{
	"id": "e5a4cc26-c8ca-48fc-b1ef-9b360d1f5592",
	"created_at": "2026-04-06T00:08:38.162891Z",
	"updated_at": "2026-04-10T03:38:20.398948Z",
	"deleted_at": null,
	"sha1_hash": "c0b2860bef01e353607bafec0cea12ac7f2215df",
	"title": "Lazarus Under The Hood",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3021329,
	"plain_text": "Lazarus Under The Hood\r\nBy GReAT\r\nPublished: 2017-04-03 · Archived: 2026-04-05 12:42:18 UTC\r\nDownload full report (PDF)\r\nIn February 2017 an article in the Polish media broke the silence on a long-running story about attacks on banks,\r\nallegedly related to the notorious Lazarus Group. While the original article didn’t mention Lazarus\r\nGroup, it was quickly picked up by security researchers. Today we’d like to share some of our findings, and add\r\nsomething new to what’s currently common knowledge about Lazarus Group activities, and their connection to\r\nthe much-talked-about February 2016 incident, when an unknown attacker attempted to steal up to $851M USD\r\nfrom Bangladesh Central Bank.\r\nSince the Bangladesh incident there have been just a few articles explaining the connection between Lazarus\r\nGroup and the Bangladesh bank heist. One such publication was made available by BAE Systems in May 2016;\r\nhowever, it only included analysis of the wiper code. This was followed by another blog post by Anomali Labs,\r\nconfirming the same wiping code similarity. This similarity was found to be satisfying to many readers; however,\r\nat Kaspersky Lab, we were looking for a stronger connection.\r\nOther claims that Lazarus was the group behind attacks on the Polish financial sector came from Symantec in\r\n2017, which noticed string reuse in malware at one of their Polish customers. Symantec also confirmed seeing the\r\nLazarus wiper tool in Poland at one of their customers. However, from this it’s only clear that Lazarus might have\r\nattacked Polish banks.\r\nWhile all these facts are fascinating, the connection between Lazarus attacks on banks, and their role in attacks on\r\nbanks’ systems, was still loose. 
The only case where specific malware targeting the bank’s infrastructure, used to\r\nconnect to the SWIFT messaging server, was discovered is the Bangladesh Central Bank case.\r\nhttps://securelist.com/lazarus-under-the-hood/77908/\r\nPage 1 of 7\n\nHowever, while almost\r\neverybody in the security industry has heard about the attack, few technical details have been revealed to the\r\npublic based on the investigation that took place on site at the attacked company. Considering that the after-hack\r\npublications by the media mentioned that the investigation stumbled upon three different attackers, it was not\r\nobvious whether Lazarus was the one responsible for the fraudulent SWIFT transactions, or if Lazarus had in fact\r\ndeveloped its own malware to attack banks’ systems.\r\nWe would like to add some strong facts that link some attacks on banks to Lazarus, share some of our own\r\nfindings, and shed some light on the recent TTPs used by the attacker, including some as yet unpublished\r\ndetails from the attack in Europe in 2017.\r\nThis is the first time we announce some Lazarus Group operations that have thus far gone unreported to the\r\npublic. We have had the privilege of investigating these attacks and helping with incident response at a number of\r\nfinancial institutions in South East Asia and Europe. With cooperation and support from our research partners, we\r\nhave managed to address many important questions about the mystery of Lazarus attacks, such as their infiltration\r\nmethod and their relation to attacks on SWIFT software, and, most importantly, to shed some light on attribution.\r\nLazarus attacks are not a local problem, and clearly the group’s operations span the whole world. We have\r\nseen the detection of their infiltration tools in multiple countries in the past year. 
Lazarus was previously known to\r\nconduct cyberespionage and cybersabotage activities, such as the attacks on Sony Pictures Entertainment, with\r\nvolumes of internal data leaked and many system hard drives in the company wiped. Their interest in financial\r\ngain is relatively new, considering the age of the group, and it seems that they have a different set of people\r\nworking on the problems of invisible money theft or the generation of illegal profit. We believe that Lazarus\r\nGroup is very large and works mainly on infiltration and espionage operations, while a substantially smaller unit\r\nwithin the group, which we have dubbed Bluenoroff, is responsible for financial profit.\r\nThe watering hole attack on Polish banks was very well covered by the media; however, not everyone knows that it\r\nwas one of many. Lazarus managed to inject malicious code into many other locations. We believe they started this\r\nwatering hole campaign at the end of 2016 after their other operation was interrupted in South East Asia.\r\nLazarus/Bluenoroff regrouped and rushed into new countries, selecting mostly poorer and less developed\r\nlocations, hitting smaller banks because they are, apparently, easy prey.\r\nTo date, we’ve seen Bluenoroff attack four main types of targets:\r\nFinancial institutions\r\nCasinos\r\nCompanies involved in the development of financial trade software\r\nCrypto-currency businesses\r\nHere is the full list of countries where we have seen Bluenoroff watering hole attacks:\r\nMexico\r\nAustralia\r\nUruguay\r\nRussian Federation\r\nNorway\r\nIndia\r\nNigeria\r\nPeru\r\nPoland\r\nOf course, not all attacks were as successful as the Polish attack case, mainly because in Poland they managed to\r\ncompromise a government website. This website was frequently accessed by many financial institutions, making it\r\na very powerful attack vector. 
Nevertheless, this wave of attacks resulted in multiple infections across the world,\r\nadding new hits to the map we’ve been building.\r\nOne of the most interesting discoveries about Lazarus/Bluenoroff came from one of our research partners who\r\ncompleted a forensic analysis of a C2 server in Europe used by the group. Based on the forensic analysis report,\r\nthe attacker connected to the server via Terminal Services and manually installed an Apache Tomcat server using a\r\nlocal browser, configured it with Java Server Pages and uploaded the JSP script for C2. Once the server was ready,\r\nthe attacker started testing it, first with a browser, then by running test instances of their backdoor. The operator\r\nused multiple IPs, from France to Korea, connecting via proxies and VPN servers. However, one short connection\r\nwas made from a very unusual IP range, which originates in North Korea.\r\nIn addition, the operator installed off-the-shelf cryptocurrency mining software meant to generate Monero\r\ncoins. The software consumed system resources so intensely that the system became unresponsive and\r\nfroze. This could be the reason why it was not properly cleaned, and the server logs were preserved.\r\nThis is the first time we have seen a direct link between Bluenoroff and North Korea. Their activity spans from\r\nbackdoors to watering hole attacks, and attacks on SWIFT servers in banks of South East Asia and Bangladesh\r\nCentral Bank. Now, is North Korea behind all the Bluenoroff attacks after all? As researchers, we prefer to\r\nprovide facts rather than speculation. Still, seeing that IP in the C2 log does make North Korea a key part of the\r\nLazarus/Bluenoroff equation.\r\nConclusions\r\nLazarus is not just another APT actor. The scale of the Lazarus operations is shocking. 
Its activity has been surging since\r\n2011 and didn’t disappear after Novetta published the results of its Operation Blockbuster research, in\r\nwhich we also participated. All those hundreds of samples that were collected give the impression that Lazarus is\r\noperating a malware factory, which produces new samples via multiple independent production lines.\r\nWe have seen them using various code obfuscation techniques, rewriting their own algorithms, applying\r\ncommercial software protectors, and using their own and underground packers. Lazarus knows the value of\r\nquality code, which is why we normally see rudimentary backdoors being pushed during the first stage of\r\ninfection. Burning those doesn’t impact the group too much. However, if the first-stage backdoor reports an\r\ninteresting infection, they start deploying more advanced code, carefully protecting it from accidental detection on\r\ndisk. The code is wrapped into a DLL loader or stored in an encrypted container, or maybe hidden in a binary\r\nencrypted registry value. It usually comes with an installer that only the attackers can use, because they\r\npassword-protect it. This guarantees that automated systems – be it a public sandbox or a researcher’s environment – will never\r\nsee the real payload.\r\nMost of the tools are designed to be disposable material that will be replaced with a new generation as soon as\r\nthey are burnt. And then there will be newer, and newer, and newer versions. Lazarus avoids reusing the same\r\ntools, the same code, and the same algorithms. “Keep morphing!” seems to be their internal motto. Those rare cases\r\nwhen they are caught with the same tools are operational mistakes, because the group seems to be so large that one\r\npart doesn’t always know what the other is doing.\r\nThis level of sophistication is something that is not generally found in the cybercriminal world. 
It’s something that\r\nrequires strict organisation and control at all stages of operation. That’s why we think that Lazarus is not just\r\nanother APT actor.\r\nOf course, such processes require a lot of money to keep running, which is why the appearance of the Bluenoroff\r\nsubgroup within Lazarus was logical.\r\nBluenoroff, being a subgroup of Lazarus, focuses on financial attacks only. This subgroup has reverse-engineering\r\nskills: they spend time tearing apart legitimate software and implementing patches for\r\nSWIFT Alliance software, in attempts to find ways to steal big money. Their malware is different, and they aren’t\r\nexactly soldiers that hit and run. Instead, they prefer to make an execution trace to reconstruct and quickly debug\r\nthe problem. They are field engineers that come when the ground is already cleared after conquering new lands.\r\nOne of Bluenoroff’s favorite strategies is to silently integrate into running processes without breaking them. From\r\nthe code we’ve seen, it looks as if they are not exactly looking for a hit-and-run solution when it comes to money\r\ntheft. Their solutions are aimed at invisible theft without leaving a trace. Of course, attempts to move around\r\nmillions of USD can hardly remain unnoticed, but we believe that their malware might be secretly deployed now\r\nin many other places and isn’t triggering any serious alarms because it’s much quieter.\r\nWe would like to note that in all of the observed attacks against banks that we have analyzed, SWIFT software\r\nsolutions running on banks’ servers haven’t demonstrated or exposed any specific vulnerability. The attacks were\r\nfocused on banking infrastructure and staff, exploiting vulnerabilities in commonly used software or websites,\r\nbrute-forcing passwords, using keyloggers and elevating privileges. However, the way banks use servers with\r\nSWIFT software installed requires personnel responsible for their administration and operation. 
Sooner or later, the\r\nattackers find these personnel, gain the necessary privileges, and access the server connected to the SWIFT\r\nmessaging platform. With administrative access to the platform they can manipulate software running on the\r\nsystem as they wish. There is not much that can stop them, because from a technical perspective their activities\r\nmay not differ from what an authorized and qualified engineer would do: starting and stopping services, patching\r\nsoftware, modifying the database. Therefore, in all the breaches we have analyzed, SWIFT, as an organization, has\r\nnot been at direct fault. More than that, we have witnessed SWIFT trying to protect its customers by implementing\r\nthe detection of database and software integrity issues. We believe that this is a step in the right direction, and these\r\nactivities should be extended with full support. Making those integrity checks harder to patch out may create a\r\nserious threat to the success of future operations run by Lazarus/Bluenoroff against banks worldwide.\r\nTo date, the Lazarus/Bluenoroff group has been one of the most successful in launching large-scale operations\r\nagainst the financial industry. We believe that they will remain one of the biggest threats to the banking sector,\r\nfinance and trading companies, as well as casinos, for the next few years. We would like to note that none of the\r\nfinancial institutions we helped with incident response and investigation reported any financial loss.\r\nAs usual, defense against attacks such as those from Lazarus/Bluenoroff should include a multi-layered approach.\r\nKaspersky products include special mitigation strategies against this group, as well as the many other APT groups\r\nwe track. 
If you are interested in reading more about effective mitigation strategies in general, we recommend the\r\nfollowing articles:\r\nStrategies for mitigating APTs\r\nHow to mitigate 85% of threats with four strategies\r\nWe will continue tracking the Lazarus/Bluenoroff actor and share new findings with our intel report subscribers,\r\nas well as with the general public. If you would like to be the first to hear our news, we suggest you subscribe to\r\nour intel reports.\r\nFor more information, contact: intelreports@kaspersky.com.\r\nSource: https://securelist.com/lazarus-under-the-hood/77908/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/lazarus-under-the-hood/77908/"
	],
	"report_names": [
		"77908"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434118,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c0b2860bef01e353607bafec0cea12ac7f2215df.pdf",
		"text": "https://archive.orkl.eu/c0b2860bef01e353607bafec0cea12ac7f2215df.txt",
		"img": "https://archive.orkl.eu/c0b2860bef01e353607bafec0cea12ac7f2215df.jpg"
	}
}