{
	"id": "ebd7981d-2939-42a9-96ed-460f970fbfd4",
	"created_at": "2026-04-06T00:14:05.883981Z",
	"updated_at": "2026-04-10T03:38:06.692023Z",
	"deleted_at": null,
	"sha1_hash": "cf997247b2af600f4efb29b88207e28afabbc6b7",
	"title": "Cobalt Strike (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1552374,
	"plain_text": "Cobalt Strike (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 12:56:04 UTC\r\nCobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on\r\nthe victim machine. Beacon provides the attacker with a wealth of functionality, including, but not limited to,\r\ncommand execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning\r\nand lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that,\r\nonce loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the\r\nmemory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB\r\nnamed pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a\r\ntoolkit for developing shellcode loaders, called Artifact Kit.\r\nThe Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable,\r\nand highly customizable.\r\n2026-02-05 ⋅ Palo Alto Networks Unit 42 ⋅\r\nThe Shadow Campaigns: Uncovering Global Espionage\r\nCobalt Strike UNC6619 2026-02-03 ⋅ Kaspersky Labs ⋅ Anton Kargin, Georgy Kucherin\r\nThe Notepad++ supply chain attack — unnoticed execution chains and new IoCs\r\nChrysalis Cobalt Strike 2026-01-26 ⋅ Zscaler ⋅ Sudeep Singh, Yin Hong Chang\r\nAPT Attacks Target Indian Government Using GOGITTER, GITSHELLPAD, and GOSHELL | Part 1\r\nCobalt Strike 2026-01-13 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update July to December 2025\r\nCoper FluBot Joker Aisuru Mirai AsyncRAT BianLian Cobalt Strike DCRat Havoc Latrodectus PureLogs Stealer\r\nQuasar RAT Remcos Rhadamanthys Sliver ValleyRAT Venom RAT Vidar XWorm 2026-01-04 ⋅ sec0wn ⋅ Mo Bustami\r\nFrom a New Year's surprise to a bag of coal - Analysis of mystery PowerShell\r\nCobalt Strike 2025-11-20 ⋅ Google ⋅ Dan Perez, 
Harsh Parashar, Tierra Duncan\r\nBeyond the Watering Hole: APT24's Pivot to Multi-Vector Attacks\r\nBADAUDIO Cobalt Strike 2025-10-22 ⋅ Trend Micro ⋅ Daniel Lunghi, Joseph C Chen, Lenart Bermejo, Leon M Chang, Vickie Su\r\nThe Rise of Collaborative Tactics Among China-aligned Cyber Espionage Campaigns\r\nCobalt Strike DracuLoader ShadowPad 2025-10-02 ⋅ Cisco Talos ⋅ Joey Chen\r\nUAT-8099: Chinese-speaking cybercrime group targets high-value IIS for SEO fraud\r\nCobalt Strike IISpy UAT-8099 2025-09-29 ⋅ The DFIR Report ⋅ The DFIR Report\r\nFrom a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion\r\nBrute Ratel C4 Cobalt Strike Latrodectus 2025-09-24 ⋅ The Hacker News ⋅ Ravie Lakshmanan\r\nChinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike\r\nCobalt Strike Leslieloader Pantegana SparkRAT Storm-2077 2025-08-28 ⋅ Trend Micro ⋅ Nick Dai, Pierre Lee\r\nTAOTH Campaign Exploits End-of-Support Software to Target Traditional Chinese Users and Dissidents\r\nCobalt Strike Merlin 2025-08-27 ⋅ Group-IB ⋅ Nikita Rostovcev, Sergei Turner\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike\r\nPage 1 of 42\n\nShadowSilk: A Cross-Border Binary Union for Data Exfiltration\r\nCobalt Strike YoroTrooper 2025-07-21 ⋅ Kaspersky Labs ⋅ Daniil Pogorelov, Denis Kulik\r\nThe SOC files: Rumble in the jungle or APT41’s new target in Africa\r\nCobalt Strike MimiKatz 2025-07-17 ⋅ Medium Ireneusz Tarnowski ⋅ Ireneusz Tarnowski\r\nDissecting the ClickFix User-Execution Attack and Its Sophisticated Persistence via ADS\r\nCobalt Strike 2025-07-16 ⋅ Proofpoint ⋅ Mark Kelly, Proofpoint Threat Research Team\r\nPhish and Chips: China-Aligned Espionage Actors Ramp Up Taiwan Semiconductor Industry Targeting\r\nCobalt Strike Voldemort UNK_DropPitch UNK_FistBump UNK_SparkyCarp 2025-07-14 ⋅ Spamhaus ⋅ Spamhaus\r\nMalware Labs\r\nSpamhaus Botnet Threat Update January to June 2025\r\nCoper FluBot Hook Joker Mirai AsyncRAT BianLian BumbleBee 
Chaos Cobalt Strike DanaBot DCRat Havoc\r\nLatrodectus NjRAT Quasar RAT RedLine Stealer Remcos Rhadamanthys Sliver ValleyRAT WarmCookie XWorm\r\n2025-06-24 ⋅ Bridewell ⋅ Bridewell\r\n2025 Cyber Threat Intelligence Report\r\nAsyncRAT Brute Ratel C4 Cobalt Strike Fog Ghost RAT Lumma Stealer Meduza Stealer Quasar RAT RedLine\r\nStealer Sliver 2025-06-23 ⋅ Rushter ⋅ Artem Golubin\r\nThreat Hunting Introduction: Cobalt Strike\r\nCobalt Strike 2025-06-19 ⋅ Hunt.io ⋅ Hunt.io\r\nCobalt Strike Operators Leverage PowerShell Loaders Across Chinese, Russian, and Global Infrastructure\r\nCobalt Strike 2025-06-15 ⋅ Positive Technologies ⋅ Stanislav Pyzhov, Vladislav Lunin\r\nTeam46 and TaxOff: two sides of the same coin\r\nCobalt Strike Team46 2025-05-27 ⋅ Trend Micro ⋅ Joseph C Chen\r\nEarth Lamia Develops Custom Arsenal to Target Multiple Industries\r\nBypassBoss Cobalt Strike JuicyPotato PULSEPACK STOWAWAY VShell Earth Lamia 2025-04-29 ⋅ Nextron Systems\r\n⋅ Maurice Fielenbach\r\nNitrogen Dropping Cobalt Strike – A Combination of “Chemical Elements”\r\nCobalt Strike Nitrogen Loader 2025-04-24 ⋅ Mandiant ⋅ Mandiant\r\nM-Trends 2025 Report\r\nAkira Black Basta LockBit SystemBC GootLoader LockBit WIREFIRE Akira Black Basta Cobalt Strike LockBit\r\nRansomHub SystemBC Pink Sandstorm 2025-03-31 ⋅ Seqrite ⋅ Sathwik Ram Prakki, Subhajeet Singha\r\nOperation HollowQuill: Malware delivered into Russian R\u0026D Networks via Research Decoy PDFs\r\nCobalt Strike HollowQuill 2025-03-31 ⋅ Trend Micro ⋅ Lenart Bermejo, Ted Lee, Theo Chen\r\nThe Espionage Toolkit of Earth Alux: A Closer Look at its Advanced Techniques\r\nGodzilla Webshell Cobalt Strike FINALDRAFT RAILSETTER Earth Alux 2025-01-29 ⋅ Palo Alto Networks Unit 42 ⋅\r\nLior Rochberger, Yoav Zemah\r\nCL-STA-0048: An Espionage Operation Against High-Value Targets in South Asia\r\nCobalt Strike MimiKatz PlugX ValleyRAT Winos CL-STA-0048 2025-01-21 ⋅ Trend Micro ⋅ Leon Chang, Theo Chen\r\nGame of Emperor: Unveiling Long Term Earth 
Estries Cyber Intrusions\r\nCobalt Strike HemiGate ShadowPad SNAPPYBEE SparrowDoor UNC4841 2025-01-10 ⋅ Spamhaus ⋅ Spamhaus\r\nMalware Labs\r\nSpamhaus Botnet Threat Update July to December 2024\r\nCoper FluBot Hook Mirai FAKEUPDATES AsyncRAT BianLian Brute Ratel C4 Cobalt Strike DanaBot DCRat\r\nHavoc Latrodectus NjRAT Quasar RAT RedLine Stealer Remcos Rhadamanthys Sliver Stealc 2025-01-07 ⋅ Hunt.io ⋅\r\nHunt.io\r\nGolang Beacons and VS Code Tunnels: Tracking a Cobalt Strike Server Leveraging Trusted Infrastructure\r\nCobalt Strike 2024-12-04 ⋅ Rapid7 ⋅ Tyler McGraw\r\nBlack Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware\r\nBlack Basta Cobalt Strike DarkGate SystemBC Zloader 2024-12-03 ⋅ Hunt.io ⋅ Hunt.io\r\nRare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity\r\nCobalt Strike 2024-12-02 ⋅ The DFIR Report ⋅ The DFIR Report\r\nThe Curious Case of an Egg-Cellent Resume\r\nMore_eggs Pyramid Cobalt Strike 2024-11-19 ⋅ Trend Micro ⋅ Trend Micro\r\nSpot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10\r\nUmbrella\r\nCobalt Strike LODEINFO NOOPDOOR MirrorFace 2024-11-12 ⋅ Recorded Future ⋅ Insikt Group\r\nChina-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike\r\nCobalt Strike 2024-11-12 ⋅ Recorded Future ⋅ Insikt Group\r\nChina-Nexus TAG-112 Compromises Tibetan Websites to Distribute Cobalt Strike\r\nCobalt Strike TAG-112 2024-10-31 ⋅ Hunt.io ⋅ Hunt.io\r\nTricks, Treats, and Threats: Cobalt Strike \u0026 the Goblin Lurking in Plain Sight\r\nCobalt Strike 2024-10-24 ⋅ Seqrite ⋅ Sathwik Ram Prakki, Subhajeet Singha\r\nOperation Cobalt Whisper: Threat Actor Targets Multiple Industries Across Hong Kong and Pakistan\r\nCobalt Strike Operation Cobalt Whisper 2024-10-23 ⋅ Cisco Talos ⋅ Edmund Brumaghin, Holger Unterbrink, Jordyn Dunk,\r\nNicole Hoffman\r\nThreat Spotlight: 
WarmCookie/BadSpace\r\nCobalt Strike csharp-streamer RAT WarmCookie 2024-10-23 ⋅ Cisco Talos ⋅ Edmund Brumaghin, Holger Unterbrink, Jordyn\r\nDunk, Nicole Hoffman\r\nHighlighting TA866/Asylum Ambuscade Activity Since 2021\r\nWasabiSeed Cobalt Strike csharp-streamer RAT Resident Rhadamanthys WarmCookie 2024-10-10 ⋅ Hunt.io ⋅ Hunt.io\r\nUnmasking Adversary Infrastructure: How Certificates and Redirects Exposed Earth Baxia and PlugX Activity\r\nCobalt Strike PlugX 2024-09-24 ⋅ Virus Bulletin ⋅ Aragorn Tseng, Chi-Yu You, Cristiana Brafman Kittner, Steve Su\r\nDown the GRAYRABBIT HOle - Exposing UNC3569 and its Modus Operandi\r\nKEYPLUG Cobalt Strike CROSSWALK GRAYRABBIT HelloBot HUI Loader PlugX SiestaGraph 2024-09-19 ⋅\r\nTrend Micro ⋅ Cyris Tseng, Philip Chen, Pierre Lee, Sunny Lu, Ted Lee\r\nEarth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC (IoCs)\r\nCobalt Strike Earth Baxia 2024-09-19 ⋅ Trend Micro ⋅ Cyris Tseng, Philip Chen, Pierre Lee, Sunny Lu, Ted Lee\r\nEarth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC\r\nCobalt Strike Earth Baxia 2024-08-29 ⋅ Securonix ⋅ Den Iyzvyk, Tim Peck\r\nFrom Cobalt Strike to Mimikatz: A Deep Dive into the SLOW#TEMPEST Campaign Targeting Chinese Users\r\nCobalt Strike MimiKatz 2024-08-26 ⋅ The DFIR Report ⋅ The DFIR Report\r\nBlackSuit Ransomware\r\nBlackSuit Cobalt Strike SystemBC 2024-08-23 ⋅ TEAMT5 ⋅ Still Hsu\r\nSailing the Seven SEAs: Deep Dive into Polaris' Arsenal and Intelligence Insights\r\nCobalt Strike Hodur PlugX TONESHELL 2024-08-23 ⋅ ITOCHU ⋅ Suguru Ishimaru, Yusuke Niwa\r\nPirates of The Nang Hai: Follow the Artifacts No One Know\r\nCobalt Strike Xiangoop 2024-08-22 ⋅ ⋅ NTT ⋅ Rintaro Koike\r\nAppDomainManager Injectionを悪用したマルウェアによる攻撃について\r\nCobalt Strike Earth Baxia 2024-08-21 ⋅ TG Soft ⋅ C.R.A.M.\r\nChinese APT abuses MSC files with GrimResource vulnerability\r\nCobalt Strike Earth Baxia 
2024-08-12 ⋅ Rapid7 ⋅ Tyler McGraw\r\nOngoing Social Engineering Campaign Refreshes Payloads\r\nBlack Basta Cobalt Strike GhostSocks Lumma Stealer SystemBC 2024-08-04 ⋅ Twitter (@embee_research) ⋅\r\nEmbee_research\r\nDecoding a Cobalt Strike Downloader Script With CyberChef\r\nCobalt Strike 2024-08-01 ⋅ Cisco ⋅ Ashley Shen, Joey Chen, Vitor Ventura\r\nAPT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike\r\nCobalt Strike ShadowPad 2024-07-25 ⋅ SOC Prime ⋅ Veronika Telychko\r\nUAC-0057 Attack Detection: A Surge in Adversary Activity Distributing PICASSOLOADER and Cobalt Strike\r\nBeacon\r\nCobalt Strike PicassoLoader Ghostwriter 2024-07-22 ⋅ Censys ⋅ Censys, Embee_research\r\nA Beginner’s Guide to Hunting Malicious Open Directories\r\nCobalt Strike Lumma Stealer Vidar 2024-07-18 ⋅ Mandiant ⋅ Jared Wilson, Jonathan Lepore, Luis Rocha, Mike Stokkel, Pierre\r\nGerlings, RENATO FONTANA, Stephen Eckels\r\nAPT41 Has Arisen From the DUST\r\nCobalt Strike 2024-07-16 ⋅ Recorded Future ⋅ Insikt Group\r\nTAG-100 Uses Open-Source Tools in Suspected Global Espionage Campaign, Compromising Two Asia-Pacific\r\nIntergovernmental Bodies\r\nCobalt Strike Pantegana 2024-07-10 ⋅ Zscaler ⋅ Sudeep Singh, Yin Hong Chang\r\nDodgeBox: A deep dive into the updated arsenal of APT41 | Part 1\r\nCobalt Strike DUSTPAN DUSTTRAP 2024-07-09 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update January to June 2024\r\nCoper FluBot Hook Bashlite Mirai FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc NjRAT\r\nQakBot Quasar RAT RedLine Stealer Remcos Rhadamanthys RisePro Sliver 2024-07-02 ⋅ Sekoia ⋅ Quentin Bourgue\r\nExposing FakeBat loader: distribution methods and adversary infrastructure\r\nBlackCat Royal Ransom EugenLoader Carbanak Cobalt Strike DICELOADER Gozi IcedID Lumma Stealer\r\nNetSupportManager RAT Pikabot RedLine Stealer SectopRAT Sliver SmokeLoader Vidar 2024-06-21 ⋅ Elastic ⋅ Joe\r\nDesimone, Samir 
Bousseaden\r\nGrimResource - Microsoft Management Console for initial access and evasion\r\nCobalt Strike 2024-05-23 ⋅ Checkpoint ⋅ Checkpoint Research\r\nSharp dragon expands towards africa and the caribbean\r\n5.t Downloader Cobalt Strike SharpPanda 2024-05-23 ⋅ Check Point ⋅ Check Point\r\nChinese Espionage Campaign Expands to Target Africa and The Caribbean\r\n5.t Downloader Cobalt Strike 2024-05-15 ⋅ Microsoft ⋅ Microsoft Threat Intelligence\r\nThreat actors misusing Quick Assist in social engineering attacks leading to ransomware\r\nBlack Basta Cobalt Strike QakBot UNC4393 2024-05-15 ⋅ Microsoft ⋅ Microsoft Threat Intelligence\r\nThreat actors misusing Quick Assist in social engineering attacks leading to ransomware\r\nBlack Basta Cobalt Strike QakBot SystemBC 2024-05-14 ⋅ Kaspersky ⋅ Boris Larin, Mert Degirmenci\r\nQakBot attacks with Windows zero-day (CVE-2024-30051)\r\nCobalt Strike QakBot 2024-05-10 ⋅ Rapid7 Labs ⋅ Evan McCann, Thomas Elkins, Tyler McGraw\r\nOngoing Social Engineering Campaign Linked to Black Basta Ransomware Operators\r\nBlack Basta Black Basta Cobalt Strike NetSupportManager RAT 2024-04-24 ⋅ Securonix ⋅ Den Iyzvyk, Oleg Kolesnikov,\r\nTim Peck\r\nAnalysis of Ongoing FROZEN#SHADOW Attack Campaign Leveraging SSLoad Malware and RMM Software\r\nfor Domain Takeover\r\nCobalt Strike Latrodectus 2024-04-01 ⋅ The DFIR Report ⋅ The DFIR Report\r\nFrom OneNote to RansomNote: An Ice Cold Intrusion\r\nCobalt Strike IcedID Nokoyawa Ransomware PhotoLoader 2024-03-01 ⋅ Medium b.magnezi ⋅ 0xMrMagnezi\r\nMalware Analysis - Cobalt Strike\r\nCobalt Strike 2024-02-09 ⋅ Censys ⋅ Censys, Embee_research\r\nA Beginners Guide to Tracking Malware Infrastructure\r\nAsyncRAT BianLian Cobalt Strike QakBot 2024-02-08 ⋅ YouTube (Embee Research) ⋅ Embee_research\r\nCobalt Strike Decoding and C2 Extraction - 3 Minute Malware Analysis Speedrun\r\nCobalt Strike 2024-01-26 ⋅ Trendmicro ⋅ 
Hara Hiroaki, Masaoki Shoji, Nick Dai, Vickie Su, Yuka Higashi\r\nSpot the Difference: An Analysis of the New LODEINFO Campaign by Earth Kasha\r\nAnel Cobalt Strike LODEINFO NOOPDOOR 2024-01-13 ⋅ YouTube (Embee Research) ⋅ Embee_research\r\nCobalt Strike Shellcode Analysis and C2 Extraction\r\nCobalt Strike 2024-01-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q4 2023\r\nFluBot Hook FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc IcedID Lumma Stealer\r\nMeterpreter NjRAT Pikabot QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver\r\n2024-01-09 ⋅ Recorded Future ⋅ Insikt Group\r\n2023 Adversary Infrastructure Report\r\nAsyncRAT Cobalt Strike Emotet PlugX ShadowPad 2024-01-04 ⋅ Netresec ⋅ Erik Hjelmvik\r\nHunting for Cobalt Strike in PCAP\r\nCobalt Strike 2023-12-20 ⋅ Twitter (@embee_research) ⋅ Embee_research\r\nDefeating Obfuscated Malware Scripts - Cobalt Strike\r\nCobalt Strike 2023-12-19 ⋅ Twitter (@embee_research) ⋅ Embee_research\r\nFree Ghidra Tutorials for Beginners\r\nCobalt Strike DarkGate 2023-12-08 ⋅ Twitter (@embee_research) ⋅ Embee_research\r\nGhidra Basics - Manual Shellcode Analysis and C2 Extraction\r\nCobalt Strike 2023-12-06 ⋅ MITRE ⋅ MITRE ATT\u0026CK\r\nCinnamon Tempest\r\nCobalt Strike HUI Loader PlugX Sliver BRONZE STARLIGHT 2023-12-04 ⋅ The DFIR Report ⋅ The DFIR Report\r\nSQL Brute Force leads to Bluesky Ransomware\r\nBlueSky Cobalt Strike 2023-11-19 ⋅ Twitter (@embee_research) ⋅ Embee_research\r\nCombining Pivot Points to Identify Malware Infrastructure - Redline, Smokeloader and Cobalt Strike\r\nAmadey Cobalt Strike RedLine Stealer SmokeLoader 2023-11-14 ⋅ Medium joshuapenny88 ⋅ Joshua Penny\r\nHostingHunter Series: CHANG WAY TECHNOLOGIES CO. 
LIMITED\r\nHook Hydra Cobalt Strike SectopRAT 2023-11-10 ⋅ NSFOCUS ⋅ NSFOCUS\r\nThe New APT Group DarkCasino and the Global Surge in WinRAR 0-Day Exploits\r\nCobalt Strike Konni DarkCasino Opal Sleet 2023-11-07 ⋅ SOCRadar ⋅ SOCRadar\r\nNew Gootloader Variant “GootBot” Changes the Game in Malware Tactics\r\nGootLoader Cobalt Strike UNC2565 2023-11-06 ⋅ Twitter (@embee_research) ⋅ Embee_research\r\nUnpacking Malware With Hardware Breakpoints - Cobalt Strike\r\nCobalt Strike 2023-11-01 ⋅ nccgroup ⋅ Mick Koomen\r\nPopping Blisters for research: An overview of past payloads and exploring recent developments\r\nBlister Cobalt Strike 2023-10-23 ⋅ Twitter (@embee_research) ⋅ Embee_research\r\nCobalt Strike .VBS Loader - Decoding with Advanced CyberChef and Emulation\r\nCobalt Strike 2023-10-20 ⋅ Twitter (@embee_research) ⋅ Embee_research\r\nDecoding a Cobalt Strike .hta Loader Using CyberChef and Emulation\r\nCobalt Strike 2023-10-18 ⋅ Twitter (@embee_research) ⋅ Embee_research\r\nGhidra Tutorial - Using Entropy To Locate a Cobalt Strike Decryption Function\r\nCobalt Strike 2023-10-12 ⋅ Netresec ⋅ Erik Hjelmvik\r\nForensic Timeline of an IcedID Infection\r\nCobalt Strike IcedID IcedID Downloader 2023-10-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q3 2023\r\nFluBot AsyncRAT Ave Maria Cobalt Strike DCRat Havoc IcedID ISFB Nanocore RAT NjRAT QakBot Quasar\r\nRAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Stealc Tofsee Vidar 2023-10-10 ⋅ Symantec ⋅\r\nThreat Hunter Team\r\nGrayling: Previously Unseen Threat Actor Targets Multiple Organizations in Taiwan\r\nCobalt Strike Havoc MimiKatz Grayling 2023-10-03 ⋅ Malware Traffic Analysis ⋅ Brad Duncan\r\n2023-10-03 (Tuesday) - PikaBot infection with Cobalt Strike\r\nCobalt Strike Pikabot 2023-09-22 ⋅ Mandiant ⋅ Dan Black, Josh Atkins, Luke Jenkins\r\nBackchannel Diplomacy: APT29’s Rapidly Evolving Diplomatic 
Phishing Operations\r\nBrute Ratel C4 Cobalt Strike EnvyScout GraphDrop QUARTERRIG sRDI Unidentified 107 (APT29) 2023-09-22 ⋅\r\nPalo Alto Networks Unit 42 ⋅ Lior Rochberger, Robert Falcone, Tom Fakterman\r\nCyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda\r\nCobalt Strike MimiKatz RemCom ShadowPad TONESHELL 2023-09-12 ⋅ ⋅ ANSSI ⋅ ANSSI\r\nFIN12: A Cybercriminal Group with Multiple Ransomware\r\nBlackCat Cobalt Strike Conti Hive MimiKatz Nokoyawa Ransomware PLAY Royal Ransom Ryuk SystemBC\r\n2023-08-30 ⋅ Trend Micro ⋅ Gilbert Sison, Hara Hiroaki, Lenart Bermejo, Leon M Chang, Ted Lee\r\nEarth Estries Targets Government, Tech for Cyberespionage\r\nCobalt Strike HemiGate Earth Estries 2023-08-28 ⋅ The DFIR Report ⋅ The DFIR Report\r\nHTML Smuggling Leads to Domain Wide Ransomware\r\nCobalt Strike IcedID Nokoyawa Ransomware 2023-08-18 ⋅ d01a ⋅ Mohamed Adel\r\nUnderstanding Syscalls: Direct, Indirect, and Cobalt Strike Implementation\r\nCobalt Strike 2023-08-18 ⋅ TEAMT5 ⋅ Still Hsu, Zih-Cing Liao\r\nUnmasking CamoFei: An In-depth Analysis of an Emerging APT Group Focused on Healthcare Sectors in East\r\nAsia\r\nCatB Cobalt Strike DoorMe GIMMICK 2023-08-17 ⋅ SentinelOne ⋅ Aleksandar Milenkoski, Tom Hegel\r\nChinese Entanglement | DLL Hijacking in the Asian Gambling Sector\r\nCobalt Strike HUI Loader BRONZE STARLIGHT 2023-08-07 ⋅ Recorded Future ⋅ Insikt Group\r\nRedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale\r\nWinnti Brute Ratel C4 Cobalt Strike FunnySwitch PlugX ShadowPad Spyder Earth Lusca 2023-07-29 ⋅ Google ⋅\r\nGoogle Cybersecurity Action Team\r\nThreat Horizons August 2023 Threat Horizons Report\r\nSharkBot Cobalt Strike 2023-07-11 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q2 2023\r\nHydra AsyncRAT Aurora Stealer Ave Maria BumbleBee Cobalt Strike DCRat Havoc IcedID 
ISFB NjRAT QakBot\r\nQuasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee 2023-07-07 ⋅ Lab52 ⋅ Lab52\r\nBeyond appearances: unknown actor using APT29’s TTP against Chinese users\r\nCobalt Strike 2023-06-30 ⋅ K7 Security ⋅ Dhanush\r\nCobalt Strike’s Deployment with Hardware Breakpoint for AMSI Bypass\r\nCobalt Strike 2023-06-16 ⋅ SOC Prime ⋅ Veronika Telychko\r\nPicassoLoader and Cobalt Strike Beacon Detection: UAC-0057 aka GhostWriter Hacking Group Attacks the\r\nUkrainian Leading Military Educational Institution\r\nCobalt Strike PicassoLoader Ghostwriter 2023-06-15 ⋅ eSentire ⋅ RussianPanda\r\neSentire Threat Intelligence Malware Analysis: Resident Campaign\r\nCobalt Strike Resident Rhadamanthys WarmCookie 2023-06-10 ⋅ The DFIR Report ⋅ The DFIR Report\r\nIcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment\r\nBlackCat Cobalt Strike IcedID 2023-06-08 ⋅ VMRay ⋅ Patrick Staubmann\r\nBusy Bees - The Transformation of BumbleBee\r\nBumbleBee Cobalt Strike Conti Meterpreter Sliver 2023-06-08 ⋅ Twitter (@embee_research) ⋅ Embee_research\r\nPractical Queries for Identifying Malware Infrastructure: An informal page for storing Censys/Shodan queries\r\nAmadey AsyncRAT Cobalt Strike QakBot Quasar RAT Sliver solarmarker 2023-05-11 ⋅ cocomelonc ⋅ cocomelonc\r\nMalware development trick - part 28: Dump lsass.exe. 
Simple C++ example.\r\nCobalt Strike APT3 Keylogger 2023-04-20 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam\r\nBumblebee Malware Distributed Via Trojanized Installer Downloads\r\nBumbleBee Cobalt Strike 2023-04-20 ⋅ Github (dodo-sec) ⋅ dodo-sec\r\nAn analysis of syscall usage in Cobalt Strike Beacons\r\nCobalt Strike 2023-04-18 ⋅ Mandiant ⋅ Mandiant\r\nM-Trends 2023\r\nQUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive\r\nINDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC\r\nWhisperGate 2023-04-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q1 2023\r\nFluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT\r\nQakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar 2023-04-03 ⋅ The DFIR Report ⋅\r\nThe DFIR Report\r\nMalicious ISO File Leads to Domain Wide Ransomware\r\nCobalt Strike IcedID Mount Locker 2023-03-30 ⋅ United States District Court (Eastern District of New York) ⋅ Fortra, HEALTH-ISAC, Microsoft\r\nCracked Cobalt Strike (1:23-cv-02447)\r\nBlack Basta BlackCat LockBit RagnarLocker LockBit Black Basta BlackCat Cobalt Strike Cuba Emotet LockBit\r\nMount Locker PLAY QakBot RagnarLocker Royal Ransom Zloader 2023-03-30 ⋅ Recorded Future ⋅ Insikt Group\r\nWith KEYPLUG, China’s RedGolf Spies On, Steals From Wide Field of Targets\r\nKEYPLUG Cobalt Strike PlugX RedGolf 2023-03-30 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)\r\neSentire Threat Intelligence Malware Analysis: BatLoader\r\nBATLOADER Cobalt Strike ISFB SystemBC Vidar 2023-03-28 ⋅ ExaTrack ⋅ ExaTrack\r\nMélofée: a new alien malware in the Panda's toolset targeting Linux hosts\r\nHelloBot Melofee Winnti Cobalt Strike SparkRAT STOWAWAY 2023-03-10 ⋅ Medium walmartglobaltech ⋅ Jason Reaves,\r\nJoshua Platt\r\nFrom Royal With Love\r\nCobalt Strike Conti 
PLAY Royal Ransom Somnia 2023-03-01 ⋅ Zscaler ⋅ Meghraj Nandanwar, Shatak Jain\r\nOneNote: A Growing Threat for Malware Distribution\r\nAsyncRAT Cobalt Strike IcedID QakBot RedLine Stealer 2023-02-23 ⋅ Bitdefender ⋅ Bitdefender Team, Martin Zugec\r\nTechnical Advisory: Various Threat Actors Targeting ManageEngine Exploit CVE-2022-47966\r\nCobalt Strike DarkComet QuiteRAT RATel 2023-02-22 ⋅ Symantec ⋅ Symantec Threat Hunter Team\r\nHydrochasma: Previously Unknown Group Targets Medical and Shipping Organizations in Asia\r\nCobalt Strike 2023-02-14 ⋅ Cybereason ⋅ Cybereason Incident Response (IR) team\r\nGootLoader - SEO Poisoning and Large Payloads Leading to Compromise\r\nGootLoader Cobalt Strike SystemBC 2023-02-13 ⋅ Kroll ⋅ Laurie Iacono, Stephen Green\r\nRoyal Ransomware Deep Dive\r\nCobalt Strike Royal Ransom 2023-02-13 ⋅ AhnLab ⋅ kingkimgim\r\nDalbit (m00nlight): Chinese Hacker Group’s APT Attack Campaign\r\nGodzilla Webshell ASPXSpy BlueShell CHINACHOPPER Cobalt Strike Ladon MimiKatz Dalbit 2023-02-08 ⋅\r\nTrend Micro ⋅ Ted Lee\r\nEarth Zhulong: Familiar Patterns Target Southeast Asian Firms\r\nCobalt Strike MACAMAX 1937CN 2023-02-03 ⋅ Mandiant ⋅ Genevieve Stark, Kimberly Goody\r\nFloat Like a Butterfly Sting Like a Bee\r\nBazarBackdoor BumbleBee Cobalt Strike 2023-02-02 ⋅ Kroll ⋅ Elio Biasiotto, Stephen Green\r\nHive Ransomware Technical Analysis and Initial Access Discovery\r\nBATLOADER Cobalt Strike Hive 2023-01-30 ⋅ Checkpoint ⋅ Arie Olshtein\r\nFollowing the Scent of TrickGate: 6-Year-Old Packer Used to Deploy the Most Wanted Malware\r\nAgent Tesla Azorult Buer Cerber Cobalt Strike Emotet Formbook HawkEye Keylogger Loki Password Stealer\r\n(PWS) Maze NetWire RC Remcos REvil TrickBot 2023-01-24 ⋅ Fortinet ⋅ Geri Revay\r\nThe Year of the Wiper\r\nAzov Wiper Bruh Wiper CaddyWiper Cobalt Strike Vidar 2023-01-23 ⋅ Kroll ⋅ Elio Biasiotto, Stephen Green\r\nBlack Basta – Technical Analysis\r\nBlack Basta Cobalt Strike MimiKatz QakBot SystemBC 2023-01-16 ⋅ 
Intrinsec ⋅ Intrinsec\r\nProxyNotShell – OWASSRF – Merry Xchange\r\nCobalt Strike SystemBC 2023-01-05 ⋅ Symantec ⋅ Threat Hunter Team\r\nBluebottle: Campaign Hits Banks in French-speaking Countries in Africa\r\nCloudEyE Cobalt Strike MimiKatz NetWire RC POORTRY Quasar RAT BlueBottle 2022-12-15 ⋅ Mandiant ⋅ Mandiant\r\nTrojanized Windows 10 Operating System Installers Targeted Ukrainian Government\r\nCobalt Strike STOWAWAY 2022-12-08 ⋅ Cisco Talos ⋅ Tiago Pereira\r\nBreaking the silence - Recent Truebot activity\r\nClop Cobalt Strike FlawedGrace Raspberry Robin Silence Teleport 2022-12-06 ⋅ EuRepoC ⋅ Camille Borrett, Kerstin Zettl-Schabath, Lena Rottinger\r\nConti/Wizard Spider\r\nBazarBackdoor Cobalt Strike Conti Emotet IcedID Ryuk TrickBot WIZARD SPIDER 2022-12-02 ⋅ Palo Alto\r\nNetworks Unit 42 ⋅ Bob Jung, Dominik Reichel, Esmid Idrizovic\r\nBlowing Cobalt Strike Out of the Water With Memory Analysis\r\nCobalt Strike 2022-11-15 ⋅ SOC Prime ⋅ Veronika Telychko\r\nSomnia Malware Detection: UAC-0118 aka FRwL Launches Cyber Attacks Against Organizations in Ukraine\r\nUsing Enhanced Malware Strains\r\nCobalt Strike Vidar UAC-0118 2022-11-09 ⋅ Trend Micro ⋅ Hara Hiroaki, Ted Lee\r\nHack the Real Box: APT41’s New Subgroup Earth Longzhi\r\nCobalt Strike MimiKatz Earth Longzhi 2022-11-03 ⋅ paloalto Netoworks: Unit42 ⋅ Chris Navarrete, Durgesh Sangvikar, Matthew\r\nTennis, Siddhart Shibiraj, Yanhui Jia, Yu Fu\r\nCobalt Strike Analysis and Tutorial: Identifying Beacon Team Servers in the Wild\r\nCobalt Strike 2022-11-03 ⋅ Github (chronicle) ⋅ Chronicle\r\nGCTI Open Source Detection Signatures\r\nCobalt Strike Sliver 2022-11-03 ⋅ Group-IB ⋅ Rustam Mirkasymov\r\nFinancially motivated, dangerously activated: OPERA1ER APT in Africa\r\nCobalt Strike Common Raven 2022-10-31 ⋅ Cynet ⋅ Max Malyutin\r\nOrion Threat Alert: Qakbot TTPs Arsenal and the Black Basta Ransomware\r\nBlack Basta Cobalt 
Strike QakBot 2022-10-13 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q3 2022\r\nFluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password\r\nStealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars\r\nTofsee Vjw0rm 2022-10-13 ⋅ Microsoft ⋅ Microsoft Threat Hunting, MSRC Team\r\nHunting for Cobalt Strike: Mining and plotting for fun and profit\r\nCobalt Strike 2022-10-12 ⋅ Trend Micro ⋅ Ian Kenefick, Lucas Silva, Nicole Hernandez\r\nBlack Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike\r\nBlack Basta Brute Ratel C4 Cobalt Strike QakBot 2022-10-03 ⋅ Check Point ⋅ Marc Salinas Fernandez\r\nBumblebee: increasing its capacity and evolving its TTPs\r\nBumbleBee Cobalt Strike Meterpreter Sliver Vidar 2022-10-03 ⋅ Trend Micro ⋅ Jaromír Hořejší, Joseph Chen\r\nWater Labbu Abuses Malicious DApps to Steal Cryptocurrency\r\nCobalt Strike Water Labbu 2022-09-26 ⋅ The DFIR Report ⋅ The DFIR Report\r\nBumbleBee: Round Two\r\nBumbleBee Cobalt Strike Meterpreter 2022-09-25 ⋅ YouTube (Arda Büyükkaya) ⋅ Arda Büyükkaya\r\nCobalt Strike Shellcode Loader With Rust (YouTube)\r\nCobalt Strike 2022-09-13 ⋅ AdvIntel ⋅ Advanced Intelligence\r\nAdvIntel's State of Emotet aka \"SpmTools\" Displays Over Million Compromised Machines Through 2022\r\nConti Cobalt Strike Emotet Ryuk TrickBot 2022-09-12 ⋅ The DFIR Report ⋅ The DFIR Report\r\nDead or Alive? 
An Emotet Story\r\nCobalt Strike Emotet 2022-09-07 ⋅ Google ⋅ Google Threat Analysis Group, Pierre-Marc Bureau\r\nInitial access broker repurposing techniques in targeted attacks against Ukraine\r\nAnchorMail Cobalt Strike IcedID 2022-09-07 ⋅ cyble ⋅ Cyble\r\nBumblebee Returns With New Infection Technique\r\nBumbleBee Cobalt Strike 2022-09-06 ⋅ Didier Stevens ⋅ Didier Stevens\r\nAn Obfuscated Beacon – Extra XOR Layer\r\nCobalt Strike 2022-09-06 ⋅ CISA ⋅ CISA, FBI, MS-ISAC, US-CERT\r\nAlert (AA22-249A) #StopRansomware: Vice Society\r\nCobalt Strike Empire Downloader FiveHands HelloKitty SystemBC Zeppelin 2022-09-06 ⋅ cocomelonc ⋅ cocomelonc\r\nMalware development tricks: parent PID spoofing. Simple C++ example.\r\nCobalt Strike Konni 2022-09-06 ⋅ ⋅ INCIBE-CERT ⋅ INCIBE\r\nEstudio del análisis de Nobelium\r\nBEATDROP BOOMBOX Cobalt Strike EnvyScout Unidentified 099 (APT29 Dropbox Loader) VaporRage 2022-\r\n09-01 ⋅ Trend Micro ⋅ Trend Micro\r\nRansomware Spotlight Black Basta\r\nBlack Basta Cobalt Strike MimiKatz QakBot 2022-09-01 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara\r\nHunting C2/Adversaries Infrastructure with Shodan and Censys\r\nBrute Ratel C4 Cobalt Strike Deimos GRUNT IcedID Merlin Meterpreter Nighthawk PoshC2 Sliver 2022-08-30 ⋅\r\neSentire ⋅ eSentire Threat Response Unit (TRU)\r\nHacker Infrastructure Used in Cisco Breach Discovered Attacking a Top Workforce Management Corporation \u0026\r\nan Affiliate of Russia’s Evil Corp Gang Suspected, Reports eSentire\r\nCobalt Strike FiveHands UNC2447 2022-08-25 ⋅ SentinelOne ⋅ Jim Walter\r\nBlueSky Ransomware | AD Lateral Movement, Evasion and Fast Encryption Put Threat on the Radar\r\nBlueSky Cobalt Strike JuicyPotato 2022-08-22 ⋅ Microsoft ⋅ Microsoft\r\nExtortion Economics - Ransomware’s new business model\r\nBlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive Mount\r\nLocker Nokoyawa Ransomware REvil Ryuk 2022-08-19 ⋅ nccgroup ⋅ Ross Inman\r\nBack in Black: 
Unlocking a LockBit 3.0 Ransomware Attack\r\nFAKEUPDATES Cobalt Strike LockBit 2022-08-18 ⋅ Group-IB ⋅ Nikita Rostovtsev\r\nAPT41 World Tour 2021 on a tight schedule\r\nCobalt Strike 2022-08-18 ⋅ Trustwave ⋅ Pawel Knapczyk\r\nOverview of the Cyber Weapons Used in the Ukraine - Russia War\r\nAcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper\r\nINDUSTROYER2 InvisiMole IsaacWiper PartyTicket 2022-08-18 ⋅ Sophos ⋅ Sean Gallagher\r\nCookie stealing: the new perimeter bypass\r\nCobalt Strike Meterpreter MimiKatz Phoenix Keylogger Quasar RAT 2022-08-18 ⋅ ⋅ NSFOCUS ⋅ NSFOCUS\r\nNew APT group MURENSHARK investigative report: Torpedoes hit Turkish Navy\r\nCobalt Strike 2022-08-18 ⋅ Trustwave ⋅ Pawel Knapczyk\r\nOverview of the Cyber Weapons Used in the Ukraine - Russia War\r\nAcidRain CaddyWiper Cobalt Strike CredoMap DCRat DoubleZero GraphSteel GrimPlant HermeticWiper\r\nINDUSTROYER2 InvisiMole IsaacWiper PartyTicket 2022-08-17 ⋅ Cybereason ⋅ Cybereason Global SOC Team\r\nBumblebee Loader – The High Road to Enterprise Domain Control\r\nBumbleBee Cobalt Strike 2022-08-17 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam\r\nDarkTortilla Malware Analysis\r\nAgent Tesla AsyncRAT Cobalt Strike DarkTortilla Nanocore RAT RedLine Stealer 2022-08-12 ⋅ SANS ISC ⋅ Brad\r\nDuncan\r\nMonster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike\r\nCobalt Strike DarkVNC IcedID 2022-08-11 ⋅ Malcat ⋅ malcat team\r\nLNK forensic and config extraction of a cobalt strike beacon\r\nCobalt Strike 2022-08-11 ⋅ SecurityScorecard ⋅ Robert Ames\r\nThe Increase in Ransomware Attacks on Local Governments\r\nBlackCat BlackCat Cobalt Strike LockBit 2022-08-10 ⋅ ⋅ Weixin ⋅ Red Raindrop Team\r\nOperation(верность) mercenary: a torrent of steel trapped in the plains of Eastern Europe\r\nBumbleBee Cobalt Strike 2022-08-08 ⋅ The DFIR Report ⋅ The DFIR 
Report\r\nBumbleBee Roasts Its Way to Domain Admin\r\nBumbleBee Cobalt Strike 2022-08-04 ⋅ YouTube (Arda Büyükkaya) ⋅ Arda Büyükkaya\r\nLockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool\r\nCobalt Strike LockBit 2022-08-03 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan\r\nFlight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware\r\nBazarBackdoor BumbleBee Cobalt Strike Conti 2022-08-02 ⋅ Cisco Talos ⋅ Asheer Malhotra, Vitor Ventura\r\nManjusaka: A Chinese sibling of Sliver and Cobalt Strike\r\nManjusaka Cobalt Strike Manjusaka 2022-07-30 ⋅ cocomelonc\r\nMalware AV evasion - part 8. Encode payload via Z85\r\nAgent Tesla Carbanak Carberp Cardinal RAT Cobalt Strike donut_injector 2022-07-28 ⋅ SentinelOne ⋅ James Haughom,\r\nJulien Reisdorffer, Júlio Dantas\r\nLiving Off Windows Defender | LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool\r\nCobalt Strike LockBit 2022-07-27 ⋅ Trend Micro ⋅ Buddy Tancio, Jed Valderama\r\nGootkit Loader’s Updated Tactics and Fileless Delivery of Cobalt Strike\r\nCobalt Strike GootKit Kronos REvil SunCrypt 2022-07-27 ⋅ ReversingLabs ⋅ Joseph Edwards\r\nThreat analysis: Follina exploit fuels 'live-off-the-land' attacks\r\nCobalt Strike MimiKatz 2022-07-27 ⋅ cyble ⋅ Cyble Research Labs\r\nTargeted Attacks Being Carried Out Via DLL SideLoading\r\nCobalt Strike QakBot 2022-07-22 ⋅ Binary Ninja ⋅ Xusheng Li\r\nReverse Engineering a Cobalt Strike Dropper With Binary Ninja\r\nCobalt Strike 2022-07-20 ⋅ NVISO Labs ⋅ Sasja Reynaert\r\nAnalysis of a trojanized jQuery script: GootLoader unleashed\r\nGootLoader Cobalt Strike 2022-07-20 ⋅ Advanced Intelligence ⋅ Marley Smith, Vitali Kremez, Yelisey Boguslavskiy\r\nAnatomy of Attack: Truth Behind the Costa Rica Government Ransomware 5-Day Intrusion\r\nCobalt Strike 2022-07-20 ⋅ U.S. 
Cyber Command ⋅ Cyber National Mission Force Public Affairs\r\nCyber National Mission Force discloses IOCs from Ukrainian networks\r\nCobalt Strike GraphSteel GrimPlant MicroBackdoor 2022-07-20 ⋅ Mandiant ⋅ Mandiant Threat Intelligence\r\nEvacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities\r\nCobalt Strike GraphSteel GrimPlant MicroBackdoor 2022-07-19 ⋅ Palo Alto Networks Unit 42 ⋅ Mike Harbison, Peter Renals\r\nRussian APT29 Hackers Use Online Storage Services, DropBox and Google Drive\r\nCobalt Strike EnvyScout Gdrive 2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42\r\nObscure Serpens\r\nCobalt Strike Empire Downloader Meterpreter MimiKatz DarkHydrus 2022-07-18 ⋅ Censys ⋅ Censys\r\nRussian Ransomware C2 Network Discovered in Censys Data\r\nCobalt Strike DeimosC2 MimiKatz PoshC2 2022-07-13 ⋅ Malwarebytes Labs ⋅ Hossein Jazi, Roberto Santos\r\nCobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign\r\nCobalt Strike 2022-07-13 ⋅ Palo Alto Networks Unit 42 ⋅ Chris Navarrete, Durgesh Sangvikar, Siddhart Shibiraj, Yanhui Jia, Yu Fu\r\nCobalt Strike Analysis and Tutorial: CS Metadata Encryption and Decryption\r\nCobalt Strike 2022-07-11 ⋅ ⋅ Cert-UA ⋅ Cert-UA\r\nUAC-0056 attack on Ukrainian state organizations using Cobalt Strike Beacon (CERT-UA#4941)\r\nCobalt Strike 2022-07-07 ⋅ SANS ISC ⋅ Brad Duncan\r\nEmotet infection with Cobalt Strike\r\nCobalt Strike Emotet 2022-07-07 ⋅ IBM ⋅ Charlotte Hammond, Kat Weinberger, Ole Villadsen\r\nUnprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine\r\nAnchorMail BumbleBee Cobalt Strike IcedID Meterpreter 2022-07-06 ⋅ ⋅ Cert-UA ⋅ Cert-UA\r\nUAC-0056 cyberattack on Ukrainian state organizations using Cobalt Strike Beacon (CERT-UA#4914)\r\nCobalt Strike 2022-06-30 ⋅ Trend Micro ⋅ Emmanuel Panopio, James Panlilio, John Kenneth Reyes, Kenneth Adrian Apostol, Melvin\r\nSingwa, 
Mirah Manlapig, Paolo Ronniel Labrador\r\nBlack Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare\r\nExploit\r\nBlack Basta Cobalt Strike QakBot 2022-06-28 ⋅ Lumen ⋅ Black Lotus Labs\r\nZuoRAT Hijacks SOHO Routers To Silently Stalk Networks\r\nZuoRAT Cobalt Strike 2022-06-27 ⋅ Kaspersky ICS CERT ⋅ Artem Snegirev, Kirill Kruglov\r\nAttacks on industrial control systems using ShadowPad\r\nCobalt Strike PlugX ShadowPad 2022-06-26 ⋅ BushidoToken\r\nOverview of Russian GRU and SVR Cyberespionage Campaigns 1H 2022\r\nCobalt Strike CredoMap EnvyScout 2022-06-23 ⋅ cyble ⋅ Cyble Research Labs\r\nMatanbuchus Loader Resurfaces\r\nCobalt Strike Matanbuchus 2022-06-23 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam\r\nBRONZE STARLIGHT Ransomware Operations Use HUI Loader\r\nATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora PlugX Quasar RAT Rook SodaMaster\r\nBRONZE STARLIGHT 2022-06-21 ⋅ Cisco Talos ⋅ Chris Neal, Flavio Costa, Guilherme Venere\r\nAvos ransomware group expands with new attack arsenal\r\nAvosLocker Cobalt Strike DarkComet MimiKatz 2022-06-20 ⋅ ⋅ Cert-UA ⋅ Cert-UA\r\nUAC-0098 group cyberattack on critical infrastructure of Ukraine (CERT-UA#4842)\r\nCobalt Strike 2022-06-17 ⋅ SANS ISC ⋅ Brad Duncan\r\nMalspam pushes Matanbuchus malware, leads to Cobalt Strike\r\nCobalt Strike Matanbuchus 2022-06-11 ⋅ Twitter (@MsftSecIntel) ⋅ Microsoft Threat Intelligence\r\nTweet on DEV-0401, DEV-0234 exploiting Confluence RCE CVE-2022-26134\r\nKinsing Mirai Cobalt Strike Lilac Typhoon 2022-06-07 ⋅ AdvIntel ⋅ Marley Smith, Vitali Kremez, Yelisey Boguslavskiy\r\nBlackCat — In a Shifting Threat Landscape, It Helps to Land on Your Feet: Tech Dive\r\nBlackCat BlackCat Cobalt Strike 2022-06-07 ⋅ cyble ⋅ Cyble\r\nBumblebee Loader on The Rise\r\nBumbleBee Cobalt Strike 2022-06-06 ⋅ Trellix ⋅ Trelix\r\nGrowling Bears Make Thunderous Noise\r\nCobalt 
Strike HermeticWiper WhisperGate NB65 2022-06-04 ⋅ kienmanowar Blog ⋅ m4n0w4r, Tran Trung Kien\r\n[QuickNote] CobaltStrike SMB Beacon Analysis\r\nCobalt Strike 2022-06-03 ⋅ AttackIQ ⋅ AttackIQ Adversary Research Team, Jackson Wells\r\nAttack Graph Response to US CERT AA22-152A: Karakurt Data Extortion Group\r\nCobalt Strike MimiKatz 2022-06-02 ⋅ Mandiant ⋅ Mandiant Intelligence\r\nTo HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions\r\nFAKEUPDATES Blister Cobalt Strike DoppelPaymer Dridex FriedEx Hades LockBit Macaw MimiKatz Phoenix\r\nLocker WastedLocker 2022-06-02 ⋅ Mandiant ⋅ Mandiant\r\nTRENDING EVIL Q2 2022\r\nCloudEyE Cobalt Strike CryptBot Emotet IsaacWiper QakBot 2022-06-01 ⋅ Elastic ⋅ Andrew Pease, Daniel Stepanic, Derek\r\nDitch, Salim Bitam, Seth Goodwin\r\nCUBA Ransomware Campaign Analysis\r\nCobalt Strike Cuba Meterpreter MimiKatz SystemBC 2022-05-25 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt\r\nSocGholish Campaigns and Initial Access Kit\r\nFAKEUPDATES Blister Cobalt Strike NetSupportManager RAT 2022-05-24 ⋅ BitSight ⋅ BitSight, João Batista, Pedro\r\nUmbelino\r\nEmotet Botnet Rises Again\r\nCobalt Strike Emotet QakBot SystemBC 2022-05-24 ⋅ The Hacker News ⋅ Florian Goutin\r\nMalware Analysis: Trickbot\r\nCobalt Strike Conti Ryuk TrickBot 2022-05-22 ⋅ R136a1 ⋅ Dominik Reichel\r\nIntroduction of a PE file extractor for various situations\r\nCobalt Strike Matanbuchus 2022-05-20 ⋅ Cybleinc ⋅ Cyble\r\nMalware Campaign Targets InfoSec Community: Threat Actor Uses Fake Proof Of Concept To Deliver Cobalt-Strike Beacon\r\nCobalt Strike 2022-05-20 ⋅ AhnLab ⋅ ASEC\r\nWhy Remediation Alone Is Not Enough When Infected by Malware\r\nCobalt Strike DarkSide 2022-05-20 ⋅ sonatype ⋅ Ax Sharma\r\nNew 'pymafka' malicious package drops Cobalt Strike on macOS, Windows, Linux\r\nCobalt Strike 2022-05-19 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan\r\nBumblebee Malware from TransferXL URLs\r\nBumbleBee Cobalt Strike 2022-05-19 ⋅ InfoSec Handlers Diary 
Blog ⋅ Brad Duncan\r\nBumblebee Malware from TransferXL URLs\r\nBumbleBee Cobalt Strike 2022-05-18 ⋅ PRODAFT Threat Intelligence ⋅ PRODAFT\r\nWizard Spider In-Depth Analysis\r\nCobalt Strike Conti WIZARD SPIDER 2022-05-17 ⋅ Trend Micro ⋅ Trend Micro Research\r\nRansomware Spotlight: RansomEXX\r\nLaZagne Cobalt Strike IcedID MimiKatz PyXie RansomEXX TrickBot 2022-05-12 ⋅ Red Canary ⋅ Lauren Podber, Tony\r\nLambert\r\nGootloader and Cobalt Strike malware analysis\r\nGootLoader Cobalt Strike 2022-05-12 ⋅ Red Canary ⋅ Lauren Podber, Tony Lambert\r\nThe Goot cause: Detecting Gootloader and its follow-on activity\r\nGootLoader Cobalt Strike 2022-05-12 ⋅ Intel 471 ⋅ Intel 471\r\nWhat malware to look for if you want to prevent a ransomware attack\r\nConti BumbleBee Cobalt Strike IcedID Sliver 2022-05-12 ⋅ TEAMT5 ⋅ Leon Chang, Silvia Yeh\r\nThe Next Gen PlugX/ShadowPad? A Dive into the Emerging China-Nexus Modular Trojan, Pangolin8RAT\r\n(slides)\r\nKEYPLUG Cobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad Winnti SLIME29 TianWu 2022-05-11 ⋅ ⋅\r\nNTT ⋅ Ryu Hiyoshi\r\nOperation RestyLink: Targeted attack campaign targeting Japanese companies\r\nCobalt Strike 2022-05-11 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan\r\nTA578 using thread-hijacked emails to push ISO files for Bumblebee malware\r\nBumbleBee Cobalt Strike IcedID PhotoLoader 2022-05-10 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli\r\nA Malware Analysis in RU-AU conflict\r\nCobalt Strike 2022-05-09 ⋅ TEAMT5 ⋅ TeamT5\r\nHiding in Plain Sight: Obscuring C2s by Abusing CDN Services\r\nCobalt Strike 2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center\r\n(MSTIC)\r\nRansomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself\r\nAnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon\r\nATOMSILO BazarBackdoor 
BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi\r\nHelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker\r\nPhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT 2022-05-09 ⋅\r\nThe DFIR Report ⋅ The DFIR Report\r\nSEO Poisoning – A Gootloader Story\r\nGootLoader LaZagne Cobalt Strike GootKit 2022-05-09 ⋅ cocomelonc ⋅ cocomelonc\r\nMalware development: persistence - part 4. Windows services. Simple C++ example.\r\nAnchor AppleJeus Attor BBSRAT BlackEnergy Carbanak Cobalt Strike DuQu 2022-05-08 ⋅ IronNet ⋅ Brent Eskridge,\r\nJoey Fitzpatrick, Michael Leardi\r\nTracking Cobalt Strike Servers Used in Cyberattacks on Ukraine\r\nCobalt Strike 2022-05-06 ⋅ The Hacker News ⋅ Ravie Lakshmanan\r\nThis New Fileless Malware Hides Shellcode in Windows Event Logs\r\nCobalt Strike 2022-05-06 ⋅ Palo Alto Networks Unit 42 ⋅ Chris Navarrete, Durgesh Sangvikar, Siddhart Shibiraj, Yanhui Jia, Yu Fu\r\nCobalt Strike Analysis and Tutorial: CS Metadata Encoding and Decoding\r\nCobalt Strike 2022-05-06 ⋅ Twitter (@MsftSecIntel) ⋅ Microsoft Security Intelligence\r\nTwitter Thread on initial infeciton of SocGholish/ FAKEUPDATES campaigns lead to BLISTER Loader,\r\nCobaltStrike, Lockbit and followed by Hands On Keyboard activity\r\nFAKEUPDATES Blister Cobalt Strike LockBit 2022-05-05 ⋅ Cisco Talos ⋅ Aliza Berk, Asheer Malhotra, Jung soo An, Justin\r\nThattil, Kendall McKay\r\nMustang Panda deploys a new wave of malware targeting Europe\r\nCobalt Strike Meterpreter PlugX PUBLOAD 2022-05-04 ⋅ Twitter (@felixw3000) ⋅ Felix\r\nTwitter Thread with info on infection chain with IcedId, Cobalt Strike, and Hidden VNC.\r\nCobalt Strike IcedID PhotoLoader 2022-05-04 ⋅ Kaspersky ⋅ Denis Legezo\r\nA new secret stash for “fileless” malware\r\nCobalt Strike 2022-05-03 ⋅ Cluster25 ⋅ Cluster25\r\nThe Strange Link 
Between A Destructive Malware And A Ransomware-Gang Linked Custom Loader: IsaacWiper\r\nVs Vatet\r\nCobalt Strike IsaacWiper PyXie 2022-05-03 ⋅ Recorded Future ⋅ Insikt Group®\r\nSOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse\r\nCobalt Strike EnvyScout 2022-05-03 ⋅ Recorded Future ⋅ Insikt Group\r\nSOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse\r\nCobalt Strike 2022-05-02 ⋅ ⋅ Macnica ⋅ Hiroshi Takeuchi\r\nAttack Campaigns that Exploit Shortcuts and ISO Files\r\nCobalt Strike 2022-05-02 ⋅ Cisco Talos ⋅ JAIME FILSON, Kendall McKay, Paul Eubanks\r\nConti and Hive ransomware operations: Leveraging victim chats for insights\r\nCobalt Strike Conti Hive 2022-04-28 ⋅ PWC ⋅ PWC UK\r\nCyber Threats 2021: A Year in Retrospect (Annex)\r\nCobalt Strike Conti PlugX RokRAT Inception Framework Red Menshen 2022-04-28 ⋅ Mandiant ⋅ Anders Vejlby, John\r\nWolfram, Nick Simonian, Sarah Hawley, Tyler McLellan\r\nTrello From the Other Side: Tracking APT29 Phishing Campaigns\r\nCobalt Strike 2022-04-27 ⋅ Sentinel LABS ⋅ James Haughom, Jim Walter, Júlio Dantas\r\nLockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility\r\nCobalt Strike LockBit 2022-04-27 ⋅ Mandiant ⋅ Mandiant\r\nAssembling the Russian Nesting Doll: UNC2452 Merged into APT29\r\nCobalt Strike Raindrop SUNBURST TEARDROP 2022-04-27 ⋅ ⋅ ANSSI ⋅ ANSSI\r\nLE GROUPE CYBERCRIMINEL FIN7\r\nBateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter\r\nBOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet\r\nQadars Ranbyus SocksBot 2022-04-27 ⋅ Sentinel LABS ⋅ James Haughom, Jim Walter, Júlio Dantas\r\nLockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility\r\nCobalt Strike LockBit BRONZE STARLIGHT 2022-04-27 ⋅ Trendmicro ⋅ Daniel Lunghi, Jaromír Hořejší\r\nOperation Gambling Puppet\r\nreptile oRAT AsyncRAT Cobalt Strike DCRat Ghost RAT PlugX Quasar RAT Trochilus 
RAT Earth Berberoka\r\n2022-04-27 ⋅ Trendmicro ⋅ Trendmicro\r\nIOCs for Earth Berberoka - Windows\r\nAsyncRAT Cobalt Strike PlugX Quasar RAT Earth Berberoka 2022-04-26 ⋅ Intel 471 ⋅ Intel 471\r\nConti and Emotet: A constantly destructive duo\r\nCobalt Strike Conti Emotet IcedID QakBot TrickBot 2022-04-26 ⋅ Trend Micro ⋅ Lord Alfred Remorin, Ryan Flores, Stephen\r\nHilt\r\nHow Cybercriminals Abuse Cloud Tunneling Services\r\nAsyncRAT Cobalt Strike DarkComet Meterpreter Nanocore RAT 2022-04-25 ⋅ The DFIR Report ⋅ The DFIR Report\r\nQuantum Ransomware\r\nCobalt Strike IcedID 2022-04-25 ⋅ Morphisec ⋅ Morphisec Labs\r\nNew Core Impact Backdoor Delivered Via VMware Vulnerability\r\nCobalt Strike JSSLoader 2022-04-21 ⋅ ZeroSec ⋅ Andy Gill\r\nUnderstanding Cobalt Strike Profiles - Updated For Cobalt Strike 4.6\r\nCobalt Strike 2022-04-19 ⋅ Blake's R\u0026D ⋅ bmcder02\r\nExtracting Cobalt Strike from Windows Error Reporting\r\nCobalt Strike 2022-04-19 ⋅ Varonis ⋅ Nadav Ovadia\r\nHive Ransomware Analysis\r\nCobalt Strike Hive MimiKatz 2022-04-18 ⋅ SentinelOne ⋅ James Haughom\r\nFrom the Front Lines | Peering into A PYSA Ransomware Attack\r\nChisel Chisel Cobalt Strike Mespinoza 2022-04-18 ⋅ vanmieghem ⋅ Vincent Van Mieghem\r\nA blueprint for evading industry leading endpoint protection in 2022\r\nCobalt Strike 2022-04-18 ⋅ AdvIntel ⋅ Vitali Kremez, Yelisey Boguslavskiy\r\nEnter KaraKurt: Data Extortion Arm of Prolific Ransomware Group\r\nAvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive Karakurt 2022-04-14 ⋅ Cynet ⋅ Max\r\nMalyutin\r\nOrion Threat Alert: Flight of the BumbleBee\r\nBumbleBee Cobalt Strike 2022-04-13 ⋅ ESET Research ⋅ Jean-Ian Boutin, Tomáš Procházka\r\nESET takes part in global operation to disrupt Zloader botnets\r\nCobalt Strike Zloader 2022-04-13 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team\r\nDismantling ZLoader: How malicious 
ads led to disabled security tools and ransomware\r\nBlackMatter Cobalt Strike DarkSide Ryuk Zloader 2022-04-08 ⋅ Infinitum Labs ⋅ Arda Büyükkaya\r\nThreat Spotlight: Conti Ransomware Group Behind the Karakurt Hacking Team\r\nCobalt Strike MimiKatz 2022-04-07 ⋅ InQuest ⋅ Nick Chalard, Will MacArthur\r\nUkraine CyberWar Overview\r\nCyclopsBlink Cobalt Strike GraphSteel GrimPlant HermeticWiper HermeticWizard MicroBackdoor PartyTicket\r\nSaint Bot Scieron WhisperGate 2022-04-07 ⋅ splunk ⋅ Splunk Threat Research Team\r\nYou Bet Your Lsass: Hunting LSASS Access\r\nCobalt Strike MimiKatz 2022-04-06 ⋅ Github (infinitumlabs) ⋅ Arda Büyükkaya\r\nKarakurt Hacking Team Indicators of Compromise (IOC)\r\nCobalt Strike 2022-04-04 ⋅ Mandiant ⋅ Brendan McKeague, Bryce Abdo, Ioana Teaca, Zander Work\r\nFIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7\r\nGriffon BABYMETAL Carbanak Cobalt Strike JSSLoader Termite 2022-03-31 ⋅ nccgroup ⋅ Alex Jessop, Nikolaos\r\nPantazopoulos, RIFT: Research and Intelligence Fusion Team, Simon Biggs\r\nConti-nuation: methods and techniques observed in operations post the leaks\r\nCobalt Strike Conti QakBot 2022-03-31 ⋅ SC Media ⋅ SC Staff\r\nNovel obfuscation leveraged by Hive ransomware\r\nCobalt Strike Hive 2022-03-30 ⋅ Prevailion ⋅ Prevailion\r\nWizard Spider continues to confound\r\nBazarBackdoor Cobalt Strike Emotet 2022-03-30 ⋅ Bleeping Computer ⋅ Bill Toulas\r\nPhishing campaign targets Russian govt dissidents with Cobalt Strike\r\nUnidentified PS 002 (RAT) Cobalt Strike 2022-03-29 ⋅ Malwarebytes Labs ⋅ Hossein Jazi\r\nNew spear phishing campaign targets Russian dissidents\r\nUnidentified PS 002 (RAT) Cobalt Strike 2022-03-29 ⋅ SentinelOne ⋅ Antonis Terefos, James Haughom, Jeff Cavanaugh, Jim\r\nWalter, Nick Fox, Shai Tilias\r\nFrom the Front Lines | Hive Ransomware Deploys Novel IPfuscation Technique To Avoid Detection\r\nCobalt Strike Hive 
2022-03-28 ⋅ Medium walmartglobaltech ⋅ Jason Reaves\r\nCobaltStrike UUID stager\r\nCobalt Strike 2022-03-25 ⋅ nccgroup ⋅ Yun Zheng Hu\r\nMining data from Cobalt Strike beacons\r\nCobalt Strike 2022-03-25 ⋅ GOV.UA ⋅ State Service of Special Communication and Information Protection of Ukraine (CIP)\r\nWho is behind the Cyberattacks on Ukraine's Critical Information Infrastructure: Statistics for March 15-22\r\nXloader Agent Tesla CaddyWiper Cobalt Strike DoubleZero GraphSteel GrimPlant HeaderTip HermeticWiper\r\nIsaacWiper MicroBackdoor Pandora RAT 2022-03-22 ⋅ NVISO Labs ⋅ Didier Stevens\r\nCobalt Strike: Overview – Part 7\r\nCobalt Strike 2022-03-22 ⋅ Red Canary ⋅ Red Canary\r\n2022 Threat Detection Report\r\nFAKEUPDATES Silver Sparrow BazarBackdoor Cobalt Strike GootKit Yellow Cockatoo RAT 2022-03-21 ⋅ Threat\r\nPost ⋅ Lisa Vaas\r\nConti Ransomware V. 3, Including Decryptor, Leaked\r\nCobalt Strike Conti TrickBot 2022-03-21 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)\r\nConti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered\r\nHelloKitty BazarBackdoor Cobalt Strike Conti FiveHands HelloKitty IcedID 2022-03-17 ⋅ Google ⋅ Benoit Sevens,\r\nGoogle Threat Analysis Group, Vladislav Stolyarov\r\nExposing initial access broker with ties to Conti\r\nBazarBackdoor BumbleBee Cobalt Strike Conti 2022-03-16 ⋅ SANS ISC ⋅ Brad Duncan\r\nQakbot infection with Cobalt Strike and VNC activity\r\nCobalt Strike QakBot 2022-03-16 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan\r\nQakbot infection with Cobalt Strike and VNC activity\r\nCobalt Strike QakBot 2022-03-16 ⋅ paloalto Netoworks: Unit42 ⋅ Andrew Guan, Chris Navarrete, Durgesh Sangvikar, Siddhart\r\nShibiraj, Yanhui Jia, Yu Fu\r\nCobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect\r\nCobalt Strike 2022-03-15 ⋅ SentinelOne ⋅ Amitai Ben Shushan Ehrlich\r\nThreat Actor UAC-0056 Targeting Ukraine with Fake Translation Software\r\nCobalt Strike 
GraphSteel GrimPlant SaintBear 2022-03-15 ⋅ Prevailion ⋅ Matt Stafford, Sherman Smith\r\nWhat Wicked Webs We Un-weave\r\nCobalt Strike Conti 2022-03-14 ⋅ Bleeping Computer ⋅ Bill Toulas\r\nFake antivirus updates used to deploy Cobalt Strike in Ukraine\r\nCobalt Strike 2022-03-12 ⋅ Arash's Blog ⋅ Arash Parsa\r\nAnalyzing Malware with Hooks, Stomps, and Return-addresses\r\nCobalt Strike 2022-03-11 ⋅ ⋅ Cert-UA\r\nCyberattack on Ukrainian state authorities using the Cobalt Strike Beacon (CERT-UA#4145)\r\nCobalt Strike 2022-03-09 ⋅ Bleeping Computer ⋅ Ionut Ilascu\r\nCISA updates Conti ransomware alert with nearly 100 domain names\r\nBazarBackdoor Cobalt Strike Conti TrickBot 2022-03-09 ⋅ BreachQuest ⋅ Bernard Silvestrini, Marco Figueroa, Napoleon Bing\r\nThe Conti Leaks | Insight into a Ransomware Unicorn\r\nCobalt Strike MimiKatz TrickBot 2022-03-08 ⋅ Mandiant ⋅ Douglas Bienstock, Geoff Ackerman, John Wolfram, Rufus Brown,\r\nVan Ta\r\nDoes This Look Infected? A Summary of APT41 Targeting U.S. 
State Governments\r\nKEYPLUG Cobalt Strike LOWKEY 2022-03-07 ⋅ The DFIR Report ⋅ The DFIR Report\r\n2021 Year In Review\r\nCobalt Strike 2022-03-04 ⋅ Telsy ⋅ Telsy\r\nLegitimate Sites Used As Cobalt Strike C2s Against Indian Government\r\nCobalt Strike 2022-03-03 ⋅ Trend Micro ⋅ Trend Micro Research\r\nCyberattacks are Prominent in the Russia-Ukraine Conflict\r\nBazarBackdoor Cobalt Strike Conti Emotet WhisperGate 2022-03-01 ⋅ VirusTotal ⋅ VirusTotal\r\nVirusTotal's 2021 Malware Trends Report\r\nAnubis AsyncRAT BlackMatter Cobalt Strike DanaBot Dridex Khonsari MimiKatz Mirai Nanocore RAT Orcus\r\nRAT 2022-02-24 ⋅ Fortinet ⋅ Fred Gutierrez\r\nNobelium Returns to the Political World Stage\r\nCobalt Strike 2022-02-24 ⋅ Cynet ⋅ Max Malyutin\r\nNew Wave of Emotet – When Project X Turns Into Y\r\nCobalt Strike Emotet 2022-02-23 ⋅ AdvIntel ⋅ Vitali Kremez, Yelisey Boguslavskiy\r\n24 Hours From Log4Shell to Local Admin: Deep-Dive Into Conti Gang Attack on Fortune 500 (DFIR)\r\nCobalt Strike Conti 2022-02-23 ⋅ SophosLabs Uncut ⋅ Andrew Brandt\r\nDridex bots deliver Entropy ransomware in recent attacks\r\nCobalt Strike Dridex Entropy 2022-02-23 ⋅ cyber.wtf blog ⋅ Luca Ebach\r\nWhat the Pack(er)?\r\nCobalt Strike Emotet 2022-02-22 ⋅ Bleeping Computer ⋅ Bill Toulas\r\nVulnerable Microsoft SQL Servers targeted with Cobalt Strike\r\nCobalt Strike Kingminer Lemon Duck 2022-02-22 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)\r\nIcedID to Cobalt Strike In Under 20 Minutes\r\nCobalt Strike IcedID PhotoLoader 2022-02-21 ⋅ The DFIR Report\r\nQbot and Zerologon Lead To Full Domain Compromise\r\nCobalt Strike QakBot 2022-02-21 ⋅ ASEC\r\nCobalt Strike Being Distributed to Vulnerable MS-SQL Servers\r\nCobalt Strike Lemon Duck 2022-02-20 ⋅ Medium SOCFortress ⋅ SOCFortress\r\nDetecting Cobalt Strike Beacons\r\nCobalt Strike 2022-02-18 ⋅ Huntress Labs ⋅ Matthew Brennan\r\nHackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection\r\nCobalt Strike 2022-02-16 ⋅ 
Security Onion ⋅ Doug Burks\r\nQuick Malware Analysis: Emotet Epoch 5 and Cobalt Strike pcap from 2022-02-08\r\nCobalt Strike Emotet 2022-02-15 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)\r\nIncrease in Emotet Activity and Cobalt Strike Deployment\r\nCobalt Strike Emotet 2022-02-10 ⋅ Cybereason ⋅ Cybereason Global SOC Team\r\nThreat Analysis Report: All Paths Lead to Cobalt Strike - IcedID, Emotet and QBot\r\nCobalt Strike Emotet IcedID QakBot 2022-02-09 ⋅ vmware ⋅ VMWare\r\nExposing Malware in Linux-Based Multi-Cloud Environments\r\nACBackdoor BlackMatter DarkSide Erebus HelloKitty Kinsing PLEAD QNAPCrypt RansomEXX REvil Sysrv-hello TeamTNT Vermilion Strike Cobalt Strike 2022-01-31 ⋅ CyberArk ⋅ Arash Parsa\r\nAnalyzing Malware with Hooks, Stomps and Return-addresses\r\nCobalt Strike 2022-01-28 ⋅ Morphisec ⋅ Morphisec Labs\r\nLog4j Exploit Hits Again: Vulnerable Unifi Network Application (Ubiquiti) at Risk\r\nCobalt Strike 2022-01-27 ⋅ JSAC 2021 ⋅ Hajime Yanagishita, Kiyotaka Tamada, Suguru Ishimaru, You Nakatsuru\r\nWhat We Can Do against the Chaotic A41APT Campaign\r\nCHINACHOPPER Cobalt Strike HUI Loader SodaMaster 2022-01-26 ⋅ Blackberry ⋅ Codi Starks, Ryan Gibson, Will Ikard\r\nLog4U, Shell4Me\r\nCobalt Strike 2022-01-25 ⋅ Cynet ⋅ Orion Threat Research and Intelligence Team\r\nThreats Looming Over the Horizon\r\nCobalt Strike Meterpreter NightSky 2022-01-24 ⋅ The DFIR Report ⋅ The DFIR Report\r\nCobalt Strike, a Defender’s Guide – Part 2\r\nCobalt Strike 2022-01-20 ⋅ Morphisec ⋅ Michael Gorelik\r\nLog4j Exploit Hits Again: Vulnerable VMWare Horizon Servers at Risk\r\nCobalt Strike 2022-01-19 ⋅ Sophos ⋅ Colin Cowie, Mat Gangwer, Sophos MTR Team, Stan Andic\r\nZloader Installs Remote Access Backdoors and Delivers Cobalt Strike\r\nCobalt Strike Zloader 2022-01-19 ⋅ Elastic ⋅ Andrew Pease, Daniel Stepanic, Derek Ditch, Seth Goodwin\r\nCollecting Cobalt Strike Beacons with 
the Elastic Stack\r\nCobalt Strike 2022-01-19 ⋅ Elastic ⋅ Andrew Pease, Daniel Stepanic, Derek Ditch, Seth Goodwin\r\nExtracting Cobalt Strike Beacon Configurations\r\nCobalt Strike 2022-01-19 ⋅ Blackberry ⋅ The BlackBerry Research \u0026 Intelligence Team\r\nKraken the Code on Prometheus\r\nPrometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk 2022-01-18 ⋅\r\nRecorded Future ⋅ Insikt Group®\r\n2021 Adversary Infrastructure Report\r\nBazarBackdoor Cobalt Strike Dridex IcedID QakBot TrickBot 2022-01-17 ⋅ Trend Micro ⋅ Cedric Pernet, Daniel Lunghi,\r\nGloria Chen, Jaromír Hořejší, Joseph Chen, Kenney Lu\r\nDelving Deep: An Analysis of Earth Lusca’s Operations\r\nBIOPASS Cobalt Strike FunnySwitch JuicyPotato ShadowPad Winnti Earth Lusca 2022-01-16 ⋅ forensicitguy ⋅ Tony\r\nLambert\r\nAnalyzing a CACTUSTORCH HTA Leading to Cobalt Strike\r\nCACTUSTORCH Cobalt Strike 2022-01-15 ⋅ Huntress Labs ⋅ Team Huntress\r\nThreat Advisory: VMware Horizon Servers Actively Being Hit With Cobalt Strike (by DEV-0401)\r\nCobalt Strike 2022-01-11 ⋅ Cybereason ⋅ Chen Erlich, Daichi Shimabukuro, Niv Yona, Ofir Ozer, Omri Refaeli\r\nThreat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike\r\nCobalt Strike QakBot Squirrelwaffle 2022-01-11 ⋅ Twitter (@cglyer) ⋅ Christopher Glyer\r\nThread on DEV-0401, a china based ransomware operator exploiting VMware Horizon with log4shell and\r\ndeploying NightSky ransomware\r\nCobalt Strike NightSky 2022-01-11 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt\r\nSigned DLL campaigns as a service\r\nBATLOADER Cobalt Strike ISFB Zloader 2022-01-09 ⋅ forensicitguy ⋅ Tony Lambert\r\nInspecting a PowerShell Cobalt Strike Beacon\r\nCobalt Strike 2022-01-06 ⋅ Sekoia ⋅ sekoia\r\nNOBELIUM’s EnvyScout infection chain goes in the registry, targeting embassies\r\nCobalt Strike EnvyScout 2022-01-01 ⋅ Silent 
Push ⋅ Silent Push\r\nConsequences- The Conti Leaks and future problems\r\nCobalt Strike Conti 2021-12-29 ⋅ Blake's R\u0026D ⋅ Blake\r\nCobalt Strike DFIR: Listening to the Pipes\r\nCobalt Strike 2021-12-29 ⋅ CrowdStrike ⋅ Benjamin Wiley, Falcon OverWatch Team\r\nOverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion\r\nAttempt\r\nCobalt Strike 2021-12-28 ⋅ Morphus Labs ⋅ Renato Marinho\r\nAttackers are abusing MSBuild to evade defenses and implant Cobalt Strike beacons\r\nCobalt Strike 2021-12-22 ⋅ Telsy ⋅ Telsy Research Team\r\nPhishing Campaign targeting citizens abroad using COVID-19 theme lures\r\nCobalt Strike 2021-12-16 ⋅ Red Canary ⋅ The Red Canary Team\r\nIntelligence Insights: December 2021\r\nCobalt Strike QakBot Squirrelwaffle 2021-12-16 ⋅ TEAMT5 ⋅ Aragorn Tseng, Charles Li, Peter Syu, Tom Lai\r\nWinnti is Coming - Evolution after Prosecution\r\nCobalt Strike FishMaster FunnySwitch HIGHNOON ShadowPad Spyder 2021-12-10 ⋅ Accenture ⋅ Accenture\r\nKarakurt rises from its lair\r\nCobalt Strike Karakurt 2021-12-07 ⋅ Bleeping Computer ⋅ Lawrence Abrams\r\nEmotet now drops Cobalt Strike, fast forwards ransomware attacks\r\nCobalt Strike Emotet 2021-12-06 ⋅ CERT-FR ⋅ CERT-FR\r\nPhishing campaigns by the Nobelium intrusion set\r\nCobalt Strike 2021-12-06 ⋅ Mandiant ⋅ Ashraf Abdalhalim, Ben Read, Doug Bienstock, Gabriella Roncone, Jonathan Leathery, Josh\r\nMadeley, Juraj Sucik, Luis Rocha, Luke Jenkins, Manfred Erjak, Marius Fodoreanu, Microsoft Detection and Response Team (DART),\r\nMicrosoft Threat Intelligence Center (MSTIC), Mitchell Clarke, Parnian Najafi, Sarah Hawley, Wojciech Ledzion\r\nSuspected Russian Activity Targeting Government and Business Entities Around the Globe (UNC2452)\r\nCobalt Strike CryptBot 2021-12-02 ⋅ CERT-FR ⋅ CERT-FR\r\nPhishing Campaigns by the Nobelium Intrusion Set\r\nCobalt Strike 2021-11-30 ⋅ Symantec ⋅ Symantec Threat Hunter Team\r\nYanluowang: Further Insights on New Ransomware 
Threat\r\nBazarBackdoor Cobalt Strike FiveHands 2021-11-29 ⋅ Mandiant ⋅ Brandan Schondorfer, Tyler McLellan\r\nKitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again\r\nCobalt Strike ROLLCOAST 2021-11-29 ⋅ The DFIR Report ⋅ The DFIR Report\r\nCONTInuing the Bazar Ransomware Story\r\nBazarBackdoor Cobalt Strike Conti 2021-11-19 ⋅ Trend Micro ⋅ Abdelrhman Sharshar, Mohamed Fahmy, Sherif Magdy\r\nSquirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains\r\nCobalt Strike QakBot Squirrelwaffle 2021-11-17 ⋅ Trend Micro ⋅ Abdelrhman Sharshar, Mohamed Fahmy, Ryan Maglaque,\r\nSherif Magdy\r\nAnalyzing ProxyShell-related Incidents via Trend Micro Managed XDR\r\nCobalt Strike Cotx RAT 2021-11-17 ⋅ nviso ⋅ Didier Stevens\r\nCobalt Strike: Decrypting Obfuscated Traffic – Part 4\r\nCobalt Strike 2021-11-17 ⋅ Twitter (@Unit42_Intel) ⋅ Unit 42\r\nTweet on Matanbuchus Loader used to deliver Qakbot (tag obama128b) and follow-up CobaltStrike\r\nCobalt Strike QakBot 2021-11-17 ⋅ Black Hills Information Security ⋅ Kyle Avery\r\nDNS Over HTTPS for Cobalt Strike\r\nCobalt Strike 2021-11-16 ⋅ Cisco ⋅ Asheer Malhotra, Chetan Raghuprasad, Vanja Svajcer\r\nAttackers use domain fronting technique to target Myanmar with Cobalt Strike\r\nCobalt Strike 2021-11-16 ⋅ Blackberry ⋅ Dean Given, Eoin Wickens, Jim Simpson, Marta Janus, T.J. 
O'Leary, Tom Bonner\r\nFinding Beacons in the dark\r\nCobalt Strike 2021-11-16 ⋅ IronNet ⋅ IronNet Threat Research, Joey Fitzpatrick, Morgan Demboski, Peter Rydzynski\r\nHow IronNet's Behavioral Analytics Detect REvil and Conti Ransomware\r\nCobalt Strike Conti IcedID REvil 2021-11-15 ⋅ TRUESEC ⋅ Fabio Viggiani\r\nProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks\r\nCobalt Strike Conti QakBot 2021-11-13 ⋅ Just Still ⋅ Still Hsu\r\nThreat Spotlight - Domain Fronting\r\nCobalt Strike 2021-11-12 ⋅ Malwarebytes ⋅ Hossein Jazi\r\nA multi-stage PowerShell based attack targets Kazakhstan\r\nCobalt Strike 2021-11-11 ⋅ Cynet ⋅ Max Malyutin\r\nA Duck Nightmare Quakbot Strikes with QuakNightmare Exploitation\r\nCobalt Strike QakBot 2021-11-10 ⋅ Sekoia ⋅ Cyber Threat Intelligence team\r\nWalking on APT31 infrastructure footprints\r\nRekoobe Unidentified ELF 004 Cobalt Strike 2021-11-10 ⋅ AT\u0026T ⋅ Josh Gomez\r\nStories from the SOC - Powershell, Proxyshell, Conti TTPs OH MY!\r\nCobalt Strike Conti 2021-11-09 ⋅ Cybereason ⋅ Aleksandar Milenkoski, Eli Salem\r\nTHREAT ANALYSIS REPORT: From Shatak Emails to the Conti Ransomware\r\nCobalt Strike Conti 2021-11-05 ⋅ Blackberry ⋅ The BlackBerry Research \u0026 Intelligence Team\r\nHunter Becomes Hunted: Zebra2104 Hides a Herd of Malware\r\nCobalt Strike DoppelDridex Mount Locker Phobos StrongPity 2021-11-05 ⋅ Twitter (@Unit42_Intel) ⋅ Unit 42\r\nTweet on TA551 (Shathak) BazarLoader infection with CobaltStrike and DarkVNC drops\r\nBazarBackdoor Cobalt Strike 2021-11-03 ⋅ nviso ⋅ Didier Stevens\r\nCobalt Strike: Using Process Memory To Decrypt Traffic – Part 3\r\nCobalt Strike 2021-11-03 ⋅ Didier Stevens ⋅ Didier Stevens\r\nNew Tool: cs-extract-key.py\r\nCobalt Strike 2021-11-02 ⋅ Intel 471 ⋅ Intel 471\r\nCybercrime underground flush with shipping companies’ credentials\r\nCobalt Strike Conti 2021-11-02 ⋅ unh4ck ⋅ Cyb3rSn0rlax\r\nDetecting CONTI CobaltStrike Lateral Movement Techniques - Part 2\r\nCobalt 
Strike Conti 2021-11-02 ⋅ boschko.ca blog ⋅ Olivier Laflamme\r\nCobalt Strike Process Injection\r\nCobalt Strike 2021-11-01 ⋅ Accenture ⋅ Curt Wilson, Heather Larrieu, Katrina Hill\r\nDiving into double extortion campaigns\r\nCobalt Strike MimiKatz 2021-11-01 ⋅ The DFIR Report ⋅ @iiamaleks, @samaritan_o\r\nFrom Zero to Domain Admin\r\nCobalt Strike Hancitor 2021-10-29 ⋅ Europol ⋅ Europol\r\n12 targeted for involvement in ransomware attacks against critical infrastructure\r\nCobalt Strike Dharma LockerGoga MegaCortex TrickBot 2021-10-29 ⋅ ⋅ Національна поліція України ⋅ Національна\r\nполіція України\r\nCyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies\r\nCobalt Strike Dharma LockerGoga MegaCortex TrickBot 2021-10-27 ⋅ nviso ⋅ Didier Stevens\r\nCobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 2\r\nCobalt Strike 2021-10-26 ⋅ Cisco Talos ⋅ Edmund Brumaghin, Mariano Graziano, Nick Mavis\r\nSQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike\r\nCobalt Strike QakBot Squirrelwaffle 2021-10-26 ⋅ unh4ck ⋅ Hamza OUADIA\r\nDetecting CONTI CobaltStrike Lateral Movement Techniques - Part 1\r\nCobalt Strike Conti 2021-10-26 ⋅ ANSSI\r\nIdentification of a new cyber criminal group: Lockean\r\nCobalt Strike DoppelPaymer Egregor Maze PwndLocker QakBot REvil 2021-10-21 ⋅ nviso ⋅ Didier Stevens\r\nCobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 1\r\nCobalt Strike 2021-10-21 ⋅ CrowdStrike ⋅ Alex Clinton, Tasha Robinson\r\nStopping GRACEFUL SPIDER: Falcon Complete’s Fast Response to Recent SolarWinds Serv-U Exploit\r\nCampaign\r\nCobalt Strike FlawedGrace TinyMet 2021-10-18 ⋅ The DFIR Report ⋅ The DFIR Report\r\nIcedID to XingLocker Ransomware in 24 hours\r\nCobalt Strike IcedID Mount Locker 2021-10-18 ⋅ paloalto Netoworks: Unit42 ⋅ Brad Duncan\r\nCase Study: From BazarLoader to Network 
Reconnaissance\r\nBazarBackdoor Cobalt Strike 2021-10-18 ⋅ Symantec ⋅ Threat Hunter Team\r\nHarvester: Nation-state-backed group uses new toolset to target victims in South Asia\r\nCobalt Strike Graphon 2021-10-14 ⋅ Medium walmartglobaltech ⋅ Jason Reaves\r\nInvestigation into the state of NIM malware Part 2\r\nCobalt Strike NimGrabber Nimrev Unidentified 088 (Nim Ransomware) 2021-10-13 ⋅ Blackberry ⋅ BlackBerry Research\r\n\u0026 Intelligence Team\r\nBlackBerry Shines Spotlight on Evolving Cobalt Strike Threat in New Book\r\nCobalt Strike 2021-10-12 ⋅ Mandiant ⋅ Alyssa Rahman\r\nDefining Cobalt Strike Components So You Can BEA-CONfident in Your Analysis\r\nCobalt Strike 2021-10-11 ⋅ Accenture ⋅ Accenture Cyber Threat Intelligence\r\nMoving Left of the Ransomware Boom\r\nREvil Cobalt Strike MimiKatz RagnarLocker REvil 2021-10-08 ⋅ 0ffset Blog ⋅ Chuong Dong\r\nSQUIRRELWAFFLE – Analysing The Main Loader\r\nCobalt Strike Squirrelwaffle 2021-10-07 ⋅ Netskope ⋅ Ghanashyam Satpathy, Gustavo Palazolo\r\nSquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot\r\nCobalt Strike QakBot Squirrelwaffle 2021-10-07 ⋅ Mandiant ⋅ Mandiant Research Team\r\nFIN12 Group Profile: FIN12 Priotizes Speed to Deploy Ransomware Aginst High-Value Targets\r\nCobalt Strike Empire Downloader TrickBot 2021-10-06 ⋅ Blackberry ⋅ Blackberry Research\r\nFinding Beacons in the Dark\r\nCobalt Strike 2021-10-05 ⋅ Blackberry ⋅ The BlackBerry Research \u0026 Intelligence Team\r\nDrawing a Dragon: Connecting the Dots to Find APT41\r\nCobalt Strike Ghost RAT 2021-10-04 ⋅ The DFIR Report ⋅ The DFIR Report\r\nBazarLoader and the Conti Leaks\r\nBazarBackdoor Cobalt Strike Conti 2021-10-04 ⋅ Sophos ⋅ Chaitanya Ghorpade, Kajal Katiyar, Krisztián Diriczi, Rahil Shah,\r\nSean Gallagher, Vikas Singh\r\nAtom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack\r\nATOMSILO Cobalt Strike 
2021-10-03 ⋅ Github (0xjxd) ⋅ Joel Dönne\r\nSquirrelWaffle - From Maldoc to Cobalt Strike\r\nCobalt Strike Squirrelwaffle 2021-10-01 ⋅ 0ffset Blog ⋅ Chuong Dong\r\nSQUIRRELWAFFLE – Analysing the Custom Packer\r\nCobalt Strike Squirrelwaffle 2021-09-30 ⋅ CrowdStrike ⋅ Falcon OverWatch Team\r\nHunting for the Confluence Exploitation: When Falcon OverWatch Becomes the First Line of Defense\r\nCobalt Strike 2021-09-30 ⋅ PT Expert Security Center\r\nMasters of Mimicry: new APT group ChamelGang and its arsenal\r\nCobalt Strike 2021-09-30 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence\r\nMasters of Mimicry: new APT group ChamelGang and its arsenal\r\nCobalt Strike 2021-09-29 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy\r\nBackup “Removal” Solutions - From Conti Ransomware With Love\r\nCobalt Strike Conti 2021-09-29 ⋅ Malware Traffic Analysis ⋅ Brad Duncan\r\n2021-09-29 (Wednesday) - Hancitor with Cobalt Strike\r\nCobalt Strike Hancitor 2021-09-29 ⋅ Malware Traffic Analysis ⋅ Brad Duncan\r\nHancitor with Cobalt Strike\r\nCobalt Strike Hancitor 2021-09-28 ⋅ Zscaler ⋅ Avinash Kumar, Brett Stone-Gross\r\nSquirrelwaffle: New Loader Delivering Cobalt Strike\r\nCobalt Strike Squirrelwaffle 2021-09-27 ⋅ Cynet ⋅ Max Malyutin\r\nA Virtual Baffle to Battle Squirrelwaffle\r\nCobalt Strike Squirrelwaffle 2021-09-26 ⋅ NSFOCUS ⋅ Jie Ji\r\nInsights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2\r\nCobalt Strike LockFile 2021-09-24 ⋅ Trend Micro ⋅ Warren Sto.Tomas\r\nExamining the Cring Ransomware Techniques\r\nCobalt Strike Cring MimiKatz 2021-09-22 ⋅ CISA ⋅ US-CERT\r\nAlert (AA21-265A) Conti Ransomware\r\nCobalt Strike Conti 2021-09-21 ⋅ Medium elis531989 ⋅ Eli Salem\r\nThe Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle”\r\nCobalt Strike Squirrelwaffle 2021-09-21 ⋅ GuidePoint Security ⋅ Drew Schmitt\r\nA Ransomware Near Miss: ProxyShell, a RAT, and Cobalt Strike\r\nCobalt Strike 2021-09-21 ⋅ Sophos ⋅ Andrew Brandt, 
Chaitanya Ghorpade, Krisztián Diriczi, Shefali Gupta, Vikas Singh\r\nCring ransomware group exploits ancient ColdFusion server\r\nCobalt Strike Cring 2021-09-21 ⋅ skyblue.team blog ⋅ skyblue team\r\nScanning VirusTotal's firehose\r\nCobalt Strike 2021-09-21 ⋅ eSentire ⋅ eSentire\r\nRansomware Hackers Attack a Top Safety Testing Org. Using Tactics and Techniques Borrowed from Chinese\r\nEspionage Groups\r\nCobalt Strike MimiKatz UNC215 2021-09-17 ⋅ Medium inteloperator ⋅ Intel Operator\r\nThe default: 63 6f 62 61 6c 74 strike\r\nCobalt Strike 2021-09-17 ⋅ Malware Traffic Analysis ⋅ Brad Duncan\r\n2021-09-17 - SQUIRRELWAFFLE Loader with Cobalt Strike\r\nCobalt Strike Squirrelwaffle 2021-09-17 ⋅ CrowdStrike ⋅ Falcon OverWatch Team\r\nFalcon OverWatch Hunts Down Adversaries Where They Hide\r\nBazarBackdoor Cobalt Strike 2021-09-16 ⋅ RiskIQ ⋅ RiskIQ\r\nUntangling the Spider Web: The Curious Connection Between WIZARD SPIDER’s Ransomware Infrastructure\r\nand a Windows Zero-Day Exploit\r\nCobalt Strike Ryuk 2021-09-16 ⋅ Medium Shabarkin ⋅ Pavel Shabarkin\r\nPointer: Hunting Cobalt Strike globally\r\nCobalt Strike 2021-09-16 ⋅ Twitter (@GossiTheDog) ⋅ Kevin Beaumont\r\nTweet on some unknown threat actor dropping Mgbot, custom IIS modular backdoor and cobalstrike using\r\nexploiting ProxyShell\r\nCobalt Strike MgBot 2021-09-15 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence\r\nCenter (MSTIC)\r\nAnalyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability\r\nCobalt Strike 2021-09-14 ⋅ Recorded Future ⋅ Insikt Group®\r\nFull-Spectrum Cobalt Strike Detection\r\nCobalt Strike 2021-09-13 ⋅ The DFIR Report ⋅ The DFIR Report\r\nBazarLoader to Conti Ransomware in 32 Hours\r\nBazarBackdoor Cobalt Strike Conti 2021-09-12 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara\r\nMapping and Pivoting from Cobalt Strike C2 Infrastructure Attributed to 
CVE-2021-40444\r\nCobalt Strike 2021-09-10 ⋅ Gigamon ⋅ Joe Slowik\r\nRendering Threats: A Network Perspective\r\nBumbleBee Cobalt Strike 2021-09-09 ⋅ Trend Micro ⋅ Trend Micro\r\nRemote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs\r\nBumbleBee Cobalt Strike 2021-09-08 ⋅ Arash's Blog ⋅ Arash Parsa\r\nHook Heaps and Live Free\r\nCobalt Strike 2021-09-07 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara\r\nCobalt Strike C2 Hunting with Shodan\r\nCobalt Strike 2021-09-06 ⋅ kienmanowar Blog ⋅ m4n0w4r\r\nQuick analysis CobaltStrike loader and shellcode\r\nCobalt Strike 2021-09-03 ⋅ Sophos ⋅ Anand Ajjan, Andrew Ludgate, Gabor Szappanos, Peter Mackenzie, Sean Gallagher, Sergio\r\nBestulic, Syed Zaidi\r\nConti affiliates use ProxyShell Exchange exploit in ransomware attacks\r\nCobalt Strike Conti 2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel\r\nThe State of SSL/TLS Certificate Usage in Malware C\u0026C Communications\r\nAdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex\r\nFindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT\r\nRockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader 2021-09-02 ⋅ Twitter\r\n(@th3_protoCOL) ⋅ Colin, GaborSzappanos\r\nTweet on Confluence Server exploitation (CVE-2021-26084) in the wild and cobaltsrike activity (mentioned in\r\nreplies by GaborSzappanos)\r\nCobalt Strike 2021-09-02 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara\r\nCobalt Strike PowerShell Payload Analysis\r\nCobalt Strike 2021-09-01 ⋅ YouTube (Black Hat) ⋅ Aragorn Tseng, Charles Li\r\nMem2Img: Memory-Resident Malware Detection via Convolution Neural Network\r\nCobalt Strike PlugX Waterbear 2021-08-31 ⋅ BreakPoint Labs ⋅ BreakPoint Labs\r\nCobalt Strike and Ransomware – Tracking An Effective Ransomware Campaign\r\nCobalt Strike 2021-08-30 ⋅ ⋅ Qianxin ⋅ Red Raindrop 
Team\r\nOperation (Thủy Tinh) OceanStorm: The evil lotus hidden under the abyss\r\nCobalt Strike MimiKatz 2021-08-29 ⋅ The DFIR Report ⋅ The DFIR Report\r\nCobalt Strike, a Defender’s Guide\r\nCobalt Strike 2021-08-27 ⋅ Morphisec ⋅ Morphisec Labs\r\nProxyShell Exchange Exploitation Now Leads To An Increasing Amount Of Cobaltstrike Backdoors\r\nCobalt Strike 2021-08-27 ⋅ Aon ⋅ Aon’s Cyber Labs, Noah Rubin\r\nCobalt Strike Configuration Extractor and Parser\r\nCobalt Strike 2021-08-25 ⋅ Trend Micro ⋅ Hara Hiroaki, Ted Lee\r\nEarth Baku An APT Group Targeting Indo-Pacific Countries With New Stealth Loaders and Backdoor\r\nCobalt Strike DUSTPAN SideWalk 2021-08-24 ⋅ ESET Research ⋅ Mathieu Tartare, Thibaut Passilly\r\nThe SideWalk may be as dangerous as the CROSSWALK\r\nCobalt Strike CROSSWALK SideWalk SparklingGoblin 2021-08-24 ⋅ Trend Micro ⋅ Hara Hiroaki, Ted Lee\r\nEarth Baku Returns\r\nCobalt Strike CROSSWALK DUSTPAN SideWalk 2021-08-23 ⋅ FBI ⋅ FBI\r\nIndicators of Compromise Associated with OnePercent Group Ransomware\r\nCobalt Strike MimiKatz 2021-08-23 ⋅ Youtube (SANS Digital Forensics and Incident Response) ⋅ Chad Tilbury\r\nKeynote: Cobalt Strike Threat Hunting\r\nCobalt Strike 2021-08-19 ⋅ Blackberry ⋅ BlackBerry Research \u0026 Intelligence Team\r\nBlackBerry Prevents: Threat Actor Group TA575 and Dridex Malware\r\nCobalt Strike Dridex TA575 2021-08-19 ⋅ Sekoia ⋅ sekoia\r\nAn insider insights into Conti operations – Part two\r\nCobalt Strike Conti 2021-08-18 ⋅ Intezer ⋅ Ryan Robinson\r\nCobalt Strike: Detect this Persistent Threat\r\nCobalt Strike 2021-08-17 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Yelisey Boguslavskiy\r\nHunting for Corporate Insurance Policies: Indicators of [Ransom] Exfiltration\r\nCobalt Strike Conti 2021-08-17 ⋅ Sekoia ⋅ sekoia\r\nAn insider insights into Conti operations – Part one\r\nCobalt Strike Conti 2021-08-17 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara\r\nCobalt Strike Hunting — DLL Hijacking/Attack Analysis\r\nCobalt Strike 
2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team\r\nThe Ransomware Threat\r\nBabuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike\r\nConti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex\r\nMimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker 2021-08-11 ⋅ Advanced Intelligence ⋅ Vitali Kremez\r\nSecret \"Backdoor\" Behind Conti Ransomware Operation: Introducing Atera Agent\r\nCobalt Strike Conti 2021-08-09 ⋅ IstroSec ⋅ Ladislav Bačo\r\nAPT Cobalt Strike Campaign targeting Slovakia (DEF CON talk)\r\nCobalt Strike 2021-08-05 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam\r\nDetecting Cobalt Strike: Government-Sponsored Threat Groups (APT32)\r\nCobalt Strike 2021-08-05 ⋅ Red Canary ⋅ Brian Donohue, Dan Cotton, Tony Lambert\r\nWhen Dridex and Cobalt Strike give you Grief\r\nCobalt Strike DoppelDridex DoppelPaymer 2021-08-04 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam\r\nDetecting Cobalt Strike: Cybercrime Attacks (GOLD LAGOON)\r\nCobalt Strike 2021-08-04 ⋅ Sentinel LABS ⋅ Gal Kristal\r\nHotcobalt – New Cobalt Strike DoS Vulnerability That Lets You Halt Operations\r\nCobalt Strike 2021-08-04 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team, CrowdStrike IR, Falcon OverWatch Team\r\nPROPHET SPIDER Exploits Oracle WebLogic to Facilitate Ransomware Activity\r\nCobalt Strike Egregor Mount Locker Prophet Spider 2021-08-03 ⋅ Cybereason ⋅ Assaf Dahan, Daniel Frank, Lior Rochberger,\r\nTom Fakterman\r\nDeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos\r\nCHINACHOPPER Cobalt Strike MimiKatz Nebulae 2021-08-02 ⋅ Youtube (Forschungsinstitut Cyber Defense) ⋅ Alexander\r\nRausch, Konstantin Klinger\r\nThe CODE 2021: Workshop presentation and demonstration about CobaltStrike\r\nCobalt Strike 2021-08-01 ⋅ The DFIR Report ⋅ The DFIR Report\r\nBazarCall to Conti Ransomware via Trickbot and 
Cobalt Strike\r\nBazarBackdoor Cobalt Strike Conti TrickBot 2021-07-30 ⋅ Twitter (@Unit42_Intel) ⋅ Unit 42\r\nTweet on BazarLoader infection leading to cobaltstrike and Powershell script file for PrintNightmare vulnerability\r\nBazarBackdoor Cobalt Strike 2021-07-29 ⋅ Rasta Mouse ⋅ Rasta Mouse\r\nNTLM Relaying via Cobalt Strike\r\nCobalt Strike 2021-07-29 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team\r\nBazaCall: Phony call centers lead to exfiltration and ransomware\r\nBazarBackdoor Cobalt Strike 2021-07-27 ⋅ Blackberry ⋅ BlackBerry Research \u0026 Intelligence Team\r\nOld Dogs New Tricks: Attackers Adopt Exotic Programming Languages\r\nelf.wellmess ElectroRAT BazarNimrod Buer Cobalt Strike Remcos Snake TeleBot WellMess Zebrocy 2021-07-25 ⋅\r\nMedium svch0st ⋅ svch0st\r\nGuide to Named Pipes and Hunting for Cobalt Strike Pipes\r\nCobalt Strike 2021-07-22 ⋅ Medium michaelkoczwara ⋅ Michael Koczwara\r\nCobalt Strike Hunting — simple PCAP and Beacon Analysis\r\nCobalt Strike 2021-07-19 ⋅ The DFIR Report ⋅ The DFIR Report\r\nIcedID and Cobalt Strike vs Antivirus\r\nCobalt Strike IcedID 2021-07-14 ⋅ Kaspersky ⋅ Aseel Kayal, Mark Lechtik, Paul Rascagnères\r\nLuminousMoth APT: Sweeping attacks for the chosen few\r\nCobalt Strike 2021-07-14 ⋅ MDSec ⋅ Chris Basnett\r\nInvestigating a Suspicious Service\r\nCobalt Strike 2021-07-14 ⋅ Google ⋅ Clement Lecigne, Google Threat Analysis Group, Maddie Stone\r\nHow We Protect Users From 0-Day Attacks (CVE-2021-21166, CVE-2021-30551, CVE-2021-33742, CVE-2021-\r\n1879)\r\nCobalt Strike 2021-07-13 ⋅ YouTube ( Matt Soseman) ⋅ Matt Soseman\r\nSolarwinds and SUNBURST attacks compromised my lab!\r\nCobalt Strike Raindrop SUNBURST TEARDROP 2021-07-09 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan\r\nHancitor tries XLL as initial malware file\r\nCobalt Strike Hancitor 2021-07-08 ⋅ Avast Decoded ⋅ Threat Intelligence Team\r\nDecoding Cobalt 
Strike: Understanding Payloads\r\nCobalt Strike Empire Downloader 2021-07-08 ⋅ Recorded Future ⋅ Insikt Group\r\nChinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and\r\nOther Tooling\r\nCobalt Strike Earth Lusca 2021-07-07 ⋅ Trustwave ⋅ Nikita Kazymirskyi, Rodel Mendrez\r\nDiving Deeper Into the Kaseya VSA Attack: REvil Returns and Other Hackers Are Riding Their Coattails\r\nCobalt Strike REvil 2021-07-07 ⋅ McAfee ⋅ McAfee Labs\r\nRyuk Ransomware Now Targeting Webservers\r\nCobalt Strike Ryuk 2021-07-07 ⋅ Trend Micro ⋅ Gloria Chen, Jaromír Hořejší, Joseph C Chen, Kenney Lu\r\nBIOPASS RAT: New Malware Sniffs Victims via Live Streaming\r\nBIOPASS Cobalt Strike Derusbi 2021-07-06 ⋅ Twitter (@MBThreatIntel) ⋅ Malwarebytes Threat Intelligence\r\nTweet on a malspam campaign that is taking advantage of Kaseya VSA ransomware attack to drop CobaltStrike\r\nCobalt Strike 2021-07-05 ⋅ Trend Micro ⋅ Abraham Camba, Buddy Tancio, Catherine Loveria, Ryan Maglaque\r\nTracking Cobalt Strike: A Trend Micro Vision One Investigation\r\nCobalt Strike 2021-07-03 ⋅ Medium AK1001 ⋅ AK1001\r\nAnalyzing Cobalt Strike PowerShell Payload\r\nCobalt Strike 2021-07-02 ⋅ MalwareBookReports ⋅ muzi\r\nSkip the Middleman: Dridex Document to Cobalt Strike\r\nCobalt Strike Dridex 2021-07-01 ⋅ The Record ⋅ Catalin Cimpanu\r\nMongolian certificate authority hacked eight times, compromised with malware\r\nCobalt Strike 2021-07-01 ⋅ Avast Decoded ⋅ Igor Morgenstern, Jan Vojtěšek, Luigino Camastra\r\nBackdoored Client from Mongolian CA MonPass\r\nCobalt Strike FishMaster 2021-07-01 ⋅ Avast Decoded ⋅ Igor Morgenstern, Jan Vojtěšek, Luigino Camastra\r\nBackdoored Client from Mongolian CA MonPass\r\nCobalt Strike Earth Lusca 2021-06-30 ⋅ Group-IB ⋅ Oleg Skulkin\r\nREvil Twins Deep Dive into Prolific RaaS Affiliates' TTPs\r\nCobalt Strike REvil 2021-06-29 ⋅ Proofpoint ⋅ Daniel Blackford, Selena Larson\r\nCobalt Strike: Favorite Tool from APT to 
Crimeware\r\nCobalt Strike 2021-06-29 ⋅ Accenture ⋅ Accenture Security\r\nHADES ransomware operators continue attacks\r\nCobalt Strike Hades MimiKatz 2021-06-28 ⋅ The DFIR Report ⋅ The DFIR Report\r\nHancitor Continues to Push Cobalt Strike\r\nCobalt Strike Hancitor 2021-06-22 ⋅ Twitter (@Cryptolaemus1) ⋅ Cryptolaemus, dao ming si, Kirk Sayre\r\nTweet on TA575, a Dridex affiliate delivering cobaltstrike (packed withe Cryptone) directly via the macro docs\r\nCobalt Strike Dridex 2021-06-22 ⋅ CrowdStrike ⋅ The Falcon Complete Team\r\nResponse When Minutes Matter: Falcon Complete Disrupts WIZARD SPIDER eCrime Operators\r\nCobalt Strike 2021-06-20 ⋅ The DFIR Report ⋅ The DFIR Report\r\nFrom Word to Lateral Movement in 1 Hour\r\nCobalt Strike IcedID 2021-06-18 ⋅ SecurityScorecard ⋅ Ryan Sherstobitoff\r\nSecurityScorecard Finds USAID Hack Much Larger Than Initially Thought\r\nCobalt Strike 2021-06-17 ⋅ Binary Defense ⋅ Brandon George\r\nAnalysis of Hancitor – When Boring Begets Beacon\r\nCobalt Strike Ficker Stealer Hancitor 2021-06-16 ⋅ ⋅ Національної поліції України ⋅ Національна поліція України\r\nCyberpolice exposes hacker group in spreading encryption virus and causing half a billion dollars in damage to\r\nforeign companies\r\nClop Cobalt Strike FlawedAmmyy 2021-06-16 ⋅ FireEye ⋅ Jared Wilson, Justin Moore, Mike Hunhoff, Nick Harbour, Robert\r\nDean, Tyler McLellan\r\nSmoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise\r\nCobalt Strike SMOKEDHAM 2021-06-16 ⋅ Mandiant ⋅ Jared Wilson, Jordan Nuce, Justin Moore, Mike Hunhoff, Nick Harbour,\r\nRobert Dean, Tyler McLellan\r\nSmoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise\r\nCobalt Strike SMOKEDHAM 2021-06-16 ⋅ Mandiant ⋅ Jared Wilson, Jordan Nuce, Justin Moore, Mike Hunhoff, Nick Harbour,\r\nRobert Dean, Tyler McLellan\r\nSmoking Out a DARKSIDE Affiliate’s Supply Chain Software 
Compromise\r\nDarkSide Cobalt Strike DarkSide SMOKEDHAM UNC2465 2021-06-15 ⋅ Secureworks ⋅ Counter Threat Unit\r\nResearchTeam\r\nHades Ransomware Operators Use Distinctive Tactics and Infrastructure\r\nCobalt Strike Hades 2021-06-12 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie\r\nA thread on RagnarLocker ransomware group's TTP seen in an Incident Response\r\nCobalt Strike RagnarLocker 2021-06-10 ⋅ Group-IB ⋅ Nikita Rostovcev\r\nBig airline heist APT41 likely behind massive supply chain attack\r\nCobalt Strike 2021-06-09 ⋅ Twitter (@RedDrip7) ⋅ RedDrip7\r\nTweet on in the wild exploit of CVE-2021-26868 (according to @_clem1)\r\nCobalt Strike 2021-06-04 ⋅ Inky ⋅ Roger Kay\r\nColonial Pipeline Ransomware Hack Unleashes Flood of Related Phishing Attempts\r\nCobalt Strike 2021-06-04 ⋅ Twitter (@alex_lanstein) ⋅ Alex Lanstein\r\nTweet on UNC2652/NOBELIUM targeting IOS users exploiting CVE-2021-1879\r\nCobalt Strike 2021-06-02 ⋅ Medium CyCraft ⋅ CyCraft Technology Corp\r\nChina-Linked Threat Group Targets Taiwan Critical Infrastructure, Smokescreen Ransomware\r\nCobalt Strike ColdLock 2021-06-02 ⋅ Sophos ⋅ Sean Gallagher\r\nAMSI bypasses remain tricks of the malware trade\r\nAgent Tesla Cobalt Strike Meterpreter 2021-06-01 ⋅ SentinelOne ⋅ Juan Andrés Guerrero-Saade\r\nNobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks\r\nCobalt Strike 2021-06-01 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center\r\n(MSTIC)\r\nNew sophisticated email-based attack from NOBELIUM\r\nCobalt Strike 2021-06-01 ⋅ Department of Justice ⋅ Office of Public Affairs\r\nJustice Department Announces Court-Authorized Seizure of Domain Names Used in Furtherance of Spear-Phishing Campaign Posing as U.S. 
Agency for International Development\r\nCobalt Strike 2021-06-01 ⋅ SANS ⋅ Jake Williams, Kevin Haley\r\nA Contrarian View on SolarWinds\r\nCobalt Strike Raindrop SUNBURST TEARDROP 2021-05-29 ⋅ Twitter (@elisalem9) ⋅ Eli Salem\r\nTweet on obfuscation mechanism and extraction procedure of COBALTSTRIKE beacon module used by\r\nNOBELIUM/UNC2452\r\nCobalt Strike 2021-05-28 ⋅ CISA ⋅ US-CERT\r\nMalware Analysis Report (AR21-148A): Cobalt Strike Beacon\r\nCobalt Strike 2021-05-28 ⋅ CISA ⋅ US-CERT\r\nAlert (AA21-148A): Sophisticated Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs\r\nCobalt Strike 2021-05-28 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC)\r\nBreaking down NOBELIUM’s latest early-stage toolset\r\nBOOMBOX Cobalt Strike 2021-05-27 ⋅ Volexity ⋅ Damien Cash, Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair,\r\nThomas Lancaster\r\nSuspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns\r\nCobalt Strike 2021-05-26 ⋅ DeepInstinct ⋅ Ron Ben Yizhak\r\nA Deep Dive into Packing Software CryptOne\r\nCobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader 2021-05-25 ⋅ Huntress\r\nLabs ⋅ Matthew Brennan\r\nCobalt Strikes Again: An Analysis of Obfuscated Malware\r\nCobalt Strike 2021-05-21 ⋅ blackarrow ⋅ Pablo Ambite\r\nLeveraging Microsoft Teams to persist and cover up Cobalt Strike traffic\r\nCobalt Strike 2021-05-21 ⋅ ⋅ LAC ⋅ Yoshihiro Ishikawa\r\nTargeted attack by 'Cobalt Strike loader' that exploits Microsoft's digital signature-Attacker group APT41\r\nCobalt Strike DUSTPAN 2021-05-19 ⋅ Intel 471 ⋅ Intel 471\r\nLook how many cybercriminals love Cobalt Strike\r\nBazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot 2021-05-19 ⋅ Medium Mehmet\r\nErgene ⋅ Mehmet Ergene\r\nEnterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 2\r\nCobalt Strike 2021-05-18 ⋅ Sophos ⋅ Greg Iddon, John Shier, Mat Gangwer, Peter 
Mackenzie\r\nThe Active Adversary Playbook 2021\r\nCobalt Strike MimiKatz 2021-05-17 ⋅ Talos ⋅ Brad Garnett\r\nCase Study: Incident Response is a relationship-driven business\r\nCobalt Strike 2021-05-16 ⋅ NCSC Ireland ⋅ NCSC Ireland\r\nRansomware Attack on Health Sector - UPDATE 2021-05-16\r\nCobalt Strike Conti 2021-05-14 ⋅ Blue Team Blog ⋅ Auth 0r\r\nDarkSide Ransomware Operations – Preventions and Detections.\r\nCobalt Strike DarkSide 2021-05-14 ⋅ GuidePoint Security ⋅ Drew Schmitt\r\nFrom ZLoader to DarkSide: A Ransomware Story\r\nDarkSide Cobalt Strike Zloader 2021-05-13 ⋅ AWAKE ⋅ Kieran Evans\r\nCatching the White Stork in Flight\r\nCobalt Strike MimiKatz RMS 2021-05-12 ⋅ The DFIR Report\r\nConti Ransomware\r\nCobalt Strike Conti IcedID 2021-05-12 ⋅ Medium Mehmet Ergene ⋅ Mehmet Ergene\r\nEnterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 1\r\nCobalt Strike 2021-05-11 ⋅ FireEye ⋅ Alyssa Rahman, Andrew Moore, Brendan McKeague, Jared Wilson, Jeremy Kennelly, Jordan\r\nNuce, Kimberly Goody\r\nShining a Light on DARKSIDE Ransomware Operations\r\nCobalt Strike DarkSide 2021-05-11 ⋅ Mal-Eats ⋅ mal_eats\r\nCampo, a New Attack Campaign Targeting Japan\r\nAnchorDNS BazarBackdoor campoloader Cobalt Strike Phobos Snifula TrickBot Zloader 2021-05-10 ⋅ ZERO.BS ⋅\r\nZEROBS\r\nCobaltstrike-Beacons analyzed\r\nCobalt Strike 2021-05-10 ⋅ Mal-Eats ⋅ mal_eats\r\nOverview of Campo, a new attack campaign targeting Japan\r\nAnchorDNS BazarBackdoor Cobalt Strike ISFB Phobos TrickBot Zloader 2021-05-07 ⋅ Medium svch0st ⋅ svch0st\r\nStats from Hunting Cobalt Strike Beacons\r\nCobalt Strike 2021-05-07 ⋅ TEAMT5 ⋅ Aragorn Tseng, Charles Li\r\nMem2Img: Memory-Resident Malware Detection via Convolution Neural Network\r\nCobalt Strike PlugX Waterbear 2021-05-07 ⋅ SophosLabs Uncut ⋅ Rajesh Nataraj\r\nNew Lemon Duck variants exploiting Microsoft Exchange 
Server\r\nCHINACHOPPER Cobalt Strike Lemon Duck 2021-05-07 ⋅ Cisco Talos ⋅ Andrew Windsor, Caitlin Huey, Edmund Brumaghin\r\nLemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs\r\nCHINACHOPPER Cobalt Strike Lemon Duck 2021-05-05 ⋅ SophosLabs Uncut ⋅ Andrew Brandt, Gabor Szappanos, Peter\r\nMackenzie, Vikas Singh\r\nIntervention halts a ProxyLogon-enabled attack\r\nCobalt Strike 2021-05-05 ⋅ TRUESEC ⋅ Mattias Wåhlén\r\nAre The Notorious Cyber Criminals Evil Corp actually Russian Spies?\r\nCobalt Strike Hades WastedLocker 2021-05-04 ⋅ Medium sergiusechel ⋅ Sergiu Sechel\r\nImproving the network-based detection of Cobalt Strike C2 servers in the wild while reducing the risk of false\r\npositives\r\nCobalt Strike 2021-05-02 ⋅ The DFIR Report ⋅ The DFIR Report\r\nTrickbot Brief: Creds and Beacons\r\nCobalt Strike TrickBot 2021-04-29 ⋅ NTT ⋅ Threat Detection NTT Ltd.\r\nThe Operations of Winnti group\r\nCobalt Strike ShadowPad Spyder Winnti Earth Lusca 2021-04-29 ⋅ FireEye ⋅ Justin Moore, Raymond Leong, Tyler McLellan\r\nUNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat\r\nCobalt Strike FiveHands HelloKitty 2021-04-27 ⋅ Trend Micro ⋅ Janus Agcaoili\r\nHello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability\r\nCHINACHOPPER Cobalt Strike 2021-04-27 ⋅ Trend Micro ⋅ Earle Earnshaw, Janus Agcaoili\r\nLegitimate Tools Weaponized for Ransomware in 2021\r\nCobalt Strike MimiKatz 2021-04-26 ⋅ getrevue ⋅ Twitter (@80vul)\r\nHunting Cobalt Strike DNS redirectors by using ZoomEye\r\nCobalt Strike 2021-04-26 ⋅ nviso ⋅ Maxime Thiebaut\r\nAnatomy of Cobalt Strike’s DLL Stager\r\nCobalt Strike 2021-04-24 ⋅ ⋅ Non-offensive security ⋅ Non-offensive security team\r\nDetect Cobalt Strike server through DNS protocol\r\nCobalt Strike 2021-04-23 ⋅ Twitter (@vikas891) ⋅ Vikas Singh\r\nTweet on DOPPEL SPIDER using 
Intensive/Multiple Injected Cobalt Strike Beacons with varied polling intervals\r\nCobalt Strike DoppelPaymer 2021-04-22 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie\r\nTwwet On TTPs seen in IR used by DOPPEL SPIDER\r\nCobalt Strike DoppelPaymer 2021-04-21 ⋅ SophosLabs Uncut ⋅ Anand Aijan, Andrew Brandt, Markel Picado, Michael Wood, Sean\r\nGallagher, Sivagnanam Gn, Suriya Natarajan\r\nNearly half of malware now use TLS to conceal communications\r\nAgent Tesla Cobalt Strike Dridex SystemBC 2021-04-20 ⋅ Medium walmartglobaltech ⋅ Jason Reaves\r\nCobaltStrike Stager Utilizing Floating Point Math\r\nCobalt Strike 2021-04-19 ⋅ Netresec ⋅ Erik Hjelmvik\r\nAnalysing a malware PCAP with IcedID and Cobalt Strike traffic\r\nCobalt Strike IcedID 2021-04-18 ⋅ YouTube (dist67) ⋅ Didier Stevens\r\nDecoding Cobalt Strike Traffic\r\nCobalt Strike 2021-04-14 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan\r\nApril 2021 Forensic Quiz: Answers and Analysis\r\nAnchor BazarBackdoor Cobalt Strike 2021-04-12 ⋅ Inde ⋅ Chris Campbell\r\nA Different Kind of Zoombomb\r\nCobalt Strike 2021-04-09 ⋅ F-Secure ⋅ Giulio Ginesi, Riccardo Ancarani\r\nDetecting Exposed Cobalt Strike DNS Redirectors\r\nCobalt Strike 2021-04-07 ⋅ Medium sixdub ⋅ Justin Warner\r\nUsing Kaitai Struct to Parse Cobalt Strike Beacon Configs\r\nCobalt Strike 2021-04-05 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt\r\nTrickBot Crews New CobaltStrike Loader\r\nCobalt Strike TrickBot 2021-04-01 ⋅ DomainTools ⋅ Joe Slowik\r\nCOVID-19 Phishing With a Side of Cobalt Strike\r\nCobalt Strike 2021-04-01 ⋅ Palo Alto Networks Unit 42 ⋅ Brad Duncan\r\nHancitor’s Use of Cobalt Strike and a Noisy Network Ping Tool\r\nCobalt Strike Hancitor Moskalvzapoe 2021-03-31 ⋅ Red Canary ⋅ Red Canary\r\n2021 Threat Detection Report\r\nShlayer Andromeda Cobalt Strike Dridex Emotet IcedID MimiKatz QakBot TrickBot 2021-03-30 ⋅ GuidePoint Security\r\n⋅ Drew Schmitt\r\nYet Another Cobalt Strike Stager: GUID Edition\r\nCobalt Strike 2021-03-29 ⋅ 
The DFIR Report ⋅ The DFIR Report\r\nSodinokibi (aka REvil) Ransomware\r\nCobalt Strike IcedID REvil 2021-03-21 ⋅ Blackberry ⋅ Blackberry Research\r\n2021 Threat Report\r\nBashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth\r\nBazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader\r\nTrickBot 2021-03-21 ⋅ YouTube (dist67) ⋅ Didier Stevens\r\nFinding Metasploit \u0026 Cobalt Strike URLs\r\nCobalt Strike 2021-03-18 ⋅ PRODAFT Threat Intelligence ⋅ PRODAFT\r\nSilverFish GroupThreat Actor Report\r\nCobalt Strike Dridex Koadic 2021-03-18 ⋅ DeepInstinct ⋅ Ben Gross\r\nCobalt Strike – Post-Exploitation Attackers Toolkit\r\nCobalt Strike 2021-03-16 ⋅ McAfee ⋅ McAfee ATR\r\nTechnical Analysis of Operation Diànxùn\r\nCobalt Strike 2021-03-16 ⋅ Elastic ⋅ Joe Desimone\r\nDetecting Cobalt Strike with memory signatures\r\nCobalt Strike 2021-03-11 ⋅ Cyborg Security ⋅ Josh Campbell\r\nYou Don't Know the HAFNIUM of it...\r\nCHINACHOPPER Cobalt Strike PowerCat 2021-03-11 ⋅ Qurium ⋅ Qurium\r\nMyanmar – Multi-stage malware attack targets elected lawmakers\r\nCobalt Strike 2021-03-10 ⋅ Proofpoint ⋅ Dennis Schwarz, Matthew Mesa, Proofpoint Threat Research Team\r\nNimzaLoader: TA800’s New Initial Access Malware\r\nBazarNimrod Cobalt Strike 2021-03-09 ⋅ splunk ⋅ Security Research Team\r\nCloud Federated Credential Abuse \u0026 Cobalt Strike: Threat Research February 2021\r\nCobalt Strike 2021-03-08 ⋅ The DFIR Report ⋅ The DFIR Report\r\nBazar Drops the Anchor\r\nAnchor BazarBackdoor Cobalt Strike 2021-03-08 ⋅ Youtube (SANS Digital Forensics and Incident Response) ⋅ Adam\r\nPennington, Jen Burns, Katie Nickels\r\nSTAR Webcast: Making sense of SolarWinds through the lens of MITRE ATT\u0026CK(R)\r\nCobalt Strike SUNBURST TEARDROP 2021-03-07 ⋅ InfoSec Handlers Diary Blog ⋅ Didier Stevens\r\nPCAPs and Beacons\r\nCobalt 
Strike 2021-03-01 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt\r\nNimar Loader\r\nBazarBackdoor BazarNimrod Cobalt Strike 2021-03-01 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt\r\nInvestigation into the state of Nim malware\r\nBazarNimrod Cobalt Strike 2021-02-26 ⋅ CrowdStrike ⋅ Eric Loui, Sergei Frankoff\r\nHypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to\r\nMaximize Impact\r\nDarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil\r\n2021-02-25 ⋅ FireEye ⋅ Brendan McKeague, Bryce Abdo, Van Ta\r\nSo Unchill: Melting UNC2198 ICEDID to Ransomware Operations\r\nMOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC 2021-02-24 ⋅ Github (AmnestyTech) ⋅ Amnesty\r\nInternational\r\nOverview of Ocean Lotus Samples used to target Vietnamese Human Rights Defenders\r\nOceanLotus Cobalt Strike KerrDown 2021-02-24 ⋅ ⋅ VMWare Carbon Black ⋅ Takahiro Haruyama\r\nKnock, knock, Neo. 
- Active C2 Discovery Using Protocol Emulation\r\nCobalt Strike 2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike\r\n2021 Global Threat Report\r\nRansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide\r\nDoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker\r\nMespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT\r\nRagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST\r\nSunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER\r\nSOLAR SPIDER VIKING SPIDER 2021-02-11 ⋅ Twitter (@TheDFIRReport) ⋅ The DFIR Report\r\nTweet on Hancitor Activity followed by cobaltsrike beacon\r\nCobalt Strike Hancitor 2021-02-09 ⋅ Securehat ⋅ Securehat\r\nExtracting the Cobalt Strike Config from a TEARDROP Loader\r\nCobalt Strike TEARDROP 2021-02-09 ⋅ Cobalt Strike ⋅ Raphael Mudge\r\nLearn Pipe Fitting for all of your Offense Projects\r\nCobalt Strike 2021-02-03 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan\r\nExcel spreadsheets push SystemBC malware\r\nCobalt Strike SystemBC 2021-02-02 ⋅ Committee to Protect Journalists ⋅ Madeline Earp\r\nHow Vietnam-based hacking operation OceanLotus targets journalists\r\nCobalt Strike 2021-02-02 ⋅ Twitter (@TheDFIRReport) ⋅ The DFIR Report\r\nTweet on recent dridex post infection activity\r\nCobalt Strike Dridex 2021-02-02 ⋅ ⋅ CRONUP ⋅ Germán Fernández\r\nDe ataque con Malware a incidente de Ransomware\r\nAvaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire\r\nDownloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX\r\nREvil Ryuk SDBbot SmokeLoader TrickBot Zloader 2021-02-01 ⋅ pkb1s.github.io ⋅ Petros Koutroumpis\r\nRelay Attacks via Cobalt Strike Beacons\r\nCobalt Strike 2021-02-01 ⋅ AhnLab ⋅ ASEC Analysis Team\r\nBlueCrab ransomware, CobaltStrike hacking tool installed in corporate 
environment\r\nCobalt Strike REvil 2021-01-31 ⋅ The DFIR Report ⋅ The DFIR Report\r\nBazar, No Ryuk?\r\nBazarBackdoor Cobalt Strike Ryuk 2021-01-28 ⋅ TrustedSec ⋅ Adam Chester\r\nTailoring Cobalt Strike on Target\r\nCobalt Strike 2021-01-28 ⋅ ⋅ AhnLab ⋅ ASEC Analysis Team\r\nBlueCrab ransomware constantly trying to bypass detection\r\nCobalt Strike REvil 2021-01-26 ⋅ Twitter (@swisscom_csirt) ⋅ Swisscom CSIRT\r\nTweet on Cring Ransomware groups using customized Mimikatz sample followed by CobaltStrike and dropping\r\nCring rasomware\r\nCobalt Strike Cring MimiKatz 2021-01-20 ⋅ Microsoft ⋅ Microsoft 365 Defender Research Team, Microsoft Cyber Defense\r\nOperations Center (CDOC), Microsoft Threat Intelligence Center (MSTIC)\r\nDeep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop\r\nCobalt Strike SUNBURST TEARDROP 2021-01-18 ⋅ Symantec ⋅ Threat Hunter Team\r\nRaindrop: New Malware Discovered in SolarWinds Investigation\r\nCobalt Strike Raindrop SUNBURST TEARDROP 2021-01-17 ⋅ Twitter (@AltShiftPrtScn) ⋅ Peter Mackenzie\r\nTweet on Conti Ransomware group exploiting FortiGate VPNs to drop in CobaltStrike loaders\r\nCobalt Strike Conti 2021-01-15 ⋅ Medium Dansec ⋅ Dan Lussier\r\nDetecting Malicious C2 Activity -SpawnAs \u0026 SMB Lateral Movement in CobaltStrike\r\nCobalt Strike 2021-01-14 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence\r\nHigaisa or Winnti? 
APT41 backdoors, old and new\r\nCobalt Strike CROSSWALK FunnySwitch PlugX ShadowPad 2021-01-12 ⋅ BrightTALK (FireEye) ⋅ Ben Read, John\r\nHultquist\r\nUNC2452: What We Know So Far\r\nCobalt Strike SUNBURST TEARDROP 2021-01-12 ⋅ Fox-IT ⋅ Wouter Jansen\r\nAbusing cloud services to fly under the radar\r\nCobalt Strike 2021-01-11 ⋅ The DFIR Report ⋅ The DFIR Report\r\nTrickbot Still Alive and Well\r\nCobalt Strike TrickBot 2021-01-11 ⋅ SolarWinds ⋅ Sudhakar Ramakrishna\r\nNew Findings From Our Investigation of SUNBURST\r\nCobalt Strike SUNBURST TEARDROP 2021-01-10 ⋅ Medium walmartglobaltech ⋅ Jason Reaves\r\nMAN1, Moskal, Hancitor and a side of Ransomware\r\nCobalt Strike Hancitor SendSafe VegaLocker Moskalvzapoe 2021-01-09 ⋅ Connor McGarr's Blog ⋅ Connor McGarr\r\nMalware Development: Leveraging Beacon Object Files for Remote Process Injection via Thread Hijacking\r\nCobalt Strike 2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli\r\nCommand and Control Traffic Patterns\r\nostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID\r\nISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot 2021-01-07 ⋅ Recorded Future ⋅ Insikt Group®\r\nAversary Infrastructure Report 2020: A Defender's View\r\nOctopus pupy Cobalt Strike Empire Downloader Meterpreter PoshC2 2021-01-06 ⋅ Red Canary ⋅ Tony Lambert\r\nHunting for GetSystem in offensive security tools\r\nCobalt Strike Empire Downloader Meterpreter PoshC2 2021-01-05 ⋅ Trend Micro ⋅ Trend Micro Research\r\nEarth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration\r\nCobalt Strike Earth Wendigo 2021-01-04 ⋅ Medium haggis-m ⋅ Michael Haag\r\nMalleable C2 Profiles and You\r\nCobalt Strike 2021-01-01 ⋅ Talos ⋅ Talos Incident Response\r\nCobalt Strikes Out\r\nCobalt Strike 2021-01-01 ⋅ Talos ⋅ Talos Incident Response\r\nEvicting Maze\r\nCobalt Strike Maze 2021-01-01 ⋅ SecureWorks\r\nThreat Profile: GOLD DRAKE\r\nCobalt Strike Dridex FriedEx Koadic MimiKatz 
WastedLocker Evil Corp 2021-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nThreat Profile: GOLD WINTER\r\nCobalt Strike Hades Meterpreter GOLD WINTER 2021-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nThreat Profile: GOLD WATERFALL\r\nCobalt Strike DarkSide GOLD WATERFALL 2021-01-01 ⋅ Mandiant ⋅ Mandiant\r\nM-TRENDS 2021\r\nCobalt Strike SUNBURST 2021-01-01 ⋅ ⋅ Github (WBGlIl) ⋅ WBGlIl\r\nA book on cobaltstrike\r\nCobalt Strike 2021-01-01 ⋅ Symantec ⋅ Symantec Threat Hunter Team\r\nSupply Chain Attacks:Cyber Criminals Target the Weakest Link\r\nCobalt Strike Raindrop SUNBURST TEARDROP 2021-01-01 ⋅ AWAKE ⋅ Awake Security\r\nBreaking the Ice: Detecting IcedID and Cobalt Strike Beacon with Network Detection and Response (NDR)\r\nCobalt Strike IcedID PhotoLoader 2020-12-26 ⋅ Medium grimminck ⋅ Stefan Grimminck\r\nSpoofing JARM signatures. I am the Cobalt Strike server now!\r\nCobalt Strike 2020-12-22 ⋅ TRUESEC ⋅ Mattias Wåhlén\r\nCollaboration between FIN7 and the RYUK group, a Truesec Investigation\r\nCarbanak Cobalt Strike Ryuk 2020-12-21 ⋅ Fortinet ⋅ Udi Yavo\r\nWhat We Have Learned So Far about the “Sunburst”/SolarWinds Hack\r\nCobalt Strike SUNBURST TEARDROP 2020-12-20 ⋅ Randhome ⋅ Etienne Maynier\r\nAnalyzing Cobalt Strike for Fun and Profit\r\nCobalt Strike 2020-12-15 ⋅ Github (sophos-cybersecurity) ⋅ Sophos Cyber Security Team\r\nsolarwinds-threathunt\r\nCobalt Strike SUNBURST 2020-12-15 ⋅ PICUS Security ⋅ Süleyman Özarslan\r\nTactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach\r\nCobalt Strike SUNBURST 2020-12-14 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42\r\nThreat Brief: SolarStorm and SUNBURST Customer Coverage\r\nCobalt Strike SUNBURST 2020-12-11 ⋅ Blackberry ⋅ BlackBerry Research and Intelligence team\r\nMountLocker Ransomware-as-a-Service Offers Double Extortion Capabilities to Affiliates\r\nCobalt Strike Mount Locker 2020-12-10 ⋅ Intel 471 ⋅ Intel 471\r\nNo pandas, just 
people: The current state of China’s cybercrime underground\r\nAnubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT 2020-12-10 ⋅ Palo Alto Networks Unit 42 ⋅ Unit42\r\nThreat Brief: FireEye Red Team Tool Breach\r\nCobalt Strike 2020-12-09 ⋅ Cisco ⋅ Caitlin Huey, David Liebenberg\r\nQuarterly Report: Incident Response trends from Fall 2020\r\nCobalt Strike IcedID Maze RansomEXX Ryuk 2020-12-09 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan\r\nRecent Qakbot (Qbot) activity\r\nCobalt Strike QakBot 2020-12-09 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall\r\nIt's not FINished The Evolving Maturity in Ransomware Operations (SLIDES)\r\nCobalt Strike DoppelPaymer QakBot REvil 2020-12-08 ⋅ Cobalt Strike ⋅ Raphael Mudge\r\nA Red Teamer Plays with JARM\r\nCobalt Strike 2020-12-02 ⋅ Red Canary ⋅ twitter (@redcanary)\r\nTweet on increased #Qbot activity delivering Cobalt Strike \u0026 #Egregor ransomware\r\nCobalt Strike Egregor QakBot 2020-12-01 ⋅ mez0.cc ⋅ mez0\r\nCobalt Strike PowerShell Execution\r\nCobalt Strike 2020-12-01 ⋅ 360.cn ⋅ jindanlong\r\nHunting Beacons\r\nCobalt Strike 2020-11-30 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center\r\n(MSTIC)\r\nThreat actor (BISMUTH) leverages coin miner techniques to stay under the radar – here’s how to spot them\r\nCobalt Strike 2020-11-30 ⋅ FireEye ⋅ Mitchell Clarke, Tom Hall\r\nIt's not FINished The Evolving Maturity in Ransomware Operations\r\nCobalt Strike DoppelPaymer MimiKatz QakBot REvil 2020-11-27 ⋅ ⋅ Macnica ⋅ Hiroshi Takeuchi\r\nAnalyzing Organizational Invasion Ransom Incidents Using Dtrack\r\nCobalt Strike Dtrack 2020-11-26 ⋅ Cybereason ⋅ Cybereason Nocturnus, Lior Rochberger\r\nCybereason vs. 
Egregor Ransomware\r\nCobalt Strike Egregor IcedID ISFB QakBot 2020-11-25 ⋅ SentinelOne ⋅ Jim Walter\r\nEgregor RaaS Continues the Chaos with Cobalt Strike and Rclone\r\nCobalt Strike Egregor 2020-11-20 ⋅ ⋅ 360 netlab ⋅ JiaYu\r\nBlackrota, a highly obfuscated backdoor developed by Go\r\nCobalt Strike 2020-11-20 ⋅ F-Secure Labs ⋅ Riccardo Ancarani\r\nDetecting Cobalt Strike Default Modules via Named Pipe Analysis\r\nCobalt Strike 2020-11-20 ⋅ ZDNet ⋅ Catalin Cimpanu\r\nThe malware that usually installs ransomware and you need to remove right away\r\nAvaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx\r\nMegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader 2020-11-17 ⋅ cyble ⋅ Cyble\r\nOceanLotus Continues With Its Cyber Espionage Operations\r\nCobalt Strike Meterpreter 2020-11-17 ⋅ Salesforce Engineering ⋅ John Althouse\r\nEasily Identify Malicious Servers on the Internet with JARM\r\nCobalt Strike TrickBot 2020-11-15 ⋅ Trustnet ⋅ Michael Wainshtain\r\nFrom virus alert to PowerShell Encrypted Loader\r\nCobalt Strike 2020-11-09 ⋅ Bleeping Computer ⋅ Ionut Ilascu\r\nFake Microsoft Teams updates lead to Cobalt Strike deployment\r\nCobalt Strike DoppelPaymer NjRAT Predator The Thief Zloader 2020-11-06 ⋅ Cobalt Strike ⋅ Raphael Mudge\r\nCobalt Strike 4.2 – Everything but the kitchen sink\r\nCobalt Strike 2020-11-06 ⋅ Advanced Intelligence ⋅ Vitali Kremez\r\nAnatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware \"one\" Group via Cobalt Strike\r\nBazarBackdoor Cobalt Strike Ryuk 2020-11-06 ⋅ Volexity ⋅ Steven Adair, Thomas Lancaster, Volexity Threat Research\r\nOceanLotus: Extending Cyber Espionage Operations Through Fake Websites\r\nCobalt Strike KerrDown APT32 2020-11-06 ⋅ Palo Alto Networks Unit 42 ⋅ CRYPSIS, Drew Schmitt, Ryan Tracey\r\nIndicators of Compromise related to Cobaltstrike, PyXie Lite, Vatet and Defray777\r\nCobalt Strike PyXie RansomEXX 2020-11-05 ⋅ The DFIR Report ⋅ The DFIR Report\r\nRyuk 
Speed Run, 2 Hours to Ransom\r\nBazarBackdoor Cobalt Strike Ryuk 2020-11-05 ⋅ Twitter (@ffforward) ⋅ TheAnalyst\r\nTweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK\r\nCobalt Strike Ryuk Zloader 2020-11-04 ⋅ VMRay ⋅ Giovanni Vigna\r\nTrick or Threat: Ryuk ransomware targets the health care industry\r\nBazarBackdoor Cobalt Strike Ryuk TrickBot 2020-11-03 ⋅ Kaspersky Labs ⋅ GReAT\r\nAPT trends report Q3 2020\r\nWellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack\r\nLODEINFO MoriAgent Okrum PlugX POISONPLUG Rover ShadowPad SoreFang Winnti 2020-11-03 ⋅ InfoSec\r\nHandlers Diary Blog ⋅ Renato Marinho\r\nAttackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike\r\nCobalt Strike 2020-10-30 ⋅ Github (ThreatConnect-Inc) ⋅ ThreatConnect\r\nUNC 1878 Indicators from Threatconnect\r\nBazarBackdoor Cobalt Strike Ryuk 2020-10-30 ⋅ YouTube (Kaspersky Tech) ⋅ Kris McConkey\r\nAround the world in 80 days 4.2bn packets\r\nCobalt Strike Derusbi HyperBro Poison Ivy ShadowPad Winnti 2020-10-29 ⋅ Github (Swisscom) ⋅ Swisscom CSIRT\r\nList of CobaltStrike C2's used by RYUK\r\nCobalt Strike 2020-10-29 ⋅ Red Canary ⋅ The Red Canary Team\r\nA Bazar start: How one hospital thwarted a Ryuk ransomware outbreak\r\nCobalt Strike Ryuk TrickBot 2020-10-29 ⋅ RiskIQ ⋅ RiskIQ\r\nRyuk Ransomware: Extensive Attack Infrastructure Revealed\r\nCobalt Strike Ryuk 2020-10-28 ⋅ FireEye ⋅ Douglas Bienstock, Jeremy Kennelly, Joshua Shilko, Kimberly Goody, Steve Elovitz\r\nUnhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser\r\nBazarBackdoor Cobalt Strike Ryuk UNC1878 2020-10-27 ⋅ Sophos Managed Threat Response (MTR) ⋅ Greg Iddon\r\nMTR Casebook: An active adversary caught in the act\r\nCobalt Strike 2020-10-18 ⋅ The DFIR Report ⋅ The DFIR Report\r\nRyuk in 5 Hours\r\nBazarBackdoor Cobalt Strike Ryuk 
2020-10-14 ⋅ Sophos ⋅ Sean Gallagher\r\nThey’re back: inside a new Ryuk ransomware attack\r\nCobalt Strike Ryuk SystemBC 2020-10-14 ⋅ RiskIQ ⋅ Jon Gross, Steve Ginty\r\nA Well-Marked Trail: Journeying through OceanLotus's Infrastructure\r\nCobalt Strike 2020-10-12 ⋅ Advanced Intelligence ⋅ Roman Marshanski, Vitali Kremez\r\n\"Front Door\" into BazarBackdoor: Stealthy Cybercrime Weapon\r\nBazarBackdoor Cobalt Strike Ryuk 2020-10-11 ⋅ Github (StrangerealIntel) ⋅ StrangerealIntel\r\nChimera, APT19 under the radar ?\r\nCobalt Strike Meterpreter 2020-10-08 ⋅ The DFIR Report ⋅ The DFIR Report\r\nRyuk’s Return\r\nBazarBackdoor Cobalt Strike Ryuk 2020-10-08 ⋅ Bayerischer Rundfunk ⋅ Ann-Kathrin Wetter, Hakan Tanriverdi, Kai Biermann,\r\nMax Zierer, Thi Do Nguyen\r\nThere is no safe place\r\nCobalt Strike 2020-10-02 ⋅ Health Sector Cybersecurity Coordination Center (HC3) ⋅ Health Sector Cybersecurity Coordination\r\nCenter (HC3)\r\nReport 202010021600: Recent Bazarloader Use in Ransomware Campaigns\r\nBazarBackdoor Cobalt Strike Ryuk TrickBot 2020-10-01 ⋅ US-CERT ⋅ US-CERT\r\nAlert (AA20-275A): Potential for China Cyber Response to Heightened U.S.-China Tensions\r\nCHINACHOPPER Cobalt Strike Empire Downloader MimiKatz Poison Ivy 2020-10-01 ⋅ Wired ⋅ Andy Greenberg\r\nRussia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency\r\nCobalt Strike Meterpreter 2020-09-29 ⋅ CrowdStrike ⋅ Kareem Hamdan, Lucas Miller\r\nGetting the Bacon from the Beacon\r\nCobalt Strike 2020-09-29 ⋅ Github (Apr4h) ⋅ Apra\r\nCobaltStrikeScan\r\nCobalt Strike 2020-09-24 ⋅ US-CERT ⋅ US-CERT\r\nAnalysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor\r\nCobalt Strike Meterpreter 2020-09-22 ⋅ vmware ⋅ Omar Elgebaly, Takahiro Haruyama\r\nDetecting Threats in Real-time With Active C2 Information\r\nAgent.BTZ Cobalt Strike Dacls NetWire RC PoshC2 Winnti 2020-09-21 ⋅ Cisco Talos ⋅ Joe Marshall, 
JON MUNSHAW,\r\nNick Mavis\r\nThe art and science of detecting Cobalt Strike\r\nCobalt Strike 2020-09-18 ⋅ Trend Micro ⋅ Trend Micro\r\nU.S. Justice Department Charges APT41 Hackers over Global Cyberattacks\r\nCobalt Strike ColdLock SharPyShell 2020-09-03 ⋅ ⋅ Viettel Cybersecurity ⋅ vuonglvm\r\nAPT32 deobfuscation arsenal: Deobfuscating một vài loại Obfucation Toolkit của APT32 (Phần 2)\r\nCobalt Strike 2020-09-01 ⋅ Cisco Talos ⋅ Caitlin Huey, David Liebenberg\r\nQuarterly Report: Incident Response trends in Summer 2020\r\nCobalt Strike LockBit Mailto Maze Ryuk 2020-08-31 ⋅ The DFIR Report ⋅ The DFIR Report\r\nNetWalker Ransomware in 1 Hour\r\nCobalt Strike Mailto MimiKatz 2020-08-20 ⋅ ⋅ Seebug Paper ⋅ Malayke\r\nUse ZoomEye to track multiple Redteam C\u0026C post-penetration attack frameworks\r\nCobalt Strike Empire Downloader PoshC2 2020-08-19 ⋅ ⋅ TEAMT5 ⋅ TeamT5\r\n調查局 08/19 公布中國對台灣政府機關駭侵事件說明\r\nCobalt Strike Waterbear 2020-08-14 ⋅ Twitter (@VK_intel) ⋅ Vitali Kremez\r\nTweet on Zloader infection leading to Cobaltstrike Installation\r\nCobalt Strike Zloader 2020-08-06 ⋅ Wired ⋅ Andy Greenberg\r\nChinese Hackers Have Pillaged Taiwan's Semiconductor Industry\r\nCobalt Strike MimiKatz Winnti Red Charon 2020-08-04 ⋅ BlackHat ⋅ Chung-Kuan Chen, Inndy Lin, Shang-De Jiang\r\nOperation Chimera - APT Operation Targets Semiconductor Vendors\r\nCobalt Strike MimiKatz Winnti Red Charon 2020-07-29 ⋅ Kaspersky Labs ⋅ GReAT\r\nAPT trends report Q2 2020\r\nPhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya\r\nGodlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess\r\nX-Agent XTunnel 2020-07-26 ⋅ Shells.System blog ⋅ Askar\r\nIn-Memory shellcode decoding to evade AVs/EDRs\r\nCobalt Strike 2020-07-22 ⋅ On the Hunt ⋅ Newton Paul\r\nAnalysing Fileless Malware: Cobalt Strike Beacon\r\nCobalt Strike 2020-07-21 ⋅ Malwarebytes ⋅ Hossein Jazi, Jérôme Segura\r\nChinese APT group targets India and 
Hong Kong using new variant of MgBot malware\r\nKSREMOTE Cobalt Strike MgBot Evasive Panda 2020-07-07 ⋅ MWLab ⋅ Ladislav Bačo\r\nCobalt Strike stagers used by FIN6\r\nCobalt Strike 2020-07-01 ⋅ Contextis ⋅ Lampros Noutsos, Oliver Fay\r\nDLL Search Order Hijacking\r\nCobalt Strike PlugX 2020-06-23 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team\r\nSodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike\r\nCobalt Strike REvil 2020-06-23 ⋅ NCC Group ⋅ Michael Sandee, Nikolaos Pantazopoulos, Stefano Antenucci\r\nWastedLocker: A New Ransomware Variant Developed By The Evil Corp Group\r\nCobalt Strike ISFB WastedLocker 2020-06-22 ⋅ Sentinel LABS ⋅ Jason Reaves, Joshua Platt\r\nInside a TrickBot Cobalt Strike Attack Server\r\nCobalt Strike TrickBot 2020-06-22 ⋅ Talos Intelligence ⋅ Asheer Malhotra\r\nIndigoDrop spreads via military-themed lures to deliver Cobalt Strike\r\nCobalt Strike IndigoDrop 2020-06-19 ⋅ Zscaler ⋅ Atinderpal Singh, Nirmal Singh, Sahil Antil\r\nTargeted Attack Leverages India-China Border Dispute to Lure Victims\r\nCobalt Strike 2020-06-19 ⋅ Youtube (Raphael Mudge) ⋅ Raphael Mudge\r\nBeacon Object Files - Luser Demo\r\nCobalt Strike 2020-06-18 ⋅ Australian Cyber Security Centre ⋅ Australian Cyber Security Centre (ACSC)\r\nAdvisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple\r\nAustralian networks\r\nTwoFace Cobalt Strike Empire Downloader 2020-06-17 ⋅ Malwarebytes ⋅ Hossein Jazi, Jérôme Segura\r\nMulti-stage APT attack drops Cobalt Strike using Malleable C2 feature\r\nCobalt Strike 2020-06-15 ⋅ NCC Group ⋅ Exploit Development Group\r\nStriking Back at Retired Cobalt Strike: A look at a legacy vulnerability\r\nCobalt Strike 2020-06-09 ⋅ Github (Sentinel-One) ⋅ Gal Kristal\r\nCobaltStrikeParser\r\nCobalt Strike 2020-05-14 ⋅ Lab52 ⋅ Dex\r\nThe energy reserves in the Eastern 
Mediterranean Sea and a malicious campaign of APT10 against Turkey\r\nCobalt Strike HTran MimiKatz PlugX Quasar RAT 2020-05-11 ⋅ SentinelOne ⋅ Gal Kristal\r\nThe Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration\r\nCobalt Strike 2020-04-24 ⋅ The DFIR Report ⋅ The DFIR Report\r\nUrsnif via LOLbins\r\nCobalt Strike LOLSnif TeamSpy 2020-04-16 ⋅ Medium CyCraft ⋅ CyCraft Technology Corp\r\nTaiwan High-Tech Ecosystem Targeted by Foreign APT Group: Digital Skeleton Key Bypasses Security Measures\r\nCobalt Strike MimiKatz Red Charon 2020-04-02 ⋅ Darktrace ⋅ Max Heinemeyer\r\nCatching APT41 exploiting a zero-day vulnerability\r\nCobalt Strike 2020-03-26 ⋅ VMWare Carbon Black ⋅ Scott Knight\r\nThe Dukes of Moscow\r\nCobalt Strike LiteDuke MiniDuke OnionDuke PolyglotDuke PowerDuke 2020-03-25 ⋅ Wilbur Security ⋅ JW\r\nTrickbot to Ryuk in Two Hours\r\nCobalt Strike Ryuk TrickBot 2020-03-25 ⋅ FireEye ⋅ Christopher Glyer, Dan Perez, Sarah Jones, Steve Miller\r\nThis Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits\r\nSpeculoos Cobalt Strike 2020-03-22 ⋅ Malware and Stuff ⋅ Andreas Klopsch\r\nMustang Panda joins the COVID-19 bandwagon\r\nCobalt Strike 2020-03-20 ⋅ RECON INFOSEC ⋅ Luke Rusten\r\nAnalysis Of Exploitation: CVE-2020-10189 ( exploited by APT41)\r\nCobalt Strike 2020-03-04 ⋅ Cobalt Strike ⋅ Raphael Mudge\r\nCobalt Strike joins Core Impact at HelpSystems, LLC\r\nCobalt Strike 2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike\r\n2020 CrowdStrike Global Threat Report\r\nMESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon\r\nSystem Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx\r\nGandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook\r\nBackdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader 
TerraRecon\r\nTerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40\r\nBlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group\r\nGOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER\r\nPINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY\r\nTIGER 2020-03-03 ⋅ PWC UK ⋅ PWC UK\r\nCyber Threats 2019:A Year in Retrospect\r\nKevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack\r\nEmotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar\r\nLockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper\r\nStoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle 2020-02-20 ⋅ McAfee ⋅\r\nChristiaan Beek, Darren Fitzpatrick, Eamonn Ryan\r\nCSI: Evidence Indicators for Targeted Ransomware Attacks – Part II\r\nCobalt Strike LockerGoga Maze MegaCortex 2020-02-19 ⋅ FireEye ⋅ FireEye\r\nM-Trends 2020\r\nCobalt Strike Grateful POS LockerGoga QakBot TrickBot 2020-02-18 ⋅ Trend Micro ⋅ Cedric Pernet, Daniel Lunghi, Jamz\r\nYaneza, Kenney Lu\r\nUncovering DRBControl: Inside the Cyberespionage Campaign Targeting Gambling Operations\r\nCobalt Strike HyperBro PlugX Trochilus RAT Operation DRBControl 2020-02-18 ⋅ Cisco Talos ⋅ Vanja Svajcer\r\nBuilding a bypass with MSBuild\r\nCobalt Strike GRUNT MimiKatz 2020-02-13 ⋅ Qianxin ⋅ Qi Anxin Threat Intelligence Center\r\nAPT Report 2019\r\nChrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus\r\nBONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike\r\nDacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS\r\nHOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax\r\nMiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat 
TrickBot\r\nVolgmer X-Agent Zebrocy 2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nBRONZE MOHAWK\r\nAIRBREAK scanbox BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi homefry murkytop SeDll\r\nAPT40 2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nBRONZE PRESIDENT\r\nCHINACHOPPER Cobalt Strike PlugX MUSTANG PANDA 2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nBRONZE RIVERSIDE\r\nAnel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves APT10 2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nGOLD DUPONT\r\nCobalt Strike Defray PyXie GOLD DUPONT 2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nGOLD KINGSWOOD\r\nMore_eggs ATMSpitter Cobalt Strike CobInt MimiKatz 2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nGOLD NIAGARA\r\nBateleur Griffon Carbanak Cobalt Strike DRIFTPIN TinyMet FIN7 2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nTIN WOODLAWN\r\nCobalt Strike KerrDown MimiKatz PHOREAL RatSnif Remy SOUNDBITE APT32 2020-01-01 ⋅ Secureworks ⋅\r\nSecureWorks\r\nGOLD KINGSWOOD\r\nMore_eggs ATMSpitter Cobalt Strike CobInt MimiKatz Cobalt 2019-12-12 ⋅ FireEye ⋅ Chi-en Shen, Oleg Bondarenko\r\nCyber Threat Landscape in Japan – Revealing Threat in the Shadow\r\nCerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer\r\n(PWS) PandaBanker PLEAD POISONPLUG TrickBot BlackTech 2019-12-05 ⋅ Raphael Mudge\r\nCobalt Strike 4.0 – Bring Your Own Weaponization\r\nCobalt Strike 2019-12-05 ⋅ ⋅ Github (blackorbird) ⋅ blackorbird\r\nAPT32 Report\r\nCobalt Strike 2019-11-29 ⋅ Deloitte ⋅ Thomas Thomasen\r\nCyber Threat Intelligence \u0026 Incident Response\r\nCobalt Strike 2019-11-19 ⋅ FireEye ⋅ Kelli Vanderlee, Nalani Fraser\r\nAchievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions\r\nMESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT\r\nHIGHNOON HTran MimiKatz NetWire RC POISONPLUG Poison Ivy pupy Quasar RAT ZXShell 2019-11-05 
⋅\r\ntccontre Blog ⋅ tccontre\r\nCobaltStrike - beacon.dll : Your No Ordinary MZ Header\r\nCobalt Strike 2019-09-23 ⋅ MITRE ⋅ MITRE ATT\u0026CK\r\nAPT41\r\nDerusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire\r\nDownloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41 2019-09-22 ⋅ Check Point\r\nResearch ⋅ Check Point Research\r\nRancor: The Year of The Phish\r\n8.t Dropper Cobalt Strike 2019-06-13 ⋅ Sekoia ⋅ sekoia\r\nHunting and detecting Cobalt Strike\r\nCobalt Strike 2019-06-04 ⋅ Bitdefender ⋅ Bitdefender\r\nAn APT Blueprint: Gaining New Visibility into Financial Threats\r\nMore_eggs Cobalt Strike 2019-05-08 ⋅ Verizon Communications Inc. ⋅ Verizon Communications Inc.\r\n2019 Data Breach Investigations Report\r\nBlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam 2019-04-24 ⋅ Weixin ⋅\r\nTencent\r\n\"Sea Lotus\" APT organization's attack techniques against China in the first quarter of 2019 revealed\r\nCobalt Strike SOUNDBITE 2019-04-15 ⋅ PenTestPartners ⋅ Neil Lines\r\nCobalt Strike. 
Walkthrough for Red Teamers\r\nCobalt Strike 2019-04-01 ⋅ ⋅ Macnica Networks ⋅ Macnica Networks\r\nOceanLotus Attack on Southeast Asian Automotive Industry\r\nCACTUSTORCH Cobalt Strike 2019-04-01 ⋅ ⋅ Macnica Networks ⋅ Macnica Networks\r\nTrends in Cyber Espionage Targeting Japan 2nd Half of 2018\r\nAnel Cobalt Strike Datper PLEAD Quasar RAT RedLeaves taidoor Zebrocy 2019-03-24 ⋅ One Night in Norfolk ⋅ Kevin\r\nPerlow\r\nJEShell: An OceanLotus (APT32) Backdoor\r\nCobalt Strike KerrDown 2019-02-27 ⋅ Morphisec ⋅ Alon Groisman, Michael Gorelik\r\nNew Global Cyber Attack on Point of Sale Sytem\r\nCobalt Strike 2019-02-26 ⋅ Fox-IT ⋅ Fox IT\r\nIdentifying Cobalt Strike team servers in the wild\r\nCobalt Strike 2018-11-19 ⋅ FireEye ⋅ Andrew Thompson, Ben Withnell, Jonathan Leathery, Matthew Dunwoody, Michael Matonis,\r\nNick Carr\r\nNot So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign\r\nCobalt Strike 2018-11-18 ⋅ Stranded on Pylos Blog ⋅ Joe\r\nCozyBear – In from the Cold?\r\nCobalt Strike APT29 2018-10-01 ⋅ FireEye ⋅ Katie Nickels, Regina Elwell\r\nATT\u0026CKing FIN7\r\nBateleur BELLHOP Griffon ANTAK POWERPIPE POWERSOURCE HALFBAKED BABYMETAL Carbanak\r\nCobalt Strike DNSMessenger DRIFTPIN PILLOWMINT SocksBot 2018-10-01 ⋅ ⋅ Macnica Networks ⋅ Macnica\r\nNetworks\r\nTrends in cyber espionage (targeted attacks) targeting Japan | First half of 2018\r\nAnel Cobalt Strike Datper FlawedAmmyy Quasar RAT RedLeaves taidoor Winnti xxmm 2018-10-01 ⋅ Group-IB ⋅\r\nGroup-IB\r\nHi-Tech Crime Trends 2018\r\nBackSwap Cobalt Strike Cutlet Meterpreter 2018-08-03 ⋅ JPCERT/CC ⋅ Takuya Endo, Yukako Uchida\r\nVolatility Plugin for Detecting Cobalt Strike Beacon\r\nCobalt Strike 2018-07-31 ⋅ Github (JPCERTCC) ⋅ JPCERT/CC\r\nScanner for CobaltStrike\r\nCobalt Strike 2018-05-21 ⋅ ⋅ LAC ⋅ Yoshihiro Ishikawa\r\nConfirmed new attacks by APT attacker group menuPass (APT10)\r\nCobalt 
Strike 2017-06-06 ⋅ FireEye ⋅ Ian Ahl\r\nPrivileges and Credentials: Phished at the Request of Counsel\r\nCobalt Strike 2017-06-06 ⋅ Mandiant ⋅ Ian Ahl\r\nPrivileges and Credentials: Phished at the Request of Counsel\r\nCobalt Strike APT19 2017-04-26 ⋅ Youtube (Kaspersky) ⋅ Kaspersky\r\nChina's Evolving Cyber Operations: A Look into APT19's Shift in Tactics\r\nCobalt Strike APT19 2016-10-11 ⋅ Symantec ⋅ Symantec Security Response\r\nOdinaff: New Trojan used in high level financial attacks\r\nCobalt Strike KLRD MimiKatz Odinaff 2012-01-01 ⋅ Cobalt Strike ⋅ Cobalt Strike\r\nCobalt Strike Website\r\nCobalt Strike\r\n[TLP:WHITE] win_cobalt_strike_auto (20251219 | Detects win.cobalt_strike.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike"
	],
	"report_names": [
		"win.cobalt_strike"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "11f52079-26d3-4e06-8665-6a0b3efdc41c",
			"created_at": "2022-10-25T16:07:23.736987Z",
			"updated_at": "2026-04-10T02:00:04.732021Z",
			"deleted_at": null,
			"main_name": "InvisiMole",
			"aliases": [
				"UAC-0035"
			],
			"source_name": "ETDA:InvisiMole",
			"tools": [
				"InvisiMole"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7c00086d-9535-4552-8201-1dd725e41b12",
			"created_at": "2023-04-26T02:03:03.128736Z",
			"updated_at": "2026-04-10T02:00:05.239152Z",
			"deleted_at": null,
			"main_name": "LuminousMoth",
			"aliases": [
				"LuminousMoth"
			],
			"source_name": "MITRE:LuminousMoth",
			"tools": [
				"PlugX",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5a1096e-e481-4a8c-ae06-e3328276d935",
			"created_at": "2022-10-25T16:07:23.199712Z",
			"updated_at": "2026-04-10T02:00:04.485374Z",
			"deleted_at": null,
			"main_name": "Clockwork Spider",
			"aliases": [],
			"source_name": "ETDA:Clockwork Spider",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d",
			"created_at": "2025-08-07T02:03:24.741594Z",
			"updated_at": "2026-04-10T02:00:03.653394Z",
			"deleted_at": null,
			"main_name": "COBALT HICKMAN",
			"aliases": [
				"APT39 ",
				"Burgundy Sandstorm ",
				"Chafer ",
				"ITG07 ",
				"Remix Kitten "
			],
			"source_name": "Secureworks:COBALT HICKMAN",
			"tools": [
				"MechaFlounder",
				"Mimikatz",
				"Remexi",
				"TREKX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1f3cf3d1-4764-4158-a216-dd6352e671bb",
			"created_at": "2022-10-25T15:50:23.837615Z",
			"updated_at": "2026-04-10T02:00:05.322197Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"APT19",
				"Codoso",
				"C0d0so0",
				"Codoso Team",
				"Sunshop Group"
			],
			"source_name": "MITRE:APT19",
			"tools": [
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4434c71b-c424-4c06-b923-4f3f54f24f40",
			"created_at": "2022-10-25T16:07:23.453526Z",
			"updated_at": "2026-04-10T02:00:04.611408Z",
			"deleted_at": null,
			"main_name": "ChamelGang",
			"aliases": [
				"CamoFei"
			],
			"source_name": "ETDA:ChamelGang",
			"tools": [
				"7-Zip",
				"Agentemis",
				"BeaconLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DoorMe",
				"FRP",
				"Fast Reverse Proxy",
				"ProxyT",
				"Tiny SHell",
				"cobeacon",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99d9dd87-91c3-4371-9943-0a1c9c3cd99c",
			"created_at": "2022-10-25T16:07:23.277763Z",
			"updated_at": "2026-04-10T02:00:04.514755Z",
			"deleted_at": null,
			"main_name": "Solar Spider",
			"aliases": [],
			"source_name": "ETDA:Solar Spider",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "56daf304-dd2c-4fa1-a01f-8c0a7e5e5c30",
			"created_at": "2022-10-25T16:07:23.586985Z",
			"updated_at": "2026-04-10T02:00:04.676803Z",
			"deleted_at": null,
			"main_name": "EmpireMonkey",
			"aliases": [
				"Anthropoid Spider",
				"CobaltGoblin",
				"EmpireMonkey"
			],
			"source_name": "ETDA:EmpireMonkey",
			"tools": [
				"AKO Doxware",
				"AKO Ransomware",
				"MedusaLocker",
				"MedusaReborn"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0bc63952-5795-4fc7-85c1-50a7f207f2f0",
			"created_at": "2023-11-14T02:00:07.095723Z",
			"updated_at": "2026-04-10T02:00:03.450401Z",
			"deleted_at": null,
			"main_name": "DarkCasino",
			"aliases": [],
			"source_name": "MISPGALAXY:DarkCasino",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "501fec31-9b82-487b-bad5-736645148ddc",
			"created_at": "2022-10-25T16:07:23.569989Z",
			"updated_at": "2026-04-10T02:00:04.670486Z",
			"deleted_at": null,
			"main_name": "Earth Wendigo",
			"aliases": [],
			"source_name": "ETDA:Earth Wendigo",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f67fb5b3-b0d4-484c-943e-ebf12251eff6",
			"created_at": "2022-10-25T16:07:23.605611Z",
			"updated_at": "2026-04-10T02:00:04.685162Z",
			"deleted_at": null,
			"main_name": "FamousSparrow",
			"aliases": [
				"Earth Estries"
			],
			"source_name": "ETDA:FamousSparrow",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "535a1a2d-0cc7-4746-bed1-4ab13b6ec979",
			"created_at": "2024-11-08T02:00:03.970177Z",
			"updated_at": "2026-04-10T02:00:03.74428Z",
			"deleted_at": null,
			"main_name": "Operation Cobalt Whisper",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Cobalt Whisper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "539855ac-def3-46a0-a490-f33abde7976f",
			"created_at": "2025-08-07T02:03:24.802704Z",
			"updated_at": "2026-04-10T02:00:03.718613Z",
			"deleted_at": null,
			"main_name": "GOLD ANDREW",
			"aliases": [
				"Smoky Spider "
			],
			"source_name": "Secureworks:GOLD ANDREW",
			"tools": [
				"Smoke Loader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "334d00aa-7607-4072-9f5b-00d60bae89a7",
			"created_at": "2023-01-06T13:46:39.280703Z",
			"updated_at": "2026-04-10T02:00:03.272492Z",
			"deleted_at": null,
			"main_name": "GOLD WATERFALL",
			"aliases": [],
			"source_name": "MISPGALAXY:GOLD WATERFALL",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2f964894-0020-457e-b4e7-65a8c8fe740c",
			"created_at": "2025-05-29T02:00:03.202897Z",
			"updated_at": "2026-04-10T02:00:03.858601Z",
			"deleted_at": null,
			"main_name": "Earth Alux",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Alux",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d0338f31-ace4-4fec-972b-d1ba9815d1de",
			"created_at": "2023-01-06T13:46:39.283728Z",
			"updated_at": "2026-04-10T02:00:03.273567Z",
			"deleted_at": null,
			"main_name": "GOLD WINTER",
			"aliases": [],
			"source_name": "MISPGALAXY:GOLD WINTER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7936e2f8-5179-414a-8b57-530c28062f26",
			"created_at": "2023-04-27T02:04:45.231554Z",
			"updated_at": "2026-04-10T02:00:04.87247Z",
			"deleted_at": null,
			"main_name": "RedGolf",
			"aliases": [],
			"source_name": "ETDA:RedGolf",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"ELFSHELF",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c416152c-d268-40a3-8887-01d2ec452b7c",
			"created_at": "2023-04-27T02:04:45.481771Z",
			"updated_at": "2026-04-10T02:00:04.987067Z",
			"deleted_at": null,
			"main_name": "YoroTrooper",
			"aliases": [
				"Silent Lynx"
			],
			"source_name": "ETDA:YoroTrooper",
			"tools": [
				"Loda",
				"Loda RAT",
				"LodaRAT",
				"Meterpreter",
				"Nymeria",
				"Warzone",
				"Warzone RAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa5b200f-a6c6-4d17-bc65-911d9a7bf4ef",
			"created_at": "2022-10-25T16:07:23.866039Z",
			"updated_at": "2026-04-10T02:00:04.765416Z",
			"deleted_at": null,
			"main_name": "Mallard Spider",
			"aliases": [
				"Gold Lagoon"
			],
			"source_name": "ETDA:Mallard Spider",
			"tools": [
				"Egregor",
				"Mimikatz",
				"Oakboat",
				"PinkSlip",
				"Pinkslipbot",
				"ProLock",
				"PwndLocker",
				"QakBot",
				"Qbot",
				"QuackBot",
				"QuakBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f547e816-ea17-442e-915d-c5c76a30669b",
			"created_at": "2022-10-25T16:07:23.891717Z",
			"updated_at": "2026-04-10T02:00:04.780944Z",
			"deleted_at": null,
			"main_name": "NB65",
			"aliases": [],
			"source_name": "ETDA:NB65",
			"tools": [
				"NB65"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "12211366-1f14-4eed-9d91-46b6a2ede618",
			"created_at": "2025-08-07T02:03:25.014713Z",
			"updated_at": "2026-04-10T02:00:03.624097Z",
			"deleted_at": null,
			"main_name": "GOLD ULRICK",
			"aliases": [
				"Grim Spider ",
				"UNC1878 "
			],
			"source_name": "Secureworks:GOLD ULRICK",
			"tools": [
				"Bloodhound",
				"Buer Loader",
				"Cobalt Strike",
				"Conti",
				"Diavol",
				"PowerShell Empire",
				"Ryuk",
				"SystemBC",
				"Team9 (aka BazarLoader)",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f4e7d054-d52b-437f-abe6-027d8ea42d51",
			"created_at": "2025-08-07T02:03:25.028729Z",
			"updated_at": "2026-04-10T02:00:03.616558Z",
			"deleted_at": null,
			"main_name": "GOLD WATERFALL",
			"aliases": [
				""
			],
			"source_name": "Secureworks:GOLD WATERFALL",
			"tools": [
				"BlackMatter",
				"CANVAS",
				"Cobalt Strike",
				"Darkside"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8a3bd03a-f69b-455b-b88b-3842a3528bfd",
			"created_at": "2022-10-25T16:07:24.178007Z",
			"updated_at": "2026-04-10T02:00:04.89066Z",
			"deleted_at": null,
			"main_name": "SharpPanda",
			"aliases": [
				"Sharp Dragon",
				"SharpPanda"
			],
			"source_name": "ETDA:SharpPanda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"RoyalRoad",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2137e858-a11d-4b75-ae54-3267b096a4fc",
			"created_at": "2025-06-29T02:01:56.98797Z",
			"updated_at": "2026-04-10T02:00:04.667535Z",
			"deleted_at": null,
			"main_name": "Earth Lamia",
			"aliases": [],
			"source_name": "ETDA:Earth Lamia",
			"tools": [
				"BypassBoss",
				"PULSEPACK"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "71b19e59-b5f7-4bc6-816d-194be0f02af0",
			"created_at": "2022-10-25T16:07:24.301036Z",
			"updated_at": "2026-04-10T02:00:04.928222Z",
			"deleted_at": null,
			"main_name": "Taidoor",
			"aliases": [
				"Budminer",
				"Earth Aughisky",
				"G0015"
			],
			"source_name": "ETDA:Taidoor",
			"tools": [
				"Dripion",
				"Masson",
				"Taidoor",
				"simbot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6ad410c7-e291-4327-a54b-281c23f0d4fa",
			"created_at": "2022-10-25T16:07:24.501468Z",
			"updated_at": "2026-04-10T02:00:05.013427Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Mushy Scorpius"
			],
			"source_name": "ETDA:Karakurt",
			"tools": [
				"7-Zip",
				"Agentemis",
				"AnyDesk",
				"Cobalt Strike",
				"CobaltStrike",
				"FileZilla",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"WinZip",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "88854a9f-641a-4412-89db-449b4d5cbc51",
			"created_at": "2022-10-25T16:07:23.963599Z",
			"updated_at": "2026-04-10T02:00:04.810023Z",
			"deleted_at": null,
			"main_name": "Operation HangOver",
			"aliases": [
				"G0042",
				"Monsoon",
				"Operation HangOver",
				"Viceroy Tiger"
			],
			"source_name": "ETDA:Operation HangOver",
			"tools": [
				"AutoIt backdoor",
				"BADNEWS",
				"BackConfig",
				"JakyllHyde",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6f37e16f-64b2-4b9c-b5b4-08d0884660eb",
			"created_at": "2022-10-25T16:07:24.380872Z",
			"updated_at": "2026-04-10T02:00:04.966462Z",
			"deleted_at": null,
			"main_name": "Viking Spider",
			"aliases": [],
			"source_name": "ETDA:Viking Spider",
			"tools": [
				"Ragnar Locker",
				"RagnarLocker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "748eb9f3-ef15-4645-881b-b91681111812",
			"created_at": "2022-10-25T16:07:24.510024Z",
			"updated_at": "2026-04-10T02:00:05.016515Z",
			"deleted_at": null,
			"main_name": "Monty Spider",
			"aliases": [
				"Gold Riverview"
			],
			"source_name": "ETDA:Monty Spider",
			"tools": [
				"Necurs",
				"nucurs"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ab9d6b30-7c60-4d0b-8f49-e2e913c28508",
			"created_at": "2022-10-25T16:07:24.584775Z",
			"updated_at": "2026-04-10T02:00:05.042135Z",
			"deleted_at": null,
			"main_name": "UNC1878",
			"aliases": [],
			"source_name": "ETDA:UNC1878",
			"tools": [
				"Agentemis",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"KEGTAP",
				"Ryuk",
				"Team9Backdoor",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67fbc7d7-ba8e-4258-b53c-9a5d755e1960",
			"created_at": "2022-10-25T16:07:24.077859Z",
			"updated_at": "2026-04-10T02:00:04.860725Z",
			"deleted_at": null,
			"main_name": "Promethium",
			"aliases": [
				"APT-C-41",
				"G0056",
				"Magenta Dust",
				"Promethium",
				"StrongPity"
			],
			"source_name": "ETDA:Promethium",
			"tools": [
				"StrongPity",
				"StrongPity2",
				"StrongPity3",
				"Truvasys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3f86085e-95c5-4007-8bd7-86ad330ce4eb",
			"created_at": "2022-10-25T16:07:24.457008Z",
			"updated_at": "2026-04-10T02:00:04.998531Z",
			"deleted_at": null,
			"main_name": "Bismuth",
			"aliases": [
				"Canvas Cyclone"
			],
			"source_name": "ETDA:Bismuth",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24",
			"created_at": "2022-10-25T16:47:55.853415Z",
			"updated_at": "2026-04-10T02:00:03.856263Z",
			"deleted_at": null,
			"main_name": "GOLD TOMAHAWK",
			"aliases": [
				"Karakurt",
				"Karakurt Lair",
				"Karakurt Team"
			],
			"source_name": "Secureworks:GOLD TOMAHAWK",
			"tools": [
				"7-Zip",
				"AnyDesk",
				"Mega",
				"QuickPacket",
				"Rclone",
				"SendGB"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "698f4ba6-a3da-4b06-98b2-863b12a15e83",
			"created_at": "2022-10-25T16:47:55.778377Z",
			"updated_at": "2026-04-10T02:00:03.615699Z",
			"deleted_at": null,
			"main_name": "GOLD LAGOON",
			"aliases": [
				""
			],
			"source_name": "Secureworks:GOLD LAGOON",
			"tools": [
				"QakBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM ",
				"Opal Sleet "
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1aead86d-0c57-4e3b-b464-a69f6de20cde",
			"created_at": "2023-01-06T13:46:38.318176Z",
			"updated_at": "2026-04-10T02:00:02.925424Z",
			"deleted_at": null,
			"main_name": "DAGGER PANDA",
			"aliases": [
				"UAT-7290",
				"Red Foxtrot",
				"IceFog",
				"RedFoxtrot",
				"Red Wendigo",
				"PLA Unit 69010"
			],
			"source_name": "MISPGALAXY:DAGGER PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6241b9be-9c59-4164-a7f2-c45844b14a56",
			"created_at": "2023-01-06T13:46:38.321506Z",
			"updated_at": "2026-04-10T02:00:02.926657Z",
			"deleted_at": null,
			"main_name": "APT24",
			"aliases": [
				"PITTY PANDA",
				"G0011",
				"Temp.Pittytiger"
			],
			"source_name": "MISPGALAXY:APT24",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "01d569b1-f089-4a8f-8396-85078b93da26",
			"created_at": "2023-01-06T13:46:38.411615Z",
			"updated_at": "2026-04-10T02:00:02.963422Z",
			"deleted_at": null,
			"main_name": "BuhTrap",
			"aliases": [],
			"source_name": "MISPGALAXY:BuhTrap",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2128689c-108c-4d66-b551-de8e4fcf8653",
			"created_at": "2023-11-14T02:00:07.084086Z",
			"updated_at": "2026-04-10T02:00:03.445971Z",
			"deleted_at": null,
			"main_name": "Water Labbu",
			"aliases": [],
			"source_name": "MISPGALAXY:Water Labbu",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6d1762e8-c48c-4fda-b4d1-ecb91179720e",
			"created_at": "2022-10-25T16:07:24.55351Z",
			"updated_at": "2026-04-10T02:00:05.031489Z",
			"deleted_at": null,
			"main_name": "Salty Spider",
			"aliases": [],
			"source_name": "ETDA:Salty Spider",
			"tools": [
				"Kookoo",
				"Kukacka",
				"Kuku",
				"SalLoad",
				"SaliCode",
				"Sality"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "058823d4-60c2-42ab-a3aa-4c10f0ff37c9",
			"created_at": "2022-10-25T16:07:24.57064Z",
			"updated_at": "2026-04-10T02:00:05.036609Z",
			"deleted_at": null,
			"main_name": "Smoky Spider",
			"aliases": [],
			"source_name": "ETDA:Smoky Spider",
			"tools": [
				"Dofoil",
				"Oficla",
				"Sasfis",
				"Sharik",
				"Smoke Loader",
				"SmokeLoader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "220e1e99-97ab-440a-8027-b672c5c5df44",
			"created_at": "2022-10-25T16:47:55.773407Z",
			"updated_at": "2026-04-10T02:00:03.649501Z",
			"deleted_at": null,
			"main_name": "GOLD KINGSWOOD",
			"aliases": [
				"Cobalt Gang ",
				"Cobalt Spider "
			],
			"source_name": "Secureworks:GOLD KINGSWOOD",
			"tools": [
				"ATMSpitter",
				"Buhtrap",
				"Carbanak",
				"Cobalt Strike",
				"CobtInt",
				"Cyst",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"SpicyOmelette"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e47e5bc6-9823-48b4-b4c8-44d213853a3d",
			"created_at": "2023-11-17T02:00:07.588367Z",
			"updated_at": "2026-04-10T02:00:03.453612Z",
			"deleted_at": null,
			"main_name": "MirrorFace",
			"aliases": [
				"Earth Kasha"
			],
			"source_name": "MISPGALAXY:MirrorFace",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "02e5c3b8-54b4-4170-b200-7f1fd361b5a9",
			"created_at": "2022-10-25T16:07:24.557505Z",
			"updated_at": "2026-04-10T02:00:05.032451Z",
			"deleted_at": null,
			"main_name": "Scully Spider",
			"aliases": [
				"Scully Spider",
				"TA547"
			],
			"source_name": "ETDA:Scully Spider",
			"tools": [
				"DanaBot",
				"Lumma Stealer",
				"LummaC2",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"Rhadamanthys",
				"Rhadamanthys Stealer",
				"Stealc"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-10T02:00:04.853499Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c2385aea-d30b-4dbc-844d-fef465cf3ea9",
			"created_at": "2023-01-06T13:46:38.916521Z",
			"updated_at": "2026-04-10T02:00:03.144667Z",
			"deleted_at": null,
			"main_name": "LUNAR SPIDER",
			"aliases": [
				"GOLD SWATHMORE"
			],
			"source_name": "MISPGALAXY:LUNAR SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b317799-01c0-48fa-aee2-31a738116771",
			"created_at": "2022-11-20T02:02:37.746719Z",
			"updated_at": "2026-04-10T02:00:04.561617Z",
			"deleted_at": null,
			"main_name": "Earth Longzhi",
			"aliases": [
				"Earth Longzhi"
			],
			"source_name": "ETDA:Earth Longzhi",
			"tools": [
				"Agentemis",
				"BigpipeLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"CroxLoader",
				"MultiPipeLoader",
				"OutLoader",
				"Symatic Loader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f799b96d-bc59-4b35-ae5c-dfe87e5b735b",
			"created_at": "2023-04-26T02:02:01.286476Z",
			"updated_at": "2026-04-10T02:00:03.363506Z",
			"deleted_at": null,
			"main_name": "RedGolf",
			"aliases": [],
			"source_name": "MISPGALAXY:RedGolf",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "25758a84-d695-44e7-9cd5-3c6e999ce6c0",
			"created_at": "2023-01-06T13:46:39.237624Z",
			"updated_at": "2026-04-10T02:00:03.255835Z",
			"deleted_at": null,
			"main_name": "OUTLAW SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:OUTLAW SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "11c69e3d-a740-4a70-abd3-158ac0375452",
			"created_at": "2023-01-06T13:46:39.29608Z",
			"updated_at": "2026-04-10T02:00:03.27813Z",
			"deleted_at": null,
			"main_name": "Common Raven",
			"aliases": [
				"NXSMS",
				"DESKTOP-GROUP",
				"OPERA1ER"
			],
			"source_name": "MISPGALAXY:Common Raven",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2c3c22a-b3db-4d4a-9a5a-76bfe6171843",
			"created_at": "2023-11-21T02:00:07.315543Z",
			"updated_at": "2026-04-10T02:00:03.461446Z",
			"deleted_at": null,
			"main_name": "UNC4841",
			"aliases": [
				"SLIME57"
			],
			"source_name": "MISPGALAXY:UNC4841",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "62585174-b1f8-47b1-9165-19b594160b01",
			"created_at": "2023-01-06T13:46:39.369991Z",
			"updated_at": "2026-04-10T02:00:03.304964Z",
			"deleted_at": null,
			"main_name": "TA578",
			"aliases": [],
			"source_name": "MISPGALAXY:TA578",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c4bc6ac9-d3e5-43f1-9adf-e77ac5386788",
			"created_at": "2022-10-25T15:50:23.722608Z",
			"updated_at": "2026-04-10T02:00:05.397432Z",
			"deleted_at": null,
			"main_name": "Thrip",
			"aliases": [
				"Thrip"
			],
			"source_name": "MITRE:Thrip",
			"tools": [
				"PsExec",
				"Mimikatz",
				"Catchamas"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f809bfcb-b200-4988-80a8-be78ef6a52ef",
			"created_at": "2023-01-06T13:46:39.186988Z",
			"updated_at": "2026-04-10T02:00:03.240002Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"Adept Libra"
			],
			"source_name": "MISPGALAXY:TeamTNT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d5cb8d20-b5b9-4ec6-9660-3dded9bd3c89",
			"created_at": "2023-01-06T13:46:39.204681Z",
			"updated_at": "2026-04-10T02:00:03.245695Z",
			"deleted_at": null,
			"main_name": "MALLARD SPIDER",
			"aliases": [
				"GOLD LAGOON"
			],
			"source_name": "MISPGALAXY:MALLARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "46818902-c96d-445c-afdb-075ef6b4afab",
			"created_at": "2023-02-18T02:04:24.443028Z",
			"updated_at": "2026-04-10T02:00:04.828275Z",
			"deleted_at": null,
			"main_name": "Operation RestyLink",
			"aliases": [
				"Earth Yako",
				"Operation Enelink"
			],
			"source_name": "ETDA:Operation RestyLink",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cbede712-4cc3-47c6-bf78-92fd9f1beac6",
			"created_at": "2022-10-25T15:50:23.777222Z",
			"updated_at": "2026-04-10T02:00:05.399303Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"PROMETHIUM",
				"StrongPity"
			],
			"source_name": "MITRE:PROMETHIUM",
			"tools": [
				"Truvasys",
				"StrongPity"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c91f7778-69aa-45fa-be0e-4ee33daf8fbd",
			"created_at": "2023-01-06T13:46:39.110148Z",
			"updated_at": "2026-04-10T02:00:03.216613Z",
			"deleted_at": null,
			"main_name": "NARWHAL SPIDER",
			"aliases": [
				"GOLD ESSEX",
				"TA544",
				"Storm-0302"
			],
			"source_name": "MISPGALAXY:NARWHAL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9fe7fd84-e2b4-4db5-9c90-c4a5791d3f94",
			"created_at": "2023-01-06T13:46:38.904178Z",
			"updated_at": "2026-04-10T02:00:03.14055Z",
			"deleted_at": null,
			"main_name": "SALTY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:SALTY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7583fbd4-2bc9-458d-81da-50b27b84e136",
			"created_at": "2023-02-15T02:01:49.565258Z",
			"updated_at": "2026-04-10T02:00:03.349283Z",
			"deleted_at": null,
			"main_name": "TA575",
			"aliases": [],
			"source_name": "MISPGALAXY:TA575",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f21d7691-a720-46bb-81d7-11edb9f73eba",
			"created_at": "2023-11-08T02:00:07.126478Z",
			"updated_at": "2026-04-10T02:00:03.420826Z",
			"deleted_at": null,
			"main_name": "1937CN",
			"aliases": [],
			"source_name": "MISPGALAXY:1937CN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "19935e32-f1a5-462d-8934-8b1c3bf3b5f2",
			"created_at": "2022-10-25T16:07:23.36465Z",
			"updated_at": "2026-04-10T02:00:04.565476Z",
			"deleted_at": null,
			"main_name": "Aquatic Panda",
			"aliases": [
				"G0143"
			],
			"source_name": "ETDA:Aquatic Panda",
			"tools": [
				"Agentemis",
				"Bladabindi",
				"Cobalt Strike",
				"CobaltStrike",
				"Fishmaster",
				"JollyJellyfish",
				"Jorik",
				"cobeacon",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8610b0d9-a6af-4010-818f-28671efc5d5e",
			"created_at": "2023-01-06T13:46:38.897477Z",
			"updated_at": "2026-04-10T02:00:03.138459Z",
			"deleted_at": null,
			"main_name": "PINCHY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:PINCHY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d027fba8-ffe7-4093-aa0d-833b52ce4427",
			"created_at": "2023-01-06T13:46:39.438394Z",
			"updated_at": "2026-04-10T02:00:03.326914Z",
			"deleted_at": null,
			"main_name": "TianWu",
			"aliases": [],
			"source_name": "MISPGALAXY:TianWu",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c84bbd2e-003d-4c43-8a46-d777455db2c7",
			"created_at": "2022-10-25T15:50:23.701006Z",
			"updated_at": "2026-04-10T02:00:05.378962Z",
			"deleted_at": null,
			"main_name": "GOLD SOUTHFIELD",
			"aliases": [
				"GOLD SOUTHFIELD",
				"Pinchy Spider"
			],
			"source_name": "MITRE:GOLD SOUTHFIELD",
			"tools": [
				"ConnectWise",
				"REvil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c8b57a00-18f4-4e49-9954-849de5e97506",
			"created_at": "2023-11-05T02:00:08.065073Z",
			"updated_at": "2026-04-10T02:00:03.395154Z",
			"deleted_at": null,
			"main_name": "SparklingGoblin",
			"aliases": [],
			"source_name": "MISPGALAXY:SparklingGoblin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "322248d6-4baf-4ada-af8e-074bc6c10132",
			"created_at": "2023-11-05T02:00:08.072145Z",
			"updated_at": "2026-04-10T02:00:03.397406Z",
			"deleted_at": null,
			"main_name": "YoroTrooper",
			"aliases": [
				"Comrade Saiga",
				"Salted Earth",
				"Sturgeon Fisher",
				"ShadowSilk",
				"Silent Lynx",
				"Cavalry Werewolf",
				"SturgeonPhisher"
			],
			"source_name": "MISPGALAXY:YoroTrooper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b046db2-f60e-49ae-8e16-0cf82a4be6fb",
			"created_at": "2022-10-25T16:07:23.427162Z",
			"updated_at": "2026-04-10T02:00:04.594113Z",
			"deleted_at": null,
			"main_name": "Buhtrap",
			"aliases": [
				"Buhtrap",
				"Operation TwoBee",
				"Ratopak Spider",
				"UAC-0008"
			],
			"source_name": "ETDA:Buhtrap",
			"tools": [
				"AmmyyRAT",
				"Buhtrap",
				"CottonCastle",
				"FlawedAmmyy",
				"NSIS",
				"Niteris EK",
				"Nullsoft Scriptable Install System",
				"Ratopak"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a5bd315b-6220-441f-8ed1-39e194dcd0e3",
			"created_at": "2023-12-01T02:02:33.667762Z",
			"updated_at": "2026-04-10T02:00:04.641333Z",
			"deleted_at": null,
			"main_name": "DarkCasino",
			"aliases": [
				"Water Hydra"
			],
			"source_name": "ETDA:DarkCasino",
			"tools": [
				"CloudEyE",
				"DarkMe",
				"GuLoader",
				"PikoloRAT",
				"vbdropper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f88b16bc-df4b-48e7-ae35-f4117240ff24",
			"created_at": "2022-10-25T15:50:23.556699Z",
			"updated_at": "2026-04-10T02:00:05.312313Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Chimera"
			],
			"source_name": "MITRE:Chimera",
			"tools": [
				"PsExec",
				"esentutl",
				"Mimikatz",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "dd08f179-5c65-4497-92ad-8ca0997e17e8",
			"created_at": "2023-01-06T13:46:39.113278Z",
			"updated_at": "2026-04-10T02:00:03.217613Z",
			"deleted_at": null,
			"main_name": "NOCTURNAL SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:NOCTURNAL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a0673493-5872-49a0-8d0d-4391302cff01",
			"created_at": "2023-03-04T02:01:54.10107Z",
			"updated_at": "2026-04-10T02:00:03.358084Z",
			"deleted_at": null,
			"main_name": "Chamelgang",
			"aliases": [
				"CamoFei"
			],
			"source_name": "MISPGALAXY:Chamelgang",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "079e3d6e-24ef-42b0-b555-75c288f9efd8",
			"created_at": "2023-03-04T02:01:54.105946Z",
			"updated_at": "2026-04-10T02:00:03.359009Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Karakurt Lair"
			],
			"source_name": "MISPGALAXY:Karakurt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "056826cb-6e17-4954-a9b4-2cc8c6ae3cb8",
			"created_at": "2023-03-04T02:01:54.115678Z",
			"updated_at": "2026-04-10T02:00:03.360898Z",
			"deleted_at": null,
			"main_name": "Prophet Spider",
			"aliases": [
				"GOLD MELODY",
				"UNC961"
			],
			"source_name": "MISPGALAXY:Prophet Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8754f54b-7154-4996-b065-94f04f846022",
			"created_at": "2023-11-07T02:00:07.095161Z",
			"updated_at": "2026-04-10T02:00:03.405596Z",
			"deleted_at": null,
			"main_name": "NB65",
			"aliases": [
				"Network Battalion 65"
			],
			"source_name": "MISPGALAXY:NB65",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "274f04ff-fae8-4e90-bcf5-3e391a860cd5",
			"created_at": "2023-12-08T02:00:05.75114Z",
			"updated_at": "2026-04-10T02:00:03.493837Z",
			"deleted_at": null,
			"main_name": "UNC215",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC215",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "065b7ea2-5920-4270-824e-94ea8a79d197",
			"created_at": "2023-12-08T02:00:05.747632Z",
			"updated_at": "2026-04-10T02:00:03.492858Z",
			"deleted_at": null,
			"main_name": "UNC2447",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC2447",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "38e9c8e3-38f8-4500-8c5c-8349b3e9a998",
			"created_at": "2023-01-06T13:46:39.207556Z",
			"updated_at": "2026-04-10T02:00:03.246557Z",
			"deleted_at": null,
			"main_name": "RIDDLE SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:RIDDLE SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e227b757-7032-4a99-b119-1bfda2ebd543",
			"created_at": "2023-01-06T13:46:39.21663Z",
			"updated_at": "2026-04-10T02:00:03.248543Z",
			"deleted_at": null,
			"main_name": "SOLAR SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:SOLAR SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "132e1e0f-8725-42cb-8c2d-d2f3ebb1f005",
			"created_at": "2023-12-08T02:00:05.758552Z",
			"updated_at": "2026-04-10T02:00:03.495698Z",
			"deleted_at": null,
			"main_name": "UAC-0118",
			"aliases": [
				"FRwL",
				"FromRussiaWithLove"
			],
			"source_name": "MISPGALAXY:UAC-0118",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "12b5d602-4017-4a6f-a2a3-387a6e07a27b",
			"created_at": "2023-01-06T13:46:39.095233Z",
			"updated_at": "2026-04-10T02:00:03.21157Z",
			"deleted_at": null,
			"main_name": "InvisiMole",
			"aliases": [],
			"source_name": "MISPGALAXY:InvisiMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fdf30f70-537c-458d-82b2-54b4f09cea48",
			"created_at": "2023-01-06T13:46:39.119613Z",
			"updated_at": "2026-04-10T02:00:03.221272Z",
			"deleted_at": null,
			"main_name": "SMOKY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:SMOKY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "873919c0-bc6a-4c19-b18d-c107e4aa3d20",
			"created_at": "2023-01-06T13:46:39.138138Z",
			"updated_at": "2026-04-10T02:00:03.227223Z",
			"deleted_at": null,
			"main_name": "Higaisa",
			"aliases": [],
			"source_name": "MISPGALAXY:Higaisa",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bcf899bb-34bb-43e1-929d-02bc91974f2a",
			"created_at": "2023-02-18T02:04:24.050644Z",
			"updated_at": "2026-04-10T02:00:04.639142Z",
			"deleted_at": null,
			"main_name": "Dalbit",
			"aliases": [],
			"source_name": "ETDA:Dalbit",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agentemis",
				"AntSword",
				"BadPotato",
				"BlueShell",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"EFSPotato",
				"FRP",
				"Fast Reverse Proxy",
				"Godzilla",
				"Godzilla Loader",
				"HTran",
				"HUC Packet Transmit Tool",
				"JuicyPotato",
				"LadonGo",
				"Metasploit",
				"Mimikatz",
				"NPS",
				"ProcDump",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"RottenPotato",
				"SinoChopper",
				"SweetPotato",
				"cobeacon",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d8dd2ca-5592-482e-b89d-6a7e1a49f4f6",
			"created_at": "2023-01-06T13:46:38.408359Z",
			"updated_at": "2026-04-10T02:00:02.962242Z",
			"deleted_at": null,
			"main_name": "TeamSpy Crew",
			"aliases": [
				"TeamSpy",
				"Team Bear",
				"Anger Bear",
				"IRON LYRIC"
			],
			"source_name": "MISPGALAXY:TeamSpy Crew",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1f6ae238-765f-4495-9d54-6a7883d7a319",
			"created_at": "2022-10-25T16:07:24.573456Z",
			"updated_at": "2026-04-10T02:00:05.037738Z",
			"deleted_at": null,
			"main_name": "TA511",
			"aliases": [
				"MAN1",
				"Moskalvzapoe"
			],
			"source_name": "ETDA:TA511",
			"tools": [
				"Agentemis",
				"Chanitor",
				"Cobalt Strike",
				"CobaltStrike",
				"Ficker Stealer",
				"Hancitor",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9d2b77c7-ddb6-4ab3-9ae7-d3ecd11e0527",
			"created_at": "2023-10-14T02:03:14.230825Z",
			"updated_at": "2026-04-10T02:00:04.712961Z",
			"deleted_at": null,
			"main_name": "Grayling",
			"aliases": [],
			"source_name": "ETDA:Grayling",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Havokiz",
				"Mimikatz",
				"NetSpy",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "50bd4a6c-7542-4bdd-8b37-ab468fc428ef",
			"created_at": "2023-01-06T13:46:38.998658Z",
			"updated_at": "2026-04-10T02:00:03.176186Z",
			"deleted_at": null,
			"main_name": "Taidoor",
			"aliases": [
				"G0015",
				"Earth Aughisky"
			],
			"source_name": "MISPGALAXY:Taidoor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-10T02:00:03.563647Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "21e01940-3851-417f-9e90-1a4a2da07033",
			"created_at": "2022-10-25T16:07:23.299369Z",
			"updated_at": "2026-04-10T02:00:04.527895Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow",
				"DEV-0227",
				"Pink Sandstorm",
				"SharpBoys",
				"Spectral Kitten"
			],
			"source_name": "ETDA:Agrius",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agrius",
				"BFG Agonizer",
				"BFG Agonizer Wiper",
				"DEADWOOD",
				"DETBOSIT",
				"Detbosit",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"PW",
				"PartialWasher",
				"PartialWasher Wiper",
				"SQLShred",
				"Sqlextractor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "92c0dae2-e255-4b90-8d8f-be88e393ab8d",
			"created_at": "2022-10-25T16:07:24.402328Z",
			"updated_at": "2026-04-10T02:00:04.97641Z",
			"deleted_at": null,
			"main_name": "Wild Neutron",
			"aliases": [
				"Butterfly",
				"Morpho",
				"Sphinx Moth",
				"The Postal Group",
				"Wild Neutron"
			],
			"source_name": "ETDA:Wild Neutron",
			"tools": [
				"HesperBot",
				"Jiripbot",
				"JripBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "65e1eee1-bc35-4093-9554-1a668e1bc30a",
			"created_at": "2024-02-08T02:00:04.320426Z",
			"updated_at": "2026-04-10T02:00:03.583546Z",
			"deleted_at": null,
			"main_name": "Earth Yako",
			"aliases": [
				"Operation RestyLink",
				"Enelink"
			],
			"source_name": "MISPGALAXY:Earth Yako",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6a0effeb-3ee2-4a67-9a9f-ef5c330b1c3a",
			"created_at": "2023-09-07T02:02:47.827633Z",
			"updated_at": "2026-04-10T02:00:04.873323Z",
			"deleted_at": null,
			"main_name": "RedHotel",
			"aliases": [
				"Operation FishMedley",
				"RedHotel",
				"TAG-22"
			],
			"source_name": "ETDA:RedHotel",
			"tools": [
				"Agentemis",
				"BIOPASS",
				"BIOPASS RAT",
				"BleDoor",
				"Brute Ratel",
				"Brute Ratel C4",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"POISONPLUG.SHADOW",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"ShadowPad Winnti",
				"SprySOCKS",
				"Spyder",
				"Winnti",
				"XShellGhost",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a1063e48-c06a-4bdd-bb56-03654dd2c690",
			"created_at": "2023-01-06T13:46:39.39909Z",
			"updated_at": "2026-04-10T02:00:03.313651Z",
			"deleted_at": null,
			"main_name": "Earth Wendigo",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Wendigo",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f45af9e4-5037-4a5a-82c1-4627845eea49",
			"created_at": "2024-09-26T02:00:04.286721Z",
			"updated_at": "2026-04-10T02:00:03.707415Z",
			"deleted_at": null,
			"main_name": "Earth Baxia",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Baxia",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aacd5cbc-604b-4b6e-9e58-ef96c5d1a784",
			"created_at": "2023-01-06T13:46:38.953463Z",
			"updated_at": "2026-04-10T02:00:03.159523Z",
			"deleted_at": null,
			"main_name": "APT31",
			"aliases": [
				"JUDGMENT PANDA",
				"BRONZE VINEWOOD",
				"Red keres",
				"Violet Typhoon",
				"TA412"
			],
			"source_name": "MISPGALAXY:APT31",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "13354d3f-3f40-44ec-b42a-3cda18809005",
			"created_at": "2022-10-25T15:50:23.275272Z",
			"updated_at": "2026-04-10T02:00:05.36519Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"APT3",
				"Gothic Panda",
				"Pirpi",
				"UPS Team",
				"Buckeye",
				"Threat Group-0110",
				"TG-0110"
			],
			"source_name": "MITRE:APT3",
			"tools": [
				"OSInfo",
				"schtasks",
				"PlugX",
				"LaZagne",
				"SHOTPUT",
				"RemoteCMD"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f2fa9952-301f-4376-ac69-743d6f2bec1e",
			"created_at": "2023-01-06T13:46:39.122721Z",
			"updated_at": "2026-04-10T02:00:03.22231Z",
			"deleted_at": null,
			"main_name": "VENOM SPIDER",
			"aliases": [
				"badbullz",
				"badbullzvenom"
			],
			"source_name": "MISPGALAXY:VENOM SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eecf54a2-2deb-41e5-9857-fed94a53f858",
			"created_at": "2023-01-06T13:46:39.349959Z",
			"updated_at": "2026-04-10T02:00:03.296196Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Bleeding Bear",
				"Cadet Blizzard",
				"Nascent Ursa",
				"Nodaria",
				"Storm-0587",
				"DEV-0587",
				"Saint Bear",
				"EMBER BEAR",
				"UNC2589",
				"TA471",
				"UAC-0056",
				"FROZENVISTA",
				"Lorec53",
				"Lorec Bear"
			],
			"source_name": "MISPGALAXY:SaintBear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3ca592f-0669-49bd-ab5c-310007ab2fb4",
			"created_at": "2022-10-25T15:50:23.334495Z",
			"updated_at": "2026-04-10T02:00:05.264841Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"TeamTNT"
			],
			"source_name": "MITRE:TeamTNT",
			"tools": [
				"Peirates",
				"MimiPenguin",
				"LaZagne",
				"Hildegard"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2fa14cf4-969f-48bc-b68e-a8e7eedc6e98",
			"created_at": "2022-10-25T15:50:23.538608Z",
			"updated_at": "2026-04-10T02:00:05.378092Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"Lotus Blossom",
				"DRAGONFISH",
				"Spring Dragon",
				"RADIUM",
				"Raspberry Typhoon",
				"Bilbug",
				"Thrip"
			],
			"source_name": "MITRE:Lotus Blossom",
			"tools": [
				"AdFind",
				"Impacket",
				"Elise",
				"Hannotog",
				"NBTscan",
				"Sagerunex",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "452d2d74-e812-45d6-b0fe-b8a6cc4ebd01",
			"created_at": "2022-10-25T16:07:23.562676Z",
			"updated_at": "2026-04-10T02:00:04.662064Z",
			"deleted_at": null,
			"main_name": "Earth Berberoka",
			"aliases": [
				"GamblingPuppet"
			],
			"source_name": "ETDA:Earth Berberoka",
			"tools": [
				"Agent.dhwf",
				"AngryRebel",
				"AsyncRAT",
				"CinaRAT",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kaba",
				"Korplug",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"PuppetLoader",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Xamtrav",
				"Yggdrasil",
				"oRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "11d9bc85-5bb6-4aa7-a237-a103ff31b1a2",
			"created_at": "2023-10-21T02:00:12.136874Z",
			"updated_at": "2026-04-10T02:00:02.901347Z",
			"deleted_at": null,
			"main_name": "Grayling",
			"aliases": [],
			"source_name": "MISPGALAXY:Grayling",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4",
			"created_at": "2023-01-06T13:46:38.269054Z",
			"updated_at": "2026-04-10T02:00:02.90356Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"GOTHIC PANDA",
				"TG-0110",
				"Buckeye",
				"Group 6",
				"Boyusec",
				"BORON",
				"BRONZE MAYFAIR",
				"Red Sylvan",
				"Brocade Typhoon"
			],
			"source_name": "MISPGALAXY:APT3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "119c8bea-816e-4799-942b-ff375026671e",
			"created_at": "2022-10-25T16:07:23.957309Z",
			"updated_at": "2026-04-10T02:00:04.807212Z",
			"deleted_at": null,
			"main_name": "Operation Ghostwriter",
			"aliases": [
				"DEV-0257",
				"Operation Asylum Ambuscade",
				"PUSHCHA",
				"Storm-0257",
				"TA445",
				"UAC-0051",
				"UAC-0057",
				"UNC1151",
				"White Lynx"
			],
			"source_name": "ETDA:Operation Ghostwriter",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"HALFSHELL",
				"Impacket",
				"RADIOSTAR",
				"VIDEOKILLER",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c28760b2-5ec6-42ad-852f-be00372a7ce4",
			"created_at": "2022-10-27T08:27:13.172734Z",
			"updated_at": "2026-04-10T02:00:05.279557Z",
			"deleted_at": null,
			"main_name": "Ember Bear",
			"aliases": [
				"Ember Bear",
				"UNC2589",
				"Bleeding Bear",
				"DEV-0586",
				"Cadet Blizzard",
				"Frozenvista",
				"UAC-0056"
			],
			"source_name": "MITRE:Ember Bear",
			"tools": [
				"P.A.S. Webshell",
				"CrackMapExec",
				"ngrok",
				"reGeorg",
				"WhisperGate",
				"Saint Bot",
				"PsExec",
				"Rclone",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e8aee970-e31e-489f-81c2-c23cd52e255c",
			"created_at": "2023-01-06T13:46:38.763687Z",
			"updated_at": "2026-04-10T02:00:03.092181Z",
			"deleted_at": null,
			"main_name": "RANCOR",
			"aliases": [
				"Rancor Group",
				"G0075",
				"Rancor Taurus",
				"Rancor group",
				"Rancor"
			],
			"source_name": "MISPGALAXY:RANCOR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6efb28db-4d91-46cb-8ab7-fe9e8449ccfc",
			"created_at": "2023-01-06T13:46:38.772861Z",
			"updated_at": "2026-04-10T02:00:03.095095Z",
			"deleted_at": null,
			"main_name": "DarkHydrus",
			"aliases": [
				"LazyMeerkat",
				"G0079",
				"Obscure Serpens"
			],
			"source_name": "MISPGALAXY:DarkHydrus",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a6814184-2133-4520-b7b3-63e6b7be2f64",
			"created_at": "2025-08-07T02:03:25.019385Z",
			"updated_at": "2026-04-10T02:00:03.859468Z",
			"deleted_at": null,
			"main_name": "GOLD VICTOR",
			"aliases": [
				"DEV-0832 ",
				"STAC5279 ",
				"Vanilla Tempest ",
				"Vice Society",
				"Vice Spider "
			],
			"source_name": "Secureworks:GOLD VICTOR",
			"tools": [
				"Advanced IP Scanner",
				"Advanced Port Scanner",
				"HelloKitty ransomware",
				"INC ransomware",
				"MEGAsync",
				"Neshta",
				"PAExec",
				"PolyVice ransomware",
				"PortStarter",
				"PsExec",
				"QuantumLocker ransomware",
				"Rhysida ransomware",
				"Supper",
				"SystemBC",
				"Zeppelin ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d1f8bd4e-bcd4-4101-9158-6158f1806b38",
			"created_at": "2023-01-06T13:46:39.487358Z",
			"updated_at": "2026-04-10T02:00:03.344509Z",
			"deleted_at": null,
			"main_name": "BazarCall",
			"aliases": [
				"BazzarCall",
				"BazaCall"
			],
			"source_name": "MISPGALAXY:BazarCall",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "af2a195b-fed2-4e2c-9443-13e9b08a02ae",
			"created_at": "2022-12-27T17:02:23.458269Z",
			"updated_at": "2026-04-10T02:00:04.813897Z",
			"deleted_at": null,
			"main_name": "Operation LiberalFace",
			"aliases": [
				"MirrorFace",
				"Operation AkaiRyū",
				"Operation LiberalFace"
			],
			"source_name": "ETDA:Operation LiberalFace",
			"tools": [
				"Anel",
				"AsyncRAT",
				"LODEINFO",
				"MirrorStealer",
				"UpperCut",
				"lena"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "04a7ebaa-ebb1-4971-b513-a0c86886d932",
			"created_at": "2023-01-06T13:46:38.784965Z",
			"updated_at": "2026-04-10T02:00:03.099088Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"ATK116",
				"Blue Odin"
			],
			"source_name": "MISPGALAXY:Inception Framework",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f35997d9-ca1e-453f-b968-0e675cc16d97",
			"created_at": "2023-01-06T13:46:39.490819Z",
			"updated_at": "2026-04-10T02:00:03.345364Z",
			"deleted_at": null,
			"main_name": "Evasive Panda",
			"aliases": [
				"BRONZE HIGHLAND"
			],
			"source_name": "MISPGALAXY:Evasive Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-10T02:00:05.309426Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a0548d4e-edc2-40c1-a4e2-c1d6103012eb",
			"created_at": "2023-01-06T13:46:38.793461Z",
			"updated_at": "2026-04-10T02:00:03.102807Z",
			"deleted_at": null,
			"main_name": "Thrip",
			"aliases": [
				"G0076",
				"ATK78"
			],
			"source_name": "MISPGALAXY:Thrip",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b4ec06e5-60c9-4796-9f85-129c77d1652b",
			"created_at": "2023-01-06T13:46:39.21956Z",
			"updated_at": "2026-04-10T02:00:03.249407Z",
			"deleted_at": null,
			"main_name": "VIKING SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:VIKING SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "27e51b73-410e-4a33-93a1-49cf8a743cf7",
			"created_at": "2023-01-06T13:46:39.210675Z",
			"updated_at": "2026-04-10T02:00:03.247656Z",
			"deleted_at": null,
			"main_name": "GOLD DUPONT",
			"aliases": [
				"SPRITE SPIDER"
			],
			"source_name": "MISPGALAXY:GOLD DUPONT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d9cdc7f-72d6-4e17-89d8-f6323bfcaebb",
			"created_at": "2023-01-06T13:46:38.82716Z",
			"updated_at": "2026-04-10T02:00:03.113893Z",
			"deleted_at": null,
			"main_name": "GreyEnergy",
			"aliases": [],
			"source_name": "MISPGALAXY:GreyEnergy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1b3a247f-6186-4482-8b92-c3fb2d767c7d",
			"created_at": "2023-01-06T13:46:38.883911Z",
			"updated_at": "2026-04-10T02:00:03.132231Z",
			"deleted_at": null,
			"main_name": "APT39",
			"aliases": [
				"COBALT HICKMAN",
				"G0087",
				"Radio Serpens",
				"TA454",
				"ITG07",
				"Burgundy Sandstorm",
				"REMIX KITTEN"
			],
			"source_name": "MISPGALAXY:APT39",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6d11e45c-4e31-4997-88f5-295b2564cfc6",
			"created_at": "2022-10-25T15:50:23.794721Z",
			"updated_at": "2026-04-10T02:00:05.358892Z",
			"deleted_at": null,
			"main_name": "Rancor",
			"aliases": [
				"Rancor"
			],
			"source_name": "MITRE:Rancor",
			"tools": [
				"DDKONG",
				"PLAINTEE",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "81dde5cc-c29f-430d-8c6e-e5e92d5015e7",
			"created_at": "2022-10-25T16:07:23.704358Z",
			"updated_at": "2026-04-10T02:00:04.718034Z",
			"deleted_at": null,
			"main_name": "Harvester",
			"aliases": [],
			"source_name": "ETDA:Harvester",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Graphon",
				"Metasploit",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "30c9c492-afc6-4aa1-8fe6-cecffed946e0",
			"created_at": "2022-10-25T15:50:23.400822Z",
			"updated_at": "2026-04-10T02:00:05.350302Z",
			"deleted_at": null,
			"main_name": "Higaisa",
			"aliases": [
				"Higaisa"
			],
			"source_name": "MITRE:Higaisa",
			"tools": [
				"PlugX",
				"certutil",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "478e9b27-39b9-49e4-a3c5-81569a767275",
			"created_at": "2022-10-25T15:50:23.417339Z",
			"updated_at": "2026-04-10T02:00:05.41593Z",
			"deleted_at": null,
			"main_name": "Taidoor",
			"aliases": [
				"Taidoor"
			],
			"source_name": "MITRE:Taidoor",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3f53ecb7-e228-471d-8f85-0b2ba110ab4b",
			"created_at": "2023-01-06T13:46:39.181151Z",
			"updated_at": "2026-04-10T02:00:03.237995Z",
			"deleted_at": null,
			"main_name": "Red Charon",
			"aliases": [],
			"source_name": "MISPGALAXY:Red Charon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d1dcfc37-1f9b-4acd-a023-25153f183c2e",
			"created_at": "2025-08-07T02:03:24.783147Z",
			"updated_at": "2026-04-10T02:00:03.664754Z",
			"deleted_at": null,
			"main_name": "COBALT SHADOW",
			"aliases": [
				"AMERICIUM ",
				"Agonizing Serpens ",
				"Agrius",
				"Agrius ",
				"BlackShadow",
				"DEV-0227 ",
				"Justice Blade ",
				"Malek Team",
				"Malek Team ",
				"MoneyBird ",
				"Pink Sandstorm ",
				"Sharp Boyz ",
				"Spectral Kitten "
			],
			"source_name": "Secureworks:COBALT SHADOW",
			"tools": [
				"Apostle",
				"DEADWOOD",
				"Fantasy wiper",
				"IPsec Helper",
				"MiniDump",
				"Moneybird ransomware",
				"Sandals",
				"SecretsDump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "47b52642-e5b8-4502-b714-b625002d86aa",
			"created_at": "2024-06-19T02:03:08.086579Z",
			"updated_at": "2026-04-10T02:00:03.812509Z",
			"deleted_at": null,
			"main_name": "GOLD MELODY",
			"aliases": [
				"PROPHET SPIDER",
				"UNC961"
			],
			"source_name": "Secureworks:GOLD MELODY",
			"tools": [
				"7-Zip",
				"AUDITUNNEL",
				"BURP Suite",
				"GOTROJ",
				"JSP webshells",
				"Mimikatz",
				"Wget"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7cfe3bc9-7a6c-4ee1-a635-5ea7b947147f",
			"created_at": "2024-06-19T02:03:08.122318Z",
			"updated_at": "2026-04-10T02:00:03.652418Z",
			"deleted_at": null,
			"main_name": "GOLD SWATHMORE",
			"aliases": [
				"Lunar Spider "
			],
			"source_name": "Secureworks:GOLD SWATHMORE",
			"tools": [
				"Cobalt Strike",
				"GlobeImposter",
				"Gozi",
				"Gozi Trojan",
				"IcedID",
				"Latrodectus",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8d76e350-dfb5-4733-800d-876de41f690d",
			"created_at": "2023-01-06T13:46:38.841887Z",
			"updated_at": "2026-04-10T02:00:03.119083Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [
				"COBALT EDGEWATER"
			],
			"source_name": "MISPGALAXY:DNSpionage",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "544ecd2c-82c9-417c-9d98-d1ae395df964",
			"created_at": "2025-10-29T02:00:52.035025Z",
			"updated_at": "2026-04-10T02:00:05.408558Z",
			"deleted_at": null,
			"main_name": "AppleJeus",
			"aliases": [
				"AppleJeus",
				"Gleaming Pisces",
				"Citrine Sleet",
				"UNC1720",
				"UNC4736"
			],
			"source_name": "MITRE:AppleJeus",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4e453d66-9ecd-47d9-b63a-32fa5450f071",
			"created_at": "2024-06-19T02:03:08.077075Z",
			"updated_at": "2026-04-10T02:00:03.830523Z",
			"deleted_at": null,
			"main_name": "GOLD LOTUS",
			"aliases": [
				"BlackByte",
				"Hecamede "
			],
			"source_name": "Secureworks:GOLD LOTUS",
			"tools": [
				"BlackByte",
				"Cobalt Strike",
				"ExByte",
				"Mega",
				"RDP",
				"SoftPerfect Network Scanner"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc",
			"created_at": "2023-01-06T13:46:38.354607Z",
			"updated_at": "2026-04-10T02:00:02.939761Z",
			"deleted_at": null,
			"main_name": "APT23",
			"aliases": [
				"BRONZE HOBART",
				"G0081",
				"Red Orthrus",
				"Earth Centaur",
				"PIRATE PANDA",
				"KeyBoy",
				"Tropic Trooper"
			],
			"source_name": "MISPGALAXY:APT23",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "475ea823-9e47-4098-b235-0900bc1a5362",
			"created_at": "2022-10-25T16:07:24.506596Z",
			"updated_at": "2026-04-10T02:00:05.015497Z",
			"deleted_at": null,
			"main_name": "Lunar Spider",
			"aliases": [
				"Gold SwathMore"
			],
			"source_name": "ETDA:Lunar Spider",
			"tools": [
				"BokBot",
				"IceID",
				"IcedID",
				"NeverQuest",
				"Vawtrak",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "64a08f65-4ef8-4ad5-bac1-ce4e0fd2808c",
			"created_at": "2024-08-28T02:02:09.663698Z",
			"updated_at": "2026-04-10T02:00:04.927384Z",
			"deleted_at": null,
			"main_name": "TAG-100",
			"aliases": [
				"Storm-2077"
			],
			"source_name": "ETDA:TAG-100",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"CrossC2",
				"LESLIELOADER",
				"Pantegana",
				"SparkRAT",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cc045f52-bbdb-4fcc-8fbf-a0d8a7c5e64f",
			"created_at": "2022-10-25T16:07:24.519535Z",
			"updated_at": "2026-04-10T02:00:05.019918Z",
			"deleted_at": null,
			"main_name": "Narwhal Spider",
			"aliases": [
				"Gold Essex",
				"Storm-0302"
			],
			"source_name": "ETDA:Narwhal Spider",
			"tools": [
				"Cutwail",
				"Pushdo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4660477f-333f-4a18-b49b-0b4d7c66d482",
			"created_at": "2023-01-06T13:46:38.511962Z",
			"updated_at": "2026-04-10T02:00:03.007466Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"StrongPity",
				"G0056"
			],
			"source_name": "MISPGALAXY:PROMETHIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4023e661-f566-4b5b-a06f-9d370403f074",
			"created_at": "2024-02-02T02:00:04.064685Z",
			"updated_at": "2026-04-10T02:00:03.547155Z",
			"deleted_at": null,
			"main_name": "Pink Sandstorm",
			"aliases": [
				"AMERICIUM",
				"BlackShadow",
				"DEV-0022",
				"Agrius",
				"Agonizing Serpens",
				"UNC2428",
				"Black Shadow",
				"SPECTRAL KITTEN"
			],
			"source_name": "MISPGALAXY:Pink Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "908cf62e-45cd-492b-bf12-d0902e12fece",
			"created_at": "2024-08-20T02:00:04.543947Z",
			"updated_at": "2026-04-10T02:00:03.68848Z",
			"deleted_at": null,
			"main_name": "UNC4393",
			"aliases": [
				"Storm-1811",
				"CURLY SPIDER",
				"STAC5777"
			],
			"source_name": "MISPGALAXY:UNC4393",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d196cb29-a861-4838-b157-a31ac92c6fb1",
			"created_at": "2023-11-04T02:00:07.66699Z",
			"updated_at": "2026-04-10T02:00:03.386945Z",
			"deleted_at": null,
			"main_name": "Earth Longzhi",
			"aliases": [
				"SnakeCharmer"
			],
			"source_name": "MISPGALAXY:Earth Longzhi",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a09ade2a-6b87-4f9a-b4f8-23cf14f63633",
			"created_at": "2023-11-04T02:00:07.676869Z",
			"updated_at": "2026-04-10T02:00:03.389898Z",
			"deleted_at": null,
			"main_name": "Earth Estries",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Estries",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b04780e-7b64-4e62-b776-c6749ff7dec8",
			"created_at": "2022-10-25T16:07:23.531741Z",
			"updated_at": "2026-04-10T02:00:04.643562Z",
			"deleted_at": null,
			"main_name": "DarkHydrus",
			"aliases": [
				"ATK 77",
				"DarkHydrus",
				"G0079",
				"LazyMeerkat",
				"Obscure Serpens"
			],
			"source_name": "ETDA:DarkHydrus",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Mimikatz",
				"Phishery",
				"RogueRobin",
				"RogueRobinNET",
				"Trojan.Phisherly",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9df68733-9bcd-43b1-88f1-24b110fa3d56",
			"created_at": "2022-10-25T16:07:24.051993Z",
			"updated_at": "2026-04-10T02:00:04.851037Z",
			"deleted_at": null,
			"main_name": "Pinchy Spider",
			"aliases": [
				"G0115",
				"Gold Garden",
				"Gold Southfield",
				"Pinchy Spider"
			],
			"source_name": "ETDA:Pinchy Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"GandCrab",
				"GrandCrab",
				"REvil",
				"Sodin",
				"Sodinokibi",
				"VIDAR",
				"Vidar Stealer",
				"certutil",
				"certutil.exe",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4b7f4f69-7c56-4691-9071-9365884a7f30",
			"created_at": "2024-10-25T02:02:07.672671Z",
			"updated_at": "2026-04-10T02:00:04.660715Z",
			"deleted_at": null,
			"main_name": "Earth Baxia",
			"aliases": [],
			"source_name": "ETDA:Earth Baxia",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"EAGLEDOOR",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d24c2548-d163-4a73-865f-0d4cb917fee7",
			"created_at": "2024-04-20T02:00:03.580316Z",
			"updated_at": "2026-04-10T02:00:03.628323Z",
			"deleted_at": null,
			"main_name": "UNC3569",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC3569",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "03a6f362-cbab-4ce9-925d-306b8c937bf1",
			"created_at": "2024-11-01T02:00:52.635907Z",
			"updated_at": "2026-04-10T02:00:05.339384Z",
			"deleted_at": null,
			"main_name": "Saint Bear",
			"aliases": [
				"Saint Bear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"Lorec53"
			],
			"source_name": "MITRE:Saint Bear",
			"tools": [
				"OutSteel",
				"Saint Bot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a",
			"created_at": "2024-11-01T02:00:52.763555Z",
			"updated_at": "2026-04-10T02:00:05.263997Z",
			"deleted_at": null,
			"main_name": "Daggerfly",
			"aliases": [
				"Daggerfly",
				"Evasive Panda",
				"BRONZE HIGHLAND"
			],
			"source_name": "MITRE:Daggerfly",
			"tools": [
				"PlugX",
				"MgBot",
				"BITSAdmin",
				"MacMa",
				"Nightdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7d982d5b-3428-483c-8804-c3ab774f1861",
			"created_at": "2024-11-01T02:00:52.70975Z",
			"updated_at": "2026-04-10T02:00:05.357255Z",
			"deleted_at": null,
			"main_name": "Agrius",
			"aliases": [
				"Agrius",
				"Pink Sandstorm",
				"AMERICIUM",
				"Agonizing Serpens",
				"BlackShadow"
			],
			"source_name": "MITRE:Agrius",
			"tools": [
				"NBTscan",
				"Mimikatz",
				"IPsec Helper",
				"Moneybird",
				"MultiLayer Wiper",
				"DEADWOOD",
				"BFG Agonizer",
				"ASPXSpy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "52eb5fb6-706b-49c0-9ba5-43bea03940d0",
			"created_at": "2024-11-01T02:00:52.694476Z",
			"updated_at": "2026-04-10T02:00:05.410572Z",
			"deleted_at": null,
			"main_name": "TA578",
			"aliases": [
				"TA578"
			],
			"source_name": "MITRE:TA578",
			"tools": [
				"Latrodectus",
				"IcedID"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f63c346d-18c8-4821-a56d-fefb1ad7ed5d",
			"created_at": "2022-10-25T16:07:23.42507Z",
			"updated_at": "2026-04-10T02:00:04.593122Z",
			"deleted_at": null,
			"main_name": "Bronze Starlight",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"HighGround",
				"Operation ChattyGoblin",
				"SLIME34"
			],
			"source_name": "ETDA:Bronze Starlight",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"AtomSilo",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"HUI Loader",
				"Kaba",
				"Korplug",
				"LockFile",
				"Night Sky",
				"NightSky",
				"Pandora",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ccd0f6b5-6d20-4d28-9796-88ab6deb4087",
			"created_at": "2024-06-19T02:03:08.067518Z",
			"updated_at": "2026-04-10T02:00:03.671628Z",
			"deleted_at": null,
			"main_name": "GOLD HERON",
			"aliases": [
				"Doppel Spider "
			],
			"source_name": "Secureworks:GOLD HERON",
			"tools": [
				"Cobalt Strike",
				"DoppelPaymer",
				"Dridex",
				"Grief",
				"PowerShell Empire"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e254cf33-e7f5-407b-a8a1-1a856a9f1c71",
			"created_at": "2025-01-21T02:00:03.599871Z",
			"updated_at": "2026-04-10T02:00:03.804511Z",
			"deleted_at": null,
			"main_name": "Operation DRBControl",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation DRBControl",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e9f7f836-b77f-4f95-aa02-9e99d32faf1d",
			"created_at": "2024-12-21T02:00:02.857057Z",
			"updated_at": "2026-04-10T02:00:03.791142Z",
			"deleted_at": null,
			"main_name": "UNC2465",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC2465",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4632103e-8035-4a83-9ecb-c1e12e21288c",
			"created_at": "2022-10-25T16:07:23.542255Z",
			"updated_at": "2026-04-10T02:00:04.64888Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [],
			"source_name": "ETDA:DNSpionage",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"CACTUSPIPE",
				"DNSpionage",
				"DropperBackdoor",
				"Karkoff",
				"MailDropper",
				"OILYFACE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5d9dfc61-6138-497a-b9da-33885539f19c",
			"created_at": "2022-10-25T16:07:23.720008Z",
			"updated_at": "2026-04-10T02:00:04.726002Z",
			"deleted_at": null,
			"main_name": "Icefog",
			"aliases": [
				"ATK 23",
				"Dagger Panda",
				"Icefog",
				"Red Wendigo"
			],
			"source_name": "ETDA:Icefog",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Dagger Three",
				"Fucobha",
				"Icefog",
				"Javafog",
				"POISONPLUG.SHADOW",
				"RoyalRoad",
				"ShadowPad Winnti",
				"XShellGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c69bcda3-0893-4ea1-9ec1-ae016332d283",
			"created_at": "2023-01-06T13:46:39.410593Z",
			"updated_at": "2026-04-10T02:00:03.317754Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"DEV-0401",
				"Cinnamon Tempest",
				"Emperor Dragonfly",
				"SLIME34"
			],
			"source_name": "MISPGALAXY:BRONZE STARLIGHT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d9b39228-0d9d-4c1e-8e39-2de986120060",
			"created_at": "2023-01-06T13:46:39.293127Z",
			"updated_at": "2026-04-10T02:00:03.277123Z",
			"deleted_at": null,
			"main_name": "BelialDemon",
			"aliases": [
				"Matanbuchus"
			],
			"source_name": "MISPGALAXY:BelialDemon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7",
			"created_at": "2023-01-06T13:46:39.413725Z",
			"updated_at": "2026-04-10T02:00:03.31882Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Evasive Panda",
				"Daggerfly"
			],
			"source_name": "MISPGALAXY:BRONZE HIGHLAND",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6dbb9bfb-3d63-4f81-99bd-35d61304d82a",
			"created_at": "2023-01-06T13:46:39.441522Z",
			"updated_at": "2026-04-10T02:00:03.330836Z",
			"deleted_at": null,
			"main_name": "SLIME29",
			"aliases": [],
			"source_name": "MISPGALAXY:SLIME29",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "59a48c28-d918-419f-b8b8-44be0c9741c8",
			"created_at": "2023-11-08T02:00:07.172993Z",
			"updated_at": "2026-04-10T02:00:03.434175Z",
			"deleted_at": null,
			"main_name": "BlueBottle",
			"aliases": [],
			"source_name": "MISPGALAXY:BlueBottle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7cf4ec85-806f-4fd7-855a-6669ed381bf5",
			"created_at": "2023-11-08T02:00:07.176033Z",
			"updated_at": "2026-04-10T02:00:03.435082Z",
			"deleted_at": null,
			"main_name": "Dalbit",
			"aliases": [],
			"source_name": "MISPGALAXY:Dalbit",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0ed62b86-b1a8-4463-a157-1db21e91e7f4",
			"created_at": "2024-11-16T02:00:03.81128Z",
			"updated_at": "2026-04-10T02:00:03.770291Z",
			"deleted_at": null,
			"main_name": "TAG-112",
			"aliases": [],
			"source_name": "MISPGALAXY:TAG-112",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5af25e74-ab1e-4b3e-a3f8-c39227d79a2d",
			"created_at": "2025-09-27T02:00:03.95423Z",
			"updated_at": "2026-04-10T02:00:03.889451Z",
			"deleted_at": null,
			"main_name": "UNK_DropPitch",
			"aliases": [],
			"source_name": "MISPGALAXY:UNK_DropPitch",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9678b3fd-5373-4049-af73-25ab371ced8b",
			"created_at": "2025-09-27T02:00:03.956533Z",
			"updated_at": "2026-04-10T02:00:03.890321Z",
			"deleted_at": null,
			"main_name": "UNK_SparkyCarp",
			"aliases": [],
			"source_name": "MISPGALAXY:UNK_SparkyCarp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6d2910b0-9fea-46a2-84e6-a043b1e023e4",
			"created_at": "2022-10-25T16:07:23.946958Z",
			"updated_at": "2026-04-10T02:00:04.80291Z",
			"deleted_at": null,
			"main_name": "Operation DRBControl",
			"aliases": [],
			"source_name": "ETDA:Operation DRBControl",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "956fc691-b6c6-4b09-b69d-8f007c189839",
			"created_at": "2025-08-07T02:03:24.860251Z",
			"updated_at": "2026-04-10T02:00:03.656547Z",
			"deleted_at": null,
			"main_name": "GOLD ESSEX",
			"aliases": [
				"Narwhal Spider ",
				"Storm-0302 ",
				"TA544 "
			],
			"source_name": "Secureworks:GOLD ESSEX",
			"tools": [
				"Cutwail",
				"Pony",
				"Pushdo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "604a4a41-3fa7-4bee-9c1b-4f83c21b9d35",
			"created_at": "2025-09-27T02:00:03.938884Z",
			"updated_at": "2026-04-10T02:00:03.888766Z",
			"deleted_at": null,
			"main_name": "UNK_FistBump",
			"aliases": [],
			"source_name": "MISPGALAXY:UNK_FistBump",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6a742aa-6f89-4f79-973f-1ee1ce6bf763",
			"created_at": "2023-11-17T02:00:07.597764Z",
			"updated_at": "2026-04-10T02:00:03.455973Z",
			"deleted_at": null,
			"main_name": "MurenShark",
			"aliases": [
				"Actor210426"
			],
			"source_name": "MISPGALAXY:MurenShark",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e7572efb-2549-4723-8635-81a516a15608",
			"created_at": "2026-02-11T02:00:03.94104Z",
			"updated_at": "2026-04-10T02:00:03.967978Z",
			"deleted_at": null,
			"main_name": "UNC6619",
			"aliases": [
				"TGR-STA-1030",
				"Shadow Campaigns"
			],
			"source_name": "MISPGALAXY:UNC6619",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cf826655-5fcb-4331-bdc5-5ef267db9d3c",
			"created_at": "2025-08-07T02:03:24.631402Z",
			"updated_at": "2026-04-10T02:00:03.608938Z",
			"deleted_at": null,
			"main_name": "BRONZE MAYFAIR",
			"aliases": [
				"APT3 ",
				"Gothic Panda ",
				"Pirpi",
				"TG-0110 ",
				"UPSTeam"
			],
			"source_name": "Secureworks:BRONZE MAYFAIR",
			"tools": [
				"Cookiecutter",
				"HUC Proxy Malware (Htran)",
				"Pirpi",
				"PlugX",
				"SplitVPN",
				"UPS",
				"ctt",
				"ctx"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fdcb30ba-5fef-4ae2-97bd-f8200f4bd2e5",
			"created_at": "2025-04-22T02:01:52.35523Z",
			"updated_at": "2026-04-10T02:00:04.658231Z",
			"deleted_at": null,
			"main_name": "Earth Alux",
			"aliases": [],
			"source_name": "ETDA:Earth Alux",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Godzilla",
				"Godzilla Loader",
				"MASQLOADER",
				"RAILLOAD",
				"RAILSETTER",
				"RSBINJECT",
				"VARGEIT",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4e7fd07d-fcc5-459b-b678-45a7d9cda751",
			"created_at": "2025-04-23T02:00:55.174827Z",
			"updated_at": "2026-04-10T02:00:05.353712Z",
			"deleted_at": null,
			"main_name": "BlackByte",
			"aliases": [
				"BlackByte",
				"Hecamede"
			],
			"source_name": "MITRE:BlackByte",
			"tools": [
				"AdFind",
				"BlackByte Ransomware",
				"Exbyte",
				"Arp",
				"BlackByte 2.0 Ransomware",
				"PsExec",
				"Cobalt Strike",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cfdd350b-de30-4d29-bbee-28159f26c8c2",
			"created_at": "2023-01-06T13:46:38.433736Z",
			"updated_at": "2026-04-10T02:00:02.972971Z",
			"deleted_at": null,
			"main_name": "VICEROY TIGER",
			"aliases": [
				"OPERATION HANGOVER",
				"Donot Team",
				"APT-C-35",
				"SectorE02",
				"Orange Kala"
			],
			"source_name": "MISPGALAXY:VICEROY TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b3070c7b-c1e8-462c-94f1-62a0d2bdbc67",
			"created_at": "2023-01-06T13:46:39.116254Z",
			"updated_at": "2026-04-10T02:00:03.218594Z",
			"deleted_at": null,
			"main_name": "SCULLY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:SCULLY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0a4f4edc-ea8c-4a30-8ded-35394e29de01",
			"created_at": "2023-01-06T13:46:39.178183Z",
			"updated_at": "2026-04-10T02:00:03.23716Z",
			"deleted_at": null,
			"main_name": "UNC1878",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC1878",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cf32661e-7543-4b57-8665-7f8101a000e9",
			"created_at": "2023-01-06T13:46:39.322379Z",
			"updated_at": "2026-04-10T02:00:03.287241Z",
			"deleted_at": null,
			"main_name": "TA800",
			"aliases": [],
			"source_name": "MISPGALAXY:TA800",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9c8a7541-1ce3-450a-9e41-494bc7af11a4",
			"created_at": "2023-01-06T13:46:39.358343Z",
			"updated_at": "2026-04-10T02:00:03.300601Z",
			"deleted_at": null,
			"main_name": "Red Menshen",
			"aliases": [
				"Earth Bluecrow",
				"Red Dev 18"
			],
			"source_name": "MISPGALAXY:Red Menshen",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "542cf9d0-9c68-428c-aff8-81b6f59dc985",
			"created_at": "2023-02-15T02:01:49.554105Z",
			"updated_at": "2026-04-10T02:00:03.347115Z",
			"deleted_at": null,
			"main_name": "Moskalvzapoe",
			"aliases": [
				"MAN1",
				"TA511"
			],
			"source_name": "MISPGALAXY:Moskalvzapoe",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fc7f0460-0a66-4178-9c5b-75abb22b87b0",
			"created_at": "2023-11-08T02:00:07.15123Z",
			"updated_at": "2026-04-10T02:00:03.427759Z",
			"deleted_at": null,
			"main_name": "UNC2565",
			"aliases": [
				"Hive0127"
			],
			"source_name": "MISPGALAXY:UNC2565",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d",
			"created_at": "2025-08-07T02:03:24.595597Z",
			"updated_at": "2026-04-10T02:00:03.740023Z",
			"deleted_at": null,
			"main_name": "BRONZE FIRESTONE",
			"aliases": [
				"APT19 ",
				"C0d0s0",
				"Checkered Typhoon ",
				"Chlorine ",
				"Deep Panda ",
				"Pupa ",
				"TG-3551 "
			],
			"source_name": "Secureworks:BRONZE FIRESTONE",
			"tools": [
				"9002",
				"Alice's Rabbit Hole",
				"Cobalt Strike",
				"Derusbi",
				"PlugX",
				"PoisonIvy",
				"PowerShell Empire",
				"Trojan Briba",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "86182dd7-646c-49c5-91a6-4b62fd2119a7",
			"created_at": "2025-08-07T02:03:24.617638Z",
			"updated_at": "2026-04-10T02:00:03.738499Z",
			"deleted_at": null,
			"main_name": "BRONZE HOBART",
			"aliases": [
				"APT23",
				"Earth Centaur ",
				"KeyBoy ",
				"Pirate Panda ",
				"Red Orthrus ",
				"TA413 ",
				"Tropic Trooper "
			],
			"source_name": "Secureworks:BRONZE HOBART",
			"tools": [
				"Crowdoor",
				"DSNGInstaller",
				"KeyBoy",
				"LOWZERO",
				"Mofu",
				"Pfine",
				"Sepulcher",
				"Xiangoop Loader",
				"Yahaoyah"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c7cab8cf-81aa-4a94-a9d3-0f0b40317e53",
			"created_at": "2025-05-29T02:00:03.195374Z",
			"updated_at": "2026-04-10T02:00:03.851587Z",
			"deleted_at": null,
			"main_name": "HollowQuill",
			"aliases": [],
			"source_name": "MISPGALAXY:HollowQuill",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba3eea09-ce30-4cfa-ae3a-b5992c4b81f8",
			"created_at": "2022-10-25T15:50:23.441443Z",
			"updated_at": "2026-04-10T02:00:05.263145Z",
			"deleted_at": null,
			"main_name": "Aquatic Panda",
			"aliases": [
				"Aquatic Panda"
			],
			"source_name": "MITRE:Aquatic Panda",
			"tools": [
				"Wevtutil",
				"Winnti for Windows",
				"njRAT",
				"Cobalt Strike",
				"ShadowPad",
				"Winnti for Linux"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "92049df8-7902-48e8-ad17-97398b923698",
			"created_at": "2022-10-25T16:07:23.81315Z",
			"updated_at": "2026-04-10T02:00:04.757082Z",
			"deleted_at": null,
			"main_name": "LuminousMoth",
			"aliases": [],
			"source_name": "ETDA:LuminousMoth",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4fe925e8-95e5-4a63-9f96-4d0f9bedac08",
			"created_at": "2022-10-25T15:50:23.469077Z",
			"updated_at": "2026-04-10T02:00:05.384299Z",
			"deleted_at": null,
			"main_name": "DarkHydrus",
			"aliases": [
				"DarkHydrus"
			],
			"source_name": "MITRE:DarkHydrus",
			"tools": [
				"Mimikatz",
				"RogueRobin",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c240435e-8863-4e5b-9f47-20c6f5c52131",
			"created_at": "2022-10-25T16:07:23.253019Z",
			"updated_at": "2026-04-10T02:00:04.505012Z",
			"deleted_at": null,
			"main_name": "Outlaw Spider",
			"aliases": [],
			"source_name": "ETDA:Outlaw Spider",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3c864b3-fac9-4d56-8500-7c06c829fbf8",
			"created_at": "2023-01-06T13:46:39.071873Z",
			"updated_at": "2026-04-10T02:00:03.203749Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"GOLD VILLAGE",
				"Storm-0216",
				"DEV-0216",
				"UNC2198",
				"TUNNEL SPIDER",
				"Maze Team",
				"TWISTED SPIDER"
			],
			"source_name": "MISPGALAXY:TA2101",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a76ba723-d744-472a-b683-19d80e105d9f",
			"created_at": "2023-01-06T13:46:39.089347Z",
			"updated_at": "2026-04-10T02:00:03.209505Z",
			"deleted_at": null,
			"main_name": "Attor",
			"aliases": [],
			"source_name": "MISPGALAXY:Attor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "186f3cc2-500c-4233-b688-8b6d6e08e2a3",
			"created_at": "2023-01-06T13:46:39.098169Z",
			"updated_at": "2026-04-10T02:00:03.212492Z",
			"deleted_at": null,
			"main_name": "ANTHROPOID SPIDER",
			"aliases": [
				"Empire Monkey",
				"CobaltGoblin"
			],
			"source_name": "MISPGALAXY:ANTHROPOID SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "28a272c4-098b-4d1b-9115-c7ff8decab7c",
			"created_at": "2023-01-06T13:46:39.101189Z",
			"updated_at": "2026-04-10T02:00:03.21354Z",
			"deleted_at": null,
			"main_name": "CLOCKWORK SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:CLOCKWORK SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a0d0e1ef-3562-40a8-a021-321db92644d9",
			"created_at": "2023-01-06T13:46:39.104046Z",
			"updated_at": "2026-04-10T02:00:03.2146Z",
			"deleted_at": null,
			"main_name": "DOPPEL SPIDER",
			"aliases": [
				"GOLD HERON"
			],
			"source_name": "MISPGALAXY:DOPPEL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a15363f3-ec73-4a94-a94c-60ffb4925a40",
			"created_at": "2023-01-06T13:46:39.10693Z",
			"updated_at": "2026-04-10T02:00:03.215548Z",
			"deleted_at": null,
			"main_name": "MONTY SPIDER",
			"aliases": [
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:MONTY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d555c5da-abe4-42aa-a8cf-77b68905891a",
			"created_at": "2022-10-25T16:07:23.548385Z",
			"updated_at": "2026-04-10T02:00:04.65211Z",
			"deleted_at": null,
			"main_name": "Doppel Spider",
			"aliases": [
				"Gold Heron",
				"Grief Group"
			],
			"source_name": "ETDA:Doppel Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DoppelPaymer",
				"Pay OR Grief",
				"Pay or Grief",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2d3f35f-3b29-4509-bff5-af2638140d39",
			"created_at": "2022-10-25T16:07:23.633982Z",
			"updated_at": "2026-04-10T02:00:04.695802Z",
			"deleted_at": null,
			"main_name": "FIN12",
			"aliases": [],
			"source_name": "ETDA:FIN12",
			"tools": [
				"Agentemis",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"KEGTAP",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eaa8168f-3fab-4831-aa60-5956f673e6b3",
			"created_at": "2022-10-25T16:07:23.805824Z",
			"updated_at": "2026-04-10T02:00:04.754761Z",
			"deleted_at": null,
			"main_name": "Lotus Blossom",
			"aliases": [
				"ATK 1",
				"ATK 78",
				"Billbug",
				"Bronze Elgin",
				"CTG-8171",
				"Dragonfish",
				"G0030",
				"G0076",
				"Lotus Blossom",
				"Operation Lotus Blossom",
				"Red Salamander",
				"Spring Dragon",
				"Thrip"
			],
			"source_name": "ETDA:Lotus Blossom",
			"tools": [
				"BKDR_ESILE",
				"Catchamas",
				"EVILNEST",
				"Elise",
				"Group Policy Results Tool",
				"Hannotog",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"PsExec",
				"Rikamanu",
				"Sagerunex",
				"Spedear",
				"Syndicasec",
				"WMI Ghost",
				"Wimmie",
				"gpresult"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "84aa9dbe-e992-4dce-9d80-af3b2de058c0",
			"created_at": "2024-02-02T02:00:04.041676Z",
			"updated_at": "2026-04-10T02:00:03.537352Z",
			"deleted_at": null,
			"main_name": "Vanilla Tempest",
			"aliases": [
				"DEV-0832",
				"Vice Society"
			],
			"source_name": "MISPGALAXY:Vanilla Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "00f01865-62f9-4931-b532-510eeb5e5bc7",
			"created_at": "2024-02-02T02:00:04.043727Z",
			"updated_at": "2026-04-10T02:00:03.538157Z",
			"deleted_at": null,
			"main_name": "Lilac Typhoon",
			"aliases": [
				"DEV-0234"
			],
			"source_name": "MISPGALAXY:Lilac Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a1071a25-d7c1-41be-a97f-2ec1b167ceb0",
			"created_at": "2023-02-18T02:04:24.365926Z",
			"updated_at": "2026-04-10T02:00:04.792271Z",
			"deleted_at": null,
			"main_name": "OPERA1ER",
			"aliases": [
				"Common Raven",
				"DESKTOP-GROUP",
				"NXSMS",
				"Operation Nervone"
			],
			"source_name": "ETDA:OPERA1ER",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Agentemis",
				"BitRAT",
				"BlackNET RAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Kasidet",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Metasploit",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"Ngrok",
				"Origin Logger",
				"PsExec",
				"RDPWrap",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revealer Keylogger",
				"Socmer",
				"VenomRAT",
				"ZPAQ",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b5449533-0ff1-4048-999d-7d4bfd8e6da6",
			"created_at": "2022-10-25T16:07:24.114365Z",
			"updated_at": "2026-04-10T02:00:04.869887Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [
				"Operation Dianxun",
				"TA416"
			],
			"source_name": "ETDA:RedDelta",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Chymine",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7d553b83-a7b2-431f-9bc9-08da59f3c4ea",
			"created_at": "2023-01-06T13:46:39.444946Z",
			"updated_at": "2026-04-10T02:00:03.331753Z",
			"deleted_at": null,
			"main_name": "GOBLIN PANDA",
			"aliases": [
				"Conimes",
				"Cycldek"
			],
			"source_name": "MISPGALAXY:GOBLIN PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "59d91b6f-bccf-4ae4-a14c-028b198848b6",
			"created_at": "2023-03-10T02:01:52.119563Z",
			"updated_at": "2026-04-10T02:00:03.36177Z",
			"deleted_at": null,
			"main_name": "TA866",
			"aliases": [],
			"source_name": "MISPGALAXY:TA866",
			"tools": [
				"Screenshotter",
				"AHK Bot",
				"WasabiSeed"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a6c351ea-01f1-4c9b-af75-cfbb3b269ed3",
			"created_at": "2023-01-06T13:46:39.390649Z",
			"updated_at": "2026-04-10T02:00:03.311299Z",
			"deleted_at": null,
			"main_name": "Kinsing",
			"aliases": [
				"Money Libra"
			],
			"source_name": "MISPGALAXY:Kinsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2664d6f5-f918-4978-87f8-f6afad7402c6",
			"created_at": "2023-01-06T13:46:39.393669Z",
			"updated_at": "2026-04-10T02:00:03.312065Z",
			"deleted_at": null,
			"main_name": "Earth Berberoka",
			"aliases": [
				"GamblingPuppet"
			],
			"source_name": "MISPGALAXY:Earth Berberoka",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "821d8858-a784-4ab2-9ecb-56c7afeed7d7",
			"created_at": "2023-11-21T02:00:07.403629Z",
			"updated_at": "2026-04-10T02:00:03.479942Z",
			"deleted_at": null,
			"main_name": "SilverFish",
			"aliases": [],
			"source_name": "MISPGALAXY:SilverFish",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6b6155e4-94ec-4909-b908-550afe758ad6",
			"created_at": "2022-10-25T15:50:23.365074Z",
			"updated_at": "2026-04-10T02:00:05.2978Z",
			"deleted_at": null,
			"main_name": "APT39",
			"aliases": [
				"APT39",
				"ITG07",
				"Remix Kitten"
			],
			"source_name": "MITRE:APT39",
			"tools": [
				"NBTscan",
				"MechaFlounder",
				"Remexi",
				"CrackMapExec",
				"pwdump",
				"Mimikatz",
				"Windows Credential Editor",
				"Cadelspy",
				"PsExec",
				"ASPXSpy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a7e1c40-e88e-49ca-97d1-ec65a306eb7a",
			"created_at": "2023-04-27T02:04:44.903564Z",
			"updated_at": "2026-04-10T02:00:04.724185Z",
			"deleted_at": null,
			"main_name": "Hydrochasma",
			"aliases": [],
			"source_name": "ETDA:Hydrochasma",
			"tools": [
				"Agentemis",
				"BrowserGhost",
				"Cobalt Strike",
				"CobaltStrike",
				"GO Simple Tunnel",
				"GOST",
				"HackBrowserData",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ProcDump",
				"SoftEther VPN",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7268a08d-d4d0-4ebc-bffe-3d35b3ead368",
			"created_at": "2022-10-25T16:07:24.225216Z",
			"updated_at": "2026-04-10T02:00:04.904162Z",
			"deleted_at": null,
			"main_name": "Sprite Spider",
			"aliases": [
				"Gold Dupont",
				"Sprite Spider"
			],
			"source_name": "ETDA:Sprite Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Coroxy",
				"Defray 2018",
				"Defray777",
				"DroxiDat",
				"Glushkov",
				"LaZagne",
				"Metasploit",
				"PyXie",
				"PyXie RAT",
				"Ransom X",
				"RansomExx",
				"SharpHound",
				"Shifu",
				"SystemBC",
				"Target777",
				"Vatet",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6148aa7-4347-4444-a2a0-dbbf7c0f121c",
			"created_at": "2022-10-25T16:07:24.12696Z",
			"updated_at": "2026-04-10T02:00:04.875073Z",
			"deleted_at": null,
			"main_name": "Riddle Spider",
			"aliases": [
				"Avaddon Team"
			],
			"source_name": "ETDA:Riddle Spider",
			"tools": [
				"Avaddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "083d63b2-3eee-42a8-b1bd-54e657a229e8",
			"created_at": "2022-10-25T16:07:24.143338Z",
			"updated_at": "2026-04-10T02:00:04.879634Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Ember Bear",
				"FROZENVISTA",
				"G1003",
				"Lorec53",
				"Nascent Ursa",
				"Nodaria",
				"SaintBear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"UNC2589"
			],
			"source_name": "ETDA:SaintBear",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Elephant Client",
				"Elephant Implant",
				"GraphSteel",
				"Graphiron",
				"GrimPlant",
				"OutSteel",
				"Saint Bot",
				"SaintBot",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d511e74b-96b8-4ab9-88d6-bc183351dbd8",
			"created_at": "2025-08-07T02:03:24.674685Z",
			"updated_at": "2026-04-10T02:00:03.800936Z",
			"deleted_at": null,
			"main_name": "BRONZE STARLIGHT",
			"aliases": [
				"Cinnamon Tempest ",
				"DEV-0401 ",
				"Emperor Dragonfly "
			],
			"source_name": "Secureworks:BRONZE STARLIGHT",
			"tools": [
				"AtomSilo",
				"Cobalt Strike",
				"HUI Loader",
				"Impacket",
				"LockFile",
				"NightSky",
				"Pandora",
				"PlugX",
				"Rook"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3da47784-d268-47eb-9a0d-ce25fdc605c0",
			"created_at": "2025-08-07T02:03:24.692797Z",
			"updated_at": "2026-04-10T02:00:03.72967Z",
			"deleted_at": null,
			"main_name": "BRONZE VAPOR",
			"aliases": [
				"Chimera ",
				"DEV-0039 ",
				"Thorium ",
				"Tumbleweed Typhoon "
			],
			"source_name": "Secureworks:BRONZE VAPOR",
			"tools": [
				"Acehash",
				"CloudDrop",
				"Cobalt Strike",
				"Mimikatz",
				"STOCKPIPE",
				"Sharphound",
				"Watercycle"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "07775b09-acd9-498e-895f-f10063115629",
			"created_at": "2024-06-04T02:03:07.817613Z",
			"updated_at": "2026-04-10T02:00:03.650268Z",
			"deleted_at": null,
			"main_name": "GOLD DUPONT",
			"aliases": [
				"Sprite Spider ",
				"Storm-2460 "
			],
			"source_name": "Secureworks:GOLD DUPONT",
			"tools": [
				"777",
				"ArtifactExx",
				"Cobalt Strike",
				"Defray",
				"Metasploit",
				"PipeMagic",
				"PyXie",
				"Shifu",
				"SystemBC",
				"Vatet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "80300c2f-309a-43c2-9d01-0357a174ad20",
			"created_at": "2024-06-19T02:03:08.140588Z",
			"updated_at": "2026-04-10T02:00:03.6222Z",
			"deleted_at": null,
			"main_name": "GOLD WINTER",
			"aliases": [
				""
			],
			"source_name": "Secureworks:GOLD WINTER",
			"tools": [
				"Advanced Port Scanner",
				"Cobalt Strike",
				"Hades",
				"MEGAsync",
				"MSBuild",
				"Metasploit",
				"Mimikatz",
				"PsExec",
				"SocGholish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e7ef34b6-e7b6-46f3-8dd8-2708c1659cd6",
			"created_at": "2023-11-08T02:00:07.107758Z",
			"updated_at": "2026-04-10T02:00:03.415268Z",
			"deleted_at": null,
			"main_name": "SharpPanda",
			"aliases": [
				"Sharp Dragon"
			],
			"source_name": "MISPGALAXY:SharpPanda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "db5b833a-965e-4f46-b75d-7e829466a5fa",
			"created_at": "2024-12-21T02:00:02.843374Z",
			"updated_at": "2026-04-10T02:00:03.780907Z",
			"deleted_at": null,
			"main_name": "Storm-2077",
			"aliases": [
				"TAG-100",
				"RedNovember"
			],
			"source_name": "MISPGALAXY:Storm-2077",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea34919f-9093-4e34-b9de-a37ab9b4d5c4",
			"created_at": "2022-10-25T16:07:24.35727Z",
			"updated_at": "2026-04-10T02:00:04.952883Z",
			"deleted_at": null,
			"main_name": "UNC215",
			"aliases": [],
			"source_name": "ETDA:UNC215",
			"tools": [
				"AdFind",
				"CHINACHOPPER",
				"China Chopper",
				"FOCUSFJORD",
				"HighShell",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Mimikatz",
				"NBTscan",
				"ProcDump",
				"PsExec",
				"SEASHARPEE",
				"SinoChopper",
				"SysUpdate",
				"TwoFace",
				"WHEATSCAN",
				"WinRAR",
				"certutil",
				"certutil.exe",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f7d2815-7504-4818-bf8d-bba18161b111",
			"created_at": "2025-08-07T02:03:24.613342Z",
			"updated_at": "2026-04-10T02:00:03.732192Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Daggerfly",
				"Daggerfly ",
				"Evasive Panda ",
				"Evasive Panda ",
				"Storm Bamboo "
			],
			"source_name": "Secureworks:BRONZE HIGHLAND",
			"tools": [
				"Cobalt Strike",
				"KsRemote",
				"Macma",
				"MgBot",
				"Nightdoor",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "650a9c54-160c-4a25-8e96-e845f2dd6f82",
			"created_at": "2026-01-18T02:00:03.063535Z",
			"updated_at": "2026-04-10T02:00:03.901997Z",
			"deleted_at": null,
			"main_name": "Earth Lamia",
			"aliases": [
				"UNC5454"
			],
			"source_name": "MISPGALAXY:Earth Lamia",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1820b6d5-4c68-4c37-bd25-034fd77cf1bf",
			"created_at": "2026-01-17T02:00:03.195495Z",
			"updated_at": "2026-04-10T02:00:03.89438Z",
			"deleted_at": null,
			"main_name": "CL-STA-0048",
			"aliases": [
				"CL STA 0048"
			],
			"source_name": "MISPGALAXY:CL-STA-0048",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7a257844-df90-4bd4-b0f1-77d00ff82802",
			"created_at": "2022-10-25T16:07:24.376356Z",
			"updated_at": "2026-04-10T02:00:04.964565Z",
			"deleted_at": null,
			"main_name": "Venom Spider",
			"aliases": [
				"Golden Chickens",
				"TA4557",
				"Venom Spider"
			],
			"source_name": "ETDA:Venom Spider",
			"tools": [
				"More_eggs",
				"PureLocker",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Taurus Loader Reconnaissance Module",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraCrypt",
				"TerraLogger",
				"TerraPreter",
				"TerraRecon",
				"TerraStealer",
				"TerraTV",
				"TerraWiper",
				"ThreatKit",
				"VenomKit",
				"VenomLNK",
				"lite_more_eggs"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cf1c7efe-4464-4347-95d3-c86fb4d7db51",
			"created_at": "2022-10-25T16:07:24.35977Z",
			"updated_at": "2026-04-10T02:00:04.953882Z",
			"deleted_at": null,
			"main_name": "UNC2447",
			"aliases": [],
			"source_name": "ETDA:UNC2447",
			"tools": [
				"7-Zip",
				"AdFind",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DEATHRANSOM",
				"DeathRansom",
				"FIVEHANDS",
				"FOXGRABBER",
				"HELLOKITTY",
				"HelloKitty",
				"KittyCrypt",
				"Mimikatz",
				"PCHUNTER",
				"RCLONE",
				"ROUTERSCAN",
				"Ragnar Locker",
				"RagnarLocker",
				"Rclone",
				"S3BROWSER",
				"SombRAT",
				"Thieflock",
				"WARPRISM",
				"cobeacon",
				"deathransom",
				"wacatac"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "416f8374-2b06-47e4-ba91-929b3f85d9bf",
			"created_at": "2022-10-25T16:07:24.093951Z",
			"updated_at": "2026-04-10T02:00:04.864244Z",
			"deleted_at": null,
			"main_name": "Rancor",
			"aliases": [
				"G0075",
				"Rancor Group",
				"Rancor Taurus"
			],
			"source_name": "ETDA:Rancor",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DDKONG",
				"Derusbi",
				"Dudell",
				"ExDudell",
				"KHRAT",
				"PLAINTEE",
				"RoyalRoad",
				"certutil",
				"certutil.exe",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2439ad53-39cc-4fff-8fdf-4028d65803c0",
			"created_at": "2022-10-25T16:07:23.353204Z",
			"updated_at": "2026-04-10T02:00:04.55407Z",
			"deleted_at": null,
			"main_name": "APT 32",
			"aliases": [
				"APT 32",
				"APT-C-00",
				"APT-LY-100",
				"ATK 17",
				"G0050",
				"Lotus Bane",
				"Ocean Buffalo",
				"OceanLotus",
				"Operation Cobalt Kitty",
				"Operation PhantomLance",
				"Pond Loach",
				"SeaLotus",
				"SectorF01",
				"Tin Woodlawn"
			],
			"source_name": "ETDA:APT 32",
			"tools": [
				"Agentemis",
				"Android.Backdoor.736.origin",
				"AtNow",
				"Backdoor.MacOS.OCEANLOTUS.F",
				"BadCake",
				"CACTUSTORCH",
				"CamCapture Plugin",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Cuegoe",
				"DKMC",
				"Denis",
				"Goopy",
				"HiddenLotus",
				"KOMPROGO",
				"KerrDown",
				"METALJACK",
				"MSFvenom",
				"Mimikatz",
				"Nishang",
				"OSX_OCEANLOTUS.D",
				"OceanLotus",
				"PHOREAL",
				"PWNDROID1",
				"PhantomLance",
				"PowerSploit",
				"Quasar RAT",
				"QuasarRAT",
				"RatSnif",
				"Remy",
				"Remy RAT",
				"Rizzo",
				"Roland",
				"Roland RAT",
				"SOUNDBITE",
				"Salgorea",
				"Splinter RAT",
				"Terracotta VPN",
				"Yggdrasil",
				"cobeacon",
				"denesRAT",
				"fingerprintjs2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "873a6c6f-a4d1-49b3-8142-4a147d4288ef",
			"created_at": "2022-10-25T16:07:23.455744Z",
			"updated_at": "2026-04-10T02:00:04.61281Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Bronze Vapor",
				"G0114",
				"Nuclear Taurus",
				"Operation Skeleton Key",
				"Red Charon",
				"THORIUM",
				"Tumbleweed Typhoon"
			],
			"source_name": "ETDA:Chimera",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"SkeletonKeyInjector",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "17e10d0c-1e0d-46ae-b618-e38257652da1",
			"created_at": "2026-02-04T02:00:03.706015Z",
			"updated_at": "2026-04-10T02:00:03.949251Z",
			"deleted_at": null,
			"main_name": "Team46",
			"aliases": [
				"TaxOff"
			],
			"source_name": "MISPGALAXY:Team46",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8d33d51a-e365-4768-89f7-8be2d174e2c8",
			"created_at": "2026-02-04T02:00:03.70754Z",
			"updated_at": "2026-04-10T02:00:03.950274Z",
			"deleted_at": null,
			"main_name": "UAT-8099",
			"aliases": [],
			"source_name": "MISPGALAXY:UAT-8099",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "02c9f3f6-5d10-456b-9e63-750286048149",
			"created_at": "2022-10-25T16:07:23.722884Z",
			"updated_at": "2026-04-10T02:00:04.72726Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"ATK 116",
				"Blue Odin",
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"Inception Framework",
				"Operation Cloud Atlas",
				"Operation RedOctober",
				"The Rocra"
			],
			"source_name": "ETDA:Inception Framework",
			"tools": [
				"Lastacloud",
				"PowerShower",
				"VBShower"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2c7ecb0e-337c-478f-95d4-7dbe9ba44c39",
			"created_at": "2022-10-25T16:07:23.690871Z",
			"updated_at": "2026-04-10T02:00:04.709966Z",
			"deleted_at": null,
			"main_name": "Goblin Panda",
			"aliases": [
				"1937CN",
				"Conimes",
				"Cycldek",
				"Goblin Panda"
			],
			"source_name": "ETDA:Goblin Panda",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"BackDoor-FBZT!52D84425CDF2",
				"BlueCore",
				"BrowsingHistoryView",
				"ChromePass",
				"CoreLoader",
				"Custom HDoor",
				"Destroy RAT",
				"DestroyRAT",
				"DropPhone",
				"FoundCore",
				"HDoor",
				"HTTPTunnel",
				"JsonCookies",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NBTscan",
				"NewCore RAT",
				"PlugX",
				"ProcDump",
				"PsExec",
				"QCRat",
				"RainyDay",
				"RedCore",
				"RedDelta",
				"RoyalRoad",
				"Sisfader",
				"Sisfader RAT",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Win32.Staser.ytq",
				"USBCulprit",
				"Win32/Zegost.BW",
				"Xamtrav",
				"ZeGhost",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "81e29474-63ad-4ce8-97db-b1712d5481d5",
			"created_at": "2024-04-24T02:00:49.570158Z",
			"updated_at": "2026-04-10T02:00:05.285111Z",
			"deleted_at": null,
			"main_name": "Cinnamon Tempest",
			"aliases": [
				"Cinnamon Tempest",
				"DEV-0401",
				"Emperor Dragonfly",
				"BRONZE STARLIGHT"
			],
			"source_name": "MITRE:Cinnamon Tempest",
			"tools": [
				"Pandora",
				"PlugX",
				"Cheerscrypt",
				"Impacket",
				"Cobalt Strike",
				"HUI Loader",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434445,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cf997247b2af600f4efb29b88207e28afabbc6b7.pdf",
		"text": "https://archive.orkl.eu/cf997247b2af600f4efb29b88207e28afabbc6b7.txt",
		"img": "https://archive.orkl.eu/cf997247b2af600f4efb29b88207e28afabbc6b7.jpg"
	}
}