{
	"id": "94772e6b-ea3b-43cb-b5cf-8d1c3928358b",
	"created_at": "2026-04-06T00:15:34.901536Z",
	"updated_at": "2026-04-10T13:11:45.797172Z",
	"deleted_at": null,
	"sha1_hash": "d5c0e40e5a4ccf718d3db08535cdba025ebc08b6",
	"title": "AsyncRAT (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 354481,
	"plain_text": "AsyncRAT (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 13:09:51 UTC\r\nAsyncRAT\r\nVTCollection    \r\nAsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a\r\nsecure encrypted connection. It is an open source remote administration tool, however, it could also be used\r\nmaliciously because it provides functionality such as keylogger, remote desktop control, and many other functions\r\nthat may cause harm to the victim’s computer. In addition, AsyncRAT can be delivered via various methods such\r\nas spear-phishing, malvertising, exploit kit and other techniques.\r\nReferences\r\n2026-01-29 ⋅ Censys ⋅\r\nAsyncRAT C2 Activity at Internet Scale\r\nAsyncRAT\r\n2026-01-13 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update July to December 2025\r\nCoper FluBot Joker Aisuru Mirai AsyncRAT BianLian Cobalt Strike DCRat Havoc Latrodectus PureLogs\r\nStealer Quasar RAT Remcos Rhadamanthys Sliver ValleyRAT Venom RAT Vidar XWorm\r\n2025-09-18 ⋅ Hunt.io ⋅ Hunt.io\r\nTracking AsyncRAT via Trojanized ScreenConnect and Open Directories\r\nAsyncRAT\r\n2025-08-26 ⋅ Recorded Future ⋅ Insikt Group\r\nTAG-144’s Persistent Grip on South American Organizations\r\nAsyncRAT BitRAT DCRat LimeRAT NjRAT PureCrypter Quasar RAT Remcos\r\n2025-07-14 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update January to June 2025\r\nCoper FluBot Hook Joker Mirai AsyncRAT BianLian BumbleBee Chaos Cobalt Strike DanaBot DCRat\r\nHavoc Latrodectus NjRAT Quasar RAT RedLine Stealer Remcos Rhadamanthys Sliver ValleyRAT\r\nWarmCookie XWorm\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat\r\nPage 1 of 13\n\n2025-06-24 ⋅ Bridewell ⋅ Bridewell\r\n2025 Cyber Threat Intelligence Report\r\nAsyncRAT Brute Ratel C4 Cobalt Strike Fog Ghost RAT Lumma Stealer Meduza Stealer Quasar RAT\r\nRedLine Stealer Sliver\r\n2025-06-12 ⋅ Check Point Research ⋅ Check Point\r\nFrom Trust to Threat: 
Hijacked Discord Invites Used for Multi-Stage Malware Delivery\r\nAsyncRAT Skuld\r\n2025-06-05 ⋅ Hunt.io ⋅ Hunt.io\r\nAbusing Paste.ee to Deploy XWorm and AsyncRAT Across Global C2 Infrastructure\r\nAsyncRAT XWorm\r\n2025-04-23 ⋅ Medium b.magnezi ⋅ 0xMrMagnezi\r\nAsyncRAT Malware Analysis\r\nAsyncRAT\r\n2025-04-22 ⋅ AhnLab ⋅ ASEC\r\nDistribution of PebbleDash Malware in March 2025\r\nAsyncRAT PEBBLEDASH\r\n2025-03-26 ⋅ ThreatMon ⋅ Aziz Kaplan, ThreatMon, ThreatMon Malware Research Team\r\nRaton / Silly - Remote Access Trojan | Technical Malware Analysis Report\r\nAsyncRAT\r\n2025-03-18 ⋅ WeLiveSecurity ⋅ Dominik Breitenbacher\r\nOperation AkaiRyū: MirrorFace invites Europe to Expo 2025 and revives ANEL backdoor\r\nAnel AsyncRAT\r\n2025-03-11 ⋅ The Hacker News ⋅ Ravie Lakshmanan\r\nBlind Eagle Hacks Colombian Institutions Using NTLM Flaw, RATs and GitHub-Based Attacks\r\nAsyncRAT NjRAT Quasar RAT Remcos\r\n2025-02-24 ⋅ Kaspersky Labs ⋅ Georgy Kucherin, João Godinho\r\nThe GitVenom campaign: cryptocurrency theft using GitHub\r\nAsyncRAT Quasar RAT\r\n2025-02-12 ⋅ Red Canary ⋅ Phil Hagen, Tony Lambert\r\nDefying tunneling: A Wicked approach to detecting malicious network traffic\r\nAsyncRAT DCRat NjRAT XWorm\r\n2025-02-12 ⋅ cyber.wtf blog ⋅ Hendrik Eckardt, Leonard Rapp\r\nUnpacking Pyarmor v8+ scripts\r\nAsyncRAT DCRat XWorm\r\n2025-01-10 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update July to December 2024\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat\r\nPage 2 of 13\n\nCoper FluBot Hook Mirai FAKEUPDATES AsyncRAT BianLian Brute Ratel C4 Cobalt Strike DanaBot\r\nDCRat Havoc Latrodectus NjRAT Quasar RAT RedLine Stealer Remcos Rhadamanthys Sliver Stealc\r\n2025-01-03 ⋅ Nimantha Deshappriya\r\nRATs on the island (Remote Access Trojans in Sri Lanka's Cybersecurity Landscape)\r\nAsyncRAT Quasar RAT Remcos\r\n2024-11-21 ⋅ Rapid7 ⋅ Anna Širokova\r\nA Bag of RATs: VenomRAT vs. 
AsyncRAT\r\nAsyncRAT Venom RAT\r\n2024-11-18 ⋅ Proofpoint ⋅ Proofpoint Threat Research Team, Selena Larson, Tommy Madjar\r\nSecurity Brief: ClickFix Social Engineering Technique Floods Threat Landscape\r\nAsyncRAT Brute Ratel C4 DanaBot DarkGate Latrodectus Lumma Stealer NetSupportManager RAT XWorm\r\n2024-10-16 ⋅ ThreatMon ⋅ Aziz Kaplan, ThreatMon, ThreatMon Malware Research Team\r\nX-ZIGZAG Technical Malware Analysis Report\r\nAsyncRAT X-ZIGZAG\r\n2024-07-17 ⋅ Huntress Labs ⋅ Alden Schmidt, Greg Linares, Matt Anderson\r\nFake Browser Updates Lead to BOINC Volunteer Computing Software\r\nFAKEUPDATES MintsLoader AsyncRAT\r\n2024-07-16 ⋅ Sentinel LABS ⋅ Jim Walter\r\nNullBulge | Threat Actor Masquerades as Hacktivist Group Rebelling Against AI\r\nAsyncRAT LockBit XWorm Nullbulge\r\n2024-07-09 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update January to June 2024\r\nCoper FluBot Hook Bashlite Mirai FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc NjRAT\r\nQakBot Quasar RAT RedLine Stealer Remcos Rhadamanthys RisePro Sliver\r\n2024-05-14 ⋅ Check Point Research ⋅ Antonis Terefos, Tera0017\r\nFoxit PDF “Flawed Design” Exploitation\r\nRafel RAT Agent Tesla AsyncRAT DCRat DONOT Nanocore RAT NjRAT Pony Remcos Venom RAT\r\nXWorm\r\n2024-04-20 ⋅ Axel's IT Security Research ⋅ Axel Mahr\r\nNew Robust Technique for Reliably Identifying AsyncRAT/DcRAT/VenomRAT Servers\r\nAsyncRAT DCRat Venom RAT\r\n2024-04-13 ⋅ cyber5w ⋅ cyber5w, M4lcode\r\nAnalysis of malicious Microsoft office macros\r\nAsyncRAT Ave Maria\r\n2024-04-11 ⋅ Github (jeFF0Falltrades) ⋅ Jeff Archer\r\nRat King Configuration Parser\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat\r\nPage 3 of 13\n\nAsyncRAT DCRat Quasar RAT Venom RAT\r\n2024-02-09 ⋅ Censys ⋅ Censys, Embee_research\r\nA Beginners Guide to Tracking Malware Infrastructure\r\nAsyncRAT BianLian Cobalt Strike QakBot\r\n2024-01-25 ⋅ JSAC 2024 ⋅ Masafumi Takeda, Tomoya Furukawa\r\nThreat Intelligence of Abused Public 
Post-Exploitation Frameworks\r\nAsyncRAT DCRat Empire Downloader GRUNT Havoc Koadic Merlin PoshC2 Quasar RAT Sliver\r\n2024-01-15 ⋅ DFIR.ch ⋅ Stephan Berger\r\nHunting AsyncRAT \u0026 QuasarRAT\r\nAsyncRAT Quasar RAT\r\n2024-01-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q4 2023\r\nFluBot Hook FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc IcedID Lumma Stealer\r\nMeterpreter NjRAT Pikabot QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys\r\nSliver\r\n2024-01-09 ⋅ Recorded Future ⋅ Insikt Group\r\n2023 Adversary Infrastructure Report\r\nAsyncRAT Cobalt Strike Emotet PlugX ShadowPad\r\n2024-01-05 ⋅ AlienLabs ⋅ Fernando Martinez\r\nAsyncRAT loader: Obfuscation, DGAs, decoys and Govno\r\nMintsLoader AsyncRAT\r\n2023-12-13 ⋅ cocomelonc ⋅ cocomelonc\r\nMalware in the wild book\r\nAsyncRAT Babuk BlackCat BlackLotus Carbanak HelloKitty Paradise Stealc WinDealer\r\n2023-12-12 ⋅ Check Point Research ⋅ Check Point\r\nNovember 2023’s Most Wanted Malware: New AsyncRAT Campaign Discovered while FakeUpdates Re-Entered the Top Ten after Brief Hiatus\r\nFAKEUPDATES AsyncRAT\r\n2023-12-02 ⋅ openhunting.io ⋅ openhunting.io\r\nThreat Hunting Malware Infrastructure\r\nVBREVSHELL AsyncRAT\r\n2023-11-01 ⋅ Twitter (@embee_research) ⋅ Embee_research\r\nMalware Unpacking With Memory Dumps - Intermediate Methods (Pe-Sieve, Process Hacker, Hxd and Pe-bear)\r\nAsyncRAT\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat\r\nPage 4 of 13\n\n2023-10-30 ⋅ Twitter (@embee_research) ⋅ Embee_research\r\nUnpacking .NET Malware With Process Hacker and Dnspy\r\nAsyncRAT\r\n2023-10-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q3 2023\r\nFluBot AsyncRAT Ave Maria Cobalt Strike DCRat Havoc IcedID ISFB Nanocore RAT NjRAT QakBot\r\nQuasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Stealc Tofsee Vidar\r\n2023-09-08 ⋅ Gi7w0rm\r\nUncovering DDGroup — A long-time threat actor\r\nAsyncRAT Ave Maria 
BitRAT DBatLoader NetWire RC Quasar RAT XWorm\r\n2023-07-20 ⋅ Gatewatcher ⋅ Gatewatcher\r\nzip-files-make-it-bigger-to-avoid-edr-detection\r\nAsyncRAT\r\n2023-07-11 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q2 2023\r\nHydra AsyncRAT Aurora Stealer Ave Maria BumbleBee Cobalt Strike DCRat Havoc IcedID ISFB NjRAT\r\nQakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee\r\n2023-06-08 ⋅ Twitter (@embee_research) ⋅ Embee_research\r\nPractical Queries for Identifying Malware Infrastructure: An informal page for storing Censys/Shodan queries\r\nAmadey AsyncRAT Cobalt Strike QakBot Quasar RAT Sliver solarmarker\r\n2023-05-19 ⋅ cocomelonc ⋅ cocomelonc\r\nMalware source code investigation: AsyncRAT\r\nAsyncRAT\r\n2023-05-09 ⋅ Huntress Labs ⋅ Matthew Brennan\r\nAdvanced Cyberchef Tips - AsyncRAT Loader\r\nAsyncRAT\r\n2023-04-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q1 2023\r\nFluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT\r\nQakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar\r\n2023-04-08 ⋅ kienmanowar Blog ⋅ m4n0w4r, Tran Trung Kien\r\n[QuickNote] Uncovering Suspected Malware Distributed By Individuals from Vietnam\r\nAsyncRAT DCRat WorldWind\r\n2023-03-30 ⋅ loginsoft ⋅ Saharsh Agrawal\r\nFrom Innocence to Malice: The OneNote Malware Campaign Uncovered\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat\r\nPage 5 of 13\n\nAgent Tesla AsyncRAT DOUBLEBACK Emotet Formbook IcedID NetWire RC QakBot Quasar RAT\r\nRedLine Stealer XWorm\r\n2023-03-27 ⋅ splunk ⋅ Splunk Threat Research Team\r\nAsyncRAT Crusade: Detections and Defense\r\nAsyncRAT\r\n2023-03-15 ⋅ Lab52 ⋅ Lab52\r\nAPT-C-36: from NjRAT to LimeRAT\r\nAsyncRAT NjRAT\r\n2023-03-01 ⋅ Zscaler ⋅ Meghraj Nandanwar, Shatak Jain\r\nOneNote: A Growing Threat for Malware Distribution\r\nAsyncRAT Cobalt Strike IcedID QakBot RedLine Stealer\r\n2023-02-27 ⋅ Blackberry 
⋅ BlackBerry Research \u0026 Intelligence Team\r\nBlind Eagle Deploys Fake UUE Files and Fsociety to Target Colombia's Judiciary, Financial, Public, and Law\r\nEnforcement Entities\r\nAsyncRAT APT-C-36\r\n2023-02-11 ⋅ @0xToxin\r\nAsyncRAT OneNote Dropper\r\nAsyncRAT\r\n2023-02-08 ⋅ Huntress Labs ⋅ Michael Elford\r\nAsyncRAT: Analysing the Three Stages of Execution\r\nAsyncRAT\r\n2023-01-04 ⋅ cocomelonc\r\nMalware development tricks: part 26. Mutex. C++ example.\r\nAsyncRAT Conti HelloKitty\r\n2022-12-06 ⋅ ⋅ 360 Threat Intelligence Center ⋅ 360 Beacon Lab\r\nAnalysis of suspected APT-C-56 (Transparent Tribe) attacks against terrorism\r\nAhMyth Meterpreter SpyNote AsyncRAT\r\n2022-10-13 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q3 2022\r\nFluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password\r\nStealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars\r\nTofsee Vjw0rm\r\n2022-09-06 ⋅ Check Point ⋅ Check Point Research\r\nDangerousSavanna: Two-year long campaign targets financial institutions in French-speaking Africa\r\nAsyncRAT Meterpreter PoshC2 DangerousSavanna\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat\r\nPage 6 of 13\n\n2022-08-29 ⋅ ⋅ 360 netlab ⋅ wanghao\r\nPureCrypter Loader continues to be active and has spread to more than 10 other families\r\n404 Keylogger Agent Tesla AsyncRAT Formbook RedLine Stealer\r\n2022-08-29 ⋅ Netskope ⋅ Gustavo Palazolo\r\nAsyncRAT: Using Fully Undetected Downloader\r\nAsyncRAT\r\n2022-08-18 ⋅ Proofpoint ⋅ Joe Wise, Proofpoint Threat Research Team, Selena Larson\r\nReservations Requested: TA558 Targets Hospitality and Travel\r\nAsyncRAT Loda NjRAT Ozone RAT Revenge RAT Vjw0rm\r\n2022-08-17 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam\r\nDarkTortilla Malware Analysis\r\nAgent Tesla AsyncRAT Cobalt Strike DarkTortilla Nanocore RAT RedLine Stealer\r\n2022-08-16 ⋅ Qualys ⋅ Pawan Kumar N\r\nAsyncRAT C2 
Framework: Overview, Technical Analysis \u0026 Detection\r\nAsyncRAT\r\n2022-07-17 ⋅ Resecurity ⋅ Resecurity\r\nShortcut-Based (LNK) Attacks Delivering Malicious Code On The Rise\r\nAsyncRAT BumbleBee Emotet IcedID QakBot\r\n2022-07-15 ⋅ HP ⋅ Patrick Schläpfer\r\nStealthy OpenDocument Malware Deployed Against Latin American Hotels\r\nAsyncRAT\r\n2022-07-13 ⋅ Trellix ⋅ Mohsin Dalla, Sushant Kumar Arya\r\nTargeted Attack on Government Agencies\r\nAsyncRAT LimeRAT\r\n2022-06-08 ⋅ Symantec ⋅ Karthikeyan C Kasiviswanathan, Yuvaraj Megavarnadu\r\nAttackers Exploit MSDT Follina Bug to Drop RAT, Infostealer\r\nAsyncRAT\r\n2022-06-03 ⋅ Avast ⋅ Threat Intelligence Team\r\nOutbreak of Follina in Australia\r\nAsyncRAT\r\n2022-06-03 ⋅ Avast Decoded ⋅ Threat Intelligence Team\r\nOutbreak of Follina in Australia\r\nAsyncRAT APT40\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat\r\nPage 7 of 13\n\n2022-06-02 ⋅ FortiGuard Labs ⋅ Fred Gutierrez, Gergely Revay, James Slaughter, Shunichi Imano\r\nThreat Actors Prey on Eager Travelers\r\nAsyncRAT NetWire RC Quasar RAT\r\n2022-06-01 ⋅ Github (jstnk9) ⋅ Jose Luis Sánchez Martínez\r\nAnalyzing AsyncRAT distributed in Colombia\r\nAsyncRAT\r\n2022-05-19 ⋅ Blackberry ⋅ The BlackBerry Research \u0026 Intelligence Team\r\n.NET Stubs: Sowing the Seeds of Discord (PureCrypter)\r\nAberebot AbstractEmu AdoBot 404 Keylogger Agent Tesla Amadey AsyncRAT Ave Maria BitRAT BluStealer\r\nFormbook LimeRAT Loki Password Stealer (PWS) Nanocore RAT Orcus RAT Quasar RAT Raccoon RedLine\r\nStealer WhisperGate\r\n2022-05-12 ⋅ Morphisec ⋅ Hido Cohen\r\nNew SYK Crypter Distributed Via Discord\r\nAsyncRAT Ave Maria Nanocore RAT NjRAT Quasar RAT RedLine Stealer\r\n2022-05-11 ⋅ HP ⋅ HP Wolf Security\r\nThreat Insights Report Q1 - 2022\r\nAsyncRAT Emotet Mekotio Vjw0rm\r\n2022-05-06 ⋅ Mitchell's Musings ⋅ Aiden Mitchell\r\nAttempted AsyncRAT via .vbs\r\nAsyncRAT\r\n2022-05-02 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)\r\nAsyncRAT 
Activity\r\nAsyncRAT\r\n2022-04-28 ⋅ vx-underground ⋅ Twitter (@vxunderground)\r\nTweet on leaked Prynt Stealer source code and similarity to AyncRAT\r\nAsyncRAT Prynt Stealer\r\n2022-04-27 ⋅ Zscaler ⋅ Brett Stone-Gross, Dennis Schwarz\r\nTargeted attack on Thailand Pass customers delivers AsyncRAT\r\nAsyncRAT\r\n2022-04-27 ⋅ Trendmicro ⋅ Daniel Lunghi, Jaromír Hořejší\r\nOperation Gambling Puppet\r\nreptile oRAT AsyncRAT Cobalt Strike DCRat Ghost RAT PlugX Quasar RAT Trochilus RAT Earth Berberoka\r\n2022-04-27 ⋅ Trendmicro ⋅ Trendmicro\r\nIOCs for Earth Berberoka - Windows\r\nAsyncRAT Cobalt Strike PlugX Quasar RAT Earth Berberoka\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat\r\nPage 8 of 13\n\n2022-04-27 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší\r\nNew APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware\r\nHelloBot AsyncRAT Ghost RAT HelloBot PlugX Quasar RAT Earth Berberoka\r\n2022-04-26 ⋅ Trend Micro ⋅ Lord Alfred Remorin, Ryan Flores, Stephen Hilt\r\nHow Cybercriminals Abuse Cloud Tunneling Services\r\nAsyncRAT Cobalt Strike DarkComet Meterpreter Nanocore RAT\r\n2022-04-19 ⋅ RiskIQ ⋅ Jennifer Grob\r\nRiskIQ: Legitimate WordPress Site Hosts Malicious Content\r\nAsyncRAT\r\n2022-04-05 ⋅ Cisco Talos ⋅ Alex Karkins, Edmund Brumaghin\r\nThreat Spotlight: AsyncRAT campaigns feature new version of 3LOSH crypter\r\nAsyncRAT LimeRAT\r\n2022-03-31 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)\r\nSuspected AsyncRAT Delivered via ISO Files Using HTML Smuggling Technique\r\nAsyncRAT\r\n2022-03-12 ⋅ Brian Stadnicki\r\nAsyncRAT RCE vulnerability\r\nAsyncRAT\r\n2022-03-01 ⋅ VirusTotal ⋅ VirusTotal\r\nVirusTotal's 2021 Malware Trends Report\r\nAnubis AsyncRAT BlackMatter Cobalt Strike DanaBot Dridex Khonsari MimiKatz Mirai Nanocore RAT\r\nOrcus RAT\r\n2022-02-22 ⋅ NCSC Switzerland ⋅ NCSC Switzerland\r\nWeek 7: Supposed order confirmation delivers malware and new variants in fake extortion emails\r\nAsyncRAT\r\n2022-02-16 ⋅ 
Abdallah Elnoty\r\nPlaying with AsyncRAT\r\nAsyncRAT\r\n2022-02-15 ⋅ Proofpoint ⋅ Joe Wise, Selena Larson\r\nCharting TA2541's Flight\r\nAsyncRAT TA2541\r\n2022-02-15 ⋅ Threat Post ⋅ Elizabeth Montalbano\r\nTA2541: APT Has Been Shooting RATs at Aviation for Years\r\nAsyncRAT Houdini NetWire RC Parallax RAT\r\n2022-02-15 ⋅ BleepingComputer ⋅ Ionut Ilascu\r\nUnskilled hacker linked to years of attacks on aviation, transport sectors\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat\r\nPage 9 of 13\n\nAsyncRAT Houdini NetWire RC Parallax RAT\r\n2022-02-14 ⋅ Morphisec ⋅ Arnold Osipov, Hido Cohen\r\nJourney of a Crypto Scammer - NFT-001\r\nAsyncRAT BitRAT Remcos\r\n2022-02-07 ⋅ RiskIQ ⋅ RiskIQ\r\nRiskIQ: Malicious Infrastructure Connected to Particular Windows Host Certificates\r\nAsyncRAT BitRAT Nanocore RAT\r\n2022-01-26 ⋅ The Hacker News ⋅ Ravie Lakshmanan\r\nHackers Using New Evasive Technique to Deliver AsyncRAT Malware\r\nAsyncRAT\r\n2022-01-25 ⋅ Morphisec ⋅ Michael Dereviashkin\r\nNew Threat Campaign Identified: AsyncRAT Introduces a New Delivery Technique\r\nAsyncRAT\r\n2022-01-12 ⋅ Cisco ⋅ Chetan Raghuprasad, Vanja Svajcer\r\nNanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure\r\nAsyncRAT Nanocore RAT NetWire RC\r\n2021-12-29 ⋅ Github (jeFF0Falltrades) ⋅ Jeff Archer\r\nAsyncRAT Configuration Parser\r\nAsyncRAT\r\n2021-12-13 ⋅ RiskIQ ⋅ Jordan Herman\r\nRiskIQ: Connections between Nanocore, Netwire, and AsyncRAT and Vjw0rm dynamic DNS C2\r\ninfrastructure\r\nAsyncRAT Nanocore RAT NetWire RC Vjw0rm\r\n2021-11-29 ⋅ Trend Micro ⋅ Jaromír Hořejší\r\nCampaign Abusing Legitimate Remote Administrator Tools Uses Fake Cryptocurrency Websites\r\nAsyncRAT Azorult Nanocore RAT NjRAT RedLine Stealer Remcos\r\n2021-11-11 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team\r\nHTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted\r\nattacks\r\nAsyncRAT Mekotio 
NjRAT\r\n2021-10-26 ⋅ Kaspersky ⋅ Kaspersky Lab ICS CERT\r\nAPT attacks on industrial organizations in H1 2021\r\n8.t Dropper AllaKore AsyncRAT GoldMax LimeRAT NjRAT NoxPlayer Raindrop ReverseRAT ShadowPad\r\nZebrocy\r\n2021-10-15 ⋅ ESET Research ⋅ ESET Research\r\nTweet on a malicious campaign targeting governmental and education entities in Colombia using multiple\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat\r\nPage 10 of 13\n\nstages to drop AsyncRAT or njRAT Keylogger on their victims\r\nAsyncRAT NjRAT\r\n2021-09-16 ⋅ Cisco ⋅ Tiago Pereira, Vitor Ventura\r\nOperation Layover: How we tracked an attack on the aviation industry to five years of compromise\r\nAsyncRAT Houdini NjRAT\r\n2021-09-13 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší\r\nAPT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs\r\nAsyncRAT Ave Maria BitRAT Imminent Monitor RAT LimeRAT NjRAT Remcos\r\n2021-09-13 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší\r\nAPT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs (IOCs)\r\nAsyncRAT Ave Maria BitRAT Imminent Monitor RAT LimeRAT NjRAT Remcos\r\n2021-09-03 ⋅ Trend Micro ⋅ Mohamad Mokbel\r\nThe State of SSL/TLS Certificate Usage in Malware C\u0026C Communications\r\nAdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex\r\nFindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT\r\nRockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader\r\n2021-08-19 ⋅ Talos ⋅ Asheer Malhotra, Vanja Svajcer, Vitor Ventura\r\nMalicious Campaign Targets Latin America: The seller, The operator and a curious link\r\nAsyncRAT NjRAT\r\n2021-07-30 ⋅ Menlo Security ⋅ MENLO Security\r\nISOMorph Infection: In-Depth Analysis of a New HTML Smuggling Campaign\r\nAsyncRAT NjRAT\r\n2021-07-19 ⋅ Bitdefender ⋅ Bitdefender\r\nDebugging MosaicLoader, One Step at a Time\r\nAsyncRAT Glupteba\r\n2021-07-12 
⋅ IBM ⋅ Claire Zaboeva, Dan Dash, Melissa Frydrych\r\nRoboSki and Global Recovery: Automation to Combat Evolving Obfuscation\r\n404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki\r\nPassword Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos\r\n2021-07-12 ⋅ Cipher Tech Solutions ⋅ Claire Zaboeva, Dan Dash, Melissa Frydrych\r\nRoboSki and Global Recovery: Automation to Combat Evolving Obfuscation\r\n404 Keylogger Agent Tesla AsyncRAT Ave Maria Azorult BitRAT Formbook HawkEye Keylogger Loki\r\nPassword Stealer (PWS) Nanocore RAT NetWire RC NjRAT Quasar RAT RedLine Stealer Remcos\r\n2021-06-27 ⋅ Fortinet ⋅ Gayathri Thirugnanasambandam\r\nSpear Phishing Campaign with New Techniques Aimed at Aviation Companies\r\nAsyncRAT\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat\r\nPage 11 of 13\n\n2021-05-14 ⋅ Morphisec ⋅ Arnold Osipov\r\nAHK RAT Loader Used in Unique Delivery Campaigns\r\nAsyncRAT Houdini Revenge RAT\r\n2021-05-11 ⋅ Twitter (@MsftSecIntel) ⋅ Microsoft Security Intelligence\r\nTweet on Snip3 crypter delivering AsyncRAT or AgentTesla\r\nAgent Tesla AsyncRAT\r\n2021-05-07 ⋅ Morphisec ⋅ Nadav Lorber\r\nRevealing the ‘Snip3’ Crypter, a Highly Evasive RAT Loader\r\nAgent Tesla AsyncRAT NetWire RC Revenge RAT\r\n2021-05-05 ⋅ Zscaler ⋅ Aniruddha Dolas, Manohar Ghule, Mohd Sadique\r\nCatching RATs Over Custom Protocols Analysis of top non-HTTP/S threats\r\nAgent Tesla AsyncRAT Crimson RAT CyberGate Ghost RAT Nanocore RAT NetWire RC NjRAT Quasar\r\nRAT Remcos\r\n2021-03-16 ⋅ Morphisec ⋅ Nadav Lorber\r\nTracking HCrypt: An Active Crypter as a Service\r\nAsyncRAT LimeRAT Remcos\r\n2021-02-25 ⋅ Intezer ⋅ Intezer\r\nYear of the Gopher A 2020 Go Malware Round-Up\r\nNiuB WellMail elf.wellmess ArdaMax AsyncRAT CyberGate DarkComet Glupteba Nanocore RAT Nefilim\r\nNjRAT Quasar RAT WellMess Zebrocy\r\n2021-02-19 ⋅ K7 Security ⋅ Partheeban J\r\nGitHub – Home to AsyncRAT 
Backdoor\r\nAsyncRAT\r\n2021-01-11 ⋅ ESET Research ⋅ Matías Porolli\r\nOperation Spalax: Targeted malware attacks in Colombia\r\nAgent Tesla AsyncRAT NjRAT Remcos\r\n2020-12-10 ⋅ Intel 471 ⋅ Intel 471\r\nNo pandas, just people: The current state of China’s cybercrime underground\r\nAnubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT\r\n2020-12-10 ⋅ JPCERT/CC ⋅ Kota Kino\r\nAttack Activities by Quasar Family\r\nAsyncRAT Quasar RAT Venom RAT XPCTRA\r\n2020-11-03 ⋅ Kaspersky Labs ⋅ GReAT\r\nAPT trends report Q3 2020\r\nWellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK\r\nDtrack LODEINFO MoriAgent Okrum PlugX POISONPLUG Rover ShadowPad SoreFang Winnti\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat\r\nPage 12 of 13\n\n2020-10-19 ⋅ Red Sky Alliance ⋅ Yury Polozov\r\nPossible Identity of a Kuwaiti Hacker NYANxCAT\r\nAsyncRAT\r\n2020-09-21 ⋅ ⋅ Qianxin ⋅ RedDrip Team\r\nOperation Tibo: A retaliatory targeted attack from the South Asian APT organization \"Mo Luo Suo\"\r\nAsyncRAT Darktrack RAT\r\n2020-08-26 ⋅ Proofpoint ⋅ Proofpoint Threat Research Team\r\nThreat Actor Profile: TA2719 Uses Colorful Lures to Deliver RATs in Local Languages\r\nAsyncRAT Nanocore RAT TA2719\r\n2020-07-30 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q2 2020\r\nAdWind Agent Tesla Arkei Stealer AsyncRAT Ave Maria Azorult DanaBot Emotet IcedID ISFB KPOT\r\nStealer Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT Pony Raccoon RedLine Stealer\r\nRemcos Zloader\r\n2019-11-19 ⋅ VMWare Carbon Black ⋅ VMWare\r\nThreat Analysis Unit (TAU) Threat Intelligence Notification: AsyncRAT\r\nAsyncRAT\r\n2019-01-19 ⋅ Github (NYAN-x-CAT) ⋅ NYAN-x-CAT\r\nAsyncRAT: Open-Source Remote Administration Tool For Windows C# (RAT)\r\nAsyncRAT\r\nYara Rules\r\n[TLP:WHITE] win_asyncrat_auto (20201014 | autogenerated rule brought to you by yara-signator)\r\n[TLP:WHITE] win_asyncrat_w0   (20201006 | detect AsyncRat in memory)\r\nDownload 
all Yara Rules\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat"
	],
	"report_names": [
		"win.asyncrat"
	],
	"threat_actors": [
		{
			"id": "059b16f8-d4e0-4399-9add-18101a2fd298",
			"created_at": "2022-10-25T15:50:23.29434Z",
			"updated_at": "2026-04-10T02:00:05.380938Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"Evilnum"
			],
			"source_name": "MITRE:Evilnum",
			"tools": [
				"More_eggs",
				"EVILNUM",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "98b22fd7-bf1b-41a6-b51c-0e33a0ffd813",
			"created_at": "2022-10-25T15:50:23.688973Z",
			"updated_at": "2026-04-10T02:00:05.390055Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"APT-C-36",
				"Blind Eagle"
			],
			"source_name": "MITRE:APT-C-36",
			"tools": [
				"Imminent Monitor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "40451441-a311-494f-8025-fdbad7a527d4",
			"created_at": "2024-02-06T02:00:04.114318Z",
			"updated_at": "2026-04-10T02:00:03.571851Z",
			"deleted_at": null,
			"main_name": "TA2719",
			"aliases": [],
			"source_name": "MISPGALAXY:TA2719",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "64d750e4-67db-4461-bae2-6e75bfced852",
			"created_at": "2022-10-25T16:07:24.01415Z",
			"updated_at": "2026-04-10T02:00:04.839502Z",
			"deleted_at": null,
			"main_name": "Operation Spalax",
			"aliases": [],
			"source_name": "ETDA:Operation Spalax",
			"tools": [
				"AsyncRAT",
				"Bladabindi",
				"Jorik",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f5da0b4-5d47-4ae4-87cb-dfcb3c3524ae",
			"created_at": "2022-10-25T16:07:23.96921Z",
			"updated_at": "2026-04-10T02:00:04.812941Z",
			"deleted_at": null,
			"main_name": "Operation Layover",
			"aliases": [],
			"source_name": "ETDA:Operation Layover",
			"tools": [
				"AsyncRAT",
				"Bladabindi",
				"CyberGate",
				"CyberGate RAT",
				"Jorik",
				"Rebhip",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "316b23b5-e097-4dc6-8b1c-d096860c6c16",
			"created_at": "2022-10-25T16:07:24.290801Z",
			"updated_at": "2026-04-10T02:00:04.924688Z",
			"deleted_at": null,
			"main_name": "TA558",
			"aliases": [],
			"source_name": "ETDA:TA558",
			"tools": [
				"AZORult",
				"AsyncRAT",
				"Bladabindi",
				"ExtRat",
				"Jorik",
				"Loda",
				"Loda RAT",
				"LodaRAT",
				"Nymeria",
				"PuffStealer",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Rultazo",
				"Socmer",
				"Vengeance Justice Worm",
				"Vjw0rm",
				"Xtreme RAT",
				"XtremeRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e47e5bc6-9823-48b4-b4c8-44d213853a3d",
			"created_at": "2023-11-17T02:00:07.588367Z",
			"updated_at": "2026-04-10T02:00:03.453612Z",
			"deleted_at": null,
			"main_name": "MirrorFace",
			"aliases": [
				"Earth Kasha"
			],
			"source_name": "MISPGALAXY:MirrorFace",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d997a1d5-b410-42c4-a490-90f287ad3034",
			"created_at": "2024-07-21T02:00:04.751362Z",
			"updated_at": "2026-04-10T02:00:03.675263Z",
			"deleted_at": null,
			"main_name": "Nullbulge",
			"aliases": [],
			"source_name": "MISPGALAXY:Nullbulge",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "99468ac6-ccfd-4cd8-b726-791600e61431",
			"created_at": "2023-11-01T02:01:06.647272Z",
			"updated_at": "2026-04-10T02:00:05.313262Z",
			"deleted_at": null,
			"main_name": "TA2541",
			"aliases": [
				"TA2541"
			],
			"source_name": "MITRE:TA2541",
			"tools": [
				"Snip3",
				"Revenge RAT",
				"jRAT",
				"WarzoneRAT",
				"Imminent Monitor",
				"AsyncRAT",
				"NETWIRE",
				"Agent Tesla",
				"njRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "97dc332f-2241-4755-ae33-54e5eff3990a",
			"created_at": "2023-01-06T13:46:39.307201Z",
			"updated_at": "2026-04-10T02:00:03.282272Z",
			"deleted_at": null,
			"main_name": "TA2541",
			"aliases": [],
			"source_name": "MISPGALAXY:TA2541",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fce5181c-7aab-400f-bd03-9db9e791da04",
			"created_at": "2022-10-25T15:50:23.759799Z",
			"updated_at": "2026-04-10T02:00:05.3002Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"Transparent Tribe",
				"COPPER FIELDSTONE",
				"APT36",
				"Mythic Leopard",
				"ProjectM"
			],
			"source_name": "MITRE:Transparent Tribe",
			"tools": [
				"DarkComet",
				"ObliqueRAT",
				"njRAT",
				"Peppy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "16f2436b-5f84-44e3-a306-f1f9e92f7bea",
			"created_at": "2023-01-06T13:46:38.745572Z",
			"updated_at": "2026-04-10T02:00:03.086207Z",
			"deleted_at": null,
			"main_name": "APT40",
			"aliases": [
				"ATK29",
				"Red Ladon",
				"MUDCARP",
				"ISLANDDREAMS",
				"TEMP.Periscope",
				"KRYPTONITE PANDA",
				"G0065",
				"TA423",
				"ITG09",
				"Gingham Typhoon",
				"TEMP.Jumper",
				"BRONZE MOHAWK",
				"GADOLINIUM"
			],
			"source_name": "MISPGALAXY:APT40",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "452d2d74-e812-45d6-b0fe-b8a6cc4ebd01",
			"created_at": "2022-10-25T16:07:23.562676Z",
			"updated_at": "2026-04-10T02:00:04.662064Z",
			"deleted_at": null,
			"main_name": "Earth Berberoka",
			"aliases": [
				"GamblingPuppet"
			],
			"source_name": "ETDA:Earth Berberoka",
			"tools": [
				"Agent.dhwf",
				"AngryRebel",
				"AsyncRAT",
				"CinaRAT",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kaba",
				"Korplug",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"PuppetLoader",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Xamtrav",
				"Yggdrasil",
				"oRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "af2a195b-fed2-4e2c-9443-13e9b08a02ae",
			"created_at": "2022-12-27T17:02:23.458269Z",
			"updated_at": "2026-04-10T02:00:04.813897Z",
			"deleted_at": null,
			"main_name": "Operation LiberalFace",
			"aliases": [
				"MirrorFace",
				"Operation AkaiRyū",
				"Operation LiberalFace"
			],
			"source_name": "ETDA:Operation LiberalFace",
			"tools": [
				"Anel",
				"AsyncRAT",
				"LODEINFO",
				"MirrorStealer",
				"UpperCut",
				"lena"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "be597b07-0cde-47bc-80c3-790a8df34af4",
			"created_at": "2022-10-25T16:07:23.407484Z",
			"updated_at": "2026-04-10T02:00:04.58656Z",
			"deleted_at": null,
			"main_name": "Blind Eagle",
			"aliases": [
				"APT-C-36",
				"APT-Q-98",
				"AguilaCiega",
				"G0099"
			],
			"source_name": "ETDA:Blind Eagle",
			"tools": [
				"AsyncRAT",
				"BitRAT",
				"Bladabindi",
				"BlotchyQuasar",
				"Imminent Monitor",
				"Imminent Monitor RAT",
				"Jorik",
				"LimeRAT",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"Warzone",
				"Warzone RAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "83025f5e-302e-46b0-baf6-650a4d313dfc",
			"created_at": "2024-05-01T02:03:07.971863Z",
			"updated_at": "2026-04-10T02:00:03.743131Z",
			"deleted_at": null,
			"main_name": "BRONZE MOHAWK",
			"aliases": [
				"APT40 ",
				"GADOLINIUM ",
				"Gingham Typhoon ",
				"Kryptonite Panda ",
				"Leviathan ",
				"Nanhaishu ",
				"Pickleworm ",
				"Red Ladon ",
				"TA423 ",
				"Temp.Jumper ",
				"Temp.Periscope "
			],
			"source_name": "Secureworks:BRONZE MOHAWK",
			"tools": [
				"AIRBREAK",
				"BlackCoffee",
				"China Chopper",
				"Cobalt Strike",
				"DadJoke",
				"Donut",
				"FUSIONBLAZE",
				"GreenCrash",
				"Meterpreter",
				"Nanhaishu",
				"Orz",
				"SeDll"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8ce861d7-7fbd-4d9c-a211-367c118bfdbd",
			"created_at": "2023-01-06T13:46:39.153487Z",
			"updated_at": "2026-04-10T02:00:03.232006Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"EvilNum",
				"Jointworm",
				"KNOCKOUT SPIDER",
				"DeathStalker",
				"TA4563"
			],
			"source_name": "MISPGALAXY:Evilnum",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "59be3740-c8c7-47aa-84c8-e80d0cb7ea3a",
			"created_at": "2022-10-25T15:50:23.481057Z",
			"updated_at": "2026-04-10T02:00:05.306469Z",
			"deleted_at": null,
			"main_name": "Leviathan",
			"aliases": [
				"MUDCARP",
				"Kryptonite Panda",
				"Gadolinium",
				"BRONZE MOHAWK",
				"TEMP.Jumper",
				"APT40",
				"TEMP.Periscope",
				"Gingham Typhoon"
			],
			"source_name": "MITRE:Leviathan",
			"tools": [
				"Windows Credential Editor",
				"BITSAdmin",
				"HOMEFRY",
				"Derusbi",
				"at",
				"BLACKCOFFEE",
				"BADFLICK",
				"gh0st RAT",
				"PowerSploit",
				"MURKYTOP",
				"NanHaiShu",
				"Orz",
				"Cobalt Strike",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cf91b389-9602-45c0-8d6b-c61d14800f54",
			"created_at": "2023-01-06T13:46:39.448277Z",
			"updated_at": "2026-04-10T02:00:03.332604Z",
			"deleted_at": null,
			"main_name": "TA558",
			"aliases": [],
			"source_name": "MISPGALAXY:TA558",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "286172a2-6946-475d-a5a2-3cf985155a06",
			"created_at": "2023-01-06T13:46:39.460654Z",
			"updated_at": "2026-04-10T02:00:03.336749Z",
			"deleted_at": null,
			"main_name": "DangerousSavanna",
			"aliases": [],
			"source_name": "MISPGALAXY:DangerousSavanna",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "39ea99fb-1704-445d-b5cd-81e7c99d6012",
			"created_at": "2022-10-25T16:07:23.601894Z",
			"updated_at": "2026-04-10T02:00:04.684134Z",
			"deleted_at": null,
			"main_name": "Evilnum",
			"aliases": [
				"G0120",
				"Jointworm",
				"Operation Phantom in the [Command] Shell",
				"TA4563"
			],
			"source_name": "ETDA:Evilnum",
			"tools": [
				"Bypass-UAC",
				"Cardinal RAT",
				"ChromeCookiesView",
				"EVILNUM",
				"Evilnum",
				"IronPython",
				"LaZagne",
				"MailPassView",
				"More_eggs",
				"ProduKey",
				"PyVil",
				"PyVil RAT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Taurus Loader TeamViewer Module",
				"Terra Loader",
				"TerraPreter",
				"TerraStealer",
				"TerraTV"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a0cfbbc-2acf-4cc8-afe1-1859679c522c",
			"created_at": "2022-10-25T16:07:24.373716Z",
			"updated_at": "2026-04-10T02:00:04.963615Z",
			"deleted_at": null,
			"main_name": "Vendetta",
			"aliases": [
				"TA2719"
			],
			"source_name": "ETDA:Vendetta",
			"tools": [
				"AsyncRAT",
				"Atros2.CKPN",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"ReZer0",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"RoboSki",
				"Socmer",
				"Zurten"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "878ce40c-9fbc-4cff-a5c4-771086979fa7",
			"created_at": "2022-10-25T16:07:24.264056Z",
			"updated_at": "2026-04-10T02:00:04.915395Z",
			"deleted_at": null,
			"main_name": "TA2541",
			"aliases": [],
			"source_name": "ETDA:TA2541",
			"tools": [
				"AVE_MARIA",
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"AsyncRAT",
				"Ave Maria",
				"AveMariaRAT",
				"DarkRAT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Imminent Monitor",
				"Imminent Monitor RAT",
				"Iniduoh",
				"Jenxcus",
				"Kognito",
				"Luminosity RAT",
				"LuminosityLink",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Njw0rm",
				"Origin Logger",
				"Parallax",
				"Parallax RAT",
				"ParallaxRAT",
				"Recam",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"WSHRAT",
				"ZPAQ",
				"avemaria",
				"dinihou",
				"dunihi"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bd43391b-b835-4cb3-839a-d830aa1a3410",
			"created_at": "2023-01-06T13:46:38.925525Z",
			"updated_at": "2026-04-10T02:00:03.147197Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"Blind Eagle"
			],
			"source_name": "MISPGALAXY:APT-C-36",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2664d6f5-f918-4978-87f8-f6afad7402c6",
			"created_at": "2023-01-06T13:46:39.393669Z",
			"updated_at": "2026-04-10T02:00:03.312065Z",
			"deleted_at": null,
			"main_name": "Earth Berberoka",
			"aliases": [
				"GamblingPuppet"
			],
			"source_name": "MISPGALAXY:Earth Berberoka",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "abb24b7b-6baa-4070-9a2b-aa59091097d1",
			"created_at": "2022-10-25T16:07:24.339942Z",
			"updated_at": "2026-04-10T02:00:04.944806Z",
			"deleted_at": null,
			"main_name": "Transparent Tribe",
			"aliases": [
				"APT 36",
				"APT-C-56",
				"Copper Fieldstone",
				"Earth Karkaddan",
				"G0134",
				"Green Havildar",
				"Mythic Leopard",
				"Opaque Draco",
				"Operation C-Major",
				"Operation Honey Trap",
				"Operation Transparent Tribe",
				"ProjectM",
				"STEPPY-KAVACH",
				"Storm-0156",
				"TEMP.Lapis",
				"Transparent Tribe"
			],
			"source_name": "ETDA:Transparent Tribe",
			"tools": [
				"Amphibeon",
				"Android RAT",
				"Bezigate",
				"Bladabindi",
				"Bozok",
				"Bozok RAT",
				"BreachRAT",
				"Breut",
				"CapraRAT",
				"CinaRAT",
				"Crimson RAT",
				"DarkComet",
				"DarkKomet",
				"ElizaRAT",
				"FYNLOS",
				"Fynloski",
				"Jorik",
				"Krademok",
				"Limepad",
				"Luminosity RAT",
				"LuminosityLink",
				"MSIL",
				"MSIL/Crimson",
				"Mobzsar",
				"MumbaiDown",
				"Oblique RAT",
				"ObliqueRAT",
				"Peppy RAT",
				"Peppy Trojan",
				"Quasar RAT",
				"QuasarRAT",
				"SEEDOOR",
				"Scarimson",
				"SilentCMD",
				"Stealth Mango",
				"UPDATESEE",
				"USBWorm",
				"Waizsar RAT",
				"Yggdrasil",
				"beendoor",
				"klovbot",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c68fa27f-e8d9-4932-856b-467ccfe39997",
			"created_at": "2023-01-06T13:46:38.450585Z",
			"updated_at": "2026-04-10T02:00:02.980334Z",
			"deleted_at": null,
			"main_name": "Operation C-Major",
			"aliases": [
				"APT36",
				"APT 36",
				"TMP.Lapis",
				"COPPER FIELDSTONE",
				"Storm-0156",
				"Transparent Tribe",
				"ProjectM",
				"Green Havildar",
				"Earth Karkaddan",
				"C-Major",
				"Mythic Leopard"
			],
			"source_name": "MISPGALAXY:Operation C-Major",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434534,
	"ts_updated_at": 1775826705,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d5c0e40e5a4ccf718d3db08535cdba025ebc08b6.pdf",
		"text": "https://archive.orkl.eu/d5c0e40e5a4ccf718d3db08535cdba025ebc08b6.txt",
		"img": "https://archive.orkl.eu/d5c0e40e5a4ccf718d3db08535cdba025ebc08b6.jpg"
	}
}