{
	"id": "2a6efbf9-5407-4711-85dc-5a0e64b95d06",
	"created_at": "2026-04-06T00:18:21.170869Z",
	"updated_at": "2026-04-10T03:35:42.330915Z",
	"deleted_at": null,
	"sha1_hash": "c552970e23591453896cd7bcdcdc6e2302854384",
	"title": "New Ransomware Tactic: Adversaries Target ESXi Servers | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 199901,
	"plain_text": "New Ransomware Tactic: Adversaries Target ESXi Servers | CrowdStrike\r\nBy Eric Loui - Sergei Frankoff\r\nArchived: 2026-04-02 12:42:33 UTC\r\nThis is Part 1 of a three-part blog series. Read Part 2 and Part 3. Targeted large-scale ransomware campaigns,\r\nreferred to as big game hunting (BGH), remained the primary eCrime threat to organizations across all sectors in\r\n2020. The relentless volume and pace of these campaigns mean that some sophisticated BGH actors have not\r\nattracted much attention. Two such groups are SPRITE SPIDER, the operators of the Defray777 ransomware (aka\r\nDefray, Defray 2018, Target777, RansomX, RansomEXX), and CARBON SPIDER, a group formerly focused on\r\ncompromising point-of-sale (POS) devices that was responsible for introducing the Darkside ransomware.\r\nWhile ransomware for Linux has existed for many years, BGH actors have not historically targeted Linux, much\r\nless the ESXi hypervisor specifically. This likely reflects the overwhelming dominance of the Windows operating\r\nsystem in businesses and large organizations. However, in the second half of 2020, SPRITE SPIDER and\r\nCARBON SPIDER began deploying Linux versions of Defray777 and Darkside, respectively, designed\r\nspecifically to affect ESXi. Victims include organizations that have used virtualization to host many of\r\ntheir corporate systems on a few ESXi servers, creating a virtual jackpot for the ransomware. By deploying\r\nransomware on these ESXi hosts, adversaries were able to quickly increase the scope of affected systems within\r\nthe victim environments, resulting in additional pressure on victims to pay a ransom demand. This is a new BGH\r\ntactic CrowdStrike refers to as Hypervisor Jackpotting.\r\nWhat Is ESXi?\r\nESXi is a Type-1 hypervisor (aka a “bare-metal” hypervisor) developed by VMware. A hypervisor is software that\r\nruns and manages virtual machines (VMs). 
In contrast to Type-2 hypervisors that run on a conventional host\r\noperating system, a Type-1 hypervisor runs directly on a dedicated host’s hardware. ESXi systems are commonly\r\nmanaged by vCenter, a centralized server administration tool that can control multiple ESXi devices. While ESXi\r\nis not a Linux operating system, it is possible to run some Linux-compiled ELF binaries within the ESXi\r\ncommand shell. According to multiple estimates, VMware holds an overwhelming majority of the worldwide\r\nvirtual machine market share, well ahead of its nearest competitor. This means that threat actors seeking to encrypt\r\nvirtual infrastructure may prioritize developing malware that can affect VMware environments.\r\nSPRITE SPIDER and Defray777 Ransomware\r\nSPRITE SPIDER is an eCrime actor that conducts low-volume BGH ransomware campaigns using the Defray777\r\nransomware. Other tools used by SPRITE SPIDER include the Vatet loader and the PyXie remote access tool\r\n(RAT). The adversary has established initial access by exploiting vulnerable Citrix Application Delivery\r\nControllers, as well as by using LUNAR SPIDER’s BokBot trojan. To avoid detection, SPRITE SPIDER often\r\nstages payloads on internal servers within a victim network and uses in-memory-only deployments of its later-stage tooling.\r\nhttps://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/\r\nPage 1 of 5\r\nSPRITE SPIDER uses both PyXie and Cobalt Strike to move laterally within a victim environment\r\nafter obtaining initial access. Like other BGH actors, SPRITE SPIDER first attempts to compromise domain\r\ncontrollers (DCs). After acquiring DC access, SPRITE SPIDER collects and exfiltrates sensitive victim data,\r\nthen deploys its Defray777 ransomware. In November 2020, SPRITE SPIDER launched a dedicated leak site\r\n(DLS) on a Tor hidden service domain to publish files from noncompliant ransomware victims. 
Leaking stolen\r\ndata in an effort to pressure victims into paying is part of a broader trend across the BGH ecosystem. Compared to\r\nother BGH actors, SPRITE SPIDER was relatively late to adopt this tactic, possibly due to a desire to avoid\r\nattention. In July 2020, SPRITE SPIDER began using a Linux version of its Defray777 ransomware. The Linux\r\nversion contains the same file scanning and encryption logic as its Windows counterpart, and is designed to\r\nreceive a command-line argument with a path to the directory where it will begin its recursive encryption process.\r\nFiles are encrypted using AES in ECB mode with a 256-bit key that is uniquely generated for each file. The key is\r\nthen encrypted using an embedded 4096-bit RSA public key and appended to the encrypted file. Each victim is\r\ntargeted with a unique build of Defray777 containing a unique RSA public key. If a victim pays the ransom, they\r\nreceive a decryption tool containing an RSA private key that corresponds to the public encryption key.\r\nESXi Access\r\nIn order to compromise ESXi devices, SPRITE SPIDER attempts to harvest credentials that can be used to\r\nauthenticate to the vCenter web interface. SPRITE SPIDER uses PyXie’s LaZagne module to recover vCenter\r\ncredentials stored in web browsers, and also runs Mimikatz to steal credentials from host memory. After\r\nauthenticating to vCenter, SPRITE SPIDER enables SSH to permit persistent access to ESXi devices. In some\r\ncases, the adversary will also change the root account password or the host’s SSH keys.\r\nESXi Encryption\r\nWhile SPRITE SPIDER uses an in-memory deployment technique for the Windows variant of Defray777, on\r\nESXi, the adversary typically writes the Linux version of Defray777 to /tmp/, using a filename attempting to\r\nmasquerade as a legitimate tool (e.g., svc-new). SPRITE SPIDER enumerates system information and processes\r\non the ESXi host using the uname, df, and esxcli vm process list commands. 
Before executing\r\nDefray777, SPRITE SPIDER terminates running VMs in order to allow the ransomware to encrypt files associated\r\nwith the VMs. SPRITE SPIDER may also uninstall VMware Fault Domain Manager (FDM) using a bash script\r\nnamed VMware-fdm-uninstall.sh. FDM is a tool that monitors VMs and reboots them when a VM fails.\r\nCARBON SPIDER and Darkside Ransomware\r\nSince 2016, CARBON SPIDER has traditionally targeted companies operating POS devices, with initial access\r\nbeing gained using low-volume phishing campaigns against this sector. CARBON SPIDER has used a variety of\r\nbackdoors and RATs to enable persistent access. The adversary’s signature persistent access tools include the\r\nSekur (aka Anunak) implant, which has been used since 2016, and the Harpy (aka Griffon) backdoor, which has\r\nbeen used from 2018 through 2020. CARBON SPIDER extensively uses Cobalt Strike for lateral movement, as\r\nwell as open-source post-exploitation tools like PowerSploit. In April 2020, the adversary abruptly shifted its\r\noperational model away from narrow campaigns focused entirely on companies operating POS devices, to broad,\r\nopportunistic operations attempting to infect large numbers of victims across almost all sectors. The goal of these\r\ncampaigns was to deliver the REvil ransomware, which CARBON SPIDER obtained from ransomware-as-a-service (RaaS) vendor PINCHY SPIDER. It is likely CARBON SPIDER pivoted to BGH in response to the\r\nCOVID-19 pandemic, which dramatically reduced in-person retail sales and hospitality business. Similar to\r\nSPRITE SPIDER, CARBON SPIDER typically seeks to compromise a DC first before exfiltrating data and\r\ndeploying ransomware. CARBON SPIDER deepened its commitment to BGH through 2020 by introducing its\r\nown ransomware, Darkside. 
In August 2020, the adversary began deploying Darkside, likely in order to avoid\r\nsharing profits from BGH campaigns with PINCHY SPIDER, the REvil vendor. In November 2020, the adversary\r\ntook another step into the world of BGH by establishing a RaaS affiliate program for Darkside, allowing other\r\nactors to use the ransomware while paying CARBON SPIDER a cut. Similar to SPRITE SPIDER and others,\r\nCARBON SPIDER operates a DLS for Darkside, which has been active since August 2020. In August 2020,\r\nCARBON SPIDER also began using a Linux variant of Darkside configured specifically to affect ESXi hosts. The\r\nESXi version of Darkside targets files relating to VMware virtual machines, including files with the following file\r\nextensions: vmdk, vswp, vmem, vmsn, nvram, vmsd, vmss, vmx, vmxf, log. Files are encrypted using\r\nthe ChaCha20 algorithm with a 32-byte key and 8-byte nonce, uniquely generated per file. The ChaCha20 key and\r\nnonce are then encrypted using a 4096-bit RSA public key that is embedded in the ransomware. To speed up the\r\nencryption process, Darkside also has a configurable encryption size that can be used to control how much of each\r\nfile is encrypted. In samples recovered by CrowdStrike Intelligence, the encryption size was set to 50MB, which\r\nis enough data to prevent the recovery of the virtual machine files. An example of the Darkside configuration, as\r\nwritten to its log file, is shown in Figure 1.\r\nFigure 1. Darkside configuration from log file\r\nESXi Access\r\nSimilar to SPRITE SPIDER, CARBON SPIDER has gained access to ESXi servers using valid credentials. The\r\nadversary has typically accessed these systems via the vCenter web interface, using legitimate credentials, but has\r\nalso logged in over SSH using the Plink utility to drop Darkside.\r\nESXi Encryption\r\nCARBON SPIDER writes Darkside to /tmp/ on ESXi hosts with a generic filename. 
The adversary typically\r\ndoes not do the same amount of host reconnaissance that SPRITE SPIDER does. CARBON SPIDER has used\r\nbuilt-in VMware Tools scripts to shut down guest VMs in order to make sure these VMs are encrypted by\r\nDarkside.\r\nConclusion\r\nBy deploying ransomware on ESXi, SPRITE SPIDER and CARBON SPIDER likely intend to impose greater\r\nharm on victims than could be achieved by their respective Windows ransomware families alone. Encrypting one\r\nESXi server inflicts the same amount of damage as individually deploying ransomware on each VM hosted on a\r\ngiven server. Consequently, targeting ESXi hosts can also improve the speed of BGH operations. If these\r\nransomware attacks on ESXi servers continue to be successful, it is likely that more adversaries will begin to\r\ntarget virtualization infrastructure in the medium term.\r\nMITRE ATT\u0026CK® TTP Comparison\r\nThe following table provides an overview of SPRITE SPIDER and CARBON SPIDER’s tactics, techniques and\r\nprocedures (TTPs) specific to ESXi ransomware attacks.\r\nTactic | Technique | SPRITE SPIDER | CARBON SPIDER | Summary\r\nInitial Access | T1078 - Valid Accounts | Y | Y | Both SPRITE SPIDER and CARBON SPIDER authenticate to vCenter using valid credentials\r\nExecution | T1059.004 - Command and Scripting Interpreter: Unix Shell | Y | Y | The adversaries use the ESXi command shell to transfer and execute the ransomware\r\nPersistence | T1078 - Valid Accounts | Y | Y | Previously compromised credentials enable persistent access\r\nPersistence | T1098.004 - SSH Authorized Keys | Y | - | SPRITE SPIDER has changed root SSH keys for ESXi hosts\r\nDefense Evasion | T1222.002 - File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification | Y | Y | Both adversaries mark their respective ransomware binaries as executable using chmod\r\nDefense Evasion | T1036.005 - Masquerading: Match Legitimate Name or Location | Y | Y | Defray777 and Darkside use filenames that appear to be innocuous or legitimate\r\nDefense Evasion | T1070.004 - Indicator Removal on Host: File Deletion | Y | - | SPRITE SPIDER may delete the Defray777 binary after execution\r\nDiscovery | T1082 - System Information Discovery | Y | - | SPRITE SPIDER performs basic reconnaissance (e.g., uname, df)\r\nDiscovery | T1057 - Process Discovery | Y | - | SPRITE SPIDER performs basic reconnaissance (e.g., esxcli vm process list)\r\nImpact | T1489 - Service Stop | Y | Y | Both adversaries may attempt to terminate running VMs\r\nImpact | T1486 - Data Encrypted for Impact | Y | Y | Defray777 and Darkside encrypt victim systems\r\nIndicators of Compromise\r\nExample SHA256 hashes of Darkside and Defray777 Linux variants:\r\nDescription | SHA256 hash\r\nDarkside Linux Binary | da3bb9669fb983ad8d2ffc01aab9d56198bd9cedf2cc4387f19f4604a070a9b5\r\nDefray777 Linux Binary | cb408d45762a628872fa782109e8fcfc3a5bf456074b007de21e9331bb3c5849\r\nAdditional Resources\r\nRead Part 2 of this two-part blog series, Hypervisor Jackpotting (Part 2): eCrime Actors Increase\r\nTargeting of ESXi Servers with Ransomware.\r\nRead more about big game hunting adversaries tracked by CrowdStrike Intelligence in 2020 in the new\r\nCrowdStrike 2021 Global Threat Report.\r\nCheck out the Global Threat Report resource hub to learn more about today’s adversaries.\r\nTo learn more about how to incorporate intelligence on threat actors into your security strategy, visit the\r\nCROWDSTRIKE FALCON® INTELLIGENCE™ Threat Intelligence page.\r\nLearn more about the powerful, cloud-native CrowdStrike Falcon® platform by visiting the 
product\r\nwebpage.\r\nGet a full-featured free trial of CrowdStrike Falcon® Prevent™ and learn how true next-gen AV performs\r\nagainst today’s most sophisticated threats.\r\nSource: https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/"
	],
	"report_names": [
		"carbon-spider-sprite-spider-target-esxi-servers-with-ransomware"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c2385aea-d30b-4dbc-844d-fef465cf3ea9",
			"created_at": "2023-01-06T13:46:38.916521Z",
			"updated_at": "2026-04-10T02:00:03.144667Z",
			"deleted_at": null,
			"main_name": "LUNAR SPIDER",
			"aliases": [
				"GOLD SWATHMORE"
			],
			"source_name": "MISPGALAXY:LUNAR SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8610b0d9-a6af-4010-818f-28671efc5d5e",
			"created_at": "2023-01-06T13:46:38.897477Z",
			"updated_at": "2026-04-10T02:00:03.138459Z",
			"deleted_at": null,
			"main_name": "PINCHY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:PINCHY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c84bbd2e-003d-4c43-8a46-d777455db2c7",
			"created_at": "2022-10-25T15:50:23.701006Z",
			"updated_at": "2026-04-10T02:00:05.378962Z",
			"deleted_at": null,
			"main_name": "GOLD SOUTHFIELD",
			"aliases": [
				"GOLD SOUTHFIELD",
				"Pinchy Spider"
			],
			"source_name": "MITRE:GOLD SOUTHFIELD",
			"tools": [
				"ConnectWise",
				"REvil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "27e51b73-410e-4a33-93a1-49cf8a743cf7",
			"created_at": "2023-01-06T13:46:39.210675Z",
			"updated_at": "2026-04-10T02:00:03.247656Z",
			"deleted_at": null,
			"main_name": "GOLD DUPONT",
			"aliases": [
				"SPRITE SPIDER"
			],
			"source_name": "MISPGALAXY:GOLD DUPONT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7cfe3bc9-7a6c-4ee1-a635-5ea7b947147f",
			"created_at": "2024-06-19T02:03:08.122318Z",
			"updated_at": "2026-04-10T02:00:03.652418Z",
			"deleted_at": null,
			"main_name": "GOLD SWATHMORE",
			"aliases": [
				"Lunar Spider "
			],
			"source_name": "Secureworks:GOLD SWATHMORE",
			"tools": [
				"Cobalt Strike",
				"GlobeImposter",
				"Gozi",
				"Gozi Trojan",
				"IcedID",
				"Latrodectus",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "475ea823-9e47-4098-b235-0900bc1a5362",
			"created_at": "2022-10-25T16:07:24.506596Z",
			"updated_at": "2026-04-10T02:00:05.015497Z",
			"deleted_at": null,
			"main_name": "Lunar Spider",
			"aliases": [
				"Gold SwathMore"
			],
			"source_name": "ETDA:Lunar Spider",
			"tools": [
				"BokBot",
				"IceID",
				"IcedID",
				"NeverQuest",
				"Vawtrak",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9df68733-9bcd-43b1-88f1-24b110fa3d56",
			"created_at": "2022-10-25T16:07:24.051993Z",
			"updated_at": "2026-04-10T02:00:04.851037Z",
			"deleted_at": null,
			"main_name": "Pinchy Spider",
			"aliases": [
				"G0115",
				"Gold Garden",
				"Gold Southfield",
				"Pinchy Spider"
			],
			"source_name": "ETDA:Pinchy Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"GandCrab",
				"GrandCrab",
				"REvil",
				"Sodin",
				"Sodinokibi",
				"VIDAR",
				"Vidar Stealer",
				"certutil",
				"certutil.exe",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7268a08d-d4d0-4ebc-bffe-3d35b3ead368",
			"created_at": "2022-10-25T16:07:24.225216Z",
			"updated_at": "2026-04-10T02:00:04.904162Z",
			"deleted_at": null,
			"main_name": "Sprite Spider",
			"aliases": [
				"Gold Dupont",
				"Sprite Spider"
			],
			"source_name": "ETDA:Sprite Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Coroxy",
				"Defray 2018",
				"Defray777",
				"DroxiDat",
				"Glushkov",
				"LaZagne",
				"Metasploit",
				"PyXie",
				"PyXie RAT",
				"Ransom X",
				"RansomExx",
				"SharpHound",
				"Shifu",
				"SystemBC",
				"Target777",
				"Vatet",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "07775b09-acd9-498e-895f-f10063115629",
			"created_at": "2024-06-04T02:03:07.817613Z",
			"updated_at": "2026-04-10T02:00:03.650268Z",
			"deleted_at": null,
			"main_name": "GOLD DUPONT",
			"aliases": [
				"Sprite Spider ",
				"Storm-2460 "
			],
			"source_name": "Secureworks:GOLD DUPONT",
			"tools": [
				"777",
				"ArtifactExx",
				"Cobalt Strike",
				"Defray",
				"Metasploit",
				"PipeMagic",
				"PyXie",
				"Shifu",
				"SystemBC",
				"Vatet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434701,
	"ts_updated_at": 1775792142,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c552970e23591453896cd7bcdcdc6e2302854384.pdf",
		"text": "https://archive.orkl.eu/c552970e23591453896cd7bcdcdc6e2302854384.txt",
		"img": "https://archive.orkl.eu/c552970e23591453896cd7bcdcdc6e2302854384.jpg"
	}
}