{
	"id": "2f7e4ce6-d049-4c5f-a380-5c0aeb88472c",
	"created_at": "2026-04-06T00:14:50.650815Z",
	"updated_at": "2026-04-10T03:30:33.795335Z",
	"deleted_at": null,
	"sha1_hash": "bc564f2e5dc0adcfbf0645fd7bb6d6d13894880e",
	"title": "Some URL shortener services distribute Android malware, including banking or SMS trojans",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2701215,
	"plain_text": "Some URL shortener services distribute Android malware,\r\nincluding banking or SMS trojans\r\nBy Lukas Stefanko\r\nArchived: 2026-04-05 21:30:20 UTC\r\nWe hope you already know that you shouldn’t click on just any URLs. You might be sent one in a message;\r\nsomebody might insert one under a social media post or you could be provided with one on basically any website.\r\nUsers or websites providing these links might use URL shortener services. These are used to shorten long URLs,\r\nhide original domain names, view analytics about the devices of visitors, or in some cases even monetize their\r\nclicks.\r\nMonetization means that when someone clicks on such a link, an advertisement, such as the examples in Figure 1,\r\nwill be displayed that will generate revenue for the person who generated the shortened URL. The problem is that\r\nsome of these link shortener services use aggressive advertising techniques such as scareware ads: informing users\r\ntheir devices are infected with dangerous malware, directing users to download dodgy apps from the Google Play\r\nstore or to participate in shady surveys, delivering adult content, offering to start premium SMS service\r\nsubscriptions, enabling browser notifications, and making dubious offers to win prizes.\r\nWe've even seen link shortener services pushing “calendar” files to iOS devices and distributing Android malware\r\n– indeed, we discovered one piece of malware we named Android/FakeAdBlocker, which downloads and executes\r\nadditional payloads (such as banking trojans, SMS trojans, and aggressive adware) received from its C\u0026C server.\r\nBelow we describe the iOS calendar-event-creating downloads and how to recover from them, before spending\r\nmost of the blogpost on a detailed analysis of the distribution of Android/FakeAdBlocker and, based on our\r\ntelemetry, its alarming number of detections. 
This analysis is mainly focused on the functionality of the adware\r\npayload and, since it can create spam calendar events, we have included a brief guide detailing how to\r\nautomatically remove them and uninstall Android/FakeAdBlocker from compromised devices.\r\nhttps://www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/\r\nPage 1 of 22\n\nFigure 1. Examples of shady aggressive advertisements\r\nDistribution\r\nContent displayed to the victim from monetized link shorteners can differ based on the running operating system.\r\nFor instance, if a victim clicked on the same link on a Windows device and on a mobile device, a different website\r\nwould be displayed on each device. Besides websites, they could also offer an iOS device user to download an\r\nICS calendar file, or an Android device user to download an Android app. Figure 2 outlines options we have seen\r\nin the campaign analyzed here.\r\nFigure 2. Malware distribution process\r\nWhile some advertisements and Android applications served by these monetized shortened links are legitimate, we\r\nobserved that the majority lead to shady or unwanted behavior.\r\niOS targets\r\nOn iOS devices, besides flooding victims with unwanted ads, these websites can create events in victims’\r\ncalendars by automatically downloading an ICS file. As the screenshots in Figure 3 show, victims must first tap\r\nthe subscribe button to spam their calendars with these events. 
However, the calendar name “Click OK To\r\nContinue (sic)” is not revealing the true content of those calendar events and only misleads the victims into\r\ntapping the Subscribe and Done button.\r\nThese calendar events falsely inform victims that their devices are infected with malware, hoping to induce\r\nvictims to click on the embedded links, which lead to more scareware advertisements.\r\nFigure 3. Scam website requests user to subscribe to calendar events on iOS platform\r\nAndroid targets\r\nFor victims on Android devices, the situation is more dangerous because these scam websites might initially\r\nprovide the victim with a malicious app to download and afterwards proceed with visiting or downloading the\r\nactual expected content searched for by the user.\r\nThere are two scenarios for Android users that we observed during our research. In the first one, when the victim\r\nwants to download an Android application other than from Google Play, there is a request to enable browser\r\nnotifications from that website, followed by a request to download an application called adBLOCK app.apk. This\r\nmight create the illusion that this adBLOCK app will block displayed advertisements in the future, but the\r\nopposite is true. This app has nothing to do with the legitimate adBLOCK application available from the official\r\nsource.\r\nWhen the user taps on the download button, the browser is redirected to a different website where the user is\r\napparently offered an ad-blocking app named adBLOCK, but ends up downloading Android/FakeAdBlocker. In\r\nother words, the victim’s tap or click is hijacked and used to download a malicious application. 
If the victim\r\nreturns to the previous page and taps on the same download button, the correct legitimate file that the intended\r\nvictim wanted is downloaded onto the device. You can watch one of the examples in the video below.\r\nIn the second Android scenario, when the victims want to proceed with downloading the requested file, they are\r\nshown a web page describing the steps to download and install an application with the name Your File Is Ready\r\nTo Download.apk. This name is obviously misleading; the name of the app is trying to make the user think that\r\nwhat is being downloaded is the app or a file they wanted to access. You can see the demonstration in the video\r\nbelow.\r\nIn both cases, a scareware advertisement or the same Android/FakeAdBlocker trojan is delivered via a URL\r\nshortener service. Such services employ the Paid to click (PTC) business model and act as intermediaries between\r\ncustomers and advertisers. The advertiser pays for displaying ads on the PTC website, where part of that payment\r\ngoes to the party that created the shortened link. As stated on one of these link shortening websites in the privacy\r\npolicy section, these ads are via their advertising partners and they are not responsible for delivered content or\r\nvisited websites.\r\nOne of the URL shortener services states in its terms of service that users should not create shortened links to\r\ntransmit files that contain viruses, spyware, adware, trojans or other harmful code. To the contrary, we have\r\nobserved that their ad partners are doing it.\r\nTelemetry\r\nBased on our detection data, Android/FakeAdBlocker was spotted for the first time in September 2019. 
Since\r\nthen, we have been detecting it under various threat names. From the beginning of this year till July 1st, we have\r\nseen more than 150,000 instances of this threat being downloaded to Android devices.\r\nFigure 4. ESET detection telemetry for Android/FakeAdBlocker\r\nFigure 5. Top ten countries by proportion of Android/FakeAdBlocker detections (January 1st – July 1st 2021)\r\nAndroid/FakeAdBlocker analysis\r\nAfter downloading and installing Android/FakeAdBlocker, the user might realize that, as seen in Figure 6, it has a\r\nwhite blank icon and, in some cases, even has no app name.\r\nFigure 6. App icon of Android/FakeAdBlocker\r\nAfter its initial launch, this malware decodes a base64-encoded file with a .dat extension that is stored in the\r\nAPK’s assets. This file contains C\u0026C server information and its internal variables.\r\nFigure 7. Decoded config file from APK assets\r\nFrom its C\u0026C server it will request another configuration file. This has a binary payload embedded, which is then\r\nextracted and dynamically loaded.\r\nFigure 8. Android/FakeAdBlocker downloads an additional payload\r\nFor most of the examples we have observed, this payload was responsible for displaying out-of-context ads.\r\nHowever, in hundreds of cases, different malicious payloads were downloaded and executed. Based on our\r\ntelemetry, the C\u0026C server returned different payloads based on the location of the device. 
The Cerberus banking\r\ntrojan was downloaded to devices in Turkey, Poland, Spain, Greece and Italy. It was disguised as Chrome,\r\nAndroid Update, Adobe Flash Player, Update Android, or Google Guncelleme app (guencelleme is Turkish for\r\n“update” so the name of the app is Google Update). In Greece we have also seen the Ginp banking trojan being\r\ndownloaded. The same malware family variant of SMS trojan was distributed in the Middle East. Besides these\r\ntrojans, Bitdefender Labs also identified the TeaBot (also known as Anatsa) banking trojan being downloaded as a\r\npayload by Android/FakeAdBlocker. Payloads are downloaded to external media storage in the files subdirectory\r\nof the parent app package name using various app names. A list of payload APK names is included in the IoCs\r\nsection.\r\nThe emerging fact that the C\u0026C server can at any time distribute different malicious payloads makes this threat\r\nunpredictable. Since all aforementioned trojans have already been analyzed, we will continue with the analysis of\r\nthe adware payload that was distributed to more than 99% of the victims. The adware payload bears many code\r\nsimilarities with the downloader so we are classifying both in the same Android/FakeAdBlocker malware family.\r\nAlthough the payloads download in the background, the victim is informed about actions happening on the mobile\r\ndevice by the activity displayed saying file is being downloaded. Once everything is set up, the\r\nAndroid/FakeAdBlocker adware payload asks the victim for permission to draw over other apps, which will later\r\nresult in it creating fake notifications to display advertisements in the foreground, and for permission to access the\r\ncalendar.\r\nFigure 9. 
Activity shown after start\r\nFigure 10. Permission request to control what is displayed in foreground\r\nFigure 11. Permission request to edit calendar events\r\nAfter all permissions are enabled, the payload silently starts to create events in Google Calendar for upcoming\r\nmonths.\r\nFigure 12. Scareware calendar events created by malware (above) and detail (below)\r\nIt creates eighteen events happening every day, each lasting 10 minutes. Their names and descriptions\r\nsuggest that the victim’s smartphone is infected, user data is exposed online or that a virus protection app is\r\nexpired. Descriptions of each event include a link that leads the victim to visit a scareware advertisement website.\r\nThat website again claims the device has been infected and offers the user to download shady cleaner applications\r\nfrom Google Play.\r\nFigure 13. Titles and descriptions of the events (left) and the reminder displayed by one of them (right)\r\nAll the event title names and their descriptions can be found in the malware’s code. Here are all scareware event\r\ntexts created by the malware, verbatim. If you find one of these in your Google Calendar, you are or were most\r\nlikely a victim of this threat.\r\n⚠ Hackers may try to steal your data!\r\nBlock ads, viruses and pop-ups on YouTube, Facebook, Google, and your favorite websites. 
CLICK THE LINK\r\nBELOW TO BLOCK ALL ADS\r\n⚠ YOUR Device can be infected with A VIRUS ⚠\r\nBlock ads, viruses and pop-ups on YouTube, Facebook, Google, and your favorite websites. CLICK THE LINK\r\nBELOW TO BLOCK ALL ADS\r\n☠️Severe Viruses have been found recently on Android devices\r\nBlock ads, viruses and pop-ups on YouTube, Facebook, Google, and your favorite websites. CLICK THE LINK\r\nBELOW TO BLOCK ALL ADS\r\n🛑 Your Phone is not Protected ?! Click To Protect it!\r\nIt's 2021 and you haven't found a way to protect your Device? Click below to fix this!\r\n⚠ Android Virus Protection Expired ?! Renew for 2021\r\nWe have all heard stories about people who got exposed to malware and expose their data at risk. Don’t be silly,\r\nprotect yourself now by clicking below!\r\n⚠ You May Be Exposed Online Click To Fix!\r\nHackers can check where you live by checking your device's IP while you are at home. Protect yourself by\r\ninstalling a VPN. Protect your self by clicking below.\r\n✅ Clear Your Device from Malicious Attacks!\r\nYour Device is not invincible from viruses. Make sure that it is free from infection and prevent future attacks. Click\r\nthe link below to start scanning!\r\n⚠ Viruses Alert - Check Protection NOW\r\nHackers and practically anyone who want it can check where you live by breaking into your device. Protect your\r\nself by clicking below.\r\n☠️ Viruses on your Device?! CLEAN THEM NOW\r\nIt's 2021 and you haven't found a way to protect your Device? Click below to fix this!\r\n️ Click NOW to Protect your Priceless Data!\r\nYour identity and other important information can be easily stolen online without the right protection. VPN can\r\neffectively avoid that from happening. 
Click below to avail of that needed protection.\r\n⚠ You Are Exposed Online, Click To Fix!\r\nHackers can check where you live by checking your device's IP while you are at home. Protect yourself by\r\ninstalling a VPN. Protect your self by clicking below.\r\n🧹 Clean your Phone from potential threats, Click Now.\r\nGoing online exposes you to various risks including hacking and other fraudulent activities. VPN will protect you\r\nfrom these attacks. Make your online browsing secured by clicking the link below.\r\n🛑 Your Phone is not Protected! Click To Protect it!\r\nIt's 2021 and you haven't found a way to protect your iPhone? Click below to fix this!\r\n⚠ YOUR Device can be infected with A VIRUS ⚠\r\nBlock ads, viruses and pop-ups on YouTube, Facebook, Google, and your favorite websites. CLICK THE LINK\r\nBELOW TO BLOCK ALL ADS\r\n⚠ You May Be Exposed Online Click To Fix!\r\nHackers can check where you live by checking your device's IP while you are at home. Protect yourself by\r\ninstalling a VPN. Protect your self by clicking below.\r\n☠️Severe Viruses have been found recently on Android devices\r\nBlock ads, viruses and pop-ups on YouTube, Facebook, Google, and your favorite websites. CLICK THE LINK\r\nBELOW TO BLOCK ALL ADS\r\n☠️ Viruses on your Device?! CLEAN THEM NOW\r\nIt's 2021 and you haven't found a way to protect your Device? Click below to fix this!\r\n⚠ Android Virus Protection Expired ?! Renew for 2021\r\nWe have all heard stories about people who got exposed to malware and expose their data at risk. 
Don’t be silly,\r\nprotect yourself now by clicking below!\r\nBesides flooding the calendar with scam events, Android/FakeAdBlocker also randomly displays full screen\r\nadvertisements within the mobile browser, pops up scareware notifications and adult advertisements, and displays\r\na Messenger-like “bubble” in the foreground mimicking a received message with a scammy text next to it.\r\nFigure 14. Examples of displayed scareware ads\r\nClicking on any of these would lead the user to a website with further scareware content that suggests that the\r\nvictim install cleaners or virus removers from Google Play. We have already written about similar shady apps\r\nimpersonating security software in 2018.\r\nUninstall process\r\nTo identify and remove Android/FakeAdBlocker, including its dynamically loaded adware payload, you need to\r\nfirst find it among your installed applications, by going to Settings -\u003e Apps. Because the malware doesn’t have an\r\nicon or an app name (see Figure 15), it should be easy to spot. Once located, tap it once to select it and then tap on\r\nUninstall button and confirm the request to remove the threat.\r\nFigure 15. Manual uninstallation of malware\r\nHow to automatically remove spam events\r\nUninstalling Android/FakeAdBlocker will not remove the spam events it created in your calendar. You can remove\r\nthem manually; however, it would be a tedious job. This task can also be done automatically, using an app. During\r\nour tests we successfully removed all these events using a free app available from the Google Play store called\r\nCalendar Cleanup. A problem with this app is that it removes only past events. 
Because of that, to remove\r\nupcoming events, temporarily change the current time and date in the settings of the device to be the day after the\r\nlast spam event created by the malware. That would make all these events expired and Calendar Cleanup can then\r\nautomatically remove them all.\r\nIt is important to state that this app removes all events, not just the ones created by the malware. Because of that,\r\nyou should carefully select the targeted range of days.\r\nOnce the job is done, make sure to reset the current time and date.\r\nConclusion\r\nBased on our telemetry, it appears that many users tend to download Android apps from outside of Google Play,\r\nwhich might lead them to download malicious apps delivered through aggressive advertising practices that are\r\nused to generate revenue for their authors. We identified and demonstrated this vector of distribution in the videos\r\nabove. Android/FakeAdBlocker downloads malicious payloads provided by its operator’s C\u0026C server; in most\r\ncases, after launch these hide themselves from user view, deliver unwanted scareware or adult content\r\nadvertisements and create spam calendar events for upcoming months. Trusting these scareware ads might cost\r\ntheir victims money either by sending premium rate SMS messages, subscribing to unnecessary services, or\r\ndownloading additional and often malicious applications. 
Besides these scenarios, we identified various Android\r\nbanking trojans and SMS trojans being downloaded and executed.\r\nIoCs\r\nHash Detection name\r\nB0B027011102B8FD5EA5502D23D02058A1BFF1B9 Android/FakeAdBlocker.A\r\nE51634ED17D4010398A1B47B1CF3521C3EEC2030 Android/FakeAdBlocker.B\r\n696BC1E536DDBD61C1A6D197AC239F11A2B0C851 Android/FakeAdBlocker.C\r\nC\u0026Cs\r\nFile paths of downloaded payloads\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 9 of the ATT\u0026CK 
framework.\r\nTactic | ID | Name | Description\r\nInitial Access | T1476 | Deliver Malicious App via Other Means | Android/FakeAdBlocker can be downloaded from third-party websites.\r\nInitial Access | T1444 | Masquerade as Legitimate Application | Android/FakeAdBlocker impersonates legitimate AdBlock app.\r\nPersistence | T1402 | Broadcast Receivers | Android/FakeAdBlocker listens for the BOOT_COMPLETED broadcast, ensuring that the app’s functionality will be activated every time the device starts.\r\nPersistence | T1541 | Foreground Persistence | Android/FakeAdBlocker displays transparent notifications and pop-up advertisements.\r\nDefense Evasion | T1407 | Download New Code at Runtime | Android/FakeAdBlocker downloads and executes an APK file from a malicious adversary server.\r\nDefense Evasion | T1406 | Obfuscated Files or Information | Android/FakeAdBlocker stores base64-encoded file in assets containing config file with C\u0026C server.\r\nDefense Evasion | T1508 | Suppress Application Icon | Android/FakeAdBlocker’s icon is hidden from its victim’s view.\r\nCollection | T1435 | Access Calendar Entries | Android/FakeAdBlocker creates scareware events in calendar.\r\nCommand And Control | T1437 | Standard Application Layer Protocol | Android/FakeAdBlocker communicates with C\u0026C via HTTPS.\r\nImpact | T1472 | Generate Fraudulent Advertising Revenue | Android/FakeAdBlocker generates revenue by automatically displaying ads.\r\nSource: https://www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/"
	],
	"report_names": [
		"url-shortener-services-android-malware-banking-sms-trojans"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434490,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bc564f2e5dc0adcfbf0645fd7bb6d6d13894880e.pdf",
		"text": "https://archive.orkl.eu/bc564f2e5dc0adcfbf0645fd7bb6d6d13894880e.txt",
		"img": "https://archive.orkl.eu/bc564f2e5dc0adcfbf0645fd7bb6d6d13894880e.jpg"
	}
}