{ "id": "fbe9c789-060a-43d9-bdd2-720ca8b25485", "created_at": "2026-04-06T00:14:22.153289Z", "updated_at": "2026-04-10T03:37:51.370614Z", "deleted_at": null, "sha1_hash": "c133b079fdfe661f8e64e8d0ccf512f5668e1592", "title": "DarkSide (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 300078, "plain_text": "DarkSide (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 12:52:09 UTC\r\nFireEye describes DARKSIDE as a ransomware written in C and configurable to target files whether on fixed,\r\nremovable disks, or network shares. The malware can be customized by the affiliates to create a build for specific\r\nvictims.\r\n2023-07-11 ⋅ Twitter (@embee_research) ⋅\r\nTweets on Ransomware Infrastructure Analysis With Censys and GrabbrApp\r\nDarkSide 2022-09-22 ⋅ Broadcom ⋅ Symantec Threat Hunter Team\r\nNoberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics\r\nBlackCat BlackMatter DarkSide 2022-07-13 ⋅ ⋅ GLIMPS ⋅ GLIMPS\r\nLockbit 3.0\r\nBlackMatter DarkSide LockBit 2022-06-29 ⋅ Mandiant ⋅ Jared Wilson\r\nBurrowing your way into VPNs, Proxies, and Tunnels\r\nDarkSide SMOKEDHAM 2022-05-20 ⋅ AhnLab ⋅ ASEC\r\nWhy Remediation Alone Is Not Enough When Infected by Malware\r\nCobalt Strike DarkSide 2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence\r\nCenter (MSTIC)\r\nRansomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself\r\nAnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon\r\nATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi\r\nHelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker\r\nPhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT 2022-04-13 ⋅\r\nMicrosoft ⋅ Microsoft 365 Defender Threat Intelligence Team\r\nDismantling ZLoader: How malicious ads led to disabled security tools and ransomware\r\nBlackMatter Cobalt Strike DarkSide Ryuk Zloader 2022-03-23 ⋅ splunk ⋅ Shannon Davis\r\nGone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed\r\nAvaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk 2022-03-17 ⋅ Sophos ⋅ Tilly\r\nTravers\r\nThe Ransomware Threat Intelligence Center\r\nATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry\r\nDharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker\r\nRagnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker 2022-03-16 ⋅ Symantec ⋅ Symantec\r\nThreat Hunter Team\r\nThe Ransomware Threat Landscape: What to Expect in 2022\r\nAvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty\r\nSquirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin 2022-02-23 ⋅ splunk ⋅ Shannon Davis, SURGe\r\nAn Empirically Comparative Analysis of Ransomware Binaries\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.darkside\r\nPage 1 of 8\n\nAvaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk 2022-02-21 ⋅ Brandefense ⋅\r\nBrandefense\r\nDarkside Ransomware Analysis Report\r\nDarkSide 2022-01-25 ⋅ Nozomi Networks ⋅ Alexey Kleymenov\r\nHow to Analyze Malware for Technical Writing\r\nDarkSide 2021-11-04 ⋅ CrowdStrike ⋅ Eric Loui, Josh Reynolds\r\nCARBON SPIDER Embraces Big Game Hunting, Part 2\r\nBlackMatter Griffon BlackMatter DarkSide HiddenTear JSSLoader 2021-11-03 ⋅ Group-IB ⋅ Andrey Zhdanov\r\nThe Darker Things BlackMatter and their victims\r\nBlackMatter DarkSide BlackMatter DarkSide 2021-11-01 ⋅ FBI ⋅ FBI\r\nPIN Number 20211101-001: Ransomware Actors Use Significant Financial Events and Stock Valuation to\r\nFacilitate Targeting and Extortion of Victims\r\nDarkSide RansomEXX DarkSide PyXie RansomEXX 2021-10-22 ⋅ HUNT \u0026 HACKETT ⋅ Krijn de Mik\r\nAdvanced IP Scanner: the preferred scanner in the A(P)T toolbox\r\nConti DarkSide Dharma Egregor Hades REvil Ryuk 2021-10-22 ⋅ Twitter (@GelosSnake) ⋅ Omri Segev Moyal\r\nTweet on List of wallets used by Darkside/Blackmatter Operator to split out the money\r\nBlackMatter DarkSide BlackMatter DarkSide 2021-10-22 ⋅ Bleeping Computer ⋅ Ionut Ilascu\r\nDarkSide ransomware rushes to cash out $7 million in Bitcoin\r\nBlackMatter DarkSide BlackMatter DarkSide 2021-10-22 ⋅ The Record ⋅ Catalin Cimpanu\r\nDarkSide ransomware gang moves some of its Bitcoin after REvil got hit by law enforcement\r\nBlackMatter DarkSide BlackMatter DarkSide 2021-10-22 ⋅ Elliptic ⋅ Elliptic Intel\r\nDarkSide bitcoins on the move following government cyberattack against REvil ransomware group\r\nBlackMatter DarkSide BlackMatter DarkSide 2021-10-14 ⋅ YouTube (Uriel Kosayev) ⋅ Uriel Kosayev\r\nDarkSide Ransomware Reverse Engineering\r\nBlackMatter DarkSide BlackMatter DarkSide 2021-10-12 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team\r\nECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity\r\nBabuk BlackMatter DarkSide REvil Avaddon Babuk BlackMatter DarkSide LockBit Mailto REvil 2021-10-05 ⋅\r\nTrend Micro ⋅ Byron Gelera, Fyodor Yarochkin, Janus Agcaoili, Nikko Tamana\r\nRansomware as a Service: Enabler of Widespread Attacks\r\nCerber Conti DarkSide Gandcrab Locky Nefilim REvil Ryuk 2021-09-23 ⋅ Blackberry ⋅ The BlackBerry Research \u0026\r\nIntelligence Team\r\nThreat Thursday: BlackMatter RaaS - Darker Than DarkSide?\r\nBlackMatter DarkSide BlackMatter DarkSide 2021-09-14 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team\r\nBig Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack\r\nBlackMatter DarkSide REvil Avaddon BlackMatter Clop Conti CryptoLocker DarkSide DoppelPaymer Hades\r\nREvil 2021-09-02 ⋅ US Department of Health and Human Services ⋅ Health Sector Cybersecurity Coordination Center (HC3)\r\nDemystifying BlackMatter\r\nBlackMatter BlackMatter DarkSide 2021-08-30 ⋅ CrowdStrike ⋅ Eric Loui, Josh Reynolds\r\nCARBON SPIDER Embraces Big Game Hunting, Part 1\r\nBateleur Griffon Carbanak DarkSide JSSLoader PILLOWMINT REvil 2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team\r\nThe Ransomware Threat\r\nBabuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.darkside\r\nPage 2 of 8\n\nConti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex\r\nMimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker 2021-08-06 ⋅ Group-IB ⋅ Andrey Zhdanov\r\nIt's alive! The story behind the BlackMatter ransomware strain\r\nBlackMatter DarkSide BlackMatter DarkSide 2021-08-06 ⋅ ⋅ metabaseq ⋅ Jesus Dominguez, Miguel Gonzalez\r\nInside DarkSide, the ransomware that attacked Colonial Pipeline\r\nDarkSide 2021-08-05 ⋅ Symantec ⋅ Threat Hunter Team\r\nAttacks Against Critical Infrastructure: A Global Concern\r\nBlackEnergy DarkSide DistTrack Stuxnet 2021-08-05 ⋅ cyble ⋅ Cyble\r\nBlackMatter Under the Lens: An Emerging Ransomware Group Looking for Affiliates\r\nDarkSide 2021-08-05 ⋅ KrebsOnSecurity ⋅ Brian Krebs\r\nRansomware Gangs and the Name Game Distraction\r\nDarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze\r\nRansomEXX REvil Ryuk Sekhmet 2021-08-04 ⋅ Recorded Future ⋅ Insikt Group®\r\nProtect Against BlackMatter Ransomware Before It’s Offered\r\nBlackMatter DarkSide 2021-08-03 ⋅ Twitter (@sisoma2) ⋅ sisoma2\r\nPython script for recovering the hashes hardcoded in different samples of the BlackMatter ransomware\r\nDarkSide 2021-08-03 ⋅ Twitter (@ValthekOn) ⋅ Valthek\r\nTweet on blacklisted extensions \u0026 names of BlackMatter ransomware making the check against custom hashes\r\nvalues\r\nDarkSide 2021-08-03 ⋅ Twitter (@sysopfb) ⋅ Jason Reaves\r\nTweet on python script to decode the blob from Blackmatter ransomware\r\nDarkSide 2021-08-02 ⋅ The Record ⋅ Dmitry Smilyanets\r\nAn interview with BlackMatter: A new ransomware group that’s learning from the mistakes of DarkSide and\r\nREvil\r\nDarkSide LockBit REvil 2021-08-01 ⋅ ⋅ ID Ransomware ⋅ Andrew Ivanov\r\nBlackMatter Ransomware\r\nDarkSide 2021-07-31 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nBlackMatter ransomware gang rises from the ashes of DarkSide, REvil\r\nDarkSide REvil 2021-07-31 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nDarkSide ransomware gang returns as new BlackMatter operation\r\nDarkSide 2021-07-27 ⋅ Recorded Future ⋅ Insikt Group®\r\nBlackMatter Ransomware Emerges As Successor to DarkSide, REvil\r\nDarkSide LockBit REvil 2021-07-27 ⋅ ZAYOTEM ⋅ Halil Filik\r\nDarkSide Ransomware Technical Analysis Report\r\nDarkSide 2021-07-13 ⋅ Threat Post ⋅ Becky Bracken\r\nGuess Fashion Brand Deals With Data Loss After Ransomware Attack\r\nDarkSide 2021-07-08 ⋅ CISA ⋅ US-CERT\r\nMalware Analysis Report (AR21-189A): DarkSide Ransomware\r\nDarkSide 2021-07-03 ⋅ Bleeping Computer ⋅ Sergiu Gatlan\r\nUS chemical distributor shares info on DarkSide ransomware data theft\r\nDarkSide 2021-06-22 ⋅ Maltego ⋅ Intel 471, Maltego Team\r\nChasing DarkSide Affiliates: Identifying Threat Actors Connected to Darkside Ransomware Using Maltego \u0026\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.darkside\r\nPage 3 of 8\n\nIntel 471\r\nDarkSide DarkSide 2021-06-16 ⋅ Mandiant ⋅ Jared Wilson, Jordan Nuce, Justin Moore, Mike Hunhoff, Nick Harbour, Robert Dean,\r\nTyler McLellan\r\nSmoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise\r\nDarkSide Cobalt Strike DarkSide SMOKEDHAM UNC2465 2021-06-14 ⋅ CYBER GEEKS All Things Infosec ⋅\r\nCyberMasterV\r\nA Step-by-Step Analysis of a New Version of DarkSide Ransomware\r\nDarkSide 2021-06-13 ⋅ SecJuice ⋅ Secprentice\r\nBlue Team Detection: DarkSide Ransomware\r\nDarkSide 2021-06-10 ⋅ McAfee ⋅ ATR Operational Intelligence Team\r\nAre Virtual Machines the New Gold for Cyber Criminals?\r\nBabuk DarkSide 2021-06-04 ⋅ DeepInstinct ⋅ Bar Block\r\nThe Ransomware Conundrum – A Look into DarkSide\r\nDarkSide 2021-06-03 ⋅ Medium s2wlab ⋅ Denise Dasom Kim, Hyunmin Suh, Jungyeon Lim, YH Jeong\r\nW1 Jun | EN | Story of the week: Ransomware on the Darkweb\r\nDarkSide Babuk DarkSide 2021-06-02 ⋅ CrowdStrike ⋅ Heather Smith, Josh Dalman\r\nUnder Attack: Protecting Against Conti, DarkSide, REvil and Other Ransomware\r\nDarkSide Conti DarkSide REvil 2021-05-24 ⋅ MIT Technology Review ⋅ Daniel Golden, Renee Dudley\r\nThe Colonial pipeline ransomware hackers had a secret weapon: self-promoting cybersecurity firms\r\nDarkSide DarkSide 2021-05-21 ⋅ 360 Total Security ⋅ kate\r\nDarkSide’s Targeted Ransomware Analysis Report for Critical U.S. Infrastructure\r\nDarkSide 2021-05-21 ⋅ Bleeping Computer ⋅ Ionut Ilascu\r\nDarkSide affiliates claim gang's bitcoins in deposit on hacker forum\r\nDarkSide 2021-05-20 ⋅ RiskIQ ⋅ Jennifer Grob\r\nAnalysis of Infrastructure used by DarkSide Affiliates\r\nDarkSide 2021-05-20 ⋅ Digital Shadows ⋅ Stefano De Blasi\r\nRansomware-as-a-Service, Rogue Affiliates, and What’s Next\r\nDarkSide DarkSide REvil 2021-05-19 ⋅ The Wall Street Journal ⋅ Collin Eaton\r\nColonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom\r\nDarkSide DarkSide 2021-05-19 ⋅ Nozomi Networks ⋅ Alexey Kleymenov\r\nColonial Pipeline Ransomware Attack: Revealing How DarkSide Works\r\nDarkSide 2021-05-18 ⋅ Elliptic ⋅ Tom Robinson\r\nDarkSide Ransomware has Netted Over $90 million in Bitcoin\r\nDarkSide DarkSide 2021-05-18 ⋅ The Record ⋅ Catalin Cimpanu\r\nDarkside gang estimated to have made over $90 million from ransomware attacks\r\nDarkSide DarkSide Mailto Maze REvil Ryuk 2021-05-18 ⋅ Bleeping Computer ⋅ Ionut Ilascu\r\nDarkSide ransomware made $90 million in just nine months\r\nDarkSide DarkSide Egregor Gandcrab Mailto Maze REvil Ryuk 2021-05-18 ⋅ KEYSIGHT TECHNOLOGIES ⋅ Radu\r\nEmanuel Chiscariu\r\nDarkSide Ransomware Behavior and Techniques\r\nDarkSide 2021-05-18 ⋅ CrowdStrike ⋅ Karan Sood, Liviu Arsene, Shaun Hurley\r\nDarkSide Goes Dark: How CrowdStrike Falcon Customers Were Protected\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.darkside\r\nPage 4 of 8\n\nDarkSide DarkSide 2021-05-17 ⋅ Gigamon ⋅ Joe Slowik\r\nTracking DarkSide and Ransomware: The Network View\r\nDarkSide DarkSide 2021-05-17 ⋅ splunk ⋅ Splunk Threat Research Team\r\nDarkSide Ransomware: Splunk Threat Update and Detections\r\nDarkSide 2021-05-17 ⋅ Fortinet ⋅ Fred Gutierrez, Gayathri Thirugnanasambandam, Val Saengphaibul\r\nNewly Discovered Function in DarkSide Ransomware Variant Targets Disk Partitions\r\nDarkSide 2021-05-14 ⋅ Blue Team Blog ⋅ Auth 0r\r\nDarkSide Ransomware Operations – Preventions and Detections.\r\nCobalt Strike DarkSide 2021-05-14 ⋅ Intel 471 ⋅ Intel 471\r\nThe moral underground? Ransomware operators retreat after Colonial Pipeline hack\r\nDarkSide DarkSide 2021-05-14 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nDarkSide ransomware servers reportedly seized, REvil restricts targets\r\nDarkSide DarkSide 2021-05-14 ⋅ Advanced Intelligence ⋅ Vitali Kremez\r\nFrom Dawn to \"Silent Night\": \"DarkSide Ransomware\" Initial Attack Vector Evolution\r\nDarkSide 2021-05-14 ⋅ Elliptic ⋅ Dr. Tom Robinson\r\nElliptic Follows the Bitcoin Ransoms Paid by Colonial Pipeline and Other DarkSide Ransomware Victims\r\nDarkSide DarkSide 2021-05-13 ⋅ Bloomberg ⋅ Jennifer Jacobs, Michael Riley, William Turton\r\nColonial Pipeline Paid Hackers Nearly $5 Million in Ransom\r\nDarkSide 2021-05-13 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nPopular Russian hacking forum XSS bans all ransomware topics\r\nDarkSide DarkSide LockBit REvil 2021-05-13 ⋅ The Record ⋅ Catalin Cimpanu\r\nPopular hacking forum bans ransomware ads\r\nDarkSide DarkSide 2021-05-13 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nChemical distributor pays $4.4 million to DarkSide ransomware\r\nDarkSide DarkSide 2021-05-12 ⋅ Trend Micro ⋅ Trend Micro Research\r\nWhat We Know About Darkside Ransomware and the US Pipeline Attack\r\nDarkSide 2021-05-12 ⋅ Zero Day ⋅ Kim Zetter\r\nAnatomy of a $2 Million Darkside Ransomware Breach\r\nDarkSide 2021-05-12 ⋅ Palo Alto Networks Unit 42 ⋅ Ramarcus Baylor\r\nDarkSide Ransomware Gang: An Overview\r\nDarkSide 2021-05-12 ⋅ SecurityScorecard ⋅ Ryan Sherstobitoff\r\nNew Evidence Supports Assessment that DarkSide Likely Responsible for Colonial Pipeline Ransomware Attack;\r\nOthers Targeted\r\nDarkSide DarkSide 2021-05-11 ⋅ KrebsOnSecurity ⋅ Brian Krebs\r\nA Closer Look at the DarkSide Ransomware Gang\r\nDarkSide 2021-05-11 ⋅ CISA ⋅ US-CERT\r\nAlert (AA21-131A) DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware\r\nAttacks\r\nDarkSide 2021-05-11 ⋅ Sophos ⋅ Ferenc László Nagy, Gabor Szappanos, Mark Loman, Peter Mackenzie, Sean Gallagher, Suriya\r\nNatarajan, Szabolcs Lévai, Yusuf Arslan Polat\r\nA defender’s view inside a DarkSide ransomware attack\r\nDarkSide 2021-05-11 ⋅ Dragos ⋅ Mike Hoffman, Tom Winston\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.darkside\r\nPage 5 of 8\n\nRecommendations Following the Colonial Pipeline Cyber Attack\r\nDarkSide 2021-05-11 ⋅ Flashpoint ⋅ Flashpoint\r\nDarkSide Ransomware Links to REvil Group Difficult to Dismiss\r\nDarkSide REvil 2021-05-11 ⋅ splunk ⋅ James Brodsky\r\nThe DarkSide of the Ransomware Pipeline\r\nDarkSide 2021-05-11 ⋅ FireEye ⋅ Alyssa Rahman, Andrew Moore, Brendan McKeague, Jared Wilson, Jeremy Kennelly, Jordan Nuce,\r\nKimberly Goody\r\nShining a Light on DARKSIDE Ransomware Operations\r\nCobalt Strike DarkSide 2021-05-11 ⋅ Mandiant ⋅ Alyssa Rahman, Andrew Moore, Brendan McKeague, Jared Wilson, Jeremy\r\nKennelly, Jordan Nuce, Kimberly Goody, Matt Williams\r\nShining a Light on DARKSIDE Ransomware Operations\r\nDarkSide DarkSide UNC2465 2021-05-10 ⋅ SecurityIntelligence ⋅ Limor Kessem\r\nShedding Light on the DarkSide Ransomware Attack\r\nDarkSide 2021-05-10 ⋅ Intel 471 ⋅ Intel 471\r\nHere’s what we know about DarkSide ransomware\r\nDarkSide 2021-05-10 ⋅ DarkTracer ⋅ DarkTracer\r\nIntelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware\r\ngangs released on the DarkWeb\r\nRansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze\r\nMedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok\r\nRansomEXX REvil Sekhmet SunCrypt ThunderX 2021-05-10 ⋅ SentinelOne ⋅ SentinelOne\r\nMeet DarkSide and Their Ransomware – SentinelOne Customers Protected\r\nDarkSide 2021-05-10 ⋅ ⋅ Anheng Threat Intelligence Center ⋅ Hunting Shadow Lab\r\nAnalysis of U.S. Oil Products Pipeline Operators Suspended by Ransomware Attacks\r\nDarkSide 2021-05-08 ⋅ Reuters ⋅ Christopher Bing, Stephanie Kelly\r\nCyber attack shuts down top U.S. fuel pipeline network\r\nDarkSide 2021-05-06 ⋅ Cyborg Security ⋅ Brandon Denker\r\nRansomware: Hunting for Inhibiting System Backup or Recovery\r\nAvaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX\r\nREvil Ryuk Snatch ThunderX 2021-05-06 ⋅ Chuongdong blog ⋅ Chuong Dong\r\nDarkside Ransomware\r\nDarkSide 2021-05-06 ⋅ Chuongdong blog ⋅ Chuong Dong\r\nDarkside Ransomware\r\nDarkSide 2021-05-01 ⋅ Twitter (@JAMESWT_MHT) ⋅ JamesWT\r\nTweet on linux version of DarkSide ransomware\r\nDarkSide DarkSide 2021-04-28 ⋅ ⋅ La Repubblica ⋅ Andrea Greco\r\nUn sospetto attacco telematico blocca le filiali della Bcc di Roma\r\nDarkSide 2021-04-26 ⋅ CoveWare ⋅ CoveWare\r\nRansomware Attack Vectors Shift as New Software Vulnerability Exploits Abound\r\nAvaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt 2021-04-25 ⋅ Vulnerability.ch\r\nBlog ⋅ Corsin Camichel\r\nRansomware and Data Leak Site Publication Time Analysis\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.darkside\r\nPage 6 of 8\n\nAvaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil 2021-04-22 ⋅ The Record ⋅ Catalin\r\nCimpanu\r\nRansomware gang wants to short the stock price of their victims\r\nDarkSide 2021-04-12 ⋅ DataBreaches.net ⋅ Dissent\r\nA chat with DarkSide\r\nDarkSide 2021-04-01 ⋅ Cybereason ⋅ Cybereason Nocturnus\r\nCybereason vs. DarkSide Ransomware\r\nDarkSide 2021-03-18 ⋅ Varonis ⋅ Snir Ben Shimol\r\nReturn of the Darkside: Analysis of a Large-Scale Data Theft Campaign\r\nDarkSide 2021-03-09 ⋅ Youtube (SANS Digital Forensics and Incident Response) ⋅ Eric Loui, Sergei Frankoff\r\nJackpotting ESXi Servers For Maximum Encryption | Eric Loui \u0026 Sergei Frankoff | SANS CTI Summit 2021\r\nDarkSide RansomEXX DarkSide RansomEXX GOLD DUPONT 2021-02-26 ⋅ CrowdStrike ⋅ Eric Loui, Sergei Frankoff\r\nHypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to\r\nMaximize Impact\r\nDarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil\r\n2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike\r\n2021 Global Threat Report\r\nRansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide\r\nDoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker\r\nMespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT\r\nRagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST\r\nSunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER\r\nSOLAR SPIDER VIKING SPIDER 2021-01-25 ⋅ SOC Prime ⋅ Emanuele De Lucia\r\nAffiliates vs Hunters: Fighting the DarkSide\r\nDarkSide 2021-01-11 ⋅ Bitdefender ⋅ Bitdefender Team\r\nDarkside Ransomware Decryption Tool\r\nDarkSide 2021-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nThreat Profile: GOLD WATERFALL\r\nCobalt Strike DarkSide GOLD WATERFALL 2021-01-01 ⋅ CrowdStrike ⋅ Eric Loui, Sergei Frankoff\r\nHypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to\r\nMaximize Impact\r\nDarkSide RansomEXX DarkSide RansomEXX GOLD DUPONT 2020-12-16 ⋅ Accenture ⋅ Paul Mansfield\r\nTracking and combatting an evolving danger: Ransomware extortion\r\nDarkSide Egregor Maze Nefilim RagnarLocker REvil Ryuk SunCrypt 2020-12-03 ⋅ Medium GhouLSec ⋅ GhouLSec\r\n[Mal Series #13] Darkside Ransom\r\nDarkSide 2020-11-13 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nDarkSide ransomware is creating a secure data leak service in Iran\r\nDarkSide 2020-11-12 ⋅ databreachtoday ⋅ Mathew J. Schwartz\r\nDarkside Ransomware Gang Launches Affiliate Program\r\nDarkSide 2020-10-23 ⋅ Hornetsecurity ⋅ Hornetsecurity Security Lab\r\nLeakware-Ransomware-Hybrid Attacks\r\nAvaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.darkside\r\nPage 7 of 8\n\nSunCrypt 2020-10-05 ⋅ Zawadi Done ⋅ Zawadi Done\r\nDarkSide ransomware analysis\r\nDarkSide 2020-09-22 ⋅ Digital Shadows ⋅ Stefano De Blasi\r\nDarkSide: The New Ransomware Group Behind Highly Targeted Attacks\r\nDarkSide 2020-08-25 ⋅ KELA ⋅ Victoria Kivilevich\r\nHow Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing\r\nAvaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil\r\nSekhmet 2020-08-10 ⋅ ID Ransomware ⋅ Andrew Ivanov\r\nDarkSide Ransomware\r\nDarkSide 2020-08-01 ⋅ Acronis ⋅ Acronis Security\r\nDarkSide Ransomware Does Not Attack Hospitals, Schools and Governments\r\nDarkSide 2020-05-28 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team\r\nDarkSide Pipeline Attack Shakes Up the Ransomware-as-a-Service Landscape\r\nDarkSide DarkSide\r\n[TLP:WHITE] win_darkside_auto (20251219 | Detects win.darkside.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.darkside\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.darkside\r\nPage 8 of 8", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkside" ], "report_names": [ "win.darkside" ], "threat_actors": [ { "id": "059b16f8-d4e0-4399-9add-18101a2fd298", "created_at": "2022-10-25T15:50:23.29434Z", "updated_at": "2026-04-10T02:00:05.380938Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "Evilnum" ], "source_name": "MITRE:Evilnum", "tools": [ "More_eggs", "EVILNUM", "LaZagne" ], "source_id": "MITRE", "reports": null }, { "id": "c9617bb6-45c8-495e-9759-2177e61a8e91", "created_at": "2022-10-25T15:50:23.405039Z", "updated_at": "2026-04-10T02:00:05.387643Z", "deleted_at": null, "main_name": "Carbanak", "aliases": [ "Carbanak", "Anunak" ], "source_name": "MITRE:Carbanak", "tools": [ "Carbanak", "Mimikatz", "PsExec", "netsh" ], "source_id": "MITRE", "reports": null }, { "id": "99d9dd87-91c3-4371-9943-0a1c9c3cd99c", "created_at": "2022-10-25T16:07:23.277763Z", "updated_at": "2026-04-10T02:00:04.514755Z", "deleted_at": null, "main_name": "Solar Spider", "aliases": [], "source_name": "ETDA:Solar Spider", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "8670f370-1865-4264-9a1b-0dfe7617c329", "created_at": "2022-10-25T16:07:23.69953Z", "updated_at": "2026-04-10T02:00:04.716126Z", "deleted_at": null, "main_name": "Hades", "aliases": [ "Operation TrickyMouse" ], "source_name": "ETDA:Hades", "tools": [ "Brave Prince", "Gold Dragon", "GoldDragon", "Lovexxx", "Olympic Destroyer", "Running RAT", "RunningRAT", "SOURGRAPE", "running_rat" ], "source_id": "ETDA", "reports": null }, { "id": "334d00aa-7607-4072-9f5b-00d60bae89a7", "created_at": "2023-01-06T13:46:39.280703Z", "updated_at": "2026-04-10T02:00:03.272492Z", "deleted_at": null, "main_name": "GOLD WATERFALL", "aliases": [], "source_name": "MISPGALAXY:GOLD WATERFALL", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "9de1979b-40fc-44dc-855d-193edda4f3b8", "created_at": "2025-08-07T02:03:24.92723Z", "updated_at": "2026-04-10T02:00:03.755516Z", "deleted_at": null, "main_name": "GOLD LOCUST", "aliases": [ "Anunak", "Carbanak", "Carbon Spider ", "FIN7 ", "Silicon " ], "source_name": "Secureworks:GOLD LOCUST", "tools": [ "Carbanak" ], "source_id": "Secureworks", "reports": null }, { "id": "f4e7d054-d52b-437f-abe6-027d8ea42d51", "created_at": "2025-08-07T02:03:25.028729Z", "updated_at": "2026-04-10T02:00:03.616558Z", "deleted_at": null, "main_name": "GOLD WATERFALL", "aliases": [ "" ], "source_name": "Secureworks:GOLD WATERFALL", "tools": [ "BlackMatter", "CANVAS", "Cobalt Strike", "Darkside" ], "source_id": "Secureworks", "reports": null }, { "id": "6f37e16f-64b2-4b9c-b5b4-08d0884660eb", "created_at": "2022-10-25T16:07:24.380872Z", "updated_at": "2026-04-10T02:00:04.966462Z", "deleted_at": null, "main_name": "Viking Spider", "aliases": [], "source_name": "ETDA:Viking Spider", "tools": [ "Ragnar Locker", "RagnarLocker" ], "source_id": "ETDA", "reports": null }, { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "25758a84-d695-44e7-9cd5-3c6e999ce6c0", "created_at": "2023-01-06T13:46:39.237624Z", "updated_at": "2026-04-10T02:00:03.255835Z", "deleted_at": null, "main_name": "OUTLAW SPIDER", "aliases": [], "source_name": "MISPGALAXY:OUTLAW SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "38e9c8e3-38f8-4500-8c5c-8349b3e9a998", "created_at": "2023-01-06T13:46:39.207556Z", "updated_at": "2026-04-10T02:00:03.246557Z", "deleted_at": null, "main_name": "RIDDLE SPIDER", "aliases": [], "source_name": "MISPGALAXY:RIDDLE SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e227b757-7032-4a99-b119-1bfda2ebd543", "created_at": "2023-01-06T13:46:39.21663Z", "updated_at": "2026-04-10T02:00:03.248543Z", "deleted_at": null, "main_name": "SOLAR SPIDER", "aliases": [], "source_name": "MISPGALAXY:SOLAR SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b4ec06e5-60c9-4796-9f85-129c77d1652b", "created_at": "2023-01-06T13:46:39.21956Z", "updated_at": "2026-04-10T02:00:03.249407Z", "deleted_at": null, "main_name": "VIKING SPIDER", "aliases": [], "source_name": "MISPGALAXY:VIKING SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "27e51b73-410e-4a33-93a1-49cf8a743cf7", "created_at": "2023-01-06T13:46:39.210675Z", "updated_at": "2026-04-10T02:00:03.247656Z", "deleted_at": null, "main_name": "GOLD DUPONT", "aliases": [ "SPRITE SPIDER" ], "source_name": "MISPGALAXY:GOLD DUPONT", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf", "created_at": "2023-01-06T13:46:38.405479Z", "updated_at": "2026-04-10T02:00:02.961112Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "ATK32", "G0046", "G0008", "Sangria Tempest", "ELBRUS", "GOLD NIAGARA", "Coreid", "Carbanak", "Carbon Spider", "JokerStash", "CARBON SPIDER" ], "source_name": "MISPGALAXY:FIN7", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f63c346d-18c8-4821-a56d-fefb1ad7ed5d", "created_at": "2022-10-25T16:07:23.42507Z", "updated_at": "2026-04-10T02:00:04.593122Z", "deleted_at": null, "main_name": "Bronze Starlight", "aliases": [ "Cinnamon Tempest", "DEV-0401", "HighGround", "Operation ChattyGoblin", "SLIME34" ], "source_name": "ETDA:Bronze Starlight", "tools": [ "Agent.dhwf", "Agentemis", "AtomSilo", "Cobalt Strike", "CobaltStrike", "Destroy RAT", "DestroyRAT", "HUI Loader", "Kaba", "Korplug", "LockFile", "Night Sky", "NightSky", "Pandora", "PlugX", "RedDelta", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Xamtrav", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "e9f7f836-b77f-4f95-aa02-9e99d32faf1d", "created_at": "2024-12-21T02:00:02.857057Z", "updated_at": "2026-04-10T02:00:03.791142Z", "deleted_at": null, "main_name": "UNC2465", "aliases": [], "source_name": "MISPGALAXY:UNC2465", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ed3810b7-141a-4ed0-8a01-6a972b80458d", "created_at": "2022-10-25T16:07:23.443259Z", "updated_at": "2026-04-10T02:00:04.602946Z", "deleted_at": null, "main_name": "Carbanak", "aliases": [ "Anunak", "Carbanak", "Carbon Spider", "ELBRUS", "G0008", "Gold Waterfall", "Sangria Tempest" ], "source_name": "ETDA:Carbanak", "tools": [ "AVE_MARIA", "Agentemis", "AmmyyRAT", "Antak", "Anunak", "Ave Maria", "AveMariaRAT", "BABYMETAL", "BIRDDOG", "Backdoor Batel", "Batel", "Bateleur", "BlackMatter", "Boostwrite", "Cain \u0026 Abel", "Carbanak", "Cl0p", "Cobalt Strike", "CobaltStrike", "DNSMessenger", "DNSRat", "DNSbot", "DRIFTPIN", "DarkSide", "FOXGRABBER", "FlawedAmmyy", "HALFBAKED", "JS Flash", "KLRD", "MBR Eraser", "Mimikatz", "Nadrac", "Odinaff", "POWERPIPE", "POWERSOURCE", "PsExec", "SQLRAT", "Sekur", "Sekur RAT", "SocksBot", "SoftPerfect Network Scanner", "Spy.Agent.ORM", "TEXTMATE", "TeamViewer", "TiniMet", "TinyMet", "Toshliph", "VB Flash", "WARPRISM", "avemaria", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "c69bcda3-0893-4ea1-9ec1-ae016332d283", "created_at": "2023-01-06T13:46:39.410593Z", "updated_at": "2026-04-10T02:00:03.317754Z", "deleted_at": null, "main_name": "BRONZE STARLIGHT", "aliases": [ "DEV-0401", "Cinnamon Tempest", "Emperor Dragonfly", "SLIME34" ], "source_name": "MISPGALAXY:BRONZE STARLIGHT", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f4f16213-7a22-4527-aecb-b964c64c2c46", "created_at": "2024-06-19T02:03:08.090932Z", "updated_at": "2026-04-10T02:00:03.6289Z", "deleted_at": null, "main_name": "GOLD NIAGARA", "aliases": [ "Calcium ", "Carbanak", "Carbon Spider ", "FIN7 ", "Navigator ", "Sangria Tempest ", "TelePort Crew " ], "source_name": "Secureworks:GOLD NIAGARA", "tools": [ "Bateleur", "Carbanak", "Cobalt Strike", "DICELOADER", "DRIFTPIN", "GGLDR", "GRIFFON", "JSSLoader", "Meterpreter", "OFFTRACK", "PILLOWMINT", "POWERTRASH", "SUPERSOFT", "TAKEOUT", "TinyMet" ], "source_id": "Secureworks", "reports": null }, { "id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf", "created_at": "2024-01-18T02:02:34.189827Z", "updated_at": "2026-04-10T02:00:04.721082Z", "deleted_at": null, "main_name": "HomeLand Justice", "aliases": [ "Banished Kitten", "Karma", "Red Sandstorm", "Storm-0842", "Void Manticore" ], "source_name": "ETDA:HomeLand Justice", "tools": [ "BABYWIPER", "BiBi Wiper", "BiBi-Linux Wiper", "BiBi-Windows Wiper", "Cl Wiper", "LowEraser", "No-Justice Wiper", "Plink", "PuTTY Link", "RevSocks", "W2K Res Kit" ], "source_id": "ETDA", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd", "created_at": "2023-01-06T13:46:39.153487Z", "updated_at": "2026-04-10T02:00:03.232006Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "EvilNum", "Jointworm", "KNOCKOUT SPIDER", "DeathStalker", "TA4563" ], "source_name": "MISPGALAXY:Evilnum", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c240435e-8863-4e5b-9f47-20c6f5c52131", "created_at": "2022-10-25T16:07:23.253019Z", "updated_at": "2026-04-10T02:00:04.505012Z", "deleted_at": null, "main_name": "Outlaw Spider", "aliases": [], "source_name": "ETDA:Outlaw Spider", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "39ea99fb-1704-445d-b5cd-81e7c99d6012", "created_at": "2022-10-25T16:07:23.601894Z", "updated_at": "2026-04-10T02:00:04.684134Z", "deleted_at": null, "main_name": "Evilnum", "aliases": [ "G0120", "Jointworm", "Operation Phantom in the [Command] Shell", "TA4563" ], "source_name": "ETDA:Evilnum", "tools": [ "Bypass-UAC", "Cardinal RAT", "ChromeCookiesView", "EVILNUM", "Evilnum", "IronPython", "LaZagne", "MailPassView", "More_eggs", "ProduKey", "PyVil", "PyVil RAT", "SONE", "SpicyOmelette", "StealerOne", "Taurus Loader Stealer Module", "Taurus Loader TeamViewer Module", "Terra Loader", "TerraPreter", "TerraStealer", "TerraTV" ], "source_id": "ETDA", "reports": null }, { "id": "bfded1cf-be73-44f9-a391-0751c9996f9a", "created_at": "2022-10-25T15:50:23.337107Z", "updated_at": "2026-04-10T02:00:05.252413Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "FIN7", "GOLD NIAGARA", "ITG14", "Carbon Spider", "ELBRUS", "Sangria Tempest" ], "source_name": "MITRE:FIN7", "tools": [ "Mimikatz", "AdFind", "JSS Loader", "HALFBAKED", "REvil", "PowerSploit", "CrackMapExec", "Carbanak", "Pillowmint", "Cobalt Strike", "POWERSOURCE", "RDFSNIFFER", "SQLRat", "Lizar", "TEXTMATE", "BOOSTWRITE" ], "source_id": "MITRE", "reports": null }, { "id": "7268a08d-d4d0-4ebc-bffe-3d35b3ead368", "created_at": "2022-10-25T16:07:24.225216Z", "updated_at": "2026-04-10T02:00:04.904162Z", "deleted_at": null, "main_name": "Sprite Spider", "aliases": [ "Gold Dupont", "Sprite Spider" ], "source_name": "ETDA:Sprite Spider", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "Coroxy", "Defray 2018", "Defray777", "DroxiDat", "Glushkov", "LaZagne", "Metasploit", "PyXie", "PyXie RAT", "Ransom X", "RansomExx", "SharpHound", "Shifu", "SystemBC", "Target777", "Vatet", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "e6148aa7-4347-4444-a2a0-dbbf7c0f121c", "created_at": "2022-10-25T16:07:24.12696Z", "updated_at": "2026-04-10T02:00:04.875073Z", "deleted_at": null, "main_name": "Riddle Spider", "aliases": [ "Avaddon Team" ], "source_name": "ETDA:Riddle Spider", "tools": [ "Avaddon" ], "source_id": "ETDA", "reports": null }, { "id": "d511e74b-96b8-4ab9-88d6-bc183351dbd8", "created_at": "2025-08-07T02:03:24.674685Z", "updated_at": "2026-04-10T02:00:03.800936Z", "deleted_at": null, "main_name": "BRONZE STARLIGHT", "aliases": [ "Cinnamon Tempest ", "DEV-0401 ", "Emperor Dragonfly " ], "source_name": "Secureworks:BRONZE STARLIGHT", "tools": [ "AtomSilo", "Cobalt Strike", "HUI Loader", "Impacket", "LockFile", "NightSky", "Pandora", "PlugX", "Rook" ], "source_id": "Secureworks", "reports": null }, { "id": "07775b09-acd9-498e-895f-f10063115629", "created_at": "2024-06-04T02:03:07.817613Z", "updated_at": "2026-04-10T02:00:03.650268Z", "deleted_at": null, "main_name": "GOLD DUPONT", "aliases": [ "Sprite Spider ", "Storm-2460 " ], "source_name": "Secureworks:GOLD DUPONT", "tools": [ "777", "ArtifactExx", "Cobalt Strike", "Defray", "Metasploit", "PipeMagic", "PyXie", "Shifu", "SystemBC", "Vatet" ], "source_id": "Secureworks", "reports": null }, { "id": "81e29474-63ad-4ce8-97db-b1712d5481d5", "created_at": "2024-04-24T02:00:49.570158Z", "updated_at": "2026-04-10T02:00:05.285111Z", "deleted_at": null, "main_name": "Cinnamon Tempest", "aliases": [ "Cinnamon Tempest", "DEV-0401", "Emperor Dragonfly", "BRONZE STARLIGHT" ], "source_name": "MITRE:Cinnamon Tempest", "tools": [ "Pandora", "PlugX", "Cheerscrypt", "Impacket", "Cobalt Strike", "HUI Loader", "Rclone" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434462, "ts_updated_at": 1775792271, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/c133b079fdfe661f8e64e8d0ccf512f5668e1592.pdf", "text": "https://archive.orkl.eu/c133b079fdfe661f8e64e8d0ccf512f5668e1592.txt", "img": "https://archive.orkl.eu/c133b079fdfe661f8e64e8d0ccf512f5668e1592.jpg" } }