{
	"id": "47ad072e-68bd-44bd-8d97-2cc818e5dc72",
	"created_at": "2026-04-06T00:08:33.259575Z",
	"updated_at": "2026-04-10T13:12:07.67162Z",
	"deleted_at": null,
	"sha1_hash": "c000b4a2a24600da3c961113e0bed49591ac405b",
	"title": "Magic Hound, APT 35, Cobalt Illusion, Charming Kitten",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 137906,
	"plain_text": "Magic Hound, APT 35, Cobalt Illusion, Charming Kitten\r\nArchived: 2026-04-05 23:06:55 UTC\r\n APT group: Magic Hound, APT 35, Cobalt Illusion, Charming Kitten\r\nNames\r\nMagic Hound (Palo Alto)\r\nAPT 35 (Mandiant)\r\nCobalt Illusion (SecureWorks)\r\nCobalt Mirage (SecureWorks)\r\nCharming Kitten (CrowdStrike)\r\nTEMP.Beanie (FireEye)\r\nTimberworm (Symantec)\r\nTarh Andishan (Cylance)\r\nTA453 (Proofpoint)\r\nPhosphorus (Microsoft)\r\nTunnelVision (SentinelOne)\r\nUNC788 (FireEye)\r\nYellow Garuda (PWC)\r\nEducated Manticore (Check Point)\r\nMint Sandstorm (Microsoft)\r\nBallistic Bobcat (ESET)\r\nCharmingCypress (Volexity)\r\nAgent Serpens (Palo Alto)\r\nG0058 (MITRE)\r\nG0059 (MITRE)\r\nCountry Iran\r\nSponsor State-sponsored, Islamic Revolutionary Guard Corps (IRGC)\r\nMotivation Information theft and espionage\r\nFirst seen 2012\r\nDescription Magic Hound is an Iranian-sponsored threat group operating primarily in the Middle\r\nEast that dates back as early as 2014. The group behind the campaign has primarily\r\ntargeted organizations in the energy, government, and technology sectors that are\r\neither based or have business interests in Saudi Arabia.\r\nMagic Hound has 2 subgroups:\r\n1. Subgroup: DEV-0270, Nemesis Kitten\r\n2. 
Subgroup: TA455, Smoke Sandstorm\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=bb9b25ed-9ddc-4f65-bd01-ab8d6efc34ac\r\nPage 1 of 8\n\nThis group appears to be the evolvement of Cutting Kitten, TG-2889.\nThere is some infrastructure overlap with Rocket Kitten, Newscaster, NewsBeef,\nITG18 and APT 42.\nObserved\nSectors: Defense, Education, Energy, Financial, Government, Healthcare, IT,\nManufacturing, NGOs, Oil and gas, Technology, Telecommunications and that are\neither based or have business interests in Saudi Arabia, and ClearSky, HBO, civil\nand human rights activists and journalists.\nCountries: Afghanistan, Belgium, Brazil, Canada, Egypt, France, Iran, Iraq, Israel,\nJordan, Kuwait, Morocco, Pakistan, Saudi Arabia, Spain, Syria, Turkey, UAE, UK,\nUSA, Venezuela, Yemen and Gaza.\nTools used\n7-Zip, AnvilEcho, BASICSTAR, BlackSmith, ChromeHistoryView, CommandCam,\nCWoolger, DistTrack, DownPaper, FireMalv, FRP, Ghambar, GoProxy, Havij,\nHYPERSCRAPE, Leash, Matryoshka RAT, MediaPl, Mimikatz, MischiefTut,\nMPKBot, NETWoolger, NOKNOK, PINEFLOWER, PowerLess Backdoor,\nPOWERSTAR, RATHOLE, PsList, PupyRAT, Sponsor, sqlmap, TDTESS,\nWinRAR.\nOperations performed\nMid-2014\nOperation “Thamar Reservoir”\nThis report reviews an ongoing cyber-attack campaign dating back to\nmid-2014. Additional sources indicate it may date as far back as 2011.\nWe call this campaign Thamar Reservoir, named after one of the\ntargets, Thamar E. Gindin, who exposed new information about the\nattack and is currently assisting with the investigation.\n2016\nUnit 42 has discovered a persistent attack campaign operating\nprimarily in the Middle East dating back to at least mid-2016 which\nwe have named Magic Hound. This appears to be an attack campaign\nfocused on espionage. Based upon our visibility it has primarily\ntargeted organizations in the energy, government, and technology\nsectors that are either based or have business interests in Saudi\nArabia. 
The adversaries appear to have evolved their tactics and\ntechniques throughout the tracked time-period, iterating through a\ndiverse toolset across different waves of attacks.\nJan 2017 PupyRAT campaign\nSecureWorks Counter Threat Unit (CTU) researchers analyzed a\nphishing campaign that targeted a Middle Eastern organization in\nearly January 2017. Some of the messages were sent from legitimate\nemail addresses belonging to several Middle Eastern organizations.\n2017\nIn early 2017, SecureWorks Counter Threat Unit (CTU) researchers\nobserved phishing campaigns targeting several entities in the Middle\nEast and North Africa (MENA), with a focus on Saudi Arabian\norganizations. The campaigns delivered PupyRAT, an open-source\ncross-platform remote access Trojan.\nJun 2018\nImpersonating ClearSky, the security firm that uncovered its\ncampaigns\nIranian cyberespionage group Charming Kitten, which has been\noperating since 2014, has impersonated the cybersecurity firm that\nexposed its operations and campaigns. Israeli firm ClearSky Security\nsaid the group managed to copy its official website hosted on a\nsimilar-looking domain – clearskysecurity[.]net.\nClearSky’s actual website is Clearskysec.com.\nAug 2017\nBreach of HBO\nOn August 7 a small treasure trove of HBO content was posted\npublicly to the web by a hacker who is now demanding a $6 million\npayment to stop any further release of data. The hacker who goes by\nMr. 
Smith posted five scripts for Game of Thrones and a month’s\nworth of email from HBO Vice President for Film Programming\nLeslie Cohen along with some other corporate information, according\nto the Associated Press.\nOct 2018\nThe Return of The Charming Kitten\nIn this campaign, hackers have targeted individuals who are involved\nin economic and military sanctions against the Islamic Republic of\nIran as well as politicians, civil and human rights activists and\njournalists around the world.\nOur review in Certfa demonstrates that the hackers – knowing that\ntheir victims use two-step verification – target verification codes and\nalso their email accounts such as Yahoo! and Gmail.\nJul 2019\nIn August, the campaign has progressed, and unlike July, it seems like\nthe APT group is now expanding its activities toward influential\npublic figures around the world, rather than academic researchers\nstate organizations.\nAug 2019\nIn a 30-day period between August and September, the Microsoft\nThreat Intelligence Center (MSTIC) observed Phosphorus making\nmore than 2,700 attempts to identify consumer email accounts\nbelonging to specific Microsoft customers and then attack 241 of\nthose accounts.\nJan 2020\nFake Interview: The New Activity of Charming Kitten\nJun 2020\nAPT35 ‘Charming Kitten’ discovered in a pre-infected environment\nJul 2020\nStarting July 2020, we have identified a new TTP of the group,\nimpersonating “DeutscheWelle” and the “Jewish Journal” using\nemails alongside WhatsApp messages as their main platform to\napproach the target and convince them to open a malicious link.\nAug 2020\nNew cyberattacks targeting U.S. 
elections\nLate 2020\nOperation “BadBlood”\nBadBlood: TA453 Targets US and Israeli Medical Research Personnel\nin Credential Phishing Campaigns\nLate 2020\nWould’ve, Could’ve, Should’ve…Did: TA453 Refuses to be Bound\nby Expectations\nDec 2020\nDuring the Christmas holidays and the beginning of the new year, the\nCharming Kitten group, the Iranian state-backed hackers, have begun\na targeted phishing campaign of espionage against different\nindividuals to collect information.\nJan 2021\nOperation “SpoofedScholars”\nTA453, an Iranian-state aligned actor, masqueraded as British\nscholars to covertly target individuals of intelligence interest to the\nIranian government in what Proofpoint has dubbed Operation\nSpoofedScholars.\nLate 2021\nPowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell\nBackdoor for Espionage\nDec 2021\nIranian Spear Phishing Operation Targets Former Israeli Foreign\nMinister, Former US Ambassador to Israel, Former Israeli Army\nGeneral and Three other High-Profile Executives\nDec 2021\nLog4Shell attacks expand to nation-state groups from China, Iran,\nNorth Korea, and Turkey\nDec 2021\nNew Iranian APT data extraction tool\nJan 2022\nAPT35 exploits Log4j vulnerability to distribute new modular\nPowerShell toolkit\nJan 2022\nCOBALT MIRAGE Conducts Ransomware Operations in U.S.\nFeb 2022\nIranian-Aligned Threat Actor “TunnelVision” Actively Exploiting\nVMware Horizon\nEarly 2022\nTracing State-Aligned Activity Targeting Journalists, Media\nMay 2022\nIranian Threat Actor Continues to Develop Mass Exploitation Tools\nMay 2022\nOperation “Sponsoring Access”\nSponsor with batch-filed whiskers: Ballistic Bobcat’s scan and strike\nbackdoor\nJun 2022\nOpsec Mistakes Reveal COBALT MIRAGE Threat Actors\nMid 2022\nTA453 Uses Multi-Persona Impersonation to 
Capitalize on FOMO\n2023\nNation-state threat actor Mint Sandstorm refines tradecraft to attack\nhigh-value targets\n2023\nCharmingCypress: Innovating Persistence\nMar 2023\nIranian Hackers Target Women Involved in Human Rights and\nMiddle East Politics\nMar 2023 Educated Manticore – Iran Aligned Threat Actor Targeting Israel via\nImproved Arsenal of Tools\nMay 2023\nMicrosoft: Iranian hacking groups join Papercut attack spree\nMay 2023\nCharming Kitten Updates POWERSTAR with an InterPlanetary Twist\nAug 2023\nIranian cyber spies are targeting dissidents in Germany, warns\nintelligence service\nNov 2023\nNew TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and research orgs\nJul 2024\nBest Laid Plans: TA453 Targets Religious Figure with Fake Podcast\nInvite Delivering New BlackSmith Malware Toolset\nFeb 2025\nIranian Cyber Actors Impersonate Model Agency in Suspected\nEspionage Operation\nJun 2025\nEducated Manticore Reemerges: Iranian Spear-Phishing Campaign\nTargeting High-Profile Figures\nCounter operations\nFeb 2019\nFormer U.S. 
Counterintelligence Agent Charged With Espionage on\nBehalf of Iran; Four Iranians Charged With a Cyber Campaign\nTargeting Her Former Colleagues\nMar 2019\nMicrosoft slaps down 99 APT35/Charming Kitten domains\nOct 2021\nCountering threats from Iran\nEarly 2022\nWe took action against a group of hackers from Iran, known in the\nsecurity industry as UNC788.\nSep 2022\nTreasury Sanctions IRGC-Affiliated Cyber Actors for Roles in\nRansomware Activity\nAug 2024\nTaking Action Against Malicious Accounts in Iran\nInformation\nMITRE ATT\u0026CK\nLast change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=bb9b25ed-9ddc-4f65-bd01-ab8d6efc34ac",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=bb9b25ed-9ddc-4f65-bd01-ab8d6efc34ac"
	],
	"report_names": [
		"showcard.cgi?u=bb9b25ed-9ddc-4f65-bd01-ab8d6efc34ac"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "82f54603-89e0-4f5a-8df9-eae0c3a90d70",
			"created_at": "2022-10-25T16:07:23.745406Z",
			"updated_at": "2026-04-10T02:00:04.734764Z",
			"deleted_at": null,
			"main_name": "ITG18",
			"aliases": [],
			"source_name": "ETDA:ITG18",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6b4a82e8-21f1-4bc7-84cf-e27334998b48",
			"created_at": "2022-10-25T16:07:23.84296Z",
			"updated_at": "2026-04-10T02:00:04.762229Z",
			"deleted_at": null,
			"main_name": "DEV-0270",
			"aliases": [
				"DEV-0270",
				"DireFate",
				"Lord Nemesis",
				"Nemesis Kitten",
				"Yellow Dev 23",
				"Yellow Dev 24"
			],
			"source_name": "ETDA:DEV-0270",
			"tools": [
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"WmiExec"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f778366-a4a7-42f1-ab1e-362aa065ee4f",
			"created_at": "2022-10-25T16:07:23.362157Z",
			"updated_at": "2026-04-10T02:00:04.562925Z",
			"deleted_at": null,
			"main_name": "APT 42",
			"aliases": [
				"GreenBravo"
			],
			"source_name": "ETDA:APT 42",
			"tools": [
				"BROKEYOLK",
				"CHAIRSMACK",
				"CORRUPT KITTEN",
				"DOSTEALER",
				"GORBLE",
				"Ghambar",
				"MAGICDROP",
				"PINEFLOWER",
				"POWERPOST",
				"SILENTUPLOADER",
				"TABBYCAT",
				"TAMECAT",
				"VBREVSHELL",
				"VINETHORN"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ad78338e-8bb6-4745-acae-27d3cc3cf76d",
			"created_at": "2023-11-17T02:00:07.580677Z",
			"updated_at": "2026-04-10T02:00:03.452097Z",
			"deleted_at": null,
			"main_name": "Bohrium",
			"aliases": [
				"BOHRIUM",
				"IMPERIAL KITTEN",
				"Smoke Sandstorm"
			],
			"source_name": "MISPGALAXY:Bohrium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "49f1ada0-181f-4e89-a449-e6bc13c8c6b1",
			"created_at": "2022-10-25T15:50:23.561511Z",
			"updated_at": "2026-04-10T02:00:05.382592Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"Threat Group 2889",
				"TG-2889"
			],
			"source_name": "MITRE:Cleaver",
			"tools": [
				"Net Crawler",
				"PsExec",
				"TinyZBot",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d0e8337e-16a7-48f2-90cf-8fd09a7198d1",
			"created_at": "2023-03-04T02:01:54.091301Z",
			"updated_at": "2026-04-10T02:00:03.356317Z",
			"deleted_at": null,
			"main_name": "APT42",
			"aliases": [
				"UNC788",
				"CALANQUE"
			],
			"source_name": "MISPGALAXY:APT42",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ae26d287-8ba7-447e-9391-cf13c02d7481",
			"created_at": "2023-03-04T02:01:54.0962Z",
			"updated_at": "2026-04-10T02:00:03.357189Z",
			"deleted_at": null,
			"main_name": "TA453",
			"aliases": [],
			"source_name": "MISPGALAXY:TA453",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eaef3218-1f8c-4767-b1ff-da7a6662acc0",
			"created_at": "2023-03-04T02:01:54.110909Z",
			"updated_at": "2026-04-10T02:00:03.359871Z",
			"deleted_at": null,
			"main_name": "DEV-0270",
			"aliases": [
				"Nemesis Kitten",
				"Storm-0270"
			],
			"source_name": "MISPGALAXY:DEV-0270",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7",
			"created_at": "2023-01-06T13:46:39.054248Z",
			"updated_at": "2026-04-10T02:00:03.197801Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Yellow Liderc",
				"Imperial Kitten",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Smoke Sandstorm",
				"IMPERIAL KITTEN",
				"TA456",
				"DUSTYCAVE",
				"CURIUM"
			],
			"source_name": "MISPGALAXY:Tortoiseshell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "47fa514e-15a8-4adb-a782-e2ffb12944d8",
			"created_at": "2024-04-24T02:00:49.644637Z",
			"updated_at": "2026-04-10T02:00:05.423196Z",
			"deleted_at": null,
			"main_name": "UNC788",
			"aliases": [
				"UNC788"
			],
			"source_name": "MITRE:UNC788",
			"tools": [
				"HilalRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "786139da-4139-49d0-9685-e249c5f89f25",
			"created_at": "2024-12-30T02:01:48.731055Z",
			"updated_at": "2026-04-10T02:00:04.763086Z",
			"deleted_at": null,
			"main_name": "TA455",
			"aliases": [
				"Bohrium",
				"DEV-0056",
				"Operation Iranian Dream Job",
				"Smoke Sandstorm",
				"TA455",
				"UNC1549",
				"Yellow Dev 13"
			],
			"source_name": "ETDA:TA455",
			"tools": [
				"LIGHTRAIL",
				"MINIBIKE",
				"SlugResin",
				"SnailResin"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "65ab58e8-770d-4405-bd4c-55903100585b",
			"created_at": "2024-11-16T02:00:03.814784Z",
			"updated_at": "2026-04-10T02:00:03.77413Z",
			"deleted_at": null,
			"main_name": "TA455",
			"aliases": [],
			"source_name": "MISPGALAXY:TA455",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9663cdbf-646e-4579-881a-a8ebc3aabf63",
			"created_at": "2023-01-06T13:46:38.360862Z",
			"updated_at": "2026-04-10T02:00:02.942852Z",
			"deleted_at": null,
			"main_name": "Cutting Kitten",
			"aliases": [
				"ITsecTeam"
			],
			"source_name": "MISPGALAXY:Cutting Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b0261705-df2e-4156-9839-16314250f88a",
			"created_at": "2023-01-06T13:46:38.373617Z",
			"updated_at": "2026-04-10T02:00:02.947842Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Operation Woolen-Goldfish",
				"Thamar Reservoir",
				"Timberworm",
				"TEMP.Beanie",
				"Operation Woolen Goldfish"
			],
			"source_name": "MISPGALAXY:Rocket Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0dc20eeb-81e3-48ef-9a12-7b38fdcf07b1",
			"created_at": "2025-09-20T02:04:46.693616Z",
			"updated_at": "2026-04-10T02:00:03.735806Z",
			"deleted_at": null,
			"main_name": "COBALT SMOKEY",
			"aliases": [
				"Nimbus Manticore ",
				"Smoke Sandstorm ",
				"Subtle Snail ",
				"TA455 ",
				"UNC1549 "
			],
			"source_name": "Secureworks:COBALT SMOKEY",
			"tools": [
				"LIGHTRAIL",
				"MINIBIKE",
				"MINIBUS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e034b94b-9655-42c4-a72e-a58807dce299",
			"created_at": "2022-10-25T16:07:24.133537Z",
			"updated_at": "2026-04-10T02:00:04.876832Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Group 83",
				"NewsBeef",
				"Newscaster",
				"Operation Newscaster",
				"Operation Woolen-GoldFish",
				"Parastoo",
				"Rocket Kitten"
			],
			"source_name": "ETDA:Rocket Kitten",
			"tools": [
				"CoreImpact (Modified)",
				"FireMalv",
				"Ghole",
				"Gholee"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1efe328c-7bda-49d8-82bf-852d220110ae",
			"created_at": "2026-01-22T02:00:03.661882Z",
			"updated_at": "2026-04-10T02:00:03.917703Z",
			"deleted_at": null,
			"main_name": "Educated Manticore",
			"aliases": [],
			"source_name": "MISPGALAXY:Educated Manticore",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "217c588a-5896-4335-b9ec-a516ae2f9a7e",
			"created_at": "2022-10-25T16:07:23.513775Z",
			"updated_at": "2026-04-10T02:00:04.635263Z",
			"deleted_at": null,
			"main_name": "Cutting Kitten",
			"aliases": [
				"Cutting Kitten",
				"G0003",
				"Operation Cleaver",
				"TG-2889"
			],
			"source_name": "ETDA:Cutting Kitten",
			"tools": [
				"CsExt",
				"DistTrack",
				"IvizTech",
				"Jasus",
				"KAgent",
				"Logger Module",
				"MANGOPUNCH",
				"MPK",
				"MPKBot",
				"Net Crawler",
				"NetC",
				"PVZ-In",
				"PVZ-Out",
				"Pupy",
				"PupyRAT",
				"PvzOut",
				"Shamoon",
				"SynFlooder",
				"SysKit",
				"TinyZBot",
				"WndTest",
				"pupy",
				"zhCat",
				"zhMimikatz"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8faa11f5-2a14-479c-9ea8-3779e6de9749",
			"created_at": "2022-10-25T15:50:23.814205Z",
			"updated_at": "2026-04-10T02:00:05.308465Z",
			"deleted_at": null,
			"main_name": "Ajax Security Team",
			"aliases": [
				"Ajax Security Team",
				"Operation Woolen-Goldfish",
				"AjaxTM",
				"Rocket Kitten",
				"Flying Kitten",
				"Operation Saffron Rose"
			],
			"source_name": "MITRE:Ajax Security Team",
			"tools": [
				"sqlmap",
				"Havij"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434113,
	"ts_updated_at": 1775826727,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c000b4a2a24600da3c961113e0bed49591ac405b.pdf",
		"text": "https://archive.orkl.eu/c000b4a2a24600da3c961113e0bed49591ac405b.txt",
		"img": "https://archive.orkl.eu/c000b4a2a24600da3c961113e0bed49591ac405b.jpg"
	}
}