{
	"id": "449a7943-b544-4ef9-ae55-97764486b5fc",
	"created_at": "2026-04-06T00:08:32.070359Z",
	"updated_at": "2026-04-10T03:37:49.84026Z",
	"deleted_at": null,
	"sha1_hash": "c070c2a38373f0f5fcb121bbc87f1a02c338d144",
	"title": "Staying ahead of threat actors in the age of AI | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 78107,
	"plain_text": "Staying ahead of threat actors in the age of AI | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2024-02-14 · Archived: 2026-04-05 14:33:09 UTC\r\nMarch 2026 update: Microsoft Threat Intelligence published new research about AI as tradecraft: How threat\r\nactors operationalize AI.\r\nOver the last year, the speed, scale, and sophistication of attacks have increased alongside the rapid development\r\nand adoption of AI. Defenders are only beginning to recognize and apply the power of generative AI to shift the\r\ncybersecurity balance in their favor and keep ahead of adversaries. At the same time, it is also important for us to\r\nunderstand how AI can be potentially misused in the hands of threat actors. In collaboration with OpenAI, today\r\nwe are publishing research on emerging threats in the age of AI, focusing on identified activity associated with\r\nknown threat actors, including prompt injections, attempted misuse of large language models (LLMs), and fraud.\r\nOur analysis of the current use of LLM technology by threat actors revealed behaviors consistent with attackers\r\nusing AI as another productivity tool on the offensive landscape. You can read OpenAI’s blog on the research\r\nhere. Microsoft and OpenAI have not yet observed particularly novel or unique AI-enabled attack or abuse\r\ntechniques resulting from threat actors’ usage of AI. However, Microsoft and our partners continue to study this\r\nlandscape closely.\r\nThe objective of Microsoft’s partnership with OpenAI, including the release of this research, is to ensure the safe\r\nand responsible use of AI technologies like ChatGPT, upholding the highest standards of ethical application to\r\nprotect the community from potential misuse. 
As part of this commitment, we have taken measures to disrupt\r\nassets and accounts associated with threat actors, improve the protection of OpenAI LLM technology and users\r\nfrom attack or abuse, and shape the guardrails and safety mechanisms around our models. In addition, we are\r\ndeeply committed to using generative AI to disrupt threat actors and leverage the power of new tools, including\r\nMicrosoft Copilot for Security, to elevate defenders everywhere.\r\nA principled approach to detecting and blocking threat actors\r\nThe progress of technology creates a demand for strong cybersecurity and safety measures. For example, the\r\nWhite House’s Executive Order on AI requires rigorous safety testing and government supervision for AI systems\r\nthat have major impacts on national and economic security or public health and safety. Our actions enhancing the\r\nsafeguards of our AI models and partnering with our ecosystem on the safe creation, implementation, and use of\r\nthese models align with the Executive Order’s request for comprehensive AI safety and security standards.\r\nIn line with Microsoft’s leadership across AI and cybersecurity, today we are announcing principles shaping\r\nMicrosoft’s policy and actions mitigating the risks associated with the use of our AI tools and APIs by nation-state\r\nhttps://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/\r\nPage 1 of 8\n\nadvanced persistent threats (APTs), advanced persistent manipulators (APMs), and cybercriminal syndicates we\r\ntrack.\r\nThese principles include:\r\nIdentification and action against malicious threat actors’ use: Upon detection of the use of any\r\nMicrosoft AI application programming interfaces (APIs), services, or systems by an identified malicious\r\nthreat actor, including nation-state APT or APM, or the cybercrime syndicates we track, Microsoft will take\r\nappropriate action to disrupt their activities, such as disabling 
the accounts used, terminating services, or\r\nlimiting access to resources.\r\nNotification to other AI service providers: When we detect a threat actor’s use of another service\r\nprovider’s AI, AI APIs, services, and/or systems, Microsoft will promptly notify the service provider and\r\nshare relevant data. This enables the service provider to independently verify our findings and take action\r\nin accordance with their own policies.\r\nCollaboration with other stakeholders: Microsoft will collaborate with other stakeholders to regularly\r\nexchange information about detected threat actors’ use of AI. This collaboration aims to promote collective,\r\nconsistent, and effective responses to ecosystem-wide risks.\r\nTransparency: As part of our ongoing efforts to advance responsible use of AI, Microsoft will inform the\r\npublic and stakeholders about actions taken under these threat actor principles, including the nature and\r\nextent of threat actors’ use of AI detected within our systems and the measures taken against them, as\r\nappropriate.\r\nMicrosoft remains committed to responsible AI innovation, prioritizing the safety and integrity of our technologies\r\nwith respect for human rights and ethical standards. These principles announced today build on Microsoft’s\r\nResponsible AI practices, our voluntary commitments to advance responsible AI innovation and the Azure\r\nOpenAI Code of Conduct. We are following these principles as part of our broader commitments to strengthening\r\ninternational law and norms and to advance the goals of the Bletchley Declaration endorsed by 29 countries.\r\nMicrosoft and OpenAI’s complementary defenses protect AI platforms\r\nBecause Microsoft and OpenAI’s partnership extends to security, the companies can take action when known and\r\nemerging threat actors surface. Microsoft Threat Intelligence tracks more than 300 unique threat actors, including\r\n160 nation-state actors, 50 ransomware groups, and many others. 
These adversaries employ various digital\r\nidentities and attack infrastructures. Microsoft’s experts and automated systems continually analyze and correlate\r\nthese attributes, uncovering attackers’ efforts to evade detection or expand their capabilities by leveraging new\r\ntechnologies. Consistent with preventing threat actors’ actions across our technologies and working closely with\r\npartners, Microsoft continues to study threat actors’ use of AI and LLMs, partner with OpenAI to monitor attack\r\nactivity, and apply what we learn to continually improve defenses. This blog provides an overview of observed\r\nactivities collected from known threat actor infrastructure as identified by Microsoft Threat Intelligence, then\r\nshared with OpenAI to identify potential malicious use or abuse of their platform and protect our mutual\r\ncustomers from future threats or harm.\r\nRecognizing the rapid growth of AI and emergent use of LLMs in cyber operations, we continue to work with\r\nMITRE to integrate these LLM-themed tactics, techniques, and procedures (TTPs) into the MITRE ATT\u0026CK®\r\nframework or MITRE ATLAS™ (Adversarial Threat Landscape for Artificial-Intelligence Systems)\r\nknowledgebase. This strategic expansion reflects a commitment to not only track and neutralize threats, but also to\r\npioneer the development of countermeasures in the evolving landscape of AI-powered cyber operations. A full list\r\nof the LLM-themed TTPs, which include those we identified during our investigations, is summarized in the\r\nappendix.\r\nSummary of Microsoft and OpenAI’s findings and threat intelligence\r\nThe threat ecosystem over the last several years has revealed a consistent theme of threat actors following trends\r\nin technology in parallel with their defender counterparts. 
Threat actors, like defenders, are looking at AI,\r\nincluding LLMs, to enhance their productivity and take advantage of accessible platforms that could advance their\r\nobjectives and attack techniques. Cybercrime groups, nation-state threat actors, and other adversaries are\r\nexploring and testing different AI technologies as they emerge, in an attempt to understand potential value to their\r\noperations and the security controls they may need to circumvent. On the defender side, hardening these same\r\nsecurity controls from attacks and implementing equally sophisticated monitoring that anticipates and blocks\r\nmalicious activity is vital.\r\nWhile different threat actors’ motives and complexity vary, they have common tasks to perform in the course of\r\ntargeting and attacks. These include reconnaissance, such as learning about potential victims’ industries, locations,\r\nand relationships; help with coding, including improving things like software scripts and malware development;\r\nand assistance with learning and using native languages. Language support is a natural feature of LLMs and is\r\nattractive for threat actors with continuous focus on social engineering and other techniques relying on false,\r\ndeceptive communications tailored to their targets’ jobs, professional networks, and other relationships.\r\nImportantly, our research with OpenAI has not identified significant attacks employing the LLMs we monitor\r\nclosely. At the same time, we feel this is important research to publish to expose early-stage, incremental moves\r\nthat we observe well-known threat actors attempting, and share information on how we are blocking and\r\ncountering them with the defender community.\r\nWhile attackers will remain interested in AI and probe technologies’ current capabilities and security controls, it’s\r\nimportant to keep these risks in context. 
As always, hygiene practices such as multifactor authentication (MFA)\r\nand Zero Trust defenses are essential because attackers may use AI-based tools to improve their existing\r\ncyberattacks that rely on social engineering and finding unsecured devices and accounts.\r\nThe threat actors profiled below are a sample of observed activity we believe best represents the TTPs the industry\r\nwill need to better track using MITRE ATT\u0026CK® framework or MITRE ATLAS™ knowledgebase updates.\r\nForest Blizzard\r\nForest Blizzard (STRONTIUM) is a Russian military intelligence actor linked to GRU Unit 26165, which has\r\ntargeted victims of both tactical and strategic interest to the Russian government. Their activities span across a\r\nvariety of sectors including defense, transportation/logistics, government, energy, non-governmental organizations\r\n(NGO), and information technology. Forest Blizzard has been extremely active in targeting organizations in and\r\nrelated to Russia’s war in Ukraine throughout the duration of the conflict, and Microsoft assesses that Forest\r\nBlizzard operations play a significant supporting role to Russia’s foreign policy and military objectives both in\r\nUkraine and in the broader international community. Forest Blizzard overlaps with the threat actor tracked by\r\nother researchers as APT28 and Fancy Bear.\r\nForest Blizzard’s use of LLMs has involved research into various satellite and radar technologies that may pertain\r\nto conventional military operations in Ukraine, as well as generic research aimed at supporting their cyber\r\noperations. Based on these observations, we map and classify these TTPs using the following descriptions:\r\nLLM-informed reconnaissance: Interacting with LLMs to understand satellite communication protocols,\r\nradar imaging technologies, and specific technical parameters. 
These queries suggest an attempt to acquire\r\nin-depth knowledge of satellite capabilities.\r\nLLM-enhanced scripting techniques: Seeking assistance in basic scripting tasks, including file\r\nmanipulation, data selection, regular expressions, and multiprocessing, to potentially automate or optimize\r\ntechnical operations.\r\nMicrosoft observed engagement from Forest Blizzard that was representative of an adversary exploring the use\r\ncases of a new technology. All accounts and assets associated with Forest Blizzard have been disabled.\r\nEmerald Sleet\r\nEmerald Sleet (THALLIUM) is a North Korean threat actor that has remained highly active throughout 2023.\r\nTheir recent operations relied on spear-phishing emails to compromise and gather intelligence from prominent\r\nindividuals with expertise on North Korea. Microsoft observed Emerald Sleet impersonating reputable academic\r\ninstitutions and NGOs to lure victims into replying with expert insights and commentary about foreign policies\r\nrelated to North Korea. Emerald Sleet overlaps with threat actors tracked by other researchers as Kimsuky and\r\nVelvet Chollima.\r\nEmerald Sleet’s use of LLMs has been in support of this activity and involved research into think tanks and\r\nexperts on North Korea, as well as the generation of content likely to be used in spear-phishing campaigns.\r\nEmerald Sleet also interacted with LLMs to understand publicly known vulnerabilities, to troubleshoot technical\r\nissues, and for assistance with using various web technologies. 
Based on these observations, we map and classify\r\nthese TTPs using the following descriptions:\r\nLLM-assisted vulnerability research: Interacting with LLMs to better understand publicly reported\r\nvulnerabilities, such as the CVE-2022-30190 Microsoft Support Diagnostic Tool (MSDT) vulnerability\r\n(known as “Follina”).\r\nLLM-enhanced scripting techniques: Using LLMs for basic scripting tasks such as programmatically\r\nidentifying certain user events on a system and seeking assistance with troubleshooting and understanding\r\nvarious web technologies.\r\nLLM-supported social engineering: Using LLMs for assistance with the drafting and generation of\r\ncontent that would likely be for use in spear-phishing campaigns against individuals with regional\r\nexpertise.\r\nLLM-informed reconnaissance: Interacting with LLMs to identify think tanks, government\r\norganizations, or experts on North Korea that have a focus on defense issues or North Korea’s nuclear\r\nweapons program.\r\nAll accounts and assets associated with Emerald Sleet have been disabled.\r\nCrimson Sandstorm\r\nCrimson Sandstorm (CURIUM) is an Iranian threat actor assessed to be connected to the Islamic Revolutionary\r\nGuard Corps (IRGC). Active since at least 2017, Crimson Sandstorm has targeted multiple sectors, including\r\ndefense, maritime shipping, transportation, healthcare, and technology. These operations have frequently relied on\r\nwatering hole attacks and social engineering to deliver custom .NET malware. Prior research also identified\r\ncustom Crimson Sandstorm malware using email-based command-and-control (C2) channels. 
Crimson Sandstorm\r\noverlaps with the threat actor tracked by other researchers as Tortoiseshell, Imperial Kitten, and Yellow Liderc.\r\nThe use of LLMs by Crimson Sandstorm has reflected the broader behaviors that the security community has\r\nobserved from this threat actor. Interactions have involved requests for support around social engineering,\r\nassistance in troubleshooting errors, .NET development, and ways in which an attacker might evade detection\r\nwhen on a compromised machine. Based on these observations, we map and classify these TTPs using the\r\nfollowing descriptions:\r\nLLM-supported social engineering: Interacting with LLMs to generate various phishing emails,\r\nincluding one pretending to come from an international development agency and another attempting to lure\r\nprominent feminists to an attacker-built website on feminism.\r\nLLM-enhanced scripting techniques: Using LLMs to generate code snippets that appear intended to\r\nsupport app and web development, interactions with remote servers, web scraping, executing tasks when\r\nusers sign in, and sending information from a system via email.\r\nLLM-enhanced anomaly detection evasion: Attempting to use LLMs for assistance in developing code\r\nto evade detection, to learn how to disable antivirus via registry or Windows policies, and to delete files in\r\na directory after an application has been closed.\r\nAll accounts and assets associated with Crimson Sandstorm have been disabled.\r\nCharcoal Typhoon\r\nCharcoal Typhoon (CHROMIUM) is a Chinese state-affiliated threat actor with a broad operational scope. They\r\nare known for targeting sectors that include government, higher education, communications infrastructure, oil \u0026\r\ngas, and information technology. 
Their activities have predominantly focused on entities within Taiwan, Thailand,\r\nMongolia, Malaysia, France, and Nepal, with observed interests extending to institutions and individuals globally\r\nwho oppose China’s policies. Charcoal Typhoon overlaps with the threat actor tracked by other researchers as\r\nAquatic Panda, ControlX, RedHotel, and BRONZE UNIVERSITY.\r\nIn recent operations, Charcoal Typhoon has been observed interacting with LLMs in ways that suggest a limited\r\nexploration of how LLMs can augment their technical operations. This has consisted of using LLMs to support\r\ntooling development, scripting, understanding various commodity cybersecurity tools, and for generating content\r\nthat could be used to social engineer targets. Based on these observations, we map and classify these TTPs using\r\nthe following descriptions:\r\nLLM-informed reconnaissance: Engaging LLMs to research and understand specific technologies,\r\nplatforms, and vulnerabilities, indicative of preliminary information-gathering stages.\r\nLLM-enhanced scripting techniques: Utilizing LLMs to generate and refine scripts, potentially to\r\nstreamline and automate complex cyber tasks and operations.\r\nLLM-supported social engineering: Leveraging LLMs for assistance with translations and\r\ncommunication, likely to establish connections or manipulate targets.\r\nLLM-refined operational command techniques: Utilizing LLMs for advanced commands, deeper\r\nsystem access, and control representative of post-compromise behavior.\r\nAll associated accounts and assets of Charcoal Typhoon have been disabled, reaffirming our commitment to\r\nsafeguarding against the misuse of AI technologies.\r\nSalmon Typhoon\r\nSalmon Typhoon (SODIUM) is a sophisticated Chinese state-affiliated threat actor with a history of targeting US\r\ndefense contractors, government 
agencies, and entities within the cryptographic technology sector. This threat\r\nactor has demonstrated its capabilities through the deployment of malware, such as Win32/Wkysol, to maintain\r\nremote access to compromised systems. With over a decade of operations marked by intermittent periods of\r\ndormancy and resurgence, Salmon Typhoon has recently shown renewed activity. Salmon Typhoon overlaps with\r\nthe threat actor tracked by other researchers as APT4 and Maverick Panda.\r\nNotably, Salmon Typhoon’s interactions with LLMs throughout 2023 appear exploratory and suggest that this\r\nthreat actor is evaluating the effectiveness of LLMs in sourcing information on potentially sensitive topics, high\r\nprofile individuals, regional geopolitics, US influence, and internal affairs. This tentative engagement with LLMs\r\ncould reflect both a broadening of their intelligence-gathering toolkit and an experimental phase in assessing the\r\ncapabilities of emerging technologies.\r\nBased on these observations, we map and classify these TTPs using the following descriptions:\r\nLLM-informed reconnaissance: Engaging LLMs for queries on a diverse array of subjects, such as global\r\nintelligence agencies, domestic concerns, notable individuals, cybersecurity matters, topics of strategic\r\ninterest, and various threat actors. These interactions mirror the use of a search engine for public domain\r\nresearch.\r\nLLM-enhanced scripting techniques: Using LLMs to identify and resolve coding errors. 
Requests for\r\nsupport in developing code with potential malicious intent were observed by Microsoft, and it was noted\r\nthat the model adhered to established ethical guidelines, declining to provide such assistance.\r\nLLM-refined operational command techniques: Demonstrating an interest in specific file types and\r\nconcealment tactics within operating systems, indicative of an effort to refine operational command\r\nexecution.\r\nLLM-aided technical translation and explanation: Leveraging LLMs for the translation of computing\r\nterms and technical papers.\r\nSalmon Typhoon’s engagement with LLMs aligns with patterns observed by Microsoft, reflecting traditional\r\nbehaviors in a new technological arena. In response, all accounts and assets associated with Salmon Typhoon have\r\nbeen disabled.\r\nIn closing, AI technologies will continue to evolve and be studied by various threat actors. 
Microsoft will continue\r\nto track threat actors and malicious activity misusing LLMs, and work with OpenAI and other partners to share\r\nintelligence, improve protections for customers and aid the broader security community.\r\nAppendix: LLM-themed TTPs\r\nUsing insights from our analysis above, as well as other potential misuse of AI, we’re sharing the below list of\r\nLLM-themed TTPs that we map and classify to the MITRE ATT\u0026CK® framework or MITRE ATLAS™\r\nknowledgebase to equip the community with a common taxonomy to collectively track malicious use of LLMs\r\nand create countermeasures against:\r\nLLM-informed reconnaissance: Employing LLMs to gather actionable intelligence on technologies and\r\npotential vulnerabilities.\r\nLLM-enhanced scripting techniques: Utilizing LLMs to generate or refine scripts that could be used in\r\ncyberattacks, or for basic scripting tasks such as programmatically identifying certain user events on a\r\nsystem and assistance with troubleshooting and understanding various web technologies.\r\nLLM-aided development: Utilizing LLMs in the development lifecycle of tools and programs, including\r\nthose with malicious intent, such as malware.\r\nLLM-supported social engineering: Leveraging LLMs for assistance with translations and\r\ncommunication, likely to establish connections or manipulate targets.\r\nLLM-assisted vulnerability research: Using LLMs to understand and identify potential vulnerabilities in\r\nsoftware and systems, which could be targeted for exploitation.\r\nLLM-optimized payload crafting: Using LLMs to assist in creating and refining payloads for deployment\r\nin cyberattacks.\r\nLLM-enhanced anomaly detection evasion: Leveraging LLMs to develop methods that help malicious\r\nactivities blend in with normal behavior or traffic to evade detection systems.\r\nLLM-directed security feature bypass: Using LLMs to find ways to circumvent security features, such as\r\ntwo-factor authentication, CAPTCHA, or other 
access controls.\r\nLLM-advised resource development: Using LLMs in tool development, tool modifications, and strategic\r\noperational planning.\r\nLearn more\r\nRead the sixth edition of Cyber Signals, spotlighting how we are protecting AI platforms from emerging threats\r\nrelated to nation-state cyberthreat actors: Navigating cyberthreats and strengthening defenses in the era of AI.\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat\r\nIntelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us on LinkedIn at\r\nhttps://www.linkedin.com/showcase/microsoft-threat-intelligence, and on X (formerly Twitter)\r\nat https://twitter.com/MsftSecIntel.\r\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat\r\nlandscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.\r\nSource: https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/"
	],
	"report_names": [
		"staying-ahead-of-threat-actors-in-the-age-of-ai"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ad78338e-8bb6-4745-acae-27d3cc3cf76d",
			"created_at": "2023-11-17T02:00:07.580677Z",
			"updated_at": "2026-04-10T02:00:03.452097Z",
			"deleted_at": null,
			"main_name": "Bohrium",
			"aliases": [
				"BOHRIUM",
				"IMPERIAL KITTEN",
				"Smoke Sandstorm"
			],
			"source_name": "MISPGALAXY:Bohrium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "19935e32-f1a5-462d-8934-8b1c3bf3b5f2",
			"created_at": "2022-10-25T16:07:23.36465Z",
			"updated_at": "2026-04-10T02:00:04.565476Z",
			"deleted_at": null,
			"main_name": "Aquatic Panda",
			"aliases": [
				"G0143"
			],
			"source_name": "ETDA:Aquatic Panda",
			"tools": [
				"Agentemis",
				"Bladabindi",
				"Cobalt Strike",
				"CobaltStrike",
				"Fishmaster",
				"JollyJellyfish",
				"Jorik",
				"cobeacon",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "84a3dd71-1d65-4997-80fc-7fbe55b267f2",
			"created_at": "2023-04-26T02:03:02.969306Z",
			"updated_at": "2026-04-10T02:00:05.341127Z",
			"deleted_at": null,
			"main_name": "CURIUM",
			"aliases": [
				"CURIUM",
				"Crimson Sandstorm",
				"TA456",
				"Tortoise Shell",
				"Yellow Liderc"
			],
			"source_name": "MITRE:CURIUM",
			"tools": [
				"IMAPLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7",
			"created_at": "2023-01-06T13:46:39.054248Z",
			"updated_at": "2026-04-10T02:00:03.197801Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Yellow Liderc",
				"Imperial Kitten",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Smoke Sandstorm",
				"IMPERIAL KITTEN",
				"TA456",
				"DUSTYCAVE",
				"CURIUM"
			],
			"source_name": "MISPGALAXY:Tortoiseshell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6a0effeb-3ee2-4a67-9a9f-ef5c330b1c3a",
			"created_at": "2023-09-07T02:02:47.827633Z",
			"updated_at": "2026-04-10T02:00:04.873323Z",
			"deleted_at": null,
			"main_name": "RedHotel",
			"aliases": [
				"Operation FishMedley",
				"RedHotel",
				"TAG-22"
			],
			"source_name": "ETDA:RedHotel",
			"tools": [
				"Agentemis",
				"BIOPASS",
				"BIOPASS RAT",
				"BleDoor",
				"Brute Ratel",
				"Brute Ratel C4",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"POISONPLUG.SHADOW",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"ShadowPad Winnti",
				"SprySOCKS",
				"Spyder",
				"Winnti",
				"XShellGhost",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "68cc6e37-f16d-4995-a75b-5e8e2a6cbb3d",
			"created_at": "2024-05-01T02:03:07.943593Z",
			"updated_at": "2026-04-10T02:00:03.795229Z",
			"deleted_at": null,
			"main_name": "BRONZE EDISON",
			"aliases": [
				"APT4 ",
				"DarkSeoul",
				"Maverick Panda ",
				"Salmon Typhoon ",
				"Sodium ",
				"Sykipot ",
				"TG-0623 ",
				"getkys"
			],
			"source_name": "Secureworks:BRONZE EDISON",
			"tools": [
				"Gh0st RAT",
				"Wkysol",
				"ZxPortMap"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4ac28d1-66eb-4f2d-9f9b-a72394349fd0",
			"created_at": "2023-01-06T13:46:38.667954Z",
			"updated_at": "2026-04-10T02:00:03.061447Z",
			"deleted_at": null,
			"main_name": "APT4",
			"aliases": [
				"PLA Navy",
				"MAVERICK PANDA",
				"BRONZE EDISON",
				"SODIUM",
				"Salmon Typhoon"
			],
			"source_name": "MISPGALAXY:APT4",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6fbff48b-7a3e-4e54-ac22-b10f11e32337",
			"created_at": "2022-10-25T16:07:23.318008Z",
			"updated_at": "2026-04-10T02:00:04.539063Z",
			"deleted_at": null,
			"main_name": "APT 4",
			"aliases": [
				"APT 4",
				"Bronze Edison",
				"Maverick Panda",
				"Salmon Typhoo",
				"Sodium",
				"Sykipot",
				"TG-0623",
				"Wisp Team"
			],
			"source_name": "ETDA:APT 4",
			"tools": [
				"Getkys",
				"Sykipot",
				"Wkysol",
				"XMRig"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b5b24083-7ba6-44cc-9d11-a6274e2eee00",
			"created_at": "2022-10-25T16:07:24.337332Z",
			"updated_at": "2026-04-10T02:00:04.94285Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Cobalt Fireside",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Curium",
				"Devious Serpens",
				"Houseblend",
				"Imperial Kitten",
				"Marcella Flores",
				"Operation Fata Morgana",
				"TA456",
				"Yellow Liderc"
			],
			"source_name": "ETDA:Tortoiseshell",
			"tools": [
				"IMAPLoader",
				"Infostealer",
				"IvizTech",
				"LEMPO",
				"MANGOPUNCH",
				"SysKit",
				"get-logon-history.ps1",
				"liderc",
				"stereoversioncontrol"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "591ffe81-e46b-4e3d-90c1-9bf42abeeb47",
			"created_at": "2025-08-07T02:03:24.726943Z",
			"updated_at": "2026-04-10T02:00:03.805423Z",
			"deleted_at": null,
			"main_name": "COBALT FIRESIDE",
			"aliases": [
				"CURIUM ",
				"Crimson Sandstorm ",
				"Cuboid Sandstorm ",
				"DEV-0228 ",
				"HIVE0095 ",
				"Imperial Kitten ",
				"TA456 ",
				"Tortoiseshell ",
				"UNC3890 ",
				"Yellow Liderc "
			],
			"source_name": "Secureworks:COBALT FIRESIDE",
			"tools": [
				"FireBAK",
				"LEMPO",
				"LiderBird"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ba3eea09-ce30-4cfa-ae3a-b5992c4b81f8",
			"created_at": "2022-10-25T15:50:23.441443Z",
			"updated_at": "2026-04-10T02:00:05.263145Z",
			"deleted_at": null,
			"main_name": "Aquatic Panda",
			"aliases": [
				"Aquatic Panda"
			],
			"source_name": "MITRE:Aquatic Panda",
			"tools": [
				"Wevtutil",
				"Winnti for Windows",
				"njRAT",
				"Cobalt Strike",
				"ShadowPad",
				"Winnti for Linux"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434112,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c070c2a38373f0f5fcb121bbc87f1a02c338d144.pdf",
		"text": "https://archive.orkl.eu/c070c2a38373f0f5fcb121bbc87f1a02c338d144.txt",
		"img": "https://archive.orkl.eu/c070c2a38373f0f5fcb121bbc87f1a02c338d144.jpg"
	}
}