{
	"id": "9a41e507-ca8a-4bd3-8ee5-7addde8b4c17",
	"created_at": "2026-04-06T00:13:02.316128Z",
	"updated_at": "2026-04-10T03:37:36.626364Z",
	"deleted_at": null,
	"sha1_hash": "c0837f73dab77eac49441731911ba0d8644f78c3",
	"title": "Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against Middle East",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1824551,
	"plain_text": "Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against Middle East\r\nPublished: 2024-10-11 · Archived: 2026-04-05 16:39:48 UTC\r\nAPT \u0026 Targeted Attacks\r\nTrend Micro's investigation into the recent activity of Earth Simnavaz provides new insights into the APT group’s evolving tactics and the immediate threat it poses to sectors in the Middle East.\r\nBy: Mohamed Fahmy, Bahaa Yamany, Ahmed Kamal, Nick Dai Oct 11, 2024 Read time: 9 min (2480 words)\r\nSummary\r\nTrend Micro researchers have been monitoring a cyber espionage group known as Earth Simnavaz, also referred to as APT34 and OilRig, which has been actively targeting leading entities in the Middle East.\r\nThe group uses sophisticated tactics that include deploying backdoors that leverage Microsoft Exchange servers for credential theft, and exploiting vulnerabilities such as CVE-2024-30088 for privilege escalation.\r\nEarth Simnavaz uses a combination of customized .NET tools, PowerShell scripts, and IIS-based malware to let its activity blend in with normal network traffic and evade traditional detection methods.\r\nThe group's recent activity suggests that it is focused on abusing vulnerabilities in key infrastructure in geopolitically sensitive regions. It also seeks to establish a persistent foothold in compromised entities so that they can be weaponized to launch attacks on additional targets.\r\nRecently, Trend Micro has been tracking Earth Simnavaz (also known as APT34 and OilRig), a cyber espionage group. This group primarily targets organizations in the energy sector, particularly those involved in oil and gas, as well as other infrastructure. It is known for using sophisticated tactics, techniques, and procedures (TTPs) to gain unauthorized access to networks and exfiltrate sensitive information.\r\nIn recent months, there has been a notable rise in cyberattacks attributed to this APT group specifically targeting infrastructure in the Middle East region. This escalation underscores the group's ongoing commitment to exploiting vulnerabilities within infrastructure frameworks in these geopolitically sensitive areas.\r\nOur latest research has identified Earth Simnavaz’s deployment of a sophisticated new backdoor, which bears striking similarities to malware related to this APT group, as documented in our previous research. This new backdoor facilitates the exfiltration of sensitive credentials, including accounts and passwords, through on-premises Microsoft Exchange servers. Such tactics not only reflect the group's evolving methodologies but also highlight the persistent threat posed to organizations reliant on these platforms.\r\nMoreover, Earth Simnavaz has been observed using the same technique of abusing a dropped password filter as detailed in our earlier findings. This technique enables attackers to capture cleartext passwords, further compromising the integrity of targeted systems.\r\nIn addition to these methods, the group has leveraged ngrok, a tunneling tool that this report groups with remote monitoring and management (RMM) tools, in its operations. ngrok tunnels traffic through an external relay, giving attackers an effective means to maintain persistence and control over compromised environments.\r\nThe threat actors have also recently added CVE-2024-30088 to their toolset, exploiting this vulnerability for privilege escalation in targeted systems. Integrating this into their toolkit highlights Earth Simnavaz’s continuous adaptation: exploiting newer vulnerabilities to make their attacks stealthier and more effective.\r\nEarth Simnavaz’s activities highlight the ongoing threat posed by state-sponsored cyber actors, particularly in sectors vital to national security and economic stability. As the threat landscape continues to evolve, understanding the tactics these groups use is crucial for developing effective defense strategies against such sophisticated adversaries.\r\nAttack chain\r\nThe initial point of entry for these attacks has been traced back to a web shell uploaded to a vulnerable web server (Figure 1). This web shell not only allows the execution of PowerShell code but also enables attackers to download and upload files from and to the server, thereby expanding their foothold within the targeted networks.\r\nOnce inside the network, the APT group leveraged this access to download the ngrok tunneling tool, facilitating lateral movement and enabling them to reach the Domain Controller. During their operations, the group exploited CVE-2024-30088 – the Windows Kernel Elevation of Privilege vulnerability – for privilege escalation, using an exploit binary that was loaded into memory via the open-source tool RunPE-In-Memory.\r\nThis allowed them to register a password filter DLL, which subsequently dropped a backdoor responsible for exfiltrating sensitive data through the Exchange server. The exfiltrated data was relayed to a mail address controlled by the threat actor, completing the infection chain and ensuring the attackers maintained control over the compromised environment.\r\nFigure 1. Attack chain\r\nEarth Simnavaz has been known to leverage compromised organizations to conduct supply chain attacks on other entities. We expect that the threat actor could use the stolen accounts to initiate new attacks through phishing against additional targets.\r\nThere is also a documented overlap between Earth Simnavaz and another APT group, FOX Kitten. In August, an alert from the Cybersecurity and Infrastructure Security Agency (CISA) highlighted FOX Kitten's role in enabling ransomware attacks targeting organizations in the US and the Middle East. These threats should be taken seriously, as the potential impact on compromised entities could be significant.\r\nObserved toolset and techniques\r\nAn initial infection was detected when a web shell was uploaded to a vulnerable web server. This web shell extracts values from the HTTP request headers \"func\" and \"command\", as shown in Figure 2. By passing both arguments to other functions, the web shell allows the threat actor to perform various actions (Table 1):\r\nCommand | Function\r\nExecute PowerShell command on infected server | func=Exc \u0026 Command=PowerShell command to be executed\r\nDownload specific file from infected server | func=Exc \u0026 Command=FilePath\r\nUpload file to infected server | func=Exc \u0026 Command=content of file to be written on infected server\r\nTable 1. Capabilities provided by the web shell\r\nFigure 2. Values extracted from HTTP request headers\r\nThe web shell also decrypts arguments received from the threat actor. It takes a Base64-encoded, AES-encrypted string, decrypts it using a specified key and initialization vector (IV), and returns the decrypted plaintext (Figure 3).\r\nFigure 3. Decrypted string\r\nThe response sent back to the threat actor is encrypted by a separate function. 
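\r\nAs an added example, not code from the Trend Micro article, the following Python triages captured HTTP requests for the header-driven protocol described above. It flags a request that carries both the func and command headers, whose command value is Base64 that decodes to a whole number of 16-byte AES blocks, or that targets one of the page names from the IOC table at the end of this report. The request records, the page-name set and the header names are constructed for the example; the AES key and IV live in the shell's source, so with a copy of the .aspx the command payloads can be decrypted as well, which this check does not attempt.\r\n

```python
# Added example (not from the report): triage captured HTTP requests for the
# header-driven web shell protocol (func and command headers, AES over Base64).
import base64
import binascii

# Page names from the report's IOC table (constructed set for this example;
# s.inc is an include file, listed so that direct hits on it are not missed).
SUSPECT_PAGES = {'defaults.aspx', 'logout.aspx', 'globals.aspx', 's.inc'}
FUNC_HEADER = 'func'
COMMAND_HEADER = 'command'
AES_BLOCK = 16


def looks_like_aes_blob(value):
    # The shell expects Base64 of AES ciphertext: strict decode, non-empty,
    # and a length that is a whole number of 16-byte blocks.
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) > 0 and len(raw) % AES_BLOCK == 0


def triage_request(record):
    # record is a dict: {'src': client ip, 'path': request path, 'headers': {name: value}}.
    # Header names are case-insensitive, so normalise them before the lookup.
    headers = {name.lower(): value for name, value in record.get('headers', {}).items()}
    page = record['path'].rsplit('/', 1)[-1].lower()
    reasons = []
    if page in SUSPECT_PAGES:
        reasons.append('path matches IOC page name ' + page)
    if FUNC_HEADER in headers and COMMAND_HEADER in headers:
        reasons.append('carries both func and command headers')
        if looks_like_aes_blob(headers[COMMAND_HEADER]):
            reasons.append('command header is Base64 of a block-aligned AES blob')
    return reasons


def triage_requests(records):
    # Returns [(src, path, reasons)] for every record that raised at least one reason.
    hits = []
    for record in records:
        reasons = triage_request(record)
        if reasons:
            hits.append((record['src'], record['path'], reasons))
    return hits


# Constructed sample traffic: a benign OWA logon, a shell command whose payload is
# a 32-byte stand-in for AES ciphertext, and a bare probe of one of the IOC pages.
FAKE_CIPHERTEXT = base64.b64encode(bytes(range(32))).decode('ascii')
SAMPLE_REQUESTS = [
    {'src': '10.0.0.5', 'path': '/owa/auth/logon.aspx',
     'headers': {'Host': 'mail.example.test'}},
    {'src': '203.0.113.7', 'path': '/aspnet_client/Defaults.aspx',
     'headers': {'Func': 'Exc', 'Command': FAKE_CIPHERTEXT}},
    {'src': '203.0.113.7', 'path': '/aspnet_client/Logout.aspx', 'headers': {}},
]

if __name__ == '__main__':
    for src, path, reasons in triage_requests(SAMPLE_REQUESTS):
        print(src, path, '; '.join(reasons))
```

A caveat on input: the default W3C fields that IIS logs do not include custom request headers, so the records have to come from a reverse proxy or WAF in front of the server, from IIS custom logging fields, or from a packet capture. Base64 that decodes to a multiple of 16 bytes is only a weak signal on its own; the combination with the func header and the known page names is what makes it worth an alert.\r\n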
That response is encrypted with AES using the given key and IV, and the resulting ciphertext is Base64-encoded (Figure 4).\r\nFigure 4. Response sent back to the threat actor\r\nExploiting CVE-2024-30088 for privilege escalation and persistence\r\nAfter the web shells were implanted on the victim machines, another file called “r.exe” was dropped and executed. This is a simple loader that takes its first argument as the input file, decodes it with a one-byte XOR operation, and executes the result in memory. The loader's code was reused from an open-source tool (Figure 5). The payload file was encoded to bypass traditional detection methods.\r\nFigure 5. Decoding routine in r.exe\r\nA payload file called “p.enc” comes with the loader in the same folder. The decoded payload turns out to be a privilege escalation tool. As its PDB string shows, this tool exploits CVE-2024-30088:\r\nC:\\Users\\reymond\\Desktop\\CVE-2024-30088-main\\x64\\Release\\poc.pdb\r\nThis vulnerability, which was patched in June 2024, allows threat actors to run arbitrary code in the context of SYSTEM and works on multiple versions of Windows 10 and 11.\r\nOur analysis showed that the code was reused from an open-source project (Figure 6). By using RunPE-In-Memory combined with CVE-2024-30088, the threat actor was able to carry out their malicious actions stealthily, since the exploit never touches disk in decoded form.\r\nFigure 6. Reused code\r\nThis privilege escalation tool is coded to execute another dropped executable named “t.exe”, a .NET-compiled installer that creates persistence by registering a scheduled task from the predefined task definition “e.xml”. The installed scheduled task executes the script “u.ps1”. The final “u.ps1” we collected seemed to have been replaced with a useless script, leading us to suspect that the threat actors intentionally altered the script to disrupt the incident investigation.\r\nFigure 7. Creating persistence using “e.xml”\r\nAbusing the dropped password filter policy\r\nAs mentioned earlier, the threat actor has been observed using a tool similar to one identified in our previous research on the same entity. This tool exploits on-premises Exchange servers to exfiltrate credentials to email accounts under their control.\r\nAdditionally, abusing a dropped password filter has been detected as a method for acquiring credentials, which are then exfiltrated via email. Threat actors can register a malicious password filter to intercept the credentials of domain users on domain controllers, or of local accounts on individual machines. This works because the password validation process requires the plaintext password, which the Local Security Authority (LSA) passes to every registered filter.\r\nConsequently, deploying and registering a malicious password filter allows credential harvesting each time a user sets or changes their password. This technique requires elevated privileges (local administrator access) and is carried out in the following steps:\r\n1. The password filter psgfilter.dll is dropped into C:\\Windows\\System32.\r\n2. The registry is modified to register the password filter DLL: under HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa, the multi-string value Notification Packages is set to scecli, psgfilter. LSASS loads the DLL at the next system start.\r\nBy using this technique, the threat actor can capture every password set on compromised machines, including every subsequent change. The malicious DLL exports the three functions (Figure 9) that the LSA requires of a password filter, which is what lets it be registered with the LSA (Figure 8):\r\nInitializeChangeNotify: called when the LSA loads the filter; returns TRUE to indicate that the password filter DLL is initialized.\r\nPasswordChangeNotify: called after a password has been changed; it receives the new plaintext password.\r\nPasswordFilter: validates a proposed new password against policy before the change is committed; it also receives the plaintext password.\r\nFigure 8. Registering the DLL with the LSA\r\nFigure 9. Functions exported by DLL\r\nThe malicious actor took great care in working with the plaintext passwords while implementing the password filter export functions. As in the incident in our previous research, the threat actor also used the plaintext passwords to gain access and deploy tools remotely. The plaintext passwords were encrypted before being exfiltrated over the network.\r\nExfiltrating data through legitimate mail traffic\r\nThe primary function of the exfiltration tool (identified by Trend Micro as STEALHOOK) is to retrieve valid domain credentials from a specific location, which it then uses to access the Exchange server for data exfiltration. The key objective of this stage is to capture the stolen passwords and transmit them to the attackers as email attachments. Additionally, we observed that the threat actors use legitimate accounts with stolen passwords to route these emails through Exchange servers, so the exfiltration looks like ordinary outbound mail.\r\nThe backdoor exhibits significant similarities to one previously attributed to the same group in our earlier research. Its main functionalities can be categorized as follows:\r\nRetrieving user credentials (Figure 10) – Calls the GetUserPassFromData function to retrieve the username and password needed for authentication from this file: C:\\ProgramData\\WindowsUpdateService\\UpdateDir\\edf\r\nFigure 10. The backdoor retrieving user credentials\r\nRetrieving email sending data (Figure 11) – Calls the GetSendData function to retrieve the configuration data needed to send an email from the same file, C:\\ProgramData\\WindowsUpdateService\\UpdateDir\\edf:\r\nServer: the Exchange mail server of the targeted victim through which the data is leaked.\r\nTarget: the email addresses at which the malicious actors receive the exfiltrated data.\r\nDomain: the internal Active Directory (AD) domain name of the targeted entity.\r\nFigure 11. The backdoor retrieving email sending data\r\nSending email (Figure 12) – If the configuration data retrieval succeeds, the program constructs a message containing the user credentials and the configuration data. The email is sent with a fixed subject and body, and all files in the directory C:\\ProgramData\\WindowsUpdateService\\UpdateDir are attached.\r\nEmail subject: \"Update Service\"\r\nBody: \"Update Service Is Running...\"\r\nFigure 12. The backdoor sending emails\r\nUsing RMM tools\r\nThe threat actor recently upgraded their toolkit by incorporating ngrok, which this report groups with RMM tools, in their latest attacks. Ngrok is a legitimate tool that creates tunnels from a local machine to the internet through ngrok's relay, exposing internal services through public URLs. However, attackers can abuse ngrok to bypass firewalls and network security controls, because the compromised host makes an outbound connection to the relay and inbound access arrives through it. They may use it to establish command-and-control (C\u0026C) communication, exfiltrate sensitive data, or deploy payloads by creating tunnels between compromised machines and their servers, making it harder for security teams to spot suspicious activity.\r\nThe ngrok tool was downloaded onto the server using a PowerShell script (Figure 13), after which a WMI command was used to authenticate to a remote server, copy the file, and execute it remotely.\r\nFigure 13. Downloading ngrok\r\nIt appears that the threat actor used this tool in the later stages of the attack, leveraging a valid account and password for authentication. These credentials were likely obtained during earlier phases of the operation, in which accounts and passwords were stolen and exfiltrated.\r\nAttribution\r\nMultiple data points and indicators attribute this attack to Earth Simnavaz, with evidence showing that the group remains active, specifically targeting Middle Eastern countries. This campaign, like that in our previously reported research, involved the targeting of Exchange servers and relaying communications through them. A significant similarity has been observed at both the code and functionality levels between the Exchange backdoor used in this attack and the one seen in the earlier campaign. Additionally, both tools share characteristics with the Karkoff backdoor, which is also linked to the same threat actors and abuses the Exchange Web Services (EWS) API. Earth Simnavaz’s tactics also overlap with those of FOX Kitten, another threat group that has likewise been observed using ngrok.\r\nTrend Micro Vision One Threat Intelligence\r\nTo stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights within Trend Micro Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and be better prepared for emerging threats. It offers comprehensive information on threat actors, their malicious activities, and the techniques they use. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and respond effectively to threats.\r\nTrend Micro Vision One Intelligence Reports App [IOC Sweeping]\r\nEarth Simnavaz Levies Advanced Cyberattacks Against Gulf Regions\r\nTrend Micro Vision One Threat Insights App\r\nThreat Actor/s: Earth Simnavaz\r\nEmerging Threat: Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against Middle East\r\nConclusion\r\nAPT groups like Earth Simnavaz have become increasingly active, particularly in targeting infrastructure in the Middle East. Based on the group’s toolset and activities, it is evident that they aim to establish a persistent presence within compromised entities, using the affected infrastructure to launch further attacks on additional targets. Their primary goals appear to be espionage and the theft of sensitive information.\r\nEarth Simnavaz continues to rely on IIS-based malware such as web shells, customized .NET tools, and PowerShell scripts as core components of their attack arsenal. Recent campaigns have confirmed this technique remains actively in use.\r\nGeopolitical tensions likely play a significant role in this surge, so organizations in the Middle East should take these threats seriously. Earth Simnavaz’s approach involves blending into normal network activity and customizing its malware to avoid detection. Intelligence-driven incident response will be essential in effectively managing and mitigating these types of attacks. 
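\r\nOne such check can be scripted. As an added example that is not part of the Trend Micro article, the Python below audits the LSA Notification Packages value, the registration point abused by the psgfilter.dll password filter described above, from a .reg export of the Lsa key. It decodes the REG_MULTI_SZ hex(7) encoding, re-joins the line-wrapped values regedit writes, compares each package against a baseline, and reports whether a matching DLL is present in System32. The export text, the baseline (scecli, rassfm) and the System32 listing are constructed assumptions for the example; confirm the baseline against a known-good host of the same role, and export both ControlSet001 and CurrentControlSet, since the report shows the value set under ControlSet001.\r\n

```python
# Added example (not from the report): audit the LSA Notification Packages
# value in a .reg export for password filters outside an expected baseline.

Q = chr(34)   # double-quote character that .reg files put around value names
BS = chr(92)  # backslash: registry path separator and .reg line-continuation mark

LSA_KEYS = (
    BS.join(['HKEY_LOCAL_MACHINE', 'SYSTEM', 'ControlSet001', 'Control', 'Lsa']),
    BS.join(['HKEY_LOCAL_MACHINE', 'SYSTEM', 'CurrentControlSet', 'Control', 'Lsa']),
)
VALUE_NAME = 'Notification Packages'
# Assumed baseline for a domain controller; confirm it against a known-good host.
BASELINE = {'scecli', 'rassfm'}


def encode_multi_sz(names):
    # REG_MULTI_SZ as regedit exports it: each string UTF-16LE and NUL-terminated,
    # one extra NUL at the end, written as comma-separated hex bytes after hex(7):
    data = b''.join(n.encode('utf-16-le') + bytes(2) for n in names) + bytes(2)
    return 'hex(7):' + ','.join('%02x' % byte for byte in data)


def decode_multi_sz(hex7):
    # Inverse of encode_multi_sz; tolerates stray whitespace from wrapped lines.
    body = hex7.split(':', 1)[1]
    raw = bytes(int(h, 16) for h in body.replace(' ', '').split(',') if h)
    return [s for s in raw.decode('utf-16-le').split(chr(0)) if s]


def wrap_reg_line(line, width=76):
    # Emulate regedit wrapping of long hex values: break after a comma, end the
    # line with a backslash and indent the continuation by two spaces.
    out = []
    while len(line) > width:
        cut = line.rfind(',', 0, width) + 1
        if cut <= 0:
            break
        out.append(line[:cut] + BS)
        line = '  ' + line[cut:]
    out.append(line)
    return chr(10).join(out)


def parse_reg_export(text):
    # Returns {key_path: {value_name: raw_value}} after re-joining wrapped lines.
    joined, pending = [], ''
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(BS):
            pending += line[:-1]
            continue
        joined.append(pending + line)
        pending = ''
    keys, current = {}, None
    for line in joined:
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith(Q) and (Q + '=') in line:
            name, value = line[1:].split(Q + '=', 1)
            keys[current][name] = value
    return keys


def audit_notification_packages(reg_text, system32_dlls, baseline=BASELINE):
    # For each Lsa key present, return (control set, package, dll_found) for every
    # package outside the baseline; dll_found says whether package.dll was seen in
    # the System32 listing, as with the dropped psgfilter.dll in the report.
    parsed = parse_reg_export(reg_text)
    expected = {b.lower() for b in baseline}
    present = {d.lower() for d in system32_dlls}
    findings = []
    for key in LSA_KEYS:
        raw = parsed.get(key, {}).get(VALUE_NAME)
        if raw is None:
            continue
        for pkg in decode_multi_sz(raw):
            if pkg.lower() not in expected:
                findings.append((key.split(BS)[2], pkg, pkg.lower() + '.dll' in present))
    return findings


# Constructed export: ControlSet001 carries the extra package seen in the report.
SAMPLE_EXPORT = chr(10).join([
    'Windows Registry Editor Version 5.00',
    '',
    '[' + LSA_KEYS[0] + ']',
    wrap_reg_line(Q + VALUE_NAME + Q + '=' + encode_multi_sz(['scecli', 'psgfilter'])),
    '',
    '[' + LSA_KEYS[1] + ']',
    wrap_reg_line(Q + VALUE_NAME + Q + '=' + encode_multi_sz(['scecli'])),
])
# Constructed System32 listing in which the dropped filter DLL is present.
SAMPLE_SYSTEM32 = ['scecli.dll', 'rassfm.dll', 'psgfilter.dll', 'kernel32.dll']

if __name__ == '__main__':
    for control_set, pkg, dll_found in audit_notification_packages(SAMPLE_EXPORT, SAMPLE_SYSTEM32):
        print(control_set, pkg, 'dll present' if dll_found else 'dll missing')
```

A package that is listed but has no DLL on disk is still worth a look: a filter whose DLL has since been deleted, or one staged before a reboot, shows up the same way. Treat any package outside the baseline as a lead for the exported-function check the report describes (InitializeChangeNotify, PasswordChangeNotify, PasswordFilter), and remember that LSASS only picks up a registry change at the next start, so the host may have been rebooted by the attacker.\r\n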
While the group’s techniques haven’t evolved drastically, implementing a Zero Trust architecture, alongside mature SOC, EDR, and MDR capabilities, can greatly enhance defenses against threats like the one posed by Earth Simnavaz.\r\nIndicators of Compromise (IOCs)\r\nSHA-256 | Detection | Description\r\n6e4f237ef084e400b43bc18860d9c781c851012652b558f57527cf61bee1e1ef | Trojan.PS1.DULLDROP.I624 | temp.ps1\r\nb3257f0c0ef298363f89c7a61ab27a706e9e308c22f1820dc4f02dfa0f68d897 | Trojan.Win64.DULLOAD.I | t.exe\r\nabfc8e9b4b02e196af83608d5aaef1771354b32c898852dff532bd8cfd2ce59d | Backdoor.ASP.DULLWSHELL.I624 | Defaults.aspx\r\n43c83976d9b6d19c63aef8715f7929557e93102ff0271b3539ccf2ef485a01a7 | N/A | u.ps1\r\nca98a24507d62afdb65e7ad7205dfe8cd9ef7d837126a3dfc95a74af873b1dc5 | Backdoor.ASP.DULLWSHELL.I624 | Defaults.aspx\r\n7ebbeb2a25da1b09a98e1a373c78486ed2c5a7f2a16eec63e576c99efe0c7a49 | N/A | Microsoft.Exchange.W\r\nc0189edde8fa030ff4a70492ced24e325847b04dba33821cf637219d0ddff3c9 | Backdoor.ASP.DULLWSHELL.I624 | Logout.aspx\r\n6d8bdd3e087b266d493074569a85e1173246d1d71ee88eca94266b5802e28112 | HackTool.Win64.CVE202430088.I | p.enc\r\ndb79c39bc06e55a52741a9170d8007fa93ac712df506632d624a651345d33f91 | TrojanSpy.MSIL.STEALHOOK.A | Update.dll\r\n27a0e31ae16cbc6129b4321d25515b9435c35cc2fa1fc748c6f109275bee3d6c | Contains the task definition that t.exe installs | e.xml\r\n54e8fbae0aa7a279aaedb6d8eec0f95971397fea7fcee6c143772c8ee6e6b498 | Trojan.Win64.DULLOAD.I | r.exe\r\na24303234e0cc6f403fca8943e7170c90b69976015b6a84d64a9667810023ed7 | Trojan.Win64.STEALHOOK.A | passwin.dll\r\n1169d8fe861054d99b10f7a3c87e3bbbd941e585ce932e9e543a2efd701deac2 | HackTool.PS1.DullScan.I | p.ps1\r\naf979580849cc4619b815551842f3265b06497972c61369798135145b82f3cd8 | Trojan.PS1.DULLDROP.I | j.ps1\r\n1d2ff65ac590c8d0dec581f6b6efbf411a2ce5927419da31d50156d8f1e3a4ff | Backdoor.ASP.DULLWSHELL.I624 | Defaults.aspx\r\nabfc8e9b4b02e196af83608d5aaef1771354b32c898852dff532bd8cfd2ce59d | Backdoor.ASP.DULLWSHELL.I624 | s.inc\r\n98fb12a9625d600535df342551d30b27ed216fed14d9c6f63e8bf677cb730301 | Renamed Ngrok | n.exe\r\nca98a24507d62afdb65e7ad7205dfe8cd9ef7d837126a3dfc95a74af873b1dc5 | Backdoor.ASP.DULLWSHELL.I624 | Globals.aspx\r\nSource: https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MISPGALAXY",
		"MITRE"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/j/earth-simnavaz-cyberattacks.html"
	],
	"report_names": [
		"earth-simnavaz-cyberattacks.html"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2c348851-5036-406b-b2d1-1ca47cfc7523",
			"created_at": "2022-10-25T16:07:24.039861Z",
			"updated_at": "2026-04-10T02:00:04.847961Z",
			"deleted_at": null,
			"main_name": "Parisite",
			"aliases": [
				"Cobalt Foxglove",
				"Fox Kitten",
				"G0117",
				"Lemon Sandstorm",
				"Parisite",
				"Pioneer Kitten",
				"Rubidium",
				"UNC757"
			],
			"source_name": "ETDA:Parisite",
			"tools": [
				"Cobalt",
				"FRP",
				"Fast Reverse Proxy",
				"Invoke the Hash",
				"JuicyPotato",
				"Ngrok",
				"POWSSHNET",
				"Pay2Key",
				"Plink",
				"Port.exe",
				"PuTTY Link",
				"SSHMinion",
				"STSRCheck",
				"Serveo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e3ba400-aee3-4ef3-8fbc-ec07fdbee46c",
			"created_at": "2025-08-07T02:03:24.731268Z",
			"updated_at": "2026-04-10T02:00:03.651425Z",
			"deleted_at": null,
			"main_name": "COBALT FOXGLOVE",
			"aliases": [
				"Fox Kitten ",
				"Lemon Sandstorm ",
				"Parisite ",
				"Pioneer Kitten ",
				"RUBIDIUM ",
				"UNC757 "
			],
			"source_name": "Secureworks:COBALT FOXGLOVE",
			"tools": [
				"Chisel",
				"FRP (Fast Reverse Proxy)",
				"Mimikatz",
				"Ngrok",
				"POWSSHNET",
				"STSRCheck",
				"Servo",
				"n3tw0rm ransomware",
				"pay2key ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "871acc40-6cbf-4c81-8b40-7f783616afbc",
			"created_at": "2023-01-06T13:46:39.156237Z",
			"updated_at": "2026-04-10T02:00:03.232876Z",
			"deleted_at": null,
			"main_name": "Fox Kitten",
			"aliases": [
				"UNC757",
				"Lemon Sandstorm",
				"RUBIDIUM",
				"PIONEER KITTEN",
				"PARISITE"
			],
			"source_name": "MISPGALAXY:Fox Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d070e12b-e1ce-4d8d-b5e3-bc71960cc0cb",
			"created_at": "2022-10-25T15:50:23.676504Z",
			"updated_at": "2026-04-10T02:00:05.260839Z",
			"deleted_at": null,
			"main_name": "Fox Kitten",
			"aliases": [
				"Fox Kitten",
				"UNC757",
				"Parisite",
				"Pioneer Kitten",
				"RUBIDIUM",
				"Lemon Sandstorm"
			],
			"source_name": "MITRE:Fox Kitten",
			"tools": [
				"China Chopper",
				"Pay2Key",
				"ngrok",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434382,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c0837f73dab77eac49441731911ba0d8644f78c3.pdf",
		"text": "https://archive.orkl.eu/c0837f73dab77eac49441731911ba0d8644f78c3.txt",
		"img": "https://archive.orkl.eu/c0837f73dab77eac49441731911ba0d8644f78c3.jpg"
	}
}