{
	"id": "445c28c1-0cff-44f4-a2ba-7a51cb6f09eb",
	"created_at": "2026-04-06T00:12:05.362697Z",
	"updated_at": "2026-04-10T13:12:11.879504Z",
	"deleted_at": null,
	"sha1_hash": "d435a1d7662f1012529533d80ad9d820f49678a9",
	"title": "‘DealersChoice’ is Sofacy’s Flash Player Exploit Platform",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1122114,
	"plain_text": "‘DealersChoice’ is Sofacy’s Flash Player Exploit Platform\r\nBy Robert Falcone, Bryan Lee\r\nPublished: 2016-10-17 · Archived: 2026-04-05 19:04:28 UTC\r\nUnit 42 has reported on various Sofacy group attacks over the last year, most recently with a post on Komplex, an\r\nOS X variant of a tool commonly used by the Sofacy group. In the same timeframe as the Komplex attacks, we\r\ncollected several weaponized documents that use a tactic previously not observed in use by the Sofacy group.\r\nWeaponizing documents to exploit known Microsoft Word vulnerabilities is a common tactic deployed by many\r\nadversary groups, but in this example, we discovered RTF documents containing embedded OLE Word documents\r\nfurther containing embedded Adobe Flash (.SWF) files, designed to exploit Flash vulnerabilities rather than\r\nMicrosoft Word. We have named the tool that generates these documents DealersChoice.\r\nIn addition to the discovery of this new tactic, we were able to identify two different variants of the embedded\r\nSWF files: the first is a standalone version containing a compressed payload, which we have dubbed\r\nDealersChoice.A, and the second is a much more modular version deploying additional anti-analysis\r\ntechniques, which we have dubbed DealersChoice.B. The unearthing of DealersChoice.B suggests a possible code\r\nevolution of the initial DealersChoice.A variant. Also, artifacts within DealersChoice suggest that Sofacy created\r\nit with the intention of targeting both Windows and OSX operating systems, as DealersChoice could potentially be\r\ncross-platform due to its use of Adobe Flash files.\r\nTargeting data for Sofacy group attacks remains limited, but we were able to identify a Ukrainian-based defense\r\ncontractor as well as the Ministry of Foreign Affairs of a nation state in that same region as being targeted by these\r\nattacks. 
The following post focuses on our study of DealersChoice, though it is worth noting that the U.S.\r\ngovernment has recently attributed many of the same indicators of compromise associated with this entity during\r\nthe DNC intrusion to Russia. (Sofacy, also known as APT 28, is a group commonly attributed to Russia.)\r\nDealersChoice Attacks\r\nBased on our telemetry, the attacks delivering DealersChoice documents occurred in August 2016 and focused\r\nprimarily on organizations in countries that were former Soviet republics. These malicious documents\r\nwere delivered to a Ukrainian-based defense contractor as well as a Ministry of Foreign Affairs of a nation state in\r\nthe same region, both via phishing attacks.\r\nWe were able to collect the actual phishing email targeting the Ukrainian-based defense contractor, which can be\r\nseen in Figure 1. The email shows a fairly well-crafted phish, which had a spoofed sender address masquerading\r\nas part of the European Parliament’s Press Unit and used an existing person’s signature block to increase the\r\nappearance of legitimacy. The file attachment is a sample of the DealersChoice.A variant named Bulletin.doc\r\ncontaining details about a possible Russian invasion of Ukraine.\r\nhttps://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/\r\nPage 1 of 11\n\nFigure 1 Attack Email Delivered to Ukrainian defense organization and MFA of nearby country\r\nIf the recipient opens the Bulletin.doc attachment, a decoy document is displayed that has a title of “Russian\r\ninvasion possible ‘at any minute’”, as seen in Figure 2. 
The contents of the decoy document were copied and\r\npasted from an August 7, 2016 article posted at the Irish Times with very little modification.\r\nFigure 2 Decoy document displayed by DealersChoice documents on Possible Russian Invasion of Ukraine\r\nDuring our analysis of the DealersChoice delivery document, we found a second, albeit different, version of\r\nDealersChoice for which we do not have the associated targeting information, although we believe it was delivered in\r\nanother phishing attack. This additional sample also opened a decoy document, which in this case was a document\r\ndetailing Turkish politics. Again, it appears the threat actors took content from an online news article, as the\r\ncontents of this decoy document match an August 4, 2016 article posted to the Huffington Post. Figure 3 shows\r\nthis decoy content; in this case the threat actors appear to have been less careful when they copied and pasted the\r\ncontent, as they introduced a spelling error (see “STANBUL”) at the beginning of the document.\r\nFigure 3 Decoy document opened by the additional DealersChoice sample\r\nDeal with it\r\nWhile the decoy documents are displayed to the victim, the DealersChoice delivery document is busy carrying out\r\nmalicious activities in an attempt to exploit the system. As previously mentioned, we have seen two different\r\nvariations of DealersChoice. Both variations share a common core of components; however, how they exploit\r\nvulnerabilities and install the payload is markedly different. 
We will describe specifics on how both\r\nDealersChoice.A and DealersChoice.B operate in further sub-sections; however, we need to first describe the core\r\ncomponents shared between the two.\r\nAt face value, DealersChoice is a rich text file (RTF) that has two responsibilities: display the decoy content\r\nembedded within the RTF and load an embedded Word document (OLE). The Word document loads an\r\nembedded Flash file (SWF), which ultimately executes ActionScript that begins the malicious activity on the\r\nsystem. The ActionScript within the embedded Flash file, specifically the code and the actions it carries out, is\r\nwhere the two variants of DealersChoice differ. As depicted in the diagram in Figure 4, the ActionScript in\r\nDealersChoice.A checks the version of Flash player and attempts to exploit a vulnerability by loading one of three\r\nembedded Flash files (SWF) to install an embedded payload. The ActionScript in DealersChoice.B differs\r\ndramatically, as it contacts a C2 server to receive a Flash file and a payload in order to exploit a vulnerability and\r\ninstall a Trojan.\r\nFigure 4 DealersChoice variants A and B use different approaches to achieve the same goal\r\nAs you can see, DealersChoice.A is more of a standalone toolkit with all components embedded within one file,\r\nwhereas DealersChoice.B requires an active C2 server to obtain additional resources required to exploit the\r\nsystem. 
The filename “allInFlash.swf” of the Flash file embedded in the Word document of DealersChoice.A\r\nsuggests its author intended it to be standalone as well.\r\nDealersChoice.A\r\nThe DealersChoice.A variant is a standalone tool that contains all the necessary components to exploit the system.\r\nBased on embedded metadata, the DealersChoice.A SWF file was created on August 15, 2016, which is the same\r\nday as the attack on the Ukrainian defense organization and a day before the attack on the targeted Ministry\r\nof Foreign Affairs.\r\nThe Flash SWF file that contained the malicious ActionScript also had four files embedded within it, named\r\nExtSwf, ExtSwf1, ExtSwf2 and Main22_Pay. The ActionScript uses the zlib library to decompress the\r\nMain22_Pay file, which contains the shellcode and the payload that the shellcode will install on the system. The\r\nActionScript will check the version of Flash player and will use zlib to decompress, followed by a decryption\r\nroutine (0xb7 as the key), one of the ExtSwf, ExtSwf1 or ExtSwf2 files, loading the result as an embedded SWF. The following\r\nActionScript shows the custom algorithm that will decrypt the embedded SWF file:\r\nprivate function unpack(ciphertext:ByteArray, akey:uint) : ByteArray\r\n{\r\n  ciphertext.position = 0;\r\n  var key:uint = akey;\r\n  var count:uint = 0;\r\n  while(count \u003c ciphertext.length)\r\n  {\r\n    key = key \u003e\u003e 1 ^ ((key \u0026 64) \u003e\u003e 6 ^ (key \u0026 32) \u003e\u003e 5 ^ (key \u0026 2) \u003e\u003e 1 ^ (key \u0026 8) \u003e\u003e 3) \u003c\u003c 7;\r\n    ciphertext[count] = ciphertext[count] ^ key;\r\n    count++;\r\n  }\r\n  ciphertext.position = 0;\r\n  ciphertext.uncompress();\r\n  ciphertext.position = 0;\r\n  return ciphertext;\r\n}\r\nThe decrypted embedded SWF contains ActionScript that attempts to exploit a vulnerability. 
The purpose of the\r\naforementioned version check is to make sure that the correct malicious ActionScript is executed to exploit a\r\nvulnerability present in the installed version of Flash player. Table 1 shows the range of Flash player versions within\r\nDealersChoice.A, the embedded SWF file loaded and the associated vulnerability exploited by the loaded SWF.\r\nTable 1 Versions of Flash player DealersChoice.A looks for and the associated vulnerability exploited\r\nIt appears the author(s) of DealersChoice did extensive research, as the range of versions for each vulnerability\r\naligns with the vulnerable versions as described in the vendor’s advisory. It should also be noted that if the Flash\r\nversion on the system is not within these ranges, DealersChoice will not load any of the malicious SWF files and\r\ntherefore will not attempt to exploit the system.\r\nThe result of exploiting any of the vulnerabilities listed in Table 1 is the execution of shellcode from the\r\nMain22_Pay file embedded within the SWF. The shellcode appears to use the Mersenne Twister algorithm with an\r\ninitial seed value of 0xD01A7C2 to generate a pseudo-random number to use as a key to decrypt an embedded\r\npayload. Once decrypted, the shellcode installs the payload to %APPDATA%\\Local\\nshwmpfs.dll (SHA256:\r\n73db52c0d4e31a00030b47b4f0fa7125000b19c6c9d462c3d0ce0f9d68f04e4c). The shellcode also creates the\r\nfollowing registry key for persistence, which is the Office Test Persistence method used by Sofacy in previous\r\nattacks:\r\nHKCU\\Software\\Microsoft\\Office test\\Special\\Perf:\r\nUsers\\Administrator\\AppData\\Local\\nshwmpfs.dll\r\nThe ‘nshwmpfs.dll’ payload is a sample of Sofacy’s Carberp-based tool, which is very similar to the payload we\r\ndescribed in our previous blog. 
This payload communicates with servicecdp[.]com as its C2 server, which is also\r\nmentioned in our prior blog, which suggests the Sofacy group is reusing their infrastructure across separate\r\nattacks.\r\nWhile analyzing DealersChoice.A, we found an interesting artifact in the \"ExtSwf\" SWF file, which sets a flag\r\nwith the following line of code if the system is running on Apple's OSX operating system:\r\nstatic var _osx = System.capabilities.version.toUpperCase().indexOf(\"MAC\") \u003e= 0;\r\nThis artifact is interesting as the shellcode executed relies on Windows APIs and the payload installed is a\r\nWindows DLL that would not run on OSX. This flag does suggest that the threat actors do consider the OSX\r\noperating system when developing their malicious exploit code in cross-platform file types, such as Flash SWF\r\nfiles. While we cannot confirm this, it is possible that the threat actors could use DealersChoice.A to exploit and\r\nload an OSX Trojan if prepared with the appropriate shellcode.\r\nDealersChoice.B\r\nWhile researching DealersChoice.A, we found DealersChoice.B delivery documents that shared many of the same\r\nattributes but were newer, as the metadata within the embedded Flash file suggests they were created on August\r\n25, 2016. DealersChoice.B documents are slightly different from their predecessors, specifically in that they do not\r\ncontain three separate SWF files to exploit vulnerabilities on the system. Instead, DealersChoice.B relies on an\r\nactive C2 server to provide a malicious SWF file to exploit a vulnerability, as well as the payload to execute. We\r\npresume that the threat actor checks the version of Flash player at the C2 and loads the malicious exploit code on\r\nthe fly. We named these documents DealersChoice.B based on this difference. 
During our analysis, the C2 server\r\nwas not operational, so we were unable to obtain the malicious SWF or payload associated with this delivery\r\ndocument.\r\nThe core components of DealersChoice are present in variant B, specifically an RTF file with an embedded Word\r\ndocument that loads an embedded Flash file (SWF). However, the Flash file in variant B is different from its\r\npredecessor, as it contains one embedded file named Main64_Pay. The Main64_Pay file is decompressed using\r\nthe zlib library and decrypted using the same algorithm as discussed in the DealersChoice.A section, but using\r\n0x8f as a key instead of 0xb7. When loaded, Main64_Pay runs ActionScript in a function named “Main32”, which\r\nbegins creating and sending an HTTP GET request to the following URL:\r\nhttp://appexsrv[.]net/search.php?\u003cCapabilities.serverString\u003e\r\nThe \u003cCapabilities.serverString\u003e portion of the URL is the output of the read-only string provided within the\r\nflash.system.Capabilities.serverString property, which contains a string of system-specific information that the\r\nwebserver can use to determine the system's operating system, Flash version and more. During our analysis, the\r\nHTTP GET request appeared as the following, which shows the system-specific information sent to the C2 server:\r\nWe believe the threat actors use the system information in this beacon for the following reasons (and possibly\r\nothers):\r\n1. Determine the version of Flash to serve an appropriate malicious SWF to exploit a vulnerability in that\r\nversion of Flash\r\n2. Determine the operating system to provide the appropriate payload, possibly making this a cross-platform\r\nexploit framework\r\n3. 
Filter out analysis systems based on operating system, architecture, screen resolution and/or language\r\nIf the C2 server is operational, it is going to respond to the beacon to “server.php” with data that include variables\r\nnamed \"k1\",\"k2\",\"k3\" and \"k4\". The function is going to use the value in the \"k1\" variable in another HTTP\r\nrequest to the following URL:\r\nhttp://appexsrv[.]net/api/v1/\u003ck1 variable\u003e/\u003cCapabilities.serverString\u003e\r\nThe C2 will respond to this request with a compressed and encrypted SWF file as the response data. The function\r\nuses the \"k3\" variable as a key to decrypt the SWF using the same encryption algorithm, and will then make\r\nanother request to the following URL:\r\nhttp://appexsrv[.]net/api/v1/\u003ck2 variable\u003e/\u003cCapabilities.serverString\u003e\r\nThe C2 server will respond to this request with compressed and encrypted binary data that the function will\r\ndecrypt using the \"k4\" variable as a key using the same encryption algorithm. The decrypted binary data is the\r\npayload that is loaded into memory, suggesting the payload provided by the C2 server will be similar to the\r\npayload embedded in the other version of this toolkit, specifically starting with shellcode that decrypts and installs\r\nan embedded DLL.\r\nInfrastructure\r\nAmongst the two known DealersChoice variants, DealersChoice.A was found to drop a payload onto the victim\r\nhost after exploiting an available Adobe Flash vulnerability, which then communicated with a C2 server located at\r\nservicecdp[.]com. This C2 was previously reported on by Unit 42 in a June 2016 blog regarding an attack\r\ncampaign targeting government organizations. 
The payload discovered communicating to servicecdp[.]com in\r\nJune was then linked to other Sofacy group attacks in that time frame using the same Microsoft Word DLL side-loading technique.\r\nWhile we were unable to retrieve the payload for DealersChoice.B, we were able to identify appexsrv[.]net as the\r\nC2 server used to deliver the malicious exploit code and the payload. Examination of passive DNS records did not\r\nshow overlaps with previous attack campaigns, but we were able to identify two other domains, appexrv[.]com\r\nand upmonserv[.]net, registered by the same email address, Kellen.green82@mail.com. These additional domains\r\ndo not appear to be active C2s at this time. Figure 5 shows the infrastructure and samples associated with\r\nDealersChoice.\r\nFigure 5 Infrastructure and samples associated with DealersChoice\r\nEvidence of a Tiered Infrastructure\r\nThe remote server used by DealersChoice.B to obtain its malicious exploit code and its payload is appexsrv[.]net\r\n(resolved to 95.183.50.23). During our analysis, the remote server did not serve a SWF file or a payload, but\r\ninstead it responded with the following HTTP 503 error, which is quite interesting:\r\nHTTP/1.1 503 Service Unavailable\r\nServer: squid\r\nMime-Version: 1.0\r\nDate: Wed, 05 Oct 2016 13:12:12 GMT\r\nContent-Type: text/html\r\nContent-Length: 0\r\nX-Squid-Error: ERR_CONNECT_FAIL 110\r\nConnection: keep-alive\r\nThe HTTP 503 error shows that the server at 95.183.50.23 is running a Squid HTTP proxy. The response shows\r\nthat the proxy was unable to connect to the server that the proxy is configured to communicate with, specifically with a\r\n110 error that occurs when the connection timed out. This suggests that the server is most likely set up as a\r\ntransparent proxy to forward HTTP requests to another server. 
The use of this Squid proxy suggests the threat\r\nactors want to conceal the true location of their C2 server.\r\nConclusion\r\nDealersChoice is an exploit platform that allows the Sofacy threat group to exploit vulnerabilities in Adobe Flash.\r\nCross-platform exploits are obviously a focus for Sofacy, as they included checks within DealersChoice to\r\ndetermine the operating system of the targeted system. These checks were specifically for Apple’s OS X operating\r\nsystem, which, coupled with our discovery of Sofacy’s Komplex OSX Trojan, suggests that this threat group is\r\ncapable of operating in both Windows and Apple environments. Our analysis of DealersChoice has also led us to\r\nthe discovery of a potential tiered infrastructure that leverages transparent proxies to hide the true location of\r\nSofacy’s C2 servers.\r\nPalo Alto Networks customers are protected from DealersChoice delivery documents and the Sofacy Carberp\r\npayload via:\r\nWildFire detection of all known samples as malicious\r\nAll known C2s are classified as malicious in PAN-DB\r\nTraps was able to block exploit code used by DealersChoice\r\nAutoFocus customers can gather additional information on DealersChoice and Sofacy Carberp via:\r\nAutoFocus tags have been created for DealersChoice\r\nPayload matches the SofacyCarberp tag in AutoFocus\r\nIndicators of Compromise\r\nDealersChoice.A\r\ndc2c3314ef4e6186b519af29a246679caa522acd0c44766ecb9df4d2d5f3995b\r\nDealersChoice.B\r\ncc68ed96ef3a67b156565acbea2db8ed911b2b31132032f3ef37413f8e2772c5\r\naf9c1b97e03c0e89c5b09d6a7bd0ba7eb58a0e35908f5675f7889c0a8273ec81\r\nDealersChoice.B C2\r\nappexsrv[.]net\r\nSofacy Carberp\r\n73db52c0d4e31a00030b47b4f0fa7125000b19c6c9d462c3d0ce0f9d68f04e4c\r\nSofacy Carberp C2\r\nservicecdp[.]com\r\nSource: 
https://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/"
	],
	"report_names": [
		"unit42-dealerschoice-sofacys-flash-player-exploit-platform"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434325,
	"ts_updated_at": 1775826731,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d435a1d7662f1012529533d80ad9d820f49678a9.pdf",
		"text": "https://archive.orkl.eu/d435a1d7662f1012529533d80ad9d820f49678a9.txt",
		"img": "https://archive.orkl.eu/d435a1d7662f1012529533d80ad9d820f49678a9.jpg"
	}
}