (6)\r\n07c38ca1e0370421f74c949507fc0d21f4cfcb5866a4f9c0751aefa0d6e97542 (jmttrader.msi)\r\n081d1739422bf050755e6af269a717681274821cea8becb0962d4db61869c5d6 (JMTTrader.exe)\r\n4d6078fc1ea6d3cd65c3ceabf65961689c5bc2d81f18c55b859211a60c141806 (jmttrader_mac.dmg)\r\n7ea6391c11077a0f2633104193ec08617eb6321a32ac30c641f1650c35eed0ea (JMTTrader)\r\n9bf8e8ac82b8f7c3707eb12e77f94cd0e06a972658610d136993235cbfa53641 (CrashReporter.exe)\r\ne352d6ea4da596abfdf51f617584611fc9321d5a6d1c22aff243aecdef8e7e55 (CrashReporter)\r\nDomains (2)\r\nbeastgoc.com\r\njmttrading.org\r\nFindings\r\n07c38ca1e0370421f74c949507fc0d21f4cfcb5866a4f9c0751aefa0d6e97542\r\nTags\r\nbackdoordroppertrojan\r\nDetails\r\nName jmttrader.msi\r\nSize 11524608 bytes\r\nType\r\nComposite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Last Printed: Fri Dec 11 11:47:44 20\r\nTime/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Numb\r\n{A2814B39-244E-4899-81F9-F995B8DC1A80}, Number of Words: 2, Subject: JMTTrader, Author: JMT Trading Group LLC, Name o\r\nApplication: Advanced Installer 14.5.2 build 83143, Template: ;1033, Comments: This installer database contains the logic and 
data req\r\nJMTTrader., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200\r\nMD5 c4aa6f87124320eadc342d2fe7364896\r\nSHA1 4fcc84583126689d03acf69b9fca5632f7d44752\r\nSHA256 07c38ca1e0370421f74c949507fc0d21f4cfcb5866a4f9c0751aefa0d6e97542\r\nSHA512 51b34ae0a0e9252705206f2d9e87136706f51a70cc110e8493ff1266303ae33f09c1e89f329ae8f776a610c88f155e02afeb63a8bc7762ce30\r\nssdeep 196608:p/5qF8q187MZjfZjowfMjVS9Qkj6YotsEXw6xws8CV/KFmpZ3zyl:B5qCyBfRfMjVS4RXw6EFF\r\nEntropy 7.962353\r\nAntivirus\r\nAhnlab MSI/Dropper\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b\r\nPage 2 of 13\n\nAvira TR/Agent.rhbwd\r\nComodo Malware\r\nIkarus Trojan.Win32.Agent\r\nMicrosoft Security Essentials Backdoor:Win32/Stealer.A!MSR\r\nNetGate Trojan.Win32.Malware\r\nSymantec Trojan.Gen.MBT\r\nTrendMicro Backdoo.80EE6F49\r\nTrendMicro House Call Backdoo.80EE6F49\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n07c38ca1e0... Downloaded_From jmttrading.org\r\n07c38ca1e0... Contains 081d1739422bf050755e6af269a717681274821cea8becb0962d4db61869c5d6\r\n07c38ca1e0... Contains 9bf8e8ac82b8f7c3707eb12e77f94cd0e06a972658610d136993235cbfa53641\r\nDescription\r\nThis Windows program from the JMTTrade GitHub site is a Windows MSI Installer. The installer looks legitimate and\r\npreviously had a valid digital signature from Comodo (Sectigo). The signature was signed with a code signing certificate\r\npurchased by the same user as the SSL certificate for \"jmttrading.org.\" The installer asks for administrative privileges to run\r\nand while installing \"JMTTrader.exe\" (081d1739422bf050755e6af269a717681274821cea8becb0962d4db61869c5d6) in the\r\n“C:\\Program Files (x86)\\JMTTrader” folder, it also installs \"CrashReporter.exe\"\r\n(9bf8e8ac82b8f7c3707eb12e77f94cd0e06a972658610d136993235cbfa53641) in the “C:\\Users\\\r\n\u003cusername\u003e\\AppData\\Roaming\\JMTTrader” folder. 
Immediately after installation, the installer launches\r\n\"CrashReporter.exe\" with the “Maintain” parameter.\r\nScreenshots\r\nFigure 1 - Screenshot of the JMTTrader Installation.\r\njmttrading.org\r\nTags\r\ncommand-and-control\r\nWhois\r\nWhois for jmttrading.org had the following information on October 11, 2019:\r\nRegistrar: NameCheap\r\nCreated: July 11, 2019\r\nExpires: July 11, 2020\r\nUpdated: September 10, 2019\r\nRelationships\r\njmttrading.org Downloaded_To 4d6078fc1ea6d3cd65c3ceabf65961689c5bc2d81f18c55b859211a60c141806\r\njmttrading.org Downloaded_To 07c38ca1e0370421f74c949507fc0d21f4cfcb5866a4f9c0751aefa0d6e97542\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b\r\nPage 3 of 13\n\nDescription\r\nThis site contained a “Download from GitHub” button which takes the user to the JMTTrader GitHub page\r\n(github.com/jmttrading/JMTTrader/releases) where both Windows and OSX versions of JMTTrader were available for\r\ndownload. There are also zip and a tar.gz files containing the source code. JMT Trading has a legitimately signed Sectigo\r\nSSL certificate. The SSL certificate was “Domain Control Validated,\" just as the Celas LLC certificate for AppleJeus variant\r\n1. 
The domain was registered at the IP address 198.187.29.20 with ASN 22612.\r\n081d1739422bf050755e6af269a717681274821cea8becb0962d4db61869c5d6\r\nTags\r\ntrojan\r\nDetails\r\nName JMTTrader.exe\r\nSize 2645744 bytes\r\nType PE32 executable (GUI) Intel 80386, for MS Windows\r\nMD5 70cf78e117359b17f079c128fcead8c8\r\nSHA1 8ec7f4b39f0843e5eae3b8af01578fd8e4432995\r\nSHA256 081d1739422bf050755e6af269a717681274821cea8becb0962d4db61869c5d6\r\nSHA512 8e21ea416f4c58743183394a28e347bc5c45f40306a8ffa7eef8403cf340538acf0794fd7bfdf60e120822fae5a21fc0f15de28cdf91d64f8667\r\nssdeep 49152:RHvo5BtSCkrN6DyhGr2W8Ujk4DJX4TnKuwdJg0b:65+rN+8GSog4lX/\r\nEntropy 7.024119\r\nAntivirus\r\nEmsisoft MalCert.A (A)\r\nSophos Mal/BadCert-Gen\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2019-07-29 03:06:34-04:00\r\nImport Hash 03d73bcb914fff965a82c9d9fe1fb7a1\r\nCompany Name JMT Trading Group\r\nFile Description JMT Trader\r\nInternal Name JMT Trader\r\nLegal Copyright JMT Trading Group (C) 2019\r\nOriginal Filename JMTTrader.exe\r\nProduct Name Automatic Secure Bitcoin Trader Application\r\nProduct Version 1.40.42\r\nPE Sections\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b\r\nPage 4 of 13\n\nMD5 Name Raw Size Entropy\nf9a353aa651137f95669fd2b1a50e70b header 1024 3.181420\nd00e20fb387da8ab6898391019288f30 .text 1181696 6.125747\nc7fcd13c45b7c15042b8024839cf18c4 .rdata 1269248 7.095514\n7504000617caec62a5a3221a785a58a8 .data 6144 4.261115\n55550745e0d79ebbad96ac438f26f8a1 .rsrc 13312 7.626081\n8ae8dead88483b69b09b01b024e882a2 .reloc 165376 6.784821\nPackers/Compilers/Cryptors\nRelationships\n081d173942... 
Contained_Within 07c38ca1e0370421f74c949507fc0d21f4cfcb5866a4f9c0751aefa0d6e97542\nDescription\nThis file is a 32-bit Windows executable contained within the Windows MSI Installer \"JMTTrader_Win.msi.\" When\nexecuted, \"JMTTrader.exe\" asks for the user’s exchange, and then loads a legitimate cryptocurrency trading platform with\nno signs of malicious activity.\n\"JMTTrader.exe\" is similar in appearance to version 1 and QT Bitcoin Trader. In addition to similar appearance, many\nstrings found in \"JMTTrader.exe\" have QT Bitcoin Trader references and parameters being set to “JMT Trader” including\nbut not limited to:\n--Begin similarities--\nString_ABOUT_QT_BITCOIN_TRADER_TEXT=JMT Trader\nString_ABOUT_QT_BITCOIN_TRADER_TEXT=JMT Trader is a free Open Source project  \ndeveloped on pure C++\nQt and OpenSSL.\nQtBitcoinTraderClass\nJuly IGHOR (note: Ighor July is one of the developers of QT Bitcoin Trader)\n--End similarities--\nThe strings also reference the name “Gary Mendez” with email garyhmendez@yahoo.com as the author of\n\"JMTTrader.exe.\" There is also reference to an additional GitHub repository under the name Gary Mendez\n“github.com/garymendez/JMTTrader/issues.\"\nWhile the JMTTrader application is likely a modification of QT Bitcoin Trader, the legitimate QT Bitcoin Trader for\nWindows is not available for download as an MSI, but only as a Windows portable executable. This is a singular file named\n\"QtBitcoinTrader.exe\" and does not install or run any additional programs. 
The JMTTrader MSI contains \"JMTTrader.exe,\"\nthe modified version of QT Bitcoin Trader, as well as the additional \"CrashReporter.exe\"\n(9bf8e8ac82b8f7c3707eb12e77f94cd0e06a972658610d136993235cbfa53641) executable not included with the original QT\nBitcoin Trader.\nScreenshots\nFigure 2 - Screenshot of the JMTTrader Application.\n9bf8e8ac82b8f7c3707eb12e77f94cd0e06a972658610d136993235cbfa53641\nTags\nbackdoortrojan\nDetails\nName CrashReporter.exe\nSize 609008 bytes\nType PE32 executable (GUI) Intel 80386, for MS Windows\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b\nPage 5 of 13\n\nMD5 48971e0e71300c99bb585d328b08bc88\r\nSHA1 ec8d7264953b5e9e416b7e8483954d9907278f2f\r\nSHA256 9bf8e8ac82b8f7c3707eb12e77f94cd0e06a972658610d136993235cbfa53641\r\nSHA512 6a664cd56e2201237bb24c148f39db6878e7cb6bb507290144f4cea327989535dbea64db11de398eee822aae56e873126dc95e2abf736420\r\nssdeep 12288:VhOHEwPzMEoJ1BpfYYPmrv3l1dxs6GWRGuGTi2euRBFXTnn8HPIRlxhD44ENrYAt:zOHEwPzMEoJ1BpfYYPmrv3l1dxs6\r\nEntropy 6.526076\r\nAntivirus\r\nAhnlab Trojan/Win32.Stealer\r\nAntiy Trojan[Backdoor]/Win32.Stealer\r\nAvira TR/Agent.lnumk\r\nBitDefender Gen:Variant.Razy.567005\r\nComodo Malware\r\nESET a variant of Win32/NukeSped.GN trojan\r\nEmsisoft MalCert.A (A)\r\nIkarus Trojan.Win32.Agent\r\nK7 Trojan ( 005597f41 )\r\nLavasoft Gen:Variant.Razy.567005\r\nMicrosoft Security Essentials Backdoor:Win32/Stealer.A!MSR\r\nNANOAV Trojan.Win32.Crypted.gczdoi\r\nNetGate Trojan.Win32.Malware\r\nSophos Troj/APosT-L\r\nSymantec Trojan.Gen.2\r\nSystweak trojan.nukesped\r\nTrendMicro Backdoo.80EE6F49\r\nTrendMicro House Call Backdoo.80EE6F49\r\nVirusBlokAda Backdoor.Agent\r\nZillya! 
Trojan.NukeSped.Win32.182\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nPE Metadata\r\nCompile Date 2019-10-04 03:22:31-04:00\r\nImport Hash 1513eba25694f99cecbcdc6cb414f6bd\r\nPE Sections\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b\r\nPage 6 of 13\n\nMD5 Name Raw Size Entropy\r\ncedc0880c9b0b6fea37e0079f1a4b406 header 1024 2.832478\r\n189feb1b74269eaa7894c984df4268c3 .text 367104 6.351925\r\n03c4cd021cfac8b5a8c0b944712e3217 .rdata 78336 4.408592\r\ncf410dbcdd83eb2426120e72027f119b .data 130048 5.206737\r\nbf619eac0cdf3f68d496ea9344137e8b .rsrc 512 0.000000\r\nfe66dfb20b91197d86cc8bbf0fc7139c .reloc 23040 6.417054\r\nPackers/Compilers/Cryptors\r\nRelationships\r\n9bf8e8ac82... Contained_Within 07c38ca1e0370421f74c949507fc0d21f4cfcb5866a4f9c0751aefa0d6e97542\r\n9bf8e8ac82... Connected_To beastgoc.com\r\nDescription\r\nThis file is a 32-bit Windows executable contained within the Windows MSI Installer \"JMTTrader_Win.msi.\" Unlike the\r\nfirst version of the malware, \"CrashReporter.exe\" is installed in the “C:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\JMTTrader,\"\r\nwhich is a different folder than \"JMTTrader.exe.\" \"CrashReporter.exe\" is heavily obfuscated with the ADVObfuscation\r\nlibrary, which has been renamed “snowman” by the malware writer. ADVObfuscation is described as using C++ 11/14\r\nlanguage to generate, at compile time, obfuscated code without using any external tool and without modifying the compiler\r\nand introduces some form of randomness to generate polymorphic code like the encryption of strings literals and the\r\nobfuscation of calls using finite state machines. Due to this obfuscation, detailed functionality can be difficult to determine\r\nto the extent of the non-obfuscated \"Updater.exe\" binary.\r\nAt launch, \"CrashReporter.exe\" first checks for the “Maintain” parameter and if not found, exits the program to likely evade\r\ndetection in a sandbox environment. 
The malware collects basic victim information and encrypts the data with the\r\nhardcoded XOR key “X,%`PMk--Jj8s+6=15:20:11.\"\r\nThe encrypted data is sent to “hxxps[:]//beastgoc.com/grepmonux.php” with a multipart form data separator “--\r\nwMKBUqjC7ZMG5A5g.\"\r\nThe malware’s capabilities include reading/writing itself to various directories, querying/writing to the registry, searching for\r\nfiles, extract/decode payload, and terminating processes. \"CrashReporter.exe\" also creates a scheduled SYSTEM task named\r\n\"JMTCrashReporter,\" which runs the \"CrashReporter.exe\" program with the “Maintain” parameter at the login of any user.\r\nScreenshots\r\nFigure 3 - Hard-coded XOR key and XOR encryption.\r\nFigure 4 - Screenshot of the \"JMTCrashReporter\" scheduled task.\r\nbeastgoc.com\r\nTags\r\ncommand-and-control\r\nURLs\r\nhttps[:]//beastgoc.com/grepmonux.php\r\nWhois\r\nWhois information for the domain beastgoc.com on October 11, 2019 was as follows:\r\nRegistrar: NameCheap\r\nCreated Date: July 19, 2019\r\nExpiration Date: July 19, 2020\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b\r\nPage 7 of 13\n\nRelationships\r\nbeastgoc.com Connected_From 9bf8e8ac82b8f7c3707eb12e77f94cd0e06a972658610d136993235cbfa53641\r\nbeastgoc.com Connected_From e352d6ea4da596abfdf51f617584611fc9321d5a6d1c22aff243aecdef8e7e55\r\nDescription\r\nThe site \"beastgoc.com\" had a valid digital signature signed by Sectigo. This is a “Domain Control Validated” signature,\r\nwhich is the lowest level of validation. 
The domain was registered at the IP address 185.228.83.32 with ASN 205406.\r\n4d6078fc1ea6d3cd65c3ceabf65961689c5bc2d81f18c55b859211a60c141806\r\nTags\r\nbackdoortrojan\r\nDetails\r\nName jmttrader_mac.dmg\r\nSize 13583316 bytes\r\nType zlib compressed data\r\nMD5 39cdf04be2ed479e0b4489ff37f95bbe\r\nSHA1 74390fba9445188f2489959cb289e73c6fbe58e4\r\nSHA256 4d6078fc1ea6d3cd65c3ceabf65961689c5bc2d81f18c55b859211a60c141806\r\nSHA512 d04bc9adbe56414ec2cba134ebf8af42ef79495a89748367464e73c6dd69fd978a194df23a646ff90d45114bf68a93f580cd540ba3b600a652\r\nssdeep 393216:sEFxMIZkTx7Nzm4qbicUC7Gk6RH1NBTtJRr49Hg4pgl:sEFiIYw4u8HxTDOi\r\nEntropy 7.997633\r\nAntivirus\r\nAhnlab Backdoor/OSX.NukeSped\r\nAntiy Trojan/Win32.Casdet\r\nAvira OSX/W97M.CVE-2017-8759.wrdas\r\nBitDefender Trojan.MAC.Lazarus.G\r\nComodo Malware\r\nCyren Trojan.HUJK-1\r\nESET OSX/NukeSped.B trojan\r\nEmsisoft Trojan.MAC.Lazarus.G (B)\r\nIkarus Trojan.Win32.Casdet\r\nLavasoft Trojan.MAC.Lazarus.G\r\nMcAfee OSX/Nukesped.d\r\nMicrosoft Security Essentials Trojan:MacOS/NukeSped.A!MTB\r\nSophos OSX/Lazarus-E\r\nSymantec OSX.Trojan.Gen\r\nTrendMicro Backdoo.6FE2634B\r\nTrendMicro House Call Backdoo.6FE2634B\r\nZillya! Backdoor.Agent.OSX.57\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b\r\nPage 8 of 13\n\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n4d6078fc1e... Downloaded_From jmttrading.org\r\n4d6078fc1e... Contains 7ea6391c11077a0f2633104193ec08617eb6321a32ac30c641f1650c35eed0ea\r\n4d6078fc1e... Contains e352d6ea4da596abfdf51f617584611fc9321d5a6d1c22aff243aecdef8e7e55\r\nDescription\r\nThis OSX program from the JMTTrader GitHub is an Apple DMG installer. The OSX program has very similar\r\nfunctionality to the Windows program, but does not have a digital signature. 
Again, the installer appears to be legitimate and\r\ninstalls both JMTTrader in the “/Applications/JMTTrader.app/Contents/MacOS/” folder and a hidden program named\r\n“.CrashReporter” in the “/Applications/JMTTrader.app/Contents/Resources/” folder. The installer contains a postinstall\r\nscript (see Figure 5).\r\nThis postinstall script has similar functionality to the postinstall script of the first version but has a few additional features. It\r\nstill moves the hidden plist file (.com.jmttrading.plist) to the LaunchDaemons folder, but also changes the file permissions\r\non the plist. Once in the LaunchDaemons folder, this program will be run on system load as root for every user, which will\r\nlaunch the CrashReporter program with the Maintain parameter.\r\nThe postinstall script also moves the “.CrashReporter” program to a new location “/Library/JMTTrader/CrashReporter” and\r\nmakes it executable. Like CelasTradePro, as the LaunchDaemon will not run automatically after the plist file is moved, the\r\npostinstall script then launches the CrashReporter program with the Maintain parameter and runs it in the background (\u0026).\r\nThe package also has “Developed by Gary Mendez. 
JMTTrading Group” in the Info.plist properties file.\r\nScreenshots\r\nFigure 5 - Screenshot of the postinstall script included in OSX JMTTrader installer.\r\nFigure 6 - Screenshot of the \"com.jmttrading.plist\" file.\r\n7ea6391c11077a0f2633104193ec08617eb6321a32ac30c641f1650c35eed0ea\r\nTags\r\ntrojan\r\nDetails\r\nName JMTTrader\r\nSize 3585364 bytes\r\nType Mach-O 64-bit x86_64 executable, flags:\u003cNOUNDEFS|DYLDLINK|TWOLEVEL|WEAK_DEFINES|BINDS_TO_WEAK|PIE\u003e\r\nMD5 ffc2a7073ba362b295357ac6e782634a\r\nSHA1 6d13e85cd812e249ab950ec405e84289de9cfe5e\r\nSHA256 7ea6391c11077a0f2633104193ec08617eb6321a32ac30c641f1650c35eed0ea\r\nSHA512 1d14e41e306816323fcaa54fb7f420148c50fc0388a86178a41ce63c9fc5b1f29d2614d9c8445a13198c6920d4bded3dbf48641ee4795dbef4\r\nssdeep 98304:rDhoAFpEA86GIleAdNH2vFywLw6mkJarN+8GSy:b5HrNiSy\r\nEntropy 6.796243\r\nAntivirus\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b\r\nPage 9 of 13\n\nNo matches found.\nYARA Rules\nNo matches found.\nssdeep Matches\nNo matches found.\nRelationships\n7ea6391c11... Contained_Within 4d6078fc1ea6d3cd65c3ceabf65961689c5bc2d81f18c55b859211a60c141806\nDescription\nThis OSX sample was contained within Apple DMG Installer \"JMTTrader_Mac.dmg.\" When executed, JMTTrader has\nidentical functionality and appearance to the Windows JMTTrader.exe. It asks for the user’s exchange and loads a legitimate\ncryptocurrency trading application with no signs of malicious activity. 
While the appearance has changed slightly from the\nCelasTradePro application, JMTTrader is close in appearance to both CelasTradePro and QT Bitcoin Trader, and is likely a\nmodification of the OSX QT Bitcoin Trader.\nIn addition to similar appearance, many strings found in JMTTrader have QT Bitcoin Trader references and parameters\nbeing set to “JMT Trader” including but not limited to:\n--Begin similarities--\nString_ABOUT_QT_BITCOIN_TRADER_TEXT=JMT Trader\nString_ABOUT_QT_BITCOIN_TRADER_TEXT=JMT Trader is a free Open Source project  \ndeveloped on pure C++\nQt and OpenSSL.\nUser-Agent: Qt Bitcoin Trader v1.40.42\nJuly IGHOR (note: Ighor July is one of the developers of QT Bitcoin Trader)\n--End similarities--\nThe strings also reference the name “Gary Mendez” with email garyhmendez@yahoo.com as the author of JMTTrader.exe.\nThere is also reference to an additional GitHub repository under the name Gary Mendez\n“github.com/garymendez/JMTTrader/issues.\"\nWhile the JMTTrader application is likely a modification of QT Bitcoin Trader, the legitimate QT Bitcoin Trader DMG for\nOSX does not contain the postinstall script nor the plist file which creates a LaunchDaemon. 
When executed, only\nQTBitcoinTrader will be installed, and no additional programs will be created, installed, or launched.\nIn contrast, the JMTTrader DMG contains the CelasTradePro OSX executable, the modified version of QT Bitcoin Trader,\nas well as the additional CrashReporter OSX executable not included with the original QT Bitcoin Trader.\ne352d6ea4da596abfdf51f617584611fc9321d5a6d1c22aff243aecdef8e7e55\nTags\ntrojan\nDetails\nName CrashReporter\nSize 39168 bytes\nType Mach-O 64-bit x86_64 executable, flags: MD5 6058368894f25b7bc8dd53d3a82d9146\nSHA1 8644da026f9e8873dd8699bd68c77a25001be726\nSHA256 e352d6ea4da596abfdf51f617584611fc9321d5a6d1c22aff243aecdef8e7e55\nSHA512 d849270a89d8ab52006dd92557d82e9966ecb9a8958a1e84510ef67bc085fa4f6eb7142c0b045e3aa9932e5a270981aba7f3fc147222d9277\nssdeep 384:TgSifNpZ0XMY923gMnldxdzd7tmEtP0lLnXjXZfV:TgTFp8EgMD9WXj\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b\nPage 10 of 13\n\nEntropy 2.672204\r\nAntivirus\r\nAhnlab OSX/Agent\r\nAntiy Trojan/Mac.NukeSped\r\nAvira OSX/Agent.qhhyt\r\nBitDefender Trojan.MAC.Agent.DU\r\nClamAV Osx.Malware.Agent-7335874-0\r\nESET OSX/NukeSped.B trojan\r\nEmsisoft Trojan.MAC.Agent.DU (B)\r\nIkarus Trojan.OSX.Agent\r\nLavasoft Trojan.MAC.Agent.DU\r\nMcAfee OSX/Nukesped.a\r\nMicrosoft Security Essentials Trojan:MacOS/NukeSped.A!MTB\r\nNANOAV Trojan.Mac.NukeSped.gdjieu\r\nQuick Heal MacOS.Trojan.39995.GC\r\nSophos OSX/Lazarus-E\r\nSymantec OSX.Trojan.Gen\r\nTrendMicro Trojan.BC5298BA\r\nTrendMicro House Call Trojan.BC5298BA\r\nZillya! Trojan.NukeSped.OSX.2\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\ne352d6ea4d... Contained_Within 4d6078fc1ea6d3cd65c3ceabf65961689c5bc2d81f18c55b859211a60c141806\r\ne352d6ea4d... 
Connected_To beastgoc.com\r\nDescription\r\nThis OSX sample was contained within Apple DMG Installer \"JMTTrader_Mac.dmg.\" CrashReporter likely functions very\r\nsimilarly to the Windows CrashReporter.exe program, but unlike the Windows program, it is not obfuscated. This lack of\r\nobfuscation makes it easier to determine the program’s functionality in detail.\r\nUpon launch, the malware checks for the “Maintain” parameter, and will exit if the parameter is not found, likely to avoid\r\nsandbox analysis.\r\nCrashReporter then creates a randomly generated token (identifier) and collects the binary’s version and process ID to send\r\nto the server. This data is XOR encrypted with the hard-coded key “X,%`PMk--Jj8s+6=\\x02” (last value is a non-printable\r\nASCII character which is hexadecimal \\x02). While the key is different than the XOR key for the Windows sample, the first\r\n16 bytes are the same.\r\nThe encrypted data is sent to the same C2 server as the Windows sample at hxxps[:]//beastgoc.com/grepmonux.php with the\r\nmultipart data form separator “jGzAcN6k4VsTRn9”. CrashReporter also has a hard-coded user-agent string: “Mozilla/5.0\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b\r\nPage 11 of 13\n\n(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36” along\r\nwith other hard-coded values sent with the data including “token,\" “query,\" and “mont.jpg.\"\r\nIf CrashReporter receives a response with the HTTP code 200 (successful), it will invoke another function which will wait\r\nfor tasking from the C2 server. When a tasking is received, the function decrypts the data with the same hardcoded XOR key\r\nand processes the tasking. 
Accepted tasking commands include the following:\r\n--Begin accepted tasking commands--\r\n“exit”: this command will cause CrashReporter to gracefully exit\r\n“up”: this command will upload a file from the C2 server to the infected host\r\n“stand ”: this command will execute commands from the server via the shell using the popen API (the \"popen()\" function\r\nopens a process by creating a bidirectional pipe, forking, and invoking the shell)\r\n--End accepted tasking commands--\r\nThese possible commands from the C2 server give the remote attacker full control over the OSX system. It is likely that the\r\nfunctionality of the Windows CrashReporter.exe is the same as this OSX malware, as the original AppleJeus had the same\r\nfunctionality on both operating systems.\r\nScreenshots\r\nFigure 7 - Screenshot of the maintain parameter verification in CrashReporter.\r\nFigure 8 - Screenshot of the hard-coded XOR key and XOR encryption.\r\nFigure 9 - Screenshot of various hard-coded values in CrashReporter.\r\nRelationship Summary\r\n07c38ca1e0... Downloaded_From jmttrading.org\r\n07c38ca1e0... Contains 081d1739422bf050755e6af269a717681274821cea8becb0962d4db61869c5d6\r\n07c38ca1e0... Contains 9bf8e8ac82b8f7c3707eb12e77f94cd0e06a972658610d136993235cbfa53641\r\njmttrading.org Downloaded_To 4d6078fc1ea6d3cd65c3ceabf65961689c5bc2d81f18c55b859211a60c141806\r\njmttrading.org Downloaded_To 07c38ca1e0370421f74c949507fc0d21f4cfcb5866a4f9c0751aefa0d6e97542\r\n081d173942... Contained_Within 07c38ca1e0370421f74c949507fc0d21f4cfcb5866a4f9c0751aefa0d6e97542\r\n9bf8e8ac82... Contained_Within 07c38ca1e0370421f74c949507fc0d21f4cfcb5866a4f9c0751aefa0d6e97542\r\n9bf8e8ac82... Connected_To beastgoc.com\r\nbeastgoc.com Connected_From 9bf8e8ac82b8f7c3707eb12e77f94cd0e06a972658610d136993235cbfa53641\r\nbeastgoc.com Connected_From e352d6ea4da596abfdf51f617584611fc9321d5a6d1c22aff243aecdef8e7e55\r\n4d6078fc1e... Downloaded_From jmttrading.org\r\n4d6078fc1e... 
Contains 7ea6391c11077a0f2633104193ec08617eb6321a32ac30c641f1650c35eed0ea\r\n4d6078fc1e... Contains e352d6ea4da596abfdf51f617584611fc9321d5a6d1c22aff243aecdef8e7e55\r\n7ea6391c11... Contained_Within 4d6078fc1ea6d3cd65c3ceabf65961689c5bc2d81f18c55b859211a60c141806\r\ne352d6ea4d... Contained_Within 4d6078fc1ea6d3cd65c3ceabf65961689c5bc2d81f18c55b859211a60c141806\r\ne352d6ea4d... Connected_To beastgoc.com\r\nConclusion\r\nSoon after October 11, 2019, the files on GitHub were updated to clean, non-malicious installers. Then on October 13, 2019,\r\na different cyber security organization published an article detailing the OSX JMTTrader, and soon after the C2\r\n\"beastgoc.com\" went offline. There is not a confirmed sample of the payload to analyze at this point.\r\nRecommendations\r\nCISA recommends that users and administrators consider using the following best practices to strengthen the security\r\nposture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b\r\nPage 12 of 13\n\nprior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. 
Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to execution.\r\nMaintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\r\nAdditional information on malware incident prevention and handling can be found in National Institute of Standards and\r\nTechnology (NIST) Special Publication 800-83, \"Guide to Malware Incident Prevention \u0026 Handling for Desktops and\r\nLaptops\".\r\nContact Information\r\nDocument FAQ\r\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in\r\na timely manner. In most instances this report will provide initial indicators for computer and network defense. To request\r\nadditional analysis, please contact CISA and provide information regarding the level of desired analysis.\r\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? 
This document is not to be edited in any way by recipients. All comments or questions related to\r\nthis document should be directed to CISA at 1-844-Say-CISA or CISA Central.\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.\r\nSource: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b\r\nPage 13 of 13",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b"
	],
	"report_names": [
		"ar21-048b"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434752,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ba7cfac43a2bb2a0cbba14d6998485ee57eee182.pdf",
		"text": "https://archive.orkl.eu/ba7cfac43a2bb2a0cbba14d6998485ee57eee182.txt",
		"img": "https://archive.orkl.eu/ba7cfac43a2bb2a0cbba14d6998485ee57eee182.jpg"
	}
}