{
	"id": "7fd55366-f2a7-4113-9dc6-ae8ec3bb22b6",
	"created_at": "2026-04-06T00:17:26.755492Z",
	"updated_at": "2026-04-10T13:11:51.490471Z",
	"deleted_at": null,
	"sha1_hash": "d182073e6910d30eb50c80e47f2fc304f84440a0",
	"title": "Lessons from the Conti Leaks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7892047,
	"plain_text": "Lessons from the Conti Leaks\r\nBy BushidoToken\r\nPublished: 2022-04-17 · Archived: 2026-04-05 19:16:44 UTC\r\n\r\nIf you wanted to learn how an organized cybercriminal operation worked, look no further than the threat group known as Conti. The recent leaks of the group's chat logs have uncovered an unprecedented wealth of information and insights into how these veteran cybercriminals organize themselves.\r\nCyber Threat Intelligence (CTI) vendors and independent researchers have spent weeks poring over the Conti leaked chat logs and have uncovered dozens of very significant findings.\r\nIn this blog, I didn't want to duplicate what is already known (too much). I wanted to share some of the findings that I thought were the most interesting to me. To rapidly get up to speed on the Conti Leaks, I highly recommend that other researchers read the work in the following blogs:\r\nhttps://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/conti-leaks-examining-the-panama-papers-of-ransomware.html\r\nhttps://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships\r\nhttps://intel471.com/blog/conti-leaks-ransomware-development\r\nhttps://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html\r\nPage 1 of 13\r\nhttps://intel471.com/blog/conti-leaks-cybercrime-fire-team\r\nhttps://arcticwolf.com/resources/blog/karakurt-web\r\nhttps://research.checkpoint.com/wp-content/uploads/2022/03/map_index_v2.html\r\nhttps://www.trmlabs.com/post/analysis-corroborates-suspected-ties-between-conti-and-ryuk-ransomware-groups-and-wizard-spider\r\nhttps://www.wired.co.uk/article/conti-ransomware-russia\r\nhttps://ddanchev.blogspot.com/2022/02/exposing-conti-ransomware-gang-osint_28.html\r\nI also recommend reading what other researchers have tweeted about what they found in the Conti Leaks:\r\nObservable Tactics, Techniques, and Procedures (TTPs)\r\nhttps://twitter.com/TheDFIRReport/status/1498642505646149634\r\nCobalt Strike commands from RocketChat logs\r\nhttps://twitter.com/c3rb3ru5d3d53c/status/1499130574321197058\r\nAll CVEs discussed in the Conti chat server\r\nhttps://twitter.com/c3rb3ru5d3d53c/status/1499570311460753408\r\nProof Conti members are active on Twitter\r\nhttps://twitter.com/VK_Intel/status/1498761290709409792\r\nConti member interviewed by local police\r\nhttps://twitter.com/VK_Intel/status/1498400616615395328\r\nConti members acquire CarbonBlack and Sophos\r\nhttps://twitter.com/albertzsigovits/status/1498237945685422087\r\nConti's Exploit[.]in account\r\nhttps://twitter.com/pancak3lullz/status/1499108972258906123\r\nConti's Bitcoin wallets\r\nhttps://twitter.com/pancak3lullz/status/1498347648637624326\r\nWith those out of the way, we can get to the meat of this blog. I cannot emphasize enough that these leaks are gargantuan and span years of the group's operations. I seem to find something new every time I take another look at them, but I now have enough for a blog of my own.\r\nReconnaissance\r\nOne major discovery in the Conti leaks that multiple vendors have covered is the existence of an \"OSINT Team\" who gathers details on Conti's targets. This team uses multiple techniques, as well as commercial tools, to find every piece of information about a target that will support the end goal of domain-wide Conti ransomware deployment. This OSINT Team may also engage with the targets (HUMINT), posing as marketing or sales people, gathering details and information about managers, executives, and how the company operates for exploitation later.\r\nFig. 1 - Overview of the Conti OSINT Team\r\nPhishing\r\nIt is well-documented that Conti ransomware attacks often begin via a phishing email. The group has been launching widespread and targeted phishing campaigns for years using a multitude of tactics. The Conti Leaks also shared some insights into how these phishing campaigns are orchestrated.\r\nFig. 2 - Example Phishing Email Templates used by Conti\r\nFig. 3 - Iterable Email Marketing Dashboard shared in Conti Leaks in September 2020\r\nMalware\r\nThe Conti Leaks revealed details on how a persistent cybercriminal operation develops its malware campaigns. The image below (see Fig. 4) highlights how the group works to test and develop its payloads against common detection systems used by its targets, such as ESET and Windows Defender.\r\nFig. 4 - Conti members testing and making payloads fully undetectable (FUD)\r\nCommand and Control (C2)\r\nLike any malware group, Conti needs server and hosting infrastructure to be able to launch its campaigns. This includes payload staging servers, proxy servers, C2 domains, Virtual Private Servers (VPS), and remote storage for exfiltrated data.\r\nFig. 5 - Conti members discussed using ZEHost for hosting\r\nFig. 6 - Unknown botnet C2 panel shared by a Conti member\r\nTradecraft, Exploits, and 0days\r\nWhat sets Conti apart from the rest of their peers in the cybercrime ecosystem is that members of this ransomware group are innovators and quick to leverage newly disclosed techniques. The Conti Leaks revealed multiple techniques used by Conti that had not been previously discussed publicly online.\r\nFig. 7 - Conti member \"target\" stating intentions in September 2020 to acquire a developer account in the Microsoft Store to approve their own files\r\nFig. 8 - Conti member \"giovanni\" sharing a manual (aka \"mana\") for the PetitPotam exploit for Microsoft’s NTLM authentication system in August 2021\r\nFig. 9 - Conti member \"mango\" sharing the opportunity to buy a 0day privilege escalation exploit in the Windows WIDFRD.sys driver for \"60k\" in June 2021\r\nFig. 10 - Conti member \"revers\" shares that they read reports on the \"Turla\" group (a Russian cyber-espionage APT linked to the FSB)\r\nA Cybercrime Empire\r\nResearchers have stated that they believe Conti has up to 150+ members worldwide. If we do the math, each member is allegedly getting paid on average $2,000 per month, which equals roughly $300,000 per month in Conti \"employee\" salaries and roughly $3,600,000 per year. This is a LOT for a cybercrime group. With this amount of purchasing power, it is only natural that Conti leadership began to wonder about acquisitions and starting their own forums, carding shops, and even cryptocurrency platforms.\r\nFig. 11 - Conti members design what their new cybercrime forum might look like\r\nFig. 12 - Logo of \"McDuckGroup\" shared to Conti Leaks\r\nResearchers shared screenshots of all the links pasted into the Conti chats. One stood out to me: a logo with \"McDuckGroup\" and Scrooge McDuck. While some researchers I collaborate with theorized this was a ransomware rebrand, I managed to uncover it was the logo for a carding market currently under development. After Googling \"McDuckGroup\", a site called \"mcduckgroup[.]shop\" popped up as the first result. This is evidently a carding market due to the search bars for BIN numbers, expiry dates, cardholder names, and addresses. Currently no data has been loaded onto the site.\r\nRansomware\r\nA number of other ransomware groups are mentioned in the Conti Leaks. Trellix researchers highlighted how representatives of NetWalker, MAZE, and LockBit all have a presence in the Conti chat server. Ryuk, Diavol, REvil, AvosLocker, BlackMatter, and Crylock ransomware families are all also mentioned in the Conti Leaks.\r\nFig. 13 - \"bomba777\" and \"gagarin66\" (a MAZE affiliate) discuss REvil depositing 900k in Bitcoin to XSS[.]is\r\nFig. 14 - \"rags\" discusses REvil arrests in January 2022 by Russian FSB, blaming them for the alleged crackdown on cryptocurrency in Russia\r\nFig. 15 - \"CRYPTOHAZARD\" leak site linked to MAZE ransomware (newsmaze[.]top)\r\nFig. 16 - \"mango\" and \"stern\" shared adverts for AvosLocker and BlackMatter\r\nFig. 17 - Logos and designs for CryLock ransomware shared to Conti server\r\nFig. 18 - Conti V3 Locker source code disclosed publicly by @contileaks Twitter account\r\nSamples of Conti v3\r\nlocker.exe e1b147aa2efa6849743f570a3aca8390faf4b90aed490a5682816dd9ef10e473\r\nlocker_x86.dll fb737da1b74e8c84e6d8bd7f2d879603c27790e290c04a21e00fbde5ed86eee3\r\ncryptor.exe 5f3ae6e0d2e118ed31e7c38b652f4e59f5d5745398596c8b31248eda059778af\r\nClosing Comments\r\nThe Conti Leaks have provided cybercrime researchers an unparalleled look into how Russian-speaking organized hacking groups operate. The leaks also supplement the Conti Playbook that was leaked by a disgruntled member in August 2021. As a community of cybersecurity researchers, we now know more about the Conti ransomware group than any other threat group in history.\r\nFor the Conti group itself, however, it appears to be business as usual (BAU). Less than one week after the Conti chats were leaked, new victims were uploaded to the ContiNews darknet site.\r\nFig. 19 - New victims added to ContiNews shortly after the Conti Leaks\r\nBleepingComputer also reported that hacktivist groups, such as Network Battalion 65 (aka NB65), are already leveraging a modified version of the leaked Conti v3 source code. The group has targeted organizations in Russia for retribution over the invasion of Ukraine. (Sample available here)\r\nFig. 20 - NB65 modified version of Conti v3 ransomware\r\nConti has seemingly recovered from the leaks and might be at the 'too big to fail' stage of operations. The Russian state is clearly fully aware of Conti's operations and allows them to operate with impunity. Researchers at Trellix highlighted the group's connections to the Russian state and how the intelligence services also benefit from Conti's coveted network access to high-profile organizations around the world.\r\nLastly, I hope you enjoyed the blog. There are still likely some secrets yet to be revealed in the Conti Leaks. I appreciate the help and resources shared by researchers online. S/O to Curated Intel, Trellix, Intel471, Secureworks, The DFIR Report, and researchers such as @vk_intel, @pancak3lullz, and @c3rb3ru5d3d53c, and many others!\r\nSource: https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.bushidotoken.net/2022/04/lessons-from-conti-leaks.html"
	],
	"report_names": [
		"lessons-from-conti-leaks.html"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f547e816-ea17-442e-915d-c5c76a30669b",
			"created_at": "2022-10-25T16:07:23.891717Z",
			"updated_at": "2026-04-10T02:00:04.780944Z",
			"deleted_at": null,
			"main_name": "NB65",
			"aliases": [],
			"source_name": "ETDA:NB65",
			"tools": [
				"NB65"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "12211366-1f14-4eed-9d91-46b6a2ede618",
			"created_at": "2025-08-07T02:03:25.014713Z",
			"updated_at": "2026-04-10T02:00:03.624097Z",
			"deleted_at": null,
			"main_name": "GOLD ULRICK",
			"aliases": [
				"Grim Spider ",
				"UNC1878 "
			],
			"source_name": "Secureworks:GOLD ULRICK",
			"tools": [
				"Bloodhound",
				"Buer Loader",
				"Cobalt Strike",
				"Conti",
				"Diavol",
				"PowerShell Empire",
				"Ryuk",
				"SystemBC",
				"Team9 (aka BazarLoader)",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6ad410c7-e291-4327-a54b-281c23f0d4fa",
			"created_at": "2022-10-25T16:07:24.501468Z",
			"updated_at": "2026-04-10T02:00:05.013427Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Mushy Scorpius"
			],
			"source_name": "ETDA:Karakurt",
			"tools": [
				"7-Zip",
				"Agentemis",
				"AnyDesk",
				"Cobalt Strike",
				"CobaltStrike",
				"FileZilla",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"WinZip",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24",
			"created_at": "2022-10-25T16:47:55.853415Z",
			"updated_at": "2026-04-10T02:00:03.856263Z",
			"deleted_at": null,
			"main_name": "GOLD TOMAHAWK",
			"aliases": [
				"Karakurt",
				"Karakurt Lair",
				"Karakurt Team"
			],
			"source_name": "Secureworks:GOLD TOMAHAWK",
			"tools": [
				"7-Zip",
				"AnyDesk",
				"Mega",
				"QuickPacket",
				"Rclone",
				"SendGB"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8492b1a0-126f-4113-b8f7-101d28559629",
			"created_at": "2023-01-06T13:46:38.864213Z",
			"updated_at": "2026-04-10T02:00:03.126178Z",
			"deleted_at": null,
			"main_name": "GRIM SPIDER",
			"aliases": [
				"GOLD ULRICK"
			],
			"source_name": "MISPGALAXY:GRIM SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "079e3d6e-24ef-42b0-b555-75c288f9efd8",
			"created_at": "2023-03-04T02:01:54.105946Z",
			"updated_at": "2026-04-10T02:00:03.359009Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Karakurt Lair"
			],
			"source_name": "MISPGALAXY:Karakurt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8754f54b-7154-4996-b065-94f04f846022",
			"created_at": "2023-11-07T02:00:07.095161Z",
			"updated_at": "2026-04-10T02:00:03.405596Z",
			"deleted_at": null,
			"main_name": "NB65",
			"aliases": [
				"Network Battalion 65"
			],
			"source_name": "MISPGALAXY:NB65",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434646,
	"ts_updated_at": 1775826711,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d182073e6910d30eb50c80e47f2fc304f84440a0.pdf",
		"text": "https://archive.orkl.eu/d182073e6910d30eb50c80e47f2fc304f84440a0.txt",
		"img": "https://archive.orkl.eu/d182073e6910d30eb50c80e47f2fc304f84440a0.jpg"
	}
}