{
	"id": "88d1d261-056a-4cd3-8baa-0b987237f85f",
	"created_at": "2026-04-06T00:18:31.352576Z",
	"updated_at": "2026-04-10T13:13:06.023707Z",
	"deleted_at": null,
	"sha1_hash": "bd07eb086ff8031efacb49cb6fafb26204b540fa",
	"title": "Sowing Discord: Reaping the benefits of collaboration app abuse",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1850642,
	"plain_text": "Sowing Discord: Reaping the benefits of collaboration app abuse\r\nBy Nick Biasini\r\nPublished: 2021-04-07 · Archived: 2026-04-05 16:04:15 UTC\r\nWednesday, April 7, 2021 08:06\r\nAs telework has become the norm throughout the COVID-19 pandemic, attackers are modifying their tactics to take advantage of the changes to employee workflows.\r\nAttackers are leveraging collaboration platforms, such as Discord and Slack, to stay under the radar and evade organizational defenses.\r\nCollaboration platforms enable adversaries to conduct campaigns using legitimate infrastructure that may not be blocked in many network environments.\r\nRATs, information stealers, internet-of-things malware and other threats are leveraging collaboration platforms for delivery, component retrieval and command and control communications.\r\nExecutive summary\r\nAbuse of collaboration applications is not a new phenomenon and dates back to the early days of the internet. As new platforms and applications gain in popularity, attackers often develop ways to use them to achieve their mission objectives. Communications platforms like Telegram, Signal, WhatsApp and others have been abused over the past several years to spread malware, used for command and control communications, and otherwise leveraged for nefarious purposes.\r\nAs the COVID-19 pandemic spread across the globe in 2020, organizations made significant changes to their work routines across virtually every industry. One major shift was the move to remote working arrangements, which coincided with increased reliance on new interactive communications platforms like Discord and Slack.\r\nhttps://blog.talosintelligence.com/collab-app-abuse/\r\nPage 1 of 18\r\nWhile both of these platforms have existed for some time, recent changes to employee workflows have led to an increased reliance upon them for conducting business. 
In many cases, these platforms provide rich environments that can be used for communication and collaboration professionally and personally. As the pandemic continued, we observed several threat actors changing their tactics, techniques and procedures to compensate for these new enterprise workflows. We previously described how many threat actors began taking advantage of public interest in COVID-19 related information here and here. Over the past year, we have also observed a significant increase in the abuse of many of these collaboration platforms to facilitate malware attacks against various organizations. Attackers are looking to spread ransomware via these rooms and use the platforms to spread traditional malspam lures used to infect victims.\r\nCollaboration platforms for malware distribution\r\nAttackers are increasingly abusing the communications platforms that many organizations use to facilitate employee communications. This allows them to circumvent perimeter security controls and maximize infection capabilities. Over the past year, adversaries have increasingly relied on these platforms as part of the infection process. In this blog, we will describe how these platforms are being used across three major phases of malware attacks:\r\nDelivery\r\nComponent retrieval\r\nC2 and data exfiltration\r\nThese platforms provide an attractive option for hosting malicious content, exfiltrating sensitive information, and otherwise facilitating malicious attacks. In many cases, these platforms may be required for legitimate corporate activity and, as such, hosting malicious content or using them to collect sensitive information may allow attackers to bypass content filtering mechanisms.\r\nThe use of applications like Discord and Slack may also provide an additional means to perform the social engineering required to convince potential victims to open malicious attachments. 
Potential targets who see a link in a chat room they're used to interacting in on a regular basis may be more likely to open any files that are attached to those rooms or click on links that seem like they're from colleagues. These rooms may also provide a direct communications pathway between adversaries and employees that can be abused to facilitate the delivery process. This itself is not a new phenomenon — Discord's been used in the past to deliver the Thanatos ransomware. More recently, this mechanism has been used to deliver a variety of RATs, stealers and other malware including:\r\nAgent Tesla\r\nAsyncRAT\r\nFormbook\r\nJSProxRAT\r\nLimeRAT\r\nLokibot\r\nNanocore RAT\r\nPhoenix Keylogger\r\nRemcos\r\nWSHRAT\r\nLet's look at ways these platforms are now being used throughout the attack lifecycle.\r\nMalware delivery\r\nSome of these apps, including Discord, support file attachments, which makes them a target for adversaries. And if these apps are being used in a corporate environment, they become more attractive to adversaries. One of the key challenges associated with malware delivery is making sure that the files, domains, or systems don't get taken down or blocked. By leveraging these chat applications that are likely allowed, attackers remove several of those hurdles and greatly increase the likelihood that the attachment reaches the end user. Since these files are uploaded and linked via a URL, there are a lot of different ways they can get these links in front of users. These can include more traditional means like URLs in emails, but they can be sent via any messaging or chat service. They could also link to websites or be placed in any number of places. 
The versatility of having a malicious URL that is hosted on a domain unlikely to get blocked is obviously attractive to malicious actors.\r\nOn many collaboration platforms such as Discord and Slack, files are transmitted between users by attaching them in channels. Files are stored within the Content Delivery Network (CDN) that the platform provider operates, allowing server members to access these files as they appeared when they were originally attached. As an example, this is what it looks like when a file is uploaded directly to a channel in a Discord server:\r\nWhen files are uploaded and stored within the Discord CDN, they can be accessed using the hardcoded CDN URL by any system, regardless of whether Discord has been installed, simply by browsing to the CDN URL where the content is hosted.\r\nThis functionality is not specific to Discord. Other collaboration platforms like Slack have similar features. Files can be uploaded to Slack, and users can create external links that allow the files to be accessed, regardless of whether the recipient even has Slack installed.\r\nOnce an external link has been created, the file is accessible in much the same way as files uploaded to Discord.\r\nAdversaries have begun taking advantage of this functionality, using it to host their malicious content and then directing victims to the content using the CDN location within various formats like malspam emails. Over the course of 2020, we observed an increase in the volume of malicious email campaigns containing links to files hosted across these CDNs. 
The graph below shows the volume of emails observed using this technique to facilitate the delivery of various files used to initiate malware infections on victim systems.\r\nThe delivery of malicious content in this manner offers two attractive mechanisms that attackers can leverage to evade defenses.\r\n1. The content is delivered over HTTPS, meaning that the communications are encrypted between the endpoint accessing the content and the Discord CDN delivering it.\r\n2. A natural byproduct of the compression process is obfuscation of the contents of the compressed archive.\r\nIt is easy to see why this is an attractive mechanism to adversaries. A variety of different file types have been observed being delivered in this manner. In most cases, these files are compressed archives. Over the past 12 months, we have observed a variety of compression algorithms used, including uncommon formats such as LZH. Below is a list of several of the most common compression types we have observed leveraged across these campaigns.\r\nACE\r\nGZ\r\nIMG\r\nISO\r\nLZH\r\nRAR\r\nTAR\r\nZIP\r\n7Z\r\nThe graph below shows a breakdown of how frequently each type of compression was used throughout these malspam campaigns.\r\nIn most cases, the emails themselves are consistent with what we have grown accustomed to seeing from malspam in recent years. Many of the emails purport to be associated with various financial transactions and contain links to files claiming to be invoices, purchase orders and other documents of interest to potential victims.\r\nThe message above was one of the stranger examples we found. It was a COVID-themed email purportedly from the World Health Organization (WHO) requesting the target download a new COVID prevention document. This document was hosted on Discord for some reason. 
When we followed the link, we found a ZIP file containing a batch, or .bat, file. This batch file then downloaded a Word document from Google Drive. When opened, the document triggered a macro that activated on close and downloaded the Nymaim trojan from a compromised website. This is an incredibly convoluted infection process that involved multiple services, including Discord and Google Drive, but also required the victim to open multiple files before the final infection occurred.\r\nOne additional thing to note is the wide variety of languages we found when looking at the email messages leveraging Discord, including English, Spanish, French, German and Portuguese. One example of the German language campaigns we saw is shown below.\r\nIn this example, the sender offers a 30 percent deposit in the attachment. However, the attachment is actually an image made to look like an attachment. The message source provides some additional insight into what the adversary wants to accomplish.\r\nThe bolded text shows that the image is actually a link to an ISO file being hosted on Discord. When the user clicks the image thinking they are opening it locally, it will be downloaded using a web browser. The ISO file, when downloaded, contained a PE32 payload named \"30 Percento,pdf .exe\", which resulted in the download of the Formbook malware. What is additionally confusing, and potentially lazy on the actor's part, is the filename itself. The email is in German but the attachment uses the Italian word \"percento\" and not \"prozent,\" to mean \"percent,\" as would be expected if the file were named in German. 
These are just a few of the many examples we found abusing Discord, most of which were the usual invoice, shipping and fax campaigns we observe constantly.\r\nAs previously mentioned, the hyperlinks present within these emails typically point to compressed archives hosted within the CDNs of various collaboration platforms like Discord and Slack. These compressed archives contain PE32 files, JavaScript droppers and other malicious components that are used to initiate the infection process, retrieve additional payloads, provide remote access capabilities for adversaries, and gather sensitive information that can be exfiltrated and subsequently monetized by adversaries.\r\nComponent retrieval\r\nWe also observed adversaries leveraging CDNs for the retrieval of additional malicious content during and after the initial infection process occurs. In many malware infections nowadays, the initial executable or script delivered to victims is the first part of a multi-stage infection process that often includes the delivery of additional binaries that function as modules to carry out various portions of the malware's overall functionality.\r\nWe observed several instances of these CDNs being used to host malicious binaries that are pulled down during various phases of the infection process. Various examples of this behavior can be identified across malware repositories. For example, simply searching for samples that reach out to the Discord CDN results in almost 20,000 results in VirusTotal.\r\nThis technique was frequently used across malware distribution campaigns associated with RATs, stealers and other types of malware typically used to retrieve sensitive information from infected systems. 
In one example, the first stage payload was responsible for retrieving an ASCII blob from the Discord CDN as shown in the screenshot below.\r\nThe data that is retrieved from the Discord CDN is then converted and the final payload is injected into a remote process, in this case created from \"C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe\".\r\nThe final malware in this instance was Remcos, a commercially available RAT that is frequently used by attackers to gain unauthorized access to systems.\r\nAs is common with Remcos infections, the malware communicated with a C2 and exfiltrated data via an attacker-controlled DDNS server. The attackers achieved persistence through the creation of registry run entries to invoke the malware following system restarts.\r\nAnother example of this behavior was observed across AsyncRAT campaigns. In this instance, the initial malware downloader took the form of a Microsoft Word document titled \"Word_Nitro_Kodlari\", likely purporting to be associated with Discord Nitro codes — access to a premium version of the service — a common theme across the various malware campaigns we analyzed. In this case, the Word document did not contain any visible contents when opened, but contained embedded macros.\r\nThe Word document contains a macro that executes when the document is opened. This macro is shown below.\r\nThis macro deobfuscates and executes PowerShell that is responsible for retrieving the next stage payload. In this case, the payload was AsyncRAT hosted within the Discord CDN. An example of the payload retrieval can be found in the screenshot below:\r\nAnother way that we've seen Discord abused is payloads being retrieved from threat actors leveraging active exploitation of vulnerabilities. 
One of the larger botnets that is active today is Mirai, which is constructed primarily of internet-of-things (IoT) devices that overwhelmingly run Linux. This botnet is well known and has been associated with a variety of DDoS and other campaigns. Mirai may be the most well known, but it is not the only botnet or threat operating in this space; Qbot is another. This IoT variant of Qbot behaves much like other IoT malicious threats, providing capabilities to conduct DDoS attacks, download additional payloads, or be used as processing power for things like SSH brute forcing.\r\nWe recently saw an uptick in what appeared to be Mirai activity, but upon further inspection, it was actually the IoT-focused QBot variant that affects multiple operating systems. The piece that drew our attention was where the x86 version was being stored.\r\nThese types of commands should look familiar to anyone who has been hunting Mirai activity and are consistent with the other campaigns we've seen before that have been taking advantage of an unauthenticated command execution vulnerability in YARN. What makes this applicable to our current investigation is yet another abuse of Discord to share or distribute malware, in this case the x86 version of Qbot. This shows yet another avenue by which adversaries can take advantage of Discord to distribute malware, even to non-standard operating systems like Linux, and more specifically, IoT devices.\r\nC2 and data exfiltration\r\nDiscord and Slack are also platforms that are being leveraged for the exfiltration of sensitive information and the transmission of information from infected systems. In many cases, this activity is conducted via the Discord API, which provides a robust mechanism that adversaries can take advantage of. 
Let's take a look at how the Discord API is being used by attackers and some examples of what sort of malware is using it.\r\nWebhooks\r\nMalware samples that abuse Discord typically rely on the webhook functionality of the Discord API for C2 communications. Webhooks were designed for sending alerts or automated messages to a specified Discord server, commonly integrated with other services such as GitHub or DataDog. Webhooks are essentially a URL that a client can send a message to, which in turn posts that message to the specified channel — all without using the actual Discord application.\r\nWebhooks can be used for more than just C2 communications: any data can be sent to a webhook, allowing for data exfiltration. Using the webhook functionality to exfiltrate data has several benefits, the most apparent being ease of use. The other important advantage to webhooks is the use of the Discord domain for exfiltration over HTTPS, allowing the attacker to blend in with other Discord network traffic. The format of a webhook would appear fairly innocuous to most users:\r\nThe versatility and accessibility of Discord webhooks makes them a clear choice for some threat actors. With merely a few stolen access tokens, an attacker can employ a truly effective malware campaign infrastructure with very little effort. The level of anonymity is too tempting for some threat actors to pass up.\r\nStatus updates\r\nIn some cases, we observed malware leveraging Discord to send alerts to the attacker when new systems are infected. In one example, the malware was communicating via Discord to alert the attacker that a new system was available and providing the details where the system was attempting to communicate to establish a C2 channel. In this case, the adversaries used the Portmap service for C2 communications. 
As highlighted in previous publications here and here, Portmap is a common mechanism used by attackers to obfuscate their C2 infrastructure.\r\nSystem enumeration\r\nIn many cases, malware uses the Discord API to send information about the infected system back to the attacker, similar to what is seen in post-compromise C2 traffic during the bot registration process. One example of this was observed where the attacker was executing WMI commands on the system, then transmitting the command-line output to the attacker's Discord server, line-by-line, using the Webhook API.\r\nFirst, the malware writes a batch file and an executable called \"DiscordSendWebhook\" into the %TEMP% directory on the infected system. An example of one of the batch files is shown below.\r\nNext, the malware executes the batch file, and writes the output of the various commands into text-based log files. It then sends the contents of the log files to the attacker using \"DiscordSendWebhook.exe\" which was previously created and executed.\r\nThe example below shows one of the API requests made by the infected system. This process repeats for each line in the WMI command output.\r\nThis demonstrates how abusing the Discord API can provide robust C2 functionality for adversaries making use of it in their malware. Additionally, this removes the cost of running the C2 server infrastructure independently and minimizes the resources required to facilitate this activity.\r\nPay2Decrypt ransomware\r\nWe also observed ransomware samples leveraging the Discord API for different purposes including bot registration, data exfiltration and post-infection C2 communications. 
One example is with a series of campaigns associated with LEAKGAP, a variant of Pay2Decrypt ransomware that communicates with the attacker using Discord Webhooks. During the infection process, the system is registered with the attacker's Discord instance using an API request/response similar to the one shown in the screenshot below.\r\nStatus updates regarding the malware's operation on the infected system are also sent back to the attacker using the same API.\r\nFollowing successful infection, the data stored on the system is no longer available to the victim and the following ransom note is displayed.\r\nNew samples that are leveraging the Discord API for C2 communications are being observed regularly, with some RATs being designed specifically to facilitate remote access to infected systems using this same mechanism. This trend will likely continue as more attackers leverage these channels to blend in with legitimate network traffic and evade detection in corporate environments.\r\nToken stealing\r\nOne of the most critical tasks while operating a malware campaign is to stay anonymous. One of the most effective ways to remain anonymous while abusing Discord is to hijack another user's account.\r\nA Discord access token is a unique alphanumeric string that is generated for each user and is essentially the \"key\" to that user's account. If another party were to have access to this token, it would allow them to have full control over that account.\r\nAt the time of writing, Discord does not implement client verification to prevent impersonation by way of a stolen access token. This has led to a large number of Discord token stealers being implemented and distributed on GitHub and other forums. 
In many cases, the token stealers pose as useful utilities related to online gaming, as Discord is one of the most prevalent chat and collaboration platforms in use in the gaming community. Below is a non-exhaustive list of some token stealers hosted on GitHub at the time of this writing:\r\nhttps://github.com/notkohlrexo/Discord-Token-Stealer\r\nhttps://github.com/Cazcez/AnarchyGrabber\r\nhttps://github.com/iklevente/WebhookDiscordTokenGrabber\r\nhttps://github.com/Itroublve/Token-Browser-Password-Stealer-Creator\r\nhttps://github.com/wodxgod/Discord-Token-Grabber\r\nThese token stealers are written in several different languages including C# and Python. They can be implemented in script form or a compiled binary, depending on the attacker's choice of language. Creating these stealers is relatively easy as the process for stealing the access token is very simple. All that is required for stealing a token is locating it in the appropriate directory, and sending it back to the attacker via a webhook, as discussed in the \"Webhooks\" section above. Additionally, well-known information stealers like Masslogger have been observed implementing Discord token-stealing.\r\nOnce a token has been stolen, the attacker has the ability to impersonate its owner. Typically, these compromised accounts are used in a malware campaign to add a level of anonymity to the operation. Common abuses of stolen accounts include uploading payloads to the Discord CDN, social engineering of other users and generating webhooks.\r\nGrowtopia-themed stealer in action.\r\nConclusion\r\nMalicious threat actors are always trying to find new and effective ways to get malware executing on systems and one of the biggest challenges is distribution. 
As chat apps like Discord, Slack and many others rise in popularity, organizations need to assess how these applications can be abused by adversaries and how many of them should be allowed to operate inside the enterprise. As we've shown repeatedly in this blog, these types of applications require content delivery networks (CDNs) to ensure their content is available to people everywhere, and malicious actors have noticed. It's likely the abuse of these chat apps will only increase in the near and long term. As more applications become available and some rise and fall in popularity, new avenues will continually be opened for adversaries.\r\nAs defenders, we need to decide what chat applications are allowed and why, while clearly communicating to management the risk associated with each. If you don't use a chat app internally for business purposes, it may be worth considering blocking some of the domains that can be abused for content delivery or putting other mitigations in place to help reduce the risk. We've continually seen adversaries evolve from including attachments directly in email, to hosting them on their own infrastructure, to using file sharing services, and now abusing chat applications, and that is just from email-based threats. The name of the game is getting malware onto end systems and, as we've seen repeatedly, the bad guys will do whatever is necessary to achieve these goals.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware detailed in this post. Below is a screenshot showing how AMP can protect customers from this threat. 
Try AMP for free here.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nCisco Secure Email Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nThreat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.\r\nAdditional protections with context to your specific environment and threat data are available from the Firepower Management Center.\r\nIndicators of Compromise (IOCs)\r\nThe following indicators of compromise have been observed as being associated with malware campaigns.\r\nHashes (SHA256)\r\nA list of the SHA256 hashes of files associated with these malware campaigns can be found here.\r\nDomains\r\nA list of the domains associated with these malware campaigns can be found here.\r\nSource: https://blog.talosintelligence.com/collab-app-abuse/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/collab-app-abuse/"
	],
	"report_names": [
		"collab-app-abuse"
	],
	"threat_actors": [
		{
			"id": "9041c438-4bc0-4863-b89c-a32bba33903c",
			"created_at": "2023-01-06T13:46:38.232751Z",
			"updated_at": "2026-04-10T02:00:02.888195Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove"
			],
			"source_name": "MISPGALAXY:Nitro",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b44a04-a080-4465-973d-976ce53777de",
			"created_at": "2022-10-25T16:07:23.911791Z",
			"updated_at": "2026-04-10T02:00:04.786538Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove",
				"Nitro"
			],
			"source_name": "ETDA:Nitro",
			"tools": [
				"AngryRebel",
				"Backdoor.Apocalipto",
				"Chymine",
				"Darkmoon",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Moudour",
				"Mydoor",
				"PCClient",
				"PCRat",
				"Poison Ivy",
				"SPIVY",
				"Spindest",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434711,
	"ts_updated_at": 1775826786,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bd07eb086ff8031efacb49cb6fafb26204b540fa.pdf",
		"text": "https://archive.orkl.eu/bd07eb086ff8031efacb49cb6fafb26204b540fa.txt",
		"img": "https://archive.orkl.eu/bd07eb086ff8031efacb49cb6fafb26204b540fa.jpg"
	}
}