{
	"id": "67a54665-bcbd-4d31-96b1-63947e53201a",
	"created_at": "2026-04-29T02:21:54.935628Z",
	"updated_at": "2026-04-29T08:22:43.041988Z",
	"deleted_at": null,
	"sha1_hash": "cb9d2136c2ad5e1d4734e3e11077c435379a0c5f",
	"title": "Iranian Cyber Threat Evolution: From MBR Wipers to Identity Weaponization",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 70484,
	"plain_text": "Iranian Cyber Threat Evolution: From MBR Wipers to Identity\r\nWeaponization\r\nBy Justin Moore\r\nPublished: 2026-03-16 · Archived: 2026-04-29 02:13:44 UTC\r\nRecent cyberattacks attributed to Iranian threat actors extend beyond typical network disruption. Rather than an\r\nisolated incident of sabotage, this type of attack sits within a broader context defined by Iran's reliance on\r\nasymmetric retaliation and historical proxy doctrine. Iran-aligned threat actors increasingly leverage cyberspace as\r\na strategic equalizer.\r\nFor the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS), cyber\r\noperations provide a low-cost, high-impact mechanism for retaliation without crossing any geographical\r\nboundaries. In this environment, global organizations face increased cyber risk, as traditional malware deployment\r\nintersects with novel identity abuse. The shift from custom-built wiper malware to native administrative abuse\r\nremoves a critical detection guardrail that historically protected enterprise networks.\r\nFrom Custom Binaries to Identity Abuse\r\nIranian cyber actors’ current tactical shift is driven less by a lack of malware development capabilities than by the\r\nstrategic advantages of living-off-the-land (LotL) techniques. Operations designed to cause disruption have\r\nundergone a change since 2023: Instead of relying heavily on bespoke tools, the methods now employed are part\r\nof a larger trend toward greater scale and improved evasion.\r\nDuring the recent wiper incidents, threat actors operating under the Void Manticore (Handala) persona did not\r\ndeploy a novel wiper or traditional compiled malware. Instead, the attackers compromised highly privileged\r\nidentities, pushing legitimate remote-wipe commands to over 200,000 devices globally.\r\nThis shift from custom binaries to administrative abuse helps explain the current dynamic. 
In this context, Iranian\r\nadvanced persistent threats (APTs) increasingly appear to view enterprise administrative tools not solely as IT\r\ninfrastructure, but as weaponizable assets within a wider disruptive framework. This distinction is critical for\r\nunderstanding how Iranian state-aligned actors perceive mobile device management (MDM) platforms not as\r\nmanagement tools, but as high-leverage attack vectors that bypass traditional endpoint detection and response\r\n(EDR) telemetry.\r\nMoving Up the Escalation Ladder\r\nAs early as 2012, and again in 2016, Iranian actors launched significant disruptive operations throughout the region.\r\nTracing the history of their cyber retaliation against perceived geopolitical slights, we see a clear, escalating\r\npattern of capability and intent over the last decade among groups linked to the IRGC and MOIS.\r\nThe Blunt Instruments (2016–2019)\r\nhttps://unit42.paloaltonetworks.com/evolution-of-iran-cyber-threats/\r\nPage 1 of 5\n\nDuring this period, threat actor groups such as Curious Serpens (APT33, Elfin) and Evasive Serpens (APT34,\r\nOilRig) targeted IT infrastructure with high-visibility disk-wiping malware.\r\nShamoon resurgence: Following its initial debut in 2012, Shamoon 2 and Shamoon 3 were deployed\r\nagainst Middle Eastern entities. These attacks utilized spearphishing to gain initial access, eventually\r\nrelying on the legitimate EldoS RawDisk driver to bypass Windows APIs and overwrite the master boot record\r\n(MBR).\r\nZeroCleare and Dustman: Deployed heavily against the energy and industrial sectors, wipers like\r\nZeroCleare and its successor Dustman mirrored Shamoon’s reliance on modified legitimate drivers to\r\nachieve destructive effects.\r\nIn this era, Iranian actors prioritized visible retaliation over stealth. 
Their cyberattacks projected power and\r\ninflicted maximum operational immobilization.\r\nRansomware Smokescreen: Plausible Deniability and Supply Chain Compromise (2020–2022)\r\nAs scrutiny intensified, Iranian threat actors adapted their operational playbook to introduce plausible deniability.\r\nThe strategic focus shifted from overt, state-sponsored sabotage to mirroring financially motivated cybercrime.\r\nThis tactical pivot was primarily spearheaded by the threat actor group Agonizing Serpens (Agrius).\r\nThe Agonizing Serpens wiper suite (Apostle and Fantasy): Rather than relying on traditional spear\r\nphishing, Agonizing Serpens frequently exploited publicly available one-day vulnerabilities in public-facing web applications to drop custom web shells. Once initial access was established, the group deployed\r\npayloads designed to blur the lines between espionage and extortion.\r\nEvolution of Apostle: Initially observed as a pure wiper disguised as a ransomware operation, early\r\nversions of Apostle lacked the actual capability to decrypt files, indicating that data destruction was the\r\nprimary intent. Later variants, however, were patched to function as legitimate ransomware, complicating\r\nattribution and delaying incident response efforts by forcing defenders to treat the event as a standard\r\ncybercrime incident.\r\nSupply chain exploitation: The deployment of the Fantasy wiper represented a significant escalation in\r\nAgrius’s targeting methodology. 
By compromising a trusted third-party Israeli software developer, the\r\nthreat actors executed a supply-chain attack that impacted downstream victims across multiple global\r\nverticals.\r\nMasquerading as a ransomware syndicate offered a critical strategic advantage to Iranian cyber actors by\r\nobfuscating state alignment while still achieving the desired effect of business disruption and economic damage.\r\nHacktivism as a Front: Psychological Operations and Cross-Platform Destruction (2023–2025)\r\nBetween 2023 and 2025, the threat landscape shifted once again. The traditional APT model gave way to a surge\r\nof state-directed hacktivist personas. Groups such as Void Manticore and the Handala Hack Team operated openly\r\non platforms like Telegram, leveraging destructive attacks as a component of broader psychological operations\r\nand information warfare.\r\nBiBi, Hatef, and Hamsa wipers: The emergence of these malware families highlighted a critical technical\r\nevolution: cross-platform capability. While earlier wipers were strictly Windows-focused, threat actors\r\ndeployed the .NET-based Hatef wiper for Windows environments alongside the Bash-based Hamsa and\r\nBiBi wipers targeting Linux servers.\r\nFile-level destruction: Technically, these variants moved away from the complex MBR-wiping techniques\r\nof the Shamoon era. Instead, they opted for rapid, recursive file-level destruction, overwriting targeted files\r\nwith 4096-byte blocks of random data.\r\nMultiLayer and BFG Agonizer: Concurrently, collaborative deployments between Agonizing Serpens\r\nand Boggy Serpens (aka MuddyWater) introduced highly modular wipers like MultiLayer and BFG\r\nAgonizer. These operations frequently abused legitimate remote monitoring and management (RMM) tools\r\nto distribute the payloads at scale.\r\nDuring this period, wipers became just one component of a hybrid threat model. 
Destructive deployments were\r\nconsistently paired with aggressive data exfiltration, creating simultaneous hack-and-leak operations.\r\nThe Era of Identity Weaponization (2026 and Beyond)\r\nThe most recent escalation in Iranian offensive cyber operations marks a fundamental departure from the previous\r\ndecade of tradecraft. While the strategic motivations remain consistent, the technical execution has shifted from\r\ndeploying compiled, custom malware to a highly destructive form of LotL. Instead of attempting to evade EDR\r\nagents with sophisticated wiper binaries, these groups are targeting the enterprise management plane itself.\r\nExploitation of mobile device management (MDM): The primary attack vector relies on the compromise\r\nof highly privileged identities with access to cloud-based management consoles, such as MDM/RMM\r\nplatforms.\r\nBuilt-in command abuse: Once administrative access is secured, threat actors abuse legitimate, built-in\r\nfeatures, specifically the remote wipe or factory reset commands. By broadcasting these\r\ncommands across the entire managed tenant, attackers can simultaneously wipe hundreds of thousands of\r\ncorporate laptops, servers, and mobile devices (including bring-your-own-device (BYOD) hardware)\r\nacross global environments.\r\nThe EDR blind spot: Because no traditional wiper malware is dropped, and no anomalous disk-writing\r\nprocesses are initiated by an unknown executable, EDR and antivirus platforms can remain largely blind to\r\nthe activity. The destructive commands are authenticated, authorized, and delivered directly from trusted\r\nvendor infrastructure. The only reliable record of such an operation is therefore the management plane's own\r\naudit and sign-in logs, which is where detection has to start.\r\nThis methodology offers unprecedented scale and speed. 
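What that blind spot means for a detection engineer, as an added example that is not part of the Unit 42 article: the only place a tenant-wide wipe is recorded is the management plane's audit log, so the check below reads console audit events rather than host telemetry and alerts when one identity issues destructive device actions against an unusual number of distinct devices inside a short window. The event schema, field names, action names, the ten-minute window, the 25-device threshold and every sample event are constructed for this example; real MDM or RMM audit exports differ by vendor and have to be mapped into this shape first.

```python
# Added example, not code from the Unit 42 article: flag a tenant-scale remote
# wipe from the MDM/RMM console audit log. Host EDR has nothing to see here,
# because the wipe is an authorized command from the vendor's own infrastructure.
# The event schema, action names, window, threshold and all sample events are
# constructed assumptions for this example; map your vendor's export onto them.
from collections import defaultdict
from datetime import datetime, timedelta

# Console actions that destroy device state or data when pushed at scale.
DESTRUCTIVE_ACTIONS = {'remoteWipe', 'factoryReset', 'retire'}
WINDOW = timedelta(minutes=10)   # look-back window applied per actor
THRESHOLD = 25                   # distinct devices hit inside the window

TS_FORMAT = '%Y-%m-%dT%H:%M:%SZ'

def parse_ts(ts):
    return datetime.strptime(ts, TS_FORMAT)

def build_sample_events():
    # Constructed sample: one admin identity wipes 60 laptops in under three
    # minutes; a helpdesk user retires a single lost phone; the same admin
    # also runs a harmless sync earlier in the night.
    events = []
    start = datetime(2026, 3, 14, 2, 0, 0)
    for i in range(60):
        events.append({
            'ts': (start + timedelta(seconds=3 * i)).strftime(TS_FORMAT),
            'actor': 'svc-mdm-admin@example.test',
            'action': 'remoteWipe',
            'device': 'LAPTOP-%04d' % i,
            'source_ip': '203.0.113.7',
        })
    events.append({'ts': '2026-03-14T01:15:00Z', 'actor': 'helpdesk@example.test',
                   'action': 'retire', 'device': 'PHONE-0099', 'source_ip': '198.51.100.20'})
    events.append({'ts': '2026-03-14T01:50:00Z', 'actor': 'svc-mdm-admin@example.test',
                   'action': 'syncDevice', 'device': 'LAPTOP-0001', 'source_ip': '203.0.113.7'})
    return events

def detect_mass_wipe(events, window=WINDOW, threshold=THRESHOLD):
    # Keep only destructive actions, group them by the identity that issued them,
    # then slide a time window over each actor's sorted events and raise one alert
    # per actor for the window in which the most distinct devices were hit.
    by_actor = defaultdict(list)
    for e in events:
        if e['action'] in DESTRUCTIVE_ACTIONS:
            by_actor[e['actor']].append((parse_ts(e['ts']), e['device'], e['source_ip']))
    alerts = []
    for actor, rows in by_actor.items():
        rows.sort()
        left = 0
        best = None
        for right in range(len(rows)):
            while rows[right][0] - rows[left][0] > window:
                left += 1
            span = rows[left:right + 1]
            devices = {dev for _, dev, _ in span}
            if len(devices) >= threshold and (best is None or len(devices) > best['devices']):
                best = {
                    'actor': actor,
                    'devices': len(devices),
                    'first': span[0][0].isoformat(),
                    'last': span[-1][0].isoformat(),
                    'source_ips': sorted({ip for _, _, ip in span}),
                }
        if best is not None:
            alerts.append(best)
    return alerts

if __name__ == '__main__':
    for alert in detect_mass_wipe(build_sample_events()):
        print(alert)
```

Run as a script it prints one alert for the service account that hit 60 devices in three minutes and nothing for the single helpdesk retire. The threshold is a tuning knob per tenant: a scheduled retirement of a handful of devices is normal, sixty in three minutes from one account is not. Joining the alert with that account's sign-in context (device compliance state, source IP) gives the evidence needed for the hard-block decision the countermeasures call for.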
This approach also eliminates the resource-intensive requirement to\r\ndevelop, test and update custom malware families while guaranteeing a catastrophic impact on the target's\r\noperational capabilities.\r\nThe Outlook: A Changed Strategic Calculus\r\nFor cybersecurity professionals and network defenders, the threat model has shifted significantly. The primary\r\nlesson from this evolutionary timeline is that an organization’s infrastructure is only as strong as its weakest\r\nadministrative credential. When threat actors can reliably turn the tools used to manage and secure a fleet into the\r\nvery instruments of its destruction, the defensive paradigm must evolve from focusing purely on malware\r\ndetection to enforcing strict identity resilience.\r\nFor state-aligned threat actors, disrupting operations through native identity abuse is a highly efficient, scalable\r\nway to project power and inflict economic damage. By understanding this tactical evolution, organizations can\r\ntransition from a posture of reactive malware hunting to one of verified, identity-centric resilience.\r\nTo mitigate the risk of state-aligned administrative abuse, security teams must implement the following strategic\r\ncountermeasures:\r\nTreat the management plane as Tier-0: Cloud-based management platforms must be classified as critical\r\ninfrastructure. Changes to MDM policies, role assignments, and enrollment scopes should be subjected to\r\nthe same rigorous change-control processes as domain controller modifications.\r\nEnforce strict conditional access and Zero Trust: Access to administrative portals must be gated behind\r\nrobust conditional access policies. 
Valid credentials and multi-factor authentication (MFA) are no longer\r\nsufficient; access must also require verification from a known, compliant, and cataloged corporate device.\r\nStolen credentials attempting to authenticate from an unknown device or anomalous IP address range must\r\ntrigger a hard block, not merely an MFA step-up prompt.\r\nEliminate standing privileges: Organizations must audit and radically reduce the number of accounts\r\nholding standing global administrator roles. Implement privileged identity management (PIM) to ensure\r\nthat administrative access is granted only on a Just-In-Time (JIT) basis, complete with approval workflows\r\nand strict timeboxing.\r\nIsolate and air-gap backups: In an environment where the cloud tenant itself is compromised, cloud-connected backups are highly susceptible to the same destruction. Maintaining offline, air-gapped, and\r\nimmutable backups is a non-negotiable requirement for ensuring organizational survivability against native\r\nadministrative wiping operations. Backup retention and deletion controls should likewise sit behind identities\r\nthat the tenant's administrators do not hold, so that a compromised management-plane account cannot erase the\r\nrecovery path along with the fleet.\r\nAdditional Resources\r\nRelated Articles\r\nThreat Brief: Escalation of Cyber Risk Related to Iran (Updated April 17)\r\nWeaponizing the Protectors: TeamPCP’s Multi-Stage Supply Chain Attack on Security Infrastructure\r\nInsights: Increased Risk of Wiper Attacks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/evolution-of-iran-cyber-threats/"
	],
	"report_names": [
		"evolution-of-iran-cyber-threats"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-29T06:58:57.893292Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-29T06:58:57.592535Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d0fef355-9eb9-4adc-8d90-a8c7494c4a81",
			"created_at": "2024-01-18T02:02:34.735032Z",
			"updated_at": "2026-04-29T06:58:58.319199Z",
			"deleted_at": null,
			"main_name": "Handala Hack Team",
			"aliases": [
				"Operation HamsaUpdate"
			],
			"source_name": "ETDA:Handala Hack Team",
			"tools": [
				"Hamsa Wiper",
				"Handala",
				"Hatef Wiper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-29T06:58:57.745497Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450",
				"MuddyKrill"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"MuddyViper",
				"STARWHALE",
				"LP-Notes",
				"POWERSTATS",
				"Rclone",
				"Out1",
				"Tsundere Botnet",
				"PowerSploit",
				"Small Sieve",
				"Fooder",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-29T06:58:56.310338Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK51",
				"Boggy Serpens",
				"Earth Vetala",
				"Static Kitten",
				"COBALT ULSTER",
				"Mango Sandstorm",
				"TA450",
				"TEMP.Zagros",
				"Seedworm",
				"G0069"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-29T06:58:57.692044Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "21e01940-3851-417f-9e90-1a4a2da07033",
			"created_at": "2022-10-25T16:07:23.299369Z",
			"updated_at": "2026-04-29T06:58:57.743375Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow",
				"DEV-0227",
				"Pink Sandstorm",
				"SharpBoys",
				"Spectral Kitten"
			],
			"source_name": "ETDA:Agrius",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agrius",
				"BFG Agonizer",
				"BFG Agonizer Wiper",
				"DEADWOOD",
				"DETBOSIT",
				"Detbosit",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"PW",
				"PartialWasher",
				"PartialWasher Wiper",
				"SQLShred",
				"Sqlextractor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "13e58cc3-9acc-4564-8f84-b8cc0082ee4a",
			"created_at": "2024-05-23T02:00:03.982213Z",
			"updated_at": "2026-04-29T06:58:56.874742Z",
			"deleted_at": null,
			"main_name": "Void Manticore",
			"aliases": [],
			"source_name": "MISPGALAXY:Void Manticore",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4134675e-5b72-4b50-8d70-1a8f18aafbb4",
			"created_at": "2024-10-04T02:00:04.766263Z",
			"updated_at": "2026-04-29T06:58:56.933227Z",
			"deleted_at": null,
			"main_name": "Handala",
			"aliases": [],
			"source_name": "MISPGALAXY:Handala",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d1dcfc37-1f9b-4acd-a023-25153f183c2e",
			"created_at": "2025-08-07T02:03:24.783147Z",
			"updated_at": "2026-04-29T06:58:57.523553Z",
			"deleted_at": null,
			"main_name": "COBALT SHADOW",
			"aliases": [
				"AMERICIUM ",
				"Agonizing Serpens ",
				"Agrius",
				"Agrius ",
				"BlackShadow",
				"DEV-0227 ",
				"Justice Blade ",
				"Malek Team",
				"Malek Team ",
				"MoneyBird ",
				"Pink Sandstorm ",
				"Sharp Boyz ",
				"Spectral Kitten "
			],
			"source_name": "Secureworks:COBALT SHADOW",
			"tools": [
				"Apostle",
				"DEADWOOD",
				"Fantasy wiper",
				"IPsec Helper",
				"MiniDump",
				"Moneybird ransomware",
				"Sandals",
				"SecretsDump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4023e661-f566-4b5b-a06f-9d370403f074",
			"created_at": "2024-02-02T02:00:04.064685Z",
			"updated_at": "2026-04-29T06:58:56.779252Z",
			"deleted_at": null,
			"main_name": "Pink Sandstorm",
			"aliases": [
				"UNC2428",
				"Black Shadow",
				"SPECTRAL KITTEN",
				"AMERICIUM",
				"BlackShadow",
				"DEV-0022",
				"Agrius",
				"Agonizing Serpens"
			],
			"source_name": "MISPGALAXY:Pink Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-29T06:58:57.849553Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-29T06:58:58.009074Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7d982d5b-3428-483c-8804-c3ab774f1861",
			"created_at": "2024-11-01T02:00:52.70975Z",
			"updated_at": "2026-04-29T06:58:57.822183Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"Agrius",
				"Pink Sandstorm",
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow"
			],
			"source_name": "MITRE:Agrius",
			"tools": [
				"NBTscan",
				"Mimikatz",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"DEADWOOD",
				"BFG Agonizer",
				"ASPXSpy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "704af71f-d1ed-4252-88a9-d23a17e4b7b4",
			"created_at": "2026-04-29T02:00:04.621965Z",
			"updated_at": "2026-04-29T06:58:57.779286Z",
			"deleted_at": null,
			"main_name": "VOID MANTICORE",
			"aliases": [
				"VOID MANTICORE",
				"COBALT MYSTIQUE",
				"Handala Hack",
				"Homeland Justice",
				"Karma",
				"Karmabelow80",
				"BANISHED KITTEN",
				"Red Sandstorm"
			],
			"source_name": "MITRE:VOID MANTICORE",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-29T06:58:57.501827Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-29T06:58:57.946937Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b3ebf51d-8f64-48a9-bbfb-674db872cccb",
			"created_at": "2025-08-07T02:03:24.769383Z",
			"updated_at": "2026-04-29T06:58:57.629299Z",
			"deleted_at": null,
			"main_name": "COBALT MYSTIQUE",
			"aliases": [
				"Banished Kitten ",
				"DEV-0842 ",
				"Druidfly ",
				"Handala Hack Team",
				"Homeland Justice",
				"Karmabelow80",
				"Red Sandstorm ",
				"Storm-0842 ",
				"Void Manticore "
			],
			"source_name": "Secureworks:COBALT MYSTIQUE",
			"tools": [
				"AllinOneNeo",
				"Bibi",
				"GramPy",
				"GramPyLoader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-29T06:58:57.538371Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-29T06:58:57.579232Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-29T06:58:56.188715Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT 33",
				"Elfin",
				"Refined Kitten",
				"HOLMIUM",
				"G0064",
				"Peach Sandstorm",
				"TA451",
				"MAGNALLIUM",
				"COBALT TRINITY",
				"ATK35"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-29T06:58:56.229515Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Cobalt Gypsy",
				"Helix Kitten",
				"APT34",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Earth Simnavaz",
				"Twisted Kitten",
				"Crambus",
				"APT 34",
				"IRN2",
				"Evasive Serpens",
				"Hazel Sandstorm"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b938e2e3-3d1b-4b35-a031-ddf25b912557",
			"created_at": "2022-10-25T16:07:23.35582Z",
			"updated_at": "2026-04-29T06:58:57.766157Z",
			"deleted_at": null,
			"main_name": "APT 33",
			"aliases": [
				"APT 33",
				"ATK 35",
				"Cobalt Trinity",
				"Curious Serpens",
				"Elfin",
				"G0064",
				"Holmium",
				"Magnallium",
				"Peach Sandstorm",
				"Refined Kitten",
				"TA451",
				"Yellow Orc"
			],
			"source_name": "ETDA:APT 33",
			"tools": [
				"Atros2.CKPN",
				"AutoIt backdoor",
				"Breut",
				"CinaRAT",
				"DROPSHOT",
				"DarkComet",
				"DarkKomet",
				"DistTrack",
				"EmPyre",
				"EmpireProject",
				"FYNLOS",
				"FalseFont",
				"Filerase",
				"Fynloski",
				"JuicyPotato",
				"Krademok",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Mimikatz",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Notestuk",
				"POWERTON",
				"PoshC2",
				"PowerBand",
				"PowerShell Empire",
				"PowerSploit",
				"PsList",
				"Pupy",
				"PupyRAT",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"SHAPESHIFT",
				"Shamoon",
				"Socmer",
				"StoneDrill",
				"TURNEDUP",
				"Tickler",
				"Yggdrasil",
				"Zurten",
				"klovbot",
				"pupy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-29T06:58:58.033485Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "63883709-27b5-4b65-9aac-c782780fbb28",
			"created_at": "2026-04-10T02:00:03.996704Z",
			"updated_at": "2026-04-29T06:58:57.167422Z",
			"deleted_at": null,
			"main_name": "TeamPCP",
			"aliases": [],
			"source_name": "MISPGALAXY:TeamPCP",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1777429314,
	"ts_updated_at": 1777450963,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cb9d2136c2ad5e1d4734e3e11077c435379a0c5f.pdf",
		"text": "https://archive.orkl.eu/cb9d2136c2ad5e1d4734e3e11077c435379a0c5f.txt",
		"img": "https://archive.orkl.eu/cb9d2136c2ad5e1d4734e3e11077c435379a0c5f.jpg"
	}
}