{
	"id": "cd4b6e69-f27a-47d2-8714-59f4aeb93bde",
	"created_at": "2026-04-06T00:07:09.544782Z",
	"updated_at": "2026-04-10T03:37:37.057305Z",
	"deleted_at": null,
	"sha1_hash": "d4589b22af21509f6cd1c8477fadd56fcf34cbe2",
	"title": "New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1096225,
	"plain_text": "New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit\r\nBy Mandiant\r\nPublished: 2017-12-07 · Archived: 2026-04-05 13:50:47 UTC\r\nWritten by: Manish Sardiwal, Vincent Cannon, Nalani Fraser, Yogesh Londhe, Nick Richard, Jacqueline O'Leary\r\nLess than a week after Microsoft issued a patch for CVE-2017-11882 on Nov. 14, 2017, FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East. We assess this activity was carried out by a suspected Iranian cyber espionage threat group, whom we refer to as APT34, using a custom PowerShell backdoor to achieve its objectives.\r\nWe believe APT34 is involved in a long-term cyber espionage operation largely focused on reconnaissance efforts to benefit Iranian nation-state interests and has been operational since at least 2014. This threat group has conducted broad targeting across a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. We assess that APT34 works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.\r\nAPT34 uses a mix of public and non-public tools, often conducting spear phishing operations using compromised accounts, sometimes coupled with social engineering tactics. In May 2016, we published a blog detailing a spear phishing campaign targeting banks in the Middle East region that used macro-enabled attachments to distribute POWBAT malware. We now attribute that campaign to APT34. 
In July 2017, we observed APT34 targeting a Middle East organization using a PowerShell-based backdoor that we call POWRUNER and a downloader with domain generation algorithm functionality that we call BONDUPDATER, based on strings within the malware. The backdoor was delivered via a malicious .rtf file that exploited CVE-2017-0199.\r\nIn this latest campaign, APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER.\r\nThe full report on APT34 is available to our MySIGHT customer community. APT34 loosely aligns with public reporting related to the group \"OilRig\". As individual organizations may track adversaries using varied data sets, it is possible that our classifications of activity may not wholly align.\r\nCVE-2017-11882: Microsoft Office Stack Memory Corruption Vulnerability\r\nCVE-2017-11882 affects several versions of Microsoft Office and, when exploited, allows a remote user to run arbitrary code in the context of the current user as a result of improperly handling objects in memory. The vulnerability was patched by Microsoft on Nov. 14, 2017. A full proof of concept (POC) was publicly released a week later by the reporter of the vulnerability.\r\nhttps://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html\r\nPage 1 of 11\n\nThe vulnerability exists in the old Equation Editor (EQNEDT32.EXE), a component of Microsoft Office that is used to insert and evaluate mathematical formulas. The Equation Editor is embedded in Office documents using object linking and embedding (OLE) technology. It is created as a separate process instead of as a child process of Office applications. If a crafted formula is passed to the Equation Editor, it does not check the data length properly while copying the data, which results in stack memory corruption. 
As EQNEDT32.EXE is compiled using an older compiler and does not support address space layout randomization (ASLR), a technique that guards against the exploitation of memory corruption vulnerabilities, the attacker can easily alter the flow of program execution.\r\nAnalysis\r\nAPT34 sent a malicious .rtf file (MD5: a0e6933f4e0497269620f44a083b2ed4) as an attachment in a spear phishing email sent to the victim organization. The malicious file exploits CVE-2017-11882, which corrupts memory on the stack and then pushes the malicious data onto the stack. The malware then overwrites the function address with the address of an existing instruction in EQNEDT32.EXE. The overwritten instruction (displayed in Figure 1, at 00430c12) calls the “WinExec” function from kernel32.dll.\r\nFigure 1: Disassembly of overwritten function address\r\nAfter exploitation, the ‘WinExec’ function is successfully called to create a child process, “mshta.exe”, in the context of the currently logged-on user. The process “mshta.exe” downloads a malicious script from hxxp://mumbai-m[.]site/b.txt and executes it, as seen in Figure 2.\r\nFigure 2: Attacker data copied to corrupt stack buffer\r\nExecution Workflow\r\nThe malicious script goes through a series of steps to successfully execute and ultimately establish a connection to the command and control (C2) server. The full sequence of events starting with the exploit document is illustrated in Figure 3.\r\nFigure 3: CVE-2017-11882 and POWRUNER attack sequence\r\n1. The malicious .rtf file exploits CVE-2017-11882.\r\n2. The malware overwrites the function address with an existing instruction from EQNEDT32.EXE.\r\n3. 
The malware creates a child process, “mshta.exe,” which downloads a file from hxxp://mumbai-m[.]site/b.txt.\r\n4. b.txt contains a PowerShell command to download a dropper from hxxp://dns-update[.]club/v.txt. The PowerShell command also renames the downloaded file from v.txt to v.vbs and executes the script.\r\n5. The v.vbs script drops four components (hUpdateCheckers.base, dUpdateCheckers.base, cUpdateCheckers.bat, and GoogleUpdateschecker.vbs) to the directory:\r\nC:\\ProgramData\\Windows\\Microsoft\\java\\\r\n6. v.vbs uses CertUtil.exe, a legitimate Microsoft command-line program installed as part of Certificate Services, to decode the base64-encoded files hUpdateCheckers.base and dUpdateCheckers.base, and drop hUpdateCheckers.ps1 and dUpdateCheckers.ps1 to the staging directory.\r\n7. cUpdateCheckers.bat is launched and creates a scheduled task for GoogleUpdateschecker.vbs persistence.\r\n8. GoogleUpdateschecker.vbs is executed after sleeping for five seconds.\r\n9. cUpdateCheckers.bat and *.base are deleted from the staging directory.\r\nFigure 4 contains an excerpt of the v.vbs script pertaining to the Execution Workflow section.\r\nFigure 4: Execution Workflow Section of v.vbs\r\nAfter successful execution of the steps mentioned in the Execution Workflow section, the Task Scheduler will launch GoogleUpdateschecker.vbs every minute, which in turn executes the dUpdateCheckers.ps1 and hUpdateCheckers.ps1 scripts. These PowerShell scripts are final-stage payloads: they include a downloader with domain generation algorithm (DGA) functionality and the backdoor component, which connect to the C2 server to receive commands and perform additional malicious activities.\r\nhUpdateCheckers.ps1 (POWRUNER)\r\nThe backdoor component, POWRUNER, is a PowerShell script that sends and receives commands to and from the C2 server. 
POWRUNER is executed every minute by the Task Scheduler. Figure 5 contains an excerpt of the POWRUNER backdoor.\r\nFigure 5: POWRUNER PowerShell script hUpdateCheckers.ps1\r\nPOWRUNER begins by sending a random GET request to the C2 server and waits for a response. The server will respond with either “not_now” or a random 11-digit number. If the response is a random number, POWRUNER will send another random GET request to the server and store the response in a string. POWRUNER will then check the last digit of the stored random number response, interpret the value as a command, and perform an action based on that command. The command values and the associated actions are described in Table 1.\r\nCommand | Description | Action\r\n0 | Server response string contains batch commands | Execute batch commands and send results back to server\r\n1 | Server response string is a file path | Check for file path and upload (PUT) the file to server\r\n2 | Server response string is a file path | Check for file path and download (GET) the file\r\nTable 1: POWRUNER commands\r\nAfter successfully executing the command, POWRUNER sends the results back to the C2 server and stops execution.\r\nThe C2 server can also send a PowerShell command to capture and store a screenshot of a victim’s system. POWRUNER will send the captured screenshot image file to the C2 server if the “fileupload” command is issued. Figure 6 shows the PowerShell “Get-Screenshot” function sent by the C2 server.\r\nFigure 6: PowerShell Screenshot Functionality\r\ndUpdateCheckers.ps1 (BONDUPDATER)\r\nOne of the recent advancements by APT34 is the use of DGA to generate subdomains. 
The BONDUPDATER script, named after the hard-coded string “B007”, uses a custom DGA to generate subdomains for communication with the C2 server.\r\nDGA Implementation\r\nFigure 7 provides a breakdown of how an example domain (456341921300006B0C8B2CE9C9B007.mumbai-m[.]site) is generated using BONDUPDATER’s custom DGA.\r\nFigure 7: Breakdown of subdomain created by BONDUPDATER\r\n1. A randomly generated number created using the following expression: $rnd = -join (Get-Random -InputObject (10..99) -Count (%{ Get-Random -InputObject (1..6)}));\r\n2. A flag that is either 0 or 1. It is initially set to 0; if the first resolved domain IP address starts with 24.125.X.X, it is set to 1.\r\n3. A counter initially set to 000, then incremented by 3 after every DNS request.\r\n4. The first 12 characters of the system UUID.\r\n5. The hard-coded string “B007”.\r\n6. The hard-coded domain “mumbai-m[.]site”.\r\nBONDUPDATER will attempt to resolve the resulting DGA domain and will take the following actions based on the IP address resolution:\r\n1. Create a temporary file in the %temp% location. The file created will have the last two octets of the resolved IP address as its filename.\r\n2. 
BONDUPDATER will evaluate the last character of the file name and perform the corresponding action found in Table 2.\r\nCharacter | Description\r\n0 | File contains batch commands; BONDUPDATER executes the batch commands\r\n1 | Rename the temporary file with a .ps1 extension\r\n2 | Rename the temporary file with a .vbs extension\r\nTable 2: BONDUPDATER Actions\r\nFigure 8 is a screenshot of BONDUPDATER’s DGA implementation.\r\nFigure 8: Domain Generation Algorithm\r\nSome examples of the generated subdomains observed at time of execution include:\r\n143610035BAF04425847B007.mumbai-m[.]site\r\n835710065BAF04425847B007.mumbai-m[.]site\r\n376110095BAF04425847B007.mumbai-m[.]site\r\nNetwork Communication\r\nFigure 9 shows example network communications between a POWRUNER backdoor client and server.\r\nFigure 9: Example Network Communication\r\nIn the example, the POWRUNER client sends a random GET request to the C2 server and the C2 server sends the random number (99999999990) as a response. As the response is a random number that ends with ‘0’, POWRUNER sends another random GET request to receive an additional command string. 
The C2 server sends back a Base64-encoded response.\r\nIf the server had sent the string “not_now” as its response, as shown in Figure 10, POWRUNER would have ceased any further requests and terminated its execution.\r\nFigure 10: Example \"not now\" server response\r\nBatch Commands\r\nPOWRUNER may also receive batch commands from the C2 server to collect host information from the system. This may include information about the currently logged-in user, the hostname, network configuration data, active connections, process information, local and domain administrator accounts, an enumeration of user directories, and other data. An example batch command is provided in Figure 11.\r\nFigure 11: Batch commands sent by POWRUNER C2 server\r\nAdditional Use of POWRUNER / BONDUPDATER\r\nAPT34 has used POWRUNER and BONDUPDATER to target Middle East organizations as early as July 2017. In July 2017, a FireEye Web MPS appliance detected and blocked a request to retrieve and install an APT34 POWRUNER / BONDUPDATER downloader file. During the same month, FireEye observed APT34 target a separate Middle East organization using a malicious .rtf file (MD5: 63D66D99E46FB93676A4F475A65566D8) that exploited CVE-2017-0199. This file issued a GET request to download a malicious file from hxxp://94.23.172.164/dupdatechecker.doc.\r\nAs shown in Figure 12, the script within the dupdatechecker.doc file attempts to download another file named dupdatechecker.exe from the same server. 
The file also contains a comment by the malware author that appears to be a taunt aimed at security researchers.\r\nFigure 12: Contents of dupdatechecker.doc script\r\nThe dupdatechecker.exe file (MD5: C9F16F0BE8C77F0170B9B6CE876ED7FB) drops both BONDUPDATER and POWRUNER. These files connect to proxychecker[.]pro for C2.\r\nOutlook and Implications\r\nRecent activity by APT34 demonstrates that it is a capable group with potential access to its own development resources. During the past few months, APT34 has been able to quickly incorporate exploits for at least two publicly known vulnerabilities (CVE-2017-0199 and CVE-2017-11882) to target organizations in the Middle East. We assess that APT34’s efforts to continuously update its malware, including the incorporation of DGA for C2, demonstrate the group’s commitment to pursuing strategies to evade detection. 
We expect APT34 will continue to evolve its malware and tactics as it continues to pursue access to entities in the Middle East region.\r\nIOCs\r\nSource: https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
	],
	"report_names": [
		"targeted-attack-in-middle-east-by-apt34.html"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434029,
	"ts_updated_at": 1775792257,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d4589b22af21509f6cd1c8477fadd56fcf34cbe2.pdf",
		"text": "https://archive.orkl.eu/d4589b22af21509f6cd1c8477fadd56fcf34cbe2.txt",
		"img": "https://archive.orkl.eu/d4589b22af21509f6cd1c8477fadd56fcf34cbe2.jpg"
	}
}