{
	"id": "20e023d2-d278-4954-935e-b498e918016c",
	"created_at": "2026-04-06T00:21:49.994293Z",
	"updated_at": "2026-04-10T03:38:01.714943Z",
	"deleted_at": null,
	"sha1_hash": "cf9d08391f722238414b7d96692deb0067bda765",
	"title": "APT Cobalt Strike Campaign targeting Slovakia (DEF CON talk)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 602583,
	"plain_text": "APT Cobalt Strike Campaign targeting Slovakia (DEF CON talk)\r\nBy Themefisher \u0026 IstroSec\r\nArchived: 2026-04-05 20:17:01 UTC\r\nIn March 2021 our researchers discovered an APT campaign targeting Slovakia. We found that this campaign had been active at least since February 2021, and some C\u0026C servers were still active in June 2021. The threat actor mostly used Cobalt Strike, together with phishing emails and documents sent in the name of the Slovak National Security Authority. Our threat intelligence and malware research revealed several command and control servers around the globe. Some of them had direct relations to targets in the Slovak Republic.\r\nCobalt Strike\r\nAs described on Cobalt Strike’s website, Cobalt Strike is “software for Adversary Simulations and Red Team Operations”. It is a commercial tool priced at $3,500 per user per year, and it is used by many pentesters and red teamers as well as by some advanced threat actors such as APT19, APT29, APT32, Leviathan, Cobalt Group and FIN6. Again, the official website says:\r\n“Cobalt Strike gives you a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in your customer’s network”.\r\nTherefore it is a somewhat more interesting piece of malware than the relatively common backdoors, RATs, Metasploit and other publicly available free samples.\r\n“NSA” ISO Sample\r\nSomebody submitted a sample called AktualizC!ciu.img to the Any.Run sandbox on 23rd March 2021. The sample was submitted for analysis from Slovakia. It was then submitted again on 9th April; probably someone was already (or again) investigating the attack. The original ISO filesystem contains timestamps with time zone information: UTC-07:00 (Pacific Daylight Time). Also, this sample was submitted to VirusTotal shortly after the reported creation timestamps of the ISO filesystem, 
which indicates that the creation timestamps of the ISO filesystem have not been tampered with.\r\nThe volume name of the ISO filesystem is interesting: it contains “NBU”, which is the abbreviation of the National Security Authority in Slovakia.\r\nhttps://www.istrosec.com/blog/apt-sk-cobalt/\r\nPage 1 of 9\r\nFig. 1: NSA ISO Sample\r\nFig. 2: Content of NSA ISO Sample\r\nThe “NSA” ISO Sample contains two files: one LNK file and one DLL file. The LNK file executes the following command: C:\\Windows\\System32\\rundll32.exe diassvcs.dll InitializeComponent\r\nJudging by the access time of the LNK file, this file was accessed 13 minutes before the ISO filesystem was created. Thus there is probably no automation in the packaging process of the malware sample, and the payload for delivery (see below) was created manually by a human.\r\nFig. 3: Details of LNK file from NSA ISO Sample\r\nCobalt Strike Beacon\r\nThe DLL file diassvcs.dll is a loader/packer with some anti-analysis protections enabled. The picture below shows the unpacking routine, consisting of decryption loops followed by calls to the VirtualProtect Windows API and to the unpacked payload itself.\r\nFig. 4: Unpacking routine of DLL Loader from NSA ISO Sample\r\nThe unpacked payload is a DLL file, but without the standard MS-DOS header. This malformed header can often be seen, for example, in Metasploit’s Meterpreter payloads, where it is used as part of the shellcode.\r\nFig. 5: Malformed MZ header of unpacked Cobalt Strike Beacon\r\nThis DLL file is actually a Cobalt Strike Beacon. 
The extracted configuration is attached below.\r\nBeaconType - HTTPS\r\nPort - 443\r\nSleepTime - 45000\r\nMaxGetSize - 1403644\r\nJitter - 37\r\nMaxDNS - Not Found\r\nPublicKey - b'0\\x81\\x9f0\\r\\x06\\t*\\x86H\\x86\\xf7\\r\\x01\\x01\\x01\\x05\\x00\\x03\\x81\\x8d\\x000\\x81\\x89\\x02\\\r\nC2Server - content.pcmsar.net,/jquery-3.3.1.min.js\r\nUserAgent - Not Found\r\nHttpPostUri - /jquery-3.3.2.min.js\r\nHttpGet_Metadata - Not Found\r\nHttpPost_Metadata - Not Found\r\nSpawnTo - b'\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00'\r\nPipeName - Not Found\r\nDNS_Idle - Not Found\r\nDNS_Sleep - Not Found\r\nSSH_Host - Not Found\r\nSSH_Port - Not Found\r\nSSH_Username - Not Found\r\nSSH_Password_Plaintext - Not Found\r\nSSH_Password_Pubkey - Not Found\r\nHttpGet_Verb - GET\r\nHttpPost_Verb - POST\r\nHttpPostChunk - 0\r\nSpawnto_x86 - %windir%\\syswow64\\dllhost.exe\r\nSpawnto_x64 - %windir%\\sysnative\\dllhost.exe\r\nCryptoScheme - 0\r\nProxy_Config - Not Found\r\nProxy_User - Not Found\r\nProxy_Password - Not Found\r\nProxy_Behavior - Use IE settings\r\nWatermark - 1359593325\r\nbStageCleanup - True\r\nbCFGCaution - False\r\nKillDate - 0\r\nbProcInject_StartRWX - False\r\nbProcInject_UseRWX - False\r\nbProcInject_MinAllocSize - 17500\r\nProcInject_PrependAppend_x86 - b'\\x90\\x90'\r\n Empty\r\nProcInject_PrependAppend_x64 - b'\\x90\\x90'\r\n Empty\r\nProcInject_Execute - ntdll:RtlUserThreadStart\r\n CreateThread\r\n NtQueueApcThread-s\r\n CreateRemoteThread\r\n RtlCreateUserThread\r\nProcInject_AllocationMethod - NtMapViewOfSection\r\nbUsesCookies - True\r\nHostHeader -\r\nFrom this config we can see that this is an HTTP Beacon based on the jQuery Malleable C2 profile.\r\nCobalt Strike C2 Server\r\nAnalysis of the Cobalt Strike C2 server at content.pcmsar[.]net revealed a couple of interesting things. The server is hosted at OVH SAS in Canada. 
It is powered by the nginx web server, with a Let’s Encrypt certificate issued on Mar 15 08:27:41 2021 GMT (approximately one week before the Cobalt Strike payload was packed into the ISO). HTTP requests without any parameters are redirected to https://spectator.sme.sk/, a popular English-language online newspaper in Slovakia.\r\nFig. 6: HTTPS details of Cobalt Strike C\u0026C server\r\nThreat Actor C2 Infrastructure\r\nBased on the observations above (and a couple of others), it is possible to discover more C2 servers. Some of them are hosted at OVH, and many of them have SSL/TLS certificates issued by Sectigo instead of Let’s Encrypt. They have been active since February 2021 (confirmed), but some of them were probably also used back in 2020. These C2 servers also incorporate redirection to innocent websites, and they use similar domains themselves. For example, the C2 server hosted at cbdnewsandreviews[.]net redirects visitors to https://www.newsreview.com//.\r\nThe discovered C2 servers are located around the globe, for example in Canada, France and Australia.\r\nFig. 7: HTTPS details of another Cobalt Strike C\u0026C server\r\nMore Malware Samples\r\nWith information about the C2 infrastructure, our researchers found other malware samples linked to the same threat actor, for example another ISO called evil.iso. This file is very similar to the analyzed “NSA” ISO: it contains an LNK and a DLL file with a Cobalt Strike Beacon payload. It was submitted to Any.Run on 26th February 2021 from the Netherlands (our hypothesis is that the malware analyst used ProtonVPN, which analysts often use to protect their privacy). The first submission to VirusTotal is from 25th February; however, the ISO file (with the original name invitation.iso) was most likely created on 17th February in the Pacific Standard Time zone (UTC-08:00).\r\nFig. 
8: Evil ISO Sample\r\nDelivery Method\r\nBased on similarities between the analyzed ISO files, we were able to find other similar files. It seems that at least some of them were delivered via phishing emails with ISO/IMG attachments that look like Word documents. Moreover, it seems that the same threat actor delivered at least one phishing email to targets in the Czech Republic in March 2021.\r\nFig. 9: Example of email with similar attachment delivered to a private company\r\nFindings and Summary\r\nWe were able to discover and track the campaign targeting the Slovak government and the Cobalt Strike infrastructure used by the threat actor. This analysis was based solely on publicly available information, community threat intelligence sources and our own malware research. The incident and results were reported to the local authorities, such as the computer security incident response team. The report included the collected indicators of compromise such as hashes and IP addresses. These IOCs were used during the investigation. Think of it as an oracle: you can predict which IP addresses the attacker will use in the next steps, or you can use the reported IOCs as pivots during forensic analysis. All the results come solely from hunting in public sources.\r\nDEF CON Talk\r\nFig. 10: Our talk at DEFCON 29 Recon Village\r\nWe presented this case at Recon Village at the DEF CON 29 conference in August 2021 (Las Vegas \u0026 Virtual). We also introduced and explained a couple of concepts, tips and tricks for malware hunting and advanced search. The presentation slides and video from our talk are available below.\r\nDEF CON 29 Recon Village Presentation Slides [PDF]\r\nAfterword\r\n(updated on Sep 13, 2021)\r\nThis blog post was originally based on research and analysis during March and April 2021. 
Therefore, we published our results based only on data available at that time, without referring to the results and articles published a few weeks and months later.\r\nA few days after the DEF CON talk and after publishing this blog post, the Slovak technology portal Zive.sk wrote an article about this incident based on our research. Then ESET Research found that this attack targeted diplomats from more than 13 European countries as well as think tanks, and the attack was also linked to APT29/Dukes/Nobelium by the Microsoft Threat Intelligence Center. In their article from the end of May, they published IOCs that also include some of the IOCs mentioned here, including the “NSA” ISO Sample.\r\nAnd finally, Catalin Cimpanu from The Record published the post “Russian cyberspies targeted the Slovak government for months” based on the work above.\r\nSample IOCs\r\nHashes\r\nbd05e95b88b41cad419d450b10f801c5: AktualizC!ciu.img\r\ned24b708a0abb91d2d984c646527823f: Aktualizáciu.lnk\r\ne55d9f6300fa32458b909fded48ec2c9: diassvcs.dll\r\n1adfe420043628286d0f3ff007113bfa: Cobalt Strike Beacon\r\nb0c12b32ed763e2fd9f0a1669f82d579: evil.iso\r\n038579bdb1de9e0ab541df532afeb50d: Programme outline.lnk\r\n72b494d0921296cdd5e4a07a0869b244: Plending forms.lnk\r\n600aceaddb22b9a1d6ae374ba7fc28c5: GraphicalComponent.dll\r\nDomains\r\ncontent.pcmsar[.]net\r\ncbdnewsandreviews[.]net\r\nIP Addresses\r\n51.79.69[.]211\r\n139.99.167[.]177\r\nReferences\r\nhttps://www.cobaltstrike.com/\r\nhttps://app.any.run/tasks/2c77358b-a7bc-4ebc-b034-362a1ddd0cd3/\r\nhttps://www.virustotal.com/gui/file/89016b87e97a07b4e0263a18827defdeaa3e150b1523534bbdebe7305beabb64/details\r\nhttps://www.cobaltstrike.com/help-malleable-c2\r\nhttps://github.com/threatexpress/malleable-c2\r\nhttps://app.any.run/tasks/41080dd6-5e6d-4150-8fab-715f142a9d7e/\r\nDEF CON 29 Recon Village Presentation Slides\r\nSource: 
https://www.istrosec.com/blog/apt-sk-cobalt/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.istrosec.com/blog/apt-sk-cobalt/"
	],
	"report_names": [
		"apt-sk-cobalt"
	],
	"threat_actors": [
		{
			"id": "1f3cf3d1-4764-4158-a216-dd6352e671bb",
			"created_at": "2022-10-25T15:50:23.837615Z",
			"updated_at": "2026-04-10T02:00:05.322197Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"APT19",
				"Codoso",
				"C0d0so0",
				"Codoso Team",
				"Sunshop Group"
			],
			"source_name": "MITRE:APT19",
			"tools": [
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46a151bd-e4c2-46f9-aee9-ee6942b01098",
			"created_at": "2023-01-06T13:46:38.288168Z",
			"updated_at": "2026-04-10T02:00:02.911919Z",
			"deleted_at": null,
			"main_name": "APT19",
			"aliases": [
				"DEEP PANDA",
				"Codoso",
				"KungFu Kittens",
				"Group 13",
				"G0009",
				"G0073",
				"Checkered Typhoon",
				"Black Vine",
				"TEMP.Avengers",
				"PinkPanther",
				"Shell Crew",
				"BRONZE FIRESTONE",
				"Sunshop Group"
			],
			"source_name": "MISPGALAXY:APT19",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f2ce5b52-a220-4b94-ab66-4b81f3fed05d",
			"created_at": "2025-08-07T02:03:24.595597Z",
			"updated_at": "2026-04-10T02:00:03.740023Z",
			"deleted_at": null,
			"main_name": "BRONZE FIRESTONE",
			"aliases": [
				"APT19 ",
				"C0d0s0",
				"Checkered Typhoon ",
				"Chlorine ",
				"Deep Panda ",
				"Pupa ",
				"TG-3551 "
			],
			"source_name": "Secureworks:BRONZE FIRESTONE",
			"tools": [
				"9002",
				"Alice's Rabbit Hole",
				"Cobalt Strike",
				"Derusbi",
				"PlugX",
				"PoisonIvy",
				"PowerShell Empire",
				"Trojan Briba",
				"Zuguo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b9806584-4d82-4f32-ae97-18a2583e8d11",
			"created_at": "2022-10-25T16:07:23.787833Z",
			"updated_at": "2026-04-10T02:00:04.749709Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"APT 40",
				"ATK 29",
				"Bronze Mohawk",
				"G0065",
				"Gadolinium",
				"Gingham Typhoon",
				"ISLANDDREAMS",
				"ITG09",
				"Jumper Taurus",
				"Kryptonite Panda",
				"Mudcarp",
				"Red Ladon",
				"TA423",
				"TEMP.Jumper",
				"TEMP.Periscope"
			],
			"source_name": "ETDA:Leviathan",
			"tools": [
				"AIRBREAK",
				"Agent.dhwf",
				"Agentemis",
				"AngryRebel",
				"BADFLICK",
				"BlackCoffee",
				"CHINACHOPPER",
				"China Chopper",
				"Cobalt Strike",
				"CobaltStrike",
				"DADJOKE",
				"Dadstache",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"GRILLMARK",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEFRY",
				"Hellsing Backdoor",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"LUNCHMONEY",
				"Living off the Land",
				"MURKYTOP",
				"Moudour",
				"Mydoor",
				"NanHaiShu",
				"Orz",
				"PCRat",
				"PNGRAT",
				"PlugX",
				"RedDelta",
				"SeDLL",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"cobeacon",
				"gresim",
				"scanbox"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434909,
	"ts_updated_at": 1775792281,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cf9d08391f722238414b7d96692deb0067bda765.pdf",
		"text": "https://archive.orkl.eu/cf9d08391f722238414b7d96692deb0067bda765.txt",
		"img": "https://archive.orkl.eu/cf9d08391f722238414b7d96692deb0067bda765.jpg"
	}
}