{
	"id": "c7873915-e357-483a-b82a-860e3b877725",
	"created_at": "2026-04-06T00:12:38.399064Z",
	"updated_at": "2026-04-10T03:33:51.889143Z",
	"deleted_at": null,
	"sha1_hash": "d721b9452e033d501df92c2d7c6b64d890bb7782",
	"title": "ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 725475,
	"plain_text": "ProjectSauron: top level cyber-espionage platform covertly extracts\r\nencrypted government comms\r\nBy GReAT\r\nPublished: 2016-08-08 · Archived: 2026-04-05 15:11:23 UTC\r\n Download the full report (PDF)\r\n Technical analysis\r\n Indicators of compromise (IOC)\r\nDownload YARA rules\r\nMore information about ProjectSauron is available to customers of Kaspersky Intelligence Reporting Service. Contact:\r\nintelreports@kaspersky.com\r\nIntroduction:\r\nOver the last few years, the number of “APT-related” incidents described in the media has grown significantly. For many of\r\nthese, though, the designation “APT”, indicating an “Advanced Persistent Threat”, is usually an exaggeration. With some\r\nnotable exceptions, few of the threat actors usually described in the media are advanced. These exceptions, which in our\r\nopinion represent the pinnacle of cyberespionage tools, the truly “advanced” threat actors out there, are Equation, Regin,\r\nDuqu and Careto. Another such exceptional espionage platform is “ProjectSauron”, also known as “Strider”.\r\nWhat differentiates a truly advanced threat actor from a wannabe APT? 
Here are a few features that characterize the ‘top’\r\ncyberespionage groups:\r\nThe use of zero day exploits\r\nUnknown, never identified infection vectors\r\nHave compromised multiple government organizations in several countries\r\nHave successfully stolen information for many years before being discovered\r\nHave the ability to steal information from air gapped networks\r\nSupport multiple covert exfiltration channels on various protocols\r\nMalware modules which can exist only in memory without touching the disk\r\nUnusual persistence techniques which sometimes use undocumented OS features\r\n“ProjectSauron” easily covers many of these points.\r\nFrom discovery to detection:\r\nWhen talking about long-standing cyber-espionage campaigns, many people wonder why it took so long to catch them.\r\nPerhaps one of the explanations is having the right tools for the right job. Trying to catch government or military grade\r\nmalware requires specialized technologies and products. One such product is Kaspersky’s Anti-Targeted Attack Platform\r\n(KATA). In September 2015, our anti-targeted attack technologies caught a previously unknown attack. The suspicious\r\nmodule was an executable library, loaded in the memory of a Windows domain controller (DC). The library was registered\r\nas a Windows password filter and had access to sensitive data in cleartext. Additional research revealed signs of massive\r\nactivity from a new threat actor that we codenamed ‘ProjectSauron’, responsible for large-scale attacks against key\r\ngovernmental entities in several countries.\r\nhttps://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/\r\nPage 1 of 8\n\n“SAURON” – internal name used in the Lua scripts\r\nProjectSauron comprises a top-of-the-top modular cyber-espionage platform in terms of technical sophistication, designed to\r\nenable long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. 
Technical\r\ndetails show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. For\r\nexample, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim.\r\nSome other key features of ProjectSauron:\r\nIt is a modular platform designed to enable long-term cyber-espionage campaigns.\r\nAll modules and network protocols use strong encryption algorithms, such as RC6, RC5, RC4, AES, Salsa20, etc.\r\nIt uses a modified Lua scripting engine to implement the core platform and its plugins.\r\nThere are upwards of 50 different plugin types.\r\nThe actor behind ProjectSauron has a high interest in communication encryption software widely used by targeted\r\ngovernmental organizations. It steals encryption keys, configuration files, and IP addresses of the key infrastructure\r\nservers related to the encryption software.\r\nIt is able to exfiltrate data from air-gapped networks by using specially-prepared USB storage drives where data is\r\nstored in an area invisible to the operating system.\r\nThe platform makes extensive use of the DNS protocol for data exfiltration and real-time status reporting.\r\nThe APT was operational as early as June 2011 and remained active until April 2016.\r\nThe initial infection vector used to penetrate victim networks remains unknown.\r\nThe attackers utilize legitimate software distribution channels for lateral movement within infected networks.\r\nTo help our readers better understand the ProjectSauron attack platform, we’ve prepared an FAQ which brings together\r\nsome of the most important points about this attacker and its tools. A brief technical report is also available, including IOCs\r\nand Yara rules.\r\nOur colleagues from Symantec have also released their analysis on ProjectSauron / Strider. 
You can read it here:\r\nhttp://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets\r\nProjectSauron FAQ:\r\n1. What is ProjectSauron?\r\nProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term\r\ncampaigns through stealthy survival mechanisms coupled with multiple exfiltration methods.\r\nTechnical details show how attackers learned from other extremely advanced actors in order to avoid repeating their\r\nmistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any\r\nother victim.\r\nUsually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given\r\nindustry. That usually results in several infections in countries within that region, or in the targeted industry around the\r\nworld. Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value\r\nintelligence by compromising almost all key entities it could possibly reach within the target area.\r\nThe name ProjectSauron reflects the fact that the code authors refer to ‘Sauron’ in the Lua scripts.\r\n2. Who are the victims?\r\nUsing our telemetry, we found more than 30 infected organizations in Russia, Iran, Rwanda and possibly in Italian-speaking\r\ncountries as well. Many more organizations and geographies are likely to be affected.\r\nThe attacked organizations are key entities that provide core state functions:\r\nGovernment\r\nScientific research centers\r\nMilitary\r\nTelecommunication providers\r\nFinance\r\n3. Have you notified victims?\r\nAs usual, Kaspersky Lab actively collaborates with industry partners, CERTs and law enforcement agencies to notify\r\nvictims and help to mitigate the threat. 
We also rely on public awareness to spread information about it. If you need more\r\ninformation about this actor, please contact intelreports@kaspersky.com.\r\n4. For how long have the attackers been active?\r\nForensic analysis indicates that the APT has been operational since at least June 2011 and was still active in 2016. Although\r\nit appears to have largely ceased, there is a chance that it is still active on computer systems that are not covered by\r\nKaspersky Lab solutions.\r\n5. Did the attackers use interesting or advanced techniques?\r\nThe attackers used multiple interesting and unusual techniques, including:\r\nData exfiltration and real-time status reporting using DNS requests.\r\nImplant deployment using legitimate software update scripts.\r\nData exfiltration from air-gapped networks through the use of specially prepared USB storage drives where the stolen\r\ndata is stored in the area unused by standard tools of the operating system.\r\nUsing a modified Lua scripting engine to implement the core platform and its plugins. The use of Lua components in\r\nmalware is very rare – it was previously spotted in the Flame and Animal Farm attacks.\r\n6. How did you discover this malware?\r\nIn September 2015, Kaspersky Lab’s Anti-Targeted Attack Platform discovered anomalous network traffic in a client\r\norganization’s network. Analysis of this incident led to the discovery of a strange executable program library loaded into the\r\nmemory of the domain controller server. The library was registered as a Windows password filter and had access to sensitive\r\ndata such as administrative passwords in cleartext. Additional research revealed signs of activity of a previously unknown\r\nthreat actor.\r\n7. 
How does ProjectSauron operate?\r\nProjectSauron usually registers its persistence module on domain controllers as a Windows LSA (Local Security Authority)\r\npassword filter. This feature is typically used by system administrators to enforce password policies and validate new\r\npasswords to match specific requirements, such as length and complexity. This way, the ProjectSauron passive backdoor\r\nmodule starts every time any network or local user (including an administrator) logs in or changes a password, and promptly\r\nharvests the password in plaintext.\r\nIn cases where domain controllers lack direct Internet access, the attackers install additional implants on other local servers\r\nwhich have both local network and Internet access and may pass through a significant amount of network traffic, such as proxy servers, web servers, or software update servers. After that, these intermediary servers are used by ProjectSauron as internal\r\nproxy nodes for silent and inconspicuous data exfiltration, blending in with high volumes of legitimate traffic.\r\nOnce installed, the main ProjectSauron modules start working as ‘sleeper cells’, displaying no activity of their own and\r\nwaiting for ‘wake-up’ commands in the incoming network traffic. This method of operation ensures ProjectSauron’s\r\nextended persistence on the servers of targeted organizations.\r\n8. What kind of implants does ProjectSauron use?\r\nMost of ProjectSauron’s core implants are designed to work as backdoors, downloading new modules or running commands\r\nfrom the attacker purely in memory. The only way to capture these modules is by making a full memory dump of the\r\ninfected systems.\r\nAlmost all of ProjectSauron’s core implants are unique, have different file names and sizes, and are individually built for\r\neach target. 
Each module’s timestamp, both in the file system and in its own headers, is tailored to the environment on which\r\nit is installed.\r\nSecondary ProjectSauron modules are designed to perform specific functions like stealing documents, recording keystrokes,\r\nand stealing encryption keys from both infected computers and attached USB sticks.\r\nProjectSauron implements a modular architecture using its own virtual file system to store additional modules (plugins) and\r\na modified Lua interpreter to execute internal scripts. There are upwards of 50 different plugin types.\r\n9. What is the initial infection vector?\r\nTo date, the initial infection vector used by ProjectSauron to penetrate victim networks remains unknown.\r\n10. How were the ProjectSauron implants deployed within the target network?\r\nIn several cases, ProjectSauron modules were deployed through the modification of scripts used by system administrators to\r\ncentrally deploy legitimate software updates within the network.\r\nIn essence, the attackers injected a command to start the malware by modifying existing software deployment scripts. The\r\ninjected malware is a tiny module that works as a simple downloader.\r\nOnce started under a network administrator account, this small downloader connects to a hard-coded internal or external IP\r\naddress and downloads the bigger ProjectSauron payload from there.\r\nIn cases where the ProjectSauron persistence container is stored on disk in EXE file format, it disguises the files with\r\nlegitimate software file names.\r\n11. What C\u0026C infrastructure did the attackers use?\r\nThe ProjectSauron actor is extremely well prepared when it comes to operational security. Running an expensive\r\ncyberespionage campaign like ProjectSauron requires vast domain and server infrastructure uniquely assigned to each victim\r\norganization and never reused again. 
This makes traditional network-based indicators of compromise almost useless because\r\nthey won’t be reused in any other organization.\r\nWe collected 28 domains linked to 11 IPs located in the United States and several European countries that might be\r\nconnected to ProjectSauron campaigns. Even the diversity of ISPs selected for ProjectSauron operations makes it clear that\r\nthe actor did everything possible to avoid creating patterns.\r\n12. Does ProjectSauron target isolated (air-gapped) networks?\r\nYes. We registered a few cases where ProjectSauron successfully penetrated air-gapped networks.\r\nThe ProjectSauron toolkit contains a special module designed to move data from air-gapped networks to Internet-connected\r\nsystems. To achieve this, removable USB devices are used. Once networked systems are compromised, the attackers wait for\r\na USB drive to be attached to the infected machine.\r\nThese USBs are specially formatted to reduce the size of the partition on the USB disk, reserving an amount of hidden data\r\n(several hundred megabytes) at the end of the disk for malicious purposes. This reserved space is used to create a new\r\ncustom-encrypted partition that won’t be recognized by a common OS, such as Windows. The partition has its own semi-filesystem (or virtual file system, VFS) with two core directories: ‘In’ and ‘Out’.\r\nThis method also bypasses many DLP products, since software that disables the plugging of unknown USB devices based on\r\nDeviceID wouldn’t prevent an attack or data leakage, because a genuine recognized USB drive was used.\r\n13. Does ProjectSauron target critical infrastructure?\r\nSome of the entities infected by ProjectSauron can be classified as critical infrastructure. However, we haven’t registered\r\nProjectSauron infections inside industrial control system networks that have SCADA systems in place.\r\nAlso, we have not yet seen a ProjectSauron module targeting any specific industrial hardware or software.\r\n14. 
Did ProjectSauron use any special communication methods?\r\nFor network communication, the ProjectSauron toolkit has extensive abilities, leveraging the stack of the most commonly\r\nused protocols: ICMP, UDP, TCP, DNS, SMTP and HTTP.\r\nOne of the ProjectSauron plugins is the DNS data exfiltration tool. To avoid generic detection of DNS tunnels at network\r\nlevel, the attackers use it in low-bandwidth mode, which is why it is used solely to exfiltrate target system metadata.\r\nAnother interesting feature in ProjectSauron malware that leverages the DNS protocol is the real-time reporting of the\r\noperation progress to a remote server. Once an operational milestone is achieved, ProjectSauron issues a DNS-request to a\r\nspecial subdomain unique to each target.\r\n15. What is the most sophisticated feature of the ProjectSauron APT?\r\nIn general, the ProjectSauron platform is very advanced and reaches the level of complexity of Regin, Equation and similar\r\nthreat actors we have reported on in the past. Some of the most interesting things in the ProjectSauron platform include:\r\nMultiple exfiltration mechanisms, including piggybacking on known protocols.\r\nBypassing air-gaps using hidden data partitions on USB sticks.\r\nHijacking Windows LSA to control network domain servers.\r\nImplementing an extended Lua engine to write custom malicious scripts to control the entire malware platform with a\r\nhigh-level language.\r\n16. Are the attackers using any zero-day vulnerabilities?\r\nTo date we have not found any 0-day exploits associated with ProjectSauron.\r\nHowever, when penetrating isolated systems, the creation of the encrypted storage area in the USB does not in itself enable\r\nattackers to get control of the air-gapped machines. 
There has to be another component such as a 0-day exploit placed on the\r\nmain partition of the USB drive.\r\nSo far we have not found any 0-day exploit embedded in the body of the malware we analyzed, and we believe it was\r\nprobably deployed in rare, hard-to-catch instances.\r\n17. Is this a Windows-only threat? What versions of Windows are targeted?\r\nProjectSauron works on all modern Microsoft Windows operating systems – both x64 and x86. We have witnessed\r\ninfections running on Windows XP x86 as well as Windows 2012 R2 Server Edition x64.\r\nTo date, we haven’t found a non-Windows version of ProjectSauron.\r\n18. Were the attackers hunting for specific information?\r\nProjectSauron actively searches for information related to rather uncommon, custom network encryption software. This\r\nclient-server software is widely adopted by many of the target organizations to secure communications, voice, email, and\r\ndocument exchange.\r\nIn a number of the cases we analyzed, ProjectSauron deployed malicious modules inside the custom network encryption\r\nsoftware’s directory, disguised under similar filenames and accessing the data placed beside its own executable. Some of the\r\nextracted Lua scripts show that the attackers have a high interest in the software components, keys, configuration files, and\r\nthe location of servers that relay encrypted messages between the nodes.\r\nAlso, one of the embedded ProjectSauron configurations contains a special unique identifier for the targeted network\r\nencryption software’s server within its virtual network. The behavior of the component that searches for the server IP\r\naddress is unusual. After getting the IP, the ProjectSauron component tries to communicate with the remote server using its\r\nown (ProjectSauron) protocol as if it was yet another C\u0026C server. 
This suggests that some communication servers running\r\nthe mentioned network encryption software could also be infected with ProjectSauron.\r\n19. What exactly is being stolen from the targeted machines?\r\nThe ProjectSauron modules we found are able to steal documents, record keystrokes and steal encryption keys from infected\r\ncomputers and attached USB sticks.\r\nThe fragment of configuration block below, extracted from ProjectSauron, shows the kind of information and file extensions\r\nthe attackers were looking for:\r\n.*account.*|.*acct.*|.*domain.*|.*login.*|.*member.*|.*user.*|.*name|.*email|.*_id|id|uid|mn|mailaddress|.*nick.*|alias|codice|uin|sign-in|strCodUtente|.*pass.*|.*pw|pw.*|additional_info|.*secret.*|.*segreto.*\r\n[^\\$]$\r\n^.*\\.(doc|xls|pdf)$\r\n*.txt;*.doc;*.docx;*.ppt;*.pptx;*.xls;*.xlsx;*.vsd;*.wab;*.pdf;*.dst;*.ppk;*.rsa;*.rar;*.one;*.rtf;~WPL*.tmp;*.FTS;*.rpt;*.conf;*.cfg;*.pk2;*.n\r\nInterestingly, while most of the words and extensions above are in the English language, several of them point to Italian,\r\nsuch as: ‘codice’, ‘strCodUtente’ and ‘segreto’.\r\nKeywords / filenames targeted by ProjectSauron data theft modules:\r\nItalian keyword Translation\r\nCodice code\r\nCodUtente Usercode\r\nSegreto Secret\r\nThis suggests the attackers had prepared to attack Italian-speaking targets as well. However, we are not aware of any Italian\r\nvictims of ProjectSauron at the moment.\r\n20. Have you observed any artifacts indicating who is behind the ProjectSauron APT?\r\nAttribution is hard and reliable attribution is rarely possible in cyberspace. Even with confidence in various indicators and\r\napparent attacker mistakes, there is a greater likelihood that these are smoke and mirrors created by an attacker with a\r\ngreater vantage point and vast resources. 
When dealing with the most advanced threat actors, as is the case with\r\nProjectSauron, attribution becomes an unsolvable problem.\r\nWe think an operation of such complexity, aimed at stealing confidential and secret information, can only be executed with\r\nsupport from a nation-state.\r\n22. What would ProjectSauron have cost to set up and run?\r\nKaspersky Lab has no exact data on this, but estimates that the development and operation of ProjectSauron is likely to have\r\nrequired several specialist teams and a budget probably running into millions of dollars.\r\n23. How does the ProjectSauron platform compare to other top-level threat actors?\r\nThe actor behind ProjectSauron is very advanced, comparable only to the top-of-the-top in terms of sophistication: alongside\r\nDuqu, Flame, Equation, and Regin. Whether related or unrelated to these advanced actors, the ProjectSauron attackers have\r\ndefinitely learned from them.\r\nAs a reminder, here are some features of other APT attackers which we discovered that the ProjectSauron attackers had\r\ncarefully learned from or emulated:\r\nDuqu:\r\nUse of intranet C\u0026Cs (where compromised target servers may act as independent C\u0026Cs)\r\nRunning only in memory (persistence on a few gateway hosts only)\r\nUse of different encryption methods per victim\r\nUse of named pipes for LAN communication\r\nMalware distribution through legitimate software deployment channels\r\nFlame:\r\nLua-embedded code\r\nSecure file deletion (through data wiping)\r\nAttacking air-gapped systems via removable devices\r\nEquation and Regin:\r\nUsage of RC5/RC6 encryption\r\nVirtual Filesystems (VFS)\r\nAttacking air-gapped systems via removable devices\r\nHidden data storage on removable devices\r\nThese other actors also showed what made them vulnerable to potential exposure, and ProjectSauron did its best to address\r\nthese 
issues:\r\nVulnerable or persistent C\u0026C locations\r\nISP name, IP, domain, and tools reuse across different campaigns\r\nCrypto-algorithm reuse (as well as encryption keys)\r\nForensic footprint on disk\r\nTimestamps in various components\r\nLarge volumes of exfiltrated data, alarming unknown protocols or message formats\r\nIn addition, it appears that the attackers took special care with what we consider indicators of compromise and\r\nimplemented a unique pattern for each and every target they attacked, so that the same indicators would have little value for\r\nanyone else. This is a summary of the ProjectSauron strategy as we see it. The attackers clearly understand that we as\r\nresearchers are always looking for patterns. Remove the patterns and the operation will be harder to discover. We are aware\r\nof more than 30 organizations attacked, but we are sure that this is just a tiny tip of the iceberg.\r\n24. Do Kaspersky Lab products detect all variants of this malware?\r\nAll Kaspersky Lab products detect ProjectSauron samples as HEUR:Trojan.Multi.Remsec.gen.\r\n25. Are there Indicators of Compromise (IOCs) to help victims identify the intrusion?\r\nProjectSauron’s tactics are designed to avoid creating patterns. Implants and infrastructure are customized for each\r\nindividual target and never re-used – so the standard security approach of publishing and checking for the same basic\r\nindicators of compromise (IOC) is of little use.\r\nHowever, structural code similarities are inevitable, especially for non-compressed and non-encrypted code. This opens up\r\nthe possibility of recognizing known code in some cases.\r\nThat’s why, alongside the formal IOCs, we have added relevant YARA rules. 
While the IOCs have been listed mainly to give\r\nexamples of what they look like, the YARA rules are likely to be of greater use and could detect real traces of ProjectSauron.\r\nFor background: YARA is a tool for uncovering malicious files or patterns of suspicious activity on systems or networks that\r\nshare similarities. YARA rules—basically search strings—help analysts to find, group, and categorize related malware\r\nsamples and draw connections between them in order to build malware families and uncover groups of attacks that might\r\notherwise go unnoticed.\r\nWe have prepared our YARA rules based on tiny similarities and oddities that stood out in the attackers’ techniques. These\r\nrules can be used to scan networks and systems for the same patterns of code. If some of these oddities appear during such a\r\nscan, there is a chance that the organization has been hit by the same actor.\r\nSource: https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/"
	],
	"report_names": [
		"faq-the-projectsauron-apt"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "67bf0462-41a3-4da5-b876-187e9ef7c375",
			"created_at": "2022-10-25T16:07:23.44832Z",
			"updated_at": "2026-04-10T02:00:04.607111Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"Careto",
				"The Mask",
				"Ugly Face"
			],
			"source_name": "ETDA:Careto",
			"tools": [
				"Careto"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "99845f58-2c39-46f7-8369-bb621ebb7002",
			"created_at": "2022-10-25T16:07:24.238844Z",
			"updated_at": "2026-04-10T02:00:04.90851Z",
			"deleted_at": null,
			"main_name": "Strider",
			"aliases": [
				"G0041",
				"ProjectSauron"
			],
			"source_name": "ETDA:Strider",
			"tools": [
				"Backdoor.Remsec",
				"ProjectSauron",
				"Remsec"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c1ac2a5e-0225-47a4-8ac5-5fa898c96bde",
			"created_at": "2023-01-06T13:46:38.472883Z",
			"updated_at": "2026-04-10T02:00:02.989134Z",
			"deleted_at": null,
			"main_name": "ProjectSauron",
			"aliases": [
				"Sauron",
				"Project Sauron",
				"G0041"
			],
			"source_name": "MISPGALAXY:ProjectSauron",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e09a7338-fb16-4e39-b579-c3bfc3140c47",
			"created_at": "2022-10-25T16:07:24.207294Z",
			"updated_at": "2026-04-10T02:00:04.899166Z",
			"deleted_at": null,
			"main_name": "Snowglobe",
			"aliases": [
				"ATK 8",
				"Animal Farm",
				"SIG20",
				"Snowglobe"
			],
			"source_name": "ETDA:Snowglobe",
			"tools": [
				"Babar",
				"Casper",
				"Chocopop",
				"Dino",
				"EvilBunny",
				"Nbot",
				"TFC",
				"Tafacalou"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "548a4081-aa8f-4e2a-bcb3-0c9dfa61944f",
			"created_at": "2023-01-06T13:46:38.443779Z",
			"updated_at": "2026-04-10T02:00:02.977564Z",
			"deleted_at": null,
			"main_name": "SNOWGLOBE",
			"aliases": [
				"Animal Farm",
				"Snowglobe",
				"ATK8"
			],
			"source_name": "MISPGALAXY:SNOWGLOBE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f5bf6853-3f6e-452c-a7b7-8f81c9a27476",
			"created_at": "2023-01-06T13:46:38.677391Z",
			"updated_at": "2026-04-10T02:00:03.064818Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"The Mask",
				"Ugly Face"
			],
			"source_name": "MISPGALAXY:Careto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a0d369c1-f0b7-4c70-a3a5-77aabbd17979",
			"created_at": "2022-10-25T15:50:23.311311Z",
			"updated_at": "2026-04-10T02:00:05.407733Z",
			"deleted_at": null,
			"main_name": "Strider",
			"aliases": [
				"ProjectSauron"
			],
			"source_name": "MITRE:Strider",
			"tools": [
				"Remsec"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434358,
	"ts_updated_at": 1775792031,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d721b9452e033d501df92c2d7c6b64d890bb7782.pdf",
		"text": "https://archive.orkl.eu/d721b9452e033d501df92c2d7c6b64d890bb7782.txt",
		"img": "https://archive.orkl.eu/d721b9452e033d501df92c2d7c6b64d890bb7782.jpg"
	}
}