{
	"id": "f3e65179-8006-4b18-a54d-0f1f79d259c8",
	"created_at": "2026-04-06T00:13:38.607755Z",
	"updated_at": "2026-04-10T03:37:09.074938Z",
	"deleted_at": null,
	"sha1_hash": "d0a8417b6e9eeceba70ea46cd61e62112dba397a",
	"title": "Grandoreiro Banking Trojan with New TTPs | Zscaler Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 81386,
	"plain_text": "Grandoreiro Banking Trojan with New TTPs | Zscaler Blog\r\nBy Niraj Shivtarkar\r\nPublished: 2022-08-18 · Archived: 2026-04-05 18:27:08 UTC\r\nIntroduction\r\nRecently Zscaler ThreatLabz observed a Grandoreiro campaign targeting organizations in the Spanish-speaking nations of Mexico and Spain that work across a variety of industry verticals such as Automotive, Chemicals Manufacturing and others. In this campaign, the threat actors impersonate government officials from the Attorney General’s Office of Mexico City and from the Public Ministry in spear-phishing emails in order to lure victims into downloading and executing “Grandoreiro”, a prolific banking trojan that has been active since at least 2016 and that specifically targets users in Latin America. Grandoreiro is written in Delphi and utilizes techniques like binary padding to inflate binaries, a Captcha implementation for sandbox evasion, and command-and-control (CnC) communication using patterns that are identical to LatentBot.\r\nKey Features of this Attack:\r\nGrandoreiro targets organizations in the Spanish-speaking nations of Mexico and Spain across various industry verticals\r\nThe threat actors in this campaign impersonate Mexican Government Officials\r\nMultiple anti-analysis techniques are used by the Grandoreiro Loader, along with a Captcha implementation for evading sandboxes\r\nThe Grandoreiro Loader sends a Check-In Request with all the required User, System and Campaign information\r\nGrandoreiro uses a binary padding technique to evade sandboxes, adding multiple BMP images to the resource section of the binary and inflating the size to 400+ MB\r\nThe CnC communication pattern of 2022 Grandoreiro is now completely identical to LatentBot, with an “ACTION=HELLO” beacon and ID-based communication\r\nAn in-depth analysis of the Grandoreiro campaign and the corresponding infection chain is given below.\r\nCampaign 
Details:\r\nThreatLabz has analyzed multiple infection chains for this Grandoreiro campaign, which began in June 2022 and is still ongoing. Based on our analysis, we can infer that the threat actors in this case are attempting to target organizations in the Spanish-speaking countries of Mexico and Spain. Industries targeted in this campaign include:\r\nChemicals Manufacturing\r\nAutomotive\r\nCivil and Industrial Construction\r\nMachinery\r\nLogistics - Fleet management services\r\nhttps://www.zscaler.com/blogs/security-research/grandoreiro-banking-trojan-new-ttps-targeting-various-industry-verticals\r\nPage 1 of 9\r\nInfection Chain:\r\nThe infection chain employed by the threat actors in this campaign is quite similar to previous Grandoreiro campaigns. It begins with a spear-phishing email written in Spanish, targeting victims in Mexico and Spain. The email contains an embedded link which, when clicked, redirects the victim to a website that downloads a malicious ZIP archive onto the victim's machine. The ZIP archive bundles the Grandoreiro Loader module with a PDF icon in order to lure the victim into executing it; the loader is responsible for downloading, extracting and executing the final 400MB “Grandoreiro” payload from a remote HFS server, and the payload then communicates with the CnC server using traffic identical to LatentBot.\r\nLet’s dive into the spear-phishing emails received by the victims. The phishing emails are divided into two sets based on the lures used by the threat actors.\r\nSet I - Impersonating Government Officials - Provisional Archiving Resolution:\r\nThe first set of phishing emails observed during the campaign were those in which the threat actors impersonated Government officials, instructing the victims to download and share the Provisional Archiving Resolution. 
Below are the details of the phishing emails:\r\n1.)\r\nSubject (Spanish) : Fiscalia General del Gobierno (RESOLUCIÓN13062022)\r\nSubject (English) : Government Attorney General (RESOLUTION 13062022)\r\nAs can be seen in the above screenshot, the threat actors are posing as the current Attorney General of Mexico, “Alejandro Gertz Manero”. The email subject and the signature are those of the Attorney General’s Office, “Fiscalia General de Justicia”, making the email seem legitimate. The content in this case notifies the victims about the Provisional Archiving Resolution and asks them to download and share the Resolution before a specified date, after which the payment would not be refunded. If the victim clicks on the embedded link to download the resolution, it redirects to a malicious domain, http[:]//barusgorlerat[.]me, as shown in the screenshot, and then downloads a ZIP file containing the Grandoreiro Loader from the remote server.\r\n2.)\r\nWe also came across a similar lure where the threat actors masquerade as “Alejandra Solano - from the Public Ministry - Early Decision and Litigation Section” and ask the victim to download and share the Provisional Archiving Resolution. In this case, the embedded link redirects to another domain, http[:]//damacenapirescontab[.]com, as shown in the screenshot below.\r\nSubject (Spanish) : RV [EXTERNAL] Notificación del Ministerio Público - MP08062022 3:59:54 PM\r\nSubject (English) : RV [EXTERNAL] Notification of the Public Ministry - MP08062022 3:59:54 PM\r\nSet II - Cancellation of Mortgage Loan and Deposit Voucher Slip\r\nIn this set, there are two types of phishing email lures. 
The first is regarding the cancellation of a mortgage loan, in which the threat actors ask the victim to download a mortgage cancellation form by opening the embedded link as shown in the screenshot below. Once the link is opened, it redirects to the malicious domain http[:]//assesorattlas[.]me, which then downloads a ZIP file containing the Grandoreiro Loader.\r\nSubject (Spanish) : Hola agonzaleza Baja del préstamo hipotecario 12:05:38 PM\r\nSubject (English) : Hi Agonz, Low Mortgage Loan 12:05:38 PM\r\nThe second type consists of two similar emails targeted at two different organizations in Mexico. Here, the victim is asked to download a deposit voucher/slip by clicking on the hyperlink. Once the link is opened, it downloads a ZIP file containing the Grandoreiro Loader from http[:]//assesorattlas[.]me and http[:]//perfomacepnneu[.]me, as shown in the screenshot below.\r\nSubject (Spanish) : Sr.(a) alfonso.vera Comprobante deposito 05-Jul-22 8:06:09 PM\r\nSubject (English) : Sr. (a) alfonso.vera Proof of deposit 05-Jul-22 8:06:09 PM\r\nSubject (Spanish) : RV Comprobante deposito 28-jun-22 5:11:45 PM\r\nSubject (English) : RV Deposit voucher 28-jun-22 5:11:45 PM\r\nAfter analyzing all the phishing emails in our dataset, we were able to establish a common pattern between the emails on the basis of the similar content used to lure the victims and the pattern of the embedded links (Pattern: domain.tld/?timestamp), sometimes seen along with the targeted country (domain.tld/country/?timestamp), that were used to download the Grandoreiro Loader from the remote HFS server.\r\nBy observing this pattern, we can state that the Grandoreiro campaign might be conducted by a single threat actor across various organizations in Mexico and Spain. 
The pattern can also be beneficial for tracking other related campaigns.\r\nOnce the victim clicks on the embedded link, the user is redirected to download a ZIP file onto the machine from one of the following URLs; all of the downloaded files drop the Grandoreiro Loader. The file names correspond to the email lures being used:\r\n35[.]181[.]59[.]254/info99908hhzzb.zip\r\n35[.]180[.]117[.]32/$FISCALIGENERAL3489213839012\r\n35[.]181[.]59[.]254/$FISCALIGE54327065410839012?id_JIBBRS=DR-307494\r\n52[.]67[.]27[.]173/deposito(1110061313).zip\r\n54[.]232[.]38[.]61/notificacion(flfit48202).zip\r\n54[.]232[.]38[.]61/notificacion(egmux24178).zip\r\nNext, let’s examine the ZIP file named “informacion16280LIFSD.zip”, which is downloaded from the remote server 35[.]180[.]117[.]32/$FISCALIGENERAL3489213839012 once the victim clicks on the embedded link in the spear-phishing email.\r\nThe ZIP archive bundles two files:\r\nA31136.xml\r\ninfonpeuz52271VVCYX.exe\r\nIn this case, the first file, A31136.xml, is not an XML file but a portable executable with the original name “Extensions.dll”, signed with a valid “ASUSTEK COMPUTER INCORPORATION” certificate. It is benign in nature, as shown in the screenshot below, and is never loaded by the Loader module.\r\nThe second file bundled inside the ZIP archive, “infonpeuz52271VVCYX.exe”, is the Grandoreiro Loader module, written in Delphi and compiled on 14th June 2022, which masks itself with a PDF icon in order to lure the victims into executing it.\r\nWhen the loader module is executed by the victim, it initially creates a mutex “ZTP@11” by calling CreateMutexA().\r\nThen it loads the “TForm1” class object from the resource section “RCData”; forms in Delphi are defined by the TForm class itself. 
\r\nFurther, the loader module performs the following anti-analysis checks before executing the critical functions.\r\ni) Detect Analysis Tools: The malware detects the analysis tools listed below by decrypting the tool names using a XOR-based decryption routine. It then takes a snapshot of the currently executing processes in the system using CreateToolhelp32Snapshot() and walks through the process list using Process32First() and Process32Next(). If any of the analysis tools is running, the malware terminates itself.\r\nRegmon.exe Filemon.exe Procmon.exe Wireshark.exe Procexp64.exe\r\nProcexp.exe ProcessHacker.exe PCHunter64.exe PCHunter32.exe JoeTrace.exe\r\nList of Detected Analysis Tools\r\nThe second method that the malware uses to detect analysis tools is to compare the text of the window names with those of analysis tools (including TCPView and RegShot in this case) by using the GetWindowTextW(), FindWindowW() and EnumWindows() APIs.\r\nii) Detect Execution Directory: In this case, the malware checks the directory in which it is being executed. If one of the directory names mentioned below is used, the comparison logic in place makes it terminate itself.\r\nC:\\insidetm\r\nC:\\analysis\r\niii) Anti-Debug Technique: In this case, Grandoreiro executes IsDebuggerPresent() to determine whether the current process is being executed in the context of a debugger. If the result is non-zero, the malware terminates itself as shown below in the screenshot.\r\niv) VMware I/O Port Anti-VM Technique: In this case, the malware checks whether it is executing in a virtual environment (VMware) by reading data from the I/O port 0x5658 (“VX”) used by VMware. 
It achieves this by setting up the registers.\r\nIf, after execution of the “in” instruction (executed in order to pull data from the port “VX”), the EBX register contains the magic number “VMXh”, the malware is executing in a virtualized environment and therefore terminates itself.\r\nAfter completing the anti-analysis checks, the malware decrypts a URL by passing an encrypted string to the string decryption routine. The string decryption routine performs XOR-based decryption.\r\nThis string decryption routine has been used previously in the older variants of Grandoreiro for decrypting strings and API calls in order to evade detection. The Grandoreiro string decryptor, developed by the SpiderLabs team at Trustwave, can be found here.\r\nThe Grandoreiro Loader then sends a GET request to the previously decrypted URL “http[:]//15[.]188[.]63[.]127/$TIME”, which provides in response the URL to download the next stage.\r\nNext, the malware executes the URLDownloadToFile() API function with the szURL argument set to the remote HFS server URL “http[:]//15[.]188[.]63[.]127:36992/zxeTYhO.xml” in order to download the Final Payload of the Grandoreiro Banking Trojan.\r\nThe downloaded Grandoreiro Final Payload is a 9MB ZIP archive that is extracted dynamically, and the bundled executable (disguised as zxeTYhO.png) inside the archive is written to a folder whose name is generated at runtime in the “C:\\ProgramData” directory. 
Also, the PE file masquerading as “zxeTYhO.png” is renamed to ASUSTek[random_string].exe, generated with a random string generation logic, and the name changes on every execution.\r\nFurthermore, the Stage-1 Grandoreiro module collects the following System and User information, where all the strings are decrypted at runtime via the same String Decryption Function.\r\ni) Username - Retrieves the username via GetUserNameW()\r\nii) ComputerName - Retrieves the computer name via GetComputerNameW()\r\niii) Operating System and Version - Retrieves the operating system and its version from the Windows NT\\CurrentVersion registry key and its ProductName value.\r\niv) Antivirus - Retrieves the antivirus program installed on the machine via a WMI query\r\nv) Check Installed Programs - In this case the Grandoreiro module checks whether the following programs are installed by accessing the Program Files folder (Path: C:\\Program Files\\ and C:\\Program Files (x86)\\ ) or the AppData folder (Path: C:\\Users\\\\AppData\\Local)\r\nCrypto Wallets:\r\nBinance Electrum Coinomi BitBox OPOLODesk LedgerLive Bitcoin Core\r\nBanking, Anti-Malware Programs and Mail Clients:\r\nAppBrad\r\nBradesco\r\nSicoobnet\r\nNavegador C6 Bank\r\nAplicativo Itau\r\nTopaz OFD\r\nWarsaw\r\nDiebold\r\nWarsaw\r\nOutlook\r\nIf any of the listed programs are installed on the machine, the malware stores the program names in a list for further usage.\r\nOnce all of the above-mentioned User and System information has been gathered by the malware, it decrypts the Check-In URL along with the required parameters via the XOR-based string decryption routine used previously and concatenates the parameters with the corresponding gathered information.\r\nAfter completion of the concatenation, the loader sends a POST Check-In Request to the 
Host:\r\n“barusgorlerat[.]me” with all the gathered User, System, and Campaign information arranged along with the different parameters.\r\nOnce the Check-In request is sent to the remote server, the loader executes the Grandoreiro Final Payload which was downloaded, extracted, and renamed previously.\r\nGrandoreiro - Final Payload:\r\nThe Grandoreiro Final Payload, written in Delphi, was downloaded previously from the remote HFS server “http[:]//15[.]188[.]63[.]127:36992/zxeTYhO.xml” as a 9.2 MB ZIP file, which is then extracted and executed by the Grandoreiro Loader. The extracted file is a 414MB Portable Executable file disguised with a “.png” extension, which is later renamed to “.exe” dynamically by the loader; the final payload is also signed with an “ASUSTEK DRIVER ASSISTANTE” digital certificate to appear legitimate and evade detection.\r\nAs seen in the older Grandoreiro samples, a similar “Binary Padding” technique is used here in order to inflate the file size of the binary to around 400MB by adding two ~200MB Bitmap images to the resource section, as shown in the screenshot below. This works as an anti-sandbox technique, as most sandboxes have a file size limit for execution.\r\nThe final payload maintains persistence on the machine by leveraging the Run registry key (HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run), which allows the payload to be executed on startup.\r\nIn the following Grandoreiro variant, the Payload writes an .ini file (Name: ASUSTekGvaxvh.ini) in the directory of execution which contains all of the following information, as shown in the screenshot. 
The values in the configuration file are encrypted using a XOR-based encryption routine with a key that changes in every sample.\r\nThe Command \u0026 Control communications have been updated from the 2020 variant. Previously there were some similarities between the Grandoreiro and LatentBot communications (as exhibited here), but they were not identical. However, in the latest 2022 sample, the communication pattern has been upgraded by the threat actors and is now completely identical to LatentBot, where the name of the CnC subdomain is generated via a Domain Generation Algorithm, just as in the older Grandoreiro variants.\r\nIdentical LatentBot beacon command “ACTION=HELLO” and ID-based communication\r\nIdentical to LatentBot, the Command \u0026 Control server provides the Cookie value as a response to the “ACTION=HELLO” beacon, which is further used as an ID for communication in the latest Grandoreiro sample.\r\nFurthermore, Grandoreiro includes the following backdoor capabilities for espionage purposes:\r\nKeylogging\r\nAuto-update for newer versions and modules\r\nWeb-injects and restricting access to specific websites\r\nCommand execution\r\nManipulating windows\r\nGuiding the victim's browser to a certain URL\r\nC2 domain generation via DGA (Domain Generation Algorithm)\r\nImitating mouse and keyboard movements\r\nWhile finalizing our article, we came across another ongoing Grandoreiro campaign with an extra anti-sandbox technique used by the malware authors. This technique requires a Captcha to be filled in manually to execute the malware on the victim’s machine. 
The malware is not executed unless the Captcha is filled in.\r\nWe have analyzed the following malware in our lab and found that the network communication is similar to the one analyzed in this blog; it also follows the “ACTION=HELLO” beacon and ID-based communication inherited from LatentBot.\r\nZscaler Sandbox Coverage:\r\nConclusion:\r\nThe threat actors behind the Grandoreiro banking malware are continuously evolving their tactics and malware to successfully carry out attacks against their targets by incorporating new anti-analysis tricks to evade security solutions and inheriting features from other malware families. The Zscaler ThreatLabz team will continue to monitor these attacks to help keep our customers safe.\r\nIOCs:\r\nEmbedded Domains: (Same used for Check-In Request)\r\nhttp[:]//barusgorlerat[.]me\r\nhttp[:]//damacenapirescontab[.]com\r\nhttp[:]//assesorattlas[.]me\r\nhttp[:]//perfomacepnneu[.]me\r\nFinal Grandoreiro Payload URLs with Check-In 
URL:\r\nGrandoreiro CnC:\r\nMD5 Hashes:\r\nGrandoreiro Loader:\r\nGrandoreiro Final Payload:\r\nSource: https://www.zscaler.com/blogs/security-research/grandoreiro-banking-trojan-new-ttps-targeting-various-industry-verticals",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/grandoreiro-banking-trojan-new-ttps-targeting-various-industry-verticals"
	],
	"report_names": [
		"grandoreiro-banking-trojan-new-ttps-targeting-various-industry-verticals"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434418,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d0a8417b6e9eeceba70ea46cd61e62112dba397a.pdf",
		"text": "https://archive.orkl.eu/d0a8417b6e9eeceba70ea46cd61e62112dba397a.txt",
		"img": "https://archive.orkl.eu/d0a8417b6e9eeceba70ea46cd61e62112dba397a.jpg"
	}
}