{
	"id": "e017226c-f32a-4439-b5e9-3092f3d2af83",
	"created_at": "2026-04-06T00:17:39.458505Z",
	"updated_at": "2026-04-10T03:37:23.786933Z",
	"deleted_at": null,
	"sha1_hash": "cc5efdd12549a38850cd5da35731c0ed460efd67",
	"title": "Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered by eSentire",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 838087,
	"plain_text": "Conti Affiliate Exposed: New Domain Names, IP Addresses and\r\nEmail Addresses Uncovered by eSentire\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 16:05:47 UTC\r\nA Cobalt Strike Cybercrime Syndicate and the Ransomware Hackers’ Favorite Weapon\r\nOn March 9, the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Secret Service issued an\r\nupdated alert about the Conti ransomware group, encouraging organizations to review their advisory and apply the\r\nrecommended mitigations. They stated: “Conti cyberthreat actors remain active and Conti ransomware attacks\r\nagainst U.S. and international organizations have risen to more than 1,000. Notable attack vectors include Trickbot\r\nand Cobalt Strike.”\r\neSentire’s Threat Response Unit security research team (TRU) has been tracking the movements of the Conti gang\r\nfor over two years. TRU issued a new report on the Conti Gang on March 7, 2022, two days prior to the CISA\r\nalert, where it warned its customers and critical infrastructure organizations that the Conti gang was continuing to\r\nlaunch attacks against oil terminals, pharmaceutical companies, food manufacturers, IT services providers, etc.\r\nConti declared its allegiance to Russia immediately following Russia’s invasion of Ukraine.\r\nFigure 1: Conti’s Name and Shame Site indicating allegiance to Russia.\r\nhttps://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire\r\nPage 1 of 11\n\nTRU is publishing a new set of Indicators of Compromise (IOCs), which are currently being used by a Conti\r\naffiliate, and eSentire is encouraging security defenders to also use these to detect any possible Conti activity in\r\ntheir networks. These IOCs all link back to the Cobalt Strike infrastructure.\r\nEvery week for the past three years, the public has heard countless news reports of businesses and public entities\r\nbeing compromised by ransomware. 
However, in these incidents, it is usually the ransomware groups behind the\r\nattacks that grab the headlines. TRU contends that it is not just the ransomware gangs that are causing the scourge;\r\nit is also those cybercriminals who are supplying the malware, the infrastructure and the tools. For some time,\r\nwhat appears to be their favorite weapon is Cobalt Strike. Cobalt Strike has repeatedly enabled ransomware threat\r\nactors to disrupt critical healthcare services, municipalities, educational institutions, energy companies, and\r\ninternational meat suppliers.\r\nFor the past year and a half, Cobalt Strike (threat emulation software used for adversary simulations and Red\r\nTeams) has been observed being used by the top ransomware gangs and financial cybercrime groups. Cobalt\r\nStrike is organized, methodical and multi-functional software that is being used, unfortunately, in conjunction\r\nwith ransomware to disrupt critical systems. It is readily delivered by numerous initial access vectors and provides\r\na variety of tools that help threat actors navigate around defenses.\r\nBurning a Conti Affiliate’s Cobalt Strike Infrastructure\r\nTRU has been tracking the operations of an active Conti ransomware affiliate since August 2021. During TRU’s\r\nresearch, it discovered that cybersecurity company BreakPoint Labs (BPL) had also been studying the same Conti\r\naffiliate. Therefore, eSentire and BreakPoint Labs began sharing their findings with one another and uncovered\r\nsome important details relating to this affiliate, its infrastructure management methods, and its use of Cobalt\r\nStrike. It is also important to note that the main Conti operators have recently brought the Trickbot authors,\r\nWizard Spider, into their operation. 
Members of the Trickbot gang are long-time partners of Conti, and they have\r\nrecently developed BazarLoader, which downloads additional malware onto a victim’s computer.\r\nInterestingly, TRU observed this affiliate’s Cobalt Strike infrastructure being leveraged in two subsequent\r\nransomware attempts on Valentine’s Day of 2022, just as the tensions between Russia and Ukraine were\r\nescalating.\r\nThe speed and efficacy of both the intrusion actions and the infrastructure management indicate automated, at-scale deployment of customized Cobalt Strike configurations and its associated initial access vectors.\r\nCustomization choices include legitimate certificates, non-standard CS ports, and malleable Command and\r\nControl (C2). In this report, we will examine associated ransomware operations, including operations that rely on:\r\nSonicWall exploits\r\nShathak (TA551) and TR (TA577) malware distribution operations\r\nBazarLoader and IcedID malware\r\nThe Cobalt Strike intrusion framework\r\nFiveHands/HelloKitty/DeathKitty ransomware and Conti ransomware\r\nTRU observed sophisticated intrusions conducted from the infrastructure, which are detailed below, followed by\r\nan exploration of the features of the infrastructure. Finally, a list of indicators comprising the vast Cobalt Strike\r\ndeployment is provided.\r\nCobalt Strike at Scale\r\nFollowing a series of leaks of the Cobalt Strike Intrusion Suite starting in 2020, the tool quickly rose to\r\nprominence in ransomware intrusions. Throughout 2021, eSentire’s TRU observed that – with few exceptions –\r\nhands-on intrusions invariably relied on Cobalt Strike (Figure 2). The trend continues into 2022 alongside yet\r\nanother leak of Cobalt Strike’s latest version. 
With each successive leak of the tool, threat actors gain additional\r\nfeatures that help them to evade security and manage intrusions at scale.\r\nFigure 2: Cobalt Strike observed by TRU in incidents (blue trace) and timing of Cobalt Strike source code leaks to\r\nthe public (vertical black lines)\r\nWhy has Cobalt Strike become so popular for ransomware campaigns?\r\nRansomware intrusions are full-scale organizational intrusions that require actions such as discovery, lateral tool\r\ntransfer and privilege escalation (Figure 3). Not only can Cobalt Strike do all of that, it can also change up its\r\ndisguises using malleable C2 and an artifact kit to evade network and endpoint security. Threat actors need only\r\ndeliver Cobalt Strike’s Beacon – a highly configurable backdoor that allows attackers to quietly and remotely\r\ncontrol endpoints and inject other attacker tools – as a payload of their chosen initial access vector, and Beacon\r\nwill point back to an attacker-controlled Team Server, where attackers can log on and intrusions can be\r\norchestrated. Due to Cobalt Strike’s relative simplicity, it enables lower-tiered threat actors to act in supporting\r\nroles to ransomware operations, allowing ransomware gangs to scale out their operations and increase\r\nefficiencies.\r\nIn short, the tool puts most of the features you’d find in other malware in one place. MITRE describes the tool as\r\nfollows: “Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT\u0026CK tactics, all executed\r\nwithin a single, integrated system.” Cobalt Strike has been in use and continuously updated with new functionality\r\nfor at least the past ten years. It is sold as “adversarial simulation software,” and its developers have continuously added\r\nevasive features observed in the wild to its pen testing capabilities. 
Cobalt Strike also has a public community\r\nthat openly shares aggressor scripts, which allow various plugins and integrations to be written for Cobalt Strike,\r\nand Beacon profiles, which define various communication protocols for C2. Thus, Cobalt Strike matches the functionality of many backdoors and RATs\r\navailable on the underground market, and adds more.\r\nFigure 3: In the simplified kill chain model, Cobalt Strike can directly perform most intrusion actions, allowing the\r\noperation to efficiently achieve its objectives\r\nRansomware Operations Utilizing the Cobalt Strike Infrastructure\r\nTRU observed at least two cybercrime operations utilizing the same Cobalt Strike infrastructure during 2021 and\r\ninto 2022. Both operations leverage SonicWall exploits to deploy a Go variant of the\r\nFiveHands/HelloKitty/DeathKitty ransomware family, and both employ initial access brokers\r\nassociated with the Conti ransomware operation. Earlier in the year, SonicWall exploits used in FiveHands\r\nransomware campaigns (Figure 4) were associated with FiveHands affiliate UNC2447. A 2021 report by\r\nMandiant notes the group had previously deployed RagnarLocker. Symantec has since associated UNC2447 with\r\nrecent campaigns deploying Yanluowang Ransomware.\r\nFigure 4: A campaign utilizing SonicWall exploits leveraged the tracked Cobalt Strike infrastructure to deliver a\r\nGolang variant of the FiveHands Ransomware\r\nMore recently, the same Cobalt Strike infrastructure was observed being leveraged in Conti ransomware\r\ndeployments via Shathak (aka TA551) for initial access (Figure 5). 
Shathak is a threat group known for launching\r\nphishing campaigns that typically utilize malicious documents, and these often lead to backdoors, such as IcedID.\r\nTRU has seen some overlap in these campaigns with the TR botnet (aka TA577), which delivers payloads via\r\nmalicious documents and which tends to use the same toolset as the Shathak malicious phishing campaigns.\r\nFigure 5: An operation by the Shathak Group (aka TA551) leveraged BazarLoader through malicious emails.\r\nBazarLoader allowed the operation to pivot to the tracked Cobalt Strike infrastructure for Conti deployment.\r\nSyndicate Infrastructure\r\nManagement of the Cobalt Strike infrastructure appears to be highly automated, potentially relying on automated\r\nname server generation via reseller API. Legitimate and trusted certificates are deployed to the infrastructure\r\nwithin minutes of domain name creation. Domain names used for Cobalt Strike Command and Control (C2)\r\nfollow a common naming scheme, typically two to three words or acronyms drawn from common information\r\ntechnology terms and known brands. The infrastructure rotates through a consistent range of open ports and registrar\r\nchoices (Figure 6). TRU’s analysis of the Conti chat leaks provides some insight into infrastructure management\r\nwithin the Conti team, but it’s not clear how entwined the domains tracked here are with this core Conti group.\r\nHowever, the primary candidates from the leaked chats would be Carter’s infrastructure, through which Bentley’s\r\nbuilds integrate the different tools and malware involved (such as BazarLoader, Cobalt Strike and the ransomware\r\nitself). An excerpt of the domain names, IP addresses and email addresses being used by this Conti affiliate is\r\nenclosed below. 
It appears that this Cobalt Strike infrastructure management group has also relied on a variety of\r\nProtonMail email addresses to register some of their domains.\r\nExcerpt of the Cobalt Strike C2 Domain Names and IP Addresses Utilized by a\r\nConti Affiliate\r\nFigure 6: Ports and Registrars observed at time of domain creation\r\nSophisticated Intrusions\r\nCombined, TRU and BPL observed the Cobalt Strike infrastructure being leveraged to attack seven different U.S.\r\ncompanies between 2021 and 2022. 
The victims include companies in the financial, environmental, legal and\r\ncharitable sectors.\r\nIn July 2021, the threat actors behind the Cobalt Strike operation compromised four different financial\r\norganizations via one technology provider, which each of the victims was using to manage their IT environments.\r\nSince the technology provider deployed SonicWall as a VPN solution for its customers, the financial organizations\r\nwere rendered vulnerable to the previously mentioned exploits. In these cases, the threat actors were able to delete\r\ncloud-stored backups prior to ransomware deployment. Luckily, the financial companies had other, more recent\r\nbackups to restore from – a good lesson to follow. The ransomware was later determined to be the late Go version\r\nof Feral Spider and shared similarities with previous FiveHands and HelloKitty variants.\r\nMore recently, on Valentine’s Day 2022, amidst escalating tensions between Russia and Ukraine, the TRU\r\nintercepted an attack leveraging the Cobalt Strike infrastructure in which the threat actors were trying to breach a\r\nchildren’s charity and, hours later, they attempted to breach a legal firm. However, one attack stands out as a\r\ndemonstration of the power and capability of the Cobalt Strike Intrusion Suite, should it land in the wrong hands:\r\nthe ShadowBeacon Incident.\r\nThe Cobalt Strike ShadowBeacon Incident\r\nThe TRU observed the first Cobalt Strike Beacon early in the morning during the summer of 2021. The Beacon\r\ninstance presented an immediate mystery – it pointed to an internal device. The infected host was isolated and an\r\ninvestigation into the source of the signal was opened; another Beacon appeared. Again, a host was isolated. 
The\r\nBeacons were being deployed from the domain controllers via PsExec, a legitimate administrator tool used for\r\nremotely executing binaries. This time, however, the internal IP was different. Sensing an active hands-on\r\nintrusion, TRU began manually deleting the Beacon instances just as eSentire’s incident handlers were finding an\r\nanswer to the shifting Command and Control channel. The intruders were using Forty North’s C2Concealer. The\r\nBeacons were SMB Beacons, which utilize the organization’s internal SMB traffic for their C2. That meant that the\r\ncloaked internal device likely had an HTTP Beacon, through which it was funneling the traffic from SMB\r\nBeacons to the exterior Cobalt Strike C2 Server. The more common Beacon type uses standard internet protocols.\r\nGaining further intelligence about the mysterious internal device required a review of the Windows logs. Given\r\nthat the customer wasn’t ingesting their log signals into eSentire’s Atlas XDR platform, a manual request for logs\r\nwas initiated, introducing a delay to the investigation. With domain control and a cloaked machine, the attacker\r\ncontinued to deploy SMB Beacons, struggling to maintain a foothold as incident handlers continued to shut down\r\nBeacon instances. But after receiving and manually reviewing the Windows logs, TRU discovered the intersection\r\nof the SMB traffic and patient zero.\r\nCrafty Threat Actors Bring Their Own Virtual Machine\r\nThe Windows logs revealed that the threat actor had been able to register their own virtual machine on the victim\r\norganization’s network, using it as a pivot to their actual, exterior C2. With the source of the infection no longer\r\nhiding in the VPN pool, the attacker was kicked out and the recovery process started. 
No ransomware was\r\nobserved.\r\nCobalt Strike Infrastructure-Campaign Links\r\nConti Playbook and Intrusion Tools Used in the ShadowBeacon Incident\r\nThe recent leak of a Conti message board provides a thorough view of the tools and practices used by Conti. The\r\nfollowing was observed in both the ShadowBeacon Incident and Conti’s expansive playbooks:\r\nSonicWall Exploits\r\nForty North’s C2Concealer\r\nBring Your Own Virtual Machine (BYOVM)\r\nThe use of VPS servers for C2\r\nSonicWall Exploits and FiveHands Ransomware\r\nJune 2021 – CrowdStrike reports a new variant of Go ransomware\r\nAugust 2021 – BreakPoint Labs reports numerous domains associated with the previously mentioned breaches.\r\nThe hashes reported by CrowdStrike and BreakPoint Labs share vhash similarity in VirusTotal\r\nAugust 2021 – eSentire observes the Cobalt Strike ShadowBeacon Incident.\r\nShathak, BazarLoader, IcedID and Conti Ransomware\r\nAugust 2021 – amibios-updater[.]com is reported by Brad Duncan of Palo Alto Networks’ Unit42 in association\r\nwith TA551 and BazarLoader\r\nOctober 2021 – IBM X-Force reports Shathak brokering initial access on behalf of Conti ransomware affiliates\r\nNovember 2021 – sonyblueprint[.]com is reported by Unit42 in association with Shathak, BazarLoader and\r\nVNC, a remote desktop sharing protocol that precedes RDP.\r\nJanuary 2022 – customsecurityusa[.]com and juniperengineer[.]com reported by Unit42 in association with\r\nShathak and IcedID\r\nTR Botnet and IcedID\r\nJune 2021 – Proofpoint notes use of IcedID by both TA577 (TR) and TA551 (Shathak)\r\nDecember 2021 – bqtconsulting[.]com is reported by SANS in association with IcedID and the backdoor\r\nDarkVNC\r\nJanuary 2022 – driverpackcdn[.]com is reported by Unit42 in association with IcedID\r\nFebruary 2022 – TRU observes two 
cyber incidents leveraging Cobalt Strike via the infrastructure (defined by the\r\ntraits outlined in the Syndicate Infrastructure section) on recently created domains. IcedID was the initial access\r\nvector.\r\nGlossary of terms\r\nIcedID – a botnet loader known to arise from malicious documents and often leading to Cobalt Strike or other\r\nbackdoors that position threat actors for ransomware deployment.\r\nTR Botnet (aka TA577) – The TR botnet delivers payloads via malicious documents. TR has been associated with\r\nSquirrelWaffle and Qakbot campaigns but has recently been observed delivering IcedID.\r\nShathak (aka TA551) – A cybercrime group that is known for launching phishing campaigns that typically\r\ndistribute malicious documents which, in turn, often lead to backdoors such as IcedID.\r\nEmotet – Loader malware delivered via malicious documents sent by email. Known to deliver Trickbot and\r\nCobalt Strike.\r\nTrickbot – A botnet loader delivered via malicious documents.\r\nConti (aka Grim Spider) – A large and sophisticated group of ransomware developers and operators, known for\r\ncompromising and disrupting the critical operations of healthcare organizations, 911 emergency services,\r\nmunicipalities, oil transportation and storage providers, electric companies, schools, IT service providers, food and\r\npharmaceutical providers. 
Conti popularized the modern ransomware model with its original project, Ryuk, which\r\nwas delivered via Emotet dropping Trickbot.\r\nCobalt Strike – An intrusion suite, billed as “adversary simulation,” that has sophisticated evasion features, such\r\nas a malleable C2 and an injection kit, to deploy more tools throughout a victim’s IT environments.\r\nDiscovery – generally the first tactic threat actors take when they get hands-on-keyboard in an environment.\r\nDiscovery helps threat actors determine the kind of endpoint they’ve landed on and what kind of accounts they\r\ncan pivot to next.\r\nLateral Tool Transfer – a technique that allows an active intruder to import more intrusion tools from their own\r\nenvironment to the victim’s, including password crackers, exploits and exfiltration tools.\r\nPrivilege Escalation – allows attackers to raise privileges on a compromised account or obtain credentials for\r\nmore privileged accounts.\r\nMalleable C2 – allows threat actors to rotate through different communication procedures, making it harder to\r\ntrack and detect known procedures.\r\nArtifact Kit – a Cobalt Strike feature that allows an active intruder to inject tools into legitimate\r\nWindows processes, reducing their chance of detection.\r\nInitial Access – how an intruder gains entry into a victim’s network. Examples include phishing emails, remote\r\nexploits, and supply-chain attacks.\r\nAggressor Scripts – a scripting framework, built into Cobalt Strike 3.0 and later versions, that automates\r\nand customizes the intrusion workflow being conducted by threat actors. Examples of Aggressor Scripts\r\ninclude notifying the threat actors of a successful compromise via Slack or running Mimikatz within the victim’s\r\nIT environment. 
Mimikatz is a credential-stealing tool.\r\nBeacon – Cobalt Strike’s backdoor.\r\nBeacon Profiles – Beacon profiles define the configuration of the Beacon backdoor, including the Windows\r\nprocesses (aka injection targets) that the artifact kit will use to deploy tools, how often Beacon will check in with\r\nTeam Server, and the C2’s URL and port.\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your\r\norganization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7\r\nSecurity Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and\r\nworks as an extension of your security team to continuously improve our Managed Detection and Response\r\nservice. 
By providing complete visibility across your attack surface and performing global threat sweeps and\r\nproactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending\r\nyour organization against known and unknown threats.\r\nSource: https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.esentire.com/blog/conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire"
	],
	"report_names": [
		"conti-affiliate-exposed-new-domain-names-ip-addresses-and-email-addresses-uncovered-by-esentire"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "12211366-1f14-4eed-9d91-46b6a2ede618",
			"created_at": "2025-08-07T02:03:25.014713Z",
			"updated_at": "2026-04-10T02:00:03.624097Z",
			"deleted_at": null,
			"main_name": "GOLD ULRICK",
			"aliases": [
				"Grim Spider ",
				"UNC1878 "
			],
			"source_name": "Secureworks:GOLD ULRICK",
			"tools": [
				"Bloodhound",
				"Buer Loader",
				"Cobalt Strike",
				"Conti",
				"Diavol",
				"PowerShell Empire",
				"Ryuk",
				"SystemBC",
				"Team9 (aka BazarLoader)",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8492b1a0-126f-4113-b8f7-101d28559629",
			"created_at": "2023-01-06T13:46:38.864213Z",
			"updated_at": "2026-04-10T02:00:03.126178Z",
			"deleted_at": null,
			"main_name": "GRIM SPIDER",
			"aliases": [
				"GOLD ULRICK"
			],
			"source_name": "MISPGALAXY:GRIM SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "065b7ea2-5920-4270-824e-94ea8a79d197",
			"created_at": "2023-12-08T02:00:05.747632Z",
			"updated_at": "2026-04-10T02:00:03.492858Z",
			"deleted_at": null,
			"main_name": "UNC2447",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC2447",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4f83fef-38ee-4228-9d27-dde8afece1cb",
			"created_at": "2023-02-15T02:01:49.569611Z",
			"updated_at": "2026-04-10T02:00:03.351659Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"Hive0118"
			],
			"source_name": "MISPGALAXY:TA577",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "22d450bb-fc7a-42af-9430-08887f0abf9f",
			"created_at": "2024-11-01T02:00:52.560354Z",
			"updated_at": "2026-04-10T02:00:05.276856Z",
			"deleted_at": null,
			"main_name": "TA577",
			"aliases": [
				"TA577"
			],
			"source_name": "MITRE:TA577",
			"tools": [
				"Pikabot",
				"QakBot",
				"Latrodectus"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cf1c7efe-4464-4347-95d3-c86fb4d7db51",
			"created_at": "2022-10-25T16:07:24.35977Z",
			"updated_at": "2026-04-10T02:00:04.953882Z",
			"deleted_at": null,
			"main_name": "UNC2447",
			"aliases": [],
			"source_name": "ETDA:UNC2447",
			"tools": [
				"7-Zip",
				"AdFind",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DEATHRANSOM",
				"DeathRansom",
				"FIVEHANDS",
				"FOXGRABBER",
				"HELLOKITTY",
				"HelloKitty",
				"KittyCrypt",
				"Mimikatz",
				"PCHUNTER",
				"RCLONE",
				"ROUTERSCAN",
				"Ragnar Locker",
				"RagnarLocker",
				"Rclone",
				"S3BROWSER",
				"SombRAT",
				"Thieflock",
				"WARPRISM",
				"cobeacon",
				"deathransom",
				"wacatac"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434659,
	"ts_updated_at": 1775792243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cc5efdd12549a38850cd5da35731c0ed460efd67.pdf",
		"text": "https://archive.orkl.eu/cc5efdd12549a38850cd5da35731c0ed460efd67.txt",
		"img": "https://archive.orkl.eu/cc5efdd12549a38850cd5da35731c0ed460efd67.jpg"
	}
}