{ "id": "89690be7-c43a-4302-9db5-0ed8bdd243d0", "created_at": "2026-04-06T00:09:53.805423Z", "updated_at": "2026-04-10T03:38:09.719807Z", "deleted_at": null, "sha1_hash": "d068d4ddff3c53eacd27d22012194ec4ee09fb13", "title": "Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 785162, "plain_text": "Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm\r\nArchived: 2026-04-05 14:03:27 UTC\r\nDespite multiple arrests and the conviction of several members of the notorious cybercrime gang, FIN7 [1][2]\r\n(a.k.a. Carbanak Group), the group continues to develop its business model and toolset throughout 2021 [3].\r\nDuring the first week of June 2021, eSentire’s Threat Response Unit (TRU) witnessed an opportunistic malspam\r\ncampaign that was conducted by the FIN7 group. The criminal group used a fake legal complaint centering around\r\nBrown-Forman Inc. Brown-Forman is a large, U.S.-based wine and spirits company and the maker of the popular\r\nJack Daniels whisky. (Figures 1 and 2). On June 10, external researchers observed a USPS mail delivery\r\nnotification lure (Figure3). It was associated with the same infrastructure set as the legal complaint lure. Toward\r\nthe end of June, a ProofPoint researcher documented a Windows 11 lure used to deliver JSSLoader.\r\nOne of the victims of the malicious legal complaint campaign was a law firm. The lure successfully bypassed the\r\nlaw firm’s email filters, and it was not detected as suspicious by any of the firm’s employees. eSentire’s TRU team\r\nidentified the malicious document through threat hunting activities.\r\nThe initial stage of the malware arrives as an Excel attachment, which downloads and executes a variant of the\r\nJSSLoader Remote Access Trojan (RAT). The variant has been reported as being used by the FIN7 group [3]. The\r\nmalicious Excel document leverages Windows Management Instrumentation (WMI) to install the RAT. Once\r\ninstalled, JSSLoader provides the threat group with a backdoor to the victim’s computer and the organization.\r\nFigure 1: Brown-Forman Lookalike Landing Page (browm-forman[.]com)\r\nhttps://www.esentire.com/security-advisories/notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc\r\nPage 1 of 9\n\nFigure 2: Legal Complaint lure observed by TRU on June 1, 2021 that led to an employee at a law firm\r\ndownloading and executing a variant of JSSLoader.\r\nFigure 3: USPS lure associated with FIN7 infrastructure.\r\nFIN7 Objectives\r\nFIN7 is a financially motivated cybercrime group which gained notoriety for stealing millions of credit card\r\nnumbers from businesses around the world. One security research team reported that the crime group stole more\r\nhttps://www.esentire.com/security-advisories/notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc\r\nPage 2 of 9\n\nthan a billion dollars between 2015 and 2018 from companies globally. U.S. federal law officials filed court\r\ndocuments on June 17, 2021 stating that FIN7 had more than 70 members, all assigned to various departments\r\nunder the larger organization. The court documents went on to say that the FIN7 leaders would organize their\r\npersonnel into different teams. These teams are tasked with creating malware, crafting phishing documents and\r\ncollecting money from compromised victims. As for the U.S. victims, court officials stated that the group went\r\nafter hundreds of U.S. companies infecting organizations ranging from the burrito chain Chipotle and the\r\ndepartment store Saks Fifth Avenue. FIN7 is one of many cyber gangs observed participating in Magecart attacks\r\n[4]. Magecart is a consortium of malicious hacker groups who target online shopping cart systems, such as the\r\nMagento system, to steal customer payment card information.\r\nFIN7 has also been associated with the Ryuk ransomware group[5]. In December 2020, security researchers at\r\nTrusec observed an attacker use the tools and techniques of FIN7 to gain a foothold into an enterprise. In a second\r\nattack against the company, almost six weeks later, that same foothold was used to launch Ryuk ransomware into\r\nthe victim’s environment. The Truesec researchers stated that this was the first instance where they had observed a\r\ncombination of FIN7 tools and the RYUK ransomware. Until this incident, they said they had never seen FIN7\r\nassociated with ransomware attacks. The TRU has also never observed a connection between FIN7 and the Ryuk\r\nransomware group. Truesec theorized “it was possible FIN7 simply sold the access to the Ryuk group, but it is\r\nprobable that FIN7 and the Ryuk gang are more closely affiliated and may be part of the same organized crime\r\nnetwork.” [5]. No matter which theory is correct, this implies that few criminal organizations are out of scope for\r\nFIN7, since ransomware can often monetize intrusions regardless of the industry.\r\nSimilar conclusions can be drawn from the recent analysis on the victimology of the Avaddon ransomware group,\r\nwhich demonstrates a diverse set of victim targets, across business sectors and revenue volumes [6]. These\r\nobservations are part of a trend of modern, financially motivated attacks which implement a threat model that is\r\neffective, regardless of an organization’s industry. If FIN7 cannot make use of an organization they have\r\ncompromised, they are likely to participate in the “initial access market,” selling or trading access to the victim\r\nentity with another threat actor or threat group. Those threat actors are likely to be a ransomware group or its\r\naffiliates to monetize the access.\r\nFIN7’s Malicious Spam Campaign Using a Legal Lure Involving Brown-Forman\r\nInc.\r\nDuring this attack, the initial email arrives alleging a legal complaint for wine and spirits company, Brown-Forman, as observed by the TRU team, as well as other researchers [7]. Brown-Forman is one of the largest\r\nAmerican-owned spirits and wine companies and among the top 10 largest global spirits companies.\r\nSeveral researchers reported this lure, indicating that this was not a single incident, but most likely an\r\nopportunistic spam campaign. Corporate users might immediately suspect a random legal complaint, that arrives\r\nvia email, from a large spirits and wine company. However, law firms deal with legal complaints across industry\r\nverticals regularly so the content would not be considered out of the ordinary. Thus, law firms may be more\r\nsusceptible to this topic.\r\nFIN7’s Shifting Lures\r\nhttps://www.esentire.com/security-advisories/notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc\r\nPage 3 of 9\n\nOn June 10, external researchers observed FIN7 using a USPS-themed email attachment[8]. The USPS lure is\r\nmore generic and thus, more opportunistic in nature. And as mentioned previously, during the last week of June, a\r\nProofpoint researcher saw a Windows 11 lure which led to the JSSLoader.\r\nWhatever the specific intentions of FIN7, they appear to be actively adjusting their lures to maximize campaign\r\nsuccess. For example, the legal complaint lure hit Internet users’ email inboxes the first week of June, just one\r\nmonth before settlement claims were due for a class action suit against Brown-Forman regarding a ransomware\r\nbreach the company suffered in August 2020 (Figure 5). The infamous REvil (Sodin) gang took credit for the\r\nransomware attack. Although the company said they were able to disrupt the attack before their data could be\r\nencrypted, the REvil gang broadcasted on their blog/leak site that they had access to Brown-Forman’s systems for\r\nover a month and stole a terabyte of their company data.\r\nThe fact that the TRU spotted FIN7 launching a malicious email campaign in June 2021, using the Brown-Forman\r\nlegal complaint as a lure, and it was approximately one month before claim forms were due from victims (Figure\r\n4.) is coincidental. Whether FIN7 is connected to the REvil (Sodinokibi) attack against Brown-Forman or whether\r\nthey are simply capitalizing on public news regarding the case remains to be seen. In further examining potential\r\nconnections between FIN7 and REvil, in August 2020 a Swiss security company promised to demonstrate\r\nconnections between the two threat groups in a series of blog posts [9] but never provided sufficient evidence. It\r\nappears that they were left waiting for confirmation from the ransomware victims [10][11]. Regardless, what we\r\ndo know for sure is that cybercriminals use well-timed lures and try to predict the susceptibility of a theme for\r\ntheir threat campaigns, and they will use lures built around social trends [12], global crises [13] and routine events\r\n[14].\r\nOperating Infrastructure Tying FIN7’s Malicious Email Lures Together\r\nFigure 4: Infrastructure and malware used in the latest FIN7 campaigns\r\nhttps://www.esentire.com/security-advisories/notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc\r\nPage 4 of 9\n\nThe most recent lures associated with FIN7 show connections in their supporting infrastructure. (Figure 3). The\r\nservers are observed performing three distinct functions. The primary download server, observed by TRU, was\r\nbrowm-forman[.]com which served as a starting point. First stage payloads are fetched from intermediate\r\nservers, such as opposedent[.]com, jurisdictionious[.]com, halfious[.]com, pigeonious[.]com. It is unclear what\r\nrole fairedale[.]com plays, though given its position in redirection and JavaScript management, its role may be to\r\ntest whether a visiting computer is a susceptible victim (and not, for example, a security researcher) before\r\nredirecting the user to the malicious payload. The command- and- control domains(C2s), for the first payload,\r\nappear to be unitious[.]com, injuryless[.]com, deprivationant[.]com, jurisdictionient[.]com, and\r\nlegislationient[.]com. There is no apparent relationship with the infrastructure reported by previous research.\r\nAnother curious finding is that some infrastructure was not observed by TRU for months following domain\r\nregistration. In the incident which leveraged the Brown-Forman lure, the landing page for the lookalike domain\r\n(browm-forman[.]com) was registered 2021-03-11, but not observed until June. VirusTotal submissions for this\r\ndomain line up with the June observations. This gap between registration and operational use might have been to\r\nthwart website reputation filters which utilize domain age as input. This months-long time delta does not appear to\r\ncarry over to C2 domains used by the weaponized Excel document and subsequent JSSLoader payload. Both\r\ncontacted domains registered May 27th, a week prior to in- the-wild use.\r\nFinally, TRU observed registration of a new lookalike domain (brown-formam[.]com) on June 9th. While in-the-wild use has not been observed, the registration and TLS certificate patterns match the previous landing page. We\r\nassess this domain will replace the prior one given that it has been exposed publicly.\r\nKey Takeaways\r\nThe following key takeaways have been summarized by Spence Hutchinson, Manager of Threat Intelligence,\r\neSentire:\r\nDespite several key members of the FIN7 group being incarcerated, the gang continues to mount successful\r\nthreat campaigns, indicating that they have numerous members and extensive recruitment efforts.\r\nNotably for the Brown-Forman case, FIN7 threat actors registered the infrastructure months before the\r\nTRU saw it in action. Either the attackers were using it for months before eSentire saw the activity, or they\r\nweaponized it after a period of time to evade email filtering by newly registered domains. If that is the\r\ncase, this shows a degree of planning and sophistication on the part of FIN7.\r\nThe FIN7 group is very experienced. They have been involved in financial cybercrime for a long time, and\r\nthey know how to use social engineering techniques that will lure computer users. Their success in\r\ncompromising companies and individuals, via email, reiterates the importance of continually educating\r\none’s employees and partners to be on the lookout for malicious email campaigns.\r\nFIN7’s regular shifting of infrastructure and lures is a testament to their knowledge on how to evade\r\ndetection by security professionals.\r\nIt is plausible that proficient financial cybercrime groups, such as FIN7, are providing initial access to\r\nseasoned ransomware groups, such as REvil (Sodinokibi), Ryuk, etc. as a way to monetize their access.\r\nIf you’re not currently engaged with a Managed Detection and Response provider, we highly recommend you\r\npartner with us for security services in order to disrupt threats before they impact your business.\r\nhttps://www.esentire.com/security-advisories/notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc\r\nPage 5 of 9\n\nWant to learn more about how we protect legal firms globally? Connect with an eSentire Security Specialist.\r\nFigure 5: Brown-Forman Class Action Settlement. Note the Deadline aligns with the timing of the active\r\ncampaigns by FIN7 using the Brown-Forman complaint lure.\r\nAppendix of Domains Registered by the FIN7 Threat Group\r\nValue Creation Date\r\namusient[.]com 2021-06-29\r\nbrown-formam[.]com 2021-06-09\r\nspectrummel[.]com 2021-06-08\r\npigeonious[.]com 2021-06-08\r\nrichesk[.]com 2021-06-07\r\nunitious[.]com 2021-06-02\r\nhttps://www.esentire.com/security-advisories/notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc\r\nPage 6 of 9\n\nindulgology[.]com 2021-06-02\r\nbaradical[.]com 2021-05-31\r\ndeprivationant[.]com 2021-05-27\r\ndullism[.]com 2021-05-27\r\ninjuryless[.]com 2021-05-27\r\nopposedent[.]com 2021-05-27\r\ncapermission[.]com 2021-05-24\r\nhemispherious[.]com 2021-05-17\r\njurisdictionient[.]com 2021-05-17\r\ncannstattraction[.]com 2021-05-13\r\nmyofibrilliance[.]com 2021-05-12\r\nmigrationable[.]com 2021-04-15\r\nshareholderery[.]com 2021-04-07\r\neyebrowaholic[.]com 2021-03-20\r\noffspringance[.]com 2021-03-19\r\nhttps://www.esentire.com/security-advisories/notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc\r\nPage 7 of 9\n\nchyprediction[.]com 2021-03-17\r\nbrowm-forman[.]com 2021-03-11\r\nbank4america[.]com 2021-03-10\r\nassociationable[.]com 2021-03-09\r\ndiscriminatoid[.]com 2021-03-09\r\nshareholderma[.]com 2021-02-25\r\nconglomeratoid[.]com 2021-02-11\r\ndomestickum[.]com 2021-01-26\r\nfidespair[.]com 2021-01-22\r\nexecutivance[.]com 2021-01-21\r\nkeywordsance[.]com 2021-01-20\r\ncooperativology[.]com 2020-12-17\r\ncountrysidable[.]com 2020-12-14\r\nbypassociation[.]com 2020-12-14\r\nbattlefieldant[.]com 2020-12-14\r\nhttps://www.esentire.com/security-advisories/notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc\r\nPage 8 of 9\n\nnonremittalable[.]com 2020-12-10\r\n[1] https://www.cyberscoop.com/fin7-hacking-arrest-financial/\r\n[2] https://www.justice.gov/opa/pr/three-members-notorious-international-cybercrime-group-fin7-custody-role-attacking-over-100\r\n[3] https://blog.morphisec.com/the-evolution-of-the-fin7-jssloader\r\n[4] https://socprime.com/news/fin7-group-involved-in-skimming-attacks/\r\n[5] https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/\r\n[6] https://www.advanced-intel.com/post/the-rise-demise-of-multi-million-ransomware-business-empire\r\n[7] https://mobile.twitter.com/Arkbird_SOLG/status/1400845444889120783\r\n[8] https://twitter.com/ShadowChasing1/status/1403150596849295362\r\n[9] “Before disclosing the relationship between Fin7 and REvil groups, we are trying to reach the ransomware\r\nvictims.”\r\n[10] eSentire | Cybercriminals Use Malicious Google Ads to Lure Computer…\r\n[11] https://www.proofpoint.com/us/blog/threat-insight/attackers-use-covid-19-vaccine-lures-spread-malware-phishing-and-bec\r\nSource: https://www.esentire.com/security-advisories/notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc\r\nhttps://www.esentire.com/security-advisories/notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc\r\nPage 9 of 9", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "references": [ "https://www.esentire.com/security-advisories/notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc" ], "report_names": [ "notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc" ], "threat_actors": [ { "id": "c9617bb6-45c8-495e-9759-2177e61a8e91", "created_at": "2022-10-25T15:50:23.405039Z", "updated_at": "2026-04-10T02:00:05.387643Z", "deleted_at": null, "main_name": "Carbanak", "aliases": [ "Carbanak", "Anunak" ], "source_name": "MITRE:Carbanak", "tools": [ "Carbanak", "Mimikatz", "PsExec", "netsh" ], "source_id": "MITRE", "reports": null }, { "id": "9de1979b-40fc-44dc-855d-193edda4f3b8", "created_at": "2025-08-07T02:03:24.92723Z", "updated_at": "2026-04-10T02:00:03.755516Z", "deleted_at": null, "main_name": "GOLD LOCUST", "aliases": [ "Anunak", "Carbanak", "Carbon Spider ", "FIN7 ", "Silicon " ], "source_name": "Secureworks:GOLD LOCUST", "tools": [ "Carbanak" ], "source_id": "Secureworks", "reports": null }, { "id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed", "created_at": "2023-01-06T13:46:38.814104Z", "updated_at": "2026-04-10T02:00:03.110104Z", "deleted_at": null, "main_name": "MageCart", "aliases": [], "source_name": "MISPGALAXY:MageCart", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "cf7fc640-acfe-41c4-9f3d-5515d53a3ffb", "created_at": "2023-01-06T13:46:38.228042Z", "updated_at": "2026-04-10T02:00:02.883048Z", "deleted_at": null, "main_name": "APT1", "aliases": [ "PLA Unit 61398", "Comment Crew", "Byzantine Candor", "Comment Group", "GIF89a", "Group 3", "TG-8223", "Brown Fox", "ShadyRAT", "G0006", "COMMENT PANDA" ], "source_name": "MISPGALAXY:APT1", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf", "created_at": "2023-01-06T13:46:38.405479Z", "updated_at": "2026-04-10T02:00:02.961112Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "ATK32", "G0046", "G0008", "Sangria Tempest", "ELBRUS", "GOLD NIAGARA", "Coreid", "Carbanak", "Carbon Spider", "JokerStash", "CARBON SPIDER" ], "source_name": "MISPGALAXY:FIN7", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ed3810b7-141a-4ed0-8a01-6a972b80458d", "created_at": "2022-10-25T16:07:23.443259Z", "updated_at": "2026-04-10T02:00:04.602946Z", "deleted_at": null, "main_name": "Carbanak", "aliases": [ "Anunak", "Carbanak", "Carbon Spider", "ELBRUS", "G0008", "Gold Waterfall", "Sangria Tempest" ], "source_name": "ETDA:Carbanak", "tools": [ "AVE_MARIA", "Agentemis", "AmmyyRAT", "Antak", "Anunak", "Ave Maria", "AveMariaRAT", "BABYMETAL", "BIRDDOG", "Backdoor Batel", "Batel", "Bateleur", "BlackMatter", "Boostwrite", "Cain \u0026 Abel", "Carbanak", "Cl0p", "Cobalt Strike", "CobaltStrike", "DNSMessenger", "DNSRat", "DNSbot", "DRIFTPIN", "DarkSide", "FOXGRABBER", "FlawedAmmyy", "HALFBAKED", "JS Flash", "KLRD", "MBR Eraser", "Mimikatz", "Nadrac", "Odinaff", "POWERPIPE", "POWERSOURCE", "PsExec", "SQLRAT", "Sekur", "Sekur RAT", "SocksBot", "SoftPerfect Network Scanner", "Spy.Agent.ORM", "TEXTMATE", "TeamViewer", "TiniMet", "TinyMet", "Toshliph", "VB Flash", "WARPRISM", "avemaria", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "f4f16213-7a22-4527-aecb-b964c64c2c46", "created_at": "2024-06-19T02:03:08.090932Z", "updated_at": "2026-04-10T02:00:03.6289Z", "deleted_at": null, "main_name": "GOLD NIAGARA", "aliases": [ "Calcium ", "Carbanak", "Carbon Spider ", "FIN7 ", "Navigator ", "Sangria Tempest ", "TelePort Crew " ], "source_name": "Secureworks:GOLD NIAGARA", "tools": [ "Bateleur", "Carbanak", "Cobalt Strike", "DICELOADER", "DRIFTPIN", "GGLDR", "GRIFFON", "JSSLoader", "Meterpreter", "OFFTRACK", "PILLOWMINT", "POWERTRASH", "SUPERSOFT", "TAKEOUT", "TinyMet" ], "source_id": "Secureworks", "reports": null }, { "id": "bfded1cf-be73-44f9-a391-0751c9996f9a", "created_at": "2022-10-25T15:50:23.337107Z", "updated_at": "2026-04-10T02:00:05.252413Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "FIN7", "GOLD NIAGARA", "ITG14", "Carbon Spider", "ELBRUS", "Sangria Tempest" ], "source_name": "MITRE:FIN7", "tools": [ "Mimikatz", "AdFind", "JSS Loader", "HALFBAKED", "REvil", "PowerSploit", "CrackMapExec", "Carbanak", "Pillowmint", "Cobalt Strike", "POWERSOURCE", "RDFSNIFFER", "SQLRat", "Lizar", "TEXTMATE", "BOOSTWRITE" ], "source_id": "MITRE", "reports": null }, { "id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82", "created_at": "2022-10-25T16:07:23.619566Z", "updated_at": "2026-04-10T02:00:04.690061Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "APT-C-11", "ATK 32", "G0046", "Gold Niagara", "GrayAlpha", "ITG14", "TAG-CR1" ], "source_name": "ETDA:FIN7", "tools": [ "7Logger", "Agentemis", "Anubis Backdoor", "Anunak", "Astra", "BIOLOAD", "BIRDWATCH", "Bateleur", "Boostwrite", "CROWVIEW", "Carbanak", "Cobalt Strike", "CobaltStrike", "DICELOADER", "DNSMessenger", "FOWLGAZE", "HALFBAKED", "JSSLoader", "KillACK", "LOADOUT", "Lizar", "Meterpreter", "Mimikatz", "NetSupport", "NetSupport Manager", "NetSupport Manager RAT", "NetSupport RAT", "NetSupportManager RAT", "POWERPLANT", "POWERSOURCE", "RDFSNIFFER", "Ragnar Loader", "SQLRAT", "Sardonic", "Sekur", "Sekur RAT", "TEXTMATE", "Tirion", "VB Flash", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b", "created_at": "2022-10-25T16:07:23.480196Z", "updated_at": "2026-04-10T02:00:04.626125Z", "deleted_at": null, "main_name": "Comment Crew", "aliases": [ "APT 1", "BrownFox", "Byzantine Candor", "Byzantine Hades", "Comment Crew", "Comment Panda", "G0006", "GIF89a", "Group 3", "Operation Oceansalt", "Operation Seasalt", "Operation Siesta", "Shanghai Group", "TG-8223" ], "source_name": "ETDA:Comment Crew", "tools": [ "Auriga", "Cachedump", "Chymine", "CookieBag", "Darkmoon", "GDOCUPLOAD", "GLOOXMAIL", "GREENCAT", "Gen:Trojan.Heur.PT", "GetMail", "Hackfase", "Hacksfase", "Helauto", "Kurton", "LETSGO", "LIGHTBOLT", "LIGHTDART", "LOLBAS", "LOLBins", "LONGRUN", "Living off the Land", "Lslsass", "MAPIget", "ManItsMe", "Mimikatz", "MiniASP", "Oceansalt", "Pass-The-Hash Toolkit", "Poison Ivy", "ProcDump", "Riodrv", "SPIVY", "Seasalt", "ShadyRAT", "StarsyPound", "TROJAN.COOKIES", "TROJAN.FOXY", "TabMsgSQL", "Tarsip", "Trojan.GTALK", "WebC2", "WebC2-AdSpace", "WebC2-Ausov", "WebC2-Bolid", "WebC2-Cson", "WebC2-DIV", "WebC2-GreenCat", "WebC2-Head", "WebC2-Kt3", "WebC2-Qbp", "WebC2-Rave", "WebC2-Table", "WebC2-UGX", "WebC2-Yahoo", "Wordpress Bruteforcer", "bangat", "gsecdump", "pivy", "poisonivy", "pwdump", "zxdosml" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434193, "ts_updated_at": 1775792289, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/d068d4ddff3c53eacd27d22012194ec4ee09fb13.pdf", "text": "https://archive.orkl.eu/d068d4ddff3c53eacd27d22012194ec4ee09fb13.txt", "img": "https://archive.orkl.eu/d068d4ddff3c53eacd27d22012194ec4ee09fb13.jpg" } }