{
	"id": "7a500990-bf81-403b-a8df-6ed9dcf4cd37",
	"created_at": "2026-04-06T00:16:27.369077Z",
	"updated_at": "2026-04-10T13:12:02.871218Z",
	"deleted_at": null,
	"sha1_hash": "d0e3615e6b8f7e9912f7e220c7c0541d9b8a674d",
	"title": "magecart (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 130910,
	"plain_text": "magecart (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 15:27:59 UTC\r\nMagecart is a malware framework intended to steal credit card information from compromised eCommerce\r\nwebsites. Used in criminal activities, it's a sophisticated implant built on top of relays, command-and-control servers and\r\nanonymizers used to steal eCommerce customers' credit card information. The first stage is typically implemented\r\nin JavaScript included in a compromised checkout page. It copies data from \"input fields\" and sends it to a\r\nrelay, which collects credit card data coming from a subset of compromised eCommerce sites and forwards it to\r\nCommand and Control servers.\r\n2026-03-26 ⋅ ANY.RUN ⋅\r\nActive Magecart Campaign Targets Spain, Steals Card Data via Hijacked eStores for Bank Fraud\r\nmagecart 2025-02-06 ⋅ Sucuri ⋅ Puja Srivastava\r\nGoogle Tag Manager Skimmer Steals Credit Card Info From Magento Site\r\nmagecart 2024-12-13 ⋅ Medium 0x_b0mb3r ⋅ Louis Schürmann\r\nTechnical Analysis: Magecart Skimmer\r\nmagecart 2024-03-04 ⋅ Sucuri ⋅ Denis Sinegubko\r\n40 New Domains of Magecart Veteran ATMZOW Found in Google Tag Manager\r\nmagecart 2022-11-21 ⋅ Zscaler ⋅ Sudeep Singh\r\nBlack Friday Alert: 4 Emerging Skimming Attacks to Watch for This Holiday Season\r\nmagecart 2022-08-08 ⋅ Medium CSIS Techblog ⋅ Benoît Ancel\r\nAn inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure\r\nRiltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki\r\nPassword Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP\r\nTinyNuke Vidar Zloader 2022-07-19 ⋅ Recorded Future ⋅ Insikt Group®\r\nAmid Rising Magecart Attacks on Online Ordering Platforms, Recent Campaigns Infect 311 Restaurants\r\nmagecart 2022-05-10 ⋅ RiskIQ ⋅ Kelsey Clapp\r\nCommodity Skimming \u0026 Magecart Trends in First Quarter of 2022\r\nmagecart 2021-12-06 ⋅ GEMINI ⋅ GEMINI\r\nMagecart Groups Abuse 
Google Tag Manager\r\nmagecart 2021-12-03 ⋅ RiskIQ ⋅ Kelsey Clapp\r\nWoo's There? Magecart Targets WooCommerce\r\nmagecart 2021-11-03 ⋅ Malwarebytes ⋅ Jérôme Segura\r\nCredit card skimmer evades Virtual Machines\r\nmagecart 2021-10-19 ⋅ Malwarebytes ⋅ Jérôme Segura\r\nq-logger skimmer keeps Magecart attacks going\r\nmagecart 2021-09-22 ⋅ RiskIQ ⋅ Jordan Herman, Kelsey Clapp\r\nThe Bom Skimmer and MageCart Group 7\r\nmagecart 2021-09-13 ⋅ Malwarebytes ⋅ Jérôme Segura\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/js.magecart\r\nPage 1 of 4\n\nThe many tentacles of Magecart Group 8\r\nmagecart 2021-07-16 ⋅ Twitter (@MBThreatIntel) ⋅ Malwarebytes Threat Intelligence\r\nTweet on Magecart skimmer using steganography\r\nmagecart 2021-07-15 ⋅ Twitter (@AffableKraut) ⋅ Eric Brandel\r\nTweet on another digital skimmer/magecart script from the \"q-logger\" threat actor\r\nmagecart 2021-07-07 ⋅ SUCURI ⋅ Ben Martin\r\nMagecart Swiper Uses Unorthodox Concatenation\r\nmagecart 2021-06-28 ⋅ Malwarebytes ⋅ Jérôme Segura\r\nLil' skimmer, the Magecart impersonator - Malwarebytes Labs\r\nmagecart 2021-06-14 ⋅ scotthelme.co.uk ⋅ Scott Helme\r\nIntroducing Script Watch: Detect Magecart style attacks, fast!\r\nmagecart 2021-05-13 ⋅ Malwarebytes ⋅ Jérôme Segura\r\nNewly observed PHP-based skimmer shows ongoing Magecart Group 12 activity\r\nmagecart 2021-04-22 ⋅ Twitter (@AffableKraut) ⋅ Eric Brandel\r\nA thread on possibly new magecart skimmer\r\nmagecart 2021-01-14 ⋅ RiskIQ ⋅ Jordan Herman\r\nMediaLand: Magecart and Bulletproof Hosting\r\nmagecart 2021-01-14 ⋅ RiskIQ ⋅ Team RiskIQ\r\nNew Analysis Puts Magecart Interconnectivity into Focus\r\ngrelos magecart Raccoon 2020-12-16 ⋅ RiskIQ ⋅ Cory Kennedy, Jordan Herman, Mia Ihm\r\nSkimming a Little Off the Top: Meyhod’s Skimming Methods Hit Hairloss Specialists\r\nmagecart 2020-12-02 ⋅ Sansec ⋅ Sansec Threat Research Team\r\nPersistent parasite in EOL Magento 2 stores wakes at Black Friday\r\nmagecart 2020-11-27 ⋅ Reflectiz ⋅ 
Reflectiz\r\nThe ICO Fines Ticketmaster UK £1.25 Million for Security Failures: A Lesson to be Learned\r\nmagecart 2020-11-25 ⋅ Reflectiz ⋅ Idan Cohen\r\nCSP, the Right Solution for the Web-Skimming Pandemic?\r\nmagecart 2020-11-11 ⋅ RiskIQ ⋅ Jordan Herman\r\nMagecart Group 12: End of Life Magento Sites Infested with Ants and Cockroaches\r\nmagecart 2020-11-02 ⋅ SUCURI ⋅ Denis Sinegubko\r\nCSS-JS Steganography in Fake Flash Player Update Malware\r\nmagecart NetSupportManager RAT 2020-09-02 ⋅ RiskIQ ⋅ Jordan Herman\r\nThe Inter Skimmer Kit\r\nmagecart DreamBot TeslaCrypt 2020-07-22 ⋅ SUCURI ⋅ Denis Sinegubko\r\nSkimmers in Images \u0026 GitHub Repos\r\nmagecart 2020-07-11 ⋅ Trustwave ⋅ Peter Evans, Rodel Mendrez\r\nInjecting Magecart into Magento Global Config\r\nmagecart 2020-07-07 ⋅ GEMINI\r\n\"Keeper\" Magecart Group Infects 570 Sites\r\nmagecart 2020-07-07 ⋅ GEMINI\r\nFull list of all the 570+ sites that the Keeper gang hacked since April 2017\r\nmagecart 2020-07-06 ⋅ Sansec ⋅ Sansec Threat Research Team\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/js.magecart\r\nPage 2 of 4\n\nNorth Korean hackers implicated in stealing from US and European shoppers\r\nmagecart 2020-06-26 ⋅ Trend Micro ⋅ Joseph C Chen\r\nUS Local Government Services Targeted by New Magecart Credit Card Skimming Attack\r\nmagecart 2020-06-25 ⋅ Malwarebytes ⋅ Jérôme Segura\r\nWeb skimmer hides within EXIF metadata, exfiltrates credit cards via image files\r\nmagecart 2020-06-15 ⋅ ZDNet ⋅ Catalin Cimpanu\r\nWeb skimmers found on the websites of Intersport, Claire's, and Icing\r\nmagecart 2020-06-15 ⋅ Sansec ⋅ Sansec Threat Research Team\r\nMagecart strikes amid Corona lockdown\r\nmagecart 2020-06-09 ⋅ RiskIQ ⋅ Jordan Herman\r\nMisconfigured Amazon S3 Buckets Continue to be a Launchpad for Malicious Code\r\nmagecart 2020-06-05 ⋅ SUCURI ⋅ Denis Sinegubko\r\nEvasion Tactics in Hybrid Credit Card Skimmers\r\nmagecart 2020-05-20 ⋅ Reflectiz ⋅ Reflectiz\r\nThe Gocgle Malicious 
Campaign\r\nmagecart 2020-04-23 ⋅ SUCURI ⋅ Denis Sinegubko\r\nWeb Skimmer With a Domain Name Generator – Follow Up\r\nmagecart 2020-04-17 ⋅ SUCURI ⋅ Denis Sinegubko\r\nWeb Skimmer with a Domain Name Generator\r\nmagecart 2020-03-18 ⋅ RiskIQ ⋅ Yonathan Klijnsma\r\nMagecart Group 8 Blends into NutriBullet.com Adding To Their Growing List of Victims\r\nmagecart 2020-03-03 ⋅ PWC UK ⋅ PWC UK\r\nCyber Threats 2019:A Year in Retrospect\r\nKevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack\r\nEmotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar\r\nLockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper\r\nStoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle 2020-02-24 ⋅ Max Kersten's\r\nBlog ⋅ Max Kersten\r\nClosing in on MageCart 12\r\nmagecart 2020-02-19 ⋅ Yoroi ⋅ Marco Ramilli\r\nUncovering New Magecart Implant Attacking eCommerce\r\nmagecart 2020-02-17 ⋅ Max Kersten's Blog ⋅ Max Kersten\r\nFollowing the tracks of MageCart 12\r\nmagecart 2020-02-10 ⋅ Malwarebytes ⋅ Adam Kujawa, Chris Boyd, David Ruiz, Jérôme Segura, Jovi Umawing, Nathan Collier, Pieter\r\nArntz, Thomas Reed, Wendy Zamora\r\n2020 State of Malware Report\r\nmagecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor 2020-02-07 ⋅ RiskIQ ⋅ Jordan Herman\r\nMagecart Group 12’s Latest: Actors Behind Attacks on Olympics Ticket Re-sellers Deftly Swapped Domains to\r\nContinue Campaign\r\nmagecart 2020-01-25 ⋅ Sanguine Security ⋅ Sanguine Labs\r\nIndonesian Magecart hackers arrested\r\nmagecart 2020-01-25 ⋅ GoggleHeadedHacker Blog ⋅ Jacob Pimental\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/js.magecart\r\nPage 3 of 4\n\nOlympic Ticket Reseller Magecart Infection\r\nmagecart 2020-01-20 ⋅ Max Kersten's Blog ⋅ Max Kersten\r\nTicket resellers infected with a credit card skimmer\r\nmagecart 2020-01-15 ⋅ PerimeterX ⋅ Guy Bary\r\nAnalyzing Magecart Malware – From Zero to 
Hero\r\nmagecart 2020-01-10 ⋅ CSIS ⋅ CSIS\r\nThreat Matrix H1 2019\r\nGustuff magecart Emotet Gandcrab Ramnit TrickBot 2019-10-09 ⋅ Trend Micro ⋅ Joseph C. Chen\r\nFIN6 Compromised E-commerce Platform via Magecart to Inject Credit Card Skimmers Into Thousands of Online\r\nShops\r\nmagecart 2019-08-01 ⋅ Kaspersky Labs ⋅ GReAT\r\nAPT trends report Q2 2019\r\nZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger\r\nHOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy 2019-06-04 ⋅ Malwarebytes ⋅\r\nJérôme Segura\r\nMagecart skimmers found on Amazon CloudFront CDN\r\nmagecart 2019-05-03 ⋅ Trend Micro ⋅ Joseph C Chen\r\nMirrorthief Group Uses Magecart Skimming Attack to Hit Hundreds of Campus Online Stores in US and Canada\r\nmagecart 2019-04-26 ⋅ Malwarebytes ⋅ Jérôme Segura\r\nGitHub hosted Magecart skimmer used against hundreds of e-commerce sites\r\nmagecart 2019-02-28 ⋅ RiskIQ ⋅ Yonathan Klijnsma\r\nMagecart Group 4: Never Gone, Always Advancing – Professionals In Cybercrime\r\nmagecart 2019-02-06 ⋅ CrowdStrike ⋅ Peyton Smith, Tim Parisi\r\nThreat Actor \"Magecart\": Coming to an eCommerce Store Near You\r\nmagecart 2018-09-18 ⋅ Trend Micro ⋅ Joseph C Chen\r\nMagecart Skimming Attack Targets Mobile Users of Hotel Chain Booking Websites\r\nmagecart 2018-07-09 ⋅ RiskIQ ⋅ Jordan Herman, Yonathan Klijnsma\r\nInside and Beyond Ticketmaster: The Many Breaches of Magecart\r\nmagecart\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/js.magecart\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/js.magecart\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/js.magecart"
	],
	"report_names": [
		"js.magecart"
	],
	"threat_actors": [
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c97cf0c1-7f0d-4e35-9bb9-bceaad178c3d",
			"created_at": "2023-01-06T13:46:38.760807Z",
			"updated_at": "2026-04-10T02:00:03.091254Z",
			"deleted_at": null,
			"main_name": "ZooPark",
			"aliases": [],
			"source_name": "MISPGALAXY:ZooPark",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4b076dcb-516e-42fb-9c8f-f153902cd5e9",
			"created_at": "2022-10-25T16:07:23.708745Z",
			"updated_at": "2026-04-10T02:00:04.720108Z",
			"deleted_at": null,
			"main_name": "Hidden Lynx",
			"aliases": [
				"Aurora Panda",
				"Group 8",
				"Heart Typhoon",
				"Hidden Lynx",
				"Operation SMN"
			],
			"source_name": "ETDA:Hidden Lynx",
			"tools": [
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"BlackCoffee",
				"HiKit",
				"MCRAT.A",
				"Mdmbot.E",
				"Moudoor",
				"Naid",
				"PNGRAT",
				"Trojan.Naid",
				"ZoxPNG",
				"gresim"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8d76e350-dfb5-4733-800d-876de41f690d",
			"created_at": "2023-01-06T13:46:38.841887Z",
			"updated_at": "2026-04-10T02:00:03.119083Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [
				"COBALT EDGEWATER"
			],
			"source_name": "MISPGALAXY:DNSpionage",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a7aefdda-98f1-4790-a32d-14cc99de2d60",
			"created_at": "2023-01-06T13:46:38.281844Z",
			"updated_at": "2026-04-10T02:00:02.909711Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"BRONZE KEYSTONE",
				"G0025",
				"Group 72",
				"G0001",
				"HELIUM",
				"Heart Typhoon",
				"Group 8",
				"AURORA PANDA",
				"Hidden Lynx",
				"Tailgater Team"
			],
			"source_name": "MISPGALAXY:APT17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4632103e-8035-4a83-9ecb-c1e12e21288c",
			"created_at": "2022-10-25T16:07:23.542255Z",
			"updated_at": "2026-04-10T02:00:04.64888Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [],
			"source_name": "ETDA:DNSpionage",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"CACTUSPIPE",
				"DNSpionage",
				"DropperBackdoor",
				"Karkoff",
				"MailDropper",
				"OILYFACE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "93edf98a-03c1-48b3-a94c-e1bddc24f0e6",
			"created_at": "2022-10-25T16:07:24.435275Z",
			"updated_at": "2026-04-10T02:00:04.988022Z",
			"deleted_at": null,
			"main_name": "ZooPark",
			"aliases": [
				"APT-C-38",
				"Cobalt Juno",
				"Saber Lion",
				"TG-2884"
			],
			"source_name": "ETDA:ZooPark",
			"tools": [
				"ZooPark"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434587,
	"ts_updated_at": 1775826722,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d0e3615e6b8f7e9912f7e220c7c0541d9b8a674d.pdf",
		"text": "https://archive.orkl.eu/d0e3615e6b8f7e9912f7e220c7c0541d9b8a674d.txt",
		"img": "https://archive.orkl.eu/d0e3615e6b8f7e9912f7e220c7c0541d9b8a674d.jpg"
	}
}