{
	"id": "860f05b8-5210-4cd8-8be1-8ce9ce205cb7",
	"created_at": "2026-04-06T00:16:34.44774Z",
	"updated_at": "2026-04-10T03:37:36.826434Z",
	"deleted_at": null,
	"sha1_hash": "cc937aee3378ee8ca2bdc1eb56ce431aece0f88d",
	"title": "What Is DNS Tunneling? [+ Examples \u0026 Protection Tips]",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 10993266,
	"plain_text": "What Is DNS Tunneling? [+ Examples \u0026 Protection Tips]\r\nArchived: 2026-04-05 18:07:48 UTC\r\nTable of contents\r\nWhat is DNS tunneling used for?\r\nHow does DNS tunneling work?\r\nWhat are the different types of DNS tunneling attacks?\r\nWhat are the potential consequences of DNS tunneling?\r\nHow to protect against DNS tunneling\r\nWhat is the history of DNS tunneling?\r\nDNS tunneling FAQs\r\nDNS tunneling is a technique that sends data from other applications or protocols by hiding it inside DNS queries and responses.\r\nAttackers use it to bypass security systems and communicate with systems inside a private network. It usually involves control of a domain and a server that processes these queries to let the attacker receive and send commands.\r\nWhat is DNS tunneling used for?\r\nDNS tunneling is used for sending data that is not typically part of DNS traffic. But it can be applied in both legitimate and malicious ways.\r\nhttps://www.paloaltonetworks.com/cyberpedia/what-is-dns-tunneling\r\nPage 1 of 14\n\nFundamentally, DNS is a critical part of the internet. It's used by browsers, email systems and other services. That is why some networks allow DNS traffic without sufficient restrictions, and attackers take advantage of this openness.\r\nHow?\r\nThey use DNS tunneling for command and control of infected devices. They also use it to move malware payloads into a network.\r\nOnce inside, attackers can collect user credentials. They can also map out the network and steal sensitive information.\r\nIn some cases, attackers use DNS tunneling to control infected systems and launch further attacks.\r\nOn the other hand:\r\nDNS tunneling has legitimate uses. Security teams test DNS tunneling to see how it might bypass defenses. This helps them find and fix gaps in their network security.\r\nIt's also used in controlled situations, for example when security researchers study how malware behaves or analyze how attackers communicate with infected systems.\r\nHow does DNS tunneling work?\r\nWhen used as an attack method, DNS tunneling uses the DNS protocol to secretly send data between a client and a server.\r\nIt's a step-by-step process that relies on the openness of DNS to carry other traffic without detection.\r\nHere's how it works, step by step:\r\n1. The attacker registers a domain\r\nThe domain, like badsite.com, is controlled by the attacker and points to a server they own.\r\n2. The attacker infects a computer\r\nThey use malware to gain control of a computer inside a target network. The computer becomes the client for the DNS tunnel.\r\n3. The client sends a DNS query\r\nThe infected computer encodes data in DNS queries. For example, it puts a secret value in the subdomain of a DNS request.\r\n4. The query reaches the DNS resolver\r\nThe DNS resolver forwards the request through the normal resolution chain to the nameserver authoritative for the domain, which is the attacker's server.\r\n5. The attacker's server decodes the request\r\nThe attacker's server receives the DNS request. It decodes the embedded data and can send back commands or other data in DNS responses.\r\n6. The server encodes a response\r\nThe attacker's server encodes its own data as a DNS response. This could be an instruction for the infected computer to carry out.\r\n7. The client receives and decodes the response\r\nThe infected computer receives the DNS response from the resolver. It decodes the data and takes action as instructed.\r\n8. The process repeats as needed\r\nIf the data is too large for a single DNS message, the client and server split it into smaller parts. Each part is sent in its own DNS query or response.\r\nAttackers often use tools like iodine, dnscat2, and Cobalt Strike to perform DNS tunneling; these tools handle the encoding and decoding of data within DNS packets.\r\nEssentially, DNS tunneling uses the trusted DNS protocol as a cover for sending hidden data. This lets attackers maintain a covert channel between a compromised system and their command server.\r\nWhat are the different types of DNS tunneling attacks?\r\nDNS tunneling can take several forms, depending on how it's used and the attacker's goals. Each type can present unique challenges and security concerns.\r\nDNS tunneling is not just a single type of attack. It can be adapted for different needs—whether for command and control, data theft or simply bypassing local restrictions.\r\nUnderstanding these types is key to detecting and stopping them.\r\nHere's a closer look:\r\nCommand and control (C2) tunneling\r\nThis is the most common type of DNS tunneling attack. It uses the DNS protocol to create a backchannel for command and control communications. Attackers can send commands to compromised devices and receive status updates, all through trusted DNS traffic.\r\nExample: The SUNBURST malware, used in the SolarWinds breach (2020), included DNS-based C2 functionality. It used subdomain queries to pass encoded victim information to attacker-controlled nameservers.\r\nData exfiltration\r\nAttackers can use DNS tunneling to move data out of a secure environment. Sensitive files or user details can be encoded in DNS queries and responses. This bypasses many traditional security controls that focus on web and email traffic.\r\nExample: In 2017, researchers uncovered DNSMessenger, a PowerShell-based backdoor that used DNS TXT records to exfiltrate data without writing files to disk.\r\nNetwork footprinting and exploration\r\nDNS queries can be used to learn about an internal network. Attackers can identify systems, services and other assets. This information helps them plan further attacks or find high-value targets.\r\nExample: OilRig, an APT group active since 2014, used DNS tunneling to map network structures and identify targets before escalating attacks.\r\nVPN bypass for network restrictions\r\nSome VPN services use DNS tunneling to get around network restrictions. This type of DNS tunneling can be used to bypass firewall policies in a corporate or transportation environment. It works by using DNS as a tunnel for VPN traffic when other protocols are blocked.\r\nExample: Astrill VPN and HA Tunnel Plus both use DNS tunneling to bypass captive portals or ISP restrictions—often observed in enterprise and commercial travel networks.\r\nMalware delivery and staging\r\nDNS tunneling can be used to deliver additional malware payloads to an infected system. Attackers can use the tunnel to send commands that download more tools or updates for their malware. This can help maintain control or expand their access over time.\r\nExample: The Decoy Dog campaign (2023) used DNS tunneling to deliver staged payloads. TXT and CNAME records were used to distribute encoded data back to infected hosts.\r\nWhat are the potential consequences of DNS tunneling?\r\nDNS tunneling can create serious security and operational challenges for organizations. It uses trusted DNS traffic to bypass typical controls and carry hidden data.\r\nHere's what can happen:\r\nData exfiltration\r\nAttackers can use DNS tunneling to move sensitive information out of a secure network. This data can include user details, internal files or other confidential records. The transfers can happen slowly over time to avoid detection.\r\nNote:\r\nDNS queries used for exfiltration often embed data into subdomains or TXT records, making them appear as legitimate name resolution traffic in logs—difficult to flag without deep packet inspection or anomaly detection tools.\r\nUnauthorized access\r\nOnce attackers set up a DNS tunnel, they can keep control over infected devices. This access can let them move laterally within the network. They can stay hidden as long as the DNS traffic is not closely inspected.\r\nNote:\r\nBecause DNS tunnels often maintain persistence over long sessions, attackers may rotate domains or tunneling tools to avoid triggering behavioral-based detection systems.\r\nCommand and control channels\r\nDNS tunneling can provide a covert way for attackers to send commands to compromised systems. They can use it to install additional malware or launch new attacks. This backchannel can be hard to shut down if not monitored.\r\nNote:\r\nC2 instructions are frequently embedded in encoded DNS requests, then decoded by malware on the infected host—making the traffic appear as routine DNS lookups unless context-aware inspection is applied.\r\nNetwork mapping and exploration\r\nDNS queries can help attackers learn more about the internal network. They use this information to find high-value targets or weak points. These insights can make follow-on attacks more effective.\r\nNote:\r\nAttackers may probe internal naming conventions or service discovery records (e.g., SRV or PTR records) through DNS to identify system roles, usernames, or legacy infrastructure.\r\nDifficulty in detection\r\nDNS traffic is usually trusted. Many security teams focus on other areas like web or email traffic. This can let DNS tunneling slip by unnoticed for extended periods.\r\nNote:\r\nMany DNS logs focus only on domain names, not payload content. Without visibility into record types like TXT or unusually long subdomain queries, DNS tunnels often remain invisible.\r\nFinancial and operational impact\r\nResponding to a DNS tunneling attack can be costly. It can include time, money and resources to rebuild systems and restore trust. These efforts can also disrupt normal business operations.\r\nNote:\r\nIncident response often requires rebuilding DNS infrastructure, auditing endpoint behavior, and implementing stricter egress controls—interrupting business continuity and increasing total recovery time.\r\nIn short:\r\nDNS tunneling is often overlooked. But it can have wide-ranging effects when attackers use it to hide their activities and move data out of an organization.\r\nHow to protect against DNS tunneling\r\nProtecting against DNS tunneling isn't as simple as blocking DNS traffic.\r\nThe protocol is foundational to internet and network communication—so the better approach is layered.\r\nYou'll want to detect tunneling attempts early, mitigate suspicious traffic, and prevent known abuse paths from being exploited.\r\nHere's how to tackle the issue across three key areas: detection, mitigation, and prevention.\r\nDetection\r\nAnalyze DNS query payloads for signs of tunneling\r\nLook for long subdomains, high character entropy, and numeric-heavy strings. These traits often appear in base-encoded or algorithmically generated domains used for tunneling.\r\nTip:\r\nFor long subdomains or encoded payloads, monitor for patterns consistent with base32 or base64 encoding, such as repeating padding characters or consistent label lengths. These can flag tunneling that evades entropy checks alone.\r\nInspect DNS record types\r\nTXT records, especially when returned unexpectedly or at volume, can indicate attempts to exfiltrate or deliver data. Other uncommon record types may also be abused.\r\nTip:\r\nTXT records used in tunneling often arrive in bursts or align with specific client actions, like file access or uploads. Time-correlation analysis can reveal whether they're part of interactive sessions or automated data pulls.\r\nMonitor DNS traffic volume per domain\r\nDNS tunneling typically requires a large number of queries. A high volume of requests to a single domain, especially with varied subdomains, should raise a flag.\r\nNote:\r\nHigh DNS query volume to randomized subdomains from the same second-level domain (e.g., a1.domain.com, a2.domain.com) can indicate DNS tunneling tools cycling through identifiers during a session.\r\nTrack DNS traffic per client IP\r\nAbnormally high DNS activity from a single client could signal beaconing behavior or data exfiltration attempts using a tunneling tool.\r\nCompare domain request patterns with known benign behavior\r\nLegitimate domains usually follow readable naming conventions. If a domain's subdomains appear randomized or meaningless, it may be worth deeper inspection.\r\nCorrelate traffic with domain history and geolocation\r\nNewly registered domains or DNS traffic directed to unexpected regions may indicate suspicious behavior. Combine this with WHOIS data or passive DNS lookups to validate intent.\r\nNote:\r\nA newly registered domain communicating with internal hosts before ever being seen in public DNS logs may be infrastructure spun up specifically for covert exfiltration.\r\nUse statistical analysis tools\r\nMeasure the proportion of numerical characters, label lengths, and longest meaningful substrings (LMS) within DNS queries. Anomalies in these indicators may point to tunneling activity.\r\nMitigation\r\nRedirect DNS queries through internal resolvers\r\nForce all client devices to use enterprise DNS servers. This helps centralize monitoring and enables policy enforcement before queries reach external resolvers.\r\nApply sinkholing to known malicious domains\r\nIf a domain is confirmed as malicious or part of a campaign, reroute it to a sinkhole server. This disrupts communication with the attacker without dropping traffic completely.\r\nTip:\r\nWhen sinkholing domains, log and alert on follow-up traffic, like fallback domains or increased web traffic to unknown hosts. Attackers often pivot once tunneling is blocked.\r\nEnforce query size and length restrictions\r\nSet thresholds on DNS labels and overall query lengths. Many tunneling tools rely on oversized or maximized queries to transmit data.\r\nTip:\r\nDNS queries that push length limits often arrive with suspicious regularity. Combine query size enforcement with frequency thresholding to catch sessions that rely on rapid-fire long queries. For legitimate use-cases that could exceed default limits, make sure to allowlist them when enforcing size caps.\r\nInspect and log DNS responses\r\nReview not only what clients send, but what they receive. Malicious payloads can be hidden in TXT or CNAME responses and executed after decoding.\r\nTip:\r\nBe cautious about blocking TXT records entirely. Instead, enforce context-aware rules—e.g., flag TXT responses over 200 bytes or those returned in response to client-generated queries.\r\nUse network detection and response (NDR) solutions\r\nBehavioral analytics can help identify DNS tunneling based on deviations from established baselines. This is especially effective against new or unknown tools.\r\nTip:\r\nBehavioral NDR tools become more accurate if you segment baselines by device type. DNS tunneling patterns differ between IoT devices, user laptops, and cloud workloads—so avoid a one-size-fits-all threshold.\r\nBlock unknown or suspicious DNS record types\r\nIf your environment doesn't require certain record types like NULL or TXT in client queries, consider blocking them at the resolver level.\r\nPrevention\r\nUse a DNS security solution with tunneling protections\r\nChoose a service that inspects DNS traffic for signs of tunneling, tracks campaigns and tooling, and provides attribution context for incident response.\r\nTip:\r\nUse DNS solutions that integrate with threat intel feeds specifically tuned to DNS abuse, especially those tracking tunneling kits or disposable C2 infrastructure.\r\nFilter access to domains by reputation and content category\r\nBlock access to domains with low reputation scores or those associated with command-and-control behavior—even if the DNS traffic appears benign.\r\nEncrypt internal DNS traffic with DoT or DoH\r\nWhile these methods protect legitimate DNS traffic from interception, they also give you control over resolvers and visibility through compatible security tools.\r\nTip:\r\nDevices that route DNS queries over HTTPS (DoH) can bypass enterprise DNS controls. Only allow DoH resolvers you manage or monitor. Block others via firewall or DNS itself.\r\nLimit internet access based on role or device type\r\nPrevent unmanaged or non-compliant systems from reaching external DNS resolvers. Restrict DNS access to what's necessary for normal business operations.\r\nTip:\r\nCombine role-based DNS access with identity-aware proxies. If a contractor laptop is sending high-volume DNS queries outside their expected app usage, identity context can help auto-escalate.\r\nUpdate malware protection and endpoint controls\r\nMany DNS tunneling tools rely on malware already present in the environment. Stopping the initial infection is one of the best defenses against tunneling.\r\nTrain staff to avoid installing unapproved VPNs or apps\r\nSome DNS tunneling activity comes from legitimate services used in unintended ways—like consumer VPNs. Raise awareness around approved tools and usage policies.\r\nTip:\r\nFlag repeated installs or updates of consumer VPNs on endpoints. Many tunneling incidents begin with well-meaning users installing \"free\" apps that abuse DNS for session creation.\r\nWhat is the history of DNS tunneling?\r\nDNS tunneling has been around for decades.\r\nThe concept first surfaced in the late 1990s, when researchers began exploring how DNS could be abused to transmit data beyond its intended use.\r\nBy 2004, the technique had gained enough traction to be presented publicly—most notably by Dan Kaminsky at Black Hat. Kaminsky also released OzymanDNS, one of the earliest known tools that demonstrated how DNS could be used to tunnel traffic.\r\nAfter that, several other tools emerged. Each followed the same basic principle: encode data in DNS queries or responses to bypass network restrictions. NSTX came out in 2000, before Kaminsky’s 2004 talk, while Iodine (2006) and DNScat (2010) followed later.\r\nOver time, threat actors adopted these utilities for command-and-control, exfiltration, and even VPN services, largely because DNS remains widely allowed and lightly inspected in many environments.\r\nDNS tunneling FAQs\r\nDNS tunneling is used to send non-DNS data through DNS queries and responses. Attackers use it to bypass security controls, exfiltrate data, or maintain command-and-control access to infected systems. It can also be used legitimately for security testing or to bypass network restrictions under controlled conditions.\r\nSigns include long or random-looking subdomains, high DNS query volume to a single domain, frequent use of TXT records, and abnormal DNS activity from a single client. Newly registered domains and traffic to unusual regions can also indicate tunneling, especially when paired with behavioral anomalies.\r\nDNS tunneling enables attackers to steal data, control infected systems, deliver malware, explore networks, and evade security tools. Because DNS traffic is often trusted, tunneling can go undetected, resulting in extended breaches, business disruption, and costly incident response.\r\nDNS tunneling itself is not inherently illegal. It has legitimate uses in research and secure testing. However, using it to exfiltrate data, control compromised systems, or bypass security controls without authorization is illegal and considered malicious activity.\r\nNotable examples include:\r\nSUNBURST (2020): Used DNS for C2 during the SolarWinds breach.\r\nDNSMessenger (2017): Exfiltrated data via DNS without touching disk.\r\nOilRig APT: Used DNS to map internal networks.\r\nDecoy Dog (2023): Delivered staged malware through DNS.\r\nAstrill VPN / HA Tunnel Plus: Bypassed network restrictions using DNS.\r\nSource: https://www.paloaltonetworks.com/cyberpedia/what-is-dns-tunneling",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.paloaltonetworks.com/cyberpedia/what-is-dns-tunneling"
	],
	"report_names": [
		"what-is-dns-tunneling"
	],
	"threat_actors": [
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434594,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cc937aee3378ee8ca2bdc1eb56ce431aece0f88d.pdf",
		"text": "https://archive.orkl.eu/cc937aee3378ee8ca2bdc1eb56ce431aece0f88d.txt",
		"img": "https://archive.orkl.eu/cc937aee3378ee8ca2bdc1eb56ce431aece0f88d.jpg"
	}
}