{ "id": "6e8461e8-974b-4ebd-b9fb-b215343ab38c", "created_at": "2026-04-06T00:19:15.797785Z", "updated_at": "2026-04-10T03:38:19.70847Z", "deleted_at": null, "sha1_hash": "d6701e860d79877cc83630ddc31592f7d6735c33", "title": "Mikroceen: Spying backdoor leveraged in high-profile networks in Central Asia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 501408, "plain_text": "Mikroceen: Spying backdoor leveraged in high-profile networks in\r\nCentral Asia\r\nBy Peter Kálnai\r\nArchived: 2026-04-05 16:15:11 UTC\r\nIn this joint blogpost with fellow researchers from Avast, we provide a technical analysis of a constantly developed RAT that\r\nhas been used in various targeted campaigns against both public and private subjects since late 2017. We observed multiple\r\ninstances of attacks involving this RAT, and all of them happened in Central Asia. Among the targeted subjects were several\r\nimportant companies in the telecommunications and gas industries, and governmental entities.\r\nMoreover, we connect the dots between the latest campaign and three previously published reports: Kaspersky’s Microcin\r\nagainst Russian military personnel, Palo Alto Networks’ BYEBY against the Belarussian government and Checkpoint’s\r\nVicious Panda against the Mongolian public sector. Also, we discuss other malware that was typically a part of the attacker’s\r\ntoolset together with the RAT. We chose the name Mikroceen to cover all instances of the RAT, in acknowledgement of\r\nKaspersky’s initial report on the family. The misspelling is intentional, in order to avoid the established microbiological\r\nnotion, but also to have at least phonemic agreement.\r\nClustering\r\nFirst let’s discuss the clustering of Mikroceen, which is a simple RAT, and show our reasons for thinking reports from\r\nKaspersky, Palo Alto Networks and Checkpoint write about the same specific malware family (among other malicious tools\r\nmentioned). Figure 1 provides a comparison of the decryption loop that is used for configuration data consisting of the C\u0026C\r\ndomain, a name and a password associated with each sample of the RAT. The loop is practically the same and it is\r\nimplemented in three copies in a row. Checkpoint also discussed the similarities of the HTTP headers in the data sections\r\nbetween BYEBY and Vicious Panda, and a shared logging message V09SS0lO that base64 decodes to WORKIN. The\r\nencoded string is also present in Microcin.\r\nFigure 1. Part of the code used to decipher internal data; the exported DLL name is at the bottom\r\nIn the section Attackers’ arsenal below we also compare the command grammars of the RAT’s features and typical error\r\nmessages that are logged during execution with its previous instances. To support the evidence, the preferred provider of the\r\nattackers' infrastructure and the most typical malware simultaneously found on the compromised networks. All these clues\r\nshould evoke strong confidence that it’s the same malware family.\r\nTimeline \u0026 victimology\r\nFigure 2 sketches the evolution how the threat was tracked in time. As we mentioned earlier, the Central Asian region joined\r\nRussia, Belarus and Mongolia as areas with victims of Mikroceen intrusions. These victims were not desktop users, but\r\nendpoints in corporate networks where a higher level of security is expected.\r\nhttps://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia\r\nPage 1 of 7\n\nFigure 2. Timeline of events related to Mikroceen\r\nFigure 3. The recent campaigns in Central Asia surrounded by the previously reported ones\r\nAttackers’ arsenal\r\nLet us describe the tools the attackers used in their campaign in Central Asia. Unfortunately, we were unable to discover\r\nhow they got into the compromised networks.\r\nRAT (client-side backdoor)\r\nOnce the intruders establish a foothold on a victim machine, the code in Figure 4 serves to install the RAT on the system.\r\nNote the parameter start= auto, which establishes the malware’s persistence after a reboot.\r\n@echo off\r\nsc stop PCAudit\r\nsc delete PCAudit\r\nsc create PCAudit binpath= \"C:\\WINDOWS\\syswow64\\svchost.exe -k netsvcs\" type= share start= auto displayname= \"Windows Uplo\r\nsc description PCAudit \"Windows Help Service is a microsoft Windows component for System(Important). If this service is st\r\nsc failure PCAudit reset= 0 actions= restart/0\r\nreg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\PCAudit\\Parameters /v ServiceDll /t REG_EXPAND_SZ /d %SystemRoot%\\Syswow64\\\r\nreg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\PCAudit\\Parameters /v ServiceMain /t REG_SZ /d NtHelpServiceMain\r\nreg add HKLM\\SYSTEM\\CurrentControlSet\\Services\\PCAudit\\Parameters /v ServiceDllUnloadOnStop /t REG_DWORD /d 1\r\nsc start PCAudit\r\ndel %0\r\nFigure 4. Installation batch code\r\nAs we mentioned earlier, each bot comes with configuration data: C\u0026C, client name and client password. The name of the\r\nbot appears in the server-side interface. What is quite unusual is that an operator needs to authenticate by entering the\r\nclient’s password in order to control the client. We can only speculate about the purpose, but it could serve as protection\r\nagainst botnet takeover, in case a competing actor or law enforcement seize their infrastructure. So, we see that certain effort\r\nwas put on the security of the client-server connection. Moreover, the client can connect directly to the C\u0026C server or route\r\nthe traffic via a proxy, which could be useful – especially in corporate networks. The connection is further secured by a\r\ncertificate and this is a feature that distinguishes Mikroceen from the legion of backdoors we have seen since previously.\r\nMikroceen uses the same basic features as already described Palo Alto Networks about BYEBY. The grammar of commands\r\nis quite specific, because each command is truncated to 6 letters and then base64 encoded. That results an 8-letter\r\nincomprehensible word in the code. While in previous cases the encoding was straightforward, in the campaign in Central\r\nhttps://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia\r\nPage 2 of 7\n\nAsia there’s additional unknown encryption layer added. The connection of the 8-letter words with the commands in that\r\ncase was done by agreement on the code level.\r\nCommand Microcin, BYEBY, Vicious Panda Mikroceen\r\nhello! aGVsbG8h AmbZDkEx\r\nGOODBY R09PREJZ eYTS5IwW\r\nBYE BY QllFIEJZ bo7aO8Nb\r\nDISCON RElTQ09O 6GEI6owo\r\nLIST D TElTVCBE Ki0Swb7I\r\nSTARTC U1RBUlRD h71RBG8X\r\nCOMMAN Q09NTUFO 5fdi2TfG\r\nTRANSF + (UPLOAD,\r\nDOWNLO)\r\nVFJBTlNG + (VVBMT0FE,\r\nRE9XTkxP)\r\nJ8AoctiB + (QHbU0hQo,\r\nhwuvE43y)\r\nEXECUT RVhFQ1VU gRQ7mIYr\r\nTable 1. Command grammar of various instances of the RAT\r\nDuring execution, the client logs debug messages in a temporary file. This varies among various Mikroceen instances. Table\r\n2 provides a comparison of these messages from case to case and gives additional evidence that links the instances of\r\nMikroceen.\r\nMicrocin BYEBY Vicious Panda Mikroceen #rowspan#\r\n#rowspan#\r\n#rowspan# #rowspan# 32-bit 64-bit\r\nFolder\r\n%\r\nCSIDL_COMMON_DOCUMENTS%\r\n%TEMP%\r\n%\r\nCSIDL_COMMON_DOCUMENTS%\r\n%TEMP%\r\nFilename 7B296FB0.CAB vmunisvc.cab 5E8C6FF0.CAB 7B296FB0.CAB W52G86ST\r\nKeywords\r\nat main\r\nV09SS0lO\r\nU3RhcnQ=\r\nV09SS0lO\r\nU3RhcnQ=\r\nV09SS0lO\r\nU3RhcnQ=\r\nV09SS0lO GvFa8Sei\r\nKeyword\r\nat connect\r\nZGlyZWN0 ZGlyZWN0 ZGlyZWN0 wfZ155bJ wfZ155bJ\r\nTable 2. Logging messages in a temporary file\r\nSimultaneously occurring malware\r\nThe previous reports always mention a wide arsenal of tools that are used in the attacks. In our case it was the same – not\r\njust Mikroceen, but other malware as well. Here are the three most important tools we observed in the compromised\r\nnetworks.\r\nLateral movement via Mimikatz\r\nThe attackers used their implementation of Mimikatz, delivered via a two-stage mechanism: the first stage was a dropper\r\nusually called installer.exe or Yokel64.exe, which dropped the main payload with an indicative external DLL name\r\nmktz64.dll in the second stage. While Mikroceen has never come with debug information, here we can see the string\r\nE:\\2018_\\MimHash\\mimikatz\\Bin\\mktzx64.pdb\r\nFigure 5. A PDB string in the Mimikatz payload\r\nhttps://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia\r\nPage 3 of 7\n\nMimikatz is an open source project by French security researcher Benjamin Delpy, developed since 2007. It’s a robust tool\r\nthat, among other things, can bypass various Windows authentication schemes, basically by dumping credential data from\r\nthe Windows Local Security Account database. It’s mainly used by red teams in IT security but also misused across the\r\nspectrum of APT actors, e.g. Lazarus Group, Telebots, Okrum etc. After running it in a test virtual environment, its output is\r\n(the incorrect spaces before the commas are in the original):\r\n#1 domain = MSEDGEWIN10, user = Administrator , nthash=FC525C9683E8FE067095BA2DDC971889.\r\n#2 domain = MSEDGEWIN10, user = IEUser , nthash=FC525C9683E8FE067095BA2DDC971889.\r\nLateral movement via WMI\r\nThe attackers use an additional tool to spread in the hosting network. This time they leverage Windows Management\r\nInstrumentation (WMI). All relevant data is needed as the file’s name, as during the execution it expects\r\n@@\u003cComputerName\u003e,\u003cUserName\u003e,\u003cPassword\u003e,.exe.  In the first step, a console to a remote computer is established,\r\nwhere the connection is identified by \u003cComputerName\u003e and authenticated with (\u003cUserName\u003e, \u003cPassword\u003e). Afterwards,\r\nproxy security is set to the strict level, which means arguments of each remote procedure call are encrypted and the server’s\r\naccess to local resources is allowed. Then WMI is used again to retrieve the Win32_Process class, which in turn is used to\r\ncreate a process with given parameters. When all the work is done, the tool terminates itself.\r\nGh0st RAT\r\nThis infamous, old RAT was created around 2008. In this instance it was found as rastls.dll on the compromised systems,\r\nwhile the exported DLL name is usually svchost.dll. It tries to connect with https://yuemt.zzux[.]com:443, which resolves to\r\nan IP address in China. This is an exception with no explanation, because the server doesn’t belong to any of the C\u0026C\r\nproviders used by Mikroceen. From our point of view, it seems redundant to use this additional backdoor, whose capacity is\r\nfully provided by Mikroceen itself.\r\nTo recognize this backdoor, one observes the string Gh0st within the binary. The character string uwqixgze} is used as a\r\nplaceholder for the C\u0026C domain.\r\nFigure 6. Gh0st RAT malware (fragment)\r\nC\u0026C panel (server-side interface)\r\nThe previous reports already mention the poor operational security of the attackers (their open directories were observed by\r\nKaspersky and Checkpoint), and the actors behind continue to leak tools not necessarily leveraged on the victims' side. We\r\nwere able to get our hands on an older version of RAT’s control panel.  On the lower part of Figure 7 there’s a graphical\r\ninterface through which all bots are commanded. It is very minimalistic, which may be due to an older version from 2017,\r\nbut still, just compare it with the greater than 10-year-old panel of Gh0st RAT. There’s not much improved since, visually or\r\nfunctionally, so the introduction of SSL connections seems like the main shift between the projects (the text box for “CN\r\nName” on the figure). It seems that the operators of the botnet are content customers of Vultr services, a child company of\r\nChoopa LLC, as their operational infrastructure is mostly hosted there, and this was also observed in the Vicious Panda\r\ncampaign by Checkpoint. This is a bullet-proof provider, documented by researchers from Cisco as early as 2015.\r\nhttps://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia\r\nPage 4 of 7\n\nFigure 7. Interfaces for controlling bots: Gh0st RAT (2008) vs. Mikroceen’s interface (2017)\r\nConclusion\r\nWe have presented the analysis of a custom implementation of a client-server model developed for spying purposes. The\r\nmalware developers put great effort into the security and robustness of the connection with their victims and the operators\r\nmanaged to penetrate high-profile corporate networks. Moreover, they have a larger toolset of attack tools at their disposal\r\nand their projects are under constant development, mostly visible as variations in obfuscation.\r\nIndicators of Compromise (IoCs)\r\nHere are the hashes of samples described in the article. Additional IoCs collected from the attacks can be found on ESET’s\r\nGitHub or Avast’s GitHub.\r\nSHA Timestamp Description ES\r\nd215bb8af5581b31f194248fc3bd13d999a5991c\r\n2016-06-29\r\n00:34:42\r\nMicrocin (Kaspersky)\r\n7771e1738fc2e4de210ac06a5e62c534\r\nWi\r\n7a63fc9db2bc1e9b1ef793723d5877e6b4c566b8\r\n2017-07-06\r\n08:15:31\r\nBYEBY (PANW)\r\n383a2d8f421ad2f243cbc142e9715c78f867a114b037626c2097cb3e070f67d6\r\nWi\r\n2f80f51188dc9aea697868864d88925d64c26abc\r\n2017-01-28\r\n11:33:43\r\nVicious Panda (Checkpoint) Wi\r\n302cf1a90507efbded6b8f53e380591a3eaf6dcb\r\n2019-04-25\r\n01:15:40\r\nMikroceen 32-bit Wi\r\nhttps://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia\r\nPage 5 of 7\n\nSHA Timestamp Description ES\r\n21ffd24b8074d7cffdf4cc339d1fa8fe892eba27\r\n2018-12-10\r\n07:46:25\r\nMikroceen 64-bit Wi\r\n5192023133dce042da8b6220e4e7e2e0dcb000b3\r\n2019-03-11\r\n12:14:09\r\nMimikatz Wi\r\nc18602552352fee592972603262fe15c2cdb215a\r\n2015-03-16\r\n03:29:39\r\nLateral Movement via WMI Wi\r\n4de4b662055d3083a1bccf2bc49976cdd819bc01\r\n2015-12-31\r\n03:10:15\r\nGh0st RAT Wi\r\nReferences\r\nVasily Berdnikov, Dmitry Karasovsky, Alexey Shulmin: “Microcin malware”, Kaspersky Labs 2017-9-25\r\nJosh Grunzweig, Robert Falcone: “Threat Actors Target Government of Belarus Using CMSTAR Trojan”, September\r\n2017\r\nCheckpoint Research: “Vicious Panda: The COVID Campaign”, 2020-03-12\r\nSecDev Group \u0026 Citizenlab, “Tracking GhostNet: Investigating a Cyber Espionage Network”, March 2009,\r\nDhia Mahjoub, Jeremiah O'Connor, Thibault Reuille, Thomas Mathew: “Phishing, Spiking, and Bad Hosting”, Cisco\r\nUmbrella Blog, 2015-09-14\r\n“Mimikatz: A little tool to play with Windows security”\r\nPeter Kálnai, Anton Cherepanov. “Lazarus KillDisks Central American casino”, WeLiveSecurity.com, April 2018\r\nAnton Cherepanov, Robert Lipovský: “New TeleBots backdoor: First evidence linking Industroyer to NotPetya”,\r\nWeLiveSecurity.com, October 2018\r\nZuzana Hromcová: “Okrum: Ke3chang group targets diplomatic missions”, WeLiveSecurity.com, July 2019\r\nAvast Threat Intelligence, GitHub repository\r\nESET Threat Intelligence, GitHub repository\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Description\r\nExecution\r\nT1035 Service Execution\r\nThe RAT is configured to run as a service at startup\r\nvia sc.exe.\r\nT1059 Command-Line Interface The RAT can execute a command line.\r\nT1064 Scripting\r\nThe attackers used batch scripts for malware\r\ninstallation and execution.\r\nT1105 Remote File Copy\r\nThe RAT can download files to the victim’s\r\nmachine\r\nT1106 Execution through API\r\nThe RAT launches the Windows console via\r\nCreateProcess.\r\nPersistence T1050 New Service The RAT is executed automatically\r\nDefense\r\nEvasion\r\nT1036 Masquerading\r\nThe RAT disguises itself as various types of\r\nlegitimate services.\r\nT1140\r\nDeobfuscate/Decode Files or\r\nInformation\r\nThe commands of the RAT and some of its\r\ncomponents are encoded/encrypted.\r\nDiscovery\r\nT1082 System Information Discovery\r\nThe RAT sends information, like the version of the\r\noperating system to be displayed, in operator’s\r\npanel.\r\nT1016\r\nSystem Network Configuration\r\nDiscovery\r\nThe RAT collects network information, including\r\nhost IP address and proxy information.\r\nT1033 System Owner/User Discovery\r\nThe RAT sends information, like the username to\r\nbe displayed, in operator’s panel.\r\nCredential\r\nAccess\r\nT1003.001\r\nOS Credential Dumping:\r\nLSASS Memory\r\nMimikatz is used in the attack.\r\nhttps://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia\r\nPage 6 of 7\n\nTactic ID Name Description\r\nCommand and\r\nControl\r\nT1032\r\nStandard Cryptographic\r\nProtocol\r\nThe RAT uses SSL for encrypting C2\r\ncommunications.\r\nT1043 Commonly Used Port The RAT uses port 443.\r\nT1071\r\nStandard Application Layer\r\nProtocol\r\nThe RAT uses the Schannel implementation of\r\nSSL.\r\nT1001 Data Obfuscation\r\nThe RAT’s interface controls the client with\r\nobfuscated commands.\r\nT1090.002 Proxy: External Proxy\r\nThe RAT has a proxy option that masks traffic\r\nbetween the malware and the remote operators.\r\nExfiltration T1041\r\nExfiltration Over Command\r\nand Control Channel\r\nThe operator of the RAT can download any desired\r\nfile from a victim.\r\nCollection T1113 Screen Capture The RAT can capture the victim’s screen.\r\nSource: https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia\r\nhttps://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia\r\nPage 7 of 7\n\ncertificate and this Mikroceen uses the is a feature that distinguishes same basic features Mikroceen as already described from the legion of backdoors Palo Alto Networks we have seen about BYEBY. The grammar since previously. of commands\nis quite specific, because each command is truncated to 6 letters and then base64 encoded. That results an 8-letter\nincomprehensible word in the code. While in previous cases the encoding was straightforward, in the campaign in Central\n Page 2 of 7", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia" ], "references": [ "https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia" ], "report_names": [ "mikroceen-spying-backdoor-high-profile-networks-central-asia" ], "threat_actors": [ { "id": "3cc6c262-df23-4075-a93f-b496e8908eb2", "created_at": "2022-10-25T16:07:23.682239Z", "updated_at": "2026-04-10T02:00:04.708878Z", "deleted_at": null, "main_name": "GhostNet", "aliases": [ "GhostNet", "Snooping Dragon" ], "source_name": "ETDA:GhostNet", "tools": [ "AngryRebel", "Farfli", "Gh0st RAT", "Gh0stnet", "Ghost RAT", "Ghostnet", "Moudour", "Mydoor", "PCRat", "Remosh", "TOM-Skype" ], "source_id": "ETDA", "reports": null }, { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "e91dae30-a513-4fb1-aace-4457466313b3", "created_at": "2023-01-06T13:46:38.974913Z", "updated_at": "2026-04-10T02:00:03.168521Z", "deleted_at": null, "main_name": "GhostNet", "aliases": [ "Snooping Dragon" ], "source_name": "MISPGALAXY:GhostNet", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f5c5d5d4-3969-4e34-9982-55144c3908eb", "created_at": "2022-10-25T16:07:24.37846Z", "updated_at": "2026-04-10T02:00:04.965506Z", "deleted_at": null, "main_name": "Vicious Panda", "aliases": [ "Bronze Dudley" ], "source_name": "ETDA:Vicious Panda", "tools": [ "8.t Dropper", "8.t RTF exploit builder", "8t_dropper", "BBSRAT", "Byeby", "Cmstar", "Enfal", "Lurid", "Pylot", "RoyalRoad", "Travle", "meciv" ], "source_id": "ETDA", "reports": null }, { "id": "0a03e7f0-2f75-4153-9c4f-c46d12d3962e", "created_at": "2022-10-25T15:50:23.453824Z", "updated_at": "2026-04-10T02:00:05.28793Z", "deleted_at": null, "main_name": "Ke3chang", "aliases": [ "Ke3chang", "APT15", "Vixen Panda", "GREF", "Playful Dragon", "RoyalAPT", "Nylon Typhoon" ], "source_name": "MITRE:Ke3chang", "tools": [ "Okrum", "Systeminfo", "netstat", "spwebmember", "Mimikatz", "Tasklist", "MirageFox", "Neoichor", "ipconfig" ], "source_id": "MITRE", "reports": null }, { "id": "39842197-944a-49fd-9bec-eafa1807e0ea", "created_at": "2022-10-25T16:07:24.310589Z", "updated_at": "2026-04-10T02:00:04.931264Z", "deleted_at": null, "main_name": "TeleBots", "aliases": [], "source_name": "ETDA:TeleBots", "tools": [ "BadRabbit", "Black Energy", "BlackEnergy", "CredRaptor", "Diskcoder.C", "EternalPetya", "ExPetr", "Exaramel", "FakeTC", "Felixroot", "GreyEnergy", "GreyEnergy mini", "KillDisk", "LOLBAS", "LOLBins", "Living off the Land", "NonPetya", "NotPetya", "Nyetya", "Petna", "Petrwrap", "Pnyetya", "TeleBot", "TeleDoor", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "nPetya" ], "source_id": "ETDA", "reports": null }, { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3c7097f4-849b-4bc0-a7e6-ba2b510722b6", "created_at": "2022-10-25T16:07:23.869951Z", "updated_at": "2026-04-10T02:00:04.766204Z", "deleted_at": null, "main_name": "Mikroceen", "aliases": [ "SixLittleMonkeys" ], "source_name": "ETDA:Mikroceen", "tools": [ "AngryRebel", "Farfli", "Gh0st RAT", "Ghost RAT", "Microcin", "Mikroceen", "Mimikatz", "Moudour", "Mydoor", "PCRat", "logon.dll", "logsupport.dll", "pcaudit.bat", "sqllauncher.dll" ], "source_id": "ETDA", "reports": null }, { "id": "6e79c98d-c678-4f28-b869-5723a78e71f4", "created_at": "2023-01-06T13:46:39.422441Z", "updated_at": "2026-04-10T02:00:03.322083Z", "deleted_at": null, "main_name": "Vicious Panda", "aliases": [ "SixLittleMonkeys" ], "source_name": "MISPGALAXY:Vicious Panda", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "732597b1-40a8-474c-88cc-eb8a421c29f1", "created_at": "2025-08-07T02:03:25.087732Z", "updated_at": "2026-04-10T02:00:03.776007Z", "deleted_at": null, "main_name": "NICKEL GLADSTONE", "aliases": [ "APT38 ", "ATK 117 ", "Alluring Pisces ", "Black Alicanto ", "Bluenoroff ", "CTG-6459 ", "Citrine Sleet ", "HIDDEN COBRA ", "Lazarus Group", "Sapphire Sleet ", "Selective Pisces ", "Stardust Chollima ", "T-APT-15 ", "TA444 ", "TAG-71 " ], "source_name": "Secureworks:NICKEL GLADSTONE", "tools": [ "AlphaNC", "Bankshot", "CCGC_Proxy", "Ratankba", "RustBucket", "SUGARLOADER", "SwiftLoader", "Wcry" ], "source_id": "Secureworks", "reports": null }, { "id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa", "created_at": "2022-10-25T16:47:55.919702Z", "updated_at": "2026-04-10T02:00:03.618194Z", "deleted_at": null, "main_name": "IRON VIKING", "aliases": [ "APT44 ", "ATK14 ", "BlackEnergy Group", "Blue Echidna ", "CTG-7263 ", "ELECTRUM ", "FROZENBARENTS ", "Hades/OlympicDestroyer ", "IRIDIUM ", "Qudedagh ", "Sandworm Team ", "Seashell Blizzard ", "TEMP.Noble ", "Telebots ", "Voodoo Bear " ], "source_name": "Secureworks:IRON VIKING", "tools": [ "BadRabbit", "BlackEnergy", "GCat", "NotPetya", "PSCrypt", "TeleBot", "TeleDoor", "xData" ], "source_id": "Secureworks", "reports": null }, { "id": "20b5fa2f-2ef1-4e69-8275-25927a762f72", "created_at": "2025-08-07T02:03:24.573647Z", "updated_at": "2026-04-10T02:00:03.765721Z", "deleted_at": null, "main_name": "BRONZE DUDLEY", "aliases": [ "TA428 ", "Temp.Hex ", "Vicious Panda " ], "source_name": "Secureworks:BRONZE DUDLEY", "tools": [ "NCCTrojan", "PhantomNet", "PoisonIvy", "Royal Road" ], "source_id": "Secureworks", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7d5531e2-0ad1-4237-beed-af009035576f", "created_at": "2024-05-01T02:03:07.977868Z", "updated_at": "2026-04-10T02:00:03.817883Z", "deleted_at": null, "main_name": "BRONZE PALACE", "aliases": [ "APT15 ", "BRONZE DAVENPORT ", "BRONZE IDLEWOOD ", "CTG-6119 ", "CTG-6119 ", "CTG-9246 ", "Ke3chang ", "NICKEL ", "Nylon Typhoon ", "Playful Dragon", "Vixen Panda " ], "source_name": "Secureworks:BRONZE PALACE", "tools": [ "BMW", "BS2005", "Enfal", "Mirage", "RoyalCLI", "RoyalDNS" ], "source_id": "Secureworks", "reports": null }, { "id": "7c8cf02c-623a-4793-918b-f908675a1aef", "created_at": "2023-01-06T13:46:38.309165Z", "updated_at": "2026-04-10T02:00:02.921721Z", "deleted_at": null, "main_name": "APT15", "aliases": [ "Metushy", "Lurid", "Social Network Team", "Royal APT", "BRONZE DAVENPORT", "BRONZE IDLEWOOD", "VIXEN PANDA", "Ke3Chang", "Playful Dragon", "BRONZE PALACE", "G0004", "Red Vulture", "Nylon Typhoon" ], "source_name": "MISPGALAXY:APT15", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "32a223a8-3c79-4146-87c5-8557d38662ae", "created_at": "2022-10-25T15:50:23.703698Z", "updated_at": "2026-04-10T02:00:05.261989Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "NICKEL ACADEMY", "Diamond Sleet" ], "source_name": "MITRE:Lazarus Group", "tools": [ "RawDisk", "Proxysvc", "BADCALL", "FALLCHILL", "WannaCry", "MagicRAT", "HOPLIGHT", "TYPEFRAME", "Dtrack", "HotCroissant", "HARDRAIN", "Dacls", "KEYMARBLE", "TAINTEDSCRIBE", "AuditCred", "netsh", "ECCENTRICBANDWAGON", "AppleJeus", "BLINDINGCAN", "ThreatNeedle", "Volgmer", "Cryptoistic", "RATANKBA", "Bankshot" ], "source_id": "MITRE", "reports": null }, { "id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6", "created_at": "2022-10-25T15:50:23.339976Z", "updated_at": "2026-04-10T02:00:05.27483Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "Sandworm Team", "ELECTRUM", "Telebots", "IRON VIKING", "BlackEnergy (Group)", "Quedagh", "Voodoo Bear", "IRIDIUM", "Seashell Blizzard", "FROZENBARENTS", "APT44" ], "source_name": "MITRE:Sandworm Team", "tools": [ "Bad Rabbit", "Mimikatz", "Exaramel for Linux", "Exaramel for Windows", "GreyEnergy", "PsExec", "Prestige", "P.A.S. Webshell", "AcidPour", "VPNFilter", "Neo-reGeorg", "Cyclops Blink", "SDelete", "Kapeka", "AcidRain", "Industroyer", "Industroyer2", "BlackEnergy", "Cobalt Strike", "NotPetya", "KillDisk", "PoshC2", "Impacket", "Invoke-PSImage", "Olympic Destroyer" ], "source_id": "MITRE", "reports": null }, { "id": "17b1b76b-16da-4c4f-8b32-f6fede3eda8c", "created_at": "2022-10-25T16:07:23.750796Z", "updated_at": "2026-04-10T02:00:04.736762Z", "deleted_at": null, "main_name": "Ke3chang", "aliases": [ "APT 15", "BackdoorDiplomacy", "Bronze Davenport", "Bronze Idlewood", "Bronze Palace", "CTG-9246", "G0004", "G0135", "GREF", "Ke3chang", "Metushy", "Nylon Typhoon", "Operation Ke3chang", "Operation MirageFox", "Playful Dragon", "Playful Taurus", "PurpleHaze", "Red Vulture", "Royal APT", "Social Network Team", "Vixen Panda" ], "source_name": "ETDA:Ke3chang", "tools": [ "Agentemis", "Anserin", "BS2005", "BleDoor", "CarbonSteal", "Cobalt Strike", "CobaltStrike", "DarthPusher", "DoubleAgent", "EternalBlue", "GoldenEagle", "Graphican", "HenBox", "HighNoon", "IRAFAU", "Ketrican", "Ketrum", "LOLBAS", "LOLBins", "Living off the Land", "MS Exchange Tool", "Mebroot", "Mimikatz", "MirageFox", "NBTscan", "Okrum", "PluginPhantom", "PortQry", "ProcDump", "PsList", "Quarian", "RbDoor", "RibDoor", "Royal DNS", "RoyalCli", "RoyalDNS", "SAMRID", "SMBTouch", "SilkBean", "Sinowal", "SpyWaller", "Theola", "TidePool", "Torpig", "Turian", "Winnti", "XSLCmd", "cobeacon", "nbtscan", "netcat", "spwebmember" ], "source_id": "ETDA", "reports": null }, { "id": "f32df445-9fb4-4234-99e0-3561f6498e4e", "created_at": "2022-10-25T16:07:23.756373Z", "updated_at": "2026-04-10T02:00:04.739611Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "APT-C-26", "ATK 3", "Appleworm", "Citrine Sleet", "DEV-0139", "Diamond Sleet", "G0032", "Gleaming Pisces", "Gods Apostles", "Gods Disciples", "Group 77", "Guardians of Peace", "Hastati Group", "Hidden Cobra", "ITG03", "Jade Sleet", "Labyrinth Chollima", "Lazarus Group", "NewRomanic Cyber Army Team", "Operation 99", "Operation AppleJeus", "Operation AppleJeus sequel", "Operation Blockbuster: Breach of Sony Pictures Entertainment", "Operation CryptoCore", "Operation Dream Job", "Operation Dream Magic", "Operation Flame", "Operation GhostSecret", "Operation In(ter)caption", "Operation LolZarus", "Operation Marstech Mayhem", "Operation No Pineapple!", "Operation North Star", "Operation Phantom Circuit", "Operation Sharpshooter", "Operation SyncHole", "Operation Ten Days of Rain / DarkSeoul", "Operation Troy", "SectorA01", "Slow Pisces", "TA404", "TraderTraitor", "UNC2970", "UNC4034", "UNC4736", "UNC4899", "UNC577", "Whois Hacking Team" ], "source_name": "ETDA:Lazarus Group", "tools": [ "3CX Backdoor", "3Rat Client", "3proxy", "AIRDRY", "ARTFULPIE", "ATMDtrack", "AlphaNC", "Alreay", "Andaratm", "AngryRebel", "AppleJeus", "Aryan", "AuditCred", "BADCALL", "BISTROMATH", "BLINDINGCAN", "BTC Changer", "BUFFETLINE", "BanSwift", "Bankshot", "Bitrep", "Bitsran", "BlindToad", "Bookcode", "BootWreck", "BottomLoader", "Brambul", "BravoNC", "Breut", "COLDCAT", "COPPERHEDGE", "CROWDEDFLOUNDER", "Castov", "CheeseTray", "CleanToad", "ClientTraficForwarder", "CollectionRAT", "Concealment Troy", "Contopee", "CookieTime", "Cyruslish", "DAVESHELL", "DBLL Dropper", "DLRAT", "DRATzarus", "DRATzarus RAT", "Dacls", "Dacls RAT", "DarkComet", "DarkKomet", "DeltaCharlie", "DeltaNC", "Dembr", "Destover", "DoublePulsar", "Dozer", "Dtrack", "Duuzer", "DyePack", "ECCENTRICBANDWAGON", "ELECTRICFISH", "Escad", "EternalBlue", "FALLCHILL", "FYNLOS", "FallChill RAT", "Farfli", "Fimlis", "FoggyBrass", "FudModule", "Fynloski", "Gh0st RAT", "Ghost RAT", "Gopuram", "HARDRAIN", "HIDDEN COBRA RAT/Worm", "HLOADER", "HOOKSHOT", "HOPLIGHT", "HOTCROISSANT", "HOTWAX", "HTTP Troy", "Hawup", "Hawup RAT", "Hermes", "HotCroissant", "HotelAlfa", "Hotwax", "HtDnDownLoader", "Http Dr0pper", "ICONICSTEALER", "Joanap", "Jokra", "KANDYKORN", "KEYMARBLE", "Kaos", "KillDisk", "KillMBR", "Koredos", "Krademok", "LIGHTSHIFT", "LIGHTSHOW", "LOLBAS", "LOLBins", "Lazarus", "LightlessCan", "Living off the Land", "MATA", "MBRkiller", "MagicRAT", "Manuscrypt", "Mimail", "Mimikatz", "Moudour", "Mydoom", "Mydoor", "Mytob", "NACHOCHEESE", "NachoCheese", "NestEgg", "NickelLoader", "NineRAT", "Novarg", "NukeSped", "OpBlockBuster", "PCRat", "PEBBLEDASH", "PLANKWALK", "POOLRAT", "PSLogger", "PhanDoor", "Plink", "PondRAT", "PowerBrace", "PowerRatankba", "PowerShell RAT", "PowerSpritz", "PowerTask", "Preft", "ProcDump", "Proxysvc", "PuTTY Link", "QUICKRIDE", "QUICKRIDE.POWER", "Quickcafe", "QuiteRAT", "R-C1", "ROptimizer", "Ratabanka", "RatabankaPOS", "Ratankba", "RatankbaPOS", "RawDisk", "RedShawl", "Rifdoor", "Rising Sun", "Romeo-CoreOne", "RomeoAlfa", "RomeoBravo", "RomeoCharlie", "RomeoCore", "RomeoDelta", "RomeoEcho", "RomeoFoxtrot", "RomeoGolf", "RomeoHotel", "RomeoMike", "RomeoNovember", "RomeoWhiskey", "Romeos", "RustBucket", "SHADYCAT", "SHARPKNOT", "SIGFLIP", "SIMPLESEA", "SLICKSHOES", "SORRYBRUTE", "SUDDENICON", "SUGARLOADER", "SheepRAT", "SierraAlfa", "SierraBravo", "SierraCharlie", "SierraJuliett-MikeOne", "SierraJuliett-MikeTwo", "SimpleTea", "SimplexTea", "SmallTiger", "Stunnel", "TAINTEDSCRIBE", "TAXHAUL", "TFlower", "TOUCHKEY", "TOUCHMOVE", "TOUCHSHIFT", "TOUCHSHOT", "TWOPENCE", "TYPEFRAME", "Tdrop", "Tdrop2", "ThreatNeedle", "Tiger RAT", "TigerRAT", "Trojan Manuscript", "Troy", "TroyRAT", "VEILEDSIGNAL", "VHD", "VHD Ransomware", "VIVACIOUSGIFT", "VSingle", "ValeforBeta", "Volgmer", "Vyveva", "W1_RAT", "Wana Decrypt0r", "WanaCry", "WanaCrypt", "WanaCrypt0r", "WannaCry", "WannaCrypt", "WannaCryptor", "WbBot", "Wcry", "Win32/KillDisk.NBB", "Win32/KillDisk.NBC", "Win32/KillDisk.NBD", "Win32/KillDisk.NBH", "Win32/KillDisk.NBI", "WinorDLL64", "Winsec", "WolfRAT", "Wormhole", "YamaBot", "Yort", "ZetaNile", "concealment_troy", "http_troy", "httpdr0pper", "httpdropper", "klovbot", "sRDI" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434755, "ts_updated_at": 1775792299, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/d6701e860d79877cc83630ddc31592f7d6735c33.pdf", "text": "https://archive.orkl.eu/d6701e860d79877cc83630ddc31592f7d6735c33.txt", "img": "https://archive.orkl.eu/d6701e860d79877cc83630ddc31592f7d6735c33.jpg" } }