{ "id": "1b4687f7-8c24-4f7d-a517-96fb5c976f64", "created_at": "2026-04-06T00:15:52.83043Z", "updated_at": "2026-04-10T03:37:58.718834Z", "deleted_at": null, "sha1_hash": "d26843641c0850a9ce492329c4af2775feaa3320", "title": "Winnti Group, Wicked Panda - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 82028, "plain_text": "Winnti Group, Wicked Panda - Threat Group Cards: A Threat\r\nActor Encyclopedia\r\nArchived: 2026-04-05 19:22:12 UTC\r\nHome \u003e List all groups \u003e Winnti Group, Wicked Panda\r\n APT group: Winnti Group, Wicked Panda\r\nNames\r\nWinnti Group (Kaspersky)\r\nWicked Panda (CrowdStrike)\r\nLeopard Typhoon (Microsoft)\r\nG0044 (MITRE)\r\nCountry China\r\nSponsor State-sponsored\r\nMotivation Information theft and espionage\r\nFirst seen 2010\r\nDescription Winnti Group is a threat group with Chinese origins that has been active since at\r\nleast 2010. The group has heavily targeted the gaming industry, but it has also\r\nexpanded the scope of its targeting. Some reporting suggests a number of other\r\ngroups, including APT 41, Axiom, Group 72, APT 17, Deputy Dog, Elderwood,\r\nSneaky Panda, and Ke3chang, Vixen Panda, APT 15, GREF, Playful Dragon, are\r\nclosely linked to or overlap with Winnti Group.\r\n(Trend Micro) The group behind the Winnti malware (which we will call the Winnti\r\ngroup for brevity) sprung up as a band of traditional cyber crooks, comprising black\r\nhats whose technical skills were employed to perpetrate financial fraud. Based on\r\nthe use of domain names they registered, the group started out in the business of\r\nfake/rogue anti-virus products in 2007. In 2009, the Winnti group shifted to targeting\r\ngaming companies in South Korea using a self-named data- and file-stealing\r\nmalware.\r\nThe group, which was primarily motivated by profit, is noted for utilizing self-developed technically-proficient tools for their attacks. They once attacked a game\r\nserver to illicitly farm in-game currency (“gaming gold”, which also has real-world\r\nvalue) and stole source codes of online game projects. The group also engaged in the\r\ntheft of digital certificates which they then used to sign their malware to make them\r\nstealthier. The Winnti group diversified its targets to include enterprises such as\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=55d0e323-bb26-4779-b09f-cae04740b0bd\r\nPage 1 of 4\n\nthose in pharmaceutics and telecommunications. The group has since earned infamy\nfor being involved in malicious activities associated with targeted attacks, such as\ndeploying spear-phishing campaigns and building a backdoor.\nObserved\nSectors: Online video game companies, Aviation, Defense, Education, Financial,\nGovernment, Healthcare, Pharmaceutical, Technology, Telecommunications.\nCountries: Belarus, Brazil, China, Germany, India, Indonesia, Japan, Peru,\nPhilippines, Russia, South Korea, Taiwan, Thailand, USA, Vietnam.\nTools used Cobalt Strike, FunnySwitch, Winnti.\nOperations performed\n2010\nHBGary investigated an information security incident at an\nAmerican video game company.\n2011\nIn the autumn of 2011, a Trojan was detected on a huge number of\ncomputers – all of them linked by the fact that they were used by\nplayers of a popular online game. It emerged that the piece of\nmalware landed on users’ computers as part of a regular update\nfrom the game’s official update server. Some even suspected that\nthe publisher itself was spying on players. However, it later\nbecame clear that the malicious program ended up on the users’\ncomputers by mistake: the cybercriminals were in fact targeting\nthe companies that develop and release computer games.\n2011\nFor example, by 2011, one of their victims was Gameforge, a\ncompany that offers so-called freemium games: while playing the\ngames is free, it is possible to buy virtual items/money with real\nmoney.The Winnti hackers were able to directly access\nGameforge’s databases and modify accounts to become ‘virtually’\nricher.\nSummer 2014\nThe Winnti hackers broke into Henkel’s network in 2014. We have\nthree files showing that this happened.\nAug 2014\nThis time the operators put such tag in the configuration and it\nturned out to be the name of the well-known global pharmaceutical\ncompany headquartered in Europe.\n2015 The hackers behind Winnti have also set their sights on Japan’s\nbiggest chemical company, Shin-Etsu Chemical. We have in our\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=55d0e323-bb26-4779-b09f-cae04740b0bd\nPage 2 of 4\n\nhands several varieties of the 2015 malware which was most likely\nused for the attack.\nJul 2015\nA BASF spokeswoman tells us in an email that in July 2015,\nhackers had successfully overcome “the first levels” of defense.\nOct 2015\nBreach of a Vietnamese gaming company\nDuring the investigation, a Linux version of Winnti was found.\nFeb 2016\nBreach of German Steelmaker ThyssenKrupp\nJun 2016\nAccording to Siemens, they were penetrated by the hackers in June\n2016.\nSummer 2016\nIn the case of another Japanese company, Sumitomo Electric,\nWinnti apparently penetrated their networks during the summer of\n2016.\nMar 2017\nRecently, the Winnti group, a threat actor with a past of traditional\ncybercrime –particularly with financial fraud, has been seen\nabusing GitHub by turning it into a conduit for the command and\ncontrol (C\u0026C) communications of their seemingly new backdoor\n(detected by Trend Micro as BKDR64_WINNTI.ONM).\nApr 2018\nBreach of German chemicals giant Bayer\nNov 2018\nBreach of Swiss drug maker Roche\nEarly 2019 Covestro is regarded as Germany’s most successful spin-off in the\nrecent past. Up until June 2019, they had at least two systems on\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=55d0e323-bb26-4779-b09f-cae04740b0bd\nPage 3 of 4\n\nwhich the Winnti malware had been installed.\nEarly 2019\nAnother manufacturer of adhesives, Bostik of France, was infected\nwith Winnti in early 2019.\n2019\nLion Air, Marriott and Valve declined to comment or were not\nimmediately available for comment\nLate 2019\nBreach of German chemicals company Lanxess\nFeb 2020\nBased on previous knowledge and targeting of the Winnti Group,\nwe assess that this sample was likely used to target Gravity Co.,\nLtd., a South Korean video game company. The company is\nknown for its Massive Multiplayer Online Role Playing Game\n(MMORPG) Ragnarok Online, which is also offered as a mobile\napplication.\nMar 2021\nExchange servers under siege from at least 10 APT groups\nInformation\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=55d0e323-bb26-4779-b09f-cae04740b0bd\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=55d0e323-bb26-4779-b09f-cae04740b0bd\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=55d0e323-bb26-4779-b09f-cae04740b0bd" ], "report_names": [ "showcard.cgi?u=55d0e323-bb26-4779-b09f-cae04740b0bd" ], "threat_actors": [ { "id": "cea5ceec-0f14-4e34-bd0e-4074bc1a707d", "created_at": "2022-10-25T15:50:23.629983Z", "updated_at": "2026-04-10T02:00:05.362084Z", "deleted_at": null, "main_name": "Axiom", "aliases": [ "Group 72" ], "source_name": "MITRE:Axiom", "tools": [ "ZxShell", "gh0st RAT", "Zox", "PlugX", "Hikit", "PoisonIvy", "Derusbi", "Hydraq" ], "source_id": "MITRE", "reports": null }, { "id": "2150d1ac-edf0-46d4-a78a-a8899e45b2b5", "created_at": "2022-10-25T15:50:23.269339Z", "updated_at": "2026-04-10T02:00:05.402835Z", "deleted_at": null, "main_name": "APT17", "aliases": [ "APT17", "Deputy Dog" ], "source_name": "MITRE:APT17", "tools": [ "BLACKCOFFEE" ], "source_id": "MITRE", "reports": null }, { "id": "5bbced13-72f7-40dc-8c41-dcce75bf885e", "created_at": "2022-10-25T15:50:23.695735Z", "updated_at": "2026-04-10T02:00:05.335976Z", "deleted_at": null, "main_name": "Winnti Group", "aliases": [ "Winnti Group" ], "source_name": "MITRE:Winnti Group", "tools": [ "PipeMon", "Winnti for Windows", "PlugX" ], "source_id": "MITRE", "reports": null }, { "id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e", "created_at": "2022-10-25T15:50:23.453824Z", "updated_at": "2026-04-10T02:00:05.28793Z", "deleted_at": null, "main_name": "Ke3chang", "aliases": [ "Ke3chang", "APT15", "Vixen Panda", "GREF", "Playful Dragon", "RoyalAPT", "Nylon Typhoon" ], "source_name": "MITRE:Ke3chang", "tools": [ "Okrum", "Systeminfo", "netstat", "spwebmember", "Mimikatz", "Tasklist", "MirageFox", "Neoichor", "ipconfig" ], "source_id": "MITRE", "reports": null }, { "id": "a339e456-3f5a-40e9-b293-233281105e85", "created_at": "2022-10-25T15:50:23.260847Z", "updated_at": "2026-04-10T02:00:05.248583Z", "deleted_at": null, "main_name": "Elderwood", "aliases": [ "Elderwood", "Elderwood Gang", "Beijing Group", "Sneaky Panda" ], "source_name": "MITRE:Elderwood", "tools": [ "PoisonIvy", "Naid", "Briba", "Hydraq", "Linfo", "Nerex", "Vasport", "Wiarp", "Pasam" ], "source_id": "MITRE", "reports": null }, { "id": "c7d9878a-e691-4c6f-81ae-84fb115a1345", "created_at": "2022-10-25T16:07:23.359506Z", "updated_at": "2026-04-10T02:00:04.556639Z", "deleted_at": null, "main_name": "APT 41", "aliases": [ "BrazenBamboo", "Bronze Atlas", "Double Dragon", "Earth Baku", "G0096", "Grayfly", "Operation ColunmTK", "Operation CuckooBees", "Operation ShadowHammer", "Red Kelpie", "SparklingGoblin", "TA415", "TG-2633" ], "source_name": "ETDA:APT 41", "tools": [ "9002 RAT", "ADORE.XSEC", "ASPXSpy", "ASPXTool", "AceHash", "Agent.dhwf", "Agentemis", "AndroidControl", "AngryRebel", "AntSword", "BLUEBEAM", "Barlaiy", "BlackCoffee", "Bladabindi", "BleDoor", "CCleaner Backdoor", "CHINACHOPPER", "COLDJAVA", "China Chopper", "ChyNode", "Cobalt Strike", "CobaltStrike", "Crackshot", "CrossWalk", "CurveLast", "CurveLoad", "DAYJOB", "DBoxAgent", "DEADEYE", "DEADEYE.APPEND", "DEADEYE.EMBED", "DEPLOYLOG", "DIRTCLEANER", "DUSTTRAP", "Derusbi", "Destroy RAT", "DestroyRAT", "DodgeBox", "DragonEgg", "ELFSHELF", "EasyNight", "Farfli", "FunnySwitch", "Gh0st RAT", "Ghost RAT", "HDD Rootkit", "HDRoot", "HKDOOR", "HOMEUNIX", "HUI Loader", "HidraQ", "HighNoon", "HighNote", "Homux", "Hydraq", "Jorik", "Jumpall", "KEYPLUG", "Kaba", "Korplug", "LATELUNCH", "LOLBAS", "LOLBins", "LightSpy", "Living off the Land", "Lowkey", "McRAT", "MdmBot", "MessageTap", "Meterpreter", "Mimikatz", "MoonBounce", "MoonWalk", "Motnug", "Moudour", "Mydoor", "NTDSDump", "PACMAN", "PCRat", "PINEGROVE", "PNGRAT", "POISONPLUG", "POISONPLUG.SHADOW", "POTROAST", "PRIVATELOG", "PipeMon", "PlugX", "PortReuse", "ProxIP", "ROCKBOOT", "RbDoor", "RedDelta", "RedXOR", "RibDoor", "Roarur", "RouterGod", "SAGEHIRE", "SPARKLOG", "SQLULDR2", "STASHLOG", "SWEETCANDLE", "ScrambleCross", "Sensocode", "SerialVlogger", "ShadowHammer", "ShadowPad Winnti", "SinoChopper", "Skip-2.0", "SneakCross", "Sogu", "Speculoos", "Spyder", "StealthReacher", "StealthVector", "TERA", "TIDYELF", "TIGERPLUG", "TOMMYGUN", "TVT", "Thoper", "Voldemort", "WIDETONE", "WINNKIT", "WINTERLOVE", "Winnti", "WyrmSpy", "X-Door", "XDOOR", "XMRig", "XShellGhost", "Xamtrav", "ZXShell", "ZoxPNG", "certutil", "certutil.exe", "cobeacon", "gresim", "njRAT", "pwdump", "xDll" ], "source_id": "ETDA", "reports": null }, { "id": "4d5f939b-aea9-4a0e-8bff-003079a261ea", "created_at": "2023-01-06T13:46:39.04841Z", "updated_at": "2026-04-10T02:00:03.196806Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "WICKED PANDA", "BRONZE EXPORT", "Brass Typhoon", "TG-2633", "Leopard Typhoon", "G0096", "Grayfly", "BARIUM", "BRONZE ATLAS", "Red Kelpie", "G0044", "Earth Baku", "TA415", "WICKED SPIDER", "HOODOO", "Winnti", "Double Dragon" ], "source_name": "MISPGALAXY:APT41", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a7aefdda-98f1-4790-a32d-14cc99de2d60", "created_at": "2023-01-06T13:46:38.281844Z", "updated_at": "2026-04-10T02:00:02.909711Z", "deleted_at": null, "main_name": "APT17", "aliases": [ "BRONZE KEYSTONE", "G0025", "Group 72", "G0001", "HELIUM", "Heart Typhoon", "Group 8", "AURORA PANDA", "Hidden Lynx", "Tailgater Team" ], "source_name": "MISPGALAXY:APT17", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e698860d-57e8-4780-b7c3-41e5a8314ec0", "created_at": "2022-10-25T15:50:23.287929Z", "updated_at": "2026-04-10T02:00:05.329769Z", "deleted_at": null, "main_name": "APT41", "aliases": [ "APT41", "Wicked Panda", "Brass Typhoon", "BARIUM" ], "source_name": "MITRE:APT41", "tools": [ "ASPXSpy", "BITSAdmin", "PlugX", "Impacket", "gh0st RAT", "netstat", "PowerSploit", "ZxShell", "KEYPLUG", "LightSpy", "ipconfig", "sqlmap", "China Chopper", "ShadowPad", "MESSAGETAP", "Mimikatz", "certutil", "njRAT", "Cobalt Strike", "pwdump", "BLACKCOFFEE", "MOPSLED", "ROCKBOOT", "dsquery", "Winnti for Linux", "DUSTTRAP", "Derusbi", "ftp" ], "source_id": "MITRE", "reports": null }, { "id": "adfbe698-24b2-41fc-a701-781fef330b16", "created_at": "2024-01-09T02:00:04.17648Z", "updated_at": "2026-04-10T02:00:03.504826Z", "deleted_at": null, "main_name": "GREF", "aliases": [], "source_name": "MISPGALAXY:GREF", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "945a572f-ebe3-4e2f-a288-512fe751cfa8", "created_at": "2022-10-25T16:07:24.413971Z", "updated_at": "2026-04-10T02:00:04.97924Z", "deleted_at": null, "main_name": "Winnti Group", "aliases": [ "G0044", "Leopard Typhoon", "Wicked Panda", "Winnti Group" ], "source_name": "ETDA:Winnti Group", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "FunnySwitch", "RbDoor", "RibDoor", "RouterGod", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "2a24d664-6a72-4b4c-9f54-1553b64c453c", "created_at": "2025-08-07T02:03:24.553048Z", "updated_at": "2026-04-10T02:00:03.787296Z", "deleted_at": null, "main_name": "BRONZE ATLAS", "aliases": [ "APT41 ", "BARIUM ", "Blackfly ", "Brass Typhoon", "CTG-2633", "Earth Baku ", "GREF", "Group 72 ", "Red Kelpie ", "TA415 ", "TG-2633 ", "Wicked Panda ", "Winnti" ], "source_name": "Secureworks:BRONZE ATLAS", "tools": [ "Acehash", "CCleaner v5.33 backdoor", "ChinaChopper", "Cobalt Strike", "DUSTPAN", "Dicey MSDN", "Dodgebox", "ForkPlayground", "HUC Proxy Malware (Htran)" ], "source_id": "Secureworks", "reports": null }, { "id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def", "created_at": "2025-08-07T02:03:24.626625Z", "updated_at": "2026-04-10T02:00:03.605175Z", "deleted_at": null, "main_name": "BRONZE KEYSTONE", "aliases": [ "APT17 ", "Aurora Panda ", "DeputyDog ", "Group 72 ", "Hidden Lynx ", "TG-8153 ", "Tailgater Team" ], "source_name": "Secureworks:BRONZE KEYSTONE", "tools": [ "9002", "BlackCoffee", "DeputyDog", "Derusbi", "Gh0stHTTPSDropper", "HiKit", "InternalCMD", "PlugX", "PoisonIvy", "ZxShell" ], "source_id": "Secureworks", "reports": null }, { "id": "5c74936a-79d1-41b8-81eb-01d03c90a26b", "created_at": "2022-10-25T16:07:23.371052Z", "updated_at": "2026-04-10T02:00:04.570621Z", "deleted_at": null, "main_name": "Axiom", "aliases": [ "G0001", "Group 72", "Operation SMN" ], "source_name": "ETDA:Axiom", "tools": [ "9002 RAT", "Agent.dhwf", "AngryRebel", "BlackCoffee", "BleDoor", "Chymine", "Darkmoon", "DeputyDog", "Derusbi", "Destroy RAT", "DestroyRAT", "Farfli", "Fexel", "Gen:Trojan.Heur.PT", "Gh0st RAT", "Ghost RAT", "Gresim", "HOMEUNIX", "HiKit", "HidraQ", "Homux", "Hydraq", "Kaba", "Korplug", "McRAT", "MdmBot", "Moudour", "Mydoor", "PCRat", "PNGRAT", "PlugX", "Poison Ivy", "RbDoor", "RedDelta", "RibDoor", "Roarur", "SPIVY", "Sensocode", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Winnti", "Xamtrav", "ZXShell", "Zox", "ZoxPNG", "ZoxRPC", "gresim", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "7d5531e2-0ad1-4237-beed-af009035576f", "created_at": "2024-05-01T02:03:07.977868Z", "updated_at": "2026-04-10T02:00:03.817883Z", "deleted_at": null, "main_name": "BRONZE PALACE", "aliases": [ "APT15 ", "BRONZE DAVENPORT ", "BRONZE IDLEWOOD ", "CTG-6119 ", "CTG-6119 ", "CTG-9246 ", "Ke3chang ", "NICKEL ", "Nylon Typhoon ", "Playful Dragon", "Vixen Panda " ], "source_name": "Secureworks:BRONZE PALACE", "tools": [ "BMW", "BS2005", "Enfal", "Mirage", "RoyalCLI", "RoyalDNS" ], "source_id": "Secureworks", "reports": null }, { "id": "7c8cf02c-623a-4793-918b-f908675a1aef", "created_at": "2023-01-06T13:46:38.309165Z", "updated_at": "2026-04-10T02:00:02.921721Z", "deleted_at": null, "main_name": "APT15", "aliases": [ "Metushy", "Lurid", "Social Network Team", "Royal APT", "BRONZE DAVENPORT", "BRONZE IDLEWOOD", "VIXEN PANDA", "Ke3Chang", "Playful Dragon", "BRONZE PALACE", "G0004", "Red Vulture", "Nylon Typhoon" ], "source_name": "MISPGALAXY:APT15", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "57d2c58d-0445-441f-b94f-99d217b9e3c4", "created_at": "2023-01-06T13:46:38.327743Z", "updated_at": "2026-04-10T02:00:02.930027Z", "deleted_at": null, "main_name": "Beijing Group", "aliases": [ "Elderwood", "Elderwood Gang", "SIG22", "G0066", "SNEAKY PANDA" ], "source_name": "MISPGALAXY:Beijing Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "86fd71d3-06dc-4b73-b038-cedea7b83bac", "created_at": "2022-10-25T16:07:23.330793Z", "updated_at": "2026-04-10T02:00:04.545236Z", "deleted_at": null, "main_name": "APT 17", "aliases": [ "APT 17", "ATK 2", "Beijing Group", "Bronze Keystone", "Deputy Dog", "Elderwood", "Elderwood Gang", "G0025", "G0066", "Operation Aurora", "Operation DeputyDog", "Operation Ephemeral Hydra", "Operation RAT Cook", "SIG22", "Sneaky Panda", "TEMP.Avengers", "TG-8153", "Tailgater Team" ], "source_name": "ETDA:APT 17", "tools": [ "9002 RAT", "AGENT.ABQMR", "AGENT.AQUP.DROPPER", "AGENT.BMZA", "AGENT.GUNZ", "Agent.dhwf", "AngryRebel", "BlackCoffee", "Briba", "Chymine", "Comfoo", "Comfoo RAT", "Darkmoon", "DeputyDog", "Destroy RAT", "DestroyRAT", "Farfli", "Fexel", "Gen:Trojan.Heur.PT", "Gh0st RAT", "Ghost RAT", "Gresim", "HOMEUNIX", "HiKit", "HidraQ", "Homux", "Hydraq", "Jumpall", "Kaba", "Korplug", "Linfo", "MCRAT.A", "McRAT", "MdmBot", "Mdmbot.E", "Moudour", "Mydoor", "Naid", "Nerex", "PCRat", "PNGRAT", "Pasam", "PlugX", "Poison Ivy", "RedDelta", "Roarur", "SPIVY", "Sogu", "TIGERPLUG", "TVT", "Thoper", "Trojan.Naid", "Vasport", "Wiarp", "Xamtrav", "Zox", "ZoxPNG", "ZoxRPC", "gresim", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c", "created_at": "2022-10-25T16:07:23.750796Z", "updated_at": "2026-04-10T02:00:04.736762Z", "deleted_at": null, "main_name": "Ke3chang", "aliases": [ "APT 15", "BackdoorDiplomacy", "Bronze Davenport", "Bronze Idlewood", "Bronze Palace", "CTG-9246", "G0004", "G0135", "GREF", "Ke3chang", "Metushy", "Nylon Typhoon", "Operation Ke3chang", "Operation MirageFox", "Playful Dragon", "Playful Taurus", "PurpleHaze", "Red Vulture", "Royal APT", "Social Network Team", "Vixen Panda" ], "source_name": "ETDA:Ke3chang", "tools": [ "Agentemis", "Anserin", "BS2005", "BleDoor", "CarbonSteal", "Cobalt Strike", "CobaltStrike", "DarthPusher", "DoubleAgent", "EternalBlue", "GoldenEagle", "Graphican", "HenBox", "HighNoon", "IRAFAU", "Ketrican", "Ketrum", "LOLBAS", "LOLBins", "Living off the Land", "MS Exchange Tool", "Mebroot", "Mimikatz", "MirageFox", "NBTscan", "Okrum", "PluginPhantom", "PortQry", "ProcDump", "PsList", "Quarian", "RbDoor", "RibDoor", "Royal DNS", "RoyalCli", "RoyalDNS", "SAMRID", "SMBTouch", "SilkBean", "Sinowal", "SpyWaller", "Theola", "TidePool", "Torpig", "Turian", "Winnti", "XSLCmd", "cobeacon", "nbtscan", "netcat", "spwebmember" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434552, "ts_updated_at": 1775792278, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/d26843641c0850a9ce492329c4af2775feaa3320.pdf", "text": "https://archive.orkl.eu/d26843641c0850a9ce492329c4af2775feaa3320.txt", "img": "https://archive.orkl.eu/d26843641c0850a9ce492329c4af2775feaa3320.jpg" } }