{
	"id": "1cb536d4-aa4f-4bd2-b5a5-e6e8de6c11db",
	"created_at": "2026-04-06T00:14:24.686863Z",
	"updated_at": "2026-04-10T13:12:41.223724Z",
	"deleted_at": null,
	"sha1_hash": "c07e03f37c1154b3e212dd78902b0c27c075f9c4",
	"title": "Inside Trickbot, Russia’s Notorious Ransomware Gang",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 142582,
	"plain_text": "Inside Trickbot, Russia’s Notorious Ransomware Gang\r\nBy Matt Burgess\r\nPublished: 2022-02-01 · Archived: 2026-04-05 12:45:40 UTC\r\nWhen the phones and computer networks went down at Ridgeview Medical Center’s three hospitals on October\r\n24, 2020, the medical group resorted to a Facebook post to warn its patients about the disruption. One local\r\nvolunteer-run fire department said ambulances were being diverted to other hospitals; officials reported patients\r\nand staff were safe. The downtime at the Minnesota medical facilities was no technical glitch; reports quickly\r\nlinked the activity to one of Russia’s most notorious ransomware gangs.\r\nThousands of miles away, just two days later members of the Trickbot cybercrime group privately gloated over\r\nwhat easy targets hospitals and health care providers make. “You see, how fast, hospitals and centers reply,”\r\nTarget, a key member of the Russia-linked malware gang, boasted in messages to one of their colleagues. The\r\nexchange is included in previously unreported documents, seen by WIRED, that consist of hundreds of messages\r\nsent between Trickbot members and detail the inner workings of the notorious hacking group. “Answers from the\r\nrest, [take] days. And from the ridge immediately the answer flew in,” Target wrote.\r\nAs Target typed, members of Trickbot were in the middle of launching a huge wave of ransomware attacks against\r\nhospitals across the United States. Their aim: to force hospitals busy responding to the surging Covid-19 pandemic\r\nto quickly pay ransoms. The series of attacks prompted urgent warnings from federal agencies, including the\r\nCybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation. “Fuck clinics in the usa\r\nthis week,” Target said as they gave the instruction to start targeting a list of 428 hospitals. 
“There’s gonna be a\r\npanic.”\r\nThe documents seen by WIRED include messages between senior members of Trickbot, dated from the summer\r\nand autumn of 2020, and expose how the group planned to expand its hacking operations. They lay bare key\r\nmembers’ aliases and show the ruthless attitude of members of the criminal gang.\r\nThe messages were sent in the months before and shortly after US Cyber Command disrupted much of Trickbot’s\r\ninfrastructure and temporarily stopped the group’s work. Since then the group has scaled up its operations and\r\nevolved its malware, and it continues to target businesses around the world. While Russia’s Federal Security\r\nService has recently arrested members of the REvil ransomware gang—following diplomatic efforts between\r\npresidents Joe Biden and Vladimir Putin—Trickbot’s inner circle has so far been left relatively unscathed.\r\nhttps://www.wired.co.uk/article/trickbot-malware-group-internal-messages\r\nPage 1 of 5\n\nThe Trickbot group evolved from the banking trojan Dyre around the end of 2015, when Dyre’s members were\r\narrested. The gang has grown its original banking trojan to become an all-purpose hacking toolkit; individual\r\nmodules, which operate like plugins, allow its operators to deploy Ryuk and Conti ransomware, while other\r\nfunctions enable keylogging and data collection. “I don't know any other malware families that have so many\r\nmodules or extended functionalities,” says Vlad Pasca, a senior malware analyst at security company Lifars who\r\nhas decompiled Trickbot’s code. 
That sophistication has helped the gang, also known as Wizard Spider, collect\r\nmillions of dollars from victims.\r\nA core team of around half a dozen criminals sits at the heart of Trickbot’s operations, according to the documents\r\nreviewed by WIRED and security experts who track the group. Each member has their own specialities, such as\r\nmanaging teams of coders or heading up ransomware deployments. At the head of the organization is Stern. (Like\r\nall the monikers used in this story, the real-world name, or names, behind the handles are unknown. They are,\r\nhowever, the identities the group uses when talking to each other.)\r\n“He is the boss of Trickbot,” says Alex Holden, who is CEO of cybersecurity firm Hold Security and has\r\nknowledge of the workings of the gang. Stern acts like a CEO of the Trickbot group and communicates with other\r\nmembers who are at a similar level. They may also report to others who are unknown, Holden says. “Stern does\r\nnot get into the technical side as much,” he says. “He wants reports. He wants more communication. He wants to\r\nmake high-level decisions.”\r\nOn August 20, 2020, the chat logs—provided by a cybersecurity source with knowledge of the group—show\r\nTarget briefing Stern on how the group would expand in the coming weeks. “There will be 6 offices for sure and\r\n50-80 people by the end of September,” Target said in one of a flurry of 19 messages. These offices are believed to\r\nbe based in Russia’s second-largest city, Saint Petersburg. Kimberly Goody, director of cybercrime analysis at\r\nsecurity firm Mandiant, says the group “most likely” has a significant presence there. 
Current estimates say\r\nTrickbot has anywhere from 100 to 400 members, making it one of the largest cybercrime groups in existence.\r\nMessages between Target and Stern show that in mid-2020 the group was spending money on three main areas.\r\nTwo offices—“one main and one new for training”—were being used for the current operators’ expenses and\r\nexpansion. “Hacker offices,” where 20-plus people worked, would be used for interviews, equipment, servers, and\r\nhiring, Target said. And finally, there would be an office for “programmers” and their equipment. “A good team\r\nleader has already been hired, and he will help gather the team,” Target continued. “I’m sure that everything will\r\npay off, so I’m not nervous.”\r\nThroughout the conversations viewed by WIRED, the group makes various references to “senior managers”\r\nworking as part of Trickbot and its businesslike structure. “There is generally a core team of developers,” Goody\r\nexplains. “There's a manager who oversees development work, and they have coders that work under them on\r\nspecific projects.” Members of the group are encouraged to propose ideas, such as new scripts or malware, that\r\ndevelopers could work on, Goody says, and generally the lower-level workers don’t talk to their senior colleagues.\r\nMost of the group’s internal conversations, according to various sources—including US court documents—happen\r\nthrough instant messages on Jabber servers.\r\nA gang member going by the moniker Professor oversees much of the ransomware deployment work, Goody says.\r\n“Professor, who we believe also goes by the name Alter, seems to be a relatively significant player in terms of\r\nmanaging these specific ransomware deployment operations,” Goody says, “as well as requesting development of\r\nspecific tools that would help enable those.” She adds that Professor has been linked to Conti ransomware\r\noperations in the last year and “appears to lead multiple sub-teams or has multiple team leaders” 
that report to\r\nthem.\r\nThat wouldn’t be the only working relationship Trickbot’s team has with outside parties. In the conversations seen\r\nby WIRED, Target says the group will “learn to collaborate” with those behind the Ryuk ransomware, indicating\r\nthat the two organizations are largely separate. And while the Trickbot group hasn’t been linked to hacking\r\noperations run by the Russian state—such as the activities of Sandworm—the core members of the gang make\r\nreference to Kremlin-backed activities. Stern mentioned setting up an office “for government topics” in July 2020.\r\nIn response, Professor said the hacking group Cozy Bear is “working their way down the list” of potential Covid-19 targets.\r\nIn one set of internal conversations, Target answers questions from a group member who is concerned about being\r\ncaught. The person is worried that colleagues could expose their locations, through leaking their IP addresses,\r\nwhen they don’t use a VPN to mask their whereabouts. Target says IP address exposure shouldn’t be a problem:\r\n“Here it is guaranteed that no one will touch you and you are probably not going to fly somewhere anyway.”\r\nPrior to the REvil arrests, the Kremlin and Russian authorities spent years allowing ransomware groups believed\r\nto be based in the country to operate with relative impunity. “There seems to be very deliberate separation and\r\nnon-attacks of any Russian interests by Trickbot, Ryuk, Emotet, and Conti because they don’t want confrontation\r\nwith the government,” Holden says. However, not all of Trickbot’s members are in Russia. 
The conversations\r\namong the group viewed by WIRED reveal at least two members appear to be based in Belarus—during the\r\nsummer of 2020 when Belarus shut down the internet Stern said that one member, a coder called Hof, would not\r\nbe online until “the internet problem in Belarus is solved.”\r\nThese exchanges likely comprise only a small element of the group’s interactions. Some details of TrickBot’s\r\ninner workings were also revealed in June and October 2021, when the US Department of Justice unsealed and\r\nunredacted charges against two alleged Trickbot members, Alla Witte and Vladimir Dunaev. The indictment,\r\nwhich also covers other unnamed members of the Trickbot group, focuses on the group’s hacking and money\r\nlaundering but also provides snippets of conversations. Goody says some private communication channels can\r\ncontain dozens of members of the group.\r\nCoders and developers recruited by Trickbot are drawn in from job postings on dark web forums but also on open\r\nweb Russian-language freelancer websites, the DOJ indictment says. While many of the job ads are hiding in plain\r\nsight, they don’t explicitly say successful applicants will be working for one of the world’s most ruthless\r\ncybercriminal groups. One job ad the indictment points to calls for someone who is an experienced reverse\r\nengineer and knows the coding language C++. The ad, which has long-since expired, says the job was focused\r\naround web browsers on Windows, involved working remotely, and had a budget of $7,000. A long-term position\r\nwould potentially be possible if the work was completed successfully, the ad says.\r\nHolden says Trickbot uses multiple layers during its hiring process in an effort to weed out those without the\r\ntechnical skills needed, and also cybersecurity companies trying to gather intelligence. Anyone applying for work\r\nhas to pass an initial screening before moving on to tough skills tests, he says. 
“The questions are very complex\r\ntechnologically,” he explains. Goody adds that penetration testers working for the group can be paid $1,500 per\r\nmonth, plus a cut of ransoms that are paid.\r\nDuring the recruitment process, Holden says, it is “acknowledged” that these aren’t everyday roles. Holden says\r\nhe has seen ads that tell potential recruits they will be working for a startup involved in bug bounties, and that\r\nmost of its funding comes from abroad. “The majority understand that this is blackhat and asking for the\r\ncommercial target,” Trickbot conversations within the DOJ indictment say, referring to criminal hacking activities.\r\n“We need to stop communicating with idiots.”\r\nThe two alleged members of Trickbot named by the DOJ—Witte and Dunaev—were arrested by law enforcement\r\noutside of Russia. Witte, a 55-year-old Latvian national who lived in Suriname, was arrested in June 2021 while\r\ntraveling to Miami and is charged with 19 counts that range from identity theft to bank fraud. She’s accused of\r\nbeing one of Trickbot’s malware developers and allegedly exposed herself after hosting Trickbot’s malware on her\r\npersonal domain name. Dunaev, 38, was extradited from the Republic of Korea to Ohio in October 2021 and is\r\nalso accused of developing Trickbot’s malware.\r\nDespite the arrests and wider ransomware crackdowns in Russia, the Trickbot group has not exactly gone into\r\nhiding. Toward the end of last year, the group boosted its operations, says Limor Kessem, an executive security\r\nadvisor at IBM Security. “They're trying to infect as many people as possible by contracting out the infection,” she\r\nsays. Since the start of 2022, the IBM security team has seen Trickbot increase its efforts to evade security\r\nprotections and conceal its activity. 
The FBI also formally linked the use of the Diavol ransomware to Trickbot at\r\nthe beginning of the year. “Trickbot doesn't seem to be targeting very specifically; I think what they have is\r\nnumerous affiliates working with them, and whoever brings the most money is welcome to stay,” Limor says.\r\nHolden too says he has seen evidence that Trickbot is ramping up its operations. “Last year they invested more\r\nthan $20 million into their infrastructure and growth of their organization,” he explains, citing internal messages\r\nhe has seen. This money, he says, is being spent on everything Trickbot does. “Staffing, technology,\r\ncommunications, development, extortion” are all getting extra investment, he says. The move points to a future\r\nwhere—after the takedown of REvil—the Trickbot group may become the primary Russia-linked cybercrime\r\ngang. “You expand in the hope of getting that money back in spades,” Holden says. “It’s not like they are planning\r\nto close the shop. It’s not like they are planning to downsize or run and hide.”\r\nSource: https://www.wired.co.uk/article/trickbot-malware-group-internal-messages",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.wired.co.uk/article/trickbot-malware-group-internal-messages"
	],
	"report_names": [
		"trickbot-malware-group-internal-messages"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434464,
	"ts_updated_at": 1775826761,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c07e03f37c1154b3e212dd78902b0c27c075f9c4.pdf",
		"text": "https://archive.orkl.eu/c07e03f37c1154b3e212dd78902b0c27c075f9c4.txt",
		"img": "https://archive.orkl.eu/c07e03f37c1154b3e212dd78902b0c27c075f9c4.jpg"
	}
}