{
	"id": "8a7da0f4-275c-4dce-8024-bef2a391d516",
	"created_at": "2026-04-06T00:14:17.450803Z",
	"updated_at": "2026-04-10T03:38:20.40536Z",
	"deleted_at": null,
	"sha1_hash": "d7ad6011182ace353b1f7c79d6cdb989eade456f",
	"title": "Mysterious hacking group Careto was run by the Spanish government, sources say",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1977696,
	"plain_text": "Mysterious hacking group Careto was run by the Spanish\r\ngovernment, sources say\r\nBy Lorenzo Franceschi-Bicchierai\r\nPublished: 2025-05-23 · Archived: 2026-04-05 23:20:47 UTC\r\nMore than a decade ago, researchers at antivirus company Kaspersky identified suspicious internet traffic of what\r\nthey thought was a known government-backed group, based on similar targeting and its phishing techniques.\r\nSoon, the researchers realized they had found a much more advanced hacking operation that was targeting the\r\nCuban government, among others.\r\nEventually the researchers were able to attribute the network activity to a mysterious — and at the time\r\ncompletely unknown — Spanish-speaking hacking group that they called Careto, after the Spanish slang word\r\n(“ugly face” or “mask” in English), which they found buried within the malware’s code. \r\nCareto was never publicly linked to a specific government. But TechCrunch has now learned that the researchers\r\nwho first discovered the group were convinced that Spanish government hackers were behind Careto’s espionage\r\noperations.\r\nWhen Kaspersky first revealed the existence of Careto in 2014, its researchers called the group “one of the most\r\nadvanced threats at the moment,” with its stealthy malware capable of stealing highly sensitive data, including\r\nprivate conversations and keystrokes from the computers it compromised, much akin to powerful government\r\nspyware today. Careto’s malware was used to hack into government institutions and private companies around the\r\nworld.\r\nKaspersky avoided publicly blaming who it thought was behind Careto. But internally, according to several people\r\nwho worked at Kaspersky at the time and had knowledge of the investigation, its researchers concluded that\r\nCareto was a hacking team working for the Spanish government. 
\r\n“There was no doubt of that, at least no reasonable [doubt],” one of the former employees told TechCrunch, who\r\nlike other sources in this story agreed to speak on condition of anonymity to discuss sensitive matters.\r\nCareto is one of only a handful of Western government hacking groups that have ever been discussed in public,\r\nalong with U.S. government units such as Equation Group, widely believed to be the U.S. National Security\r\nAgency; the Lamberts, believed to be the CIA; and the French government group known as Animal Farm, which\r\nwas behind the Babar and Dino malware. In a rare admission, Bernard Barbier, former head of the French\r\nintelligence service DGSE, publicly confirmed the French government was indeed behind Babar. \r\nThe Spanish government now joins this small group of Western government hacking groups.\r\nhttps://techcrunch.com/2025/05/23/mysterious-hacking-group-careto-was-run-by-the-spanish-government-sources-say/\r\nPage 1 of 6\n\nA screenshot of Careto’s malware code, which inspired the name of the hacking group. Image credits: Kaspersky\r\nEarly in its investigation, Kaspersky discovered that the Careto hackers had targeted a particular government\r\nnetwork and systems in Cuba, according to a second former Kaspersky employee. \r\nIt was this Cuban government victim that sparked Kaspersky’s investigation into Careto, according to the people\r\nspeaking with TechCrunch.\r\n“It all started with a guy who worked for the Cuban government who got infected,” the third former Kaspersky\r\nemployee, with knowledge of the Careto investigation, told TechCrunch. 
The person, who referred to the Cuban\r\ngovernment victim as “patient zero,” said that it appeared the Careto hackers were interested in Cuba because\r\nduring that time there were members of the Basque terrorist organization ETA in the country.\r\nKaspersky researchers noted in a technical report published after their discovery that Cuba had by far the largest\r\nnumber of victims per country at the time of the investigation into Careto’s activities, specifically one unnamed\r\nCuban government institution, which the report said showed “the current interest of the attackers.” \r\nThis Cuban government victim would prove key to linking Careto to Spain, according to the former Kaspersky\r\nemployees.\r\n“Internally we knew who did it,” the third former Kaspersky employee said, adding that they had “high\r\nconfidence” it was the Spanish government. Two other former Kaspersky employees, who also had knowledge of\r\nthe investigation, said the researchers likewise concluded Spain was behind the attacks. \r\nThe company, however, decided not to disclose it. “It wasn’t broadcast because I think they didn’t want to out a\r\ngovernment like that,” a fourth former Kaspersky researcher said. “We had a strict ‘no attribution’ policy at\r\nKaspersky. Sometimes that policy was stretched but never broken.”\r\nApart from Cuba, other Careto targets also pointed to Spain. The espionage operation affected hundreds of victims\r\nin Brazil, Morocco, Spain itself and — perhaps tellingly — Gibraltar, the disputed British enclave on the Iberian\r\npeninsula that Spain has long claimed as its own territory.\r\nKaspersky declined to answer questions about its researchers’ conclusions.\r\n“We don’t engage in any formal attribution,” Kaspersky spokesperson Mai Al Akkad told TechCrunch in an email.\r\nThe Spanish Ministry of Defense declined to comment. 
The Cuban government did not respond to emails sent to\r\nits Ministry of Foreign Affairs.\r\nThe discovery of Careto\r\nAfter Kaspersky discovered the group’s malware in 2014 and, as a result, learned how to identify other computers\r\ncompromised by it, the researchers found evidence of Careto infections all over the world, compromising victims\r\nin 31 countries spanning several continents. \r\nIn Africa, the group’s malware was found in Algeria, Morocco, and Libya; in Europe, it targeted victims in France,\r\nSpain, and the United Kingdom. In Latin America, there were victims in Brazil, Colombia, Cuba, and Venezuela. \r\nIn its technical report, Kaspersky said that Cuba had the most victims that were being targeted, with “all belonging\r\nto the same institution,” which the researchers perceived as of significance to the hackers at that point in time. \r\nSpain had its own particular interest in Cuba in the preceding years. As an exiled Cuban government official told\r\nthe Spanish daily El Pais at the end of 2013, there were around 15 members of the terror group ETA who lived in\r\nCuba with the approval of the local government. In 2014, a leaked U.S. diplomatic cable noted that Cuba had\r\ngiven refuge to ETA terrorists for years. Earlier in 2010, a Spanish judge ordered the arrest of ETA members living\r\nin Cuba.\r\nWhen covering the news of the discovery of Careto, the Spanish online news outlet El Diario noted that targeting\r\ncountries such as Brazil and Gibraltar would favor the Spanish government’s “geostrategic interests.” The Spanish\r\ngovernment had been pushing for a consortium of government-owned and private companies to win a bid to build\r\na high-speed railway in Brazil from Rio de Janeiro to São Paulo. \r\nAside from targeting government institutions, embassies, and diplomatic organizations, Kaspersky said the Careto\r\ngroup also targeted energy companies, research institutions, and activists. 
\r\nKaspersky researchers wrote that they were able to find evidence that the Careto malware existed as far back as\r\n2007, and found subsequent versions of Careto capable of exploiting Windows PCs, Macs, and Linux computers.\r\nThe researchers said they found possible evidence of code capable of targeting Android devices and iPhones.\r\nWhile Kaspersky didn’t make its internal attribution public, its researchers left clear hints that pointed to Spain. \r\nFirst, the company’s researchers noted that they found a string in the malware code that was particularly interesting:\r\n“Caguen1aMar.” That string is a contraction of the popular Spanish expletive, “me cago en la mar,” which\r\nliterally means “I sh–t in the sea,” but roughly translates to “f—k,” a phrase typically used in Spain, and not in\r\nother Spanish-speaking countries.  \r\nWhen Kaspersky announced its discovery of Careto in 2014, the company published a map showing all the\r\ncountries that the hacking group had targeted. Along with the map, Kaspersky included an illustration of a mask\r\nwith bull’s horns and a nose ring (the bull is a national symbol of Spain), castanets or clackers (an instrument used\r\nin Spanish folk music), and the red and yellow colors of the Spanish flag. \r\nA detail in the map revealed how important Cuba was for Careto. For certain countries, Kaspersky added icons\r\nspecifying what type of targets it was able to identify. The map showed Cuba had a single hacked victim, marked\r\nas a government institution. 
Gibraltar, Morocco — whose proximity and territorial disputes make it a strategic\r\nespionage target for Spain — and Switzerland were the only other territories with a government victim.\r\nA map of Careto’s victims along with an illustration of a mask. Image credits: Kaspersky\r\nKaspersky said in 2014 that the Careto group’s malware was one of the “most advanced threats” of the time for its\r\nability to grab highly sensitive data from a victim’s computer. Kaspersky said the malware could also intercept\r\ninternet traffic, Skype conversations, encryption (PGP) keys, and VPN configurations, take screenshots, and\r\n“fetch all information from Nokia devices.”\r\nThe Careto group relied in large part on spearphishing emails that contained malicious links impersonating\r\nSpanish newspapers like El País, El Mundo, and Público, and videos about political subjects and food recipes.\r\nOne of the former Kaspersky employees told TechCrunch that the phishing links also included references to ETA\r\nand Basque news, which Kaspersky’s report omitted. \r\nWhen clicking on these malicious links, the victim would get infected using an exploit that hacked the user’s\r\nspecific device, then redirected to a legitimate web page so as to not raise suspicions, according to Kaspersky’s\r\nreport. \r\nThe Careto operators also took advantage of a since-patched vulnerability in older versions of Kaspersky’s\r\nantivirus software, which the company said in its 2014 published report was how it first discovered the malware. \r\nThe ubiquity of Kaspersky’s software in Cuba effectively made it possible for Careto to target almost anyone on\r\nthe island with an internet connection. (By 2018, the Russian antivirus company controlled some 90% of the\r\nisland’s internet security market, according to Cuba Standard, an independent news website.) The antivirus is so\r\npopular across the country that the company’s name has become part of the local slang. 
\r\nBut soon after Kaspersky published its research, the Careto hackers shut down all of their operations discovered by\r\nthe Russian firm, going as far as wiping their logs, which researchers noted was “not very common” and put Careto\r\ninto the “elite” section of government hacking groups.\r\n“You can’t do that if you’re not prepared,” one of the former Kaspersky employees told TechCrunch. “They\r\nsystematically, and in a quick manner, destroyed the whole thing, the whole infrastructure. Boom. It was just\r\ngone.”\r\nCareto gets caught again\r\nAfter Careto went dark, neither Kaspersky nor any other cybersecurity company publicly reported detecting\r\nCareto again — until last year. \r\nKaspersky announced in May 2024 that it had found Careto’s malware once again, saying it saw the group target\r\nan unnamed organization in Latin America that was “previously compromised” by the hacking group most\r\nrecently in 2022, again in 2019, and on another occasion more than 10 years ago.\r\nCareto also hacked a second unnamed organization, located in Central Africa, said Kaspersky.\r\nIn a blog post later in December 2024, Kaspersky’s researchers attributed the new hacks to Careto “with medium\r\nto high confidence,” based in part on filenames that were “alarmingly similar” to filenames found in Careto’s\r\nactivities from a decade ago, as well as overlapping tactics, techniques, and procedures, or TTPs, a cybersecurity\r\nexpression that refers to the unique behaviors of a certain hacking group.\r\nKaspersky researchers Georgy Kucherin and Marc Rivero López, who wrote a paper and presented their research\r\nat the Virus Bulletin security conference in October 2024, said Careto “has always conducted cyber attacks with\r\nextreme caution,” but still “managed to make small but fatal mistakes during their recent operations” that 
matched\r\nactivity from Careto a decade earlier.\r\nDespite that, Kucherin told TechCrunch that they don’t know who, or which government, is behind the Careto\r\nhacking group. \r\n“It’s likely a nation state,” said Kucherin. “But what entity it was, who developed the malware? From a technical\r\nperspective, it’s impossible to tell.”\r\nAccording to Kaspersky’s most recent report, this time the Careto hackers broke into the unnamed Latin American\r\nvictim’s email server and then planted its malware. \r\nIn one of the hacked machines the researchers analyzed, Kaspersky found that Careto’s malware could\r\nsurreptitiously switch on the computer’s microphone (while hiding the Windows icon that normally alerts the user\r\nthat the mic is on), steal files, such as personal documents, session cookies that can allow access to accounts\r\nwithout needing a password, web browsing histories from several browsers, and more.\r\nIn the case of another victim, according to the report, Careto hackers used a set of implants that work as a\r\nbackdoor, a keylogger, and a screenshot-taker. 
\r\nDespite the fact that they got caught, and compared to what Kaspersky found more than a decade ago, Kucherin\r\nsaid that the Careto hackers are “still that good.”\r\nCompared to the larger and more well-known government-backed hacking groups, like the North Korean Lazarus\r\nGroup and China’s APT41, Kucherin said Careto is a “very small [advanced persistent threat] that surpasses all\r\nthose large ones in complexity.”\r\n“Their attacks are a masterpiece,” said Kucherin.\r\nSource: https://techcrunch.com/2025/05/23/mysterious-hacking-group-careto-was-run-by-the-spanish-government-sources-say/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://techcrunch.com/2025/05/23/mysterious-hacking-group-careto-was-run-by-the-spanish-government-sources-say/"
	],
	"report_names": [
		"mysterious-hacking-group-careto-was-run-by-the-spanish-government-sources-say"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "67bf0462-41a3-4da5-b876-187e9ef7c375",
			"created_at": "2022-10-25T16:07:23.44832Z",
			"updated_at": "2026-04-10T02:00:04.607111Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"Careto",
				"The Mask",
				"Ugly Face"
			],
			"source_name": "ETDA:Careto",
			"tools": [
				"Careto"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e09a7338-fb16-4e39-b579-c3bfc3140c47",
			"created_at": "2022-10-25T16:07:24.207294Z",
			"updated_at": "2026-04-10T02:00:04.899166Z",
			"deleted_at": null,
			"main_name": "Snowglobe",
			"aliases": [
				"ATK 8",
				"Animal Farm",
				"SIG20",
				"Snowglobe"
			],
			"source_name": "ETDA:Snowglobe",
			"tools": [
				"Babar",
				"Casper",
				"Chocopop",
				"Dino",
				"EvilBunny",
				"Nbot",
				"TFC",
				"Tafacalou"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e993faab-f941-4561-bd87-7c33d609a4fc",
			"created_at": "2022-10-25T16:07:23.460301Z",
			"updated_at": "2026-04-10T02:00:04.617715Z",
			"deleted_at": null,
			"main_name": "Longhorn",
			"aliases": [
				"APT-C-39",
				"Platinum Terminal",
				"The Lamberts"
			],
			"source_name": "ETDA:Longhorn",
			"tools": [
				"Black Lambert",
				"Blue Lambert",
				"Corentry",
				"Cyan Lambert",
				"Fluxwire",
				"Gray Lambert",
				"Green Lambert",
				"Magenta Lambert",
				"Pink Lambert",
				"Plexor",
				"Purple Lambert",
				"Silver Lambert",
				"Violet Lambert",
				"White Lambert"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "548a4081-aa8f-4e2a-bcb3-0c9dfa61944f",
			"created_at": "2023-01-06T13:46:38.443779Z",
			"updated_at": "2026-04-10T02:00:02.977564Z",
			"deleted_at": null,
			"main_name": "SNOWGLOBE",
			"aliases": [
				"Animal Farm",
				"Snowglobe",
				"ATK8"
			],
			"source_name": "MISPGALAXY:SNOWGLOBE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70db80bd-31b7-4581-accb-914cd8252913",
			"created_at": "2023-01-06T13:46:38.57727Z",
			"updated_at": "2026-04-10T02:00:03.028845Z",
			"deleted_at": null,
			"main_name": "Longhorn",
			"aliases": [
				"the Lamberts",
				"APT-C-39",
				"PLATINUM TERMINAL"
			],
			"source_name": "MISPGALAXY:Longhorn",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "23dfc9f5-1862-4510-a6ae-53d8e51f17b1",
			"created_at": "2024-05-01T02:03:08.146025Z",
			"updated_at": "2026-04-10T02:00:03.67072Z",
			"deleted_at": null,
			"main_name": "PLATINUM TERMINAL",
			"aliases": [
				"APT-C-39 ",
				"Longhorn ",
				"The Lamberts ",
				"Vault7 "
			],
			"source_name": "Secureworks:PLATINUM TERMINAL",
			"tools": [
				"AfterMidnight",
				"Assassin",
				"Marble Framework"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f5bf6853-3f6e-452c-a7b7-8f81c9a27476",
			"created_at": "2023-01-06T13:46:38.677391Z",
			"updated_at": "2026-04-10T02:00:03.064818Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"The Mask",
				"Ugly Face"
			],
			"source_name": "MISPGALAXY:Careto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434457,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d7ad6011182ace353b1f7c79d6cdb989eade456f.pdf",
		"text": "https://archive.orkl.eu/d7ad6011182ace353b1f7c79d6cdb989eade456f.txt",
		"img": "https://archive.orkl.eu/d7ad6011182ace353b1f7c79d6cdb989eade456f.jpg"
	}
}