{
	"id": "d6a1fec3-acd8-4109-975b-a2cd62dbeb89",
	"created_at": "2026-04-06T00:08:43.477716Z",
	"updated_at": "2026-04-10T03:37:37.095815Z",
	"deleted_at": null,
	"sha1_hash": "c376665d6c0b921f648b306d4719b17b87ea9db9",
	"title": "OilRig, APT 34, Helix Kitten, Chrysene",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 133526,
	"plain_text": "OilRig, APT 34, Helix Kitten, Chrysene\r\nArchived: 2026-04-05 16:30:02 UTC\r\n APT group: OilRig, APT 34, Helix Kitten, Chrysene\r\nNames\r\nOilRig (Palo Alto)\r\nAPT 34 (FireEye)\r\nHelix Kitten (CrowdStrike)\r\nTwisted Kitten (CrowdStrike)\r\nCrambus (Symantec)\r\nChrysene (Dragos)\r\nCobalt Gypsy (SecureWorks)\r\nTA452 (Proofpoint)\r\nIRN2 (Area 1)\r\nATK 40 (Thales)\r\nITG13 (IBM)\r\nDEV-0861 (?)\r\nEUROPIUM (Microsoft)\r\nHazel Sandstorm (Microsoft)\r\nScarred Manticore (Check Point)\r\nEvasive Serpens (Palo Alto)\r\nYellow Maero (PWC)\r\nStorm-0861 (Microsoft)\r\nUNC1860 (Mandiant)\r\nEarth Simnavaz (Trend Micro)\r\nG0049 (MITRE)\r\nCountry Iran\r\nSponsor State-sponsored, Ministry of Intelligence and Security (MOIS)\r\nMotivation Information theft and espionage\r\nFirst seen 2014\r\nDescription OilRig is a threat group with suspected Iranian origins that has targeted Middle\r\nEastern and international victims since at least 2014. The group has targeted a\r\nvariety of industries, including financial, government, energy, chemical, and\r\ntelecommunications, and has largely focused its operations within the Middle East.\r\nIt appears the group carries out supply chain attacks, leveraging the trust relationship\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=eeb31f97-edcf-4836-b621-a1865305b91e\r\nPage 1 of 8\n\nbetween organizations to attack their primary targets. FireEye assesses that the group\r\nworks on behalf of the Iranian government based on infrastructure details that\r\ncontain references to Iran, use of Iranian infrastructure, and targeting that aligns with\r\nnation-state interests. This group was previously tracked under two distinct groups,\r\nAPT 34 and OilRig, but was combined due to additional reporting giving higher\r\nconfidence about the overlap of the activity.\r\nOilRig has 1 subgroup:\r\n1. 
Subgroup: Greenbug, Volatile Kitten\r\nOilRig seems to be closely related to APT 33, Elfin, Magnallium since at least 2017\r\nand perhaps DNSpionage. They also seem to overlap with Hexane.\r\nAlso see HomeLand Justice and Orangeworm.\r\nObserved\r\nSectors: Aviation, Chemical, Defense, Education, Energy, Financial, Government,\r\nHigh-Tech, IT, Hospitality, Oil and gas, Telecommunications.\r\nCountries: Albania, Azerbaijan, Bahrain, China, Egypt, Iraq, Israel, Jordan, Kuwait,\r\nLebanon, Mauritius, Oman, Pakistan, Qatar, Saudi Arabia, Turkey, UAE, UK, USA.\r\nTools used\r\nAlma Communicator, BONDUPDATER, certutil, Clayslide, DistTrack,\r\nDNSExfitrator, DNSpionage, Dustman, Fox Panel, GoogleDrive RAT, Helminth,\r\nISMAgent, ISMDoor, ISMInjector, Jason, Karkoff, LaZagne, LIONTAIL,\r\nLONGWATCH, Mimikatz, MrPerfectInstaller, Nautilus, Neuron, OilRig, OopsIE,\r\nPICKPOCKET, Plink, POWBAT, PowerExchange, POWRUNER, PsList,\r\nQUADAGENT, RDAT, RGDoor, Saitama, SideTwist, SpyNote RAT, StoneDrill,\r\nThreeDollars, TONEDEAF, TONEDEAF 2.0, TwoFace, VALUEVAULT, Webmask,\r\nWinRAR, ZeroCleare, Living off the Land.\r\nOperations performed\r\nAug 2012\r\nShamoon Attacks\r\nW32.Disttrack is a new threat that is being used in specific targeted\r\nattacks against at least one organization in the energy sector. It is a\r\ndestructive malware that corrupts files on a compromised computer\r\nand overwrites the MBR (Master Boot Record) in an effort to render a\r\ncomputer unusable.\r\nTarget: Saudi Aramco and Rasgas.\r\n\u003chttps://www.symantec.com/connect/blogs/shamoon-attacks\u003e\r\nMay 2016 Targeted Attacks against Banks in the Middle East\r\nIn the first week of May 2016, FireEye’s DTI identified a wave of\r\nemails containing malicious attachments being sent to multiple banks\r\nin the Middle East region. 
The threat actors appear to be performing\r\ninitial reconnaissance against would-be targets, and the attacks caught\r\nour attention since they were using unique scripts not commonly seen\r\nin crimeware campaigns.\nJun 2016\nWe have identified two separate testing efforts carried out by the\nOilRig actors, one occurring in June and one in November of 2016.\nThe sample set associated with each of these testing activities is rather\nsmall, but the changes made to each of the files give us a chance to\nunderstand what modifications the actor performs in an attempt to\nevade detection. This testing activity also suggests that the threat\ngroup responsible for the OilRig attack campaign have an organized,\nprofessional operations model that includes a testing component to the\ndevelopment of their tools.\nOct 2016\nIn recent weeks we’ve discovered that the group have been actively\nupdating their Clayslide delivery documents, as well as the Helminth\nbackdoor used against victims. Additionally, the scope of\norganizations targeted by this group has expanded to not only include\norganizations within Saudi Arabia, but also a company in Qatar and\ngovernment organizations in Turkey, Israel and the United States.\nNov 2016\nShamoon v2\nThe malware used in the recent attacks (W32.Disttrack.B) is largely\nunchanged from the variant used four years ago. In the 2012 attacks,\ninfected computers had their master boot records wiped and replaced\nwith an image of a burning US flag. 
The latest attacks instead used a\nphoto of the body of Alan Kurdi, the three year-old Syrian refugee\nwho drowned in the Mediterranean last year.\nJan 2017 Delivers Digitally Signed Malware, Impersonates University of\nOxford\nIn recent attacks they set up a fake VPN Web Portal and targeted at\nleast five Israeli IT vendors, several financial institutes, and the Israeli\nPost Office.\nLater, the attackers set up two fake websites pretending to be a\nUniversity of Oxford conference sign-up page and a job application\nwebsite. In these websites they hosted malware that was digitally\nsigned with a valid, likely stolen code signing certificate.\nJun 2017\nIn July 2017, we observed the OilRig group using a tool they\ndeveloped called ISMAgent in a new set of targeted attacks. The\nOilRig group developed ISMAgent as a variant of the ISMDoor\nTrojan. In August 2017, we found this threat group has developed yet\nanother Trojan that they call ‘Agent Injector’ with the specific purpose\nof installing the ISMAgent backdoor. We are tracking this tool as\nISMInjector.\nJul 2017\nThe web server logs on the system we examined that was\ncompromised with the TwoFace shell gave us a glimpse into the\ncommands the actor executed through their malware. 
These\ncommands also enabled us to create a profile of the actor, specifically\ntheir intentions and the tools and techniques used to carry out their\noperation.\nSep 2017\nWhile expanding our research into the TwoFace webshell from this\npast July, we were able to uncover several IP addresses that logged in\nand directly interfaced with the shell we discovered and wrote about.\nInvestigating deeper into these potential adversary IPs revealed a much\nlarger infrastructure used to execute the attacks.\nNov 2017\nNew Targeted Attack in the Middle East\nIn this latest campaign, APT34 leveraged the recent Microsoft Office\nvulnerability CVE-2017-11882 to deploy POWRUNER and\nBONDUPDATER.\nJan 2018 On January 8, 2018, Unit 42 observed the OilRig threat group carry\nout an attack on an insurance agency based in the Middle East. Just\nover a week later, on January 16, 2018, we observed an attack on a\nMiddle Eastern financial institution. In both attacks, the OilRig group\nattempted to deliver a new Trojan that we are tracking as OopsIE.\nThe January 8 attack used a variant of the ThreeDollars delivery\ndocument, which we identified as part of the OilRig toolset based on\nattacks that occurred in August 2017.\nJan 2018\nWhile investigating files uploaded to a TwoFace webshell, Unit 42\ndiscovered actors installing an Internet Information Services (IIS)\nbackdoor that we call RGDoor. Our data suggests that actors have\ndeployed the RGDoor backdoor on webservers belonging to eight\nMiddle Eastern government organizations, as well as one financial and\none educational institution.\nMay 2018\nTechnology Service Provider and Government Agency\nBetween May and June 2018, Unit 42 observed multiple attacks by the\nOilRig group appearing to originate from a government agency in the\nMiddle East. 
Based on previously observed tactics, it is highly likely\nthe OilRig group leveraged credential harvesting and compromised\naccounts to use the government agency as a launching platform for\ntheir true attacks.\nDec 2018\nShamoon v3\nAfter a two-year absence, the destructive malware Shamoon\n(W32.Disttrack.B) re-emerged on December 10 in a new wave of\nattacks against targets in the Middle East. These latest Shamoon\nattacks are doubly destructive, since they involve a new wiper\n(Trojan.Filerase) that deletes files from infected computers before the\nShamoon malware wipes the master boot record.\nJun 2019 [W]e identified three new malware families and a reappearance of\nPICKPOCKET, malware exclusively observed in use by APT34. The\nnew malware families, which we will examine later in this post, show\nAPT34 relying on their PowerShell development capabilities, as well\nas trying their hand at Golang.\nDec 2019\nNew Destructive Wiper ZeroCleare Targets Energy Sector in the\nMiddle East\nJan 2020\nOur researchers Paul Litvak and Michael Kajilolti have discovered a\nnew campaign conducted by APT34 employing an updated toolset.\nBased on uncovered phishing documents, we believe this Iranian actor\nis targeting Westat employees, or United States organizations hiring\nWestat services.\nMar 2020\nKarkoff 2020: a new APT34 espionage operation involves Lebanon\nGovernment\nApr 2020\nWhile analyzing an attack against a Middle Eastern\ntelecommunications organization, we discovered a variant of an\nOilRig-associated tool we call RDAT using a novel email-based\ncommand and control (C2) channel that relied on a technique known\nas steganography to hide commands and data within bitmap images\nattached to emails.\nJan 2021\nIran’s APT34 Returns with an Updated Arsenal\n2021\nOilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes\n2022\nFrom Albania to the Middle East: 
The Scarred Manticore is Listening\nApr 2022 APT34 targets Jordan Government using new Saitama backdoor\n\ntargets-jordan-government-using-new-saitama-backdoor/\u003e\nMay 2022\nIt began with a spearphishing email to a diplomat in Jordan.\nJul 2022\nMicrosoft investigates Iranian attacks against the Albanian\ngovernment\nDec 2022\nNew APT34 Malware Targets The Middle East\nFeb 2023\nCrambus: New Campaign Targets Middle Eastern Government\nAug 2023\nAPT34 Unleashes New Wave of Phishing Attack with Variant of\nSideTwist Trojan\nSep 2024\nThe Unraveling of an Iranian Cyber Attack Against the Iraqi\nGovernment\nSep 2024\nEarth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against\nMiddle East\nCounter operations\nMar 2019\nIn an incident reminiscent of the Shadow Brokers leak that exposed\nthe NSA’s hacking tools, someone has now published similar hacking\ntools belonging to one of Iran’s elite cyber-espionage units, known as\nAPT34, Oilrig, or HelixKitten.\nUpdate: this leak may have been the work of the CIA.\nJun 2019\nA new hacking tool believed to have been in the arsenal of Iranian\nstate hackers has been published today online, in a Telegram channel.\nThis new tool is named Jason and was published online earlier today\nin the same Telegram channel where the leaker – going by the name of\nLab Dookhtegan – dumped the six other previous hacking tools.\nUpdate: this leak may have been the work of the CIA.\nInformation\nMITRE ATT\u0026CK Playbook Last change to this card: 16 August 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=eeb31f97-edcf-4836-b621-a1865305b91e",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=eeb31f97-edcf-4836-b621-a1865305b91e"
	],
	"report_names": [
		"showcard.cgi?u=eeb31f97-edcf-4836-b621-a1865305b91e"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cde987a8-c71f-49e2-b761-5b7fa2b4ada6",
			"created_at": "2022-10-25T16:07:23.706646Z",
			"updated_at": "2026-04-10T02:00:04.719127Z",
			"deleted_at": null,
			"main_name": "Hexane",
			"aliases": [
				"ATK 120",
				"Cobalt Lyceum",
				"G1001",
				"Lyceum",
				"Operation Out to Sea",
				"Siamesekitten",
				"Yellow Dev 9"
			],
			"source_name": "ETDA:Hexane",
			"tools": [
				"DanBot",
				"DanDrop",
				"Decrypt-RDCMan.ps1",
				"Get-LAPSP.ps1",
				"James",
				"Milan",
				"kl.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e58deb93-aff1-4be5-8deb-37fe8af0b7ed",
			"created_at": "2022-10-25T16:07:23.918534Z",
			"updated_at": "2026-04-10T02:00:04.789509Z",
			"deleted_at": null,
			"main_name": "Greenbug",
			"aliases": [
				"Greenbug",
				"Volatile Kitten"
			],
			"source_name": "ETDA:Greenbug",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c4acd072-595e-4d33-9ce9-bbf41010bb1a",
			"created_at": "2023-01-06T13:46:38.751893Z",
			"updated_at": "2026-04-10T02:00:03.088252Z",
			"deleted_at": null,
			"main_name": "Orangeworm",
			"aliases": [],
			"source_name": "MISPGALAXY:Orangeworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9df96153-0450-4cbb-8a13-b737f16394ef",
			"created_at": "2023-11-03T02:00:07.788769Z",
			"updated_at": "2026-04-10T02:00:03.382078Z",
			"deleted_at": null,
			"main_name": "Scarred Manticore",
			"aliases": [],
			"source_name": "MISPGALAXY:Scarred Manticore",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3e0bc1b7-0dd7-444a-964b-64dfb5145c8f",
			"created_at": "2022-10-25T15:50:23.413202Z",
			"updated_at": "2026-04-10T02:00:05.388465Z",
			"deleted_at": null,
			"main_name": "Orangeworm",
			"aliases": [
				"Orangeworm"
			],
			"source_name": "MITRE:Orangeworm",
			"tools": [
				"Kwampirs",
				"netstat",
				"ipconfig",
				"cmd",
				"Arp",
				"Systeminfo"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a7df240e-6750-4b71-99de-85831b92faa2",
			"created_at": "2022-10-25T15:50:23.859253Z",
			"updated_at": "2026-04-10T02:00:05.285965Z",
			"deleted_at": null,
			"main_name": "HEXANE",
			"aliases": [
				"Lyceum",
				"Siamesekitten",
				"Spirlin"
			],
			"source_name": "MITRE:HEXANE",
			"tools": [
				"Milan",
				"netstat",
				"BITSAdmin",
				"DnsSystem",
				"DanBot",
				"ipconfig",
				"Mimikatz",
				"Kevin",
				"PoshC2"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6a60b1ba-609f-4bed-b15b-3ffc050d2ac6",
			"created_at": "2022-10-25T16:07:24.033083Z",
			"updated_at": "2026-04-10T02:00:04.846068Z",
			"deleted_at": null,
			"main_name": "Orangeworm",
			"aliases": [
				"G0071"
			],
			"source_name": "ETDA:Orangeworm",
			"tools": [
				"Kwampirs",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8d76e350-dfb5-4733-800d-876de41f690d",
			"created_at": "2023-01-06T13:46:38.841887Z",
			"updated_at": "2026-04-10T02:00:03.119083Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [
				"COBALT EDGEWATER"
			],
			"source_name": "MISPGALAXY:DNSpionage",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "25896473-161f-411f-b76a-f11bb26c96bd",
			"created_at": "2023-01-06T13:46:38.75749Z",
			"updated_at": "2026-04-10T02:00:03.090307Z",
			"deleted_at": null,
			"main_name": "CHRYSENE",
			"aliases": [
				"Greenbug"
			],
			"source_name": "MISPGALAXY:CHRYSENE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4632103e-8035-4a83-9ecb-c1e12e21288c",
			"created_at": "2022-10-25T16:07:23.542255Z",
			"updated_at": "2026-04-10T02:00:04.64888Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [],
			"source_name": "ETDA:DNSpionage",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"CACTUSPIPE",
				"DNSpionage",
				"DropperBackdoor",
				"Karkoff",
				"MailDropper",
				"OILYFACE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7f25e108-e694-49b6-a494-c8458b33eb3f",
			"created_at": "2024-01-09T02:00:04.199217Z",
			"updated_at": "2026-04-10T02:00:03.509338Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [],
			"source_name": "MISPGALAXY:HomeLand Justice",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "386b1b0a-9217-46d4-a0d6-73d6286154e0",
			"created_at": "2025-08-07T02:03:24.760429Z",
			"updated_at": "2026-04-10T02:00:03.619131Z",
			"deleted_at": null,
			"main_name": "COBALT LYCEUM",
			"aliases": [
				"DEV-0133 ",
				"HEXANE ",
				"ScorchedEpoch "
			],
			"source_name": "Secureworks:COBALT LYCEUM",
			"tools": [
				"DanBot",
				"MilanRAT",
				"RGDoor",
				"SharkWork RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3ebf51d-8f64-48a9-bbfb-674db872cccb",
			"created_at": "2025-08-07T02:03:24.769383Z",
			"updated_at": "2026-04-10T02:00:03.860954Z",
			"deleted_at": null,
			"main_name": "COBALT MYSTIQUE",
			"aliases": [
				"Banished Kitten ",
				"DEV-0842 ",
				"Druidfly ",
				"Handala Hack Team",
				"Homeland Justice",
				"Karmabelow80",
				"Red Sandstorm ",
				"Storm-0842 ",
				"Void Manticore "
			],
			"source_name": "Secureworks:COBALT MYSTIQUE",
			"tools": [
				"AllinOneNeo",
				"Bibi",
				"GramPy",
				"GramPyLoader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "107d5019-7454-46cf-9e39-c72d76a14633",
			"created_at": "2024-10-04T02:00:04.774831Z",
			"updated_at": "2026-04-10T02:00:03.719006Z",
			"deleted_at": null,
			"main_name": "UNC1860",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC1860",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6bba8e81-73af-4010-86dc-d43c408ca342",
			"created_at": "2023-01-06T13:46:38.553459Z",
			"updated_at": "2026-04-10T02:00:03.021597Z",
			"deleted_at": null,
			"main_name": "Greenbug",
			"aliases": [],
			"source_name": "MISPGALAXY:Greenbug",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b938e2e3-3d1b-4b35-a031-ddf25b912557",
			"created_at": "2022-10-25T16:07:23.35582Z",
			"updated_at": "2026-04-10T02:00:04.55531Z",
			"deleted_at": null,
			"main_name": "APT 33",
			"aliases": [
				"APT 33",
				"ATK 35",
				"Cobalt Trinity",
				"Curious Serpens",
				"Elfin",
				"G0064",
				"Holmium",
				"Magnallium",
				"Peach Sandstorm",
				"Refined Kitten",
				"TA451",
				"Yellow Orc"
			],
			"source_name": "ETDA:APT 33",
			"tools": [
				"Atros2.CKPN",
				"AutoIt backdoor",
				"Breut",
				"CinaRAT",
				"DROPSHOT",
				"DarkComet",
				"DarkKomet",
				"DistTrack",
				"EmPyre",
				"EmpireProject",
				"FYNLOS",
				"FalseFont",
				"Filerase",
				"Fynloski",
				"JuicyPotato",
				"Krademok",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Mimikatz",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Notestuk",
				"POWERTON",
				"PoshC2",
				"PowerBand",
				"PowerShell Empire",
				"PowerSploit",
				"PsList",
				"Pupy",
				"PupyRAT",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"SHAPESHIFT",
				"Shamoon",
				"Socmer",
				"StoneDrill",
				"TURNEDUP",
				"Tickler",
				"Yggdrasil",
				"Zurten",
				"klovbot",
				"pupy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434123,
	"ts_updated_at": 1775792257,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c376665d6c0b921f648b306d4719b17b87ea9db9.pdf",
		"text": "https://archive.orkl.eu/c376665d6c0b921f648b306d4719b17b87ea9db9.txt",
		"img": "https://archive.orkl.eu/c376665d6c0b921f648b306d4719b17b87ea9db9.jpg"
	}
}