{
	"id": "53d2f525-aef3-4269-83a4-db4579b4596d",
	"created_at": "2026-04-06T00:20:54.152316Z",
	"updated_at": "2026-04-10T03:30:46.16071Z",
	"deleted_at": null,
	"sha1_hash": "bf2c3d7aeff8bbd995105ddf38b8d2f274ebc2e0",
	"title": "DEV-0196: QuaDream’s “KingsPawn” malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 100782,
	"plain_text": "DEV-0196: QuaDream’s “KingsPawn” malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2023-04-11 · Archived: 2026-04-05 17:03:08 UTC\r\nApril 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. DEV-0196 is now tracked as Carmine Tsunami. To learn more about this evolution, how the new taxonomy represents the origin, unique traits, and impact of threat actors, and a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy.\r\nMicrosoft Threat Intelligence analysts assess with high confidence that a threat group tracked by Microsoft as DEV-0196 is linked to an Israel-based private sector offensive actor (PSOA) known as QuaDream. QuaDream reportedly sells a platform they call REIGN to governments for law enforcement purposes. REIGN is a suite of exploits, malware, and infrastructure designed to exfiltrate data from mobile devices.\r\nIn this blog, Microsoft analyzes DEV-0196, discusses technical details of the actor’s iOS malware, which we call KingsPawn, and shares both host and network indicators of compromise that can be used to aid in detection.\r\nOver the course of our investigation into DEV-0196, Microsoft collaborated with multiple partners. One of those partners, Citizen Lab of the University of Toronto’s Munk School, identified at least five civil society victims of the DEV-0196 malware that included journalists, political opposition figures, and a non-government organisation (NGO) worker, in North America, Central Asia, Southeast Asia, Europe, and the Middle East.
Furthermore, Citizen Lab was able to identify operator locations for QuaDream systems in the following countries: Bulgaria, Czechia, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates, and Uzbekistan. Read the Citizen Lab report here.\r\nMicrosoft is sharing information about DEV-0196 with our customers, industry partners, and the public to improve collective knowledge of how PSOAs operate and raise awareness about how PSOAs facilitate the targeting and exploitation of civil society. For more info, read Standing up for democratic values and protecting stability of cyberspace.\r\nDEV-0196: A private-sector offensive actor based in Israel\r\nPSOAs, which Microsoft also refers to as cyber mercenaries, sell hacking tools or services through a variety of business models, including access as a service. In access as a service, the actor sells full end-to-end hacking tools that can be used by the purchaser in cyber operations. The PSOA itself is not involved in any targeting or running of the operations.\r\nhttps://www.microsoft.com/en-us/security/blog/2023/04/11/dev-0196-quadreams-kingspawn-malware-used-to-target-civil-society-in-europe-north-america-the-middle-east-and-southeast-asia/\r\nPage 1 of 13\n\nMicrosoft Threat Intelligence analysts assess with high confidence that DEV-0196 uses this model, selling exploitation services and malware to governments. It’s not directly involved in targeting. Microsoft also assesses with high confidence that DEV-0196 is linked to an Israel-based private company called QuaDream. According to the Israeli Corporations Authority, QuaDream, under the Israeli name קוודרים בע“מ, was incorporated in August 2016.
The company has no website, and there is little public reporting about the company, with a few notable exceptions.\r\nQuaDream came to international attention in a 2022 Reuters report, which cited a company brochure that described the REIGN platform and a list of capabilities. The report also notably suggested that QuaDream used a zero-click iOS exploit that leveraged the same vulnerability seen in NSO Group’s ForcedEntry exploit. An earlier report by Israeli news outlet Haaretz, also citing a QuaDream brochure, revealed that QuaDream did not sell REIGN directly to customers but instead did so through a Cypriot company. Haaretz also reported that Saudi Arabia’s government was among QuaDream’s clients, as was the government of Ghana. However, Haaretz could not confirm allegations made in the Ghanaian press and repeated in the Israeli press that QuaDream employees were among 14 Israeli tech workers from different companies who travelled to Accra, Ghana in 2020 to meet with the incumbent administration three months prior to the presidential election for the purposes of a special project relating to it.\r\nQuaDream was mentioned in a December 2022 report from Meta, which reportedly took down 250 accounts associated with the company. According to the report, Meta observed QuaDream testing its ability to exploit iOS and Android mobile devices with the intent “to exfiltrate various types of data including messages, images, video and audio files, and geolocation.”\r\nTechnical investigation: DEV-0196 malware\r\nMicrosoft Threat Intelligence analysts assess with high confidence that the malware, which we call KingsPawn, is developed by DEV-0196 and therefore strongly linked to QuaDream.
We assess with medium confidence that the mobile malware we associate with DEV-0196 is part of the system publicly discussed as REIGN.\r\nThe captured samples targeted iOS devices, specifically iOS 14, but there were indications that some of the code could also be used on Android devices. Since the malware sample targets iOS 14, some of the techniques used in this sample may no longer work or be relevant on newer iOS versions. However, we assess it’s highly likely that DEV-0196 will have updated their malware, targeting newer versions to account for this. Analysis of the malware revealed that it is split into multiple components. The sections below focus on two of those components: a monitor agent and the main malware agent.\r\nMonitor agent\r\nThe monitor agent is a native Mach-O file written in Objective-C. It is responsible for reducing the forensic footprint of the malware to prevent detection and hinder investigations. It has multiple techniques to do this, one of which is monitoring various directories, such as /private/var/db/analyticsd/ and /private/var/mobile/Library/Logs/CrashReporter, for any malware execution artifacts or crash-related files. Once these artifacts or files are identified, the monitor agent deletes them.\r\nThe monitor agent is also in charge of managing the various processes and threads spawned on behalf of the malware to avoid artifacts created from unexpected process crashes. The agent uses the waitpid function to monitor all child processes that are spawned, and the child process IDs are added to a tracking list.
The monitor agent attempts to safely shut down tracked child processes by calling sigaction with the SIGTSTP parameter; if the call returns successfully, the child process is reachable and a SIGKILL is then sent to kill it. This avoids sending a kill command to a non-existent PID, which can leave error messages and artifacts behind.\r\nMain agent\r\nThe main agent is also a native Mach-O file. However, it is written in Go, a highly portable language, which was likely chosen because it allows compilation across multiple platforms, reducing development effort.\r\nThis agent includes capabilities to:\r\nGet device information (such as iOS version and battery status)\r\nGet Wi-Fi information (such as SSID and airplane mode status)\r\nGet cellular information (such as carrier, SIM card data, and phone number)\r\nSearch for and retrieve files\r\nUse the device camera in the background\r\nGet device location\r\nMonitor phone calls\r\nAccess the iOS keychain\r\nGenerate an iCloud time-based one-time password (TOTP)\r\nIt achieves some of these functionalities, for example the surreptitious camera use, by leveraging two key binaries, tccd and mediaserverd, a technique described by ZecOps. The name tccd stands for Transparency, Consent, and Control (TCC) Daemon, and the process manages the access permissions for various peripherals such as the camera and microphone. Normally, users are met with a pop-up prompt from the tccd process, alerting them that something has requested access to the camera, microphone, or other peripheral, and the user is required to either allow or deny it. In this compromise scenario, the agent injects itself into the tccd process, which allows the agent to spawn both new processes and threads as part of the exploitation process, and also allows it to bypass any tccd prompts on the device, meaning the user would be unaware of camera compromise.
In concert with tccd, the agent also provisions itself permission to run in the background via mediaserverd. This binary handles the interface that other apps interact with when utilizing the camera. For more details on iOS process injection, tccd and other system components, see Jonathan Levin’s macOS and iOS internals books and blog.\r\nThe techniques used in the main agent include a PMAP bypass, an Apple Mobile File Integrity (AMFI) bypass, and a sandbox escape. PMAP is one of the mechanisms that works with the Page Protection Layer (PPL) to prevent unsigned code from running on iOS devices. AMFI is a protection mechanism comprised of multiple components, including a kernel extension, AppleMobileFileIntegrity.kext, as well as a userland daemon, amfid. The sandbox limits access to system resources and user data via an entitlements system. Although PMAP, PPL, AMFI, and the sandbox have been hardened over the years, advanced attackers attempt to circumvent these protection mechanisms in order to run unsigned code.\r\nThe agent also creates a secure channel for XPC messaging by creating a nested app extension called fud.appex. XPC messaging allows the agent to query various system binaries for sensitive device information, such as location details. Although there is a legitimate binary called fud on iOS devices that is part of the Mobile Accessory updater service, fud.appex is not part of a legitimate Apple service. The agent creates the malicious app extension inside the folder /private/var/db/com.apple.xpc.roleaccountd.staging/PlugIns/. The primary reason for performing XPC messaging from within this application extension is to establish a covert channel that enables the agent to avoid being monitored.
This nested directory technique means that the XPC service is registered in such a way that it is only visible to the app extension itself, so any external monitoring by other applications and system processes is far more difficult. Upon unhooking and restoring tccd to its original state, the entire PlugIns folder is removed to further hide any artifacts of its existence.\r\nIn their blog, Citizen Lab discusses the presence of likely malicious calendar events on devices compromised by DEV-0196’s malware, so another notable function of the main agent is that it contains specific code to remove events from the device’s calendar. The agent searches all calendar events from two years prior to the current time and up to the furthest possible allowed future time, removing any events that are tied to a given email address as the “organizer”. The agent also removes the email address from the idstatuscache.plist, which is a database containing records of the first contact of the device with other iCloud accounts. This list would contain the email address that sent the malicious calendar invitation, as well as a time stamp of the original interaction, such as when the invite was received.\r\nThere is additional functionality within the agent to cover its tracks by removing artifacts of location monitoring from the locationd process’ records. To first query locations from locationd, the agent must register a client that communicates with locationd via XPC messaging. The locationd process then stores a record of these connections in /private/var/root/Library/Caches/locationd/clients.plist. The malicious agent searches for items in the client plist that have a suffix of subridged, and then removes them, which indicates that the name of their location monitoring client likely ends in that word.
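The locationd client record and the staging paths named in this post are the host artifacts a responder can actually test for. The following Python script is an added example written for this page, not code from the post or from Microsoft: given the root of a full filesystem extraction from an iOS device, it checks the host-based indicators listed later in this post (the subridged file and the fud.appex plug-in directory under com.apple.xpc.roleaccountd.staging, plus any file named com.apple.avcapture, whose location the post does not give), and it parses the clients.plist kept by locationd for client keys ending in subridged. The sample tree and the client key it builds are constructed test data, and the key itself is hypothetical. Because the monitor agent deletes its own artifacts, a clean scan is not evidence of a clean device; treat hits as leads, not attribution.

```python
import os
import plistlib
import tempfile

# Host-based indicators taken from the post, relative to the filesystem root.
IOC_PATHS = [
    'private/var/db/com.apple.xpc.roleaccountd.staging/subridged',
    'private/var/db/com.apple.xpc.roleaccountd.staging/PlugIns/fud.appex',
]
# The post names this artifact without a directory, so any file with this
# exact name anywhere in the tree is reported (assumption, not from the post).
IOC_NAMES = {'com.apple.avcapture'}
LOCATIOND_CLIENTS = 'private/var/root/Library/Caches/locationd/clients.plist'
CLIENT_SUFFIX = 'subridged'


def scan_root(root):
    '''Scan an extracted iOS filesystem rooted at root.

    Returns a sorted list of (kind, detail) tuples; an empty list means no
    listed artifact was found, which does not prove the device is clean.
    '''
    findings = []
    for rel in IOC_PATHS:
        if os.path.lexists(os.path.join(root, rel)):
            findings.append(('path', rel))
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if name in IOC_NAMES:
                full = os.path.join(dirpath, name)
                findings.append(('file', os.path.relpath(full, root)))
    clients = os.path.join(root, LOCATIOND_CLIENTS)
    if os.path.isfile(clients):
        with open(clients, 'rb') as fh:
            records = plistlib.load(fh)
        # locationd keys its client records by client identifier; the agent
        # deletes keys ending in subridged, so a surviving one is a strong lead.
        for key in records:
            if isinstance(key, str) and key.endswith(CLIENT_SUFFIX):
                findings.append(('locationd_client', key))
    return sorted(findings)


def build_sample_root(infected=True):
    '''Build a throwaway tree that mimics an extraction (constructed data).'''
    root = tempfile.mkdtemp(prefix='ios_fs_')
    loc_dir = os.path.join(root, os.path.dirname(LOCATIOND_CLIENTS))
    os.makedirs(loc_dir)
    records = {'com.apple.Maps': {'Authorized': True}}
    if infected:
        appex = os.path.join(root, IOC_PATHS[1])
        os.makedirs(appex)
        with open(os.path.join(appex, 'Info.plist'), 'wb') as fh:
            fh.write(b'bplist00')
        # Hypothetical key: the post only says the client name ends in subridged.
        records['/private/var/db/com.apple.xpc.roleaccountd.staging/subridged'] = {
            'Authorized': True,
        }
    with open(os.path.join(loc_dir, 'clients.plist'), 'wb') as fh:
        plistlib.dump(records, fh, fmt=plistlib.FMT_BINARY)
    return root


if __name__ == '__main__':
    for kind, detail in scan_root(build_sample_root()):
        print(kind, detail)
```

Point scan_root at the mount point of a full filesystem extraction rather than at an iTunes or Finder backup: /private/var/db and /private/var/root are outside what a backup captures, so the paths above are simply absent there and the scan would report nothing.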
This is another example of malicious activity attempting to masquerade as benign system processes, since subridged is the name of a legitimate Apple binary, a part of the SoftwareUpdateBridge Framework.\r\nTechnical investigation: DEV-0196 infrastructure\r\nMicrosoft developed unique network detections that could be used to fingerprint DEV-0196’s infrastructure on the internet. The group heavily utilized domain registrars and inexpensive cloud hosting providers that accepted cryptocurrency as payment. They tended to only use a single domain per IP address, and domains were very rarely reused across multiple IP addresses. Many of the observed domains were deployed using free Let’s Encrypt SSL certificates, while others used self-signed certificates designed to blend in with normal Kubernetes deployments. We have included network-based indicators at the end of this post for detection purposes. Often, threat actors employ domains that carry country-specific TLDs or themes that align with the location of intended targets. Notably, our list of DEV-0196 domains includes domains strongly associated with some countries that Citizen Lab has identified as locations of victims, countries where QuaDream platforms were operating, or both. To be clear, the identification of victims of the malware in a country doesn’t necessarily mean that an entity in that country is a DEV-0196 customer, as international targeting is common.\r\nPrevention and detection\r\nPreventing exploitation of mobile devices by advanced actors who potentially have zero-click exploits is difficult. There are also significant challenges in detecting an attack on mobile devices, both during and after the compromise.
This section discusses some methods for minimizing the risk of malicious actors compromising mobile devices, and then provides some indicators of compromise we associate with DEV-0196 activity.\r\nBasic cyber hygiene is important in helping prevent mobile device compromise. Specific best practices include keeping the device’s software updated to the latest version, enabling automatic software updates if available, using anti-malware software, and being vigilant about not clicking links in any unexpected or suspicious messages.\r\nIf you believe you may be targeted by advanced attackers and use an iOS device, we recommend enabling Lockdown Mode. Lockdown Mode offers enhanced security for iOS devices by reducing the attack surface available to threat actors.\r\nSentinel detections\r\nMicrosoft Sentinel customers can use the TI Mapping analytic to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.
More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy.\r\nIn addition, customers can access the shared indicators in a structured format via GitHub so that they can be integrated into custom analytics and other queries: https://github.com/microsoft/mstic/blob/master/RapidReleaseTI/Indicators.csv.\r\nIndicators of compromise (IOCs)\r\nHost-based indicators\r\nThese host-based indicators are indicative of DEV-0196 activity; however, they shouldn’t be used solely as attribution since other actors may also use the same or similar TTPs.\r\nThe file /private/var/db/com.apple.xpc.roleaccountd.staging/subridged existing, or process activity originating from it\r\nThe file com.apple.avcapture existing, or process activity originating from it\r\nThe folder /private/var/db/com.apple.xpc.roleaccountd.staging/PlugIns/fud.appex/ existing, or activity detected from within that folder\r\nNetwork indicators\r\nBased on the results of our C2 investigation, Microsoft Threat Intelligence associates the following domains with DEV-0196 activity.
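The TI Map analytic performs this matching for Sentinel customers; outside Sentinel the same list can be matched by hand. The following Python is an added example written for this page, not Microsoft code and not the TI Map rule: it parses rows in the defanged format of the table that follows (domain, first active, last active, with CURRENT meaning still active at publication), keeps every activity window for a domain that appears in more than one row, and matches DNS query logs against the list, treating a query for any subdomain of an indicator as a hit while rejecting look-alikes that merely contain the indicator. The table excerpt is copied from the table in this post; the DNS log lines and their key=value layout are constructed for the example and are not a real log format.

```python
import datetime

# Rows copied from the indicator table in this post; the format is
# domain, first active, last active, with CURRENT meaning still active.
TABLE_EXCERPT = '''
Domain First active Last active
fosterunch[.]com 2022-05-30 CURRENT
womnbling[.]com 2022-05-30 CURRENT
codingstudies[.]com 2022-11-16 CURRENT
codingstudies[.]com 2023-03-08 CURRENT
zooloow[.]com 2023-03-01 CURRENT
zooloow[.]com 2023-02-26 2023-03-04
zooloow[.]com 2022-11-10 2023-02-25
sunnyweek[.]site 2022-07-01 2022-09-07
'''

# Constructed DNS resolver log lines (not a real log format): ISO timestamp
# followed by key=value fields.
LOG_LINES = '''
2023-03-02T10:15:01Z client=10.0.0.7 query=api.zooloow.com type=A
2023-03-02T10:15:02Z client=10.0.0.7 query=www.example.com type=A
2022-08-01T08:00:00Z client=10.0.0.9 query=sunnyweek.site type=AAAA
2023-03-02T10:16:00Z client=10.0.0.9 query=notzooloow.com type=A
2023-03-02T10:17:00Z client=10.0.0.9 query=fosterunch.com.evil.test type=A
'''


def refang(domain):
    '''Turn a defanged indicator such as foo[.]com back into a hostname.'''
    return domain.replace('[.]', '.').strip('.').lower()


def parse_table(text):
    '''Return {domain: [(first_active, last_active_or_None), ...]}.

    Blank lines, the header row and any other residue are skipped; a domain
    listed more than once keeps every window rather than only the last one.
    '''
    iocs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or '[.]' not in parts[0]:
            continue
        domain, first, last = parts
        window = (
            datetime.date.fromisoformat(first),
            None if last == 'CURRENT' else datetime.date.fromisoformat(last),
        )
        iocs.setdefault(refang(domain), []).append(window)
    return iocs


def match_indicator(hostname, iocs):
    '''Return the indicator matching hostname exactly or as a parent domain.'''
    labels = refang(hostname).split('.')
    for i in range(len(labels) - 1):
        candidate = '.'.join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def in_window(day, windows):
    '''True if day falls inside any (first, last) window; last None is open.'''
    return any(first <= day <= (last or datetime.date.max) for first, last in windows)


def scan_logs(lines, iocs):
    '''Return (timestamp, client, query, indicator, in_window) for each hit.'''
    hits = []
    for line in lines.splitlines():
        parts = line.split()
        if not parts:
            continue
        fields = dict(p.split('=', 1) for p in parts[1:] if '=' in p)
        query = fields.get('query', '')
        indicator = match_indicator(query, iocs)
        if indicator is None:
            continue
        day = datetime.date.fromisoformat(parts[0][:10])
        hits.append((parts[0], fields.get('client'), query, indicator,
                     in_window(day, iocs[indicator])))
    return hits


if __name__ == '__main__':
    for hit in scan_logs(LOG_LINES, parse_table(TABLE_EXCERPT)):
        print(*hit)
```

The last-seen dates only bound when Microsoft observed the infrastructure, so a hit with in_window False is still worth triage; the flag is there to prioritise, not to filter. If the GitHub CSV linked above is used instead of the table, replace parse_table with a reader for that file's own columns.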
The dates on which each domain was first detected as likely in use are given, along with the last seen active date.\r\nDomain First active Last active\r\nfosterunch[.]com 2022-05-30 CURRENT\r\nwomnbling[.]com 2022-05-30 CURRENT\r\nzebra-arts[.]com 2022-05-31 CURRENT\r\npennywines[.]com 2022-08-19 CURRENT\r\nchoccoline[.]com 2022-08-19 CURRENT\r\nlateparties[.]com 2022-09-15 CURRENT\r\nfoundurycolletive[.]com 2022-11-07 CURRENT\r\njungelfruitime[.]com 2022-11-09 CURRENT\r\ngameboysess[.]com 2022-11-09 CURRENT\r\nhealthcovid19[.]com 2022-11-10 CURRENT\r\ncodingstudies[.]com 2022-11-16 CURRENT\r\nhoteluxurysm[.]com 2022-11-18 CURRENT\r\nnewz-globe[.]com 2022-11-23 CURRENT\r\nhotalsextra[.]com 2022-11-23 CURRENT\r\nnordmanetime[.]com 2022-11-23 CURRENT\r\nfullaniimal[.]com 2022-11-23 CURRENT\r\nwikipedoptions[.]com 2022-11-23 CURRENT\r\nredanddred[.]com 2022-11-23 CURRENT\r\nwhiteandpiink[.]com 2022-12-02 CURRENT\r\nagronomsdoc[.]com 2022-12-02 CURRENT\r\nnutureheus[.]com 2022-12-02 CURRENT\r\ntimeeforsports[.]com 2022-12-15 CURRENT\r\ntreerroots[.]com 2022-12-15 CURRENT\r\nunitedyears[.]com 2022-12-15 CURRENT\r\neccocredit[.]com 2022-12-16 CURRENT\r\necologitics[.]com 2022-12-19 CURRENT\r\nclimatestews[.]com 2022-12-19 CURRENT\r\naqualizas[.]com 2022-12-19 CURRENT\r\nbgnews-bg[.]com 2022-12-20 CURRENT\r\nmikontravels[.]com 2022-12-23 CURRENT\r\ne-gaming[.]online 2022-12-23 CURRENT\r\ntransformaition[.]com 2022-12-23 CURRENT\r\nbetterstime[.]com 2022-12-23 CURRENT\r\ngoshopeerz[.]com 2022-12-23 CURRENT\r\ncountshops[.]com 2022-12-23 CURRENT\r\ninneture[.]com 2022-12-23
CURRENT\r\nshoppingeos[.]com 2022-12-23 CURRENT\r\nmwww[.]ro 2023-01-05 CURRENT\r\nrentalproct[.]com 2023-01-05 CURRENT\r\nbcarental[.]com 2023-01-05 CURRENT\r\nkikocruize[.]com 2023-01-05 CURRENT\r\nelvacream[.]com 2023-01-10 CURRENT\r\npachadesert[.]com 2023-01-12 CURRENT\r\nrazzodev[.]com 2023-02-06 CURRENT\r\nwombatcash[.]com 2023-02-06 CURRENT\r\nglobepayinfo[.]com 2023-02-06 CURRENT\r\njob4uhunt[.]com 2023-02-08 CURRENT\r\nctbgameson[.]com 2023-02-08 CURRENT\r\nadeptary[.]com 2023-02-08 CURRENT\r\nhinterfy[.]com 2023-02-08 CURRENT\r\nbiznomex[.]com 2023-02-08 CURRENT\r\ncareerhub4u[.]com 2023-02-08 CURRENT\r\nfuriamoc[.]com 2023-02-08 CURRENT\r\nmotorgamings[.]com 2023-02-08 CURRENT\r\naniarchit[.]com 2023-02-08 CURRENT\r\nskyphotogreen[.]com 2023-02-26 CURRENT\r\ndatacentertime[.]com 2023-02-26 CURRENT\r\nstylelifees[.]com 2023-02-26 CURRENT\r\nkidzlande[.]com 2023-03-01 CURRENT\r\nhomelosite[.]com 2023-03-01 CURRENT\r\nzooloow[.]com 2023-03-01 CURRENT\r\nstudiesutshifts[.]com 2023-03-01 CURRENT\r\ncodingstudies[.]com 2023-03-08 CURRENT\r\nlondonistory[.]com 2023-03-16 CURRENT\r\nbestteamlife[.]com 2023-03-16 CURRENT\r\nnewsandlocalupdates[.]com 2023-03-16 CURRENT\r\nyouristores[.]com 2023-03-16 CURRENT\r\nzooloow[.]com 2023-02-26 2023-03-04\r\nkidzlande[.]com 2023-02-26 2023-03-04\r\nhomelosite[.]com 2023-02-26 2023-03-04\r\nstudiesutshifts[.]com 2023-02-26 2023-03-04\r\ndatacentertime[.]com 2022-11-07 2023-02-25\r\nhomelosite[.]com 2022-11-09 2023-02-25\r\nzooloow[.]com 2022-11-10 2023-02-25\r\nkidzlande[.]com 2022-11-10 2023-02-25\r\nstudiesutshifts[.]com 2022-11-10 2023-02-25\r\nstylelifees[.]com 2022-11-11 2023-02-25\r\nskyphotogreen[.]com 2022-11-11 2023-02-25\r\ngardenearthis[.]com 2023-01-11 2023-02-25\r\nfullstorelife[.]com 2023-01-11
2023-02-25\r\nincollegely[.]org 2022-05-24 2023-01-20\r\nshoplifys[.]com 2022-05-26 2023-01-20\r\nthetimespress[.]com 2022-06-24 2023-01-20\r\nstudyshifts[.]com 2022-06-24 2023-01-20\r\ncodinerom[.]com 2022-07-10 2023-01-20\r\ngamingcolonys[.]com 2022-07-17 2023-01-20\r\nkidzalnd[.]org 2022-07-17 2023-01-20\r\nwildhour[.]store 2022-07-26 2023-01-20\r\nwilddog[.]site 2022-07-26 2023-01-20\r\ngarilc[.]com 2022-07-26 2023-01-20\r\nrunningandbeyond[.]org 2022-08-04 2023-01-20\r\nfullmoongreyparty[.]org 2022-08-04 2023-01-20\r\ngreenrunners[.]org 2022-08-04 2023-01-20\r\nsunsandlights[.]com 2022-08-09 2023-01-20\r\ntechpowerlight[.]com 2022-08-16 2023-01-20\r\ngamezess[.]com 2022-08-29 2023-01-20\r\nplanningly[.]org 2022-08-29 2023-01-20\r\nluxario[.]org 2022-09-03 2023-01-20\r\nvinoneros[.]com 2022-09-03 2023-01-20\r\ni-reality[.]online 2022-09-07 2023-01-20\r\nstyleanature[.]com 2022-09-07 2023-01-20\r\nplanetosgame[.]com 2022-12-12 2023-01-20\r\nkidsfunland[.]org 2022-07-29 2023-01-19\r\nfullstorelife[.]com 2022-11-11 2023-01-09\r\nlocaltallk[.]store 2022-01-26 2022-12-20\r\nallplaces[.]online 2022-01-26 2022-12-20\r\nsunclub[.]site 2022-01-26 2022-12-20\r\nthenewsfill[.]com 2022-05-26 2022-12-20\r\nwellnessjane[.]org 2022-05-26 2022-12-20\r\nmeehealth[.]org 2022-05-27 2022-12-20\r\ngameizes[.]com 2022-07-20 2022-12-20\r\nplayozas[.]com 2022-07-20 2022-12-20\r\nfoodyplates[.]com 2022-07-20 2022-12-20\r\ndesignaroo[.]org 2022-08-29 2022-12-20\r\ndesignspacing[.]org 2022-08-29 2022-12-20\r\nstockstiming[.]org 2022-09-01 2022-12-20\r\nhoteliqo[.]com 2022-09-01
2022-12-20\r\nprojectoid[.]org 2022-09-01 2022-12-20\r\nstudy-search[.]com 2022-09-01 2022-12-20\r\ntokenberries[.]com 2022-09-03 2022-12-20\r\nrecovery-plan[.]org 2022-09-07 2022-12-20\r\ndeliverystorz[.]com 2022-09-07 2022-12-20\r\nforestaaa[.]com 2022-10-04 2022-12-20\r\naddictmetui[.]com 2022-10-20 2022-12-20\r\nearthyouwantiis[.]com 2022-10-20 2022-12-20\r\nzedforme[.]com 2022-10-20 2022-12-20\r\nforestaaa[.]com 2022-10-28 2022-12-20\r\nnavadatime[.]com 2022-11-10 2022-12-15\r\ncareers4ad[.]com 2022-11-13 2022-12-15\r\ngardenearthis[.]com 2022-11-07 2022-12-14\r\nstudyreaserch[.]com 2022-11-09 2022-12-14\r\nnovinite[.]biz 2022-08-31 2022-12-10\r\nagronomsdoc[.]com 2022-11-16 2022-11-28\r\nwhiteandpiink[.]com 2022-11-16 2022-11-28\r\nnutureheus[.]com 2022-11-18 2022-11-28\r\ndressuse[.]com 2022-09-18 2022-11-20\r\niwoodstor[.]xyz 2022-09-18 2022-11-20\r\nteachlearning[.]org 2022-09-18 2022-11-20\r\nsubcloud[.]online 2022-09-21 2022-11-20\r\nmonvesting[.]com 2022-09-21 2022-11-20\r\nelektrozi[.]com 2022-09-21 2022-11-20\r\nhoteluxurysm[.]com 2022-11-09 2022-11-14\r\nhopsite[.]online 2022-11-13 2022-11-14\r\nbikersrental[.]com 2022-05-24 2022-11-13\r\ntakestox[.]com 2022-05-24 2022-11-13\r\nsidelot[.]org 2022-05-24 2022-11-13\r\npowercodings[.]com 2022-08-21 2022-11-13\r\nnaturemeter[.]org 2022-08-21 2022-11-13\r\ntakebreak[.]io 2022-10-12 2022-11-13\r\nfullstorelife[.]com 2022-11-07 2022-11-10\r\nnoraplant[.]com 2022-11-09 2022-11-09\r\nforestaaa[.]com 2022-10-04 2022-11-07\r\ngoodsforuw[.]com 2022-10-26 2022-11-07\r\nstayle[.]co 2022-10-26 2022-11-07\r\needloversra[.]online 2022-10-28 2022-11-07\r\nsevensdfe[.]com 2022-11-03 2022-11-07\r\ndsudro[.]com 2022-11-03 2022-11-07\r\ngameboysess[.]com 2022-11-07 2022-11-07\r\nsseamb[.]com 2022-10-26
2022-11-06\r\nhealthcovid19[.]com 2022-11-04 2022-11-06\r\nnoraplant[.]com 2022-11-04 2022-11-06\r\nfullstorelife[.]com 2022-11-04 2022-11-06\r\ndatacentertime[.]com 2022-11-04 2022-11-05\r\nrecover-your-body[.]xyz 2022-01-06 2022-11-02\r\nreloadyourbrowser[.]info 2022-07-05 2022-11-02\r\ncomeandpet[.]me 2022-07-05 2022-11-02\r\nbrushyourteeth[.]online 2022-07-05 2022-11-02\r\ndigital-mar[.]com 2022-08-10 2022-11-02\r\nretailmark[.]net 2022-08-16 2022-11-02\r\ndsudro[.]com 2022-10-04 2022-11-02\r\nstudysliii[.]com 2022-10-26 2022-11-02\r\nhomeigardens[.]com 2022-09-07 2022-10-29\r\nstayle[.]co 2022-10-20 2022-10-24\r\nstudysliii[.]com 2022-10-20 2022-10-24\r\ngoodsforuw[.]com 2022-10-20 2022-10-24\r\ndsudro[.]com 2022-10-20 2022-10-24\r\nsseamb[.]com 2022-10-20 2022-10-24\r\nsevensdfe[.]com 2022-10-20 2022-10-24\r\nkoraliowe[.]com 2022-04-05 2022-10-13\r\ntopuprr[.]com 2022-04-05 2022-10-13\r\nzeebefg[.]com 2022-04-05 2022-10-12\r\ntakebreak[.]io 2022-06-21 2022-10-11\r\nforestaaa[.]com 2022-10-03 2022-10-03\r\nteachlearning[.]org 2022-09-18 2022-09-18\r\nnewsbuiltin[.]online 2022-09-15 2022-09-17\r\njyfa[.]xyz 2022-09-15 2022-09-17\r\nmonvesting[.]com 2022-07-19 2022-09-15\r\nteachlearning[.]org 2022-07-19 2022-09-15\r\nelektrozi[.]com 2022-07-20 2022-09-15\r\nthepila[.]com 2022-09-15 2022-09-15\r\nthegreenlight[.]xyz 2022-01-11 2022-09-14\r\ngosport24[.]com 2022-01-11 2022-09-14\r\nclassiccolor[.]live 2022-01-11 2022-09-11\r\nshoeszise[.]xyz 2022-02-24 2022-09-11\r\ncleanitgo[.]info 2022-02-24 2022-09-11\r\nsetclass[.]live 2022-02-24
2022-09-11\r\nwhite-rhino[.]online 2022-04-14 2022-09-11\r\nspace-moon[.]com 2022-04-14 2022-09-11\r\nenrollering[.]com 2022-05-24 2022-09-11\r\nnewslocalupdates[.]com 2022-08-19 2022-09-11\r\nnewsbuiltin[.]online 2022-09-11 2022-09-11\r\nbeendos[.]com 2022-04-14 2022-09-10\r\nlinestrip[.]online 2022-07-01 2022-09-07\r\nsunnyweek[.]site 2022-07-01 2022-09-07\r\nSource: https://www.microsoft.com/en-us/security/blog/2023/04/11/dev-0196-quadreams-kingspawn-malware-used-to-target-civil-society-in-europe-north-america-the-middle-east-and-southeast-asia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2023/04/11/dev-0196-quadreams-kingspawn-malware-used-to-target-civil-society-in-europe-north-america-the-middle-east-and-southeast-asia/"
	],
	"report_names": [
		"dev-0196-quadreams-kingspawn-malware-used-to-target-civil-society-in-europe-north-america-the-middle-east-and-southeast-asia"
	],
	"threat_actors": [
		{
			"id": "b8c7c542-43ed-498c-af6b-b4b5f0c75724",
			"created_at": "2024-02-02T02:00:04.026045Z",
			"updated_at": "2026-04-10T02:00:03.529714Z",
			"deleted_at": null,
			"main_name": "Carmine Tsunami",
			"aliases": [
				"DEV-0196",
				"QuaDream"
			],
			"source_name": "MISPGALAXY:Carmine Tsunami",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434854,
	"ts_updated_at": 1775791846,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bf2c3d7aeff8bbd995105ddf38b8d2f274ebc2e0.pdf",
		"text": "https://archive.orkl.eu/bf2c3d7aeff8bbd995105ddf38b8d2f274ebc2e0.txt",
		"img": "https://archive.orkl.eu/bf2c3d7aeff8bbd995105ddf38b8d2f274ebc2e0.jpg"
	}
}