{
	"id": "fc367ec5-e73c-4ac1-8239-02b6ec509c6d",
	"created_at": "2026-04-06T00:10:32.671703Z",
	"updated_at": "2026-04-10T13:12:47.693882Z",
	"deleted_at": null,
	"sha1_hash": "cc61019a4194b24a408814c436c65367e47d8b54",
	"title": "Analysis of top non-HTTP/S threats | Zscaler Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2703076,
	"plain_text": "Analysis of top non-HTTP/S threats | Zscaler Blog\r\nBy Aniruddha Dolas, Mohd Sadique, Manohar Ghule\r\nPublished: 2021-05-05 · Archived: 2026-04-05 19:46:03 UTC\r\nAdversaries generally use Standard Application Layer Protocols for communication between malware and command and control (C\u0026C) servers. This is for several reasons: first, malicious traffic blends in more easily with legitimate traffic on standard protocols like HTTP/S; second, companies that rely on appliances for security often don’t inspect all SSL/TLS encrypted traffic, as it is extremely resource-intensive to do so.\r\nHowever, the massive growth of SSL attacks, 260% higher in 2020 compared to 2019, has turned many security teams’ attention to these encrypted channels. For those that do inspect their encrypted traffic, modern network security proxies, gateways, and firewalls are evolved enough to conveniently parse application protocols and strip the SSL layer to scan the underlying data. And by knowing the protocol, scan engines using heuristics or machine-learning techniques can more easily differentiate between malicious and legitimate traffic, giving security teams an advantage.\r\nThese trends have led some adversaries to turn to custom protocols. Although custom protocols for malicious communication are nothing new, almost one-third of the prevalent malware families we recently analyzed support communication over non-HTTP/S protocols. Almost all of these malware families are Remote Access Trojans (RATs) and are found everywhere, from campaigns of mass infection to highly targeted attacks. \r\nIn this article, we dissect the custom protocols used in some of the most prevalent RATs seen in recent campaigns. 
At the end, we share a number of signatures and Snort rules that aid in detecting these attacks.\r\nBelow are statistical representations of traffic that Zscaler blocked for non-HTTP/S C\u0026C communication, as well as the most active RAT families that we observed over a three-month period.\r\nFig.1: Hits of top threats communicating over non-HTTP/S in the last quarter.\r\nFig.2: Hits of top non-HTTP/S based RAT families in the last quarter.\r\nhttps://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols\r\nPage 1 of 12\n\nRemcos RAT\r\nRemcos is remote access and surveillance software developed and distributed by an organization called Breaking Security. The Remcos RAT appeared in hacking forums in late 2016. Since then, it has been favored by many cyber criminals and even adopted by APT actors such as the Gorgon Group and Elfin Group. Remcos is primarily delivered to victims via malicious attachments in phishing emails. Its capabilities range from logging keystrokes to executing commands, stealing credentials, and capturing microphones and webcams. The RC4 key and the encrypted configuration data are kept in the resource section “SETTINGS” under “RCData”. The configuration contains the C\u0026C address, port, mutex name, and encryption key for C\u0026C communication.\r\nFig.3: Encrypted configuration in resource.\r\nFig.4: Decrypted configuration\r\nRemcos communicates over non-HTTP/S channels/ports on custom protocols. The bot can be configured to communicate in plain text, which makes it fairly straightforward to detect C\u0026C traffic. 
The custom protocol contains the header “[DataStart]” followed by the size of the data and then the exfiltrated data.\r\nFig.5: Data sent to C\u0026C server in plain text.\r\nHowever, in most cases, the communication is encrypted using the RC4 algorithm with a key present in the configuration. It is not possible to match signatures in encrypted binary data. However, there is scope for heuristics-based detection. Upon execution, Remcos sends system information to its C\u0026C server, and in return the server replies with commands to execute. As every request and response is encrypted with the same symmetric key, and RC4 is a stream cipher whose keystream restarts from that key for each message (there is no per-message IV), the header “[DataStart]” always produces the same encrypted stream of bytes in place of the header for all communication generated by the executable. \r\nFig.6: Data sent to C\u0026C server as RC4 encrypted.\r\nIn the image above, for example, the byte sequence “08 b4 de f6 84 27 70 9a 57 17 5e” has taken the place of the header “[DataStart]”. This repeated 11-byte pattern in requests and responses, combined with other heuristics such as entropy and data length limits, can be used to flag RC4-encrypted Remcos traffic.\r\nCrimson RAT\r\nCrimson RAT has been favored by threat actors for targeted attacks on governments and organizations in the financial, healthcare, and space technology sectors. In 2016, it was found to be used in targeted attacks against Indian diplomatic and military resources. Last year, we found it targeting Indian financial institutions. 
Crimson is typically delivered to the victim via a phishing email containing a malicious .doc file or a link to a malicious executable.\r\nFig.7: Data sent to C\u0026C server\r\nNetWire RAT\r\nThe NetWire RAT is a malicious tool that emerged almost a decade ago and has been updated many times since then. NetWire has been detected in various campaigns such as Hydrojiin and advanced persistent threat (APT) attacks including SilverTerrier and The White Company. Typically, the NetWire RAT is downloaded as a second-stage payload to systems that have been compromised using other malware such as GuLoader. It has also been found to be delivered via exploit kits.\r\nNetWire communicates with custom protocols over TCP, and the communication is encrypted with AES. Each packet begins with the length of the data, followed by one byte for the command, followed by the data. The initial packet sends a 32-byte seed value along with a 16-byte IV and the hardcoded password specified in the binary, from which the AES key is derived; the C\u0026C server derives the session key from this information.\r\nFig.8: Data sent to C\u0026C server as AES encrypted.\r\nAs the communication is AES encrypted, it is not possible to scan for signature patterns in the communication. However, there is enough information in the initial packet (its fixed size and the length and command bytes that open it, which the NetWire Snort rule at the end of this post checks) to flag the traffic as NetWire C\u0026C communication.\r\nAsyncRAT\r\nAsyncRAT is an open-source RAT designed to remotely monitor and control other computers through a secure encrypted connection. 
AsyncRAT provides functionality such as a keylogger, a screen viewer, command execution, and more. Because of its encrypted transport, AsyncRAT is used for malicious purposes by cybercriminals and has been weaponized in APT campaigns such as \"Operation Spalax.\" AsyncRAT has been found to be delivered via various methods such as spear-phishing, malvertising, and exploit kits.\r\nAsyncRAT communicates over TLS. Because the client carries its own certificate in the binary and pins the C\u0026C server certificate against it, a TLS-inspecting proxy or gateway cannot substitute its own certificate without breaking the connection, so the TLS layer cannot be stripped for inspection. However, the handshake itself is still visible: with TLS 1.2 and earlier the server certificate is sent in the clear, so such custom certificates can be matched and the connection blocked by other preventive controls.\r\nFig.9: Server certificate having subject and issuer name as “AsyncRAT Server”\r\nQuasar RAT\r\nQuasar is an open-source RAT that has been observed being used maliciously by cybercriminals and APT actors including “Gorgon Group” and “Patchwork”. Its features include remote desktop, keylogging, password stealing, and more.\r\nQuasar encrypts communications using AES with a pre-shared key hardcoded in the client binary. It is not possible to scan for signature patterns in AES-encrypted traffic. However, the distinctive characteristics of the encrypted data packets can be leveraged to flag Quasar's AES-encrypted traffic.\r\nFig.10: Data sent to C\u0026C server as AES encrypted.\r\nThe distinctive first 4 bytes of the payload can be used to identify Quasar traffic. Specifically, the first 4 bytes identify the first packet sent from the server to the client following the TCP handshake. This packet is used to initiate the server/client authentication process. 
The first 4 bytes of the TCP payload contain \"40 00 00 00\", which is the size of the data that follows, in little endian (0x40 = 64 bytes, so the whole payload is 68 bytes, which is what the Quasar Snort rule at the end of this post checks with dsize:68).\r\nAgent Tesla RAT\r\nThe Agent Tesla RAT has been very active and prevalent. Over the last couple of years, there have been huge ongoing phishing campaigns delivering Agent Tesla. Agent Tesla has evolved over time, varying its behavior from campaign to campaign. Cybercriminals use this RAT to steal user credentials and spy on victims through screenshots, keyboard logging, and clipboard capturing. Credential stealing is supported across various software ranging from browsers to mail clients, VPNs, and wallets.\r\nAgent Tesla communicates and exfiltrates data to its C\u0026C server over HTTP, FTP, SMTP, and the Telegram API. All collected data is encapsulated in an HTML page, and that HTML page is sent to the C\u0026C over one of the aforementioned protocols. For communication over FTP, the HTML page is sent as a file to an FTP C\u0026C server. The file name is generated in the format “PW___.HTML”.\r\nFig.11: Data to be sent via FTP.\r\nFig.12: Exfiltration over FTP\r\nFor communication over SMTP, the HTML page is sent as the mail body to the C\u0026C server. The mail subject is generated in the format “PW_/”.\r\nFig.13: Exfiltration over SMTP\r\nCyberGate RAT\r\nCyberGate allows an attacker to browse and manipulate files, devices, and settings on the victim's machine as well as download and execute additional malware. It also has a wide range of information-stealing abilities including browser credential theft, keylogging, screen capture, and remote enabling of webcams. \r\nThe CyberGate RAT communicates on a custom protocol over TCP. 
CyberGate collects the requested information according to the command received from the C\u0026C server, compresses it with zlib, encrypts it with RC4 using a hardcoded key, and then sends it to the C\u0026C server. \r\nFig.14: Compressed and Encrypted data sent to C\u0026C.\r\nPackets begin with the data length, followed by a marker, then a newline delimiter, followed by the encrypted data. To flag CyberGate RAT traffic, a combination of data length, marker, and delimiter can be used (the CyberGate Snort rule at the end of this post matches the ASCII length digits, the marker bytes, and the CRLF).\r\nNanoCore RAT\r\nThough NanoCore RAT emerged almost a decade ago, it is still one of the most prevalent RAT families, and multiple versions have appeared since then. NanoCore RAT is modular malware that comes with plugin support to expand its functionality. Basic plugins provide remote surveillance via remote desktop, webcam monitoring, audio capture, etc. Additional plugins have been found to be used for cryptocurrency mining, ransomware attacks, credential stealing, and more. NanoCore RAT has been found to be delivered via phishing emails containing .doc macros that load a NanoCore binary with fileless infection techniques.\r\nNanoCore communicates on a custom protocol over TCP and uses the DES algorithm with a hardcoded key and IV to encrypt the communication between the bot and its C\u0026C server. The communication packet begins with a 4-byte data length followed by DES-encrypted data of that length.\r\nFig.15: Encrypted data C\u0026C communication\r\nIt is not possible to scan for patterns in DES-encrypted data. However, we observed that the publicly available bot builder does not have an option for configuring the DES key. Thus, all samples generated from this bot-builder will have the same DES key, which is “722018788C294897”. With a fixed key and IV, a given plaintext always encrypts to the same ciphertext, so some encrypted traffic will be identical across all bots generated using the publicly available bot-builder. 
One such command from the server is “is alive”, which is 0x600; when encrypted with this key it produces “c1 c3 d0 32 43 59 a1 78”. \r\nHowever, there are other customized bot-builders available underground that allow the user to configure the key. For a more generic detection, we need to check heuristics such as the data length value against the TCP payload size and the entropy of the data. The first response from the server will always be 0x24 (36) bytes in length, and its first 4 bytes will always be “20 00 00 00”. This response contains the GUIDs of the plugins that the bot will load. The bot responds to this with 12 (0x0c) bytes of data, which will always start with the 4-byte sequence “08 00 00 00” (4 bytes of length plus one 8-byte DES block; the NanoCore Snort rules at the end of this post check dsize:36 and dsize:12 accordingly). These characteristics can be leveraged for detection. \r\nFig.16: Fixed-length first response from C\u0026C server.\r\nGh0st RAT\r\nGh0st is an open-source RAT that has been observed being used maliciously by cybercriminals and APT actors such as “TA459” and “APT18”. Its features include remote desktop, logging keystrokes, stealing credentials, capturing microphone and webcam, and more. The source code of Gh0st RAT is publicly available and attackers have customized it to suit their needs. Thus, many variants have been discovered.\r\nGh0st communicates on a custom protocol over TCP. It uses a simple sequential byte-wise transform to encrypt (in effect, obfuscate) communication with the C\u0026C server. Upon execution, it collects system data such as system information, version, processor description, installed antivirus, etc. Then, a marker and data length are prepended to this data. Finally, the collected data is encrypted with a single-byte XOR and SUB operation on each byte. Because each output byte depends only on the input byte at the same position, fixed plaintext fields such as the marker produce fixed relationships between bytes at fixed offsets of the encoded stream, which is what the Gh0st Snort rule at the end of this post compares. \r\nFig.17: Collected data before encryption and after encryption.\r\nnjRAT\r\nDiscovered almost a decade ago, njRAT, also known as Bladabindi, is the most active and prevalent remote access trojan. 
It allows attackers to conduct surveillance on and control the victim's computer. Its features include remote desktop, logging keystrokes, stealing credentials, capturing microphone and webcam, and more. njRAT is mostly found to be delivered via phishing email campaigns containing malicious Word document attachments. It is also found to be delivered by masquerading as a legitimate application installer uploaded to file-sharing services and luring victims via drive-by download campaigns.\r\nSince the leak of its source code in 2013, njRAT has become widely adopted by cybercriminals and APT actors including Gorgon Group and APT41. Numerous variants have been detected over the years. Some variants have been found communicating over standard HTTP and others over custom protocols on TCP. The packet begins with the data length as a decimal, null-terminated string, followed by the command, then a delimiter, followed by the exfiltrated data (the njRAT Snort rules at the end of this post match the null byte after the length and the command string that follows it).\r\nFig.18: Fixed-length first response from C\u0026C server.\r\nCoverage:\r\nZscaler’s multilayered cloud security platform detects indicators at various levels.\r\nThe following are the Cloud IPS (non-HTTP/S) signatures that enable detection of the above RATs:\r\nWin32.Backdoor.RemcosRAT\r\nWin32.Backdoor.NetwiredRC\r\nWin32.Backdoor.CrimsonRAT\r\nWin32.Backdoor.AsyncRAT\r\nWin32.Backdoor.QuasarRAT\r\nWin32.Backdoor.AgentTesla\r\nWin32.Backdoor.Cybergate\r\nWin32.Backdoor.Nanocore\r\nWin32.Backdoor.Gh0stRAT\r\nWin32.Backdoor.NjRat\r\nConclusion\r\nMost of the RATs discussed above communicate on custom, encrypted protocols over TCP (Agent Tesla instead abuses FTP and SMTP, and AsyncRAT uses TLS with a pinned certificate). When communication is encrypted, it is more difficult to scan for signature patterns in network traffic. However, we have discussed alternative ways to flag RAT traffic based on heuristics of the encrypted data. 
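The following is an added worked example in Python; it is not code from the Zscaler post, and every packet in it is constructed for illustration, not captured. It turns the per-family observations above into checks: the fixed first-packet shapes of Quasar, NanoCore and NetWire (sizes taken from the text and from the dsize values of the Snort rules at the end of the post), the Remcos plaintext header, the generic length-prefix plus entropy heuristic applied to both directions of a flow, and a small RC4 routine that shows why a static key turns the encrypted “[DataStart]” header into a constant 11-byte prefix. The Remcos size encoding after the header, the pipe separator, the keys and the thresholds are assumptions made here for the example.

```python
import math
import struct
from typing import List, Optional, Tuple

def shannon_entropy(data: bytes) -> float:
    # Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform).
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def normalized_entropy(data: bytes) -> float:
    # Entropy relative to the maximum a buffer of this length can reach, so a
    # 32-byte ciphertext body (at most 5 bits per byte) is not scored as structured.
    if len(data) < 2:
        return 0.0
    return shannon_entropy(data) / min(8.0, math.log2(len(data)))

def length_prefix_ok(payload: bytes) -> bool:
    # Property 1 from the post: little-endian u32 length + 4 == TCP payload length.
    if len(payload) < 4:
        return False
    (declared,) = struct.unpack('<I', payload[:4])
    return declared + 4 == len(payload)

def looks_like_rat_frame(payload: bytes, min_ratio: float = 0.85, max_print: float = 0.7) -> bool:
    # Properties 1 and 2: self-describing length and a high-entropy, non-ASCII body.
    body = payload[4:]
    if not length_prefix_ok(payload) or len(body) < 16:
        return False
    printable = sum(32 <= b < 127 for b in body) / len(body)
    return normalized_entropy(body) >= min_ratio and printable <= max_print

# (to_client, total payload length or None, leading bytes, label); sizes follow the
# text and the dsize values of the post's Snort rules (Quasar 68, NanoCore 36/12, NetWire 69).
FIRST_PACKETS = [
    (True, 68, bytes.fromhex('40000000'), 'Quasar RAT server hello'),
    (True, 36, bytes.fromhex('20000000'), 'NanoCore plugin-GUID response'),
    (False, 12, bytes.fromhex('08000000'), 'NanoCore client reply'),
    (False, 69, bytes.fromhex('4100000099'), 'NetWire check-in'),
    (False, None, b'[DataStart]', 'Remcos plaintext frame'),
]

def first_packet_fingerprint(payload: bytes, to_client: bool) -> Optional[str]:
    # Exact-shape match on a single TCP segment.
    for direction, size, magic, label in FIRST_PACKETS:
        if direction == to_client and size in (None, len(payload)) and payload.startswith(magic):
            return label
    return None

def classify_flow(segments: List[Tuple[bool, bytes]]) -> List[str]:
    # segments: (to_client, payload) in wire order. Property 3: both sides use the
    # same framing, so the generic verdict needs the first segment of each direction to pass.
    verdicts = [v for v in (first_packet_fingerprint(p, c) for c, p in segments) if v]
    first = {}
    for to_client, payload in segments:
        first.setdefault(to_client, payload)
    if len(first) == 2 and all(looks_like_rat_frame(p) for p in first.values()):
        verdicts.append('generic length-prefixed high-entropy framing')
    return verdicts

def rc4(key: bytes, data: bytes) -> bytes:
    # Textbook RC4 (KSA + PRGA); used only to show why a static key leaks a constant prefix.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def common_prefix_len(frames: List[bytes]) -> int:
    # Number of leading bytes shared by every frame in the list.
    n = 0
    while frames and all(len(f) > n and f[n] == frames[0][n] for f in frames):
        n += 1
    return n

# Constructed samples, not captures. The Remcos size encoding after the header is not
# given in the post, so an ASCII length and a pipe separator are assumed here.
REMCOS_KEY = b'example-key'
REMCOS_PLAIN = [b'[DataStart]16|host=WIN-DESKTOP', b'[DataStart]22|user=admin;av=Defender']
REMCOS_CIPHER = [rc4(REMCOS_KEY, m) for m in REMCOS_PLAIN]
SAMPLE_FLOW = [                                        # RC4 output stands in for AES bodies
    (False, struct.pack('<I', 48) + rc4(b'session', b'x' * 48)),
    (True, bytes.fromhex('40000000') + rc4(b'srv', b'y' * 64)),
]
SYSINFO = b'host=WIN-DESKTOP;user=admin;os=Windows 10 Pro;av=Defender'
TEXT_FLOW = [(False, struct.pack('<I', len(SYSINFO)) + SYSINFO), (True, struct.pack('<I', 6) + b'getkey')]
```

Call classify_flow with the ordered (to_client, payload) segments of one TCP connection: the fingerprints fire on a single segment, while the generic verdict needs the first segment in each direction to pass, mirroring property 3. The entropy score is normalized to the buffer length because a 32-byte DES or AES body can never exceed 5 bits per byte, and the printable-ASCII bound is what keeps short plaintext, which also scores high on normalized entropy, out; TEXT_FLOW is the length-correct but ASCII case that the bound rejects. common_prefix_len over REMCOS_CIPHER returns 11, the length of “[DataStart]”, for the same reason the post's Fig.6 shows one fixed 11-byte sequence.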
Four properties that are common to most RAT traffic on non-HTTP/S are:\r\n1. Packets start with the length of the encrypted data. Adding 4 to the little-endian value of the first 4 bytes should give the total length of the TCP payload.\r\n2. The entropy of the data following the length field is high.\r\n3. The C\u0026C server responds in the same packet format as the client.\r\n4. Often, server responses have lengths in specific ranges, as they carry only commands.\r\nSnort Rules\r\nalert tcp $EXTERNAL_NET any -\u003e $HOME_NET any (msg:\"Zscaler Win32.Backdoor.CrimsonRat - CNC command\"; flow:established,to_client; content:\"|00 00 00 00|\"; offset: 1; depth: 4; pcre:\"/\\x00\\x00\\x00\\x00(thumb|filsz|rupth|dowf|endpo|scrsz|cscreen|dirs|stops|scren|cnls|udlt|delt|afile|listf|file|info|runf|fles|dowr|info|fl\r\nclasstype:trojan-activity; reference:url,https://research.zscaler.com;) \r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"Zscaler Win32.Backdoor.NetWiredRC - Check-in request\"; flow:established,to_server; dsize:69; content:\"|41 00 00 00 99|\"; offset:0; depth:5; flowbits:set,ZS.NetwireRAT.Client; flowbits:noalert; classtype:trojan-activity; reference:url,https://research.zscaler.com;)\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"Zscaler Win32.Backdoor.NetWiredRC - Check-in response\"; flow:established,to_server; dsize:5; content:\"|3f 00 00 00 9b|\"; flowbits:isset,ZS.NetwireRAT.Client; classtype:trojan-activity; reference:url,https://research.zscaler.com;)\r\nalert tcp $EXTERNAL_NET any -\u003e $HOME_NET any (msg:\"Zscaler Win32.Backdoor.AsyncRAT - Malicious SSL Cert\"; flow:established,to_client; content:\"|16 03 01|\"; offset:0; depth:3; content:\"AsyncRAT\"; distance:0; fast_pattern; classtype:trojan-activity; reference:url,https://research.zscaler.com;)\r\nalert tcp $EXTERNAL_NET any -\u003e $HOME_NET 
any (msg:\"Zscaler Win32.Backdoor.QuasarRAT - CNC response header\"; flow:established,to_client; dsize:68; content:\"|40 00 00 00|\"; offset: 0; depth: 4; classtype:trojan-activity; reference:url,https://research.zscaler.com;)\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"Zscaler Win32.Backdoor.AgentTesla CNC via FTP/SMTP\"; flow:established,to_server; content:\"|3C|html|3E|Time|3A|\"; content:\"|3C|br|3E|User Name|3A|\"; content:\"|3C|br|3E|Computer Name|3A|\"; distance: 0; content: \"|3C|br|3E|OSFullName|3A|\"; distance: 0; content:\"CPU|3A|\"; distance: 0; content:\"|3C|br|3E|RAM|3A|\"; distance: 0; content: \"URL|3A|\"; distance: 0; content: \"Application|3A|\"; distance: 0; classtype:trojan-activity; reference:url,https://research.zscaler.com;)\r\nalert tcp $HOME_NET any -\u003e any any (msg:\"Zscaler Win32.Backdoor.CyberGate - Data Exfiltration\"; flow:established,to_server; dsize:40300; pcre:\"/\\d{2,3}[#$]{4,6}\\x0d\\x0a/\"; content:\"|23 23 24 23 23 0d 0a|\"; classtype:trojan-activity; reference:url,https://research.zscaler.com;)\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"Zscaler Win32.Backdoor.Nanocore Pulse check\"; flow:established,to_server; dsize:12; content:\"|08 00 00 00|\"; offset: 0; depth: 4; content:\"|c1 c3 d0 32 43 59 a1 78|\"; distance:0; within:8; classtype:trojan-activity; reference:url,https://research.zscaler.com;)\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"Zscaler Win32.Backdoor.Nanocore - Generic C\u0026C command (request)\"; flow:established,to_server; flowbits:isset,ZS.NanocoreGen; dsize:12; content:\"|08 00 00 00|\"; offset:0; depth:4; byte_test:1,!=,0,5,relative; reference:url,https://zscaler.com;)\r\nalert tcp $EXTERNAL_NET any -\u003e $HOME_NET any (msg:\"Zscaler Win32.Backdoor.Nanocore - Generic C\u0026C command (response)\"; flow:established,to_client; flowbits:noalert; flowbits:set,ZS.NanocoreGen; content:\"|20 00 00 00|\"; 
offset:0; depth:4; byte_test:1,!=,0,5,relative; dsize:36; reference:url,https://zscaler.com;)\r\nalert tcp any any -\u003e any any (msg:\"Zscaler Win32.Backdoor.Gh0stRAT - Possible Data Exfil activity\"; flow:to_server,established; byte_extract:1,10,varbyte; byte_test:1,!=,varbyte,11; byte_test:1,=,varbyte,12; byte_test:1,=,varbyte,13; byte_test:1,!=,varbyte,15; byte_extract:4,16,vardword; byte_test:4,=,vardword,20; byte_test:4,=,vardword,24; byte_test:4,=,vardword,28; byte_test:4,!=,vardword,0; sid:8000031; classtype:trojan-activity; reference:url,https://research.zscaler.com;)\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"Zscaler Win32.Backdoor.NjRat - Data Exfil activity\"; flow:to_server,established; content:\"|00|inf\"; offset:3; depth:4; pcre:\"/\\d{1,3}\\x00\\w{1,3}/\"; pcre:\"/(?:[A-Za-z0-9+\\/]{4})*(?:[A-Za-z0-9+\\/]{2}==|[A-Za-z0-9+\\/]{3}=)?/\"; flowbits:isset,ZS.njrat; flowbits:unset,ZS.njrat; classtype:trojan-activity; reference:url,https://research.zscaler.com;)\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET any (msg:\"Zscaler Win32.Backdoor.NjRat - Data Exfil activity\"; flow:to_server,established; content:\"|00|ll\"; offset:3; depth:3;pcre:\"/^\\d{1,3}\\x00/\"; pcre:\"/(?:[A-Za-z0-9+\\/]{4})*(?:[A-Za-z0-9+\\/]{2}==|[A-Za-z0-9+\\/]{3}=)?/\"; flowbits:set,ZS.njrat; flowbits:noalert; classtype:trojan-activity; reference:url,https://research.zscaler.com;)\r\nSource: https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols"
	],
	"report_names": [
		"catching-rats-over-custom-protocols"
	],
	"threat_actors": [
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "64d750e4-67db-4461-bae2-6e75bfced852",
			"created_at": "2022-10-25T16:07:24.01415Z",
			"updated_at": "2026-04-10T02:00:04.839502Z",
			"deleted_at": null,
			"main_name": "Operation Spalax",
			"aliases": [],
			"source_name": "ETDA:Operation Spalax",
			"tools": [
				"AsyncRAT",
				"Bladabindi",
				"Jorik",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7041fcf5-b34d-47c3-be4c-3c40f243af89",
			"created_at": "2023-01-06T13:46:38.611261Z",
			"updated_at": "2026-04-10T02:00:03.038745Z",
			"deleted_at": null,
			"main_name": "TA459",
			"aliases": [
				"G0062"
			],
			"source_name": "MISPGALAXY:TA459",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8aefee7-fb57-409b-857e-23e986cb4a56",
			"created_at": "2023-01-06T13:46:38.285223Z",
			"updated_at": "2026-04-10T02:00:02.910756Z",
			"deleted_at": null,
			"main_name": "APT18",
			"aliases": [
				"SCANDIUM",
				"PLA Navy",
				"Wekby",
				"G0026",
				"Satin Typhoon",
				"DYNAMITE PANDA",
				"TG-0416"
			],
			"source_name": "MISPGALAXY:APT18",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0bf35542-9ebc-44a9-b319-b6df0bee4bac",
			"created_at": "2022-10-25T15:50:23.437853Z",
			"updated_at": "2026-04-10T02:00:05.36762Z",
			"deleted_at": null,
			"main_name": "TA459",
			"aliases": [
				"TA459"
			],
			"source_name": "MITRE:TA459",
			"tools": [
				"gh0st RAT",
				"NetTraveler",
				"PlugX",
				"ZeroT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2669aa86-663f-4e72-9362-9e61ff3599f4",
			"created_at": "2022-10-25T15:50:23.344796Z",
			"updated_at": "2026-04-10T02:00:05.38663Z",
			"deleted_at": null,
			"main_name": "APT18",
			"aliases": [
				"APT18",
				"TG-0416",
				"Dynamite Panda",
				"Threat Group-0416"
			],
			"source_name": "MITRE:APT18",
			"tools": [
				"hcdLoader",
				"gh0st RAT",
				"cmd",
				"Pisloader",
				"HTTPBrowser"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "802552ac-1f16-4b85-8d78-76d683684124",
			"created_at": "2022-10-25T16:07:24.28032Z",
			"updated_at": "2026-04-10T02:00:04.920517Z",
			"deleted_at": null,
			"main_name": "TA459",
			"aliases": [
				"G0062"
			],
			"source_name": "ETDA:TA459",
			"tools": [
				"Agent.dhwf",
				"AngryRebel",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kaba",
				"Korplug",
				"Moudour",
				"Mydoor",
				"NetTraveler",
				"Netfile",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TravNet",
				"Xamtrav",
				"ZeroT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0451922a-d2c6-4917-a2fd-3f3b3547d697",
			"created_at": "2022-10-25T16:07:24.391313Z",
			"updated_at": "2026-04-10T02:00:04.972764Z",
			"deleted_at": null,
			"main_name": "The White Company",
			"aliases": [
				"G0089",
				"Operation Shaheen"
			],
			"source_name": "ETDA:The White Company",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-10T02:00:04.84985Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "18278778-fa63-4a9a-8988-4d266b8c5c1a",
			"created_at": "2023-01-06T13:46:38.769816Z",
			"updated_at": "2026-04-10T02:00:03.094179Z",
			"deleted_at": null,
			"main_name": "The Gorgon Group",
			"aliases": [
				"Gorgon Group",
				"Subaat",
				"ATK92",
				"G0078",
				"Pasty Gemini"
			],
			"source_name": "MISPGALAXY:The Gorgon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "97fdaf9f-cae1-4ccc-abe2-76e5cbc0febd",
			"created_at": "2022-10-25T15:50:23.296989Z",
			"updated_at": "2026-04-10T02:00:05.347085Z",
			"deleted_at": null,
			"main_name": "Gorgon Group",
			"aliases": [
				"Gorgon Group"
			],
			"source_name": "MITRE:Gorgon Group",
			"tools": [
				"NanoCore",
				"QuasarRAT",
				"Remcos",
				"njRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9962552c-9d9d-4627-97f6-4558183fdd7f",
			"created_at": "2022-10-25T15:50:23.448869Z",
			"updated_at": "2026-04-10T02:00:05.390938Z",
			"deleted_at": null,
			"main_name": "The White Company",
			"aliases": [
				"The White Company"
			],
			"source_name": "MITRE:The White Company",
			"tools": [
				"Revenge RAT",
				"NETWIRE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b938e2e3-3d1b-4b35-a031-ddf25b912557",
			"created_at": "2022-10-25T16:07:23.35582Z",
			"updated_at": "2026-04-10T02:00:04.55531Z",
			"deleted_at": null,
			"main_name": "APT 33",
			"aliases": [
				"APT 33",
				"ATK 35",
				"Cobalt Trinity",
				"Curious Serpens",
				"Elfin",
				"G0064",
				"Holmium",
				"Magnallium",
				"Peach Sandstorm",
				"Refined Kitten",
				"TA451",
				"Yellow Orc"
			],
			"source_name": "ETDA:APT 33",
			"tools": [
				"Atros2.CKPN",
				"AutoIt backdoor",
				"Breut",
				"CinaRAT",
				"DROPSHOT",
				"DarkComet",
				"DarkKomet",
				"DistTrack",
				"EmPyre",
				"EmpireProject",
				"FYNLOS",
				"FalseFont",
				"Filerase",
				"Fynloski",
				"JuicyPotato",
				"Krademok",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Mimikatz",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Notestuk",
				"POWERTON",
				"PoshC2",
				"PowerBand",
				"PowerShell Empire",
				"PowerSploit",
				"PsList",
				"Pupy",
				"PupyRAT",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"SHAPESHIFT",
				"Shamoon",
				"Socmer",
				"StoneDrill",
				"TURNEDUP",
				"Tickler",
				"Yggdrasil",
				"Zurten",
				"klovbot",
				"pupy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4e4b91-1f98-49e2-90e6-435cea8d3d53",
			"created_at": "2022-10-25T16:07:23.693797Z",
			"updated_at": "2026-04-10T02:00:04.711987Z",
			"deleted_at": null,
			"main_name": "Gorgon Group",
			"aliases": [
				"ATK 92",
				"G0078",
				"Pasty Draco",
				"Subaat",
				"TAG-CR5"
			],
			"source_name": "ETDA:Gorgon Group",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Atros2.CKPN",
				"Bladabindi",
				"CinaRAT",
				"Crimson RAT",
				"ForeIT",
				"Jorik",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"MSIL",
				"MSIL/Crimson",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Origin Logger",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"SEEDOOR",
				"Scarimson",
				"Socmer",
				"Yggdrasil",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434232,
	"ts_updated_at": 1775826767,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cc61019a4194b24a408814c436c65367e47d8b54.pdf",
		"text": "https://archive.orkl.eu/cc61019a4194b24a408814c436c65367e47d8b54.txt",
		"img": "https://archive.orkl.eu/cc61019a4194b24a408814c436c65367e47d8b54.jpg"
	}
}