{
	"id": "19c74e96-c9df-4c24-b57a-8b24798866d7",
	"created_at": "2026-04-06T02:12:48.079737Z",
	"updated_at": "2026-04-10T03:31:23.858391Z",
	"deleted_at": null,
	"sha1_hash": "bb1da248ee627240404e4921d042e5324d258955",
	"title": "ShrinkLocker Malware: Abusing BitLocker to Lock Your Data | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9347515,
	"plain_text": "ShrinkLocker Malware: Abusing BitLocker to Lock Your Data |\r\nSplunk\r\nBy Splunk Threat Research Team, Teoderick Contreras\r\nPublished: 2024-09-05 · Archived: 2026-04-06 02:09:11 UTC\r\nShrinkLocker is one of the newly identified ransomware strains that exploits BitLocker, a legitimate Windows feature,\r\nto encrypt targeted volumes or data. Unlike typical ransomware that uses custom encryption methods,\r\nShrinkLocker abuses BitLocker to create a secure boot partition, locking users out of their data unless a ransom is\r\npaid. This tactic not only complicates decryption efforts but also highlights the evolving methods ransomware\r\ndevelopers use to compromise and secure their grip on targeted systems.\r\nIn May 2024, Bleeping Computer and Kaspersky shared blogs presenting their analysis of this ransomware strain,\r\noffering insights into its operation and impact. Unfortunately, we were unable to obtain the specific samples they\r\nanalyzed and referenced in their blogs.\r\nHowever, the Splunk Threat Research Team managed to acquire other samples of ShrinkLocker. Using these\r\nsamples, we were able to conduct analysis and extract its tactics and techniques. This allowed us to develop and\r\ntest detection methods that help our customers effectively protect against this evolving threat. Our findings and\r\nmethodologies are documented in this blog to aid the cybersecurity community in combating ShrinkLocker\r\neffectively.\r\nTactics And Techniques\r\nReconnaissance\r\nThis malware begins its operation by determining the operating system of the compromised or targeted host. It\r\nachieves this by executing a Windows Management Instrumentation Command-line (WMIC) query: SELECT *\r\nFROM Win32_OperatingSystem. 
The malware then evaluates whether the operating system matches any of the\r\nfollowing versions:\r\nWindows XP\r\nWindows 2000\r\nWindows 2003\r\nWindows Vista\r\nIf the operating system is one of the above, the malware proceeds to delete a specific script file located at\r\nC:\\Programdata\\Microsoft\\Windows\\Templates\\disk.vbs.\r\nAs illustrated in Figure 01, the two sample variants of this malware exhibit different behaviors. One variant\r\nperforms an additional check by querying the DomainDNSName of the compromised host using the\r\nADSystemInfo object. This check ensures that the malware is operating within the intended target domain. If the\r\nhttps://www.splunk.com/en_us/blog/security/shrinklocker-malware-abusing-bitlocker-to-lock-your-data.html\r\nPage 1 of 15\n\ndomain name matches the target criteria, the malware proceeds with its malicious activities; otherwise, it exits\r\nits main function.\r\nFigure 01: OS and DomainDNSName Checking\r\nDefense Evasion\r\nModify Registry (T1112)\r\nAs part of its payload, this malware modifies or adds registry entries related to Remote Desktop Protocol (RDP)\r\nconnections, smart card authentication, and Trusted Platform Module (TPM) settings. These changes are intended\r\nto manipulate system configurations to suit the malware's objectives, potentially compromising security measures\r\nand enabling data destruction. The chart below lists the specific registry entries that the malware modifies.\r\nThe code block below illustrates the script code of the ShrinkLocker malware. 
In addition to modifying the\r\nregistry entries listed above, it also attempts to install BitLocker using either the ServerManagerCmd command or\r\nPowerShell.\r\n# install Bitlocker via ServerManagerCmd\r\nServerManagerCmd -install BitLocker -allSubFeatures\r\n# install Bitlocker via powershell\r\npowershell.exe -Command Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools\r\nThis technique is unique in that it checks for the object ID of 266, which helps determine if the BitLocker feature is\r\nenabled:\r\n## checking of bitlocker feature\r\nSELECT * FROM Win32_ServerFeature where ID = 266\r\nFigure 02: Registry Modification\r\nAfter satisfying its initial conditions for execution, the ShrinkLocker malware performs additional checks on the\r\noperating system. Specifically, if it identifies the system as Windows Server 2008 or Windows 7, the malware\r\nproceeds to tamper with BitLocker encryption settings by disabling key protectors associated with the encryption\r\nkeys. This action aims to undermine BitLocker's security measures and facilitate the deletion of encryption keys,\r\nthereby compromising the integrity of encrypted data.\r\nFigure 03: Deletion of BitLocker Encryption Key\r\nImpact\r\nData Encrypted for Impact (T1486)\r\nAs part of its data destruction and encryption process, ShrinkLocker checks if the BitLocker Drive Encryption\r\nTools service (BDESVC) is running on the compromised host by using a WMIC query. 
If the service is not\r\nrunning, ShrinkLocker attempts to start it.\r\nFigure 04: BitLocker Service Checking\r\nData Destruction (T1485)\r\nDepending on the operating system check, as illustrated in Figure 05 (applicable to either Windows Server 2008 or\r\nWindows Server 2012), the ShrinkLocker malware initiates a destructive payload aimed at compromising the data\r\nintegrity of the host system. If the DriveType is identified as 3 (Fixed Drive), the malware proceeds with the\r\nfollowing sequence of actions:\r\n1. Data Destruction Preparation\r\nInitially, ShrinkLocker retrieves and records essential information about the primary boot partition, including the\r\nDisk Index. This information is crucial for subsequent operations involving disk resizing.\r\n2. Disk Resizing Process\r\nUsing the WMIC query results to identify local or fixed drives, the malware proceeds to shrink each non-boot\r\npartition by 100MB using the diskpart utility. This operation creates a 100MB unallocated space partition\r\nadjacent to the boot volume.\r\n3. Partition Formatting and Drive Letter Assignment\r\nUpon successful resizing, ShrinkLocker formats the newly allocated partitions and assigns drive letters to\r\nfacilitate access and potential further manipulation of these partitions.\r\nFigure 05: Disk Resizing and Shrinking\r\nTo ensure system bootability after partition modification, the malware employs the BCDBoot utility. It reinstalls\r\nthe necessary boot files using the previously saved drive letter of the boot volume, thereby configuring the new\r\nprimary partitions for boot operation.\r\nThese actions collectively aim to disrupt system functionality and compromise data integrity on the infected\r\nmachine. 
By resizing partitions, creating unallocated space, and reconfiguring boot files, ShrinkLocker seeks to\r\nrender the system unstable and potentially irreparable, posing significant challenges for recovery and forensic\r\nanalysis efforts.\r\nFigure 06: BCDBoot Setup\r\nDefacement (T1491)\r\nFigure 07 depicts the code snippet from the ShrinkLocker malware, illustrating how it modifies the disk label on\r\nthe compromised host. This alteration includes embedding an email address through which the user can potentially\r\ncontact the attacker to discuss file recovery options.\r\nFigure 07: Modify Disk Label\r\nFigure 08 shows the modified disk label as observed in Splunk Attack Range during our analysis and testing, after\r\nwe modified the ShrinkLocker malware code.\r\nFigure 08: Modify Disk Label\r\nExfiltration\r\nExfiltration Over C2 Channel (T1041)\r\nShrinkLocker generates a random encryption key using a combination of system parameters from the\r\ncompromised host, including TotalUsedSpace, TotalFreeSpace, FreeMemory, network information, and the current\r\ntimestamp. Figure 09 illustrates the function employed by ShrinkLocker for generating this encryption key.\r\nFigure 09: Generate Encryption Key\r\nThrough modifications of the ShrinkLocker malware code, the Splunk Threat Research Team was able to print one\r\nof the potential encryption keys based on the Splunk Attack Range test lab we used during our analysis.\r\nFigure 10: Example of Encryption Key\r\nFigure 11 illustrates how ShrinkLocker utilizes trycloudflare, a free one-time trial Cloudflare domain, as a\r\ncommand and control server (C2). This technique has been utilized since at least August 2023, per\r\nBleepingComputer. 
It sends system information as a beacon along with the encryption key to this domain.\r\nFigure 11: C2 Communication\r\nIndicator Removal (T1070)\r\nAfter executing its full payload on the compromised host, ShrinkLocker displays a notable defensive measure by\r\nattempting to erase its tracks. Figure 12 shows a section of the ShrinkLocker code dedicated to removing various\r\nindicators of its presence.\r\nThe malware initiates the following actions:\r\n1. Deletion of Windows PowerShell Audit Logs: ShrinkLocker targets and removes logs associated with\r\nPowerShell, aiming to obscure any traces of its PowerShell-based activities.\r\n2. Deletion of All Firewall Rules: The malware systematically eliminates all existing firewall rules.\r\n3. Deletion of Scheduled Tasks: Specifically, tasks named 'Disk' and 'Copy' are targeted for deletion. These\r\ntasks may have been utilized by ShrinkLocker for regular operations or as part of its persistence\r\nmechanism. Removing them helps the malware evade detection and hinders forensic analysis efforts.\r\nFigure 12: Defense Evasion - Indicator Removal\r\nSimulation\r\nThe Splunk Threat Research Team has developed tools and Atomic Red Team tests designed to help blue teamers\r\nand defenders strengthen their defenses against this type of threat. 
These atomic simulations are invaluable for\r\nensuring the effectiveness of detection mechanisms and for fine-tuning them to enhance their accuracy.\r\nThe use of these atomic tests allows security teams to validate their detection capabilities and identify areas for\r\nimprovement.\r\nBelow is a table listing the atomic tests relevant to this threat:\r\nSecurity Content\r\nWindows Modify Registry on Smart Card Group Policy\r\nThis detection identifies suspicious registry modifications targeting the \"scforceoption\" key. Altering\r\nthis key enforces smart card login for all users, potentially disrupting normal access methods. Unauthorized\r\nchanges to this setting could indicate an attempt to restrict access or force a specific authentication method,\r\npossibly signifying malicious intent to manipulate system security protocols.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=E\r\n where Registry.registry_path= \"*\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\scforceoption*\"\r\nRegistry.registry_value_data=\"0x00000001\"\r\n by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.actio\r\n | `drop_dm_object_name(Registry)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nFigure 13: Smart Card Group Policy Detections\r\nWindows Modify Registry Configure BitLocker\r\nThis detection identifies suspicious registry modifications targeting BitLocker settings. 
ShrinkLocker alters various registry keys to change how BitLocker handles encryption, potentially bypassing\r\nTPM requirements, enabling BitLocker without a TPM, and enforcing specific startup key and PIN configurations.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=E\r\n where (Registry.registry_path= \"*\\\\Policies\\\\Microsoft\\\\FVE\\\\*\" Registry.registry_value_name IN(\"EnableBDEWith\r\n (Registry.registry_path= \"*\\\\Policies\\\\Microsoft\\\\FVE\\\\*\" Registry.registry_value_name IN(\"UsePIN\", \"UsePartia\r\n by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.actio\r\n | `drop_dm_object_name(Registry)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nFigure 14: Configure BitLocker Detections\r\nWindows Modify Registry Disable Remote Desktop Protocol\r\nThis detection identifies suspicious registry modifications that disable Remote Desktop Protocol\r\n(RDP) by altering the \"fDenyTSConnections\" key. 
Changing this key's value to 1 prevents remote connections,\r\nwhich can disrupt remote management and access.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=E\r\n where Registry.registry_path= \"*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections*\" Registry.registry_value_data=\r\n by Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_data Registry.actio\r\n | `drop_dm_object_name(Registry)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nFigure 15: Disable RDP Detections\r\nSuspicious wevtutil Usage\r\nThe following detection identifies the usage of wevtutil.exe with parameters for clearing event logs such as\r\nApplication, Security, Setup, Trace, or System. It leverages data from Endpoint Detection and Response (EDR)\r\nagents, focusing on process names and command-line arguments. 
This activity is significant because clearing\r\nevent logs can be an attempt to cover tracks after malicious actions, hindering forensic investigations.\r\n| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_tim\r\n where Processes.process_name=wevtutil.exe Processes.process IN (\"* cl *\", \"*clear-log*\", \"* -cl *\") Processes.\r\n by Processes.parent_process_name Processes.parent_process Processes.process Processes.process_guid Processes.p\r\n | `drop_dm_object_name(Processes)`\r\n | `security_content_ctime(firstTime)`\r\n |`security_content_ctime(lastTime)`\r\nFigure 16: Suspicious wevtutil Usage Detections\r\nScheduled Task Deleted Or Created via CMD\r\nThis detection focuses on identifying the creation or deletion of scheduled tasks using the schtasks.exe utility with\r\nthe corresponding command-line flags (-create or -delete), which could indicate malicious intent or unauthorized\r\nsystem manipulation. This technique has been notably associated with threat actors like Dragonfly and the\r\nSUNBURST attack against SolarWinds.\r\n| tstats `security_content_summariesonly` count values(Processes.process)\r\n as process values(Processes.parent_process) as parent_process min(_time) as firstTime\r\n max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe\r\n (Processes.process=*delete* OR Processes.process=*create*) by Processes.user Processes.process_name\r\n Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)`\r\n | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`\r\nFigure 17: Create or Delete Scheduled Tasks Detections\r\nWindows Delete or Modify System Firewall\r\nThe following detection identifies 'netsh' processes that delete or modify firewall configurations. 
It leverages data\r\nfrom EDR agents, focusing on command-line executions containing specific keywords. This activity is significant\r\nbecause it can indicate malware attempting to alter firewall settings to evade detection or remove traces.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=E\r\n where `process_netsh` Processes.process = \"* firewall *\" Processes.process = \"* del*\"\r\n by Processes.parent_process Processes.parent_process_name Processes.process_name Processes.process_id Processe\r\n | `drop_dm_object_name(\"Processes\")`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nFigure 18: Delete or Modify System Firewall Detections\r\nWindows Modify Registry to Add or Modify Firewall Rule\r\nThe following detection identifies a potential addition or modification of firewall rules, signaling possible\r\nconfiguration changes or security policy adjustments. It tracks commands such as “netsh advfirewall firewall add\r\nrule” and “netsh advfirewall firewall set rule,” which may indicate attempts to alter network access controls.\r\nMonitoring these actions ensures the integrity of firewall settings and helps prevent unauthorized network access.\r\n| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry\r\n WHERE Registry.registry_path= \"*\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolic\r\n BY _time span=1h Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.regis\r\n | `drop_dm_object_name(Registry)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nFigure 19: Add or Modify Firewall Rule Detections\r\nWscript Or Cscript Suspicious Child Process\r\nThis detection identifies a suspicious spawned 
child process of WScript or CScript. Adversaries and malware commonly use this technique to execute\r\nvarious LOLBINs, run other scripts such as PowerShell, or spawn a suspended process to inject code into it as a defense\r\nevasion measure. This detection may also match a benign script that uses several of the application tools in its child\r\nprocess list, but it can still be a good pivot and indicator that a script may be executing suspicious code.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)\r\n as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name\r\n IN (\"cscript.exe\", \"wscript.exe\") Processes.process_name IN (\"regsvr32.exe\", \"rundll32.exe\",\"winhlp32.exe\",\"ce\r\n by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process\r\n Processes.process_name Processes.process Processes.process_id Processes.parent_process_id\r\n | `drop_dm_object_name(Processes)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nFigure 20: Wscript Or Cscript Suspicious Child Process Detections\r\nWindows Modify Registry Delete Firewall Rules\r\nThe following detection identifies a potential deletion of firewall rules, indicating a possible security breach or\r\nunauthorized access attempt. It identifies actions where firewall rules are removed using commands like “netsh\r\nadvfirewall firewall delete rule,” which can expose the network to external threats by disabling critical security\r\nmeasures. 
Monitoring these activities helps maintain network integrity and prevent malicious attacks.\r\n`sysmon` EventCode=12 TargetObject = \"*\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\Firewal\r\n| rename Computer as dest\r\n| rename User as user\r\n| stats count min(_time) as firstTime max(_time) as lastTime by EventCode EventType TargetObject Image user des\r\n| `security_content_ctime(firstTime)`\r\n| `security_content_ctime(lastTime)`\r\nFigure 21: Modify Registry to Delete Firewall Rules Detections\r\nIOC\r\nLearn More\r\nThis blog helps security analysts, blue teamers and Splunk customers identify ShrinkLocker malware by enabling\r\nthe community to discover related tactics, techniques, and procedures used by threat actors and adversaries. You\r\ncan implement the detections in this blog using the Enterprise Security Content Updates app or the Splunk\r\nSecurity Essentials app. To view the Splunk Threat Research Team's complete security content repository, visit\r\nresearch.splunk.com.\r\nFeedback\r\nAny feedback or requests? Feel free to put in an issue on Github and we’ll follow up. Alternatively, join us on the\r\nSlack channel #security-research. 
Follow these instructions if you need an invitation to our Splunk user groups on\r\nSlack.\r\nContributors\r\nWe would like to thank Teoderick Contreras for authoring this post and the entire Splunk Threat Research Team\r\nfor their contributions: Michael Haag, Jose Hernandez, Lou Stella, Bhavin Patel, Rod Soto, Eric McGinnis,\r\nPatrick Bareiss and Gowthamaraj Rajendran.\r\nReferences\r\nhttps://github.com/dsccommunity/xBitlocker/issues/51\r\nhttps://securelist.com/ransomware-abuses-bitlocker/112643/\r\nSource: https://www.splunk.com/en_us/blog/security/shrinklocker-malware-abusing-bitlocker-to-lock-your-data.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/shrinklocker-malware-abusing-bitlocker-to-lock-your-data.html"
	],
	"report_names": [
		"shrinklocker-malware-abusing-bitlocker-to-lock-your-data.html"
	],
	"threat_actors": [
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441568,
	"ts_updated_at": 1775791883,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bb1da248ee627240404e4921d042e5324d258955.pdf",
		"text": "https://archive.orkl.eu/bb1da248ee627240404e4921d042e5324d258955.txt",
		"img": "https://archive.orkl.eu/bb1da248ee627240404e4921d042e5324d258955.jpg"
	}
}