{ "id": "5193dda9-53fd-4d1b-9a73-1e27a92d8840", "created_at": "2026-04-06T00:15:15.812782Z", "updated_at": "2026-04-10T03:35:34.593458Z", "deleted_at": null, "sha1_hash": "be033bb6c213f5f93a462e48043ffaa6274b822e", "title": "Zloader (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 252736, "plain_text": "Zloader (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 23:40:15 UTC\r\nThis family describes the (initially small) loader, which downloads Zeus OpenSSL.\r\nIn June 2016, a new loader was dubbed DEloader by Fortinet. It has some functions borrowed from Zeus 2.0.8.9\r\n(e.g. the versioning, nrv2b, binstorage-labels), but more importantly, it downloaded a Zeus-like banking trojan (-\u003e\r\nZeus OpenSSL). Furthermore, the loader shared its versioning with the Zeus OpenSSL it downloaded.\r\nThe initial samples from May 2016 were small (17920 bytes). At some point, visualEncrypt/Decrypt was added,\r\ne.g. in v1.11.0.0 (September 2016) with size 27648 bytes. In January 2017 with v1.15.0.0, obfuscation was added,\r\nwhich blew the size up to roughly 80k, and the loader became known as Zloader aka Terdot. These changes may\r\nbe related to the Moskalvzapoe Distribution Network, which started the distribution of it at the same time.\r\nPlease note that IBM X-Force decided to call win.zloader/win.zeus_openssl \"Zeus Sphinx\", after mentioning it as\r\n\"a new version of Zeus Sphinx\" in their initial post in August 2016. Malpedia thus lists the alias \"Zeus XSphinx\"\r\nfor win.zeus_openssl - the X to refer to IBM X-Force.\r\n2024-12-10 ⋅ Zscaler ⋅ ThreatLabZ research team\r\nInside Zloader’s Latest Trick: DNS Tunneling\r\nGhostSocks Zloader 2024-12-04 ⋅ Rapid7 ⋅ Tyler McGraw\r\nBlack Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware\r\nBlack Basta Cobalt Strike DarkGate SystemBC Zloader 2024-07-29 ⋅ Mandiant ⋅ Ashley Pearson, Jake Nicastro, Joseph\r\nPisano, Josh Murchie, Joshua Shilko, Raymond Leong\r\nUNC4393 Goes Gently into the SILENTNIGHT\r\nBlack Basta QakBot sRDI SystemBC Zloader UNC3973 UNC4393 2024-04-29 ⋅ Zscaler ⋅ Santiago Vicente\r\nZloader Learns Old Tricks\r\nZloader 2024-02-14 ⋅ K7 Security ⋅ Sudeep Waingankar\r\nZloader Strikes Back\r\nZloader 2024-01-19 ⋅ Zscaler ⋅ Ismael Garcia Perez, Santiago Vicente\r\nZloader: No Longer Silent in the Night\r\nZloader 2023-07-29 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt\r\nUnknown powershell backdoor with ties to new Zloader\r\nZloader 2023-03-30 ⋅ United States District Court (Eastern District of New York) ⋅ Fortra, HEALTH-ISAC, Microsoft\r\nCracked Cobalt Strike (1:23-cv-02447)\r\nBlack Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit\r\nMount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader 2023-02-27 ⋅ PRODAFT Threat Intelligence ⋅\r\nPRODAFT\r\nRIG Exploit Kit: In-Depth Analysis\r\nDridex IcedID ISFB PureCrypter Raccoon RecordBreaker RedLine Stealer Royal Ransom Silence SmokeLoader\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.zloader\r\nPage 1 of 6\n\nZloader 2022-08-10 ⋅ Avast Decoded ⋅ Threat Research Team\r\nAvast Q2/2022 Threat Report: Farewell to Conti, Zloader, and Maldocs; Hello Resurrection of Raccoon Stealer,\r\nand more Ransomware Attacks\r\nConti Raccoon RecordBreaker Zloader Caramel Tsunami 2022-08-08 ⋅ Medium CSIS Techblog ⋅ Benoît Ancel\r\nAn inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure\r\nRiltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki\r\nPassword Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP\r\nTinyNuke Vidar Zloader 2022-06-24 ⋅ Palo Alto Networks Unit 42 ⋅ Mark Lim, Riley Porter\r\nThere Is More Than One Way to Sleep: Dive Deep Into the Implementations of API Hammering by Various\r\nMalware Families\r\nBazarBackdoor Zloader 2022-06-02 ⋅ Youtube (AhmedS Kasmani) ⋅ AhmedS Kasmani\r\nZloader Malware Analysis - 1. Unpacking First stage.\r\nZloader 2022-04-25 ⋅ VinCSS ⋅ m4n0w4r, Tran Trung Kien\r\n[RE026] A Deep Dive into Zloader - the Silent Night\r\nZloader 2022-04-25 ⋅ Cybereason ⋅ Aleksandar Milenkoski, Loïc Castel, Yonatan Gidnian\r\nTHREAT ANALYSIS REPORT: SocGholish and Zloader – From Fake Updates and Installers to Owning Your\r\nSystems\r\nFAKEUPDATES Zloader 2022-04-20 ⋅ CISA ⋅ CISA\r\nAlert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure\r\nVPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader\r\nTrickBot Triton Zloader Killnet 2022-04-20 ⋅ CISA ⋅ Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber\r\nSecurity (CCCS), CISA, FBI, Government Communications Security Bureau, National Crime Agency (NCA), NCSC UK, NSA\r\nAA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure\r\nVPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader\r\nTrickBot Triton Zloader 2022-04-14 ⋅ Avast Decoded ⋅ Vladimir Martyanov\r\nZloader 2: The Silent Night\r\nISFB Raccoon Zloader 2022-04-13 ⋅ UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF GEORGIA ⋅\r\nUNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF GEORGIA\r\nCourt order for taking down Zloader Infrastructure\r\nZloader 2022-04-13 ⋅ Microsoft ⋅ Amy Hogan-Burney\r\nNotorious cybercrime gang’s botnet disrupted\r\nRyuk Zloader 2022-04-13 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team\r\nDismantling ZLoader: How malicious ads led to disabled security tools and ransomware\r\nBlackMatter Cobalt Strike DarkSide Ryuk Zloader 2022-04-13 ⋅ ESET Research ⋅ Jean-Ian Boutin, Tomáš Procházka\r\nESET takes part in global operation to disrupt Zloader botnets\r\nCobalt Strike Zloader 2022-03-14 ⋅ CrowdStrike ⋅ Falcon OverWatch Team\r\nFalcon OverWatch Threat Hunting Uncovers Ongoing NIGHT SPIDER Zloader Campaign\r\nZloader 2022-01-19 ⋅ Sophos ⋅ Colin Cowie, Mat Gangwer, Sophos MTR Team, Stan Andic\r\nZloader Installs Remote Access Backdoors and Delivers Cobalt Strike\r\nCobalt Strike Zloader 2022-01-11 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt\r\nSigned DLL campaigns as a service\r\nBATLOADER Cobalt Strike ISFB Zloader 2022-01-05 ⋅ Check Point ⋅ Golan Cohen\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.zloader\r\nPage 2 of 6\n\nCan You Trust a File’s Digital Signature? New Zloader Campaign exploits Microsoft’s Signature Verification\r\nputting users at risk\r\nZloader 2021-11-03 ⋅ Team Cymru ⋅ tcblogposts\r\nWebinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns - A Case Study on the\r\nValue of Threat Reconnaisance\r\nDoppelDridex IcedID QakBot Zloader 2021-10-19 ⋅ Cisco ⋅ Artsiom Holub\r\nSTRRAT, ZLoader, and HoneyGain\r\nSTRRAT Zloader 2021-10-18 ⋅ Ali Aqeel\r\nZLoader Reversing\r\nZloader 2021-09-29 ⋅ Trend Micro ⋅ Trend Micro\r\nZloader Campaigns at a Glance\r\nZloader 2021-09-29 ⋅ Trend Micro ⋅ Trend Micro\r\nZloader Campaigns at a Glance (IOCs)\r\nZloader 2021-09-13 ⋅ SentinelOne ⋅ Antonio Cocomazzi, Antonio Pirozzi\r\nHide and Seek | New Zloader Infection Chain Comes With Improved Stealth and Evasion Mechanisms\r\nZloader 2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel\r\nThe State of SSL/TLS Certificate Usage in Malware C\u0026C Communications\r\nAdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex\r\nFindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT\r\nRockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader 2021-07-08 ⋅ McAfee ⋅ Kiran\r\nRaj, Kishan N.\r\nZloader With a New Infection Technique\r\nZloader 2021-06-23 ⋅ K7 Security ⋅ Lokesh J\r\nJava Plug-Ins Delivering Zloader\r\nZloader 2021-05-26 ⋅ DeepInstinct ⋅ Ron Ben Yizhak\r\nA Deep Dive into Packing Software CryptOne\r\nCobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader 2021-05-14 ⋅\r\nGuidePoint Security ⋅ Drew Schmitt\r\nFrom ZLoader to DarkSide: A Ransomware Story\r\nDarkSide Cobalt Strike Zloader 2021-05-11 ⋅ Mal-Eats ⋅ mal_eats\r\nCampo, a New Attack Campaign Targeting Japan\r\nAnchorDNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader 2021-05-10 ⋅ Mal-Eats ⋅\r\nmal_eats\r\nOverview of Campo, a new attack campaign targeting Japan\r\nAnchorDNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader 2021-04-21 ⋅ PhishLabs ⋅ Jessica Ellis\r\nZLoader Dominates Email Payloads in Q1\r\nZloader 2021-04-19 ⋅ Cybleinc ⋅ cybleinc\r\nZLoader Returns Through Spelevo Exploit Kit \u0026 Phishing Campaign\r\nZloader 2021-04-12 ⋅ PTSecurity ⋅ PTSecurity\r\nPaaS, or how hackers evade antivirus software\r\nAmadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot\r\nRaccoon RTM SmokeLoader Zloader 2021-03-29 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.zloader\r\nPage 3 of 6\n\nZloader email campaign using MHTML to download and decrypt XLS\r\nZloader 2021-03-23 ⋅ Quick Heal ⋅ Anjali Raut\r\nZloader: Entailing Different Office Files\r\nZloader 2021-03-17 ⋅ HP ⋅ HP Bromium\r\nThreat Insights Report Q4-2020\r\nAgent Tesla BitRAT ComodoSec Dridex Emotet Ficker Stealer Formbook Zloader 2021-03-10 ⋅ ⋅ NTT Security ⋅ Hiroki\r\nHada\r\n日本を標的としたPseudoGateキャンペーンによるSpelevo Exploit Kitを用いた攻撃について\r\nZloader 2021-03-05 ⋅ Forcepoint ⋅ Kurt Natvig, Robert Neumann\r\nAdvancements in Invoicing - A highly sophisticated way to distribute ZLoader\r\nZloader 2021-03-01 ⋅ Group-IB ⋅ Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev\r\nRansomware Uncovered 2020/2021\r\nRansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot\r\nRansomEXX REvil Ryuk SDBbot TrickBot Zloader 2021-02-23 ⋅ PhishLabs ⋅ Jessica Ellis\r\nSurge in ZLoader Attacks Observed\r\nZloader 2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike\r\n2021 Global Threat Report\r\nRansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide\r\nDoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker\r\nMespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT\r\nRagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST\r\nSunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER\r\nSOLAR SPIDER VIKING SPIDER 2021-02-02 ⋅ ⋅ CRONUP ⋅ Germán Fernández\r\nDe ataque con Malware a incidente de Ransomware\r\nAvaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire\r\nDownloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX\r\nREvil Ryuk SDBbot SmokeLoader TrickBot Zloader 2020-12-23 ⋅ 0xC0DECAFE ⋅ Thomas Barabosch\r\nDetect RC4 in (malicious) binaries\r\nSmokeLoader Zloader 2020-12-21 ⋅ Cisco Talos ⋅ JON MUNSHAW\r\n2020: The year in malware\r\nWolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT\r\nNanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader 2020-11-20 ⋅ ZDNet ⋅ Catalin\r\nCimpanu\r\nThe malware that usually installs ransomware and you need to remove right away\r\nAvaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx\r\nMegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader 2020-11-18 ⋅ Sophos ⋅ Sophos\r\nSOPHOS 2021 THREAT REPORT Navigating cybersecurity in an uncertain world\r\nAgent Tesla Dridex TrickBot Zloader 2020-11-16 ⋅ Malwarebytes ⋅ Threat Intelligence Team\r\nMalsmoke operators abandon exploit kits in favor of social engineering scheme\r\nZloader Malsmoke 2020-11-09 ⋅ Bleeping Computer ⋅ Ionut Ilascu\r\nFake Microsoft Teams updates lead to Cobalt Strike deployment\r\nCobalt Strike DoppelPaymer NjRAT Predator The Thief Zloader 2020-11-06 ⋅ ⋅ LAC WATCH ⋅ Ishikawa, Matsumoto,\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.zloader\r\nPage 4 of 6\n\nTakagen\r\n分析レポート:Emotetの裏で動くバンキングマルウェア「Zloader」に注意\r\nEmotet Zloader 2020-11-05 ⋅ Twitter (@ffforward) ⋅ TheAnalyst\r\nTweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK\r\nCobalt Strike Ryuk Zloader 2020-10-28 ⋅ SophosLabs Uncut ⋅ Anand Ajjan, Bill Kearny, Brett Cove, Elida Leite, Gabor\r\nSzappanos, Peter Mackenzie, Sean Gallagher, Syed Shahram\r\nHacks for sale: inside the Buer Loader malware-as-a-service\r\nBuer Ryuk Zloader 2020-10-21 ⋅ ⋅ Alyac ⋅ Alyac\r\nZLoader 악성코드, 사업 정지 경고로 위장해 유포중\r\nZloader 2020-10-07 ⋅ CrowdStrike ⋅ The Falcon Complete Team\r\nDuck Hunting with Falcon Complete: Analyzing a Fowl Banking Trojan, Part 2\r\nQakBot Zloader 2020-09-24 ⋅ Click All the Things! Blog ⋅ Jamie Arndt\r\nzLoader XLM Update: Macro code and behavior change\r\nZloader 2020-09-02 ⋅ Cisco Talos ⋅ Edmund Brumaghin, Holger Unterbrink\r\nSalfram: Robbing the place without removing your name tag\r\nAve Maria ISFB SmokeLoader Zloader 2020-08-19 ⋅ SecurityLiterate ⋅ Kyle Cucci\r\nChantay’s Resume: Investigating a CV-Themed ZLoader Malware\r\nZloader 2020-08-14 ⋅ Twitter (@VK_intel) ⋅ Vitali Kremez\r\nTweet on Zloader infection leading to Cobaltstrike Installation\r\nCobalt Strike Zloader 2020-07-30 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q2 2020\r\nAdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT Stealer\r\nLoki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer Remcos\r\nZloader 2020-07-22 ⋅ SentinelOne ⋅ Jason Reaves, Joshua Platt\r\nEnter the Maze: Demystifying an Affiliate Involved in Maze (SNOW)\r\nISFB Maze TrickBot Zloader 2020-06-24 ⋅ Morphisec ⋅ Arnold Osipov\r\nObfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex\r\nDridex ISFB QakBot Zloader 2020-06-19 ⋅ Click All the Things! Blog ⋅ Jamie\r\nzloader: VBA, R1C1 References, and Other Tomfoolery\r\nZloader 2020-06-19 ⋅ Yet Another Security Blog ⋅ Michael Weber\r\nFurther Evasion in the Forgotten Corners of MS-XLS\r\nZloader 2020-06-11 ⋅ Nullteilerfrei Blog ⋅ Lars Wallenborn\r\nAPI Hashing in the Zloader malware\r\nZloader 2020-06-02 ⋅ Lastline Labs ⋅ James Haughom, Stefano Ortolani\r\nEvolution of Excel 4.0 Macro Weaponization\r\nAgent Tesla DanaBot ISFB TrickBot Zloader 2020-05-24 ⋅ Nullteilerfrei Blog ⋅ Lars Wallenborn\r\nZloader String Obfuscation\r\nZloader 2020-05-21 ⋅ Malwarebytes ⋅ hasherezade, prsecurity\r\nThe “Silent Night” Zloader/Zbot\r\nZloader 2020-05-20 ⋅ Proofpoint ⋅ Dennis Schwarz, Matthew Mesa, Proofpoint Threat Research Team\r\nZLoader Loads Again: New ZLoader Variant Returns\r\nZloader 2020-05-12 ⋅ Yet Another Security Blog ⋅ Michael Weber\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.zloader\r\nPage 5 of 6\n\nEvading Detection with Excel 4.0 Macros and the BIFF8 XLS Format\r\nZloader 2020-04-26 ⋅ Johannes Bader's Blog ⋅ Johannes Bader\r\nThe DGA of Zloader\r\nZloader 2020-04-07 ⋅ Youtube (DissectMalware) ⋅ Malwrologist\r\nMalware Analysis in Action - Episode 2\r\nZloader 2020-03-30 ⋅ Bleeping Computer ⋅ Sergiu Gatlan\r\nBanking Malware Spreading via COVID-19 Relief Payment Phishing\r\nZloader 2020-03-30 ⋅ IBM ⋅ Amir Gandler, Limor Kessem\r\nZeus Sphinx Trojan Awakens Amidst Coronavirus Spam Frenzy\r\nZeus OpenSSL Zloader 2020-03-13 ⋅ Comae ⋅ Matt Suiche\r\nYet Another Active Email Campaign With Malicious Excel Files Identified\r\nZloader 2018-09-06 ⋅ int 0xcc blog ⋅ Raashid Bhat\r\nDissecting DEloader malware with obfuscation\r\nZloader 2017-06-15 ⋅ Limor Kessem\r\nZeus Sphinx Pushes Empty Configuration Files — What Has the Sphinx Got Cooking?\r\nZloader 2017-01-26 ⋅ SecurityIntelligence ⋅ Limor Kessem\r\nAround the World With Zeus Sphinx: From Canada to Australia and Back\r\nZloader 2017-01-26 ⋅ Malwarebytes ⋅ Malwarebytes Labs\r\nZbot with legitimate applications on board\r\nZloader 2016-09-22 ⋅ Forcepoint ⋅ Nicholas Griffin\r\nZeus Delivered by DELoader to Defraud Customers of Canadian Banks\r\nZloader 2016-06-21 ⋅ Fortinet ⋅ Floser Bacurio, Roland Dela Paz\r\nThe Curious Case of an Unknown Trojan Targeting German-Speaking Users\r\nZloader\r\n[TLP:WHITE] win_zloader_auto (20251219 | Detects win.zloader.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.zloader\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.zloader\r\nPage 6 of 6", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.zloader" ], "report_names": [ "win.zloader" ], "threat_actors": [ { "id": "059b16f8-d4e0-4399-9add-18101a2fd298", "created_at": "2022-10-25T15:50:23.29434Z", "updated_at": "2026-04-10T02:00:05.380938Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "Evilnum" ], "source_name": "MITRE:Evilnum", "tools": [ "More_eggs", "EVILNUM", "LaZagne" ], "source_id": "MITRE", "reports": null }, { "id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0", "created_at": "2022-10-25T15:50:23.710403Z", "updated_at": "2026-04-10T02:00:05.281246Z", "deleted_at": null, "main_name": "Silence", "aliases": [ "Whisper Spider" ], "source_name": "MITRE:Silence", "tools": [ "Winexe", "SDelete" ], "source_id": "MITRE", "reports": null }, { "id": "99d9dd87-91c3-4371-9943-0a1c9c3cd99c", "created_at": "2022-10-25T16:07:23.277763Z", "updated_at": "2026-04-10T02:00:04.514755Z", "deleted_at": null, "main_name": "Solar Spider", "aliases": [], "source_name": "ETDA:Solar Spider", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "6f37e16f-64b2-4b9c-b5b4-08d0884660eb", "created_at": "2022-10-25T16:07:24.380872Z", "updated_at": "2026-04-10T02:00:04.966462Z", "deleted_at": null, "main_name": "Viking Spider", "aliases": [], "source_name": "ETDA:Viking Spider", "tools": [ "Ragnar Locker", "RagnarLocker" ], "source_id": "ETDA", "reports": null }, { "id": "67fbc7d7-ba8e-4258-b53c-9a5d755e1960", "created_at": "2022-10-25T16:07:24.077859Z", "updated_at": "2026-04-10T02:00:04.860725Z", "deleted_at": null, "main_name": "Promethium", "aliases": [ "APT-C-41", "G0056", "Magenta Dust", "Promethium", "StrongPity" ], "source_name": "ETDA:Promethium", "tools": [ "StrongPity", "StrongPity2", "StrongPity3", "Truvasys" ], "source_id": "ETDA", "reports": null }, { "id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed", "created_at": "2023-01-06T13:46:38.814104Z", "updated_at": "2026-04-10T02:00:03.110104Z", "deleted_at": null, "main_name": "MageCart", "aliases": [], "source_name": "MISPGALAXY:MageCart", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "25758a84-d695-44e7-9cd5-3c6e999ce6c0", "created_at": "2023-01-06T13:46:39.237624Z", "updated_at": "2026-04-10T02:00:03.255835Z", "deleted_at": null, "main_name": "OUTLAW SPIDER", "aliases": [], "source_name": "MISPGALAXY:OUTLAW SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "cbede712-4cc3-47c6-bf78-92fd9f1beac6", "created_at": "2022-10-25T15:50:23.777222Z", "updated_at": "2026-04-10T02:00:05.399303Z", "deleted_at": null, "main_name": "PROMETHIUM", "aliases": [ "PROMETHIUM", "StrongPity" ], "source_name": "MITRE:PROMETHIUM", "tools": [ "Truvasys", "StrongPity" ], "source_id": "MITRE", "reports": null }, { "id": "38e9c8e3-38f8-4500-8c5c-8349b3e9a998", "created_at": "2023-01-06T13:46:39.207556Z", "updated_at": "2026-04-10T02:00:03.246557Z", "deleted_at": null, "main_name": "RIDDLE SPIDER", "aliases": [], "source_name": "MISPGALAXY:RIDDLE SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e227b757-7032-4a99-b119-1bfda2ebd543", "created_at": "2023-01-06T13:46:39.21663Z", "updated_at": "2026-04-10T02:00:03.248543Z", "deleted_at": null, "main_name": "SOLAR SPIDER", "aliases": [], "source_name": "MISPGALAXY:SOLAR SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "1f6ae238-765f-4495-9d54-6a7883d7a319", "created_at": "2022-10-25T16:07:24.573456Z", "updated_at": "2026-04-10T02:00:05.037738Z", "deleted_at": null, "main_name": "TA511", "aliases": [ "MAN1", "Moskalvzapoe" ], "source_name": "ETDA:TA511", "tools": [ "Agentemis", "Chanitor", "Cobalt Strike", "CobaltStrike", "Ficker Stealer", "Hancitor", "NetSupport", "NetSupport Manager", "NetSupport Manager RAT", "NetSupport RAT", "NetSupportManager RAT", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "b4ec06e5-60c9-4796-9f85-129c77d1652b", "created_at": "2023-01-06T13:46:39.21956Z", "updated_at": "2026-04-10T02:00:03.249407Z", "deleted_at": null, "main_name": "VIKING SPIDER", "aliases": [], "source_name": "MISPGALAXY:VIKING SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e90ec9cb-9959-455d-b558-4bafef64d645", "created_at": "2022-10-25T16:07:24.222081Z", "updated_at": "2026-04-10T02:00:04.903184Z", "deleted_at": null, "main_name": "Sphinx", "aliases": [ "APT-C-15" ], "source_name": "ETDA:Sphinx", "tools": [ "AnubisSpy", "Backdoor.Oldrea", "Bladabindi", "Fertger", "Havex", "Havex RAT", "Jorik", "Oldrea", "PEACEPIPE", "njRAT", "yellowalbatross" ], "source_id": "ETDA", "reports": null }, { "id": "4660477f-333f-4a18-b49b-0b4d7c66d482", "created_at": "2023-01-06T13:46:38.511962Z", "updated_at": "2026-04-10T02:00:03.007466Z", "deleted_at": null, "main_name": "PROMETHIUM", "aliases": [ "StrongPity", "G0056" ], "source_name": "MISPGALAXY:PROMETHIUM", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "908cf62e-45cd-492b-bf12-d0902e12fece", "created_at": "2024-08-20T02:00:04.543947Z", "updated_at": "2026-04-10T02:00:03.68848Z", "deleted_at": null, "main_name": "UNC4393", "aliases": [ "Storm-1811", "CURLY SPIDER", "STAC5777" ], "source_name": "MISPGALAXY:UNC4393", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "75108fc1-7f6a-450e-b024-10284f3f62bb", "created_at": "2024-11-01T02:00:52.756877Z", "updated_at": "2026-04-10T02:00:05.273746Z", "deleted_at": null, "main_name": "Play", "aliases": null, "source_name": "MITRE:Play", "tools": [ "Nltest", "AdFind", "PsExec", "Wevtutil", "Cobalt Strike", "Playcrypt", "Mimikatz" ], "source_id": "MITRE", "reports": null }, { "id": "8143b0d6-bfa0-43cc-b45f-dbcf4728741c", "created_at": "2025-05-29T02:00:03.230052Z", "updated_at": "2026-04-10T02:00:03.880481Z", "deleted_at": null, "main_name": "Malsmoke", "aliases": [], "source_name": "MISPGALAXY:Malsmoke", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b4a6d558-3cba-499c-b58a-f15d65b7a604", "created_at": "2023-01-06T13:46:39.346924Z", "updated_at": "2026-04-10T02:00:03.295317Z", "deleted_at": null, "main_name": "Killnet", "aliases": [], "source_name": "MISPGALAXY:Killnet", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "50fd5da4-c2f3-4a35-aebe-14f86fd567cb", "created_at": "2025-03-04T02:00:02.997969Z", "updated_at": "2026-04-10T02:00:03.813132Z", "deleted_at": null, "main_name": "UNC3973", "aliases": [], "source_name": "MISPGALAXY:UNC3973", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7", "created_at": "2025-03-29T02:05:20.764715Z", "updated_at": "2026-04-10T02:00:03.851829Z", "deleted_at": null, "main_name": "GOLD WYMAN", "aliases": [ "Silence " ], "source_name": "Secureworks:GOLD WYMAN", "tools": [ "Silence" ], "source_id": "Secureworks", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd", "created_at": "2023-01-06T13:46:39.153487Z", "updated_at": "2026-04-10T02:00:03.232006Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "EvilNum", "Jointworm", "KNOCKOUT SPIDER", "DeathStalker", "TA4563" ], "source_name": "MISPGALAXY:Evilnum", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "542cf9d0-9c68-428c-aff8-81b6f59dc985", "created_at": "2023-02-15T02:01:49.554105Z", "updated_at": "2026-04-10T02:00:03.347115Z", "deleted_at": null, "main_name": "Moskalvzapoe", "aliases": [ "MAN1", "TA511" ], "source_name": "MISPGALAXY:Moskalvzapoe", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "38f8da87-b4ba-474b-83e6-5b04d8fb384b", "created_at": "2024-02-02T02:00:04.032871Z", "updated_at": "2026-04-10T02:00:03.532955Z", "deleted_at": null, "main_name": "Caramel Tsunami", "aliases": [ "SOURGUM", "Candiru" ], "source_name": "MISPGALAXY:Caramel Tsunami", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c240435e-8863-4e5b-9f47-20c6f5c52131", "created_at": "2022-10-25T16:07:23.253019Z", "updated_at": "2026-04-10T02:00:04.505012Z", "deleted_at": null, "main_name": "Outlaw Spider", "aliases": [], "source_name": "ETDA:Outlaw Spider", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "39ea99fb-1704-445d-b5cd-81e7c99d6012", "created_at": "2022-10-25T16:07:23.601894Z", "updated_at": "2026-04-10T02:00:04.684134Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "G0120", "Jointworm", "Operation Phantom in the [Command] Shell", "TA4563" ], "source_name": "ETDA:Evilnum", "tools": [ "Bypass-UAC", "Cardinal RAT", "ChromeCookiesView", "EVILNUM", "Evilnum", "IronPython", "LaZagne", "MailPassView", "More_eggs", "ProduKey", "PyVil", "PyVil RAT", "SONE", "SpicyOmelette", "StealerOne", "Taurus Loader Stealer Module", "Taurus Loader TeamViewer Module", "Terra Loader", "TerraPreter", "TerraStealer", "TerraTV" ], "source_id": "ETDA", "reports": null }, { "id": "88e53203-891a-46f8-9ced-81d874a271c4", "created_at": "2022-10-25T16:07:24.191982Z", "updated_at": "2026-04-10T02:00:04.895327Z", "deleted_at": null, "main_name": "Silence", "aliases": [ "ATK 86", "Contract Crew", "G0091", "TAG-CR8", "TEMP.TruthTeller", "Whisper Spider" ], "source_name": "ETDA:Silence", "tools": [ "EDA", "EmpireDNSAgent", "Farse", "Ivoke", "Kikothac", "LOLBAS", "LOLBins", "Living off the Land", "Meterpreter", "ProxyBot", "ReconModule", "Silence.Downloader", "TiniMet", "TinyMet", "TrueBot", "xfs-disp.exe" ], "source_id": "ETDA", "reports": null }, { "id": "e6148aa7-4347-4444-a2a0-dbbf7c0f121c", "created_at": "2022-10-25T16:07:24.12696Z", "updated_at": "2026-04-10T02:00:04.875073Z", "deleted_at": null, "main_name": "Riddle Spider", "aliases": [ "Avaddon Team" ], "source_name": "ETDA:Riddle Spider", "tools": [ "Avaddon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434515, "ts_updated_at": 1775792134, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/be033bb6c213f5f93a462e48043ffaa6274b822e.pdf", "text": "https://archive.orkl.eu/be033bb6c213f5f93a462e48043ffaa6274b822e.txt", "img": "https://archive.orkl.eu/be033bb6c213f5f93a462e48043ffaa6274b822e.jpg" } }