{
	"id": "86ea7229-ec9e-4259-a5e9-0e1ce621eef4",
	"created_at": "2026-04-06T00:12:15.856219Z",
	"updated_at": "2026-04-10T03:37:36.868664Z",
	"deleted_at": null,
	"sha1_hash": "d32d58830492765f4294cd215ff38d915a69ed88",
	"title": "DarkBeatC2: The Latest MuddyWater Attack Framework",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 412029,
	"plain_text": "DarkBeatC2: The Latest MuddyWater Attack Framework\r\nPublished: 2024-04-04 · Archived: 2026-04-05 20:41:15 UTC\r\nDuring the “Swords of Iron War” against Hamas terrorists, Iranian threat actors increased the intensity of their\r\n“hack and leak” fake hacktivist operations against Israeli companies in the private sector. This blog post\r\nhighlights some of the recent attacks conducted and provides an analysis of “DarkBeatC2,” the latest C2\r\nframework in MuddyWater’s arsenal.\r\nExecutive Summary\r\nIranian threat actors continue to collaborate and hand off compromised targets to conduct supply-chain attacks by\r\nleveraging information from previous breaches.\r\nDeep Instinct’s Threat Research team identified a previously unreported C2 framework that MuddyWater is\r\nsuspected of using.\r\nIn this post, we shed additional light on recent state-sponsored attacks.\r\nBackground\r\nDespite the large number of Iranian cyber attacks against Israeli organizations, which has significantly increased\r\nsince the start of the “Swords of Iron War,” Israeli reporting about the attacks has been limited to mainstream\r\nnews reports without technical details beyond general IOCs.\r\nMost of the technical details about the attacks are exclusively being shared by international companies outside of\r\nIsrael even though most of the incident response is done by local Israeli companies and the Israel National Cyber\r\nDirectorate (INCD).\r\nFor example, in mid-February 2024, Google shared a recap of some of the events that have occurred since the start\r\nof 2024. The report includes information not reported by the local news or the INCD.\r\nWhen the INCD does share alerts about malicious cyber activity against Israeli companies, which is infrequent,\r\nthey’re vague on specifics. 
Recently, they shared an alert about multiple state-sponsored groups targeting “mostly”\r\na few specific sectors.\r\nThe alert also includes a Yara rule set and a long list of IOCs without any additional context.\r\nProviding IOCs without any context might help for a day, but there is a reason why they are located at the bottom\r\nof the “Pyramid of Pain,” a term we will often refer to in this blog.\r\nGoing Through a Pile of Garbage to Find Golden Nuggets\r\nWhile the shared information is not enough to be useful for the companies that are being targeted, let’s do a\r\ndumpster dive into what has been shared and see if we can salvage anything useful.\r\nhttps://www.deepinstinct.com/blog/darkbeatc2-the-latest-muddywater-attack-framework\r\nPage 1 of 11\n\nJudging by the rule names, the Yara rules are for various wipers. Although no hashes or additional info is provided,\r\nit is possible to link the rules to the following specific attacks:\r\n1. BiBi wiper by KarMa\r\n2. Homeland Justice wiper targeting the Albanian Parliament (2022)\r\n3. Homeland Justice wiper targeting Albania’s Institute of Statistics (INSTAT)\r\nGoogle links KarMa to DEV-0842/BanishedKitten. In Microsoft’s investigation into the 2022 Albanian\r\ngovernment attacks, they “assessed with high confidence that multiple Iranian actors participated in this attack.”\r\nMicrosoft states, “DEV-0842 deployed the ransomware and wiper malware,” while three additional groups\r\nparticipated in the attack. Each group was responsible for a different step in the “Cyber Kill Chain.”\r\nAdditionally, Microsoft links all the different groups in this attack to the Iranian Ministry of Intelligence and\r\nSecurity (MOIS).\r\nFigure 1: Threat actors behind the attack against the Albanian government in 2022. 
(Source:\r\nMicrosoft)\r\nIn another investigation into the 2022 Albanian government attack, Mandiant also raised “the possibility of a\r\ncross-team collaboration.”\r\nThe IOC list shared by INCD includes hashes for seven files, only three of which are publicly available. Among\r\nthose publicly available, two are generic webshells from 2020.\r\nThe last file is also a webshell, but unlike the other two it is not a generic webshell but a variant of the FoxShell\r\nused by ScarredManticore/DEV-0861/ShroudedSnooper, which Microsoft observed participating in the 2022\r\ncyberattack on the Albanian government.\r\nIf we make an analogy to medical terminology, a webshell is just a symptom, and trying to prevent webshells by\r\nhash values is easily bypassed. Therefore, hash-based blocking is not a prevention capability.\r\nOut of the three domains shared by INCD, only one is publicly known to be directly related to Iranian activity.\r\nThe domain vatacloud[.]com was used by DEV-1084 (DarkBit) in their attack against the Technion in February\r\n2023. According to Microsoft, “DEV-1084 likely worked in partnership with MERCURY.”\r\nMercury, known as MuddyWater, is also part of the Iranian MOIS.\r\nThe last of the IOCs includes 31 IP addresses without a description.\r\nFor 11 of those IP addresses, Deep Instinct could not identify any known malicious activity.\r\nAnother 11 IP addresses are known to be associated with MuddyWater from previous campaigns,\r\nsuch as SimpleHarm, PhonyC2, and MuddyC2Go (1, 2).\r\nThe nine remaining IP addresses are most likely also related to MuddyWater. 
Moreover, we believe that these IPs\r\nhost the latest tools used by the threat actor and their latest C2 framework, which we named “DarkBeatC2.”\r\nNow, let’s examine the additional context surrounding the above findings to see the full picture.\r\nPresenting “Lord Nemesis”\r\n“Lord Nemesis” is the latest, “all the rage” Iranian “faketivist” operation.\r\nFigure 2: Faketivism definition.\r\nDue to the lack of transparency and context in reports on most Iranian cyber operations against Israel, the\r\nfollowing rare sighting of a detailed report about a recent supply-chain attack amplifies why context is so\r\nimportant.\r\nA unique report from OP Innovate details how the attackers, who call themselves “Lord Nemesis,” managed to\r\naccess multiple organizations by compromising a single IT provider named “Rashim.”\r\nAccording to the report, “One of the critical factors that allowed Lord Nemesis to extend its attack beyond Rashim\r\nwas the company’s practice of maintaining an admin user account on some of its customer systems. 
By hijacking\r\nthis admin account, the attackers were able to access numerous organizations by using their VPN that relied on the\r\nMichlol CRM, potentially compromising the security of these institutions and putting their data at risk.”\r\nWhile the report contains additional context that explains how the attackers operated after they gained initial\r\naccess, it does not explain how the attack was attributed to “Nemesis Kitten,” as mentioned at the beginning of\r\ntheir report.\r\nAccording to Microsoft, “Nemesis Kitten” is DEV-0270 (Cobalt Mirage, TunnelVision), a subgroup of the Iranian\r\nthreat actor Mint Sandstorm (PHOSPHORUS, APT35, Charming Kitten), which we have previously observed\r\nexploiting Exchange servers.\r\nWhile “Mint Sandstorm” has been linked to the Iranian IRGC, DEV-0270 is a private subcontractor known as\r\n“SecNerd” or “Najee Technology.”\r\nHowever, the most important detail from Op Innovate’s blog is the following: “To instill fear in his victims and\r\ndemonstrate the extent of his access, ‘Lord Nemesis,’ contacted a list of Rashim’s users and colleagues via\r\nRashim’s email system on March 4th. This communication occurred four months after the initial breach of\r\nRashim’s infrastructure, highlighting the attacker’s prolonged presence within the system.”\r\nThis is important because if “Lord Nemesis” were able to breach Rashim’s email system, they might have\r\nbreached the email systems of Rashim’s customers using the admin accounts that, thanks to Op Innovate’s\r\nreporting, we now know they obtained from “Rashim.”\r\nSo, why is this so important? Read on.\r\nBack to MuddyWater\r\nWe have reported on MuddyWater activity numerous times.\r\nDespite the reports, the threat actor only slightly changes its core TTPs, as the “Pyramid of Pain” predicted. 
While\r\noccasionally switching to a new remote administration tool or changing their C2 framework (due to a previous one\r\nbeing leaked), MuddyWater’s methods remain constant, as described in our very first blog about the threat actor.\r\nFigure 3: Updated MuddyWater campaign overview.\r\nIn a recent security brief by Proofpoint, MuddyWater (TA450) was observed sending PDF attachments from the\r\nemail of a compromised Israeli company.\r\nThose PDF attachments contained links to various web hosting services where users could download an archive\r\ncontaining a remote administration tool, as shown in Figure 3 above.\r\nHowever, one of those web hosting providers – “Egnyte,” with a “salary.egnyte[.]com” subdomain – was new and\r\nnot previously known to be in use by MuddyWater.\r\nWhile this change seems minor and insignificant, it is the exact opposite when given additional context. At the\r\nsame time Proofpoint reported this campaign, Deep Instinct observed a similar campaign using a different\r\nsubdomain, “kinneretacil.egnyte[.]com.” The subdomain refers to the domain “kinneret.ac.il,” which is an Israeli\r\nhigher education college.\r\nAccording to the information shared by OP Innovate, Kinneret is a customer of “Rashim.” This led us to\r\nbelieve that kinneretacil.egnyte[.]com might be part of their infrastructure compromised by “Lord Nemesis,”\r\nespecially since the share used the username “ori ben-dor,” which looks like an authentic Israeli name (see Figure 4).\r\nFigure 4: Uploader information at kinneretacil.egnyte[.]com\r\nThanks to the context given by Proofpoint, it appears the Egnyte account was not compromised but rather created\r\nby MuddyWater. 
This can be seen by the lack of creativity in the uploader name (“Shared by gsdfg gsg”) in the\r\ninstance Proofpoint observed (see Figure 5).\r\nFigure 5: Uploader information at salary.egnyte[.]com\r\nSince MuddyWater used a compromised email account to spread the links to salary.egnyte[.]com, this was likely\r\nalso the case with the kinneretacil.egnyte[.]com links, although we don’t have direct evidence.\r\nMuddyWater may have used the “Kinneret” email account to distribute these links, exploiting the trust recipients\r\nhave in the sender as a familiar and credible organization.\r\nDuring the same period, another archive hosted both on Sync and OneHub was observed using the Hebrew name for\r\n“scholarship.” This indicates another potential abuse of their access to “Rashim’s” accounts to target victims in the\r\neducation sector, tricking them into installing a remote administration tool.\r\nWhile not conclusive, the timeframe and context of the events indicate a potential hand-off or collaboration\r\nbetween the IRGC and MOIS to inflict as much harm as possible on Israeli organizations and individuals.\r\nAdditional MuddyWater Shenanigans\r\nIn early March 2024, after a year of silence, DarkBit made some bold claims about their new victims. However, so\r\nfar, the only proof they have provided indicates a single compromise at the INCD.\r\nFor those of you who don’t remember, DarkBit is the group that took responsibility for the Technion hack.\r\nMicrosoft attributed it to MuddyWater, and DarkBit itself later admitted this (see Figure 6).\r\nFigure 6: DarkBit acknowledging they are MuddyWater. 
(Source: K7 Security Labs)\r\nWhile DarkBit has since deleted this message, the internet still remembers.\r\nIn their current iteration, DarkBit decided to upload and leak stolen data using “freeupload[.]store.”\r\nFigure 7: DarkBit using freeupload[.]store (Source: K7 Security Labs)\r\nDuring the same timeframe, in early March 2024, Deep Instinct identified two different MSI files named\r\n“IronSwords.msi,” which are installers of “Atera Agent,” the current RMM used by MuddyWater.\r\nThose files were uploaded as-is, without being packaged into archives. One file was uploaded to\r\nfiletransfer[.]io and the second to freeupload[.]store.\r\nThe domain freeupload[.]store belongs to the “0Day forums,” a hacking community on the dark web.\r\nThe discovery of the Atera installer on a public hosting service, by itself, does not provide sufficient evidence to\r\ndraw conclusions. However, when considering the context – the specific filename, the timing of its appearance,\r\nthe nature of the software, and the fact that the same file hosting service was used – the likelihood that these two files\r\nare connected to another Iranian campaign, likely carried out by MuddyWater, is significantly increased.\r\nIntroducing DarkBeatC2\r\nDeep Instinct found a needle in the haystack: DarkBeatC2 and other new tools that MuddyWater most likely\r\nuses.\r\nThe IP address 185.236.234[.]161 is not known to be associated with MuddyWater. 
However, it does belong to\r\n“Stark-Industries,” a known hosting provider for malicious activity.\r\nThe IP address hosts the “reNgine” open-source reconnaissance framework.\r\nWhile there is no previous public documentation of MuddyWater using this framework, they have a track record\r\nof using a variety of open-source tools, and reconnaissance is an important part of the “Cyber Kill Chain.”\r\nAdditionally, the domains aramcoglobal[.]site and mafatehgroup[.]com point to the IP address 185.236.234[.]161.\r\nThe domain mafatehgroup[.]com impersonates the domain mafateehgroup.com, which is a digital services\r\nprovider with offices in Jordan and Saudi Arabia. Jordan, Saudi Arabia, and Aramco are known targets of Iranian threat\r\nactors.\r\nThe IP address 185.216.13[.]242 also belongs to “Stark-Industries,” but this IP hosted an administration panel for\r\n“Tactical RMM.”\r\nCybersecurity researchers have reported that “Tactical RMM” is being abused by threat actors to deploy\r\nransomware.\r\n“Tactical RMM” is another remote administration tool. It’s no surprise that MuddyWater is abusing it given its\r\ntrack record of leveraging RATs.\r\nThe domain “websiteapicloud[.]com” resolves to the same IP address, 185.216.13[.]242, which hosts the “Tactical\r\nRMM.” This domain has already been observed and linked to an unnamed APT.\r\nWhile writing this blog, we learned that “Intel-Ops” is also tracking the MuddyWater activity described above.\r\nDeep Instinct tracks the domain “websiteapicloud[.]com” as part of MuddyWater’s new DarkBeatC2 framework.\r\nWhile IP addresses are at the bottom of the “Pyramid of Pain” and should be easy for a threat actor to change,\r\nMuddyWater keeps reusing the same IP addresses.\r\nEarly links between MuddyWater and DarkBeatC2 can be seen in the following IP addresses:\r\n1. 
91.121.240[.]102 – This IP was mentioned almost a year ago in the “SimpleHarm” campaign, but in\r\nFebruary this year, the domain googlelinks[.]net started to point to it.\r\n2. 137.74.131[.]19 – This IP is in the same subnet known to host MuddyWater servers in both the\r\n“SimpleHarm” and “PhonyC2” campaigns. The domain googlevalues[.]com also pointed to this IP address\r\nin February 2024.\r\n3. 164.132.237[.]68 – This IP is in the same subnet known to host MuddyWater servers in both the\r\n“SimpleHarm” and “PhonyC2” campaigns. The domain nc6010721b[.]biz resolved to this IP address in\r\n2021. The domain name pattern (6nc/nc6) is very similar to domains we suspected to be related to\r\nMuddyWater in their “PhonyC2” campaign. While we still can’t confirm whether this is done by the VPS\r\nprovider or by MuddyWater, there is a relationship between the two.\r\nWhile there are more domains and IPs related to DarkBeatC2, which you can find in the indicators appendix to\r\nthis blog, we will focus on the following domain: googleonlinee[.]com.\r\nMuch like MuddyWater’s previous C2 frameworks, it serves as a central point to manage all of the infected\r\ncomputers. The threat actor usually establishes a connection to their C2 in one of the following ways:\r\n1. Manually executing PowerShell code to establish a connection to the C2 after gaining initial access via\r\nanother method.\r\n2. Wrapping a connector that executes the code to establish a C2 connection within the first-stage payload,\r\nwhich is delivered in a spear-phishing email.\r\n3. 
Sideloading a malicious DLL to execute the code to establish a C2 connection by masquerading as a\r\nlegitimate application (PowGoop and MuddyC2Go).\r\nWhile we could not identify how the connection to DarkBeatC2 was made, we were able to obtain some of the\r\nPowerShell responses to understand more about what it does and how.\r\nIn general, this framework is similar to the previous C2 frameworks used by MuddyWater. PowerShell remains\r\ntheir “bread and butter.”\r\nThe URL googleonlinee[.]com/setting/8955224/r4WB7DzDOwfaHSevxHH0 contains the following PowerShell\r\ncode:\r\nFigure 8: PowerShell code from “setting” URI.\r\nThe above code simply fetches and executes two additional PowerShell scripts from the same C2 server.\r\nThe code from the URL with “8946172” is included in Figure 9.\r\nFigure 9: PowerShell code from “8946172” URI.\r\nThis code is also simple. It reads the contents of a file named “C:\\ProgramData\\SysInt.log” and sends it to the C2\r\nvia a POST request.\r\nWhile we don’t know the contents of the file, the C2 framework creates it in another stage, perhaps for a similar\r\npurpose to the file named “db.sqlite” in PhonyC2.\r\nThe code from the second URL, with “7878123,” is included in Figure 10.\r\nFigure 10: PowerShell code from “7878123” URI.\r\nThis code is more complex than the previous two code snippets. It runs in a loop that sleeps for 20 seconds, trying\r\nto connect to the C2 and fetch additional content. If the content is not null, there is an additional check to see if the\r\ncontent contains the string “SRT_”. If this string is present, the content is split into an array using “_”\r\nas the delimiter. 
The script then takes the second element of the array and sleeps for the number of seconds\r\nthat element contains.\r\nIf the content is not null but does not contain the string “SRT_”, the script converts the content of the response\r\ninto a scriptblock and executes it while writing the response to the aforementioned “SysInt.log” file.\r\nDuring our analysis, the server responded with a 403 error. As such, we did not receive any content\r\nduring this phase.\r\nConclusion\r\nIranian threat actors are actively targeting Israeli networks. Sharing information about these active intrusions\r\ncould lead to proper treatment of the issue. Exposing attack vectors and addressing underlying vulnerabilities is\r\nmore effective than simply reacting to IOCs after an infection has occurred.\r\nWe encourage everyone to share their findings – with context – like OP Innovate did.\r\nBecause the security posture and maturity level of blue teams vary between companies and industries, minimizing\r\ntime to breach detection is crucial.\r\nRelying solely on products that enhance detection capabilities could backfire and slow the blue team’s detection\r\ncapabilities due to the sheer amount of data that needs to be processed.\r\nThis post, once again, highlights the strength of Deep Instinct’s prevention-first capabilities. We prevent\r\nthreats that other tools can’t find by leveraging our deep-learning framework. 
This eliminates the need for\r\nmanual intervention by the blue team, saving time, effort, and frustration while ensuring breaches are\r\neliminated.\r\nIOCs\r\nNetwork\r\nIP Address Description\r\n185.236.234[.]161 reNgine\r\n185.216.13[.]242 Tactical RMM (websiteapicloud[.]com)\r\n45.66.249[.]226 Suspected as DarkBeatC2 (googlelinks[.]net)\r\n137.74.131[.]19 Suspected as DarkBeatC2 (googlevalues[.]com)\r\n164.132.237[.]68 Suspected as DarkBeatC2 (google-word[.]com)\r\n95.164.61[.]64 Suspected as DarkBeatC2 (webapicloud[.]com and security-onedrive[.]com)\r\n95.164.46[.]54 Suspected as DarkBeatC2 (webftpcloud[.]com)\r\n91.225.218[.]210 Suspected as DarkBeatC2 (websiteftpcloud[.]com)\r\n95.164.38[.]68 Suspected as DarkBeatC2 (softwaree-cloud[.]com)\r\n45.140.147[.]81 Suspected as DarkBeatC2 (domainsoftcloud[.]com)\r\n80.71.157[.]130 DarkBeatC2 (microsoft-corp[.]com)\r\n103.35.190[.]203 DarkBeatC2 (asure-onlinee[.]com)\r\n95.164.46[.]253 DarkBeatC2 (googleonlinee[.]com)\r\nFile\r\nMD5 Description\r\n353b4643ec51ecff7206175d930b0713 MEK-DDMC.exe Albania’s INSTAT Wiper\r\n3dd1f91f89dc70e90f7bc001ed50c9e7 DarkBeatC2 PowerShell response from googleonlinee[.]com/setting/8955224/r4WB7DzDOwfaHSevxHH0\r\nbede9522ff7d2bf7daff04392659b8a8 DarkBeatC2 PowerShell response from googleonlinee[.]com/zero/8946172/eUwYPH9eIbAOiLs\r\n32bfe46efceae5813b75b40852fde3c2 DarkBeatC2 PowerShell response from googleonlinee[.]com/zero/8946172/0IGkmSybmd3BXIe\r\nb7d15723d7ef47497c6efb270065ed84 DarkBeatC2 PowerShell response from googleonlinee[.]com/zero/7878123/eUwYPH9eIbAOiLs\r\nSource: 
https://www.deepinstinct.com/blog/darkbeatc2-the-latest-muddywater-attack-framework",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.deepinstinct.com/blog/darkbeatc2-the-latest-muddywater-attack-framework"
	],
	"report_names": [
		"darkbeatc2-the-latest-muddywater-attack-framework"
	],
	"threat_actors": [
		{
			"id": "640fc3dc-433d-4244-a85a-21d5135498b2",
			"created_at": "2025-08-07T02:03:24.71289Z",
			"updated_at": "2026-04-10T02:00:03.688893Z",
			"deleted_at": null,
			"main_name": "COBALT AZTEC",
			"aliases": [
				"DEV-1084 ",
				"GOLD AZTEC",
				"Storm-1084 "
			],
			"source_name": "Secureworks:COBALT AZTEC",
			"tools": [
				"DarkBit ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b4a82e8-21f1-4bc7-84cf-e27334998b48",
			"created_at": "2022-10-25T16:07:23.84296Z",
			"updated_at": "2026-04-10T02:00:04.762229Z",
			"deleted_at": null,
			"main_name": "DEV-0270",
			"aliases": [
				"DEV-0270",
				"DireFate",
				"Lord Nemesis",
				"Nemesis Kitten",
				"Yellow Dev 23",
				"Yellow Dev 24"
			],
			"source_name": "ETDA:DEV-0270",
			"tools": [
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"WmiExec"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9d63303c-817c-40d7-b703-c6d62f0dbddc",
			"created_at": "2023-10-14T02:03:14.471787Z",
			"updated_at": "2026-04-10T02:00:04.891855Z",
			"deleted_at": null,
			"main_name": "ShroudedSnooper",
			"aliases": [],
			"source_name": "ETDA:ShroudedSnooper",
			"tools": [
				"HTTPSnoop",
				"PipeSnoop",
				"TOFULOAD",
				"TOFUPIPE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1ddad928-ad5f-4885-9abd-e8965dd793df",
			"created_at": "2023-11-08T02:00:07.129402Z",
			"updated_at": "2026-04-10T02:00:03.421623Z",
			"deleted_at": null,
			"main_name": "ShroudedSnooper",
			"aliases": [],
			"source_name": "MISPGALAXY:ShroudedSnooper",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eaef3218-1f8c-4767-b1ff-da7a6662acc0",
			"created_at": "2023-03-04T02:01:54.110909Z",
			"updated_at": "2026-04-10T02:00:03.359871Z",
			"deleted_at": null,
			"main_name": "DEV-0270",
			"aliases": [
				"Nemesis Kitten",
				"Storm-0270"
			],
			"source_name": "MISPGALAXY:DEV-0270",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0321f048-2313-42dd-b10c-08a99ae98f2a",
			"created_at": "2024-02-02T02:00:04.06752Z",
			"updated_at": "2026-04-10T02:00:03.54849Z",
			"deleted_at": null,
			"main_name": "Storm-1084",
			"aliases": [
				"DEV-1084"
			],
			"source_name": "MISPGALAXY:Storm-1084",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7f25e108-e694-49b6-a494-c8458b33eb3f",
			"created_at": "2024-01-09T02:00:04.199217Z",
			"updated_at": "2026-04-10T02:00:03.509338Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [],
			"source_name": "MISPGALAXY:HomeLand Justice",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3ebf51d-8f64-48a9-bbfb-674db872cccb",
			"created_at": "2025-08-07T02:03:24.769383Z",
			"updated_at": "2026-04-10T02:00:03.860954Z",
			"deleted_at": null,
			"main_name": "COBALT MYSTIQUE",
			"aliases": [
				"Banished Kitten ",
				"DEV-0842 ",
				"Druidfly ",
				"Handala Hack Team",
				"Homeland Justice",
				"Karmabelow80",
				"Red Sandstorm ",
				"Storm-0842 ",
				"Void Manticore "
			],
			"source_name": "Secureworks:COBALT MYSTIQUE",
			"tools": [
				"AllinOneNeo",
				"Bibi",
				"GramPy",
				"GramPyLoader"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434335,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d32d58830492765f4294cd215ff38d915a69ed88.pdf",
		"text": "https://archive.orkl.eu/d32d58830492765f4294cd215ff38d915a69ed88.txt",
		"img": "https://archive.orkl.eu/d32d58830492765f4294cd215ff38d915a69ed88.jpg"
	}
}