{
	"id": "1587ab41-8435-4795-85d4-375d74527a5b",
	"created_at": "2026-04-06T01:31:23.002654Z",
	"updated_at": "2026-04-10T03:38:03.383082Z",
	"deleted_at": null,
	"sha1_hash": "d44bca15032e689218f2b89194f665abab317948",
	"title": "Turla, Waterbug, Venomous Bear - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 141354,
	"plain_text": "Turla, Waterbug, Venomous Bear - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-06 00:46:08 UTC\r\n APT group: Turla, Waterbug, Venomous Bear\r\nNames\r\nTurla (Kaspersky)\r\nWaterbug (Symantec)\r\nVenomous Bear (CrowdStrike)\r\nGroup 88 (Talos)\r\nSIG2 (NSA)\r\nSIG15 (NSA)\r\nSIG23 (NSA)\r\nIron Hunter (SecureWorks)\r\nCTG-8875 (SecureWorks)\r\nPacifier APT (Bitdefender)\r\nATK 13 (Thales)\r\nITG12 (IBM)\r\nMakersmark (ESET)\r\nKrypton (Microsoft)\r\nBelugasturgeon (Accenture)\r\nPopeye (?)\r\nWraith (?)\r\nTAG-0530 (Recorded Future)\r\nUNC4210 (Mandiant)\r\nSUMMIT (Google)\r\nSecret Blizzard (Microsoft)\r\nPensive Ursa (Palo Alto)\r\nBlue Python (PWC)\r\nG0010 (MITRE)\r\nCountry Russia\r\nSponsor\r\nState-sponsored, FSB Centre 16L: Radio-Electronic Intelligence on Communications Facilities, Post\r\nNumber 71330\r\nMotivation Information theft and espionage\r\nFirst seen 1996\r\nDescription Turla is a Russian-based threat group that has infected victims in over 45 countries, spanning a range\r\nof industries including government, embassies, military, education, research and pharmaceutical\r\ncompanies since 2004. Heightened activity was seen in mid-2015. Turla is known for conducting\r\nwatering hole and spear-phishing campaigns and leveraging in-house tools and malware. 
Turla’s\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=ebff5365-ae36-4e47-a310-28c1f3be0b3a\r\nPage 1 of 7\n\nespionage platform is mainly used against Windows machines, but has also been seen used against\nmacOS and Linux machines.\nTurla has been known to also infiltrate malicious infrastructure from other APT groups such as\nTransparent Tribe, APT 36 in 2022.\nObserved\nSectors: Aerospace, Defense, Education, Embassies, Energy, Government, High-Tech, IT, Media,\nNGOs, Pharmaceutical, Research, Retail.\nCountries: Afghanistan, Algeria, Armenia, Australia, Austria, Azerbaijan, Belarus, Belgium, Bolivia,\nBotswana, Brazil, China, Chile, Denmark, Ecuador, Estonia, Finland, France, Georgia, Germany,\nHong Kong, Hungary, India, Indonesia, Iran, Iraq, Italy, Jamaica, Jordan, Kazakhstan, Kyrgyzstan,\nKuwait, Latvia, Mexico, Netherlands, Pakistan, Paraguay, Poland, Qatar, Romania, Russia, Serbia,\nSpain, Saudi Arabia, South Africa, Sweden, Switzerland, Syria, Tajikistan, Thailand, Tunisia,\nTurkmenistan, UK, Ukraine, Uruguay, USA, Uzbekistan, Venezuela, Vietnam, Yemen.\nTools used\nAdobeARM, Agent.BTZ, Agent.DNE, ApolloShadow, ASPXSpy, ATI-Agent, certutil, CloudDuke,\nCobra Carbon System, COMpfun, ComRAT, Crutch, DoublePulsar, EmpireProject, Epic,\nEternalBlue, EternalRomance, Gazer, gpresult, HTML5 Encoding, HyperStack, IcedCoffee,\nIronNetInjector, Kazuar, KopiLuwak, KSL0T, LightNeuron, Maintools.js, Metasploit, Meterpreter,\nMiamiBeach, Mimikatz, Mosquito, Nautilus, nbtscan, nbtstat, Neptun, NetFlash, NETVulture,\nNeuron, NewPass, Outlook Backdoor, Penquin Turla, PowerShellRunner-based RPC backdoor,\nPowerStallion, PsExec, pwdump, PyFlash, RocketMan, Satellite Turla, SScan, Skipper, SMBTouch,\nTinyTurla, TinyTurla-NG, Topinambour, Tunnus, TurlaChopper, Uroburos, Windows Credentials\nEditor, WhiteAtlas, WITCHCOVEN, Living off the Land.\nOperations performed\n1996\nOperation “Moonlight Maze”\nThat is why our experts, aided by researchers from King’s College London, 
have\ncarefully studied Moonlight Maze — one of the first widely known cyberespionage\ncampaigns, active since at least 1996. It is of particular interest because several\nindependent experts from countries have voiced the proposition that it is associated\nwith a much more modern — and still active — group, the authors of the Turla APT\nattack.\nNov 2008\nBreach of the US Department of Defense\nThe investigation was called “Operation Buckshot Yankee” and led to the\nestablishment of U.S. Cyber Command.\n2013\nOperation “Epic Turla”\nOver the last 10 months, Kaspersky Lab researchers have analyzed a massive cyber-espionage operation which we call “Epic Turla”. The attackers behind Epic Turla have\ninfected several hundred computers in more than 45 countries, including government\ninstitutions, embassies, military, education, research and pharmaceutical companies.\n2014\nBreach of the Swiss military firm RUAG\nDec 2014\nOperation “Penguin Turla”\nThe Turla APT campaigns have a broader reach than initially anticipated after the\nrecent discovery of two modules built to infect servers running Linux. Until now,\nevery Turla sample in captivity was designed for either 32- or 64-bit Windows\nsystems, but researchers at Kaspersky Lab have discovered otherwise.\n2015\nOperation “Satellite Turla”\nObviously, such incredibly apparent and large-scale attacks have little chance of\nsurviving for long periods of time, which is one of the key requirements for running an\nAPT operation. It is therefore not very feasible to perform the attack through MitM\ntraffic hijacking, unless the attackers have direct control over some high-traffic\nnetwork points, such as backbone routers or fiber optics. 
There are signs that such\nattacks are becoming more common, but there is a much simpler way to hijack\nsatellite-based Internet traffic.\n2015\nOperation “WITCHCOVEN”\nWhen an unsuspecting user visits any of the over 100 compromised websites, a small\npiece of inserted code—embedded in the site’s HTML and invisible to casual visitors\n—quietly redirects the user’s browser to a second compromised website without the\nuser’s knowledge. This second website hosts the WITCHCOVEN script, which uses\nprofiling techniques to collect technical information on the user’s computer. As of\nearly November 2015, we identified a total of 14 websites hosting the WITCHCOVEN\nprofiling script.\n2015\nESET researchers found a previously undocumented backdoor and document stealer.\nDubbed Crutch by its developers, we were able to attribute it to the infamous Turla\nAPT group. According to our research, it was used from 2015 to, at least, early 2020.\nNov 2016\nOperation “Skipper Turla”\nOn 28 January 2017, John Lambert of Microsoft (@JohnLaTwC) tweeted about a\nmalicious document that dropped a “very interesting .JS backdoor“. Since the end of\nNovember 2016, Kaspersky Lab has observed Turla using this new JavaScript payload\nand specific macro variant.\n2017\nOperation “Turla Mosquito”\nESET researchers have observed a significant change in the campaign of the infamous\nespionage group\nMar 2017 New versions of Carbon\nThe Turla espionage group has been targeting various institutions for many years.\nRecently, we found several new versions of Carbon, a second stage backdoor in the\nTurla group arsenal.\nMay 2017\nNew backdoor Kazuar\nJun 2017\nSome of the tactics used in APT attacks die hard. A good example is provided by\nTurla’s watering hole campaigns. 
Turla, which has been targeting governments,\ngovernment officials and diplomats for years – see, as an example, this recent paper –\nis still using watering hole techniques to redirect potentially interesting victims to their\nC\u0026C infrastructure. In fact, they have been using them since at least 2014 with very\nfew variations in their modus operandi.\nJul 2017\nRussian malware link hid in a comment on Britney Spears’ Instagram\nThe Slovak IT security company ESET Security released a report yesterday detailing a\ncleverly hidden example of such a post. And its hideout? A Britney Spears photo.\nAmong the nearly 7,000 comments written on the performer’s post (shown below) was\none that could easily pass as spam.\nAug 2017\nNew backdoor Gazer\nAug 2017\nIn this case, the dropper is being delivered with a benign and possibly stolen decoy\ndocument inviting recipients to a G20 task force meeting on the “Digital Economy”.\nThe Digital Economy event is actually scheduled for October of this year in Hamburg,\nGermany.\nJan 2018\nA notorious hacking group is targeting the UK with an updated version of malware\ndesigned to embed itself into compromised networks and stealthily conduct espionage.\nBoth the Neuron and Nautilus malware variants have previously been attributed to the\nTurla advanced persistent threat group, which regularly carries out cyber-espionage\nagainst a range of targets, including government, military, technology, energy, and\nother commercial organisations.\nJan 2018\nEspionage Group Rolls Out Brand-New Toolset in Attacks Against Governments\nWaterbug may have hijacked a separate espionage group’s infrastructure during one\nattack against a Middle Eastern target.\nMar 2018\nStarting in March 2018, we observed a significant change in the campaign: it now\nleverages the open source exploitation framework Metasploit before dropping the\ncustom Mosquito 
backdoor.\n2018\nMuch of our 2018 research focused on Turla’s KopiLuwak javascript backdoor, new\nvariants of the Carbon framework and meterpreter delivery techniques. Also\ninteresting was Mosquito’s changing delivery techniques, customized PoshSec-Mod\nopen-source powershell use, and borrowed injector code. We tied some of this activity\ntogether with infrastructure and data points from WhiteBear and Mosquito\ninfrastructure and activity in 2017 and 2018.\nEarly 2019\n2019 has seen the Turla actor actively renew its arsenal. Its developers are still using a\nfamiliar coding style, but they’re creating new tools. Here we’ll tell you about several\nof them, namely “Topinambour” (aka Sunchoke – the Jerusalem artichoke) and its\nrelated modules. We didn’t choose to name it after a vegetable; the .NET malware\ndevelopers named it Topinambour themselves.\nApr 2019\nCOMpfun successor Reductor infects files on the fly to compromise TLS traffic\nMay 2019\nTurla, also known as Snake, is an infamous espionage group recognized for its\ncomplex malware. To confound detection, its operators recently started using\nPowerShell scripts that provide direct, in-memory loading and execution of malware\nexecutables and libraries. This allows them to bypass detection that can trigger when a\nmalicious executable is dropped on disk.\n2019\nTurla accessed and used the Command and Control (C2) infrastructure of Iranian APTs\nto deploy their own tools to victims of interest. Turla directly accessed ‘Poison Frog’\nC2 panels from their own infrastructure and used this access to task victims to\ndownload additional tools.\nSep 2019\nESET researchers found a watering hole (aka strategic web compromise) operation\ntargeting several high-profile Armenian websites. 
It relies on a fake Adobe Flash\nupdate lure and delivers two previously undocumented pieces of malware we have\ndubbed NetFlash and PyFlash.\nNov 2019\nCOMpfun authors spoof visa application with HTTP status-based Trojan\nJan 2020 During our investigation, we were able to identify three different targets where\nComRAT v4 has been used:\n• Two Ministries of Foreign Affairs in Eastern Europe\n• One national parliament in the Caucasus region\nJun 2020\nAt the best of our knowledge, this time the hacking group used a previously unseen\nimplant, that we internally named “NewPass“ as one of the parameters used to send\nexfiltrated data to the command and control.\nJun 2020\nAccenture Cyber Threat Intelligence researchers identified a Turla compromise of a\nEuropean government organization. During this compromise Turla utilized a\ncombination of remote procedure call (RPC)-based backdoors, such as HyperStack and\nremote administration trojans (RATs), such as Kazuar and Carbon, which ACTI\nresearchers analyzed between June and October 2020.\nJan 2021\nIn January 2021, ESET Research uncovered a new backdoor on a server belonging to a\nMinistry of Foreign Affairs in Eastern Europe.\nFeb 2021\nIronNetInjector: Turla’s New Malware Loading Tool\nSep 2021\nTinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines\nMar 2022\nTurla, a group publicly attributed to Russia’s Federal Security Service (FSB), recently\nhosted Android apps on a domain spoofing the Ukrainian Azov Regiment.\nApr 2022\nTurla, a group TAG attributes to Russia FSB, continues to run campaigns against the\nBaltics, targeting defense and cybersecurity organizations in the region.\nMay 2022\nTURLA’s new phishing-based reconnaissance campaign in Eastern Europe\nSep 2022\nTurla: A Galaxy of Opportunity\nJul 2023\nMicrosoft: Hackers turn Exchange servers into malware control 
centers\nDec 2022\nSnowblind: The Invisible Hand of Secret Blizzard\nJul 2023\nOver the Kazuar’s Nest: Cracking Down on a Freshly Hatched Backdoor Used by\nPensive Ursa (Aka Turla)\nDec 2023\nTinyTurla Next Generation - Turla APT spies on Polish NGOs\n2024\nFrozen in transit: Secret Blizzard’s AiTM campaign against diplomats\nInformation\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=ebff5365-ae36-4e47-a310-28c1f3be0b3a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=ebff5365-ae36-4e47-a310-28c1f3be0b3a"
	],
	"report_names": [
		"showcard.cgi?u=ebff5365-ae36-4e47-a310-28c1f3be0b3a"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"ITG12",
				"KRYPTON",
				"MAKERSMARK",
				"Pensive Ursa",
				"Secret Blizzard",
				"Turla",
				"UAC-0003",
				"UAC-0024",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a370eef5-5d11-4fda-ad85-f9be60a28d05",
			"created_at": "2023-01-06T13:46:38.717707Z",
			"updated_at": "2026-04-10T02:00:03.077727Z",
			"deleted_at": null,
			"main_name": "White Bear",
			"aliases": [
				"Skipper Turla"
			],
			"source_name": "MISPGALAXY:White Bear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-10T02:00:04.768142Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439083,
	"ts_updated_at": 1775792283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d44bca15032e689218f2b89194f665abab317948.pdf",
		"text": "https://archive.orkl.eu/d44bca15032e689218f2b89194f665abab317948.txt",
		"img": "https://archive.orkl.eu/d44bca15032e689218f2b89194f665abab317948.jpg"
	}
}